Text

Shine Medical Technologies, LLC Supplement 1 to Final Safety Analysis Report, Chapter 7, Instrumentation and Control
	ML19331A648
Person / Time
Site:	SHINE Medical Technologies, 99902034
Issue date:	11/14/2019
From:	; SHINE Medical Technologies
To:	; Office of Nuclear Reactor Regulation
Shared Package
ML19331A832	List: ML19331A647; ML19331A648; ML19331A649; ML19331A652; ML19331A654; ML19331A657; ML19331A659; ML19331A660; ML19331A661; ML19331A662; ML19331A663; ML19331A664; ML19331A665; ML19331A667; ML19331A669; ML19331A672; ML19331A674; ML19331A676; ML19331A679; ML19331A681; ML19331A682; ML19337A275;
References
	2019-SMT-0119
	Download: ML19331A648 (198)
	v • d • e

INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS tion Title Page

SUMMARY

DESCRIPTION ................................................................................. 7.1-1 7.1.1 PROCESS INTEGRATED CONTROL SYSTEM ............................... 7.1-1 7.1.2 TARGET SOLUTION VESSEL REACTIVITY PROTECTION SYSTEM ............................................................................................. 7.1-2 7.1.3 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM ........... 7.1-2 7.1.4 HIGHLY INTEGRATED PROTECTION SYSTEM DESIGN ............... 7.1-3 7.1.5 CONTROL CONSOLE AND DISPLAYS ............................................ 7.1-5 7.1.6 RADIATION MONITORING................................................................. 7.1-6 7.1.7 NEUTRON FLUX DETECTION SYSTEM .......................................... 7.1-6 DESIGN OF INSTRUMENTATION AND CONTROL SYSTEMS ......................... 7.2-1 7.2.1 DESIGN CRITERIA ............................................................................ 7.2-1 7.2.2 DESIGN BASES ................................................................................. 7.2-1 7.2.3 SYSTEM DESCRIPTION ................................................................... 7.2-7 7.2.4 SYSTEM PERFORMANCE ANALYSIS ............................................. 7.2-8 7.2.5 ACCESS CONTROL AND CYBER SECURITY ............................... 7.2-10 7.2.6 SOFTWARE REQUIREMENTS DEVELOPMENT ........................... 7.2-11 PROCESS INTEGRATED CONTROL SYSTEM ................................................. 7.3-1 7.3.1 DESIGN CRITERIA ............................................................................ 7.3-1 7.3.2 DESIGN BASIS .................................................................................. 7.3-2 7.

3.3 DESCRIPTION

................................................................................... 7.3-2 7.3.4 OPERATION AND PERFORMANCE ................................................. 7.3-6 7.3.5 ACCESS CONTROL AND CYBER SECURITY ................................. 7.3-6 NE Medical Technologies 7-i Rev. 0

INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS tion Title Page 7.3.6 SOFTWARE DEVELOPMENT ........................................................... 7.3-7 7.3.7 TECHNICAL SPECIFICATIONS ........................................................ 7.3-7 TARGET SOLUTION VESSEL REACTIVITY PROTECTION SYSTEM .............. 7.4-1 7.4.1 SYSTEM DESCRIPTION ................................................................... 7.4-1 7.4.2 DESIGN CRITERIA ............................................................................ 7.4-1 7.4.3 DESIGN BASIS .................................................................................. 7.4-6 7.4.4 DESIGN ATTRIBUTES .................................................................... 7.4-12 7.4.5 OPERATION AND PERFORMANCE ............................................... 7.4-18 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM ............................. 7.5-1 7.5.1 SYSTEM DESCRIPTION ................................................................... 7.5-1 7.5.2 DESIGN CRITERIA ............................................................................ 7.5-1 7.5.3 DESIGN BASIS .................................................................................. 7.5-7 7.5.4 DESIGN ATTRIBUTES .................................................................... 7.5-16 7.5.5 OPERATION AND PERFORMANCE ............................................... 7.5-20 CONTROL CONSOLE AND DISPLAY INSTRUMENTS ..................................... 7.6-1 7.

6.1 DESCRIPTION

................................................................................... 7.6-1 7.6.2 DESIGN CRITERIA ............................................................................ 7.6-3 7.6.3 DESIGN BASIS .................................................................................. 7.6-5 7.6.4 OPERATIONAL PERFORMANCE OVERVIEW ................................. 7.6-6 7.6.5 TECHNICAL SPECIFICATIONS ........................................................ 7.6-9 NE Medical Technologies 7-ii Rev. 0

INSTRUMENTATION AND CONTROL SYSTEMS TABLE OF CONTENTS tion Title Page RADIATION MONITORING SYSTEMS ............................................................... 7.7-1 7.7.1 SAFETY-RELATED PROCESS RADIATION MONITORING ............ 7.7-1 7.7.2 NONSAFETY-RELATED PROCESS RADIATION MONITORING .... 7.7-5 7.7.3 AREA RADIATION MONITORING ..................................................... 7.7-5 7.7.4 CONTINUOUS AIR MONITORING .................................................... 7.7-7 7.7.5 EFFLUENT MONITORING ................................................................. 7.7-8 7.7.6 CRITICALITY MONITORING ........................................................... 7.7-10 NEUTRON FLUX DETECTION SYSTEM ............................................................ 7.8-1 7.8.1 SYSTEM DESCRIPTION ................................................................... 7.8-1 7.8.2 DESIGN CRITERIA ............................................................................ 7.8-1 7.8.3 DESIGN BASIS .................................................................................. 7.8-4 7.8.4 DESIGN ATTRIBUTES ...................................................................... 7.8-6 REFERENCES ..................................................................................................... 7.9-1 NE Medical Technologies 7-iii Rev. 0

1 Design Radiation Environments 2 Facility Control Room Design Environmental Parameters 3 RPF and IF General Area Design Environmental Parameters 4 IU Cell Interior Design Environmental Parameters 5 TOGS Cell Interior Design Environmental Parameters 6 Primary Cooling Room Interior Design Environmental Parameters 1 TRPS Monitored Variables 1 ESFAS Monitored Variables 2 Fail Safe Component Positions on ESFAS Loss of Power 1 Safety-Related Process Radiation Monitors 2 Radiation Area Monitor Locations 3 Continuous Airborne Monitor Locations NE Medical Technologies 7-iv Rev. 0

1 Instrumentation and Control System Architecture 2 Target Solution Vessel Reactivity Protection System Architecture 3 Engineered Safety Feature Actuation System Architecture 1 HIPS Platform Timing 2 TRPS and ESFAS Programmable Logic Lifecycle Process 1 Process Integrated Control System Interfaces 1 TRPS Logic Diagrams 2 TRPS Mode State Diagram 1 ESFAS Logic Diagrams 2 Extraction Hot Cell 3 Vacuum Transfer System 4 Radiologically Controlled Area Isolation 1 Facility Control Room Layout 2 Status Indication Panels 3 Maintenance Workstation 1 Effluent Monitor Locations NE Medical Technologies 7-v Rev. 1

onym/Abbreviation Definition ARA as low as reasonably achievable S American Nuclear Society SI American National Standards Institute L actuation and priority logic IS accelerator tritium interface system ST built-in self-test AS criticality accident alarm system MS continuous air monitoring system cubic centimeter F common cause failure A critical digital asset BEM carbon delay bed effluent monitor curie communication modules TS commercial off-the-shelf s counts per second NE Medical Technologies 7-vi Rev. 0

onym/Abbreviation Definition C cyclic redundancy checks B calibration and test bus direct current M equipment interface module I electromagnetic interference FAS engineered safety features actuation system T factory acceptance test HS facility chilled water system R facility control room CS facility data and communications system WS facility demineralized water system WS facility heating water system HS facility nitrogen handling system GA field programmable gate array SS glovebox stripper system NE Medical Technologies 7-vii Rev. 0

onym/Abbreviation Definition PS highly integrated protection system S hardware requirements specification I human system interfaces AC heating, ventilation, and air conditioning PS high voltage power supply WM hardwired module C instrumentation and control E integrated development environment N isolated development network EE Institute of Electrical and Electronic Engineers irradiation facility G interim staff guidance M input submodule irradiation unit P iodine and xenon purification i microcurie NE Medical Technologies 7-viii Rev. 0

onym/Abbreviation Definition subcritical multiplication factor molybdenum extraction and purification EPS system monitoring and indication communication

-CM module B monitoring and indication bus molybdenum isotope product packaging PS system WS maintenance workstation PS nitrogen purge system AS neutron driver assembly system DS neutron flux detection system National Institute of Standards and ST Technology SS normal electrical power supply system M nonvolatile memory OS out of service LS primary closed loop cooling system CS process integrated control system NE Medical Technologies 7-ix Rev. 0

onym/Abbreviation Definition DS programmable logic design specification programmable logic requirements RS specification DA partial trip determination actuation VS process vessel vent system quality assurance MS radiation area monitoring system A radiologically controlled area S radioactive drain system I radio-frequency interference WI radioactive liquid waste immobilization WS radioactive liquid waste storage CS radioisotope process facility cooling system F radioisotope production facility Z1 radiological ventilation zone 1 Z2 radiological ventilation zone 2 Z3 radiological ventilation zone 3 NE Medical Technologies 7-x Rev. 0

onym/Abbreviation Definition SS subcritical assembly support structure M scheduling and bypass modules AS subcritical assembly system B1 safety data bus 1 B2 safety data bus 2 B3 safety data bus 3 E secure development environment M safety function module S standby generator system M stack release monitor MS stack release monitoring system M scheduling and voting module RS system requirements specification D total integrated dose GS TSV off-gas system S tritium purification system NE Medical Technologies 7-xi Rev. 0

onym/Abbreviation Definition target solution vessel reactivity protection PS system PS target solution preparation system SS target solution storage system V target solution vessel SS uninterruptible electrical power supply system SS uranium receipt and storage system V verification & validation S vacuum transfer system NE Medical Technologies 7-xii Rev. 0

SUMMARY

DESCRIPTION instrumentation and control (I&C) systems provide the capability to monitor and control the NE facility systems manually and automatically during normal conditions and maintain the lity in a safe condition under accident conditions.

chapter describes the design of the I&C systems, including classification, functional uirements and architecture, and demonstrates the systems capabilities to perform safety and safety-related functions. The scope of the information provided in this chapter includes tems that are safety-related as defined by SHINEs Quality Assurance Program Description nonsafety-related I&C systems that perform specific regulatory required functions.

tion 7.1 provides an introduction and overview of I&C systems, which include safety-related nonsafety-related systems. Systems and topics addressed in this chapter include:

the process integrated control system (PICS)

the target solution vessel (TSV) reactivity protection system (TRPS)

the engineered safety feature actuation system (ESFAS)

the highly integrated protection system (HIPS) underlying TRPS and ESFAS

facility control room control consoles and displays

radiation monitoring, including

- safety-related process radiation monitors considered part of the ESFAS, TRPS, and tritium purification system (TPS)

- nonsafety-related process radiation monitors included as part of other facility processes

- the radiation area monitoring system (RAMS)

- the continuous air monitoring system (CAMS)

- the stack release monitoring system (SRMS)

- the criticality accident alarm system (CAAS)

the neutron flux detection system (NFDS) architectural design of I&C systems is based on providing clear interconnection interfaces of lity I&C structures, systems, and components. Each irradiation unit (IU) has an independent ty-related TRPS and NFDS. A single nonsafety-related PICS provides the nonsafety tions of the IUs and facility level nonsafety-related functions. An ESFAS is provided for ty-related functions that are common to the entire facility. The CAAS, RAMS, CAMS, and MS provide their functions at a facility level separate from the irradiation units.

mplified block diagram of the overall I&C system architecture is provided in Figure 7.1-1.

1 PROCESS INTEGRATED CONTROL SYSTEM PICS is a nonsafety-related distributed digital control system that provides monitoring and trol of the various processes throughout the SHINE facility. The PICS includes system trols, both automated and manual, and human system interfaces (HSIs) necessary to provide operator interaction with the necessary process control mechanism. The HSIs are provided in facility control room (FCR) and are described in Section 7.6.

NE Medical Technologies 7.1-1 Rev. 0

the systems and components in the radioisotope production facility (RPF).

functions of the PICS enable the operator to perform irradiation cycles, transfer target tion to and from the IU as well as throughout the RPF, and interface with the TPS, processes e supercell, waste handling operations, and the auxiliary systems.

PICS is further described in Section 7.3.

2 TARGET SOLUTION VESSEL REACTIVITY PROTECTION SYSTEM purpose of the TRPS is to monitor process variables and provide automatic initiating signals esponse to off-normal conditions, providing protection against unsafe IU operation during the illing, irradiation, and post-irradiation modes of operation. Each IU has its own TRPS, figured as shown in Figure 7.1-2. The major safety function of the TRPS is to monitor ables associated with the IU and trip the neutron driver and actuate the engineered safety ures when specified setpoints, based on analytical limits, are reached or exceeded.

TRPS maintains the modes of operation of the IU and creates the necessary interlocks and missives on each safety function needed for the different modes. Modes are transitioned uentially using an operator input.

TRPS also transmits status and information signals to the nonsafety-related maintenance kstation (MWS) and to the PICS for display in the FCR, trending, and historian purposes.

TRPS is built utilizing the HIPS as described in Subsection 7.1.4. HIPS is a field grammable gate array (FPGA)-based system. The TRPS incorporates the fundamental I&C ciples of independence, redundancy, predictability and repeatability, and diversity and ense-in-depth as used by the HIPS platform.

TRPS includes the following safety-related (except where noted otherwise) components:

three divisions of input modules, signal conditioning, and trip determination

two divisions of power distribution panels

power supplies for sensors and TRPS components

two nonsafety-related MWSs

two divisions of voting and actuation equipment

manual input switches boundary of the TRPS extends from the terminations of the cabling at the output of the sors to the terminations of the cabling to each actuation component of the TRPS.

TRPS is further described in Section 7.4.

3 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM purpose of the ESFAS is to monitor process variables and provide automatic initiating als in response to off-normal conditions, providing protection against unsafe conditions in the NE facility. The ESFAS is a plant level control system not specific to any operating unit or NE Medical Technologies 7.1-2 Rev. 0

sense and command functions necessary to maintain the facility confinement strategy and

process actuation functions as required by the safety analysis.

ESFAS also transmits status and information signals to the nonsafety-related MWS and to PICS for display in the FCR, trending, and historian purposes.

ESFAS, like the TRPS, is also built using the HIPS platform as described in section 7.1.4. The ESFAS incorporates the fundamental I&C principles of independence, undancy, predictability and repeatability, and diversity and defense-in-depth as used by the S platform.

ESFAS includes the following safety-related components (except where noted otherwise):

three divisions of input modules, signal conditioning, and trip determination

two divisions of power distribution panels

power supplies for sensors and ESFAS components

two nonsafety-related MWSs

two divisions of voting and actuation equipment

manual input switches boundary of the ESFAS extends from the terminations of the cabling at the output of the sors to the terminations of the cabling to each actuation component of the ESFAS.

ESFAS is further described in Section 7.5.

4 HIGHLY INTEGRATED PROTECTION SYSTEM DESIGN HIPS is used for both the TRPS and ESFAS as shown in Figure 7.1-2 and Figure 7.1-3. This section describes the design characteristics of the HIPS.

safety function module (SFM) receives sensor inputs to the HIPS platform at the signal ditioning circuitry to measure variables important to the safe operation of the IU. The SFM orms three main functions with the sensor inputs:

Signal conditioning

Trip determination

Communication to the TRPS communication modules signal conditioning function is comprised of input submodules that are part of the SFM sisting of a signal conditioning circuit, analog to digital converter, and a serial interface. The al conditioning function is responsible for conditioning, measuring, filtering, and sampling inputs.

trip determination receives sensor input values in a digital format from the signal conditioning

k. The trip determination performs the comparison of the sensor inputs to setpoints grammed into the FPGA and makes a trip determination based on the output of the NE Medical Technologies 7.1-3 Rev. 0

SFM also provides monitoring and indication bus (MIB) functionality and calibration and test (CTB) functionality. The MIB is responsible for obtaining variables, parameters, trip ermination results, status, and diagnostic information from each of the core logic paths. The B allows for the MWS to update the tunable parameters (i.e., setpoints) in the nonvolatile mory when the SFM is taken out of service (OOS).

SFM has three core logic paths that are separated at the output of the signal condition uitry. The three core logic paths each perform trip determination and send the results to the e safety data buses (SDB1, SDB2, and SDB3). In two of the three divisions, SFMs send the a via the chassis backplane directly to the scheduling and voting module (SVM) associated the respective safety data bus where the two-out-of-three voting occurs. The third division ds the data to scheduling and bypass modules (SBMs) local to that division, which collects data and transmits the collected data to each of the SVMs to complete the two-out-of-three ng inputs. Both the SBM and SVM are the master of the respective safety data bus to the Ms. Transmission from the third divisions SBM to the SVMs is point-to-point one-way munication.

results of the two-out-of-three voting are transmitted through the chassis backplane in a nd robin fashion to each of the equipment interface modules (EIMs). There the EIMs combine input from the three SVMs associated with the three different safety data buses in a two-out-hree vote to determine if a protective function requiring deenergizing the output of that EIM is essary.

status and diagnostic information from each of the individual module types is provided to the

. The monitoring and indication communication module (MI-CM) is the bus master for all munications on the MIB. The MI-CM provides status and diagnostic information from all dules through isolated, transmit-only communication ports to nonsafety-related equipment.

h SFM has an associated trip/bypass switch connected to a hardwired module (HWM) that ates the signal and places the trip or bypass information on the backplane where it is routed ither the SBMs or SVMs where it is used. Each SFM also has an OOS switch installed on its t plate. When the OOS switch on the SFM is activated, the SBM forces the safety function either trip or bypass, depending on the position of the trip/bypass switch, and takes the nnel OOS. It also provides the appropriate alarm output information.

nual switches in the FCR, as well as any other discrete signal inputs from other systems, are eived via the hardwired module. A manual switch for each safety function is provided. The nual switch is directly input into the actuation and priority logic (APL) in the EIM downstream ll programmable logic.

priority on the different control signals provided to the logic from within the HIPS platform is ned by the APL. There are five different command signals that the APL accepts:

Automated trip signal passed down from the SFM

Manual trip signal from the FCR

Enable nonsafety enabled NE Medical Technologies 7.1-4 Rev. 0

crete logic is used for the APL for actuation of components based on the prioritization design.

S is only allowed control by the APL logic if the enable nonsafety enable permissive signal is ve and no manual or automated protective functions are present.

circuitry of the APL is designed so that, when an actuation signal is received, either through safety data path or manually through the HWM, the APL ensures the action carries through l completion. Upon a reset of the sense and command features, the APL continues to hold actuated components on the requested position until deliberate operator action is taken to nge the components state.

5 CONTROL CONSOLE AND DISPLAYS operator workstations and main control board are provided as the HSI subset of components he FCR. These components are included as part of the PICS and are classified as nonsafety-ted.

two operator workstations provide operators with interactive displays to perform daily vities for the SHINE facility. The displays at the operator workstation are capable of being nged to the appropriate screen applicable to the activities that the operator is performing ng day-to-day operations of the SHINE facility.

main control board, located in front of the two operator workstations, includes both digital lays and limited manual interfaces.

main control board provides the operator with multiple digital displays, configured to tinuously display variables important to safety-related system status for individual IUs and the nce of the production facility. The displays on the main control board are used to support nual actuation of safety-related systems and to verify correct operation of the safety-related tems in the event of an actuation.

main control board provides operator interfaces for:

manual actuation of the TRPS and ESFAS protective functions,

the enable nonsafety function, which allows PICS control of the APL output state (i.e.,

deenergized or energized), and

the facility operating permissive key, which is used to place the SHINE facility into a secure state.

supervisor workstation is located at the rear of the facility control room and acts as an nsion of the operator workstations. The supervisor workstation is equipped with equipment lay screens that allow the supervisor to monitor system status, but not control facility ponents.

ility controls are designed and located using consideration of human factors engineering ciples. The SHINE Human Factors Engineering Program is used to facilitate the safe, ient, and reliable performance of operations, maintenance, tests, inspections, and NE Medical Technologies 7.1-5 Rev. 0

se systems are further described in Section 7.6.

6 RADIATION MONITORING iation monitoring is used to monitor radiation levels within the SHINE facility, to provide ms for personnel within the facility and the control room, to provide actuation signals to ty-related control systems, and to monitor airborne effluent streams from the facility.

ety-related process radiation monitoring is performed by ESFAS, TRPS and TPS radiation nitors. These monitors provide input into the safety-related controls to provide input for safety ations and interlocks, and provide indication and alarm signals to the FCR.

safety-related process radiation monitors are used in select facility processes to provide us information and diagnose off-normal process conditions.

a radiation monitoring and local alarms within the general areas of the facility radiologically trolled area (RCA) are provided by the RAMS. This nonsafety-related system also provides als to the FCR to inform operators of abnormal conditions within the facility.

orne contamination monitoring within general areas of the facility RCA is performed by the MS. The CAMS units are nonsafety-related devices that provide local alarms and provide als to the FCR to inform operators of the occurrence and approximate location of abnormal ditions.

mal airborne facility effluents are directed into a single facility stack and are monitored by the k release monitor. An alternate safety-related vent path for the nitrogen purge system is nitored by the carbon delay bed effluent monitor. These nonsafety-related effluent monitors vide control room indication and alarm. The SHINE facility does not have a normal liquid ent path from the RCA, and as such no liquid effluent monitoring system is provided.

icality accident monitoring and alarm is provided by the facility CAAS. The CAAS provides ms both locally and within the FCR.

se systems are further described in Section 7.7.

7 NEUTRON FLUX DETECTION SYSTEM NFDS is used for monitoring the reactivity and power of the subcritical assembly system in IU. The NFDS is a safety-related system with redundant channels of neutron flux detectors.

NFDS detects and provides remote indication of the neutron flux levels during TSV filling irradiation to determine the multiplication factor and power levels, respectively. The NFDS vides safety-related outputs to the TRPS used for trip determination. The NFDS also provides safety-related outputs to the PICS, which are used for monitoring of conditions within the IU.

ee watertight fission chamber NFDS detectors are provided for each IU, located in the light er pool surrounding the subcritical assembly support structure (SASS).

NE Medical Technologies 7.1-6 Rev. 0

each NFDS division maintains electrical and physical separation with the other divisions for same IU cell.

NFDS is further described in Section 7.8.

NE Medical Technologies 7.1-7 Rev. 0

Chapter 7 - Instrumentation and Control Systems Summary Description Figure 7.1 Instrumentation and Control System Architecture SHINE Medical Technologies 7.1-8 Rev. 0

Chapter 7 - Instrumentation and Control Systems Summary Description Figure 7.1 Target Solution Vessel Reactivity Protection System Architecture SHINE Medical Technologies 7.1-9 Rev. 0

Chapter 7 - Instrumentation and Control Systems Summary Description Figure 7.1 Engineered Safety Feature Actuation System Architecture SHINE Medical Technologies 7.1-10 Rev. 0

design of the safety-related instrumentation and control (I&C) systems is based on four damental design principles:

independence

redundancy

predictability and repeatability

diversity design criteria of the I&C systems were derived from the criteria in 10 CFR 50, Appendix A, 10 CFR 70.64(a), as described in Table 3.1-3, as well as the draft interim staff guidance G) for Chapter 7 of NUREG-1537. The criteria were applied in a graded approach to each I&C tem.

1 DESIGN CRITERIA SHINE design criteria are described in Section 3.1. Table 3.1-1 and Table 3.1-2 show how criteria are applied to each I&C system. Additional design criteria for individual systems and systems are provided in Sections 7.3 through 7.8. Codes and standards used in the design of h I&C system are also identified in Sections 7.3 through 7.8.

2 DESIGN BASES design bases for safety-related I&C systems (i.e., target solution vessel [TSV] reactivity ection system [TRPS], engineered safety features actuation system [ESFAS], and neutron detection system [NFDS]) were derived using a graded approach from the criteria identified e draft ISG for NUREG-1537 as they applied to the four fundamental design principles and described in this subsection.

des of operation, safety functions, permissive conditions, monitored variables and their ges, conditions for manual control, and any other special design bases requirements specific ach of the I&C systems are described in Sections 7.3 through 7.8.

ironmental and radiological parameters for I&C components located in different areas of the lity are provided in Tables 7.2-1 through 7.2-6 and are referred to in Sections 7.3 through 7.8.

ironmental parameters inside the main production facility are maintained by the facility ting, ventilation, and air conditioning (HVAC) systems, which are described in Section 9a2.1.

2.1 Independence physical, electrical, communications, and functional independence attributes are discussed is subsection.

2.1.1 Physical Separation TRPS and ESFAS structures, systems and components that comprise a division are sically separated to retain the capability of performing the required safety functions during a ign basis accident. Division independence is maintained throughout both systems, extending NE Medical Technologies 7.2-1 Rev. 0

aration and isolation to provide independence for circuits. Separation of wiring is achieved g separate wireways and cable trays for each of Division A, Division B and Division C.

sion A and C of the TRPS and ESFAS are located on the opposite side of the facility control m from where Division B is located. Safety-related equipment for different divisions is located eparate fire areas when practicable. Exceptions include components for all three divisions are ted in the facility control room, in individual irradiation unit (IU) and TSV off-gas system GS) cells, and in other locations where end devices are installed.

NFDS divisions are physically separate. The NFDS detectors are installed 120 degrees idistant around the subcritical assembly structure in relation to the target solution vessel and cabling is routed in physically separate cable trays and raceways.

2.1.2 Electrical Isolation electrical isolation devices that are used as a safety system boundary are considered part of safety-related system (i.e., TRPS and ESFAS). The electrical isolation devices are tested to firm that credible failures on the nonsafety side of the isolation device do not prevent the ociated safety system channel from meeting minimum performance requirements.

ctrical isolation between the safety-related and nonsafety-related systems is provided by the wing devices:

Nonsafety-related inputs. The equipment interface module (EIM) provides isolation via galvanic isolation between the nonsafety inputs (e.g., actuation component position indication feedback) and the safety system. The isolation is a passive safety-related feature that does not rely on power to provide the required protection.

Safety-related to nonsafety-related communication interface. Communication with nonsafety-related systems is provided through transmit-only or receive-only ports, which provide isolation through unidirectional communication links. The monitoring and indication communication module (MI-CM) provides isolation from the safety systems (TRPS or ESFAS) to the nonsafety systems (the process integrated control system

[PICS] and the maintenance workstation [MWS]) via communication ports configured as one-way transmit only on the device. A single data port on the MI-CM is configured as receive-only, and can receive information from the MWS through a temporary cable that is connected during maintenance activities.

Hardwired inputs into the safety-related systems. The hardwired module (HWM) receives signals from the manual switches in the facility control room, discrete hardwired signals from the PICS, and from the safety function module (SFM) trip/bypass switches. The HWM is constructed only from discrete logic components. The HWM provides direct current (DC)-to-DC and galvanic isolation between the TRPS and ESFAS and any input to the HWM.

2.1.3 Communications Independence TRPS and ESFAS each use five separate and independent serial communication bus ctures:

NE Medical Technologies 7.2-2 Rev. 0

Safety data bus 3 (SDB3)

Monitoring and indication bus (MIB)

Calibration and test bus (CTB) communication buses are used for intradivisional communication via a backplane. Each kplane is specific to either the TRPS or ESFAS. The backplane contains point-to-point per signal traces that are the signal paths for SDB1, SDB2, SDB3, MIB, and CTB. Each bus eparate, asynchronous, and can be active simultaneously and operate independently. The es use a master-slave protocol, using simple, different RS-485 virtual point-to-point or point-ultipoint communication.

h exception of the interdivisional voting, the communication within the TRPS and ESFAS sion is independent and does not rely on communication from outside the respective division erform a safety function. The SFM performs independent signal conditioning and trip ermination, and provides the result to either the scheduling and voting module (SVM) in sion A and B or the scheduling and bypass module (SBM) in Division C (used for two-out-of-e votes, when provided).

safety function is processed through three redundant communication modules (CMs) to vide error detection and fault tolerance of the safety function. Data communications going out r into the highly integrated protection system (HIPS) chassis use one-way isolated munication ports on the CMs. The CMs are part of the safety-related HIPS platform and are sidered safety-related modules, isolated from nonsafety-related equipment.

PS or ESFAS communication to nonsafety systems is provided by one-way, isolated data munication paths from the MIB. The communication from the TRPS or ESFAS to the PICS or S is through a MI-CM in each division. The MWS provides communication to the ESFAS or PS using a temporary cable. This communication is only allowed when the SFM is taken out ervice by placing the out of service switch on the face plate of the SFM in the "out of service" ition.

NFDS is an analog system with no digital communications. Communication independence the NFDS is maintained by implementing separate hardwired connections to the TRPS and S.

2.1.4 Functional Independence SFMs in ESFAS and TRPS are responsible for both signal conditioning and trip ermination from input signals. The trip determination portions of each SFM receive process t values from the signal conditioning portions of that SFM. Each independent SFM is icated to implementing one safety function or a limited group of functions. This results in the e-level implementation of each group of safety functions being different from other safety tions performed on a separate SFM. A removal of one SFM only affects the safety function up that is implemented by that SFM and no other SFM. This design attribute supports ctional independence.

built-in self-test (BIST) feature in the field programmable gate array (FPGA) logic is separate independent of the FPGA safety function logic; thus, the programming of the FPGA safety NE Medical Technologies 7.2-3 Rev. 0

2.2 Redundancy undancy is used to ensure that the safety-related I&C systems can perform the required ty functions during a design basis event. Redundancy features of the safety-related I&C tems are also used to improve system reliability.

2.2.1 Redundancy in the Target Solution Vessel Reactivity Protection System and Engineered Safety Feature Actuation System safety I&C system platform design includes redundancy in the areas of power, module, munication, equipment interface, and platform. These features ensure that no single failure ults in loss of the protection function, and removal from service of any component or channel s not result in loss of the required minimum redundancy unless the acceptable reliability of ration of the protection system can be otherwise demonstrated.

SFM is designed with three redundant signal paths and begins the communication paths for o-out-of-three comparison. This internal redundancy provides for easy fault detection, giving er reliability from spurious actuation without increasing the complexity of the design.

undancy within the safety I&C system platform architecture is achieved by employing two or e divisions of sensors, detectors, and trip determination, and two divisions of trip and ation circuitry. Three divisions of sensors, detectors and trip determination are selected for tions where spurious actuation may significantly impact overall facility operation or for rational convenience; two divisions are used for other functions. Using multiple divisions of sors and detectors and trip and actuation determination is one of the mechanisms employed atisfy single-failure criteria and improve system availability.

ncidence voting on functions with three divisions of trip determination is implemented so that ngle failure of an input process signal will not prevent a trip or actuation from occurring when uired. In addition, a single failure of an input process signal with three divisions of trip ermination will not cause spurious actuation or inadvertent trips or actuations when they are required. Figures 7.1-2 and 7.1-3 show typical signal data flow paths in the HIPS platform.

following features are provided to improve the reliability of the systems:

The equipment chassis provide for redundant auctioneered DC power feeds to supply both the general logic design and the FPGA core supply power requirements. Fuses are used to protect the modules from cases of severe overcurrent and board failures.

The safety I&C system platform provides triple redundant communication paths. These redundant paths provide fault tolerance and the ability to replace a CM on line without causing a trip or actuation. From the output of the input submodule to the EIM voting, the three redundant safety data signal paths remain independent and redundant.

The safety I&C system platform provides redundant EIMs. These parallel EIMs allow for more thorough testing and equipment removal, thus providing a higher reliability of the field components from spurious actuation.

NE Medical Technologies 7.2-4 Rev. 0

undancy within the NFDS platform is achieved by utilizing three divisions of detectors, plifiers and process circuits.

