ML21172A195: Difference between revisions
=Text=
{{#Wiki_filter:July 1, 2021

Dr. Gregory Piefer, Chief Executive Officer
SHINE Medical Technologies, LLC
101 East Milwaukee Street, Suite 600
Janesville, WI 53545
==SUBJECT:==
SHINE MEDICAL TECHNOLOGIES, LLC - REQUEST FOR ADDITIONAL INFORMATION RELATED TO INSTRUMENTATION AND CONTROL SYSTEMS (EPID NO. L-2019-NEW-0004)
==Dear Dr. Piefer:==
By {{letter dated|date=July 17, 2019|text=letter dated July 17, 2019}} (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19211C044), as supplemented by letters dated November 14, 2019 (ADAMS Accession No. ML19337A275), March 27, 2020 (ADAMS Accession No. ML20105A295), August 28, 2020 (ADAMS Accession No. ML20255A027), | |||
November 13, 2020 (ADAMS Accession No. ML20325A026), December 10, 2020 (ADAMS Accession No. ML20357A084), December 15, 2020 (ADAMS Accession No. ML21011A264), | |||
and March 23, 2021 (ADAMS Accession No. ML21095A235), SHINE Medical Technologies, LLC (SHINE) submitted to the U.S. Nuclear Regulatory Commission (NRC) an operating license application for its proposed SHINE Medical Isotope Production Facility in accordance with the requirements contained in Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities. | |||
During the NRC staff's review of SHINE's operating license application, questions have arisen for which additional information is needed. The enclosed request for additional information (RAI) identifies information needed for the NRC staff to continue its review of the SHINE final safety analysis report, submitted in connection with the operating license application, and prepare a safety evaluation report. The specific chapter of the SHINE operating license application covered by this RAI is Chapter 7, Instrumentation and Control Systems.
It is requested that SHINE provide responses to the enclosed RAI within 60 days from the date of this letter. To facilitate a timely and complete response to the enclosed RAI, the NRC staff is available to meet with SHINE to clarify the scope of information and level of detail expected to be included in the RAI response and corresponding final safety analysis report update. SHINE may coordinate the scheduling and agendas for any such meetings with the responsible project manager assigned to this project. | |||
In accordance with 10 CFR 50.30(b), Oath or affirmation, SHINE must execute its response in a signed original document under oath or affirmation. The response must be submitted in accordance with 10 CFR 50.4, Written communications. Information included in the response that is considered sensitive or proprietary, that SHINE seeks to have withheld from the public, must be marked in accordance with 10 CFR 2.390, Public inspections, exemptions, requests for withholding. Any information related to safeguards should be submitted in accordance with 10 CFR 73.21, Protection of Safeguards Information: Performance Requirements. Following receipt of the additional information, the NRC staff will continue its evaluation of the subject chapters and technical areas of the SHINE operating license application.
As the NRC staff continues its review of SHINE's operating license application, additional RAIs for other chapters and technical areas may be developed. The NRC staff will transmit any further questions to SHINE under separate correspondence.
If SHINE has any questions, or needs additional time to respond to this request, please contact me at 301-415-1524, or by electronic mail at Steven.Lynch@nrc.gov. | |||
Sincerely, Signed by Lynch, Steven on 07/01/21 Steven T. Lynch, Senior Project Manager Non-Power Production and Utilization Facility Licensing Branch Division of Advanced Reactors and Non-Power Production and Utilization Facilities Office of Nuclear Reactor Regulation Docket No. 50-608 Construction Permit No. CPMIF-001 | |||
==Enclosure:== | |||
As stated cc: See next page | |||
SHINE Medical Technologies, LLC Docket No. 50-608 cc: | |||
Jeff Bartelme Licensing Manager SHINE Medical Technologies, LLC 101 East Milwaukee Street, Suite 600 Janesville, WI 53545 Nathan Schleifer General Counsel SHINE Medical Technologies, LLC 101 East Milwaukee Street, Suite 600 Janesville, WI 53545 Christopher Landers Director, Office of Conversion National Nuclear Security Administration, NA 23 U.S. Department of Energy 1000 Independence Avenue, SW Washington, DC 20585 Mark Paulson Supervisor Radiation Protection Section Wisconsin Department of Health Services P.O. Box 2659 Madison, WI 53701-2659 Test, Research and Training Reactor Newsletter Attention: Amber Johnson Dept. of Materials Science and Engineering University of Maryland 4418 Stadium Drive College Park, MD 20742-2115 Mark Freitag City Manager P.O. Box 5005 Janesville, WI 53547-5005 Bill McCoy 1326 Putnam Avenue Janesville, WI 53546 Alfred Lembrich 541 Miller Avenue Janesville, WI 53548 | |||
ML21172A195 NRR-088
OFFICE NRR/DANU/PM NRR/DANU/LA NRR/DANU/BC NRR/DANU/ADD NRR/DANU/PM
NAME SLynch NParker JBorromeo SAnderson SLynch
DATE 6/22/2021 6/23/2021 7/1/2021 7/1/2021 7/1/2021

OFFICE OF NUCLEAR REACTOR REGULATION
REQUEST FOR ADDITIONAL INFORMATION REGARDING OPERATING LICENSE APPLICATION FOR SHINE MEDICAL TECHNOLOGIES, LLC
CONSTRUCTION PERMIT NO. CPMIF-001
SHINE MEDICAL ISOTOPE PRODUCTION FACILITY
DOCKET NO. 50-608

By {{letter dated|date=July 17, 2019|text=letter dated July 17, 2019}} (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19211C044), as supplemented by letters dated November 14, 2019 (ADAMS Accession No. ML19337A275), March 27, 2020 (ADAMS Accession No. ML20105A295), August 28, 2020 (ADAMS Accession No. ML20255A027),
November 13, 2020 (ADAMS Accession No. ML20325A026), December 10, 2020 (ADAMS Accession No. ML20357A084), December 15, 2020 (ADAMS Accession No. ML21011A264), | |||
and March 23, 2021 (ADAMS Accession No. ML21095A235), SHINE Medical Technologies, LLC (SHINE) submitted to the U.S. Nuclear Regulatory Commission (NRC) an operating license application for its proposed SHINE Medical Isotope Production Facility in accordance with the requirements contained in Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities. | |||
During the NRC staff's review of SHINE's operating license application, questions have arisen for which additional information is needed. The enclosed request for additional information (RAI) identifies information needed for the NRC staff to continue its review of the SHINE final safety analysis report (FSAR), submitted in connection with the operating license application, and prepare a safety evaluation (SE) report. The specific chapter of the SHINE operating license application covered by this RAI is Chapter 7, Instrumentation and Control Systems.
The SHINE FSAR, Sections 7.1.2, Target Solution Vessel Reactivity Protection System, and 7.1.3, Engineered Safety Features Actuation System, states that the highly integrated protection system (HIPS) platform is used for the target solution vessel (TSV) reactivity protection system (TRPS) and engineered safety features actuation system (ESFAS). The HIPS platform is a logic-based system that uses discrete components and field programmable gate array (FPGA) technology. The HIPS platform comprises the safety function, communications, equipment interface, and hardwired modules. The SHINE FSAR identifies the TRPS and ESFAS as safety-related systems for the SHINE facility. The SHINE FSAR also states that SHINE relies on the prior NRC approval of the HIPS platform described in the HIPS topical report (TR) SE to demonstrate the acceptability of the platform for use in the SHINE facility and to partially demonstrate that the design of the TRPS and ESFAS satisfies the SHINE design criteria specified in Section 3.1 and the TRPS and ESFAS specific criteria identified in Sections 7.4, Target Solution Vessel Reactivity Protection System, and 7.5, Engineered Safety Features Actuation System, of the SHINE FSAR. The approved HIPS platform is described in the SE for the TR-1015-18653-NP-A Revision 2, Design of Highly Integrated Protection System Platform (ADAMS Accession No. ML17256A892). | |||
Chapter 13, Accident Analysis, of the SHINE FSAR describes postulated initiating events and credible accidents that form the basis of the safety justification for the irradiation facility and radioisotope production facility. For accident scenarios with potential consequences that could exceed appropriate guidelines for worker or public exposure, controls were applied to ensure that the scenario is prevented or that consequences are mitigated to within acceptable limits.
For example, the accident analysis identifies the maximum hypothetical accident as the failure of the TSV off-gas system (TOGS) pressure boundary resulting in a release of off-gas into the TOGS cell. The safety controls credited for mitigation of the dose consequences for this accident include safety functions performed by the TRPS (i.e., initiation of an irradiation unit (IU) | |||
Cell Safety Actuation signal which terminates irradiation operations) and ESFAS (i.e., isolation of the main facility ventilation system). The SHINE safety-related systems sense nuclear and radiological conditions and initiate functions to ensure isolation of the primary confinement boundary, terminate the fusion neutron production and fission processes within the subcritical assembly, and mitigate hydrogen levels. Therefore, the intended safety functions of the TRPS and ESFAS are credited in reliably preventing or mitigating the release of nuclear material and ensuring exposures to workers and the public do not exceed acceptable limits. | |||
On May 26, 2020, the NRC staff issued an RAI (ADAMS Accession No. ML20148M279) requesting information on how the TRPS and ESFAS meet the applicable SHINE design criteria. SHINE submitted responses to these RAIs and associated FSAR updates on August 28, 2020 (ADAMS Accession No. ML20255A026). These RAIs were necessary for the NRC staff to determine that there is reasonable assurance that the HIPS-related portions of the TRPS and ESFAS systems are appropriately designed and will reliably provide adequate protection of public health and safety, and that applicable regulatory requirements are met. The following requests for information identify additional information needed for the NRC staff to perform its review of the SHINE implementation of the HIPS platform and associated components for the TRPS and ESFAS. | |||
The NRC staff is preparing three additional sets of RAIs related to SHINE's instrumentation and control systems (ICSs). The subjects of these sets of RAIs are as follows:
: 1) TRPS and ESFAS
: 2) Process Integrated Control System (PICS)
: 3) Neutron Flux Monitoring and Radiation Monitoring
The NRC staff expects to issue these remaining three sets of ICSs RAIs by the end of July 2021.
Applicable Regulatory Requirements and Guidance Documents

The NRC staff is reviewing the SHINE operating license application, which describes the SHINE irradiation facility, including the IUs, and radioisotope production facility, using the applicable regulations, as well as the guidance contained in NUREG-1537, Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Format and Content, issued February 1996 (ADAMS Accession No. ML042430055), and NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Standard Review Plan and Acceptance Criteria, issued February 1996 (ADAMS Accession No. ML042430048). The NRC staff is also using the Final Interim Staff Guidance [ISG] Augmenting NUREG-1537, Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Format and Content, for Licensing Radioisotope Production Facilities and Aqueous Homogeneous Reactors, dated October 17, 2012 (ADAMS Accession No. ML12156A069), and Final Interim Staff Guidance Augmenting NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Standard Review Plan and Acceptance Criteria, for Licensing Radioisotope Production Facilities and Aqueous Homogeneous Reactors, dated October 17, 2012 (ADAMS Accession No. ML12156A075). As applicable, additional guidance cited in SHINE's FSAR or referenced in NUREG-1537, Parts 1 and 2, or the ISG Augmenting NUREG-1537, Parts 1 and 2, has been utilized in the review of the SHINE operating license application.
For the purposes of this review, the term "reactor," as it appears in NUREG-1537, the ISG Augmenting NUREG-1537, and other relevant guidance can be interpreted to refer to SHINE's irradiation unit, irradiation facility, or radioisotope production facility, as appropriate within the context of the application and corresponding with the technology described by SHINE in its application. Similarly, for the purposes of this review, the term "reactor fuel," as it appears in the relevant guidance listed above, may be interpreted to refer to SHINE's target solution.
Chapter 7 - Instrumentation and Control Systems

HIPS Platform and Associated TRPS and ESFAS Components

The following regulatory requirement is applicable to RAIs 7-9 through 7-19:
Paragraph (b)(2) of 10 CFR 50.34, Contents of applications; technical information, requires, in part, that an FSAR include [a] description and analysis of the structures, systems, and components of the facility, with emphasis upon performance requirements, the bases, and the evaluations required to show that safety functions will be accomplished. The description shall be sufficient to permit understanding of the system designs and their relationship to safety evaluations. | |||
RAI 7-9 Implementation of Design Criteria

Section 50.34 of 10 CFR states, in part, that a safety analysis report (SAR) shall include (1) the principal design criteria for the facility, and (2) the design bases and the relation of the design bases to the principal design criteria. A definition is provided in 10 CFR 50.2 for what constitutes a design bases:
Design bases means that information which identifies the specific functions to be performed by a structure, system, or component of a facility, and the specific values or ranges of values chosen for controlling parameters as reference bounds for design. These values may be (1) restraints derived from generally accepted "state of the art" practices for achieving functional goals, or (2) requirements derived from analysis (based on calculation and/or experiments) of the effects of a postulated accident for which a structure, system, or component must meet its functional goals. | |||
NUREG-1537, Part 2, Section 7.4, Reactor Protection System, states, in part, that the SAR should include the design bases, acceptance criteria, and guidelines used for design of the protection system, as well as an analysis of adequacy of the design to perform the functions necessary to ensure safety, and its conformance to the design bases, acceptance criteria, and the guidelines used. | |||
Section 7.2.2, Design Criteria, of the SHINE FSAR states, in part, that the design criteria of the I&C systems were derived from the criteria in 10 CFR 50 Appendix A, and 10 CFR 70.64(a) and are applied in a graded approach to each I&C system. The SHINE FSAR states that Section 3.1, Design Criteria, shows how the facility design criteria are applied to each ICS. The SHINE FSAR also indicates that system-specific criteria are provided in SHINE FSAR Sections 7.4 and 7.5 for TRPS and ESFAS and additionally describe how the facility design criteria and system-specific design criteria are met or implemented for each I&C system.
