ML22318A178

From kanterella
Jump to navigation Jump to search
Shine Technologies, LLC Application for an Operating License Response to Request for Confirmatory Information
ML22318A178
Person / Time
Site: SHINE Medical Technologies
Issue date: 11/14/2022
From: Jim Costedio
SHINE Technologies
To:
Office of Nuclear Reactor Regulation, Document Control Desk
References
2022-SMT-0120
Download: ML22318A178 (1)
v  d  e


Text

November 14, 2022 2022-SMT-0120 10 CFR 50.30 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555

References:

(1) SHINE Medical Technologies, LLC letter to the NRC, SHINE Medical Technologies, LLC Application for an Operating License, dated July 17, 2019 (ML19211C143)

(2) NRC electronic mail to SHINE Technologies, LLC, SHINE Medical Technologies, LLC - Request for Confirmatory Information Related to Instrumentation and Control Systems (EPID No. L-2019-NEW-0004), dated November 10, 2022 SHINE Technologies, LLC Application for an Operating License Response to Request for Confirmatory Information Pursuant to 10 CFR Part 50.30, SHINE Technologies, LLC (SHINE) submitted an application for an operating license for a medical isotope production facility to be located in Janesville, Wisconsin (Reference 1). The NRC staff determined that confirmatory information was required to enable the staffs continued review of the SHINE operating license application (Reference 2).

Enclosure 1 provides the SHINE responses to the NRC staffs request for confirmatory information.

If you have any questions, please contact Mr. Jeff Bartelme, Director of Licensing, at 608/210-1735.

I declare under the penalty of perjury that the foregoing is true and correct.

Executed on November 14, 2022.

Very truly yours, James Costedio Vice President of Regulatory Affairs and Quality SHINE Technologies, LLC Docket No. 50-608 Enclosure cc: Project Manager, USNRC SHINE General Counsel Supervisor, Radioactive Materials Program, Wisconsin Division of Public Health 3400 Innovation Ct

  • Janesville, WI 53546
  • 877.512.6554
  • info@shinemed.com
  • www.SHINEtechnologies.com

ENCLOSURE 1 SHINE TECHNOLOGIES, LLC SHINE TECHNOLOGIES, LLC APPLICATION FOR AN OPERATING LICENSE RESPONSE TO REQUEST FOR CONFIRMATORY INFORMATION The U.S. Nuclear Regulatory Commission (NRC) staff determined that confirmatory information was required (Reference 1) to enable the continued review of the SHINE Technologies, LLC (SHINE) operating license application (Reference 2). The following information is provided by SHINE in response to the NRC staffs request.

RCI 7-1 For the hard-wired modules described in SHINE FSAR Section 7.4.1, System Description, confirm the following the following information:

Section 3.1.1, Independence of TECRPT-2019-0048, Rev. 5, TRPS System Design Description, states that hard-wired submodules (HW-SB) on the SBVMs are used for signals between TRPS Division A to ESFAS Division A or between TRPS Division B to ESFAS Division B (for actuations impacting both systems), which are processed using unidirectional communications type cables via divisional raceways / wireways.

SHINE Response SHINE confirms that the information related to the hardwired modules described in Subsection 7.4.1 of the FSAR is accurate with one clarification. SHINE clarifies that the unidirectional communications referred to are discrete contacts.

RCI 7-2 For the equipment interface module described in SHINE FSAR Section 7.4.1, confirm the following information:

Section 3.1, System Architecture of TECRPT-2019-0048, Rev. 5, TRPS System Design Description and TECRPT-2020-0002, Engineered Safety Features Actuation System Design Description, state that an EIM is included in each actuation division (Divisions A and B) for each component actuated by the TRPS and ESFAS. Each EIM has two separate logic paths to allow for connection to separate actuated components. Each component is connected to two separate EIMs, resulting in two EIMs providing redundant control to each component as shown in Figure 3-6, Equipment Interface Module Configuration. This allows an EIM to be taken out of service and replaced online without actuating the connected equipment.

Page 1 of 8

SHINE Response SHINE confirms that the information related to the equipment interface module described in Subsection 7.4.1 of the FSAR is accurate with one clarification. SHINE clarifies that each EIM has up to eight logic paths to allow connection to separate actuated components.

RCI 7-3 For HIPS modules electrical independence in SHINE FSAR Section 7.4.5.2.1, Independence, confirm the following information:

RCI-942-1000-61001, EMC and Isolation Qualification Report for HIPS Platform EQTS, Rev. 0, Section 4 of this test report concludes that isolation testing of the HIPS modules meets the requirements as specified in Section 4.6.4 of EPRI TR-107330, Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants, dated December 1996.