2.3 Predictability and Repeatability behavior of the functions within the FPGA of each module is deterministic. Deterministic avior allows implementation of a simple communication protocol using a predefined message cture with fixed time intervals. This simple, periodic communication scheme is used ughout the architecture. Communication between modules within a chassis is implemented ugh an RS-485 physical layer. The configurable transmit-only or receive-only ports on a CM a point-to-point physical layer. Communication between modules is done asynchronously, ch simplifies implementation by avoiding complex syncing techniques.

cess input values are communicated using a deterministic path and are provided to a specific M. Input values are converted to engineering units to determine what safety function or group afety functions is implemented on that specific SFM. The SFMs make a trip determination g the engineering units. A trip determination is based on a predetermined set point and vides a trip or no-trip demand signal to each actuation division through an isolated transmit-serial data path.

I&C safety system platform uses a virtual point-to-point connection of the trip decision to the ng level of the architecture. It also uses the point-to-multipoint arrangement achieved within a ster-relay-to-slave-relay connection.

h SVM of the two actuation divisions receives inputs from the trip determination portions of SFMs through isolated receive-only serial data paths. The trip determinations are combined e voting logic so that two or more trip inputs from the trip determination modules produce an ation output demand signal, which is sent to dedicated actuation and priority logic (APL) uits to actuate the appropriate equipment associated with that division. Manual trip and ation capability also provide a direct trip or actuation of equipment, as well as input to the omatic portion of the system, to ensure the sequence is maintained.

tinuous self-test and calibration checks are performed on the analog input submodule analog igital converters. These tests verify the calibration of the analog portion and that the input module is working. The continuous calibration check verifies that the analog to digital verter is within the desired accuracy and that it has not drifted out of calibration. These ures support the predictable and repeatable platform design.

FPGA functions on the EIM consist of deterministic-state machines. The EIM uses discrete c for the actuation and priority logic, high-drive switching outputs, hard-wired signals, and ipment feedback circuitry. This architecture performs manual actuations downstream of any grammable logic. The EIM is a slave module to the three SVMs and the MI-CM. The EIM uses FPGA device to implement the logic circuits for automatic trip signal voting, handling of the cation and diagnostic information, and bus communication logic. The EIM is equipped with t high-drive switching outputs. The high-drive output is implemented as a redundant output, re a single failure in one of the driving components is automatically detected and mitigated out affecting the output operation.

NE Medical Technologies 7.2-5 Rev. 0

ermination actuation (PTDA) from the SFM to the EIM. The timing diagram is focused on the grammable logic portion. The blue line indicates that t1 and t2 are asynchronous. The ram includes the analog input delay on the left and the analog output delay on the right side.

se analog delays are dependent on the application and are simply added to the overall timing ulation. The diagram also shows the logic delays of the modules that are included in the saction times. These logic delays are very small compared to the communications timing; as h, they are added as an element in the worst-case timing calculation.

meet a response time performance requirement of 500 ms, a HIPS platform-based system st acquire the input signal that represents the start of a response time performance uirement, perform logic processing associated with the response time performance uirement, and generate an output signal that represents the end of a response time ormance requirement. These HIPS platform response time components exclude (1) the ier plant process delays through the sensor input to the platform, and (2) the latter delays ugh a final actuating device to affect the plant process. The required response times for the PS and ESFAS, which cover the analog delays, logic delays, and times t1 and t2 of ure 7.2-1, are provided in Sections 7.4 and 7.5, respectively.

2.4 Diversity HIPS platform provides functional diversity with the use of different protection logic on each M in order to implement the unique safety function(s) assigned to that SFM. As a result, grammable logic design for an SFM is unique when compared to the protection logic for any er SFM. A failure of an SFM would be limited to the safety functions of that SFM and would prevent other SFMs from performing their safety functions.

2.5 Simplicity section provides a description of the simplicity attributes that have been considered and rporated into the design of the I&C architecture. Simplicity is an evaluation performed across fundamental design principles: independence, redundancy, predictability and repeatability, diversity.

plicity has been considered throughout the development of the TRPS, ESFAS, and NFDS tems. The I&C system architecture is consistent with proven safety systems designs used for lear production facilities.

HIPS technology used for the TRPS and ESFAS is based on only four core modules. The of FPGA technology allows for modules to perform a broader range of unique functions yet ze the same core components. Increased flexibility with core components provides simplified ntainability. The quantity of spare parts can be reduced to blank modules that are grammed and configured as needed.

ctions within the FPGA of each module are implemented with finite state machines in order to ieve deterministic behavior. The HIPS platform does not rely on complex system/platform trollers. Dedicating SFMs to a function or group of functions based on its input provides rent function segmentation creating simpler and separate SFMs that can be more easily ed. This segmentation also helps limit module failures to a subset of safety functions.

NE Medical Technologies 7.2-6 Rev. 0

munication protocol. Autonomous modules allow for simpler component testing, lementation, and integration.

of fundamentally different FPGA architectures provides a simple and verifiable approach to ipment and design diversity. By simply implementing safety functions on an SFM based on its ts, safety functions have been segmented to provide functional diversity. The discrete and grammable logic circuits on an EIM provide a clear distinction between those portions that are are not vulnerable to a software common cause failure (CCF). These diversity attributes plify the TRPS and ESFAS systems design by not having to install a separate diverse ation system to address software CCF concerns.

lementation of triple redundant communication within a division of a HIPS platform increases number of components (e.g., additional communication modules) but provides simpler ntenance and self-testing. A single communication path would be vulnerable to undetectable res. Failure of a data path or CM with triple redundant communication is simpler in parison. A single failure does not cause all safety functions of that division to be inoperable.

ctions within the FPGA of each module are implemented with finite state machines in order to ieve deterministic behavior. Deterministic behavior allows implementation of a simple munication protocol using a predefined message structure with fixed time intervals. This ple periodic communication scheme is used throughout the architecture. Communication ween SFMs and CMs is implemented through a simple and well-established RS-485 physical

r. The configurable transmit-only or receive-only ports on a communication module use a t-to-point physical layer. Communication between modules is done asynchronously which plifies implementation by avoiding complex syncing techniques.

NFDS is an analog system with no digital communications.

3 SYSTEM DESCRIPTION he SHINE facility, instrumentation and controls are composed of the following systems:

PICS

TRPS

ESFAS

facility control room control consoles and displays

radiation monitoring, including

- the radiation area monitoring system (RAMS)

- the continuous air monitoring system (CAMS)

- safety-related process radiation monitoring considered part of the ESFAS and tritium purification system (TPS)

- nonsafety-related process radiation monitoring included within individual process systems

- the stack release monitoring system (SRMS)

- the criticality accident alarm system (CAAS)

NFDS mplified block diagram of the overall I&C system architecture is provided in Figure 7.1-1.

NE Medical Technologies 7.2-7 Rev. 0

uirements are provided in Sections 7.3 through 7.8.

NE uses a documented methodology for establishing and calibrating setpoints for safety-ted I&C functions. A combination of statistical and algebraic methods is used to combine rument uncertainties to determine the total instrument loop uncertainty for each setpoint. The hodology considers both random and non-random uncertainties, and considers process asurement and miscellaneous effects uncertainties, sensor uncertainties, and protection tem processing uncertainties. The methodology is used to ensure an adequate margin exists ween analytical limits and instrument setpoints so that protective actions are initiated before ty limits are exceeded.

4 SYSTEM PERFORMANCE ANALYSIS section includes performance analysis information related to the HIPS platform, which is d for both the TRPS and ESFAS safety-related control system. Information specific to the PS and ESFAS is contained in Sections 7.4 and 7.5, respectively. Performance analysis rmation related to other I&C systems is contained in Sections 7.3, 7.6, 7.7 and 7.8.

gnostic and maintenance features provided by the HIPS platform features include the use of T, cyclic redundancy checks (CRC), periodic surveillance testing, and other tests in each type odule, as appropriate, to verify normal operation.

hassis calibration of the defined setpoints and tunable parameters can be performed for the M. Other modules are only capable of maintenance changes when taken out of the chassis.

calibration uses the MWS as the primary interface. The CMs do not require calibration.

re are no setpoints and tunable parameters in the CM that need monitoring. Calibration of the M involves the analog input submodules. The discrete input submodule does not require bration.

HIPS platform has end-to-end self-testing that covers each module from sensor input to the put switching logic (except for the discrete circuitry of the APL). The individual self-tests on different components of the HIPS platform evaluate whether the entire platform is functioning ectly. The APL (which contains discrete logic) periodic surveillance testing, as required in the nical specifications, determines if the APL is functioning correctly. In the overlap method, the dules check if each module is functioning correctly, and the error checking on the munication buses verifies that the transfer of data is correct.

surveillance testing on analog and temperature input submodule (ISM) types uses the MWS he primary test interface. Self-testing for an SFM with a discrete ISM is sufficient for checking performance of the submodule, since there are no calibration requirements. The self-testing a discrete input submodule verifies pins for "stuck low," "stuck high," "shorts," or "open."

-testing performed by the SFM includes the following:

SFM BIST including startup and operational testing of the FPGA and nonvolatile memory (NVM)

SFM FPGA voltage checks during startup and operation

SFM monitors work-cycle performance NE Medical Technologies 7.2-8 Rev. 0

-testing performed by the EIM includes the following:

EIM BIST including startup and operational testing of the FPGA and NVMs

EIM FPGA voltage checks during startup and operation

EIM monitors work-cycle performance

the data message error checking

discrete input operation self-testing

high-drive output self-testing

two-out-of-three voting logic for the three safety data bus inputs CMs do not require surveillance testing. Self-testing of the logic is incorporated into the T feature provided by the FPGA the logic is built into. The data message error checking also ects any failures that may occur in the CM.

BIST feature in the FPGA logic is separate and independent of the FPGA safety function c; thus, the programming of the safety function FPGA logic is not made more complex by the usion of the diagnostic and self-test FPGA logic.

GAs on the SFM and EIM use the BIST feature provided by the FPGA. The BIST in a static dom-access memory-based FPGA is used for checking the functionality of the NVM and the GAs included on each module. The BIST checks both the NVM and the FPGA upon startup continuously during normal operation. NVM and FPGA self-test errors during startup result in l faults. The BIST in a one-time programmable or flash-based FPGA does not check the logic figuration because the logic in this type of FPGA is a fixed configuration. Once this figuration is established, it remains fixed when the FPGA is powered or when it is not ered.

communication integrity self-testing performed on the SDBs (i.e., redundancy failure ection, synchronization/timing failure detection, CRC failure detection, and protocol failure) ects communication errors caused by an upstream module, communication data links, or munication processing with the module itself.

ification of the integrity of the communicated information between modules by CRC check is ther type of test provided by the HIPS platform. This capability includes a high degree of fault ection on the HIPS bus, since the data that is sampled on the bus must match the calculated e and must be there at the correct time of the HIPS bus transaction to be declared valid.

ification of the integrity of the NVM memory by CRC check is another type of self-test vided by the HIPS platform. This capability during startup and operation includes an omatic check to ensure that NVM has not been changed or corrupted.

performance of the core logic within the SFM FPGA, as well as the SDB communications es, can be monitored by reviewing the results of the periodic injection of a PTDA test signal one core logic within the SFM FPGA in a round robin fashion. The effects of the PTDA can observed by reviewing actuation status data information transmitted out of the HIPS platform g the MIB. The test injection can be used to confirm that the core logic and the SDBs are tioning correctly from the SFM output through the two-out-of-three triple modular redundant NE Medical Technologies 7.2-9 Rev. 0

functional and can process PTDA decisions made in the SFM logic.

HIPS platform has design features that directly support methods to perform cross-checking ween redundant safety-system channel sensors or between sensor channels that bear a wn relationship to each other. The HIPS platform design features use coincidence logic port implementation of application-specific diagnostic logic and confirmation of continued cution with the use of the MWS.

S modules include light emitting diodes that are used to determine the state of the module hes, the operational state of the module, and the presence of any faults. The HIPS platform

-testing features and the associated front panel light emitting diodes allow for the timely tification of certain malfunctions within the HIPS equipment.

5 ACCESS CONTROL AND CYBER SECURITY safety-related control systems, TRPS and ESFAS, are implemented using the HIPS form. Access control and cyber security requirements described in this section, which consist e secure development and operating environment, are applied to these safety-related control tems. Access control and cyber security requirements for the nonsafety-related PICS are cribed in Section 7.3.

5.1 Secure Development Operating Environment developmental process for the TRPS and ESFAS has been delegated to SHINE's safety-ted control system vendor. The process addresses the potential cyber security vulnerabilities ysical and electronic) in the developmental phases of the software and the controls to prevent uthorized physical and electronic access. The secure development controls are applied from eloping the requirements of the software, designing the software, integrating the hardware software, and testing the system. The development controls include physical access controls he development facility, personnel access controls that limit access to the TRPS and ESFAS ign information to authorized individuals, and the use of an isolated development network N).

HIPS platform contains design features that reduce the susceptibility to inadvertent access oth hardware and software and undesirable behavior from connected systems. These form features support the establishment and use of a secure operational environment and ective measures to maintain it.

cific requirements are defined for the TRPS and ESFAS that provide and maintain a secure rational environment during the defined modes of operation. A requirements traceability rix is used throughout the development process. Bi-directional traceability is independently fied to ensure that requirements are implemented (forward tracing) and that no unwanted or ecessary code has been introduced (backward tracing).

5.2 Cyber Security Design Features TRPS and ESFAS are designed using a defensive system architecture, as shown in ure 7.1-1.

NE Medical Technologies 7.2-10 Rev. 0

Communication outside of the TRPS and ESFAS system while in service is through one-way isolated communication ports over point-to point cables.

Communication ports that are for communication outside of a HIPS chassis implement the one-way communication with hardware.

Communication from an MWS to a HIPS chassis is only allowed when the affected module is placed out of service by activating the out of service (OOS) switch using a temporary cable that is attached from the MWS to a HIPS chassis.

No capability for remote access to the safety system is included with the HIPS platform design.

5.3 Access Control TRPS and ESFAS have additional access control features:

TRPS and ESFAS require a physical key at the main control board to prevent unauthorized use of the TRPS and ESFAS.

TRPS and ESFAS rack mounted equipment are installed within cabinets that can be locked so access can be administratively controlled.

FPGAs on any of the HIPS modules cannot be modified (for static random-access memory type) or replaced (for one-time programmable or flash types) while installed in the HIPS chassis.

Capability to modify modules installed in the HIPS chassis is limited to setpoints and tunable parameters that may require periodic modification.

h division of TRPS and ESFAS systems has a nonsafety-related MWS for the purpose of ne monitoring and offline maintenance and calibration. The HIPS platform MWS supports ne monitoring through one-way isolated communication ports. The MWS is used to update oints and tunable parameters in the HIPS chassis when the safety function is out of service.

sical and logical controls are put in place to prevent modifications to a safety channel when it eing relied upon to perform a safety function. A temporary cable and OOS switch are required e activated before any changes can be made to an SFM. When the safety function is oved from service, either in bypass or trip, an indication is provided by the HIPS platform that be used to drive an alarm in the facility control room to inform the operator. Adjustments to ameters are performed in accordance with facility technical specifications, including any that blish the minimum number of redundant safety channels that must remain operable for the licable operating mode and conditions.

6 SOFTWARE REQUIREMENTS DEVELOPMENT TRPS and ESFAS are designed and implemented using a programmable logic-based I&C form that is based on fundamental safety-related I&C design principles of independence, undancy, predictability and repeatability, and diversity, and was developed specifically to vide a simple and reliable solution for safety-related applications. These design principles contribute to simplicity in both the functionality of the system and in its implementation.

TRPS and ESFAS are implemented on a logic-based platform that does not utilize traditional ware or microprocessors for operation. It is composed of logic implemented using discrete ponents and FPGA technology. The platform design was developed to support meeting the NE Medical Technologies 7.2-11 Rev. 0

form has been reviewed and approved by the NRC for use in safety-related applications for mercial nuclear power plants (NuScale, 2017).

development of the TRPS and ESFAS have been delegated to SHINE's safety-related trol system vendor. Any modifications to the TRPS or ESFAS logic required to be lemented after initial development activities are complete are also delegated to the vendor.

TRPS and ESFAS are developed using the vendor's Project Management Plan, which cribes a planned and systematic approach to design, implement, test, and deliver the TRPS ESFAS. The approach defines the technical and managerial processes necessary to elop high-quality products that satisfy the specified requirements.

TRPS and ESFAS are developed in accordance with the vendor's Project Quality Assurance n, which defines the techniques, procedures, and methodologies used to develop and lement the TRPS and ESFAS.

6.1 Key Responsibilities NE is responsible for providing oversight of the vendor, verifying deliverables are developed ccordance with approved quality and procurement documents, and maintaining the vendor as approved supplier on the SHINE approved supplier list.

vendor is responsible for developing and delivering the TRPS and ESFAS control systems in ordance with the processes identified in this section.

key responsibilities for the TRPS and ESFAS activities are identified in the vendor's Project nagement Plan and project implementing procedures.

6.2 Programmable Logic Lifecycle Process TRPS and ESFAS programmable logic lifecycle process shown in Figure 7.2-2 provides an rview of the programmable logic development process from planning through installation. The grammable logic lifecycle process is implemented through the vendor system design control cedure. The procedure defines the minimum system design control tasks from the planning se through the shipment phase.

ign interfaces are established during the design development process, and during the design ew and approval process. Design interfaces are controlled in accordance with the Project nagement Plan.

6.2.1 Planning Phase NE procurement and technical documents (e.g., specifications, drawings, input/output abase, etc.) are inputs to the planning phase. These documents are reviewed by the vendor entify design input documents containing TRPS and ESFAS requirements. The design input uments are formally received from SHINE and controlled by version and date. Design output uments and data required by SHINE are identified and scheduled for development.

NE Medical Technologies 7.2-12 Rev. 0

cification development procedure. A system design description is generated to define the tem design details.

nning documents for the implementation of the programmable logic lifecycle process are eloped:

Project Configuration Management Plan

Project Verification and Validation (V&V) Plan

Project Equipment Qualification Plan

Project Test Plan

Project Security Plan

Project Integration Plan nning phase documents are verified and processed in accordance with the vendor design ument and data control procedures.

6.2.2 Requirements Phase ardware requirements specification (HRS) is generated by the vendor to define the system dware requirements detail. The HRS is generated in accordance with the vendor hardware uirements specification development procedure.

ogrammable logic requirements specification (PLRS) is generated to translate the conformed ign specification into project-specific programmable logic requirements. The PLRS is erated in accordance with the vendor programmable logic requirements specification elopment procedure.

PLRS is reviewed in accordance with the vendor verification process procedure.

grammable logic lifecycle activities from this point forward are performed within a secure elopment environment (SDE) using an IDN. Exceptions for the use of an SDE and IDN may pecified by management in accordance with contract requirements and/or regulatory uirements, as defined in the vendor SDE and IDN Security Plan.

PLRS defines what the programmable logic should do, but not how the programmable logic ets the requirements. The complete description of the functions to be performed by the grammable logic are included in the PLRS.

en the programmable logic requirements are expressed by a requirement specification del, the model elements are categorized as either:

Model elements that represent programmable logic requirements including derived requirements, or

Model elements that do not represent programmable logic requirements.

requirement specification model is developed to define the programmable logic functionality ccordance with the vendor model-based development procedure and reviewed in accordance the vendor verification process procedure.

NE Medical Technologies 7.2-13 Rev. 0

input documents to the design phase are the SyRS, HRS, and PLRS.

ardware design specification is generated to define the system hardware design details. The dware design specification is generated in accordance with the vendor hardware design cification development procedure.

rogrammable logic design specification (PLDS) is generated to translate the PLRS into:

A description of the functional requirements

A description of the system or component architecture

A description of the control logic, data structures, input/output formats, interface descriptions, and algorithms PLDS is generated in accordance with the vendor programmable logic design specification elopment procedure and reviewed in accordance with the vendor verification process cedure.

he case when a programmable logic design specification is expressed by a design cification model, model elements that do not represent programmable logic requirements or hitecture and are not input to a subsequent development activity may be included in a model example, comment elements). These elements will not be implemented in the executable e and therefore need to be clearly identified. Model elements are categorized as described in vendor model-based development procedure as either:

Model elements that represent programmable logic design, including derived requirements or architecture, or

Model elements that do not represent programmable logic design or architecture.

ign specification models are developed in accordance with the vendor model-based elopment procedure and are traceable, verifiable, and consistent.

ependent design review is performed to verify that the system design meets TRPS and FAS requirements in accordance with the vendor verification process procedure. Design tests performed to validate that the system design meets TRPS and ESFAS requirements in ordance with the vendor test control procedure.

6.2.4 Implementation Phase input documents to the implementation phase are the completed tasks and approved uments from the development phase. Although implementation phase activities may proceed, outputs from the implementation phase are not approved until the development phase uments are approved.

HIPS platform hardware and programmable logic components are integrated into the project ng this phase to provide the target hardware and incorporate the HIPS platform grammable logic that has been previously designed, developed, tested, qualified and lemented.

NE Medical Technologies 7.2-14 Rev. 0

c is ready for validation on target hardware.

implementation phase V&V summary report documents the implementation phase exit. If trol point exit criteria are not met, a conditional release can be issued in accordance with the dor conditional release procedure prior to beginning test phase activities.

roved documents ready for V&V are placed into configuration management prior to lementation phase exit.

6.2.5 Test Phase test phase is the validation phase. Outputs from this phase, which are requirements of the ect but may not serve as inputs to the shipment phase, are completed prior to test phase exit.

ification that test phase tasks are complete and output documents are approved serves as control point to transition the project from the test phase to the shipment phase. The test se V&V summary report documents the test phase exit. Proceeding beyond the control point ore control point exit criteria are met adds risk to the successful completion of the project. If trol point exit criteria are not met, a conditional release may be issued in accordance with the dor conditional release procedure prior to the shipment phase.

roved documents are placed into configuration management prior to test phase exit.

6.2.6 Shipment Phase and Installation shipment phase prepares the system for shipment and ships the system to SHINE. Output uments from this phase are completed prior to shipment phase exit.

shipment phase V&V summary report is completed. The final V&V report documents the pleted project V&V activities.

pment phase documents are verified to be complete and approved prior to transitioning the ect from the shipment phase.

roved documents are placed into configuration management prior to shipment phase exit.

tems are installed and site acceptance tests are performed in accordance with written plans instructions prepared and controlled under the installer's quality assurance program. SHINE sponsible for providing oversight of the installer and maintaining the installer as an approved plier on the SHINE approved supplier list.

6.3 Programmable Logic Regression Analysis al release of a PLRS or PLDS does not require regression analysis. Subsequent releases of S or PLDS require regression analysis to determine the required independent verification validation activities to perform. Regression analysis is performed if changes are made to viously tested programmable logic to determine the impact to all parts of the system. This ession analysis occurs prior to the execution of tests. Any tests based on the identified NE Medical Technologies 7.2-15 Rev. 0

rogrammable logic design is expressed by a design specification model, the regression lysis is performed in accordance with vendor model-based development procedure.

6.4 Project Requirements Traceability Matrix RPS and ESFAS requirements traceability matrix is developed by the vendor during each of project phases. These traceability matrices are used for the traceability analysis tasks in each pective phase. The TRPS and ESFAS requirements traceability matrices are developed in ordance with the vendor traceability matrix development procedure.

en using model-based development, identification of requirements in accordance with the hod defined in the vendor traceability matrix development procedure and vendor modeling dards document are used for bi-directional traceability between model elements and uirements external to the model.

6.5 Verification and Validation NE has delegated verification and validation activities related to the safety-related control tem development to the vendor. The TRPS and ESFAS vendor Project Verification and dation Plan is designed to detect and report errors that may have been introduced during the tem development process. The programmable logic verification process verifies that:

System requirements allocated to programmable logic have been developed into programmable logic requirements that satisfy those system requirements.

Programmable logic requirements have been developed into logic architecture and design that satisfy the programmable logic requirements.

Logic architecture and design have been developed into code that satisfies the logic architecture and design.

Developed code satisfies the requirements and provides confidence that there is no unintended functionality.

Developed code is robust such that it can respond properly to abnormal inputs and conditions.

Methods used to perform this verification are technically correct and complete for the specified programmable logic integrity level.

E Standard 1012-2004 (IEEE, 2004a), Standard for Software Verification and Validation, tion 4, provides guidance on selection of criticality levels for software based on its intended and application. The software and hardware developed for the TRPS and ESFAS are sified as Software Integrity Level 2. The vendor Project Verification and Validation Plan for TRPS and ESFAS system development was tailored and adapted for FPGA technology from guidance in IEEE Standard 1012-2004 (IEEE, 2004a). The V&V activities for the TRPS and FAS are commensurate with the expectations for a Software Integrity Level 2 classification.

V&V activities are performed using an internal verification and validation team from within design organization as defined in IEEE Standard 1012-2004 (IEEE, 2004a), Annex C.4.4. It is ommended, but not required, that the personnel performing the V&V activities are not the e personnel involved directly in the design. The V&V team is independent of the design team both teams in the same reporting structure. This organization structure was selected taking NE Medical Technologies 7.2-16 Rev. 0

the lifecycle phases described in IEEE Standard 1012-2004 (IEEE, 2004a), the lifecycle ses applicable to the vendor work scope are the management and development phases. The V development phase activities follow the TRPS and ESFAS development lifecycle as cribed in Subsection 7.2.6.2.

V&V team is responsible for determining the extent to which a V&V task is repeated when its t or procedure is changed. Design changes are subject to design control measures mensurate with those applied to the original design per the vendor system design control cedure.

V personnel review each design output at the end of its life cycle phase, prior to approving the verable. Revision control is performed in accordance with the TRPS and ESFAS Project figuration Management Plan.

a and document reviews are performed in accordance with the vendor verification process cedure and testing activities are performed in accordance with the vendor test control cedure.

TRPS and ESFAS requirements traceability matrices are used to generate comprehensive dation test procedure(s) that ensure that each requirement is adequately tested and meets TRPS and ESFAS requirements. Test procedure(s) are generated by V&V personnel.

6.5.1 Management Phase V&V V&V effort performs the following V&V tasks for management of V&V:

Project Verification and Validation Plan Generation

Baseline Change Assessment

Management Review of V&V

Management and Technical Review Support

Interface with Organizational and Supporting Processes 6.5.2 Planning Phase V&V ification of the programmable logic planning process is conducted to ensure that the project s and procedures comply with the requirements and guidelines of the development dards and regulatory requirements, and that means are provided to execute the plans.

objectives of the planning phase verification are to:

Determine that the V&V methods enable the objectives of the development standards and regulatory guidelines.

Verify that the development processes can be applied consistently.

Verify that each development process produces evidence that its outputs can be traced to their activity and inputs, showing the degree of independence of the activity, the environment, and the methods used.

NE Medical Technologies 7.2-17 Rev. 0

requirements phase reviews and analysis activities detect and report requirements errors may have been introduced during the requirements process. These reviews and analysis vities confirm that the programmable logic requirements satisfy the following objectives:

Compliance with system requirements

Accuracy and consistency

Compatibility with the target hardware

Testability

Conformance to applicable standards and procedures

Traceability 6.5.4 Design Phase V&V design phase review and analysis activities detect and report design errors that may have n introduced during the programmable logic design process. These reviews and analysis vities confirm that the programmable logic design satisfies the following objectives:

Compliance with programmable logic requirements

Accuracy and consistency

Compatibility with the target hardware

Testability

Conformance to applicable standards and procedures

Traceability ification of the design can be divided into two types: functional verification and timing fication. Functional verification only considers whether the logic functions of the design meet requirements and can be done by simulation or formal proof. Timing verification considers ther the design meets the timing constraints and can be performed using dynamic timing ulation or static timing analysis.

te-box testing techniques are used for analyzing application programmable logic during fication activities.

6.5.5 Implementation Phase V&V implementation phase review and analysis activities detect and report errors that may have n introduced during the coding process. Primary concerns include correctness of the code respect to programmable logic requirements, design, and conformance to coding standards.

se reviews and analysis are confined to the code and confirm that the code satisfies these ctives:

Compliance with programmable logic design

Compliance with the programmable logic architecture

Testability

Conformance to standards

Traceability

Accuracy and consistency NE Medical Technologies 7.2-18 Rev. 0

requirements and can be done by simulation or formal proof. Timing verification considers ther the design meets the timing constraints and can be performed using dynamic timing ulation or static timing analysis.

te-box testing techniques are used for analyzing application programmable logic during fication activities.

6.5.6 Test Phase V&V purpose of the test phase V&V is to uncover errors that may have been introduced during development processes. Testing objectives include the development and execution of test es and procedures to verify the following:

Code complies with the PLRS

Code complies with the PLDS

Code is robust

Code complies with the target hardware ck-box testing techniques are used to execute functional checks on the system components ng system testing.

6.6 Configuration Management 6.6.1 Development Phase Configuration Management figuration management of the development of safety-related control systems has been gated to the vendor and is applied to data and documentation used to produce, verify, test, show compliance with the programmable logic used in the TRPS and ESFAS. The grammable logic configuration management process is described in this subsection.

figuration identification is the first activity of configuration management. Configuration tification identifies items to be controlled, establishes identification schemes for the items their versions, and establishes the tools and methods to be used in acquiring and managing trolled items. Configuration identification provides a starting point for other configuration nagement activities. Configuration identification provides the ability to:

Identify the components of the system throughout the development process, and

Trace between the programmable logic and its development process data.

h configuration item is uniquely identified. The identification method includes a naming vention with version numbers or letters. The configuration identification facilitates storage, eval, tracking, reproduction, and distribution of configuration items. The following figuration items are identified and are placed under configuration management:

Design input documents

Design output documents

System requirements specifications

System design specifications NE Medical Technologies 7.2-19 Rev. 0

Programmable logic requirements models

Programmable logic design models

Programmable logic hardware description language code

Verification and validation data and documents

Programmable logic development environment

Change requests including customer deviation / exception requests and interim change notices

Third-party vendor supplied documents

Third-party vendor supplied software TRPS and ESFAS vendor Configuration Management Plan specifies a numbering scheme project data and documents.

integrated development environment (IDE) tool is used to store and manage configuration

s. Configuration items such as data, requirements, models, code files, reports, and tests are ed and placed under source control in the IDE tool. The IDE tool is used to perform the wing configuration management activities:

Review changes in modified files

Run impact analysis

Run project integrity checks

Commit modified files into source control

Discard modifications made to committed files

Retrieve configuration items from source control

Revert to a previous version of a file

View and report configuration item source control information figuration baselines are established at various points in the project. A baseline is the grammable logic and its data at a point in time. The baseline serves as a basis for further elopment. Once a baseline is established, changes can only be made through the change trol process described in the TRPS and ESFAS Configuration Management Plan.

elines are established after each development phase, at the completion of the formal review he V&V team. The following baselines are established:

Requirements Baseline

Design Baseline

Implementation Baseline

Test Baseline elining is performed by committing phase configuration items into source control and listing configuration item in the master configuration list, as specified in the vendor system design trol procedure. The project file contains and manages programmable logic configuration s in one project folder structure allowing committing of all project phase configuration items g one project file in the IDE tool.

aselined configuration item is traceable to the baselined configuration item from which it was eloped.

NE Medical Technologies 7.2-20 Rev. 0

ESFAS requirements traceability matrix.

proposed change to a baselined configuration item is subject to the change control and ew requirements in the TRPS and ESFAS Configuration Management Plan. The change in us is flagged in the IDE tool and the file is baselined after the change control and review uirements are satisfied.

e the configuration item is baselined, only authorized personnel can change the configuration

. Changes to baselined configuration items are planned, documented, approved, and ked in accordance with a change control process.