The NRC staff reviewed the SHINE design criteria and sampled selected system-specific criteria in Sections 7.4 and 7.5 of the SHINE FSAR that predominantly rely upon the underlying HIPS protective system architecture, communications, and equipment interface that is common in both the TRPS and | |||
ESFAS. The SHINE FSAR descriptions of how the TRPS and ESFAS meet applicable design criteria lack sufficient detail on the attributes of the HIPS platform configuration and its operation. Without an adequate description of the specific configuration details and operation, the NRC staff cannot determine if the facility design criteria, TRPS design criteria, and ESFAS design criteria are achieved. | |||
In some cases, the NRC staff has also identified explanations where design or operational descriptions appear to be incomplete, inconsistent with the language and common understanding of the design criterion wording, or inconsistent with the HIPS TR and intent of the associated plant-specific action items. | |||
(a) Re-evaluate the TRPS and ESFAS design criteria in SHINE FSAR Sections 7.4 and 7.5, and provide additional design and operational detail in the SHINE FSAR to explain how the facility design criteria and TRPS and ESFAS criteria are met. | |||
In its re-evaluation, SHINE should verify the applicability of each of its design criteria to the TRPS and ESFAS. SHINE should describe how design features or functions are used to meet each of the criteria applicable to the TRPS and ESFAS. SHINE should consider RAI 7-9 items (b) - (f), below, as examples of inconsistent explanations of the implementation design criteria in the SHINE FSAR that may aid in the preparation of its response to this part of the RAI. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates. After assessing the applicability of the design criteria, the relevant SHINE FSAR narratives should be updated to summarize the type of information likely to address how the design criteria are met. The NRC staff notes that key SHINE design documents, such as the TRPS and ESFAS system requirement specifications; TRPS and ESFAS system design descriptions; and TRPS and ESFAS system design specifications could be provided to support this information need.[1]
The NRC staff recognizes that the information needs requested in RAIs 7-10 through 7-16 below may address the deficiencies associated with several of the design criteria. | |||
(b) Maintenance Bypass of Execute Features - TRPS Criterion 41 contains the design criteria for the maintenance bypass of execute features of the TRPS (ESFAS Criterion 42 contains similar criteria). | |||
Section 7.4.2.2.9, Operational Bypass, Permissives, and Interlocks, states, in part, that [w]here three channels are provided, taking an SFM [safety function module] out of service preserves the single failure criterion for variables associated with that SFM. In cases where only two channels are provided, taking a channel out of service will actuate the associated safety function. For testing purposes, placing a channel in maintenance bypass will be allowed by technical specifications [TSs] for up to two hours to perform required testing. Two hours is considered acceptable due to the continued operability of the redundant channel(s) and the low likelihood that an accident would occur in those two hours (Subsection 7.4.4.3).

[1] For information that SHINE prefers to share in its electronic reading room rather than through docketed correspondence, a regulatory audit of information may be the most appropriate means for further NRC staff evaluation.
Further, from the NRC audit of the HIPS platform on May 13, 2021, the NRC staff learned that the design and configuration of the HIPS equipment for TRPS is not intended to allow a portion of the execute features to be placed in maintenance bypass. | |||
The explanation provided in the SHINE FSAR describes maintenance bypass features associated with the sense and command features of the HIPS equipment, and does not address the execute functions of the HIPS equipment or the execute features of the TRPS that is specified in TRPS Criterion 41. | |||
For example, there are two options for taking the SFM modules out of service, and only one option is consistent with the description provided. | |||
Furthermore, in cases where only two channels are provided[2], the manner of taking a channel out of service is accomplished differently and is not explained.
Revise the SHINE FSAR to include an explanation to clearly reflect the intended design of the TRPS and ESFAS for maintenance bypass of the execute features. | |||
(c) Separation of Protection and Control Systems - SHINE Design Criterion 18 contains the design criteria for the separation of the protection system from control systems. This criterion is normally used to address instrumentation and control configurations where the control of a process parameter (e.g., power density) and the protection against an undesirable process parameter value (e.g., exceeding power density limits) are using the same sensors. For example, from the description in the SHINE FSAR, it appears that the SHINE facility protects and controls solution power density using the same set of safety-related sensors. The NRC staff notes that IU power indications (i.e., neutron flux) are common to both protection and control. | |||
This particular type of equipment configuration is vulnerable to a sensor failure causing an undesirable control action and could prevent the protection system from protecting against the undesirable control action due to reliance on the same sensor. | |||
[2] For the TRPS, there is only one instance where only two channels are provided. This is the case for the TSV fill valve position indication. Since this input does not use an SFM, there is no description of how to remove these channels from service. ESFAS, on the other hand, has many two channel configurations that use SFMs.
Section 7.4.2.1.6, Separation of Protection and Control Systems, of the SHINE FSAR states the following: | |||
SHINE Design Criterion 18 - The protection system is separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems is limited to assure that safety is not significantly impaired. | |||
Nonsafety-related inputs into the TRPS are designed and controlled so they do not prevent the TRPS from performing its safety functions (Subsection 7.4.3.4). | |||
The NRC staff notes that since protection systems are safety-related, then all shared sensors with the PICS should be safety-related. Therefore, the NRC staff does not agree that there are nonsafety-related inputs into the TRPS. | |||
In addition, the SHINE FSAR description quoted above does not identify what sensors are shared between the protection and control systems. Further, this description does not explain how the TRPS would perform its protection function given a failure of a shared component. | |||
Revise the SHINE FSAR to include a description of how the TRPS design meets SHINE Design Criterion 18 to clearly reflect the intended design of components shared to protect and control certain operations. | |||
(d) Protection of Specified Acceptable Target Solution Design Limits - | |||
SHINE Design Criterion 14 requires the TRPS to be designed to automatically initiate the operation of appropriate systems to ensure that specified acceptable target solution design limits are not exceeded as a result of anticipated transients. | |||
SHINE FSAR Section 13a2.1.2, Insertion of Excess Reactivity, describes accidents analyzed due to insertion of excess reactivity. One identified initiating event and scenario is attributed to high neutron production (and consequently high power) at cold conditions. To protect from these events, Chapter 13 of the SHINE FSAR identifies actions to be performed by the TRPS to terminate IU operation to preserve the safety limits (SLs). The NRC staff considers SHINE Design Criterion 14 to apply to all excess reactivity scenarios. | |||
Chapter 7 of the SHINE FSAR does not appear to 1) provide or reference a description of the specified acceptable target solution design limits referenced in SHINE Design Criterion 14 or 2) describe how the TRPS protects against exceeding such limits during all analyzed scenarios. The NRC staff infers that the SHINE TS limiting condition for operation (LCO) 3.1.6 provides acceptable target solution design limits applicable | |||
during operation and 3.1.7 design limits only during loss of driver and restart transients. Based on this information, the NRC staff infers that the TRPS protects against the specific design limits identified in LCO 3.1.7 for driver and restart transients above 40 percent power, because the high wide range neutron flux setpoint will initiate an automatic IU Cell Safety Actuation. | |||
However, it appears that the TRPS is not identified to protect against the acceptable target solution design limits of LCO 3.1.6 for all other operating conditions. In particular, it is not clear to the NRC staff how TRPS and power range monitors protect against design solution limits for all excess neutron production or excess reactivity scenarios below 120 degrees Fahrenheit. | |||
Revise the SHINE FSAR to identify protection functions credited to maintain the specified acceptable target solution design limits during all modes of operation and the transients specified in Chapter 13 of the SHINE FSAR. | |||
(e) Protection System Independence and Diversity - SHINE Design Criterion 16 requires, in part, that design techniques, such as functional diversity or diversity in component design and principles of operation, are used to the extent practical to prevent loss of the protection function. | |||
Section 7.4.2.1.4, Protection System Independence, of the SHINE FSAR notes that the architecture provides diverse methods for actuation of the safety functions at the division level, automatic and manual, and FPGAs in each division are of a different physical architecture to prevent common cause failure (CCF) (e.g. equipment diversity). In addition, SHINE FSAR Section 7.4.5.2.4, Diversity, does not include a discussion on diversity features, such as the type of FPGA technologies used, logic development tools, signals, built-in equipment diversity, segregation of safety functions, or diverse protection logic on a safety function module for each safety function. | |||
Instead, the SHINE FSAR refers back to the approved HIPS TR. However, application specific action item (ASAI) 10 of the HIPS TR requires that an applicant verify that diversity attributes conform to those described in the approved TR, which SHINE has not done. | |||
Further, Section 7.4.5.2.5, Simplicity, of the SHINE FSAR states that the HIPS design uses segmentation to provide functional diversity. However, the SHINE FSAR description does not include any description of functional diversity. The NRC staff considers functional diversity to be when two different plant process parameters are sensed to initiate protective actions against the same event. | |||
Revise the SHINE FSAR to describe diversity features included in the HIPS for the TRPS and ESFAS. Also, describe whether and how functional diversity is applied to prevent loss of function, including CCFs. | |||
(f) Interlocks - TRPS Criterion 34 requires that interlocks ensure operator actions cannot defeat an automatic safety function during any operating condition where that safety function may be required. | |||
The NRC staff considers TRPS Criterion 34 to apply to all operating conditions, including both operational bypass and maintenance bypass conditions. | |||
Section 7.4.2.2.9 of the SHINE FSAR describes how Criterion 34 is achieved for only operational bypass. This section does not describe if there are other ways the operator can defeat an automatic safety function. | |||
Section 7.4.4.3, Maintenance Bypass, of the SHINE FSAR describes administrative controls for maintenance bypass, which are in the proposed TSs. However, the SHINE FSAR does not describe whether interlocks are implemented to prevent an operator from putting all instrument channels in maintenance bypass (i.e., not in tripped mode) concurrently. | |||
Confirm the intent of the TRPS Design Criterion 34 by clearly describing how interlocks are implemented to prevent operators from defeating automatic safety functions during all operating conditions. | |||
The information requested in parts (a) through (f) above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that | |||
[t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition. | |||
RAI 7-10 Implementation of the Approved HIPS Platform TR

NUREG-1537, Part 2, Section 7.4, states, in part, that the applicant should thoroughly describe the [protection system], listing the protective functions performed by the [protection system], and the parameters monitored to detect the need for protective action. Additionally, NUREG-1537, Part 2, Section 7.4, states, in part, that the SAR should include the design bases, acceptance criteria, and guidelines used for design of the protection system, as well as an analysis of adequacy of the design to perform the functions necessary to ensure safety, and its conformance to the design bases, acceptance criteria, and the guidelines used. Therefore, the design bases, acceptance criteria, and guidelines used for design of the TRPS and ESFAS should be specified, and an analysis of the adequacy of the designs to perform the functions necessary to ensure safety and conform to the design bases and acceptance criteria should be provided in the SHINE FSAR.
Sections 7.1.2 and 7.1.3 of the SHINE FSAR state that both the TRPS and ESFAS use the NRC-approved HIPS platform. The NRC's SE for the HIPS platform excluded the HIPS platform circuit boards and their instrument chassis, application-specific architecture, the application-specific design process, and application-specific equipment qualification. As such, the NRC staff identified 65 ASAIs to be addressed by any applicant referencing the TR in a site-specific license application as a means of demonstrating compliance with the approved platform and site-specific use in accordance with the applicable requirements in 10 CFR Part 50. SHINE's dispositions of these ASAIs were provided in response to RAI 7-4 (ADAMS Accession No. ML20254A355). The NRC staff reviewed this information and found several dispositions to be acceptable. However, many other dispositions are insufficient for demonstrating how the HIPS-platform-based TRPS and ESFAS meet the stated design criteria in the SHINE FSAR.
For example, ASAI 2 requires that an applicant demonstrate that the HIPS platform used to implement the application-specific system is unchanged from the base platform addressed in the HIPS TR SE. Otherwise, the applicant must clearly and completely identify any modification or addition to the base HIPS platform as it is employed and provide evidence of compliance by the modified platform with all applicable regulations that are affected by the changes. The SHINE response to RAI 7-4 stated that Sections 7.1, Summary Description, and 7.4.5, Highly Integrated Protection System Design, of the SHINE FSAR provide evidence that the HIPS platform used to implement the TRPS and ESFAS design is unchanged from the base platform described in the HIPS platform TR. After reviewing the information in Subsections 7.1 and 7.4.5 of the SHINE FSAR, the NRC staff determined that the application of the HIPS platform used to implement the TRPS and ESFAS design is different from the base platform addressed in the TR for the HIPS platform. Fundamentally, the approved HIPS platform uses two different FPGA technologies with a two-out-of-four safety logic channel configuration, whereas the HIPS equipment for the TRPS and ESFAS appears to use three different FPGA technologies with a two-out-of-three safety logic channel configuration.
The NRC staff performed an audit of the HIPS equipment for the SHINE facility on May 12, 2021. This audit focused on Audit Topic 1 identified in the audit plan (ADAMS Accession No. ML21130A313). During the audit discussions, the NRC staff better understood the modified version (e.g., system requirements and configuration) of the HIPS platform for the SHINE facility. The NRC staff also identified differences between the previously approved HIPS TR platform and the HIPS-based TRPS and ESFAS. For example, the NRC staff learned from the audit that (1) the TRPS includes the remote input sub-module (RISM) or scheduling, bypass, and voting modules (SBVM), but the HIPS platform described in the TR does not contain these modules; (2) the TRPS and ESFAS are combined in the same equipment rack, whereas the HIPS TR depicts instrument channels and actuation divisions in separate racks of equipment; and (3) a gateway communication is used between TRPS/ESFAS and PICS.
However, information in Section 7.4.5 of the SHINE FSAR is not consistent with the requirements and descriptions in the HIPS design documents discussed in the audit. Consequently, referencing and relying upon the NRC-approved HIPS TR without clearly describing the differences in the SHINE facility implementation of the HIPS platform in the TRPS and ESFAS design is not sufficient for the staff to verify the intended function of the TRPS and ESFAS, and conformance with associated SHINE, TRPS, and ESFAS design criteria.
Therefore, update and clarify the following: | |||
(a) How the TRPS and ESFAS specifically implement the generic HIPS platform; | |||
(b) How ASAIs 2, 4, 5, 6, 7, 9, 10, 11, 12, 18, 21, 23, 24, 25, 26, 30, 32, 33, 34, 42, 43, 45, 46, 47, 49, 50, 51, 54, 57, 62, 63, 64 and 65 identified for specific implementation of the HIPS platform are dispositioned for the SHINE facility; and
(c) The differences between the representative system architecture described in the HIPS platform TR and the architecture proposed for the TRPS and ESFAS.