SHINE Response SHINE confirms that the information related to the highly integrated protection system (HIPS) modules electrical independence described in Subsection 7.4.5.2.1 of the FSAR is accurate.

RCI 7-4 For redundancy in the TRPS and ESFAS design described in SHINE FSAR Section 7.4.5.2.2, Redundancy, confirm the following the following information:

For SHINE TECRPT-2019-0031, Revision 3, TRPS and ESFAS Single Failure Analysis, that the scope of this single failure assessment applies to the sense and command and execute features of the TRPS and ESFAS used for safety-related functions. The actuation devices (e.g., solenoids and valve actuators) are not included in the scope of this analysis except to establish that the actuated systems include independent, redundant means of completing safety functions. Equipment feedback such as valve position is considered if used for an input to a safety function.

SHINE Response SHINE confirms that the information related to redundancy in the target solution vessel (TSV) reactivity protection system (TRPS) and engineered safety features actuation System (ESFAS) design described in Subsection 7.4.5.2.1 of the FSAR is accurate.

RCI 7-5 For redundancy in the TRPS and ESFAS design described in SHINE FSAR Section 7.4.5.2.2, confirm the following information:

SHINE TECRPT-2019-0031, Revision 3, applied the following definition of single-failure to the TRPS and ESFAS:

Page 2 of 8

The TRPS and ESFAS shall perform their required functions, for a design basis event, in the presence of the following:

  • Any single detectable failures within the TRPS or ESFAS concurrent with all identifiable, but nondetectable failures
  • All failures cause by the single failure
  • All failures and spurious system actions that cause, or are caused by, the design basis event requiring the safety functions.

SHINE Response SHINE confirms that the information related to redundancy in the TRPS and ESFAS described in Subsection 7.4.5.2.2 of the FSAR is accurate.

RCI 7-6 For TRPS and ESFAS design criteria as described in SHINE FSAR Sections 7.4.2.2, TRPS System Design Criteria, and 7.5.2.2, ESFAS System Design Criteria, confirm the following information:

The conclusions of SHINE TECRPT-2019-0031, Revision 3, are as follows:

  • For functions that require 1-out-of-2 voting, a single failure of a single measurement channel or process interface division will not prevent a protective actuation when required. For functions that require 2-out-of-3 voting, a single failure of a single measurement channel or process interface division with another channel or process interface division out-of-service will not prevent a protective actuation when required and will not cause a spurious TRPS or ESFAS actuation when it is not required. The single failure criterion is satisfied for all potential failures of an instrument channel.
  • For TRPS and ESFAS functions with 1-out-of-2 voting, the protective action will be initiated if one of the two channels vote to trip. If one of the two channels fail such that it will not produce a trip, the remaining channel can initiate the required protective action.

The only TRPS protective actions with 1-out-of-2 voting are for the IU Cell Safety Actuation and Fill Stop based on the TSV Fill Valve Fully Closed inputs. The TSV Fill Valve position signals input is received into HWMs, which cannot be placed OOS by design. Administrative controls are required on ESFAS input channels for 1-out-of-2 voting functions which do not allow them to be placed OOS in order to satisfy the single failure criterion.

  • For TRPS and ESFAS functions with 2-out-of-3 voting, the protective action will be initiated if two of the three channels vote to trip. In the 2-out-of-3 configuration, the single failure criterion is satisfied for all potential failures of an instrument channel with a redundant channel OOS with its respective trip/bypass switch in the trip position. There is a need for administrative controls on components which are placed OOS. The TRPS and ESFAS satisfy the single failure criterion with administrative controls on OOS conditions.
  • For the TRPS permissives derived from two process interface inputs, administrative controls not allowing bypass of any input channels associated with the permissive are required to satisfy the single failure criterion.

Page 3 of 8

SHINE Response SHINE confirms that the information related to TRPS and ESFAS system design criteria described in Subsections 7.4.2.2 and 7.5.2.2 of the FSAR is accurate.

RCI 7-7 For the TRPS and ESFAS response times described in SHINE FSAR Section 7.4.5.2.3, Predictability and Repeatability confirm the following information:

Subsection 4.1, System Response Time of TECRPT-2019-0048, Revision 5, TRPS System Design Description, states that total response time includes the Analog Input Delay, SFM Logic Delay, t1, t2, EIM Logic Delay, and the Analog Output Delay times. The response times of instrumentation is manufacturer and instrumentation loop dependent. The final design testing of the TRPS platform (during factory acceptance testing and site acceptance testing) will better define the actual response time.

SHINE Response SHINE confirms that the information related to TRPS and ESFAS response times described in Subsection 7.4.5.2.3 of the FSAR is accurate.