IDE tool records each change to baselined configuration items, including who made the nge, and can discard changes that have been implemented or revert to any previous baseline r the changed configuration item has been baselined.

archival and retrieval process involves the storage of data so that it can be accessed by horized personnel. Project documents and records are retained and filed in the system gration document package and are stored in dual remote storage locations to preclude loss sed by natural disasters. The archival and retrieval process ensures:

Accuracy and completeness

Protection from unauthorized change

Quality of storage media and protection from disaster

Accuracy of retrieval and duplication grammable logic code load controls include approved load procedures, load verification, and marking verification.

programmable logic development environment includes the tools, methods, procedures, gramming languages, and hardware used to develop, verify, control, and produce the grammable logic. The tools identification data, including version numbers, are listed in the ster Configuration List.

code generation tools version is automatically included in the code files. The tool version d to develop the programmable logic is verified as the version on the master configuration list.

nges to the development environment are subject to change control.

figuration reviews are required for configuration items prior to shipment. The configuration its include both document configuration items and programmable logic components.

figuration status accounting involves recording and reporting information that is needed to ctively manage the programmable logic configuration items development, verification, and dation processes. Reports are generated to inform managers, developers, and SHINE about project status. Configuration status accounting reports provide consistent, reliable, and timely us information that enhances communication, avoids duplication, and prevents repeat takes. The configuration status accounting reports provide the following information:

NE Medical Technologies 7.2-21 Rev. 0

Status of released data and files

List of baselined contents and differences from previous baseline figuration status accounting reports include the master configuration list, model development orts, and change request and test anomaly reports.

master configuration list identifies hardware part numbers and the programmable logic code ociated with the hardware. Before loading the code onto the hardware, the identification of the grammable logic code and the hardware is performed to ensure compatibility.

commercial off-the-shelf (COTS) vendor supplied documents or software are edited by the ty-related control system vendor project team. The document versions and software versions recorded upon receipt in the master configuration list and should not change. Therefore, her configuration change procedures nor baselining apply to COTS documents or software.

urchase order issued by the safety-related control system vendor to a third-party vendor for a TS program or technical calculations typically contains:

a description of the major components of the software design, as they relate to the software requirements,

a technical description of the software with respect to the theoretical basis, mathematical model, control flow, data flow, control logic and data structure,

a description of the allowable or prescribed ranges for inputs and outputs, and

the design described in a manner that can be translated into code.

purchase order requires the vendor to provide a software design description and evidence of fication and validation.

third-party vendor software and documentation are verified for sufficiency such that a person is technically qualified in the subject is able to understand the third-party vendor deliverables verify the adequacy of the results without recourse to the originator.

6.6.2 Post-Installation Phase Configuration Management figuration management of any post-installation changes or modifications required to the ty-related control systems has been delegated to the vendor. Processes equivalent to those d for initial development, described in Subsection 7.2.6.6.1, are followed. SHINE maintains rsight of the vendor, authorization of changes, control of the scope of changes, and luation of the change against the requirements of the SHINE facility license.

6.7 Independent Testing elopment, review, and release of V&V generated test documents and execution of tests is ormed by the vendor in accordance with the TRPS and ESFAS Test Plan and Verification Validation Plan. V&V personnel are responsible for hardware and software test setup.

NE Medical Technologies 7.2-22 Rev. 0

Test plan development

Pre-Factory Acceptance Test (FAT) procedures development

FAT procedures development

TRPS and ESFAS requirements traceability matrix update

Test equipment setup

Pre-FAT test procedures execution

Report pre-FAT results and update FAT documents

FAT procedures execution

Report FAT results

Test phase V&V summary report development test documentation includes the following:

Project test plan

Test procedures

Test scripts and test input stimulus files

Test reports

Test anomaly reports

Test phase summary report ting is performed to ensure satisfactory hardware have been developed in accordance with SyRS. Measurement and test equipment calibration is performed before a testing activity and eable to National Institute of Standards and Technology (NIST) standards. Measures are n to establish that tools, gauges, instruments, and other measuring and testing devices used ctivities affecting quality are properly controlled, calibrated, and adjusted at specified periods aintain accuracy within acceptable limits. Testing activities include both pre-FAT and FAT.

pre-FAT ensures that the FAT procedures are developed properly and the TRPS and FAS protection systems components conform to the SyRS in an operating integrated system ironment. The pre-FAT informally executes the FAT procedures to determine their suitability, ectness, completeness, and efficiency of the test procedures.

FAT validates the system hardware conforms to the system requirements as defined in the S and documented in the TRPS and ESFAS requirements traceability matrix.

FAT is performed on each protection system and includes integration tests and system tests.

nsists of a documented series of inspections, power-on tests, and calibration verification s to confirm that the system hardware conforms to the approved requirements and design uments and is in overall proper working order. It also verifies that the test configuration is ect and the required test equipment is properly calibrated.

FAT integration test cases and procedures perform the following:

Test programmable logic interfaces and basic programmable logic operations, and

Test interface characteristics defined in the requirements specifications and design description such as protocols, sequences, and timing.

NE Medical Technologies 7.2-23 Rev. 0

Test system functions as defined in the SyRS

Test voting functions

Test trip or protective outputs

Test system operation in all modes as defined in the SyRS mal and robustness test cases are prepared in the test procedures to demonstrate that ign outputs conform to requirements.

acceptance criteria for each testable requirement are specified in the applicable test case.

acceptance criteria are specified by either qualitative (pass/fail) or quantitative (numerical) eptance criteria. When an acceptance criterion is numerical, the minimum and maximum es are specified.

testable attribute that does not meet the stated acceptance criteria is documented on a Test maly Report. This includes both programmable logic anomalies and hardware deficiencies.

Test Anomaly Report identifies the resolution of the stated problem and describes any sting requirements.

results of the FAT are summarized in the FAT summary report and are incorporated into a arate test phase summary report, which is generated at the end of the test phase. The FAT mary report also incorporates other reports including test anomaly reports (used to ument deficiencies found during testing) and change requests as attachments.

FAT summary report documents the review of the test results with the following criteria:

1. Complete: Test cases and steps have been executed.

2. Acceptable: Results are within the expected results.

3. Anomalies resolved: Test anomaly reports have been resolved.

4. Changes implemented and tested: Change requests submitted during testing have been performed in accordance with the TRPS and ESFAS Configuration Management Plan and are implemented and tested.

re is no process risk associated with either the TRPS and ESFAS test plan or implementation he related FAT. The FAT is conducted using simulated inputs, using either measurement and equipment generated signals or computer-based test systems. The outputs are not nected to any plant process equipment, but are connected to displays, measurement and test ipment, or computer-based indication and data collection equipment. No equipment is rated outside of design parameters; therefore, there is no expectation of equipment failure.

only risks associated with the TRPS and ESFAS test plan are schedule compliance and sfaction of test acceptance criteria.

6.8 Project Risk Management vendor TRPS and ESFAS Project Management Plan describes the risk management vities for the project. The risk management approach consists of five activities:

1. Risk identification

2. Risk analysis NE Medical Technologies 7.2-24 Rev. 0

5. Risk tracking and control k identification activities occur throughout the project lifecycle. Identified risks are umented in a safety-related control system vendor project risk register, which includes a cription of the risk, areas of concern, likelihood, mitigating actions, and possible sequences. The project risk register may also describe the impacts to stakeholders, umptions, constraints, relationship to other project risks, possible alternatives, as well as acts to the project budget, schedule, or deliverables.

h identified risk is analyzed to determine the type and the extent of the impacts should the situation or event occur. The analysis considers several relevant factors and includes any umptions made, constraints, and sensitivity of the risk item.

k mitigation planning involves developing plans for mitigation and/or contingency actions for a cific risk. The risk mitigation plans address topics such as:

Identification of mitigation and contingency actions for funding, schedule, staff or resources

Identification of actions to be taken to reduce the likelihood or consequences of impact on the project

Determination of the planned response based on a cost/benefit analysis

Assignment of responsibility for each mitigation and contingency action k tracking, monitoring, and control assesses how the project risk profile is changing ughout the project lifecycle, as well the effectiveness of any mitigation/contingency plans that e been executed. When changes to the risk occur, the process to identify, analyze, and plan peated. Existing risk mitigation plans are modified to change the approach if the desired ct is not being achieved.

NE Medical Technologies 7.2-25 Rev. 0

Table 7.2 Design Radiation Environments Location Normal Transient dioisotope production facility (RPF) 1.0E+3 Rad TID, 5 mR/hr 100 mR/hr neral area adiation facility (IF) general area 1.0E+3 Rad TID, 5 mR/hr 50 mR/hr tium purification system (TPS) 50 Rad TID, 0.25 mR/hr 5 mR/hr om, glovebox and exhaust duct adiation unit (IU) cell above the light 1.8E+8 Rad TID, 1E+3 R/hr 1E+3 R/hr ter pool cell near dump tank and flux 1.8E+10 Rad TID, 1E+5 R/hr 1E+5 R/hr tectors (in light water pool) ide the target solution vessel (TSV) 5.4E+8 Rad TID, 3E+3 R/hr 3E+3 R/hr

-gas system (TOGS) instrument box ide the TOGS cell, outside 1.2E+10 Rad TID, 7E+4 R/hr 7E+4 R/hr trument box ide the cooling room 1.8E+4 Rad TID, 100 mR/hr 100 R/hr e: (1) Total integrated dose (TID) is calculated over a 20-year timeframe.

(2) Design radiation environments lower than those listed may be defined for specific locations using additional analysis or localized shielding.

NE Medical Technologies 7.2-26 Rev. 0

Table 7.2 Facility Control Room Design Environmental Parameters Parameter Normal Transient mperature 60ºF to 80ºF 40ºF to 120ºF essure Ambient Ambient 10 percent to 80 percent 10 percent to 95 percent lative Humidity (non-condensing) (non-condensing)

NE Medical Technologies 7.2-27 Rev. 0

Table 7.2 RPF and IF General Area Design Environmental Parameters Parameter Normal Transient mperature 65ºF to 85ºF 40ºF to 120ºF essure Ambient Ambient 10 percent to 80 percent 10 percent to 95 percent lative Humidity (non-condensing) (non-condensing)

NE Medical Technologies 7.2-28 Rev. 0

Table 7.2 IU Cell Interior Design Environmental Parameters Parameter Normal Transient mperature 40ºF to 104ºF 40ºF to 120ºF ssure Ambient 14 psia to 19 psia 10 percent to 100 percent 10 percent to 100 percent ative Humidity (condensing) (condensing)

NE Medical Technologies 7.2-29 Rev. 0

Table 7.2 TOGS Cell Interior Design Environmental Parameters Parameter Normal Transient mperature 40ºF to 104ºF 40ºF to 120ºF ssure Ambient 14 psia to 19 psia 10 percent to 100 percent 10 percent to 100 percent ative Humidity (condensing) (condensing)

NE Medical Technologies 7.2-30 Rev. 0

Table 7.2 Primary Cooling Room Interior Design Environmental Parameters Parameter Normal Transient mperature 40ºF to 120ºF 40ºF to 120ºF essure Ambient Ambient 10 percent to 80 percent 10 percent to 95 percent lative Humidity (non-condensing) (non-condensing)

NE Medical Technologies 7.2-31 Rev. 0

NE Medical Technologies 7.2-32 Rev. 0 NE Medical Technologies 7.2-33 Rev. 0 process integrated control system (PICS) is a nonsafety-related digital control system that orms various functions throughout the SHINE facility. PICS functions include signal ditioning, system controls, interlocks, and monitoring of the process variables and system us.

1 DESIGN CRITERIA le 3.1-1 shows the SHINE design criteria applicable to the PICS. The SHINE design criteria described in Section 3.1.

itional criteria applicable to the PICS are as follows:

1.1 Access Control S Criterion 1 - The PICS design shall incorporate design or administrative controls to vent/limit unauthorized physical and electronic access to critical digital assets (CDAs) during operational phase, including the transition from development to operations. CDAs are defined igital systems and devices that are used to perform or support, among other things, physical urity and access control, safety-related functions, and reactivity control.

1.2 Software Requirements Development S Criterion 2 - A structured process, which is commensurate with the risk associated with its re or malfunction and the potential for the failures challenging safety systems, shall be used eveloping software for the PICS.

S Criterion 3 - The PICS software development life cycle process requirements shall be cribed and documented in appropriate plans which shall address verification and validation V) and configuration control activities.

S Criterion 4 - The configuration control process shall assure that the required PICS dware and software are installed in the appropriate system configuration and ensure that the ect version of the software/firmware is installed in the correct hardware components.

1.3 Fail Safe S Criterion 5 - The PICS shall assume a defined safe state with loss of electrical power to the S.

1.4 Effects of Control System Operation/Failures S Criterion 6 - The PICS shall be designed so that it cannot fail or operate in a mode that ld prevent the target solution vessel (TSV) reactivity protection system (TRPS) or engineered ty features actuation system (ESFAS) from performing their designated functions.

NE Medical Technologies 7.3-1 Rev. 0

S Criterion 7 - Bypasses of PICS interlocks, including provisions for testing, shall be under direct control of a control room operator and shall be indicated on control room displays.

1.6 Surveillance S Criterion 8 - Subsystems of and equipment in the PICS shall be designed to allow testing, bration, and inspection to ensure functionality.

S Criterion 9 - Testing, calibration, and inspections of the PICS shall be sufficient to confirm surveillance test and self-test features address failure detection, self-test capabilities, and ons taken upon failure detection.

2 DESIGN BASIS PICS is designed to allow the operator to perform irradiation cycles, transfer target solution nd from the irradiation unit (IU) as well as through the production facility, and interface with tritium purification system (TPS), supercell, waste handling, and auxiliary systems.

modes of operation for the functions of the PICS that interface with individual IUs correspond he mode of that IU (see Subsection 7.3.3). Portions of the PICS that monitor or control mon or facility-wide systems are not mode-dependent.

PICS control cabinets are located in the non-radiologically controlled areas of the main duction facility and PICS components are in various plant areas with varying environmental ditions. The PICS is designed for the normal environmental and radiological conditions vided in Tables 7.2-1 through 7.2-6.

3 DESCRIPTION PICS is a collection of instrumentation and control equipment located throughout the facility upport monitoring, indication, and control of various systems. Decentralized implementation he PICS functions allows subsets of the system to perform functions independent of each er. A portion of the PICS supports the main control board and operator workstations in the lity control room by receiving operator commands and collecting and transmitting facility rmation to the operators, as described in Section 7.6. A summary of the PICS facility system rfaces is provided in Figure 7.3-1.

3.1 Irradiation Unit Systems PICS is used to monitor parameters and perform manual and automatic actions during each he operational modes of a subcritical assembly system (SCAS):

Mode 0 - Solution Removed: No target solution in the SCAS Mode 1 - Startup: Filling the TSV Mode 2 - Irradiation: Operating mode (neutron driver active)

Mode 3 - Post-Irradiation: TSV dump valves open Mode 4 - Transfer to RPF: Dump tank drain valves open to permit solution transfer NE Medical Technologies 7.3-2 Rev. 0

ling system (PCLS), and the neutron flux detection system (NFDS).

de 0 - Solution Removed ode 0, the PICS provides the capability to control equipment needed to transition an diation unit into Mode 1, including closing the TSV fill valves and dump valves and starting the GS blowers as needed to meet mode transition criteria. The PICS also provides monitoring controls of the common TPS, which is integrated with the modes of operation for each ell.

de 1 - Startup Mode r the operator transitions the IU to Mode 1 using the operating mode input to TRPS, the PICS sed to open the TSV fill valves and operate the vacuum transfer system to add target solution he TSV from the associated TSV hold tank. The PICS also provides a defense-in-depth rlock to prevent the TSV fill valves from opening if one or more TOGS blowers is not running, arate from the TRPS Mode 0 to Mode 1 transition criteria.

TSV is filled incrementally. The TSV fill increment is determined by 1/M calculations. The rator may use the PICS as a check to calculate the next required fill volume based on the calculation. The PICS also provides defense-in-depth time limits and interlocks to control the ximum volumetric step addition during the 1/M fill process to prevent challenging the TRPS Stop actuation function described in Section 7.4.

de 2 - Irradiation en the TSV fill has been completed, PICS is used to close the TSV fill valves to meet Mode 2 sition criteria. The PICS provides an interlock with the source range channel of the NFDS to vent TSV irradiation without sufficient neutron counts on the detectors, and when that missive is met, PICS is used to close the neutron driver breakers to enable the target solution e TSV to be irradiated. The PICS interfaces with the NDAS control system to start or stop the er, and is used to control the introduction of tritium into the NDAS target from the TPS.

ing irradiation, PICS is used to monitor neutron flux levels, concentrations of radiolytic gases erated, NDAS performance parameters, and other parameters associated with the irradiation cess.

de 3 - Post-Irradiation neutron driver breakers are opened by the PICS, ending the irradiation period and satisfying mode transition criteria, allowing the operator to transition from Mode 2 to Mode 3. When sitioning from Mode 2 to Mode 3 during normal operations, the PICS uses the mode sition signal from the TRPS to automatically open the TSV dump valves to drain the target tion to the dump tank. While in Mode 3, the PICS is used to monitor TOGS and SCAS rational parameters while the solution is held for decay.

NE Medical Technologies 7.3-3 Rev. 0

r the operator transitions the IU to Mode 4, the PICS is used to open the TSV dump tank n isolation valve allowing the target solution to be vacuum lifted out of the IU cell, pumped ugh an extraction column, and drained to a target solution hold tank. The PICS is used to ct the flow path for the transfer to the desired extraction cell and to operate the vacuum sfer system (VTS) which accomplishes the lift.

en the solution has been removed from the dump tank, the operator uses PICS to verify that

-high TSV dump tank level is inactive, meeting the Mode 4 to Mode 0 transition criteria.

3.2 Process Systems PICS provides the automated and manual control of systems used to prepare target tion, transfer target solution between locations within the facility, extract and purify isotopes terest, and manage radioactive waste.

get Solution Preparation get solution preparation activities are performed by the target solution preparation system PS) and uranium receipt and storage system (URSS) and are described in more detail in tion 4b.4. PICS provides monitoring and alarming functions for parameters associated with TSPS preparation and dissolution tanks, including alarms to alert the operators of potential rflow of the TSPS dissolution tank into the TSPS glovebox. PICS is also used to monitor ameters and provide alarms associated with TSPS and URSS glovebox operation.

get Solution Transfer get solution transfer activities occur throughout the facility in order to remove irradiated tion from the TSV dump tank, extract isotopes, and return target solution to an IU. These vities are accomplished by the VTS and target solution staging system (TSSS), described in e detail in Sections 9b.2 and 4b.4, respectively. PICS provides level information associated VTS and TSSS process tanks and position indication information for process control valves acilitate automatic and manual control of solution transfers between tanks.

ope Extraction and Purification ope extraction and purification activities are performed by the molybdenum extraction and fication system (MEPS), molybdenum isotope product packaging system (MIPS), and iodine xenon purification and packaging (IXP) system, which are described in Section 4b.3. The S is used to transfer irradiated target solution from the TSV dump tank to the extraction cess, as described above. The PICS is also used to monitor parameters associated with the action and purification processes, including reagent additions and tank levels. Process tem control valves are operated by the PICS.

ioactive Liquid Drains ins from vaults, trenches, and other areas where uranium-bearing solutions may be present part of the radioactive drain system (RDS), described in Subsection 9b.7.2. PICS is used to NE Medical Technologies 7.3-4 Rev. 0

ioactive Liquid Waste ioactive liquid waste is stored in the radioactive liquid waste storage system (RLWS) and obilized in the radioactive liquid waste immobilization system (RLWI). These systems are cribed in detail in Section 9b.7. The PICS is used to monitor tank levels and temperatures, trol the operation of system valves, and provide functionality to support administrative trols related to the transfer of radioactive liquid waste between tanks using the VTS.

S is also used to support the RLWI process by providing control of RLWI pumps and trolling the waste drum operation through the waste solidification skid, including drum fill and ing operations.

3.3 Other Facility Systems PICS provides the automated control and operator interface to manually control aspects of facility auxiliary and electrical systems.

ctrical PICS is used to monitor and provide alarms for parameters related to the facility electrical tems, including the uninterruptible electrical power supply system (UPSS), the normal trical power supply system (NPSS), and the standby generator system (SGS). The PICS provides the manual ability to open or close motorized breakers. Electrical systems are ussed in Chapter 8.

PICS remains operational upon a loss of off-site power for a minimum of 10 minutes (see section 7.3.4). The PICS provides automatic and manual control of the SGS, including the omatic function to start and load the SGS after a loss of off-site power event.

PICS also provides the automatic function of disconnecting the on-site electric power tems from the utility on loss of phase, phase reversal, undervoltage, and overvoltage.

tilation, Heating and Cooling ility heating, ventilation, and air conditioning (HVAC) systems are described in Section 9a2.1 facility cooling systems are described in Chapter 5. The PICS is used to interface with the n production facility ventilation local digital control systems to operate the supply, exhaust, recirculation systems in normal operating modes. The PICS monitors temperatures and rential pressure on ventilation systems, and other operational parameters related to the oisotope process facility cooling system (RPCS), facility heating water system (FHWS), and lity chilled water system (FCHS).

ance of Plant PICS provides select monitoring and control capabilities for other balance of plant systems e main production facility, including, but not limited to, the facility nitrogen handling system HS) and the facility demineralized water system (FDWS).

NE Medical Technologies 7.3-5 Rev. 0

PICS contains a seismic monitoring system, which includes instrumentation, control inets, and a dedicated computer for monitoring seismic activity in the safety-related portion of facility. The seismic monitoring system provides event recording time histories for seismic nts and provides indication of a seismic event to the PICS for alarm in the facility control

m. Data may be retrieved from the seismic monitoring system by either the dedicated puter or via the operator workstation in the facility control room.

3.4 Safety-Related Control and Indication Systems PICS contains no safety-related controls and has no safety-related functions, however, the ty-related TRPS, ESFAS, NFDS and safety-related radiation monitors provide nonsafety-ted system status and measured process variable values to the PICS for viewing, recording, trending. The PICS is also used to transmit discrete hardwired signals to the TRPS and FAS for deliberate operator action to return the TRPS or ESFAS to a normal operating state.

4 OPERATION AND PERFORMANCE PICS is designed to operate under normal facility conditions and anticipated transients to ure adequate safety for the facility.

design of the PICS allows operators to remove main control board or operator workstation lays from service without impacting the operation of the remaining portions of the PICS.

PICS includes local battery supplies sufficient to allow the PICS to continue to operate for at t 10 minutes after a loss of external power. The 10-minute design supports starting and ing the defense-in-depth SGS within five minutes following a loss of off-site power event (see tion 8a2.2).

mponents controlled by the PICS assume a defined safe state on loss of electrical power.

5 ACCESS CONTROL AND CYBER SECURITY PICS does not use the secure development and operating environment implemented for the ty-related control systems described in Section 7.2.5, but rather incorporates features mensurate with the risk and magnitude of the harm that would result from unauthorized and propriate access, use disclosure, disruption, or destruction of this nonsafety-related control tem.

PICS does not allow remote access. Remote access is defined as the ability to access the ponents of the operator workstations, main control board, PICS display cabinet, and other S controllers and cabinets from a location with less physical security.

PICS includes the capability to disable, through software or physical disconnection, eeded networks, communication ports and removable media drives or provide engineered iers.

PICS does not use any wireless interface capabilities for control functions.

NE Medical Technologies 7.3-6 Rev. 0

site sources.

6 SOFTWARE DEVELOPMENT PICS is developed under a structured process commensurate with the risk associated with ailure or malfunction. The process includes the definition of functional requirements, a umented development and implementation process, and a plan for verification of software puts.

7 TECHNICAL SPECIFICATIONS tain material in this section provides information that is used in the technical specifications.

includes limiting conditions for operation, setpoints, design features, and means for omplishing surveillances. In addition, significant material is also applicable to, and may be renced by, the bases that are described in the technical specifications.

NE Medical Technologies 7.3-7 Rev. 0

Process Integrated Control System (PICS)

TRPS IF Process Systems ESFAS RPF Process Systems PICS Equipment Outside of Facility Control Room NFDS Auxiliary Systems Other I&C Electrical Systems Systems TRPS Main Control Board and Operator Workstations ESFAS NE Medical Technologies 7.3-8 Rev. 0

1 SYSTEM DESCRIPTION target solution vessel (TSV) reactivity protection system (TRPS) performs various design is safety functions for accelerator-based irradiation processes taking place within each diation unit (IU) cell of the SHINE production facility. While operating, the TRPS performs ous detection, logic processing, control, and actuation functions associated with the SHINE diation process. The TRPS includes input/output capabilities necessary to interface with ous indications and control components located within the facility control room. The TRPS provides nonsafety-related system status and measured process variable values to the lity process integrated control system (PICS) for viewing, recording, and trending.

TRPS monitors variables important to the safety functions of the irradiation process during h operating mode of the IU to perform one or more of the following safety functions:

IU Cell Safety Actuation

IU Cell Nitrogen Purge

Driver Dropout TRPS also performs the nonsafety defense-in-depth Fill Stop function.

TRPS monitors the IU cell from filling of the TSV through irradiation of the target solution, ping of the target solution, and transfer of the target solution to the radioisotope production lity (RPF). All advances to the modes of operation throughout the irradiation process are nually initiated by the operator and the TRPS implements the required mode-specific system rlocks and bypasses; however, the TRPS does not automatically determine the mode of ration. If at any point during the irradiation process a monitored variable indicating unsafe ditions exceeds its setpoint, the TRPS automatically places the IU into a safe state. The PS logic diagrams are shown in Figure 7.4-1.

TRPS uses redundant and independent sensors through three divisions to complete the cal decisions necessary to initiate the required protective trips and actuations. When a TRPS t channel exceeds a predetermined limit, the trip determinations from each division of the PS are sent to voting logic where a two-out-of-three coincident logic vote is performed to ate a trip or actuation. The general architecture of the TRPS is shown in Figure 7.1-2.

en a TRPS output is in its normal, energized state, it does not control the position of the ation component. Instead, the TRPS and the PICS are arranged in a series configuration for PICS to control the component normally, and deenergizing the output of the TRPS forces the ponent to its safe state via the physical design of the valve or breaker. The only exception to control configuration is for the nitrogen purge system inerting gas valves and the radiological tilation IU cell dampers. For these components, the TRPS assumes normal control, and PICS has control of the component when appropriate permissives are active.

2 DESIGN CRITERIA SHINE design criteria are described in Section 3.1. Table 3.1-1 shows the SHINE design ria applicable to the TRPS. Additional system-specific design criteria for the TRPS are cribed in this section.

NE Medical Technologies 7.4-1 Rev. 0

PS Criterion 1 - The TRPS shall require a key or combination authentication input at the trol console to prevent unauthorized use of the TRPS.

PS Criterion 2 - Developmental phases for TRPS software shall address the potential cyber urity vulnerabilities (physical and electronic) to prevent unauthorized physical and electronic ess.

PS Criterion 3 - The TRPS design shall incorporate design or administrative controls to vent/limit unauthorized physical and electronic access to critical digital assets (CDAs) during operational phase, including the transition from development to operations. CDAs are defined igital systems and devices that are used to perform or support, among other things, physical urity and access control, safety-related functions, and reactivity control.

2.2 Software Requirements Development PS Criterion 4 - The functional characteristics of the TRPS software requirements cifications shall be properly and precisely described for each software requirement.

PS Criterion 5 - Development of TRPS software shall follow a formally defined life cycle cess and address potential security vulnerabilities in each phase of the life cycle.

PS Criterion 6 - TRPS development life cycle phase-specific security requirements shall be mensurate with the risk and magnitude of the harm that would result from unauthorized and propriate access, use, disclosure, disruption, or destruction of the TRPS.

PS Criterion 7 - TRPS software development life cycle process requirements shall be cribed and documented in appropriate plans which shall address safety analysis, verification validation (V&V), and configuration control activities.

PS Criterion 8 - Tasks for validating and verifying the TRPS software development activities ll be carried out in their entirety. Independent V&V shall be performed by individuals or ups with appropriate technical competence in an organization separate from the development program management organizations. Successful completion of V&V tasks for each software cycle activity group shall be documented.

PS Criterion 9 - The TRPS software life cycle configuration control program shall trace ware development from software requirement specification to implementation and address impacts on TRPS safety, control console, or display instruments.

PS Criterion 10 - The TRPS configuration control program shall assure that the required PS hardware and software are installed in the appropriate system configuration and ensure the correct version of the software/firmware is installed in the correct hardware components.

PS Criterion 11 - Validation testing shall test all portions of TRPS programmable logic essary to accomplish its safety functions and shall exercise those portions whose operation ailure could impair safety functions during testing.

NE Medical Technologies 7.4-2 Rev. 0

PS Criterion 13 - TRPS equipment not designed under SHINE approved quality assurance

) program shall be accepted under the SHINE commercial-grade dedication program.

2.3 General Instrumentation and Control Requirements PS Criterion 14 - The TRPS safety function shall perform and remain functional during normal ration and during and following a design basis event.

PS Criterion 15 - Manual controls of TRPS actuation components shall be implemented nstream of the digital I&C portions of the safety system.

2.4 Single Failure PS Criterion 16 - The TRPS shall be designed to perform its protective functions after eriencing a single random active failure in nonsafety control systems or in the TRPS, and h failure shall not prevent the TRPS from performing its intended functions or prevent safe tdown of an IU cell.

PS Criterion 17 - The TRPS shall be designed such that no single failure can cause the re of more than one redundant component.

2.5 Independence PS Criterion 18 - Interconnections among TRPS safety divisions shall not adversely affect the tions of the TRPS.

PS Criterion 19 - A logical or software malfunction of any interfacing non-safety systems shall affect the functions of the TRPS.

PS Criterion 20 - The TRPS shall be designed with physical, electrical, and communications pendence of the TRPS both between the TRPS channels and between the TRPS and safety-related systems to ensure that the safety functions required during and following any ign basis event can be accomplished.

PS Criterion 21 - Physical separation and electrical isolation shall be used to maintain the pendence of TRPS circuits and equipment among redundant safety divisions or with safety systems so that the safety functions required during and following any design basis nt can be accomplished.

PS Criterion 22 - The TRPS shall be designed such that no communication - within a single ty channel, between safety channels, and between safety and nonsafety systems -

ersely affects the performance of required safety functions.

PS Criterion 23 - TRPS data communications protocols shall meet the performance uirements of all supported systems.

PS Criterion 24 - The timing of TRPS data communications shall be deterministic.

NE Medical Technologies 7.4-3 Rev. 0

lementations themselves were constructed using a formal design process that ensures sistency between the product and the validated specification.

PS Criterion 26 - The TRPS shall be designed such that no unexpected performance deficits t that could adversely affect the TRPS architecture.

2.6 Prioritization of Functions PS Criterion 27 - TRPS devices that receive signals from safety and nonsafety sources shall ritize the signal from the safety system.

2.7 Fail Safe PS Criterion 28 - The TRPS shall be designed to assume a safe state on loss of electrical er.

2.8 Setpoints PS Criterion 29 - Setpoints for an actuation of the TRPS shall be based on a documented lysis methodology that identifies assumptions and accounts for uncertainties, such as ironmental allowances and measurement computational errors associated with each element e instrument channel. The setpoint analysis parameters and assumptions shall be consistent the safety analysis, system design basis, technical specifications, and facility design, and ected maintenance practices.

PS Criterion 30 - Adequate margin shall exist between setpoints and safety limits so that the PS initiates protective actions before safety limits are exceeded.

PS Criterion 31 - Where it is necessary to provide multiple setpoints for adequate protection ed on particular modes of operation or sets of operating conditions, the TRPS shall provide itive means of ensuring that the more restrictive setpoint is used when required.

PS Criterion 32 - The sensitivity of each TRPS sensor channel shall be commensurate with precision and accuracy to which knowledge of the variable measured is required for the ective function.

2.9 Operational Bypass, Permissives and Interlocks PS Criterion 33 - Permissive conditions for each TRPS operating or maintenance bypass ability shall be documented.

PS Criterion 34 - TRPS interlocks shall ensure that operator actions cannot defeat an omatic safety function during any operating condition where that safety function may be uired.

PS Criterion 35 - TRPS provisions shall exist to prevent activation of an operating bypass ss applicable permissive conditions exist.

NE Medical Technologies 7.4-4 Rev. 0

PS Criterion 37 - If provisions for maintenance or operating bypasses are provided, the TRPS ign shall retain the capability to accomplish its safety function while a bypass is in effect.

PS Criterion 38 - Whenever permissive conditions for bypassing a train or channel in the PS are not met, a feature in the TRPS shall physically prevent or facilitate administrative trols to prevent the unauthorized use of bypasses.

PS Criterion 39 - All TRPS operating bypasses, either manually or automatically initiated, ll be automatically removed when the facility moves to an operating regime where the ective action would be required if an accident occurred.

