Text

From:

Michael Balazik To:

Jeffrey Bartelme Cc:

Josh Borromeo; Holly Cruz

Subject:

RCI For Chapter 7, Instrumentation and Control Date:

Thursday, November 10, 2022 7:28:00 PM Dr. Gregory Piefer Chief Executive Officer SHINE Technologies, LLC 3400 Innovation Court Janesville, WI 53546

SUBJECT:

SHINE MEDICAL TECHNOLOGIES, LLC - REQUEST FOR CONFIRMATORY INFORMATION RELATED TO INSTRUMENTATION AND CONTROL SYSTEMS (EPID NO. L-2019-NEW-0004)

Dear Dr. Piefer:

By letter dated July 17, 2019 (Agencywide Documents Access and Management System Accession No. ML19211C044), as supplemented, SHINE Medical Technologies, LLC (SHINE) submitted to the U.S. Nuclear Regulatory Commission (NRC) an operating license application for its proposed SHINE Medical Isotope Production Facility in accordance with the requirements contained in Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities.

During the NRC staffs review of SHINEs operating license application, questions have arisen for which confirmatory information is needed. The enclosed request for confirmatory information (RCI) identifies information needed for the NRC staff to continue its review of the SHINE final safety analysis report, submitted in connection with the operating license application, and prepare a safety evaluation report. The specific technical area of the SHINE operating license application covered by these RCIs is Chapter 7, Instrumentation and Control Systems.

It is requested that SHINE provide responses to the enclosed RCI within 30 days from the date of this letter. To facilitate a timely and complete response to the enclosed RCI, the NRC staff is available to meet with SHINE to clarify the scope of information and level of detail expected to be included in the RCI response. SHINE may coordinate the scheduling and agendas for any such meetings with the responsible project manager assigned to this project.

In accordance with 10 CFR 50.30(b), Oath or affirmation, SHINE must execute its response in a signed original document under oath or affirmation. The response must be submitted in accordance with 10 CFR 50.4, Written communications. Information included in the response that is considered sensitive or proprietary, that SHINE seeks to have withheld from the public, must

be marked in accordance with 10 CFR 2.390, Public inspections, exemptions, requests for withholding. Any information related to safeguards should be submitted in accordance with 10 CFR 73.21, Protection of Safeguards Information: Performance Requirements. Following receipt of the confirmatory information, the NRC staff will continue its evaluation of the subject chapters and technical areas of the SHINE operating license application.

As the NRC staff continues its review of SHINEs operating license application, additional RCIs for other chapters and technical areas may be developed. The NRC staff will transmit any further questions to SHINE under separate correspondence.

If SHINE has any questions, or needs additional time to respond to this request, please contact me at 301-415-2856, or by electronic mail at Michael.Balazik@nrc.gov.

OFFICE OF NUCLEAR REACTOR REGULATION REQUEST FOR CONFIRMATORY INFORMATION REGARDING OPERATING LICENSE APPLICATION FOR SHINE MEDICAL TECHNOLOGIES, LLC CONSTRUCTION PERMIT NO. CPMIF-001 SHINE MEDICAL ISOTOPE PRODUCTION FACILITY DOCKET NO. 50-608

By letter dated July 17, 2019 (Agencywide Documents Access and Management System Accession No. ML19211C044), as supplemented, SHINE Medical Technologies, LLC (SHINE) submitted to the U.S. Nuclear Regulatory Commission (NRC) an operating license application for its proposed SHINE Medical Isotope Production Facility in accordance with the requirements contained in Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities.