RCI 7-8 For the reliability of PICS as described in SHINE FSAR Section 7.6.4.5, Reliability, confirm the following:

The SHINE safety analysis methodology uses process hazards analysis (PHA) methods appropriate to the system or process being analyzed, including HAZOPs, FMEAs, and What-If/Checklist, to identify the necessary inputs to the safety systems (i.e., TRPS and ESFAS) to identify potentially unsafe conditions. These PHA methods are generally focused on the consequences of process deviations and how those deviations can be detected independent of cause. Those variables that need to be monitored to detect process deviations that could lead to undue risk are the monitored variables in TRPS and ESFAS. Therefore, any unsafe conditions caused by PICS would be identified by the TRPS and ESFAS monitored variables and the appropriate safety actuation would be initiated. The FMEA for ESFAS and TRPS evaluates the infaces with PICS for any direct impacts and ensures that no failures within the PICS system could directly impact the ability of TRPS or ESFAS to perform their functions.

SHINE Response SHINE confirms that the information related to reliability of the process integrated control system (PICS) described in Subsection 7.6.4.5 of the FSAR is accurate.

RCI 7-9 For SHINE defense-in-depth assessment as described in FSAR Section 7.4.5.2.4, Diversity, confirm the following:

The report states that for the SHINE design, four echelons of defense identified in NUREG/CR-6303 are modified and summarized as follows:

Page 4 of 8

  • Control System - The control system echelon usually consists of equipment that is used in the normal operation and routinely prevents operations in unsafe operational regimes.
  • Engineered Safety Features Actuation System - The ESF echelon (which should not be confused with the SHINE ESFAS) consists of equipment that mitigates design basis events. The ESF echelon spans across both TRPS and ESFAS.
  • Monitoring and Indicator System - The monitoring and indicator system echelon consists of sensors, safety parameter displays, data communication systems, and independent manual controls relied upon by operators to respond to operating events.

SHINE Response SHINE confirms that the information related to the diversity and defense-in-depth (D3) assessment described in Subsection 7.4.5.2.4 of the FSAR is accurate.

RCI 7-10 For SHINE defense-in-depth assessment as described in FSAR Section 7.4.5.2.4, Diversity, confirm the following:

TECRPT-2019-0041 presents the following conclusions, in part:

  • Potential digital-based common cause failure within Safety Block I or Safety Block II may lead to spurious initiation of protective actions within TRPS and ESFAS without adverse impacts to safety. There are no potential Type 2 digital-based common cause failure, failures that do not directly cause transients but are undetected until environmental effects or physical equipment failures cause a transient or design basis accident to which protective equipment may not respond, within Safety Block I, II, or II that may lead to failure of initiating protective actions for any AOO or PA. At least two other Safety Blocks remains functional which can result in automatic alarms within the Monitoring and Indication block due to parameters deviating by a predefined amount. The PICS block will continue to monitor, alarm, and attempt to automatically correct parameter deviations. In addition, the operator always retains the capability to manually initiate all protective actions as needed.
  • A digital-based common cause failure of radiation detector sets may lead to spurious actuations with production impacts without adverse safety impacts.
  • A digital-based common cause failure of any radiation detector may cause failure to initiate protective actions; however, for each set, there exists alternate means for either the operator to identify, initiate and assess protective actions, or alternate automatic means of mitigating events.

Page 5 of 8

SHINE Response SHINE confirms the information related to the D3 assessment described in Subsection 7.4.5.2.4 of the FSAR is accurate.

RCI 7-11 For SHINE FSAR Figure 7.4-3, TRPS and ESFAS Programmable Logic Lifecycle Process, confirm that the Test Plans are not included in the Requirements Phase.

SHINE Response SHINE confirms that test plans are not included in the Requirements Phase of the Programmable Logic Lifecycle Process. SHINE has documented in its corrective action program the inconsistency between the depiction of test plans in the Requirements Phase of the Programmable Logic Lifecycle Process provided in Figure 7.4-3 of the FSAR and the description of the Requirements Phase provided in Subsection 7.4.5.4.2.2 of the FSAR. SHINE will revise Figure 7.4-3 of the FSAR at the next FSAR update to correct this inconsistency.

RCI 7-12 For SHINE defense-in-depth assessment as described in FSAR Section 7.4.5.2.4, Diversity, confirm the following:

The D3 assessment is based on the following factors:

  • SECY-93-087, two principal factors for defense against common cause failures are the use of quality and diversity;
  • Safety-related TRPS and ESFAS are designed and manufactured under a prescribed quality assurance program that provides protection from items such as manufacturing errors and design deficiencies;
  • Digital-based common cause failures in TRPS and ESFAS are considered credible but beyond design basis; and
  • BTP 7-19, a diversity strategy is used by combining diversity attributes to make an overall case for eliminating digital-based common cause failures in TRPS and ESFAS from further consideration.