PS Criterion 40 - If operating conditions change so that an active operating bypass is no er permissible, the TRPS shall automatically accomplish one of the following actions:

Remove the appropriate active operating bypass(es).

Restore conditions so that permissive conditions once again exist.

Initiate the appropriate safety function(s).

PS Criterion 41 - Portions of TRPS execute features with a degree of redundancy of one shall designed so that when a portion is placed in maintenance bypass (i.e., reducing temporarily egree of redundancy to zero), the remaining portions provide acceptable reliability.

PS Criterion 42 - Provisions shall exist to allow the operations staff to confirm that a bypassed PS safety function has been properly returned to service.

2.10 Completion of Protective Actions PS Criterion 43 - The TRPS design shall ensure that once initiated, the safety actions will tinue until the protective function is completed.

PS Criterion 44 - Only deliberate operator action shall be permitted to reset the TRPS or its ponents following manual or automatic actuation.

PS Criterion 45 - Mechanisms for deliberate operator intervention in the TRPS status or its tions shall not be capable of preventing the initiation of TRPS.

2.11 Equipment Qualification PS Criterion 46 - The effects of electromagnetic interference/radio-frequency interference I/RFI) and power surges (such as high-energy faults and lightning) on the TRPS, including programmable gate array (FPGA)-based digital portions, shall be adequately addressed.

2.12 Surveillance PS Criterion 47 - Equipment in the TRPS (from the input circuitry to output actuation circuitry) ll be designed to allow testing, calibration, and inspection to ensure operability. If testing is NE Medical Technologies 7.4-5 Rev. 0

PS Criterion 48 - Testing, calibration, and inspections of the TRPS shall be sufficient to show once performed, they confirm that surveillance test and self-test features address failure ection, self-test features, and actions taken upon failure detection.

PS Criterion 49 - The design of the TRPS and the justification for test intervals shall be sistent with the surveillance testing intervals as part of the facility technical specifications.

2.13 Classification and Identification PS Criterion 50 - TRPS equipment shall be distinctly identified to indicate its safety sification and to associate equipment according to divisional or channel assignments.

2.14 Human Factors PS Criterion 51 - Human factors shall be considered at the initial stages and throughout the PS design process to ensure that the functions allocated in whole or in part to the operator(s) be successfully accomplished to meet TRPS design goals.

PS Criterion 52 - The TRPS shall include readily available means for manual initiation of each ective function at the system level.

PS Criterion 53 - The TRPS shall be designed to provide the information necessary to port annunciation of the channel initiating a protective action to the operator and requiring nual operator reset when all conditions to resume operation are met and satisfied.

2.15 Quality PS Criterion 54 - The quality of the components and modules in the TRPS shall be mensurate with the importance of the safety function to be performed.

PS Criterion 55 - Controls over the design, fabrication, installation, and modification of the PS shall conform to the guidance of ANSI/ANS 15.8-1995, Quality Assurance Program uirements for Research Reactors (ANSI/ANS, 1995), as endorsed by Regulatory Guide 2.5, lity Assurance Program Requirements for Research and Test Reactors (USNRC, 2010).

3 DESIGN BASIS TRPS is used to initiate protective actions of the IU in response to monitored variables eeding predetermined limits. Modes of operation are used within the TRPS to set interlocks he applicable variables for each operating mode in the IU and to create permissives for wing the operator to perform certain actions with the safety-related TRPS components.

3.1 Mode Transition perating modes are described in Subsection 7.3.3.1.

NE Medical Technologies 7.4-6 Rev. 0

rating permissive. Before an operator is able to transition to a different mode, the transition ria conditions must be met. Figure 7.4-2 shows a state diagram of the mode transitions.

de 0 to Mode 1 Transition Criteria TRPS permissives prevent transitioning from Mode 0 to Mode 1 until the TSV dump valves TSV fill isolation valves have been confirmed to be closed and TSV off-gas system (TOGS) nstream flow is at or above the low flow limit. Normal control of actuation component itions when going from Mode 0 to Mode 1 is manual and independent from TRPS mode sition.

de 0 to Mode 3 Transition Criteria nsition from Mode 0 to Mode 3 is initiated automatically by TRPS or manually by an operator manual actuation or the facility master operating permissive. Initiation of this transition erates an IU Cell Safety Actuation.

de 1 to Mode 2 Transition Criteria TRPS permissives prevent transitioning from Mode 1 to Mode 2 until the TSV fill isolation es indicate fully closed and the [

]PROP/ECI. Normal control of actuation ponent positions when going from Mode 1 to Mode 2 is manual and independent from TRPS de transition.

de 1 to Mode 3 Transition Criteria nsition from Mode 1 to Mode 3 is initiated automatically by TRPS or manually by an operator manual actuation or the facility master operating permissive. Initiation of this transition erates IU Cell Safety Actuation.

de 2 to Mode 3 Transition Criteria TRPS permissives prevent transitioning from Mode 2 to Mode 3 until the neutron driver embly system (NDAS) high voltage power supply (HVPS) breakers have been confirmed ned. Normal control of the HVPS breakers from closed to open is manual and independent TRPS mode transition. Normal transition of the dump valves to the open position is omated by PICS upon receipt of a mode transition signal from TRPS to PICS signifying that TRPS has entered Mode 3.

nsition from Mode 2 to Mode 3 may also be initiated automatically by TRPS or manually by an rator via manual actuation or the facility master operating permissive. Initiation of this sition generates an IU Cell Safety Actuation.

NE Medical Technologies 7.4-7 Rev. 0

nsition of the TRPS from Mode 3 to Mode 4 is prevented if an automated IU Cell Safety uation is present. Normal control of actuation components is manual and independent from PS mode transition.

de 3 to Secure State Transition Criteria nsition from Mode 3 to the secure state is initiated manually by an operator via disengaging facility master operating permissive. While operating in the secure state, transition to another de of operation is not allowed.

de 4 to Mode 0 Transition Criteria TRPS permissives prevent the transition from Mode 4 to Mode 0 until the TSV dump tank l is below the low-high dump tank level setpoint. There is no requirement for normal control of actuation components to transition from Mode 4 to Mode 0.

de 4 to Mode 3 Transition Criteria nsition from Mode 4 to Mode 3 is initiated automatically by TRPS or manually by an operator manual actuation or the facility master operating permissive. Initiation of this transition erates an IU Cell Safety Actuation.

ure State to Mode 3 Transition Criteria nsition from the secure state to Mode 3 is initiated manually by an operator via engaging the lity master operating permissive. Initiation of this transition permits a transition to another de of operation.

3.2 Safety Functions 3.2.1 IU Cell Safety Actuation IU Cell Safety Actuation is initiated in response to high neutron flux levels or when other cess variables indicate abnormal conditions. An IU Cell Safety Actuation shuts down the diation process and isolates the primary system boundary and primary confinement ndary.

U Cell Safety Actuation causes a transition of the TRPS to Mode 3 operation, isolation of the ary system boundary, and isolation of the primary confinement boundary via transition of h of the following components to their deenergized state.

de 3 Transition Components

TSV dump valves

NDAS HVPS breakers NE Medical Technologies 7.4-8 Rev. 0

TSV fill isolation valves

TSV dump tank drain isolation valve

TOGS gas supply isolation valves

TOGS vacuum tank isolation valves mary Confinement Boundary Components

Primary closed loop cooling system (PCLS) isolation valves

ATIS deuterium supply line isolation valves

ATIS tritium supply line isolation valves

ATIS mixed-gas return line isolation valves

ATIS evacuation line isolation valves

Radiological ventilation zone 1 exhaust subsystem (RVZ1e) IU cell ventilation dampers

TOGS radioisotope process facility cooling system (RPCS) supply isolation valves

TOGS RPCS return isolation valve

Radiological ventilation zone 1 recirculation subsystem (RVZ1r) RPCS supply isolation valve

RVZ1r RPCS return isolation valve TRPS initiates an IU Cell Safety Actuation based on the following variables:

High source range neutron flux signal

High wide range neutron flux

High time-averaged neutron flux

High RVZ1e IU cell radiation

Low TOGS oxygen concentration

Low TOGS mainstream flow (Train A)

Low TOGS mainstream flow (Train B)

Low TOGS dump tank flow

High TOGS condenser demister outlet temperature (Train A)

High TOGS condenser demister outlet temperature (Train B)

Low PCLS flow (180 second delay)

High PCLS temperature (180 second delay)

Low PCLS temperature

High ATIS mixed-gas return line pressure

Low-high TSV dump tank level signal

High-high TSV dump tank level signal

TSV fill isolation valves not fully closed

Facility master operating permissive 3.2.2 IU Cell Nitrogen Purge IU Cell Nitrogen Purge is initiated when monitored variables indicate a loss of hydrogen ombination capability in the IU. An IU Cell Nitrogen Purge results in purging the primary tem boundary with nitrogen.

IU Cell Nitrogen Purge consists of an automatically or manually initiated transition of each of following components to their deenergized state and providing a signal to the engineered NE Medical Technologies 7.4-9 Rev. 0

Nitrogen purge system (N2PS) inerting gas isolation valves

TOGS nitrogen vent isolation valves

TOGS RPCS supply isolation valves

TOGS RPCS return isolation valve TRPS initiates an IU Cell Nitrogen Purge based on the following variables:

Low-high TSV dump tank level

High-high TSV dump tank level

Low TOGS oxygen concentration

Low TOGS mainstream flow (Train A)

Low TOGS mainstream flow (Train B)

Low TOGS dump tank flow

High TOGS upstream condenser demister outlet temperature (Train A)

High TOGS upstream condenser demister outlet temperature (Train B)

ESFAS loss of external power 3.2.3 Driver Dropout river Dropout responds to monitored variables that indicate a loss of neutron driver output or ss of cooling to allow the SCAS to recover from NDAS or PCLS transients. A Driver Dropout tions differently depending on whether it was initiated based on loss of neutron driver output oss of cooling.

TRPS initiates a Driver Dropout based on:

Low power range neutron flux

Low PCLS flow

High PCLS temperature TRPS initiates a loss of neutron driver Driver Dropout on low power range neutron flux by ning the NDAS HVPS breakers with a timed delay. The breakers are then interlocked open l the [ ]PROP/ECI. This on prevents the neutron driver from restarting in situations when a restart may exceed lyzed conditions for the SCAS. Driver Dropout on low power range neutron flux is bypassed l the power range neutron flux has reached the power range driver dropout permissive. After bypass of Driver Dropout on low power range neutron flux has been removed, it remains oved until a mode transition, the [

]PROP/ECI or both HVPS breakers are open. The TRPS implements a timed y of [ ]PROP/ECI from the time the low power range neutron flux signal is initiated, cating that the neutron flux has exceeded its lower limits, to when the TRPS output to the PS breakers is deenergized. If fewer than two-out-of-three low power range neutron flux ation signals are present before the timer has expired, then the low power range neutron flux r resets. This delay allows the neutron driver to be restarted or to restart automatically within lyzed conditions.

NE Medical Technologies 7.4-10 Rev. 0

ts down the neutron driver to prevent overheating of the target solution, while allowing the et solution to remain within the TSV. The breakers are then interlocked open until the PCLS and temperature are in the allowable range. If PCLS flow and temperature are not in the wable range within 180 seconds, an IU Cell Safety Actuation is initiated, as described in section 7.4.3.2.1.

3.2.4 Fill Stop nonsafety-related Fill Stop function aids in controlling the rate of fill of the TSV. If Fill Stop ameters are not met, then the Fill Stop deenergizes the TSV fill isolation valves blocking the ath into the TSV.

ing Mode 1, after neutron flux detection system (NFDS) source range neutron flux has ched or exceeded 40 percent of the maximum 95 percent fill flux, if the TSV fill isolation valve closed position indication becomes inactive, then a [ ]PROP/ECI timer is initiated. If TSV fill isolation valve fully closed position indication is not active before the end of the

]PROP/ECI duration, then the TRPS initiates a Fill Stop. If the TSV fill isolation valve closed position indication is active prior to the end of the [ ]PROP/ECI duration, then PROP/ECI

[ ] timer resets.

ing Mode 1, after NFDS source range neutron flux has reached or exceeded 40 percent of maximum 95 percent fill flux, if the TSV fill isolation valve fully closed position indication omes active, a 5-minute timer is initiated. If the TSV fill isolation valve fully closed position cation becomes inactive prior to the duration of the 5-minute timer ending, then the TRPS ates a Fill Stop.

Fill Stop parameters ensure that target solution can only be added to the TSV for a imum of [ ]PROP/ECI and that a 5-minute delay occurs between fill steps.

3.3 Target Solution Vessel Reactivity Protection System Monitored Variables le 7.4-1 identifies the specific variables that provide input into the TRPS and includes the rument range for covering normal and accident conditions, the accuracy for each variable, the analytical limit.

3.4 Operating Conditions TRPS control and logic functions are located inside of the facility control room, where the ironment is mild and not exposed to the irradiation process. However, cables providing als to and from the TRPS are routed through the radiologically controlled area (RCA) and the IUs, where those cables are exposed to harsher environments. Many of the sensors viding information to the TRPS are connected to the primary system boundary, so the cable ing to these sensors is exposed to the operating environment of the irradiation process.

ing normal operation, the TRPS equipment will operate in the applicable normal radiation ironments identified in Table 7.2-1 for up to 20 years, replaced at a frequency sufficient such the radiation qualification of the affected components is not exceeded.

NE Medical Technologies 7.4-11 Rev. 0

conditioning (HVAC) systems are relied upon to maintain the temperature and humidity ameters in these areas. The facility HVAC systems are described in Section 9a2.1.

4 DESIGN ATTRIBUTES 4.1 Access Control ess control is detailed in Subsection 7.2.5.

4.2 Software Requirements Development tware requirements development is detailed in Subsection 7.2.6.

4.3 General Instrumentation and Control Design TRPS is powered from the uninterruptible electrical power supply system (UPSS), which vides a reliable source of power to maintain the TRPS functional during normal operation and ng and following a design basis event. The UPSS is designed to provide power to the TRPS wo hours after a loss of off-site power. The UPSS is described in Section 8a2.2.

actuation and priority logic (APL) portions within an equipment interface module (EIM) port the implementation of different actuation methods. The APL is implemented using rete components and is not vulnerable to a software common cause failure (CCF). Having capability for hardwired signals into each EIM supports the capability for additional and rse actuation means from automated actuation. As an example, a division of APL circuits y receive inputs automatically from the programmable logic portion of the TRPS, inputs from nual controls in the facility control room, and input signals from a nonsafety control system.

h the manual controls and nonsafety control system inputs come individually into the APL and downstream of the programmable logic portion of the TRPS architecture as shown in ure 7.1-2.

4.4 Single Failure TRPS consists of three divisions of input processing and trip determination and two divisions ctuation logic (see Figure 7.1-2), arranged such that no single failure can prevent a safety ation when required, and no single failure in a single measurement channel can generate an ecessary safety actuation.

only nonsafety inputs into the TRPS are those from the PICS for control, the discrete mode t, and monitoring and indication only variables. The nonsafety control signals from the PICS implemented through a hardwired parallel interface that requires the PICS to send a binary ress associated to the output state of the EIM along with a mirrored complement address.

mirrored complement address prevents any single incorrectly presented bit from addressing wrong EIM output state. To prevent the PICS from inadvertently presenting a valid address, TRPS contains a safety-related enable nonsafety switch that controls when the hardwired allel interface within the APL is active, thus controlling when the PICS inputs are allowed to s through the input circuitry and for use in the priority logic within the APL. When the enable safety switch is not active, the nonsafety-related control signal is ignored. If the enable NE Medical Technologies 7.4-12 Rev. 0

vides isolation for the nonsafety-related signal path.

discrete mode input has a unique input for each of Division A and Division B. The HWM vides isolation of the signal path into the TRPS. As a discrete input, the three failure modes are addressed are stuck high, stuck low, or oscillating. Because the TRPS only clocks in a mode on the rising edge of the mode input, an input stuck low or high would maintain the PS in the same mode and continue monitoring the variables important to the safe operation of mode. If the mode input began oscillating continuously between a logic high and low, the PS would only allow the mode to change if permissive conditions for the current mode are

. If the permissive conditions place the IU into a state that within the transitioned mode are ide of the predetermined operating limits, then the TRPS would initiate an IU Cell Safety uation and transition to and maintain Mode 3, ignoring any further input from the discrete de input.

h input variable to the TRPS for monitoring and indication only is processed on independent t submodules that are unique to that input. If the variable is not used for a safety function

, no trip determination is performed with the variable), then the variable is not connected to safety data buses and is only placed onto the monitoring and indication bus. The monitoring indication bus is used by the monitoring and indication communication module (MI-CM) out interacting with any of the safety data paths.

4.5 Independence Subsection 7.2.2 for independence applied to the TRPS.

4.6 Prioritization of Functions APL (which is constructed of discrete components and part of the EIM) is designed to vide priority to safety-related signals over nonsafety-related signals. Division A and Division B rity logic of the TRPS prioritizes the following TRPS inputs, with the first input listed having highest priority and each successive input in the list having a lower priority than the previous.

1) Automatic Safety Actuation, Manual Safety Actuation

2) PICS nonsafety control signals 4.7 Fail Safe ety actuations result in deenergizing one or more control outputs, and the controlled ponents are designed such that they go to their safe state when deenergized. On a loss of er to the TRPS, the TRPS deenergizes actuation components to the positions defined below:

de 3 Transition Components

NDAS HVPS breakers

- Open

TSV dump valves

- Open NE Medical Technologies 7.4-13 Rev. 0

TSV fill isolation valves

- Closed

TSV dump tank drain isolation valve

- Closed

TOGS gas supply isolation valves

- Closed

TOGS vacuum tank isolation valves

- Closed mary Confinement Components

N2PS inerting gas isolation valves

- Open

TOGS nitrogen vent isolation valves

- Open

TOGS RPCS supply isolation valves

- Closed

TOGS RPCS return isolation valve

- Closed

RVZ1e IU cell ventilation dampers

- Closed

RVZ1r RPCS supply isolation valve

- Closed

RVZ1r RPCS return isolation valve

- Closed

PCLS isolation valves

- Closed

ATIS deuterium supply line valves

- Closed

ATIS tritium supply line valves

- Closed

ATIS mixed-gas return line valves

- Closed

ATIS evacuation line valves

- Closed 4.8 Setpoints points in the TRPS are based on a documented methodology that identifies each of the umptions and accounts for the uncertainties in each instrument channel. The setpoint hodology is further described in Subsection 7.2.3.

4.9 Operational Bypass, Permissives, and Interlocks ntenance bypasses are described in Subsection 7.1.4.

missive conditions, bypasses, and interlocks are created in each mode of operation specific hat mode to allow the operator to progress the TRPS to the next mode of operation. The PS implements logic associated with each mode of operation to prevent an operator from vating a bypass through changing the IU cell mode out of sequential order. Each mode of NE Medical Technologies 7.4-14 Rev. 0

rams (Figure 7.4-1, Sheet 7) for the transitional sequence of the TRPS. Below are the uired conditions that must be satisfied before a transition to the following mode in the uence can be initiated.

The TRPS shall only transition from Mode 0 to Mode 1 if all TSV dump valve position indications and all TSV fill isolation valve indications indicate valves are fully closed and the TOGS mainstream flow is above the minimum flow rate.

The TRPS shall only transition from Mode 1 to Mode 2 if the TSV fill isolation valve position indications indicate both valves are fully closed and the [

]PROP/ECI.

The TRPS shall only transition from Mode 2 to Mode 3 if all HVPS breaker position indications indicate the breakers are open.

The TRPS shall only transition from Mode 3 to Mode 4 if an IU Cell Safety Actuation is not present.

The TRPS shall only transition from Mode 4 to Mode 0 if the TSV dump tank level is below the low-high TSV dump tank level.

ach mode of operation, the TRPS bypasses different actuation channels when the actuation nnel is not needed for initiation of an IU Cell Safety Actuation, an IU Cell Nitrogen Purge, or er Dropout. The lists below identify each variable that is bypassed during the different modes peration.

ety actuations based on the following instrumentation channels are bypassed in Mode 0:

Low power range neutron flux

Low PCLS temperature

High PCLS temperature

Low PCLS flow

High ATIS mixed-gas return line pressure

Low TOGS mainstream flow

Low TOGS dump tank flow

High TOGS condenser demister outlet temperature

ESFAS loss of external power ety actuations based on the following instrumentation channels are bypassed in Mode 1:

Low power range neutron flux

High ATIS mixed-gas return line pressure

TSV fill isolation valve not fully closed ety actuations and interlocks based on the following instrumentation channels are bypassed ode 2:

High source range neutron flux signal TRPS bypasses Driver Dropout on the low power range neutron flux signal until the power ge neutron flux is above the driver dropout permissive setpoint. The bypass is reapplied if e has been a change in mode of operation, the ATIS mixed-gas return line [

NE Medical Technologies 7.4-15 Rev. 0

en the low power range neutron flux signal becomes active, a timer is started to create a

]PROP/ECI delay before a Driver Dropout is initiated. If fewer than two-out-of-three low er range neutron flux actuation signals are present before the timer has expired, then the low er range neutron flux timer resets.

PCLS flow and high PCLS temperature do not initiate an IU Cell Safety Actuation until after me delay of 180 seconds from the start of the low PCLS flow or high PCLS temperature al. If fewer than two-out-of-three Low PCLS flow or high PCLS temperature signals are sent before the timer has expired, then the 180 second timer resets.

ety actuations and interlocks based on the following instrumentation channels are bypassed ode 3:

High source range neutron flux signal

Low power range neutron flux

High PCLS temperature

Low PCLS temperature

Low PCLS flow

Low-high TSV dump tank level signal

High ATIS mixed-gas return line pressure

TSV fill isolation valve not fully closed TRPS includes the ability for the operator to transition the system from Mode 3 operation to cure state of operation. While in the secure state, an interlock is maintained preventing the PS from transitioning to the next sequential mode. The control key, via use of a facility master rating permissive, is used to place the TRPS into and out of the secure state.

ety actuations and interlocks based on the following instrumentation channels are bypassed ode 4:

High source range neutron flux signal

Low power range neutron flux

High PCLS temperature

Low PCLS temperature

Low PCLS flow

Low-high TSV dump tank level signal

High ATIS mixed-gas return line pressure

TSV fill isolation valve not fully closed en the mode of operation changes, the bypasses are removed from the previous mode where are no longer appropriate. The status of each bypass is provided to the operator through the nitoring and indication bus to the PICS, which allows the operator to confirm that a function been bypassed or returned to service.

manual actuation signals input from the operators in the facility control room are brought ctly into the discrete actuation and priority logic. The manual actuation input into the priority NE Medical Technologies 7.4-16 Rev. 0

4.10 Completion of Protective Actions TRPS is designed so that once initiated, protective actions will continue to completion. Only berate operator action can be taken to reset the TRPS following a protective action.

ure 7.4-1, Sheet 11 and Sheet 12, show how the TRPS latches in a protective action and ntains the state of a protective action until operator input is initiated to reset the output of the PS.

output of the TRPS is designed so that actuation through automatic or manual means of a ty function can only deenergize the output. If there is no signal present from the automatic ty actuation or manual safety actuation, then the output of the EIM remains in its current

e. A safety-related enable nonsafety switch allows a facility operator, after the switch has n brought to enable, to control the output state of the TRPS with a hardwired binary control al from the nonsafety-related controls. The enable nonsafety switch is classified as part of safety system and is used to prevent spurious nonsafety-related control signals from ersely affecting safety-related components. If the enable nonsafety switch is active, and no omatic safety actuation or manual safety actuation signals are present, the operator is able of energizing or deenergizing any EIM outputs using the nonsafety-related hardwired trol signals. If the enable nonsafety switch is not active, the nonsafety-related hardwired trol signals are ignored.

4.11 Equipment Qualification PS rack mounted equipment is installed in a mild operating environment and is designed to et the environmental conditions described in Subsection 7.4.3.4. Rack mounted TRPS ipment is tested to appropriate standards to show that the effects of EMI/RFI and power ges are adequately addressed. Appropriate grounding of the TRPS is performed in ordance with Section 5.2.1 of Institute of Electrical and Electronics Engineers (IEEE) ndard 1050-2004, IEEE Guide for Instrumentation and Control Equipment Grounding in erating Stations (IEEE, 2004b).

4.12 Surveillance TRPS supports calibration and testing to ensure operability as described in section 7.2.4.

4.13 Classification and Identification h division of the TRPS is uniquely labeled and identified in accordance with SHINE tification and classification procedures.

4.14 Human Factors TRPS provides manual safety actuation capability for the IU Cell Safety Actuation, the IU Nitrogen Purge and Driver Dropout. To support the use of manual safety actuations, the PS associated with each IU cell includes isolated outputs for each safety-related instrument nnel to provide monitoring and indication information to the PICS. To facilitate operator NE Medical Technologies 7.4-17 Rev. 0

Indication of TRPS variable values

Indication of TRPS parameter values

Indication of TRPS logic status

Indication of TRPS equipment status

Indication of TRPS actuation device status

Indication of TRPS mode 4.15 Quality following codes and standards are applied to the TRPS design:

1) Section 8 of IEEE Standard 344-2013, IEEE Standard for Seismic Qualification of Equipment for Nuclear Power Generating Stations (IEEE, 2013); invoked as guidance to meet SHINE Design Criterion 2, Natural phenomena hazards.

2) IEEE Standard 379-2000, IEEE Standard Application of Single-Failure Criterion to Nuclear Power Generating Station Safety Systems (IEEE, 2000); invoked to meet SHINE Design Criterion 13, Instrumentation and controls.

3) IEEE Standard 384-2008, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits (IEEE, 2008); invoked for separation of safety-related and nonsafety-related cables and raceways, as described in Subsection 8a2.1.3 and Subsection 8a2.1.5.

4) IEEE Standard 1023-2004, IEEE Recommended Practice for the Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations and Other Nuclear Facilities (IEEE, 2004c); invoked as a guidance to support implementation of human factors into the design of I&C systems.

5) Section 5.2.1 of IEEE Standard 1050-2004, IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations (IEEE, 2004b); invoked as guidance to support electromagnetic compatibility qualification for digital I&C equipment.

6) Regulatory Guide 1.152, Revision 3, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants (USNRC, 2011); invoked to demonstrate secure development and operating environment.

7) The guidance of ANSI/ANS 15.8-1995, Quality Assurance Program Requirements for Research Reactors (R2013) (ANSI/ANS, 1995), as endorsed by Regulatory Guide 2.5, Quality Assurance Program Requirements for Research and Test Reactors (USNRC, 2010), is applied as part of the SHINE Quality Assurance Program for complying with the programmatic requirements of 10 CFR 50.34(b)(6)(ii).

5 OPERATION AND PERFORMANCE 5.1 High Source Range Neutron Flux high source range neutron flux signal protects against an insertion of excess reactivity during filling process. The TRPS bypasses safety actuations based on the high source range tron flux signal when filling activities cannot be in progress (i.e., Mode 2 and Mode 3),

ause the fill isolation valves are closed. The signal is transmitted as a discrete input to the PS from the NFDS through three independent and redundant channels, one for each division NE Medical Technologies 7.4-18 Rev. 0

5.2 Low Power Range Neutron Flux low power range neutron flux signal protects against loss of the neutron beam followed by a art of the neutron beam outside of analyzed conditions. The low power range neutron flux is used during the irradiation process (Mode 2) and is bypassed in the other modes of ration. Safety actuations based on the low power range neutron flux are bypassed until the er range neutron flux has reached the power range driver dropout permissive. Once power ge neutron flux levels have risen above the high setpoint, then the bypass on the low power ge neutron flux is removed. The power range neutron flux is measured as an analog input to TRPS from the NFDS through three independent and redundant channels, one for each sion of TRPS. When two-out-of-three or more low power range neutron flux signals are ve, a timer is started that must run to completion for a Driver Dropout to be initiated. If, while timer is running, less than two-out-of-three low power range neutron flux actuation signals are ve, the timer is reset and the TRPS continues operating under normal conditions.

5.3 High Time-Averaged Neutron Flux high time-averaged neutron flux signal protects against exceeding analyzed TSV power ls. The high time-averaged neutron flux averages the power range neutron flux over a set period. The power range neutron flux is measured as an analog input to the TRPS from the DS through three independent and redundant channels, one for each division of TRPS. When

-out-of-three or more high time-averaged neutron flux signals are active, an IU Cell Safety uation is initiated.

5.4 High Wide Range Neutron Flux wide power range neutron flux signal protects against exceeding solution power density ts. The wide range neutron flux is measured as an analog input to the TRPS from the NFDS ugh three independent and redundant channels, one for each division of TRPS. When two-of-three or more high wide range neutron flux actuation signals are active, an IU Cell Safety uation is initiated.

5.5 High PCLS Temperature high PCLS temperature signal protects against a loss of cooling that could cause target tion heat-up. The PCLS temperature signal is measured with temperature interface on three rent channels, one for each TRPS division. Safety actuations based on high PCLS perature are not bypassed when target solution is present in the TSV (Mode 1 and Mode 2) are bypassed in all other modes. When two-out-of-three or more PCLS temperature inputs eed the allowable limit, a timer is started that must run to completion before initiating an IU Safety Actuation. If, while the timer is running, less than two-out-of-three high PCLS perature signals are active, the timer is reset and the TRPS continues operating under mal conditions. The timer is based on the acceptability of a complete loss of cooling for up to e minutes prior to transferring target solution to the TSV dump tank.

NE Medical Technologies 7.4-19 Rev. 0

low PCLS temperature signal protects against an overcooling of the target solution that ld cause an excess reactivity insertion. The PCLS temperature is measured with temperature rface on three different channels, one for each TRPS division. Safety actuations based on LS temperature are not bypassed during filling and irradiation of the target solution vessel de 1 and Mode 2) and are bypassed in all other modes. When two-out-of-three or more LS temperature inputs drop below the allowable limit an IU Cell Safety Actuation is initiated.

5.7 Low PCLS Flow low PCLS flow signal protects against a loss of cooling that could cause target solution bulk ing. The PCLS flow is measured with an analog interface on three different channels, one for h TRPS division. Safety actuation based on PCLS flow is not bypassed during filling and diation of the TSV (Mode 1 and Mode 2) and is bypassed in all other modes. When two-out-hree or more PCLS flow inputs drop below the allowable limit, a timer is started that must run ompletion before initiating an IU Cell Safety Actuation. If, while the timer is running, less than

-out-of-three low PCLS flow signals are active, the timer is reset and the TRPS continues rating under normal conditions. The timer is based on the acceptability of a complete loss of ling for up to three minutes prior to transferring target solution to the TSV dump tank.

5.8 Low-High TSV Dump Tank Level low-high TSV dump tank level signal protects against a leak of liquid into the TSV dump

, preventing the ability to transfer the entire batch of target solution from the TSV into the dump tank. The low-high TSV dump tank level signal also results in a nitrogen purge of the or an anticipatory loss of TSV dump tank headspace after target solution has been sferred to the TSV dump tank. The low-high TSV dump tank level signal is input as a discrete t from a level switch on three different channels, one for each TRPS division. Safety ations based on the low-high TSV dump tank signal are bypassed during post irradiation n target solution is expected to be in the TSV dump tank (Mode 3 and Mode 4). The low-high dump tank signal is used as a permissive condition to transition operational modes from sferring of the target solution to the RPF (Mode 4) to operating with no target solution in the Mode 0). When two-out-of-three or more low-high TSV dump tank signals are active, an IU Safety Actuation and an IU Cell Nitrogen Purge are initiated.

5.9 High-High TSV Dump Tank Level high-high TSV dump tank level signal protects against an overfill of the TSV dump tank ater than the volume of target solution expected to be transferred from the TSV),

promising the ability of the TOGS to remove hydrogen from the TSV dump tank headspace.

high-high TSV dump tank level signal is input as a discrete input from a level switch on three rent channels, one for each TRPS division. When two-out-of-three or more high-high TSV p tank signals are active, an IU Cell Safety Actuation and an IU Cell Nitrogen Purge are ated.

