ML22347A177


Shine Technologies LLC - Regulatory Audit Report for Programmable Logic Lifecycle
ML22347A177
Person / Time
Site: SHINE Medical Technologies
Issue date: 12/14/2022
From: Michael Balazik
NRC/NRR/DANU/UNPL
To: Piefer G
SHINE Technologies
References
Construction Permit No. CPMIF-001, EPID L-2019-NEW-0004


Text

December 14, 2022

Dr. Gregory Piefer
Chief Executive Officer
SHINE Technologies, LLC
3400 Innovation Court
Janesville, WI 53546

SUBJECT:

SHINE TECHNOLOGIES, LLC REGULATORY REPORT ON THE AUDIT OF PROGRAMMABLE LOGIC LIFECYCLE DESCRIBED IN OPERATING LICENSE APPLICATION (EPID NO. L-2019-NEW-0004)

Dear Dr. Piefer:

By letter dated July 17, 2019 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19211C044), SHINE Medical Technologies, LLC (SHINE) submitted its application for an operating license.

Enclosed is a report on the regulatory audit conducted by staff of the U.S. Nuclear Regulatory Commission (NRC) in connection with its review of the application, specifically the review of the highly integrated protection system programmable logic lifecycle described in chapter 7, "Instrumentation and Control Systems," of the SHINE Medical Technologies, LLC operating license application. This regulatory audit was held to close technical gaps identified during the review of chapter 7.

The audit report does not make any licensing conclusions or findings, but it is part of the administrative record of the NRC staff's review of the application and may provide information supporting the NRC staff's safety evaluation. The audit followed the plan provided by letter dated August 8, 2022 (ADAMS Accession No. ML22216A112), unless otherwise noted in the enclosed report. The enclosed report constitutes the final report on the audit and provides a closure path for each of the identified open technical items.

If you have any questions, please contact me at (301) 415-2856, or by electronic mail at Michael.Balazik@nrc.gov.

Sincerely,

Michael Balazik, Project Manager
Non-Power Production and Utilization Facility Licensing Branch
Division of Advanced Reactors and Non-Power Production and Utilization Facilities
Office of Nuclear Reactor Regulation

Docket No. 50-608
Construction Permit No. CPMIF-001

Enclosure:
As stated

cc: See next page

Digitally signed by Michael F. Balazik

SHINE Medical Technologies, LLC
Docket No. 50-608

cc:

Jeff Bartelme
Licensing Manager
SHINE Technologies, LLC
3400 Innovation Court
Janesville, WI 53546

Nathan Schleifer
General Counsel
SHINE Technologies, LLC
3400 Innovation Court
Janesville, WI 53546

Christopher Landers
Director, Office of Conversion
National Nuclear Security Administration, NA 23
U.S. Department of Energy
1000 Independence Ave SW
Washington, DC 20585

Mark Paulson, Supervisor
Radiation Protection Section
Wisconsin Department of Health Services
P.O. Box 2659
Madison, WI 53701-2659

Test, Research and Training Reactor Newsletter
Attention: Amber Johnson
Dept of Materials Science and Engineering
University of Maryland
4418 Stadium Drive
College Park, MD 20742-2115

Mark Freitag
City Manager
P.O. Box 5005
Janesville, WI 53547-5005

Bill McCoy
1326 Putnam Avenue
Janesville, WI 53546

Alfred Lembrich
541 Miller Avenue
Janesville, WI 53548

ML22347A177 NRR-106

OFFICE: NRR/DANU/PM | NRR/DANU/BC | NRR/DANU/PM
NAME: MBalazik | JBorromeo | MBalazik
DATE: 12/14/2022 | 12/14/2022 | 12/14/2022

Enclosure

OFFICE OF NUCLEAR REACTOR REGULATION
REGULATORY AUDIT PLAN REGARDING PROGRAMMABLE LOGIC LIFECYCLE
OPERATING LICENSE APPLICATION
SHINE TECHNOLOGIES, LLC
DOCKET NO. 50-608

Location: Virtually and in-person at Rock Creek Innovations' facilities in New Strawn, Kansas

Dates:
August 9, 2022, from 8:00am to 5:30pm (Central Time)
August 10, 2022, from 8:00am to 5:30pm
August 11, 2022, from 8:00am to 11:00am

Audit Team Members:
Dinesh Taneja (NRR/DEX) - Audit Team Leader
Norbert Carte (NRR/DEX) - Technical Reviewer, virtual
Michael Waters (NRR/DEX) - Observer
Steve Ruffin (NRR/DEX) - Observer
Michael Balazik (NRR/DANU) - Observer, virtual

Licensee Representatives:
Jeff Bartelme, SHINE Technologies, LLC (SHINE), et al.

Background

By letter dated July 17, 2019 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19211C044), SHINE submitted its application for an operating license.

This report summarizes the regulatory audit conducted by staff of the NRC on August 9, 2022 - August 11, 2022, and provides a closure path for each of the Audit Topics and Questions.

This audit was conducted in connection with the NRC staff's review of the application. The audit report does not make any licensing conclusions or findings, but it is part of the administrative record of the NRC staff's review of the application and may provide information supporting the NRC staff's safety evaluation. The audit followed the plan provided by letter dated August 8, 2022 (ADAMS Accession No. ML22216A112), unless otherwise noted in this report.

Regulatory Bases for the Audit

The purpose of the audit was to close technical gaps identified during the review of chapter 7, Instrumentation and Control Systems. The licensee's proposed instrumentation and control systems are being reviewed in accordance with the applicable regulatory requirements of Title 10 of the Code of Federal Regulations Part 50, "Domestic Licensing of Production and Utilization Facilities," and applicable guidance provided in NUREG-1537, "Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors," Part 1, "Format and Content," and Part 2, "Standard Review Plan and Acceptance Criteria" (ADAMS Accession Nos. ML042430055 and ML042430048, respectively).

Audit Activities

The following activities were performed during the audit:

1. Entrance Meeting

At the entrance meeting on August 9, 2022, the NRC staff explained the scope and desired outcomes for the audit. The NRC staff stated that after completion of the audit, an audit report would be prepared and sent to SHINE.

2. Review of Audit Topics and Questions

This audit was held to: (1) gain a better understanding of information underlying the application in the area of the highly integrated protection system (HIPS) programmable logic lifecycle within chapter 7, Instrumentation and Control Systems; (2) identify specific information that will require docketing to support the basis of the licensing or regulatory decision; and (3) close open technical items or identify a closure path for the items in the Audit Topics and Questions section of the audit plan. Closure paths for the Audit Topics and Questions provided in the audit plan are noted in this enclosure.

The audit addressed updates to the SHINE final safety analysis report (FSAR) in the area of the HIPS programmable logic lifecycle, provided in chapter 7. The audit also addressed additional information and FSAR revisions provided for other systems. Therefore, any additional information identified from the audit that is needed to address a regulatory finding has been documented in this audit report. As outlined in the audit plan, the following topics described in FSAR Sections 7.4.2.2.2, 7.4.5.4, and 7.5.2.2.2 were addressed in the audit:

- Software Verification and Validation (V&V)
- Configuration Management
- Quality Assurance
- Software Safety
- Secure Development Environment

As discussed in the audit plan, the NRC staff conducted document reviews using the electronic reading room as part of the audit. The NRC staff provided a list of the documents to be reviewed in its audit plan. The NRC staff did not review any additional documents in the electronic reading room beyond those listed.

3. Exit Briefing

An exit briefing was held on August 11, 2022. During this exit briefing, the audit team restated the purpose of the audit, recapped the closure paths of the audit items, and highlighted areas where additional information may be warranted. It was noted that during the audit, SHINE had stated that it would provide supplemental information on the docket to address additional information needs identified by the NRC staff. Based on SHINE providing this supplemental information to address information needs identified by the NRC staff, the NRC staff considers the audit items provided in the audit plan closed. However, the NRC staff noted that it is still continuing its review of the SHINE operating license application, including the supplemental information, and that additional audits may be necessary. No disagreements with the audit summary were noted by the licensee during the exit briefing.

Audit Session: August 9, 2022 - August 11, 2022

The objective of this audit was to verify that the highly integrated protection system (HIPS) programmable logic lifecycle platform requirements for implementing target solution vessel reactivity protection system (TRPS) and engineered safety features actuation system (ESFAS) functional and regulatory requirements are in accordance with the SHINE final safety analysis report (FSAR) and related docketed information. To this end, the scope of the audit included the requirements phase of the HIPS programmable logic (PL) development activities. Concurrent with the TRPS and ESFAS system development project (SMT-016), the vendor is performing a PL lifecycle process for the HIPS core logic to develop HIPS components for the TRPS/ESFAS design. The HIPS core logic project (RCI-940, a project of the vendor, Rock Creek Innovations (RCI)) is being conducted independently of the TRPS and ESFAS PL development project. The purpose of the HIPS core logic project is to formally develop HIPS modules/components for safety-related applications. SHINE TRPS and ESFAS are the first safety-related applications of the HIPS platform. Successful completion of the HIPS core logic project will result in pre-developed HIPS components, a TRPS and ESFAS planning phase activity, as depicted in figure 7.4-3 of the SHINE FSAR. Therefore, the scope of this audit included the RCI-940 project conceptual/planning and requirements phases. This audit also evaluated the project requirements traceability matrix, configuration management, and secure development environment.

Planning Phase

SHINE procurement and technical documents are inputs to the planning phase. This includes the results of the HIPS core logic development project RCI-940 performed by Rock Creek Innovations (RCI). A model-based development and verification tool set from MathWorks is being used by RCI for developing the field-programmable gate array (FPGA) PL for the HIPS core modules and for the TRPS and ESFAS applications. Simulink is a software package that enables the user to model, simulate, and analyze digital systems. Stateflow is an environment for modeling and simulating decision logic in the form of state transition diagrams, which are graphical representations of a finite state machine. HDL Coder from MathWorks is a software package that generates synthesizable hardware description language (VHDL or Verilog) code from Simulink and Stateflow models for FPGA platforms. These MathWorks software tools are certified by TÜV SÜD, a third-party certifying body, for developing safety-related software according to the International Electrotechnical Commission (IEC) 61508 standard for any safety integrity level (SIL). RCI is using the Simulink modeling guidelines for high-integrity systems for developing models and generating code using model-based design.

These guidelines provide model settings, block usage, and block parameter considerations for creating models that are complete, unambiguous, statically deterministic, robust, and verifiable.

Model-based software development is used to develop time-based block diagrams and event-based state machines. The use of these tools was audited, and the NRC staff confirmed that they were appropriate for modeling and verification of the FPGA PL for the HIPS core modules.

RCI's project verification and validation (V&V) plan for the system development is adapted for FPGA technology from the guidance in Institute of Electrical and Electronics Engineers (IEEE) Standard 1012-2004. The V&V activities are commensurate with the expectations for a SIL 2 classification. The specific validation process is described in the HIPS platform V&V plan. The NRC staff audited the V&V of the core PL developed for the HIPS modules, including the summary reports for the conceptual and requirements phases. The NRC staff confirmed that the vendor is applying a reasonable V&V process for the core logic, consistent with IEEE Standard 1012-2004, including the incorporation of specific software logic into the core logic, consistent with the requirement specifications provided for TRPS and ESFAS. The NRC staff confirmed that the vendor has completed the conceptual and requirements phases for development of the core logic for the HIPS modules. The TRPS and ESFAS applications will use the latest approved version of the HIPS modules for their development, and any changes will be tracked under their development project.

Request for confirmatory information (RCI) 7-15 was initiated to confirm that the core logic for the HIPS modules will be used as safety-related pre-developed HIPS components in the TRPS and ESFAS design.

The NRC staff audited the planning phase of the TRPS and ESFAS PL development lifecycle activities. In the RCI system design control procedure, the planning phase activities described in the FSAR are performed in RCI's planning and system concept phases. During the planning phase, RCI reviewed the SHINE procurement requirement specifications and design input documents, and identified the design output documents and data required by the SHINE contract.

During the system concept phase, RCI generated a system requirements specification (SyRS) defining the system design requirements in detail, and a system design specification (SyDS) defining the system design details. During the audit, the NRC staff confirmed that the vendor implemented similar planning documents for this phase consistent with SHINE FSAR section 7.4.5.4.1. RCI performed the following V&V tasks during the concept phase:

- System requirements review
- Concept documentation evaluation
- Criticality analysis
- Traceability analysis
- Management review of the V&V effort

RCI's planning/concept phase for the TRPS and ESFAS development activities is similar to the planning phase activities outlined in SHINE FSAR section 7.4.5.4.2.1. During the audit, the NRC staff confirmed that RCI's TRPS and ESFAS planning and concept phase development activities are consistent with the development process defined in SHINE FSAR sections 7.4.5.4.2.1 and 7.4.5.4.2.2.

Requirements Phase

The NRC staff audited the PL requirements phase of the TRPS and ESFAS development lifecycle activities. According to RCI's system design control procedure, a TRPS and ESFAS system PL requirements specification (PLRS) is developed that translates the programmable logic requirements from the conforming specifications into project-specific design requirements.

The PLRS is organized consistent with the guidance in IEEE Standard 830-1998. The vendor performed the following V&V tasks during the PL requirements phase:

- Evaluation of PL/software requirements for each HIPS module used in the TRPS and ESFAS architecture
- Traceability analysis
- Interface analysis
- Management review of the V&V effort

During the audit, the NRC staff noted that RCI identified several anomalies while performing V&V of the requirements phase. The V&V summary report recommends proceeding to the next development phase and requires dispositioning of the anomalies before completion of the PL design phase. The NRC staff sampled a number of key anomalies and did not identify any significant issues that would prevent proceeding to the next development phase.

The NRC staff noted a discrepancy between SHINE FSAR figure 7.4-3 and RCI's system design control procedure. The SHINE FSAR figure shows development of the test plans during the requirements phase, whereas RCI's procedure calls for developing the test plans during the design phase. RCI 7-11 was initiated for resolution of this discrepancy in FSAR figure 7.4-3.

From the results of this audit, the NRC staff concluded that RCI's TRPS and ESFAS PL requirements phase development activities are consistent with the development process defined in SHINE FSAR section 7.4.5.4.2.2.

Project Requirements Traceability Matrix

During the audit, the NRC staff noted that the TRPS and ESFAS system requirements specification is generated using a MATLAB requirement set that identifies unique requirement IDs, basis, requirement allocation, and model links. The TRPS and ESFAS PLRS is subsequently generated using a separate MATLAB requirement set. The system requirement traceability matrix is used to generate comprehensive validation test procedures that ensure that each requirement is adequately tested and meets the system requirements. As noted above, a PL V&V traceability analysis was performed for both the planning/conceptual and requirements phases. For the conceptual phase, the TRPS and ESFAS system requirements specification was used for the V&V traceability analysis; for the requirements phase, the V&V traceability analysis focused on the links from the PLRS requirement sets to the system requirement specification. Results of these V&V traceability analyses identified a number of anomalies and observations. The NRC staff sampled some key anomalies and did not identify any significant issues that would prevent proceeding to the next development phase.
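The traceability analysis described above, as an added example that is not RCI's or SHINE's tooling: two requirement sets are checked in both directions, from each PL requirement back to a real system requirement and a model element, and from each PL-allocated system requirement forward to at least one PL requirement. The field layout (unique ID, basis, allocation, links, model links) is an assumption modelled on the fields the report names; the requirement IDs, texts and anomaly codes are constructed. The classes of finding it reports are the ones the anomaly reports listed later in this document describe (missing links from the SyRS, requirement sets missing model links).

```python
"""Requirements traceability analysis between a system requirement set (SyRS)
and a programmable logic requirement set (PLRS).

Added example; not RCI's or SHINE's tooling. The Requirement layout is an
assumption modelled on the fields the audit report names (unique ID, basis,
allocation, model links); the sample requirements and anomaly codes are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str              # unique requirement ID, e.g. "SYS-001" (assumed format)
    text: str
    basis: str = ""          # source of the requirement (document and clause)
    allocation: str = ""     # element the requirement is allocated to: "PL", "HW", ...
    links: tuple = ()        # IDs of the parent requirements this one derives from
    model_links: tuple = ()  # model elements claimed to implement it (assumed naming)


def analyze_traceability(syrs, plrs):
    """Return (matrix, anomalies).

    matrix maps each SyRS ID to the PLRS IDs that trace to it; this is the shape
    a validation test procedure is generated from, so an empty row for a
    PL-allocated requirement means that requirement would never be tested.
    anomalies is a list of (code, requirement_id, message) tuples.
    """
    syrs_by_id = {r.req_id: r for r in syrs}
    matrix = {r.req_id: [] for r in syrs}
    anomalies = []

    # Requirement IDs must be unique across both sets or links are ambiguous.
    all_ids = [r.req_id for r in syrs] + [r.req_id for r in plrs]
    for dup in sorted({i for i in all_ids if all_ids.count(i) > 1}):
        anomalies.append(("DUPLICATE_ID", dup, "requirement ID is not unique"))

    # Backward traceability: every PL requirement must derive from an existing
    # system requirement and must point at the model element implementing it.
    for pl in plrs:
        if not pl.links:
            anomalies.append(("ORPHAN", pl.req_id,
                              "PL requirement traces to no system requirement"))
        for parent in pl.links:
            if parent in matrix:
                matrix[parent].append(pl.req_id)
            else:
                anomalies.append(("DANGLING", pl.req_id,
                                  f"links to unknown SyRS requirement {parent}"))
        if not pl.model_links:
            anomalies.append(("NO_MODEL_LINK", pl.req_id,
                              "requirement set is missing a model link"))

    # Forward traceability: every system requirement allocated to PL needs at
    # least one PL requirement, otherwise it is unimplemented and untested.
    for sys_id, children in matrix.items():
        if syrs_by_id[sys_id].allocation == "PL" and not children:
            anomalies.append(("UNTRACED", sys_id,
                              "PL-allocated system requirement has no PLRS link"))
    return matrix, anomalies


# Constructed sample requirement sets (not taken from the SHINE/RCI documents).
SYRS = (
    Requirement("SYS-001", "sample trip function A", basis="SyRS 3.1", allocation="PL"),
    Requirement("SYS-002", "sample actuation function B", basis="SyRS 3.2", allocation="PL"),
    Requirement("SYS-003", "sample cabinet qualification", basis="SyRS 4.1", allocation="HW"),
    Requirement("SYS-004", "sample self-test function", basis="SyRS 3.5", allocation="PL"),
)
PLRS = (
    Requirement("PL-001", "implements A", links=("SYS-001",), model_links=("Model/BlockA",)),
    Requirement("PL-002", "implements B", links=("SYS-002",)),                 # no model link
    Requirement("PL-003", "implements ?", links=("SYS-099",),
                model_links=("Model/BlockC",)),                                # dangling link
    Requirement("PL-004", "heartbeat", model_links=("Model/Heartbeat",)),      # orphan
)

if __name__ == "__main__":
    matrix, anomalies = analyze_traceability(SYRS, PLRS)
    for sys_id, children in matrix.items():
        print(f"{sys_id:8} -> {', '.join(children) or '(none)'}")
    for code, req_id, msg in anomalies:
        print(f"{code:14} {req_id:8} {msg}")
```

Run on the constructed sets, the matrix row for SYS-004 comes out empty and is reported as UNTRACED, while SYS-003 is not, because it is allocated to hardware rather than PL; the other three findings are a missing model link, a link to a nonexistent parent, and an orphan. In a real project the two requirement sets would be exported from the requirements tool rather than written as literals, and the anomaly list is what gets dispositioned before the design phase closes.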

Configuration Management

The NRC staff audited RCI's HIPS platform configuration management plan, which applies to the PL and hardware-related documentation developed for HIPS platform applications, to confirm the information in SHINE FSAR section 7.4.5.4.6. The NRC staff noted that the project configuration management plan (PCMP) was developed using guidance from Regulatory Guide (RG) 1.169, "Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," and IEEE Standard 828-2005, "Standard for Software Configuration Management Plans." The PCMP describes the use of TortoiseSVN, a Windows client for the Subversion (SVN) revision control system, for configuration item storage and management; the repository ensures that all files in the project are revision controlled and traceable. Version control, revision control, and baselining of the project configuration management process are achieved using SVN. During the PL development process, a design model in Simulink creates a file that is automatically assigned a version number by Simulink. The version number automatically increments when the model is saved. These version numbers are the basis for tracking configuration progress during development and are used to maintain configuration control of design models. Additionally, the PCMP describes the configuration management resources, which provides additional assurance of reasonable configuration management. The NRC staff confirmed that item storage and management, including version control, revision control, traceability, and baselining, were appropriately considered in the PCMP.
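As an added example, not RCI's PCMP tooling, the check a reviewer can run against a configuration record of the kind described above: take a baseline of (version, content hash) per configuration item, then compare a later working set against it and report items whose content changed without the version advancing, items whose version went backwards, items never baselined, and baselined items that went missing. The item names, versions and file contents are constructed; the "major.minor" version string is an assumption about the format of the model version attribute, and in practice the item list would come from the repository and the version from the model file rather than from literals.

```python
"""Baseline integrity check for configuration items under configuration control.

Added example; not RCI's PCMP tooling. Item names, versions and contents are
constructed, and the "major.minor" version string is an assumption about the
format of the auto-incremented model version attribute.
"""
import hashlib


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def version_key(version: str) -> tuple:
    """Order dotted versions numerically: "1.10" is newer than "1.9"."""
    return tuple(int(part) for part in version.split("."))


def take_baseline(items):
    """items: {name: (version, content bytes)} -> {name: (version, sha256 hex)}."""
    return {name: (version, digest(content)) for name, (version, content) in items.items()}


def check_against_baseline(baseline, working):
    """Compare a working set against a baseline; return (code, item, detail) findings.

    CHANGED            content differs and the version advanced: expected, but the
                       change still has to go through regression analysis
    MODIFIED_NO_BUMP   content differs but the version did not advance: the version
                       number no longer identifies the content
    VERSION_REGRESSED  version went backwards: a stale copy was checked in
    MISSING            a baselined item is absent from the working set
    UNCONTROLLED       an item is present but was never baselined
    """
    findings = []
    for name, (base_version, base_hash) in baseline.items():
        if name not in working:
            findings.append(("MISSING", name, f"baseline v{base_version} not in working set"))
            continue
        version, content = working[name]
        if digest(content) == base_hash:
            continue  # unchanged content; a re-save that only bumps the version is not a finding
        if version_key(version) > version_key(base_version):
            findings.append(("CHANGED", name,
                             f"v{base_version} -> v{version}; regression analysis required"))
        elif version_key(version) == version_key(base_version):
            findings.append(("MODIFIED_NO_BUMP", name, f"content changed but still v{version}"))
        else:
            findings.append(("VERSION_REGRESSED", name, f"v{base_version} -> v{version}"))
    for name in working:
        if name not in baseline:
            findings.append(("UNCONTROLLED", name, "present in working set but not baselined"))
    return findings


# Constructed sample: the byte strings stand in for model and document files.
BASELINE_ITEMS = {
    "HIPS_core_module.slx": ("1.9", b"core logic model, baseline"),
    "TRPS_application.slx": ("2.3", b"trps application model, baseline"),
    "ESFAS_application.slx": ("1.1", b"esfas application model, baseline"),
    "PL_requirements_spec.docx": ("0.4", b"plrs text, baseline"),
}
WORKING_ITEMS = {
    "HIPS_core_module.slx": ("1.10", b"core logic model, edited and saved"),  # bumped
    "TRPS_application.slx": ("2.3", b"trps application model, edited"),      # no bump
    "ESFAS_application.slx": ("1.0", b"esfas application model, old copy"),  # regressed
    "scratch_test_harness.slx": ("1.0", b"uncontrolled model"),              # never baselined
}  # PL_requirements_spec.docx is absent from the working set

BASELINE = take_baseline(BASELINE_ITEMS)

if __name__ == "__main__":
    for code, name, detail in check_against_baseline(BASELINE, WORKING_ITEMS):
        print(f"{code:18} {name:28} {detail}")
```

Two points the check makes explicit. First, a version number that increments on save only identifies content while every change is actually saved through the tool; the MODIFIED_NO_BUMP case is what an out-of-band edit to the file looks like, and the content hash catches it where the version alone would not. Second, version strings must be compared numerically per component, otherwise "1.10" sorts before "1.9" and a legitimate bump is reported as a regression.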

During the regulatory audit of the HIPS PL development lifecycle process, the following vendor documents were audited for addressing the audit topics:

Document No. | Title
RCI-980-8000-00000, Rev. 2 | SDE and IDN Security Plan
RCI-990-9200-40010, Rev. 1 | Programmable Logic Requirements Specification Development Procedure
RCI-990-9200-50011, Rev. 0 | Hardware Design Specification Development Procedure
RCI-990-9200-62000, Rev. 2 | Verification Process Procedure
RCI-990-9200-10009, Rev. 7 | System Design Control Procedure
RCI-990-9200-71000, Rev. 1 | Programmable Logic Modeling Standards
RCI-940-1000-10002, Rev. 1 | HIPS Platform Configuration Management Plan
RCI-940-1000-10003, Rev. 1 | HIPS Platform Verification and Validation Plan
RCI-940-1000-10004, Rev. 2 | HIPS Platform Equipment Qualification Plan
RCI-940-1000-10006, Rev. 2 | HIPS Platform Security Plan
RCI-940-1000-10010, Rev. 2 | HIPS Platform Requirement Specification
RCI-940-1000-10011, Rev. 5 | HIPS Platform Design Specification
RCI-940-1000-40000, Rev. 1 | HIPS Platform Library Programmable Logic Development Plan
RCI-940-1000-62010, Rev. 0 | System Concept Phase V&V Summary Report
RCI-940-1000-62020, Rev. 0 | Programmable Logic Requirement Phase V&V Summary Report
SMT-016-1000-10003, Rev. 3 | Project Verification and Validation Plan
SMT-016-1000-10005, Rev. 1 | Project Master Test Plan
SMT-016-1000-10010, Rev. 11 | System Requirement Specification
SMT-016-1000-62001, Rev. 0 | Criticality Analysis
SMT-016-1000-62002, Rev. 0 | System Requirements Review and Concept Documentation Evaluation Task Report
SMT-016-1000-62003, Rev. 0 | Recommendations from Management Review of the V&V Effort
SMT-016-1000-62004, Rev. 0 | Proposed/Baseline Change Assessment Task Report
SMT-016-1000-62005, Rev. 0 | Traceability Analysis
SMT-016-1000-62010, Rev. 0 | System Concept Phase V&V Summary Report
SMT-016-1000-62015, Rev. 1 | Programmable Logic Requirement Phase Traceability Analysis
SMT-016-1000-62020, Rev. 1 | Programmable Logic Requirement Phase V&V Summary Report
AR-00012-SMT-016-1000-61502 | TRPS and ESFAS FRS have missing links from the SyRS
AR-00013-SMT-016-1000-61502 | TRPS and ESFAS requirement set missing some model links
AR-00014-SMT-016-1000-61502 | Vague, conflicting, and missing user needs specified in TRPS and ESFAS FRS
AR-00015-SMT-016-1000-61502 | Vague, conflicting, missing, and inappropriate requirements found in SyRS
AR-00016-SMT-016-1000-61502 | TRPS and ESFAS SyDS general issues
AR-00017-SMT-016-1000-61502 | All digital elements requiring self-testing is too vague
AR-00018-SMT-016-1000-61502 | Lifecycle process is not clear when V&V design simulation occurs
DRR-00418-SMT-016-2100 ABC-40010, Rev. 0 | TRPS SFM1 ABC PLRS

Audit Topics and Questions:

During the audit, the NRC staff reviewed each of the audit topics and questions identified in the audit plan with the applicant and the vendor to verify that they were adequately addressed. This audit resulted in two requests for confirmatory information (RCI 7-11 and RCI 7-15), as noted above. The objectives of this audit, which included reviewing the conceptual/planning and requirements phases of the RCI-940 and SMT-016 projects, the requirements traceability matrix, configuration management, and the secure development environment, were achieved.

Recommendations for Follow-up Audits or Inspections:

Since the scope of this audit was limited to assuring that development activities of the SHINE TRPS and ESFAS PL and hardware have adequately captured all the applicable SHINE design and regulatory requirements, the NRC staff recommends the following subsequent audits or inspections. The purpose of these follow-up actions is to verify that the as-built HIPS platform for TRPS and ESFAS has been developed in accordance with the final safety evaluation report and satisfies the requirements for the operating license readiness assessment.

1. Audit or Inspect Resolutions of Anomalies identified during the TRPS and ESFAS development lifecycle
2. Audit or Inspect PL Regression Analysis of Modifications to PLRS and PLDS
3. Audit/Inspection of Factory Acceptance Testing (FAT) of HIPS Platform
4. Inspection of Site Acceptance Testing (SAT) of HIPS Platform
5. Inspect Regression Analysis of Modifications to TRPS or ESFAS during Installation and Start-up
6. Inspect Configuration Management of the TRPS and ESFAS PL and hardware