SHINE Response SHINE confirms that the information related to the D3 assessment described in Subsection 7.4.5.2.4 of the FSAR is accurate.

RCI 7-13 For SHINE defense-in-depth assessment as described in FSAR Section 7.4.5.2.4, Diversity, confirm the following:

Digital technology-based sensors in this D3 assessment are radiological ventilation zone, irradiation unit cell exhaust radiation, RCA exhaust radiation, and supercell area exhaust radiation, which are evaluated for digital common cause failure based anomalous readings.

Page 6 of 8

Each TRPS has three radiation detectors while ESFAS has twenty-seven radiation detector inputs. In total, the SHINE facility has fifty-one safety-related digital-based radiation detectors.

SHINE Response SHINE confirms that the information related to the D3 assessment described in Subsection 7.4.5.2.4 of the FSAR is accurate with the following clarifications. In addition to the listed safety-related process radiation monitors, the D3 assessment evaluated the digital-based TSV off-gas system (TOGS) oxygen concentration sensors/analyzers and the digital-based molybdenum extraction and purification system (MEPS) heating loop radiation monitors for digital common-cause failure. The ESFAS contains 33 digital-based safety-related process radiation monitor inputs. The 51 digital-based safety-related process radiation monitors referenced in Section 5.5.1 of the D3 assessment refer to the radiological ventilation zone 1 exhaust (RVZ1e) monitors listed in Table 5-1 of the D3 assessment (24 monitors), providing input to TRPS, and the RVZ area radiation monitors listed in Table 5-2 of the D3 assessment (27 monitors), providing input to ESFAS. The MEPS heating loop radiation monitors (6 monitors) listed in Table 5-2 of the D3 assessment, also providing input to ESFAS, are evaluated for digital common cause failure in Section 5.6.3.4 of the D3 assessment.

RCI 7-14 For SHINE FSAR Section 7.4.5.4.5 Verification and Validation, confirm that a set of Software Integrity Level (SIL) certified model based software development tool sets tools are being used by the vendor in performing the V&V of the TRPS and ESFAS programmable logic design.

SHINE Response SHINE clarifies that the verification and validation (V&V) process used by the vendor in performing the TRPS and ESFAS programmable logic design, which follows the guidance of Institute of Electrical and Electronics Engineers (IEEE) Standard 1012-2004, Standard for Software Verification and Validation (Reference 3), includes the use of model based software development tools which are Safety Integrity Level certified (International Electrotechnical Commission [IEC] 61508, Functional Safety of Electrical/Electronic/Programmable Electronics Safety-Related Systems (Reference 4)).

RCI 7-15 For SHINE FSAR Section 7.4.5.4.5, confirm that the core logic for the HIPS modules will be used as safety-related pre-developed HIPS components in the TRPS and ESFAS design. The TRPS and ESFAS applications will use the latest approved version of the HIPS modules for their development and any changes will be tracked under their development project.

SHINE Response SHINE confirms that the information related to core logic for the HIPS modules and the applications of TRPS and ESFAS described in Subsection 7.4.5.2.4 of the FSAR is accurate.

Page 7 of 8

RCI 7-16 For SHINE FSAR Section 7.4.5.4.5, confirm this includes the results of the HIPS core logic development project RCI-940 performed by Rock Creek Innovations (RCI). Model based development and verification tools are being used by RCI for developing the FPGA programable logic for HIPS core modules, and the TRPS and ESFAS applications. Model based software development tools are used to develop time-based block diagrams and event-based state machines SHINE Response SHINE confirms that the information related to the HIPS core logic development project RCI-940 by Rock Creek Innovations and the model-based development and verification tools being used by Rock Creek Innovations for developing the field programmable gate array (FPGA) programmable logic described in Subsection 7.4.5.4.5 of the FSAR is accurate.

References

1. NRC electronic mail to SHINE Technologies, LLC, SHINE Medical Technologies, LLC -

Request for Confirmatory Information Related to Instrumentation and Control Systems (EPID No. L-2019-NEW-0004), dated November 10, 2022

2. SHINE Medical Technologies, LLC letter to the NRC, SHINE Medical Technologies, LLC Application for an Operating License, dated July 17, 2019 (ML19211C143)
3. Institute of Electrical and Electronics Engineers, Standard for Software Verification and Validation, IEEE-1012-2004, New York, NY
4. International Electrotechnical Commission, Functional Safety of Electrical/Electronic/Programmable Electronics Safety-Related Systems, IEC 61508, Geneva, Switzerland Page 8 of 8
Retrieved from "https://kanterella.com/w/index.php?title=ML22318A178&oldid=3522096"