ML22292A310

Shine OL SER Chapter 7.4.3 Pics
ML22292A310
Person / Time
Site: SHINE Medical Technologies
Issue date: 10/20/2022
From: Michael Balazik
NRC/NRR/DANU/UNPL
To:
Balazik M

Process Integrated Control System

The NRC staff evaluated the sufficiency of the SHINE facility PICS, as described in SHINE FSAR Section 7.3, Process Integrated Control System, using the applicable guidance and acceptance criteria from Section 7.3, Reactor Control System, of NUREG-1537, Parts 1 and 2, and Section 7b.3, Process Control Systems, of the ISG augmenting NUREG-1537, Part 2.

NUREG-1537 Part 1 includes an assumed I&C system architecture:

The [protection system] should monitor selected operating parameters [and] is designed to ensure [facility] and personnel safety by limiting parameters to operate within analyzed operating ranges. The [protection system] can also give the [engineered safety features actuation system (ESFAS)] information for the operation of ESFs when the instruments indicate that abnormal or accident conditions could occur. The [operational control system(s)] may monitor many of the same parameters as the [safety systems] and give information for automatic or manual control of the operating conditions... The facility instruments present operating parameter and system status information to the operator for monitoring operation and for deciding on manual control actions to be taken. Instrument systems are the means through which automatic or operator control actions are transmitted for execution by the [operational control system(s)]. Radiation instruments show radiation levels in selected areas in the [facility] and could give data to the [safety systems(s)] to help in the control of personnel radiation exposure, or monitor the release of radioactive material from the [facility].

For the SHINE facility, the PICS includes the operational control system, instrument systems, and control console described in NUREG-1537, Part 1. The safety systems and the radiation monitors are considered separate systems in this evaluation.

7.4.3.1 SYSTEM DESCRIPTION

The PICS is a distributed control system to monitor and control the various processes in the irradiation facility (IF) and radioisotope production facility (RPF). PICS includes the main control board, operator and supervisor workstations, and associated control cabinets.

The PICS interfaces with other controllers or systems supplied for several pieces of equipment and components, to maintain the operating characteristics and parameters of the facility irradiation units and radioisotope production facility as further described in Section 4 of the SER. SHINE FSAR Figure 7.3-1, Process Integrated Control System Architecture, depicts the PICS system architectures, including the vendor-provided control systems, and the control console and displays. SHINE FSAR Section 7.3.1 describes these systems, and this description was considered during an audit when SMT20A-FS-001, Rev. 1, System Architecture Functional Specification SHINE Process Integrated Control System, was confirmed to be consistent with this FSAR description. The PICS system network routes signals to the main distribution switch located in the server room. Information from the facility control room, remote input/output cabinets, remote human machine interface panels, programmable logic controllers, vendor-provided control systems, and virtual machines communicates through the main distribution switch with a combination of copper cabling and fiber optic cabling. Some key aspects associated with PICS which are described in other FSAR sections are summarized below.


Main Control Board

The main control board consists of a console, static display screens, and manual actuation interfaces. The configuration of the main control board is shown in FSAR Figure 7.6-2.

The main control board contains eight sections, each containing one column of displays dedicated to a single irradiation unit (IU). This board also includes a ninth section containing two columns of displays dedicated to the facility status. Each column includes three static display screens to display safety functions of the IU cells and other facility processes, so the operator can easily verify the status of the SHINE facility. In addition, these columns include manual actuation devices and the enable nonsafety switch (labeled E/D). The facility status section includes the facility master operating permissive (labeled O/S).

Operator Workstation

The operator workstations consist of display screens and human interface equipment to operate the PICS and NDAS. This workstation consists of four desks, two for the PICS and two for the NDAS controls. SHINE FSAR Figure 7.6-1 also shows the layout of the operator workstation.

Both PICS workstations can display any screens about the operation in the SHINE facility. However, only one workstation is assigned to manipulate the controls necessary for operation, while the other can only monitor. The PICS allows for the transfer of controls between the PICS workstations and to the supervisor workstation, if necessary. In addition, a limited set of control functions can be transferred to the PICS local control stations. Only one workstation (operator, supervisor, or local) is allowed to input control commands to a particular component at any time.

The PICS workstation includes the screens to operate and monitor the facility. The operator uses the IU screen to advance the modes of operation for the IUs. Also, one of the screens is configured to always display alarms present in the facility.

The NDAS workstations are used to monitor and operate the neutron drivers for each IU cell. These workstations can only send commands to the NDAS control system, as long as the PICS permissive is satisfied.

Supervisor Workstation

The supervisor workstation is similar to the PICS operator workstations and may be used to control a process or IU but is normally used for monitoring facility status only. The supervisor station does not have any NDAS control capabilities.

Maintenance Workstation

Although not part of PICS, there are two maintenance workstations for the TRPS and ESFAS. These workstations will be used to perform maintenance and modify tunable parameters, including setpoints, of the TRPS or ESFAS. This update is done through a temporary connection to the monitoring and indication communication module of the associated division.

Each workstation is assigned to Division A or Division B; for Division C, the SHINE staff would use the workstation assigned to Division A. The workstations are in the facility control room, one inside the Division A TRPS cabinet and the other inside the Division B TRPS cabinet. FSAR Figure 7.6-3 shows the location of the workstation within the cabinet.


The PICS also includes an engineering workstation located in the PICS server room, which is used to perform system administrator functions.

7.4.3.2 EVALUATION OF PICS DESIGN CRITERIA

FSAR Chapter 3.1, Design Criteria, states:

Safety-related SSCs at SHINE are those physical SSCs whose intended functions are to prevent accidents that could cause undue risk to health and safety of workers and the public; and to control or mitigate the consequences of such accidents.

FSAR Chapter 3, Design of Structures Systems, and Components, Section 3.1, Design Criteria, Table 3.1-2, Nonsafety-Related Structures, Systems, and Components, and FSAR Section 7.3.2, Design Criteria, identify the design criterion for PICS, which is classified as nonsafety-related.

Based on these two facts the NRC concludes that: (1) PICS does not include functions intended to prevent accidents, (2) PICS cannot cause undue risk to the health and safety of workers and the public, and (3) PICS does not control or mitigate the consequences of accidents. The evaluation of PICS documented below is based on this conclusion.

7.4.3.2.1 SHINE Facility Design Criteria

The SHINE design criteria establish the necessary design, fabrication, construction, testing, and performance requirements for structures, systems, and components important to safety that provide reasonable assurance that the SHINE facility can be operated without undue risk to the health and safety of the public. Section 50.34(a)(3)(ii) of 10 CFR requires the applicant to describe the design bases and the relation of the design bases to the principal design criteria and 10 CFR 50.34(b) requires updating the information to take into account any pertinent information developed since the submittal of the preliminary SAR.

By letter dated April 22, 2022, the response to RAI 7-49 stated:

SHINE Design Criteria 3 and 6 are applicable to the process integrated control system (PICS). SHINE does not rely on the PICS to satisfy SHINE Design Criteria 1, 2, 4, 5, 7, and 8. SHINE has revised Subsections 7.3.2.1 and 7.6.2 of the FSAR to describe the relationship between the PICS design basis to SHINE Design Criteria 3 and 6.

These two design criteria below are copied from FSAR Chapter 3.1.

Criterion 3 - Fire protection

Safety-related SSCs are designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions.

Noncombustible and heat resistant materials are used wherever practical throughout the facility, particularly in locations such as confinement boundaries and the control room.

Fire detection and suppression systems of appropriate capacity and capability are provided and designed to minimize the adverse effects of fires on safety-related SSCs.

Firefighting systems are designed to ensure that their rupture or inadvertent operation does not significantly impair the safety capability of these SSCs.


The NRC evaluation of the fire protection program (and any specific crediting of SSCs) that are found in SHINE FSAR Section 9a2.3, Fire Protections Systems and Programs, is addressed in the SE section on Fire Protection.

Criterion 6 - Control room

A control room is provided from which actions can be taken to operate the irradiation units safely under normal conditions and to perform required operator actions under postulated accident conditions.

The NRC evaluation of the suitability of the control room for operations (and any specific crediting of SSCs) is found in SE Section 7.9.

FSAR Table 3.1-2 and Section 7.3.2.1 state that the SHINE facility design criterion 13 applies to the PICS.

SHINE Design Criterion 13 - Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated transients, and for postulated accidents as appropriate to ensure adequate safety, including those variables and systems that can affect the fission process, the integrity of the primary system boundary, the primary confinement and its associated systems, and the process confinement boundary and its associated systems. Appropriate controls are provided to maintain these variables and systems within prescribed operating ranges.

FSAR Section 7.3.1 describes the PICS functions, as well as the systems that interface with it; specifically, Section 7.3.1 describes the Monitoring and Alarms, Control Functions, and Interlocks and Permissives of the PICS with respect to the specific systems identified.

Furthermore, PICS interfaces with the safety-related TRPS, ESFAS, NFDS, and radiation monitors. FSAR Tables 7.4-1 and 7.5-1 identify the monitored variables for the TRPS and ESFAS. FSAR Tables 7.7-1 through 7.7-3 identify the radiation monitors installed in the SHINE facility. The monitored variables and instrument ranges for the safety-related radiation monitors are identified in FSAR Tables 7.4-1 and 7.5-1. FSAR Section 7.8.3.1 describes the monitored variables for the NFDS, including instrument operational ranges and analytical limits. FSAR Table 7.4-1 also identifies monitored variables and instrument ranges for the NFDS.

FSAR Section 4a2.8.6, Radiation and Hydrogen Concentration Control/Monitoring, states that the TOGS is designed to maintain hydrogen concentrations at or less than 2 percent during normal operation and, if the hydrogen concentration exceeds 2.5 percent by volume, an alarm alerts the operator to take action. FSAR Section 7.3.1.1.2, Target Solution Vessel Off-Gas System, describes that PICS directly monitors and provides alarms for TOGS hydrogen concentration. High measured hydrogen concentration is addressed only by the control system, and not directly by protection system functions. However, the TRPS initiates an IU Cell Nitrogen Purge when monitored variables indicate a loss of hydrogen recombination capability in the IU (see FSAR Sections 7.4.4.1.10, 7.4.4.1.11, and 7.4.4.1.12). An IU Cell Nitrogen Purge results in purging the primary system boundary for the affected IU with nitrogen.

The NRC staff did not review or evaluate the PICS equipment design to determine the adequacy of the control systems to maintain the required variables within operational limits during facility operation; however, the NRC staff verified that the impact of control system failures is appropriately considered in the accident analyses and is addressed by the protection systems. Based on the system description, confirmed in part by the NRC staff observations of the equipment during an audit where TECRPT-2022-0033 Rev. 0, Evaluation of Indirect Safety Impacts of Multiple PICS Failures, was confirmed to support the statements made in SHINE FSAR Section 7.3.2.2.4, Effects of Control System Operation/Failures, the NRC staff finds that the PICS is designed to meet the design acceptance criteria in the guidance in Section 7.3 of NUREG 1537, Part 2, that the instrumentation is designed to provide continuous indication of the neutron flux over the licensed power range in the irradiation units and entire expected range of the monitored process variables for both the IRs and production facility as defined in SHINE TS, and that alarms and/or indications will be provided.

7.4.3.2.2 PICS System Design Criteria

SHINE FSAR Section 7.3.2.2 provides PICS design criteria that will be incorporated into the PICS design and implementation. The staff reviewed the design criteria and attributes of the PICS, as described below, as part of the basis for verifying appropriate controls can be designed and implemented for PICS and consistent with the acceptance criteria in Section 7.3 of NUREG-1537 to the extent practical. The NRC staff did not independently review or confirm specific PICS design features, programming logic, or other configurations (e.g., typically developed in the requirements or implementation phase) that demonstrate how the attributes are achieved.

7.4.3.2.2.1 Access Control

FSAR Chapter 3.1, Design Criteria, states that design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable FSAR Chapter describing those SSCs. FSAR Chapter 7.3.2.2.1 includes PICS Criterion 1. FSAR Section 7.6.2.2.1 includes PICS Criterion 10 for control consoles and displays.

PICS Criterion 1 - The PICS design shall incorporate design or administrative controls to prevent/limit unauthorized physical and electronic access to critical digital assets (CDAs) during the operational phase, including the transition from development to operations. CDAs are defined as digital systems and devices that are used to perform or support, among other things, physical security and access control, safety-related functions, and reactivity control.

PICS Criterion 10 - The operator workstation and main control board design shall incorporate design or administrative controls to prevent or limit unauthorized physical and electronic access to critical digital assets (CDAs) during the operational phase, including the transition from development to operations. CDAs are defined as digital systems and devices that are used to perform or support, among other things, physical security and access control, safety-related functions, and reactivity control.

FSAR Section 7.3.5 describes how SHINE performs access control and cyber security and states that the PICS and other vendor-provided nonsafety-related control systems do not allow remote access, and that the PICS and other vendor-provided nonsafety-related control systems do not use any wireless interface capabilities for control functions. FSAR Section 7.6.3.4 describes access control for the facility control room and the facility control systems and states that to use PICS, operators need to request authorization and set up a personal username and password.


Since PICS does not allow remote or wireless access, the NRC staff concludes the PICS design includes design features to allow administrative control of access during operation. The specific administrative controls employed are addressed as part of the cyber security assessment.

7.4.3.2.2.2 Software Requirements Development

FSAR Chapter 3.1, Design Criteria, states that design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable FSAR Chapter describing those SSCs. FSAR Chapter 7.3.2.2.2 includes PICS Criteria 2, 3, & 4.

PICS Criterion 2 - A structured process, which is commensurate with the risk associated with its failure or malfunction and the potential for the failures challenging safety systems, shall be used in developing software for the PICS.

PICS Criterion 3 - The PICS software development lifecycle process requirements shall be described and documented in appropriate plans which shall address verification and validation (V&V) and configuration control activities.

PICS Criterion 4 - The configuration control process shall assure that the required PICS hardware and software are installed in the appropriate system configuration and ensure that the correct version of the software/firmware is installed in the correct hardware components.

SHINE FSAR Section 7.3.2.2.2 describes how SHINE met these criteria. Also, SHINE FSAR Section 7.3.3.4 describes the development process followed for PICS, the neutron driver assembly system (NDAS), and third-party developed systems (e.g., the radioactive liquid waste immobilization (RLWI) system).

ANSI/ANS 10.4-2008 provides guidance for the verification and validation of scientific and engineering computer programs for the nuclear industry. Section 9 of the standard recommends that the test results for the V&V activities during the installation phase be documented and reported as specified in the V&V Plan and, if the findings necessitate any retesting or revision of the test report, the updated test results should be verified again before final program acceptance.

SHINE FSAR Section 7.3.3.4 states that the PICS validation master plan describes the V&V activities.

The NRC staff evaluated the PICS and other non-safety related I&C systems design using the design basis acceptance criteria identified in Section 3.1, Design Criteria, and Section 7.3, Reactor Control System, of NUREG 1537, Part 2. While NUREG-1537 Part 2 provides criteria for verifying that the hardware and software for control systems should meet the guidelines of IEEE 7-4.3.2-1993, IEEE Standard Design Criteria for Digital Computer Systems in Safety Systems of Nuclear Power Generation Stations, the staff agrees with the use of ANSI/ANS 10.4-2008 for testing V&V activities given the function of the PICS, associated failure analysis provided for the system (see Section 7.4.3.2.2.4), and safety margins described in Section 13 of the SE. Based on the information provided by the licensee and reviewed by the NRC staff, the NRC staff finds that PICS and other non-safety related I&C systems design results in a reliable, redundant and fail-safe system that helps ensure continued operation of the facility within the SL and LSSS established in the SHINE TSs, assuming the final design implementation and testing of the PICS conforms to the PICS criteria and design attributes described in SHINE FSAR Section 7.3.

7.4.3.2.2.3 Fail Safe

SHINE FSAR Chapter 3.1, Design Criteria, states that design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable FSAR Chapter describing those SSCs. SHINE FSAR Chapter 7.3.2.2.3 includes PICS Criterion 5.

PICS Criterion 5 - The PICS shall assume a defined safe state with loss of electrical power to the PICS.

The fail-safe design acceptance criteria of NUREG 1537 ensure that, on loss of power, the control system and associated equipment are designed to assume a safe state and will enable safe reactor shutdown.

SHINE FSAR Sections 7.3.3.6 and 7.6.3.5 note that there are local batteries that allow the PICS servers, the operator workstations, and the main control to continue operating for at least 10 minutes after power is lost. If power is not restored to PICS within this time, the PICS control outputs open and all controlled components will transition to their safe states, as confirmed during the audit discussion of Topic 1 Bullet 3. In addition, in case normal power is interrupted, the SGS will provide backup power to PICS. SHINE FSAR Section 7.3.3.6 states that SGS requires five minutes to start. Finally, SHINE FSAR Sections 7.3.2.2.3 and 7.3.3.6 state that components controlled by the PICS assume a defined safe state on loss of electrical power. Fail-safe states are also discussed in the component classification and HAZOP processes when they are relevant to consequences of concern. PICS will not attempt to reposition those components upon detecting they have gone to their safe state, as confirmed during the audit discussion of Topic 1 Bullet 3.

Based on the above information provided in the SHINE FSAR, the NRC staff finds that the licensee's implementation of fail-safe acceptance criteria for the PICS is acceptable. The PICS design includes methods for its components to assume a safe state on loss of electrical power.

7.4.3.2.2.4 Effects of Control System Operation/Failures

Effects of Control Failures on TRPS and ESFAS Safety Functions

SHINE FSAR Chapter 3.1, Design Criteria, states that design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable FSAR Chapter describing those SSCs. SHINE FSAR Chapter 7.3.2.2.4 includes PICS Criterion 6.

PICS Criterion 6 - The PICS shall be designed so that it cannot fail or operate in a mode that could prevent the TRPS or ESFAS from performing its designated functions.

SHINE FSAR Section 7.3.2.2.4 describes that any non-safety related signal transmitted from PICS to the TRPS and/or ESFAS will not interfere with their operation. SHINE FSAR Sections 7.4.3.4 and 7.5.3.4 describe the communication mechanisms between PICS and TRPS and ESFAS, respectively. In addition, SHINE FSAR Section 7.6.4.5 provides additional descriptions for these communications. Finally, the response to RAI 7-9 (c) states:

There are no sensor outputs that have both a target solution vessel (TSV) reactivity protection system (TRPS) safety-related protection function and a nonsafety-related control function. As described in Subsection 7.5.2.1.6 of the FSAR, there are no sensor outputs that have both an engineered safety features actuation system (ESFAS) safety-related protection function and a nonsafety-related control function. SHINE has revised Subsections 7.3.1.1.2 and 7.4.2.1.6 of the FSAR to clarify that there are no sensor outputs that have both a TRPS protection function and a nonsafety-related control function.

SHINE FSAR Section 7.3.1.3.11, Target Solution Vessel Reactivity Protection System and Engineered Safety Features Actuation System, (provided in Supplement 23 by letter dated June 10, 2022) states:

Safety-related components that are capable of being actuated by the TRPS or ESFAS, but also have a nonsafety-related function related to production, achieve their safe state by having power removed. PICS controls these components directly by cycling power through the use of relays and contacts and does not send a signal to the TRPS or ESFAS during these normal operations. Should a safety actuation be required, the TRPS or ESFAS opens a contact in series with the power supply to the component, causing it to achieve its safe state regardless of the control signal from the PICS.

Following the safety actuation, the PICS provides a nonsafety-related control signal to the TRPS or ESFAS to allow for component repositioning. The actuation and priority logic (APL) in the TRPS or ESFAS processes these signals based upon the position of the enable nonsafety switch.

Safety-related components that are capable of being actuated by the TRPS or ESFAS and do not have a nonsafety-related production function are not controlled directly by PICS. Following the safety actuation, the PICS sends a nonsafety-related control signal to the TRPS or ESFAS and the APL in the TRPS or ESFAS processes this signal based upon the position of the enable nonsafety switch. If not prevented by higher priority inputs to the APL, the TRPS or ESFAS will position the component as requested by the PICS.

SHINE also stated that the FMEA for ESFAS and TRPS evaluates the interfaces with PICS for any direct impacts and ensures that no failures within the PICS system could directly impact the ability of TRPS or ESFAS to perform their functions.

The NRC staff evaluated the PICS failures using the acceptance criteria identified in Section 3.1 Design Criteria, and Section 7.3, Reactor Control System, of NUREG 1537, Part 2. For this review, acceptance criteria of NUREG 1537 specify that the systems should assume a safe state, enable safe reactor shutdown, and not prevent the TRPS or ESFAS from performing their designed safety functions in the case of control system action or inaction. Conceptually, this design is the same as that for many reactor-rod-control systems for safe shutdown.

Therefore, the staff has reasonable assurance that this design is adequate for ensuring that PICS cannot fail in a mode that would prevent the TRPS or ESFAS from performing their safety functions, assuming the final design implementation and testing of the PICS conforms to the PICS criteria and design attributes described in SHINE FSAR Section 7.3.
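The series-contact and priority arrangement quoted above from FSAR Section 7.3.1.3.11 can be expressed as a small state model and checked exhaustively against PICS Criterion 6. The Python below is an added example, not SHINE's or the NRC's logic; the latch on actuation, the treatment of an active safety demand as the only higher-priority APL input, the parallel-wired counter-example, and all names are assumptions made for illustration.

```python
"""Added illustration: toy model of a PICS-controlled component whose power
passes through a TRPS/ESFAS contact in series. Names and latch are assumed."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Inputs:
    safety_demand: bool      # TRPS/ESFAS actuation active (assumed top APL priority)
    enable_nonsafety: bool   # enable nonsafety (E/D) switch in the enable position
    pics_reposition: bool    # PICS nonsafety request to the APL to reposition
    pics_relay_closed: bool  # PICS relay cycling power during normal production


def step_series(latched, inp):
    """Series wiring as described in the FSAR text; returns (energized, latched)."""
    if inp.safety_demand:
        latched = True                        # safety contact opens
    elif latched and inp.enable_nonsafety and inp.pics_reposition:
        latched = False                       # APL honours the PICS request
    # Power reaches the component only through BOTH contacts in series.
    energized = (not latched) and inp.pics_relay_closed
    return energized, latched


def step_parallel_flawed(latched, inp):
    """Constructed counter-example: PICS relay wired around the safety contact."""
    _, latched = step_series(latched, inp)
    energized = (not latched) or inp.pics_relay_closed
    return energized, latched


def run_sequence(step, sequence):
    """Apply a list of Inputs in order and record whether the component is energized."""
    latched, out = False, []
    for inp in sequence:
        energized, latched = step(latched, inp)
        out.append(energized)
    return out


ALL_INPUTS = [Inputs(*bits) for bits in product([False, True], repeat=4)]


def count_violations(step, depth=3):
    """Count steps, over every input sequence of the given depth, in which the
    component is energized although it must be in its safe (de-energized) state:
    during a safety demand, or after one until the enable switch and a PICS
    reposition request together release it."""
    violations = 0
    for sequence in product(ALL_INPUTS, repeat=depth):
        latched = must_be_safe = False
        for inp in sequence:
            energized, latched = step(latched, inp)
            if inp.safety_demand:
                must_be_safe = True
            elif inp.enable_nonsafety and inp.pics_reposition:
                must_be_safe = False
            if energized and must_be_safe:
                violations += 1
    return violations


# Constructed scenario: normal operation, safety actuation, a reposition request
# with the switch disabled, a request with the switch enabled, a second actuation.
SCENARIO = [
    Inputs(False, False, False, True),
    Inputs(True, False, False, True),
    Inputs(False, False, True, True),
    Inputs(False, True, True, True),
    Inputs(True, True, True, True),
]

if __name__ == "__main__":
    print("series scenario:", run_sequence(step_series, SCENARIO))
    print("series violations:", count_violations(step_series))
    print("parallel violations:", count_violations(step_parallel_flawed))
```

The series model yields no violations for any input sequence, while the parallel-wired variant is flagged, which is the kind of property a design review or FMEA of the PICS interface would want demonstrated.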


Effects of Control Failures in SHINE Safety Analysis Methodology

As stated in the SHINE FSAR and confirmed in the audit of PICS failure analysis described below, the SHINE safety analysis methodology uses process hazards analysis (PHA) methods appropriate to the system or process being analyzed, including HAZOPs, FMEAs, and What-If/Checklist, to identify the necessary inputs to the safety systems (i.e., TRPS and ESFAS) to identify potentially unsafe conditions. These PHA methods are generally focused on the consequences of process deviations and how those deviations can be detected independent of cause. Those variables that need to be monitored to detect process deviations that could lead to undue risk are the monitored variables in TRPS and ESFAS. Therefore, any unsafe conditions caused by PICS would be identified by the TRPS and ESFAS monitored variables and the appropriate safety actuation would be initiated. The FMEA for ESFAS and TRPS evaluates the interfaces with PICS for any direct impacts and ensures that no failures within the PICS system could directly impact the ability of TRPS or ESFAS to perform their functions.

SHINE also performed a PICS failure analysis to evaluate potential impacts of PICS failures (including a failure of cards and racks) on the ability of the safety-related control systems to detect unsafe conditions and perform the appropriate safety functions in TECRPT-2022-0033, Revision 0 Evaluation of Indirect Safety Impacts of Multiple PICS Failures. Potential impacts on controls listed in the SHINE Safety Analysis (SSA) Summary Report that are not implemented through the safety-related control systems were also evaluated by SHINE. The purpose was to demonstrate that PICS failures will not adversely impact the safety analysis in the SHINE facility as documented in SHINE FSAR Chapters 4 and 13. Where multiple PICS failures could potentially lead to a failure to detect unsafe conditions or perform the appropriate safety function, requirements for separation within the PICS system design have been developed.

The staff evaluated the PICS failure assessment and associated requirements for separation within the PICS system. During the audit, the staff confirmed two instances in which PICS design requirements were purposely defined, in part as a result of the failure assessment, to maintain the effects of potential PICS failures within the operating conditions and accident basis analyzed in the SHINE FSAR. The staff has reasonable assurance that potential PICS failure events will remain within the bounds of the safety assessment, assuming the final design implementation and testing of the PICS conforms to the PICS criteria and design attributes described in SHINE FSAR Section 7.3 and TECRPT-2022-0033, Revision 0, Evaluation of Indirect Safety Impacts of Multiple PICS Failures.

7.4.3.2.2.5 Operational Bypass

SHINE FSAR Chapter 3.1, Design Criteria, states that design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable FSAR Chapter describing those SSCs. SHINE FSAR Chapter 7.3.2.2.5 includes PICS Criterion 7.

PICS Criterion 7 - Bypasses of PICS interlocks, including provisions for testing, shall be under the direct control of a control room operator and shall be indicated on control room displays.

Sections 7.3 and 7.4 of NUREG 1537, Part 2 provide guidance related to operational bypass. FSAR Section 7.3.2.2.5 states that a control room operator can bypass nonsafety-related interlocks using the PICS workstation. The PICS workstation display will annunciate when an interlock is bypassed. In addition, as confirmed during the audit discussion of Topic 1 Bullet 4, PICS interlocks or permissives are not credited with performing any safety-related function in order to reduce the likelihood or consequences of an accident sequence.

The Design Criteria in Section 7.3, Reactor Control System, of NUREG 1537, Part 2 specify that the control system should include interlocks to limit personnel hazards or prevent damage to systems during the full range of normal operations. SHINE FSAR Section 7.3.1 identifies the PICS interlocks for each associated I&C system in the SHINE facility.

Based on a review of the interlock description against the criteria identified, the NRC staff agrees that the description of bypasses of PICS interlocks and associated provisions for control room indication are acceptable.

7.4.3.2.2.6 Surveillance

SHINE FSAR Chapter 3.1, Design Criteria, states that design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable FSAR Chapter describing those SSCs. SHINE FSAR Chapter 7.3.2.2.6 includes PICS Criteria 8 & 9.

PICS Criterion 8 - Subsystems of and equipment in the PICS shall be designed to allow testing, calibration, and inspection to ensure functionality.

PICS Criterion 9 - Testing, calibration, and inspections of the PICS shall be sufficient to confirm that surveillance test and self-test features address failure detection, self-test capabilities, and actions taken upon failure detection.

The guidance in Section 7.3 of NUREG 1537, Part 2 recommends application of the functional design and analyses to the development of bases of technical specifications, including surveillance tests and intervals. Additionally, ANSI/ANS 15.15 recommends the system design include capability for periodic checks, tests and calibrations. The standard also recommends that, if on-line periodic testing is necessary, such testing should not reduce the capability of the system to perform its safety function.

SHINE FSAR Section 7.3.2.2.6 describes how the PICS meets these criteria. SHINE FSAR Section 7.3.4.2 describes the testing and maintenance capabilities of the PICS. SHINE will test the PICS during the factory acceptance test (FAT) and post-installation testing to demonstrate its functionality and the conformance of the system equipment to the design performance requirements, including requirements for testing.

Therefore, the NRC staff concludes that the PICS allows testing, calibration, and inspection to ensure functionality, and includes features for failure detection and self-test capabilities.

SHINE FSAR Section 7.3.4.3 states that PICS is not in the SHINE TS because it does not perform safety-related controls and functions. Therefore, the staff did not evaluate testing or surveillance procedures as referenced in PICS Criterion 9. The NRC staff confirmed that an SR is not warranted for the PICS because any failures would not prevent the safety systems (i.e., TRPS) from performing their safety functions.

Based on its review of the information provided, the NRC staff concludes the design of the PICS meets the design acceptance criteria in Section 7.3 of NUREG-1537, Part 2 to include the capability for periodic checks, tests and calibrations to facilitate the performance of the required testing to ensure PICS operability without affecting its ability to perform its intended function.

Also, the staff concludes that the PICS testing provisions provide reasonable assurance of its continued reliable operation.

7.4.3.2.2.7 Conclusion of Evaluation of PICS Design Criteria

Based on the information reviewed, the NRC staff concludes that SHINE established the necessary design, fabrication, construction, testing, and performance requirements for the PICS to provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public.

7.4.3.3 PICS DESIGN BASIS

This section documents the NRC staff review and evaluation of the design basis of the PICS against the design bases acceptance criteria identified in Sections 3.1 and 7.3 of NUREG-1537, Part 2. Further, Section 50.34(a)(3)(ii) of 10 CFR requires the applicant to describe the design bases and the relation of the design bases to the principal design criteria, and 10 CFR 50.34(b) requires updating the information to take into account any pertinent information developed since the submittal of the preliminary SAR.

SHINE FSAR Sections 7.3.1 and 7.3.3 identify the design bases used for the PICS. The NRC staff reviewed and evaluated the PICS to verify that the impact of control system failures is appropriately included in the FSAR accident analyses.

SHINE FSAR Tables 7.4-1 and 7.5-1 show that the sensors used for protective actions (for example, the neutron flux detectors) can detect process parameter values at the same or over a larger range than required to safely operate the SHINE facility. These channels provide information to the PICS, TRPS, and ESFAS to monitor the facility during normal, transient, and accident conditions.

7.4.3.3.1 Design Basis Functions

The PICS does not perform safety functions. The PICS is only used to assist operators in performing normal operations of the SHINE facility. Also, the PICS receives information from safety systems for operators to monitor process variables and system operation status. The PICS can be used for diverse actuations to the safety systems but is not credited in SHINE FSAR Chapters 7 or 13. In addition, SHINE FSAR Section 7.4.2.2.6, Prioritization of Functions, contains a design criterion for prioritization and states: Priority is provided to automatic and manual safety-related actuation signals over nonsafety-related signals as described in Subsection 7.4.3.12.

7.4.3.3.2 Modes of Operation

SHINE FSAR Section 7.3.1.1 describes the modes of operation and specific monitoring, control, and interlock functions of PICS in each mode of the irradiation unit systems, which includes SCAS, the neutron driver assembly system (NDAS), the TSV off-gas system (TOGS), the primary closed loop cooling system (PCLS), and the neutron flux detection system (NFDS).

SHINE FSAR Figure 7.4-1, Sheet 8, shows the transition modes for the IU cell.

The PICS provides a signal to the TRPS, when manually initiated by the operator, to sequentially transition the TRPS from one mode to the next. To advance each mode of operation of the IU cell, the operator manually selects the next mode using PICS. The TRPS controls the transition for these modes by implementing the required mode-specific system interlocks and bypasses to ensure safe operation of the main production facility. Before an operator can manually transition to a different mode, all transition criteria conditions must be met. Note that when an IU cell safety signal is activated, the operation of the IU cell will automatically transition to Mode 3, independently of the operating mode.

The PICS is installed in the facility control room, where conditions are designed to be as described in FSAR Table 7.2-2.

7.4.3.3.3 System Operation

Through the main control board and operator workstations, the PICS is used to operate the SHINE facility. PICS functions include signal conditioning, system controls, interlocks, and monitoring of the process variables and system status. SHINE FSAR Figure 7.3-1 depicts the PICS architecture.

The building automation system receives commands from the PICS to start and stop select control sequences and provides information to the PICS for monitoring.

The PICS also receives information for monitoring only from the following vendor-provided systems:

  • Supercell control system
  • Radioactive liquid waste immobilization

In addition, the PICS monitors valve or damper position feedback as needed to perform control functions or implement interlocks and permissives. SHINE FSAR Section 7.3.1 describes those components.

7.4.3.4 CONCLUSION

The NRC staff concludes that the design of the PICS is such that any single malfunction in its components would not prevent the TRPS and ESFAS from performing necessary functions, nor prevent achieving a safe shutdown condition of the facility and (based on the review documented above) that there is reasonable assurance the PICS conforms to its design criteria.