The SHINE FSAR should be revised, as necessary, to describe the implementation of the HIPS platform; demonstrate how the ASAIs are being dispositioned by the design of the SHINE facility; and describe the TRPS and ESFAS architecture. This information is necessary for the NRC staff to verify the acceptability of the HIPS platform for use in the TRPS and ESFAS, and to make a reasonable assurance finding of adequate protection based on demonstration of the TRPS and ESFAS compliance to the identified design criteria. (The NRC staff recognizes that this additional information may address the information needs identified in RAI 7-9.) Specifically, the information requested in parts (a) through (c) above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition."
As part of the response to this RAI, the SHINE FSAR should be updated to contain additional information on the types and configuration of modules, equipment configuration, equipment communication, configuration of maintenance and operational bypass, configuration of the HIPS capabilities for self-testing and diagnostics, design attributes implemented (e.g., redundancy, diversity, etc.), HIPS design process, and HIPS equipment qualification that demonstrate the equipment meets the SHINE environmental qualification requirements. | |||
The following are examples of the types of information the NRC staff needs to evaluate how the TRPS and ESFAS are designed and implement the HIPS TR. | |||
SHINE should ensure that the responses to parts (a) through (c) of this RAI address these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates: | |||
* Number and types of FPGAs used in the HIPS architecture for TRPS and ESFAS that demonstrate built-in diversity. The SHINE FSAR (e.g., Section 7.4.2.1.4) states that the HIPS will use three types of FPGAs. However, the TR for the HIPS platform describes using two types of FPGAs in a 4-channel architecture to provide adequate built-in diversity
* Differences and similarities of modules approved in the HIPS TR and modules used in the HIPS for the TRPS and ESFAS. For example, (1) the HIPS TR does not include RISM or SBVM modules, but the TRPS does, and (2) the HIPS TR depicts instrument channels and actuation divisions in separate racks of equipment, while the TRPS and ESFAS are combined in the same equipment rack. Also, include a description of each module configuration for the TRPS and ESFAS
* Use of functional segregation in the HIPS-based TRPS and ESFAS for achieving defense-in-depth
* Data validation, transmission, bypass, and voting for the SBVM installed in the HIPS for the TRPS and ESFAS
* Design and implementation of the built-in self-test functions (e.g., in the SFM). This information is particularly important for parts of the HIPS platform that rely solely on self-testing to ensure operability (e.g., there are no surveillance requirements to determine operability in the TSs)
* Design and development processes followed for the logic in the HIPS for the TRPS and ESFAS
* Verification and validation activities performed for the logic in the HIPS for the TRPS and ESFAS
* Configuration management established for the logic in the HIPS for the TRPS and ESFAS
* Aspects of the development environment addressed in the HIPS TR that are applicable to the SHINE application
RAI 7-11 Single Failure Criterion and System Diversity
NUREG-1537, Part 2, Section 7.4, states, in part, that the protection system should be designed to perform its safety function after a single failure and to meet requirements for seismic and environmental qualification, redundancy, diversity, and independence. NUREG-1537, Part 2, Section 7.4, also states that the protection systems should be reliable and perform their intended safety functions under all conditions. Therefore, the design of the protection systems should consider features that can improve the reliability of the system such as independence, redundancy, diversity, maintenance, testing, and quality components.
SHINE Design Criterion 15 and TRPS Criteria 16, 17, 21, 22, 37, and 41 require the safety system not be susceptible to a single failure. (Similar criteria are also identified for the ESFAS in the SHINE FSAR.) The SHINE FSAR states that to increase reliability and address single failures, the HIPS equipment for TRPS and ESFAS includes redundancy, such that no single failure can prevent a safety actuation when required. Section 7.4.3.2, Mode Transition, of the SHINE FSAR describes how the system design addresses the single failure criterion by implementing a system architecture comprised of three divisions of signal condition and trip determination, and two divisions of voting and actuation. | |||
Because redundant systems can be compromised by a potential vulnerability to a CCF, the use of diversity within a safety system can be one acceptable means to address the potential for a CCF. Taking this into account, the licensee identified SHINE Design Criterion 16 to require that design techniques, such as functional diversity or diversity in component design and principles of operation, are used to the extent practical to prevent loss of the protection function. The approved TR for the HIPS platform describes the diversity attributes utilized in the base HIPS platform (i.e., equipment diversity, design diversity, and functional diversity). The approved HIPS TR identifies ASAIs 11 and 62 as requiring the licensee to demonstrate how diversity would be implemented in its application when referencing the TR in a site-specific application. Section 7.4.2.1.4 of the SHINE FSAR describes how the TRPS design addresses SHINE Design Criterion 16 by incorporating the diversity principles outlined in the NRC-approved HIPS TR.
Further, Section 7.4.5.2.4 of the SHINE FSAR describes diversity attributes, such as diversity within the equipment, considered in the HIPS design for the TRPS and ESFAS. This section also references the HIPS TR for further information on diversity. | |||
The NRC staff agrees that using three redundant divisions with appropriately configured multiple FPGA technologies can ensure accomplishment of safety functions even in the presence of random failures, and that using diverse FPGAs provides diverse means to address vulnerabilities against CCFs. However, additional information is needed to evaluate how the diversity attributes of the HIPS platform for the TRPS and ESFAS (i.e., equipment diversity, design diversity, and functional diversity) assure performance of safety functions under all postulated random failures and CCFs.
Update the SHINE FSAR to describe the design, configuration, and implementation considered for the HIPS equipment for the TRPS and ESFAS to address single failure and vulnerabilities to CCFs. | |||
The NRC staff needs this information for making a finding that the TRPS and ESFAS will perform the required protective actions in the presence of any single failure or malfunction, address vulnerabilities against CCFs, and meet the identified design criteria for single failure. Further, this information is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition."
The following are examples of the types of information the NRC staff needs to evaluate how the TRPS and ESFAS meet the single failure criterion and use diversity to address vulnerabilities to CCFs. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates:
* Identification and assessment of potential vulnerabilities to CCFs
* Description of how three FPGA technologies are used to decrease susceptibility to CCFs. The HIPS TR described the conceptual design for two diverse FPGA technologies in a 4-channel architecture to demonstrate acceptable performance in the presence of potential CCFs
* Description of diversity attributes included in the HIPS equipment for the TRPS and ESFAS relied upon to protect against digital CCFs
* Design and implementation of built-in diversity within the TRPS and ESFAS, and allocation of the safety functions among the diverse divisions to mitigate the effects of postulated failures
RAI 7-12 Failure Modes
NUREG-1537, Part 2, Section 7.4 states, in part, that the shutdown function of the protection system should be fail-safe against malfunction and electrical power failures.
SHINE Design Criteria 16 and 17 require the protection systems be designed to fail into a safe state if conditions such as disconnection of the system, loss of power, or postulated adverse environments are experienced. Further, TRPS Criterion 16 requires the system be designed to perform its protective functions after experiencing a single random active failure in non-safety control systems or in the TRPS, and such failure should not prevent the TRPS, and credited passive redundant control components, from performing its intended functions. | |||
Section 7.4.2.1.4 of the SHINE FSAR describes how the TRPS design would meet SHINE Design Criterion 16; and Section 7.4.2.1.5 of the SHINE FSAR describes how the TRPS would meet SHINE Design Criterion 17. However, the descriptions provided focus on independence of the safety systems, as well as the requirement for the systems to be protected from earthquakes, adverse environmental conditions, and loss of power. These descriptions do not cover what known failures can affect the systems, how they would be addressed, and the fail-safe state of variables controlled by the safety systems. Also, the provided descriptions in the SHINE FSAR do not demonstrate that failures of other systems, especially connected non-safety systems, would not prevent the TRPS from performing its safety function.
The TRPS and ESFAS are credited for the safe operation of the SHINE facility. | |||
Therefore, the SHINE FSAR should describe the potential vulnerabilities that can affect their operation and how the systems would behave under specific identified failure modes. Typically, a failure mode and effect analysis (FMEA) is performed to identify potential failures and how the system will behave during such failures. In addition, the failure analysis would determine and describe the safe state that the system outputs would default to in conditions such as communication failures, disconnection of the system, or loss of power.
Section 7.4.3.8, Loss of External Power, of the SHINE FSAR identifies and describes the safe-state of controlled components associated with safety actuations during a loss of power. However, information was not provided in the SHINE FSAR for other potential failure modes. | |||
The approved TR for the HIPS platform describes the self-testing features of the system to detect malfunctions in certain modules or functions. Because these features would depend on how they are configured for each application, ASAIs 12 and 57 require an applicant to perform a system-level FMEA to demonstrate that the application-specific use of the HIPS platform identifies each potential failure mode and determines the effects of each failure. These ASAIs also require that the system be configured to alarm and assume a fail-safe state in the event of a failure. Further, ASAI 51 requires that an applicant or licensee demonstrate that the combination of HIPS platform self-tests and system surveillance testing provide the necessary test coverage to ensure that there are no undetectable failures that could adversely affect a required safety function. | |||
This should be done with sufficient detail to allow assessment of the complexity of the TRPS and evaluation of opportunities for malfunction or operability failure during facility operation. In its responses to RAI 7-4, SHINE described how these ASAIs were dispositioned. However, the SHINE FSAR does not include sufficient information for the NRC staff to evaluate how failures were identified and analyzed for the HIPS platform for the TRPS and ESFAS. Also, the SHINE FSAR does not include sufficient details on the configuration of self-test and diagnostics to conform to the maintenance and testing features described in the HIPS TR. | |||
(a) Update the FSAR to describe the failure modes analyzed, as well as the design, configuration, and implementation of testing and maintenance features considered for the HIPS equipment for the TRPS and ESFAS. | |||
(b) Provide information on how the TRPS and ESFAS would respond to each of the failures in the HIPS platform (i.e., assume a fail-safe state, only alarm failure, or assume a fail-safe state and alarm failure). | |||
The NRC staff needs this information for making a finding that the TRPS and ESFAS will perform the required protective actions in the presence of any single failure or malfunction, including malfunctions from connected systems, and meet the identified design criteria. The information requested in parts (a) and (b) above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition."
The following are examples of the types of information the NRC staff needs to evaluate how the TRPS and ESFAS respond to identified failure modes. SHINE should ensure that the responses to parts (a) and (b) of this RAI address these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates: | |||
* A summary of failure modes identified for the modules included in the HIPS for the TRPS and ESFAS, including a description of the analyses used to confirm the adequacy of relevant design elements and safety features to perform their intended functions
* Failures detected by self-tests and diagnostics or periodic surveillance are consistent with the assumed failure detection methods of the TRPS and ESFAS single-failure analysis
RAI 7-13 System Operation
NUREG-1537, Part 2, Section 7.4, states, in part, that the SAR should describe operation of the protection system, listing the protective functions performed by the [protection system], and the parameters monitored to detect the need for protective action. Further, NUREG-1537, Part 2, Section 7.4, states, in part, that the facility should have operable protection capability in all operating modes and conditions, as analyzed in the SAR and [t]he range of operation of sensor (detector) channels should be sufficient to cover the expected range of variation of the monitored variable during normal and transient operation.
SHINE Design Criterion 13 requires instrumentation be provided to monitor variables and systems over the expected range of variation of the monitored variable during normal and transient operation. Also, this criterion requires that the information provided be sufficient to verify that individual SLs are protected by independent channels. | |||
Sections 7.4 and 7.5 in the SHINE FSAR describe operation of TRPS and ESFAS, respectively. Tables 7.4-1, TRPS Monitored Variables, and 7.5-1, ESFAS Monitored Variables, in the SHINE FSAR list variables monitored, their analytical limits, safety logic, instrument range, accuracy, and instrument response for the TRPS and ESFAS, respectively.
Protection systems should provide necessary information to the operator in the control room related to safety systems process parameters and equipment status for operation, safety, and protection of the facility. SHINE Design Criterion 16 also credits manual actuation as one of the diverse means to provide defense-in-depth. The SHINE FSAR states that an operator can control multiple systems within the facility and provides defense-in-depth to analyzed accidents. For the operator to perform any actions, the operator would require data to act upon. | |||
Further, the control room includes a main control board (described in Section 7.6.1, Description, of the SHINE FSAR) that contains manual actuation interfaces (e.g., switches and pushbuttons) and display screens showing variables important to safety to provide diverse means for operators to actuate automated safety functions. | |||
The SHINE FSAR identifies the variables monitored, but it does not clearly describe the information to be displayed in the control room console and main control board for operation of the facility and manual actuation of safety functions, if necessary.
In addition, ASAI 30 requires an applicant or licensee to describe how the information displays are accessible to the operator and are visible from the location of any controls used to perform a manually controlled protective action provided by the front panel controls of a HIPS-based system. ASAI 65 requires demonstration that the HIPS platform equipment provides diversity for indication and component control signals to ensure HIPS platform monitoring and control performance in the presence of a digital CCF. In response to RAI 7-4, SHINE describes how it intends to address these ASAIs and notes that the TRPS and ESFAS are not used to display information for the operator or to affect a manually-controlled protective action. The NRC staff agrees that information is not directly displayed in the TRPS and ESFAS, but instead these systems transmit process parameters and equipment status to PICS for display in the control console and main control board. Based on the information provided, SHINE has not identified the TRPS and ESFAS monitored variables that are transmitted to PICS and main control board for the operator to perform manual protective functions.
Update the SHINE FSAR to describe variables monitored and displayed to operate the facility and provide diversity for manual operator action, if necessary. | |||
The NRC staff needs this information to make a finding that the TRPS and ESFAS will provide all necessary information in the control room for operators to operate IUs and perform manual safety actuation, if necessary, and meet the design criteria. The information requested above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he protection channels and protective responses are sufficient to ensure that no safety limit, limiting safety system setting, or [protection system]-related limiting condition of operation discussed and analyzed in the SAR will be exceeded."