During the NRC staffs review of the SHINE operating license application, and the review of documents during the audit, questions have arisen for which confirmatory information is needed. This request for confirmatory information (RCI) identifies information needed for the NRC staff to continue its review of the SHINE final safety analysis report (FSAR), submitted as part of the operating license application, and prepare a safety evaluation report. Specific chapters and technical areas of the SHINE operating license application covered by this RCI include the following:

Chapter 7, Instrumentation and Control Systems Applicable Regulatory Requirements and Guidance Documents Section 50.34, Contents of applications; technical information, paragraph (b) of 10 CFR states, in part, that [t]he final safety analysis report shall include information that describes the facility, presents the design bases and the limits on its operation, and presents a safety analysis of the structures, systems, and components and of the facility as a whole. Section 50.34, subparagraph (b)(4) of 10 CFR states, in part, that final analysis and evaluation of the design and performance of structures, systems, and components with the objective stated in paragraph (a)(4) of this section and taking into account any pertinent information developed since the submittal of the preliminary safety analysis report.

RCI 7-1 For the hard-wired modules described in SHINE FSAR Section 7.4.1, System Description, confirm the following the following information:

Section 3.1.1, Independence of TECRPT-2019-0048, Rev. 5, TRPS System Design Description, states that hard-wired submodules (HW-SB) on the SBVMs are used for signals between TRPS Division A to ESFAS Division A or between TRPS Division B to ESFAS Division B (for actuations impacting both systems), which are processed using unidirectional communications type cables via divisional raceways / wireways.

RCI 7-2 For the equipment interface module described in SHINE FSAR Section 7.4.1, confirm the following information:

Section 3.1, System Architecture of TECRPT-2019-0048, Rev. 5, TRPS System Design Description and TECRPT-2020-0002, Engineered Safety Features Actuation System Design Description, state that an EIM is included in each actuation division (Divisions A and B) for each component actuated by the TRPS and ESFAS. Each

EIM has two separate logic paths to allow for connection to separate actuated components. Each component is connected to two separate EIMs, resulting in two EIMs providing redundant control to each component as shown in Figure 3-6, Equipment Interface Module Configuration. This allows an EIM to be taken out of service and replaced online without actuating the connected equipment.

RCI 7-3 For HIPS modules electrical independence in SHINE FSAR Section 7.4.5.2.1, Independence, confirm the following information:

RCI-942-1000-61001, EMC and Isolation Qualification Report for HIPS Platform EQTS, Rev. 0, Section 4 of this test report concludes that isolation testing of the HIPS modules meets the requirements as specified in Section 4.6.4 of EPRI TR-107330, Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants, dated December 1996.

RCI 7-4 For redundancy in the TRPS and ESFAS design described in SHINE FSAR Section 7.4.5.2.2, Redundancy, confirm the following the following information:

For SHINE TECRPT-2019-0031, Revision 3, TRPS and ESFAS Single Failure Analysis, that the scope of this single failure assessment applies to the sense and command and execute features of the TRPS and ESFAS used for safety-related functions. The actuation devices (e.g., solenoids and valve actuators) are not included in the scope of this analysis except to establish that the actuated systems include independent, redundant means of completing safety functions. Equipment feedback such as valve position is considered if used for an input to a safety function.

RCI 7-5 For redundancy in the TRPS and ESFAS design described in SHINE FSAR Section 7.4.5.2.2, confirm the following information:

SHINE TECRPT-2019-0031, Revision 3, applied the following definition of single-failure to the TRPS and ESFAS:

The TRPS and ESFAS shall perform their required functions, for a design basis event, in the presence of the following:

Any single detectable failures within the TRPS or ESFAS concurrent with all identifiable, but nondetectable failures All failures cause by the single failure All failures and spurious system actions that cause, or are caused by, the design basis event requiring the safety functions.

RCI 7-6 For TRPS and ESFAS design criteria as described in SHINE FSAR Sections 7.4.2.2, TRPS System Design Criteria, and 7.5.2.2, ESFAS System Design Criteria, confirm the following information:

The conclusions of SHINE TECRPT-2019-0031, Revision 3, are as follows:

For functions that require 1-out-of-2 voting, a single failure of a single measurement channel or process interface division will not prevent a protective actuation when required. For functions that require 2-out-of-3 voting, a single failure of a single measurement channel or process interface division with another channel or process interface division out-of-service will not prevent a protective actuation when required and will not cause a spurious TRPS or ESFAS actuation when it is not required.