5.10 Low TOGS Oxygen Concentration low TOGS oxygen concentration signal protects against a deflagration in the primary system ndary caused by the inability to recombine hydrogen with oxygen. The TOGS oxygen signal NE Medical Technologies 7.4-20 Rev. 0

t, an IU Cell Safety Actuation and an IU Cell Nitrogen Purge are initiated.

5.11 Low TOGS Mainstream Flow low TOGS mainstream flow signal protects against a deflagration in the primary system ndary caused by the inability to sweep accumulated hydrogen through the TOGS hydrogen ombiners. The TOGS mainstream flow is measured with an analog interface on three different nnels, one for each division of TRPS. Safety actuations based on the low TOGS mainstream are bypassed when no target solution is present in the IU. When two-out-of-three or more GS mainstream flow inputs drop below the allowable limit, an IU Cell Safety Actuation and an Cell Nitrogen Purge are initiated.

5.12 Low TOGS Dump Tank Flow low TOGS dump tank flow signal protects against a deflagration in the TSV dump tank sed by an inability to remove accumulated hydrogen from that tank. The TOGS dump tank is measured with an analog interface on three different channels, one for each division of PS. Safety actuations based on the low TOGS dump tank flow are bypassed when no target tion is present in the IU. When two-out-of-three or more TOGS dump tank flow inputs drop w the allowable limit, an IU Cell Safety Actuation and an IU Cell Nitrogen Purge are initiated.

5.13 High TOGS Condenser Demister Outlet Temperature high TOGS condenser demister outlet temperature signal protects against adverse effects TOGS instrumentation and zeolite beds, causing them to fail to perform their safety functions.

TOGS condenser demister outlet temperature signal is measured with a temperature rface on three different channels, one for each TRPS division. When two-out-of-three or more GS condenser demister outlet temperature inputs exceed the allowable limit, an IU Cell ety Actuation and an IU Cell Nitrogen Purge are initiated.

5.14 ESFAS Loss of External Power ESFAS loss of external power signal is an anticipatory protection against the impending loss OGS blowers and recombiners after the runtime of that equipment on the UPSS has been eeded. TRPS does not receive the loss of external power signal from ESFAS until three utes after the external power loss. The ESFAS loss of external power signal is measured with screte input signal on two different channels, one for each Division A and Division B of TRPS.

en an ESFAS loss of external power signal is active, the division receiving the discrete signal ates an IU Cell Nitrogen Purge.

5.15 High ATIS Gas Return Line Pressure high ATIS gas return line pressure signal protects against a break in the tritium lines in the IU

. The ATIS gas return line pressure is measured with an analog interface on three different nnels, one for each division of TRPS. Safety actuations based on high ATIS gas return line ssure are bypassed except for when the IU is in irradiation (Mode 2). When two-out-of-three ore ATIS gas return line pressure inputs exceed the allowable limit, an IU Cell Safety uation is initiated.

NE Medical Technologies 7.4-21 Rev. 0

high RVZ1 radiation signal protects against a breach in the primary system boundary. The Z1 radiation is measured with an analog interface on three different channels, one for each sion of TRPS. When two-out-of-three or more RVZ1 radiation channels exceed the allowable t, an IU Cell Safety Actuation is initiated.

5.17 TSV Fill Isolation Valves Open SV fill isolation valve open signal protects against the inadvertent addition of target solution to TSV. The TSV valve open position indication is measured with a discrete input on two rent channels for each valve. When one-out-of-two or more TSV fill isolation valve open als are active for both of the TSV fill isolation valves, an IU Cell Safety Actuation is initiated.

Cell Safety Actuation on TSV valves open is only active when the IU cell is undergoing diation (Mode 2).

NE Medical Technologies 7.4-22 Rev. 0

Table 7.4 TRPS Monitored Variables (Sheet 1 of 2)

Instrument Variable Analytical Limit Logic Range Accuracy Response Time 1.5 times the nominal flux Source range neutron flux signal at 95 percent volume of 2/3 1 to 1.0E+05 cps 2 percent 450 milliseconds the critical fill height Wide range neutron flux 240 percent 2/3 1.0E-8 to 250 percent 2 percent 450 milliseconds

[ ]PROP/ECI 2/3 Power range neutron flux 25 percent 2/3 0 to 125 percent 1 percent 1 second 104 percent 2/3 RVZ1e IU cell radiation 5x background radiation 2/3 10-7 to 10-1 µCi/cc 20 percent 15 seconds ATIS mixed gas return line

[ ]PROP/ECI 2/3 1 to 200 kCi/m3 1 percent 5 seconds tritium concentration ATIS gas return line pressure 8 psia 2/3 0 to 19.5 psia 1 percent 10 seconds TOGS oxygen concentration 10 percent 2/3 0 to 25 percent 1 percent 120 seconds TOGS mainstream flow [ ]PROP/ECI 2/3 [ ]PROP/ECI 3 percent 0.5 seconds TOGS dump tank flow [ ]PROP/ECI 2/3 [ ]PROP/ECI 3 percent 0.5 seconds GS upstream condenser demister 25°C 2/3 0 to 100°C 0.65 percent 10 seconds outlet temperature Discrete w-high TSV dump tank level signal Active 2/3 Active/inactive 1.5 seconds input signal Discrete h-high TSV dump tank level signal Active 2/3 Active/inactive 1.5 seconds input signal NE Medical Technologies 7.4-23 Rev. 0

Instrument Variable Analytical Limit Logic Range Accuracy Response Time PCLS flow [ ]PROP/ECI 2/3 [ ]PROP/ECI 1 percent 1 second 15°C 2/3 PCLS temperature -1 to 121°C 1 percent 10 seconds 25°C 2/3 Discrete V fill valve close position indication Inactive full close 1/2 Active/inactive 0.5 seconds input signal Discrete ESFAS loss of external power Inactive 1/1 Active/inactive 0.5 seconds input signal NE Medical Technologies 7.4-24 Rev. 0

Trip Determination and Bypasses NE Medical Technologies 7.4-25 Rev. 0

Trip Determination and Bypasses NE Medical Technologies 7.4-26 Rev. 0

NE Medical Technologies 7.4-27 Rev. 0 NE Medical Technologies 7.4-28 Rev. 0 Trip Determination and Bypasses NE Medical Technologies 7.4-29 Rev. 0

NE Medical Technologies 7.4-30 Rev. 0 NE Medical Technologies 7.4-31 Rev. 0 (Sheet 813)

Safety Function NE Medical Technologies 7.4-32 Rev. 0

Safety Function NE Medical Technologies 7.4-33 Rev. 0

Nonsafety Interface Decode NE Medical Technologies 7.4-34 Rev. 0

Priority Logic NE Medical Technologies 7.4-35 Rev. 0

Priority Logic NE Medical Technologies 7.4-36 Rev. 0

Legend NE Medical Technologies 7.4-37 Rev. 0

NE Medical Technologies 7.4-38 Rev. 0 1 SYSTEM DESCRIPTION engineered safety features actuation system (ESFAS) is a three-division safety-related rumentation and control (I&C) system that performs various control and actuation functions dited by the SHINE safety analysis as required to prevent the occurrence or mitigate the sequences of design basis events within the SHINE facility. The ESFAS provides sense, mand, and execute functions necessary to maintain the facility confinement strategy and vides process actuation functions required to shutdown processes and maintain processes in fe condition. The ESFAS also provides nonsafety-related system status and measured cess variable values to the facility process integrated control system (PICS) for viewing, ording, and trending.

ESFAS monitors variables important to the safety functions for confinement of radiation and m within the irradiation facility (IF) and the radioisotope production facility (RPF) and for cality safety to perform the following functions:

Radiologically Controlled Area (RCA) Isolation

Supercell Isolation

Carbon Delay Bed Isolation

Vacuum Transfer System (VTS) Safety Actuation

Tritium Purification System (TPS) Isolation

Irradiation Unit (IU) Cell Nitrogen Purge

RPF Nitrogen Purge

Molybdenum Extraction and Purification System (MEPS) [ ]PROP/ECI Isolation

Extraction Column Alignment Actuation

Iodine and Xenon Purification and Packaging (IXP) Alignment Actuation

Dissolution Tank Isolation ESFAS monitors the IF and the RPF continually throughout the operation of processes in the main production facility, via the use of radiation monitoring and other instrumentation.

rlocks and bypass logic necessary for operation are implemented within the ESFAS. If at any t a monitored variable exceeds its predetermined limits, the ESFAS automatically initiates associated safety function. ESFAS logic diagrams are provided in Figure 7.5-1 and the eral architecture of the ESFAS is provided in Figure 7.1-3.

2 DESIGN CRITERIA SHINE design criteria are described in Section 3.1. Table 3.1-1 shows the SHINE design ria applicable to the ESFAS.

2.1 Access Control FAS Criterion 1 - The ESFAS shall require a key or combination authentication input at the trol console to prevent unauthorized use of the ESFAS.

FAS Criterion 2 - Developmental phases for ESFAS software shall address the potential er security vulnerabilities (physical and electronic) to prevent unauthorized physical and tronic access.

NE Medical Technologies 7.5-1 Rev. 1

operational phase, including the transition from development to operations. CDAs are defined igital systems and devices that are used to perform or support, among other things, physical urity and access control, safety-related functions, and reactivity control.

2.2 Software Requirements Development FAS Criterion 4 - The functional characteristics of the ESFAS software requirements cifications shall be properly and precisely described for each software requirement.

FAS Criterion 5 - Development of ESFAS software shall follow a formally defined life cycle cess and address potential security vulnerabilities in each phase of the life cycle.

FAS Criterion 6 - ESFAS development life cycle phase-specific security requirements shall be mensurate with the risk and magnitude of the harm that would result from unauthorized and propriate access, use, disclosure, disruption, or destruction of the ESFAS.

FAS Criterion 7 - ESFAS software development life cycle process requirements shall be cribed and documented in appropriate plans which shall address safety analysis, verification validation (V&V), and configuration control activities.

FAS Criterion 8 - Tasks for validating and verifying the ESFAS software development vities shall be carried out in their entirety. Independent V&V tasks shall be performed by viduals or groups with appropriate technical competence in an organization separate from the elopment and program management organizations. Successful completion of V&V tasks for h software life cycle activity group shall be documented.

FAS Criterion 9 - The ESFAS software life cycle configuration control program shall trace ware development from software requirement specification to implementation and address impacts on ESFAS safety, control console, or display instruments.

FAS Criterion 10 - The ESFAS configuration control program shall assure that the required FAS hardware and software are installed in the appropriate system configuration and ensure the correct version of the software/firmware is installed in the correct hardware components.

FAS Criterion 11 - Qualification testing shall test all portions of ESFAS programmable logic essary to accomplish its safety functions, and shall exercise those portions whose operation ailure could impair safety functions during testing.

FAS Criterion 12 - The ESFAS software development life cycle shall include a software risk nagement program which addresses vulnerabilities throughout the software life cycle.

FAS Criterion 13 - ESFAS equipment not designed under a SHINE approved quality urance (QA) program shall be qualified under the SHINE commercial-grade dedication gram.

NE Medical Technologies 7.5-2 Rev. 1

FAS Criterion 14 - The ESFAS safety functions shall perform and remain functional during mal operation and during and following a design basis event.

FAS Criterion 15 - Manual controls of ESFAS actuation components shall be implemented nstream of the digital I&C portions of the safety system.

2.4 Single Failure FAS Criterion 16 - The ESFAS shall be designed to perform its protective functions after eriencing a single random active failure in nonsafety control systems or in the ESFAS, and h failure shall not prevent the ESFAS and credited redundant passive control components performing the intended functions or prevent safe shutdown of an IU cell.

FAS Criterion 17 - The ESFAS shall be designed such that no single failure can cause the re of more than one redundant component.

FAS Criterion 18 - The ESFAS shall be designed so that no single failure within the rumentation or power sources concurrent with failures as a result of a design basis event uld prevent operators from being presented the information necessary to determine the ty status of the facility following the design basis event.

2.5 Independence FAS Criterion 19 - Interconnections among ESFAS safety divisions shall not adversely affect functions of the ESFAS.

FAS Criterion 20 - A logical or software malfunction of any interfacing nonsafety systems ll not affect the functions of the ESFAS.

FAS Criterion 21 - The ESFAS shall be designed with physical, electrical, and munications independence of the ESFAS both between the ESFAS channels and between ESFAS and nonsafety-related systems to ensure that the safety functions required during following any design basis event can be accomplished.

FAS Criterion 22 - Physical separation and electrical isolation shall be used to maintain the pendence of ESFAS circuits and equipment among redundant safety divisions or with safety systems so that the safety functions required during and following any design basis nt can be accomplished.

FAS Criterion 23 - The ESFAS shall be designed such that no communication - within a le safety channel, between safety channels, and between safety and nonsafety systems -

ersely affects the performance of required safety functions.

FAS Criterion 24 - ESFAS data communications protocols shall meet the performance uirements of all supported systems.

FAS Criterion 25 - The timing of ESFAS data communications shall be deterministic.

NE Medical Technologies 7.5-3 Rev. 1

lementations themselves were constructed using a formal design process that ensures sistency between the product and the validated specification.

FAS Criterion 27 - The ESFAS shall be designed such that no unexpected performance cits exist that could adversely affect the ESFAS architecture.

2.6 Prioritization of Functions FAS Criterion 28 - ESFAS devices that receive signals from safety and nonsafety sources ll prioritize the signal from the safety system.

2.7 Fail-Safe FAS Criterion 29 - The ESFAS shall be designed to assume a safe state on loss of electrical er.

2.8 Setpoints FAS Criterion 30 - Setpoints for an actuation of the ESFAS shall be based on a documented lysis methodology that identifies assumptions and accounts for uncertainties, such as ironmental allowances and measurement computational errors associated with each element e instrument channel. The setpoint analysis parameters and assumptions shall be consistent the safety analysis, system design basis, technical specifications, and facility design, and ected maintenance practices.

AS Criterion 31 - Adequate margin shall exist between setpoints and safety limits so that the FAS initiates protective actions before safety limits are exceeded.

FAS Criterion 32 - Where it is necessary to provide multiple setpoints for adequate protection ed on particular modes of operation or sets of operating conditions, the ESFAS shall provide itive means of ensuring that the more restrictive setpoint is used when required.

FAS Criterion 33 - The sensitivity of each ESFAS sensor channel shall be commensurate the precision and accuracy to which knowledge of the variable measured is required for the ective function.

2.9 Operational Bypass, Permissives and Interlocks FAS Criterion 34 - Permissive conditions for each ESFAS operating or maintenance bypass ability shall be documented.

FAS Criterion 35 - ESFAS interlocks shall ensure that operator actions cannot defeat an omatic safety function during any operating condition where that safety function may be uired.

FAS Criterion 36 - ESFAS provisions shall exist to prevent activation of an operating bypass ss applicable permissive conditions exist.

NE Medical Technologies 7.5-4 Rev. 1

FAS Criterion 38 - If provisions for maintenance or operating bypasses are provided, the FAS design shall retain the capability to accomplish its safety function while a bypass is in ct.

FAS Criterion 39 - Whenever permissive conditions for bypassing a train or channel in the FAS are not met, a feature in the ESFAS shall physically prevent or facilitate administrative trols to prevent the unauthorized use of bypasses.

FAS Criterion 40 - All ESFAS operating bypasses, either manually or automatically initiated, ll be automatically removed when the facility moves to an operating regime where the ective action would be required if an accident occurred.

FAS Criterion 41 - If operating conditions change so that an active operating bypass is no er permissible, the ESFAS shall automatically accomplish one of the following actions:

Remove the appropriate active operating bypass(es)

Restore conditions so that permissive conditions once again exist

Initiate the appropriate safety function(s)

FAS Criterion 42 - Portions of ESFAS that execute features with a degree of redundancy of shall be designed so that when a portion is placed in maintenance bypass (i.e., reducing porarily its degree of redundancy to zero), the remaining portions provide acceptable bility to perform the ESFAS action if required.

FAS Criterion 43 - Provisions shall exist to allow the operations staff to confirm that a assed ESFAS safety function has been properly returned to service.

2.10 Completion of Protective Actions FAS Criterion 44 - The ESFAS design shall ensure that once initiated the safety actions will tinue until the protective function is completed.

FAS Criterion 45 - Only deliberate operator action shall be permitted to reset the ESFAS or its ponents following manual or automatic actuation.

AS Criterion 46 - Mechanisms for deliberate operator intervention in the ESFAS status or its tions shall not be capable of preventing the initiation of ESFAS actions.

2.11 Equipment Qualification FAS Criterion 47 - The effects of electromagnetic interference/radio-frequency interference I/RFI) and power surges, such as high-energy faults and lightning, on the ESFAS, including programmable gate array (FPGA)-based digital portions, shall be adequately addressed.

NE Medical Technologies 7.5-5 Rev. 1

FAS Criterion 48 - Equipment in the ESFAS (from the input circuitry to output actuation uitry) shall be designed to allow testing, calibration, and inspection to ensure operability. If ing is required or can be performed as an option during operation, the ESFAS shall retain the ability to accomplish its safety function while under test.

FAS Criterion 49 - Testing, calibration, and inspections of the ESFAS shall be sufficient to w that once performed, they confirm that surveillance test and self-test features address re detection, self-test features, and actions taken upon failure detection.

FAS Criterion 50 - The design of the ESFAS and the justification for test intervals shall be sistent with the surveillance testing intervals as part of the facility technical specifications.

2.13 Classification and Identification FAS Criterion 51 - ESFAS equipment shall be distinctly identified to indicate its safety sification and to associate equipment according to divisional or channel assignments.

2.14 Human Factors AS Criterion 52 - Human factors shall be considered at the initial stages and throughout the FAS design process to ensure that the functions allocated in whole or in part to the operator(s) be successfully accomplished to meet ESFAS design goals.

FAS Criterion 53 - The ESFAS shall include readily available means for manual initiation of h protective function at the system level.

FAS Criterion 54 - The ESFAS shall be designed to provide the information necessary to port annunciation of the channel initiating a protective action to the operator and requiring nual operator reset when all conditions to resume operation are met and satisfied.

2.15 Quality FAS Criterion 55 - The quality of the components and modules in the ESFAS shall be mensurate with the importance of the safety function to be performed.

FAS Criterion 56 - Controls over the design, fabrication, installation, and modification of the FAS shall conform to the guidance of ANSI/ANS 15.8-1995, Quality Assurance Program uirements for Research Reactors (ANSI/ANS, 1995), as endorsed by Regulatory Guide 2.5, lity Assurance Program Requirements for Research and Test Reactors (USNRC, 2010).

NE Medical Technologies 7.5-6 Rev. 1

3.1 Safety Functions 3.1.1 Supercell Area 1 (PVVS Area) Isolation ercell Area 1 (Process Vessel Vent System [PVVS] Area) Isolation initiates the following ty functions:

Deenergize radiological ventilation zone 2 (RVZ2) supercell area 1 (PVVS area) inlet isolation dampers

Deenergize radiological ventilation zone 1 (RVZ1) supercell area 1 (PVVS area) outlet isolation dampers

VTS Safety Actuation which returns the VTS to atmospheric pressure ESFAS initiates a Supercell Area 1 (PVVS Area) Isolation based on the following variable or ty actuation:

High RVZ1 supercell area 1 (PVVS area) radiation

RCA Isolation 3.1.2 Supercell Area 2 (Extraction Area A) Isolation ercell Area 2 (Extraction Area A) Isolation initiates the following safety functions:

Deenergize RVZ2 supercell area 2 (extraction area A) inlet isolation dampers

Deenergize RVZ1 supercell area 2 (extraction area A) outlet isolation dampers

MEPS A [ ]PROP/ECI Isolation

VTS Safety Actuation ESFAS initiates a Supercell Area 2 (Extraction Area A) Isolation based on the following able or safety actuation:

High RVZ1 supercell area 2 (extraction area A) radiation

RCA Isolation presentation of the Supercell Area 2 Isolation is provided in Figure 7.5-2.

3.1.3 Supercell Area 3 (Purification Area A) Isolation ercell Area 3 (Purification Area A) Isolation initiates the following safety functions:

Deenergize RVZ2 supercell area 3 (purification area A) inlet isolation dampers

Deenergize RVZ1 supercell area 3 (purification area A) outlet isolation dampers ESFAS initiates a Supercell Area 3 (Purification Area A) Isolation based on the following able or safety actuation:

High RVZ1 supercell area 3 (purification area A) radiation

RCA Isolation NE Medical Technologies 7.5-7 Rev. 1

ercell Area 4 (Packaging Area 1) Isolation initiates the following safety functions:

Deenergize RVZ2 supercell area 4 (packaging area 1) inlet isolation dampers

Deenergize RVZ1 supercell area 4 (packaging area 1) outlet isolation dampers ESFAS initiates a Supercell Area 4 (Packaging Area 1) Isolation based on the following able or safety actuation:

High RVZ1 supercell area 4 (packaging area 1) radiation

RCA Isolation 3.1.5 Supercell Area 5 (Purification Area B) Isolation ercell Area 5 (Purification Area B) Isolation initiates the following safety functions:

Deenergize RVZ2 supercell area 5 (purification area B) inlet isolation dampers

Deenergize RVZ1 supercell area 5 (purification area B) outlet isolation dampers ESFAS initiates a Supercell Area 5 (Purification Area B) Isolation based on the following able or safety actuation:

High RVZ1 supercell area 5 (purification area B) radiation

RCA Isolation 3.1.6 Supercell Area 6 (Extraction Area B) Isolation ercell Area 6 (Extraction Area B) Isolation initiates the following safety functions:

Deenergize RVZ2 supercell area 6 (extraction area B) inlet isolation dampers

Deenergize RVZ1 supercell area 6 (extraction area B) outlet isolation dampers

MEPS B [ ]PROP/ECI Isolation

VTS Safety Actuation ESFAS initiates a Supercell Area 6 (Extraction Area B) Isolation based on the following able or safety actuation:

High RVZ1 supercell area 6 (extraction area B) radiation

RCA Isolation

Supercell Area 10 (IXP area) Isolation 3.1.7 Supercell Area 7 (Extraction Area C) Isolation ercell Area 7 (Extraction Area C) Isolation initiates the following safety functions:

Deenergize RVZ2 supercell area 7 (purification area C) inlet isolation dampers

Deenergize RVZ1 supercell area 7 (purification area C) outlet isolation dampers

MEPS C [ ]PROP/ECI Isolation

VTS Safety Actuation NE Medical Technologies 7.5-8 Rev. 1

High RVZ1 supercell area 7 (extraction Area C) radiation

RCA Isolation

Supercell Area 10 (IXP area) Isolation 3.1.8 Supercell Area 8 (Purification Area C) Isolation ercell Area 8 (Purification Area C) Isolation initiates the following safety functions:

Deenergize RVZ2 supercell area 8 (purification area C) inlet isolation dampers

Deenergize RVZ1 supercell area 8 (purification area C) outlet isolation dampers ESFAS initiates a Supercell Area 8 (Purification Area C) Isolation based on the following able or safety actuation:

High RVZ1 supercell area 8 (purification area C) radiation

RCA Isolation 3.1.9 Supercell Area 9 (Packaging Area 2) Isolation ercell Area 9 (Packaging Area 2) Isolation initiates the following safety functions:

Deenergize RVZ2 supercell area 9 (packaging area 2) inlet isolation dampers

Deenergize RVZ1 supercell area 9 (packaging area 2) outlet isolation dampers ESFAS initiates a Supercell Area 9 (Packaging Area 2) Isolation based on the following able or safety actuation:

High RVZ1 supercell area 9 (packaging area 2) radiation

RCA Isolation 3.1.10 Supercell Area 10 (IXP Area) Isolation ercell Area 10 (IXP Area) Isolation initiates the following safety functions:

Deenergize RVZ2 supercell area 10 (IXP area) inlet isolation dampers

Deenergize RVZ1 supercell area 10 (IXP area) outlet isolation dampers

Supercell Area 6 (extraction area B) Isolation

Supercell Area 7 (extraction area C) Isolation ESFAS initiates a Supercell Area 10 (IXP Area) Isolation based on the following variable or ty actuation:

High RVZ1 supercell area 10 (IXP area) radiation

RCA Isolation NE Medical Technologies 7.5-9 Rev. 1

PS A [ ]PROP/ECI Isolation initiates the following safety functions:

Deenergize MEPS [ ]PROP/ECI A inlet isolation valves

Deenergize MEPS [ ]PROP/ECI A discharge isolation valves

Deenergize MEPS A extraction feed pump breakers ESFAS initiates a MEPS A [ ]PROP/ECI Isolation based on the following variable afety actuation:

High MEPS [ ]PROP/ECI conductivity extraction area A

Radioactive drain system (RDS) liquid detection switch signal

Supercell Area 2 Isolation 3.1.12 MEPS B [ ]PROP/ECI Isolation PS B [ ]PROP/ECI Isolation initiates the following safety functions:

Deenergize MEPS [ ]PROP/ECI B inlet isolation valves

Deenergize MEPS [ ]PROP/ECI B discharge isolation valves

Deenergize MEPS B extraction feed pump breakers ESFAS initiates a MEPS B [ ]PROP/ECI Isolation based on the following variable afety actuation:

High MEPS [ ]PROP/ECI conductivity extraction area B

RDS liquid detection switch signal

Supercell Area 6 Isolation 3.1.13 MEPS C [ ]PROP/ECI Isolation PS C [ ]PROP/ECI Isolation initiates the following safety functions:

Deenergize MEPS [ ]PROP/ECI C inlet isolation valves

Deenergize MEPS [ ]PROP/ECI C discharge isolation valves

Deenergize MEPS C extraction feed pump breakers ESFAS initiates a MEPS C [ ]PROP/ECI Isolation based on the following variable afety actuation:

High MEPS [ ]PROP/ECI conductivity extraction area C

RDS liquid detection switch signal

Supercell Area 7 Isolation NE Medical Technologies 7.5-10 Rev. 1

bon Delay Bed Group 1 Isolation initiates the following safety functions:

Energize PVVS carbon delay bed group 1 three-way valves

Energize PVVS carbon delay bed group 1 outlet isolation valves ESFAS initiates a Carbon Delay Bed Group 1 Isolation based on the following variables:

High carbon delay bed group 1 exhaust carbon monoxide 3.1.15 Carbon Delay Bed Group 2 Isolation bon Delay Bed Group 2 Isolation initiates the following safety functions:

Energize PVVS carbon delay bed group 2 three-way valves

Energize PVVS carbon delay bed group 2 outlet isolation valves ESFAS initiates a Carbon Delay Bed Group 2 Isolation based on the following variables:

High carbon delay bed group 2 exhaust carbon monoxide 3.1.16 Carbon Delay Bed Group 3 Isolation bon Delay Bed Group 3 Isolation initiates the following safety functions:

Energize PVVS carbon delay bed group 3 three-way valves

Energize PVVS carbon delay bed group 3 outlet isolation valves ESFAS initiates a Carbon Delay Bed Group 3 Isolation based on the following variables:

High carbon delay bed group 3 exhaust carbon monoxide 3.1.17 VTS Safety Actuation Safety Actuation Isolation initiates the following safety functions:

Deenergize VTS vacuum transfer pump 1 breakers

Deenergize VTS vacuum transfer pump 2 breakers

Deenergize VTS vacuum transfer pump 3 breakers

Deenergize VTS vacuum break valves

MEPS A extraction column wash supply valve

MEPS A extraction column eluent valve

MEPS A [ ]PROP/ECI wash supply valve

MEPS A [ ]PROP/ECI eluent valve

MEPS B extraction column wash supply valve

MEPS B extraction column eluent valve

MEPS B [ ]PROP/ECI wash supply valve

MEPS B [ ]PROP/ECI eluent valve NE Medical Technologies 7.5-11 Rev. 1

MEPS C [ ]PROP/ECI wash supply valve

MEPS C [ ]PROP/ECI eluent valve

IXP recovery column wash supply valve

IXP recovery column eluent valve

IXP [ ]PROP/ECI wash supply valve

IXP [ ]PROP/ECI eluent valve

IXP FNHS supply valve

IXP liquid nitrogen supply valve ESFAS initiates a VTS Safety Actuation based on the following variables or safety ations:

VTS vacuum header liquid detection switch signal

RDS liquid detection switch signal

Supercell Area 1 Isolation

Supercell Area 2 Isolation

Supercell Area 6 Isolation

Supercell Area 7 Isolation

RCA Isolation

Facility master operating permissive presentation of the VTS Safety Actuation is provided in Figure 7.5-3.

3.1.18 TPS Isolation Isolation initiates the following safety functions:

Deenergize accelerator tritium interface system (ATIS) header glovebox stripper system (GBSS) isolation valves

Deenergize ATIS header GBSS bypass isolation valves

Deenergize GBSS RVZ isolation valves

Deenergize ATIS header return line isolation valves

Deenergize TPS process evacuation header isolation valves

Deenergize ATIS header deuterium supply isolation valves

Deenergize storage and separation system GBSS raffinate isolation valves

Deenergize ATIS header tritium supply isolation valves

Deenergize ATIS glovebox exhaust header isolation valves

Deenergize TPS process evacuation GBSS isolation valves

Deenergize TPS glovebox nitrogen supply valves

Deenergize RVZ TPS ventilation dampers ESFAS initiates a TPS Isolation based on the following variables or safety actuation:

High TPS exhaust to facility stack tritium concentration

High TPS glovebox tritium concentration

RCA Isolation

Facility master operating permissive NE Medical Technologies 7.5-12 Rev. 1

Cell Nitrogen Purge transitions the nitrogen purge system (N2PS) IU cell header valves to r deenergized state.

ESFAS also provides the target solution vessel (TSV) reactivity protection system (TRPS) each IU cell with an actuation signal to initiate an IU Cell Nitrogen purge within the TRPS.

ESFAS initiates an IU Cell Nitrogen Purge based on the following variables:

UPSS loss of external power

TRPS IU cell 1 nitrogen purge signal

TRPS IU cell 2 nitrogen purge signal

TRPS IU cell 3 nitrogen purge signal

TRPS IU cell 4 nitrogen purge signal

TRPS IU cell 5 nitrogen purge signal

TRPS IU cell 6 nitrogen purge signal

TRPS IU cell 7 nitrogen purge signal

TRPS IU cell 8 nitrogen purge signal 3.1.20 RPF Nitrogen Purge F Nitrogen Purge initiates the following safety functions:

Deenergize PVVS blower bypass valves

Deenergize radioactive liquid waste immobilization (RLWI) PVVS isolation valve

Deenergize PVVS carbon guard bed bypass valves

Deenergize N2PS RPF header valves

Deenergize N2PS RVZ2 north header valves

Deenergize N2PS RVZ2 south header valves ESFAS initiates an RPF Nitrogen Purge based on the following variable:

Low PVVS flow 3.1.21 RCA Isolation A Isolation initiates the following safety functions:

Deenergize RVZ1 exhaust isolation dampers

Deenergize RVZ2 exhaust isolation dampers

Deenergize RVZ2 supply train 1 isolation dampers

Deenergize RVZ2 supply train 2 isolation dampers

Deenergize RVZ3 supply isolation dampers shipping/receiving IF

Deenergize RVZ3 supply isolation dampers shipping/receiving RPF

Deenergize RVZ3 supply isolation dampers main RCA ingress/egress

Deenergize RVZ3 supply isolation dampers RPF emergency exit

Deenergize RVZ3 supply isolation dampers IF emergency exit

Deenergize RVZ3 exhaust isolation dampers IF emergency exit NE Medical Technologies 7.5-13 Rev. 1

Deenergize RVZ2 exhaust train 1 blower breakers

Deenergize RVZ2 exhaust train 2 blower breakers

Deenergize RVZ2 supply train 1 blower breakers

Deenergize RVZ2 supply train 2 blower breakers

Supercell Area 1 Isolation

Supercell Area 2 Isolation

Supercell Area 3 Isolation

Supercell Area 4 Isolation

Supercell Area 5 Isolation

Supercell Area 6 Isolation

Supercell Area 7 Isolation

Supercell Area 8 Isolation

Supercell Area 9 Isolation

Supercell Area 10 Isolation

VTS Safety Actuation

TPS Isolation ESFAS initiates an RCA Isolation based on the following variables:

High RVZ1 RCA exhaust radiation

High RVZ2 RCA exhaust radiation presentation of the RCA Isolation is provided in Figure 7.5-4.