The following are examples of the types of information the NRC staff needs to evaluate how the TRPS and ESFAS respond to identified failure modes. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates:
* Information necessary to be displayed for the operator to manually actuate safety functions, if necessary
* A description of the PICS design demonstrating how monitored variables from the TRPS and ESFAS are sufficiently diverse such that any failure does not prevent the operator from obtaining or resolving conflicting information
RAI 7-14 Bypass
NUREG-1537, Part 2, Section 7.4, states that the protection system should be designed for reliable operation. In some circumstances, an applicant or licensee may bypass a function or component. Bypassing a component allows the licensee to take it out of service during operation or maintenance.
Section 7.4.2.2.9 of the SHINE FSAR identifies the TRPS criteria related to bypasses, permissives and interlocks, and removal of equipment from service. | |||
In this section, SHINE explains that the TRPS (and similarly the ESFAS) includes maintenance and operational bypasses, as well as a description of how the design meets the TRPS criteria. | |||
SHINE Design Criterion 15 requires that the removal from service of any [safety system] component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. Sections 7.4.4.2, Operational Bypass, Permissives, and Interlocks, and 7.4.4.3 of the SHINE FSAR describe the HIPS design features to meet these identified criteria. | |||
Section 7.4.4.2 of the SHINE FSAR describes the use of operational bypasses during the operation of the IU cells. Section 7.4.4.3 of the SHINE FSAR describes how the TRPS can be placed in maintenance bypass. Further, the SHINE TSs identify the surveillance requirements needed to demonstrate operability of the system, the use of maintenance bypass, and the maximum amount of time permitted for the maintenance bypass. | |||
In addition, the approved HIPS TR describes features for placing certain modules of the HIPS platform in bypass. Because these were conceptual descriptions of these features, the NRC staff identified ASAIs 42, 43, and 45 to require a licensee using the approved HIPS platform to describe how the HIPS equipment is used for operational and maintenance bypasses and provide the TS requirements. SHINE's response to RAI 7-4 described how these ASAIs were addressed for the TRPS and ESFAS. However, these descriptions do not provide sufficient detail to ensure that the HIPS equipment for TRPS and ESFAS conforms to the conceptual designs and features approved in the HIPS TR for using bypass (see RAI 7-10). Additionally, the SHINE FSAR and proposed TSs contain inconsistencies on allowed bypass states and limiting conditions, respectively.
Update the SHINE FSAR to describe the design, configuration, and implementation of the bypass function considered for the HIPS equipment for the TRPS and ESFAS. Further, describe how the HIPS design meets SHINE Design Criterion 15. | |||
The NRC staff requires this information to determine that SHINE's use of maintenance or operational bypasses does not affect the reliability of the system and that the system can perform its safety and protection functions. The information requested above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition."
The following are examples of the types of information the NRC staff needs to evaluate how the TRPS and ESFAS meet the design criteria identified for operational and maintenance bypass. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates: | |||
* Design and implementation of bypass capabilities of modules in the HIPS for the TRPS and ESFAS
* Information on how signals and voting logics are treated during trip, inoperable, and bypass states
* Use of the out-of-service switch and trip/bypass switches and differences between maintenance bypass and trip states
* Effects of using bypass at the module level and/or division in the single failure criterion
* Transmission of trip or bypass signal through the hardwired module and effect on the bypass and voting modules
* Restrictions identified in the TR of the HIPS platform for placing the same SFM across more than one division in maintenance bypass
RAI 7-15 Maintenance and Testing
NUREG-1537, Part 2, Section 7.4, states, in part, that the protection system be sufficiently distinct in function from the [control system] that its unique safety features can be readily tested, verified, and calibrated. In addition, NUREG-1537, Part 2, Section 7.4, also states, in part, that the protection system function and time scale should be readily tested to ensure operability of at least minimum protection for all operations. Therefore, the TRPS and ESFAS should be designed to be readily tested and calibrated to ensure operability.
Additionally, the TSs, including surveillance tests and intervals, should ensure availability and operability of these actuation systems. | |||
SHINE Design Criterion 15 requires the TRPS be designed to permit periodic testing, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred. Section 7.4.4.3 of the SHINE FSAR describes how a channel can be placed in maintenance bypass and its effect on the voting logic. Section 7.4.4.4, Testing Capability, of the SHINE FSAR describes testing capabilities included in the TRPS. | |||
The approved TR for the HIPS platform describes the diagnostic and maintenance features (e.g., built-in self-testing, periodic testing, etc.) available in the HIPS platform. Because the HIPS platform diagnostic and maintenance features were conceptual designs, the NRC staff identified ASAIs 13, 14, 24, 25, 32, 49, 50, and 51 as necessary for facility-specific implementation. The ASAIs require an applicant or licensee to describe how diagnostic and maintenance features are implemented in the site-specific application. Specifically, an applicant or licensee should (1) demonstrate diagnostic and maintenance features provide necessary test coverage, and (2) demonstrate that the use of these features won't prevent the system from performing its safety and protection functions. In response to RAI 7-4, SHINE described whether these ASAIs are applicable to SHINE and their dispositions.
The NRC staff generally agrees with SHINE's stated applicability of these ASAIs to the TRPS and ESFAS. However, the description and information in the SHINE FSAR do not include sufficient detail on the configuration of self-testing and diagnostics to evaluate conformance to the maintenance and testing features described in the HIPS TR and how the SHINE design criteria are met.
Update the SHINE FSAR to describe how diagnostic and maintenance features are implemented in the HIPS equipment for the TRPS and ESFAS. Demonstrate that the features provide necessary test coverage. Also, demonstrate that the use of these features won't prevent the systems from performing their safety and protection functions.
The NRC staff needs this information to verify that testing and maintenance of the TRPS and ESFAS will ensure operability of the equipment and meet SHINE Design Criterion 15. The information requested above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition."
The following are examples of the types of information the NRC staff needs to evaluate testing and maintenance features implemented in the TRPS and ESFAS. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates: | |||
* Modification of configurable variables and setpoints
* Features and limitations to perform in-chassis calibration
* Surveillance tests using automatic sensor cross-check
* Test and calibration functions of the HIPS platform and compliance with regulatory guidance
* Validation of self-testing functions in HIPS equipment
RAI 7-16 Equipment Qualification
NUREG-1537, Part 2, Section 7.4, states, in part, that the design of the protection systems should be adequate to perform the functions necessary to ensure safety. Therefore, the design of the SHINE facility should include provisions for the protection systems to reliably operate in the normal range of environmental conditions and postulated credible accidents, transients, and other events at the facility that could require their operation.
SHINE Design Criterion 16 requires the system be designed to ensure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels, do not result in loss of the protection function or are demonstrated to be acceptable on some other defined basis. | |||
Sections 7.4.3.5, Operating Conditions, and 7.4.3.6, Seismic, Tornado, Flood, of the SHINE FSAR describe operating and transient conditions in the facility and seismic requirements. However, these sections do not confirm whether the TRPS and ESFAS have been tested to demonstrate that they will function in these conditions. Further, the approved HIPS TR identifies ASAI 18 for an applicant to demonstrate system qualification for installation and operation in mild environment locations. In response to RAI 7-4, SHINE references Sections 7.4.3.13, Design Codes and Standards, and 7.5.3.12, Design Codes and Standards, of the SHINE FSAR, which identify the codes and standards to be used in qualifying the TRPS and ESFAS equipment. While these sections describe applicable environmental qualification criteria, they do not demonstrate that the TRPS and ESFAS have been qualified to meet the environmental qualification criteria and associated SHINE design criterion. | |||
Update the SHINE FSAR to demonstrate that the HIPS equipment for the TRPS and ESFAS has undergone environmental, seismic, radiation and emissions qualifications. Also, demonstrate that the results envelope the operating and transient conditions identified for the facility. | |||
The NRC staff needs this information to make a finding that the TRPS and ESFAS are qualified to operate under the different conditions in the facility and meet the applicable design criteria. The information requested above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that [t]he [protective system] is designed to prevent or mitigate hazards ... so that the full range of normal operations poses no undue radiological risk to the health and safety of the public, the facility staff, or the environment. | |||
The following are examples of the types of information the NRC staff needs to evaluate qualification of the TRPS and ESFAS. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates: | |||
Confirmation of qualified life for the TRPS and ESFAS equipment | |||
Confirmation that the effects of electromagnetic interference/radio-frequency interference (EMI/RFI) and power surges, including computer-based digital systems, are addressed | |||
Confirmation that the protection systems meet the site-specific requirements for seismic and normal range and postulated credible accidents and transients of environmental conditions anticipated within the SHINE facility | |||
RAI 7-17 Codes and Standards | |||
NUREG-1537, Part 2, Section 7.4, states that the protection systems should be designed for reliable operation in the normal range of environmental conditions anticipated within the facility. | |||
The SHINE FSAR identified codes and standards that SHINE committed to use to demonstrate meeting the SHINE design criteria, meeting NRC guidance and regulations, and developing high quality ICS. | |||
Chapter 7 of the SHINE FSAR includes a list of codes and standards that are applied to the design of the TRPS and ESFAS (e.g., SHINE FSAR Section 7.4.3.13 identifies codes and standards applied to the TRPS design). | |||
However, the SHINE FSAR does not describe how these codes and standards were used or how the current design conforms to the applied standards. In RAI 7-3 (ADAMS Accession No. ML20255A026), the NRC staff requested a description of how codes and standards listed in the SHINE FSAR are used to design each of the ICS. But this information was not included in the response. | |||
The NRC staff recognizes that NUREG-1537 identifies the guidelines of Institute of Electrical and Electronics Engineers Std. 7-4.3.2-1993, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, and Regulatory Guide 1.152, Revision 1, Criteria for Digital Computers in Safety Systems of Nuclear Power Plants, American National Standards Institute/American Nuclear Society (ANSI/ANS)-10.4-1987, Guidelines for the Verification and Validation of Scientific and Engineering Computer Programs for the Nuclear Industry, ANSI/ANS-15.15-1978, Criteria for the Reactor Safety Systems of Research Reactors, and draft ANSI/ANS-15.20, Criteria for the Control and Safety Systems for Research Reactors, but does not identify additional specific codes and standards for the system to conform. Nevertheless, NUREG-1537 states that a reliable system is built using accepted engineering and industrial practices. | |||
Update the SHINE FSAR to describe how codes and standards listed in the SHINE FSAR are used to design each of the ICS. | |||
The NRC staff needs this information to verify that engineering and industrial practices were used to design reliable protection systems that will perform the intended safety functions when required and meet the applicable design criteria. | |||
The information requested above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that [t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition. | |||
The following are examples of the types of information the NRC staff needs to evaluate how codes and standards were used to design, build, and test the TRPS and ESFAS. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates: | |||
Codes and standards used for the design and development of the logic for the TRPS and ESFAS, including traceability of the codes and standards to system design and testing documents | |||
Codes and standards used for the environmental, seismic, radiation, and EMI/RFI qualification of the HIPS for the TRPS and ESFAS, including traceability to system design and testing documents | |||
RAI 7-18 Setpoints | |||
NUREG-1537, Part 2, Section 7.4, states, in part, that [t]he sensitivity of each sensor channel should be commensurate with the precision and accuracy to which knowledge of the variable measured is required for the protective function. | |||
This information is necessary to ensure that adequate margins exist between analytical limits and instrument setpoints so that protective actions are initiated before SLs are exceeded. | |||
Sections 7.4.2.1.3, Protection System Reliability and Testability, 7.4.4, Operation and Performance, and 7.4.5.3.3, Access Control, of the SHINE FSAR note that there are setpoints and tunable parameters that may require periodic modification. To do this, the operator would use the maintenance workstation (MWS) in the HIPS equipment when the safety function is out of service. To prevent inadvertent changes, the HIPS equipment includes physical and logical features to allow changes to these values. The setpoints and tunable parameters are stored in the nonvolatile memory (NVM) in the MWS. | |||
The approved TR for the HIPS equipment states that the MWS was not part of the base platform, and thus was not evaluated by the NRC staff. Nevertheless, the HIPS TR briefly describes how setpoint and tunable parameters can be modified. The TR also mentions that the logic associated with setpoints and tunable parameters is part of the safety function module in the HIPS platform. | |||
Because the MWS was not described in detail and evaluated in the HIPS TR, the NRC staff needs information on how the MWS would be used to change setpoints and tunable parameters. | |||
Update the SHINE FSAR to describe modifications to setpoints and tunable parameters, including operation and configuration of the NVM, separation of the safety logic and calibration functions, modifications of NVM during operation, and controls to prevent inadvertent changes to setpoint and tunable parameters. | |||
This information is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that [t]he protection channels and protective responses are sufficient to ensure that no safety limit, limiting safety system setting, or [protection system]-related limiting condition of operation discussed and analyzed in the SAR will be exceeded. | |||
RAI 7-19 Power Supply | |||
NUREG-1537 states that the protection systems should be fail-safe against malfunction and electrical power failure, should be as close to passive as can be reasonably achieved, should go to completion once initiated, and should go to completion within the time scale derived from applicable analyses in the SAR. | |||
The approved TR for the HIPS platform describes the power requirements for a licensee using the HIPS platform. Because this information would depend on the specific instrumentation and control configuration, the NRC staff identified ASAI 46 to require that an applicant referencing the HIPS TR describe power sources to the HIPS platform equipment and how they meet applicable regulatory requirements. | |||
SHINE's response to RAI 7-4 stated that a description of the TRPS and ESFAS power source is provided in Subsection 8a2.2 of the SHINE FSAR. SHINE FSAR, Section 7.4.3.4 describes how the HIPS design meets the single failure criterion, including sources of electrical power supply for each division. The information provided is insufficient to evaluate how the safety system would be powered and how the system would be powered in case of a loss of power. | |||
During the audit performed in May 2021, SHINE staff briefly described how off-site power is supplied to the facility and distributed to the TRPS and ESFAS. | |||
SHINE also described how this approach addresses ASAI 46. This type of information should be provided in the SHINE FSAR. | |||
Update the SHINE FSAR to describe the power supplies and power requirements for the TRPS and ESFAS, and how the safety systems meet the design criteria. | |||
This information is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that [t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition. | |||
The following are examples of the types of information the NRC staff needs to evaluate the power supply for the TRPS and ESFAS. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates: | |||
Sources of power supply to each division of the TRPS and ESFAS during normal and emergency operation | |||
Sources of power for redundant power supplies within each division of the TRPS and ESFAS | |||
Safety classification of power supplies for the TRPS and ESFAS}} |
Revision as of 04:41, 9 September 2021
ML21172A195 | |
Person / Time | |
---|---|
Site: | SHINE Medical Technologies |
Issue date: | 07/01/2021 |
From: | Steven Lynch NRC/NRR/DANU/UNPL |
To: | Piefer G SHINE Medical Technologies |
Lynch S | |
References | |
EPID L-2019-NEW-0004, Permit No. CPMIF-001 | |
Download: ML21172A195 (28) | |
Text
July 1, 2021
Dr. Gregory Piefer, Chief Executive Officer
SHINE Medical Technologies, LLC
101 East Milwaukee Street, Suite 600
Janesville, WI 53545
SUBJECT:
SHINE MEDICAL TECHNOLOGIES, LLC - REQUEST FOR ADDITIONAL INFORMATION RELATED TO INSTRUMENTATION AND CONTROL SYSTEMS (EPID NO. L-2019-NEW-0004)
Dear Dr. Piefer:
By letter dated July 17, 2019 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19211C044), as supplemented by letters dated November 14, 2019 (ADAMS Accession No. ML19337A275), March 27, 2020 (ADAMS Accession No. ML20105A295), August 28, 2020 (ADAMS Accession No. ML20255A027), November 13, 2020 (ADAMS Accession No. ML20325A026), December 10, 2020 (ADAMS Accession No. ML20357A084), December 15, 2020 (ADAMS Accession No. ML21011A264), and March 23, 2021 (ADAMS Accession No. ML21095A235), SHINE Medical Technologies, LLC (SHINE) submitted to the U.S. Nuclear Regulatory Commission (NRC) an operating license application for its proposed SHINE Medical Isotope Production Facility in accordance with the requirements contained in Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities.