The single failure criterion is satisfied for all potential failures of an instrument channel.

For TRPS and ESFAS functions with 1-out-of-2 voting, the protective action will be initiated if one of the two channels vote to trip. If one of the two channels fail such that it will not produce a trip, the remaining channel can initiate the required protective action. The only TRPS protective actions with 1-out-of-2 voting are for the IU Cell Safety Actuation and Fill Stop based on the TSV Fill Valve Fully Closed inputs.

The TSV Fill Valve position signals input is received into HWMs, which cannot be placed OOS by design. Administrative controls are required on ESFAS input channels for 1-out-of-2 voting functions which do not allow them to be placed OOS in order to satisfy the single failure criterion.

For TRPS and ESFAS functions with 2-out-of-3 voting, the protective action will be initiated if two of the three channels vote to trip. In the 2-out-of-3 configuration, the single failure criterion is satisfied for all potential failures of an instrument channel with a redundant channel OOS with its respective trip/bypass switch in the trip position. There is a need for administrative controls on components which are placed OOS. The TRPS and ESFAS satisfy the single failure criterion with administrative controls on OOS conditions.

For the TRPS permissives derived from two process interface inputs, administrative controls not allowing bypass of any input channels associated with the permissive are required to satisfy the single failure criterion.

RCI 7-7 For the TRPS and ESFAS response times described in SHINE FSAR Section 7.4.5.2.3, Predictability and Repeatability confirm the following information:

Subsection 4.1, System Response Time of TECRPT-2019-0048, Revision 5, TRPS System Design Description, states that total response time includes the Analog Input Delay, SFM Logic Delay, t1, t2, EIM Logic Delay, and the Analog Output Delay times. The response times of instrumentation is manufacturer and instrumentation loop dependent. The final design testing of the TRPS platform (during factory acceptance testing and site acceptance testing) will better define the actual response time.

RCI 7-8 For the reliability of PICS as described in SHINE FSAR Section 7.6.4.5, Reliability, confirm the following:

The SHINE safety analysis methodology uses process hazards analysis (PHA) methods appropriate to the system or process being analyzed, including HAZOPs, FMEAs, and What-If/Checklist, to identify the necessary inputs to the safety systems (i.e., TRPS and ESFAS) to identify potentially unsafe conditions. These PHA methods are generally focused on the consequences of process deviations and how those deviations can be detected independent of cause. Those variables that need to be monitored to detect process deviations that could lead to undue risk are the monitored variables in TRPS and ESFAS. Therefore, any unsafe conditions caused by PICS would be identified by the TRPS and ESFAS monitored variables and the appropriate safety actuation would be initiated. The FMEA for ESFAS and TRPS evaluates the infaces with PICS for any direct impacts and ensures that no failures within the PICS system could directly impact the ability of TRPS or ESFAS to perform their functions.

RCI 7-9 For SHINE defense-in-depth assessment as described in FSAR Section 7.4.5.2.4, Diversity, confirm the following:

The report states that for the SHINE design, four echelons of defense identified in NUREG/CR-6303 are modified and summarized as follows:

Control System - The control system echelon usually consists of equipment that is used in the normal operation and routinely prevents operations in unsafe operational regimes.

Reactor Trip Echelon - The reactor trip echelon consists of equipment designed to prevent escalation of an event. The reactor trip echelon spans across both TRPS and ESFAS.

Engineered Safety Features Actuation System - The ESF echelon (which should not be confused with the SHINE ESFAS) consists of equipment that mitigates design basis events. The ESF echelon spans across both TRPS and ESFAS.