3.1.22 Extraction Column A Alignment Actuation action Column A Alignment Actuation initiates the following safety functions:

Deenergize MEPS area A upper three-way valve

Deenergize MEPS area A lower three-way valve

Deenergize MEPS A extraction column eluent valve ESFAS initiates the Extraction Column A Alignment Actuation based on both of the following ts being active:

MEPS area A upper three-way valve supplying position indication

MEPS area A lower three-way valve supplying position indication 3.1.23 Extraction Column B Alignment Actuation action Column B Alignment Actuation initiates the following safety functions:

Deenergize MEPS area B upper three-way valve

Deenergize MEPS area B lower three-way valve

Deenergize MEPS B extraction column eluent valve NE Medical Technologies 7.5-14 Rev. 1

MEPS area B upper three-way valve supplying position indication

MEPS area B lower three-way valve supplying position indication 3.1.24 Extraction Column C Alignment Actuation action Column C Alignment Actuation initiates the following safety functions:

Deenergize MEPS area C upper three-way valve

Deenergize MEPS area C lower three-way valve

Deenergize MEPS C extraction column eluent valve ESFAS initiates the Extraction Column C Alignment Actuation based on both of the following ts being active:

MEPS area C upper three-way valve supplying position indication

MEPS area C lower three-way valve supplying position indication 3.1.25 IXP Alignment Actuation ne and Xenon Purification and Packaging (IXP) Alignment Actuation initiates the following ty functions:

Deenergize IXP upper three-way valve

Deenergize IXP lower three-way valve

Deenergize IXP recovery column eluent valve ESFAS initiates the IXP Alignment Actuation based on both of the following inputs being ve:

IXP upper three-way valve supplying position indication

IXP lower three-way valve supplying position indication 3.1.26 Dissolution Tank Isolation solution Tank Isolation initiates the following safety functions:

Deenergize target solution preparation system (TSPS) radioisotope process facility cooling system (RPCS) supply cooling valves

Deenergize TSPS RPCS return cooling valve

Deenergize RVZ2 TSPS supply damper

Deenergize RVZ1 TSPS exhaust damper ESFAS initiates the Dissolution Tank Isolation based on the following input being active:

High TSPS dissolution tank 1 level switch signal

High TSPS dissolution tank 2 level switch signal NE Medical Technologies 7.5-15 Rev. 1

le 7.5-1 identifies the specific variables that provide input to the ESFAS and includes the rument range for covering normal and accident conditions, the accuracy for each variable, the lytical limit, and the response time of the sensor element.

3.3 Operating Conditions ESFAS control and logic functions operate inside of the facility control room where the ironment is mild and not exposed to the irradiation process. However, the cables for the FAS are routed through the radiologically controlled area to the process areas. The routed les have the potential to be exposed to more harsh conditions than the mild environment of facility control room. The sensors are located inside the process confinement boundary; efore, the terminations of the cables routed to the sensors are exposed to the high radiation ironment.

ing normal operation, the ESFAS equipment will operate in the applicable normal radiation ironments identified in Table 7.2-1 for up to 20 years, replaced at a frequency sufficient such the radiation qualification of the affected components is not exceeded.

environmental conditions for ESFAS components are outlined in Table 7.2-1 through le 7.2-3. The facility heating, ventilation and air conditioning (HVAC) systems are relied upon aintain the temperature and humidity parameters in these areas. The facility HVAC systems described in Section 9a2.1.

4 DESIGN ATTRIBUTES 4.1 Access Control etailed description of access control is provided in Subsection 7.2.5.

4.2 Software Requirements Development etailed description of the development of software requirements is provided in section 7.2.6.

4.3 General Instrumentation and Control Requirements ESFAS is powered from the uninterruptible electrical power supply system (UPSS), which vides a reliable source of power to maintain the ESFAS functional during normal operation during and following a design basis event. The UPSS is designed to provide power to the FAS controls for six hours after a loss of off-site power. The UPSS is described in tion 8a2.2.

actuation and priority logic (APL) portions within an equipment interface module (EIM) port the implementation of different actuation methods. The APL is implemented using rete components and is not vulnerable to a software common cause failure (CCF). Having capability for hardwired signals into each EIM supports the capability for additional and rse actuation means from automated actuation. As an example, a division of APL circuits y receive inputs automatically from the programmable logic portion of the ESFAS, inputs from NE Medical Technologies 7.5-16 Rev. 1

downstream of the programmable logic portion of the ESFAS architecture as shown in ure 7.1-3.

4.4 Single Failure ESFAS consists of three divisions of input processing and trip determination and two sions of actuation logic (see Figure 7.1-2) arranged so that no single failure within the ESFAS ults in the loss of the protective function.

only nonsafety inputs into the ESFAS are those from the PICS for controls. The nonsafety trol signals from the PICS are implemented through a hardwired parallel interface that uires the PICS to send a binary address associated to the output state of the EIM along with a ored complement address. The mirrored complement address prevents any single incorrectly sented bit from addressing the wrong EIM output state. To prevent the PICS from vertently presenting a valid address, the ESFAS contains a safety-related enable nonsafety ch that controls when the hardwired parallel interface within the APL is active, thus controlling n the PICS inputs are allowed to pass through the input circuitry and for use in the priority c within the APL. When the enable nonsafety switch is not active, the nonsafety-related trol signal is ignored. If the enable nonsafety is active, and no automatic or manual actuation mand is present, the nonsafety-related control signal can control the ESFAS output. The dwired module provides isolation for the nonsafety-related signal path.

4.5 Independence escription of the application of independence to the ESFAS is provided in Subsection 7.2.2.

4.6 Prioritization of Functions h division of the ESFAS includes the analog logic circuitry necessary to prioritize the ESFAS ts. Automatic Safety Actuation or Manual Actuation are highest priority and PICS nonsafety trol inputs are lower in priority.

4.7 Fail-Safe fail-safe positions of components upon loss of power to ESFAS are provided in Table 7.5-2.

4.8 Setpoints points in the ESFAS are based on a documented methodology that identifies each of the umptions and accounts for the uncertainties in each instrument channel. The setpoint hodology is described in Subsection 7.2.3.

4.9 Operational Bypass, Permissives and Interlocks ntenance bypasses are described in Subsection 7.1.4.

ESFAS starts a 180 second timer on loss of external power to the UPSS. If the indication of of external power to the UPSS clears prior to the 180 second timer expiring, the timer resets.

NE Medical Technologies 7.5-17 Rev. 1

safety inputs into the ESFAS are transferred from PICS through the hardwired module. The S inputs are bypassed with the enable nonsafety switch permitting the inputs to control FAS outputs when administrative procedures permit the operator to use the switch to enable PICS functionality with the ESFAS.

manual actuation inputs from the operators in the facility control room are connected directly he discrete APL. The manual actuation input into the priority logic does not have the ability to bypassed and will always have equal priority to the automated actuation signals over any er signals that are present.

4.10 Completion of Protective Actions ESFAS is designed so that once initiated, protective actions will continue to completion. Only berate operator action can be taken to reset the ESFAS following a protective action.

ure 7.5-1, Sheets 19 through 23, shows how the ESFAS latches in a protective action and ntains the state of a protective action until operator input is initiated to reset the output of the FAS to normal operating conditions.

output of the ESFAS is designed so that actuation through automatic or manual means of a ty function can only change when a new position is requested. If there is no signal present the automatic safety actuation or manual actuation, then the output of the EIM remains in its ent state. A safety-related enable nonsafety switch allows an operator, after the switch has n brought to enable, to control the output state of the ESFAS with a hardwired binary control al from the nonsafety-related controls. The enable nonsafety switch is classified as part of safety system and is used to prevent spurious nonsafety-related control signals from ersely affecting safety-related components. If the enable nonsafety switch is active, and no omatic safety actuation or manual actuation signals are present, the operator is capable of rgizing or deenergizing any EIM outputs using the nonsafety-related hardwired control als. If the enable nonsafety switch is not active, the nonsafety-related hardwired control als are ignored.

4.11 Equipment Qualification FAS rack mounted equipment is installed in a mild operating environment and is designed to et the environmental conditions described in Subsection 7.4.3.4. Rack mounted ESFAS ipment is tested to appropriate standards to show that the effects of EMI/RFI and power ges are adequately addressed. Appropriate grounding of the ESFAS is performed in ordance with Section 5.2.1 of Institute of Electrical and Electronics Engineers (IEEE) ndard 1050-2004, IEEE Guide for Instrumentation and Control Equipment Grounding in erating Stations (IEEE, 2004b).

4.12 Surveillance TRPS supports calibration and testing to ensure operability as described in section 7.2.4.

NE Medical Technologies 7.5-18 Rev. 1

h division of the ESFAS is uniquely labeled and identified in accordance with SHINE tification and classification procedures.

4.14 Human Factors ESFAS provides manual actuation capabilities for each of the safety functions identified in section 7.5.3. To support the use of manual actuations, the ESFAS includes isolated outputs each safety-related instrument channel to provide monitoring and indication information to the S. To facilitate operator indication of ESFAS actuation function status, manual initiation and et of protective actions, the ESFAS, at the division level, includes isolated input/output for the wing:

Indication of ESFAS variable values

Indication of ESFAS parameter values

Indication of ESFAS logic status

Indication of ESFAS equipment status

Indication of ESFAS actuation device status 4.15 Codes and Standards following codes and standards are applied to the ESFAS design.

1) Section 8 of IEEE Standard 344-2013, IEEE Standard for Seismic Qualification of Equipment for Nuclear Power Generating Stations (IEEE, 2013); invoked as guidance to meet SHINE Design Criterion 2, Natural phenomena hazards.

2) IEEE Standard 379-2000, IEEE Standard Application of Single-Failure Criterion to Nuclear Power Generating Station Safety Systems (IEEE, 2000); invoked to meet SHINE Design Criterion 13, Instrumentation and controls.

3) IEEE Standard 384-2008, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits (IEEE, 2008); invoked for separation of safety-related and nonsafety-related cables and raceways, as described in Subsection 8a2.1.3 and Subsection 8a2.1.5.

4) IEEE Standard 1023-2004, IEEE Recommended Practice for the Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations and Other Nuclear Facilities (IEEE, 2004c); invoked as a guidance to support implementation of human factors into the design of I&C systems.

5) Section 5.2.1 of IEEE Standard 1050-2004, IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations (IEEE, 2004b); invoked as guidance to support electromagnetic compatibility qualification for digital I&C equipment.

6) Regulatory Guide 1.152, Revision 3, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants (USNRC, 2011); invoked to demonstrate secure development and operating environment.

7) The guidance of ANSI/ANS 15.8-1995, Quality Assurance Program Requirements for Research Reactors (R2013) (ANSI/ANS, 1995), as endorsed by Regulatory Guide 2.5, Quality Assurance Program Requirements for Research and Test Reactors (USNRC, 2010), is applied as part of the SHINE Quality Assurance Program for complying with the programmatic requirements of 10 CFR 50.34(b)(6)(ii).

NE Medical Technologies 7.5-19 Rev. 1

5.1 High RVZ RCA Exhaust Radiation high RVZ RCA exhaust radiation signal protects against confinement leakage or accidents could potentially result in excess radiation doses to the public. The RZV RCA exhaust ation is measured by an analog interface on three different channels, one for each division of FAS. When two-out-of-three or more high RVZ RCA exhaust radiation channels are active, n an RCA Isolation is initiated.

5.2 High RVZ1 Supercell Radiation (PVVS Cell) high RVZ1 supercell radiation signal protects against hot cell equipment leakage or an ident that could potentially result in excess radiation doses to the workers or to the public. The Z1 supercell radiation is measured by an analog interface on three different channels, one for h division of ESFAS. When two-out-of-three or more high RVZ1 supercell radiation channels active, then a Supercell Isolation for that area and VTS Safety Actuation are initiated.

5.3 High RVZ1 Supercell Radiation (MEPS Extraction Cells) high RVZ1 supercell radiation signal protects against hot cell equipment leakage or an ident that could potentially result in excess radiation doses to the workers or to the public. The Z1 supercell radiation is measured by an analog interface on two different channels, one for h Division A and Division B of ESFAS. When one-out-of-two or more high RVZ1 supercell ation channels are active, then a Supercell Isolation for that area, MEPS [

]PROP/ECI Isolation and VTS Safety Actuation are initiated.

5.4 High RVZ1 Supercell Radiation (IXP Extraction Cell) high RVZ1 supercell radiation signal protects against hot cell equipment leakage or an ident that could potentially result in excess radiation doses to the workers or to the public. The Z1 supercell radiation is measured by an analog interface on two different channels, one for h Division A and Division B of ESFAS. When one-out-of-two or more high RVZ1 supercell ation channels are active, then a Supercell Isolation for that area and VTS Safety Actuation initiated.

5.5 High RVZ1 Supercell Radiation (Purification and Packaging Cells) high RVZ1 supercell radiation signal protects against hot cell equipment leakage or an ident that could potentially result in excess radiation doses to the workers or to the public. The Z1 supercell radiation is measured by an analog interface on two different channels, one for h Division A and Division B of ESFAS. When one-out-of-two or more high RVZ1 supercell ation channels are active, then a Supercell Isolation for that area is initiated.

5.6 High MEPS [ ]PROP/ECI Conductivity high MEPS [ ]PROP/ECI conductivity signal protects against leakage of high ation solutions into the [ ]PROP/ECI, which is partially located outside the ercell shielding and could potentially result in an excess dose to the workers. The MEPS

]PROP/ECI conductivity is measured by an analog interface on two different channels, NE Medical Technologies 7.5-20 Rev. 1

ation is initiated.

5.7 High PVVS Carbon Delay Bed Exhaust Carbon Monoxide high PVVS carbon delay bed exhaust carbon monoxide signal protects against a fire in the VS delay bed. The PVVS carbon delay bed exhaust carbon monoxide is measured with an log interface on two different channels, one for each Division A and Division B of ESFAS.

en one-out-of-two or more high PVVS carbon delay bed exhaust carbon monoxide channels active, then a Carbon Delay Bed Isolation for the affected group is initiated.

5.8 VTS Lift Tank Liquid Detection Switch VTS lift tank liquid detection switch signals protect against an overflow of the vacuum lift

s. The VTS lift tank liquid detection switch signals are measured with a discrete input rface with redundant detection signals common to all lift tanks at the VTS vacuum header. If

-out-of-two or more (Division A and Division B) VTS lift tank liquid detection switch signals are ve, then a VTS Safety Actuation is initiated.

5.9 RDS Liquid Detection Switch RDS liquid detection switch signal detects leakage or overflow from other tanks and piping.

RDS liquid detection switch signal is measured with a discrete signal input on two different nnels, one for each Division A and Division B of ESFAS. When one-out-of-two or more RDS id detection switch signal channels are active, then a VTS Safety Actuation is initiated.

5.10 High TPS Exhaust to Facility Stack Tritium high TPS exhaust to facility stack tritium signal protects against a release of tritium from the aust of the TPS glovebox stripper system into the facility ventilation systems. The TPS aust to facility stack tritium is measured with an analog interface on three different channels, for each division of ESFAS. When one-out-of-two or more high TPS exhaust to facility stack m channels are active, then a TPS Isolation is initiated.

5.11 High TPS Glovebox Tritium high TPS glovebox tritium signal protects against a release of tritium from TPS equipment the TPS glovebox. The TPS glovebox tritium is measured with an analog interface on three rent channels, one for each division of ESFAS. When one-out-of-two or more high TPS ebox tritium channels are active, then a TPS Isolation is initiated.

5.12 TRPS IU Cell Nitrogen Purge TRPS IU cell nitrogen purge signal protects against a loss of hydrogen mitigation capabilities e irradiation units. The TRPS IU cell nitrogen purge signal is transmitted with a discrete input the TRPS on two different channels, one for each Division A and Division B of ESFAS.

en a TRPS IU cell nitrogen purge signal is active, then an ESFAS IU Cell Nitrogen Purge is ated.

NE Medical Technologies 7.5-21 Rev. 1

PVVS flow signal protects against loss of hydrogen mitigation capabilities in the RPF. The VS flow is measured with an analog interface on three different channels, one for each sion of ESFAS. When two-out-of-three or more high or low PVVS flow channels are active, n an RPF Nitrogen Purge is initiated.

5.14 MEPS Upper and Lower Three-Way Valves Misaligned MEPS upper and lower three-way valves misalignment signal protects against a alignment of the upper and lower three-way valves, degrading one of the barriers preventing direction of chemical reagents or target solution. The MEPS upper and lower three-way valve ition indication is measured with a discrete input signal through the respective division the e-way valve is designed to. When two-out-of-two MEPS upper and lower three-way valve ition indications indicate they are energized, then a MEPS Alignment Actuation for that area itiated.

5.15 IXP Upper and Lower Three-Way Valves Misaligned IXP upper and lower three-way valves misalignment signal protects against a misalignment e upper and lower three-way valves, degrading one of the barriers preventing misdirection of mical reagents or target solution. The IXP upper and lower three-way valve position cation is measured with a discrete input signal through the respective division the three-way e is designed to. When two-out-of-two IXP upper and lower three-way valve position cations indicate they are energized, then an IXP Alignment Actuation is initiated.

5.16 TSPS Dissolution Tank Level Switch TSPS dissolution tank level switch signal protects against a criticality event due to excess le material in a non-favorable geometry system. The TSPS dissolution tank level switch al is measured with a discrete input signal on two different channels, one for each Division A Division B of ESFAS. When one-out-of-two or more TSPS dissolution tank level switch als are active for either dissolution tank, a Dissolution Tank Isolation is initiated.

5.17 UPSS Loss of External Power UPSS loss of external power signal protects against an anticipatory loss of hydrogen gation in the IU cell (i.e., loss of TSV off-gas system (TOGS) blowers and recombiners after UPSS runtime of that equipment has been exceeded). The UPSS loss of external power al is measured with a discrete input signal on two different channels, one for each Division A Division B of ESFAS. When one-out-of-two or more UPSS loss of external power signals are ve, a timer is started that must run to completion before initiating an IU Cell Nitrogen Purge. If, e the timer is running, less than one-out-of-two UPSS loss of external power signals are ve, the timer is reset and the ESFAS continues operating under normal conditions. The timer et at three minutes to provide margin to the loss of TOGS equipment after five minutes of ime on the UPSS.

NE Medical Technologies 7.5-22 Rev. 1

Table 7.5 ESFAS Monitored Variables (Sheet 1 of 4)

Variable Analytical Limit Logic Range Accuracy Response Time RVZ1 RCA exhaust radiation 5x background radiation 2/3 10-7 to 10-1 µCi/cc 20 percent 15 seconds RVZ2 RCA exhaust radiation 5x background radiation 2/3 10-7 to 10-1 µCi/cc 20 percent 15 seconds Supercell area 1 5x background radiation 2/3 10-7 to 10-1 µCi/cc 20 percent 15 seconds (PVVS area) radiation Supercell area 2 5x background radiation 1/2 10-7 to 10-1 µCi/cc 20 percent 15 seconds (extraction area A) radiation Supercell area 3 5x background radiation 1/2 10-7 to 10-1 µCi/cc 20 percent 15 seconds (purification area A) radiation Supercell area 4 5x background radiation 1/2 10-7 to 10-1 µCi/cc 20 percent 15 seconds (packaging area 1) radiation Supercell area 5 5x background radiation 1/2 10-7 to 10-1 µCi/cc 20 percent 15 seconds (purification area B) radiation Supercell area 6 5x background radiation 1/2 10-7 to 10-1 µCi/cc 20 percent 15 seconds (extraction area B) radiation Supercell area 7 5x background radiation 1/2 10-7 to 10-1 µCi/cc 20 percent 15 seconds (extraction area C) radiation Supercell area 8 5x background radiation 1/2 10-7 to 10-1 µCi/cc 20 percent 15 seconds (purification area C) radiation Supercell area 9 5x background radiation 1/2 10-7 to 10-1 µCi/cc 20 percent 15 seconds (packaging area 2) radiation Supercell area 10 5x background radiation 1/2 10-7 to 10-1 µCi/cc 20 percent 15 seconds (IXP area) radiation NE Medical Technologies 7.5-23 Rev. 1

Variable Analytical Limit Logic Range Accuracy Response Time MEPS [ ]PROP/ECI 0.1 to 50 8.8 micromho/cm 1/2 3 percent 5 seconds conductivity extraction area A micromho/cm MEPS [ ]PROP/ECI 0.1 to 50 8.8 micromho/cm 1/2 3 percent 5 seconds conductivity extraction area B micromho/cm MEPS [ ]PROP/ECI 0.1 to 50 8.8 micromho/cm 1/2 3 percent 5 seconds conductivity extraction area C micromho/cm Carbon delay bed group 1 20 ppm 1/2 0 to 30 ppm 10 percent 15 seconds exhaust carbon monoxide Carbon delay bed group 2 20 ppm 1/2 0 to 30 ppm 10 percent 15 seconds exhaust carbon monoxide Carbon delay bed group 3 20 ppm 1/2 0 to 30 ppm 10 percent 15 seconds exhaust carbon monoxide VTS vacuum header Discrete Active 1/2 Active/Inactive 5.5 seconds liquid detection switch signal input signal RDS liquid detection Discrete Active 1/2 Active/Inactive 5.5 seconds switch signal input signal TPS exhaust to 80 µCi/m3 2/3 1 to 100 µCi/m3 10 percent 5 seconds facility stack tritium TPS glovebox tritium 150 Ci/m3 2/3 0.001 to 50,000 Ci/m3 10 percent 5 seconds PVVS flow 5.0 scfm 2/3 1-20 scfm 3 percent 0.5 seconds TSPS dissolution tank 1 Discrete Active 1/2 Active/Inactive 1 second level switch signal input signal TSPS dissolution tank 2 Discrete Active 1/2 Active/Inactive 1 second level switch signal input signal NE Medical Technologies 7.5-24 Rev. 1

Variable Analytical Limit Logic Range Accuracy Response Time TRPS IU cell 1 Discrete Active 1/1 Active/Inactive 500 ms nitrogen purge signal input signal TRPS IU cell 2 Discrete Active 1/1 Active/Inactive 500 ms nitrogen purge signal input signal TRPS IU cell 3 Discrete Active 1/1 Active/Inactive 500 ms nitrogen purge signal input signal TRPS IU cell 4 Discrete Active 1/1 Active/Inactive 500 ms nitrogen purge signal input signal TRPS IU cell 5 Discrete Active 1/1 Active/Inactive 500 ms nitrogen purge signal input signal TRPS IU cell 6 Discrete Active 1/1 Active/Inactive 500 ms nitrogen purge signal input signal TRPS IU cell 7 Discrete Active 1/1 Active/Inactive 500 ms nitrogen purge signal input signal TRPS IU cell 8 Discrete Active 1/1 Active/Inactive 500 ms nitrogen purge signal input signal MEPS area A lower Discrete three-way valve supplying Active 1/2 & 1/2 Active/Inactive 1 second input signal position indication(a)

MEPS area A upper Discrete three-way valve supplying Active 1/2 & 1/2 Active/Inactive 1 second input signal position indication(a)

NE Medical Technologies 7.5-25 Rev. 1

Variable Analytical Limit Logic Range Accuracy Response Time MEPS area B lower Discrete three-way valve supplying Active 1/2 & 1/2 Active/Inactive 1 second input signal position indication(a)

MEPS area B upper Discrete three-way valve supplying Active 1/2 & 1/2 Active/Inactive 1 second input signal position indication(a)

MEPS area C lower Discrete three-way valve supplying Active 1/2 & 1/2 Active/Inactive 1 second input signal position indication(a)

MEPS area C upper Discrete three-way valve supplying Active 1/2 & 1/2 Active/Inactive 1 second input signal position indication(a)

IXP lower three-way valve Discrete Active 1/2 & 1/2 Active/Inactive 1 second supplying position indication(a) input signal IXP upper three-way valve Discrete Active 1/2 & 1/2 Active/Inactive 1 second supplying position indication(a) input signal Discrete UPSS loss of external power Active 1/2 Active/Inactive 1 second input signal A safety actuation is initiated when both the lower and upper three-way valve supplying position indications show one-out-of-two of the redundant indications are active.

NE Medical Technologies 7.5-26 Rev. 1

Table 7.5 Fail Safe Component Positions on ESFAS Loss of Power (Sheet 1 of 2)

FAIL-SAFE POSITION: CLOSED Z1 exhaust isolation dampers RVZ2 supercell area 9 (packaging area 2) inlet isolation dampers Z2 exhaust isolation dampers RVZ1 supercell area 9 (packaging area 2) outlet isolation dampers Z2 supply train 1 isolation dampers RVZ2 supercell area 10 (IXP area) inlet isolation dampers Z2 supply train 2 isolation dampers RVZ1 supercell area 10 (IXP area) outlet isolation dampers Z3 supply isolation dampers shipping/receiving IF RVZ TPS ventilation dampers Z3 supply isolation dampers shipping/receiving RPF RLWI PVVS isolation valve Z3 supply isolation dampers main RCA ingress/egress MEPS [ ]PROP/ECI A inlet isolation valve Z3 supply isolation dampers RPF emergency exit MEPS [ ]PROP/ECI B inlet isolation valve Z3 supply isolation dampers IF emergency exit MEPS [ ]PROP/ECI C inlet isolation valve Z3 exhaust isolation dampers IF emergency exit MEPS [ ]PROP/ECI A discharge isolation valve Z2 TSPS supply damper MEPS [ ]PROP/ECI B discharge isolation valve Z1 TSPS exhaust damper MEPS [ ]PROP/ECI C discharge isolation valve Z2 supercell area 1 (PVVS area) inlet isolation dampers MEPS A extraction column wash supply valve Z1 supercell area 1 (PVVS area) outlet isolation dampers MEPS A extraction column eluent valve Z2 supercell area 2 (extraction area A) inlet isolation dampers MEPS A [ ]PROP/ECI wash supply valve Z1 supercell area 2 (extraction area A) outlet isolation dampers MEPS A [ ]PROP/ECI eluent valve Z2 supercell area 3 (purification area A) inlet isolation dampers MEPS B extraction column wash supply valve Z1 supercell area 3 (purification area A) outlet isolation dampers MEPS B extraction column eluent valve Z2 supercell area 4 (packaging area 1) inlet isolation dampers MEPS B [ ]PROP/ECI wash supply valve Z1 supercell area 4 (packaging area 1) outlet isolation dampers MEPS B [ ]PROP/ECI eluent valve Z2 supercell area 5 (purification area B) inlet isolation dampers MEPS C extraction column wash supply valve Z1 supercell area 5 (purification area B) outlet isolation dampers MEPS C extraction column eluent valve Z2 supercell area 6 (extraction area B) inlet isolation dampers MEPS C [ ]PROP/ECI wash supply valve Z1 supercell area 6 (extraction area B) outlet isolation dampers MEPS C [ ]PROP/ECI eluent valve Z2 supercell area 7 (extraction area C) inlet isolation dampers IXP recovery column wash supply valve Z1 supercell area 7 (extraction area C) outlet isolation dampers IXP recovery column eluent valve Z2 supercell area 8 (purification area C) inlet isolation dampers IXP [ ]PROP/ECI wash supply valve Z1 supercell area 8 (purification area C) outlet isolation dampers IXP [ ]PROP/ECI eluent valve NE Medical Technologies 7.5-27 Rev. 1

FNHS supply valve Storage and separation system GBSS raffinate isolation valves liquid nitrogen supply valve ATIS header tritium supply isolation valves S header GBSS isolation valves ATIS glovebox exhaust header isolation valves S header GBSS bypass isolation valves TPS process evacuation GBSS isolation valves SS RVZ isolation valves TPS glovebox nitrogen supply valves S header return line isolation valves N2PS RVZ2 north header valves S process evacuation header isolation valves N2PS RVZ2 south header valves S header deuterium supply isolation valves TSPS RPCS supply cooling valves TSPS RPCS return cooling valve FAIL-SAFE POSITION: OPEN Z1 exhaust train 1 blower breakers PVVS blower bypass valves Z1 exhaust train 2 blower breakers PVVS carbon guard bed bypass valves Z2 exhaust train 1 blower breakers PVVS carbon delay bed group 1 outlet isolation valves Z2 exhaust train 2 blower breakers PVVS carbon delay bed group 2 outlet isolation valves Z2 supply train 1 blower breakers PVVS carbon delay bed group 3 outlet isolation valves Z2 supply train 2 blower breakers MEPS A extraction feed pump breakers S vacuum transfer pump 1 breakers MEPS B extraction feed pump breakers S vacuum transfer pump 2 breakers MEPS C extraction feed pump breakers S vacuum transfer pump 3 breakers N2PS IU cell header valves S vacuum break valves N2PS RPF header valves FAIL-SAFE POSITION: SUPPLYING VS carbon delay bed group 1 three-way valves VS carbon delay bed group 2 three-way valves VS carbon delay bed group 3 three-way valves FAIL-SAFE POSITION: DISCHARGING PS area A lower three-way valve MEPS area C lower three-way isolation valve PS area A upper three-way valve MEPS area C upper three-way isolation valve PS area B lower three-way valve IXP upper three-way valve PS area B upper three-way valve IXP lower three-way valve NE Medical Technologies 7.5-28 Rev. 1

Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 1 of 24)

SHINE Medical Technologies 7.5-29 Rev. 1

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 2 of 24)

Trip Determination SHINE Medical Technologies 7.5-30 Rev. 1

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 3 of 24)

Trip Determination SHINE Medical Technologies 7.5-31 Rev. 1

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 4 of 24)

Trip Determination SHINE Medical Technologies 7.5-32 Rev. 1

Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 5 of 24)

SHINE Medical Technologies 7.5-33 Rev. 1

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 6 of 24)

Trip Determination SHINE Medical Technologies 7.5-34 Rev. 1

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 7 of 24)

Trip Determination SHINE Medical Technologies 7.5-35 Rev. 1

Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 8 of 24)

SHINE Medical Technologies 7.5-36 Rev. 1

Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

Engineered Safety Features Chapter 7 - Instrumentation and Control Systems Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 9 of 24)

SHINE Medical Technologies 7.5-37 Rev. 1

Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 10 of 24)

SHINE Medical Technologies 7.5-38 Rev. 1

Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 11 of 24)

SHINE Medical Technologies 7.5-39 Rev. 1

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 12 of 24)

Safety Functions SHINE Medical Technologies 7.5-40 Rev. 1

Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 13 of 24)

SHINE Medical Technologies 7.5-41 Rev. 1

Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

Engineered Safety Features Chapter 7 - Instrumentation and Control Systems Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 14 of 24)

SHINE Medical Technologies 7.5-42 Rev. 1

Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 15 of 24)

SHINE Medical Technologies 7.5-43 Rev. 1

Engineered Safety Features Chapter 7 - Instrumentation and Control Systems Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 16 of 24)

Safety Functions SHINE Medical Technologies 7.5-44 Rev. 1

Engineered Safety Features Chapter 7 - Instrumentation and Control Systems Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 17 of 24)

Safety Functions SHINE Medical Technologies 7.5-45 Rev. 1

Chapter 7 - Instrumentation and Control Systems Engineered Safety Features Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 18 of 24)

Nonsafety Decode SHINE Medical Technologies 7.5-46 Rev. 1

Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

Engineered Safety Features Chapter 7 - Instrumentation and Control Systems Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 19 of 24)

SHINE Medical Technologies 7.5-47 Rev. 1

Engineered Safety Features Chapter 7 - Instrumentation and Control Systems Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 20 of 24)

Priority Logic SHINE Medical Technologies 7.5-48 Rev. 1

Engineered Safety Features Chapter 7 - Instrumentation and Control Systems Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 21 of 24)

Priority Logic SHINE Medical Technologies 7.5-49 Rev. 1

Engineered Safety Features Chapter 7 - Instrumentation and Control Systems Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 22 of 24)

Priority Logic SHINE Medical Technologies 7.5-50 Rev. 1

Engineered Safety Features Chapter 7 - Instrumentation and Control Systems Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 23 of 24)

Priority Logic SHINE Medical Technologies 7.5-51 Rev. 1

Engineered Safety Features Chapter 7 - Instrumentation and Control Systems Actuation System Figure 7.5 ESFAS Logic Diagrams (Sheet 24 of 24)

Legend SHINE Medical Technologies 7.5-52 Rev. 1

NE Medical Technologies 7.5-53 Rev. 1 NE Medical Technologies 7.5-54 Rev. 1 NE Medical Technologies 7.5-55 Rev. 1 NE Medical Technologies 7.5-56 Rev. 1 NE Medical Technologies 7.5-57 Rev. 1 NE Medical Technologies 7.5-58 Rev. 1 SHINE facility control room contains the necessary workstations, displays, and control inets needed for the operation of the SHINE facility. Within the facility control room there is a n control board, two operator workstations, and a supervisor workstation. The operator kstations consist of equipment control display screens and human interface equipment, and main control board consists of status indication panels, static display screens, and manual ation interfaces. The supervisor workstation is similar to the other operator workstations, with exception that the display screens, called equipment display screens, are for monitoring poses only. The main control board, operator and supervisor workstations, and associated trol cabinets are considered part of the process integrated control system (PICS). As part of PICS, the main control board, operator workstations, and supervisor workstation are not dited with performing safety functions and only assist operators in performance of normal rations or diverse actuations to the safety systems.