During the NRC staff's review of SHINE's operating license application, questions have arisen for which additional information is needed. The enclosed request for additional information (RAI) identifies information needed for the NRC staff to continue its review of the SHINE final safety analysis report, submitted in connection with the operating license application, and prepare a safety evaluation report. The specific chapter of the SHINE operating license application covered by this RAI is Chapter 7, Instrumentation and Control Systems.
It is requested that SHINE provide responses to the enclosed RAI within 60 days from the date of this letter. To facilitate a timely and complete response to the enclosed RAI, the NRC staff is available to meet with SHINE to clarify the scope of information and level of detail expected to be included in the RAI response and corresponding final safety analysis report update. SHINE may coordinate the scheduling and agendas for any such meetings with the responsible project manager assigned to this project.
In accordance with 10 CFR 50.30(b), Oath or affirmation, SHINE must execute its response in a signed original document under oath or affirmation. The response must be submitted in accordance with 10 CFR 50.4, Written communications. Information included in the response that is considered sensitive or proprietary, that SHINE seeks to have withheld from the public, must be marked in accordance with 10 CFR 2.390, Public inspections, exemptions, requests for withholding. Any information related to safeguards should be submitted in accordance with 10 CFR 73.21, Protection of Safeguards Information: Performance Requirements. Following receipt of the additional information, the NRC staff will continue its evaluation of the subject chapters and technical areas of the SHINE operating license application.
As the NRC staff continues its review of SHINE's operating license application, additional RAIs for other chapters and technical areas may be developed. The NRC staff will transmit any further questions to SHINE under separate correspondence.
If SHINE has any questions, or needs additional time to respond to this request, please contact me at 301-415-1524, or by electronic mail at Steven.Lynch@nrc.gov.
Sincerely,
Signed by Lynch, Steven on 07/01/21
Steven T. Lynch, Senior Project Manager
Non-Power Production and Utilization Facility Licensing Branch
Division of Advanced Reactors and Non-Power Production and Utilization Facilities
Office of Nuclear Reactor Regulation
Docket No. 50-608
Construction Permit No. CPMIF-001
Enclosure:
As stated
cc: See next page
SHINE Medical Technologies, LLC
Docket No. 50-608
cc:
Jeff Bartelme Licensing Manager SHINE Medical Technologies, LLC 101 East Milwaukee Street, Suite 600 Janesville, WI 53545
Nathan Schleifer General Counsel SHINE Medical Technologies, LLC 101 East Milwaukee Street, Suite 600 Janesville, WI 53545
Christopher Landers Director, Office of Conversion National Nuclear Security Administration, NA 23 U.S. Department of Energy 1000 Independence Avenue, SW Washington, DC 20585
Mark Paulson Supervisor Radiation Protection Section Wisconsin Department of Health Services P.O. Box 2659 Madison, WI 53701-2659
Test, Research and Training Reactor Newsletter Attention: Amber Johnson Dept. of Materials Science and Engineering University of Maryland 4418 Stadium Drive College Park, MD 20742-2115
Mark Freitag City Manager P.O. Box 5005 Janesville, WI 53547-5005
Bill McCoy 1326 Putnam Avenue Janesville, WI 53546
Alfred Lembrich 541 Miller Avenue Janesville, WI 53548
ML21172A195 NRR-088
OFFICE | NRR/DANU/PM | NRR/DANU/LA | NRR/DANU/BC | NRR/DANU/ADD | NRR/DANU/PM |
---|---|---|---|---|---|
NAME | SLynch | NParker | JBorromeo | SAnderson | SLynch |
DATE | 6/22/2021 | 6/23/2021 | 7/1/2021 | 7/1/2021 | 7/1/2021 |
OFFICE OF NUCLEAR REACTOR REGULATION
REQUEST FOR ADDITIONAL INFORMATION REGARDING OPERATING LICENSE APPLICATION FOR SHINE MEDICAL TECHNOLOGIES, LLC
CONSTRUCTION PERMIT NO. CPMIF-001
SHINE MEDICAL ISOTOPE PRODUCTION FACILITY
DOCKET NO. 50-608
By letter dated July 17, 2019 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19211C044), as supplemented by letters dated November 14, 2019 (ADAMS Accession No. ML19337A275), March 27, 2020 (ADAMS Accession No. ML20105A295), August 28, 2020 (ADAMS Accession No. ML20255A027), November 13, 2020 (ADAMS Accession No. ML20325A026), December 10, 2020 (ADAMS Accession No. ML20357A084), December 15, 2020 (ADAMS Accession No. ML21011A264), and March 23, 2021 (ADAMS Accession No. ML21095A235), SHINE Medical Technologies, LLC (SHINE) submitted to the U.S. Nuclear Regulatory Commission (NRC) an operating license application for its proposed SHINE Medical Isotope Production Facility in accordance with the requirements contained in Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities.
During the NRC staff's review of SHINE's operating license application, questions have arisen for which additional information is needed. The enclosed request for additional information (RAI) identifies information needed for the NRC staff to continue its review of the SHINE final safety analysis report (FSAR), submitted in connection with the operating license application, and prepare a safety evaluation (SE) report. The specific chapter of the SHINE operating license application covered by this RAI is Chapter 7, Instrumentation and Control Systems.
The SHINE FSAR, Sections 7.1.2, Target Solution Vessel Reactivity Protection System, and 7.1.3, Engineered Safety Features Actuation System, states that the highly integrated protection system (HIPS) platform is used for the target solution vessel (TSV) reactivity protection system (TRPS) and engineered safety features actuation system (ESFAS). The HIPS platform is a logic-based system that uses discrete components and field programmable gate array (FPGA) technology. The HIPS platform comprises the safety function, communications, equipment interface, and hardwired modules. The SHINE FSAR identifies the TRPS and ESFAS as safety-related systems for the SHINE facility. The SHINE FSAR also states that SHINE relies on the prior NRC approval of the HIPS platform described in the HIPS topical report (TR) SE to demonstrate the acceptability of the platform for use in the SHINE facility and to partially demonstrate that the design of the TRPS and ESFAS satisfies the SHINE design criteria specified in Section 3.1 and the TRPS and ESFAS specific criteria identified in Sections 7.4, Target Solution Vessel Reactivity Protection System, and 7.5, Engineered Safety Features Actuation System, of the SHINE FSAR. The approved HIPS platform is described in the SE for the TR-1015-18653-NP-A Revision 2, Design of Highly Integrated Protection System Platform (ADAMS Accession No. ML17256A892).
Chapter 13, Accident Analysis, of the SHINE FSAR describes postulated initiating events and credible accidents that form the basis of the safety justification for the irradiation facility and radioisotope production facility. For accident scenarios with potential consequences that could exceed appropriate guidelines for worker or public exposure, controls were applied to ensure that the scenario is prevented or that consequences are mitigated to within acceptable limits.
For example, the accident analysis identifies the maximum hypothetical accident as the failure of the TSV off-gas system (TOGS) pressure boundary resulting in a release of off-gas into the TOGS cell. The safety controls credited for mitigation of the dose consequences for this accident include safety functions performed by the TRPS (i.e., initiation of an irradiation unit (IU) Cell Safety Actuation signal which terminates irradiation operations) and ESFAS (i.e., isolation of the main facility ventilation system). The SHINE safety-related systems sense nuclear and radiological conditions and initiate functions to ensure isolation of the primary confinement boundary, terminate the fusion neutron production and fission processes within the subcritical assembly, and mitigate hydrogen levels. Therefore, the intended safety functions of the TRPS and ESFAS are credited in reliably preventing or mitigating the release of nuclear material and ensuring exposures to workers and the public do not exceed acceptable limits.
On May 26, 2020, the NRC staff issued an RAI (ADAMS Accession No. ML20148M279) requesting information on how the TRPS and ESFAS meet the applicable SHINE design criteria. SHINE submitted responses to these RAIs and associated FSAR updates on August 28, 2020 (ADAMS Accession No. ML20255A026). These RAIs were necessary for the NRC staff to determine that there is reasonable assurance that the HIPS-related portions of the TRPS and ESFAS systems are appropriately designed and will reliably provide adequate protection of public health and safety, and that applicable regulatory requirements are met. The following requests for information identify additional information needed for the NRC staff to perform its review of the SHINE implementation of the HIPS platform and associated components for the TRPS and ESFAS.
The NRC staff is preparing three additional sets of RAIs related to SHINE's instrumentation and control systems (ICSs). The subjects of these sets of RAIs are as follows:
- 1) TRPS and ESFAS
- 2) Process Integrated Control System (PICS)
- 3) Neutron Flux Monitoring and Radiation Monitoring
The NRC staff expects to issue these remaining three sets of ICSs RAIs by the end of July 2021.
Applicable Regulatory Requirements and Guidance Documents
The NRC staff is reviewing the SHINE operating license application, which describes the SHINE irradiation facility, including the IUs, and radioisotope production facility, using the applicable regulations, as well as the guidance contained in NUREG-1537, Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Format and Content, issued February 1996 (ADAMS Accession No. ML042430055), and NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Standard Review Plan and Acceptance Criteria, issued February 1996 (ADAMS Accession No. ML042430048). The NRC staff is also using the Final Interim Staff Guidance [ISG] Augmenting NUREG-1537, Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Format and Content, for Licensing Radioisotope Production Facilities and Aqueous Homogeneous Reactors, dated October 17, 2012 (ADAMS Accession No. ML12156A069), and Final Interim Staff Guidance Augmenting NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Standard Review Plan and Acceptance Criteria, for Licensing Radioisotope Production Facilities and Aqueous Homogeneous Reactors, dated October 17, 2012 (ADAMS Accession No. ML12156A075). As applicable, additional guidance cited in SHINE's FSAR or referenced in NUREG-1537, Parts 1 and 2, or the ISG Augmenting NUREG-1537, Parts 1 and 2, has been utilized in the review of the SHINE operating license application.
For the purposes of this review, the term reactor, as it appears in NUREG-1537, the ISG Augmenting NUREG-1537, and other relevant guidance can be interpreted to refer to SHINE's irradiation unit, irradiation facility, or radioisotope production facility, as appropriate within the context of the application and corresponding with the technology described by SHINE in its application. Similarly, for the purposes of this review, the term reactor fuel, as it appears in the relevant guidance listed above, may be interpreted to refer to SHINE's target solution.
Chapter 7 - Instrumentation and Control Systems
HIPS Platform and Associated TRPS and ESFAS Components
The following regulatory requirement is applicable to RAIs 7-9 through 7-19:
Paragraph (b)(2) of 10 CFR 50.34, Contents of applications; technical information, requires, in part, that an FSAR include [a] description and analysis of the structures, systems, and components of the facility, with emphasis upon performance requirements, the bases, and the evaluations required to show that safety functions will be accomplished. The description shall be sufficient to permit understanding of the system designs and their relationship to safety evaluations.
RAI 7-9 Implementation of Design Criteria
Section 50.34 of 10 CFR states, in part, that a safety analysis report (SAR) shall include (1) the principal design criteria for the facility, and (2) the design bases and the relation of the design bases to the principal design criteria. A definition is provided in 10 CFR 50.2 for what constitutes a design bases:
Design bases means that information which identifies the specific functions to be performed by a structure, system, or component of a facility, and the specific values or ranges of values chosen for controlling parameters as reference bounds for design. These values may be (1) restraints derived from generally accepted "state of the art" practices for achieving functional goals, or (2) requirements derived from analysis (based on calculation and/or experiments) of the effects of a postulated accident for which a structure, system, or component must meet its functional goals.
NUREG-1537, Part 2, Section 7.4, Reactor Protection System, states, in part, that the SAR should include the design bases, acceptance criteria, and guidelines used for design of the protection system, as well as an analysis of adequacy of the design to perform the functions necessary to ensure safety, and its conformance to the design bases, acceptance criteria, and the guidelines used.
Section 7.2.2, Design Criteria, of the SHINE FSAR states, in part, that the design criteria of the I&C systems were derived from the criteria in 10 CFR 50 Appendix A, and 10 CFR 70.64(a) and are applied in a graded approach to each I&C system. The SHINE FSAR states that Section 3.1, Design Criteria, shows how the facility design criteria are applied to each ICS. The SHINE FSAR also indicates that system-specific criteria are provided in SHINE FSAR Sections 7.4 and 7.5 for TRPS and ESFAS and additionally describe how the facility design criteria and system-specific design criteria are met or implemented for each I&C system.