Monitoring and Indicator System - The monitoring and indicator system echelon consists of sensors, safety parameter displays, data communication systems, and independent manual controls relied upon by operators to respond to operating events.

RCI 7-10 For SHINE defense-in-depth assessment as described in FSAR Section 7.4.5.2.4, Diversity, confirm the following:

TECRPT-2019-0041 presents the following conclusions, in part:

Potential digital-based common cause failure within Safety Block I or Safety Block II may lead to spurious initiation of protective actions within TRPS and ESFAS without adverse impacts to safety. There are no potential Type 2 digital-based common cause failure, failures that do not directly cause transients but are undetected until environmental effects or physical equipment failures cause a transient or design basis accident to which protective equipment may not respond, within Safety Block I, II, or II that may lead to failure of initiating protective actions for any AOO or PA. At least two other Safety Blocks remains functional which can result in automatic alarms within the Monitoring and Indication block due to parameters deviating by a predefined amount. The PICS block will continue to monitor, alarm, and attempt to automatically correct parameter deviations. In addition, the operator always retains the capability to manually initiate all protective actions as needed.

A digital-based common cause failure of radiation detector sets may lead to spurious actuations with production impacts without adverse safety impacts.

A digital-based common cause failure of any radiation detector may cause failure to initiate protective actions; however, for each set, there exists alternate means for either the operator to identify, initiate and assess protective actions, or alternate automatic means of mitigating events.

RCI 7-11 For SHINE FSAR Figure 7.4-3, TRPS and ESFAS Programmable Logic Lifecycle Process, confirm that the Test Plans are not included in the Requirements Phase.

RCI 7-12 For SHINE defense-in-depth assessment as described in FSAR Section 7.4.5.2.4, Diversity, confirm the following:

The D3 assessment is based on the following factors:

SECY-93-087, two principal factors for defense against common cause failures are the use of quality and diversity; Safety-related TRPS and ESFAS are designed and manufactured under a prescribed quality assurance program that provides protection from items such as manufacturing errors and design deficiencies; Digital-based common cause failures in TRPS and ESFAS are considered credible but beyond design basis; and BTP 7-19, a diversity strategy is used by combining diversity attributes to make an overall case for eliminating digital-based common cause failures in TRPS and ESFAS from further

consideration.

RCI 7-13 For SHINE defense-in-depth assessment as described in FSAR Section 7.4.5.2.4, Diversity, confirm the following:

Digital technology-based sensors in this D3 assessment are radiological ventilation zone, irradiation unit cell exhaust radiation, RCA exhaust radiation, and supercell area exhaust radiation, which are evaluated for digital common cause failure based anomalous readings. Each TRPS has three radiation detectors while ESFAS has twenty-seven radiation detector inputs. In total, the SHINE facility has fifty-one safety-related digital-based radiation detectors.

RCI 7-14 For SHINE FSAR Section 7.4.5.4.5 Verification and Validation, confirm that a set of Software Integrity Level (SIL) certified model based software development tool sets tools are being used by the vendor in performing the V&V of the TRPS and ESFAS programmable logic design.

RCI 7-15 For SHINE FSAR Section 7.4.5.4.5, confirm that the core logic for the HIPS modules will be used as safety-related pre-developed HIPS components in the TRPS and ESFAS design. The TRPS and ESFAS applications will use the latest approved version of the HIPS modules for their development and any changes will be tracked under their development project.

RCI 7-16 For SHINE FSAR Section 7.4.5.4.5, confirm this includes the results of the HIPS core logic development project RCI-940 performed by Rock Creek Innovations (RCI). Model based development and verification tools are being used by RCI for developing the FPGA programable logic for HIPS core modules, and the TRPS and ESFAS applications. Model based software development tools are used to develop time-based block diagrams and event-based state machines.

Michael Balazik Project Manager/Inspector Non-Power Production and Utilization Facility Licensing Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Michael.Balazik@nrc.govl Tel: (301) 415-2856