1 DESCRIPTION 1.1 Main Control Board main control board is located on the east wall of the facility control room between the two ances to the room, as shown in Figure 7.6-1. The main control board sits 25 feet wide along east wall and contains eight status indication panels, each dedicated to a single irradiation (IU), and a ninth status indication panel section dedicated to other processes within the lity. The ninth panel for the facility is located between the fourth and fifth IU panel sections.

static display screens, which show the variables important to the safety functions of the IU other facility processes, are located on the upper half of the main control board. The figuration of the status indication panels, including the location of the static display screens, is wn in Figure 7.6-2. The static display screens are used by the operator to verify the status of SHINE facility. The current mode of operation for each IU is displayed on a static display en on the associated status indication panel.

nual actuation interfaces (i.e., physical push buttons and switches), which provide diverse ans to actuate automated safety functions, are located in the space directly below the static lay screens at each status indication panel, as shown in Figure 7.6-2. In the same area as manual actuation interfaces, there is an enable nonsafety switch (labeled E/D for able/Disable), which allows operators to enable the PICS ability to manipulate equipment r control had been overwritten by the target solution vessel (TSV) reactivity protection system PS) or the engineered safety features actuation system (ESFAS). Manual actuations are not uired to ensure adequate safety of the facility, as described in Chapter 13.

facility status indication panel also includes the facility master operating permissive (labeled S for Operating/Secure) in the same area as the manual actuation interfaces.

ility and IU alarms are visually alerted on the main control board above the associated static lay screens.

NE Medical Technologies 7.6-1 Rev. 0

operator workstations are centrally located in the facility control room facing the main control rd. Each workstation contains multiple equipment control display screens. One of the display ens is used to display the alarms present in the facility. Configuration of the operator kstations is shown in Figure 7.6-1.

er workstation can display any of the available PICS display screens for monitoring poses. Control of the IUs is split between the two workstations, with one workstation normally ponsible for control of IUs one through four, and the other workstation normally responsible control of IUs five through eight. Control of the process systems is split between the two kstations to prevent the two operators from inputting conflicting commands. While control of h UI or process is normally assigned to a particular workstation, control can also be sferred between workstations for operational flexibility. Only one workstation is allowed to t control commands to a particular IU at any time. One of the screens at the operator kstation is designated as monitoring only, so that when an alarm is present, the screen omatically changes the content displayed to the current alarms that are present without rrupting a control process. The remaining screens can be used for control or monitoring as operator tasks demand.

des of operation are advanced by the operator at the operator workstation through the use of equipment control screens. Even though the operator has the ability to advance the mode of ration at the workstation, maintaining of the current mode of operation is done in the ty-related control systems. If permissive conditions are not met to achieve the next mode of ration, the operator will not be able to move on to the following mode of operation until missive conditions have been achieved.

1.3 Supervisor Workstation supervisor workstation is located on the west side of the facility control room facing the rator workstations and the main control board. The supervisor workstation is raised from the lity control room floor and contains display screens used for monitoring facility status only.

supervisor workstation allows the supervisor to select and monitor the appropriate screen to current tasks being supported by the supervisor.

1.4 Maintenance Workstation maintenance workstation receives diagnostic and indication information for the TRPS and ESFAS. Any module failure or warning is shown at the maintenance workstation and a log of h is maintained there for use. The maintenance workstation is also used to update setpoints in the safety function module in the chassis. This is done through a temporary connection to monitoring and indication communication module of the associated division, as described in tion 7.2.

Division A maintenance workstation is located in the Division A TRPS cabinet that houses TRPS for IUs 7 and 8. Division A of the TRPS is located on the south side of the facility trol room. The Division A maintenance workstation can also be used for performing ntenance on Division C cabinets.

NE Medical Technologies 7.6-2 Rev. 0

trol room. The typical arrangement of the maintenance workstation in a TRPS cabinet is wn in Figure 7.6-3.

2 DESIGN CRITERIA SHINE design criteria applicable to the control console and display instruments are provided ubsection 7.2.1. The SHINE design criteria are described in Section 3.1.

itional criteria applicable to these components are as follows:

2.1 Access Control S Criterion 10 - The operator workstation and main control board design shall incorporate ign or administrative controls to prevent or limit unauthorized physical and electronic access ritical digital assets (CDAs) during the operational phase, including the transition from elopment to operations. CDAs are defined as digital systems and devices that are used to orm or support, among other things, physical security and access control, safety-related ctions, and reactivity control.

2.2 Software Requirements Development S Criterion 11 - A structured process, which is commensurate with the risk associated with its re or malfunction and the potential for the failures challenging safety systems, shall be used eveloping software for the operator workstations and the main control board.

S Criterion 12 - The operator workstation and main control board development life cycle se-specific security requirements shall be commensurate with the risk and magnitude of the m that would result from unauthorized and inappropriate access, use, disclosure, disruption, estruction of the operator workstation and main control board and display instruments.

S Criterion 13 - The operator workstation and main control board software development life e process requirements shall be described and documented in appropriate plans which shall ress verification and validation (V&V) and configuration control activities.

S Criterion 14 - The operator workstation and main control board configuration control gram shall assure that the required hardware and software are installed in the appropriate tem configuration and ensure that the correct version of the software/firmware is installed in correct hardware components.

2.3 General I&C Requirements S Criterion 15 - The main control board shall be functional, accessible within the time straints of operator responses, and available during operating conditions to confirm safety tem status.

S Criterion 16 - Loss of power, power surges, power interruption, and any other credible nt to the operator workstations shall not result in spurious actuation or stoppage of any tem displaying variables important to the safe operation of the safety systems.

NE Medical Technologies 7.6-3 Rev. 0

ctivity of the target solution vessel, shall be readily accessible and understandable to the rator.

2.4 Independence S Criterion 18 - Operator workstations and the main control board, where associated with h safety and nonsafety functions, shall not impede execution of the safety function.

S Criterion 19 - The operator workstations and main control board data that is transmitted to ote displays shall be protected by one-way communication through the use of hardware ices to a processor that is protected by a firewall.

2.5 Fail Safe S Criterion 20 - The operator workstations and main control board shall be designed to ume a safe state on loss of electrical power or exposure to adverse environments.

S Criterion 21 - When required by the safety analysis, the main control board shall have a ble source of emergency power sufficient to sustain operation of the indications on loss of mal electrical power.

2.6 Surveillance S Criterion 22 - The operator workstations and main control board shall be readily testable.

2.7 Human Factors S Criterion 23 - Human factors shall be considered at the initial stages and throughout the rator workstation and main control board design process to ensure that the outputs and lay devices showing irradiation unit and process facility status are readily observable by the rator while the operator is positioned at the controls and manual actuation switches.

2.8 Annunciators S Criterion 24 - Alarms and annunciators shall clearly show the status of the operating tems, interlocks, engineered safety feature initiations, confinement and containment status, ation fields and concentration, and confinement and containment status.

S Criterion 25 - Hardware and software failures shall be assessed in reliability analyses of annunciators used to support normal and emergency operations.

2.9 Quality S Criterion 26 - Controls over the design, fabrication, installation, and modification of the rator workstations and main control board shall conform to the guidance of SI/ANS 15.8-1995 (ANSI/ANS, 1995), as endorsed by Regulatory Guide 2.5 (USNRC, 2010).

NE Medical Technologies 7.6-4 Rev. 0

3.1 Display and Control Functions h IU-specific status indication panel indicates variables important for verifying proper ration of safety systems following automatic actuation of the TRPS. The facility specific status cation panel indicates variables important for verifying proper operation of safety systems d in other facility systems following automatic actuation of the ESFAS. Each set of static lay screens on the status indication panels is used to support an operator in performing nual actuation of a safety function. Manual actuations are performed from the main control rd, where the static display screens are visible from the manual actuation push buttons.

operator workstations have multiple equipment control display screens available to support mal control functions and provide indication of alarms. The equipment control display screens e the capability of providing at least 30 minutes of data trending from instrumentation ables obtained from the ESFAS, TRPS, and those variables associated with identifying a ach of the primary system boundary or determining and assessing the magnitude of oactive material release to assist operators actions. Operator interaction with the equipment trol display screens is through a keyboard and mouse interface.

supervisor workstation provides monitoring only displays so that the supervisor can select monitor the appropriate screen to the current tasks being supported by the operator.

3.2 Operating Conditions operator workstations and the main control board are designed to operate in the normal ironmental conditions of the facility control room, presented in Table 7.2-2. The main control rd status indication panels are designed to operate in the transient environmental conditions d in Table 7.2-2 for a minimum of two hours after initiation of a protective action resulting a design basis event.

he event of a loss of ventilation to the facility control room, the environment within the facility trol room is calculated to remain below 120ºF after two hours. This result is based on the wing assumptions:

Initial facility control room temperature: 75ºF

Outdoor air temperature: 102.6ºF

Facility control room occupancy: 10

Facility control room equipment load: 29 kW is within the temperature indicated in Table 7.2-2 for the required two-hour runtime.

refore, no safety-related ventilation or cooling systems are required to ensure the safety-ted I&C systems located in the control room can continue to perform their safety function as uired.

3.3 Human Factors design of the facility control room, display screens, and operator interfaces incorporate an factors principles. The layout of screens presenting the same information on equipment trol display screens and static display screens are identical for each operator workstation, NE Medical Technologies 7.6-5 Rev. 0

rator may use to perform a task are placed such that they are visible from the operator kstation, with the displays most frequently used being placed closest to the operator.

supervisor workstation is placed and arranged so that the supervisor has a visual of both rator workstations, the displays that the operators are working from, and the main control rd. Operator workstations are oriented such that the status indication panels associated with IUs the operator is responsible for are directly ahead of the operator from the operator kstation. The point where the main control board transitions from displays that are associated one operator to the next is occupied by the facility status indication panel, as both operators typically responsible for information on the static display screens located there.

manual actuation push buttons are located directly below the static display screens so that operator can be directly monitoring the variables important to the safe operation of the facility n the manual actuation is performed. The use of selector switch and push buttons in the e product line ensure consistency in look and function. These push buttons also include a itive position indication and a protective guard to prevent inadvertent actuation.

4 OPERATIONAL PERFORMANCE OVERVIEW 4.1 Displays plays of information related to the operation of the SHINE facility are available to the operator he workstations and the main control board. The displays at each of the operator kstations, supervisor workstation, and main control board are digital displays. Displays are gramed such that the range of the displayed information includes the expected range of ation of the monitored variable.

h of the variables listed in Table 7.4-1 and Table 7.5-1 is continuously displayed on the static lays of the main control board. The position indication of actuation components identified in tions 7.4 and 7.5 are also available on the static display screens.

iables available to the PICS, including the variables from Table 7.4-1 and Table 7.5-1, are ilable for display on the various PICS displays on the equipment control displays at the rator workstations and supervisor workstation.

play of interlock and bypass status is available on each of the PICS displays of the equipment trol display screens for the equipment or instrument channel that has been bypassed.

assed channels for the safety systems are also visible on the maintenance workstation.

uded in displayed variables at the equipment control displays, the following variables ociated with a breach of the primary system boundary are uniquely identified:

TSV level

TSV dump tank level o included in displayed variables at the equipment control displays, the following variables d in determining and assessing the magnitude of radioactive material release are provided for lay on equipment control display screens:

NE Medical Technologies 7.6-6 Rev. 0

Radiological ventilation zone 1 (RVZ1) radiologically control area (RCA) exhaust radiation detectors

Radiological ventilation zone 2 (RVZ2) RCA exhaust radiation detectors iation monitoring information is conveyed from the radiation monitoring instruments cribed in Section 7.7 to the PICS and displayed in the facility control room. Radiation nitoring information is available on demand at the operator workstations.

operator workstation provides detailed visual alarms to the operator to represent unfavorable us of the facility systems. Indications at the operator workstation are provided as visual dback as well as visual features to indicate that systems are operating properly. An alarm sent indication is provided for each IU and for the facility process systems on each status cation panel.

play values on each PICS display screen are automatically updated as more current data omes available. Each PICS display screen presented on the operator workstation has a title eader and unique identification to distinguish each display page.

maintenance workstation provides diagnostic information received from the ESFAS and PS on system status to be used as a test interface.

ited function local displays, including radiation monitoring information, are also provided in irradiation facility (IF) and radioisotope production facility (RPF) at select locations.

4.2 Controls nual controls are provided on both of the operator workstations, via input to the PICS, and on main control board.

nual controls for the safety-related protective functions are located at each status indication el. Nonsafety manual push buttons that provide a diverse actuation to the automatically erated safety actuations are located directly below the static display screens for the pective status indication panel that the manual push button is associated. Where the figuration of the actuation components does not allow for regular control of the PICS during mal operation, or in the event that an automated actuation has occurred, a safety-related ble nonsafety switch is located next to the manual push buttons to provide the operator the ity to control actuation components or to reset the safety-related control systems using the S following the actuation of a protective function. The enable nonsafety switch is a e-position return-to-center switch with states for Enable, Disable and the return-to-center rating as-is state. To provide the operators the ability to place the facility into the Facility ure state, an additional manual key switch is located at the facility status indication panel w the static display screens. The switch has two positions of operation, Secured and rating.

trols for normal operation are provided at the operator workstations. Multiple equipment trol displays are set up at each operator workstation for operators to select the PICS display en that coincides with the task that the operator is currently performing. Interface with the ipment control displays is through a keyboard and mouse provided for each operator NE Medical Technologies 7.6-7 Rev. 0

lays provide control functions. For the remaining set of IUs, the PICS displays provide nitoring capabilities only. Control screens that are not specific to an IU are similarly assigned nly one operator workstation at a time. The supervisor workstation is provided each of the e PICS displays; however, no control functions are provided at the supervisor workstation.

y providing control capabilities for each IU or facility system or process to a single workstation vents the operators from entering conflicting commands to a single component or process.

a failure of one operator workstation, control functions assigned to that station can be sferred to the remaining operator workstation.

nual actuation inputs are connected downstream of the safety-related control system grammable logic functions as described in Subsection 7.2.2.3.

4.3 Information Retrieval variables monitored by each of the safety systems, radiation monitoring systems, and the S is recorded into a data historian. The PICS obtains the information that is to be recorded provides that information to the facility data and communication system (FDCS) where the a historian is located. Through the use of the information provided to the FDCS, off-site nitoring is provided. Information from the FDCS historian is able to be retrieved by operations sonnel in the facility control room on demand.

data historian provides the ability to retrieve at least 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> of post-event data logging as scribed in the interim staff guidance (ISG) document for Chapter 7 of NUREG-1537.

4.4 Reliability al batteries are provided for PICS servers, the operator workstations, and the main control rd such that the PICS continues to operate for at least 10 minutes after a loss of external er. The standby generator system (SGS) provides back-up power to the PICS if normal er is interrupted.

play screens in the facility control room are industrial flat panel displays to ensure compliance electromagnetic compatibility requirements in an industrial setting.

nsmission of information between systems is through unidirectional data transfers. Each of safety system communications to the nonsafety PICS system is through one-way data munications from the safety systems to the nonsafety system. There are no unidirectional munications that allow the nonsafety system to communicate back to the safety systems venting the ability to propagate a failure from the nonsafety control system displays to the ty control systems. The PICS communication to the FDCS is through a one-way data diode h that no communication from outside of the PICS (other than the inputs from the safety-ted control systems) can have an impact on the operation of the PICS. Communications of indication and diagnostic information of the TRPS and ESFAS to the maintenance kstation are through a unidirectional point-to-point communication bus so that the ntenance workstation does not have an effect on the TRPS or ESFAS.

ilure in the display systems results in distinct display changes, which directly indicate that icted plant conditions are invalid.

NE Medical Technologies 7.6-8 Rev. 0

ions of the PICS displays.

5 TECHNICAL SPECIFICATIONS tain material in this section provide information that is used in the technical specifications.

includes limiting conditions for operation, setpoints, design features, and means for omplishing surveillances. In addition, significant material is also applicable to, and may be renced in the bases that are described in the technical specifications.

NE Medical Technologies 7.6-9 Rev. 0

NE Medical Technologies 7.6-10 Rev. 0 NE Medical Technologies 7.6-11 Rev. 0 NE Medical Technologies 7.6-12 Rev. 0 section describes systems and components that perform radiation monitoring functions in the SHINE facility. Radiation monitoring systems and components include:

safety-related process radiation monitors included as part of the engineered safety features actuation system (ESFAS), target solution vessel (TSV) reactivity protection system (TRPS), and tritium purification system (TPS);

nonsafety-related process radiation monitors included as part of other facility processes;

area radiation monitoring consisting of the radiation area monitoring system (RAMS);

continuous air monitoring consisting of the continuous air monitoring system (CAMS);

effluent monitoring consisting of the stack release monitoring system (SRMS); and

criticality accident monitoring consisting of the criticality accident alarm system (CAAS).

objective of the radiation monitoring systems is to:

provide SHINE facility control room personnel with a continuous record and indication of radiation levels at selected locations within processes and within the facility;

provide local radiation and criticality safety information and alarms for personnel within the facility;

provide input to safety-related control systems to actuate safety systems; and

provide the ability to monitor radioactive releases to the environment.

agram showing how the facility radiation monitoring systems relate to the overall facility rumentation and control (I&C) architecture is provided as Figure 7.1-1.

1 SAFETY-RELATED PROCESS RADIATION MONITORING 1.1 System Description ety-related process radiation monitors provide input to the safety-related ESFAS or TRPS trol systems. These components monitor for either fission products (via beta detection) or

m. Beta detection radiation monitors are part of the ESFAS or TRPS. The type of safety-ted process radiation monitor (fission product or tritium) is selected based on the location and tity of the radioactive material present. The ESFAS and TRPS process radiation monitors a detection) are intended to detect abnormal situations within the facility ventilation systems provide actuation signals to the ESFAS controls. Safety-related tritium monitors are part of TPS. The TPS monitors are installed within various portions of the TPS to detect potential m releases, provide actuation signals to the ESFAS controls, and provide interlock inputs to TRPS controls. Information from safety-related process radiation monitors is displayed in the lity control room on the operator workstations (via the process integrated control system S]).

st of safety-related process radiation monitors is provided in Table 7.7-1.

ic diagrams depicting how the safety-related process radiation monitors provide inputs to FAS and TRPS are provided in Figures 7.4-1 and 7.5-1.

NE Medical Technologies 7.7-1 Rev. 0

SHINE design criteria are described in Section 3.1. The SHINE design criteria applicable to safety-related process radiation monitoring are provided in Table 3.1-1 1.3 Design Bases safety functions of the process radiation monitors are: (1) to detect radioactivity in excess of mal levels and provide an actuation signal to the ESFAS or TRPS controls, or (2) to provide t to TRPS for interlocking the operation of the neutron driver. Additional discussion of TRPS ESFAS functions, interlocks, and bypasses are provided in Sections 7.4 and 7.5.

h location that requires process radiation monitoring as determined by the safety analysis is ipped with safety-related process radiation monitors. The specified minimum number of cess radiation monitors (divisions) are only required to be operable when the location being nitored contains radioactive material, as specified in Table 7.7-1.

cess radiation monitors are selected for compatibility with the normal and postulated accident ironmental and radiological conditions.

ing normal operation, the process radiation monitors are designed to operate in the normal ironmental conditions identified in Table 7.2-2 through 7.2-5 for an expected 20-year lifetime he equipment. During normal operation, the process radiation monitors will operate in the licable normal radiation environments identified in Table 7.2-1 for up to 20 years, replaced at equency sufficient such that the radiation qualification of the affected components are not eeded. The monitors are designed to operate in the transient conditions identified in les 7.2-1 through 7.2-5 until the associated protective function has continued to completion.

st of safety-related process radiation monitors, specifying the monitored location, number of sing divisions provided, and operability requirements, is provided in Table 7.7-1.

variables to be monitored and their ranges, accuracies, setpoints and response times of ty-related process radiation monitors are provided in Table 7.5-1. Instrument accuracies are ropriate for the associated setpoints. Signal processing time for the ESFAS and TRPS is vided in Subsection 7.2.2.3.

ety-related radiation monitoring channels produce a full-scale reading when subject to ation fields higher than the full-scale reading, however, they are expected to remain on-scale ng accident conditions. The safety-related process radiation monitors that provide actuation als are designed to function in the range necessary to detect accident conditions and provide ty-related inputs to the ESFAS and TRPS control systems. For defense-in-depth, the ologically controlled area (RCA) exhaust, general area direct radiation levels, and general a airborne particulates are monitored by stack release, radiation area, and continuous area nitors, respectively.

NE Medical Technologies 7.7-2 Rev. 0

gle Failure east two process radiation monitors are provided for each protection function input parameter, h providing input to the associated division of the safety-related control system. Redundancy onitors ensure that a failure of one monitor will not prevent the control system from orming its safety function.

Division A process radiation monitors receive power from Division A of the uninterruptible er supply system (UPSS), and Division B monitors receive power from UPSS Division B.

sion C monitors, when provided, receive auctioneered power from both UPSS Division A B.

refore, no single failure of a detector, control division, or power division will prevent the ty-related control system from performing its safety function.

ependence ety-related process radiation monitors provide analog communication to the ESFAS and PS controls. Divisional communication independence is maintained by implementing separate dwired connections to the separate ESFAS or TRPS controls divisions.

iation monitoring data provided to nonsafety control systems is through one-way isolated puts.

ety-related process radiation monitors from separate divisions are physically separated from h other and independently powered from the associated UPSS division.

undancy h location that requires engineered safety features to actuate in response to radiation levels, etermined by the safety analysis, is provided with at least two independent safety-related cess radiation monitors, designated as Divisions A and B. For locations where spurious ation of a process radiation monitor could significantly impact overall facility operation, a third sing division (Division C) is provided.

man Factors, Display and Recording ection and display of process radiation monitor variables are designed with consideration of an factors principles.

Section 7.6 for additional discussion of information presented to facility operators and orded for future use.

lity ety-related process radiation monitors are designed, fabricated, erected, and tested to quality dards commensurate with the importance of the safety functions to be performed.

NE Medical Technologies 7.7-3 Rev. 0

Institute of Electrical and Electronics Engineers (IEEE) 344-2013, Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations (IEEE, 2013), Section 8, for seismic qualification of radiation monitors 1.5 Operation and Performance safety-related process radiation monitors are designed to operate under normal conditions, ng anticipated transients, and during design basis accidents such that they will perform their ty function.

ctionality PS process radiation monitors monitor the ventilation line from the primary closed loop cooling tem (PCLS) expansion tanks, which are located in each irradiation unit (IU) cell. These nitors provide an actuation signal when radiation levels exceed pre-determined limits, cative of a release of target solution or fission products within the PCLS or the primary finement atmosphere (with which the tank communicates). The actuation results in an IU Cell ety Actuation for that unit.

FAS process monitors associated with the supercell monitor the ventilation exhaust from each cell and provide an actuation signal when radiation levels exceed pre-determined limits, cative of a release of target solution or fission products within that hot cell. The actuation ults in isolation of the affected hot cell.

FAS process monitors associated with the radiological ventilation zone 1 (RVZ1) and ological ventilation zone 2 (RVZ2) exhaust are designed to provide an actuation signal when ation levels in the RCA ventilation exhaust systems exceed pre-determined limits, indicative failure of a confinement boundary within the facility. The actuation results in isolation of Z1, RVZ2, and radiological ventilation zone 3 (RVZ3) ventilation.

TPS process monitors associated with the TPS glovebox are designed to provide an ation signal when tritium concentrations within the glovebox exceed predetermined limits, cative of a failure of TPS process equipment and release of tritium into the glovebox. The ation results in isolation of the glovebox and ventilation associated with the TPS room.

TPS process monitors associated with the TPS glovebox stripper system (GBSS) exhaust designed to provide an actuation signal when tritium concentrations in the exhaust of the SS exceed predetermined limits, indicative of a failure of the GBSS or release of tritium into TPS glovebox. The actuation results in isolation of the glovebox and ventilation associated the TPS room.

TPS process monitors associated with each IU gas return line are designed to provide an rlock to prevent transition to Mode 2 (irradiation) when [

]PROP/ECI.

itional discussion of safety-related process radiation monitor functionality is provided in tions 7.4 and 7.5.

NE Medical Technologies 7.7-4 Rev. 0

safety-related process radiation monitors are provided for each location requiring nitoring. For locations where spurious actuation of the process radiation monitor could ificantly impact overall facility operation, a third sensing division (Division C) is provided for

-out-of-three voting capability.

rument ranges and response times are provided in Table 7.5-1.

points, Calibration and Surveillance points for safety-related process radiation monitors are selected based on analytical limits calculated to account for known uncertainties in accordance with the setpoint determination hodology described in Subsection 7.2.3.

nitors are periodically functionally tested and maintained in accordance with the facility nical specifications to verify operability.

rument background count rate is observed to ensure proper functioning of the monitors.

ety-related process radiation monitors located in a low background area are equipped with a ck source to be able to verify proper operation.

ety-related process radiation monitors are calibrated using commercial radionuclide dards that have been standardized using a measurement system traceable to the National itute of Standards and Technology (NIST).

1.6 Technical Specifications tain material in this section provides information that is used in the technical specifications.

includes limiting conditions for operation, setpoints, design features, and means for omplishing surveillances. In addition, significant material is also applicable to, and may be renced by the bases that are described in the technical specifications.

2 NONSAFETY-RELATED PROCESS RADIATION MONITORING safety-related process radiation monitoring is provided as part of various systems to provide rmation to the operator on the status and effectiveness of processes. They may be used to nose process upsets but are not relied upon to prevent or mitigate accidents. Nonsafety-ted process radiation monitoring is not used to control personnel or environmental ological exposures.

3 AREA RADIATION MONITORING 3.1 System Description a radiation monitoring within the facility is provided by the RAMS. Area radiation monitors are ted in areas where personnel may be present and where radiation levels could become ificant. The monitors provide local and remote indication of radiation levels and provide local ms to notify personnel of potentially hazardous conditions. The RAMS provides a nonsafety-ted defense-in-depth as low as reasonably achievable (ALARA) function of alerting personnel NE Medical Technologies 7.7-5 Rev. 0

d to evacuate those area if conditions warrant. Additional discussion of radiation protection ctices is provided in Chapter 11.

h RAMS unit consists of a dose rate meter/controller, Geiger Mueller or silicon detector, local ation level display, audible horn, and an alarm beacon. RAMS unit locations are provided in le 7.7-2.

RAMS also provides remote indication of the radiological status of the facility to control room sonnel. RAMS information is provided on both the operator workstations (via the PICS) and a central control terminal located in the control room.

MS units are powered from the normal power supply system and provided backup power from standby generator system (SGS). Electrical power systems are discussed further in pter 8.

3.2 Design Criteria SHINE design criteria are described in Section 3.1. The SHINE design criteria applicable to RAMS are provided in Table 3.1-2.

3.3 Design Bases RAMS functions continuously to alert facility personnel entering or working in low radiation as of increasing or abnormally high radiation levels which, if unnoticed, could possibly result advertent overexposures. The RAMS also serves to inform the control room operator of the urrence and approximate location of an abnormal radiation increase in low-radiation areas.

MS units are designed to operate in the normal environmental conditions presented in le 7.2-2.

3.4 Operation and Performance RAMS area radiation monitors are designed to operate under normal facility conditions and etect radiation that may be indicative of anticipated transients or design basis accidents.

RAMS includes the area radiation monitoring units located in the main production facility A. Each RAMS unit is designed to detect direct radiation from 0.1 mrem/hr up to 10 rem/hr.

m setpoints are set conservatively as required to notify workers to potential hazards or ificant changes to radiological conditions in the area.

MS units have an accuracy of at least 25 percent of the measured value. Monitors are odically calibrated using calibration sources that are traceable to factory tests that verified al calibration and accuracy. The units are calibrated at least annually and as recommended he instrument manufacturer. Monitors are periodically functionally tested using installed ck sources, which simulate a radiation level in the area.

NE Medical Technologies 7.7-6 Rev. 0

re are no technical specifications applicable to the RAMS.

4 CONTINUOUS AIR MONITORING 4.1 System Description tinuous airborne contamination monitoring within the facility is provided by the CAMS. Each MS unit samples air and provides real time alpha and beta activities or tritium activity to alert sonnel when airborne contamination is above preset limits. CAMS units are located in areas re personnel may be present and where contamination levels could become significant. Each MS unit provides local and remote indication of airborne radiation levels and alarm abilities. The CAMS provides a nonsafety-related defense-in-depth ALARA function of ting personnel of the need to evacuate an area if required. Additional discussion of radiation ection practices is provided in Chapter 11.

ticulate continuous air monitors are alpha-beta air monitors, which are self-contained units ipped with a vacuum pump, particulate filter and a silicon-based detector. Real time tritium air nitors are self-contained units equipped with a vacuum pump and dual ionization chambers.

MS unit locations are provided in Table 7.7-3.

MS units are powered from the normal power supply system and provided backup power from SGS. Electrical power systems are discussed further in Chapter 8.

4.2 Design Criteria SHINE design criteria are described in Section 3.1. The SHINE design criteria applicable to CAMS are provided in Table 3.1-2.

4.3 Design Bases CAMS functions continuously to immediately alert facility personnel entering or working in radiation areas of increasing or abnormally high airborne contamination levels which, if oticed, could possibly result in inadvertent overexposures. The CAMS also serves to inform control room operator of the occurrence and approximate location of an abnormal radiation ease in low-radiation areas.

MS units are designed to operate in the normal environmental conditions presented in le 7.2-2.

4.4 Operation and Performance CAMS airborne contamination monitors are designed to operate under normal facility ditions and to detect radiation that may be indicative of anticipated transients or design basis idents.

CAMS includes the continuous airborne contamination monitoring units located in the main duction facility RCA. Each particulate CAMS unit has a minimum sensitivity of 1E-12 Ci/cc a and 1E-10 Ci/cc beta, with a span of at least six decades of monitoring capability. Each NE Medical Technologies 7.7-7 Rev. 0

m setpoints are set conservatively as required to notify workers to potential hazards or ificant changes to radiological conditions in the area. Monitors are periodically calibrated g calibration sources that are traceable to factory tests that verified initial calibration and uracy. The calibration of instrumentation is at least annually and as recommended by the rument manufacturer. Operation and response tests of instruments are performed consistent the manufacturers recommendations and are conducted at a frequency consistent with stry practices.

4.5 Technical Specifications re are no technical specifications applicable to the CAMS.

5 EFFLUENT MONITORING 5.1 System Description uent monitoring for the facility is provided by the SRMS. The SRMS is composed of two nitoring units: the main facility stack release monitor (SRM), and the carbon delay bed effluent nitor (CDBEM).