The NRC staff reviewed the SHINE design criteria and sampled selected system-specific criteria in Sections 7.4 and 7.5 of the SHINE FSAR that predominantly rely upon the underlying HIPS protective system architecture, communications, and equipment interface that is common in both the TRPS and ESFAS. The SHINE FSAR descriptions of how the TRPS and ESFAS meet applicable design criteria lack sufficient detail on the attributes of the HIPS platform configuration and its operation. Without an adequate description of the specific configuration details and operation, the NRC staff cannot determine if the facility design criteria, TRPS design criteria, and ESFAS design criteria are achieved.
In some cases, the NRC staff has also identified explanations where design or operational descriptions appear to be incomplete, inconsistent with the language and common understanding of the design criterion wording, or inconsistent with the HIPS TR and intent of the associated plant-specific action items.
(a) Re-evaluate the TRPS and ESFAS design criteria in SHINE FSAR Sections 7.4 and 7.5, and provide additional design and operational detail in the SHINE FSAR to explain how the facility design criteria and TRPS and ESFAS criteria are met.
In its re-evaluation, SHINE should verify the applicability of each of its design criteria to the TRPS and ESFAS. SHINE should describe how design features or functions are used to meet each of the criteria applicable to the TRPS and ESFAS. SHINE should consider RAI 7-9 items (b) - (f), below, as examples of inconsistent explanations of the implementation design criteria in the SHINE FSAR that may aid in the preparation of its response to this part of the RAI. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates. After assessing the applicability of the design criteria, the relevant SHINE FSAR narratives should be updated to summarize the type of information likely to address how the design criteria are met. The NRC staff notes that key SHINE design documents, such as the TRPS and ESFAS system requirement specifications; TRPS and ESFAS system design descriptions; and TRPS and ESFAS system design specifications could be provided to support this information need 1.
The NRC staff recognizes that the information needs requested in RAIs 7-10 through 7-16 below may address the deficiencies associated with several of the design criteria.
(b) Maintenance Bypass of Execute Features - TRPS Criterion 41 contains the design criteria for the maintenance bypass of execute features of the TRPS (ESFAS Criterion 42 contains similar criteria).
Section 7.4.2.2.9, Operational Bypass, Permissives, and Interlocks, states, in part, that [w]here three channels are provided, taking an SFM [safety function module] out of service preserves the single failure criterion for variables associated with that SFM. In cases where only two channels are provided, taking a channel out of service will actuate the associated safety function. For testing purposes, placing a channel in maintenance bypass will be allowed by technical specifications [TSs] for up to two hours to perform required testing. Two hours is considered acceptable due to the continued operability of the redundant channel(s) and the low likelihood that an accident would occur in those two hours (Subsection 7.4.4.3).
1 For information that SHINE prefers to share in its electronic reading room rather than through docketed correspondence, a regulatory audit of information may be the most appropriate means for further NRC staff evaluation.
Further, from the NRC audit of the HIPS platform on May 13, 2021, the NRC staff learned that the design and configuration of the HIPS equipment for TRPS is not intended to allow a portion of the execute features to be placed in maintenance bypass.
The explanation provided in the SHINE FSAR describes maintenance bypass features associated with the sense and command features of the HIPS equipment, and does not address the execute functions of the HIPS equipment or the execute features of the TRPS that is specified in TRPS Criterion 41.
For example, there are two options for taking the SFM modules out of service, and only one option is consistent with the description provided.
Furthermore, in cases where only two channels are provided2, the manner of taking a channel out of service is accomplished differently and is not explained.
Revise the SHINE FSAR to include an explanation to clearly reflect the intended design of the TRPS and ESFAS for maintenance bypass of the execute features.
(c) Separation of Protection and Control Systems - SHINE Design Criterion 18 contains the design criteria for the separation of the protection system from control systems. This criterion is normally used to address instrumentation and control configurations where the control of a process parameter (e.g., power density) and the protection against an undesirable process parameter value (e.g., exceeding power density limits) are using the same sensors. For example, from the description in the SHINE FSAR, it appears that the SHINE facility protects and controls solution power density using the same set of safety-related sensors. The NRC staff notes that IU power indications (i.e., neutron flux) are common to both protection and control.
This particular type of equipment configuration is vulnerable to a sensor failure causing an undesirable control action and could prevent the protection system from protecting against the undesirable control action due to reliance on the same sensor.
2 For the TRPS, there is only one instance where only two channels are provided. This is the case for the TSV fill valve position indication. Since this input does not use an SFM, there is no description of how to remove these channels from service. ESFAS, on the other hand, has many two channel configurations that use SFMs.
Section 7.4.2.1.6, Separation of Protection and Control Systems, of the SHINE FSAR states the following:
SHINE Design Criterion 18 - The protection system is separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems is limited to assure that safety is not significantly impaired.
Nonsafety-related inputs into the TRPS are designed and controlled so they do not prevent the TRPS from performing its safety functions (Subsection 7.4.3.4).
The NRC staff notes that since protection systems are safety-related, then all shared sensors with the PICS should be safety-related. Therefore, the NRC staff does not agree that there are nonsafety-related inputs into the TRPS.
In addition, the SHINE FSAR description quoted above does not identify what sensors are shared between the protection and control systems. Further, this description does not explain how the TRPS would perform its protection function given a failure of a shared component.
Revise the SHINE FSAR to include a description of how the TRPS design meets SHINE Design Criterion 18 to clearly reflect the intended design of components shared to protect and control certain operations.
(d) Protection of Specified Acceptable Target Solution Design Limits -
SHINE Design Criterion 14 requires the TRPS to be designed to automatically initiate the operation of appropriate systems to ensure that specified acceptable target solution design limits are not exceeded as a result of anticipated transients.
SHINE FSAR Section 13a2.1.2, Insertion of Excess Reactivity, describes accidents analyzed due to insertion of excess reactivity. One identified initiating event and scenario is attributed to high neutron production (and consequently high power) at cold conditions. To protect from these events, Chapter 13 of the SHINE FSAR identifies actions to be performed by the TRPS to terminate IU operation to preserve the safety limits (SLs). The NRC staff considers SHINE Design Criterion 14 to apply to all excess reactivity scenarios.
Chapter 7 of the SHINE FSAR does not appear to 1) provide or reference a description of the specified acceptable target solution design limits referenced in SHINE Design Criterion 14 or 2) describe how the TRPS protects against exceeding such limits during all analyzed scenarios. The NRC staff infers that the SHINE TS limiting condition for operation (LCO) 3.1.6 provides acceptable target solution design limits applicable during operation and 3.1.7 design limits only during loss of driver and restart transients. Based on this information, the NRC staff infers that the TRPS protects against the specific design limits identified in LCO 3.1.7 for driver and restart transients above 40 percent power, because the high wide range neutron flux setpoint will initiate an automatic IU Cell Safety Actuation.
However, it appears that the TRPS is not identified to protect against the acceptable target solution design limits of LCO 3.1.6 for all other operating conditions. In particular, it is not clear to the NRC staff how TRPS and power range monitors protect against design solution limits for all excess neutron production or excess reactivity scenarios below 120 degrees Fahrenheit.
Revise the SHINE FSAR to identify protection functions credited to maintain the specified acceptable target solution design limits during all modes of operation and the transients specified in Chapter 13 of the SHINE FSAR.
(e) Protection System Independence and Diversity - SHINE Design Criterion 16 requires, in part, that design techniques, such as functional diversity or diversity in component design and principles of operation, are used to the extent practical to prevent loss of the protection function.
Section 7.4.2.1.4, Protection System Independence, of the SHINE FSAR notes that the architecture provides diverse methods for actuation of the safety functions at the division level, automatic and manual, and FPGAs in each division are of a different physical architecture to prevent common cause failure (CCF) (e.g. equipment diversity). In addition, SHINE FSAR Section 7.4.5.2.4, Diversity, does not include a discussion on diversity features, such as the type of FPGA technologies used, logic development tools, signals, built-in equipment diversity, segregation of safety functions, or diverse protection logic on a safety function module for each safety function.
Instead, the SHINE FSAR refers back to the approved HIPS TR. However, application specific action item (ASAI) 10 of the HIPS TR requires that an applicant verify that diversity attributes conform to those described in the approved TR, which SHINE has not done.
Further, Section 7.4.5.2.5, Simplicity, of the SHINE FSAR states that the HIPS design uses segmentation to provide functional diversity. However, the SHINE FSAR description does not include any description of functional diversity. The NRC staff considers functional diversity to be when two different plant process parameters are sensed to initiate protective actions against the same event.
Revise the SHINE FSAR to describe diversity features included in the HIPS for the TRPS and ESFAS. Also, describe whether and how functional diversity is applied to prevent loss of function, including CCFs.
(f) Interlocks - TRPS Criterion 34 requires that interlocks ensure operator actions cannot defeat an automatic safety function during any operating condition where that safety function may be required.
The NRC staff considers TRPS Criterion 34 to apply to all operating conditions, including both operational bypass and maintenance bypass conditions.
Section 7.4.2.2.9 of the SHINE FSAR describes how Criterion 34 is achieved for only operational bypass. This section does not describe if there are other ways the operator can defeat an automatic safety function.
Section 7.4.4.3, Maintenance Bypass, of the SHINE FSAR describes administrative controls for maintenance bypass, which are in the proposed TSs. However, the SHINE FSAR does not describe whether interlocks are implemented to prevent an operator from putting all instrument channels in maintenance bypass (i.e., not in tripped mode) concurrently.
Confirm the intent of the TRPS Design Criterion 34 by clearly describing how interlocks are implemented to prevent operators from defeating automatic safety functions during all operating conditions.
The information requested in parts (a) through (f) above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that
[t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition.
RAI 7-10 Implementation of the Approved HIPS Platform TR
NUREG-1537, Part 2, Section 7.4, states, in part, that the applicant should thoroughly describe the [protection system], listing the protective functions performed by the [protection system], and the parameters monitored to detect the need for protective action. Additionally, NUREG-1537, Part 2, Section 7.4, states, in part, that the SAR should include the design bases, acceptance criteria, and guidelines used for design of the protection system, as well as an analysis of adequacy of the design to perform the functions necessary to ensure safety, and its conformance to the design bases, acceptance criteria, and the guidelines used. Therefore, the design bases, acceptance criteria, and guidelines used for design of the TRPS and ESFAS should be specified, and an analysis of the adequacy of the designs to perform the functions necessary to ensure safety and conform to the design bases and acceptance criteria should be provided in the SHINE FSAR.
Sections 7.1.2 and 7.1.3 of the SHINE FSAR state that both the TRPS and ESFAS use the NRC-approved HIPS platform. The NRC's SE for the HIPS platform excluded the HIPS platform circuit boards and their instrument chassis, application-specific architecture, the application-specific design process, and application-specific equipment qualification. As such, the NRC staff identified 65 ASAIs to be addressed by any applicant referencing the TR in a site-specific license application as a means of demonstrating compliance with the approved platform and site-specific use in accordance with the applicable requirements in 10 CFR Part 50. SHINE's disposition of these ASAIs was provided in response to RAI 7-4 (ADAMS Accession No. ML20254A355). The NRC staff reviewed this information and found several dispositions to be acceptable. However, many other dispositions are insufficient for demonstrating how the HIPS-platform-based TRPS and ESFAS meet the stated design criteria in the SHINE FSAR.
For example, ASAI 2 requires that an applicant demonstrate that the HIPS platform used to implement the application-specific system is unchanged from the base platform addressed in the HIPS TR SE. Otherwise, the applicant must clearly and completely identify any modification or addition to the base HIPS platform as it is employed and provide evidence of compliance by the modified platform with all applicable regulations that are affected by the changes. The SHINE response to RAI 7-4 stated that Sections 7.1, Summary Description, and 7.4.5, Highly Integrated Protection System Design, of the SHINE FSAR provide evidence that the HIPS platform used to implement the TRPS and ESFAS design is unchanged from the base platform described in the HIPS platform TR. After reviewing the information in Subsections 7.1 and 7.4.5 of the SHINE FSAR, the NRC staff determined that the application of the HIPS platform used to implement the TRPS and ESFAS design is different from the base platform addressed in the TR for the HIPS platform. Fundamentally, the approved HIPS platform uses two different FPGA technologies with a two-out-of-four safety logic channel configuration, whereas the HIPS equipment for the TRPS and ESFAS appears to use three different FPGA technologies with a two-out-of-three safety logic channel configuration.
The NRC staff performed an audit of the HIPS equipment for the SHINE facility on May 12, 2021. This audit focused on Audit Topic 1 identified in the audit plan (ADAMS Accession No. ML21130A313). During the audit discussions, the NRC staff better understood the modified version (e.g., system requirements and configuration) of the HIPS platform for the SHINE facility. The NRC staff also identified differences between the previously approved HIPS TR platform and the HIPS-based TRPS and ESFAS. For example, the NRC staff learned from the audit that (1) the TRPS includes the remote input sub-module (RISM) or scheduling, bypass, and voting modules (SBVM), but the HIPS platform described in the TR does not contain these modules; (2) the TRPS and ESFAS are combined in the same equipment rack, whereas the HIPS TR depicts instrument channels and actuation divisions in separate racks of equipment; and (3) a gateway communication is used between TRPS/ESFAS and PICS.
However, information in Section 7.4.5 of the SHINE FSAR is not consistent with the requirements and descriptions in the HIPS design documents discussed in the audit. Consequently, referencing and relying upon the NRC-approved HIPS TR without clearly describing the differences in the SHINE facility implementation of the HIPS platform in the TRPS and ESFAS design is not sufficient for staff to verify the intended function of the TRPS and ESFAS, and conformance with associated SHINE, TRPS, and ESFAS design criteria.
