ML22199A303

Shine OL SER Chapter 7 with No Open Items (Redacted)
ML22199A303
Person / Time
Site: SHINE Medical Technologies
Issue date: 07/18/2022
From: Gavello M
NRC/NRR/DANU
To:
Gavello M
Shared Package
ML22073A179 List:



INSTRUMENTATION AND CONTROL SYSTEMS

Instrumentation and control (I&C) systems comprise the sensors, electronic circuitry, displays, and actuating devices that provide the information and means to safely control the SHINE Medical Technologies, LLC (SHINE, the applicant) irradiation facility (IF) and radioisotope production facility (RPF) and to avoid or mitigate accidents. Together, the IF and RPF constitute the SHINE facility. The final design description of the I&C systems in the SHINE Final Safety Analysis Report (FSAR) focuses on those structures, systems, and components (SSCs) and associated equipment that constitute the I&C systems and includes the overall design bases, system classifications, functional requirements, and system architecture.

This chapter of the SHINE operating license application safety evaluation report (SER) describes the review and evaluation of the U.S. Nuclear Regulatory Commission (NRC, the Commission) staff of the final design of the SHINE I&C systems as presented in Chapter 7, "Instrumentation and Control Systems," of the SHINE FSAR and supplemented by the applicant's responses to staff requests for additional information (RAIs).

Areas of Review

The NRC staff reviewed SHINE FSAR Chapter 7 against applicable regulatory requirements, using appropriate regulatory guidance and acceptance criteria, to assess the sufficiency of the final design and performance of SHINE's I&C systems. The final design of SHINE's I&C systems was evaluated to ensure that the design bases and functions of the systems and components are presented in sufficient detail to allow a clear understanding of the facility and that the facility can be operated for its intended purpose and within regulatory limits for ensuring the health and safety of the operating staff and the public. Drawings and diagrams were evaluated to ensure that they present a clear and general understanding of the physical facility features and of the processes involved. In addition, the staff evaluated the sufficiency of SHINE's proposed technical specifications (TSs) for the facility.

Summary of Application

SHINE FSAR Chapter 7 describes the I&C systems, which provide the capability to monitor, control, and protect the facility systems manually and automatically during normal and accident conditions.

Systems and topics addressed in SHINE FSAR Chapter 7 include:

- The process integrated control system (PICS) and vendor-provided control systems;
- The target solution vessel (TSV) reactivity protection system (TRPS);
- The engineered safety features actuation system (ESFAS);
- The highly integrated protection system (HIPS) platform implementing the TRPS and ESFAS;
- The SHINE facility control room control consoles and displays;
- The radiation monitoring systems (RMS), including
  o Process radiation monitors considered part of the ESFAS, TRPS, and tritium purification system (TPS)
  o Process radiation monitors included as part of other facility processes
  o The radiation area monitoring system (RAMS)
  o The continuous air monitoring system (CAMS)
  o The stack release monitoring system (SRMS); and
- The neutron flux detection system (NFDS).

Regulatory Requirements and Guidance and Acceptance Criteria

The NRC staff reviewed SHINE FSAR Chapter 7 against the applicable regulatory requirements, using appropriate regulatory guidance and acceptance criteria, to assess the sufficiency of the bases and the information provided by SHINE for the issuance of an operating license.

Applicable Regulatory Requirements

The applicable regulatory requirements for the evaluation of SHINE's I&C systems are as follows:

- 10 CFR 50.34, "Contents of applications; technical information," paragraph (b), "Final safety analysis report."
- 10 CFR 50.36, "Technical specifications."
- 10 CFR 50.40, "Common standards."
- 10 CFR 50.57, "Issuance of operating license."
- 10 CFR Part 20, "Standards for protection against radiation."

Applicable Regulatory Guidance and Acceptance Criteria

In determining the regulatory guidance and acceptance criteria to apply, the NRC staff used its technical judgment, as the available guidance and acceptance criteria were typically developed for nuclear reactors. Given the similarities between the SHINE facility and non-power research reactors, the staff determined to use the following regulatory guidance and acceptance criteria:

- NUREG-1537, Part 1, "Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Format and Content," issued February 1996.
- NUREG-1537, Part 2, "Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Standard Review Plan and Acceptance Criteria," issued February 1996.
- "Final Interim Staff Guidance Augmenting NUREG-1537, Part 1, 'Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Format and Content,' for Licensing Radioisotope Production Facilities and Aqueous Homogeneous Reactors," dated October 17, 2012.
- "Final Interim Staff Guidance Augmenting NUREG-1537, Part 2, 'Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Standard Review Plan and Acceptance Criteria,' for Licensing Radioisotope Production Facilities and Aqueous Homogeneous Reactors," dated October 17, 2012.

As stated in the interim staff guidance (ISG) augmenting NUREG-1537, the NRC staff determined that certain guidance originally developed for heterogeneous non-power research and test reactors is applicable to aqueous homogeneous facilities and production facilities. SHINE used this guidance to inform the design of its facility and to prepare its FSAR. The staff's use of reactor-based guidance in its evaluation of the SHINE FSAR is consistent with the ISG augmenting NUREG-1537.

As appropriate, the NRC staff used additional guidance (e.g., NRC regulatory guides, Institute of Electrical and Electronics Engineers (IEEE) standards, American National Standards Institute/American Nuclear Society (ANSI/ANS) standards, etc.) in the review of the SHINE FSAR. The additional guidance was used based on the technical judgment of the reviewer, as well as references in NUREG-1537, Parts 1 and 2; the ISG augmenting NUREG-1537, Parts 1 and 2; and the SHINE FSAR. Additional guidance documents used to evaluate the SHINE FSAR are provided as references in Appendix B, References, of this SER.

Review Procedures, Technical Evaluation, and Evaluation Findings

The NRC staff performed a review of the technical information presented in SHINE FSAR Chapter 7, as supplemented, to assess the sufficiency of the final design and performance of SHINE's I&C systems for the issuance of an operating license. The sufficiency of the final design and performance of SHINE's I&C systems is determined by ensuring that it meets applicable regulatory requirements, guidance, and acceptance criteria, as discussed in Section 7.3, "Regulatory Requirements and Guidance and Acceptance Criteria," of this SER. The findings of the staff review are described in SER Section 7.5, "Review Findings."

Summary Description

The NRC staff evaluated the sufficiency of the summary description of the SHINE facility I&C systems, as presented in SHINE FSAR Section 7.1, "Summary Description," using the applicable guidance and acceptance criteria from Section 7.1, "Summary Description," of NUREG-1537, Parts 1 and 2, and Section 7b.1, "Summary Description," of the ISG augmenting NUREG-1537, Parts 1 and 2.

Design of Instrumentation and Control Systems

The SHINE facility is monitored and controlled through the PICS. The PICS performs the monitoring and control functions of the IF's eight irradiation units (IUs) and at the facility level. This includes transferring target solution from one location to another, adjusting cooling systems, and the monitoring of temperature, pressure, level, and flow in various locations throughout the facility.

Each of the eight IUs has an independent TRPS and NFDS. PICS also controls certain systems in the RPF as described in SHINE FSAR Section 4b, "Radioisotope Production Facility Description." The ESFAS is provided for protective functions that are common to the entire facility. The RMS monitors radiation levels within the facility and emissions from the facility.

The purpose of the TRPS is to monitor process variables and provide automatic initiating signals in response to off-normal conditions, providing protection against unsafe IU operation during the IU filling, irradiation, and post-irradiation modes of operation.

The SHINE facility includes engineered safety features (ESF) to mitigate the consequences of postulated accidents.

The SHINE facility control consoles and displays (i.e., operator workstations and main control board) are provided as the human system interface (HSI). A single PICS provides the monitoring and control functions of the IUs and facility level monitoring and control functions.

The SHINE facility also includes the RMS, which consists of the inputs to the TRPS and ESFAS, the RAMS, the SRMS, and the CAMS. The systems monitor radiation at a facility level separate from the IUs. The criticality accident alarm system (CAAS) is discussed in SHINE FSAR Section 6b.3.3, "Criticality Accident Alarm System," and the criticality safety program relies on two of the ESFAS safety functions for satisfying the double contingency principle.

The NFDS is used for monitoring the reactivity and power of the subcritical assembly system in each IU. The NFDS is a system with redundant channels of neutron flux detectors. The NFDS detects and provides remote indication of the neutron flux levels during TSV filling and irradiation to determine the multiplication factor and power levels, respectively. The NFDS provides outputs to the TRPS used for trip determination. The TRPS also provides these same outputs to the PICS, which are used for the monitoring of conditions within the IU.

System Description

7.4.1.2.1 Design Criteria

NUREG-1537, Part 1, Section 3.1, "Design Criteria," states, in part:

In this section the applicant should specify the design criteria for the facility structures, systems, and components.... The design criteria should be both specific and general.

SHINE FSAR Section 3.1, "Design Criteria," includes Tables 3.1-1 and 3.1-2, which list the design criteria applicable to each I&C system. In addition, the SHINE FSAR identifies additional design criteria for each I&C system; these criteria are provided in SHINE FSAR Sections 7.3 through 7.8 and evaluated for each I&C system below. In effect, the SHINE FSAR identifies two types of design criteria: (1) SHINE Design Criteria (i.e., those listed in SHINE FSAR Table 3.1-3) and (2) system-specific design criteria (e.g., PICS Criterion 1). SHINE FSAR Table 3.1-1, Note 2 states that the generally applicable SHINE Design Criteria 1-8 from SHINE FSAR Table 3.1-3 are not specifically listed even though they are generally applicable to most SSCs.

NUREG-1537, Part 1, Section 7.2.1, "Design Criteria," states, in part:

In this section of the [F]SAR, the applicant should discuss the criteria for developing the design bases for the I&C systems. The basis for evaluating the reliability and performance of the I&C systems should be included.


There are a few design criteria that are applicable to multiple I&C systems, in part because the required functionality is only achieved through the interaction of these I&C systems. For example, the NFDS includes the neutron flux sensors and dedicated electronics, the TRPS includes the logic for initiating the associated protective actions, and the PICS displays the flux values to the operator. The PICS displays are part of the SHINE facility control console and display instruments.

The NRC staff's evaluation of the I&C systems against the applicable SHINE Design Criteria considers only the role that the I&C system plays in meeting the design criteria and should not be understood to mean that the I&C system, by itself, satisfies all of the aspects of the SHINE Design Criteria.

The SHINE FSAR identifies the following design attributes:

- Independence
  - Physical
  - Electrical
  - Communication
  - Functional
- Redundancy
- Predictability and repeatability
- Diversity
- Simplicity

These design principles are incorporated into the additional design criteria for I&C systems, as applicable.

7.4.1.2.2 Design Bases

NUREG-1537, Part 1, Section 7.2.2, "Design-Basis Requirements," states, in part:

I&C system design requirements are generally derived from the results of analyses of normal operating conditions and of accidents and transients that could occur.

The I&C design bases describe I&C system-specific functions to be performed, operational characteristics, specific values or ranges of values chosen for monitoring and controlling parameters, and design principles. The design basis for the I&C systems is described in SHINE FSAR Sections 7.3 through 7.8 and evaluated below.

SHINE FSAR Tables 7.2.1 through 7.2.6 identify the design radiation and environmental parameters for the different areas in the SHINE facility where the I&C systems are installed.

HIPS Design

The NRC staff evaluated the sufficiency of the design of the SHINE facility I&C systems, as presented in SHINE FSAR Section 7.2, "Design of Instrumentation and Control Systems," using the applicable guidance and acceptance criteria from Section 7.2, "Design of Instrumentation and Control Systems," of NUREG-1537, Parts 1 and 2, and Section 7b.2, "Design of Instrumentation and Control Systems," of the ISG augmenting NUREG-1537, Parts 1 and 2.


SHINE FSAR Section 7.4.5 states that the HIPS platform is used for the TRPS and ESFAS design and incorporates by reference the HIPS platform topical report (TR), TR-1015-18653, Revision 2, "Design of the Highly Integrated Protection System Platform" (ADAMS Accession No. ML17256A892). In its safety evaluation of the HIPS TR, the NRC staff concluded that the HIPS platform meets the standards of IEEE Std. 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," including the correction sheet dated January 30, 1995; IEEE Std. 7-4.3.2-2003, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations"; NRC Digital I&C Interim Staff Guidance (DI&C-ISG)-04, "Highly-Integrated Control Rooms - Communications Issues"; and the NRC Staff Requirements Memorandum (SRM), dated July 21, 1993, to SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs." The staff safety evaluation of the HIPS TR requires the user to address 65 application-specific action items (ASAIs) to ensure that the generic approval granted by the safety evaluation remains valid for a specific system or plant application using the HIPS platform.

In its response to RAI 7-10 (ADAMS Accession No. ML22144A231), SHINE provided technical report TECRPT-2018-0028, Revision 2, "HIPS Platform Application Specific Action Item Report for the TRPS and ESFAS." This technical report addresses the 65 ASAIs in relation to the design of the TRPS and ESFAS for the SHINE facility and evaluates each ASAI for applicability to SHINE's operating license application. If the ASAI is determined to be not applicable, justification for why it is not considered applicable is provided. If the ASAI is determined to be applicable, a reference is given for the appropriate sections of the SHINE FSAR or for the appropriate design basis document that provides the material that addresses the ASAI. The results of the applicant's disposition of the ASAIs are provided in Table 3-1 of TECRPT-2018-0028. The ASAIs specified in the HIPS TR safety evaluation are intended for power reactor applications and therefore some of the ASAIs are not applicable to the SHINE application of the HIPS platform. Based on its evaluation of SHINE technical report TECRPT-2018-0028, the NRC staff finds the applicant's dispositions of the ASAIs acceptable.

For the TRPS and ESFAS applications, the applicant has made a few modifications and additions to the fundamental HIPS platform equipment design and functionality as described in the HIPS TR. The following modifications and additions to the HIPS platform are described in Section 5 of TECRPT-2018-0028. These changes to the fundamental HIPS platform equipment design and functionality, listed below, are evaluated in applicable sections of Section 7.4.2 of this SER.

- Hardwired Module (HWM) Input Routing
- Use of Fiber Optic Communications
- Communications Module (CM) Bi-Directional Communications
- Implementation of Equipment Interface Modules (EIM) Switching Outputs
- Specific Implementation of Communications Modules
  o Scheduling, Bypass, and Voting Modules (SBVM)
  o Gateway Communications Modules (GWCM)
- SBVM Safety Data Bus Frame
- Self-Testing
  o Analog to Digital Converter
  o EIM Input and Output Testing
  o HWM Input Channel Test
  o End-to-End Testing
- HIPS Module LEDs
- Remote Input Submodule (RISM)
- SBVM Manual Testing Capability

System Description

The HIPS is a digital system that uses field programmable gate array (FPGA) and discrete components. The HIPS uses different modules installed in a chassis. These modules and inputs and outputs (I/O) are connected to each other through the back panel and backplane of the chassis. The back panel provides structural support to mount the backplane to the chassis.

The backplane consists of a printed circuit board, connectors (to connect modules), and copper traces (for communication). The HIPS TR includes a representative architecture to illustrate how the HIPS platform meets the fundamental digital I&C principles of independence, redundancy, predictability and repeatability, and diversity and defense-in-depth. The architectures of the TRPS and ESFAS are described in SHINE FSAR Sections 7.4.1 and 7.5.1, respectively, and include modifications and additions made to the generic architecture described in the TR.

The HIPS platform supports an installation that provides redundant electrical power sources to the HIPS chassis backplane. The TRPS divisions A and B are powered from a separate division of the uninterruptible electrical power supply system (UPSS); TRPS division C receives auctioneered power from both UPSS divisions A and B. While the UPSS is not classified as a Class 1E system, portions of Class 1E standards are applied to the UPSS. The acceptability of the UPSS is evaluated in Chapter 8, Electrical Power Systems, of this SER.

HIPS Modules

The HIPS platform consists of a system of modules that are interchangeable between chassis. The platform is designed to work with different module types configured to the individual application where multiple chassis can be connected to create a larger system as needed. The different HIPS modules and platform inputs and outputs are connected to each other through the backplane and back panel of the chassis. As a part of the NRC staff's review of the HIPS TR, fundamental building blocks of the HIPS platform consisting of safety function modules (SFM), CM, EIM, and HWM were found to be acceptable for use in a safety-related I&C architecture based on the HIPS platform. The same fundamental building blocks of the HIPS platform have been customized in building the TRPS and ESFAS. HIPS modules used in the TRPS and ESFAS are:

- Safety Function Modules
  o Remote Input Submodule (RISM)
  o Self-Testing of Analog to Digital Converter
- Communications Modules configured as:
  o Scheduling and Bypass Modules (SBM)
  o Scheduling Bypass and Voting Modules (SBVM)
  o SBVM Safety Data Bus Frame
  o Gateway Communications Modules (GWCM)
  o Maintenance & Indication CM (MI-CM)
  o CM Bi-Directional Communications
- Hard-Wired Modules
  o Hard-Wired Sub-Modules (HW-SM)
  o HWM Input Routing
  o Self-Testing of HWM Input Channel Test
  o FPGA on HWM for Operational Status
- Equipment Interface Modules
  o Implementation of EIM Switching Outputs
  o Self-Testing of EIM Input and Output
- Maintenance Work Station (MWS)
- HIPS Module LEDs

In its response to RAI 7-10, the applicant provided technical report TECRPT-2018-0028, which describes the design differences between the generic HIPS platform modules presented in the HIPS TR and the specific HIPS modules implemented in the TRPS and ESFAS. The following is the NRC staff's technical evaluation of the modifications and additions to the generic HIPS platform module design and functionality for SHINE applications.

Safety Function Module (SFM)

Fundamental design and functionality of the SFMs used in the TRPS and ESFAS are the same as those evaluated in the HIPS TR. SFMs used in the SHINE applications are composed of three functional areas: (1) input sub-module; (2) SFM digital logic circuits; and (3) communications engines, which are the same as described in Section 2.5.1 of the HIPS TR.

For the SHINE applications, the SFMs have been modified to accept remote input signals via a new input sub-module (ISM) designated as RISM. The RISM is directly associated with a single SFM that allows for remotely locating one ISM from its associated SFM. The ISM used on an RISM is the same as described in the HIPS TR. Once an input signal is in digital format on the ISM, the input information is provided by the RISM via an isolated, one-way RS-485 connection to its associated SFM within the division for triplication and trip determination. There is an additional RS-485 connection between the RISM and its associated SFM which independently supports modification of tunable parameters necessary on the RISM. The technical evaluation of ISM in Section 3.1.4.1.1 of the NRC staff's safety evaluation of the HIPS TR is not affected by this additional application of ISM. Therefore, the staff finds this modification of SFM acceptable.

Section 8.2.1 of the HIPS TR describes an auto calibration feature for the analog to digital converter (ADC) for an ISM. The auto-calibration function includes the use of external passive components, whereas the analog ISM used in the TRPS and ESFAS incorporates critical passive components onto the ADC chip. This results in very precise values that are factory calibrated and are significantly less prone to drift over time and temperature; therefore, the auto-calibration function is not implemented for the TRPS and ESFAS designs. Since all analog input signals to the TRPS and ESFAS will be periodically surveilled for accuracy, the NRC staff finds the modification to ISM acceptable.

Communications Module (CM)

Fundamental design and functionality of the CMs used in the TRPS and ESFAS architecture is the same as that evaluated in the HIPS TR. Specific configurations of HIPS CMs used in the TRPS and ESFAS design are SBM, SBVM, MI-CM, and GWCM.

Throughout the HIPS TR, the use of SBM and SVM is discussed as part of a representative architecture, which is provided in the TR to help describe the design principles implemented within the HIPS platform. Both modules are example configurations of the HIPS CM. The TRPS and ESFAS designs use a configuration of CM that is referred to as a SBVM in Divisions A and B. The SBVM combines all functions, capabilities, and design principles described in the HIPS TR for a SBM and a SVM into a single module. This was implemented to minimize the total number of HIPS hardware modules necessary for the required TRPS and ESFAS functionality. As such, the use of a SBVM in the TRPS and ESFAS designs does not represent a modification or addition to the HIPS Platform as described in the HIPS TR. Since the SVM functionality on each SBVM will load each of the specific TRPS or ESFAS application's voting registers with the partial trip determination actuation (PTDA) information received by its SBM functionality, Figure 7-8 of the HIPS TR is modified in TECRPT-2018-0028, Figure 5-1 to add a note that the "Wait for Sync" is not necessary for the SBVMs. Because the TRPS and ESFAS implement 1-out-of-2, 2-out-of-2, or 2-out-of-3 voting, which is different than the 2-out-of-4 voting discussed in the HIPS TR, this figure has also been modified to show the three TRPS/ESFAS divisions as opposed to the four divisions of the representative architecture in the HIPS TR.

Sections 7.6.3 through 7.7.1 of the HIPS TR describe the operations and safety data bus frames for the SBM and SVM. The TRPS and ESFAS will incorporate a change to how the SBVM votes on the PTDA and communicates actuation data to the EIMs. Instead of sending separate trip determination actuation (TDA) information for each safety function group (SFG) to the EIMs, all SFGs are voted on at the same time and the TDA for all SFGs is then transferred to the EIMs at once. To reflect this change, Figure 7-12 of the HIPS TR is modified in TECRPT-2018-0028, Figure 5-3 to show a single transaction for the TRPS and ESFAS implementation. Figure 7-14 of the HIPS TR is also modified in TECRPT-2018-0028, Figure 5-3 to show the SBM and SVM functionality being performed by the SBVM module.

The GWCM is a HIPS platform communications module not described in the HIPS TR, which performs only monitoring and indication functions. The TRPS and ESFAS monitoring and indication information is transmitted redundantly from each system's divisional monitoring and indication communications module (MI-CM) via one-way isolated RS-485 connections to respective redundant GWCMs, which are in two redundant gateway chassis. Figure 7-15-1, "TRPS and ESFAS Gateway Communications Architecture," of RAI response 7-15 (ADAMS Accession No. ML22144A231) depicts the TRPS and ESFAS communications architecture.

The GWCMs for the TRPS are functionally and logically independent from the GWCMs for the ESFAS and vice versa. They are physically located within two chassis and located in the ESFAS Division C cabinet. This figure shows the specific inputs and outputs from the independent TRPS GWCMs and the independent ESFAS GWCMs. As described in Section 2.5.3 of the HIPS TR, the GWCMs, which are HIPS platform communications modules, have four communications ports, each of which can be configured as receive-only or transmit-only.

Three of the four communications ports of each GWCM are configured as receive-only ports for their respective status and diagnostics information input. The fourth communications port of each GWCM is configured for two-way communications with the respective PICS channel using the MODBUS communications protocol. Two-way communication is a departure from the HIPS TR description of a communications module. The staff finds this is acceptable because the communication from each MI-CM to a GWCM is isolated and one-way only.

Hard-Wired Module (HWM)

Fundamental design and functionality of the HWMs used in the TRPS and ESFAS architecture are the same as those evaluated in the HIPS TR. The HWM converts hard-wired contact inputs into logic levels for direct connection on dedicated backplane traces to particular modules as per the detailed application design. The following are the TRPS and ESFAS design-specific HWM configurations.


3.2.1 and SR 3.2.2, operability of EIMs will be periodically tested; therefore, the NRC staff finds the lack of an EIM self-test feature acceptable.

Maintenance Workstation (MWS)

Each division of the TRPS and ESFAS has an MWS for the purpose of online monitoring and offline maintenance and calibration. The HIPS platform MWS supports online monitoring through one-way isolated communication ports. The MWS is used to update setpoints and tunable parameters in the HIPS chassis when the safety function is out of service. Physical and logical controls are put in place to prevent modifications to a safety channel when it is being relied upon to perform a safety function. A temporary cable and OOS switch are required to be activated before any changes can be made to an SFM. Application of the MWS in the TRPS and ESFAS design is the same as described in the HIPS TR. The response to RAI 7-18 (ADAMS Accession No. ML21239A049) describes the use of the MWS in the TRPS and ESFAS design for modification of setpoints and tunable parameters, and FSAR Section 7.4.5.3.3 provides additional detail on how the MWS is used to change setpoints and tunable parameters.

HIPS Module ACTIVE and FAULT LEDs

Section 8.2.7 of the HIPS TR identifies that LED tests will be performed to identify if an incorrect LED status is being displayed. This test will not be performed on a continuous basis for the TRPS and ESFAS designs for the following reasons:

- Module front panel indication is not a safety function
- Correct LED operation will be tested as part of factory and installation testing

Section 8.4 of the HIPS TR describes the two LEDs on the front of each HIPS module which are used to indicate the state of the module latches, the operational state of the module, and the presence of any faults for the module. The TRPS and ESFAS designs will include the following changes to the function of the LEDs from that presented in the TR:

- The ACTIVE and FAULT LEDs are Green during normal operation with no fault present
- The ACTIVE LED will turn Red on a vital fault or when the module has one latch open
- The FAULT LED will never flash and not turn Red
- The FAULT LED will turn Yellow for any fault (non-vital or vital)

The NRC staff finds this change does not affect the acceptability of the HIPS Module ACTIVE and FAULT LEDs.

7.4.2.1.1 HIPS Communication

Data communication in the TRPS and ESFAS design is the same as described in the HIPS TR. For the TRPS and ESFAS design, a copper RS-485 physical layer is implemented, whereas the representative protection system architecture in the HIPS TR is based on a fiber optic physical layer. Sections 2.5.3, 4.3, and 4.6.2 of the HIPS TR describe the use of transmit-only or receive-only fiber optic ports for inter-divisional communications. The TRPS and ESFAS designs do not use fiber optic ports for inter-divisional communications. The inter-divisional communications in the TRPS and ESFAS are implemented with transmit-only or receive-only copper RS-485 connections.


7.4.2.1.2 HIPS Operation

The HIPS TR describes operation of the HIPS platform with an example of a representative four channel protection system architecture. SHINE FSAR Sections 7.1.2, 7.1.3, 7.4.1, and 7.5.1 and Figures 7.1-1, 7.1-2, and 7.1-3 and TSs Bases for Limiting Condition for Operation 3.2.1 and 3.2.2 describe how operation of the HIPS is implemented for the TRPS and ESFAS.

Differences between the representative HIPS platform presented in the HIPS TR and the specific SHINE implementation for the TRPS and ESFAS are documented in Section 5 of TECRPT-2018-0028, which the applicant submitted in response to RAI 7-10. Detailed documentation of TRPS and ESFAS architecture is contained in TRPS and ESFAS system design descriptions. Consistent with the HIPS TR, the TRPS and ESFAS designs incorporate the fundamental I&C design principles as well as functionality including the capability for test and calibration.

TRPS and ESFAS are comprised of three independent divisions of equipment identified as Division A, Division B, and Division C. The TRPS and ESFAS use redundant and independent sensor inputs to each of these three divisions to complete the logical decisions necessary to initiate the required protective trip and actuations in Division A and Division B.

The HIPS architecture for TRPS and ESFAS consists primarily of SFMs, which receive the sensor signals and initiate trip signals that are communicated to the SBVMs via three safety data buses (SDBs). The output of the three redundant SBVMs in Divisions A and B is communicated via three independent SDBs to the associated EIMs. Division C uses an SBM instead of an SBVM to pass signals through to Divisions A and B, where the voting and actuations occur.

When an input channel exceeds a predetermined limit, the SFMs in each division initiate redundant trip signals that are sent to the Division A and Division B SBVMs. The SBVMs perform coincident logic voting to initiate trip or actuation signals to the TRPS and ESFAS components through EIMs. Either 1-out-of-2 or 2-out-of-3 voting is used so that a single failure of a trip signal will not prevent an equipment actuation from occurring when required. Each voting layer receives trip or actuation information from the SFMs via the SDB. When the TRPS or ESFAS logic and voting determine a trip is required, the SBVM sends the trip demand signal to the appropriate EIMs, via the SDB, which then trip or actuate the appropriate equipment via dedicated copper wire. An EIM is included in each actuation division (Divisions A and B) for each component actuated by the TRPS and ESFAS. Each EIM has two separate logic paths to allow for connection to separate actuated components. Each component is connected to two separate EIMs, resulting in two EIMs providing redundant control to each component. Both EIMs associated with a component are required to be deenergized for actuation of component(s) (fail-safe) to their actuated (deenergized) states. Use of redundant EIMs allows for one of the EIMs to be taken out of service and replaced online without actuating the connected equipment.

When a trip signal is generated in the SBVM, the appropriate switching outputs from the EIM open, power is interrupted to the actuation components, and the components change state to their deenergized position. Normal operation of the facility is performed from the facility control room (FCR) using the PICS. There are no required operator actions under postulated accident conditions. However, both automatic and manual initiation capability for all safety functions are provided in the TRPS and ESFAS design.

7.4.2.1.3 Equipment Qualification

The HIPS TR does not include environmental qualification of the HIPS platform. SHINE Design Criterion 16 states, in part, the protection systems are designed to ensure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels, do not result in loss of the protection function or are demonstrated to be acceptable on some other defined basis. To comply with the SHINE Design Criterion 16, the HIPS equipment for the TRPS and ESFAS is required to be qualified for the postulated environmental conditions. In response to RAI 7-16 (ADAMS Accession No. ML21239A049), the applicant provided additional information on HIPS equipment qualification and proposed changes to FSAR Sections 7.4.2.2.11, 7.4.3.5, 7.4.3.6, 7.5.2.2.11, 7.5.3.4, and 7.5.3.5. These FSAR changes provide additional description of the environmental, seismic, radiation, and EMI/RFI qualification testing of the HIPS equipment.

The applicant's response to RAI 7-16 states that the HIPS equipment for the TRPS and the ESFAS has been qualified by the vendor. A discussion of the environmental, seismic, radiation, and EMI/RFI qualifications of the HIPS equipment for TRPS and ESFAS follows.

Environmental Qualification

Mild environmental qualification was performed for the HIPS equipment for TRPS and ESFAS using guidance provided in Sections 4.1, 5.1, 6.1, and 7 of IEEE Standard 323-2003, Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations. Environmental qualification was performed considering temperature, relative humidity, radiation, and pressure.

Because the HIPS equipment for TRPS and ESFAS is in a mild environment and will not be subject to harsh environmental conditions during normal operation or transient conditions, a qualified life determination is not required. The HIPS equipment has been designed for continuous operation up to 140 degrees Fahrenheit (°F) and limited operation up to 158 °F. A proof test was performed in an environmental chamber, which verified the normal and abnormal temperature exposure levels for the HIPS equipment. The temperature conditions under which the proof test was performed and satisfactorily completed envelop the normal and transient temperature conditions that the HIPS equipment is expected to operate in, as provided in SHINE FSAR Tables 7.2-2 and 7.2-3.

The HIPS equipment for the TRPS and ESFAS is acceptable for mild environment relative humidity conditions. Non-condensing humidity does not represent a credible failure mode applicable to the HIPS equipment. During the proof test discussed above, humidity was not controlled and varied based upon the temperature at the time of testing. Acceptance criteria of the proof test were met, demonstrating that the equipment is expected to operate under required conditions for humidity.

As provided in SHINE FSAR Table 7.2-1, the total integrated dose (TID) for areas of the facility where the HIPS equipment will be installed is calculated as 1.0E+03 rad TID. When performing the HIPS equipment qualification, the vendor reviewed industry studies that compiled radiation effects data on a wide range of materials showing that the least radiation resistance threshold for organic compounds (i.e., nonmetallic materials) is greater than 1.0E+04 rad gamma. For electronic components, studies have shown that metal oxide semiconductor devices may be susceptible at a lower level of 3.0E+03 rad gamma. Since the service conditions for the HIPS equipment for the TRPS and ESFAS are less than these bounding values, no further evaluation for radiation in the environmental qualification was required.

The HIPS equipment for the TRPS and ESFAS is acceptable for normal atmospheric pressure, which is the normal and transient pressures provided in SHINE FSAR Tables 7.2-2 and 7.2-3.

Normal atmospheric pressure is not considered adverse to the HIPS equipment operation; the HIPS components are not pressure sealed, and therefore, do not create any differential pressure or failure mechanism.

Seismic Qualification

The HIPS equipment for the TRPS and ESFAS was subjected to a proof test in accordance with Section 8 of IEEE Standard 344-2013, Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Generating Stations. The HIPS equipment for the TRPS and ESFAS underwent biaxial and triaxial excitation testing. Five operating basis earthquake (OBE) tests were performed in each direction for a total of 20 OBE runs. One safe shutdown earthquake (SSE) test was performed in each direction for a total of four SSE runs. For the triaxial excitation testing, the HIPS equipment was tested in each of three orientations with respect to the excitation. The triaxial excitation test was performed in all three directions for each test. A total of five OBE tests were performed. The results of the proof test demonstrated that for all test runs, structural integrity of the HIPS equipment was maintained, and no mechanical damage was observed. In response to RAI 7-16, SHINE states that the acceptance criteria of the seismic testing were met to demonstrate qualification of the equipment for the TRPS and ESFAS.

Electromagnetic Interference (EMI)/Radio-Frequency Interference (RFI) Qualification

Although the regulatory positions of Regulatory Guide 1.180, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems, are specific to nuclear power plants and are not applicable to non-power production and utilization facilities, this regulatory guide, which provides an acceptable method for qualifying computer-based digital systems, informed the EMI/RFI qualification of the HIPS equipment. Installation of HIPS equipment in the SHINE facility will be grounded per Section 5.2.1 of IEEE Standard 1050-2004, Guide for Instrumentation and Control Equipment Grounding in Generating Stations.

Emissions testing for HIPS equipment was performed using the testing methods listed in Regulatory Position 3, Table 2, of Regulatory Guide 1.180.

Susceptibility testing for HIPS equipment was performed using the testing methods listed in Regulatory Position 4, Table 6, of Regulatory Guide 1.180.

Surge withstand testing for HIPS equipment was performed using the International Electrotechnical Committee (IEC) methods listed in Regulatory Position 5, Table 21, of Regulatory Guide 1.180.

The results of this testing were satisfactory and confirm that the effects of EMI/RFI and power surges on the HIPS equipment for the TRPS and ESFAS are addressed.

Based on the successful equipment qualification of the HIPS equipment for TRPS and ESFAS, the staff finds that the SHINE protection systems meet the applicable parts of the SHINE Design Criterion 16, which ensure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function.

7.4.2.1.4 HIPS Diagnostic and Self-testing

In response to RAI 7-15, the applicant provided the following details related to the HIPS diagnostics and self-testing features. SHINE FSAR Section 7.4.5.5 provides additional description of the diagnostic and maintenance features associated with the HIPS platform for the TRPS and ESFAS.

The TRPS and ESFAS are designed with the capability for calibration and surveillance testing, including channel checks, calibration verification, and time response measurements to verify that I&C safety systems perform required safety functions. The TRPS and ESFAS allow SSCs to be tested while retaining the capability to accomplish required safety functions. The TRPS and ESFAS use modules from the HIPS platform which are designed to eliminate non-detectable failures through a combination of self-testing and periodic surveillance testing.

Testing from the sensor inputs of the TRPS and ESFAS through to the actuated equipment is accomplished through a series of overlapping sequential tests, most of which may be performed during normal plant operations. Performance of periodic surveillance testing does not involve disconnecting wires or installation of jumpers for at-power testing. The self-test features maintain division independence by being performed within the division.

The part of TRPS and ESFAS that cannot be tested during normal operations is the actuation priority logic circuit on the EIM. This includes the manual control room switches and the nonsafety-related interface that provide inputs to the actuation priority logic. The actuation priority logic consists of discrete components and directly causes actuation of field components.

The actuation priority logic is a simple circuit that has acceptable reliability to be tested when the IU is in Mode 0.

While the TRPS and ESFAS are in normal operation, self-tests run without affecting the performance of the safety function, including its response time. TRPS and ESFAS data communications are designed with error detection to enhance data integrity. The protocol features ensure communications are robust and reliable with the ability to detect transmission faults. Similar data integrity features are used to transfer diagnostics data. The TRPS and ESFAS provide a means for checking the operational availability of the sense and command feature input sensors relied upon for a safety function during normal plant operation. This capability is provided by one of the following methods:

Perturbing the monitored variable

Cross-checking between channels that have a known relationship (channel check)

Introducing and varying a substitute input to the sensor

The TRPS and ESFAS have redundant gateways which gather the output of the MI-CMs for each of the three divisions. The data for each of the three divisions are compared to perform a channel check, and the results are provided to the PICS.

The TRPS and ESFAS incorporate failure detection and isolation techniques. Fault detection and indication occurs at the module level, which enables plant personnel to identify the module that needs to be replaced. Self-testing will generate an alarm and report a failure to the operator and place the component (e.g., SFM; SBVM; or EIM components) in a fail-safe state.

The self-testing features of the HIPS platform are designed, developed, and validated at the same level as the functional logic. The overlapped self-test features of the HIPS platform are integral to the operation of the system and are therefore designed, developed, and validated to the same rigor as the rest of the platform.

Diagnostic data for the division of the TRPS and ESFAS are provided to the MWS. Diagnostics data is communicated via the MIB, which is a physically separate communications path from the safety data path, ensuring the diagnostics functionality is independent of the safety functionality.

Self-testing features and use of the MWS employed in the TRPS and ESFAS design are the same as described in Appendix B of the HIPS TR and comply with Sections 5.5.2 and 5.5.3 of the IEEE Standard 7-4.3.2-2003. By incorporating diagnostic and maintenance test features that test from the sensor inputs of the TRPS and ESFAS through to the actuated equipment, the necessary test coverage is provided in the SHINE application of the HIPS platform.

The NRC staff assessed these self-testing features of the SFM and EIM modules and finds that they do not affect the ability of any module to perform its safety function.

7.4.2.1.5 Operational and Maintenance Bypass

The response to RAI 7-14 provided additional details on the operational and maintenance bypass features employed in the TRPS and ESFAS design. SHINE FSAR Sections 7.4.4.2, 7.4.4.3, and 7.5.4.4 describe the design, configuration, and implementation of the bypass function considered for the HIPS equipment for the TRPS and ESFAS. FSAR Sections 7.4.2.1.3 and 7.5.2.1.3 provide additional description of how SHINE Design Criterion 15 is met for the TRPS and ESFAS. The RAI response provided the following additional details on operational and maintenance bypass.

Operational Bypass

FSAR Section 7.4.4.2 describes the use of operational bypasses for the TRPS during the operation of the IU cells. Operational bypasses for the TRPS are based upon the mode of operation and are automatically implemented within the SBVMs to bypass safety actuations that are not required for each mode. Operator action is required to request the TRPS to transition to the next mode of operation. A mode transition request occurs via separate discrete inputs from PICS to each of the Division A and B HWMs, which then convert the mode transition input to a logic level signal and make the signal available to the associated SBVMs within the division.

When associated permissives are satisfied and the manual operator action for mode transition occurs, the TRPS progresses to the next mode and the TRPS SBVMs will 1) automatically bypass the final trip determinations for safety actuations that are not required for that particular mode of operation and 2) automatically remove any bypasses of the final trip determinations for safety actuations that are required for that particular mode of operation. If the permissive conditions are not met for transitioning to the next mode and the operator action occurs, the TRPS will not advance to the next mode of operation.

The status of TRPS operational bypasses is first provided by the SBVMs to the associated divisional MI-CM on the MIB. This status information is then provided to PICS for indication to the operators.

Maintenance Bypass

For the SHINE application, maintenance bypasses are associated with the sense and command features only for the TRPS and ESFAS. There are no maintenance bypass capabilities associated with execute features in the SHINE application of the HIPS platform.

Channels associated with an SFM of the TRPS and ESFAS can be taken out of service by direct component replacement or the manipulation of manual switches. Components that are designed to be replaced directly are the SBMs, SBVMs, EIMs, and HWMs.

When a SBM is removed from its chassis, the Division A and B SBVMs, which correspond with the SDB of the removed SBM, will assert all partial trip signals associated with that SBM to the trip state for input to the coincident voting performed in the SBVMs. The impacted SDB will be in a 1-out-of-3 trip state for all safety functions that require Division C input within the SBVM and the other two SDBs will be in a 0-out-of-3 trip state within the SBVMs. When this occurs, the Division C SFMs and Division A and B SBVMs will provide fault indication information to the PICS for alerting the operators that there is an issue with the SBM.

When a SBVM is removed from its chassis, the other corresponding divisional SBVM will assert all partial trip signals associated with the missing SBVM to the trip state for input to the coincident voting performed in the SBVM. The impacted SDB will be in a 1-out-of-3 trip state within the SBVM and the other two SDBs will be in a 0-out-of-3 trip state within the SBVMs.

When this occurs, the following modules will provide fault indication information to the PICS for alerting the operators that there is an issue with the SBVM:

All SFMs in the same division as the removed SBVM

All EIMs in the same division as the removed SBVM

All SBMs

The other corresponding divisional SBVM

When an EIM is removed from its chassis, nothing will occur because the redundant EIM to the one removed will continue to provide actuation capability for all actuation components associated with the EIM. When this occurs, all the SBVMs in the same division as the removed EIM will provide fault indication information to the PICS for alerting the operators that there is an issue with the EIM.

When a HWM is removed from its chassis, all hardwired inputs to the associated division via the HWM will become inactive. For the TRPS, removal of an HWM will effectively bypass the associated TSV Fill Isolation Valve Full Closed and HVPS Breaker Full Open input signals, which are safety inputs to the TRPS. For the ESFAS, a removed HWM will not affect any safety functions because there are no safety inputs to the HWMs.

The HWM includes a FPGA, which is a departure from the HIPS TR description of an HWM.

The function of the FPGA on the HWM is only to drive the module front panel LED indications and to provide module operational status to the MI-CM. The FPGA on the HWM cannot affect the function of receiving hardwired inputs and making them available on the backplane of the chassis. When a HWM is removed from its chassis, the MI-CM for the division will provide fault indication information to the PICS, alerting the operators that there is an issue with the HWM.

SFM input channels of the TRPS and ESFAS can be taken out-of-service (OOS) using the OOS switches located on the front of each SFM, and an associated separate trip/bypass switch located below each SFM. The OOS switch has two positions: Operate and OOS. When the switch is placed in the OOS position, the respective divisional SBMs or SBVMs will force the partial trip information associated with the SFM to the trip or bypass state, depending on the position of the trip/bypass switch, and take the channel OOS. Any time an SFM module is placed in an OOS condition, the SBMs or SBVMs associated with the SFM read the state of the trip or bypass switch to determine if the SFM input channels should be bypassed or treated as a trip when continuing the flow of data through the system. With the OOS switch in the OOS position, the trip/bypass switch is used to activate maintenance trips and maintenance bypasses. The trip/bypass switch signal is input first to an HWM, which then converts the trip/bypass discrete input to a logic level signal and makes the signal available to the associated SBMs or SBVMs within the same division as the trip/bypass switch. When the OOS switch is in the Operate position and the SFM is functioning normally, the SBMs or SBVMs associated with the SFM will ignore the associated trip/bypass switch input.

The SFMs continually provide the status of their OOS switch to the associated divisional SBMs or SBVMs along with their partial trip information. With an SFM's OOS switch in the OOS position and the associated trip/bypass switch in the trip position, the associated divisional SBMs or SBVMs will then assert all partial trip information associated with the SFM to the trip state for input to coincident logic voting in the SBVMs. All the partial trip information associated with all inputs for this SFM would be in a maintenance trip condition for this case. For those safety functions that use 2-out-of-3 coincident voting, a single failure of the same SFM in another division would not defeat the safety function because the third remaining divisional SFM is available to complete a 2-out-of-3 vote if required. For those safety functions that only use 1-out-of-2 coincident voting, the safety functions would be actuated when the OOS switch is placed into the OOS position with the associated trip/bypass switch in the trip position.

For safety functions that use either 1-out-of-2 or 2-out-of-3 coincident voting, a single failure of the same SFM in another division would defeat the safety function. Placing a single SFM in maintenance bypass is allowed by the SHINE TSs for up to two hours for the purpose of performing required surveillance testing. A time limit of two hours is acceptable based on the small amount of time the channel could be in bypass, the continual attendance by operations or maintenance personnel during the test, the continued operability of the redundant channel(s), and the low likelihood that an accident would occur during the two-hour period. TSs LCO 3.2.3 and 3.2.4 contain a note that specifies that any single SFM may be bypassed for up to two hours while the variable(s) associated with the SFM is in the condition of applicability for the purpose of performing a Channel Test or Channel Calibration. By only allowing a single SFM to be bypassed at one time, SHINE ensures that the same SFM across multiple divisions (which would be more than one SFM) will not be placed into maintenance bypass. By specifying this in the TSs, SHINE ensures that administrative controls are in place and consistent with the HIPS TR to prevent an operator from placing the same SFM across more than one division into maintenance bypass.

With an SFM's OOS switch in the OOS position and the associated trip/bypass switch in either the trip or bypass position, the input channels associated with the SFM are inoperable. The inputs to the voting logic for the maintenance trip and bypass states are discussed above. The maintenance bypass function supports the in-service testability requirement of SHINE Design Criterion 15 for the TRPS and ESFAS. By allowing a single SFM module to be placed in maintenance bypass in accordance with the TS requirements, TS surveillances can be performed to verify the operability of TRPS and ESFAS components during system operation.
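The maintenance trip and maintenance bypass cases described above can be checked with a small model. This is an added example, not code from the SER or the HIPS platform; the class and function names are hypothetical, and it assumes a bypassed channel is voted as "not tripped" and that an SFM failure means the module never reports a trip.

```python
from dataclasses import dataclass, replace
from enum import Enum


class OosSwitch(Enum):
    OPERATE = "Operate"
    OOS = "OOS"


class TripBypassSwitch(Enum):
    TRIP = "trip"
    BYPASS = "bypass"


@dataclass(frozen=True)
class SfmChannel:
    """One division's SFM input channel (hypothetical model, not HIPS code)."""
    division: str
    oos: OosSwitch = OosSwitch.OPERATE
    trip_bypass: TripBypassSwitch = TripBypassSwitch.TRIP
    failed: bool = False  # constructed fault: the SFM never reports a trip


def partial_trip(ch, demand):
    """Partial trip that the SBM/SBVM forwards to coincident voting."""
    if ch.oos is OosSwitch.OPERATE:
        # In Operate the trip/bypass switch input is ignored.
        return demand and not ch.failed
    # In OOS the switch position replaces the SFM's own partial trip.
    # Assumption: a bypassed channel is voted as "not tripped".
    return ch.trip_bypass is TripBypassSwitch.TRIP


def actuates(channels, required, demand):
    """Coincident vote: actuate when at least `required` partial trips are set."""
    return sum(partial_trip(c, demand) for c in channels) >= required


def survives_single_failure(channels, required):
    """True if a real demand still actuates after any one in-service SFM fails."""
    for i, ch in enumerate(channels):
        if ch.oos is OosSwitch.OOS:
            continue  # already out of service, cannot be the new failure
        faulted = list(channels)
        faulted[i] = replace(ch, failed=True)
        if not actuates(faulted, required, demand=True):
            return False
    return True


def configure(divisions, oos_division=None, position=TripBypassSwitch.TRIP):
    """Build the channel set, optionally with one division's SFM taken OOS."""
    return [
        SfmChannel(d, OosSwitch.OOS, position) if d == oos_division else SfmChannel(d)
        for d in divisions
    ]


def evaluate(divisions, required, oos_division=None, position=TripBypassSwitch.TRIP):
    """Return (actuates on demand, actuates with no demand, single-failure tolerant)."""
    chans = configure(divisions, oos_division, position)
    return (
        actuates(chans, required, demand=True),
        actuates(chans, required, demand=False),
        survives_single_failure(chans, required),
    )


if __name__ == "__main__":
    cases = [("2oo3", "ABC", 2), ("1oo2", "AB", 1)]
    states = [
        ("all in Operate", None, TripBypassSwitch.TRIP),
        ("A in maintenance trip", "A", TripBypassSwitch.TRIP),
        ("A in maintenance bypass", "A", TripBypassSwitch.BYPASS),
    ]
    for name, divs, req in cases:
        for label, oos_div, pos in states:
            print(name, label, evaluate(divs, req, oos_div, pos))
```

The middle value of each result shows the spurious actuation that a maintenance trip causes under 1-out-of-2 voting, and the last value shows why maintenance bypass is the state that needs a time limit.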

As described above, the time that the maintenance bypass feature is allowed to be used is limited to two hours. This satisfies the SHINE Design Criterion 15 requirement that the removal from service of any component or channel does not result in the loss of required minimum

is independent and separated from the PICS. In response to RAI 7-10, the applicant stated that the design bases description for the TRPS and ESFAS power source is provided in SHINE FSAR Section 8a2.2. Division A of both the TRPS and ESFAS is powered from Division A of the uninterruptible power supply system (UPSS). Division B of both the TRPS and ESFAS is powered from Division B of the UPSS. Division C of both the TRPS and ESFAS receives auctioneered power from Division A and Division B of the UPSS. Both the TRPS and ESFAS require 125 VDC power, which the UPSS provides as described above. Each TRPS and ESFAS cabinet is provided a single 125 VDC power supply, which is used to power three (3) redundant 125 VDC to 24 VDC converters located at the top of the cabinet. The 24V supply is then distributed to each of three (3) chassis mounting bays as needed, where it is then used to power two (2) redundant 24 VDC to 5 VDC converters located beneath each chassis bay.

These provide independent +5V A and +5V B power channels to each chassis.

For communications independence, SHINE FSAR Section 7.4.5.2.1 states that the design of the TRPS and ESFAS is such that each safety division functions independently of other safety divisions. Apart from interdivisional voting, communication within a division does not rely on communication outside the respective division to perform the safety function. Safety-related inputs to the TRPS or ESFAS which originate within a specific division of the TRPS or ESFAS are input to, and processed in, only the same division prior to being provided to any other division of the system for voting purposes. The inter-divisional communications in the TRPS and ESFAS are implemented with transmit-only or receive-only copper RS-485 connections.

The voting function of the SBVM is not dependent on voting data from other divisions because the SBVM voters will still be able to complete their safety function in the presence of erroneous or missing voting data. The SBVM voting function applies a safe default value for the missing inputs.

TRPS and ESFAS monitoring and indication information is transmitted redundantly from each system's divisional MI-CM via one-way isolated RS-485 connections to respective redundant nonsafety GWCMs, which are in two redundant gateway chassis. The GWCMs for the TRPS are functionally and logically independent from the GWCMs for the ESFAS and vice versa.

They are physically located within two chassis and located in the ESFAS Division C cabinet. As described in Section 2.5.3 of the HIPS TR, the GWCMs, which are HIPS platform communications modules, have four communications ports, each of which can be configured as receive-only or transmit-only. Three of the four communications ports of each GWCM are configured as receive-only ports for their respective status and diagnostics information input. The fourth communications port of each GWCM is configured for two-way communications with the respective PICS channel using the MODBUS communications protocol. Data communication between the GWCM and PICS is a nonsafety function, and the upstream communication from each MI-CM to a GWCM is isolated and one-way only.

For functional independence, SHINE FSAR Section 7.4.5.2.5, Simplicity, states that dedicating SFMs to a function or group of functions based on its inputs provides inherent function segmentation creating simpler and separate SFMs that can be more easily tested. This segmentation also helps limit module failures to a subset of safety functions. The discrete and programmable logic circuits on an EIM provide a clear distinction between those portions that are and are not vulnerable to software common-cause failures (CCF). Implementation of triple redundant communication within a division of TRPS and ESFAS increases the number of components (e.g., additional CMs) but provides simpler maintenance and self-testing. A failure of a data path or CM with triple redundant communication does not cause all safety functions of that division to be inoperable. Based on the staff's evaluation in Section 7.4.2.2.4, Diversity of

SHINE FSAR Sections 7.4.3.3 and 7.5.3.2 state that the TRPS and ESFAS are designed so that once initiated, protective actions will continue to completion. Only deliberate operator action can be taken to reset the TRPS or ESFAS following a protective action.

Based on review of the logic diagrams of SHINE FSAR Figure 7.4-1, Sheets 11 through 13, and Figure 7.5-1, Sheets 21 through 26, the NRC staff finds that a protective action, once initiated automatically or manually by either the TRPS or ESFAS, latches in the actuation signal to maintain the state of a protective action until a deliberate operator action to reset the output to normal operating conditions. An enable nonsafety switch allows an operator, after the switch has been brought to enable, to control the state of the TRPS and ESFAS components with a hardwired binary control signal from the nonsafety-related controls. The enable nonsafety switch is used to prevent spurious nonsafety-related control signals from adversely affecting safety-related components. If the enable nonsafety switch is active, and no automatic safety actuation or manual actuation signals are present, the operator is capable of energizing or deenergizing any EIM outputs using the nonsafety-related hardwired control signals. If the enable nonsafety switch is not active, the nonsafety-related hardwired control signals are ignored. Therefore, the NRC staff finds that all the protective actions initiated by TRPS and ESFAS are designed to continue to completion and a deliberate operator action is required to reset these protective actions.

7.4.2.2.6 Prioritization of Functions

FSAR Sections 7.4.3.12 and 7.5.3.11 state that the APL in the EIM is designed to provide priority to safety-related signals over nonsafety-related signals. Division A and Division B priority logic of the TRPS and ESFAS prioritizes the automatic safety actuation and manual safety actuation over the manual control of safety components from PICS nonsafety control signals. The manual actuation signals input from the operators in the FCR are brought directly into the discrete APL. The manual safety actuation input into the priority logic does not have the ability to be bypassed and will always have equal priority to the automated actuation signal over any other signals that are present. Failures of the EIM do not defeat APL prioritization of the automatic or manual safety actuations over the PICS control signals.

Based on the review of the TRPS and ESFAS logic diagrams, SHINE FSAR Figure 7.4-1, Sheets 12 and 13, and Figure 7.5-1, Sheets 22 through 26, the staff finds that the PICS can only control a safety-related component when the Enable Nonsafety Switch is in the Enable (E) position and no automatic safety actuation or manual safety actuation signals are present. A non-safety control signal from the PICS is provided to the APL via the HWM, which provides electrical isolation between safety and nonsafety circuits. Therefore, the NRC staff finds that the automatic safety actuations and manual safety actuations have priority over the manual control of safety components from PICS nonsafety control signals.
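The priority, latch-in and enable-switch behavior described in Sections 7.4.2.2.5 and 7.4.2.2.6, together with the redundant EIM arrangement from Section 7.4.2.1.2, can be exercised with a simplified state model. This is an added example, not the applicant's logic or HIPS platform code; the names are hypothetical, and it assumes that the deliberate reset is a nonsafety energize command given with the enable switch active and that a removed EIM supplies no power.

```python
class Eim:
    """One EIM output path with its actuation priority logic (simplified)."""

    def __init__(self):
        self.installed = True
        self.energized = True  # energized = normal, deenergized = actuated

    def step(self, auto=False, manual=False, enable_nonsafety=False,
             nonsafety_cmd=None):
        """Apply one set of inputs.

        nonsafety_cmd: None = no command, True = energize, False = deenergize.
        """
        if auto or manual:
            # Automatic and manual safety actuations share top priority.
            self.energized = False
        elif enable_nonsafety and nonsafety_cmd is not None:
            # Nonsafety control is honoured only with the enable switch
            # active and no safety actuation signal present.
            self.energized = nonsafety_cmd
        # Otherwise hold the last state: an actuation stays latched in.
        return self.output()

    def output(self):
        # Assumption: a module pulled from the chassis supplies no power.
        return self.installed and self.energized


class ActuatedComponent:
    """Field component fed by two redundant EIMs; it actuates (fail-safe)
    only when both EIM outputs are deenergized."""

    def __init__(self):
        self.eims = (Eim(), Eim())

    def step(self, **signals):
        for eim in self.eims:
            eim.step(**signals)
        return self.actuated()

    def actuated(self):
        return not any(eim.output() for eim in self.eims)


def priority_scenario():
    """Walk one component through a constructed input sequence."""
    comp = ActuatedComponent()
    return [
        ("normal operation", comp.step()),
        ("nonsafety deenergize, enable off",
         comp.step(nonsafety_cmd=False)),
        ("auto actuation against nonsafety energize, enable on",
         comp.step(auto=True, enable_nonsafety=True, nonsafety_cmd=True)),
        ("actuation signal cleared", comp.step()),
        ("nonsafety energize, enable off", comp.step(nonsafety_cmd=True)),
        ("nonsafety energize, enable on",
         comp.step(enable_nonsafety=True, nonsafety_cmd=True)),
        ("manual actuation", comp.step(manual=True)),
    ]


def removal_scenario():
    """Pull one EIM online, then demand an actuation."""
    comp = ActuatedComponent()
    comp.eims[0].installed = False
    after_removal = comp.actuated()
    after_trip = comp.step(auto=True)
    return after_removal, after_trip


if __name__ == "__main__":
    for label, actuated in priority_scenario():
        print(f"{label:55s} actuated={actuated}")
    print("one EIM removed, then trip:", removal_scenario())
```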

7.4.2.2.7 Access Control

FSAR Section 7.4.5.3.3 states that the HIPS platform based TRPS and ESFAS include the following access control features, which are consistent with the access control features evaluated in the safety evaluation for the HIPS TR:

Required use of a physical key at the main control board to prevent unauthorized use.

Rack mounted equipment is installed within cabinets that can be locked so access can be administratively controlled.

FPGAs on any of the HIPS modules cannot be modified or replaced while installed in the HIPS chassis.

Capability to modify modules installed in the HIPS chassis is limited to setpoints and tunable parameters that may require periodic modification.

Each division of the TRPS and ESFAS has a nonsafety-related MWS for the purpose of online monitoring and offline maintenance and calibration. The MWS supports online monitoring through one-way isolated communication ports. The MWS is used to update TRPS and ESFAS setpoints and tunable parameters only when the safety function is out of service. Access to the MWS is password protected. Physical and logical controls are put in place to prevent modifications to a safety channel when it is being relied upon to perform a safety function.

Controls are also put in place to prevent inadvertent changes to a setpoint or tunable parameter.

A temporary cable and OOS switch are required to be activated before any changes can be made to an SFM. When the safety function is removed from service, either in bypass or trip, an indication is provided in the facility control room to inform the operator. Adjustments to parameters are performed in accordance with TSs, including any that establish the minimum number of redundant safety channels that must remain operable for the applicable operating modes and conditions. The SFM includes a load switch to update the NVM parameters when setpoints are changed during maintenance.

Based on the above discussion, the NRC staff finds that the HIPS platform based TRPS and ESFAS design incorporates adequate access control features to prevent any inadvertent changes to the TRPS and ESFAS.
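The permissives described in this subsection (password-protected workstation, OOS switch, temporary cable, control room indication, load switch, and changes limited to setpoints and tunable parameters) can be expressed as a small executable model. The following is an added example, not code from the FSAR, the HIPS platform, or the NRC review; all class, method and parameter names are hypothetical, and the minimum of two in-service divisions and the setpoint values are constructed for illustration.

```python
# Model of the maintenance-change permissives described in the access control text.
# All names and MIN_IN_SERVICE are assumptions for illustration, not HIPS or SHINE values.
from dataclasses import dataclass, field

MIN_IN_SERVICE = 2  # constructed stand-in for a TS minimum-operable-channels limit


class ChangeDenied(Exception):
    """A permissive for modifying a safety function module was not met."""


@dataclass
class SafetyFunctionModule:
    division: str
    nvm: dict                       # setpoints and tunable parameters in use
    out_of_service: bool = False    # OOS switch position
    temp_cable: bool = False        # temporary maintenance cable connected
    staged: dict = field(default_factory=dict)  # written but not yet loaded


class ProtectionSystem:
    def __init__(self, modules):
        self.modules = {m.division: m for m in modules}
        self.audit = []             # every accepted and refused action

    def control_room_indications(self):
        """Divisions the operator sees as removed from service."""
        return sorted(d for d, m in self.modules.items() if m.out_of_service)

    def _deny(self, division, reason):
        self.audit.append(("DENIED", division, reason))
        raise ChangeDenied(reason)

    def remove_from_service(self, division):
        others = [m for d, m in self.modules.items() if d != division]
        if sum(not m.out_of_service for m in others) < MIN_IN_SERVICE:
            self._deny(division, "too few channels would remain in service")
        self.modules[division].out_of_service = True
        self.audit.append(("OOS", division, "indicated in control room"))

    def stage_change(self, division, name, value, authenticated):
        m = self.modules[division]
        if not authenticated:
            self._deny(division, "workstation session not authenticated")
        if not m.out_of_service:
            self._deny(division, "safety function still in service")
        if not m.temp_cable:
            self._deny(division, "temporary cable not connected")
        if name not in m.nvm:       # only existing setpoints/tunables, never logic
            self._deny(division, f"{name!r} is not a tunable parameter")
        m.staged[name] = value
        self.audit.append(("STAGED", division, f"{name}={value}"))

    def load(self, division):
        """Load switch: commit staged values to NVM under the same permissives."""
        m = self.modules[division]
        if not (m.out_of_service and m.temp_cable):
            self._deny(division, "load requires OOS switch and temporary cable")
        m.nvm.update(m.staged)
        m.staged.clear()
        self.audit.append(("LOADED", division, "NVM updated"))

    def return_to_service(self, division):
        self.modules[division].out_of_service = False
        self.audit.append(("IN_SERVICE", division, "indication cleared"))


def demo():
    """Run a constructed maintenance sequence; return the system and outcomes."""
    ps = ProtectionSystem(
        SafetyFunctionModule(d, {"high_flux_trip": 100.0}) for d in "ABC")
    outcomes = []

    def attempt(label, fn, *args):
        try:
            fn(*args)
            outcomes.append((label, "ok"))
        except ChangeDenied as exc:
            outcomes.append((label, str(exc)))

    attempt("write in service", ps.stage_change, "A", "high_flux_trip", 95.0, True)
    attempt("A out of service", ps.remove_from_service, "A")
    attempt("B out of service", ps.remove_from_service, "B")
    attempt("write without cable", ps.stage_change, "A", "high_flux_trip", 95.0, True)
    ps.modules["A"].temp_cable = True   # technician connects the temporary cable
    attempt("write unauthenticated", ps.stage_change, "A", "high_flux_trip", 95.0, False)
    attempt("write logic", ps.stage_change, "A", "logic_bitstream", b"\x00", True)
    attempt("write setpoint", ps.stage_change, "A", "high_flux_trip", 95.0, True)
    attempt("load", ps.load, "A")
    return ps, outcomes


if __name__ == "__main__":
    for label, result in demo()[1]:
        print(f"{label:22} -> {result}")
```

Every refused attempt is recorded in `audit`, which is the part of such a model worth carrying into a real review: denied changes to an in-service channel are as informative as accepted ones.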

HIPS Design Process

7.4.2.3.1 Programmable Logic Lifecycle Process

7.4.2.3.2 Programmable Logic Lifecycle Process License Condition

7.4.2.3.3 Conclusion for HIPS Design Process

Conclusion

The NRC staff has reasonable assurance that the HIPS digital I&C platform used to implement TRPS and ESFAS is designed to be consistent with the approved HIPS TR and incorporates the fundamental design principles of independence, redundancy, predictability and repeatability, and diversity. The NRC staff also finds that the HIPS design meets the applicable portions of the SHINE Design Criteria 15, 16, and 19. Therefore, the NRC staff concludes that the HIPS platform used to implement TRPS and ESFAS is capable of performing the allocated design basis safety function under postulated conditions.

Process Integrated Control System

The NRC staff evaluated the sufficiency of the SHINE facility PICS, as described in SHINE FSAR Section 7.3, Process Integrated Control System, using the applicable guidance and acceptance criteria from Section 7.3, Reactor Control System, of NUREG-1537, Parts 1 and 2, and Section 7b.3, Process Control Systems, of the ISG augmenting NUREG-1537, Part 2.

Target Solution Vessel Reactivity Protection System

The NRC staff evaluated the sufficiency of the SHINE facility TRPS, as described in SHINE FSAR Section 7.4, Target Solution Vessel Reactivity Protection System, using the applicable guidance and acceptance criteria from Section 7.4, Reactor Protection System, of NUREG-1537, Parts 1 and 2, and Chapter 7, Instrumentation and Control Systems, of the ISG augmenting NUREG-1537, Parts 1 and 2.

SHINE FSAR Section 7.4, Target Solution Vessel Reactivity Protection System, and SHINE TECRPT-2019-0048, Rev. 6, Target Solution Vessel Reactivity Protection System Design Description, describe the target solution vessel (TSV) reactivity protection system (TRPS). The TRPS is an instrumentation and control (I&C) system consisting of eight independent instances, each dedicated to one of the eight irradiation units (IU) in the irradiation facility (IF). Section 7.4.2 of this SER evaluates the HIPS design for implementation of each TRPS.

The IU operating cycle includes the following steps:

  • Prepared target solution is transferred to the target solution hold tank and then into the TSV.
  • The neutron driver is energized.
  • The subcritical assembly is operated at power for approximately 5.5 days.
  • The IU is shut down and the target solution heat is allowed to decay.
  • The target solution is transferred to the radioisotope production facility (RPF) for processing.

SHINE FSAR Section 7.8, Neutron Flux Detection System, describes three independent sets of two neutron detectors and associated electronics as a system for each TRPS. Each NFDS division includes an ionization chamber detector and a Boron Trifluoride (BF3) detector pair. These detector types are primarily sensitive to thermal neutrons. The NRC staff evaluated the NFDS as part of the TRPS similar to the other sensor and instrumentation inputs to the TRPS. Therefore, all findings for the TRPS are applicable to the NFDS as appropriate.

Each TRPS does not have its own dedicated display; rather, all TRPS information (including sensor input values) is sent to the process integrated control system (PICS) for display purposes. All information provided by TRPS to PICS is provided through a transmit-only communication mechanism.

System Description

SHINE FSAR Section 7.4.1, System Description, identifies the safety functions of the TRPS system:

The TRPS monitors variables important to the safety functions of the irradiation process during each operating mode of the IU to perform one or more of the following safety functions:

  • IU Cell Safety Actuation
  • IU Cell Tritium Purification System (TPS) Actuation
  • Driver Dropout

The TRPS also performs the nonsafety defense-in-depth Fill Stop function.

SHINE FSAR Section 7.8.1, System Description, describes the neutron flux system:

The NFDS is a three-division system with six detectors configured in three sets of two detectors (source range and power/wide range), with each set positioned around the subcritical assembly support structure (SASS) at approximately 120-degree intervals to the TSV. Each division of the NFDS consists of watertight detectors located in the light water pool and an NFDS amplifier mounted in the radioisotope production facility (RPF) or irradiation facility (IF). The six watertight detectors are located in the light water pool and are supported using brackets attached to the outer shell of the SASS. These brackets serve to locate the flux detectors in a fixed location relative to the TSV, ensuring flux profiles are measured consistently such that the sensitivity in the source range reliably indicates the neutron flux levels through the entire range of filling with the target solution.

The signal from the NFDS detectors is transmitted to the NFDS amplifiers where signal conditioning is performed. Each NFDS amplifier provides an analog signal representative of neutron flux. The NFDS interfaces with the TRPS for monitoring and indication, which then transmits the flux values to the PICS. The NFDS provides continuous indication of the neutron flux during operation, from filling through maximum power during irradiation. To cover the entire range of neutron flux levels, there are three different ranges provided from the NFDS: source range, wide range, and power range. One set of three independent NFDS detectors is used for the source range input into the TRPS (i.e., measures low flux levels common to what would be expected during the filling of the IU cell prior to irradiation of the target solution). The other set of three independent detectors provides the input for the power range and wide range measurements. Each independent detector provides analog input signals to an independent division of TRPS.

Design Criteria

10 CFR 50.34(a)(3)(i) requires that a PSAR include: "The principal design criteria for the facility." The principal design criteria for a facility establish the engineering design criteria that provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public. Once the principal design criteria for a facility are established, the remainder of the SAR includes an explanation of how the principal design criteria for a facility are achieved (in addition to how other regulatory requirements are achieved).

SHINE FSAR Section 1.3.3.1, Principal Design Criteria, states:

Principal design criteria for the facility are described in Section 3.1.

SHINE FSAR Section 3.1, Design Criteria, states:

Structures, systems, and components (SSCs) present in the SHINE facility are identified in Tables 3.1-1 and 3.1-2, including the applicable FSAR section(s) which describe each SSC and the applicable SHINE design criteria. Design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable FSAR section describing those SSCs.

For each SSC, the FSAR section identifies location, function, modes of operation, and type of actuation for specific SSCs, as applicable.

The SHINE facility uses design criteria to ensure that the SSCs within the facility demonstrate adequate protection against the hazards present. The design criteria are selected to cover:

  • The complete range of irradiation facility and radioisotope production facility operating conditions.
  • The response of SSCs to anticipated transients and potential accidents.
  • Design features for safety-related SSCs including redundancy, environmental qualification, and seismic qualification.
  • Inspection, testing, and maintenance of safety-related SSCs.
  • Design features to prevent or mitigate the consequences of fires, explosions, and other manmade or natural conditions.
  • Quality standards.
  • Analyses and design for meteorological, hydrological, and seismic effects.
  • The bases for technical specifications necessary to ensure the availability and operability of required SSCs.

The SHINE design criteria are described in Table 3.1-3.

The facility, as a whole, should meet the principal design criteria of the facility, and individual SSCs only support the facility's ability to achieve the principal design criteria of the facility. This section of the SER documents the NRC staff's review and evaluation of the proposed TRPS system design to perform its safety functions based on the appropriate design criteria to satisfy the 10 CFR 50.34(b) requirements. The NRC staff's evaluation of the design of the proposed TRPS is based on acceptance criteria in Section 7.4 of NUREG-1537, including acceptance criteria from the guidance and industry standards referenced by NUREG-1537, as listed in Section 7.2 of this SER.

7.4.4.2.1 SHINE Facility Design Criteria

Generally, the SHINE Design Criteria are applicable to more than one system, and the determination of whether the SHINE facility as a whole meets the SHINE Design Criteria consists of two parts: (1) whether each individual system meets the applicable parts of the SHINE Design Criteria, and (2) whether the individual systems together ensure the facility as a whole meets the SHINE Design Criteria.

SHINE FSAR Table 3.1-1, Safety-related Structures, Systems, and Components, and Section 7.4.2.1, SHINE Facility Design Criteria, state that SHINE Design Criteria 13 through 19, 38, and 39 apply to the TRPS. Each of these SHINE Design Criteria is addressed in a separate subsection below that includes an evaluation of the TRPS against each of the applicable SHINE Design Criteria to the extent the TRPS supports the ability of the overall facility to demonstrate adequate protection against the hazards present.

SHINE FSAR Table 3.1-1, Note 2, states that the SHINE Design Criteria 1-8 from FSAR Table 3.1-3 are not specifically listed even though they are generally applicable to most SSCs. SHINE FSAR Section 7.4.2.1, SHINE Facility Design Criteria, states:

The generally-applicable SHINE facility design criteria 1 through 6 apply to the TRPS.

The TRPS is designed, fabricated, and erected to quality standards commensurate to the safety functions to be performed; will perform these safety functions during external events; will perform these safety functions within the environmental conditions associated with normal operation, maintenance, and testing; does not share components between irradiation units; and is able to be manually initiated from the facility control room. These elements of the TRPS design contribute to satisfying SHINE facility design criteria 1 through 6.

Quality Standards and Records

NUREG-1537, Part 1, Section 7.2.1, Design Criteria, states:

All systems and components of the I&C systems should be designed, constructed, and tested to quality standards commensurate with the safety importance of the functions to be performed. Where generally recognized codes and standards are used, they should be named and evaluated for applicability, adequacy, and sufficiency. They should be supplemented or modified as needed in keeping with the safety importance of the function to be performed. Evaluations and modifications of the standards should be described in the SAR.

Consistent with this NUREG-1537 guidance, the FSAR includes SHINE Design Criterion 1 and states that it is applicable to the TRPS.

SHINE Design Criterion 1 - Quality standards and records

Safety-related structures, systems, and components (SSCs) are designed, fabricated, erected, and tested to quality standards commensurate with the safety functions to be performed. Where generally recognized codes and standards are used, they are identified and evaluated to determine their applicability, adequacy, and sufficiency and are supplemented or modified as necessary to ensure a quality product in keeping with the required safety function.

A quality assurance program is established and implemented in order to provide adequate assurance that these SSCs satisfactorily perform their safety functions.

Appropriate records of the design, fabrication, erection and testing of safety-related SSCs are maintained by or under the control of SHINE throughout the life of the facility.

SHINE FSAR Section 7.4.2.2.2, Software Requirements Development, states:

The developmental process for creating the safety-related TRPS has been delegated to SHINE's safety-related control system vendor (Subsection 7.4.5.3.1), including any modifications to the system logic after initial development (Subsection 7.4.5.4). SHINE is responsible for providing oversight of the vendor, verifying deliverables are developed in accordance with approved quality and procurement documents, and maintaining the vendor as an approved supplier on the SHINE approved supplier list (Subsection 7.4.5.4.1).

The adequacy of the SHINE quality assurance program is reviewed and found acceptable in Chapter 12, Conduct of Operations, of this SER. Inspections of records of the TRPS will evaluate whether this program was adequately applied to the fabrication, erection and testing of the TRPS equipment.

Natural Phenomena Hazards

NUREG-1537, Part 1, Section 7.2.1, Design Criteria, states:

Systems and components (including I&C systems) determined by the analyses in the SAR to be important to the safe operation should be able to withstand the effects of natural phenomena without loss of capability to perform their safety function.

Consistent with this NUREG-1537 guidance, the FSAR includes SHINE Design Criterion 2 and states that it is applicable to the TRPS.

SHINE Design Criterion 2 - Natural phenomena hazards

The facility structure supports and protects safety-related SSCs and is designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches as necessary to prevent the loss of capability of safety-related SSCs to perform their safety functions.

Safety-related SSCs are designed to withstand the effects of earthquakes without loss of capability to perform their safety functions.

The evaluation of the TRPS against the effects of some natural phenomena is documented in Section 7.4.3.6, Seismic, Tornado, Flood, below. SHINE FSAR Section 8a2.1.4, Grounding and Lightning Protections, addresses protections from lightning. Additionally, FSAR Section 7.4.2.1.4, Protection System Independence, and Section 7.4.2.2.11, Equipment Qualification, address protection from earthquakes, tornados, lightning, and floods. Chapter 3 of this SER evaluates effects of natural phenomena. The NRC staff finds that the safety-related TRPS meets SHINE Design Criterion 2.

Fire Protection

NUREG-1537, Part 1, Section 7.2.1, Design Criteria, states:

I&C systems and components determined in the SAR analyses to be important to the safe operation should be designed, located, and protected so that the effects of fires or explosions would not prevent them from performing their safety functions.

Consistent with this NUREG-1537 guidance, the FSAR includes SHINE Design Criterion 3 and states that it is applicable to the TRPS.

SHINE Design Criterion 3 - Fire protection

Safety-related SSCs are designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions.

Noncombustible and heat resistant materials are used wherever practical throughout the facility, particularly in locations such as confinement boundaries and the control room.

Fire detection and suppression systems of appropriate capacity and capability are provided and designed to minimize the adverse effects of fires on safety-related SSCs.

Firefighting systems are designed to ensure that their rupture or inadvertent operation does not significantly impair the safety capability of these SSCs.

The evaluation of the TRPS against this criterion is based on the information provided in SHINE FSAR Section 7.4.3.9, Fire Protection. Additional information can be found in SHINE FSAR Section 9a2.3, Fire Protection Systems and Programs.

SHINE FSAR Section 7.4.3.9 describes that the TRPS design uses physical separation to minimize the effects from fire and that equipment for different divisions is located in separate fire areas when practical. The obvious exceptions include components for all three divisions located in the facility control room, in an individual IU or in TOGS cells, and in other locations where end devices are installed.

The NRC staff examined these descriptions and finds that the combination of physical separation and the fire protection program provides reasonable assurance that this design criterion is met for the TRPS.

Environmental and Dynamic Effects

NUREG-1537, Part 1, Section 7.2.1, Design Criteria, states:

I&C systems and components determined in the SAR to be important to the safe operation should be designed to function reliably under anticipated environmental conditions (e.g., temperature, pressure, humidity, and corrosive atmospheres) for the full range of reactor operation, during maintenance, while testing, and under postulated accident conditions, if the systems and components are assumed to function in the accident analysis.

As described above, the FSAR includes SHINE Design Criterion 4 and states that it is applicable to the TRPS.

SHINE Design Criterion 4 - Environmental and dynamic effects

Safety-related SSCs are designed to perform their functions with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents. These SSCs are appropriately protected against dynamic effects and from external events and conditions outside the facility.

The SHINE FSAR Sections 7.4.2.1.4, Protection System Independence, and 7.4.2.2.11, Equipment Qualification, are further evaluated in Section 7.4.4.2.1, Protection System Independence, of this SER. Therefore, the NRC staff finds that the TRPS design meets SHINE design criterion 4.

Sharing of Structures, Systems, and Components

As described above, the FSAR states that SHINE Design Criterion 5 is applicable to the TRPS.

SHINE Design Criterion 5 - Sharing of structures, systems, and components

Safety-related SSCs are not shared between irradiation units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions.

Each IU contains an independent TRPS that is not shared. All IUs share the ESFAS for mitigation of potential accident consequences and have a common control room. There are three separate TPS trains that are shared with certain sets of irradiation units. The FSAR does not provide a specific evaluation that sharing does not significantly impair the TPS's ability to perform its safety functions; however, the NRC staff used engineering judgment and finds that the sharing of I&C related systems would not significantly impair the ability to perform the associated safety functions.

Control Room

As described above, the FSAR states that SHINE Design Criterion 6 is applicable to the TRPS.

SHINE Design Criterion 6 - Control room

A control room is provided from which actions can be taken to operate the irradiation units safely under normal conditions and to perform required operator actions under postulated accident conditions.

SHINE FSAR Section 7.6, Control Console and Display Instruments, describes the SHINE facility control room. HIPS equipment of the TRPS is in the control room. The adequacy of specific controls and displays is evaluated in Section 7.4.6 of this SER. The adequacy of the control room is evaluated in Chapter 13, Accident Analysis, of the safety evaluation.

Instrumentation and Controls

NUREG-1537, Part 1, Section 7.2.2, Design-Basis Requirements, states:

Design bases for the I&C system, subsystems, and components should include: The range of values that monitored variables may exhibit for normal operation, shutdown conditions, and for postulated accidents.

NUREG-1537, Part 2, Section 7.4, Reactor Protection System, states, "[t]he range of operation of sensor (detector) channels should be sufficient to cover the expected range of variation of the monitored variable during normal and transient reactor operation."

SHINE FSAR Section 7.4.2.1.1, Instrumentation and Controls, states:

SHINE Design Criterion 13 - Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated transients, and for postulated accidents as appropriate to ensure adequate safety, including those variables and systems that can affect the fission process, the integrity of the primary system boundary, the primary confinement and its associated systems, and the process confinement boundary and its associated systems. Appropriate controls are provided to maintain these variables and systems within prescribed operating range.

SHINE Design Criterion 13 is applicable to operator displays and controls including PICS, as the first means of defense in maintaining process variables and systems within prescribed operating range. The second barrier against postulated accidents is the automatic protective systems that actuate controls during an accident condition or inadvertent operation. SHINE Design Criterion 14 also provides additional design criteria for protective functions. Finally, as part of post-protective-action accident mitigation, the operator must be able to determine facility and process parameter states or statuses (e.g., post accident monitoring). In addition, some of the indications (of facility parameter values) to the operator are based solely on TRPS related monitored variables. Therefore, SHINE Design Criterion 13 applies to the TRPS monitored variable sensor ranges.

SHINE FSAR Section 7.4.2.1.1, Instrumentation and Controls, states:

The TRPS monitored variables for performance of design basis functions are presented in Table 7.4-1 and include the instrument range for covering normal and accident conditions...

SHINE FSAR Table 7.4-1, TRPS Monitored Variables, identifies the instrument range for each monitored variable; FSAR Section 7.4.4.1, Monitored Variables and Response, states:

Table 7.4-1 identifies specific variables that provide input into the TRPS and includes the instrument range for covering normal and accident conditions.

In response to RAI 7-13, the applicant states that each division of the TRPS transmits monitoring and indication information to the PICS. The following information from the TRPS is displayed in the facility control room (FCR):

  • Mode and Fault status for each HIPS module
  • Status and value of the monitored variables identified in FSAR Table 7.4-1
  • Trip/Bypass switch status
  • Divisional partial trip determination status
  • Divisional full trip determination status
  • TRPS IU cell operational mode status
  • Actuation output and fault status
  • Actuated component position feedback status

The TRPS monitoring and indication information is available to the operators in the FCR at the PICS operator workstations. A subset of the TRPS monitoring and indication information is displayed at the main control board in the FCR near the manual control switches for actuating TRPS safety functions. The TRPS provides redundant outputs to the PICS. The PICS receives the outputs from the TRPS onto a fault-tolerant server comprised of internal redundant physical servers. The use of redundant outputs from the TRPS to redundant internal physical servers on the PICS ensures that a failure would not prevent the operator from obtaining or resolving conflicting information. By displaying TRPS monitoring and indication information at multiple locations in the FCR, including near manual controls for actuating TRPS equipment, the design ensures the operator has sufficient information to operate the facility and take manual operator action, as necessary. SHINE FSAR Section 7.4.5.2.4 provides a description of the information available to the operators in the FCR. FSAR Section 7.4.4.1, Monitored Variables and Response, provides a discussion of the TRPS response to each monitored variable (signal input) and SHINE FSAR Table 7.4-1 provides the instrument range, accuracy, response time, and a specified analytical limit. The staff did not review specific design information or performance data for the sensors/instruments listed in Table 7.4-1, and therefore did not specifically confirm the validity of performance parameters assigned to each instrument. SHINE will test and qualify the instrumentation in accordance with Technical Specifications and FSAR Section 12.11.2.

Based on the information provided, the NRC staff has reasonable assurance that the variables listed in the FSAR are used to measure, display, and to initiate defined protective actuations of the applicable TRPS functions. The adequacy of PICS, consoles, and displays in meeting Criterion 13 is addressed in Sections 7.4.3 and 7.4.6 of this SER.

Protection System Functions

The design bases (defined in 10 CFR 50.2) predominately include the specific functions to be performed (by SSCs) and the specific values or ranges of values chosen for controlling parameters as reference bounds for design. 10 CFR 50.34(a)(3)(ii) requires that a PSAR include: "The design bases and the relation of the design bases to the principal design criteria."

NUREG-1537, Part 1, Section 3.1, Design Criteria, states that general design criteria should include: Design to cope with anticipated transients and potential accidents, including those discussed in Chapter 13, Accident Analyses, of the SAR.

NUREG-1537, Part 1, Section 7.2.1, Design Criteria, states:

The RPS should be designed to automatically initiate the operation of systems or give clear warning to the operator to ensure that specified reactor design limits are not exceeded as a result of measured parameters indicating the onset of potential abnormal conditions.

NUREG-1537, Part 2, Section 7.4, Reactor Protection System, states, in part, that the safety analysis report (SAR) should describe the protection system, listing the protective functions performed by the [protection system], and the parameters monitored to detect the need for protective action.

SHINE FSAR Section 7.4.2.1.2, Protection System Functions, describes how the TRPS meets SHINE Design Criterion 14, which is:

SHINE Design Criterion 14 - The protection systems are designed to: (1) initiate, automatically, the operation of appropriate systems to ensure that specified acceptable target solution design limits are not exceeded as a result of anticipated transients; and (2) sense accident conditions and to initiate the operation of safety-related systems and components.

SHINE FSAR Section 7.4.2.1.2, Protection System Functions, contains the criteria for the protection system functions to address two types of events: (1) anticipated transients, and (2) accidents. FSAR Section 7.4.2.1.2, Protection System Functions, further states:

There are no anticipated transients that would result in target solution design limits being exceeded.

SHINE applies a tailored, risk-based methodology similar to the guidance described in NUREG-1520, Standard Review Plan for Fuel Cycle Facilities License Applications, in the development of the detailed accident analysis. Design basis accidents (DBAs) were identified as credible accident scenarios that range from anticipated events, such as a loss of electrical power, to events that are still credible, but considered unlikely to occur during the lifetime of the plant.

The maximum hypothetical accident (MHA) is defined as a fission product-based release that bounds the radiological consequences for all credible fission product-based accident scenarios at the SHINE facility. Section 7.4.4.1 of the FSAR describes TRPS monitored variables and protective actions against events and references the protective actions to specific scenarios in FSAR Chapter 13. For selected scenarios, FSAR Chapter 13 further provides references to FSAR Chapter 4 power and pressure transient analysis that support the accident scenarios.

Portions of the FSAR do not always clearly distinguish between design basis accidents and anticipated transients. For example, FSAR Section 1.2.4, Potential Accidents at the Facility, states:

Potential design basis accidents (DBAs) at the SHINE facility were identified by the application of hazard analysis methodologies to evaluate the design of the facility and processes for potential hazards, initiating events (IEs), scenarios, and associated controls. As described in Chapter 13, these methodologies were applied to both the IF and the RPF. The list of accident categories and IEs that were the basis for the identification of potential DBAs are described in Chapter 13. The following accident categories and IEs are addressed for the SHINE facility.

Given the approach taken in the FSAR, the NRC staff could not independently identify and distinguish a set of anticipated transients apart from design basis accidents as described in SHINE FSAR Section 7.4.2.1.2 with respect to the specific accident-initiating events and scenarios described in FSAR Chapter 13. However, the FSAR explicitly identifies the safety functions of the TRPS (see Section 7.4.1 above) and the safety analyses credit these functions in demonstrating reasonable assurance of adequate safety for normal operations and accident-initiating events. The adequacy of the safety analyses is addressed in Chapters 5, 6, and 13 of this SER. The NRC staff therefore reviewed FSAR Chapters 4, 5, and 13, to identify the TRPS functions credited by these chapters regardless of their treatment as either a potential transient or accident in the context of SHINE Design Criterion 14. The NRC staff concluded that FSAR Chapter 7.4.3.1, Safety Functions, includes the TRPS functions credited in these FSAR chapters, and that FSAR Section 7.4 references the FSAR Chapter 13 analyses where these functions are credited. Based on this evaluation the NRC staff concludes that Section 7.4 describes the TRPS safety functions explicitly credited in FSAR Chapters 4, 5, and 13; therefore, the NRC staff finds that the FSAR Section 7.4 includes the appropriate safety functions to meet the applicable principal design criteria of the facility to cope with the scenarios and pressure and power transients described in the FSAR Chapter 13.

SHINE FSAR Section 7.4.2.1.2, Protection System Functions, identifies the target solution design limits as being in FSAR Table 4a2.2-2. Furthermore, this FSAR section references FSAR Section 7.4.4.1, Monitored Variables and Response, which has a subsection for each monitored variable, and each of these subsections identifies the specific FSAR Chapter 13 scenarios addressed by each monitored variable. FSAR Chapter 4 also describes the analysis of events for which TRPS initiates protective actions, but only FSAR Chapter 13 events/scenarios are identified in FSAR Section 7.4.4.1. The NRC staff traced the references in FSAR Chapter 7 to Chapter 13 scenarios, and subsequently to Chapter 4 to the extent practical for selected events.

SHINE FSAR Chapter 4, Table 4a2.2-2, Target Solution Operating Limits, identifies certain acceptable target solution design limits, and includes temperature and power density, which can be protected by TRPS. In addition, the TSs contain LCOs for certain acceptable target solution design limits:

LCO 3.1.3 Limits the minimal volume in the TSV (relates to power density)

LCO 3.1.4 Limits the maximum temperature in the TSV

LCO 3.1.6 Limits the average power density

LCO 3.1.7 Limits the transient average power density

LCO 3.8.3 Limits the and pH

LCO 3.8.4 Limits the uranium concentration

SHINE TSs, in LCO 3.1.6, establish the power density limit on the irradiated solution, which is effectively achieved by controlling power (i.e., controlling tritium). FSAR Section 13a2.1.2.2, Scenario 4, High Power Due to High Neutron Production and High Reactivity at Cold Conditions, states that a high reactivity and power event can occur due to excess tritium injection into the NDAS during cold conditions and that this can occur as a result of a tritium purification system (TPS) control system or component failure during startup that injects excess tritium before the TSV is at operating temperature, and that the TRPS initiates an IU shutdown on high wide range neutron flux. The IU Cell Safety Actuation initiated by the High Wide Range Neutron Flux described in FSAR Section 7.4.4.1.4, High Wide Range Neutron Flux, is well below the transient average power density described in LCO 3.1.7 but is above the average power density limit of LCO 3.1.6 for much of the operating range.

The maximum temperature limit is protected, in part, by actuations initiated by High Time-Averaged Neutron Flux, High PCLS Temperature, and Low PCLS Flow.

NUREG-1537 Part 1 Section 7.2.2, Design-Basis Requirements, states:

Design bases for the I&C system, subsystems, and components should include The function or purpose of systems or instruments considering which reactor parameters are monitored or controlled.

SHINE FSAR Section 7.4.3.1 describes the TRPS safety functions relied upon for specific accident scenarios. The NRC staff confirmed that credited protection system functions in Chapters 4 and 13 were described in Chapter 7. The adequacy of these safety functions in mitigating or preventing the accident-initiating events and scenarios is evaluated in Chapters 4 and 13 of this SER (e.g., component actuations for confinement and criticality safety and physical effects). Based on review of these FSAR Chapters and the TRPS logic diagrams depicted in SHINE FSAR Figure 7.4-1, the NRC staff finds that the TRPS is reasonably designed to perform the safety functions credited by the SHINE safety analysis in Chapter 13.

Therefore, the NRC staff finds that the TRPS design satisfies SHINE Design Criterion 14 for anticipated transients and accident conditions.

Protection System Reliability and Testability

NUREG-1537, Part 2, Section 7.4, states, in part, that the protection system should be designed to perform its safety function after a single failure and to meet requirements for redundancy and independence.

SHINE FSAR Section 7.4.2.1.3, Protection System Reliability and Testability, states that the TRPS meets SHINE Design Criterion 15:

SHINE Design Criterion 15 - The protection systems are designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection systems are sufficient to ensure that: (1) no single failure results in loss of the protection function, and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection systems are designed to permit periodic testing, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

The inputs to the TRPS listed in SHINE FSAR Table 7.4.4.1, TRPS Monitored Variables, have associated actuation logic of 2-out-of-3, 1-out-of-2, and 1-out-of-1. The HIPS equipment provides two modes in which an instrument channel can be removed from service: (1) it can be placed in trip, or (2) it can be placed in bypass (i.e., not tripped). If a channel of 2-out-of-3 logic is placed in trip, then the logic becomes 1-out-of-2 and does not result in loss of the required minimum redundancy; however, if the channel is placed in bypass, it does result in loss of the required minimum redundancy.

SHINE FSAR Section 7.4.2.1.3, Protection System Reliability and Testability, states that the maintenance bypass function allows an individual safety function module to be removed from service for required testing without loss of redundancy and references FSAR Section 7.4.4.3, which states only that the redundant channels are not affected. Effectively, SHINE FSAR Section 7.4.4.3 states that the independence aspect of SHINE Design Criterion 15 is satisfied. The NRC staff finds that with one channel in maintenance bypass, the TRPS cannot continue to perform its safety functions in the presence of certain single failures in the remaining two channels for certain events. SHINE Design Criterion 15 states that loss of the required minimum redundancy is not acceptable unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The NRC staff has reasonable assurance that the reliability of the HIPS equipment is acceptable, as described in Section 7.2 of HIPS, with respect to protecting against a temporary (two hours allowed by TS) reduction of minimum redundancy, given the low likelihood of a single failure of a channel concurrent with an accident event and another channel in bypass, and given the large safety margins described in Chapter 13 of this SER.
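The trip-versus-bypass behavior described above can be checked by enumeration. The following Python sketch is an added example, not taken from the FSAR, this SER, or the HIPS design; it extends the 2-out-of-3 case to the 1-out-of-2 and 1-out-of-1 logic also listed above. It assumes that a channel placed in trip votes "tripped", a channel placed in bypass votes "not tripped", and a single failure is one in-service channel stuck in the not-tripped state; all function and configuration names are hypothetical.

```python
"""Coincidence logic with a channel removed from service (added example).

Assumptions (not from the FSAR or SER): a channel placed in trip votes
"tripped", a channel placed in bypass votes "not tripped", and a single
failure is one in-service channel stuck in the not-tripped state.
"""
from enum import Enum


class Mode(Enum):
    IN_SERVICE = "in service"
    TRIP = "placed in trip"
    BYPASS = "placed in bypass"


def channel_vote(mode, demand, stuck_untripped=False):
    """Return True if this channel presents a trip vote to the voter."""
    if mode is Mode.TRIP:
        return True            # forced vote, independent of the process
    if mode is Mode.BYPASS:
        return False           # vote suppressed, independent of the process
    return demand and not stuck_untripped


def actuates(modes, demand, failed=None, votes_needed=2):
    """Evaluate the voter; `failed` is the index of a stuck channel, if any."""
    votes = sum(
        channel_vote(mode, demand, stuck_untripped=(index == failed))
        for index, mode in enumerate(modes)
    )
    return votes >= votes_needed


def effective_logic(modes, votes_needed=2):
    """Return (m, n): votes still required from the n in-service channels."""
    in_service = sum(mode is Mode.IN_SERVICE for mode in modes)
    forced_votes = sum(mode is Mode.TRIP for mode in modes)
    return max(votes_needed - forced_votes, 0), in_service


def single_failure_tolerant(modes, votes_needed=2):
    """True if a real demand still actuates with any one in-service channel failed."""
    if not actuates(modes, True, votes_needed=votes_needed):
        return False
    in_service = [i for i, mode in enumerate(modes) if mode is Mode.IN_SERVICE]
    return all(
        actuates(modes, True, failed=i, votes_needed=votes_needed)
        for i in in_service
    )


def analyze(configurations):
    """Return (name, effective logic, single-failure tolerant) for each row."""
    rows = []
    for name, modes, votes_needed in configurations:
        m, n = effective_logic(modes, votes_needed)
        tolerant = single_failure_tolerant(modes, votes_needed)
        rows.append((name, f"{m}-out-of-{n}", tolerant))
    return rows


S, T, B = Mode.IN_SERVICE, Mode.TRIP, Mode.BYPASS

# Constructed configurations covering the three logic types named in the text.
CONFIGURATIONS = [
    ("2-out-of-3, all channels in service", (S, S, S), 2),
    ("2-out-of-3, one channel in trip", (T, S, S), 2),
    ("2-out-of-3, one channel in bypass", (B, S, S), 2),
    ("1-out-of-2, all channels in service", (S, S), 1),
    ("1-out-of-2, one channel in bypass", (B, S), 1),
    ("1-out-of-1", (S,), 1),
]

if __name__ == "__main__":
    for name, logic, tolerant in analyze(CONFIGURATIONS):
        verdict = "tolerates" if tolerant else "does NOT tolerate"
        print(f"{name:38s} -> {logic:12s} {verdict} a single failure")
```
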

Protection System Independence

NUREG-1537 Part 1 Section 7.2.1, Design Criteria, states:

I&C systems should be designed so that a single failure will not prevent the safe shutdown of the reactor.

Generally, the single failure criterion is met by having redundant and independent equipment.

SHINE Design Criterion 16 addresses the independence of the redundant portion of the TRPS.

SHINE Design Criterion 16 - The protection systems are designed to ensure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels, do not result in loss of the protection function or are demonstrated to be acceptable on some other defined basis.

Design techniques, such as functional diversity or diversity in component design and principles of operation are used to the extent practical to prevent loss of the protection function.

SHINE Design Criterion 16 addresses two different aspects of protection system independence (i.e., effects & diversity - see associated subsections below). The criteria are meant to address a particular source of CCF. FSAR Section 7.4.2.1.4, Protection System Independence, provides information related to this design criterion. Section 7.2.1.4, Equipment Qualification, of this SER includes additional evaluation applicable to this criterion.

The evaluation of the TRPS against the effects of natural phenomena is documented in Section 7.4.3.6, Seismic, Tornado, Flood, of this SER. The TRPS equipment is located in the control room, which is a mild environment (i.e., not subject to extreme conditions due to accident conditions). SHINE FSAR Section 8a2.1.4, Grounding and Lightning Protections, addresses protection from lightning.

SHINE FSAR Sections 7.4.2.1.5, Protection System Failure Modes, and 7.4.3.5, Operating Conditions, state that the TRPS equipment is qualified in the environments in which it is required to operate.

SHINE FSAR Section 7.4.2.2.11, Equipment Qualification, addresses the effects of EMI/RFI and power surges, which is evaluated in Section 7.4.2.2.11, Equipment Qualification, below.

SHINE FSAR Section 7.4.5.2.1 states:

The TRPS control and logic functions operate inside of the facility control room, where the environment is mild, not exposed to the irradiation process, and is protected from earthquakes, tornadoes, and floods (Subsections 7.4.3.5 and 7.4.3.6). The TRPS structures, systems, and components that comprise a division are physically separated to retain the capability of performing the required safety functions during a design basis accident. This division independence is maintained throughout the design, extending from the sensor to the devices actuating the protective function (Subsection 7.4.5.2.1).

Based on a review of the FSAR Chapters described above, the NRC staff concludes the TRPS design meets the first design attribute of SHINE Design Criterion 16 that protection systems are designed to ensure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels, do not result in loss of the protection function or are demonstrated to be acceptable on some other defined basis.

FSAR Section 7.4.5.2.1 states:

Functional diversity and diversity in component design are used to prevent loss of the protection function. Functional diversity is discussed in Subsection 7.4.5.2.5. Field programmable gate arrays (FPGAs) in each division are of a different physical architecture to prevent common cause failure (CCF) (Subsection 7.4.5.2.4).

SHINE FSAR Section 7.4.5.2.5 further describes how the functional allocation of different process parameters on different SFMs and diversity in component design are used to prevent loss of the protection function. The NRC staff notes that functional diversity is commonly defined as the ability to protect against the same event by monitoring two different parameters to initiate protective actions. This is different from the allocation of functions to different SFMs. While some TRPS monitored variables can protect against the same event or scenario, the FSAR and associated RAI response did not credit or evaluate how this type of functional diversity is achieved in the SHINE design. Therefore, the NRC staff determined that the FSAR does not demonstrate the existence of functional diversity for all events.


SHINE FSAR Section 7.4.5.2.1, Independence, states that the HIPS design incorporates the independence principles outlined in Section 4.0 of HIPS TR. Section 4.2, Safety Function Module, of the HIPS TR states that each SFM, which is a TRPS channel, is dedicated to implementing a safety function or function group which results in the gate level implementation of each safety function being different than the other safety functions. However, the implementation of TRPS with HIPS deviates from the HIPS TR because there are many functions on each SFM. Therefore, while the allocation provides some diversity, it does not provide complete functional diversity as previously credited in the HIPS TR.

SHINE FSAR Sections 7.4.2.1.4, Protection System Independence, and 7.4.5.2.4 state that field programmable gate arrays (FPGAs) in each division are of a different FPGA architecture (static random access memory, flash, or one-time programmable), which is consistent with the diversity in component design and principles of operation of this design criterion. The only difference in component design identified is the use of different FPGAs, and possibly different tools associated with each FPGA; therefore, this design protects against CCFs that are a result of systematic errors in a particular FPGA type (or tool, if different tools are used).

The NRC staff also evaluated the D3 assessment in TECRPT-2019-004 of the TRPS and ESFAS to identify potential vulnerabilities to digital-based CCFs. The staff evaluation of TECRPT-2019-004 concludes there is reasonable assurance that the TRPS and ESFAS designs have adequate diversity that is commensurate with the potential consequences and large safety margins described in Chapter 13 of this SER. See Section 7.4.2.2.4 of this SER.

The NRC staff evaluated the overall diversity strategy and finds the TRPS contains sufficient attributes that are commensurate with the low likelihood of potential CCFs of safety functions concurrent with the design basis scenarios and events in Chapters 4 and 13, and with the potential consequence and large safety margins described in Chapter 13 of this SER.

Protection System Failure Modes

NUREG-1537 Part 1 Section 7.2.1, Design Criteria, states:

I&C systems should be designed to fail into a safe state on loss of electrical power or exposure to extreme adverse environments.

Consistent with this guidance, the FSAR includes SHINE Design Criterion 17 and states that it is applicable to the TRPS.

SHINE Design Criterion 17 - The protection systems are designed to fail into a safe state if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments are experienced.

TS LCO 3.2.1 states that each division of the TRPS has two 5V power supplies. TS Bases for LCO 3.6.1 states that the 24V power supplies for the TRPS and ESFAS cabinets are also within the scope of LCO 3.6.1 for the UPSS distribution system. The power for the actuated components originates from other sources, but can be controlled (i.e., removed) from the TRPS.

SHINE FSAR Section 7.4.3.8, Loss of External Power, states that on a loss of power to the TRPS, the TRPS deenergizes actuation components and that controlled components associated with safety actuations are designed to go to their safe state when deenergized.


SHINE FSAR Sections 7.4.2.1.5, Protection System Failure Modes, and 7.4.3.5, Operating Conditions, state that the TRPS equipment is qualified in the environments in which it is required to operate.

Based on the information provided in these FSAR Sections, the NRC staff concludes that the TRPS meets SHINE Design Criterion 17.

Separation of Protection and Control Systems

SHINE Design Criterion 18 addresses the separation of protection and control for the TRPS.

SHINE Design Criterion 18 - The protection system is separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system.

Interconnection of the protection and control systems is limited to assure that safety is not significantly impaired.

Generally, facilities that are designed to meet the single failure criterion (as the SHINE Design Criteria require) are required to protect against certain initiating events concurrent with a single failure (and all associated cascading failures) in the protection system. When the design of the facility has a control system and a separate and independent protection system that meets the single failure criterion, then the facility can withstand failure of the control system that causes an initiating event that is assumed as a design basis accident, and then subsequent failure of the protection system.

When the control system and the protection system share components in a 2-out-of-3 trip system, then measures are appropriate to provide separation of protection and control as provided in SHINE Design Criterion 18. The redundancy and independence requirements stated in SHINE Design Criterion 15 and referred to in SHINE Design Criterion 18 are equivalent to requiring that a system meet the single failure criterion. In a 2-out-of-3 system, a failure of a shared component would result in a 2-out-of-2 system, which can protect against the event (i.e., the failure that has occurred), but not in the presence of a single failure in the protection system as provided in SHINE Criterion 18.

A facility that has three sensors that are shared between protection and control systems, and where the protection system uses 2-out-of-3 logic, cannot meet the criteria as stated in SHINE Design Criterion 18, but it can be safe by protecting against the two failures of concern by using other means besides redundancy. The response to RAI 7-9(c) (ADAMS Accession No. ML21272A343) stated that FSAR Section 7.4.2.1.6 was revised to enhance the description of how TRPS meets this criterion. The revised section states there is no shared equipment. Since there is no shared equipment or sensors among the protection and control systems, the NRC I&C technical review staff concludes that the SHINE facility meets Criterion 18.

Protection Against Anticipated Transients

SHINE Design Criterion 19 addresses protection against anticipated transients.


SHINE Design Criterion 19 - The protection systems are designed to ensure an extremely high probability of accomplishing their safety functions in the event of anticipated transients.

The safety functions of the TRPS are evaluated in Section 7.4.4.2.1, Protection System Functions, of this SER. The arrangement of HIPS modules in the TRPS is the same for each safety function; therefore, the evaluation in this section addresses the extremely high probability aspect of this criterion.

SHINE FSAR Section 7.4.2.1.7, Protection Against Anticipated Transients, states that the TRPS is extremely reliable because of its: independence, redundancy, and diversity. The NRC staff considered the reliability of the HIPS equipment as evaluated in Section 7.4.2 of this SER.

As noted above, power and pressure transients are analyzed in FSAR Chapters 4, 5, and 13, but the staff could not independently identify and distinguish a set of anticipated transients apart from design basis accidents with respect to the specific accident-initiating events and scenarios described in Chapter 13. Therefore, the NRC staff reviewed FSAR Chapters 4, 5, and 13, to identify the TRPS functions credited by these chapters regardless of its treatment as either a potential transient or accident. Sections 7.4.2.2 and 7.4.2.3 of this SER describe the HIPS design attributes and design process that provide reasonable assurance of TRPS reliability, and Chapter 13 of this SER further describes the TRPS protection functions that are credited for transients. Based on the TRPS having adequate reliability for protecting against upset conditions in the subcritical aqueous solution environment of the TSV and the significant safety margins described in Chapter 13 of this SER, the staff has reasonable assurance that the TRPS meets SHINE Design Criterion 19.

Monitoring Radioactivity Releases

SHINE Design Criterion 38 - Means are provided for monitoring the primary confinement boundary, hot cell, and glovebox atmospheres to detect potential leakage of gaseous or other airborne radioactive material. Potential effluent discharge paths and the plant environs are monitored for radioactivity that may be released from normal operations, including anticipated transients, and from postulated accidents.

SHINE FSAR Section 7.7, Radiation Monitoring Systems, describes the radiation monitoring systems. FSAR Table 7.4-1, TRPS Monitored Variables, identifies only one radiation monitoring sensor (i.e., RVZ1e IU cell radiation) as initiating a TRPS safety function. Therefore, the NRC staff concludes that the TRPS supports the SHINE facility meeting SHINE Design Criterion 38. The radiation monitoring system is further evaluated in Section 7.4.6 of this SER.

Hydrogen Mitigation

SHINE Design Criterion 39 - Systems to control the buildup of hydrogen that is released into the primary system boundary and tanks or other volumes that contain fission products and produce significant quantities of hydrogen are provided to ensure that the integrity of the system and confinement boundaries is maintained.

SHINE FSAR Section 4a2.8, Gas Management System, describes how the target solution vessel (TSV) off-gas system (TOGS), the vacuum transfer system (VTS), the process vessel vent system (PVVS), the process integrated control system (PICS), and the operator work together to control the buildup of hydrogen.


The NRC staff did not evaluate the adequacy of PICS and operators to control the buildup of hydrogen. The TRPS monitors key parameters of the TOGS system to ensure it is working properly (e.g., per FSAR Section 4a2.8.6: minimum TOGS mainstream flow, minimum TOGS dump tank flow, and minimum oxygen concentration). The TRPS initiates the protective functions evaluated in Section 7.4.2.1.2, Protection System Functions, for IU Cell Nitrogen Purge when setpoints are exceeded for these parameters. Therefore, the NRC staff concludes that the TRPS supports the SHINE facility meeting SHINE Design Criterion 39.

7.4.4.2.2 TRPS System Design Criteria

SHINE FSAR Section 7.4.2.2 outlines several TRPS system-specific design criteria for protective actions, single failure, independence, communication, prioritization, setpoints, bypass and permissives, equipment qualification, surveillance, human factors, access control, software requirements development, and quality. The NRC staff's evaluation of the safety significant TRPS system design criteria is documented in Section 7.4.4.2.1 of this SER as a part of the SHINE facility design criteria evaluation and in Section 7.4.2 of this SE as a part of the HIPS design evaluation. While the NRC staff evaluated the analysis of selected equipment design criteria as subsidiary elements of the broader SHINE Design Criteria, the NRC staff did not independently confirm each TRPS system design criterion and is not specifically making a finding for the TRPS system design criteria.

Design Basis

The design bases (defined in 10 CFR 50.2) predominantly include the specific functions to be performed by SSCs and the specific values or ranges of values chosen for controlling parameters as reference bounds for design.

Other FSAR Chapters demonstrate the design of the facility provides reasonable assurance of safety. SHINE FSAR Chapter 3 provides the design criteria for the facility, FSAR Chapter 4 discusses the intended operations of the facility including I&C, and FSAR Chapter 13 describes accident and transient scenarios that assume protective functions of the TRPS within specified analytical limits. The FSAR Chapter 13 accident analysis and transient scenarios are based on certain required behavior of the TRPS, as described in FSAR Chapter 7.4. This evaluation determines whether FSAR Chapter 7.4 describes the features, credited in other FSAR Chapters, needed to ensure reasonable assurance of safety. This review focused on:

the safety functions to be performed,

the prioritization for commands,

the facility parameter monitored to determine when a safety function is needed,

the value assumed in the analysis at which the safety function is initiated,

the time assumed in the analysis to achieve the safety function, and finally,

the conditions under which the I&C equipment described in FSAR Chapter 7 (i.e., TRPS, & NFDS) must be able to operate, and the TRPS equipment reliably and predictably performs the functions as described in Chapter 7.

7.4.4.3.1 Safety Functions

Generally, the term safety function is used to refer to those design bases functions performed by the safety systems and credited in the safety analysis.

NUREG-1537, Part 1, Section 3.1, Design Criteria, states:

general design criteria should include ... Design to cope with anticipated transients and potential accidents, including those discussed in Chapter 13, "Accident Analyses," of the SAR.

NUREG-1537 Part 2, Section 7.4, Reactor Protection System, states:

In this section, the applicant should thoroughly discuss and describe the RPS, listing the protective functions performed by the RPS

SHINE FSAR Section 7.4.2.1.2, Protection System Functions, includes specific acceptance criteria for two types of design basis events: (1) anticipated transients, and (2) accidents, and states:

There are no anticipated transients that would result in target solution design limits being exceeded.

The FSAR explicitly identifies the safety functions of the TRPS and the safety analyses credit these functions for demonstrating reasonable assurance of adequate safety. The adequacy of the safety analyses is addressed in other chapters of this safety evaluation.

The NRC staff reviewed SHINE FSAR Chapters 4, 5, and 13, to identify the TRPS functions credited in these chapters, and the NRC staff concluded that FSAR Section 7.4.3.1, Safety Functions, includes the TRPS functions credited in these FSAR chapters, and that FSAR Section 7.4 references the FSAR Chapter 13 analyses where these functions are credited. The NRC staff performed an audit to confirm how specific functions were addressed. Based on this evaluation, the NRC staff has reasonable assurance that Section 7.4 describes the TRPS safety functions explicitly credited in FSAR Chapters 4, 5, and 13; therefore, the NRC staff finds that SHINE FSAR Section 7.4 includes the appropriate safety functions to meet the applicable principal design criteria of the facility to cope with anticipated transients and potential accidents, including those discussed in the accident analyses.

7.4.4.3.2 Prioritization

NUREG-1537, Part 1, Section 3.1, Design Criteria, states:

general design criteria should include ... design to cope with anticipated transients and potential accidents ... anticipated transients and potential accidents should include malfunction of any control function

The SHINE facility sometimes uses the same actuated components for normal operational purposes (e.g., for normal operational control), and for implementing the safety functions of the safety-related systems (e.g., TRPS initiated safety functions) for some processes. In these situations, the design must ensure that the commands from the safety system (e.g., to implement a safety function) have priority over the commands from the nonsafety operational or control systems. This prioritization is necessary to ensure that the safety systems are designed to address failures in the operations systems, as described by the preceding paragraph.

SHINE FSAR Section 7.4.2.2.6, Prioritization of Functions, contains a design criterion for prioritization and states:

Priority is provided to automatic and manual safety-related actuation signals over nonsafety-related signals as described in Subsection 7.4.3.12.

Based on this description, the NRC staff has reasonable assurance that TRPS actuation commands have priority over the control system commands.


7.4.4.3.3 Parameters Monitored

NUREG-1537, Part 1, Section 7.1, Summary Description, states:

The general description of each category of I&C subsystem should include the types of parameters monitored, both nuclear and nonnuclear, the number of channels designed to monitor each parameter, the actuating logic that determines the need for actions to change reactor conditions and that takes these actions

NUREG-1537 Part 2, Section 7.4, Reactor Protection System, states:

In this section, the applicant should thoroughly discuss and describe the RPS, listing the parameters monitored to detect the need for protective action.

SHINE FSAR Section 7.4.4.1, Monitored Variables and Response, identifies the parameters monitored to determine when to initiate each safety function, and points to the FSAR Chapter 13 analyses where these monitored variables are credited for initiating each safety function. FSAR Table 7.4-1 identifies the number of sensors used to monitor each parameter. FSAR Figure 7.4-1, TRPS Logic Diagrams, depicts the associated actuation logic. The NRC staff sampled scenarios in FSAR Chapters 4 and 13 to confirm that the TRPS monitored variables include the TRPS facility process parameters credited in FSAR Chapters 4 and 13. Based on this description, the NRC staff finds the FSAR adequately describes the parameters monitored by the TRPS.

7.4.4.3.4 Values Assumed in the Analysis

10 CFR 50.36(c) states:

Technical specifications will include items in the following categories:

(1) Safety limits, limiting safety system settings ...

(2) Limiting Conditions for operation....

NUREG-1537 Part 2, Chapter 7.4, Reactor Protection System, states:

The SAR should contain ... Proposed trip setpoints, time delays, accuracy requirements, and actuated equipment response to verify that the RPS is consistent with the SAR analyses of safety limits, limiting safety system settings (LSSS), and limiting conditions of operation (LCOs), and that this information is adequately included in the technical specifications as discussed in Chapter 14

SHINE FSAR Chapters 4 and 13 include an analysis of events, which is evaluated by the NRC staff to ensure the analyzed events demonstrate reasonable assurance of adequate safety.

Each event that is addressed by protective action in the safety systems is analyzed assuming that a protective action is initiated at a certain value. The NRC staff considers this value the analytical limit for purposes of determining the adequacy of instrumentation and control systems. The limiting setpoints in the TS are determined by starting with the analytical limit and accounting for known uncertainties and drift between surveillances.

The safety limits of the SHINE facility are documented in TS Section 2.1, Safety Limits. The LSSS and lowest functional capability or performance levels of equipment are in the TS LCOs.

The limiting process parameter value assumed in the analysis, where an automatic protective action is initiated, is generally called the Analytic Limit (AL). FSAR Chapter 13 analyses provide justification for the adequacy of the analytical limit (AL) for protecting the safety limit. FSAR setpoint chapters describe that the LSSS values in the TS LCO are chosen to be more conservative than the AL by at least the amount associated with uncertainties in the process measurements. Generally, FSAR Section 7.4.4.1, Monitored Variables and Response, includes a subsection for each TRPS-variable monitored, and each of these subsections identifies the FSAR Chapter 13 subsection(s) and scenario(s) that credit(s) that particular monitored variable for performing a TSPS safety function. Furthermore, FSAR Table 7.4-1 includes the analytical limit(s) for each variable monitored. Based on this description, the NRC staff finds that the FSAR provides safety analytical limits for which the TRPS is designed to protect.

7.4.4.3.5 Response Time

Subparagraph 50.34(b)(2) of 10 CFR requires that the FSAR include:

A description and analysis of the structures, systems, and components of the facility, with emphasis upon performance requirements, the bases, with technical justification therefor, upon which such requirements have been established, and the evaluations required to show that safety functions will be accomplished. The description shall be sufficient to permit understanding of the system designs and their relationship to safety evaluations.

NUREG-1537 Part 2, Section 7.4, Reactor Protection System, states:

The SAR should contain ... actuated equipment response to verify that the RPS is consistent with the SAR analyses

NUREG-1537 Part 2, Section 7.4, Reactor Protection System, states:

The SAR should contain ... time delays ... and actuated equipment response to verify that the RPS is consistent with the SAR analyses of safety limits, limiting safety system settings (LSSS), and limiting conditions of operation (LCOs), and that this information is adequately included in the technical specifications as discussed in Chapter 14

The implementation of a safety function requires that certain protective actions are achieved within a particular time period. To support this need, certain response times should be included in the FSAR. FSAR Section 7.4.2.1.1, Instrumentation and Controls, states (FSAR Section 7.4.4.1 has a similar statement.):

The TRPS monitored variables for performance of design basis functions are presented in Table 7.4-1 and include ... the response time

Chapter 13 of this SER provides the determination of overall response time, as appropriate, to ensure target solution limits are not exceeded as a result of transients and accidents.

Therefore, the NRC staff finds that the TRPS design meets SHINE Design Criterion 14.

7.4.4.3.6 Seismic, Tornado, Flood

SHINE FSAR Section 7.4.3.6, Seismic, Tornado, Flood, states: (1) the TRPS equipment is installed in the seismically qualified portion of the main production facility where it is protected from earthquakes, tornadoes, and floods, and (2) the TRPS equipment is Seismic Category I, designed in accordance with Section 8 of IEEE Standard 344-2013 (IEEE, 2013). The ability of the TRPS to withstand seismic, tornado, and flood events is evaluated in Section 3.4 of this SER.

Technical Specifications

10 CFR 50.36(a)(1) requires that each applicant for a license authorizing operation of a production or utilization facility include in this application proposed technical specifications. A summary statement of the bases or reasons for such specifications, other than those covering administrative controls, shall also be included in the application, but shall not become part of the technical specifications.

10 CFR 50.36(b) requires that the TSs be derived from the analyses and evaluation included in the safety analysis report.

10 CFR 50.36(c) requires the TSs to include:

Safety limits upon important process variables that are found to be necessary to reasonably protect the integrity of certain of the physical barriers that guard against the uncontrolled release of radioactivity (50.36(c)(1)(i)(A));

Limiting safety system settings for automatic protective devices related to those variables having significant safety functions (50.36(c)(1)(ii)(A));

Limiting conditions for operation, which are the lowest functional capability or performance levels of equipment required for safe operation of the facility (50.36(c)(2));

Surveillance requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met (50.36(c)(3)).

NUREG-1537 Part 1, Chapter 14, Technical Specifications, contains guidance regarding the contents of applications in the area of TSs, and states:

The technical specifications are neither derived nor justified in this chapter of the SAR.

They are determined by the analyses that appear in the other chapters of the SAR. Each of the technical specifications should be supported by the SAR, and it is useful to refer to the supporting SAR analysis in the basis of each technical specification.

SHINE FSAR Section 7.4.4.5, Technical Specifications and Surveillance, states, in its entirety:

Limiting Conditions for Operation and Surveillance Requirements are established for TRPS logic, voting, and actuation divisions and instrumentation monitored by TRPS as input to safety actuations.

SHINE FSAR Section 7.4.4.6 states that limiting conditions for operation (LCO) and surveillance requirements (SR) are established for TRPS logic, voting, and actuation divisions. LCOs are established for components of the safety-related I&C systems that perform safety functions to ensure that the system will remain available to perform safety functions when required. SRs are performed at a frequency to ensure that limiting safety system settings are not exceeded.

SHINE FSAR Section 7.2.1 states that SHINE uses a documented methodology for establishing and calibrating setpoints for safety-related I&C functions. Instrument drift between calibrations is accounted for in the setpoint methodology. SHINE safety limits will not be exceeded if required actions are initiated before analytical limits are exceeded. Analytical limits are chosen to include a conservative margin between the analytical limit and the safety limit. The LSSS is the least conservative value that the instrument setpoint can be and still ensure the analytical limits are not exceeded and the safety limits are protected. The LSSS is separated from the analytical limit by an amount not less than the total loop uncertainty for the setpoint determined by the SHINE setpoint methodology. Based on the review of SHINE Technical Specifications Section 3.2, the NRC staff finds that LCO 3.2.1 and SR 3.2.3 include the TRPS logic, voting, actuation divisions, and instrumentation monitored by TRPS as input to safety actuations. Setpoint values in Table 3.2.4-a of the SHINE Technical Specifications are based on the SHINE setpoint calculations for the applicable process variables. The staff evaluation of the adequacy and acceptability of the SHINE TSs related to TRPS is in Section 7.4.10 of this SER. Startup-testing conditions and first use of the instrumentation and the TRPS are discussed in FSAR Section 12.11.2.

Conclusion

The NRC staff has reasonable assurance that the SHINE TRPS is designed to (1) mitigate the consequences of design basis events within the main production facility, (2) provide sense, command, and execute functions necessary to maintain the facility confinement strategy, (3) provide process actuation functions required to shut down processes and maintain processes in a safe condition, and (4) provide system status and measured process variable values to the facility process integrated control system (PICS) for viewing, recording, and trending. The NRC staff has reasonable assurance that the NFDS is adequately described in SHINE FSAR Section 7.8. The NFDS is adequately designed for measurement of the neutron flux signal, signal processing, indication, and interfacing with other systems, including providing analog input to the TRPS. The NRC staff also finds that the TRPS design meets SHINE design criteria 1 through 6, 13 through 19, and 37 through 38. The staff review of the lifecycle development process for HIPS is described in Section 7.4.2 of this SER and the adequacy of HIPS and TRPS-related TS is evaluated in Section 7.4.10 of this SER. Therefore, the NRC staff concludes that the TRPS is capable of performing the allocated design basis safety function under postulated conditions.

Engineered Safety Features Actuation System

The NRC staff evaluated the sufficiency of the SHINE facility ESFAS, as described in SHINE FSAR Section 7.5, Engineered Safety Features Actuation System, using the applicable guidance and acceptance criteria from Section 7.5, Engineered Safety Features Actuation Systems, of NUREG-1537, Parts 1 and 2, and Section 7b.4, Engineered Safety Features Actuation Systems, of the ISG augmenting NUREG-1537, Part 2.

System Description

The applicant describes the ESFAS in FSAR Section 7.5.1, and SHINE TECRPT-2020-0002, Rev. 5, Engineered Safety Features Actuation System Design Description. FSAR Figure 6a2.1-1 is a block diagram of the engineered safety features (ESFs) for the irradiation facility and FSAR Figure 6b.1-1 is a block diagram of the ESF for the radioisotope production facility.

ESFAS is built using the HIPS digital I&C platform. Section 7.4.2 of this SER evaluates the HIPS design for implementation of ESFAS. A general architecture of the ESFAS is shown in SHINE FSAR Figure 7.1-3, Engineered Safety Feature Actuation System Architecture.

The SHINE facility has a safety-related ESFAS I&C system that provides monitoring and actuation functions credited in the safety analysis described in Chapter 13 to prevent the occurrence or mitigate the consequences of design basis events within the SHINE facility. If a monitored variable exceeds its predetermined limits, the ESFAS automatically initiates the associated safety function. The ESFAS monitors variables important to the safety functions for confinement of fission products and tritium, and for criticality safety to perform the following functions:

Radiologically Controlled Area (RCA) Isolation

Supercell Isolation

Carbon Delay Bed Isolation

Vacuum Transfer System (VTS) Safety Actuation

Tritium Purification System (TPS) Train Isolation

TPS Process Vent Actuation

Irradiation Unit (IU) Cell Nitrogen Purge

RPF Nitrogen Purge

Molybdenum Extraction and Purification System (MEPS) Heating Loop Isolation

Extraction Column Alignment Actuation

Iodine and Xenon Purification and Packaging (IXP) Alignment Actuation

Dissolution Tank Isolation

The ESFAS also provides nonsafety-related system status and measured process variable values to the PICS for viewing, recording, and trending.

Design Criteria

SHINE FSAR Section 7.5.2.1, SHINE Facility Design Criteria, states that the generally applicable SHINE Design Criteria 1 through 6 and SHINE Design Criteria 13 through 19 and 37 through 39 apply to the ESFAS. The subsections below therefore include an evaluation of the ESFAS against each of the applicable SHINE Design Criteria to the extent the ESFAS supports the ability of the overall facility to demonstrate adequate protection against the hazards present.

This section of the SER documents the NRC staff's review and evaluation of the proposed ESFAS system design to perform its safety functions based on the appropriate design criteria to satisfy the 10 CFR 50.34(a)(3) and 50.34(b) requirements. The NRC staff's evaluation of the design of the proposed ESFAS is based on acceptance criteria in Section 7.5 of NUREG-1537, Part 2, including acceptance criteria from the guidance and industry standards referenced by NUREG-1537, as listed in Section 7.2 of this SER.

7.4.5.2.1 SHINE Facility Design Criteria

Each SHINE Design Criterion applicable to the ESFAS is addressed in a separate subsection below.

Quality Standards and Records

SHINE Design Criterion 1 - Safety-related structures, systems, and components (SSCs) are designed, fabricated, erected, and tested to quality standards commensurate with the safety functions to be performed. Where generally recognized codes and standards are used, they are identified and evaluated to determine their applicability, adequacy, and sufficiency and are supplemented or modified as necessary to ensure a quality product in keeping with the required safety function.

SHINE FSAR Section 7.5.2.2.15, Quality, states that the ESFAS design, fabrication, installation, and modification is performed in accordance with a quality assurance program which conforms to the guidance of ANSI/ANS 15.8-1995 as endorsed by Regulatory Guide 2.5 and in accordance with the HIPS platform vendor's project quality assurance plan described in FSAR Section 7.4.5.4. SHINE is responsible for oversight of the vendor and maintaining the vendor as an approved supplier on the approved supplier list. FSAR Section 7.5.3.12 outlines the codes and standards applicable to the ESFAS design, fabrication, installation, and testing.

Therefore, the NRC staff finds that the safety-related ESFAS meets SHINE Design Criterion 1.

Natural Phenomena Hazards

SHINE Design Criterion 2 - The facility structure supports and protects safety-related SSCs and is designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches as necessary to prevent the loss of capability of safety-related SSCs to perform their safety functions.

SHINE FSAR Section 7.5.3.5 states that the ESFAS equipment is installed in the seismically qualified portion of the main production facility where it is protected from earthquakes, tornadoes, and floods. The ESFAS equipment is Seismic Category I, tested using biaxial excitation testing and triaxial excitation testing, in accordance with Section 8 of IEEE Standard 344-2013. Based on the NRC staff's evaluation in Chapter 3 of this SER for natural phenomena, and SHINE FSAR Section 7.5.3.4 for seismic events, the staff finds that the safety-related ESFAS meets SHINE Design Criterion 2.

Fire Protection

SHINE Design Criterion 3 - Safety-related SSCs are designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions.

SHINE FSAR Section 7.5.3.8, Fire Protection, states that the ESFAS design uses physical separation to minimize the effects from fire or explosion. ESFAS equipment in different divisions is located in separate fire areas except for the facility control room and in other locations where end devices are installed. Physical separation is used to achieve separation of redundant sensors. Wiring for redundant divisions uses physical separation and isolation to provide independence for circuits. Separation of wiring is achieved using separate wireways and cable trays for each of Divisions A, B, and C. Field Instruments are located in separate fire areas. Within the facility control room, Division A and C ESFAS cabinets are separated by a minimum of 4 feet and are located on the opposite side of the facility control room from where Division B cabinets are located. Nonsafety-related ESFAS inputs and outputs are routed in non-divisional cable raceways and are segregated from safety-related inputs and outputs.

Spatial separation between cable and raceway groups is in accordance with IEEE Standard 384-2008. Portable Class A and Class C fire extinguishers are located in the control room to extinguish fires originating within a cabinet, console, or connecting cables. Noncombustible and heat resistant materials are used whenever practical in the ESFAS design, particularly in locations such as confinement boundaries and the facility control room. Additional information on fire protection can be found in FSAR Section 9a2.3, Fire Protections Systems and Programs. Therefore, the NRC staff finds that the ESFAS design meets SHINE Design Criterion 3.

Environmental and Dynamic Effects

SHINE Design Criterion 4 - Safety-related SSCs are designed to perform their functions with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents. These SSCs are appropriately protected against dynamic effects and from external events and conditions outside the facility.

SHINE FSAR Section 7.5.2.2.11 states that the ESFAS rack mounted equipment is installed in a mild operating environment and is designed for the facility control room environmental parameters outlined in FSAR Table 7.2-2. Rack mounted ESFAS equipment is tested to appropriate standards to show that the effects of EMI/RFI and power surges are adequately addressed. This testing includes emissions testing, susceptibility testing, and surge withstand testing. Appropriate grounding of the ESFAS is performed in accordance with Section 5.2.1 of IEEE Std. 1050-2004. SHINE FSAR Section 7.5.3.4 states that the cables for the ESFAS are routed through the radiologically controlled area to the process areas. The routed cables have the potential to be exposed to more harsh conditions than the mild environment of the facility control room. The sensors are located inside the process confinement boundary; therefore, the terminations of the cables routed to the sensors are exposed to the high radiation environment.

During normal operation, the ESFAS equipment will operate in the applicable normal radiation environments identified in FSAR Table 7.2-1 for up to 20 years and will be replaced at a frequency sufficient to ensure that the radiation qualification of the affected components is not exceeded. The radiation qualification of the affected components is based upon the total integrated dose (TID) identified in FSAR Table 7.2-1 being less than the threshold values identified in industry studies.

The environmental conditions for ESFAS components are outlined in FSAR Tables 7.2-1 through 7.2-3. Therefore, the NRC staff finds that the ESFAS design meets SHINE Design Criterion 4.

Sharing of Structures, Systems, and Components

SHINE Design Criterion 5 - Safety-related SSCs are not shared between irradiation units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions.

SHINE FSAR Section 7.5.2.1 states that the ESFAS does not share components between irradiation units. FSAR Section 7.5.2.1.6, Separation of Protection and Control Systems, states that there are no sensor outputs that have both an ESFAS safety-related protection function and a nonsafety-related control function. Based on review of ESFAS monitored variables in FSAR Table 7.5-1, ESFAS Monitored Variables, and ESFAS logic diagrams in FSAR Figure 7.5-1, the NRC staff finds that the ESFAS does not share components between irradiation units unless that sharing will not significantly impair the ability to perform the required safety functions. Therefore, the NRC staff finds that the ESFAS design meets SHINE Design Criterion 5.

Control Room

SHINE Design Criterion 6 - A control room is provided from which actions can be taken to operate the irradiation units safely under normal conditions and to perform required operator actions under postulated accident conditions.

SHINE FSAR Section 7.5.2.2.14, Human Factors, states that the ESFAS design provides capability for manual actuation of ESFAS safety functions in the facility control room. ESFAS logic diagrams in FSAR Figure 7.5-1 show the logic for manual actuation of ESFAS safety functions. The ESFAS includes redundantly isolated outputs for each safety-related instrument channel to provide monitoring and indication information to the PICS, which includes indication of ESFAS actuation device status. This supports operator actions under postulated accident conditions. Therefore, the NRC staff finds that the ESFAS design meets SHINE Design Criterion 6.

Instrumentation and Controls

SHINE Design Criterion 13 - Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated transients, and for postulated accidents as appropriate to ensure adequate safety, including those variables and systems that can affect the fission process, the integrity of the primary system boundary, the primary confinement and its associated systems, and the process confinement boundary and its associated systems. Appropriate controls are provided to maintain these variables and systems within prescribed operating range.

In response to RAI 7-13, the applicant states that each division of the ESFAS transmits monitoring and indication information to the PICS. The following information from the ESFAS is displayed in the facility control room (FCR):

Mode and Fault status for each HIPS module

Status and value of the monitored variables identified in Table 7.5-1 of the FSAR

Trip/Bypass switch status

Divisional partial trip determination status

Divisional full trip determination status

Actuation output and fault status

Actuated component position feedback status

The ESFAS monitoring and indication information is available to the operators in the FCR at the PICS operator workstations. A subset of the ESFAS monitoring and indication information is displayed at the main control board in the FCR near the manual control switches for actuating ESFAS safety functions. The ESFAS provides redundant outputs to the PICS. The PICS receives the outputs from the ESFAS onto a fault-tolerant server comprised of internal redundant physical servers. The use of redundant outputs from the ESFAS to redundant internal physical servers on the PICS ensures that a failure would not prevent the operator from obtaining or resolving conflicting information. By displaying ESFAS monitoring and indication information at multiple locations in the FCR, including near manual controls for actuating ESFAS equipment, the design ensures the operator has sufficient information to operate the facility and take manual operator action, as necessary.

SHINE FSAR Section 7.4.5.2.4 provides a description of the information available to the operators in the FCR. SHINE FSAR Section 7.5.4.1, Monitored Variables and Response, provides a discussion of the ESFAS response to each monitored variable (signal input). Table 7.5-1 provides the instrument range, accuracy, response time, and a specified analytical limit. The staff did not review specific design information or performance data for the sensors/instruments listed in Table 7.5-1, and therefore did not specifically confirm the validity of performance parameters assigned to each instrument.

SHINE will test and qualify the instrumentation in accordance with Technical Specifications and SHINE FSAR Section 12.11.2, Startup Tests.

Based on the information provided, the NRC staff confirmed that the variables listed in FSAR Table 7.5-1 are used for display and to initiate defined actuation of the applicable ESF. Further, these variables have operable protection capability in all operating modes and conditions, as analyzed in the FSAR for the complete range of normal facility operating conditions and to cope with anticipated transients and potential accidents evaluated. The adequacy of PICS, consoles, and displays in meeting Criterion 13 is addressed separately in Section 7.4.6 of this SER.

Protection System Functions

SHINE Design Criterion 14 - The protection systems are designed to: (1) initiate, automatically, the operation of appropriate systems to ensure that specified acceptable target solution design limits are not exceeded as a result of anticipated transients; and (2) sense accident conditions and to initiate the operation of safety-related systems and components.

SHINE FSAR Section 7.5.2.1.2, Protection System Functions, states that there are no anticipated transients that require the initiation of the ESFAS to ensure specified acceptable target solution design limits are not exceeded and refers to FSAR Section 7.5.3.1, Safety Functions, that describes the ESFAS safety functions that are relied upon for specific accident scenarios. Based on review of these FSAR sections and the ESFAS logic diagrams depicted in FSAR Figure 7.5-1, the NRC staff finds that the ESFAS is designed to perform the safety functions for transients and accidents credited by FSAR Chapter 13 necessary to maintain the facility confinement strategy and provides process actuation functions required to shut down processes and maintain processes in a safe condition. The FSAR does not appear to describe the total system response time assumed or credited for all event scenarios in Chapter 13, or how the instrument response time specified in FSAR Table 7.5-1 relates to the total system response time assumed in any associated analyses. The NRC staff also reviewed selected calculations to confirm that the response time in FSAR Table 7.5-1 is consistent with the total response time assumed in the accident analysis for instrument response time, HIPS response time, and actuation time. The staff reviewed SHINE CALC-2019-0045, Rev. 1, MEPS heating Loop Radiation Extraction Area A/B/C. Review of the calculation provides reasonable assurance of the basis for the response time values listed in Table 7.5-1. Chapter 13 of this SER provides the evaluation of overall response times, as appropriate, to ensure target solution limits are not exceeded as a result of transients and accidents. Therefore, the NRC staff finds that the ESFAS design meets SHINE Design Criterion 14.

Protection System Reliability and Testability

SHINE Design Criterion 15 - The protection systems are designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection systems are sufficient to ensure that: (1) no single failure results in loss of the protection function, and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection systems are designed to permit periodic testing, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

SHINE FSAR Section 7.5.2.1.3 states that the HIPS platform design for the ESFAS supports high functional reliability by:

Incorporating predictability and repeatability principles to ensure an extremely high probability of accomplishing safety functions.

ESFAS contains capabilities for inservice testing for those functions that cannot be tested while the associated equipment is out of service. The HIPS maintenance bypass function allows for an individual SFM to be removed from service in accordance with the technical specifications, for the purpose of performing required technical specification surveillance testing to verify the operability of ESFAS components during system operation, which supports in-service testability.

SSCs that comprise a division are physically separated to retain the capability of performing the required safety functions during a design basis accident.

Redundancy within the ESFAS consists of two or three divisions of input processing and trip determination and two divisions of actuation logic arranged such that no single failure can prevent a safety actuation when required. An ESFAS channel can be taken out of service without an adverse impact on redundancy.

Self-test features are provided for the HIPS components that do not have setpoints or tunable parameters. Self-testing capabilities provide indication of component degradation and failure, which allows action to be taken to ensure that no single failure results in the loss of the protection function.

The NRC staff's evaluation of the HIPS platform design for the TRPS and ESFAS in Section 7.4.2, HIPS Design, of this SER finds that the high functional reliability features discussed above have been adequately implemented in the HIPS platform. Specifically, the NRC staff's evaluation in Sections 7.4.2.1.4, HIPS Diagnostics and Self-testing, 7.4.2.1.5, Operational and Maintenance Bypass, 7.4.2.2.1, Independence, 7.4.2.2.2, Redundancy, and 7.4.2.2.3, Predictability and Repeatability, of this SER finds that the HIPS platform design for TRPS and ESFAS provides for high functional reliability and testability and thereby meets SHINE Design Criterion 15.

Protection System Independence

SHINE Design Criterion 16 - The protection systems are designed to ensure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels, do not result in loss of the protection function or are demonstrated to be acceptable on some other defined basis.

Design techniques, such as functional diversity or diversity in component design and principles of operation, are used to the extent practical to prevent loss of the protection function.

SHINE FSAR Section 7.5.2.1.4, Protection System Independence, states that the ESFAS control and logic functions operate inside of the facility control room where the environment is mild, not exposed to the irradiation process, and is protected from earthquakes, tornadoes, and floods. The ESFAS SSCs that comprise a division are physically separated to retain the capability of performing the required safety functions during a design basis accident. Division independence is maintained throughout, extending from the sensor to the devices actuating the protective function. Functional allocation of different process parameters on different SFM and diversity in component design are used to prevent loss of the protection function. FSAR Section 7.5.3.4 states that the ESFAS components are qualified to the environmental and radiological parameters provided in FSAR Tables 7.2-1 through 7.2-3. SHINE FSAR Section 7.5.3.5 states that the ESFAS equipment is installed in the seismically qualified portion of the main production facility where it is protected from earthquakes, tornadoes, and floods. The ESFAS equipment is Seismic Category I, tested using biaxial excitation testing and triaxial excitation testing, in accordance with Section 8 of IEEE Std. 344-2013. FSAR Section 7.5.2.2.11 states that the rack mounted ESFAS equipment is tested to appropriate standards to show that the effects of EMI/RFI and power surges are adequately addressed. This testing includes emissions testing, susceptibility testing, and surge withstand testing. Appropriate grounding of the ESFAS is performed in accordance with Section 5.2.1 of IEEE Std. 1050-2004.

Based on the above discussion and the NRC staff's evaluation of equipment qualification in Section 7.4.2.1.3 and diversity in Section 7.4.2.2.4 of this SER, the staff finds that the SHINE protection systems meet the SHINE Design Criterion 16, considering the potential consequences and large safety margins described in Chapter 13 of this SER. This ensures that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function.

Protection System Failure Modes

SHINE Design Criterion 17 - The protection systems are designed to fail into a safe state if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments are experienced.

SHINE FSAR Section 7.5.2.1.5, Protection System Failure Modes, states that controlled components associated with safety actuations are designed to go to their safe state when deenergized. FSAR Table 7.5-2 identifies the fail-safe positions of the ESFAS safety actuation components on loss of power. SHINE FSAR Section 7.5.3.4 states that the ESFAS equipment is qualified for radiological and environmental hazards present during normal operation and postulated accidents. During normal operation, the ESFAS equipment will operate in the applicable normal radiation environments identified in FSAR Table 7.2-1 for up to 20 years and will be replaced at a frequency sufficient to ensure that the radiation qualification of the affected components, which is based upon the total integrated dose (TID) identified in FSAR Table 7.2-1, is not exceeded.

Based on the information provided above, the NRC staff's evaluation of equipment qualification and of protection system reliability and testability in Sections 7.4.2.1.3 and 7.4.5.2.1 of this SER, and the evaluation of the ESFAS logic diagrams in FSAR Figure 7.5-1, Sheets 1 through 27, the NRC staff finds that the ESFAS is designed to fail into a safe state and will perform its protective actions upon loss of power, loss of an ESFAS component, or adverse environmental conditions.

Therefore, the NRC staff concludes that the ESFAS is designed to perform the required protective actions in the presence of any single failure or malfunction and meets the SHINE Design Criterion 17, design acceptance criterion in NUREG-1537, Part 2, for single failure, and the design acceptance criteria in Sections 5.1 and 5.4 of ANSI/ANS 15.15-1978 for single failure and fail-safe.

Separation of Protection and Control Systems

SHINE Design Criterion 18 - The protection system is separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system.

Interconnection of the protection and control systems is limited to assure that safety is not significantly impaired.

SHINE FSAR Section 7.5.2.1.6 states that there are no sensor outputs that have both an ESFAS safety-related protection function and a nonsafety-related control function. There are no inputs to the ESFAS from the PICS that are used in the determination of protective actions.

Nonsafety-related inputs to the ESFAS from the PICS are limited to those for controls and for monitoring-and-indication-only variables. SHINE FSAR Section 7.5.3.3 states that the nonsafety control signals from the PICS are implemented through a hardwired parallel interface that requires the PICS to send a binary address associated with the output state of the EIM along with a mirrored complement address. The mirrored complement address prevents any single incorrectly presented bit from addressing the wrong EIM output state. The ESFAS contains an enable nonsafety switch that controls when the hardwired parallel interface within the APL is active, thus controlling when the PICS inputs can operate ESFAS components. When the enable nonsafety switch is not active, the nonsafety-related control signal is ignored. If the enable nonsafety switch is active, and no automatic or manual safety actuation command is present, the nonsafety-related control signal can control the ESFAS component. The hardwired module provides isolation for the nonsafety-related signal path.

Based on the information provided above and the NRC staff's evaluation in Sections 7.4.2.2.1, Independence, 7.4.2.2.2, Redundancy, and 7.4.2.2.6, Prioritization of Functions, of this SER, the NRC staff finds that the ESFAS is adequately separated from the PICS such that failure of any single PICS component, or failure or removal from service of any single ESFAS component or channel, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the ESFAS. Interconnection of the ESFAS and PICS is designed to assure that safety is not significantly impaired. Therefore, the NRC staff concludes that the ESFAS design meets SHINE Design Criterion 18.

Protection Against Anticipated Transients

SHINE Design Criterion 19 - The protection systems are designed to ensure an extremely high probability of accomplishing their safety functions in the event of anticipated transients.

SHINE FSAR Section 7.5.2.1.7 states that the HIPS platform's implementation of the ESFAS ensures an extremely high probability of accomplishing the required safety functions by applying the attributes of independence, redundancy, and predictability and repeatability. Collectively, these attributes ensure the ESFAS functions in a highly consistent manner with high reliability.

Independence principles contribute to ensuring an extremely high probability of accomplishing safety functions by ensuring that SSCs that comprise a division are physically separated.

Redundancy principles contribute to ensuring an extremely high probability of accomplishing safety functions by ensuring that no single failure can prevent a safety actuation. Predictability and repeatability principles contribute to ensuring an extremely high probability of accomplishing safety functions by ensuring the ESFAS produces the same outputs for a given set of input signals within well-defined response time limits.

Based on the information provided above and the staff's evaluation in Sections 7.4.2.2.1, Independence, 7.4.2.2.2, Redundancy, and 7.4.2.2.3, Predictability and Repeatability, of this SER, the NRC staff finds that the ESFAS is designed to ensure an extremely high probability of accomplishing its safety functions in the event of anticipated transients. Therefore, the NRC staff finds that the ESFAS meets SHINE Design Criterion 19 and the acceptance criterion in NUREG-1537, Part 2, for single failure, and the design acceptance criteria in Sections 5.1 and 5.4 of ANSI/ANS 15.15-1978 for single failure and fail-safe.

Criticality Control in the Radioisotope Production Facility

SHINE Design Criterion 37 - Criticality in the radioisotope production facility is prevented by physical systems or processes and the use of administrative controls. Use of geometrically safe configurations is preferred. Control of criticality adheres to the double contingency principle. A criticality accident alarm system to detect and alert facility personnel of an inadvertent criticality is provided.

SHINE FSAR Section 7.5.2.1.8, Criticality Control in the Radioisotope Production Facility, states that the ESFAS provides the following two safety functions as required by the SHINE criticality safety program described in FSAR Section 6b.3, Nuclear Criticality Safety.

Vacuum Transfer System (VTS) Safety Actuation - This safety function stops the transfer of target solution or other radioactive solutions upon indication of potential upset conditions. The VTS vacuum header liquid detection signal protects against an overflow of the vacuum lift tanks to prevent a potential criticality event as described in SHINE FSAR Section 6b.3.2.5, Vacuum Transfer System.

TSPS Dissolution Tank Isolation - Dissolution tank isolation is relied upon as a safety-related control for preventing a criticality event as described in SHINE FSAR Section 6b.3.2.4, Target Solution Preparation System. This safety function protects against a criticality event due to excess fissile material in a non-favorable geometry system and prevents overflow of the dissolution tank into the uranium handling glovebox or ventilation system.

SHINE FSAR Section 6b.3.1.4, Nuclear Criticality Safety Evaluations, states that for the purposes of nuclear criticality safety evaluations (NCSEs), criticality events are always considered to be high consequence, with a strict emphasis on selection of controls to prevent criticality, and where the double contingency principle (DCP) is employed. The NCSE contains a description of its implementation. SHINE FSAR Section 6b.3.2, Criticality Safety Controls, describes the criticality safety controls and states that the failure of a single nuclear criticality safety (NCS) control which maintains two or more controlled parameters is considered a single process upset when determining whether the DCP is met. Passive engineered geometry controls are the most preferred type of NCS controls. Otherwise, the preferred hierarchy of NCS controls is (1) passive engineered, (2) active engineered, (3) enhanced administrative, and (4) administrative. Generally, control on two independent criticality parameters is preferred over multiple controls on a single parameter. If redundant controls on a single parameter are used, a preference is given to diverse means of control on that parameter. SHINE FSAR Section 6b.3.2 describes the following systems that require active engineered criticality safety control:

SHINE FSAR Section 6b.3.2.4: Target Solution Preparation System (TSPS) - High level within the dissolution tanks requires application of the DCP to prevent criticality accidents. The dissolution tanks are equipped with high level controls that are interlocked with isolation valves on cooling and ventilation lines.

SHINE FSAR Section 6b.3.2.5: Vacuum Transfer System (VTS) - The inadvertent transfer of solution to a non-fissile system requires application of the DCP to prevent criticality accidents. The VTS piping design and features prevent transfer of target solution to non-favorable geometry components within the VTS. The vacuum headers are equipped with liquid detection that stops transfers upon detection of liquid.

SHINE FSAR Section 6b.3.2.8: Radioactive Drain System (RDS) - Precipitation of solids requires application of the DCP to prevent criticality accidents. The hold tanks are equipped with level instrumentation to detect a leak of solution transferred to RDS.

FSAR Section 7.3.1.3.3, Radioactive Drain System, states that drains from vaults, trenches, and other areas where uranium-bearing solutions may be present are part of the RDS. PICS is used to provide indication of leakage and the presence of liquid in the RDS sump tanks to alert the operator of abnormal situations.

The NRC staff's evaluation of the NCSEs and CAAS is documented in Section 6b.3.3 of this SER. Based on the information provided above, the NRC staff finds that the TSPS dissolution tank level signals protect against a criticality event due to excess fissile material in a non-favorable geometry system since the TSPS dissolution tank level signal is received by the ESFAS and a high level in either dissolution tank initiates TSPS dissolution tank isolation. Additionally, the NRC staff finds that the VTS vacuum header liquid detection signal protects against an overflow of the vacuum lift tanks to prevent a potential criticality event because the VTS vacuum header liquid detection signal is received by the ESFAS and upon detection of liquid in the VTS vacuum header a VTS safety actuation is initiated. Further, the NRC staff finds that the RDS liquid detection signal detects leakage or overflow from other tanks and piping since the RDS liquid detection signal is received by the ESFAS and upon detection of liquid in the RDS a VTS Safety Actuation is initiated. Therefore, the NRC staff finds that the ESFAS design meets SHINE Design Criterion 37.

Monitoring Radioactivity Releases

SHINE Design Criterion 38 - Means are provided for monitoring the primary confinement boundary, hot cell, and glovebox atmospheres to detect potential leakage of gaseous or other airborne radioactive material. Potential effluent discharge paths and the plant environs are monitored for radioactivity that may be released from normal operations, including anticipated transients, and from postulated accidents.

SHINE FSAR Section 7.5.2.1.9, Monitoring Radioactivity Releases, states the ESFAS monitors for potential radioactivity releases from the following various areas of the main production facility:

Radiological Ventilation Zones - SHINE FSAR Section 7.5.3.1.24, RCA Isolations, states that ESFAS monitors radiation in the radiological ventilation zone 1 (RVZ1) and RVZ2 exhaust for an RCA isolation actuation.

Super Cell Areas - SHINE FSAR Sections 7.5.3.1.1 through 7.5.3.1.10 state that the ESFAS monitors radiation at the outlet of each supercell area 1 through area 10 for respective supercell area(s) isolation actuation.

TPS Confinement - SHINE FSAR Sections 7.5.3.1.18 through 7.5.3.1.20 state that ESFAS monitors tritium purification system (TPS) confinement tritium for the respective TPS train isolation actuation.

SHINE FSAR Section 7.4.4.1.15, High RVZ1e IU Cell Exhaust Radiation, states that the high RVZ1e IU cell exhaust radiation is measured on the exhaust of the PCLS expansion tank located in each IU cell. High RVZ1e IU Cell exhaust radiation signal is generated by TRPS when an RVZ1e IU cell exhaust radiation input exceeds the high level setpoint.

SHINE FSAR Section 7.7.2, Nonsafety-Related Process Radiation Monitoring, states that nonsafety-related process radiation monitoring is provided as part of various systems to provide information to the operator on the status and effectiveness of processes. They may be used to diagnose process upsets but are not relied upon to prevent or mitigate accidents.

SHINE FSAR Section 7.7.3, Area Radiation Monitoring, states that the area radiation monitoring within the facility is provided by the radiation area monitoring system (RAMS). Area radiation monitors are in areas where personnel may be present and where radiation levels could become significant. The monitors provide local and remote indication of radiation levels and provide local alarms to notify personnel of potentially hazardous conditions.

SHINE FSAR Section 7.7.4, Continuous Air Monitoring, states that continuous airborne contamination monitoring within the facility is provided by the continuous air monitoring system (CAMS). Each CAMS unit samples air and provides real time alpha and beta activities or tritium activity to alert personnel when airborne contamination is above preset limits. CAMS units are in areas where personnel may be present and where contamination levels could become significant. Each CAMS unit provides local and remote indication of airborne radiation levels and alarm capabilities.

SHINE FSAR Section 7.7.5, Effluent Monitoring, states that effluent monitoring for the facility is provided by the SRMS. The SRMS is composed of two monitoring units: the main facility stack release monitor (SRM), and the carbon delay bed effluent monitor (CDBEM). The SRM is used to demonstrate that gaseous effluents from the main production facility are within regulatory limits and does not have an accident mitigation or personnel protection function. The SRM performs its function by drawing a representative air sample from the stack and providing a means to measure the air sample for noble gases (continuous measurement) and capturing particulates, iodine, and tritium for collective measurement. The CDBEM monitors for noble gases at the exhaust of the process vessel vent system (PVVS) carbon delay beds to provide information about the health of the PVVS carbon delay beds and to provide the ability to monitor the safety-related exhaust point effluent release pathway when it is in use. The CDBEM is used on an as-needed basis to demonstrate that gaseous effluents from the main production facility are within regulatory limits (e.g., during a loss of off-site power when the normal heating, ventilation, and air conditioning [HVAC] systems and the PVVS are not operating) and does not have an accident mitigation or personnel protection function. Two particulate and iodine filters (redundant configuration) are provided for in-line capturing and collective measurement when the safety-related exhaust point is in use.

Based on the above discussion, the NRC staff finds that means are provided for monitoring the primary confinement boundary, hot cell, and glovebox atmospheres to detect potential leakage of gaseous or other airborne radioactive material. Potential effluent discharge paths and the plant environs are monitored for radioactivity that may be released from normal operations, including anticipated transients, and from postulated accidents. Therefore, the NRC staff finds that the SHINE facility, including the ESFAS, meets SHINE Design Criterion 38.

Hydrogen Mitigation

SHINE Design Criterion 39 - Systems to control the buildup of hydrogen that is released into the primary system boundary and tanks or other volumes that contain fission products and produce significant quantities of hydrogen are provided to ensure that the integrity of the system and confinement boundaries is maintained.

FSAR Section 7.5.2.1.10 states that the ESFAS monitors variables and provides actuations to protect against hydrogen deflagration in various areas in the SHINE main production facility.

FSAR Section 7.5.4.1.14 states that the TRPS IU cell nitrogen purge signal protects against a loss of hydrogen mitigation capabilities in the irradiation units. The ESFAS initiates an IU Cell nitrogen purge based on the TRPS IU cell nitrogen purge signal. Upon receipt of a TRPS IU cell nitrogen purge initiation signal, ESFAS initiates IU Cell Nitrogen Purge.

FSAR Section 7.5.4.1.15 states that the PVVS flow signal protects against loss of hydrogen mitigation capabilities in the RPF. The ESFAS initiates an RPF nitrogen purge based on low PVVS flow.

SHINE FSAR Section 7.5.4.1.19, UPSS Loss of External Power, states that the loss of external power signal protects against an anticipatory loss of hydrogen mitigation in the IU cell.

The ESFAS provides an ESFAS loss of external power actuation signal to the TRPS subsystem associated with each IU cell upon receipt of an uninterruptible electrical power supply system (UPSS) loss of external power signal to initiate an IU Cell Nitrogen Purge within the TRPS. The ESFAS initiated IU Cell Nitrogen Purge signal is provided to each of the eight TRPS subsystems as an ESFAS loss of external power signal.

Based on the discussion above, the NRC staff finds that the ESFAS is designed to initiate nitrogen purge to control the buildup of hydrogen that is released into the primary system boundary and tanks or other volumes that contain fission products and produce significant quantities of hydrogen to ensure that the integrity of the system and confinement boundaries is maintained. Therefore, the NRC staff finds that the ESFAS design meets the SHINE Design Criterion 39.

7.4.5.2.2 ESFAS System Design Criteria

SHINE FSAR Section 7.5.2.2, ESFAS System Design Criteria, outlines several ESFAS system-specific design criteria for protective actions, single failure, independence, communication, prioritization, setpoints, bypass and permissives, equipment qualification, surveillance, human factors, access control, software requirements development, and quality. The NRC staff's evaluation of the safety-significant ESFAS system design features and attributes is documented in Section 7.4.5.2.1 of this SER as a part of the SHINE Design Criteria evaluation and in Section 7.4.2 of this SER as a part of the HIPS design evaluation. While the NRC staff evaluated the analysis of selected equipment design criteria as subsidiary elements of the broader SHINE Design Criteria, the NRC staff did not independently confirm each ESFAS system design criterion and is not specifically making a finding for the ESFAS system design criteria.

Design Basis

The ESFAS is a safety-related system designed to monitor process variables and provide automatic initiating signals in response to off-normal conditions, providing protection against unsafe conditions in the main production facility. The HIPS digital I&C platform is used to implement the ESFAS logic, and the design basis associated with the HIPS platform is evaluated in Section 7.4.2 of this SER. The following is the NRC staff's evaluation of the ESFAS-specific design basis.

7.4.5.3.1 Safety Functions

SHINE FSAR Section 7.5.3.1 describes the safety functions performed by ESFAS to mitigate the consequences of design basis events credited in FSAR Chapter 13. The ESFAS monitors variables associated with the safety functions for confinement of radiation and tritium within the irradiation facility (IF) and the radioisotope production facility (RPF) and for criticality safety. For each ESFAS safety function, this FSAR section identifies the components that actuate based on monitored variables and associated system actuation. SHINE FSAR Section 7.5.3.6, Human Factors, states that the ESFAS provides manual actuation capabilities for the ESFAS safety functions via the manual push buttons located on the main control board. To support the use of manual safety actuations and reset of protective actions, the ESFAS provides monitored process parameters information, ESFAS actuated components status, and ESFAS actuation function status to the PICS. Based on review of these FSAR sections and the ESFAS logic diagrams depicted in SHINE FSAR Figure 7.5-1, the NRC staff finds that the ESFAS is designed to perform the safety functions credited by the safety analysis in FSAR Chapter 13 necessary to maintain the facility confinement strategy and provides process actuation functions required to shut down processes and maintain processes in a safe condition.

7.4.5.3.2 Completion of ESFAS Protective Actions

SHINE FSAR Section 7.5.3.2 states that ESFAS is designed so that once initiated, protective actions will continue to completion. Only deliberate operator action can be taken to reset the ESFAS following a protective action.

Based on review of the ESFAS logic diagrams in FSAR Figure 7.5-1, the NRC staff finds that ESFAS latches in a protective action and maintains the state of a protective action until operator input is initiated to reset the output of the ESFAS to normal operating conditions. If there is no signal present from the automatic safety actuation or manual actuation, then the enable nonsafety switch would allow an operator, after the switch has been brought to enable, to control the output state of the ESFAS with a control signal from the nonsafety-related PICS.

Therefore, the NRC staff finds that the ESFAS design allows initiated protective actions to continue to completion and that they can only be manually reset by an operator in the absence of a safety actuation signal.
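The latch, reset, and enable nonsafety behaviour evaluated above, together with the mirrored complement address check described under SHINE Design Criterion 18 for the hardwired PICS interface, is modelled below. This Python model is an added example, not SHINE or HIPS design logic: the 4-bit address width, the address values, the output state names, the reading of "mirrored complement" as a bitwise complement, and the operator_reset input are all assumptions.

```python
"""Behavioural model of a safety-over-nonsafety actuation priority path.

Added illustration only: address width, address values, state names and the
operator_reset input are assumptions, not values from the SHINE FSAR or HIPS.
"""
from dataclasses import dataclass
from typing import Optional

ADDR_BITS = 4                      # assumed width of the parallel address
MASK = (1 << ADDR_BITS) - 1
SAFE_STATE = "DEENERGIZED"         # assumed safe (actuated) output state
NORMAL_STATE = "ENERGIZED"         # assumed normal operating output state
# Hypothetical address assignment: the two valid addresses differ in every bit.
ADDR_TO_STATE = {0b0101: NORMAL_STATE, 0b1010: SAFE_STATE}


def decode_nonsafety_command(addr: int, comp: int) -> Optional[str]:
    """Return the requested output state, or None if the pair is rejected.

    "Mirrored complement" is modelled as the bitwise complement of the
    address presented on a second set of lines (an assumption).
    """
    if not (0 <= addr <= MASK and 0 <= comp <= MASK):
        return None
    if addr ^ comp != MASK:         # every address bit must be mirrored by its inverse
        return None
    return ADDR_TO_STATE.get(addr)  # unassigned addresses select nothing


def single_bit_faults_accepted() -> list:
    """Flip each of the 2*ADDR_BITS lines for every valid command and
    return the corrupted (addr, comp) pairs that still decode to a state."""
    accepted = []
    for addr in ADDR_TO_STATE:
        comp = ~addr & MASK
        for line in range(2 * ADDR_BITS):
            a, c = addr, comp
            if line < ADDR_BITS:
                a ^= 1 << line
            else:
                c ^= 1 << (line - ADDR_BITS)
            if decode_nonsafety_command(a, c) is not None:
                accepted.append((a, c))
    return accepted


@dataclass
class ActuationPriorityLogic:
    """One actuated output with latch-to-completion and nonsafety gating."""
    output: str = NORMAL_STATE
    latched: bool = False

    def step(self, auto=False, manual=False, enable_nonsafety=False,
             addr=None, comp=None, operator_reset=False) -> str:
        safety_demand = auto or manual
        if safety_demand:
            self.latched = True        # protective action seals in
        elif self.latched and operator_reset:
            self.latched = False       # deliberate reset, only with no demand present
        if self.latched:
            self.output = SAFE_STATE   # safety command always has priority
            return self.output
        # Assumption: after reset the output holds its state until commanded.
        if enable_nonsafety and addr is not None and comp is not None:
            requested = decode_nonsafety_command(addr, comp)
            if requested is not None:
                self.output = requested
        return self.output


def run_scenario() -> list:
    """Drive the model through a constructed sequence; return the output per step."""
    apl = ActuationPriorityLogic()
    good = (0b0101, 0b1010)            # valid pair requesting NORMAL_STATE
    return [
        apl.step(auto=True),                                            # trip
        apl.step(enable_nonsafety=True, addr=good[0], comp=good[1]),    # latched: ignored
        apl.step(auto=True, operator_reset=True),                       # reset refused
        apl.step(operator_reset=True),                                  # latch cleared
        apl.step(addr=good[0], comp=good[1]),                           # switch off: ignored
        apl.step(enable_nonsafety=True, addr=0b0100, comp=0b1010),      # corrupted pair
        apl.step(enable_nonsafety=True, addr=good[0], comp=good[1]),    # accepted
    ]


if __name__ == "__main__":
    print("single-bit faults accepted:", single_bit_faults_accepted())
    print("scenario outputs:", run_scenario())
```

A fault that flips the same bit position in both words satisfies the complement comparison; this model still rejects it only because the two assigned addresses were chosen to differ in every bit.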

7.4.5.3.3 Single Failure

FSAR Section 7.5.3.3 states that no single failure within the ESFAS results in the loss of the protective function. The HIPS digital I&C platform is used to implement ESFAS, and the ESFAS single failure criterion associated with the HIPS platform is evaluated in Section 7.4.2 of this SER. The following is the NRC staff's evaluation of single failures in the ESFAS design where a passive check valve is credited as a redundant component.

Based on SHINE FSAR Sections 7.5.3.1.17, VTS Safety Actuation, 7.5.3.1.18, TPS Train A Isolation, 7.5.3.1.19, TPS Train B Isolation, 7.5.3.1.20, TPS Train C Isolation, 7.5.3.1.23, RPF Nitrogen Purge, 7.5.3.3, Single Failure, and ESFAS Logic Diagram FSAR Figure 7.5-1, Sheets 13, 14, 15, 18, 19, 20, the ESFAS is designed to actuate only Division A components for the following select safety functions where a passive check valve is credited as a redundant component:

Each of the following Division A valves that closes due to VTS Safety Actuation has a respective redundant passive check valve to prevent backflow should any of the valves fail to close due to a single failure:

- MEPS A/B/C extraction column wash supply valve

- MEPS A/B/C extraction column eluent valve

- MEPS A/B/C wash supply valve

- MEPS A/B/C effluent valve

- IXP recovery column wash supply valve

- IXP recovery column effluent valve

- IXP wash supply valve

- IXP effluent valve

- IXP FNHS supply valve

- IXP liquid nitrogen supply valve

Division A TPS train A/B/C helium supply isolation valve closes due to TPS Train A/B/C Isolation signal. A TPS helium supply check valve is provided in series with the isolation valve to protect against a single failure.

Division A RLWI PVVS isolation valve closes due to an RPF Nitrogen Purge signal. An RLWI PVVS check valve is provided in series with the isolation valve to protect against a single failure.

The NRC staff finds that in each of the above instances, sufficient redundancy is provided such that no single failure results in the loss of the protective function.

Technical Specifications

SHINE FSAR Section 7.5.4.6, Technical Specifications and Surveillance, states that limiting conditions for operation (LCO) and surveillance requirements (SR) are established for ESFAS logic, voting, and actuation divisions and instrumentation monitored by ESFAS as input to safety actuations. LCOs are established for components of the safety-related I&C systems that perform safety functions to ensure that the system will remain available to perform safety functions when required. SRs are performed at a frequency to ensure that limiting safety system settings are not exceeded. SHINE FSAR Section 7.2.1 states that SHINE uses a documented methodology for establishing and calibrating setpoints for safety-related I&C functions.

Instrument drift between calibrations is accounted for in the setpoint methodology. SHINE safety limits will not be exceeded if required actions are initiated before analytical limits are exceeded. Analytical limits are chosen to include a conservative margin between the analytical limit and the safety limit. The LSSS is the least conservative value that the instrument setpoint can be and still ensure the analytical limits are not exceeded and the safety limits are protected.

The LSSS is separated from the analytical limit by an amount not less than the total loop uncertainty for the setpoint determined by the SHINE setpoint methodology. Based on the review of SHINE TSs Section 3.2, the NRC staff finds that LCO 3.2.2, SR 3.2.2, LCO 3.2.4, and SR 3.2.4 include the ESFAS logic, voting, actuation divisions, and instrumentation monitored by ESFAS as input to safety actuations. Setpoint values in Table 3.2.4-a of the SHINE proposed TSs are based on the SHINE setpoint calculations for the applicable process variables. The NRC staff evaluation of the adequacy and acceptability of the SHINE TSs related to ESFAS is in Section 7.4.10 of this SER. Startup-testing conditions and first use of the instrumentation and the ESFAS are discussed in Section 12.11.2 of the FSAR.

Conclusion

The NRC staff has reasonable assurance that the SHINE ESFAS is designed to 1) mitigate the consequences of design basis events within the main production facility, 2) provide sense, command, and execute functions necessary to maintain the facility confinement strategy, 3) provide process actuation functions required to shut down processes and maintain processes in a safe condition, and 4) provide system status and measured process variable values to the facility process integrated control system (PICS) for viewing, recording, and trending. The NRC staff also finds that the ESFAS design meets SHINE design criteria 1 through 6, 13 through 19, and 37 through 39. The staff review of the lifecycle development process for HIPS is described in Section 7.4.2 of this SER and the adequacy of HIPS and ESFAS-related TS is included in Section 7.4.10 of this SER. Therefore, the NRC staff concludes that the ESFAS is capable of performing the allocated design basis safety function under postulated conditions.

Control Console and Display Instruments

The NRC staff evaluated the sufficiency of the SHINE facility control console and display instruments, as described in SHINE FSAR Section 7.6, Control Console and Display Instruments, using the applicable guidance and acceptance criteria from Section 7.6, Control Console and Display Instruments, of NUREG-1537, Parts 1 and 2, and Section 7b.5, Control Console and Display Instruments, of the ISG augmenting NUREG-1537, Part 2.

Radiation Monitoring Systems

The NRC staff evaluated the sufficiency of the SHINE facility RMS, as described in SHINE FSAR Section 7.7, Radiation Monitoring Systems, using the applicable guidance and acceptance criteria from Section 7.7, Radiation Monitoring Systems, of NUREG-1537, Parts 1 and 2, and Section 7b.6, Radiation Monitoring Systems, of the ISG augmenting NUREG-1537, Part 2.

SHINE FSAR Section 7.7 states that the SHINE facility uses the RMS to perform radiation monitoring functions within the facility and that the RMS includes the following safety-related and nonsafety-related equipment:

Safety-related process radiation monitors as a part of ESFAS, TRPS, and TPS;

Nonsafety-related process radiation monitors as a part of other facility processes;

Nonsafety-related RAMS;

Nonsafety-related CAMS; and

Nonsafety-related SRMS for effluent monitoring is comprised of:

- Main facility stack release monitor (SRM)

- Carbon delay bed effluent monitor (CDBEM).

SHINE FSAR Section 7.7 states that the ESFAS and TRPS receive analog signals from the safety-related process radiation monitors for performing their intended safety functions, whereas the nonsafety-related equipment monitors several areas of the facility and provides information to the operator on the status and effectiveness of processes and effluent monitoring.

Nonsafety-related process radiation monitors may be used to diagnose process upsets and are not used to control personnel or environmental radiological exposures. The RAMS provide local and remote indication of radiation levels and provide local alarms to notify personnel of potentially hazardous conditions. Each CAMS unit samples air and provides real time alpha and beta activities or tritium activity to alert personnel when airborne contamination is above preset limits. Both the RAMS and CAMS provide a nonsafety-related defense-in-depth ALARA function of alerting personnel of the need to evacuate an area if required. The SRM is used to demonstrate that gaseous effluents from the main production facility are within regulatory limits and does not have an accident mitigation or personnel protection function. The CDBEM monitors for noble gases at the exhaust of the PVVS carbon delay beds to provide information about the health of the PVVS carbon delay beds and to provide the ability to monitor the safety-related exhaust point effluent release pathway when it is in use. Although the CDBEM monitors a safety-related point in the PVVS system, the CDBEM is not required to perform a safety function. The CDBEM is used on an as-needed basis to demonstrate that gaseous effluents from the main production facility are within regulatory limits (e.g., during a loss of off-site power when the normal HVAC systems and the PVVS are not operating) and does not have an accident mitigation or personnel protection function.

In this section, the NRC staff's evaluation of the RMS is primarily focused on the safety-related process radiation monitors that are used for actuating safety functions performed by ESFAS and TRPS. The evaluation of the nonsafety-related RMS for radiation protection is addressed in Chapter 11, Radiation Protection Program and Waste Management, of this SER.

Safety-Related Process Radiation Monitoring

7.4.7.1.1 System Description

SHINE FSAR Section 7.7.1 states that the safety-related system monitors radiation and actuates safety and protection systems if defined radiation levels are reached. There are different radiation monitors to detect fission products or tritium. The monitors detecting beta and gamma-ray radiation send signals to the TRPS and/or ESFAS to perform safe actuations when abnormal situations within the facility ventilation systems are presented. In addition, radiation monitors will send a signal to the TRPS for interlocking the operation of the neutron driver. The radiation monitors detecting tritium are part of the TPS. If tritium releases to a defined level, then the TPS provides inputs to the ESFAS and provides interlock inputs to the TRPS. SHINE FSAR Table 7.7-1 identifies the safety-related radiation monitors, and SHINE FSAR Section 7.7.1.4.2 refers to FSAR Tables 7.4-1 and 7.5-1 for the instrument ranges, accuracies, and response times of these process radiation monitors.

Safety-related process radiation monitors provide analog signals to the ESFAS and TRPS that are then used to generate actuation signals when radiation levels exceed pre-determined setpoints. SHINE FSAR Section 7.7.1.4.1 describes the safety-related radiation signals processed to generate the different actuation signals.

7.4.7.1.2 Safety-Related Process Radiation Monitors Design Criteria

SHINE FSAR Section 7.7.1.2 states that the generally applicable SHINE Design Criteria 1, 2, and 4 apply to the safety-related process radiation monitors. In addition, SHINE Design Criteria 13 and 38 also apply to the safety-related process radiation monitors. The following sections include an evaluation of the safety-related process radiation monitors against each applicable SHINE Design Criterion.

This section of the SER documents the NRC staff's review and evaluation of the proposed RMS system design to perform its safety functions based on the appropriate design criteria to satisfy the 10 CFR 50.34(a)(3) and 50.34(b) requirements. The NRC staff's evaluation of the RMS design is based on acceptance criteria in Section 7.5 of NUREG-1537, including acceptance criteria from the guidance and industry standards referenced by NUREG-1537, as listed in Section 7.2 of this safety evaluation.

Quality Standards and Records

SHINE Design Criterion 1 - Safety-related structures, systems, and components (SSCs) are designed, fabricated, erected, and tested to quality standards commensurate with the safety functions to be performed. Where generally recognized codes and standards are used, they are identified and evaluated to determine their applicability, adequacy, and sufficiency and are supplemented or modified as necessary to ensure a quality product in keeping with the required safety function.

SHINE FSAR Section 7.7.1.3.9 states that the safety-related process radiation monitors are designed, procured, fabricated, erected, and tested in accordance with the QAPD, and all associated quality records are maintained. The following codes and standards are invoked for design of the safety-related process radiation monitors:

IEEE Std. 323-2003, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations, for environmental qualification;

IEEE Std. 344-2013, IEEE Standard for Seismic Qualification of Equipment for Nuclear Power Generating Stations, Section 8 for seismic qualification;

IEEE Std. 384-2008, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits, for separation of safety-related and nonsafety-related cables and raceways; and

IEEE Std. 1050-2004, IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations, Section 5.2.1 to support electromagnetic compatibility qualification for digital I&C equipment.

Based on the discussion above, the NRC staff has reasonable assurance that the safety-related process radiation monitors meet SHINE Design Criterion 1.

Natural Phenomena Hazards

SHINE Design Criterion 2 - The facility structure supports and protects safety-related SSCs and is designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches as necessary to prevent the loss of capability of safety-related SSCs to perform their safety functions.

SHINE FSAR Section 7.7.1.3.8 states that the process radiation monitors are installed in the seismically qualified portion of the main production facility where they are protected from earthquakes, tornadoes, and floods. The process radiation monitors are Seismic Category I, designed and tested using triaxial testing in accordance with Section 8 of IEEE Std. 344-2013.

Based on the above and the NRC staff's evaluation in Chapter 3 of this SER for natural phenomena, the NRC staff finds that the safety-related process radiation monitors meet SHINE Design Criterion 2.

Environmental and Dynamic Effects

SHINE Design Criterion 4 - Safety-related SSCs are designed to perform their functions with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents. These SSCs are appropriately protected against dynamic effects and from external events and conditions outside the facility.

SHINE FSAR Sections 7.7.1.3.2 and 7.7.1.4 state that the process radiation monitors are designed to operate under normal environmental conditions for an expected 20-year lifetime of the equipment, and under transient conditions until the associated protective function has continued to completion. These process radiation monitors are qualified to the environmental parameters provided in SHINE FSAR Tables 7.2-1, 7.2-3, and 7.2-6 in accordance with the guidance of IEEE Std. 323-2003 Sections 4.1, 5.1, 6.1, and 7. Electromagnetic interference (EMI) / radio-frequency interference (RFI) qualification testing has been performed on these radiation monitors through emissions, susceptibility, and surge withstand capability testing. The process radiation monitors are grounded in accordance with IEEE Std. 1050-2004 Section 5.2.1. Therefore, the NRC staff finds that the safety-related process radiation monitors meet SHINE Design Criterion 4.

Instrumentation and Controls

SHINE Design Criterion 13 - Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated transients, and for postulated accidents as appropriate to ensure adequate safety, including those variables and systems that can affect the fission process, the integrity of the primary system boundary, the primary confinement and its associated systems, and the process confinement boundary and its associated systems. Appropriate controls are provided to maintain these variables and systems within prescribed operating range.

SHINE FSAR Section 7.7.1.2.1 states that the safety-related process radiation monitors are designed to function during normal operation, anticipated transients, and design basis accidents to a level required to detect accident conditions and provide safety-related inputs to the ESFAS and TRPS to initiate protective actions, which are evaluated in Sections 7.4.4 and 7.4.5 of this SER. Setpoints are selected based on analytical limits and calculated to account for known uncertainties in accordance with the setpoint methodology, and these radiation monitors are periodically functionally tested and maintained. SHINE FSAR Table 7.7-1 identifies the safety-related radiation monitors, and the corresponding analytical limits, ranges, accuracies, and response times are identified in SHINE FSAR Tables 7.4-1 and 7.5-1. Therefore, the NRC staff finds that the safety-related process radiation monitors meet SHINE Design Criterion 13.

Monitoring Radioactivity Releases

SHINE Design Criterion 38 - Means are provided for monitoring the primary confinement boundary, hot cell, and glovebox atmospheres to detect potential leakage of gaseous or other airborne radioactive material. Potential effluent discharge paths and the plant environs are monitored for radioactivity that may be released from normal operations, including anticipated transients, and from postulated accidents.

SHINE FSAR Section 7.7.1.2.2 states that the safety-related process radiation monitors provide radiation monitoring for the primary confinement boundary, hot cell, and glovebox atmospheres, and monitor effluent release paths. SHINE FSAR Section 7.7.1.4.1 and SHINE FSAR Table 7.7-1 identify the location for the safety-related radiation monitors. These radiation monitors send an analog signal to the TRPS and ESFAS, which is then sent to PICS for monitoring and alarming purposes. Based on the above information and the NRC staff's evaluation in Section 7.4.5.2.1 of this SER, the staff finds that the design of the safety-related radiation monitors meets SHINE Design Criterion 38.

7.4.7.1.3 Safety-Related Process Radiation Monitors Design Bases

Each safety-related process radiation monitor provides an analog signal proportional to the monitored radiation levels to the ESFAS or TRPS for performing the associated safety function.

The TRPS and ESFAS are safety-related systems designed to monitor process variables and provide automatic initiating signals in response to off-normal conditions, providing protection against unsafe conditions. The HIPS digital I&C platform is used to implement the TRPS and ESFAS logic, and the design basis associated with the HIPS platform is evaluated in Section 7.4.2.5 of this SER. The TRPS- and ESFAS-specific design bases are evaluated in Sections 7.4.4.3 and 7.4.5.3 of this SER, respectively. The following is the NRC staff's evaluation of the specific design basis of the safety-related process radiation monitors.

Design Bases Functions

SHINE FSAR Section 7.7.1.3.1 states that the safety-related radiation monitors are selected based on the presence of radiation materials in the different areas of the facility. As determined by the safety analysis, each location that requires process radiation monitoring is equipped with a safety-related process radiation monitor. SHINE FSAR Table 7.7-1 contains a list of safety-related process radiation monitors along with the monitored location, number of sensing channels, and operability requirements. Process radiation monitors are selected for compatibility with the normal and postulated accident environmental and radiological conditions.

The safety-related process radiation monitors are designed to function during normal operation, anticipated transients, and design basis accidents to a level required to detect accident conditions and provide safety-related inputs to the ESFAS and TRPS for initiating protective actions. If the measured radiation field goes above the full-scale, the analog output from the safety-related process radiation monitor will be equivalent to the full-scale reading. The TRPS or ESFAS will process this signal as a valid, full-scale value. For defense-in-depth, the RCA exhaust, general area radiation levels, and the airborne particulates are monitored by stack release, radiation area, and continuous area monitors, respectively.

Single Failure

SHINE FSAR Section 7.7.1.3.3 states that two or three redundant and independent safety-related process radiation monitors are provided for each protection function input parameter, each providing input to the associated division of the TRPS or ESFAS. Channel A safety-related process radiation monitors are powered by UPSS Division A, Channel B safety-related process radiation monitors are powered by UPSS Division B, and Channel C safety-related process radiation monitors, when provided, receive auctioneered power from both UPSS Division A and B. On a loss of power to a safety-related process radiation monitor, analog output to the TRPS or ESFAS fails low, and a trip or a partial trip signal is initiated for the associated safety function.

Based on the above information, the NRC staff's evaluation of single failure in the TRPS and ESFAS in Sections 7.4.4.2.1 and 7.4.5.3.3 of this SER, respectively, and the staff's evaluation of the HIPS design in Section 7.4.2 of this SER, the NRC staff finds that a single failure of a safety-related process radiation detector will not adversely impact the associated safety function.
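The over-range and loss-of-power behavior described above can be modeled as follows. This is an added illustration, not SHINE, HIPS, TRPS, or ESFAS code: the 4-20 mA loop, the 3.6 mA fail-low threshold, the full-scale and setpoint values, and the 2-out-of-3 coincidence are assumptions made for the example and are not taken from the FSAR or this SER.

```python
# Added illustration only: not SHINE, HIPS, TRPS or ESFAS code.
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

# Assumptions (not from the FSAR or the SER): a 4-20 mA current loop with a
# 3.6 mA "failed low" threshold, and 2-out-of-3 coincidence in the demo.
LIVE_ZERO_MA, FULL_SCALE_MA, FAIL_LOW_MA = 4.0, 20.0, 3.6

class Vote(Enum):
    NORMAL = "normal"
    TRIP = "trip"

@dataclass(frozen=True)
class Channel:
    name: str
    full_scale: float  # engineering units at 20 mA (constructed value)
    setpoint: float    # trip setpoint, same units (constructed value)

    def reading(self, ma: float) -> float:
        """Proportional scaling; an over-range input reads as full scale."""
        clamped = min(max(ma, LIVE_ZERO_MA), FULL_SCALE_MA)
        span = FULL_SCALE_MA - LIVE_ZERO_MA
        return (clamped - LIVE_ZERO_MA) / span * self.full_scale

    def vote(self, ma: float) -> Vote:
        # A dead loop (loss of power) fails low. Vote trip instead of
        # reporting it as a quiet "no radiation" reading.
        if ma < FAIL_LOW_MA:
            return Vote.TRIP
        return Vote.TRIP if self.reading(ma) >= self.setpoint else Vote.NORMAL

def actuate(votes: list[Vote], required: int) -> bool:
    """Coincidence logic: actuate once `required` channels vote trip."""
    return sum(v is Vote.TRIP for v in votes) >= required

def evaluate(channels: list[Channel], currents_ma: list[float],
             required: int = 2) -> tuple[list[Vote], bool]:
    votes = [ch.vote(ma) for ch, ma in zip(channels, currents_ma)]
    return votes, actuate(votes, required)

# Constructed sample: three redundant channels on one monitored parameter.
CHANNELS = [Channel(n, full_scale=100.0, setpoint=50.0) for n in "ABC"]

if __name__ == "__main__":
    # Channel A has lost power: one trip vote (partial trip), no actuation.
    print(evaluate(CHANNELS, [0.0, 6.0, 6.0]))
    # Channel B then goes over-range: saturates at full scale and trips.
    print(evaluate(CHANNELS, [0.0, 25.0, 6.0]))
    # Single failure the other way: A stuck at a normal value cannot block
    # actuation when B and C both see a real excursion.
    print(evaluate(CHANNELS, [6.0, 18.0, 18.0]))
```

The third case is the one a single-failure review cares about most: a channel that fails to a plausible in-range value is not detectable from its signal alone, so protection depends on the remaining redundant channels.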

Independence

SHINE FSAR Section 7.7.1.3.4 states that physical separation is maintained between divisions of safety-related process radiation monitors, and division independence is maintained from the safety-related process radiation monitors, through the TRPS and ESFAS. The safety-related process radiation monitors provide analog signals directly to the TRPS and ESFAS and do not interface electrically with any nonsafety-related system. Safety-related process radiation monitors from separate divisions are independently powered from the associated UPSS division.

Based on the information above, the NRC staff finds that the design of the safety-related radiation monitors demonstrates adequate independence such that a failure in a redundant channel or in a nonsafety-related system would not adversely impact any associated safety function.

Technical Specifications

SHINE FSAR Section 7.7.1.4.3 states that the safety-related process radiation monitors are periodically tested and maintained in accordance with the TSs to verify operability. The surveillance frequencies for the safety-related process radiation monitoring instruments included in the TSs were selected consistent with the guidance provided in ANSI/ANS 15.1-2007, The Development of Technical Specifications for Research Reactors. The surveillance requirements for the safety-related process radiation monitoring instruments included in the TSs verify the operability of the channel from the safety-related process radiation monitor to the inputs to the SBVM or SBM located in the TRPS or ESFAS. Safety-related process radiation monitors located in a low background area are equipped with a check source to be able to verify proper operation.

SHINE TS Section 3.7 identifies the LCOs and SRs for the safety-related process radiation monitoring instruments and gaseous effluents. Section 7.4.10 of this SER addresses the adequacy and acceptability of the SHINE TSs related to the RMS. Startup-testing conditions and first use of safety-related RMS instrumentation is discussed in SHINE FSAR Section 12.11.2 and the startup plan is evaluated in Chapter 12, Conduct of Operations, of this SER.

Conclusion

Based on the NRC staff's evaluation above, the staff finds that the SHINE RMS is designed to perform radiation monitoring functions within the facility that includes safety-related and nonsafety-related radiation monitoring equipment. Each safety-related process radiation monitor provides an analog signal proportional to the monitored variable to ESFAS or TRPS for performing the associated safety function. Nonsafety-related process radiation monitors, RAMS, CAMS, and SRMS monitor several areas of the facility and provide information to the operator on the status and effectiveness of processes and effluent monitoring. Nonsafety-related process radiation monitors may be used to diagnose process upsets but do not perform an accident mitigation or personnel protection function. The evaluation of the non-safety related RMS for radiation protection is addressed in Section 11.4.1.4, Radiation monitoring and Surveying, of this SER. The NRC staff also finds that the design of the safety-related process radiation monitors meets SHINE Design Criteria 1, 2, 4, 13, and 38. Therefore, the NRC staff concludes that the RMS is capable of performing the allocated design basis function under postulated conditions.

Neutron Flux Detection System

The NRC staff evaluated the sufficiency of the SHINE facility NFDS, as described in SHINE FSAR Section 7.8, Neutron Flux Detection System, using the applicable guidance and acceptance criteria from Chapter 7, Instrumentation and Control Systems, of NUREG-1537, Parts 1 and 2, and Chapter 7, Instrumentation and Control Systems, of the ISG augmenting NUREG-1537, Parts 1 and 2.

System Description

SHINE FSAR Section 7.8 states that the NFDS will measure, monitor, and indicate the neutron flux levels in the TSV during filling and irradiation of the target solution. The NFDS consists of three divisions. Each division consists of watertight detectors located in the light water pool and an NFDS amplifier mounted in the RPF or IF. The NFDS provides data to the TRPS for safety functions, monitoring, and indication, and also interfaces with the PICS for nonsafety-related functions.

SHINE FSAR Section 7.8 states that the NFDS covers the entire range of neutron flux levels.

There are three different ranges provided from the NFDS: source range, wide range, and power range. Source range covers the low levels expected while the TSV is being filled while power range covers the higher flux levels anticipated while the neutron driver is on and irradiating. The wide range monitors the flux levels between the source and power range with a minimum one decade overlap with the high end of the source range and two decades of overlap with the low end of the power range. SHINE FSAR Table 7.4-1 identifies the instrument range, accuracy, instrument response time, logic, and analytical limit. SHINE TS Table 3.2.3-a identifies the setpoints for the monitored variables. When any neutron channel reaches its defined setpoint for action, the TRPS will generate and output a signal to isolate the IU Cell.

As summarized above, the SHINE FSAR describes the variables monitored by the NFDS. In the SHINE TSs, the applicant identified the neutron flux to maintain LSSS 2.2.1, 2.2.2, and 2.2.3. These LSSSs were established to protect the primary system boundary pressure safety limit.

The three detectors for the NFDS are positioned around the SASS at approximately 120-degree intervals to the TSV.

Conclusion

As described in Section 7.4.4 of this SER, the NRC staff evaluated the NFDS as part of the TRPS as instrumentation inputs to the TRPS. Therefore, all findings for the TRPS are applicable to the NFDS as appropriate. The staff has reasonable assurance that the NFDS is adequately described in SHINE FSAR Section 7.8. The staff finds that the NFDS is adequately designed for measurement of the neutron flux signal, signal processing, indication, and interfacing with other systems, including providing analog input to the TRPS. The staff review of the lifecycle development process for HIPS is described in Section 7.4.2 of this SER, and the adequacy of HIPS and TRPS and NFDS related TS is evaluated in Section 7.4.10 of this SER.

Therefore, the NRC staff concludes that the TRPS and NFDS are capable of performing the allocated design basis safety function under postulated conditions.

Human Factors Engineering

Proposed Technical Specifications

Review Findings

The NRC staff reviewed the descriptions and discussions of the SHINE facility I&C systems, as described in SHINE FSAR Chapter 7, as supplemented, against the applicable regulatory requirements and using appropriate regulatory guidance and acceptance criteria.

Based on its review of the information in the SHINE FSAR and independent confirmatory review, as appropriate, the NRC staff determined that:

(1) SHINE described the facility I&C systems and identified the major features or components incorporated therein for the protection of the health and safety of the public.

(2) The processes to be performed, the operating procedures, the facility and equipment, the use of the facility, and other TSs provide reasonable assurance that the applicant will comply with the regulations in 10 CFR Part 50 and 10 CFR Part 20 and that the health and safety of the public will be protected.

(3) The issuance of an operating license for the facility would not be inimical to the common defense and security or to the health and safety of the public.

Based on the above determinations, the NRC staff finds that the descriptions and discussions of the SHINE facility I&C systems are sufficient and meet the applicable regulatory requirements and guidance and acceptance criteria for the issuance of an operating license.