SRM is used to demonstrate that gaseous effluents from the SHINE facility are within ulatory limits and does not have an accident mitigation or personnel protection function. The M performs its function by drawing a representative air sample from the stack and providing a ans to measure the air sample for noble gases (continuous measurement) and capturing iculates, iodine, and tritium for collective measurement.

CDBEM monitors for noble gases at the exhaust of the process vessel vent system (PVVS) bon delay beds to provide information about the health of the PVVS carbon delay beds and to vide the ability to monitor the safety-related exhaust point effluent release pathway when it is se. The CDBEM is used on an as needed basis to demonstrate that gaseous effluents from SHINE facility are within regulatory limits (e.g., during a loss of off-site power when the mal heating, ventilation, and air conditioning (HVAC) systems and the PVVS are not rating) and does not have an accident mitigation or personnel protection function. Two iculate and iodine filters (redundant configuration) are provided for in-line capturing and ective measurement when the safety-related exhaust point is in use.

locations of the SRM and CDBEM within the facility ventilation systems are shown in ure 7.7-1.

5.2 Design Criteria SHINE design criteria are described in Section 3.1. The SHINE design criteria applicable to SRMS are provided in Table 3.1-2.

NE Medical Technologies 7.7-8 Rev. 0

SRMS functions to continuously monitor noble gases that are present in facility effluent ams and to allow for the collection and analysis of particulate, iodine, and tritium.

MS units are designed to operate in the normal environmental conditions presented in le 7.2-3 and the radioisotope production facility (RPF) general area radiological environment sented in Table 7.2-1.

5.4 Design Attributes following standard is applied to the design of the facility effluent monitors:

ANSI N13.1-1999, Sampling and Monitoring Release of Airborne Radioactive Substances from the Stacks and Ducts of Nuclear Facilities (ANSI, 1999) 5.5 Operation and Performance SRMS units are designed to operate under normal facility conditions and to detect radiation may be indicative of anticipated transients or design basis accidents.

SRM is used to monitor the main facility stack, which is the normal release path for gaseous ents from the PVVS and RCA ventilation systems. A shrouded probe is used in the SRM to draw air from the main facility stack flow stream. The probe is designed for high efficiency action of aerosols from ventilation stacks, meeting requirements for ANSI N13.1-1999 (ANSI, 9). The SRM includes a mass flow controller to regulate sample flow rate in the isokinetic on relative to stack flow. A vacuum pump is used to draw sampled air through particulate and ne filter cartridges, which are removed and analyzed periodically. The sampled air is then wn into a sample chamber, which houses a beta detector used to measure the noble gas onuclides. The ratemeter for the beta radiation monitor indicates and displays the radiation l inside the sampler from the sampled air. From the sampler, the air is drawn through the flow troller assembly, pump, and exhausted into the return line. Downstream of the particulate and ne filter a connection for the tritium detection system is provided. The tritium monitor has its pump and flow control. The tritium detector is a passive sampler collecting system (i.e.,

ble system) to continuously collect and concentrate elemental tritium and tritiated water in ll vials. The contents of the vials are assayed using a scintillation counter at regular intervals.

CDBEM monitors noble gases at the exhaust of the PVVS carbon delay beds using a pling system. Redundant particulate and iodine filters are installed in-line with the effluent am, upstream of the safety-related exhaust point, which operates at a much lower flow rate proximately 16 standard cubic feet per minute) than the main facility stack. The safety-related aust point is only used while nitrogen purge is in operation. The PVVS system does not eive gases from process locations expected to contain tritium; therefore, the CDBEM does not ude a tritium monitor. See Section 9b.6 for additional discussion on the PVVS and nitrogen ge operations.

SRM noble gas radiation monitor has a range of 1.0E-06 Ci/cc to 1.0E-01 Ci/cc, with a imum sensitivity of 3.1E-07 Ci/cc (xenon-133 equivalent). The SRM tritium monitor has a imum sensitivity of 1.0E-10 Ci/cc.

NE Medical Technologies 7.7-9 Rev. 0

initial channel calibration for the SRM and CDBEM noble gas detectors are performed using dards traceable to NIST.

both the SRM and CDBEM, filter medium collection efficiency is 99 percent for 0.3 micron or er particles. Halogen isotopes are collected on a filter having a collection efficiency of percent or better for iodine.

5.6 Technical Specifications tain material in this section provide information that is used in the technical specifications.

includes limiting conditions for operation, setpoints, design features, and means for omplishing surveillances. In addition, significant material is also applicable to, and may be renced by the bases that are described in the technical specifications.

6 CRITICALITY MONITORING 6.1 System Description icality monitoring of the RPF, a sub-division of the main production facility, is provided by the AS. CAAS coverage is not provided in the irradiation facility (IF) containing the IUs, since er safety control systems (e.g., TRPS) are actively monitoring and detecting conditions ide normal operational limits.

6.2 Design Criteria SHINE design criteria are described in Section 3.1. The SHINE design criteria applicable to CAAS are provided in Table 3.1-2.

6.3 Design Basis, Operation and Performance CAAS meets the requirements of 10 CFR 70.24(a) and follows the guidance of SI/ANS 8.3-1997 (R2017) (ANSI/ANS, 1997). A detailed description of the CAAS is provided ubsection 6b.3.3.

6.4 Technical Specifications tain material in this section provide information that is used in the technical specifications.

includes limiting conditions for operation, setpoints, design features, and means for omplishing surveillances. In addition, significant material is also applicable to, and may be renced by the bases that are described in the technical specifications.

NE Medical Technologies 7.7-10 Rev. 0

Table 7.7 Safety-Related Process Radiation Monitors (Sheet 1 of 4)

Total Minimum Monitored Monitored Unit Available Required Operability it Material Location Location Function Divisions Divisions Requirements Detect elevated Whenever PVVS, radiation levels Supercell VTS, or N2PS is Fission Supercell from process exhaust 3 2 operating and hot cell products exterior vessel ventilation isolation dampers are ventilation cell not closed (input to ESFAS)

Whenever target Detect elevated solution or Supercell radiation levels radioisotope products Fission Supercell exhaust from extraction 2 2 are present in the hot products exterior ventilation cell A (input to cell and hot cell ESFAS) isolation dampers are not closed Detect elevated Supercell radiation levels Fission Supercell exhaust from purification 2 2 products exterior ventilation cell A (input to ESFAS)

Whenever Detect elevated radioisotope products Supercell radiation levels Fission Supercell are present in the hot exhaust from packaging 2 2 products exterior cell and hot cell ventilation cell 1 (input to isolation dampers are ESFAS) not closed Detect elevated Supercell radiation levels Fission Supercell exhaust from purification 2 2 products exterior ventilation cell B (input to ESFAS)

Whenever target Detect elevated solution or Supercell radiation levels radioisotope products Fission Supercell exhaust from extraction 2 2 are present in the hot products exterior ventilation cell B (input to cell and hot cell ESFAS) isolation dampers are not closed Whenever target Detect elevated solution or Supercell radiation levels radioisotope products Fission Supercell exhaust from extraction 2 2 are present in the hot products exterior ventilation cell C (input to cell and hot cell ESFAS) isolation dampers are not closed NE Medical Technologies 7.7-11 Rev. 0

Total Minimum Monitored Monitored Unit Available Required Operability it Material Location Location Function Divisions Divisions Requirements Detect elevated Supercell radiation levels Fission Supercell exhaust from purification 2 2 products exterior ventilation cell C (input to ESFAS)

Detect elevated Whenever Supercell radiation levels radioisotope products Fission Supercell exhaust from packaging 2 2 are present in the hot products exterior ventilation cell 2 (input to cell and hot cell ESFAS) isolation dampers are not closed Detect elevated radiation levels Supercell Fission Supercell from iodine and 0 exhaust 2 2 products exterior xenon ventilation purification cell (input to ESFAS)

Detect elevated Mezzanine radiation levels Fission RVZ1 (RPF 1 from RVZ1 RCA 3 2 products exhaust general exhaust (input to Whenever facility area)

ESFAS) operations are not secured or RVZ Detect elevated isolation dampers are Mezzanine radiation levels not closed Fission RVZ2 (RPF 2 from RVZ2 RCA 3 2 products exhaust general exhaust (input to area)

ESFAS)

Detect elevated tritium Whenever tritium is TPS concentration in present in the TPS 3 Tritium glovebox TPS room tritium 3 2 glovebox in gaseous atmosphere purification form system glovebox (input to ESFAS)

Detect elevated tritium Whenever tritium is concentration in present in the TPS tritium GBSS glovebox in gaseous 4 Tritium TPS room purification 3 2 exhaust form and TPS system glovebox confinement isolation stripper system devices are not closed exhaust to RVZ1 (input to ESFAS)

NE Medical Technologies 7.7-12 Rev. 0

Total Minimum Monitored Monitored Unit Available Required Operability it Material Location Location Function Divisions Divisions Requirements IU 1 Accelerator Detect tritium Mode 1 TPS concentration in (Startup)

IF general 5 Tritium Interface ATIS return line 2 2 area System from IU 1 (input (ATIS) to TRPS) glovebox and Detect tritium concentration in IU 2 ATIS IF general 6 Tritium ATIS return line 2 2 Mode 2 glovebox area from IU 2 (input (Irradiation) to TRPS)

Detect tritium concentration in IU 3 ATIS IF general 7 Tritium ATIS return line 2 2 glovebox area from IU 3 (input to TRPS)

Detect tritium concentration in IU 4 ATIS IF general 8 Tritium ATIS return line 2 2 glovebox area from IU 4 (input to TRPS)

Detect tritium Mode 1 concentration in (Startup)

IU 5 ATIS IF general 9 Tritium ATIS return line 2 2 glovebox area from IU 5 (input to TRPS) and Detect tritium concentration in IU 6 ATIS IF general 0 Tritium ATIS return line 2 2 glovebox area from IU 6 (input Mode 2 to TRPS) (Irradiation)

Detect tritium concentration in IU 7 ATIS IF general 1 Tritium ATIS return line 2 2 glovebox area from IU 7 (input to TRPS)

Detect tritium concentration in IU 8 ATIS IF general 2 Tritium ATIS return line 2 2 glovebox area from IU 8 (input to TRPS)

NE Medical Technologies 7.7-13 Rev. 0

Total Minimum Monitored Monitored Unit Available Required Operability it Material Location Location Function Divisions Divisions Requirements IU 1 primary Detect elevated closed loop radiation levels cooling from IU 1 PCLS Fission Cooling Modes 1 3 system expansion tank 3 2 products room through 4 (PCLS) exhaust (input to expansion TRPS) tank exhaust Detect elevated radiation levels IU 2 PCLS Fission Cooling from IU 2 PCLS Modes 1 4 expansion 3 2 products room expansion tank through 4 tank exhaust exhaust (input to TRPS)

Detect elevated radiation levels IU 3 PCLS Fission Cooling from IU 3 PCLS Modes 1 5 expansion 3 2 products room expansion tank through 4 tank exhaust exhaust (input to TRPS)

Detect elevated radiation levels IU 4 PCLS Fission Cooling from IU 4 PCLS Modes 1 6 expansion 3 2 products room expansion tank through 4 tank exhaust exhaust (input to TRPS)

Detect elevated radiation levels IU 5 PCLS Fission Cooling from IU 5 PCLS Modes 1 7 expansion 3 2 products room expansion tank through 4 tank exhaust exhaust (input to TRPS)

Detect elevated radiation levels IU 6 PCLS Fission Cooling from IU 6 PCLS Modes 1 8 expansion 3 2 products room expansion tank through 4 tank exhaust exhaust (input to TRPS)

Detect elevated radiation levels IU 7 PCLS Fission Cooling from IU 7 PCLS Modes 1 9 expansion 3 2 products room expansion tank through 4 tank exhaust exhaust (input to TRPS)

Detect elevated radiation levels IU 8 PCLS Fission Cooling from IU 8 PCLS Modes 1 0 expansion 3 2 products room expansion tank through 4 tank exhaust exhaust (input to TRPS)

NE Medical Technologies 7.7-14 Rev. 0

Table 7.7 Radiation Area Monitor Locations Unit Function Location ea Monitor 1 Alert supercell operators of high radiation Near supercell, ground levels floor ea Monitor 2 Alert personnel of high radiation levels from North end of RPF tank tank vaults near the north-west RPF vaults, ground floor emergency exit ea Monitor 3 Alert personnel of high radiation levels from South end of RPF tank tank vaults near the main RPF exit vaults, ground floor ea Monitor 4 Alert waste cell operators of high radiation Near waste enclosure, levels ground floor ea Monitor 5 Alert personnel of high radiation levels from North end of main IF north off-gas or cooling rooms near the corridor, ground floor north-east IF emergency exit ea Monitor 6 Alert personnel of high radiation levels from South end of main IF south off-gas, cooling rooms, and NDAS corridor, ground floor service cell near the IF overhead doors ea Monitor 7 Alert personnel of high radiation levels from North end of IU vaults, top north IU cells of vault elevation ea Monitor 8 Alert personnel of high radiation levels from South end of IU vaults, top south IU cells of vault elevation ea Monitor 9 Alert personnel of high radiation levels from TPS room roof elevation the NDAS service cell ea Monitor 10 Alert personnel of high radiation levels from Safety-related area, facility filter banks mezzanine NE Medical Technologies 7.7-15 Rev. 0

Table 7.7 Continuous Airborne Monitor Locations (Sheet 1 of 2)

Unit Function Location borne Alert supercell operators of high contamination Near supercell, ground floor nitor 1 levels borne Alert personnel of high contamination levels North end of RPF tank vaults, nitor 2 from tank vaults near the north-west RPF ground floor emergency exit borne Alert personnel of high contamination levels South end of RPF tank vaults, nitor 3 from tank vaults near the main RPF exit ground floor borne Alert waste cell operators of high contamination Near waste enclosure, ground nitor 4 levels floor borne Alert personnel of high contamination levels North end of main IF corridor, nitor 5 from north off-gas or cooling rooms near the ground floor north-east IF emergency exit borne Alert personnel of high contamination levels South end of main IF corridor, nitor 6 from south off-gas or cooling rooms near the IF ground floor overhead doors tium Alert personnel of high tritium levels from north North end of IU vaults, top of nitor 7 ATIS gloveboxes vault tium Alert personnel of high radiation levels from South end of IU vaults, top of nitor 8 south ATIS gloveboxes vault borne Alert personnel of high contamination levels Safety-related area nitor 10 from filter banks mezzanine, facility mezzanine borne Alert laboratory personnel of high contamination North laboratory, ground floor nitor 11 levels borne Alert laboratory personnel of high contamination South laboratory, ground floor nitor 12 levels borne Alert personnel of high contamination levels Target solution preparation nitor 13 from target solution preparation activities room, ground floor borne Alert personnel of high contamination levels Uranium storage room, ground nitor 14 from target solution preparation activities floor tium Alert personnel of high tritium levels from the TPS room, ground floor nitor 15 TPS glovebox NE Medical Technologies 7.7-16 Rev. 0

Unit Function Location tium Alert personnel of high tritium levels in the main Main IF corridor, ground floor nitor 16 IF corridor TE: CAMS unit numbers are not necessarily sequential but correspond to radiation area monitor system (RAMS) unit locations where the two monitors are co-located. See Table 7.7-2 for RAMS locations.

NE Medical Technologies 7.7-17 Rev. 0

NE Medical Technologies 7.7-18 Rev. 0 1 SYSTEM DESCRIPTION neutron flux detection system (NFDS) performs the task of monitoring and indicating the tron flux to determine the multiplication factor and power level during filling of the target tion vessel (TSV) and irradiating the target solution. The signal from the detectors is smitted to the pre-amplifiers where the signal is amplified and filtering for noise reduction is ormed. The output of the pre-amplifier is transmitted to cabinets in the facility control room R) where the signal processing units are located. The signal processing units perform asurement of the neutron flux signal from the pre-amplifier, signal processing, trip ermination, indication and interfacing with other systems. The NFDS interfaces with the TSV ctivity protection system (TRPS) for safety-related interfaces and monitoring and indication, interfaces with the process integrated control system (PICS) for nonsafety-related functions.

NFDS monitors variables important to the safety functions of the irradiation process during h operating mode of the irradiation unit (IU) to provide input to the TRPS to perform its safety tions.

NFDS provides continuous indication of the neutron flux during operation, from filling ugh maximum power during irradiation. To cover the entire range of neutron flux levels, there three different ranges provided from the NFDS: source range, wide range, and power range.

rce range covers the low levels expected while the TSV is being filled while power range ers the higher flux levels anticipated while the neutron driver is on and irradiating. To cover gap between the source and power ranges, the wide range monitors the flux levels between source and power range with a minimum two decade overlap with the high end of the source ge and the low end of the power range. In addition to providing flux levels, both the source ge and wide range provide rate of change.

NFDS is a three-division system with three detectors positioned around the subcritical embly support structure (SASS) at 120-degree intervals to the TSV. Each division of the DS consists of a watertight detector located in the light water pool, a pre-amplifier mounted in radioisotope production facility (RPF), and a signal processing unit inside the FCR. The three ertight detectors located in a light water pool are supported using brackets attached to the er shell of the SASS. These brackets serve to locate the flux detectors in a fixed location tive to the TSV, ensuring flux profiles are measured consistently such that the sensitivity in source range reliably indicates the neutron flux levels through the entire range of the filling target solution.

2 DESIGN CRITERIA 2.1 General Instrumentation and Control DS Criterion 1 - The range of operation of detector channels for the NFDS shall be sufficient over the expected range of variation of monitored neutron flux during normal and transient ration.

DS Criterion 2 - The NFDS shall give continuous indication of the neutron flux from subcritical rce multiplication level through licensed maximum power range. The continuous indication NE Medical Technologies 7.8-1 Rev. 0

DS Criterion 3 - The NFDS power range channels shall provide reliable TSV power level e the source range channel provides count rate information from detectors that directly nitor the neutron flux.

DS Criterion 4 - The NFDS log power range channel (i.e., wide range channel) and a linear monitoring channel (i.e., power range channel) shall accurately sense neutrons during diation, even in the presence of intense high gamma radiation.

DS Criterion 5 - The NFDS shall provide redundant TSV power level indication through the nsed maximum power range.

DS Criterion 6 - The location and sensitivity of at least one NFDS detector in the source range nnel, along with the location and emission rate of the subcritical multiplication source, shall be igned to ensure that changes in reactivity will be reliably indicated even with the TSV shut n.

DS Criterion 7 - The NFDS shall have at least one detector in the power range channel to vide reliable readings to a predetermined power level above the licensed maximum power l.

DS Criterion 8 - The NFDS shall be separated from the PICS to the extent that any removal of mponent or channel common to both the NFDS and the PICS preserves the reliability, undancy, and independence of the NFDS.

DS Criterion 9 - The NFDS detectors shall be qualified for continuous submerged operation in the light water pool. The NFDS detector housings shall be watertight and supported by a ve structure, mounted to the SASS, at specific locations surrounding the SASS.

DS Criterion 10 - The timing of NFDS communications shall be deterministic.

2.2 Single Failure DS Criterion 12 - The NFDS shall be designed to perform its protective functions after eriencing a single random active failure in nonsafety control systems or in the NFDS, and h failure shall not prevent the NFDS from performing its intended functions or prevent safe tdown of an IU cell.

DS Criterion 13 - The NFDS shall be designed such that no single failure can cause the re of more than one redundant component.

2.3 Independence DS Criterion 14 - Physical separation and electrical isolation shall be used to maintain the pendence of NFDS circuits and equipment among redundant safety divisions or with safety systems so that the safety functions required during and following any maximum othetical accident or postulated accident can be accomplished.

NE Medical Technologies 7.8-2 Rev. 0

ersely affects the performance of required safety functions.

2.4 Fail Safe DS Criterion 16 - The NFDS and associated components shall be designed to assume a safe e on loss of electrical power.

DS Criterion 17 - The NFDS shall not be designed to fail or operate in a mode that could vent the TRPS from performing its intended safety function. The design of the NFDS shall sider:

1) The effect of NFDS on accidents

2) The effects of NFDS failures

3) The effects of NFDS failures caused by accidents.

failure analyses shall cover hardware and software failures associated with the NFDS.

2.5 Setpoints DS Criterion 18 - Neutron flux setpoints for an actuation of the NFDS shall be based on a umented analysis methodology that identifies assumptions and accounts for uncertainties, h as environmental allowances and measurement computational errors associated with each ment of the instrument channel. The setpoint analysis parameters and assumptions shall be sistent with the safety analysis, system design basis, technical specifications, facility design, expected maintenance practices.

DS Criterion 19 - Adequate margin shall exist between setpoints and safety limits so that the PS initiates protective actions before safety limits are exceeded.

DS Criterion 20 - The sensitivity of each NFDS sensor channel shall be commensurate with precision and accuracy to which knowledge of the variable measured is required for the ective function.

2.6 Equipment Qualification DS Criterion 21 - The effects of electromagnetic interference/radio-frequency interference I/RFI) and power surges on the NFDS shall be adequately addressed.

2.7 Surveillance DS Criterion 22 - The NFDS shall provide the capability for calibration, inspection, and testing alidate the desired functionality of the NFDS.

DS Criterion 23 - Equipment in the NFDS (from the input circuitry to output actuation circuitry) ll be designed to allow testing, calibration, and inspection to ensure operability. If testing is uired or can be performed as an option during operation, the NFDS shall retain the capability ccomplish its safety function while under test.

NE Medical Technologies 7.8-3 Rev. 0

abilities, and actions taken upon failure detection.

DS Criterion 25 - The design of the NFDS and the justification for test intervals shall be sistent with the surveillance testing intervals as part of the facility technical specifications.

2.8 Classification and Identification DS Criterion 26 - NFDS equipment shall be distinctively identified to indicate its safety sification and to associate equipment according to divisional or channel assignments.

2.9 Human Factors DS Criterion 27 - The NFDS shall be designed to provide the information necessary to port annunciation of the channel initiating a protective action to the operator.

2.10 Quality DS Criterion 28 - Controls over the design, fabrication, installation, and modification of the DS shall conform to the guidance of ANSI/ANS 15.8-1995, Quality Assurance Program uirements for Research Reactors (ANSI/ANS, 1995), as endorsed by Regulatory Guide 2.5, lity Assurance Program Requirements for Research and Test Reactors (USNRC, 2010).

DS Criterion 29 - The quality of the components and modules in the NFDS shall be mensurate with the importance of the safety function to be performed.

3 DESIGN BASIS NFDS monitors neutron flux levels inside the target solution vessel and provides signals to TRPS that predetermined limits have been reached or exceeded as well as continuous cation of flux level to assist in the TRPS initiating its safety functions.

3.1 Monitored Variables NFDS measures the flux over three separate ranges, source range, wide range, and power ge. The source range measures low flux levels common to what would be expected during filling cycle prior to irradiation of the target solution. The power range measures high flux ls in the ranges that are expected when the neutron driver is operating and irradiating the et solution. The wide range connects the gap between the source range and the power range overlap and is usable during both source and power range levels.

he source range, individual pulses are created as a result of neutron interaction with the ector and are recorded by the NFDS. The range of the source range measurement counts es up to 1.0E+05 counts per second (cps). The inverse of the count rate can also be used to mate the critical fill level using the 1/M methodology.

he power range, the neutron flux is measured in terms of the design power levels of the TSV.

range of measurement of the power range is indicated as 0 percent to 125 percent.

NE Medical Technologies 7.8-4 Rev. 0

terium reactions and deuterium-tritium reactions.

source range neutron flux signal has an accuracy of less than or equal to 2 percent of the full ar scale, with a response time of 30 seconds or less in the range of 1 to 100 cps, and a ponse time of less than or equal to 200 milliseconds in the range of 100 to 1.0E+05 cps.

power range neutron flux signal has an accuracy of less than or equal to 1 percent of the full ar scale with a response time of less than or equal to 50 milliseconds.

wide range neutron flux signal has an accuracy of less than or equal to 1 percent of the full rithmic scale, with a response time of 30 seconds or less in the range of 1.0E-08 percent to E-05 percent, and a response time of less than or equal to 200 milliseconds in the range of E-05 percent to 2.5E+02 percent.

3.2 Logic Processing Functions NFDS performs a trip determination for the source range to support filling of the IU cell. The determination is provided to the TRPS of the respective IU as a discrete level signal.

analytical limit for the high source range trip determination is:

Increasing at 1.5 times the nominal flux at 95 percent volume of the critical fill height NFDS has a maximum response time of 250 milliseconds from the time an input signal eeds predetermined limits to the time that the NFDS transmits a trip determination.

NFDS provides the following analog signals to the TRPS in addition to the trip determination puts:

NFDS source range

NFDS source range rate

NFDS wide range

NFDS wide range rate

NFDS power range NFDS also provides a source range missing and power range missing signal to the PICS use as an alarm to the operator in alerting that the NFDS is not operating properly.

3.3 Operating Conditions NFDS control and logic functions are located inside the FCR where the environment is mild not exposed to the irradiation process. The preamplifiers are located in the RPF where rating conditions are a mild operating environment. The detectors are located within the IU where they are exposed to high radiation levels (approximately 3.44E+05 rad/hour) and are lified to survive that environment.

environmental conditions present in areas where NFDS is located are provided in le 7.2-2 through Table 7.2-4. The facility heating, ventilation, and air conditioning (HVAC)

NE Medical Technologies 7.8-5 Rev. 0

ing normal operation, the NFDS equipment will operate in the applicable normal radiation ironments identified in Table 7.2-1 for up to 20 years, and will be replaced at a frequency icient such that the radiation qualification of the affected components is not exceeded.

4 DESIGN ATTRIBUTES 4.1 General Instrumentation and Control NFDS is a fully analog system. Communications from the NFDS to the TRPS and PICS are tinuous through isolated outputs. The output isolation devices only allow for the data to be smitted out of the system so that no failure from an interfacing system can affect the tions of the NFDS.

NFDS is supplied power from the uninterruptible power supply system (UPSS). The UPSS ery backup supplies power to the NFDS for a minimum of 10 minutes following a loss of off-power.

4.2 Single Failure NFDS is comprised of three redundant divisions of detectors, preamplifiers, and processing uits. A single failure of any one of the divisions will not affect the functionality of the other two undant divisions. Interfacing systems with the NFDS are downstream of the NFDS such that a re of an interfacing nonsafety system will not impact the NFDS.

4.3 Independence three divisions of the NFDS are physically and electrically independent of each other.

ectors are placed at 120-degree intervals around the SASS and are routed back to the control m where the cabinets are located through physically and electrically separated routes. Each sion of the NFDS is capable of monitoring the neutron flux levels in the detector, reading and plifying the levels in the preamplifier, and processing the measurement readings within each sion independently without aid of another NFDS division or external safety or nonsafety tem.

4.4 Fail Safe NFDS is designed so that a failure due to loss of power to the NFDS or a removal of an DS channel interacts the same with the TRPS as if there was a positive trip determination put to the TRPS. The interaction between NFDS and TRPS is shown in Figure 7.4-1 eet 3).

4.5 Setpoints points in the NFDS are based on a documented methodology that identifies each of the umptions and accounts for the uncertainties in each instrument channel. The setpoint hodology is further described in Subsection 7.2.3.

NE Medical Technologies 7.8-6 Rev. 0

DS rack mounted equipment is installed in a mild operating environment and is designed to et the environmental conditions described in Subsection 7.8.3.3. Rack mounted TRPS ipment is tested to appropriate standards to show that the effects of EMI/RFI and power ges are adequately addressed. Appropriate grounding of the NFDS is performed in ordance with Section 5.2.1 of Institute of Electrical and Electronics Engineers (IEEE) ndard 1050-2004, IEEE Guide for Instrumentation and Control Equipment Grounding in erating Stations (IEEE, 2004b).

4.7 Surveillance NFDS supports testing and calibration to ensure operability as required by the technical cifications. The NFDS is designed to allow operators to remove portions of the NFDS from vice when not required for operation without impacting NFDS components specific to other IU

s. As an all analog system, the only form of fault detection normally available is the source ge missing and power range missing discrete signals provided to the PICS.

4.8 Classification and Identification h division of the NFDS is uniquely labeled and identified in accordance with SHINE tification and classification procedures.

4.9 Human Factors NFDS provides the following signals to the TRPS to transmit to the PICS for display to the rator:

Source range neutron flux

Source range rate

Wide range neutron flux

Wide range rate

Power range neutron flux

Source range missing signal

Power range missing signal rator display criteria and design are addressed in Section 7.6.

4.10 Codes and Standards following codes and standards are applied to the NFDS design:

1) Section 8 of IEEE Standard 344-2013, IEEE Standard for Seismic Qualification of Equipment for Nuclear Power Generating Stations (IEEE, 2013); invoked as guidance to meet SHINE Design Criterion 2, Natural phenomena hazards.

2) IEEE Standard 379-2000, IEEE Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems (IEEE, 2000); invoked to meet SHINE Design Criterion 13, Instrumentation and controls.

3) IEEE Standard 384-2008, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits (IEEE, 2008); invoked for separation of safety-related and NE Medical Technologies 7.8-7 Rev. 0

4) Section 5.2.1 of IEEE Standard 1050-2004, IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations (IEEE, 2004b); invoked as guidance to support electromagnetic compatibility qualification for digital I&C equipment.

5) The guidance of ANSI/ANS 15.8-1995, Quality Assurance Program Requirements for Research Reactors (R2013) (ANSI/ANS, 1995), as endorsed by Regulatory Guide 2.5, Quality Assurance Program Requirements for Research and Test Reactors (USNRC, 2010), is applied as part of the SHINE Quality Assurance Program for complying with the programmatic requirements of 10 CFR 50.34(b)(6)(ii).

NE Medical Technologies 7.8-8 Rev. 0

SI, 1999. Sampling and Monitoring Releases of Airborne Radioactive Substances from the cks and Ducts of Nuclear Facilities, ANSI N13.1-1999, American National Standards Institute, 9.

SI/ANS, 1995. Quality Assurance Program Requirements for Research Reactors, SI/ANS 15.8-1995 (R2013), American National Standards Institute/American Nuclear Society, 5.

SI/ANS, 1997. Criticality Accident Alarm System, ANSI/ANS 8.3-1997 (R2017), American ional Standards Institute/American Nuclear Society, 1997.

E, 2000. IEEE Standard Application of Single-Failure Criterion to Nuclear Power Generating tion Safety Systems, IEEE 379-2000, Institute of Electrical and Electronics Engineers, 2000.

E, 2004a. IEEE Standard for Software Verification and Validation, IEEE 1012-2004, Institute lectrical and Electronics Engineers, 2004.

E, 2004b. IEEE Guide for Instrumentation and Control Equipment Grounding in Generating tions, IEEE 1050-2004, Institute of Electrical and Electronics Engineers, 2004.

E, 2004c. IEEE Recommended Practice for the Application of Human Factors Engineering to tems, Equipment, and Facilities of Nuclear Power Generating Stations and Other Nuclear ilities, IEEE 1023-2004, Institute of Electrical and Electronics Engineers, 2004.

E, 2008. IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits, E 384-2008, Institute of Electrical and Electronics Engineers, 2008.

E, 2013. IEEE Standard for Seismic Qualification of Equipment for Nuclear Power Generating tions, IEEE 344-2013, Institute of Electrical and Electronics Engineers, 2013.

Scale, 2017. NuScale Power, LLC Submittal of the Approved Version of NuScale Topical ort TR-1015-18653, Design of the Highly Integrated Protection System Platform, Revision 2 C No. RQ6005), NuScale Power, LLC, September 13, 2017 (ML17256A892).

NRC, 2010. Quality Assurance Program Requirements for Research and Test Reactors, ulatory Guide 2.5, Revision 1, U.S. Nuclear Regulatory Commission, June 2010.

NRC, 2011. Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, ulatory Guide 1.152, Revision 3, U.S. Nuclear Regulatory Commission, July 2011.

NE Medical Technologies 7.9-1 Rev. 0

ML19331A648

Contents

Text

SUMMARY

3.3 DESCRIPTION

6.1 DESCRIPTION

SUMMARY

Navigation menu

ML19331A648

Text

SUMMARY

3.3 DESCRIPTION

6.1 DESCRIPTION

SUMMARY

Navigation menu

Search