Therefore, update and clarify the following:
(a) How the TRPS and ESFAS specifically implement the generic HIPS platform;
(b) How ASAIs 2, 4, 5, 6, 7, 9, 10, 11, 12, 18, 21, 23, 24, 25, 26, 30, 32, 33, 34, 42, 43, 45, 46, 47, 49, 50, 51, 54, 57, 62, 63, 64 and 65 identified for specific implementation of the HIPS platform are dispositioned for the SHINE facility; and
(c) The differences between the representative system architecture described in the HIPS platform TR and the architecture proposed for the TRPS and ESFAS.
The SHINE FSAR should be revised, as necessary, to describe the implementation of the HIPS platform; demonstrate how the ASAIs are being dispositioned by the design of the SHINE facility; and describe the TRPS and ESFAS architecture. This information is necessary for the NRC staff to verify the acceptability of the HIPS platform for use in the TRPS and ESFAS, and to make a reasonable assurance finding of adequate protection based on demonstration of the TRPS and ESFAS compliance to the identified design criteria. (The NRC staff recognizes that this additional information may address the information needs identified in RAI 7-9.) Specifically, the information requested in parts (a) through (c) above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that [t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition.
As part of the response to this RAI, the SHINE FSAR should be updated to contain additional information on the types and configuration of modules, equipment configuration, equipment communication, configuration of maintenance and operational bypass, configuration of the HIPS capabilities for self-testing and diagnostics, design attributes implemented (e.g., redundancy, diversity, etc.), HIPS design process, and HIPS equipment qualification that demonstrate the equipment meets the SHINE environmental qualification requirements.
The following are examples of the types of information the NRC staff needs to evaluate how the TRPS and ESFAS are designed and implement the HIPS TR. SHINE should ensure that the responses to parts (a) through (c) of this RAI address these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates:
- Number and types of FPGAs used in the HIPS architecture for TRPS and ESFAS that demonstrate built-in diversity. The SHINE FSAR (e.g., Section 7.4.2.1.4) states that the HIPS will use three types of FPGAs. However, the TR for the HIPS platform describes using two types of FPGAs in a 4-channel architecture to provide adequate built-in diversity
- Differences and similarities of modules approved in the HIPS TR and modules used in the HIPS for the TRPS and ESFAS. For example, (1) the HIPS TR does not include RISM or SBVM modules, but the TRPS does, and (2) the HIPS TR depicts instrument channels and actuation divisions in separate racks of equipment, while the TRPS and ESFAS are combined in the same equipment rack. Also, include a description of each module configuration for the TRPS and ESFAS
- Use of functional segregation in the HIPS based TRPS and ESFAS for achieving defense-in-depth
- Data validation, transmission, bypass, and voting for the SBVM installed in the HIPS for the TRPS and ESFAS
- Design and implementation of the built-in self-test functions (e.g., in the SFM). This information is particularly important for parts of the HIPS platform that rely solely on self-testing to ensure operability (e.g., there are no surveillance requirements to determine operability in the TSs)
- Design and development processes followed for the logic in the HIPS for the TRPS and ESFAS
- Verification and validation activities performed for the logic in the HIPS for the TRPS and ESFAS
- Configuration management established for the logic in the HIPS for the TRPS and ESFAS
- Aspects of the development environment addressed in the HIPS TR that are applicable to the SHINE application
RAI 7-11 Single Failure Criterion and System Diversity
NUREG-1537, Part 2, Section 7.4, states, in part, that the protection system should be designed to perform its safety function after a single failure and to meet requirements for seismic and environmental qualification, redundancy, diversity, and independence. NUREG-1537, Part 2, Section 7.4, also states that the protection systems should be reliable and perform their intended safety functions under all conditions. Therefore, the design of the protection systems should consider features that can improve the reliability of the system such as independence, redundancy, diversity, maintenance, testing, and quality components.
SHINE Design Criterion 15 and TRPS Criteria 16, 17, 21, 22, 37, and 41 require the safety system not be susceptible to a single failure. (Similar criteria are also identified for the ESFAS in the SHINE FSAR.) The SHINE FSAR states that to increase reliability and address single failures, the HIPS equipment for TRPS and ESFAS includes redundancy, such that no single failure can prevent a safety actuation when required. Section 7.4.3.2, Mode Transition, of the SHINE FSAR describes how the system design addresses the single failure criterion by implementing a system architecture comprised of three divisions of signal condition and trip determination, and two divisions of voting and actuation.
Because redundant systems can be compromised by a potential vulnerability to a CCF, the use of diversity within a safety system can be one acceptable means to address the potential for a CCF. Taking this into account, the licensee identified SHINE Design Criterion 16 to require that design techniques, such as functional diversity or diversity in component design and principles of operation, are used to the extent practical to prevent loss of the protection function. The approved TR for the HIPS platform describes the diversity attributes utilized in the base HIPS platform (i.e., equipment diversity, design diversity, and functional diversity). The approved HIPS TR identifies ASAIs 11 and 62 as requiring the licensee to demonstrate how diversity would be implemented in its application when referencing the TR in a site-specific application. Section 7.4.2.1.4 of the SHINE FSAR describes how the TRPS design addresses SHINE Design Criterion 16 by incorporating the diversity principles outlined in the NRC approved HIPS TR.
Further, Section 7.4.5.2.4 of the SHINE FSAR describes diversity attributes, such as diversity within the equipment, considered in the HIPS design for the TRPS and ESFAS. This section also references the HIPS TR for further information on diversity.
The NRC staff agrees that using three redundant divisions with appropriately configured multiple FPGA technologies can ensure accomplishment of safety functions even in the presence of random failures, and that using diverse FPGAs provides diverse means to address vulnerabilities against CCFs. However, additional information is needed to evaluate how the diversity attributes of the HIPS platform for the TRPS and ESFAS (i.e., equipment diversity, design diversity, and functional diversity) assure performance of safety functions under all postulated random failures and CCFs.
Update the SHINE FSAR to describe the design, configuration, and implementation considered for the HIPS equipment for the TRPS and ESFAS to address single failure and vulnerabilities to CCFs.
The NRC staff needs this information for making a finding that the TRPS and ESFAS will perform the required protective actions in the presence of any single failure or malfunction, address vulnerabilities against CCFs, and meet the identified design criteria for single failure. Further, this information is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that [t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition.
The following are examples of the types of information the NRC staff needs to evaluate how the TRPS and ESFAS meet the single failure criterion and use of diversity to address vulnerabilities to CCFs. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates:
- Identification and assessment of potential vulnerabilities to CCFs
- Description of how the use of three FPGA technologies is used to decrease susceptibility to CCFs. The HIPS TR described the conceptual design for two diverse FPGA technologies in a 4-channel architecture to demonstrate acceptable performance in presence of potential CCFs
- Description of diversity attributes included in the HIPS equipment for the TRPS and ESFAS relied upon to protect against digital CCFs
- Design and implementation of built-in diversity within the TRPS and ESFAS, and allocation of the safety functions among the diverse divisions to mitigate the effects of postulated failures
RAI 7-12 Failure Modes
NUREG-1537, Part 2, Section 7.4 states, in part, that the shutdown function of the protection system should be fail-safe against malfunction and electrical power failures.
SHINE Design Criteria 16 and 17 require the protection systems be designed to fail into a safe state if conditions such as disconnection of the system, loss of power, or postulated adverse environments are experienced. Further, TRPS Criterion 16 requires the system be designed to perform its protective functions after experiencing a single random active failure in non-safety control systems or in the TRPS, and such failure should not prevent the TRPS, and credited passive redundant control components, from performing its intended functions.
Section 7.4.2.1.4 of the SHINE FSAR describes how the TRPS design would meet SHINE Design Criterion 16; and Section 7.4.2.1.5 of the SHINE FSAR describes how the TRPS would meet SHINE Design Criterion 17. However, the descriptions provided focus on independence of the safety systems, as well as the requirement for the systems to be protected from earthquakes, adverse environmental conditions, and loss of power. These descriptions do not cover what known failures can affect the systems, how they would be addressed, and the fail-safe state of variables controlled by the safety systems. Also, the provided descriptions in the SHINE FSAR do not demonstrate whether failures of other systems, especially connected non-safety systems, would not prevent the TRPS from performing its safety function.
The TRPS and ESFAS are credited for the safe operation of the SHINE facility. Therefore, the SHINE FSAR should describe the potential vulnerabilities that can affect their operation and how the systems would behave under specific identified failure modes. Typically, a failure mode and effect analysis (FMEA) is performed to identify potential failures and how the system will behave during such failures. In addition, the failure analysis would determine and describe the safe state that the system outputs would default to in conditions such as communication failures, disconnection of the system, or loss of power.
Section 7.4.3.8, Loss of External Power, of the SHINE FSAR identifies and describes the safe-state of controlled components associated with safety actuations during a loss of power. However, information was not provided in the SHINE FSAR for other potential failure modes.
The approved TR for the HIPS platform describes the self-testing features of the system to detect malfunctions in certain modules or functions. Because these features would depend on how they are configured for each application, ASAIs 12 and 57 require an applicant to perform a system-level FMEA to demonstrate that the application-specific use of the HIPS platform identifies each potential failure mode and determines the effects of each failure. These ASAIs also require that the system be configured to alarm and assume a fail-safe state in the event of a failure. Further, ASAI 51 requires that an applicant or licensee demonstrate that the combination of HIPS platform self-tests and system surveillance testing provide the necessary test coverage to ensure that there are no undetectable failures that could adversely affect a required safety function.
This should be done with sufficient detail to allow assessment of the complexity of the TRPS and evaluation of opportunities for malfunction or operability failure during facility operation. In its responses to RAI 7-4, SHINE described how these ASAIs were dispositioned. However, the SHINE FSAR does not include sufficient information for the NRC staff to evaluate how failures were identified and analyzed for the HIPS platform for the TRPS and ESFAS. Also, the SHINE FSAR does not include sufficient details on the configuration of self-test and diagnostics to conform to the maintenance and testing features described in the HIPS TR.
(a) Update the FSAR to describe the failure modes analyzed, as well as the design, configuration, and implementation of testing and maintenance features considered for the HIPS equipment for the TRPS and ESFAS.
(b) Provide information on how the TRPS and ESFAS would respond to each of the failures in the HIPS platform (i.e., assume a fail-safe state, only alarm failure, or assume a fail-safe state and alarm failure).
The NRC staff needs this information for making a finding that the TRPS and ESFAS will perform the required protective actions in the presence of any single failure or malfunction, including malfunctions from connected systems, and meet the identified design criteria. The information requested in parts (a) and (b) above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that [t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition.
The following are examples of the types of information the NRC staff needs to evaluate how the TRPS and ESFAS respond to identified failure modes. SHINE should ensure that the responses to parts (a) and (b) of this RAI address these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates:
- A summary of failure modes identified for the modules included in the HIPS for the TRPS and ESFAS, including a description of the analyses used to confirm the adequacy of relevant design elements and safety features to perform their intended functions
- Failures detected by self-tests and diagnostics or periodic surveillance are consistent with the assumed failure detection methods of the TRPS and ESFAS single-failure analysis
RAI 7-13 System Operation
NUREG-1537, Part 2, Section 7.4, states, in part, that the SAR should describe operation of the protection system, listing the protective functions performed by the [protection system], and the parameters monitored to detect the need for protective action. Further, NUREG-1537, Part 2, Section 7.4, states, in part, that the facility should have operable protection capability in all operating modes and conditions, as analyzed in the SAR and [t]he range of operation of sensor (detector) channels should be sufficient to cover the expected range of variation of the monitored variable during normal and transient operation.
SHINE Design Criterion 13 requires instrumentation be provided to monitor variables and systems over the expected range of variation of the monitored variable during normal and transient operation. Also, this criterion requires that the information provided be sufficient to verify that individual SLs are protected by independent channels.
Sections 7.4 and 7.5 in the SHINE FSAR describe operation of TRPS and ESFAS, respectively. Tables 7.4-1, TRPS Monitored Variables, and 7.5-1, ESFAS Monitored Variables, in the SHINE FSAR list variables monitored, their analytical limits, safety logic, instrument range, accuracy, and instrument response for the TRPS and ESFAS, respectively.
Protection systems should provide necessary information to the operator in the control room related to safety systems process parameters and equipment status for operation, safety, and protection of the facility. SHINE Design Criterion 16 also credits manual actuation as one of the diverse means to provide defense-in-depth. The SHINE FSAR states that an operator can control multiple systems within the facility and provides defense-in-depth to analyzed accidents. For the operator to perform any actions, the operator would require data to act upon.
Further, the control room includes a main control board (described in Section 7.6.1, Description, of the SHINE FSAR) that contains manual actuation interfaces (e.g., switches and pushbuttons) and display screens showing variables important to safety to provide diverse means for operators to actuate automated safety functions.
The SHINE FSAR identifies the variables monitored, but it does not clearly describe the information to be displayed in the control room console and main control board for operation of the facility and manual actuation of safety functions, if necessary.
In addition, ASAI 30 requires an applicant or licensee to describe how the information displays are accessible to the operator and are visible from the location of any controls used to perform a manually controlled protective action provided by the front panel controls of a HIPS-based system. ASAI 65 requires demonstration that the HIPS platform equipment provides diversity for indication and component control signals to ensure HIPS platform monitoring and control performance in the presence of a digital CCF. In response to RAI 7-4, SHINE describes how it intends to address these ASAIs and notes that the TRPS and ESFAS are not used to display information for the operator or to affect a manually-controlled protective action. The NRC staff agrees that information is not directly displayed in the TRPS and ESFAS, but instead these systems transmit process parameters and equipment status to PICS for display in the control console and main control board. Based on the information provided, SHINE has not identified the TRPS and ESFAS monitored variables that are transmitted to PICS and main control board for the operator to perform manual protective functions.
Update the SHINE FSAR to describe variables monitored and displayed to operate the facility and provide diversity for manual operator action, if necessary.
The NRC staff needs this information to make a finding that the TRPS and ESFAS will provide all necessary information in the control room for operators to operate IUs and perform manual safety actuation, if necessary, and meet the design criteria. The information requested above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that [t]he protection channels and protective responses are sufficient to ensure that no safety limit, limiting safety system setting, or [protection system]-related limiting condition of operation discussed and analyzed in the SAR will be exceeded.
The following are examples of the types of information the NRC staff needs to evaluate how the TRPS and ESFAS respond to identified failure modes. SHINE should ensure that the response to this RAI address these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates:
Information necessary to be displayed for the operator to manually actuate safety functions, if necessary
A description of the PICS design demonstrating how monitored variables from the TRPS and ESFAS are sufficiently diverse such that any failure does not prevent the operator from obtaining or resolving conflicting information
RAI 7-14 Bypass
NUREG-1537, Part 2, Section 7.4, states that the protection system should be designed for reliable operation. In some circumstances, an applicant or licensee may bypass a function or component. Bypassing a component allows the licensee to take it out of service during operation or maintenance.
Section 7.4.2.2.9 of the SHINE FSAR identifies the TRPS criteria related to bypasses, permissives and interlocks, and removal of equipment from service.
In this section, SHINE explains that the TRPS (and similarly the ESFAS) includes maintenance and operational bypasses, as well as a description of how the design meets the TRPS criteria.
SHINE Design Criterion 15 requires that the removal from service of any [safety system] component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. Sections 7.4.4.2, "Operational Bypass, Permissives, and Interlocks," and 7.4.4.3 of the SHINE FSAR describe the HIPS design features to meet these identified criteria.
Section 7.4.4.2 of the SHINE FSAR describes the use of operational bypasses during the operation of the IU cells. Section 7.4.4.3 of the SHINE FSAR describes how the TRPS can be placed in maintenance bypass. Further, the SHINE TSs identify the surveillance requirements needed to demonstrate operability of the system, the use of maintenance bypass, and the maximum amount of time permitted for the maintenance bypass.
In addition, the approved HIPS TR describes features for placing certain modules of the HIPS platform in bypass. Because these were conceptual descriptions of these features, the NRC staff identified ASAIs 42, 43, and 45 to require a licensee using the approved HIPS platform to describe how the HIPS equipment is used for operational and maintenance bypasses and provide the TS requirements. SHINE's response to RAI 7-4 described how these ASAIs were addressed for the TRPS and ESFAS. However, these descriptions do not provide sufficient detail to ensure that the HIPS equipment for TRPS and ESFAS conforms to the conceptual designs and features approved in the HIPS TR for using bypass (see RAI 7-10). Additionally, the SHINE FSAR and proposed TSs contain inconsistencies on allowed bypass states and limiting conditions, respectively.
Update the SHINE FSAR to describe the design, configuration, and implementation of the bypass function considered for the HIPS equipment for the TRPS and ESFAS. Further, describe how the HIPS design meets SHINE Design Criterion 15.
The NRC staff requires this information to determine that SHINE's use of maintenance or operational bypasses does not affect the reliability of the system and that the system can perform its safety and protection functions. The information requested above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition."
The following are examples of the types of information the NRC staff needs to evaluate how the TRPS and ESFAS meet the design criteria identified for operational and maintenance bypass. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates:
Design and implementation of bypass capabilities of modules in the HIPS for the TRPS and ESFAS
Information on how signals and voting logics are treated during trip, inoperable, and bypass states
Use of the out-of-service switch and trip/bypass switches and differences between maintenance bypass and trip states
Effects of using bypass at the module level and/or division in the single failure criterion
Transmission of trip or bypass signal through the hardwired module and effect on the bypass and voting modules
Restrictions identified in the TR of the HIPS platform for placing the same SFM across more than one division in maintenance bypass
RAI 7-15 Maintenance and Testing
NUREG-1537, Part 2, Section 7.4, states, in part, that the protection system be sufficiently distinct in function from the [control system] that its unique safety features can be readily tested, verified, and calibrated. In addition, NUREG-1537, Part 2, Section 7.4, also states, in part, that the protection system function and time scale should be readily tested to ensure operability of at least minimum protection for all ... operations. Therefore, the TRPS and ESFAS should be designed to be readily tested and calibrated to ensure operability.
Additionally, the TSs, including surveillance tests and intervals, should ensure availability and operability of these actuation systems.
SHINE Design Criterion 15 requires the TRPS be designed to permit periodic testing, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred. Section 7.4.4.3 of the SHINE FSAR describes how a channel can be placed in maintenance bypass and its effect on the voting logic. Section 7.4.4.4, "Testing Capability," of the SHINE FSAR describes testing capabilities included in the TRPS.
The approved TR for the HIPS platform describes the diagnostic and maintenance features (e.g., built-in self-testing, periodic testing, etc.) available in the HIPS platform. Because the HIPS platform diagnostic and maintenance features were conceptual designs, the NRC staff identified ASAIs 13, 14, 24, 25, 32, 49, 50, and 51 as necessary for facility-specific implementation. The ASAIs require an applicant or licensee to describe how diagnostic and maintenance features are implemented in the site-specific application. Specifically, an applicant or licensee should (1) demonstrate diagnostic and maintenance features provide necessary test coverage, and (2) demonstrate that the use of these features won't prevent the system from performing its safety and protection functions. In response to RAI 7-4, SHINE described whether these ASAIs are applicable to SHINE and their dispositions.
The NRC staff generally agrees with SHINE's stated applicability of these ASAIs to the TRPS and ESFAS. However, the description and information in the SHINE FSAR do not include sufficient detail on the configuration of self-testing and diagnostics to evaluate conformance to the maintenance and testing features described in the HIPS TR and how the SHINE design criteria are met.
Update the SHINE FSAR to describe how diagnostic and maintenance features are implemented in the HIPS equipment for the TRPS and ESFAS. Demonstrate that the features provide necessary test coverage. Also, demonstrate that the use of these features won't prevent the systems from performing their safety and protection functions.
The NRC staff needs this information to verify that testing and maintenance of the TRPS and ESFAS will ensure operability of the equipment and meet the SHINE Design Criterion 15. The information requested above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition."
The following are examples of the types of information the NRC staff needs to evaluate testing and maintenance features implemented in the TRPS and ESFAS. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates:
Modification of configurable variables and setpoints
Features and limitations to perform in-chassis calibration
Surveillance tests using automatic sensor cross-check
Test and calibration functions of the HIPS platform and compliance with regulatory guidance
Validation of self-testing functions in HIPS equipment
RAI 7-16 Equipment Qualification
NUREG-1537, Part 2, Section 7.4, states, in part, that the design of the protection systems should be adequate to perform the functions necessary to ensure safety. Therefore, the design of the SHINE facility should include provisions for the protection systems to reliably operate in the normal range of environmental conditions and postulated credible accidents, transients, and other events at the facility that could require their operation.
SHINE Design Criterion 16 requires the system be designed to ensure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels, do not result in loss of the protection function or are demonstrated to be acceptable on some other defined basis.
Sections 7.4.3.5, "Operating Conditions," and 7.4.3.6, "Seismic, Tornado, Flood," of the SHINE FSAR describe operating and transient conditions in the facility and seismic requirements. However, these sections do not confirm whether the TRPS and ESFAS have been tested to demonstrate that they will function in these conditions. Further, the approved HIPS TR identifies ASAI 18 for an applicant to demonstrate system qualification for installation and operation in mild environment locations. In response to RAI 7-4, SHINE references Sections 7.4.3.13, "Design Codes and Standards," and 7.5.3.12, "Design Codes and Standards," of the SHINE FSAR, which identify the codes and standards to be used in qualifying the TRPS and ESFAS equipment. While these sections describe applicable environmental qualification criteria, they do not demonstrate that the TRPS and ESFAS have been qualified to meet the environmental qualification criteria and associated SHINE design criterion.
Update the SHINE FSAR to demonstrate that the HIPS equipment for the TRPS and ESFAS has undergone environmental, seismic, radiation and emissions qualifications. Also, demonstrate that the results envelope the operating and transient conditions identified for the facility.
The NRC staff needs this information to make a finding that the TRPS and ESFAS are qualified to operate under the different conditions in the facility and meet the applicable design criteria. The information requested above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he [protective system] is designed to prevent or mitigate hazards ... so that the full range of normal operations poses no undue radiological risk to the health and safety of the public, the facility staff, or the environment."
The following are examples of the types of information the NRC staff needs to evaluate qualification of the TRPS and ESFAS. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates:
Confirmation of qualified life for the TRPS and ESFAS equipment
Confirmation that the effects of electromagnetic interference/radio-frequency interference (EMI/RFI) and power surges, including computer-based digital systems, are addressed
Confirmation that the protection systems meet the site-specific requirements for seismic and normal range and postulated credible accidents and transients of environmental conditions anticipated within the SHINE facility
RAI 7-17 Codes and Standards
NUREG-1537, Part 2, Section 7.4, states that the protection systems should be designed for reliable operation in the normal range of environmental conditions anticipated within the facility.
The SHINE FSAR identified codes and standards to which SHINE committed to use to demonstrate meeting the SHINE design criteria, meeting NRC guidance and regulations, and developing high quality ICS.
Chapter 7 of the SHINE FSAR includes a list of codes and standards that are applied to the design of the TRPS and ESFAS (e.g., SHINE FSAR Section 7.4.3.13 identifies codes and standards applied to the TRPS design).
However, the SHINE FSAR does not describe how these codes and standards were used or how the current design conforms to the applied standards. In RAI 7-3 (ADAMS Accession No. ML20255A026), the NRC staff requested a description of how codes and standards listed in the SHINE FSAR are used to design each of the ICS. But this information was not included in the response.
The NRC staff recognizes that NUREG-1537 identifies the guidelines of Institute of Electrical and Electronics Engineers Std. 7-4.3.2-1993, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," and Regulatory Guide 1.152, Revision 1, "Criteria for Digital Computers In Safety Systems of Nuclear Power Plants," American National Standards Institute/American Nuclear Society (ANSI/ANS)-10.4-1987, "Guidelines for the Verification and Validation of Scientific and Engineering Computer Programs for the Nuclear Industry," ANSI/ANS-15.15-1978, "Criteria for the Reactor Safety Systems of Research Reactors," and draft ANSI/ANS-15.20, "Criteria for the Control and Safety Systems for Research Reactors," but does not identify additional specific codes and standards to which the system should conform. Nevertheless, NUREG-1537 states that a reliable system is built using accepted engineering and industrial practices.
Update the SHINE FSAR to describe how codes and standards listed in the SHINE FSAR are used to design each of the ICS.
The NRC staff needs this information to verify that engineering and industrial practices were used to design reliable protection systems that will perform the intended safety functions when required and meet the applicable design criteria.
The information requested above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition."
The following are examples of the types of information the NRC staff needs to evaluate how codes and standards were used to design, build, and test the TRPS and ESFAS. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates:
Codes and standards used for the design and development of the logic for the TRPS and ESFAS, including traceability of the codes and standards to system design and testing documents
Codes and standards used for the environmental, seismic, radiation, and EMI/RFI qualification of the HIPS for the TRPS and ESFAS, including traceability to system design and testing documents
RAI 7-18 Setpoints
NUREG-1537, Part 2, Section 7.4, states, in part, that "[t]he sensitivity of each sensor channel should be commensurate with the precision and accuracy to which knowledge of the variable measured is required for the protective function."
This information is necessary to ensure that adequate margins exist between analytical limits and instrument setpoints so that protective actions are initiated before SLs are exceeded.
Sections 7.4.2.1.3, "Protection System Reliability and Testability," 7.4.4, "Operation and Performance," and 7.4.5.3.3, "Access Control," of the SHINE FSAR note that there are setpoints and tunable parameters that may require periodic modification. To do this, the operator would use the maintenance workstation (MWS) in the HIPS equipment when the safety function is out of service. To prevent inadvertent changes, the HIPS equipment includes physical and logical features to allow changes to these values. The setpoints and tunable parameters are stored in the nonvolatile memory (NVM) in the MWS.
The approved TR for the HIPS equipment states that the MWS was not part of the base platform, and thus was not evaluated by the NRC staff. Nevertheless, the HIPS TR briefly describes how setpoint and tunable parameters can be modified. The TR also mentions that the logic associated with setpoints and tunable parameters is part of the safety function module in the HIPS platform.
Because the MWS was not described in detail and evaluated in the HIPS TR, the NRC staff needs information on how the MWS would be used to change setpoints and tunable parameters.
Update the SHINE FSAR to describe modifications to setpoints and tunable parameters, including operation and configuration of the NVM, separation of the safety logic and calibration functions, modifications of NVM during operation, and controls to prevent inadvertent changes to setpoint and tunable parameters.
This information is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he protection channels and protective responses are sufficient to ensure that no safety limit, limiting safety system setting, or [protection system]-related limiting condition of operation discussed and analyzed in the SAR will be exceeded."
RAI 7-19 Power Supply
NUREG-1537 states that the protection systems should be fail-safe against malfunction and electrical power failure, should be as close to passive as can be reasonably achieved, should go to completion once initiated, and should go to completion within the time scale derived from applicable analyses in the SAR.
The approved TR for the HIPS platform describes the power requirements for a licensee using the HIPS platform. Because this information would depend on the specific instrumentation and control configuration, the NRC staff identified ASAI 46 to require that an applicant referencing the HIPS TR describe power sources to the HIPS platform equipment and how they meet applicable regulatory requirements.
SHINE's response to RAI 7-4 stated that a description of the TRPS and ESFAS power source is provided in Subsection 8a2.2 of the SHINE FSAR. SHINE FSAR, Section 7.4.3.4 describes how the HIPS design meets the single failure criterion, including sources of electrical power supply for each division. The information provided is insufficient to evaluate how the safety system would be powered and how the system would be powered in case of a loss of power.
During the audit performed in May 2021, SHINE staff briefly described how off-site power is supplied to the facility and distributed to the TRPS and ESFAS.
SHINE also described how this approach addresses ASAI 46. This type of information should be provided in the SHINE FSAR.
Update the SHINE FSAR to describe the power supplies and power requirements for the TRPS and ESFAS, and how the safety systems meet the design criteria.
This information is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition."
The following are examples of the types of information the NRC staff needs to evaluate the power supply for the TRPS and ESFAS. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates:
Sources of power supply to each division of the TRPS and ESFAS during normal and emergency operation
Sources of power for redundant power supplies within each division of the TRPS and ESFAS
Safety classification of power supplies for the TRPS and ESFAS