ML22316A054

Safety Evaluation Report for Shine Technologies, LLC Operating License Application - Chapter 7
Site: SHINE Medical Technologies
Issue date: 11/12/2022
From: Michael Balazik, NRC/NRR/DANU/UNPL
To: Piefer G, SHINE Technologies

7.0 INSTRUMENTATION AND CONTROL SYSTEMS

Instrumentation and control (I&C) systems comprise the sensors, electronic circuitry, displays, and actuating devices that provide the information and means to safely control the SHINE Medical Technologies, LLC (SHINE, the applicant) irradiation facility (IF) and radioisotope production facility (RPF) and to avoid or mitigate accidents. Together, the IF and RPF constitute the SHINE facility. The final design description of the I&C systems in the SHINE Final Safety Analysis Report (FSAR) focuses on those structures, systems, and components (SSCs) and associated equipment that constitute the I&C systems and includes the overall design bases, system classifications, functional requirements, and system architecture.

This chapter of the SHINE operating license application safety evaluation report (SER) describes the review and evaluation of the U.S. Nuclear Regulatory Commission (NRC, the Commission) staff of the final design of the SHINE I&C systems as presented in Chapter 7, Instrumentation and Control Systems, of the SHINE FSAR and supplemented by the applicant's responses to staff requests for additional information (RAIs).

7.1 Areas of Review

The NRC staff reviewed SHINE FSAR Chapter 7 against applicable regulatory requirements, using appropriate regulatory guidance and acceptance criteria, to assess the sufficiency of the final design and performance of SHINE's I&C systems. The final design of SHINE's I&C systems was evaluated to ensure that the design bases and functions of the systems and components are presented in sufficient detail to allow a clear understanding of the facility and that the facility can be operated for its intended purpose and within regulatory limits for ensuring the health and safety of the operating staff and the public. Drawings and diagrams were evaluated to ensure that they present a clear and general understanding of the physical facility features and of the processes involved. In addition, the staff evaluated the sufficiency of SHINE's proposed technical specifications (TSs) for the facility.

7.2 Summary of Application

SHINE FSAR Chapter 7 describes the I&C systems, which provide the capability to monitor, control, and protect the facility systems manually and automatically during normal and accident conditions.

Systems and topics addressed in SHINE FSAR Chapter 7 include:

  • The process integrated control system (PICS) and vendor-provided control systems;
  • The target solution vessel (TSV) reactivity protection system (TRPS);
  • The engineered safety features actuation system (ESFAS);
  • The highly integrated protection system (HIPS) platform implementing the TRPS and ESFAS;
  • The SHINE facility control room control consoles and displays;
  • The radiation monitoring systems (RMS), including
    - Process radiation monitors considered part of the ESFAS, TRPS, and tritium purification system (TPS)
    - Process radiation monitors included as part of other facility processes
    - The radiation area monitoring system (RAMS)
    - The continuous air monitoring system (CAMS)
    - The stack release monitoring system (SRMS); and

  • The neutron flux detection system (NFDS).

7.3 Regulatory Requirements and Guidance and Acceptance Criteria

The NRC staff reviewed SHINE FSAR Chapter 7 against the applicable regulatory requirements, using appropriate regulatory guidance and acceptance criteria, to assess the sufficiency of the bases and the information provided by SHINE for the issuance of an operating license.

7.3.1 Applicable Regulatory Requirements

The applicable regulatory requirements for the evaluation of SHINE's I&C systems are as follows:

  • 10 CFR 50.34, Contents of applications; technical information, paragraph (b), Final safety analysis report
  • 10 CFR Part 20, Standards for protection against radiation

7.3.2 Applicable Regulatory Guidance and Acceptance Criteria

In determining the regulatory guidance and acceptance criteria to apply, the NRC staff used its technical judgment, as the available guidance and acceptance criteria were typically developed for nuclear reactors. Given the similarities between the SHINE facility and non-power research reactors, the staff determined to use the following regulatory guidance and acceptance criteria:

  • NUREG-1537, Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Format and Content, issued February 1996.
  • NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Standard Review Plan and Acceptance Criteria, issued February 1996.
  • Final Interim Staff Guidance Augmenting NUREG-1537, Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Format and Content, for Licensing Radioisotope Production Facilities and Aqueous Homogeneous Reactors, dated October 17, 2012.

  • Final Interim Staff Guidance Augmenting NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Standard Review Plan and Acceptance Criteria, for Licensing Radioisotope Production Facilities and Aqueous Homogeneous Reactors, dated October 17, 2012.

As stated in the interim staff guidance (ISG) augmenting NUREG-1537, the NRC staff determined that certain guidance originally developed for heterogeneous non-power research and test reactors is applicable to aqueous homogenous facilities and production facilities.

SHINE used this guidance to inform the design of its facility and to prepare its FSAR. The staff's use of reactor-based guidance in its evaluation of the SHINE FSAR is consistent with the ISG augmenting NUREG-1537.

As appropriate, the NRC staff used additional guidance (e.g., NRC regulatory guides, Institute of Electrical and Electronics Engineers (IEEE) standards, American National Standards Institute/American Nuclear Society (ANSI/ANS) standards, etc.) in the review of the SHINE FSAR. The additional guidance was used based on the technical judgment of the reviewer, as well as references in NUREG-1537, Parts 1 and 2; the ISG augmenting NUREG-1537, Parts 1 and 2; and the SHINE FSAR. Additional guidance documents used to evaluate the SHINE FSAR are provided as references in Appendix B, References, of this SER.

7.4 Review Procedures, Technical Evaluation, and Evaluation Findings

The NRC staff performed a review of the technical information presented in SHINE FSAR Chapter 7, as supplemented, to assess the sufficiency of the final design and performance of SHINE's I&C systems for the issuance of an operating license. The sufficiency of the final design and performance of SHINE's I&C systems is determined by ensuring that it meets applicable regulatory requirements, guidance, and acceptance criteria, as discussed in section 7.3, Regulatory Requirements and Guidance and Acceptance Criteria, of this SER.

The findings of the staff review are described in SER section 7.5, Review Findings.

7.4.1 Summary Description

The NRC staff evaluated the sufficiency of the summary description of the SHINE facility I&C systems, as presented in SHINE FSAR section 7.1, Summary Description, using the applicable guidance and acceptance criteria from section 7.1, Summary Description, of NUREG-1537, Parts 1 and 2, and section 7b.1, Summary Description, of the ISG augmenting NUREG-1537, Parts 1 and 2.

7.4.1.1 Design of Instrumentation and Control Systems

The SHINE facility is monitored and controlled through the PICS. The PICS performs the monitoring and control functions of the IF's eight irradiation units (IUs) and at the facility level. This includes transferring target solution from one location to another, adjusting cooling systems, and the monitoring of temperature, pressure, level, and flow in various locations throughout the facility.

Each of the eight IUs has an independent TRPS and NFDS. PICS also controls certain systems in the RPF as described in SHINE FSAR section 4b, Radioisotope Production Facility Description. The ESFAS is provided for protective functions that are common to the entire facility. The RMS monitors radiation levels within the facility and emissions from the facility.

The purpose of the TRPS is to monitor process variables and provide automatic initiating signals in response to off-normal conditions, providing protection against unsafe IU operation during the IU filling, irradiation, and post-irradiation modes of operation.

The SHINE facility includes engineered safety features (ESF) to mitigate the consequences of postulated accidents.

The SHINE facility control consoles and displays (i.e., operator workstations and main control board) are provided as the human system interface (HSI). A single PICS provides the monitoring and control functions of the IUs and facility level monitoring and control functions.

The SHINE facility also includes the RMS, which consists of the inputs to the TRPS and ESFAS, the RAMS, the SRMS, and the CAMS. The systems monitor radiation at a facility level separate from the IUs. The criticality accident alarm system (CAAS) is discussed in SHINE FSAR section 6b.3.3, Criticality Accident Alarm System, and the criticality safety program relies on two of the ESFAS safety functions for satisfying the double contingency principle.

The NFDS is used for monitoring the reactivity and power of the subcritical assembly system in each IU. The NFDS is a system with redundant channels of neutron flux detectors. The NFDS detects and provides remote indication of the neutron flux levels during TSV filling and irradiation to determine the multiplication factor and power levels, respectively. The NFDS provides outputs to the TRPS used for trip determination. The TRPS also provides these same outputs to the PICS, which are used for the monitoring of conditions within the IU.

7.4.1.2 System Description

7.4.1.2.1 Design Criteria

NUREG-1537, Part 1, section 3.1, Design Criteria, states, in part:

In this section the applicant should specify the design criteria for the facility structures, systems, and components.... The design criteria should be both specific and general.

SHINE FSAR section 3.1, Design Criteria, includes tables 3.1-1 and 3.1-2, which list the design criteria applicable to each I&C system. In addition, the SHINE FSAR identifies additional design criteria for each I&C system; these criteria are provided in SHINE FSAR sections 7.3 through 7.8 and evaluated for each I&C system below. In effect, the SHINE FSAR identifies two types of design criteria: (1) SHINE Design Criteria (i.e., those listed in SHINE FSAR table 3.1-3) and (2) system-specific design criteria (e.g., PICS Criterion 1). SHINE FSAR table 3.1-1, Note 2 states that the generally applicable SHINE Design Criteria 1-8 from SHINE FSAR table 3.1-3 are not specifically listed even though they are generally applicable to most SSCs.

NUREG-1537, Part 1, section 7.2.1, Design Criteria, states, in part:

In this section of the [F]SAR, the applicant should discuss the criteria for developing the design bases for the I&C systems. The basis for evaluating the reliability and performance of the I&C systems should be included.

There are a few design criteria that are applicable to multiple I&C systems, in part, because the required functionality is only achieved through the interaction of these I&C systems. For example, the NFDS includes the neutron flux sensors and dedicated electronics, while the TRPS includes the logic for initiating the associated protective actions, while the PICS displays the flux values to the operator. The PICS displays are part of the SHINE facility control console and display instruments.

The NRC staff's evaluation of the I&C systems against the applicable SHINE Design Criteria considers only the role that the I&C system plays in meeting the design criteria and should not be understood to mean that the I&C system, by itself, satisfies all of the aspects of the SHINE Design Criteria.

The SHINE FSAR identifies the following design principles:

  • Independence
    - Physical
    - Electrical
    - Communication
    - Functional
  • Redundancy
  • Predictability and repeatability
  • Diversity
  • Simplicity

These design principles are incorporated into the additional design criteria for I&C systems, as applicable.

7.4.1.2.2 Design Bases

NUREG-1537, Part 1, section 7.2.2, Design-Basis Requirements, states, in part:

I&C system design requirements are generally derived from the results of analyses of normal operating conditions and of accidents and transients that could occur.

The I&C design bases describe I&C system-specific functions to be performed, operational characteristics, specific values or ranges of values chosen for monitoring and controlling parameters, and design principles. The design basis for the I&C systems is described in SHINE FSAR sections 7.3 through 7.8 and evaluated below.

SHINE FSAR tables 7.2.1 through 7.2.6 identify the design radiation and environmental parameters for the different areas in the SHINE facility where the I&C systems are installed.

7.4.2 HIPS Design

The NRC staff evaluated the sufficiency of the design of the SHINE facility I&C systems, as presented in SHINE FSAR section 7.2, Design of Instrumentation and Control Systems, using the applicable guidance and acceptance criteria from section 7.2, Design of Instrumentation and Control Systems, of NUREG-1537, Parts 1 and 2, and section 7b.2, Design of Instrumentation and Control Systems, of the ISG augmenting NUREG-1537, Parts 1 and 2.

SHINE FSAR section 7.4.5 states that the HIPS platform is used for the TRPS and ESFAS design and incorporates by reference the HIPS platform topical report (TR), TR-1015-18653, Revision 2, Design of the Highly Integrated Protection System Platform (Agencywide Documents Access and Management System Accession No. ML17256A892). In its safety evaluation of the HIPS TR, the NRC staff concluded that the HIPS platform meets the standards of IEEE Std. 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, including the correction sheet dated January 30, 1995, IEEE Std. 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, NRC Digital I&C Interim Staff Guidance (DI&C-ISG)-04, Highly-Integrated Control Rooms - Communications Issues, and the NRC Staff Requirements Memorandum (SRM), dated July 21, 1993, to SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs. The staff safety evaluation of the HIPS TR requires the user to address 65 application-specific action items (ASAIs) to ensure that the generic approval granted by the safety evaluation remains valid for a specific system or plant application using the HIPS platform.

In its response to RAI 7-10 (ML22144A231), SHINE provided technical report TECRPT-2018-0028, Revision 2, HIPS Platform Application Specific Action Item Report for the TRPS and ESFAS. This technical report addresses the 65 ASAIs in relation to the design of the TRPS and ESFAS for the SHINE facility and evaluates each ASAI for applicability to SHINE's operating license application. If the ASAI is determined to be not applicable, justification for why it is not considered applicable is provided. If the ASAI is determined to be applicable, a reference is given for the appropriate sections of the SHINE FSAR or for the appropriate design basis document that provides the material that addresses the ASAI. The results of the applicant's disposition of the ASAIs are provided in table 3-1 of TECRPT-2018-0028. The ASAIs specified in the HIPS TR safety evaluation are intended for power reactor applications and therefore some of the ASAIs are not applicable to the SHINE application of the HIPS platform. Based on its evaluation of SHINE technical report TECRPT-2018-0028, the NRC staff finds the applicant's dispositions of the ASAIs acceptable.

For the TRPS and ESFAS applications, the applicant has made a few modifications and additions to the fundamental HIPS platform equipment design and functionality as described in the HIPS TR. The following modifications and additions to the HIPS platform are described in section 5 of TECRPT-2018-0028. These changes to the fundamental HIPS platform equipment design and functionality, listed below, are evaluated in applicable sections of section 7.4.2 of this SER.

  • Hardwired Module (HWM) Input Routing
  • Use of Fiber Optic Communications
  • Communications Module (CM) Bi-Directional Communications
  • Implementation of Equipment Interface Modules (EIM) Switching Outputs
  • Specific Implementation of Communications Modules
    - Scheduling, Bypass, and Voting Modules (SBVM)
    - Gateway Communications Modules (GWCM)
  • SBVM Safety Data Bus Frame
  • Self-Testing
    - Analog to Digital Converter
    - EIM Input and Output Testing
    - HWM Input Channel Test
    - End-to-End Testing
  • HIPS Module LEDs
  • Remote Input Submodule (RISM)
  • SBVM Manual Testing Capability

7.4.2.1 System Description

The HIPS is a digital system that uses field programmable gate array (FPGA) and discrete components. The HIPS uses different modules installed in a chassis. These modules and inputs and outputs (I/O) are connected to each other through the back panel and backplane of the chassis. The back panel provides structural support to mount the backplane to the chassis. The backplane consists of a printed circuit board, connectors (to connect modules), and copper traces (for communication). The HIPS TR includes a representative architecture to illustrate how the HIPS platform meets the fundamental digital I&C principles of independence, redundancy, predictability and repeatability, and diversity and defense-in-depth. The architectures of the TRPS and ESFAS are described in SHINE FSAR sections 7.4.1 and 7.5.1, respectively, and include modifications and additions made to the generic architecture described in the TR.

The HIPS platform supports an installation that provides redundant electrical power sources to the HIPS chassis backplane. The TRPS divisions A and B are powered from a separate division of the uninterruptible electrical power supply system (UPSS); TRPS division C receives auctioneered power from both UPSS divisions A and B. While the UPSS is not classified as a Class 1E system, portions of Class 1E standards are applied to the UPSS. The acceptability of the UPSS is evaluated in Chapter 8, Electrical Power Systems, of this SER.

HIPS Modules

The HIPS platform consists of a system of modules that are interchangeable between chassis. The platform is designed to work with different module types configured to the individual application where multiple chassis can be connected to create a larger system as needed. The different HIPS modules and platform inputs and outputs are connected to each other through the backplane and back panel of the chassis. As a part of the NRC staff's review of the HIPS TR, fundamental building blocks of the HIPS platform consisting of safety function modules (SFM), CM, EIM, and HWM were found to be acceptable for use in a safety-related I&C architecture based on the HIPS platform. The same fundamental building blocks of the HIPS platform have been customized in building the TRPS and ESFAS. HIPS modules used in the TRPS and ESFAS are:

  • Safety Function Modules
    - Remote Input Submodule (RISM)
    - Self-Testing of Analog to Digital Converter
  • Communications Modules configured as:
    - Scheduling and Bypass Modules (SBM)
    - Scheduling Bypass and Voting Modules (SBVM)
    - SBVM Safety Data Bus Frame
    - Gateway Communications Modules (GWCM)
    - Maintenance & Indication CM (MI-CB)
    - CM Bi-Directional Communications
  • Hard-Wired Modules
    - Hard-Wired Sub-Modules (HW-SM)
    - HWM Input Routing
    - Self-Testing of HWM Input Channel Test
    - FPGA on HWM for Operational Status
  • Equipment Interface Modules
    - Implementation of EIM Switching Outputs
    - Self-Testing of EIM Input and Output
  • Maintenance Work Station (MWS)
  • HIPS Module LEDs

In its response to RAI 7-10, the applicant provided technical report TECRPT-2018-0028, which describes the design differences between the generic HIPS platform modules presented in the HIPS TR and the specific HIPS modules implemented in the TRPS and ESFAS. The following is the NRC staff's technical evaluation of the modifications and additions to the generic HIPS platform module design and functionality for SHINE applications.

Safety Function Module (SFM)

Fundamental design and functionality of the SFMs used in the TRPS and ESFAS are the same as those evaluated in the HIPS TR. SFMs used in the SHINE applications are composed of three functional areas: (1) input sub-module; (2) SFM digital logic circuits; and (3) communications engines, which are the same as described in section 2.5.1 of the HIPS TR. For the SHINE applications, the SFMs have been modified to accept remote input signals via a new input sub-module (ISM) designated as RISM. The RISM is directly associated with a single SFM that allows for remotely locating one ISM from its associated SFM. The ISM used on an RISM is the same as described in the HIPS TR. Once an input signal is in digital format on the ISM, the input information is provided by the RISM via an isolated, one-way RS-485 connection to its associated SFM within the division for triplication and trip determination. There is an additional RS-485 connection between the RISM and its associated SFM which independently supports modification of tunable parameters necessary on the RISM. The technical evaluation of ISM in section 3.1.4.1.1 of the NRC staff's safety evaluation of the HIPS TR is not affected by this additional application of ISM. Therefore, the staff finds this modification of SFM acceptable.

Section 8.2.1 of the HIPS TR describes an auto calibration feature for the analog to digital converter (ADC) for an ISM. The auto-calibration function includes the use of external passive components, whereas the analog ISM used in the TRPS and ESFAS incorporates critical passive components onto the ADC chip. This results in very precise values that are factory calibrated and are significantly less prone to drift over time and temperature; therefore, the auto-calibration function is not implemented for the TRPS and ESFAS designs. Since all analog input signals to the TRPS and ESFAS will be periodically surveilled for accuracy, the NRC staff finds the modification to ISM acceptable.

Communications Module (CM)

Fundamental design and functionality of the CMs used in the TRPS and ESFAS architecture is the same as that evaluated in the HIPS TR. Specific configurations of HIPS CMs used in the TRPS and ESFAS design are SBM, SBVM, MI-CM, and GWCM.

Throughout the HIPS TR, the use of SBM and SVM is discussed as part of a representative architecture, which is provided in the TR to help describe the design principles implemented within the HIPS platform. Both modules are example configurations of the HIPS CM. The TRPS and ESFAS designs use a configuration of CM that is referred to as a SBVM in Divisions A and B. The SBVM combines all functions, capabilities, and design principles described in the HIPS TR for a SBM and a SVM into a single module. This was implemented to minimize the total number of HIPS hardware modules necessary for the required TRPS and ESFAS functionality. As such, the use of a SBVM in the TRPS and ESFAS designs does not represent a modification or addition to the HIPS Platform as described in the HIPS TR. Since the SVM functionality on each SBVM will load each of the specific TRPS or ESFAS application's voting registers with the partial trip determination actuation (PTDA) information received by its SBM functionality, figure 7-8 of the HIPS TR is modified in TECRPT-2018-0028, figure 5-1 to add a note that the Wait for Sync is not necessary for the SBVMs. Because the TRPS and ESFAS implement 1-out-of-2, 2-out-of-2, or 2-out-of-3 voting, which is different than the 2-out-of-4 voting discussed in the HIPS TR, this figure has also been modified to show the three TRPS/ESFAS divisions as opposed to the four divisions of the representative architecture in the HIPS TR.

Sections 7.6.3 through 7.7.1 of the HIPS TR describe the operations and safety data bus frames for the SBM and SVM. The TRPS and ESFAS will incorporate a change to how the SBVM votes on the PTDA and communicates actuation data to the EIMs. Instead of sending separate trip determination actuation (TDA) information for each safety function group (SFG) to the EIMs, all SFGs are voted on at the same time and the TDA for all SFGs are then transferred to the EIMs at once. To reflect this change, figure 7-12 of the HIPS TR is modified in TECRPT-2018-0028, figure 5-3 to show a single transaction for the TRPS and ESFAS implementation. Figure 7-14 of the HIPS TR is also modified in TECRPT-2018-0028, figure 5-3 to show the SBM and SVM functionality being performed by the SBVM module.
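The voting arrangement described in the two paragraphs above can be illustrated with a short sketch, added here as an example and not taken from the SHINE application, the HIPS TR, or any vendor code. It votes partial trip data from the three divisions for every SFG from one snapshot and returns the whole result set at once. The SFG names, the logic assigned to each SFG, and the choice to reject incomplete input (a case the text does not describe) are assumptions.

```python
"""Added illustration (not SHINE or HIPS code): coincidence voting on partial
trip data from up to three divisions, with every safety function group (SFG)
voted from one snapshot and returned as a single result set."""
from dataclasses import dataclass
from typing import Dict, List, Mapping, Tuple

# Coincidence logics named in the text, as (m, n) for "m-out-of-n".
LOGICS: Dict[str, Tuple[int, int]] = {"1oo2": (1, 2), "2oo2": (2, 2), "2oo3": (2, 3)}


@dataclass(frozen=True)
class Sfg:
    """One safety function group. Field names are hypothetical."""
    name: str
    logic: str                  # key into LOGICS
    divisions: Tuple[str, ...]  # divisions whose partial trips feed the vote

    def __post_init__(self) -> None:
        if self.logic not in LOGICS:
            raise ValueError(f"{self.name}: unknown logic {self.logic!r}")
        n = LOGICS[self.logic][1]
        if len(self.divisions) != n or len(set(self.divisions)) != n:
            raise ValueError(f"{self.name}: {self.logic} needs {n} distinct divisions")


def vote_all(sfgs: List[Sfg], ptda: Mapping[str, Mapping[str, bool]]) -> Dict[str, bool]:
    """Vote every SFG from the same partial-trip snapshot.

    ptda maps division -> {SFG name -> partial trip demanded?}.
    Returns {SFG name -> actuate?} for all SFGs together, mirroring the single
    transfer to the EIMs described in the text. Incomplete input raises an
    error instead of being guessed at (assumption of this sketch).
    """
    # Check completeness first so that no partial result set is ever produced.
    for sfg in sfgs:
        for div in sfg.divisions:
            if div not in ptda or sfg.name not in ptda[div]:
                raise ValueError(f"missing partial trip for {sfg.name} from division {div}")

    result: Dict[str, bool] = {}
    for sfg in sfgs:
        m, _n = LOGICS[sfg.logic]
        demands = sum(bool(ptda[div][sfg.name]) for div in sfg.divisions)
        result[sfg.name] = demands >= m
    return result


# Constructed sample data: SFG names and logic assignments are illustrative only.
SAMPLE_SFGS = [
    Sfg("SFG-1", "2oo3", ("A", "B", "C")),
    Sfg("SFG-2", "1oo2", ("A", "B")),
    Sfg("SFG-3", "2oo2", ("A", "B")),
]
SAMPLE_PTDA = {
    "A": {"SFG-1": True, "SFG-2": False, "SFG-3": True},
    "B": {"SFG-1": False, "SFG-2": True, "SFG-3": False},
    "C": {"SFG-1": True},
}

if __name__ == "__main__":
    print(vote_all(SAMPLE_SFGS, SAMPLE_PTDA))
```
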

The GWCM is a HIPS platform communications module not described in the HIPS TR, which performs only monitoring and indication functions. The TRPS and ESFAS monitoring and indication information is transmitted redundantly from each system's divisional monitoring and indication communications module (MI-CM) via one-way isolated RS-485 connections to respective redundant GWCMs, which are in two redundant gateway chassis. Figure 7-15-1, TRPS and ESFAS Gateway Communications Architecture, of RAI response 7-15 (ML22144A231) depicts the TRPS and ESFAS communications architecture. The GWCMs for the TRPS are functionally and logically independent from the GWCMs for the ESFAS and vice versa. They are physically located within two chassis and located in the ESFAS Division C cabinet. This figure shows the specific inputs and outputs from the independent TRPS GWCMs and the independent ESFAS GWCMs. As described in section 2.5.3 of the HIPS TR, the GWCMs, which are HIPS platform communications modules, have four communications ports, each of which can be configured as receive-only or transmit-only. Three of the four communications ports of each GWCM are configured as receive-only ports for their respective status and diagnostics information input. The fourth communications port of each GWCM is configured for two-way communications with the respective PICS channel using the MODBUS communications protocol. Two-way communication is a departure from the HIPS TR description of a communications module. The staff finds this is acceptable because the communication from each MI-CM to a GWCM is isolated and one-way only.

Hard-Wired Module (HWM)

Fundamental design and functionality of the HWMs used in the TRPS and ESFAS architecture is the same as those evaluated in the HIPS TR. The HWM converts hard-wired contact inputs into logic levels for direct connection on dedicated backplane traces to particular modules as per the detail application design. The following are the TRPS and ESFAS design specific HWM configurations.

Section 3.1.1, Independence of TECRPT-2019-0048, Rev. 5, TRPS System Design Description, states that hard-wired submodules (HW-SB) on the SBVMs are used for signals between TRPS Division A to ESFAS Division A or between TRPS Division B to ESFAS Division B (for actuations impacting both systems), which are processed using unidirectional communications type cables via divisional raceways / wireways.

Section 2.5.2 of the HIPS TR states that Trip/Bypass inputs to the HWM are routed only to the scheduling and bypass modules (SBMs) where it is used. There are two differences for this statement in the TRPS and ESFAS designs. The first is that the inputs to the HWMs are used at the SBMs (Division C), the SBVMs (Divisions A and B), the MI-CMs (for monitoring and indication information), and at the EIMs for manual actuation of protective functions and manual functions. The second difference is that the inputs to the HWMs are made available to all modules in the same chassis. The modules listed above use the signals that are made available on the backplane from the HWMs. Additionally, discussion of the use of the trip/bypass switches with the SBMs in the TR applies the same to the use of the trip/bypass switches with the SBVMs in Divisions A and B of the TRPS and ESFAS designs. Input channel self-test identified in section 8.2.7, Module Testing of the HIPS TR for HWM input signals is not being implemented for the TRPS and ESFAS designs.

In response to RAI 7-14 (ML21239A049), the applicant states that the HWM includes an FPGA, which is a departure from the HIPS TR description of an HWM. The function of the FPGA on the HWM is only to drive the module front panel LED indications and to provide module operational status to the MI-CM. The NRC staff concludes that the FPGA on the HWM cannot affect the function of receiving hardwired inputs and making them available on the backplane of the chassis; therefore, this change is acceptable.

Equipment Interface Module (EIM)

Fundamental design and functionality of the EIMs used in the TRPS and ESFAS architecture is the same as that evaluated in the HIPS TR. The configuration of EIMs for the TRPS and ESFAS design is discussed below.

Section 2.5.4.4 of the HIPS TR states that each EIM can control two groups of field components and each group can have up to two field devices. The HIPS platform has been modified for the TRPS and ESFAS designs such that each EIM can control up to eight field devices. Redundancy of dual high side and dual low side contacts for each output switch is not implemented in the TRPS and ESFAS EIM designs. Loads actuated by the TRPS and ESFAS are small solenoids; therefore, a single high side and a single low side EIM contact was used.

Section 3.1, System Architecture of TECRPT-2019-0048, Rev. 5, TRPS System Design Description and TECRPT-2020-0002, Engineered Safety Features Actuation System Design Description, state that an EIM is included in each actuation division (Divisions A and B) for each component actuated by the TRPS and ESFAS. Each EIM has two separate logic paths to allow for connection to separate actuated components. Each component is connected to two separate EIMs, resulting in two EIMs providing redundant control to each component as shown in figure 3-6, Equipment Interface Module Configuration. This allows an EIM to be taken out of service and replaced online without actuating the connected equipment.

The self-testing described in sections 8.2.3.2 and 8.2.3.4 of the HIPS TR for discrete input circuitry (open/closed contact tests) and high drive output testing is not being implemented for the TRPS and ESFAS designs. In accordance with SHINE TSs surveillance requirements (SR) 3.2.1 and SR 3.2.2, operability of EIMs will be periodically tested; therefore, the NRC staff finds the lack of an EIM self-test feature acceptable.

Maintenance Workstation (MWS)

Each division of the TRPS and ESFAS has an MWS for the purpose of online monitoring and offline maintenance and calibration. The HIPS platform MWS supports online monitoring through one-way isolated communication ports. The MWS is used to update setpoints and tunable parameters in the HIPS chassis when the safety function is out of service. Physical and logical controls are put in place to prevent modifications to a safety channel when it is being relied upon to perform a safety function. A temporary cable and OOS switch are required to be activated before any changes can be made to an SFM. Application of the MWS in the TRPS and ESFAS design is the same as described in the HIPS TR. The response to RAI 7-18 (ADAMS Accession No. ML21239A049) describes the use of MWS in the TRPS and ESFAS design for modification of setpoints and tunable parameters and FSAR section 7.4.5.3.3 provides additional detail on how the MWS is used to change setpoints and tunable parameters.

HIPS Module ACTIVE and FAULT LEDs

Section 8.2.7 of the HIPS TR identifies that LED tests will be performed to identify if an incorrect LED status is being displayed. This test will not be performed on a continuous basis for the TRPS and ESFAS designs for the following reasons:

  • Module front panel indication is not a safety function
  • Correct LED operation will be tested as part of factory and installation testing

Section 8.4 of the HIPS TR describes the two LEDs on the front of each HIPS module which are used to indicate the state of the module latches, the operational state of the module, and the presence of any faults for the module. The TRPS and ESFAS designs will include the following changes to the function of the LEDs from that presented in the TR:

  • The ACTIVE and FAULT LEDs are Green during normal operation with no fault present
  • The ACTIVE LED will turn Red on a vital fault or when the module has one latch open
  • The FAULT LED will never flash and will not turn Red
  • The FAULT LED will turn Yellow for any fault (non-vital or vital)

The NRC staff finds this change does not affect the acceptability of the HIPS Module ACTIVE and FAULT LEDs.

7.4.2.1.1 HIPS Communication

Data communication in the TRPS and ESFAS design is the same as described in the HIPS TR. For the TRPS and ESFAS design, a copper RS-485 physical layer is being implemented, whereas the representative protection system architecture in the HIPS TR is based on a fiber optic physical layer. Sections 2.5.3, 4.3, and 4.6.2 of the HIPS TR describe the use of transmit-only or receive-only fiber optic ports for inter-divisional communications. The TRPS and ESFAS designs do not use fiber optic ports for inter-divisional communications. The inter-divisional communications in the TRPS and ESFAS are implemented with transmit-only or receive-only copper RS-485 connections.

7.4.2.1.2 HIPS Operation

The HIPS TR describes operation of the HIPS platform with an example of a representative four channel protection system architecture. SHINE FSAR sections 7.1.2, 7.1.3, 7.4.1, and 7.5.1 and figures 7.1-1, 7.1-2, and 7.1-3 and TSs Bases for Limiting Condition for Operation (LCO) 3.2.1 and LCO 3.2.2 describe how operation of the HIPS is implemented for the TRPS and ESFAS.

Differences between the representative HIPS platform presented in the HIPS TR and the specific SHINE implementation for the TRPS and ESFAS are documented in section 5 of TECRPT-2018-0028, which the applicant submitted in response to RAI 7-10. Detailed documentation of TRPS and ESFAS architecture is contained in TRPS and ESFAS system design descriptions. Consistent with the HIPS TR, the TRPS and ESFAS designs incorporate the fundamental I&C design principles as well as functionality including the capability for test and calibration.

TRPS and ESFAS are comprised of three independent divisions of equipment identified as Division A, Division B, and Division C. The TRPS and ESFAS use redundant and independent sensor inputs to each of these three divisions to complete the logical decisions necessary to initiate the required protective trip and actuations in Division A and Division B.


The HIPS architecture for TRPS and ESFAS consists primarily of SFMs, which receive the sensor signals and initiate trip signals that are communicated to the SBVMs via three safety data buses (SDBs). The output of the three redundant SBVMs in Divisions A and B is communicated via three independent SDBs to the associated EIMs. Division C uses an SBM instead of an SBVM to pass signals through to Divisions A and B, where the voting and actuations occur. When an input channel exceeds a predetermined limit, the SFMs in each division initiate redundant trip signals that are sent to the Division A and Division B SBVMs. The SBVMs perform coincident logic voting to initiate trip or actuation signals to the TRPS and ESFAS components through EIMs. Either 1-out-of-2 or 2-out-of-3 voting is used so that a single failure of a trip signal will not prevent an equipment actuation from occurring when required. Each voting layer receives trip or actuation information from the SFMs via the SDB. When the TRPS or ESFAS logic and voting determine a trip is required, the SBVM sends the trip demand signal to the appropriate EIMs, via the SDB, which then trip or actuate the appropriate equipment via dedicated copper wire. An EIM is included in each actuation division (Divisions A and B) for each component actuated by the TRPS and ESFAS. Each EIM has two separate logic paths to allow for connection to separate actuated components. Each component is connected to two separate EIMs, resulting in two EIMs providing redundant control to each component. Both EIMs associated with a component are required to be deenergized for actuation of component(s) (fail-safe) to their actuated (deenergized) states. Use of redundant EIMs allows for one of the EIMs to be taken out of service and replaced online without actuating the connected equipment.

When a trip signal is generated in the SBVM, the appropriate switching outputs from the EIM open, power is interrupted to the actuation components, and the components change state to their deenergized position. Normal operation of the facility is performed from the facility control room (FCR) using the PICS. There are no required operator actions under postulated accident conditions. However, both automatic and manual initiation capability for all safety functions are provided in the TRPS and ESFAS design.

7.4.2.1.3 Equipment Qualification

The HIPS TR does not include environmental qualification of the HIPS platform. SHINE Design Criterion 16 states, in part, the protection systems are designed to ensure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels, do not result in loss of the protection function or are demonstrated to be acceptable on some other defined basis. To comply with the SHINE Design Criterion 16, the HIPS equipment for the TRPS and ESFAS is required to be qualified for the postulated environmental conditions. In response to RAI 7-16 (ML21239A049), the applicant provided additional information on HIPS equipment qualification and proposed changes to SHINE FSAR sections 7.4.2.2.11, 7.4.3.5, 7.4.3.6, 7.5.2.2.11, 7.5.3.4, and 7.5.3.5. These SHINE FSAR changes provide additional description of the environmental, seismic, radiation, and EMI/RFI qualification testing of the HIPS equipment.

The applicant's response to RAI 7-16 states that the HIPS equipment for the TRPS and the ESFAS has been qualified by the vendor. A discussion of the environmental, seismic, radiation, and EMI/RFI qualifications of the HIPS equipment for TRPS and ESFAS follows.

Environmental Qualification

Mild environmental qualification was performed for the HIPS equipment for TRPS and ESFAS using guidance provided in sections 4.1, 5.1, 6.1, and 7 of IEEE Standard 323-2003, Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations. Environmental qualification was performed considering temperature, relative humidity, radiation, and pressure.

Because the HIPS equipment for TRPS and ESFAS is in a mild environment and will not be subject to harsh environmental conditions during normal operation or transient conditions, a qualified life determination is not required. The HIPS equipment has been designed for continuous operation up to 140 degrees Fahrenheit (°F) and limited operation up to 158 °F. A proof test was performed in an environmental chamber, which verified the normal and abnormal temperature exposure levels for the HIPS equipment. The temperature conditions under which the proof test was performed and satisfactorily completed envelop the normal and transient temperature conditions that the HIPS equipment is expected to operate in, as provided in SHINE FSAR tables 7.2-2 and 7.2-3.

The HIPS equipment for the TRPS and ESFAS is acceptable for mild environment relative humidity conditions. Non-condensing humidity does not represent a credible failure mode applicable to the HIPS equipment. During the proof test discussed above, humidity was not controlled and varied based upon the temperature at the time of testing. Acceptance criteria of the proof test were met, demonstrating that the equipment is expected to operate under required conditions for humidity.

As provided in SHINE FSAR table 7.2-1, the total integrated dose (TID) for areas of the facility where the HIPS equipment will be installed is calculated as 1.0E+03 rad TID. When performing the HIPS equipment qualification, the vendor reviewed industry studies that compiled radiation effects data on a wide range of materials showing that the least radiation resistance threshold for organic compounds (i.e., nonmetallic materials) is greater than 1.0E+04 rad gamma. For electronic components, studies have shown that metal oxide semiconductor devices may be susceptible at a lower level of 3.0E+03 rad gamma. Since the service conditions for the HIPS equipment for the TRPS and ESFAS are less than these bounding values, no further evaluation for radiation in the environmental qualification was required.

The HIPS equipment for the TRPS and ESFAS is acceptable for normal atmospheric pressure, which is the normal and transient pressure provided in SHINE FSAR tables 7.2-2 and 7.2-3. Normal atmospheric pressure is not considered adverse to the HIPS equipment operation; the HIPS components are not pressure sealed and therefore do not create any differential pressure or failure mechanism.

Seismic Qualification

The HIPS equipment for the TRPS and ESFAS was subjected to a proof test in accordance with section 8 of IEEE Standard 344-2013, Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Generating Stations. The HIPS equipment for the TRPS and ESFAS underwent biaxial and triaxial excitation testing. Five operating basis earthquake (OBE) tests were performed in each direction for a total of 20 OBE runs. One safe shutdown earthquake (SSE) test was performed in each direction for a total of four SSE runs. For the triaxial excitation testing, the HIPS equipment was tested in each of three orientations with respect to the excitation. The triaxial excitation test was performed in all three directions for each test. A total of five OBE tests were performed. The results of the proof test demonstrated that for all test runs, structural integrity of the HIPS equipment was maintained, and no mechanical damage was observed. In response to RAI 7-16, SHINE states that the acceptance criteria of the seismic testing were met to demonstrate qualification of the equipment for the TRPS and ESFAS.


Electromagnetic Interference (EMI)/Radio-Frequency Interference (RFI) Qualification

Although the regulatory positions of Regulatory Guide 1.180, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems, are specific to nuclear power plants and are not applicable to non-power production and utilization facilities, this regulatory guide, which provides an acceptable method for qualifying computer-based digital systems, informed the EMI/RFI qualification of the HIPS equipment. Installation of HIPS equipment in the SHINE facility will be grounded per section 5.2.1 of IEEE Standard 1050-2004, Guide for Instrumentation and Control Equipment Grounding in Generating Stations.

Emissions testing for HIPS equipment was performed using the testing methods listed in Regulatory Position 3, table 2, of Regulatory Guide 1.180.

Susceptibility testing for HIPS equipment was performed using the testing methods listed in Regulatory Position 4, table 6, of Regulatory Guide 1.180.

Surge withstand testing for HIPS equipment was performed using the International Electrotechnical Committee (IEC) methods listed in Regulatory Position 5, table 21, of Regulatory Guide 1.180.

The results of this testing were satisfactory and demonstrates that the HIPS equipment for the TRPS and ESFAS and confirms that the effects of EMI/RFI and power surges are addressed.

Based on the successful equipment qualification of the HIPS equipment for TRPS and ESFAS, the NRC staff finds that the SHINE protection systems meet the applicable parts of the SHINE Design Criterion 16, which ensure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function.

7.4.2.1.4 HIPS Diagnostic and Self-testing

In response to RAI 7-15, the applicant provided the following details related to the HIPS diagnostics and self-testing features, and SHINE FSAR section 7.4.5.5 provides additional description of the diagnostic and maintenance features associated with the HIPS platform for the TRPS and ESFAS.

The TRPS and ESFAS are designed with the capability for calibration and surveillance testing, including channel checks, calibration verification, and time response measurements to verify that I&C safety systems perform required safety functions. The TRPS and ESFAS allow SSCs to be tested while retaining the capability to accomplish required safety functions. The TRPS and ESFAS use modules from the HIPS platform which are designed to eliminate non-detectable failures through a combination of self-testing and periodic surveillance testing.

Testing from the sensor inputs of the TRPS and ESFAS through to the actuated equipment is accomplished through a series of overlapping sequential tests, most of which may be performed during normal plant operations. Performance of periodic surveillance testing does not involve disconnecting wires or installation of jumpers for at-power testing. The self-test features maintain division independence by being performed within the division.


The part of TRPS and ESFAS that cannot be tested during normal operations is the actuation priority logic circuit on the EIM. This includes the manual control room switches and the nonsafety-related interface that provide inputs to the actuation priority logic. The actuation priority logic consists of discrete components and directly causes actuation of field components. The actuation priority logic is a simple circuit that has acceptable reliability to be tested when the IU is in Mode 0.

While the TRPS and ESFAS are in normal operation, self-tests run without affecting the performance of the safety function, including its response time. TRPS and ESFAS data communications are designed with error detection to enhance data integrity. The protocol features ensure communications are robust and reliable with the ability to detect transmission faults. Similar data integrity features are used to transfer diagnostics data. The TRPS and ESFAS provide a means for checking the operational availability of the sense and command feature input sensors relied upon for a safety function during normal plant operation. This capability is provided by one of the following methods:

  • Perturbing the monitored variable
  • Cross-checking between channels that have a known relationship (channel check)
  • Introducing and varying a substitute input to the sensor

The TRPS and ESFAS have redundant gateways which gather the output of the MI-CMs for each of the three divisions. The data for each of the three divisions are compared to perform a channel check, and the results are provided to the PICS.

The TRPS and ESFAS incorporate failure detection and isolation techniques. Fault detection and indication occurs at the module level, which enables plant personnel to identify the module that needs to be replaced. Self-testing will generate an alarm and report a failure to the operator and place the component (e.g., SFM, SBVM, or EIM components) in a fail-safe state.

The self-testing features of the HIPS platform are designed, developed, and validated at the same level as the functional logic. The overlapped self-test features of the HIPS platform are integral to the operation of the system and are therefore designed, developed, and validated to the same rigor as the rest of the platform.

Diagnostic data for the division of the TRPS and ESFAS are provided to the MWS. Diagnostics data is communicated via the MIB, which is a physically separate communications path from the safety data path, ensuring the diagnostics functionality is independent of the safety functionality.

Self-testing features and use of the MWS employed in the TRPS and ESFAS design are the same as described in Appendix B of the HIPS TR and comply with sections 5.5.2 and 5.5.3 of the IEEE Standard 7-4.3.2-2003. By incorporating diagnostic and maintenance test features that test from the sensor inputs of the TRPS and ESFAS through to the actuated equipment, the necessary test coverage is provided in the SHINE application of the HIPS platform.

The NRC staff assessed these self-testing features of the SFM and EIM modules and finds that they do not affect the ability of any module to perform its safety function.


7.4.2.1.5 Operational and Maintenance Bypass

The response to RAI 7-14 provided additional details on the operational and maintenance bypass features employed in the TRPS and ESFAS design. SHINE FSAR sections 7.4.4.2, 7.4.4.3, and 7.5.4.4 describe the design, configuration, and implementation of the bypass function considered for the HIPS equipment for the TRPS and ESFAS. FSAR sections 7.4.2.1.3 and 7.5.2.1.3 provide additional description of how SHINE Design Criterion 15 is met for the TRPS and ESFAS. The RAI response provided the following additional details on operational and maintenance bypass.

Operational Bypass

SHINE FSAR section 7.4.4.2 describes the use of operational bypasses for the TRPS during the operation of the IU cells. Operational bypasses for the TRPS are based upon the mode of operation and are automatically implemented within the SBVMs to bypass safety actuations that are not required for each mode. Operator action is required to request the TRPS to transition to the next mode of operation. A mode transition request occurs via separate discrete inputs from PICS to each of the Division A and B HWMs, which then convert the mode transition input to a logic level signal and make the signal available to the associated SBVMs within the division.

When associated permissives are satisfied and the manual operator action for mode transition occurs, the TRPS progresses to the next mode and the TRPS SBVMs will 1) automatically bypass the final trip determinations for safety actuations that are not required for that particular mode of operation and 2) automatically remove any bypasses of the final trip determinations for safety actuations that are required for that particular mode of operation. If the permissive conditions are not met for transitioning to the next mode and the operator action occurs, the TRPS will not advance to the next mode of operation.

The status of TRPS operational bypasses is first provided by the SBVMs to the associated divisional MI-CM on the MIB. This status information is then provided to PICS for indication to the operators.

Maintenance Bypass

For the SHINE application of the HIPS platform, maintenance bypasses are associated with the sense and command features only for the TRPS and ESFAS. There are no maintenance bypass capabilities associated with execute features in the SHINE application of the HIPS platform.

Channels associated with an SFM of the TRPS and ESFAS can be taken out of service by direct component replacement or the manipulation of manual switches. Components that are designed to be replaced directly are the SBMs, SBVMs, EIMs, and HWMs.

When an SBM is removed from its chassis, the Division A and B SBVMs, which correspond with the SDB of the removed SBM, will assert all partial trip signals associated with that SBM to the trip state for input to the coincident voting performed in the SBVMs. The impacted SDB will be in a 1-out-of-3 trip state for all safety functions that require Division C input within the SBVM and the other two SDBs will be in a 0-out-of-3 trip state within the SBVMs. When this occurs, the Division C SFMs and Division A and B SBVMs will provide fault indication information to the PICS for alerting the operators that there is an issue with the SBM.


When an SBVM is removed from its chassis, the other corresponding divisional SBVM will assert all partial trip signals associated with the missing SBVM to the trip state for input to the coincident voting performed in the SBVM. The impacted SDB will be in a 1-out-of-3 trip state within the SBVM and the other two SDBs will be in a 0-out-of-3 trip state within the SBVMs. When this occurs, the following modules will provide fault indication information to the PICS for alerting the operators that there is an issue with the SBVM:

  • All SFMs in the same division as the removed SBVM
  • All EIMs in the same division as the removed SBVM
  • The other corresponding divisional SBVM

When an EIM is removed from its chassis, nothing will occur because the redundant EIM to the one removed will continue to provide actuation capability for all actuation components associated with the EIM. When this occurs, all the SBVMs in the same division as the removed EIM will provide fault indication information to the PICS for alerting the operators that there is an issue with the EIM.

When an HWM is removed from its chassis, all hardwired inputs to the associated division via the HWM will become inactive. For the TRPS, removal of an HWM will effectively bypass the associated TSV Fill Isolation Valve Full Closed and HVPS Breaker Full Open input signals, which are safety inputs to the TRPS. For the ESFAS, a removed HWM will not affect any safety functions because there are no safety inputs to the HWMs.

The HWM includes an FPGA, which is a departure from the HIPS TR description of an HWM. The function of the FPGA on the HWM is only to drive the module front panel LED indications and to provide module operational status to the MI-CM. The FPGA on the HWM cannot affect the function of receiving hardwired inputs and making them available on the backplane of the chassis. When an HWM is removed from its chassis, the MI-CM for the division will provide fault indication information to the PICS, alerting the operators that there is an issue with the HWM.

SFM input channels of the TRPS and ESFAS can be taken out-of-service (OOS) using the OOS switches located on the front of each SFM, and an associated separate trip/bypass switch located below each SFM. The OOS switch has two positions: Operate and OOS. When the switch is placed in the OOS position, the respective divisional SBMs or SBVMs will force the partial trip information associated with the SFM to the trip or bypass state, depending on the position of the trip/bypass switch, and take the channel OOS. Any time an SFM module is placed in an OOS condition, the SBMs or SBVMs associated with the SFM read the state of the trip or bypass switch to determine if the SFM input channels should be bypassed or treated as a trip when continuing the flow of data through the system. With the OOS switch in the OOS position, the trip/bypass switch is used to activate maintenance trips and maintenance bypasses. The trip/bypass switch signal is input first to an HWM, which then converts the trip/bypass discrete input to a logic level signal and makes the signal available to the associated SBMs or SBVMs within the same division as the trip/bypass switch. When the OOS switch is in the Operate position and the SFM is functioning normally, the SBMs or SBVMs associated with the SFM will ignore the associated trip/bypass switch input.


The SFMs continually provide the status of their OOS switch to the associated divisional SBMs or SBVMs along with their partial trip information. With an SFM's OOS switch in the OOS position and the associated trip/bypass switch in the trip position, the associated divisional SBMs or SBVMs will then assert all partial trip information associated with the SFM to the trip state for input to coincident logic voting in the SBVMs. All the partial trip information associated with all inputs for this SFM would be in a maintenance trip condition for this case. For those safety functions that use 2-out-of-3 coincident voting, a single failure of the same SFM in another division would not defeat the safety function because the third remaining divisional SFM is available to complete a 2-out-of-3 vote if required. For those safety functions that only use 1-out-of-2 coincident voting, the safety functions would be actuated when the OOS switch is placed into the OOS position with the associated trip/bypass switch in the trip position.

For safety functions that use either 1-out-of-2 or 2-out-of-3 coincident voting, a single failure of the same SFM in another division would defeat the safety function. Placing a single SFM in maintenance bypass is allowed by the SHINE TSs for up to two hours for the purpose of performing required surveillance testing. A time limit of two hours is acceptable based on the small amount of time the channel could be in bypass, the continual attendance by operations or maintenance personnel during the test, the continued operability of the redundant channel(s), and the low likelihood that an accident would occur during the two-hour period. TSs LCO 3.2.3 and LCO 3.2.4 contain a note that specifies that any single SFM may be bypassed for up to two hours while the variable(s) associated with the SFM is in the condition of applicability for the purpose of performing a Channel Test or Channel Calibration. By only allowing a single SFM to be bypassed at one time, SHINE ensures that the same SFM across multiple divisions (which would be more than one SFM) will not be placed into maintenance bypass. By specifying this in the TSs, SHINE ensures that administrative controls are in place and consistent with the HIPS TR to prevent an operator from placing the same SFM across more than one division into maintenance bypass.

With an SFM's OOS switch in the OOS position and the associated trip/bypass switch in either the trip or bypass position, the input channels associated with the SFM are inoperable. The inputs to the voting logic for the maintenance trip and bypass states are discussed above. The maintenance bypass function supports the in-service testability requirement of SHINE Design Criterion 15 for the TRPS and ESFAS. By allowing a single SFM module to be placed in maintenance bypass in accordance with the TS requirements, TS surveillances can be performed to verify the operability of TRPS and ESFAS components during system operation.

As described above, the time that the maintenance bypass feature is allowed to be used is limited to two hours. This satisfies the SHINE Design Criterion 15 requirement that the removal from service of any component or channel does not result in the loss of required minimum redundancy unless the acceptability of operation of the protection system can be otherwise demonstrated.

Self-testing capabilities in the TRPS and ESFAS design provide indication of component degradation and failure, which allows action to be taken to ensure that no single failure results in the loss of the protection function. The results of these self-tests, along with the ability to perform in-chassis calibration and modification of configurable variables and setpoints using the MWS, ensure that protection systems are designed to permit periodic testing, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred. The self-tests provide indications of component degradation or failure, and the MWS provides the ability to obtain diagnostic information and perform maintenance on individual channels to identify and address component failures.
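The effect of the OOS and trip/bypass switches on coincident voting, described above, can be checked with a small model. This is an added illustration, not SHINE or HIPS platform logic: the class and function names are hypothetical, the bypass state is assumed to enter the vote as "not tripped" with the voting threshold unchanged, and a missing input is assumed to default to the trip state, as described for a removed SBM.

```python
"""Illustrative model of SBVM coincident voting with SFM out-of-service handling."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional, Sequence


class Oos(Enum):
    OPERATE = "operate"
    OOS = "oos"


class Maint(Enum):
    TRIP = "trip"
    BYPASS = "bypass"


@dataclass(frozen=True)
class Channel:
    """One division's SFM input as seen by the voter (hypothetical structure)."""
    division: str
    partial_trip: Optional[bool]  # None = no data received from this division
    oos: Oos = Oos.OPERATE        # OOS switch on the front of the SFM
    maint: Maint = Maint.TRIP     # separate trip/bypass switch below the SFM


def effective_vote(ch: Channel) -> bool:
    """Partial trip value that actually enters the coincident vote."""
    if ch.oos is Oos.OOS:
        # Channel is out of service: the trip/bypass switch decides the vote.
        # Assumption: "bypass" contributes a non-tripped vote.
        return ch.maint is Maint.TRIP
    if ch.partial_trip is None:
        # Assumption: the safe default for a missing input is "trip".
        return True
    # OOS switch in Operate: the trip/bypass switch input is ignored.
    return ch.partial_trip


def tripped_count(channels: Sequence[Channel]) -> int:
    return sum(effective_vote(c) for c in channels)


def vote(channels: Sequence[Channel], required: int) -> bool:
    """required=1 with two channels is 1-out-of-2; required=2 with three is 2-out-of-3."""
    return tripped_count(channels) >= required


def bypassed(channels: Sequence[Channel]) -> List[str]:
    return [c.division for c in channels
            if c.oos is Oos.OOS and c.maint is Maint.BYPASS]


def bypass_config_allowed(channels: Sequence[Channel]) -> bool:
    """TS note modelled here: only a single SFM may be bypassed at one time."""
    return len(bypassed(channels)) <= 1


def survives_single_failure(channels: Sequence[Channel], required: int) -> bool:
    """With a real demand present, does the vote still trip if any one
    in-service channel fails to report its partial trip?"""
    demanded = [c if c.partial_trip is None else replace(c, partial_trip=True)
                for c in channels]
    candidates = [i for i, c in enumerate(demanded)
                  if c.oos is Oos.OPERATE and c.partial_trip is not None]
    for i in candidates:
        failed = list(demanded)
        failed[i] = replace(demanded[i], partial_trip=False)
        if not vote(failed, required):
            return False
    return vote(demanded, required)


if __name__ == "__main__":
    # Constructed sample configurations, no demand present.
    a, b, c = (Channel(d, False) for d in "ABC")
    a_trip = replace(a, oos=Oos.OOS, maint=Maint.TRIP)
    a_byp = replace(a, oos=Oos.OOS, maint=Maint.BYPASS)
    for name, chans, req in [
        ("2oo3 all in service", [a, b, c], 2),
        ("2oo3 A in maintenance trip", [a_trip, b, c], 2),
        ("2oo3 A in maintenance bypass", [a_byp, b, c], 2),
        ("1oo2 A in maintenance trip", [a_trip, b], 1),
        ("1oo2 A in maintenance bypass", [a_byp, b], 1),
    ]:
        print(f"{name}: actuated={vote(chans, req)}, "
              f"single-failure tolerant={survives_single_failure(chans, req)}")
```

The two bypass rows are the configurations in which one further failure defeats the function, which is the exposure the two-hour limit and the single-SFM restriction bound.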


7.4.2.1.6 Manual Actuation

Manual controls in the FCR consist of a single system level manual actuation switch for each automatic TRPS and ESFAS safety function. These manual actuation switches are connected to the HWM in the TRPS and ESFAS chassis. The HWM converts the manual actuation signals to logic level voltages that are placed on the backplane for use by the modules that require them. The manual actuation components are input into the actuation and priority logic (APL) associated with each EIM via the HWM. The APL accepts inputs from the following sources:

  • 1a Digital trip signal from the SBVM
  • 1b Non-digital manual system level trip signal from the FCR
  • 2a Non-digital manual enable nonsafety signal from the FCR
  • 2b Non-digital position indication signal from an HWM
  • 2c Non-digital control signals from the PICS

The non-digital signals are diverse from the digital portion of the TRPS and ESFAS. Discrete logic is used by the APL for actuating a single device based on the highest priority. Regardless of the state of the digital trip signal from the SBVM, manual initiation can always be performed at the system level. If the enable nonsafety control permissive is active and there are no automatic or manual actuation signals present, the PICS is capable of operating trip and actuation components. The result from the APL is used to actuate equipment connected to the EIM. Actuation component status is transmitted to the EIM and is sent to the MIB, along with the status of the SDB signals.

7.4.2.2 HIPS Design Attributes

SHINE FSAR section 7.4.5.2 states that the HIPS design for TRPS and ESFAS incorporates the following fundamental design principles outlined in the HIPS TR, which are summarized in the following sections.

  • Independence
  • Redundancy
  • Predictability and Repeatability
  • Diversity

In addition, TRPS and ESFAS design includes the following design attributes, which are also summarized below.

  • Completion of Functions
  • Prioritization of Functions
  • Access Control

7.4.2.2.1 Independence

SHINE FSAR section 7.4.5.2.1 states that the HIPS platform based TRPS and ESFAS incorporates the independence principles outlined in the HIPS TR. As discussed above in response to RAI 7-10, the applicant provided acceptable dispositions to ASAIs related to independence design attributes of the TRPS and ESFAS. Through a review of design attributes of the HIPS platform and other design details in the TR, the NRC staff finds that the proposed design exhibits independence among (1) redundant portions of a safety system, (2) safety systems and the effects of design-basis events (DBEs), and (3) safety systems and other systems. For each of these areas, the staff evaluated the following:

  • Physical independence
  • Electrical independence
  • Communications independence
  • Functional independence

NUREG-1537 includes acceptance criteria for addressing separation and independence of the control system and the protection system to ensure that failures of other systems won't interfere with the protection system. This attribute includes the physical, electrical, and communications independence of the protection system both within its divisions or channels, as well as independence between the protection system and systems that are not safety-related.

SHINE FSAR section 7.4.5.2.1 summarizes the independence design attributes of the HIPS platform based TRPS and ESFAS.

For physical independence, SHINE FSAR section 7.4.5.2.1 states that the TRPS and ESFAS SSCs that comprise a division are physically separated and independent to retain the capability of performing the required safety functions. Physical separation is used to achieve separation of redundant sensors. TRPS and ESFAS Division A and C are located on the opposite side of the FCR from where Division B is located.

For electrical independence, SHINE FSAR section 7.4.5.2.1 states that wiring for redundant divisions uses physical separation and isolation to provide independence for circuits. Separation of wiring is achieved using separate wireways and cable trays for each of Division A, Division B, and Division C. The HIPS modules provide isolation for the nonsafety-related signal path. In response to RAI 7-10, the applicant stated that the results of isolation testing of HIPS platform equipment, consistent with the guidelines of RG 1.75, Rev. 3, Criteria for Independence of Electrical Safety Systems, are provided in the HIPS platform EMI/RFI and isolation test report RCI-942-1000-61001, EMC and Isolation Qualification Report for HIPS Platform EQTS, Revision 0. Section 4 of this test report concludes that isolation testing of the HIPS modules meets the requirements as specified in section 4.6.4 of EPRI TR-107330, Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants, dated December 1996, which in turn references IEEE 384-1981, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits. Each division of TRPS and ESFAS is independently powered, and the power supply for the TRPS and ESFAS is independent and separated from the PICS. In response to RAI 7-10, the applicant stated that the design bases description for the TRPS and ESFAS power source is provided in SHINE FSAR section 8a2.2. Division A of both the TRPS and ESFAS is powered from Division A of the uninterruptible power supply system (UPSS). Division B of both the TRPS and ESFAS is powered from Division B of the UPSS. Division C of both the TRPS and ESFAS receives auctioneered power from Division A and Division B of the UPSS. Both the TRPS and ESFAS require 125 VDC power, which the UPSS provides as described above. Each TRPS and ESFAS cabinet is provided a single 125 VDC power supply, which is used to power three (3) redundant 125 VDC to 24 VDC converters located at the top of the cabinet. The 24V supply is then distributed to each of three (3) chassis mounting bays as needed, where it is then used to power two (2) redundant 24 VDC to 5 VDC converters located beneath each chassis bay. These provide independent +5V A and +5V B power channels to each chassis.

For communications independence, SHINE FSAR section 7.4.5.2.1 states that the design of the TRPS and ESFAS is such that each safety division functions independently of other safety divisions. Apart from interdivisional voting, communication within a division does not rely on communication outside the respective division to perform the safety function. Safety-related inputs to the TRPS or ESFAS which originate within a specific division of the TRPS or ESFAS are input to, and processed in, only the same division prior to being provided to any other division of the system for voting purposes. The inter-divisional communications in the TRPS and ESFAS are implemented with transmit-only or receive-only copper RS-485 connections. The voting function of the SBVM is not dependent on voting data from other divisions because the SBVM voters will still be able to complete their safety function in the presence of erroneous or missing voting. The SBVM voting function applies a safe default value for the missing inputs. TRPS and ESFAS monitoring and indication information is transmitted redundantly from each system's divisional MI-CM via one-way isolated RS-485 connections to respective redundant nonsafety GWCMs, which are in two redundant gateway chassis. The GWCMs for the TRPS are functionally and logically independent from the GWCMs for the ESFAS and vice versa. They are physically located within two chassis and located in the ESFAS Division C cabinet. As described in section 2.5.3 of HIPS TR, the GWCMs, which are HIPS platform communications modules, have four communications ports, each of which can be configured as receive-only or transmit-only. Three of the four communications ports of each GWCM are configured as receive-only ports for their respective status and diagnostics information input. The fourth communications port of each GWCM is configured for two-way communications with the respective PICS channel using the MODBUS communications protocol. Data communication between the GWCM and PICS is a nonsafety function, and the upstream communication from each MI-CM to a GWCM is isolated and one-way only.

For functional independence, SHINE FSAR section 7.4.5.2.5, Simplicity, states that dedicating SFMs to a function or group of functions based on its inputs provides inherent function segmentation creating simpler and separate SFMs that can be more easily tested. This segmentation also helps limit module failures to a subset of safety functions. The discrete and programmable logic circuits on an EIM provide a clear distinction between those portions that are and are not vulnerable to a software common-cause failure (CCF). Implementation of triple redundant communication within a division of TRPS and ESFAS increases the number of components (e.g., additional CMs) but provides simpler maintenance and self-testing. A failure of a data path or CM with triple redundant communication does not cause all safety functions of that division to be inoperable. Based on the NRC staff's evaluation in section 7.4.2.2.4, Diversity, of this report, the staff finds that adequate functional independence design attributes have been implemented in the TRPS and ESFAS.

Based on the above discussion, the NRC staff finds that the HIPS platform based TRPS and ESFAS incorporate the independence principles outlined in the HIPS TR and the staff confirmed that the proposed design exhibits independence among (1) redundant portions of a safety system, (2) safety systems and the effects of DBEs, and (3) safety systems and other systems.

Therefore, the staff finds that the TRPS and ESFAS design meets the protection system independence requirements of the SHINE Design Criterion 15.

7.4.2.2.2 Redundancy

SHINE FSAR section 7.4.5.2.2 states that the HIPS based TRPS and ESFAS design incorporates redundancy principles outlined in the HIPS TR. Use of these redundancy design principles meets portions of the criteria for redundancy in SHINE Design Criterion 15, which requires that no single failure results in loss of the protection function. This FSAR section also states that a failure modes and effects analysis (FMEA) was conducted to analyze failure modes of system components associated with the TRPS and ESFAS for evaluating the consequences of a single system component failure. The results of the FMEA determined that there are no single failures or non-detectable failures that can prevent the TRPS or ESFAS from performing their required safety functions. In conjunction with the FMEA, a single failure analysis of the TRPS and ESFAS was conducted. The assessment was applied to the sense and command and execute features of the TRPS and ESFAS used for safety-related functions.

The scope of the assessment included sensors, trip determination, signal conditioning, DC-DC converters and power supplies, and actuation logic. The single failure analysis determined that for functions requiring either one-out-of-two voting or two-out-of-three voting, a single failure of a channel will not prevent a protective action when required.

To confirm application of single failure criterion to the TRPS and ESFAS design, the NRC staff audited Rock Creek Innovations Report SMT-016-1000-64012, Failure Modes and Effects Analysis, Revision 3 and SHINE technical report TECRPT-2019-0031, Revision 3, TRPS and ESFAS Single Failure Analysis. Scope of this single failure assessment applies to the sense and command and execute features of the TRPS and ESFAS used for safety-related functions.

The actuation devices (e.g., solenoids and valve actuators) are not included in the scope of this analysis except to establish that the actuated systems include independent, redundant means of completing safety functions. Equipment feedback such as valve position is considered if used for an input to a safety function. This analysis applied the following definition of single-failure to the TRPS and ESFAS:

The TRPS and ESFAS shall perform their required functions, for a design basis event, in the presence of the following:

  • Any single detectable failures within the TRPS or ESFAS concurrent with all identifiable, but nondetectable failures
  • All failures caused by the single failure
  • All failures and spurious system actions that cause, or are caused by, the design basis event requiring the safety functions.


Based on the information in SHINE TECRPT-2019-0031, the NRC staff finds the following conclusions of this report to be consistent with TRPS and ESFAS design and therefore acceptable:

  • For functions that require 1-out-of-2 voting, a single failure of a single measurement channel or process interface division will not prevent a protective actuation when required. For functions that require 2-out-of-3 voting, a single failure of a single measurement channel or process interface division with another channel or process interface division out-of-service will not prevent a protective actuation when required and will not cause a spurious TRPS or ESFAS actuation when it is not required. The single failure criterion is satisfied for all potential failures of an instrument channel.
  • For TRPS and ESFAS functions with 1-out-of-2 voting, the protective action will be initiated if one of the two channels vote to trip. If one of the two channels fail such that it will not produce a trip, the remaining channel can initiate the required protective action. The only TRPS protective actions with 1-out-of-2 voting are for the IU Cell Safety Actuation and Fill Stop based on the TSV Fill Valve Fully Closed inputs.

The TSV Fill Valve position signals input is received into HWMs, which cannot be placed OOS by design. Administrative controls are required on ESFAS input channels for 1-out-of-2 voting functions which do not allow them to be placed OOS in order to satisfy the single failure criterion. SHINE TS actions for LCO 3.2.4 provide adequate administrative controls on ESFAS input channels for 1-out-of-2 voting functions.

  • For TRPS and ESFAS functions with 2-out-of-3 voting, the protective action will be initiated if two of the three channels vote to trip. In the 2-out-of-3 configuration, the single failure criterion is satisfied for all potential failures of an instrument channel with a redundant channel OOS with its respective trip/bypass switch in the trip position.

There is a need for administrative controls on components which are placed OOS. The TRPS and ESFAS satisfy the single failure criterion with administrative controls on OOS conditions. SHINE TS actions for LCO 3.2.3 and 3.2.4 provide adequate administrative controls on TRPS and ESFAS input channels for 2-out-of-3 voting functions.

  • For the TRPS permissives derived from two process interface inputs, administrative controls not allowing bypass of any input channels associated with the permissive are required to satisfy the single failure criterion. SHINE TS action 5 for LCO 3.2.3 provides adequate administrative controls on TRPS input channels for 1-out-of-22 voting functions.

Based on the review of the FMEA and the single failure analysis, the staff finds that the TRPS and ESFAS are capable of initiating protective actions in the presence of a single failure.

Therefore, the staff finds that the TRPS and ESFAS design meets the single failure criteria related requirements of SHINE Design Criterion 15.
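The voting conclusions above can be checked with a small model. The following is an added example, not code from the SER, the applicant or the HIPS vendor; the channel-state names are constructed, and it assumes that the "safe default value" for a missing vote is a trip vote and that a bypassed channel contributes no trip vote.

```python
from enum import Enum


class Channel(Enum):
    """State of one input channel as seen by the voter (labels constructed here)."""
    HEALTHY = "healthy"                # votes trip only when the demand is real
    FAILED_NO_TRIP = "failed_no_trip"  # the single failure under test: never votes trip
    MISSING = "missing"                # no valid vote reaches the voter
    OOS_TRIP = "oos_trip"              # out of service, trip/bypass switch in trip
    OOS_BYPASS = "oos_bypass"          # out of service, trip/bypass switch in bypass


def trip_vote(state: Channel, demand: bool) -> bool:
    """Vote that one channel contributes to the voter."""
    if state is Channel.HEALTHY:
        return demand
    if state in (Channel.MISSING, Channel.OOS_TRIP):
        # Assumption: a missing input is replaced by the safe default "trip".
        return True
    # FAILED_NO_TRIP and OOS_BYPASS never contribute a trip vote (assumption
    # for bypass; by definition for the failure mode being tested).
    return False


def actuates(states, required: int, demand: bool) -> bool:
    """M-out-of-N voter: actuate when at least `required` channels vote trip."""
    return sum(trip_vote(s, demand) for s in states) >= required


def single_failure_criterion_met(baseline, required: int) -> bool:
    """True if the protective action still occurs on demand for the baseline
    configuration and for every single fail-to-trip failure of a healthy channel."""
    cases = [tuple(baseline)]
    for i, state in enumerate(baseline):
        if state is Channel.HEALTHY:
            failed = list(baseline)
            failed[i] = Channel.FAILED_NO_TRIP
            cases.append(tuple(failed))
    return all(actuates(case, required, demand=True) for case in cases)


def survey() -> dict:
    """Evaluate the configurations discussed in the single failure analysis."""
    H, T, B, M = (Channel.HEALTHY, Channel.OOS_TRIP,
                  Channel.OOS_BYPASS, Channel.MISSING)
    configs = {
        "2oo3, all in service": ((H, H, H), 2),
        "2oo3, one OOS in trip": ((T, H, H), 2),
        "2oo3, one OOS in bypass": ((B, H, H), 2),
        "2oo3, one vote missing": ((M, H, H), 2),
        "1oo2, all in service": ((H, H), 1),
        "1oo2, one OOS in bypass": ((B, H), 1),
    }
    return {name: single_failure_criterion_met(states, required)
            for name, (states, required) in configs.items()}


if __name__ == "__main__":
    for name, ok in survey().items():
        print(f"{name:28s} single failure criterion met: {ok}")
```

The two bypass rows come out false, which is the reason the analysis relies on administrative controls for channels placed OOS.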

7.4.2.2.3 Predictability and Repeatability

SHINE FSAR section 7.4.5.2.3 states that the HIPS platform based TRPS and ESFAS design incorporates the predictability and repeatability principles outlined in the HIPS TR and meets portions of the criteria for ensuring an extremely high probability of accomplishing safety functions as required by SHINE Design Criterion 19. As discussed above, the NRC staff finds the applicant's dispositions of ASAIs 19, 56, and 59 that relate to predictability and repeatability design attributes of TRPS and ESFAS to be acceptable.

Predictability and repeatability design features of the TRPS and ESFAS are summarized in SHINE FSAR section 7.4.5.2.3.

To meet a response time performance requirement of 500 milliseconds for the HIPS parts of the TRPS and ESFAS, the HIPS platform-based system must acquire the input signal that represents the start of a response time performance requirement, perform logic processing, and generate an output signal that represents the end of a response time performance requirement. These HIPS platform response time components exclude plant process delays through the sensor input to the platform, and the output delays through a final actuating device. The required response times credited in the safety analysis for TRPS and ESFAS include the process delays through the sensor input to the SFM and the delays through the final actuating device.

TECRPT-2018-0028 figure 5-3 represents the overall timing diagram for TRPS and ESFAS.

Subsection 4.1, System Response Time, of TECRPT-2019-0048, Revision 5, TRPS System Design Description, states that total response time includes the Analog Input Delay, SFM Logic Delay, t1, t2, EIM Logic Delay, and the Analog Output Delay times. The response time of instrumentation is manufacturer and instrumentation loop dependent. The final design testing of the TRPS platform (during factory acceptance testing and site acceptance testing) will better define the actual response time.

TRPS and ESFAS process safety functions through three redundant CMs to provide error detection and fault tolerance of the safety function. The HIPS uses an independent safety logic and trip determination, using internal dedicated communication buses. The trip determinations are transmitted to the voter, which uses discrete logic to generate the system outputs. In this manner, each channel deterministically performs its function without interference from other channels or other divisions. Section 3.5, Review of Repeatability and Predictability, of the HIPS TR SER concludes that functions within the FPGA of each module are implemented with finite-state machines to achieve deterministic behavior. Deterministic behavior allows implementation of a simple communication protocol using a predefined message structure with fixed time intervals. This simple periodic communication scheme is used throughout the architecture.

Communication between SFMs and CMs is implemented through a simple and well-established RS-485 physical layer. The configurable transmit-only or receive-only ports on a CM use a physical point-to-point physical layer. Communication between modules is done asynchronously, which simplifies implementation by avoiding complex syncing techniques.

Based on the discussion above, the NRC staff finds that the TRPS and ESFAS are designed to perform their intended safety functions deterministically. Therefore, the staff finds that the TRPS and ESFAS are designed to ensure an extremely high probability of accomplishing their safety functions in the event of anticipated transients as required by SHINE Design Criterion 19.

7.4.2.2.4 Diversity

SHINE FSAR section 7.4.5.2.4, Diversity, states that the HIPS based TRPS and ESFAS design incorporates the diversity principles in the HIPS TR. The use of these diversity design principles meets portions of the criteria for diversity in SHINE Design Criterion 16. To ensure performance in the presence of a digital CCF, SHINE performed a diversity and defense-in-depth (D3) assessment of the TRPS and ESFAS to identify potential vulnerabilities to digital CCFs in TECRPT-2019-0041, Revision 3, Diversity and Defense-in-Depth Assessment of TRPS and ESFAS.


In response to RAI 7-11, the D3 assessment was performed on TRPS and ESFAS to identify potential vulnerabilities to digital-based CCFs. Additionally, the RAI response states that guidance provided in NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, is used in performing the D3 assessment of TRPS and ESFAS. This D3 assessment is based on the following factors:

  • SECY-93-087, two principal factors for defense against CCFs are the use of quality and diversity;
  • Safety-related TRPS and ESFAS are designed and manufactured under a prescribed quality assurance program that provides protection from items such as manufacturing errors and design deficiencies;
  • Digital-based CCFs in TRPS and ESFAS are considered credible but beyond design basis; and
  • BTP 7-19, a diversity strategy is used by combining diversity attributes to make an overall case for eliminating digital-based CCFs in TRPS and ESFAS from further consideration.

SHINE FSAR section 7.4.5.2.4, states the D3 assessment concludes the following:

  • Potential digital-based CCFs associated with the TRPS and ESFAS would not lead to a failure to initiate protective actions when required.
  • Potential digital-based CCFs associated with the TRPS, ESFAS, and some detectors could lead to spurious actuations without adverse impacts on safety.
  • Potential digital-based CCFs associated with most detectors would not lead to a failure to initiate protective actions when required; however, in each instance where a potential digital-based CCF could cause a failure to initiate protective actions, there exists either an alternate, automatic means of mitigating events or an alternate means for the operator to identify, initiate, and assess protective actions.

The report states that for the SHINE design, four echelons of defense identified in NUREG/CR-6303 are modified and summarized as follows:

  • Control System - The control system echelon usually consists of equipment that is used in the normal operation and routinely prevents operations in unsafe operational regimes.
  • Engineered Safety Features Actuation System - The ESF echelon (which should not be confused with the SHINE ESFAS) consists of equipment that mitigates design basis events. The ESF echelon spans across both TRPS and ESFAS.


  • Monitoring and Indicator System - The monitoring and indicator system echelon consists of sensors, safety parameter displays, data communication systems, and independent manual controls relied upon by operators to respond to operating events.

Based on the guidance in NUREG/CR-6303 for D3 assessments, the SHINE I&C architecture is sectioned off into the following blocks as described in the response to RAI 7-11:

  • Monitoring and Indication Block (Function of PICS)
  • Manual Controls Block
  • Sensor Blocks
  • Safety Blocks
  • PICS Block

The RAI 7-11 response states that the blocks are selected to represent a physical subset of equipment and software whose internal failures can be assumed not to propagate to other blocks based on respective attributes. For each of the blocks, the report identifies applicable diversity attributes both within and in between blocks.

Diversity attributes within Monitoring and Indication Block - Within this block, there are two types of displays. Displays that provide operators capability for both indication and control (operator workstation) and displays that provide indication only (main control board display).

Displays providing both indication and control receive and transmit information to components within the PICS block. The displays' different purposes and different input sources result in functional, software, and design diversity within the same block.

The NRC staff notes that there are no credited diversity attributes within the Manual Control Block. There are no credited diversity attributes within the Sensor Block I of II. Digital-based sensors in these blocks are evaluated separately. Safety Blocks include software diversity, design diversity, and functional diversity. The PICS Block provides a degree of diversity by segmenting I/O networks by system and facility location.

The diversity attributes between the blocks include, as provided in response to RAI 7-11:

Equipment diversity - Equipment diversity is the use of different equipment to perform similar safety functions. Initiation of protective actions can be done manually by operators using physical switches or done automatically by safety blocks associated with the TRPS and ESFAS. Between blocks, fundamentally different FPGA technology is used to achieve equipment diversity. At the chip level, the three FPGA types operate in fundamentally different ways during operation and programming. The FPGAs require different internal subcomponents and different manufacturing methods. FPGA equipment diversity in the form of three fundamentally different FPGA technologies when coupled with the different development tools is an effective solution for the digital-based CCF vulnerabilities present in the HIPS platform.


Design diversity - Design diversity is the use of different approaches including both software and hardware to solve the same or similar problem. To limit the potential and the consequences of a digital-based CCF, different FPGA chip architecture or different equipment manufacturers are used. The diverse FPGA technologies or manufacturers inherently have additional design diversity attributes based on the different development tools used for each FPGA technology. This equipment and tool diversity results from the different FPGA chip architectures and programming methods. The diversity in FPGA equipment, chip designs, and development tools are the fundamental methods for mitigating the potential for digital-based CCFs since these diversity attributes directly mitigate CCFs associated with a specific FPGA technology.

Human diversity - The use of different instrumentation and controls (I&C) platforms creates inherent human diversity between certain blocks. Each I&C system implements different functions with different hardware architectures. Safety blocks are primarily designed for safety-related actuation based on trip or no-trip indication. PICS is primarily designed for monitoring and control of process parameters. Monitoring and indication blocks have a primary purpose of providing information to the operator and accepting operator input. Human diversity is an implicit attribute of the FPGA equipment, chip design, and software tool diversity of the Safety Block; however, it is neither explicitly defined nor verified for this block.

Software diversity - Software diversity is a subset of design diversity and is the use of different programs designed and implemented by different development groups with different key personnel to accomplish the same safety goals.

Functional diversity - Functional diversity is introduced by having different purposes and functions between blocks. Safety blocks are associated with the TRPS and ESFAS. These blocks will initiate protective actions if operating limits are exceeded to prevent or mitigate design basis events (DBEs). Monitoring and indication blocks allow for an operator to monitor and control both safety and non-safety systems. The operator can maintain a plant within operating limits or initiate necessary protective actions. PICS provides automatic control of systems to maintain the plant within operating limits including constraining certain operational transients. Sensor blocks function to provide parameter information to the safety blocks.

Digital technology-based sensors in this D3 assessment are radiological ventilation zone, IU Cell exhaust radiation, RCA exhaust radiation, and supercell area exhaust radiation, which are evaluated for digital CCF based anomalous readings. Each TRPS has three radiation detectors while ESFAS has twenty-seven radiation detector inputs. In total, the SHINE facility has fifty-one safety-related digital-based radiation detectors.

TECRPT-2019-0041 presents the following conclusions, in part:

  • Potential digital-based CCF within Safety Block I or Safety Block II may lead to spurious initiation of protective actions within TRPS and ESFAS without adverse impacts to safety. There are no potential Type 2 digital-based CCF, failures that do not directly cause transients but are undetected until environmental effects or physical equipment failures cause a transient or design basis accident to which protective equipment may not respond, within Safety Block I, II, or II that may lead to failure of initiating protective actions for any AOO or PA. At least two other Safety Blocks remain functional, which can result in automatic alarms within the Monitoring and Indication block due to parameters deviating by a predefined amount. The PICS block will continue to monitor, alarm, and attempt to automatically correct parameter deviations. In addition, the operator always retains the capability to manually initiate all protective actions as needed.

  • A digital-based CCF of radiation detector sets may lead to spurious actuations with production impacts without adverse safety impacts.
  • A digital-based CCF of any radiation detector may cause failure to initiate protective actions; however, for each set, there exists alternate means for either the operator to identify, initiate and assess protective actions, or alternate automatic means of mitigating events.

Based on the evaluation of diversity attributes implemented in the TRPS and ESFAS design and assessment in TECRPT-2019-0041 to confirm SHINE FSAR information, the NRC staff finds that the TRPS and ESFAS design has adequate diversity that is commensurate with the potential consequences and large safety margins described in Chapter 13 of this SER. The diversity attributes comply in part with the SHINE Design Criterion 16 that requires that design techniques, such as functional diversity or diversity in component design and principles of operation, are used to the extent practical to prevent loss of the protection function. The staff recognizes that the D3 assessment applies the functional allocation of different process parameters on different SFMs as functional diversity in the context of SHINE Design Criterion 16. However, the staff notes that functional diversity is more commonly defined as the ability to protect against the same event by monitoring two different parameters to initiate protective actions, and the staff did not confirm the existence of functional diversity for all events and credited safety functions.

7.4.2.2.5 Completion of Functions

SHINE FSAR sections 7.4.3.3 and 7.5.3.2 state that the TRPS and ESFAS are designed so that once initiated, protective actions will continue to completion. Only deliberate operator action can be taken to reset the TRPS or ESFAS following a protective action.

Based on its review of the logic diagrams of SHINE FSAR figure 7.4-1, Sheets 11 through 13, and figure 7.5-1, Sheets 21 through 26, the NRC staff finds that a protective action, once initiated automatically or manually by either the TRPS or ESFAS, latches-in the actuation signal to maintain the state of a protective action until a deliberate operator action to reset the output to normal operating conditions. An enable nonsafety switch allows an operator, after the switch has been brought to enable, to control state of the TRPS and ESFAS components with a hardwired binary control signal from the nonsafety-related controls. The enable nonsafety switch is used to prevent spurious nonsafety related control signals from adversely affecting safety-related components. If the enable nonsafety switch is active, and no automatic safety actuation or manual actuation signals are present, the operator is capable of energizing or deenergizing any EIM outputs using the nonsafety-related hardwired control signals. If the enable nonsafety switch is not active, the nonsafety-related hardwired control signals are ignored. Therefore, the staff finds that all the protective actions initiated by TRPS and ESFAS are designed to continue to completion and a deliberate operator action is required to reset these protective actions.


7.4.2.2.6 Prioritization of Functions

SHINE FSAR sections 7.4.3.12 and 7.5.3.11 state that the APL in the EIM is designed to provide priority to safety-related signals over nonsafety-related signals. Division A and Division B priority logic of the TRPS and ESFAS prioritizes the automatic safety actuation and manual safety actuation over the manual control of safety components from PICS nonsafety control signals. The manual actuation signals input from the operators in the FCR are brought directly into the discrete APL. The manual safety actuation input into the priority logic does not have the ability to be bypassed and will always have equal priority to the automated actuation signal over any other signals that are present. Failures of the EIM do not defeat APL prioritization of the automatic or manual safety actuations over the PICS control signals.

Based on its review of the TRPS and ESFAS logic diagrams, SHINE FSAR figure 7.4-1, Sheets 12 and 13, and figure 7.5-1, Sheets 22 through 26, the NRC staff finds that the PICS can only control a safety-related component when the Enable Nonsafety Switch is in the Enable (E) position and no automatic safety actuation or manual safety actuation signals are present.

A non-safety control signal from the PICS is provided to the APL via the HWM, which provides electrical isolation between safety and nonsafety circuits. Therefore, the staff finds that the automatic safety actuations and manual safety actuations have priority over the manual control of safety components from PICS nonsafety control signals.
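The latch-in behavior of section 7.4.2.2.5 and the priority rules of section 7.4.2.2.6 can be modeled together as a small state machine. This is an added example, not the SHINE logic diagrams or vendor code; the class and parameter names are constructed, and it assumes that the actuated state is a de-energized output and that a reset only takes effect once no actuation signal is present.

```python
from dataclasses import dataclass


@dataclass
class ActuationPriorityLogic:
    """Behavioral model of one EIM output (names constructed for this example)."""
    latched: bool = False    # sealed-in protective action
    energized: bool = True   # assumption: de-energized is the actuated state

    def step(self, auto_actuate: bool = False, manual_actuate: bool = False,
             enable_nonsafety: bool = False, pics_energize=None,
             operator_reset: bool = False) -> bool:
        """Evaluate one logic cycle and return the output state.

        pics_energize is the nonsafety hardwired command: True, False, or
        None when PICS sends no command this cycle.
        """
        # Automatic and manual actuation have equal priority, and the manual
        # input has no bypass term anywhere in this expression.
        safety_demand = auto_actuate or manual_actuate
        if safety_demand:
            self.latched = True
        elif operator_reset:
            # Assumption: reset is honored only with no actuation signal present.
            self.latched = False

        if self.latched:
            # Safety has priority: the nonsafety command is not even consulted.
            self.energized = False
        elif enable_nonsafety and pics_energize is not None:
            # PICS controls the output only with the switch in Enable and no
            # safety actuation present.
            self.energized = pics_energize
        # Otherwise the nonsafety command is ignored and the output holds.
        return self.energized


def run_scenario() -> list:
    """Drive the model through a constructed operating sequence."""
    apl = ActuationPriorityLogic()
    return [
        # 1. Normal operation: switch in Enable, PICS energizes the output.
        apl.step(enable_nonsafety=True, pics_energize=True),
        # 2. Switch not in Enable: the PICS de-energize command is ignored.
        apl.step(enable_nonsafety=False, pics_energize=False),
        # 3. Automatic actuation overrides PICS even with the switch in Enable.
        apl.step(auto_actuate=True, enable_nonsafety=True, pics_energize=True),
        # 4. Demand clears, but the action stays latched against PICS.
        apl.step(enable_nonsafety=True, pics_energize=True),
        # 5. Reset attempted while manual actuation is asserted: no effect.
        apl.step(manual_actuate=True, operator_reset=True),
        # 6. Deliberate reset with no demand: latch clears, output holds.
        apl.step(operator_reset=True),
        # 7. PICS regains control through the Enable switch.
        apl.step(enable_nonsafety=True, pics_energize=True),
    ]


if __name__ == "__main__":
    print(run_scenario())
```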

7.4.2.2.7 Access Control

SHINE FSAR section 7.4.5.3.3 states that the HIPS platform based TRPS and ESFAS include the following access control features, which are consistent with the access control features evaluated in the safety evaluation for the HIPS TR:

  • Required use of a physical key at the main control board to prevent unauthorized use.
  • Rack mounted equipment is installed within cabinets that can be locked so access can be administratively controlled.
  • FPGAs on any of the HIPS modules cannot be modified or replaced while installed in the HIPS chassis.
  • Capability to modify modules installed in the HIPS chassis is limited to setpoints and tunable parameters that may require periodic modification.

Each division of the TRPS and ESFAS has a nonsafety-related MWS for the purpose of online monitoring and offline maintenance and calibration. The MWS supports online monitoring through one-way isolated communication ports. The MWS is used to update TRPS and ESFAS setpoints and tunable parameters only when the safety function is out of service. Access to the MWS is password protected. Physical and logical controls are put in place to prevent modifications to a safety channel when it is being relied upon to perform a safety function.

Controls are also put in place to prevent inadvertent changes to a setpoint or tunable parameter.

A temporary cable and OOS switch are required to be activated before any changes can be made to an SFM. When the safety function is removed from service, either in bypass or trip, an indication is provided in the facility control room to inform the operator. Adjustments to parameters are performed in accordance with TSs, including any that establish the minimum number of redundant safety channels that must remain operable for the applicable operating modes and conditions. The SFM includes a load switch to update the NVM parameters when setpoints are changed during maintenance.

Based on the above discussion, the NRC staff finds that the HIPS platform based TRPS and ESFAS design incorporates adequate access control features to prevent any inadvertent changes to the TRPS and ESFAS.

7.4.2.3 HIPS Design Process

SHINE FSAR section 7.4.5.4 and figure 7.4-3 describe the TRPS and ESFAS programmable logic lifecycle process. The TRPS and ESFAS are implemented on a logic-based HIPS platform that does not use traditional software or microprocessors for operation. It is composed of logic implemented using discrete components and FPGA technology. The same programmable logic development process is used for both systems. SHINE FSAR section 7.4.5.4 states that SHINE's vendor is responsible for developing and delivering the HIPS platform for TRPS and ESFAS in accordance with the vendor's programmable logic development plan (PLDP), which describes a planned and systematic approach to design, implement, test, and deliver the programmable logic for the TRPS and ESFAS. SHINE is responsible for providing oversight of the vendor, verifying deliverables are developed in accordance with approved quality and procurement documents, and maintaining the vendor as an approved supplier on the SHINE approved supplier list.

NUREG-1537, Part 1, section 7.2.1, recommends that all systems and components of the I&C systems should be designed, constructed, and tested to quality standards commensurate with the safety importance of the functions to be performed. Further, ANSI/ANS-10.4-2008, Guidelines for the Verification and Validation of Scientific and Engineering Computer Programs for the Nuclear Industry, provides guidance for the verification and validation of scientific and engineering computer programs for the nuclear industry.

The guidance on QA for design development in ANSI/ANS-15.8-1995, Quality Assurance Program Requirements for Research Reactors, recommends that the applicable design inputs, such as design bases, performance requirements, regulatory requirements, codes, and standards, be identified and documented. ANSI/ANS-15.8 further states that, for purchased items and services, the supplier is responsible for the quality of the product and must provide evidence of that quality. Further, the supplier-generated documents must be controlled, handled, and approved in accordance with established methods.

The following sections describe the system lifecycle activities and the plans used during the development of the HIPS for TRPS and ESFAS.

7.4.2.3.1 Programmable Logic Lifecycle Process

SHINE FSAR figure 7.4-3 illustrates the lifecycle process for the TRPS and ESFAS from planning through installation phases. Design interfaces are established during the design development process, and during the design review and approval process. Design interfaces are controlled in accordance with the project management plan. The design interfaces include addressing any impacts on the safety system, control console, or display instruments during the lifecycle process. The programmable logic development lifecycle consists of the following phases:

  • Planning
  • Requirements
  • Design
  • Implementation
  • Test
  • Shipment and installation

SHINE FSAR sections 7.4.5.4.2.1 through 7.4.5.4.2.6 describe these phases, which are being implemented by the vendor. The vendor is performing a programmable logic lifecycle process for HIPS core logic for developing HIPS components for the TRPS/ESFAS (reference number) design. The HIPS core logic project is being conducted independently of the TRPS and ESFAS programmable logic development project. The purpose of the HIPS core logic project is to formally develop HIPS modules/components for safety-related applications. SHINE TRPS and ESFAS are the very first safety-related applications of the HIPS platform. Successful completion of the HIPS core logic project will result in pre-developed HIPS components, a TRPS and ESFAS planning phase activity, as depicted on figure 7.4-3 of the SHINE FSAR. SHINE has delegated V&V activities related to the safety-related control system development to the vendor. The vendor Project V&V Plan is designed to detect and report errors that may have been introduced during the system development process.

IEEE Standard 1012-2004, section 4, provides guidance on selection of criticality levels for software based on its intended use and application. The software and hardware developed for the safety-related systems are classified as Software Integrity Level 2 (SIL2). The vendor Project V&V Plan for the system development was tailored and adapted for FPGA technology from the guidance in IEEE Standard 1012-2004. The V&V activities are commensurate with the expectations for SIL2 software classification. Successful completion of V&V activities is documented in a V&V summary report for each of the lifecycle phases.

Planning Phase

SHINE procurement and technical documents are inputs to the planning phase. This includes the results of the HIPS core logic development project RCI-940 performed by Rock Creek Innovations (RCI). Model-based development and verification tools are being used by RCI for developing the FPGA programmable logic for HIPS core modules, and the TRPS and ESFAS applications. Model-based software development tools are used to develop time-based block diagrams and event-based state machines, respectively. The use of these tools was audited, and the NRC staff confirmed that they were appropriate for modeling and verification of the FPGA programmable logic for HIPS core modules.

As described in section 7.4.5.4.5 of the SHINE FSAR, RCI's project V&V plan for the system development is adapted for the FPGA technology from the guidance in IEEE Standard 1012-2004, IEEE Standard for Software Verification and Validation. The V&V activities are commensurate with the expectations for a Software Integrity Level (SIL) 2 classification.

The specific validation process is described in the HIPS platform V&V plan. The NRC staff audited V&V of the core programmable logic developed for the HIPS modules, including the summary reports for the conceptual and requirements phases. The staff confirmed that the vendor is applying a reasonable V&V process for the core logic, consistent with IEEE Standard 1012-2004, including the incorporation of specific software logic into the core logic, consistent with the requirement specifications provided for TRPS and ESFAS. The staff confirmed that the vendor has completed the conceptual and requirements phases for development of the core logic for HIPS modules.

In response to the staff's Request to Confirm Information 7-15, the applicant states that the core logic for the HIPS modules will be used as safety-related pre-developed HIPS components in the TRPS and ESFAS design. The TRPS and ESFAS applications will use the latest approved version of the HIPS modules for their development, and any changes will be tracked under their development project.

The NRC staff audited the planning phase of the TRPS and ESFAS programmable logic development lifecycle activities as depicted in SHINE FSAR section 7.4.5.4.2, Programmable Logic Lifecycle Process, and figure 7.4-3, TRPS and ESFAS Programmable Logic Lifecycle Process. In the RCI system design control procedure, planning phase activities as described in the FSAR are performed in RCI's planning and system concept phases.

During the planning phase, RCI reviewed the SHINE procurement requirement specifications and design input documents, and identified design output documents and data required by the SHINE contract. During the system concept phase, RCI generated a system requirements specification (SyRS) defining the system design requirements details, and a system design specification (SyDS) defining the system design details. SHINE FSAR section 7.4.5.4.1, Planning Phase, presents the planning documents for the implementation of the programmable logic lifecycle process as follows:

  • Project PLDP
  • Project Configuration Management Plan
  • Project V&V Plan
  • Project Equipment Qualification Plan
  • Project Test Plan
  • Project Security Plan

The following system concept phase documents were created by RCI:

  • Project configuration management plan
  • Project V&V plan
  • Project EQ plan
  • Project master test plan
  • Security assessment
  • Programmable logic development plan

During the audit, the NRC staff confirmed that the vendor implemented similar planning documents for this phase consistent with SHINE FSAR section 7.4.5.4.1.

SHINE FSAR sections 7.4.5.4.5.2, Planning Phase V&V, and 7.4.5.4.5.3, Requirements Phase V&V, present the objectives of the planning and requirements phases as follows:

  • Determine that the V&V methods enable the objectives of the development standards and regulatory guidelines
  • Verify that the development processes can be applied consistently
  • Verify that each development process produces evidence that its outputs can be traced to their activity and inputs, showing the degree of independence of the activity, the environment, and the methods used
  • Compliance with system requirements
  • Accuracy and consistency
  • Compatibility with the target hardware
  • Testability
  • Conformance to applicable standards and procedures
  • Traceability

RCI performed the following V&V tasks during the concept phase:

  • System requirements review
  • Concept documentation evaluation
  • Criticality analysis
  • Traceability analysis
  • Management review of the V&V effort

During the audit, the NRC staff confirmed that the vendor performed similar V&V tasks to support the objectives in SHINE FSAR sections 7.4.5.4.5.2 and 7.4.5.3.5.3.

RCI's planning/concept phase development activities for the TRPS and ESFAS are similar to SHINE FSAR section 7.4.5.4.2.1, Planning Phase. The NRC staff finds the TRPS and ESFAS planning phase development activities meet the objectives of ANSI/ANS-10.4-2008 and IEEE Standard 7-4.3.2. Results of this audit are documented in the audit report (MLxxxxxxxxx), which confirms that RCI's TRPS and ESFAS planning and concept phase development activities are consistent with the development process defined in SHINE FSAR sections 7.4.5.4.2.1 and 7.4.5.4.2.2.

Requirements Phase

During the requirements phase, a programmable logic requirements specification (PLRS) is generated to translate the conformed design specification into project-specific programmable logic requirements.

FSAR section 7.4.5.4.5 describes the verification and validation (V&V) process, which is performed at the end of each lifecycle phase. RCI's project V&V plan for the system development is adapted for the FPGA technology from the guidance in IEEE Standard 1012-2004. The V&V activities are commensurate with the expectations for a Software Integrity Level (SIL) 2 classification. The staff audited the RCI project master test plan, which describes the TRPS and ESFAS hardware and programmable logic testing. The staff confirmed that the test activities in the master test plan are consistent with IEEE Standard 1012-2004 and IEEE Standard 829-2008, IEEE Standard for Software and System Test Documentation.

Additionally, as described in section 7.4.5.4.5 of the SHINE FSAR, V&V personnel review each design output at the end of its lifecycle phase prior to approving the deliverables, and test procedures are prepared by the V&V personnel based on the project traceability matrix to assure that each requirement is adequately tested.

The NRC staff audited the programmable logic requirements phase of the TRPS and ESFAS development lifecycle activities consistent with SHINE FSAR section 7.4.5.4.2 and figure 7.4-3. According to RCI's system design control procedure, a TRPS and ESFAS system programmable logic requirements specification (PLRS) is developed that translates the programmable logic requirements from the conforming specifications into project-specific design requirements. The PLRS is organized consistent with the guidance in IEEE Standard 830-1998, IEEE Recommended Practice for Software Requirements Specifications. Consistent with the objectives of SHINE FSAR section 7.4.5.4.5.3, the staff confirmed during the audit that the vendor performed similar V&V tasks during the programmable logic requirement phase.

RCI performed the following V&V tasks during the programmable logic requirement phase:

  • Evaluation of programmable logic requirements (software requirements) for each HIPS module used in the TRPS and ESFAS architecture
  • Traceability analysis
  • Interface analysis
  • Management review of the V&V effort

During the audit, the NRC staff noted that RCI identified several anomalies during the V&V of the system requirement phase; the V&V summary report recommends proceeding to the next development phase and requires dispositioning of the anomalies before completion of the PL design phase. The staff sampled a number of key anomalies and did not identify any significant issues that would prevent proceeding to the next development phase.

During the audit, the NRC staff noted a discrepancy between SHINE FSAR figure 7.4-3 and RCI's system design control procedure. The SHINE FSAR figure shows development of the test plans during the requirement phase, whereas RCI's procedure calls for developing the test plans during the design phase. The staff confirmed this error in response to the staff's Request to Confirm Information 7-11. Based on the information and results reviewed in the system requirement phase audit, the staff has reasonable assurance that the TRPS and ESFAS PL requirement phase development activities meet the objectives of ANSI/ANS-10.4-2008 and IEEE Standard 7-4.3.2. Results of this audit are documented in the audit report (MLxxxxxx), which concludes that RCI's TRPS and ESFAS PL requirement phase development activities are consistent with the development process defined in SHINE FSAR section 7.4.5.4.2.2.

Design Phase

The SHINE FSAR states that a hardware design specification is generated to define the system hardware requirements and design details. The hardware design specification is generated in accordance with the vendor hardware design specification development procedure. A programmable logic design specification (PLDS) is generated to translate the PLRS into a description of the functional requirements, a description of the system or component architecture, and a description of the control logic, data structures, input/output formats, interface descriptions, and algorithms. Design tests are performed to validate that the design meets the system requirements in accordance with the vendor test control procedure. The NRC staff confirmed during the audit that the design phase process described in SHINE FSAR section 7.4.5.4.2.3 is consistent with the vendor's system design phase procedure.

Implementation Phase

The SHINE FSAR states that the HIPS platform hardware and programmable logic components are integrated into the project during this phase to provide the target hardware and incorporate the HIPS platform programmable logic that has been previously designed, developed, tested, qualified, and implemented. The implementation phase V&V summary report documents the implementation phase exit. If control point exit criteria are not met, a conditional release can be issued in accordance with the vendor conditional release procedure prior to beginning test phase activities. The NRC staff confirmed during the audit that the implementation phase process described in SHINE FSAR section 7.4.5.4.2.4 is consistent with the vendor's system implementation phase procedure.

Test Phase

The SHINE FSAR states that the test phase is the validation phase. Outputs from this phase, which are requirements of the project, are completed prior to test phase exit. Verification that test phase tasks are complete and output documents are approved serves as the control point to transition the project from the test phase to the shipment phase. The purpose of the test phase V&V is to uncover errors that may have been introduced during the development processes. Testing objectives include the development and execution of test cases and procedures to verify the following:

  • Code complies with the PLRS
  • Code complies with the PLDS
  • Code is robust
  • Code complies with the target hardware

The test phase V&V summary report documents the test phase exit. Approved documents are placed into configuration management prior to test phase exit. The NRC staff confirmed during the audit that the test phase process described in SHINE FSAR section 7.4.5.4.2.5 is consistent with the vendor's test phase procedure.

Shipment Phase and Installation

The SHINE FSAR states that the shipment phase prepares the system for shipment and ships the system to SHINE. Output documents from this phase are completed prior to shipment phase exit. The shipment phase V&V summary report is completed. The final V&V report documents the completed project V&V activities. Shipment phase documents are verified to be complete and approved documents are placed into configuration management prior to shipment phase exit.

Systems are installed and site acceptance tests are performed in accordance with written plans and instructions prepared and controlled under the installer's quality assurance program. SHINE is responsible for providing oversight of the installer and maintaining the installer as an approved supplier on the SHINE approved supplier list.

Programmable Logic Regression Analysis

SHINE FSAR section 7.4.5.4.3 states that whenever a modification is made to the PLRS and PLDS, a regression analysis is necessary to determine what V&V activities to perform. Also, a regression analysis is performed if changes are made to previously tested programmable logic to determine the impact to all parts of the system.

Project Requirements Traceability Matrix

A system requirements traceability matrix is developed during each of the project phases by the vendor. The system requirements traceability matrix is used to generate comprehensive validation test procedures that ensure that each requirement is adequately tested and meets the system requirements. SHINE FSAR section 7.4.5.4.7 describes independent testing that includes factory acceptance testing (FAT) and development of the test phase V&V summary report.
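
The traceability and regression analyses described in the two paragraphs above can be sketched as checks over a trace graph. This is an added example, not code from the SHINE FSAR, RCI, or the NRC; the item identifiers (SyRS-, PLRS-, PLDS-, TC-), the link data, and the rule that requirements sharing an impacted design element are re-verified are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data (hypothetical identifiers, not from any SHINE or RCI document).
# Prefixes: SyRS = system requirement, PLRS = programmable logic requirement,
# PLDS = programmable logic design element, TC = validation test case.
ITEMS = [
    "SyRS-001", "SyRS-002",
    "PLRS-010", "PLRS-011", "PLRS-012", "PLRS-013",
    "PLDS-100", "PLDS-101", "PLDS-102",
    "TC-500", "TC-501", "TC-502", "TC-503",
]
# Each link is (upstream item, downstream item derived from or verifying it).
TRACE_LINKS = [
    ("SyRS-001", "PLRS-010"), ("SyRS-001", "PLRS-011"),
    ("SyRS-002", "PLRS-012"), ("SyRS-002", "PLRS-013"),
    ("PLRS-010", "PLDS-100"), ("PLRS-011", "PLDS-100"),
    ("PLRS-011", "PLDS-101"), ("PLRS-012", "PLDS-102"),
    ("PLDS-100", "TC-500"), ("PLDS-101", "TC-501"),
    ("PLRS-010", "TC-502"),
]


def level(item):
    """Return the document level encoded in the identifier prefix."""
    return item.split("-", 1)[0]


def build(links):
    """Index the links in both directions: downstream and upstream."""
    down, up = defaultdict(set), defaultdict(set)
    for parent, child in links:
        down[parent].add(child)
        up[child].add(parent)
    return down, up


def reachable(start, edges):
    """Breadth-first search: every item reachable from the start items."""
    seen, queue = set(), deque(start)
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def untested_requirements(items, links):
    """PLRS requirements with no test case anywhere downstream."""
    down, _ = build(links)
    return sorted(
        i for i in items
        if level(i) == "PLRS"
        and not any(level(d) == "TC" for d in reachable([i], down))
    )


def orphans(items, links):
    """Items below the top level that trace back to nothing."""
    _, up = build(links)
    return sorted(i for i in items if level(i) != "SyRS" and not up.get(i))


def regression_scope(changed, links):
    """Design elements, requirements and tests touched by a change.

    Assumed policy: a requirement that shares an impacted design element
    with the changed item is re-verified with all of its tests.
    """
    down, up = build(links)
    impacted = set(changed) | reachable(changed, down)
    design = {i for i in impacted if level(i) == "PLDS"}
    reqs = {i for i in impacted if level(i) == "PLRS"}
    for element in design:
        reqs |= {p for p in up.get(element, ()) if level(p) == "PLRS"}
    tests = {i for i in impacted | reachable(reqs, down) if level(i) == "TC"}
    return {
        "design": sorted(design),
        "requirements": sorted(reqs),
        "tests": sorted(tests),
    }


if __name__ == "__main__":
    print("Untested requirements:", untested_requirements(ITEMS, TRACE_LINKS))
    print("Orphan items:", orphans(ITEMS, TRACE_LINKS))
    print("Scope of change to PLRS-011:", regression_scope(["PLRS-011"], TRACE_LINKS))
```

In the sample data, changing PLRS-011 pulls in TC-502 even though that test traces only to PLRS-010, because both requirements are implemented by the shared design element PLDS-100.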

Configuration Management

Section 7.4.5.4.6 of the SHINE FSAR describes configuration management of HIPS platform development activities. Configuration management for developing the TRPS and ESFAS applications on the HIPS platform has been delegated to RCI and applies to data and documentation used to produce, verify, test, and show compliance with the programmable logic used in the system. As presented in SHINE FSAR section 7.4.5.4.6, any changes to baselined configuration items are planned, documented, approved, and tracked in accordance with a change control process. The NRC staff finds that the configuration management will ensure any changes to the system and/or configuration of the logic are maintained and documented. The staff audited RCI's HIPS platform configuration management plan that applies to the programmable logic and hardware-related documentation developed for HIPS platform applications to confirm the information in SHINE FSAR section 7.4.5.4.6. The staff notes that this project configuration management plan (PCMP) was developed using guidance from RG 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, and IEEE Standard 828-2005, Standard for Software Configuration Management Plans. The staff confirmed that item storage and management, including version control, revision control, traceability, and baselining, was appropriately considered in the PCMP. Specifically, RCI uses a commercial configuration management software tool for configuration item storage and management; this software ensures that all files in the project are revision controlled and traceable.

Section 7.4.5.4.6.1 of the SHINE FSAR states that the programmable logic design models are one item under configuration management. Each item under configuration management needs to be identified, which includes, in part, facilitation of tracking and assigning of version numbers. During the audit of the PCMP, the NRC staff confirmed that, when using the model-based software development tool set in the programmable logic development process, the design models are developed with the appropriate mechanisms to ensure assignment of version numbers and tracking to maintain appropriate configuration control of the design models.

Additionally, the PCMP describes the configuration management resources, which provides additional assurance of reasonable configuration management.

Based on the description in SHINE FSAR section 7.4.5.4.6, confirmed in part by the audit of the RCI PCMP, the NRC staff finds that RCI's configuration management of the HIPS application of TRPS and ESFAS is consistent with the configuration management objectives and process described in SHINE FSAR section 7.4.5.4.6 and meets the requirements of ANSI/ANS-15.8-1995.

7.4.2.3.2 Conclusion for HIPS Design Process

Based on review of the information provided in the SHINE FSAR and audit of the TRPS and ESFAS programmable logic development activities, the NRC staff determined that the vendor established and followed a clear and robust software development process for the planning and requirements phase of TRPS and ESFAS development. In addition, the vendor performed the V&V activities described in the V&V plan. The results of these activities are recorded in the V&V summary reports.

The HIPS vendor created a project V&V plan. This plan describes V&V activities performed during each phase of the lifecycle process. In SHINE FSAR section 7.4.5.4.5, the applicant noted that because the HIPS platform is based on FPGA technology, the vendor tailored and adapted the guidance in IEEE Standard 1012-2004 to the V&V activities necessary for the TRPS and ESFAS. The NRC staff agrees that the SIL 2 software integrity level for TRPS and ESFAS is acceptable, commensurate with the design features and safety importance of the TRPS/ESFAS, including consideration of the potential radiological consequences and the safety margins associated with the accident analyses that credit TRPS and ESFAS functions, as described in Chapter 13 of this SER. Therefore, V&V activities are commensurate with the expectations for a SIL 2 classification, as described in IEEE Standard 1012-2004. The vendor performed the system conceptual and requirements phase V&V activities described in the V&V plan and that were accepted by the applicant. Based on the V&V results of the conceptual and requirements phases, along with the V&V activities for the remaining system development phases described in RCI's project V&V plan, the staff has reasonable assurance that design, implementation, and testing can be successfully completed by the vendor. Results of these phases will be subject to NRC inspection oversight.

Therefore, the NRC staff finds that the system development process and documents for the TRPS and ESFAS for the SHINE facility meet the design acceptance criteria for a structured development process for safety systems in NUREG-1537, including acceptance criteria that apply to non-power reactor DI&C systems from the guidance and industry standards for digital upgrades referenced in Chapter 7 of NUREG-1537.

7.4.2.4 Conclusion

The NRC staff has reasonable assurance that the HIPS digital I&C platform used to implement TRPS and ESFAS is designed to be consistent with the approved HIPS TR and incorporates the fundamental design principles of independence, redundancy, predictability and repeatability, and diversity. The staff has reasonable assurance that the system will be developed and tested to demonstrate quality and reliability commensurate with the safety importance of the functions, in consideration of the safety margins associated with the accident analyses that credit TRPS and ESFAS functions as described in Chapter 13 of the SER. The staff also finds that the HIPS design meets the applicable portions of the SHINE Design Criteria 15, 16, and 19. Therefore, the staff concludes that the HIPS platform used to implement TRPS and ESFAS is capable of performing the allocated design basis safety function under postulated conditions.

7.4.3 Process Integrated Control System

The NRC staff evaluated the sufficiency of the SHINE facility PICS, as described in SHINE FSAR section 7.3, Process Integrated Control System, using the applicable guidance and acceptance criteria from section 7.3, Reactor Control System, of NUREG-1537, Parts 1 and 2, and section 7b.3, Process Control Systems, of the ISG augmenting NUREG-1537, Part 2.

NUREG-1537, Part 1, includes an assumed I&C system architecture:

The [protection system] should monitor selected operating parameters [and] is designed to ensure [facility] and personnel safety by limiting parameters to operate within analyzed operating ranges. The [protection system] can also give the [engineered safety features actuation system (ESFAS)] information for the operation of ESFs when the instruments indicate that abnormal or accident conditions could occur. The [operational control system(s)] may monitor many of the same parameters as the [safety systems] and give information for automatic or manual control of the operating conditions... The facility instruments present operating parameter and system status information to the operator for monitoring operation and for deciding on manual control actions to be taken. Instrument systems are the means through which automatic or operator control actions are transmitted for execution by the [operational control system(s)]. Radiation instruments show radiation levels in selected areas in the [facility] and could give data to the [safety systems(s)] to help in the control of personnel radiation exposure, or monitor the release of radioactive material from the [facility].

For the SHINE facility, the PICS includes the operational control system, instrument systems, and control console described in NUREG-1537, Part 1. The safety systems and the radiation monitors are considered separate systems in this SER.

7.4.3.1 System Description

The PICS is a distributed control system to monitor and control the various processes in the irradiation facility (IF) and radioisotope production facility (RPF). PICS includes the main control board, operator and supervisor workstations, and associated control cabinets.

The PICS interfaces with other controllers or systems, supplied for several pieces of equipment and components, to maintain the operating characteristics and parameters of the facility irradiation units and radioisotope production facility as further described in section 4 of the SER. SHINE FSAR figure 7.3-1, Process Integrated Control System Architecture, depicts the PICS system architectures, including the vendor-provided control systems, and the control console and displays. SHINE FSAR section 7.3.1 describes these systems, and this description was considered during an audit when SMT20A-FS-001, Revision 1, System Architecture Functional Specification SHINE Process Integrated Control System, was confirmed to be consistent with the SHINE FSAR description. The PICS system network routes signals to the main distribution switch located in the server room. Information from the facility control room, remote input/output cabinets, remote human machine interface panels, programmable logic controllers, vendor-provided control systems, and virtual machines communicates through the main distribution switch with a combination of copper cabling and fiber optic cabling. Some key aspects associated with PICS that are described in other FSAR sections are summarized below.

Main Control Board

The main control board consists of a console, static display screens, and manual actuation interfaces. The configuration of the main control board is shown in SHINE FSAR figure 7.6-2.

The main control board contains eight sections, each containing one column of displays dedicated to a single irradiation unit (IU). This board also includes a ninth section containing two columns of displays dedicated to the facility status. Each column includes three static display screens to display safety functions of the IU cells and other facility processes, so the operator can easily verify the status of the SHINE facility. In addition, these columns include manual actuation devices and the enable nonsafety switch (labeled E/D). The facility status section includes the facility master operating permissive (labeled O/S).

Operator Workstation

The operator workstations consist of display screens and human interface equipment to operate the PICS and NDAS. This workstation consists of four desks, two for the PICS and two for the NDAS controls. SHINE FSAR figure 7.6-1 also shows the layout of the operator workstation.

Both PICS workstations can display any screens about the operation in the SHINE facility. However, only one workstation is assigned to manipulate the controls necessary for operation, while the other can only monitor. The PICS allows for the transfer of controls between the PICS workstations and to the supervisor workstation, if necessary. In addition, a limited set of control functions can be transferred to the PICS local control stations. Only one workstation (operator, supervisor, or local) is allowed to input control commands to a particular component at any time.

The PICS workstation includes the screens to operate and monitor the facility. The operator uses the IU screen to advance the modes of operation for the IUs. Also, one of the screens is configured to always display alarms present in the facility.

The NDAS workstations are used to monitor and operate the neutron drivers for each IU cell. These workstations can only send commands to the NDAS control system, as long as the PICS permissive is satisfied.

Supervisor Workstation

The supervisor workstation is similar to the PICS operator workstations and may be used to control a process or IU but is normally used for monitoring facility status only. The supervisor station does not have any NDAS control capabilities.

Maintenance Workstation

Although not part of PICS, there are two maintenance workstations for the TRPS and ESFAS. These workstations will be used to perform maintenance and modify tunable parameters, including setpoints of the TRPS or ESFAS. This update is done through a temporary connection to the monitoring and indication communication module of the associated division. Each workstation is assigned to Division A or Division B; for Division C, the SHINE staff would use the workstation assigned to Division A. The workstations are in the facility control room, one inside the Division A TRPS cabinet and the other inside the Division B TRPS cabinet. SHINE FSAR figure 7.6-3 shows the location of the workstation within the cabinet.

The PICS also includes an engineering workstation located in the PICS server room, which is used to perform system administrator functions.

7.4.3.2 EVALUATION OF PICS DESIGN CRITERIA

SHINE FSAR Chapter 3.1, Design Criteria, states:

Safety-related SSCs at SHINE are those physical SSCs whose intended functions are to prevent accidents that could cause undue risk to health and safety of workers and the public; and to control or mitigate the consequences of such accidents.

SHINE FSAR Chapter 3, Design of Structures, Systems, and Components, section 3.1, Design Criteria, table 3.1-2, Nonsafety-Related Structures, Systems, and Components, and SHINE FSAR section 7.3.2, Design Criteria, identify the design criterion for PICS, which is classified as nonsafety-related.

The NRC staff concludes that: (1) PICS does not include functions intended to prevent accidents, (2) PICS cannot cause undue risk to the health and safety of workers and the public, and (3) PICS does not control or mitigate the consequences of accidents. The evaluation of PICS documented below is based on this conclusion.

7.4.3.2.1 SHINE Facility Design Criteria

The SHINE design criteria establish the necessary design, fabrication, construction, testing, and performance requirements for structures, systems, and components important to safety that provide reasonable assurance that the SHINE facility can be operated without undue risk to the health and safety of the public. Section 50.34(a)(3)(ii) of 10 CFR requires the applicant to describe the design bases and the relation of the design bases to the principal design criteria, and 10 CFR 50.34(b) requires updating the information to take into account any pertinent information developed since the submittal of the preliminary SAR.

By letter dated April 22, 2022, the response to RAI 7-49 states:

SHINE Design Criteria 3 and 6 are applicable to the process integrated control system (PICS). SHINE does not rely on the PICS to satisfy SHINE Design Criteria 1, 2, 4, 5, 7, and 8. SHINE has revised Subsections 7.3.2.1 and 7.6.2 of the FSAR to describe the relationship between the PICS design basis to SHINE Design Criteria 3 and 6.

These two design criteria below are copied from SHINE FSAR Chapter 3.1.

Criterion 3 - Fire protection

Safety-related SSCs are designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions.

Noncombustible and heat resistant materials are used wherever practical throughout the facility, particularly in locations such as confinement boundaries and the control room.

Fire detection and suppression systems of appropriate capacity and capability are provided and designed to minimize the adverse effects of fires on safety-related SSCs. Firefighting systems are designed to ensure that their rupture or inadvertent operation does not significantly impair the safety capability of these SSCs.

The NRC staff evaluation of the fire protection program (and any specific crediting of SSCs) found in SHINE FSAR section 9a2.3, Fire Protection Systems and Programs, is addressed in the Fire Protection section of this SER.

Criterion 6 - Control room

A control room is provided from which actions can be taken to operate the irradiation units safely under normal conditions and to perform required operator actions under postulated accident conditions.

The NRC staff evaluation of the suitability of the control room for operations (and any specific crediting of SSCs) is found in section 7.9 of this SER.

SHINE FSAR table 3.1-2 and section 7.3.2.1 state that the SHINE facility design criterion 13 applies to the PICS.

SHINE Design Criterion 13 - Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated transients, and for postulated accidents as appropriate to ensure adequate safety, including those variables and systems that can affect the fission process, the integrity of the primary system boundary, the primary confinement and its associated systems, and the process confinement boundary and its associated systems. Appropriate controls are provided to maintain these variables and systems within prescribed operating ranges.

SHINE FSAR section 7.3.1 describes the PICS functions, as well as the systems that interface with it; specifically, section 7.3.1 describes the Monitoring and Alarms, Control Functions, and Interlocks and Permissives of the PICS with respect to the specific systems identified.

Furthermore, PICS interfaces with the safety-related TRPS, ESFAS, NFDS, and radiation monitors. SHINE FSAR tables 7.4-1 and 7.5-1 identify the monitored variables for the TRPS and ESFAS. SHINE FSAR tables 7.7-1 through 7.7-3 identify the radiation monitors installed in the SHINE facility. The monitored variables and instrument ranges for the safety-related radiation monitors are identified in FSAR tables 7.4-1 and 7.5-1. SHINE FSAR section 7.8.3.1 describes the monitored variables for the NFDS, including instrument operational ranges and analytical limits. SHINE FSAR table 7.4-1 also identifies monitored variables and instrument ranges for the NFDS.

SHINE FSAR section 4a2.8.6, Radiation and Hydrogen Concentration Control/Monitoring, states that The TOGS is designed to maintain hydrogen concentrations at or less than 2 percent during normal operation and if the hydrogen concentration exceeds 2.5 percent by volume, an alarm alerts the operator to take action. SHINE FSAR section 7.3.1.1.2, Target Solution Vessel Off-Gas System, describes that PICS directly monitors and provides alarms for TOGS hydrogen concentration. High measured hydrogen concentration is addressed only by the control system, and not directly by protection system functions. However, the TRPS initiates an IU Cell Nitrogen Purge when monitored variables indicate a loss of hydrogen recombination capability in the IU (see SHINE FSAR sections 7.4.4.1.10, 7.4.4.1.11, and 7.4.4.1.12). An IU Cell Nitrogen Purge results in purging the primary system boundary for the affected IU with nitrogen.

The NRC staff did not review or evaluate the PICS equipment design to determine the adequacy of the control systems to maintain the required variables within operational limits during facility operation; however, the NRC staff verified that the impact of control system failures is appropriately considered in the accident analyses and is addressed by the protection systems. Based on the system description, confirmed in part by the NRC staff observations of the equipment during an audit where TECRPT-2022-0033 Revision 0, Evaluation of Indirect Safety Impacts of Multiple PICS Failures, was confirmed to support the statements made in SHINE FSAR section 7.3.2.2.4, Effects of Control System Operation/Failures, the NRC staff finds that the PICS is designed to meet the design acceptance criteria in the guidance in section 7.3 of NUREG 1537, Part 2, that the instrumentation is designed to provide continuous indication of the neutron flux over the licensed power range in the irradiation units and entire expected range of the monitored process variables for both the IRs and production facility as defined in SHINE TS, and that alarms and/or indications will be provided.

7.4.3.2.2 PICS System Design Criteria

SHINE FSAR section 7.3.2.2 provides PICS design criteria that will be incorporated into the PICS design and implementation. The staff reviewed the design criteria and attributes of the PICS, as described below, as part of the basis for verifying appropriate controls can be designed and implemented for PICS and consistent with the acceptance criteria in section 7.3 of NUREG-1537 to the extent practical. The NRC staff did not independently review or confirm specific PICS design features, programming logic, or other configurations (e.g., typically developed in the requirements or implementation phase) that demonstrate how the attributes are achieved.

7.4.3.2.2.1 Access Control

SHINE FSAR chapter 3.1, Design Criteria, states that design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable SHINE FSAR chapter describing those SSCs. SHINE FSAR section 7.3.2.2.1 includes PICS Criterion 1. SHINE FSAR section 7.6.2.2.1 includes PICS Criterion 10 for control consoles and displays.

PICS Criterion 1 - The PICS design shall incorporate design or administrative controls to prevent/limit unauthorized physical and electronic access to critical digital assets (CDAs) during the operational phase, including the transition from development to operations. CDAs are defined as digital systems and devices that are used to perform or support, among other things, physical security and access control, safety-related functions, and reactivity control.

PICS Criterion 10 - The operator workstation and main control board design shall incorporate design or administrative controls to prevent or limit unauthorized physical and electronic access to critical digital assets (CDAs) during the operational phase, including the transition from development to operations. CDAs are defined as digital systems and devices that are used to perform or support, among other things, physical security and access control, safety-related functions, and reactivity control.

SHINE FSAR Section 7.3.5 describes how SHINE performs access control and cyber security and states that the PICS and other vendor-provided nonsafety-related control systems do not allow remote access, and that the PICS and other vendor-provided nonsafety-related control systems do not use any wireless interface capabilities for control functions. SHINE FSAR Section 7.6.3.4 describes access control for the facility control room and the facility control systems and states that to use PICS, operators need to request authorization and set up a personal username and password.

Since PICS does not allow remote or wireless access, the NRC staff concludes the PICS design includes design features to allow administrative control of access during operation. The specific administrative controls employed are addressed as part of the cyber security assessment.

7.4.3.2.2.2 Software Requirements Development

SHINE FSAR Chapter 3.1, Design Criteria, states that design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable SHINE FSAR Chapter describing those SSCs. SHINE FSAR section 7.3.2.2.2 includes PICS Criteria 2, 3, and 4.

PICS Criterion 2 - A structured process, which is commensurate with the risk associated with its failure or malfunction and the potential for the failures challenging safety systems, shall be used in developing software for the PICS.

PICS Criterion 3 - The PICS software development lifecycle process requirements shall be described and documented in appropriate plans which shall address verification and validation (V&V) and configuration control activities.

PICS Criterion 4 - The configuration control process shall assure that the required PICS hardware and software are installed in the appropriate system configuration and ensure that the correct version of the software/firmware is installed in the correct hardware components.

SHINE FSAR Section 7.3.2.2.2 describes how SHINE met these criteria. Also, SHINE FSAR Section 7.3.3.4 describes the development process followed for PICS, the neutron driver assembly system (NDAS), and third-party developed systems (e.g., the radioactive liquid waste immobilization (RLWI) system).

ANSI/ANS 10.4-2008 provides guidance for the verification and validation of scientific and engineering computer programs for the nuclear industry. Section 9 of the standard recommends that the test results for the V&V activities during the installation phase be documented and reported as specified in the V&V Plan and, if the findings necessitate any retesting or revision of the test report, the updated test results should be verified again before final program acceptance.

SHINE FSAR Section 7.3.3.4 states that the PICS validation master plan describes the V&V activities.

The NRC staff evaluated the PICS and other non-safety related I&C systems design using the design basis acceptance criteria identified in Section 3.1, Design Criteria, and Section 7.3, Reactor Control System, of NUREG 1537, Part 2. While NUREG-1537 Part 2 provides criteria for verifying that the hardware and software for control systems should meet the guidelines of IEEE Standard 7-4.3.2-1993, IEEE Standard Design Criteria for Digital Computer Systems in Safety Systems of Nuclear Power Generation Stations, the staff agrees with the use of ANSI/ANS 10.4-2008 for testing V&V activities given the function of the PICS, associated failure analysis provided for the system (see section 7.4.3.2.2.4), and safety margins described in Section 13 of this SER. Based on the information provided by the licensee and reviewed by the NRC staff, the NRC staff finds that PICS and other non-safety related I&C systems design results in a reliable, redundant and fail-safe system that helps ensure continued operation of the facility within the SL and LSSS established in the SHINE TSs, assuming the final design implementation and testing of the PICS conforms to the PICS criteria and design attributes described in SHINE FSAR Section 7.3.

7.4.3.2.2.3 Fail Safe

SHINE FSAR chapter 3.1, Design Criteria, states that design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable FSAR chapter describing those SSCs. SHINE FSAR section 7.3.2.2.3 includes PICS Criterion 5.

PICS Criterion 5 - The PICS shall assume a defined safe state with loss of electrical power to the PICS.

The fail-safe design acceptance criteria of NUREG 1537 ensure that, on loss of power, the control system and associated equipment are designed to assume a safe state and will enable safe reactor shutdown.

SHINE FSAR Sections 7.3.3.6 and 7.6.3.5 note that there are local batteries for the PICS servers, the operator workstations, and the main control to continue operating for at least 10 minutes after power is lost. If power is not restored to PICS within this time, the PICS control outputs open and all controlled components will transition to their safe states, as confirmed during the audit discussion of Topic 1 Bullet 3. In addition, in case normal power is interrupted, the SGS will provide backup power to PICS. SHINE FSAR Section 7.3.3.6 states that SGS requires five minutes to start. Finally, SHINE FSAR sections 7.3.2.2.3 and 7.3.3.6 state that components controlled by the PICS assume a defined safe state on loss of electrical power. Fail-safe states are also discussed in the component classification and HAZOP processes when they are relevant to consequences of concern. PICS will not attempt to reposition those components upon detecting they have gone to their safe state, as confirmed during the audit discussion of Topic 1 Bullet 3.

Based on the above information provided in the SHINE FSAR, the NRC staff finds that the licensee's implementation of fail-safe acceptance criteria for the PICS is acceptable. The PICS design includes methods for its components to assume a safe state on loss of electrical power.

7.4.3.2.2.4 Effects of Control System Operation/Failures

Effects of Control Failures on TRPS and ESFAS safety functions

SHINE FSAR chapter 3.1, Design Criteria, states that design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable FSAR chapter describing those SSCs. SHINE FSAR section 7.3.2.2.4 includes PICS Criterion 6.

PICS Criterion 6 - The PICS shall be designed so that it cannot fail or operate in a mode that could prevent the TRPS or ESFAS from performing its designated functions.

SHINE FSAR section 7.3.2.2.4 describes that any non-safety related signal transmitted from PICS to the TRPS and/or ESFAS won't interfere with their operation. SHINE FSAR sections 7.4.3.4 and 7.5.3.4 describe the communication mechanisms between PICS and TRPS and ESFAS, respectively. In addition, SHINE FSAR section 7.6.4.5 provides additional descriptions for these communications. Finally, the response to RAI 7-9 (c) states:

There are no sensor outputs that have both a target solution vessel (TSV) reactivity protection system (TRPS) safety-related protection function and a nonsafety-related control function. As described in Subsection 7.5.2.1.6 of the FSAR, there are no sensor outputs that have both an engineered safety features actuation system (ESFAS) safety-related protection function and a nonsafety-related control function.

SHINE has revised Subsections 7.3.1.1.2 and 7.4.2.1.6 of the FSAR to clarify that there are no sensor outputs that have both a TRPS protection function and a nonsafety-related control function.

SHINE FSAR section 7.3.1.3.11, Target Solution Vessel Reactivity Protection System and Engineered Safety Features Actuation System, (provided in Supplement 23 by letter dated June 10, 2022) states:

Safety-related components that are capable of being actuated by the TRPS or ESFAS, but also have a nonsafety-related function related to production, achieve their safe state by having power removed. PICS controls these components directly by cycling power through the use of relays and contacts and does not send a signal to the TRPS or ESFAS during these normal operations. Should a safety actuation be required, the TRPS or ESFAS opens a contact in series with the power supply to the component, causing it to achieve its safe state regardless of the control signal from the PICS. Following the safety actuation, the PICS provides a nonsafety-related control signal to the TRPS or ESFAS to allow for component repositioning. The actuation and priority logic (APL) in the TRPS or ESFAS processes these signals based upon the position of the enable nonsafety switch.

Safety-related components that are capable of being actuated by the TRPS or ESFAS and do not have a nonsafety-related production function are not controlled directly by PICS. Following the safety actuation, the PICS sends a nonsafety-related control signal to the TRPS or ESFAS and the APL in the TRPS or ESFAS processes this signal based upon the position of the enable nonsafety switch. If not prevented by higher priority inputs to the APL, the TRPS or ESFAS will position the component as requested by the PICS.

SHINE also stated that the FMEA for ESFAS and TRPS evaluates the interfaces with PICS for any direct impacts and ensures that no failures within the PICS system could directly impact the ability of TRPS or ESFAS to perform their functions.

The NRC staff evaluated the PICS failures using the acceptance criteria identified in section 3.1 Design Criteria, and section 7.3, Reactor Control System, of NUREG 1537, Part 2. For this review, acceptance criteria of NUREG 1537 specify that the systems should assume a safe state, enable safe reactor shutdown, and not prevent the TRPS or ESFAS from performing their designed safety functions in the case of control system action or inaction. Conceptually, this design is the same as that for many reactor-rod-control systems for safe shutdown.

Therefore, the NRC staff has reasonable assurance that this design is adequate for ensuring that PICS cannot fail in a mode that would prevent the TRPS or ESFAS from performing their safety functions, assuming the final design implementation and testing of the PICS conforms to the PICS criteria and design attributes described in SHINE FSAR section 7.3.
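The series-contact power path and the actuation and priority logic (APL) quoted above from FSAR section 7.3.1.3.11 can be modelled and checked exhaustively against PICS Criterion 6. The Python model below is an added example, not SHINE's or the NRC's logic; the class and function names, the reduction of every signal to a boolean, and the latch that holds the safety contact open until an enabled PICS request arrives are assumptions. It covers only the first class of component (those that PICS also controls directly for production).

```python
from dataclasses import dataclass
from itertools import product


@dataclass
class SharedComponent:
    """Safety-related component that also has a nonsafety production function.

    Power reaches the component only through two contacts in series, so
    removing power at either one puts it in its safe state.
    """
    pics_relay_closed: bool = False      # nonsafety-related PICS control
    safety_contact_closed: bool = True   # TRPS/ESFAS contact in the power supply

    @property
    def energized(self) -> bool:
        return self.pics_relay_closed and self.safety_contact_closed


class ActuationPriorityLogic:
    """Assumed simplification of the APL: safety demand always wins."""

    def __init__(self, component: SharedComponent) -> None:
        self.component = component
        self.actuated = False  # assumed latch, set by a safety actuation

    def step(self, safety_demand: bool, enable_nonsafety: bool,
             pics_reposition_request: bool) -> str:
        # Highest priority: automatic or manual safety-related actuation.
        if safety_demand:
            self.actuated = True
            self.component.safety_contact_closed = False
            return "safety-actuation"
        # After an actuation, a PICS request is honoured only when the
        # enable nonsafety switch is in the enabled position.
        if self.actuated:
            if enable_nonsafety and pics_reposition_request:
                self.actuated = False
                self.component.safety_contact_closed = True
                return "repositioned"
            return "held-safe"
        return "normal"


def find_priority_violations() -> list:
    """Enumerate every PICS-side input and prior latch state with a safety
    demand present; return the cases in which the component stays energized."""
    violations = []
    for relay, enable, request, was_actuated in product([False, True], repeat=4):
        comp = SharedComponent(pics_relay_closed=relay,
                               safety_contact_closed=not was_actuated)
        apl = ActuationPriorityLogic(comp)
        apl.actuated = was_actuated
        apl.step(safety_demand=True, enable_nonsafety=enable,
                 pics_reposition_request=request)
        if comp.energized:
            violations.append((relay, enable, request, was_actuated))
    return violations


def walk_through() -> list:
    """Constructed operating sequence: (APL result, component energized)."""
    comp = SharedComponent()
    apl = ActuationPriorityLogic(comp)
    trace = []
    comp.pics_relay_closed = True  # production: PICS cycles power directly
    trace.append((apl.step(False, False, False), comp.energized))
    # Safety demand arrives while PICS still commands the component on.
    trace.append((apl.step(True, False, False), comp.energized))
    # Demand clears; PICS asks to reposition but the switch is not enabled.
    trace.append((apl.step(False, False, True), comp.energized))
    # Switch enabled: the PICS request is now honoured.
    trace.append((apl.step(False, True, True), comp.energized))
    # A new safety demand overrides the enabled switch and the PICS request.
    trace.append((apl.step(True, True, True), comp.energized))
    return trace


if __name__ == "__main__":
    print("violations:", find_priority_violations())
    for result, energized in walk_through():
        print(f"{result:17s} energized={energized}")
```

If the branches in `step()` are reordered so that the enabled PICS request is evaluated before the safety demand, `find_priority_violations()` returns counterexamples, which is the failure mode PICS Criterion 6 excludes.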

Effects of Control Failures in SHINE Safety Analysis Methodology

As stated in the SHINE FSAR and confirmed in the audit of PICS failure analysis described below, the SHINE safety analysis methodology uses process hazards analysis (PHA) methods appropriate to the system or process being analyzed, including HAZOPs, FMEAs, and What-If/Checklist, to identify the necessary inputs to the safety systems (i.e., TRPS and ESFAS) to identify potentially unsafe conditions. These PHA methods are generally focused on the consequences of process deviations and how those deviations can be detected independent of cause. Those variables that need to be monitored to detect process deviations that could lead to undue risk are the monitored variables in TRPS and ESFAS. Therefore, any unsafe conditions caused by PICS would be identified by the TRPS and ESFAS monitored variables and the appropriate safety actuation would be initiated. The FMEA for ESFAS and TRPS evaluates the interfaces with PICS for any direct impacts and ensures that no failures within the PICS system could directly impact the ability of TRPS or ESFAS to perform their functions.

SHINE also performed a PICS failure analysis to evaluate potential impacts of PICS failures (including a failure of cards and racks) on the ability of the safety-related control systems to detect unsafe conditions and perform the appropriate safety functions in TECRPT-2022-0033, Revision 0 Evaluation of Indirect Safety Impacts of Multiple PICS Failures. Potential impacts on controls listed in the SHINE Safety Analysis (SSA) Summary Report that are not implemented through the safety-related control systems were also evaluated by SHINE. The purpose was to demonstrate that PICS failures will not adversely impact the safety analysis in the SHINE facility as documented in SHINE FSAR Chapters 4 and 13. Where multiple PICS failures could potentially lead to a failure to detect unsafe conditions or perform the appropriate safety function, requirements for separation within the PICS system design have been developed.

The NRC staff evaluated the PICS failure assessment and associated requirements for separation within the PICS system. During the audit, the staff confirmed instances in which PICS design requirements were purposely defined, in part as a result of the failure assessment, to maintain the effects of potential PICS failures within the operating conditions and accident basis analyzed in the SHINE FSAR. The staff has reasonable assurance that potential PICS failure events will remain within the bounds of the safety assessment, assuming the final design implementation and testing of the PICS conforms to the PICS criteria and design attributes described in SHINE FSAR section 7.3 and TECRPT-2022-0033, Revision 0, Evaluation of Indirect Safety Impacts of Multiple PICS Failures.

7.4.3.2.2.5 Operational Bypass

SHINE FSAR chapter 3.1, Design Criteria, states that design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable FSAR chapter describing those SSCs. SHINE FSAR section 7.3.2.2.5 includes PICS Criterion 7.

PICS Criterion 7 - Bypasses of PICS interlocks, including provisions for testing, shall be under the direct control of a control room operator and shall be indicated on control room displays.

Sections 7.3 and 7.4 of NUREG 1537, Part 2 provide guidance related to operational bypass.

SHINE FSAR section 7.3.2.5 states that a control room operator can bypass nonsafety-related interlocks using the PICS workstation. The PICS workstation display will annunciate when an interlock is bypassed. In addition, as confirmed during the audit discussion of Topic 1 Bullet 4, PICS interlocks or permissives are not credited with performing any safety-related function in order to reduce the likelihood or consequences of an accident sequence.

The Design Criteria in section 7.3, Reactor Control System, of NUREG 1537, Part 2 specify that the control system should include interlocks to limit personnel hazards or prevent damage to systems during the full range of normal operations. SHINE FSAR section 7.3.1 identifies the PICS interlocks for each associated I&C system in the SHINE facility.

Based on a review of the interlock description against the criteria identified, the NRC staff agrees that the description of bypasses of PICS interlocks and associated provisions for control room indication are acceptable.

7.4.3.2.2.6 Surveillance

SHINE FSAR chapter 3.1, Design Criteria, states that design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable FSAR chapter describing those SSCs. SHINE FSAR section 7.3.2.2.6 includes PICS Criteria 8 and 9.

PICS Criterion 8 - Subsystems of and equipment in the PICS shall be designed to allow testing, calibration, and inspection to ensure functionality.

PICS Criterion 9 - Testing, calibration, and inspections of the PICS shall be sufficient to confirm that surveillance test and self-test features address failure detection, self-test capabilities, and actions taken upon failure detection.

The guidance in section 7.3 of NUREG 1537, Part 2 recommends application of the functional design and analyses to the development of bases of technical specifications, including surveillance tests and intervals. Additionally, ANSI/ANS 15.15 recommends the system design include capability for periodic checks, tests and calibrations. The standard also recommends that, if on-line periodic testing is necessary, such testing should not reduce the capability of the system to perform its safety function.

SHINE FSAR section 7.3.2.2.6 describes how the PICS meets these criteria. SHINE FSAR section 7.3.4.2 describes the testing and maintenance capabilities of the PICS. SHINE will test PICS during factory acceptance test (FAT) and post installation testing to demonstrate its functionality and demonstrate conformance of the system equipment to the design performance requirements, including requirements for testing.

Therefore, the NRC staff concludes that the PICS allows testing, calibration, and inspection to ensure functionality, and includes features for failure detection and self-test capabilities.

SHINE FSAR section 7.3.4.3 states that PICS is not in the SHINE TS because it does not perform safety-related controls and functions. Therefore, the staff did not evaluate testing or surveillance procedures as referenced in PICS criterion 9. The NRC staff confirmed that an SR is not warranted for the PICS because any failures would not prevent the safety systems (i.e., TRPS) from performing their safety functions.

Based on its review of the information provided, the NRC staff concludes the design of the PICS meets the design acceptance criteria in section 7.3 of NUREG-1537, Part 2 to include the capability for periodic checks, tests and calibrations to facilitate the performance of the required testing to ensure PICS operability without affecting its ability to perform its intended function.

Also, the staff concludes that the PICS testing provisions provide reasonable assurance of its continued reliable operation.

7.4.3.2.2.7 Conclusion of Evaluation of PICS Design Criteria

Based on the information reviewed, the NRC staff concludes that SHINE established the necessary design, fabrication, construction, testing, and performance requirements for the PICS to provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public.

7.4.3.3 PICS Design Basis

This section documents the NRC staff review and evaluation of the design basis of the PICS against the design bases acceptance criteria identified in sections 3.1 and 7.3 of NUREG 1537, Part 2. Further, section 50.34(a)(3)(ii) of 10 CFR requires the applicant to describe the design bases and the relation of the design bases to the principal design criteria and 10 CFR 50.34(b) requires updating the information to take into account any pertinent information developed since the submittal of the preliminary SAR.

SHINE FSAR sections 7.3.1 and 7.3.3 identify the design bases used for the PICS. The NRC staff reviewed and evaluated the PICS to verify that the impact of control system failures is appropriately included in the FSAR accident analyses.

SHINE FSAR tables 7.4-1 and 7.5-1 show that the sensors used for protective actions (for example, for the neutron flux detectors) can detect process parameter values at the same or over a larger range than required to safely operate the SHINE facility. These channels provide information to PICS, TRPS, and ESFAS to monitor the facility during normal, transient, and accident conditions.

7.4.3.3.1 Design Basis Functions

The PICS does not perform safety functions. The PICS is only used to assist operators in performing normal operations of the SHINE facility. Also, the PICS receives information from safety systems for operators to monitor process variables and system operation status. The PICS can be used for diverse actuations to the safety systems but is not credited in the SHINE FSAR chapters 7 or 13. In addition, SHINE FSAR section 7.4.2.2.6, Prioritization of Functions, contains a design criterion for prioritization and states: Priority is provided to automatic and manual safety-related actuation signals over nonsafety-related signals as described in Subsection 7.4.3.12.

7.4.3.3.2 Modes of Operation

SHINE FSAR section 7.3.1.1 describes the modes of operation and specific monitoring, control, and interlock functions of PICS in each mode of the irradiation unit systems, which includes SCAS, the neutron driver assembly system (NDAS), the TSV off-gas system (TOGS), the primary closed loop cooling system (PCLS), and the neutron flux detection system (NFDS).

SHINE FSAR figure 7.4-1, Sheet 8, shows the transition modes for the IU cell.

The PICS provides a signal to the TRPS, when manually initiated by the operator, to sequentially transition the TRPS from one mode to the next. To advance each mode of operation of the IU cell, the operator manually selects the next mode using PICS. The TRPS controls the transition for these modes by implementing the required mode-specific system interlocks and bypasses to ensure safe operation of the main production facility. Before an operator can manually transition to a different mode, all transition criteria conditions must be met. Note that when an IU cell safety signal is activated, the operation of the IU cell will automatically transition to Mode 3, independently of the operating mode. The PICS is installed in the facility control room, where conditions are designed to be as described in SHINE FSAR table 7.2-2.

7.4.3.3.3 System Operation

Through the main control board and operator workstations, the PICS is used to operate the SHINE facility. PICS functions include signal conditioning, system controls, interlocks, and monitoring of the process variables and system status. SHINE FSAR figure 7.3-1 depicts the PICS architecture.

The building automation system receives commands from the PICS to start and stop select control sequences and provides information to the PICS for monitoring.

The PICS also receives information for monitoring only from the following vendor-provided systems:

  • Supercell control system
  • Radioactive liquid waste immobilization

In addition, PICS monitors valve or damper position feedback as needed to perform control functions or implement interlocks and permissives. SHINE FSAR section 7.3.1 describes those components.

7.4.3.4 Conclusion

The NRC staff concludes that the design of the PICS is such that any single malfunction in its components would not prevent the TRPS and ESFAS from performing necessary functions, nor prevent achieving a safe shutdown condition of the facility and (based on the review documented above) that there is reasonable assurance the PICS conforms to its design criteria.

7.4.4 Target Solution Vessel Reactivity Protection System

The NRC staff evaluated the sufficiency of the SHINE facility TRPS, as described in SHINE FSAR section 7.4, Target Solution Vessel Reactivity Protection System, using the applicable guidance and acceptance criteria from section 7.4, Reactor Protection System, of NUREG-1537, Parts 1 and 2, and Chapter 7, Instrumentation and Control Systems, of the ISG augmenting NUREG-1537, Parts 1 and 2.

SHINE FSAR section 7.4, Target Solution Vessel Reactivity Protection System, describes the target solution vessel (TSV) reactivity protection system (TRPS). The NRC staff audited TECRPT-2019-0048, Revision 6, Target Solution Vessel Reactivity Protection System Design Description, to confirm the information in SHINE FSAR section 7.4. The TRPS is an instrumentation and control (I&C) system consisting of eight independent instances, each dedicated to one of the eight irradiation units (IUs) in the irradiation facility (IF). Section 7.4.2 of this SER evaluates the HIPS design for implementation of each TRPS.

The IU's operating cycle includes the following steps:

  • Prepared target solution is transferred to the target solution hold tank and then into the TSV.
  • The neutron driver is energized.
  • The subcritical assembly is operated at power for approximately 5.5 days.
  • The IU is shut down and the target solution heat is allowed to decay.
  • The target solution is transferred to the radioisotope production facility (RPF) for processing.

SHINE FSAR section 7.8, Neutron Flux Detection System, describes three independent sets of two neutron detectors and associated electronics as a system for each TRPS. Each NFDS division includes an ionization chamber detector and a Boron Trifluoride (BF3) detector pair. These detector types are primarily sensitive to thermal neutrons. The NRC staff evaluated the NFDS as part of the TRPS similar to the other sensor and instrumentation inputs to the TRPS. Therefore, all findings for the TRPS are applicable to the NFDS as appropriate.

Each TRPS does not have its own dedicated display; rather, all TRPS information (including sensor input values) is sent to the process integrated control system (PICS) for display purposes. All information provided by TRPS to PICS is provided through a transmit only communication mechanism.

7.4.4.1 System Description

SHINE FSAR section 7.4.1, System Description, identifies the safety functions of the TRPS system:

The TRPS monitors variables important to the safety functions of the irradiation process during each operating mode of the IU to perform one or more of the following safety functions:

  • IU Cell Safety Actuation
  • IU Cell Tritium Purification System (TPS) Actuation
  • Driver Dropout

The TRPS also performs the nonsafety defense-in-depth Fill Stop function.

SHINE FSAR section 7.8.1, System Description, describes the neutron flux system:

The NFDS is a three-division system with six detectors configured in three sets of two detectors (source range power/wide range), with each set positioned around the subcritical assembly support structure (SASS) at approximately 120-degree intervals to the TSV. Each division of the NFDS consists of watertight detectors located in the light water pool and an NFDS amplifier mounted in the radioisotope production facility (RPF) or irradiation facility (IF). The six watertight detectors are located in the light water pool and are supported using brackets attached to the outer shell of the SASS. These brackets serve to locate the flux detectors in a fixed location relative to the TSV, ensuring flux profiles are measured consistently such that the sensitivity in the source range reliably indicates the neutron flux levels through the entire range of filling with the target solution.

The signal from the NFDS detectors is transmitted to the NFDS amplifiers where signal conditioning is performed. Each NFDS amplifier provides an analog signal representative of neutron flux. The NFDS interfaces with the TRPS for monitoring and indication, which then transmits the flux values to the PICS. The NFDS provides continuous indication of the neutron flux during operation, from filling through maximum power during irradiation. To cover the entire range of neutron flux levels, there are three different ranges provided from the NFDS: source range, wide range, and power range. One set of three independent NFDS detectors is used for the source range input into the TRPS (i.e., measures low flux levels common to what would be expected during the filling of the IU cell prior to irradiation of the target solution). The other set of three independent detectors provides the input for the power range and wide range measurements. Each independent detector provides analog input signals to an independent division of TRPS.

7.4.4.2 Design Criteria

Section 50.34(a)(3)(i) of 10 CFR requires that a PSAR include: The principal design criteria for the facility. The principal design criteria for a facility establish the engineering design criteria that provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public. Once the principal design criteria for a facility are established, the remainder of the SAR includes an explanation of how the principal design criteria for a facility are achieved (in addition to how other regulatory requirements are achieved).

SHINE FSAR section 1.3.3.1, Principal Design Criteria, states:

Principal design criteria for the facility are described in Section 3.1.

SHINE FSAR section 3.1, Design Criteria, states:

Structures, systems, and components (SSCs) present in the SHINE facility are identified in Tables 3.1-1 and 3.1-2, including the applicable FSAR section(s) which describe each SSC and the applicable SHINE design criteria. Design criteria derived from external codes, guides, and standards specific to the design, construction, or inspection of SSCs are included in the applicable FSAR section describing those SSCs. For each SSC, the FSAR section identifies location, function, modes of operation, and type of actuation for specific SSCs, as applicable.

SHINE FSAR section 3.1, SHINE Design Criteria, states:

The SHINE facility uses design criteria to ensure that the SSCs within the facility demonstrate adequate protection against the hazards present. The design criteria are selected to cover:

  • The complete range of irradiation facility and radioisotope production facility operating conditions.
  • The response of SSCs to anticipated transients and potential accidents.
  • Design features for safety-related SSCs including redundancy, environmental qualification, and seismic qualification
  • Inspection, testing, and maintenance of safety-related SSCs.
  • Design features to prevent or mitigate the consequences of fires, explosions, and other manmade or natural conditions.
  • Quality standards.
  • Analyses and design for meteorological, hydrological, and seismic effects.
  • The bases for technical specifications necessary to ensure the availability and operability of required SSCs.

The SHINE design criteria are described in Table 3.1-3.

The facility, as a whole, should meet the principal design criteria of the facility, and individual SSCs only support the facility's ability to achieve the principal design criteria of the facility. This section of the SER documents the NRC staff's review and evaluation of the proposed TRPS system design to perform its safety functions based on the appropriate design criteria to satisfy the 10 CFR 50.34(b) requirements. The staff's evaluation of the design of the proposed TRPS is based on acceptance criteria in section 7.4 of NUREG-1537, including acceptance criteria from the guidance and industry standards referenced by NUREG-1537, as listed in section 7.2 of this SER.

7.4.4.2.1 SHINE Facility Design Criteria

Generally, the SHINE Design Criteria are applicable to more than one system, and the determination of whether the SHINE facility as a whole meets the SHINE Design Criteria consists of two parts: (1) whether each individual system meets the applicable parts of the SHINE Design Criteria, and (2) whether the individual systems together ensure the facility as a whole meets the SHINE Design Criteria.

SHINE FSAR table 3.1-1, Safety-related Structures, Systems, and Components, and section 7.4.2.1, SHINE Facility Design Criteria, state that SHINE Design Criteria 13 through 19, 38, and 39 apply to the TRPS. Each of these SHINE Design Criteria is addressed in a separate subsection below that includes an evaluation of the TRPS against the applicable criterion, to the extent the TRPS supports the ability of the overall facility to demonstrate adequate protection against the hazards present.

SHINE FSAR table 3.1-1, Note 2, states that the SHINE Design Criteria 1-8 from FSAR table 3.1-3 are not specifically listed even though they are generally applicable to most SSCs.

SHINE FSAR section 7.4.2.1, SHINE Facility Design Criteria, states:

The generally-applicable SHINE facility design criteria 1 through 6 apply to the TRPS. The TRPS is designed, fabricated, and erected to quality standards commensurate to the safety functions to be performed; will perform these safety functions during external events; will perform these safety functions within the environmental conditions associated with normal operation, maintenance, and testing; does not share components between irradiation units; and is able to be manually initiated from the facility control room. These elements of the TRPS design contribute to satisfying SHINE facility design criteria 1 through 6.

Quality Standards and Records

NUREG-1537, Part 1, section 7.2.1, Design Criteria, states:

All systems and components of the I&C systems should be designed, constructed, and tested to quality standards commensurate with the safety importance of the functions to be performed. Where generally recognized codes and standards are used, they should be named and evaluated for applicability, adequacy, and sufficiency. They should be supplemented or modified as needed in keeping with the safety importance of the function to be performed. Evaluations and modifications of the standards should be described in the SAR.

Consistent with this NUREG-1537 guidance, the SHINE FSAR includes SHINE Design Criterion 1 and states that it is applicable to the TRPS.

SHINE Design Criterion 1 - Quality standards and records

Safety-related structures, systems, and components (SSCs) are designed, fabricated, erected, and tested to quality standards commensurate with the safety functions to be performed. Where generally recognized codes and standards are used, they are identified and evaluated to determine their applicability, adequacy, and sufficiency and are supplemented or modified as necessary to ensure a quality product in keeping with the required safety function.

A quality assurance program is established and implemented in order to provide adequate assurance that these SSCs satisfactorily perform their safety functions.

Appropriate records of the design, fabrication, erection and testing of safety-related SSCs are maintained by or under the control of SHINE throughout the life of the facility.

SHINE FSAR section 7.4.2.2.2, Software Requirements Development, states:

The developmental process for creating the safety-related TRPS has been delegated to SHINE's safety-related control system vendor (Subsection 7.4.5.3.1), including any modifications to the system logic after initial development (Subsection 7.4.5.4). SHINE is responsible for providing oversight of the vendor, verifying deliverables are developed in accordance with approved quality and procurement documents, and maintaining the vendor as an approved supplier on the SHINE approved supplier list (Subsection 7.4.5.4.1).

The adequacy of the SHINE quality assurance program is reviewed and found acceptable in chapter 12, Conduct of Operations, of this SER. Inspections of records of the TRPS will evaluate whether this program was adequately applied to the fabrication, erection and testing of the TRPS equipment.

Natural Phenomena Hazards

NUREG-1537 Part 1 section 7.2.1, Design Criteria, states:

Systems and components (including I&C systems) determined by the analyses in the SAR to be important to the safe operation should be able to withstand the effects of natural phenomena without loss of capability to perform their safety function.

Consistent with this NUREG-1537 guidance, the FSAR includes SHINE Design Criterion 2 and states that it is applicable to the TRPS.

SHINE Design Criterion 2 - Natural phenomena hazards

The facility structure supports and protects safety-related SSCs and is designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches as necessary to prevent the loss of capability of safety-related SSCs to perform their safety functions.

Safety-related SSCs are designed to withstand the effects of earthquakes without loss of capability to perform their safety functions.

The evaluation of the TRPS against the effects of some natural phenomena is documented in section 7.4.3.6, Seismic, Tornado, Flood, below. SHINE FSAR section 8a2.1.4, Grounding and Lightning Protections, addresses protections from lightning. Additionally, FSAR section 7.4.2.1.4, Protection System Independence, and section 7.4.2.2.11, Equipment Qualification, address protection from earthquakes, tornados, lightning, and floods. Chapter 3 of this SER evaluates effects of natural phenomena. The NRC staff finds that the safety-related TRPS meets SHINE Design Criterion 2.

Fire Protection

NUREG-1537 Part 1 section 7.2.1, Design Criteria, states:

I&C systems and components determined in the SAR analyses to be important to the safe operation should be designed, located, and protected so that the effects of fires or explosions would not prevent them from performing their safety functions.

Consistent with this NUREG-1537 guidance, the FSAR includes SHINE Design Criterion 3 and states that it is applicable to the TRPS.

SHINE Design Criterion 3 - Fire protection

Safety-related SSCs are designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions.

Noncombustible and heat resistant materials are used wherever practical throughout the facility, particularly in locations such as confinement boundaries and the control room.

Fire detection and suppression systems of appropriate capacity and capability are provided and designed to minimize the adverse effects of fires on safety-related SSCs. Firefighting systems are designed to ensure that their rupture or inadvertent operation does not significantly impair the safety capability of these SSCs.

The evaluation of the TRPS against this criterion is based on the information provided in SHINE FSAR section 7.4.3.9, Fire Protection. Additional information can be found in SHINE FSAR section 9a2.3, Fire Protections Systems and Programs.

SHINE FSAR section 7.4.3.9 describes that the TRPS design uses physical separation to minimize the effects from fire and that equipment for different divisions is located in separate fire areas when practical. The obvious exceptions include components for all three divisions located in the facility control room, in an individual IU or in TOGS cells, and in other locations where end devices are installed.

The NRC staff examined these descriptions and finds that the combination of physical separation and the fire protection program provides reasonable assurance that this design criterion is met for the TRPS.

Environmental and Dynamic Effects

NUREG-1537, Part 1, section 7.2.1, Design Criteria, states:

I&C systems and components determined in the SAR to be important to the safe operation should be designed to function reliably under anticipated environmental conditions (e.g., temperature, pressure, humidity, and corrosive atmospheres) for the full range of reactor operation, during maintenance, while testing, and under postulated accident conditions, if the systems and components are assumed to function in the accident analysis.

As described above, the FSAR includes SHINE Design Criterion 4 and states that it is applicable to the TRPS.

SHINE Design Criterion 4 - Environmental and dynamic effects

Safety-related SSCs are designed to perform their functions with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents. These SSCs are appropriately protected against dynamic effects and from external events and conditions outside the facility.

The SHINE FSAR sections 7.4.2.1.4, Protection System Independence, and 7.4.2.2.11, Equipment Qualification, are further evaluated in section 7.4.4.2.1, Protection System Independence, of this SER. Therefore, the NRC staff finds that the TRPS design meets SHINE design criterion 4.

Sharing of Structures, Systems, and Components

As described above, the FSAR states that SHINE Design Criterion 5 is applicable to the TRPS.

SHINE Design Criterion 5 - Sharing of structures, systems, and components

Safety-related SSCs are not shared between irradiation units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions.

Each IU contains an independent TRPS that is not shared. All IUs share the ESFAS for mitigation of potential accident consequences and have a common control room. There are three separate TPS trains that are shared with certain sets of irradiation units. The FSAR does not provide a specific evaluation that sharing does not significantly impair the TPS's ability to perform its safety functions; however, the NRC staff used engineering judgment and finds that the sharing of I&C related systems would not significantly impair the ability to perform the associated safety functions.

Control Room

As described above, the FSAR states that SHINE Design Criterion 6 is applicable to the TRPS.

SHINE Design Criterion 6 - Control room

A control room is provided from which actions can be taken to operate the irradiation units safely under normal conditions and to perform required operator actions under postulated accident conditions.

SHINE FSAR section 7.6, Control Console and Display instruments, describes the SHINE facility control room. HIPS equipment of the TRPS is in the control room. The adequacy of specific controls and displays is evaluated in section 7.4.6 of this SER. The adequacy of the control room is evaluated in chapter 13, Accident Analysis, of this SER.

Instrumentation and Controls

NUREG-1537 Part 1 section 7.2.2, Design-Basis Requirements, states:

Design bases for the I&C system, subsystems, and components should include ... The range of values that monitored variables may exhibit for normal operation, shutdown conditions, and for postulated accidents.

NUREG-1537, Part 2, section 7.4, Reactor Protection System, states, [t]he range of operation of sensor (detector) channels should be sufficient to cover the expected range of variation of the monitored variable during normal and transient ... reactor operation.

SHINE FSAR section 7.4.2.1.1, Instrumentation and Controls, states:

SHINE Design Criterion 13 - Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated transients, and for postulated accidents as appropriate to ensure adequate safety, including those variables and systems that can affect the fission process, the integrity of the primary system boundary, the primary confinement and its associated systems, and the process confinement boundary and its associated systems. Appropriate controls are provided to maintain these variables and systems within prescribed operating range.

SHINE Design Criterion 13 is applicable to operator displays and controls including PICS, as the first means of defense in maintaining process variables and systems within prescribed operating range. The second barrier against postulated accidents is the automatic protective systems that actuate controls during an accident condition or inadvertent operation. SHINE Design Criterion 14 also provides additional design criteria for protective functions. Finally, as part of post-protective-action accident mitigation, the operator must be able to determine facility and process parameter states or statuses (e.g., post-accident monitoring). In addition, some of the indications (of facility parameter values) to the operator are based solely on TRPS related monitored variables. Therefore, SHINE Design Criterion 13 applies to the TRPS monitored variable sensor ranges.

SHINE FSAR section 7.4.2.1.1, Instrumentation and Controls, states:

The TRPS monitored variables for performance of design basis functions are presented in Table 7.4-1 and include the instrument range for covering normal and accident conditions...

SHINE FSAR table 7.4-1, TRPS Monitored Variables, identifies the instrument range for each monitored variable; FSAR section 7.4.4.1, Monitored Variables and Response, states:

Table 7.4-1 identifies specific variables that provide input into the TRPS and includes the instrument range for covering normal and accident conditions.

In response to RAI 7-13, the applicant states that each division of the TRPS transmits monitoring and indication information to the PICS. The following information from the TRPS is displayed in the facility control room (FCR):

  • Mode and Fault status for each HIPS module
  • Status and value of the monitored variables identified in SHINE FSAR table 7.4-1
  • Trip/Bypass switch status
  • Divisional partial trip determination status
  • Divisional full trip determination status
  • TRPS IU cell operational mode status
  • Actuation output and fault status
  • Actuated component position feedback status

The TRPS monitoring and indication information is available to the operators in the FCR at the PICS operator workstations. A subset of the TRPS monitoring and indication information is displayed at the main control board in the FCR near the manual control switches for actuating TRPS safety functions. The TRPS provides redundant outputs to the PICS. The PICS receives the outputs from the TRPS onto a fault-tolerant server comprised of internal redundant physical servers. The use of redundant outputs from the TRPS to redundant internal physical servers on the PICS ensures that a failure would not prevent the operator from obtaining or resolving conflicting information. By displaying TRPS monitoring and indication information at multiple locations in the FCR, including near manual controls for actuating TRPS equipment, the design ensures the operator has sufficient information to operate the facility and take manual operator action, as necessary.

SHINE FSAR section 7.4.5.2.4 provides a description of the information available to the operators in the FCR. SHINE FSAR section 7.4.4.1, Monitored Variables and Response, provides a discussion of the TRPS response to each monitored variable (signal input) and SHINE FSAR table 7.4-1 provides the instrument range, accuracy, response time, and a specified analytical limit. The staff did not review specific design information or performance data for the sensors/instruments listed in table 7.4-1, and therefore did not specifically confirm the validity of performance parameters assigned to each instrument. SHINE will test and qualify the instrumentation in accordance with Technical Specifications and SHINE FSAR section 12.11.2.

Based on the information provided, the NRC staff has reasonable assurance that the variables listed in the FSAR are used to measure, display, and initiate defined protective actuations of the applicable TRPS functions. The adequacy of PICS, consoles, and displays in meeting Criterion 13 is addressed in sections 7.4.3 and 7.4.6 of this SER.

Protection System Functions

The design bases (defined in 10 CFR 50.2) predominately include the specific functions to be performed (by SSCs) and the specific values or ranges of values chosen for controlling parameters as reference bounds for design. 10 CFR 50.34(a)(3)(ii) requires that a PSAR include: The design bases and the relation of the design bases to the principal design criteria.

NUREG-1537, Part 1, section 3.1, Design Criteria, states: general design criteria should include ... Design to cope with anticipated transients and potential accidents, including those discussed in Chapter 13, Accident Analyses, of the SAR.

NUREG-1537, Part 1, section 7.2.1, Design Criteria, states:

The RPS should be designed to automatically initiate the operation of systems or give clear warning to the operator to ensure that specified reactor design limits are not exceeded as a result of measured parameters indicating the onset of potential abnormal conditions.

NUREG-1537, Part 2, section 7.4, Reactor Protection System, states, in part, that the safety analysis report (SAR) should describe the protection system, listing the protective functions performed by the [protection system], and the parameters monitored to detect the need for protective action.

SHINE FSAR section 7.4.2.1.2, Protection System Functions, describes how the TRPS meets SHINE Design Criterion 14, which is:

SHINE Design Criterion 14 - The protection systems are designed to: (1) initiate, automatically, the operation of appropriate systems to ensure that specified acceptable target solution design limits are not exceeded as a result of anticipated transients; and (2) sense accident conditions and to initiate the operation of safety-related systems and components.

SHINE FSAR section 7.4.2.1.2, Protection System Functions, contains the criteria for the protection system functions to address two types of events: (1) anticipated transients, and (2) accidents. SHINE FSAR section 7.4.2.1.2, Protection System Functions, further states:

There are no anticipated transients that would result in target solution design limits being exceeded.

SHINE applies a tailored, risk-based methodology similar to the guidance described in NUREG-1520, Standard Review Plan for Fuel Cycle Facilities License Applications, in the development of the detailed accident analysis. Design basis accidents (DBAs) were identified as credible accident scenarios that range from anticipated events, such as a loss of electrical power, to events that are still credible, but considered unlikely to occur during the lifetime of the plant. The maximum hypothetical accident (MHA) is defined as a fission product-based release that bounds the radiological consequences for all credible fission product-based accident scenarios at the SHINE facility. Section 7.4.4.1 of the SHINE FSAR describes TRPS monitored variables and protective actions against events and references the protective actions to specific scenarios in SHINE FSAR Chapter 13. For selected scenarios, SHINE FSAR Chapter 13 further provides references to SHINE FSAR Chapter 4 power and pressure transient analysis that support the accident scenarios. Portions of the SHINE FSAR do not always clearly distinguish between design basis accidents and anticipated transients. For example, SHINE FSAR section 1.2.4, Potential Accidents at the Facility, states:

Potential design basis accidents (DBAs) at the SHINE facility were identified by the application of hazard analysis methodologies to evaluate the design of the facility and processes for potential hazards, initiating events (IEs), scenarios, and associated controls. As described in Chapter 13, these methodologies were applied to both the IF and the RPF. The list of accident categories and IEs that were the basis for the identification of potential DBAs are described in Chapter 13. The following accident categories and IEs are addressed for the SHINE facility.

Given the approach taken in the SHINE FSAR, the NRC staff could not independently identify and distinguish a set of anticipated transients apart from design basis accidents as described in SHINE FSAR section 7.4.2.1.2 with respect to the specific accident-initiating events and scenarios described in SHINE FSAR Chapter 13. However, the SHINE FSAR explicitly identifies the safety functions of the TRPS (see section 7.4.1 above) and the safety analyses credit these functions in demonstrating reasonable assurance of adequate safety for normal operations and accident-initiating events. The adequacy of the safety analyses is addressed in chapters 5, 6, and 13 of this SER. The staff therefore reviewed SHINE FSAR chapters 4, 5, and 13 to identify the TRPS functions credited by these chapters, regardless of their treatment as either a potential transient or accident in the context of SHINE Design Criterion 14. The staff concluded that SHINE FSAR section 7.4.3.1, Safety Functions, includes the TRPS functions credited in these SHINE FSAR chapters, and that FSAR section 7.4 references the SHINE FSAR Chapter 13 analyses where these functions are credited. Based on this evaluation, the staff concludes that section 7.4 describes the TRPS safety functions explicitly credited in SHINE FSAR Chapters 4, 5, and 13; therefore, the staff finds that SHINE FSAR section 7.4 includes the appropriate safety functions to meet the applicable principal design criteria of the facility to cope with the scenarios and pressure and power transients described in SHINE FSAR Chapter 13.

SHINE FSAR section 7.4.2.1.2, Protection System Functions, identifies the target solution design limits as being in SHINE FSAR table 4a2.2-2. Furthermore, this SHINE FSAR section references SHINE FSAR section 7.4.4.1, Monitored Variables and Response, which has a subsection for each monitored variable, and each of these subsections identifies the specific SHINE FSAR chapter 13 scenarios addressed by each monitored variable. SHINE FSAR Chapter 4 also describes the analysis of events for which TRPS initiates protective actions, but only SHINE FSAR chapter 13 events/scenarios are identified in SHINE FSAR section 7.4.4.1.

The NRC staff traced the references in FSAR chapter 7 to chapter 13 scenarios, and subsequently to Chapter 4 to the extent practical for selected events.

SHINE FSAR Chapter 4, table 4a2.2-2, Target Solution Operating Limits, identifies certain acceptable target solution design limits, and includes temperature and power density, which can be protected by TRPS. In addition, the TSs contain LCOs for certain acceptable target solution design limits:

  • LCO 3.1.3 Limits the minimal volume in the TSV (relates to power density)
  • LCO 3.8.4 Limits the uranium concentration

SHINE TSs, in LCO 3.1.6, establish the power density limit on the irradiated solution, which is effectively achieved by controlling power (i.e., controlling tritium). SHINE FSAR section 13a2.1.2.2, Scenario 4, High Power Due to High Neutron Production and High Reactivity at Cold Conditions, states that a high reactivity and power event can occur due to excess tritium injection into the NDAS during cold conditions and that this can occur as a result of a tritium purification system (TPS) control system or component failure during startup that injects excess tritium before the TSV is at operating temperature, and that the TRPS initiates an IU shutdown on high wide range neutron flux. The IU Cell Safety Actuation initiated by the High Wide Range Neutron Flux described in SHINE FSAR section 7.4.4.1.4, High Wide Range Neutron Flux, is well below the transient average power density described in LCO 3.1.7 but is above the average power density limit of LCO 3.1.6 for much of the operating range.

The maximum temperature limit is protected, in part, by actuations initiated by High Time-Averaged Neutron Flux, High PCLS Temperature, and Low PCLS Flow.

NUREG-1537 Part 1 section 7.2.2, Design-Basis Requirements, states:

Design bases for the I&C system, subsystems, and components should include The function or purpose of systems or instruments considering which reactor parameters are monitored or controlled.

SHINE FSAR section 7.4.3.1 describes the TRPS safety functions relied upon for specific accident scenarios. The NRC staff confirmed that credited protection system functions in chapters 4 and 13 were described in Chapter 7. The adequacy of these safety functions in mitigating or preventing the accident-initiating events and scenarios is evaluated in chapters 4 and 13 of this SER (e.g., component actuations for confinement and criticality safety and physical effects). Based on review of these FSAR chapters and the TRPS logic diagrams depicted in SHINE FSAR figure 7.4-1, the NRC staff finds that the TRPS is reasonably designed to perform the safety functions credited by the SHINE safety analysis in chapter 13. Therefore, the NRC staff finds that the TRPS design satisfies SHINE Design Criterion 14 for anticipated transients and accident conditions.

Protection System Reliability and Testability

NUREG-1537, Part 2, section 7.4, states, in part, that the protection system should be designed to perform its safety function after a single failure and to meet requirements for redundancy and independence.

SHINE FSAR section 7.4.2.1.3, Protection System Reliability and Testability, states that the TRPS meets SHINE Design Criterion 15:

SHINE Design Criterion 15 - The protection systems are designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection systems are sufficient to ensure that: (1) no single failure results in loss of the protection function, and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection systems are designed to permit periodic testing, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

The inputs to the TRPS listed in SHINE FSAR table 7.4.4.1, TRPS Monitored Variables, have associated actuation logic of 2-out-of-3, 1-out-of-2, and 1-out-of-1. The HIPS equipment provides two modes in which an instrument channel can be removed from service: (1) it can be placed in trip, or (2) it can be placed in bypass (i.e., not tripped). If a channel in 2-out-of-3 logic is placed in trip, the logic becomes 1-out-of-2 and does not result in loss of the required minimum redundancy; however, if it is placed in bypass, it does result in loss of the required minimum redundancy.

SHINE FSAR section 7.4.2.1.3, Protection System Reliability and Testability, states that the maintenance bypass function allows an individual safety function module to be removed from service for required testing without loss of redundancy and references SHINE FSAR section 7.4.4.3, which states only that the redundant channels are not affected. Effectively, SHINE FSAR section 7.4.4.3 states that the independence aspect of SHINE Design Criterion 15 is satisfied. The NRC staff finds that with one channel in maintenance bypass, the TRPS cannot continue to perform its safety functions in the presence of certain single failures in the remaining two channels for certain events. SHINE Design Criterion 15 states that loss of the required minimum redundancy is not acceptable unless the acceptable reliability of operation of the protection system can be otherwise demonstrated.

The staff has reasonable assurance that the reliability of the HIPS equipment is acceptable, as described in section 7.2 of HIPS, with respect to protecting against a temporary (two hours allowed by TS) reduction of minimum redundancy, given the low likelihood of a single failure of a channel concurrent with an accident event and another channel in bypass, and the large safety margins described in Chapter 13 of this SER.
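The effect of taking one channel of 2-out-of-3 logic out of service in trip versus in bypass can be checked by enumerating single failures. The Python sketch below is an added illustration, not SHINE's or the HIPS vendor's logic. It assumes a channel in trip casts a fixed trip vote, a channel in bypass casts a fixed not-tripped vote, and the postulated single failure is a channel that fails to trip on a real demand; all function names are hypothetical.

```python
"""Single-failure check for coincidence (k-out-of-n) trip logic.

Added illustration only. Assumed model: each channel casts one vote;
a channel in TRIP always votes "trip", a channel in BYPASS always votes
"not tripped", and a failed channel never votes "trip".
"""

NORMAL, TRIP, BYPASS = "normal", "trip", "bypass"


def channel_vote(demand, mode, failed):
    """Return the vote one channel presents to the voting logic."""
    if mode == TRIP:
        return True          # removed from service in trip: vote forced on
    if mode == BYPASS:
        return False         # removed from service in bypass: vote forced off
    if failed:
        return False         # postulated single failure: fails to trip
    return demand            # healthy channel follows the process demand


def actuates(demand, modes, failed=(), required=2):
    """True if at least `required` channels vote to trip."""
    votes = [channel_vote(demand, m, i in failed) for i, m in enumerate(modes)]
    return sum(votes) >= required


def effective_logic(modes, required=2):
    """Return (k, n): trip votes still needed from the n in-service channels."""
    forced_trips = sum(m == TRIP for m in modes)
    in_service = sum(m == NORMAL for m in modes)
    return max(required - forced_trips, 0), in_service


def single_failure_results(modes, required=2):
    """Map each in-service channel index to whether a real demand still
    actuates when that one channel fails to trip."""
    return {
        i: actuates(True, modes, failed=(i,), required=required)
        for i, m in enumerate(modes)
        if m == NORMAL
    }


def tolerates_single_failure(modes, required=2):
    """True if no single fail-to-trip defeats the protective function."""
    return all(single_failure_results(modes, required).values())


# Constructed configurations for one 2-out-of-3 trip function.
CONFIGURATIONS = {
    "all channels in service": (NORMAL, NORMAL, NORMAL),
    "channel A in trip": (TRIP, NORMAL, NORMAL),
    "channel A in bypass": (BYPASS, NORMAL, NORMAL),
}


def summarize(required=2):
    """Return one row per configuration: (name, k, n, tolerant)."""
    rows = []
    for name, modes in CONFIGURATIONS.items():
        k, n = effective_logic(modes, required)
        rows.append((name, k, n, tolerates_single_failure(modes, required)))
    return rows


if __name__ == "__main__":
    for name, k, n, ok in summarize():
        verdict = "tolerates" if ok else "does NOT tolerate"
        print(f"{name:26s} -> {k}-out-of-{n}, {verdict} a single fail-to-trip")
```

In the bypass configuration the function still actuates while both remaining channels are healthy, but a fail-to-trip in either one defeats it, which is the reduction of minimum redundancy the evaluation above addresses.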

Protection System Independence

NUREG-1537 Part 1 section 7.2.1, Design Criteria, states:

I&C systems should be designed so that a single failure will not prevent the safe shutdown of the reactor.

Generally, the single failure criterion is met by having redundant and independent equipment.

SHINE Design Criterion 16 addresses the independence of the redundant portion of the TRPS.

SHINE Design Criterion 16 - The protection systems are designed to ensure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels, do not result in loss of the protection function or are demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation are used to the extent practical to prevent loss of the protection function.

SHINE Design Criterion 16 addresses two different aspects of protection system independence (i.e., effects & diversity - see associated subsections below). The criteria are meant to address a particular source of CCF. FSAR section 7.4.2.1.4, Protection System Independence, provides information related to this design criterion. Section 7.2.1.4, Equipment Qualification, of this SER includes additional evaluation applicable to this criterion.

The evaluation of the TRPS against the effects of natural phenomena is documented in section 7.4.3.6, Seismic, Tornado, Flood, of this SER. The TRPS equipment is located in the control room, which is a mild environment (i.e., not subject to extreme conditions due to accident conditions). SHINE FSAR section 8a2.1.4, Grounding and Lightning Protections, addresses protection from lightning.

SHINE FSAR sections 7.4.2.1.5, Protection System Failure Modes, and 7.4.3.5, Operating Conditions, state that the TRPS equipment is qualified in the environments in which it is required to operate.

SHINE FSAR section 7.4.2.2.11, Equipment Qualification, addresses the effects of EMI/RFI and power surges, which is evaluated in section 7.4.2.2.11, Equipment Qualification, below.

SHINE FSAR section 7.4.5.2.1 states:

The TRPS control and logic functions operate inside of the facility control room, where the environment is mild, not exposed to the irradiation process, and is protected from earthquakes, tornadoes, and floods (Subsections 7.4.3.5 and 7.4.3.6). The TRPS structures, systems, and components that comprise a division are physically separated to retain the capability of performing the required safety functions during a design basis accident. This division independence is maintained throughout the design, extending from the sensor to the devices actuating the protective function (Subsection 7.4.5.2.1).

Based on a review of the SHINE FSAR Chapters described above, the NRC staff concludes the TRPS design meets the first design attribute of SHINE Design Criterion 16 that protection systems are designed to ensure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels, do not result in loss of the protection function or are demonstrated to be acceptable on some other defined basis.

SHINE FSAR section 7.4.5.2.1 states:

Functional diversity and diversity in component design are used to prevent loss of the protection function. Functional diversity is discussed in Subsection 7.4.5.2.5.

Field programmable gate arrays (FPGAs) in each division are of a different physical architecture to prevent common cause failure (CCF) (Subsection 7.4.5.2.4).

SHINE FSAR section 7.4.5.2.5 further describes how the functional allocation of different process parameters on different SFMs and diversity in component design are used to prevent loss of the protection function. The NRC staff notes that functional diversity is commonly defined as the ability to protect against the same event by monitoring two different parameters to initiate protective actions. This is different than the allocation of functions to different SFMs. While some TRPS monitored variables can protect against the same event or scenario, the SHINE FSAR and associated RAI response did not credit or evaluate how this type of functional diversity is achieved in the SHINE design. Therefore, the staff determined that the SHINE FSAR does not demonstrate the existence of functional diversity for all events.

SHINE FSAR section 7.4.5.2.1, Independence, states that the HIPS design incorporates the independence principles outlined in section 4.0 of HIPS TR. Section 4.2, Safety Function Module, of the HIPS TR states that each SFM, which is a TRPS channel, is dedicated to implementing a safety function or function group which results in the gate level implementation of each safety function being different than the other safety functions. However, the implementation of TRPS with HIPS deviates from the HIPS TR because there are many functions on each SFM. Therefore, while the allocation provides some diversity, it does not provide complete functional diversity as previously credited in the HIPS TR.

SHINE FSAR sections 7.4.2.1.4, Protection System Independence, and 7.4.5.2.4 state that field programmable gate arrays (FPGAs) in each division are of a different FPGA architecture (static random access memory, flash, or one-time programmable), which is consistent with the diversity in component design and principles of operation of this design criterion. The only difference in component design identified is the use of different FPGAs, and possibly different tools associated with each FPGA; therefore, this design protects against CCFs that are a result of systematic errors in a particular FPGA type (or tool, if different tools are used).

The NRC staff also audited the D3 assessment in TECRPT-2019-0041 of the TRPS and ESFAS to identify potential vulnerabilities to digital-based CCFs. The staff confirmed the information in the FSAR and concludes there is reasonable assurance that the TRPS and ESFAS designs have adequate diversity that is commensurate with the potential consequences and large safety margins described in chapter 13 of this SER (also see section 7.4.2.2.4 of this SER).

The NRC staff evaluated the overall diversity strategy and finds the TRPS contains sufficient attributes that are commensurate with the low likelihood of potential CCFs of safety functions concurrent with the design basis scenarios and events in Chapters 4 and 13, and the potential consequence and large safety margins described in chapter 13 of this SER.

Protection System Failure Modes

NUREG-1537 Part 1 section 7.2.1, Design Criteria, states:

I&C systems should be designed to fail into a safe state on loss of electrical power or exposure to extreme adverse environments.

Consistent with this guidance, the FSAR includes SHINE Design Criterion 17 and states that it is applicable to the TRPS.

SHINE Design Criterion 17 - The protection systems are designed to fail into a safe state if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments are experienced.

TS LCO 3.2.1 states that each division of the TRPS has two 5V power supplies. TS Bases for LCO 3.6.1 states that the 24V power supplies for the TRPS and ESFAS cabinets are also within the scope of LCO 3.6.1 for the UPSS distribution system. The power for the actuated components originates from other sources, but can be controlled (i.e., removed) from the TRPS.

SHINE FSAR section 7.4.3.8, Loss of External Power, states that on a loss of power to the TRPS, the TRPS deenergizes actuation components and that controlled components associated with safety actuations are designed to go to their safe state when deenergized.

SHINE FSAR sections 7.4.2.1.5, Protection System Failure Modes, and 7.4.3.5, Operating Conditions, state that the TRPS equipment is qualified in the environments in which it is required to operate.

Based on the information provided in these FSAR sections, the NRC staff concludes that the TRPS meets SHINE Design Criterion 17.

Separation of Protection and Control Systems

SHINE Design Criterion 18 addresses the separation of protection and control for the TRPS.

SHINE Design Criterion 18 - The protection system is separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems is limited to assure that safety is not significantly impaired.

Generally, facilities that are designed to meet the single failure criterion (as the SHINE Design Criteria require) are required to protect against certain initiating events concurrent with a single failure (and all associated cascading failures) in the protection system. When the design of the facility has a control system and a separate and independent protection system that meets the single failure criterion, then the facility can withstand failure of the control system that causes an initiating event that is assumed as a design basis accident, and then subsequent failure of the protection system.

When the control system and the protection system share components in a 2-out-of-3 trip system, then measures are appropriate to provide separation of protection and control as provided in SHINE Design Criterion 18. The redundancy and independence requirements stated in SHINE Design Criterion 15 and referred to in SHINE Design Criterion 18 are equivalent to requiring that a system meet the single failure criterion. In a 2-out-of-3 system, a failure of a shared component would result in a 2-out-of-2 system, which can protect against the event (i.e., the failure that has occurred), but not in the presence of a single failure in the protection system as provided in SHINE Criterion 18.

A facility that has three sensors that are shared between the protection and control systems, and where the protection system uses 2-out-of-3 logic, cannot meet the criteria as stated in SHINE Design Criterion 18, but it can be safe by protecting against the two failures of concern by using other means besides redundancy. The response to RAI 7-9(c) (ML21272A343) stated that SHINE FSAR section 7.4.2.1.6 was revised to enhance the description of how TRPS meets this criterion. The revised section states there is no shared equipment. Since there is no shared equipment or sensors among the protection and control systems, the NRC I&C technical review staff conclude that the SHINE facility meets Criterion 18.
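
The 2-out-of-3 reasoning in the Design Criterion 15 discussion (a channel placed in trip or in bypass) and in the Design Criterion 18 discussion above (a failed shared component) can be checked by enumerating failures. The Python sketch below is an added illustration, not code from the SER, the SHINE FSAR, or the HIPS platform; the `Mode` and `Fault` names, the two-fault model, and the treatment of bypass as a vote forced to not tripped are assumptions made for the example.

```python
from enum import Enum
from itertools import combinations


class Mode(Enum):
    IN_SERVICE = "in service"
    TRIP = "placed in trip"      # removed from service, vote forced to tripped
    BYPASS = "placed in bypass"  # removed from service, vote forced to not tripped


class Fault(Enum):
    NONE = "healthy"
    FAILS_TO_TRIP = "fails to trip"  # unsafe failure: never votes to trip
    SPURIOUS_TRIP = "spurious trip"  # safe-side failure: always votes to trip


def channel_vote(mode, fault, demand):
    """Vote one channel presents to the coincidence logic (True = trip)."""
    if mode is Mode.TRIP:
        return True
    if mode is Mode.BYPASS:
        return False
    if fault is Fault.FAILS_TO_TRIP:
        return False
    if fault is Fault.SPURIOUS_TRIP:
        return True
    return demand  # a healthy in-service channel follows the process


def actuates(modes, faults, demand, required=2):
    """Coincidence logic: actuate when at least `required` channels vote trip."""
    votes = sum(channel_vote(m, f, demand) for m, f in zip(modes, faults))
    return votes >= required


def effective_logic(modes, required=2):
    """(votes still needed, channels still able to vote) after trips/bypasses."""
    tripped = sum(m is Mode.TRIP for m in modes)
    in_service = sum(m is Mode.IN_SERVICE for m in modes)
    return max(required - tripped, 0), in_service


def fault_sets(modes, fault, n_faults, demand, required=2):
    """Sets of n_faults in-service channels whose failure gives the wrong output.

    With demand=True the wrong output is "no actuation"; with demand=False it
    is "actuation without a demand".
    """
    in_service = [i for i, m in enumerate(modes) if m is Mode.IN_SERVICE]
    wrong = []
    for combo in combinations(in_service, n_faults):
        faults = [fault if i in combo else Fault.NONE for i in range(len(modes))]
        if actuates(modes, faults, demand, required) != demand:
            wrong.append(combo)
    return wrong


def meets_single_failure_criterion(modes, required=2):
    """True if no single fail-to-trip failure blocks actuation on demand."""
    return not fault_sets(modes, Fault.FAILS_TO_TRIP, 1, demand=True, required=required)


def single_spurious_actuations(modes, required=2):
    """Channels whose single spurious trip actuates with no demand present."""
    hits = fault_sets(modes, Fault.SPURIOUS_TRIP, 1, demand=False, required=required)
    return [combo[0] for combo in hits]


# Constructed channel line-ups for a three-channel, 2-out-of-3 function.
NORMAL = [Mode.IN_SERVICE] * 3
ONE_IN_TRIP = [Mode.TRIP, Mode.IN_SERVICE, Mode.IN_SERVICE]
ONE_IN_BYPASS = [Mode.BYPASS, Mode.IN_SERVICE, Mode.IN_SERVICE]

if __name__ == "__main__":
    for name, modes in [("normal", NORMAL), ("one in trip", ONE_IN_TRIP),
                        ("one in bypass", ONE_IN_BYPASS)]:
        need, avail = effective_logic(modes)
        print(f"{name:14s} {need}-out-of-{avail}  "
              f"single failure criterion met: {meets_single_failure_criterion(modes)}  "
              f"single spurious trip actuates via: {single_spurious_actuations(modes)}")
```

In this model, a channel placed in trip keeps tolerance of one fail-to-trip failure but lets any single spurious trip actuate, while a channel in bypass, or one failed shared component, leaves 2-out-of-2 coincidence that one further fail-to-trip failure defeats.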

Protection Against Anticipated Transients

SHINE Design Criterion 19 addresses protection against anticipated transients.

SHINE Design Criterion 19 - The protection systems are designed to ensure an extremely high probability of accomplishing their safety functions in the event of anticipated transients.

The safety functions of the TRPS are evaluated in section 7.4.4.2.1, Protection System Functions, of this SER. The arrangement of HIPS modules in the TRPS is the same for each safety function; therefore, the evaluation in this section addresses the extremely high probability aspect of this criterion.

SHINE FSAR section 7.4.2.1.7, Protection Against Anticipated Transients, states that the TRPS is extremely reliable because of its: independence, redundancy, and diversity. The NRC staff considered the reliability of the HIPS equipment as evaluated in section 7.4.2 of this SER.

As noted above, power and pressure transients are analyzed in SHINE FSAR chapters 4, 5, and 13, but the staff could not independently identify and distinguish a set of anticipated transients apart from design basis accidents with respect to the specific accident-initiating events and scenarios described in Chapter 13. Therefore, NRC staff reviewed SHINE FSAR chapters 4, 5, and 13, to identify the TRPS functions credited by these chapters regardless of their treatment as either a potential transient or accident. Sections 7.4.2.2 and 7.4.2.3 of this SER describe the HIPS design attributes and design process that provide reasonable assurance of TRPS reliability; and Chapter 13 of this SER further describes the TRPS protection functions that are credited for transients. Based on the TRPS having adequate reliability for protecting against upset conditions in the subcritical aqueous solution environment of the TSV and the significant safety margins described in Chapter 13 of this SER, the staff has reasonable assurance that the TRPS meets SHINE Design Criterion 19.

Monitoring Radioactivity Releases

SHINE Design Criterion 38 - Means are provided for monitoring the primary confinement boundary, hot cell, and glovebox atmospheres to detect potential leakage of gaseous or other airborne radioactive material. Potential effluent discharge paths and the plant environs are monitored for radioactivity that may be released from normal operations, including anticipated transients, and from postulated accidents.

SHINE FSAR section 7.7, Radiation Monitoring Systems, describes the radiation monitoring systems. SHINE FSAR table 7.4-1, TRPS Monitored Variables, identifies only one radiation monitoring sensor (i.e., RVZ1e IU cell radiation) as initiating a TRPS safety function. Therefore, the NRC staff concludes that the TRPS supports the SHINE facility meeting SHINE Design Criterion 38. The radiation monitoring system is further evaluated in section 7.4.6 of this SER.

Hydrogen Mitigation

SHINE Design Criterion 39 - Systems to control the buildup of hydrogen that is released into the primary system boundary and tanks or other volumes that contain fission products and produce significant quantities of hydrogen are provided to ensure that the integrity of the system and confinement boundaries is maintained.

SHINE FSAR section 4a2.8, Gas Management System, describes how the target solution vessel (TSV) off-gas system (TOGS), the vacuum transfer system (VTS), the process vessel vent system (PVVS), the process integrated control system (PICS), and the operator work together to control the buildup of hydrogen.

The NRC staff did not evaluate the adequacy of PICS and operators to control build-up of hydrogen. The TRPS monitors key parameters of the TOGS system to ensure it is working properly (e.g., per FSAR section 4a2.8.6: minimum TOGS mainstream flow, minimum TOGS dump tank flow, and minimum oxygen concentration). The TRPS initiates the protective functions evaluated in section 7.4.2.1.2, Protection System Functions, for IU Cell Nitrogen Purge when setpoints are exceeded for these parameters. Therefore, the NRC staff concludes that the TRPS supports the SHINE facility meeting SHINE Design Criterion 39.

7.4.4.2.2 TRPS System Design Criteria

SHINE FSAR section 7.4.2.2 outlines several TRPS system specific design criteria for protective actions, single failure, independence, communication, prioritization, setpoints, bypass and permissives, equipment qualification, surveillance, human factors, access control, software requirements development, and quality. The NRC staff's evaluation of the safety significant TRPS system design criteria is documented in section 7.4.4.2.1 of this SER as a part of the SHINE facility design criteria evaluation and in section 7.4.2 of this SER as a part of the HIPS design evaluation. While the NRC staff evaluated the analysis of selected equipment design criteria as subsidiary elements of the broader SHINE Design Criteria, the NRC staff did not independently confirm each TRPS system design criterion and is not specifically making a finding for the TRPS system design criteria.

7.4.3.3 Design Basis

The design bases (defined in 10 CFR 50.2) predominately include the specific functions to be performed by SSCs and the specific values or ranges of values chosen for controlling parameters as reference bounds for design.

Other FSAR Chapters demonstrate the design of the facility provides reasonable assurance of safety. SHINE FSAR Chapter 3 provides the design criteria for the facility, FSAR Chapter 4 discusses the intended operations of the facility including I&C, and FSAR Chapter 13 describes accident and transient scenarios that assume protective functions of the TRPS within specified analytical limits. The FSAR Chapter 13 accident analysis and transient scenarios are based on certain required behavior of the TRPS, as described in FSAR Chapter 7.4. This evaluation determines whether FSAR Chapter 7.4 describes the features, credited in other FSAR Chapters, needed to ensure reasonable assurance of safety. This review focused on:

  • the safety functions to be performed,
  • the prioritization for commands,
  • the facility parameter monitored to determine when a safety function is needed,
  • the value assumed in the analysis at which the safety function is initiated,
  • the time assumed in the analysis to achieve the safety function, and finally,
  • the conditions under which the I&C equipment described in FSAR Chapter 7 (i.e., TRPS, & NFDS) must be able to operate, and
  • the TRPS equipment reliably and predictably performs the functions as described in Chapter 7.

7.4.4.3.1 Safety Functions

Generally, the term safety function is used to refer to those design bases functions performed by the safety systems and credited in the safety analysis.

NUREG-1537, Part 1, section 3.1, Design Criteria, states: general design criteria should include ... Design to cope with anticipated transients and potential accidents, including those discussed in Chapter 13, "Accident Analyses," of the SAR.

NUREG-1537 Part 2, section 7.4, Reactor Protection System, states: In this section, the applicant should thoroughly discuss and describe the RPS, listing the protective functions performed by the RPS

SHINE FSAR section 7.4.2.1.2, Protection System Functions, includes specific acceptance criteria for two types of design basis events: (1) anticipated transients, and (2) accidents, and states: There are no anticipated transients that would result in target solution design limits being exceeded.

The SHINE FSAR explicitly identifies the safety functions of the TRPS and the safety analyses credit these functions for demonstrating reasonable assurance of adequate safety. The adequacy of the safety analyses is addressed in other chapters of this safety evaluation.

The NRC staff reviewed SHINE FSAR Chapters 4, 5, and 13, to identify the TRPS functions credited in these chapters, and the NRC staff concluded that SHINE FSAR section 7.4.3.1, Safety Functions, includes the TRPS functions credited in these SHINE FSAR chapters, and that SHINE FSAR section 7.4 references the FSAR Chapter 13 analyses where these functions are credited. The staff performed an audit to confirm how specific functions were addressed.

Based on this evaluation the NRC staff has reasonable assurance that section 7.4 describes the TRPS safety functions explicitly credited in SHINE FSAR chapters 4, 5, and 13; therefore, the staff finds that the SHINE FSAR section 7.4 includes the appropriate safety functions to meet the applicable principal design criteria of the facility to cope with anticipated transients and potential accidents, including those discussed in the accident analyses.

7.4.4.3.2 Prioritization

NUREG-1537, Part 1, section 3.1, Design Criteria, states: general design criteria should include ... design to cope with anticipated transients and potential accidents ... anticipated transients and potential accidents should include malfunction of any control function

The SHINE facility sometimes uses the same actuated components for normal operational purposes (e.g., for normal operational control), and for implementing the safety functions of the safety-related systems (e.g., TRPS initiated safety functions) for some processes. In these situations, the design must ensure that the commands from the safety system (e.g., to implement a safety function) have priority over the commands from the nonsafety operational or control systems. This prioritization is necessary to ensure that the safety systems are designed to address failures in the operations systems, as described by the preceding paragraph.

SHINE FSAR section 7.4.2.2.6, Prioritization of Functions, contains a design criterion for prioritization and states: Priority is provided to automatic and manual safety-related actuation signals over nonsafety-related signals as described in Subsection 7.4.3.12.

Based on this description, the NRC staff has reasonable assurance that TRPS actuation commands have priority over the control system commands.

7.4.4.3.3 Parameters Monitored

NUREG-1537, Part 1, section 7.1, Summary Description, states: The general description of each category of I&C subsystem should include the types of parameters monitored, both nuclear and nonnuclear, the number of channels designed to monitor each parameter, the actuating logic that determines the need for actions to change reactor conditions and that takes these actions

NUREG-1537 Part 2, section 7.4, Reactor Protection System, states: In this section, the applicant should thoroughly discuss and describe the RPS, listing the parameters monitored to detect the need for protective action.

SHINE FSAR section 7.4.4.1, Monitored Variables and Response, identifies the parameters monitored to determine when to initiate each safety function, and points to the SHINE FSAR Chapter 13 analyses where these monitored variables are credited for initiating each safety function. SHINE FSAR table 7.4-1 identifies the number of sensors used to monitor each parameter. SHINE FSAR figure 7.4-1, TRPS Logic Diagrams, depicts the associated actuation logic. The NRC staff sampled scenarios in SHINE FSAR chapters 4 and 13 to confirm that the TRPS monitored variables include the TRPS facility process parameters credited in SHINE FSAR chapters 4 and 13. Based on this description, the NRC staff finds the FSAR adequately describes the parameters monitored by the TRPS.

7.4.4.3.4 Values Assumed in the Analysis

Section 50.36(c) of 10 CFR states: Technical specifications will include items in the following categories: (1) Safety limits, limiting safety system settings ... (2) Limiting Conditions for operation....

NUREG-1537 Part 2, Chapter 7.4, Reactor Protection System, states: The SAR should contain ... Proposed trip setpoints, time delays, accuracy requirements, and actuated equipment response to verify that the RPS is consistent with the SAR analyses of safety limits, limiting safety system settings (LSSS), and limiting conditions of operation (LCOs), and that this information is adequately included in the technical specifications as discussed in Chapter 14

SHINE FSAR Chapters 4 & 13 include an analysis of events which is evaluated by the NRC staff to ensure the analyzed events demonstrate reasonable assurance of adequate safety.

Each event that is addressed by protective action in the safety systems is analyzed assuming that a protective action is initiated at a certain value. The staff considers this value the analytical limit for purposes of determining the adequacy of instrumentation and control systems. The limiting setpoints in the TS are determined by starting with the analytical limit and accounting for known uncertainties and drift between surveillances.

The safety limits of the SHINE facility are documented in TS section 2.1, Safety Limits. The LSSS and lowest functional capability or performance levels of equipment are in the TS LCOs.

The limiting process parameter value assumed in the analysis, where an automatic protective action is initiated, is generally called the Analytic Limit (AL). FSAR Chapter 13 analyses provide justification for the adequacy of the analytical limit (AL) for protecting the safety limit. SHINE FSAR setpoint chapters describe that the LSSS values in the TS LCO are chosen to be more conservative than the AL by at least the amount associated with uncertainties in the process measurements. Generally, SHINE FSAR section 7.4.4.1, Monitored Variables and Response, includes a subsection for each TRPS-variable monitored, and each of these subsections identifies the SHINE FSAR chapter 13 subsection(s) and scenario(s) that credit(s) that particular monitored variable for performing a TRPS safety function. Furthermore, FSAR table 7.4-1 includes the analytical limit(s) for each variable monitored. Based on this description the NRC staff finds that the SHINE FSAR provides safety analytical limits for which the TRPS is designed to protect.

7.4.4.3.5 Response Time

Subparagraph 50.34(b)(2) of 10 CFR requires that the FSAR include:

A description and analysis of the structures, systems, and components of the facility, with emphasis upon performance requirements, the bases, with technical justification therefor, upon which such requirements have been established, and the evaluations required to show that safety functions will be accomplished. The description shall be sufficient to permit understanding of the system designs and their relationship to safety evaluations.

NUREG-1537 Part 2, section 7.4, Reactor Protection System, states: The SAR should contain ... actuated equipment response to verify that the RPS is consistent with the SAR analyses

NUREG-1537 Part 2, section 7.4, Reactor Protection System, states: The SAR should contain ... time delays ... and actuated equipment response to verify that the RPS is consistent with the SAR analyses of safety limits, limiting safety system settings (LSSS), and limiting conditions of operation (LCOs), and that this information is adequately included in the technical specifications as discussed in Chapter 14

The implementation of a safety function requires that certain protective actions are achieved within a particular time period. To support this need, certain response times should be included in the SHINE FSAR. SHINE FSAR section 7.4.2.1.1, Instrumentation and Controls, states (FSAR section 7.4.4.1 has a similar statement.):

The TRPS monitored variables for performance of design basis functions are presented in Table 7.4-1 and include ... the response time

Chapter 13 of this SER provides the determination of overall response time, as appropriate, to ensure target solution limits are not exceeded as a result of transients and accidents. Therefore, the NRC staff finds that the TRPS design meets SHINE Design Criterion 14.

7.4.4.3.6 Seismic, Tornado, Flood

SHINE FSAR section 7.4.3.6, Seismic, Tornado, Flood, states: (1) the TRPS equipment is installed in the seismically qualified portion of the main production facility where it is protected from earthquakes, tornadoes, and floods, and (2) the TRPS equipment is Seismic Category I, designed in accordance with section 8 of IEEE Standard 344-2013 (IEEE, 2013). The ability of the TRPS to withstand seismic, tornado, and flood events is evaluated in section 3.4 of this SER.

7.4.4.4 Technical Specifications

Section 7.4.10.2, Proposed Technical Specifications, provides the NRC staff review of the SHINE TSs related to the TRPS.

7.4.4.5 Conclusion

The NRC staff has reasonable assurance that the SHINE TRPS is designed to 1) mitigate the consequences of design basis events within the main production facility, 2) provide sense, command, and execute functions necessary to maintain the facility confinement strategy, 3) provide process actuation functions required to shut down processes and maintain processes in a safe condition, and provide system status and measured process variable values to the facility process integrated control system (PICS) for viewing, recording, and trending. The staff has reasonable assurance that the NFDS is adequately described in SHINE FSAR section 7.8.

The NFDS is adequately designed for measurement of the neutron flux signal, signal processing, indication, and interfacing with other systems, including providing analog input to the TRPS. The NRC staff also finds that the TRPS design meets SHINE design criteria 1 through 6, 13 through 19, and 37 through 38. The staff review of the lifecycle development process for HIPS is described in section 7.4.2 of this SER and the adequacy of HIPS and TRPS-related TS is evaluated in section 7.4.10 of this SER. Therefore, the NRC staff concludes that the TRPS is capable of performing the allocated design basis safety function under postulated conditions.

7.4.5 Engineered Safety Features Actuation System

The NRC staff evaluated the sufficiency of the SHINE facility ESFAS, as described in SHINE FSAR section 7.5, Engineered Safety Features Actuation System, using the applicable guidance and acceptance criteria from section 7.5, Engineered Safety Features Actuation Systems, of NUREG-1537, Parts 1 and 2, and section 7b.4, Engineered Safety Features Actuation Systems, of the ISG augmenting NUREG-1537, Part 2.

7.4.5.1 System Description

The applicant describes the ESFAS in SHINE FSAR section 7.5.1, and the staff audited SHINE TECRPT-2020-0002, Rev. 5, Engineered Safety Features Actuation System Design Description, to confirm the information in FSAR section 7.5.1. SHINE FSAR figure 6a2.1-1 is a block diagram of the engineered safety features (ESFs) for the irradiation facility and SHINE FSAR figure 6b.1-1 is a block diagram of the ESF for the radioisotope production facility.

ESFAS is built using the HIPS digital I&C platform. Section 7.4.2 of this SER evaluates the HIPS design for implementation of ESFAS. A general architecture of the ESFAS is shown in SHINE FSAR figure 7.1-3, Engineered Safety Feature Actuation System Architecture.

The SHINE facility has a safety-related ESFAS I&C system that provides monitoring and actuation functions credited in the safety analysis described in Chapter 13 to prevent the occurrence or mitigate the consequences of design basis events within the SHINE facility. If a monitored variable exceeds its predetermined limits, the ESFAS automatically initiates the associated safety function. The ESFAS monitors variables important to the safety functions for confinement of fission products and tritium, and for criticality safety to perform the following functions:

  • Radiologically Controlled Area (RCA) Isolation
  • Supercell Isolation
  • Vacuum Transfer System (VTS) Safety Actuation
  • Tritium Purification System (TPS) Train Isolation
  • TPS Process Vent Actuation
  • Irradiation Unit (IU) Cell Nitrogen Purge
  • Molybdenum Extraction and Purification System (MEPS) Heating Loop Isolation
  • Extraction Column Alignment Actuation
  • Iodine and Xenon Purification and Packaging (IXP) Alignment Actuation
  • Dissolution Tank Isolation

The ESFAS also provides nonsafety-related system status and measured process variable values to the PICS for viewing, recording, and trending.

7.4.5.2 Design Criteria

SHINE FSAR section 7.5.2.1, SHINE Facility Design Criteria, states that the generally applicable SHINE Design Criteria 1 through 6 and SHINE Design Criteria 13 through 19 and 37 through 39 apply to the ESFAS. The subsections below therefore include an evaluation of the ESFAS against each of the applicable SHINE Design Criteria to the extent the ESFAS supports the ability of the overall facility to demonstrate adequate protection against the hazards present.

This section of the SER documents the NRC staff's review and evaluation of the proposed ESFAS system design to perform its safety functions based on the appropriate design criteria to satisfy the 10 CFR 50.34(a)(3) and 50.34(b) requirements. The staff's evaluation of the design of the proposed ESFAS is based on acceptance criteria in section 7.5 of NUREG-1537, Part 2, including acceptance criteria from the guidance and industry standards referenced by NUREG-1537, as listed in section 7.2 of this SER.

7.4.5.2.1 SHINE Facility Design Criteria

Each SHINE Design Criterion applicable to ESFAS is addressed in a separate subsection below.

Quality Standards and Records

SHINE Design Criterion 1 - Safety-related structures, systems, and components (SSCs) are designed, fabricated, erected, and tested to quality standards commensurate with the safety functions to be performed. Where generally recognized codes and standards are used, they are identified and evaluated to determine their applicability, adequacy, and sufficiency and are supplemented or modified as necessary to ensure a quality product in keeping with the required safety function.

SHINE FSAR section 7.5.2.2.15, Quality, states that the ESFAS design, fabrication, installation, and modification are performed in accordance with a quality assurance program which conforms to the guidance of ANSI/ANS 15.8-1995 as endorsed by Regulatory Guide 2.5 and in accordance with the HIPS platform vendor's project quality assurance plan described in SHINE FSAR section 7.4.5.4. SHINE is responsible for oversight of the vendor and maintaining the vendor as an approved supplier on the approved supplier list. SHINE FSAR section 7.5.3.12 outlines the codes and standards applicable to the ESFAS design, fabrication, installation, and testing. Therefore, the NRC staff finds that the safety-related ESFAS meets SHINE Design Criterion 1.

Natural Phenomena Hazards

SHINE Design Criterion 2 - The facility structure supports and protects safety-related SSCs and is designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches as necessary to prevent the loss of capability of safety-related SSCs to perform their safety functions.

SHINE FSAR section 7.5.3.5 states that the ESFAS equipment is installed in the seismically qualified portion of the main production facility where it is protected from earthquakes, tornadoes, and floods. The ESFAS equipment is Seismic Category I, tested using biaxial excitation testing and triaxial excitation testing, in accordance with section 8 of IEEE Standard 344-2013. Based on the NRC staff's evaluation in chapter 3 of this SER for natural phenomena, and SHINE FSAR section 7.5.3.4 for seismic events, the staff finds that the safety-related ESFAS meets SHINE Design Criterion 2.

Fire Protection

SHINE Design Criterion 3 - Safety-related SSCs are designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions.

SHINE FSAR section 7.5.3.8, Fire Protection, states that the ESFAS design uses physical separation to minimize the effects from fire or explosion. ESFAS equipment in different divisions is located in separate fire areas except for the facility control room and in other locations where end devices are installed. Physical separation is used to achieve separation of redundant sensors. Wiring for redundant divisions uses physical separation and isolation to provide independence for circuits. Separation of wiring is achieved using separate wireways and cable trays for each of Divisions A, B, and C. Field Instruments are located in separate fire areas.

Within the facility control room, Division A and C ESFAS cabinets are separated by a minimum of 4 feet and are located on the opposite side of the facility control room from where Division B cabinets are located. Nonsafety-related ESFAS inputs and outputs are routed in non-divisional cable raceways and are segregated from safety-related inputs and outputs. Spatial separation between cable and raceway groups is in accordance with IEEE Standard 384-2008. Portable Class A and Class C fire extinguishers are located in the control room to extinguish fires originating within a cabinet, console, or connecting cables. Noncombustible and heat resistant materials are used whenever practical in the ESFAS design, particularly in locations such as confinement boundaries and the facility control room. Additional information on fire protection can be found in SHINE FSAR section 9a2.3, Fire Protections Systems and Programs.

Therefore, the NRC staff finds that the ESFAS design meets SHINE Design Criterion 3.

Environmental and Dynamic Effects

SHINE Design Criterion 4 - Safety-related SSCs are designed to perform their functions with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents. These SSCs are appropriately protected against dynamic effects and from external events and conditions outside the facility.

SHINE FSAR section 7.5.2.2.11 states that the ESFAS rack mounted equipment is installed in a mild operating environment and is designed for the facility control room environmental parameters outlined in SHINE FSAR table 7.2-2. Rack mounted ESFAS equipment is tested to appropriate standards to show that the effects of EMI/RFI and power surges are adequately addressed. This testing includes emissions testing, susceptibility testing, and surge withstand testing. Appropriate grounding of the ESFAS is performed in accordance with section 5.2.1 of IEEE Std. 1050-2004. SHINE FSAR section 7.5.3.4 states that the cables for the ESFAS are routed through the radiologically controlled area to the process areas. The routed cables have the potential to be exposed to more harsh conditions than the mild environment of the facility control room. The sensors are located inside the process confinement boundary; therefore, the terminations of the cables routed to the sensors are exposed to the high radiation environment.

During normal operation, the ESFAS equipment will operate in the applicable normal radiation environments identified in SHINE FSAR table 7.2-1 for up to 20 years, replaced at a frequency sufficient such that the radiation qualification of the affected components is not exceeded. The radiation qualification of the affected components is based upon the total integrated dose (TID) identified in SHINE FSAR table 7.2-1 being less than the threshold values identified in industry studies. The environmental conditions for ESFAS components are outlined in SHINE FSAR tables 7.2-1 through 7.2-3. Therefore, the NRC staff finds that the ESFAS design meets SHINE Design Criterion 4.

Sharing of Structures, Systems, and Components

SHINE Design Criterion 5 - Safety-related SSCs are not shared between irradiation units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions.

SHINE FSAR section 7.5.2.1 states that the ESFAS does not share components between irradiation units. FSAR section 7.5.2.1.6, Separation of Protection and Control Systems, states that there are no sensor outputs that have both an ESFAS safety-related protection function and a nonsafety-related control function. Based on review of ESFAS monitored variables in SHINE FSAR table 7.5-1, ESFAS Monitored Variables, and ESFAS logic diagrams in SHINE FSAR figure 7.5-1, the NRC staff finds that the ESFAS does not share components between irradiation units. Therefore, the NRC staff finds that the ESFAS design meets SHINE Design Criterion 5.

Control Room

SHINE Design Criterion 6 - A control room is provided from which actions can be taken to operate the irradiation units safely under normal conditions and to perform required operator actions under postulated accident conditions.

SHINE FSAR section 7.5.2.2.14, Human Factors, states that the ESFAS design provides capability for manual actuation of ESFAS safety functions in the facility control room. ESFAS logic diagrams in SHINE FSAR figure 7.5-1 show the logic for manual actuation of ESFAS safety functions. The ESFAS includes redundantly isolated outputs for each safety-related instrument channel to provide monitoring and indication information to the PICS, which includes indication of ESFAS actuation device status. This supports operator actions under postulated accident conditions. Therefore, the NRC staff finds that the ESFAS design meets SHINE Design Criterion 6.

Instrumentation and Controls

SHINE Design Criterion 13 - Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated transients, and for postulated accidents as appropriate to ensure adequate safety, including those variables and systems that can affect the fission process, the integrity of the primary system boundary, the primary confinement and its associated systems, and the process confinement boundary and its associated systems. Appropriate controls are provided to maintain these variables and systems within prescribed operating range.

In response to RAI 7-13, the applicant states that each division of the ESFAS transmits monitoring and indication information to the PICS. The following information from the ESFAS is displayed in the facility control room (FCR):

  • Mode and Fault status for each HIPS module
  • Status and value of the monitored variables identified in table 7.5-1 of the SHINE FSAR
  • Trip/Bypass switch status
  • Divisional partial trip determination status
  • Divisional full trip determination status
  • TRPS IU cell operational mode status
  • Actuation output and fault status
  • Actuated component position feedback status

The ESFAS monitoring and indication information is available to the operators in the FCR at the PICS operator workstations. A subset of the ESFAS monitoring and indication information is displayed at the main control board in the FCR near the manual control switches for actuating ESFAS safety functions. The ESFAS provides redundant outputs to the PICS. The PICS receives the outputs from the ESFAS onto a fault-tolerant server comprised of internal redundant physical servers. The use of redundant outputs from the ESFAS to redundant internal physical servers on the PICS ensures that a failure would not prevent the operator from obtaining or resolving conflicting information. By displaying ESFAS monitoring and indication information at multiple locations in the FCR, including near manual controls for actuating ESFAS equipment, the design ensures the operator has sufficient information to operate the facility and take manual operator action, as necessary. SHINE FSAR section 7.4.5.2.4 provides a description of the information available to the operators in the FCR. SHINE FSAR section 7.5.4.1, Monitored Variables and Response, provides a discussion of the ESFAS response to each monitored variable (signal input). Table 7.5-1 provides the instrument range, accuracy, response time, and a specified analytical limit. The staff did not review specific design information or performance data for the sensors/instruments listed in table 7.5-1, and therefore did not specifically confirm the validity of performance parameters assigned to each instrument.

SHINE will test and qualify the instrumentation in accordance with Technical Specifications and SHINE FSAR section 12.11.2, Startup Tests.

Based on the information provided, the NRC staff confirmed that the variables listed in SHINE FSAR table 7.5-1 are used for display and to initiate defined actuation of the applicable ESF.

Further, these variables have operable protection capability in all operating modes and conditions, as analyzed in the SHINE FSAR for the complete range of normal facility operating conditions and to cope with anticipated transients and potential accidents evaluated. The adequacy of PICS, consoles, and displays in meeting Criterion 13 is addressed separately in section 7.4.6 of this SER.

Protection System Functions

SHINE Design Criterion 14 - The protection systems are designed to: (1) initiate, automatically, the operation of appropriate systems to ensure that specified acceptable target solution design limits are not exceeded as a result of anticipated transients; and (2) sense accident conditions and to initiate the operation of safety-related systems and components.

SHINE FSAR section 7.5.2.1.2, Protection System Functions, states that there are no anticipated transients that require the initiation of the ESFAS to ensure specified acceptable target solution design limits are not exceeded and refers to SHINE FSAR section 7.5.3.1, Safety Functions, which describes the ESFAS safety functions that are relied upon for specific accident scenarios. Based on review of these SHINE FSAR sections and the ESFAS logic diagrams depicted in SHINE FSAR figure 7.5-1, the NRC staff finds that the ESFAS is designed to perform the safety functions for transients and accidents credited by SHINE FSAR chapter 13 necessary to maintain the facility confinement strategy and provides process actuation functions required to shut down processes and maintain processes in a safe condition. The SHINE FSAR does not appear to describe the total system response time assumed or credited for all event scenarios in chapter 13, or how the instrument response time specified in SHINE FSAR table 7.5-1 relates to the total system response time assumed in any associated analyses. The NRC staff also reviewed selected calculations to confirm that the response time in SHINE FSAR table 7.5-1 is consistent with the total response time assumed in the accident analysis for instrument response time, HIPS response time, and actuation time. The staff audited SHINE CALC-2019-0045, Rev. 1, MEPS heating Loop Radiation Extraction Area A/B/C to confirm the basis for the response time values listed in SHINE FSAR table 7.5-1. Chapter 13 of this SER provides the evaluation of overall response times, as appropriate, to ensure target solution limits are not exceeded as a result of transients and accidents. Therefore, the staff finds that the ESFAS design meets SHINE Design Criterion 14.

Protection System Reliability and Testability

SHINE Design Criterion 15 - The protection systems are designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection systems are sufficient to ensure that: (1) no single failure results in loss of the protection function, and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection systems are designed to permit periodic testing, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

SHINE FSAR section 7.5.2.1.3 states that the HIPS platform design for the ESFAS supports high functional reliability by:

  • Incorporating predictability and repeatability principles to ensure an extremely high probability of accomplishing safety functions.
  • ESFAS contains capabilities for inservice testing for those functions that cannot be tested while the associated equipment is out of service. The HIPS maintenance bypass function allows for an individual SFM to be removed from service in accordance with the technical specifications, for the purpose of performing required technical specification surveillance testing to verify the operability of ESFAS components during system operation, which supports in-service testability.

  • SSCs that comprise a division are physically separated to retain the capability of performing the required safety functions during a design basis accident.
  • Redundancy within the ESFAS consists of two or three divisions of input processing and trip determination and two divisions of actuation logic arranged such that no single failure can prevent a safety actuation when required. An ESFAS channel can be taken out of service without an adverse impact on redundancy.
  • Self-test features are provided for the HIPS components that do not have setpoints or tunable parameters. Self-testing capabilities provide indication of component degradation and failure, which allows action to be taken to ensure that no single failure results in the loss of the protection function.

The NRC staff's evaluation of the HIPS platform design for the TRPS and ESFAS in section 7.4.2, HIPS Design, of this SER finds that the high functional reliability features discussed above have been adequately implemented in the HIPS platform. Specifically, the NRC staff's evaluation in sections 7.4.2.1.4, HIPS Diagnostics and Self-testing, 7.4.2.1.5, Operational and Maintenance Bypass, 7.4.2.2.1, Independence, 7.4.2.2.2, Redundancy, and 7.4.2.2.3, Predictability and Repeatability, of this SER finds that the HIPS platform design for TRPS and ESFAS provides for high functional reliability and testability and thereby meets SHINE Design Criterion 15.

Protection System Independence

SHINE Design Criterion 16 - The protection systems are designed to ensure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels, do not result in loss of the protection function or are demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, are used to the extent practical to prevent loss of the protection function.

SHINE FSAR section 7.5.2.1.4, Protection System Independence, states that the ESFAS control and logic functions operate inside of the facility control room where the environment is mild, not exposed to the irradiation process, and is protected from earthquakes, tornadoes, and floods. The ESFAS SSCs that comprise a division are physically separated to retain the capability of performing the required safety functions during a design basis accident. Division independence is maintained throughout, extending from the sensor to the devices actuating the protective function. Functional allocation of different process parameters on different SFMs and diversity in component design are used to prevent loss of the protection function. SHINE FSAR section 7.5.3.4 states that the ESFAS components are qualified to the environmental and radiological parameters provided in SHINE FSAR tables 7.2-1 through 7.2-3. SHINE FSAR section 7.5.3.5 states that the ESFAS equipment is installed in the seismically qualified portion of the main production facility where it is protected from earthquakes, tornadoes, and floods.

The ESFAS equipment is Seismic Category I, tested using biaxial excitation testing and triaxial excitation testing, in accordance with section 8 of IEEE Standard 344-2013. SHINE FSAR section 7.5.2.2.11 states that the rack mounted ESFAS equipment is tested to appropriate standards to show that the effects of EMI/RFI and power surges are adequately addressed. This testing includes emissions testing, susceptibility testing, and surge withstand testing.

Appropriate grounding of the ESFAS is performed in accordance with section 5.2.1 of IEEE Standard 1050-2004.

Based on the above discussion and the NRC staff's evaluation of equipment qualification in section 7.4.2.1.3 and diversity in section 7.4.2.2.4 of this SER, the staff finds that the SHINE protection systems meet the SHINE Design Criterion 16, considering the potential consequences and large safety margins described in chapter 13 of this SER. This ensures that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function.

Protection System Failure Modes

SHINE Design Criterion 17 - The protection systems are designed to fail into a safe state if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments are experienced.

SHINE FSAR section 7.5.2.1.5, Protection System Failure Modes, states that controlled components associated with safety actuations are designed to go to their safe state when deenergized. SHINE FSAR table 7.5-2 identifies the fail-safe positions of the ESFAS safety actuation components on loss of power. SHINE FSAR section 7.5.3.4 states that the ESFAS equipment is qualified for radiological and environmental hazards present during normal operation and postulated accidents. During normal operation, the ESFAS equipment will operate in the applicable normal radiation environments identified in SHINE FSAR table 7.2-1 for up to 20 years, replaced at a frequency sufficient such that the radiation qualification of the affected components, which is based upon the total integrated dose (TID) identified in SHINE FSAR table 7.2-1, is not exceeded.

Based on the information provided above, the NRC staff's evaluation of equipment qualification, and protection system reliability and testability in sections 7.4.2.1.3 and 7.4.5.2.1 of this SER, and evaluation of the ESFAS logic diagrams in the SHINE FSAR figure 7.5-1, Sheets 1 through 27, the staff finds that the ESFAS is designed to fail into a safe state and will perform its protective actions upon loss of power, loss of an ESFAS component, or adverse environmental conditions. Therefore, the staff concludes that the ESFAS is designed to perform the required protective actions in the presence of any single failure or malfunction and meets the SHINE Design Criterion 17, design acceptance criterion in NUREG-1537, Part 2, for single failure, and the design acceptance criteria in sections 5.1 and 5.4 of ANSI/ANS 15.15-1978 for single failure and fail-safe.

Separation of Protection and Control Systems

SHINE Design Criterion 18 - The protection system is separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems is limited to assure that safety is not significantly impaired.

SHINE FSAR section 7.5.2.1.6 states that there are no sensor outputs that have both an ESFAS safety-related protection function and a nonsafety-related control function. There are no inputs to the ESFAS from the PICS that are used in the determination of protective actions.

Nonsafety-related inputs to the ESFAS from the PICS are limited to those for controls and monitoring and indication only variables. SHINE FSAR section 7.5.3.3 states that the nonsafety control signals from the PICS are implemented through a hardwired parallel interface that requires the PICS to send a binary address associated with the output state of the EIM along with a mirrored complement address. The mirrored complement address prevents any single incorrectly presented bit from addressing the wrong EIM output state. The ESFAS contains an enable nonsafety switch that controls when the hardwired parallel interface within the APL is active, thus controlling when the PICS inputs can operate ESFAS components. When the enable nonsafety switch is not active, the nonsafety-related control signal is ignored. If the enable nonsafety switch is active, and no automatic or manual safety actuation command is present, the nonsafety-related control signal can control the ESFAS component. The hardwired module provides isolation for the nonsafety-related signal path.
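
The address check and command priority described above can be modelled in a few lines. This is an added example, not SHINE's or the HIPS vendor's logic; the 4-bit address width, the address-to-state table, the names, and the hold-current-state behaviour on an ignored or rejected command are assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations

ADDR_BITS = 4                      # assumption: the page gives no address width
ADDR_MASK = (1 << ADDR_BITS) - 1
SAFE_STATE = "DEENERGIZED"         # safe state on actuation (assumed label)
# Constructed address-to-output-state table for one hypothetical EIM output.
OUTPUT_STATES = {0b0001: "DEENERGIZED", 0b0010: "ENERGIZED"}


def address_is_valid(address: int, complement: int) -> bool:
    """True only when `complement` is the exact bitwise complement of `address`."""
    in_range = 0 <= address <= ADDR_MASK and 0 <= complement <= ADDR_MASK
    return in_range and (address ^ complement) == ADDR_MASK


@dataclass(frozen=True)
class Inputs:
    safety_actuation: bool   # automatic or manual safety actuation command present
    enable_nonsafety: bool   # position of the enable nonsafety switch
    address: int             # address word presented by the PICS
    complement: int          # mirrored complement word presented by the PICS


def resolve_output(inp: Inputs, current_state: str) -> tuple[str, str]:
    """Return (output state, reason), applying the priority order in the text."""
    if inp.safety_actuation:
        return SAFE_STATE, "safety actuation command has priority"
    if not inp.enable_nonsafety:
        return current_state, "enable nonsafety inactive: PICS signal ignored"
    if not address_is_valid(inp.address, inp.complement):
        return current_state, "address/complement mismatch: PICS signal rejected"
    if inp.address not in OUTPUT_STATES:
        return current_state, "unassigned address: PICS signal rejected"
    return OUTPUT_STATES[inp.address], "PICS command applied"


def fault_coverage(n_faulty_lines: int) -> tuple[int, int]:
    """Flip every combination of n parallel lines for every address.

    Returns (corrupted words still accepted, corrupted words tried).
    """
    accepted = total = 0
    for address in range(ADDR_MASK + 1):
        # The 2 * ADDR_BITS parallel lines: address word, then its complement.
        word = (address << ADDR_BITS) | (address ^ ADDR_MASK)
        for lines in combinations(range(2 * ADDR_BITS), n_faulty_lines):
            faulty = word
            for line in lines:
                faulty ^= 1 << line
            total += 1
            if address_is_valid(faulty >> ADDR_BITS, faulty & ADDR_MASK):
                accepted += 1
    return accepted, total


if __name__ == "__main__":
    for n in (1, 2):
        accepted, total = fault_coverage(n)
        print(f"{n} faulty line(s): {accepted} of {total} corrupted words accepted")
    print(resolve_output(Inputs(False, True, 0b0010, 0b1101), "DEENERGIZED"))
    print(resolve_output(Inputs(True, True, 0b0010, 0b1101), "ENERGIZED"))
```

In this model every single-line fault is rejected, while a fault that flips the same bit position in both words still passes the complement check, which matches the FSAR statement being scoped to a single incorrectly presented bit.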

Based on the information provided above, the NRC staff's evaluation in sections 7.4.2.2.1, Independence, 7.4.2.2.2, Redundancy, and 7.4.2.2.6, Prioritization of Functions, of this SER, the staff finds that the ESFAS is adequately separated from the PICS such that failure of any single PICS component, or failure or removal from service of any single ESFAS component or channel, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the ESFAS. Interconnection of the ESFAS and PICS is designed to assure that safety is not significantly impaired. Therefore, the NRC staff concludes that the ESFAS design meets SHINE Design Criterion 18.

Protection Against Anticipated Transients

SHINE Design Criterion 19 - The protection systems are designed to ensure an extremely high probability of accomplishing their safety functions in the event of anticipated transients.

SHINE FSAR section 7.5.2.1.7 states that the HIPS platform's implementation of the ESFAS ensures an extremely high probability of accomplishing the required safety functions by applying the attributes of independence, redundancy, and predictability and repeatability. Collectively, these attributes ensure the ESFAS functions in a highly consistent manner with high reliability.

Independence principles contribute to ensuring an extremely high probability of accomplishing safety functions by ensuring that SSCs that comprise a division are physically separated.

Redundancy principles contribute to ensuring an extremely high probability of accomplishing safety functions by ensuring that no single failure can prevent a safety actuation. Predictability and repeatability principles contribute to ensuring an extremely high probability of accomplishing safety functions by ensuring the ESFAS produces the same outputs for a given set of input signals within well-defined response time limits.

Based on the information provided above and the NRC staff's evaluation in sections 7.4.2.2.1, Independence, 7.4.2.2.2, Redundancy, and 7.4.2.2.3, Predictability and Repeatability, of this SER, the NRC staff finds that the ESFAS is designed to ensure an extremely high probability of accomplishing its safety functions in the event of anticipated transients. Therefore, the staff finds that the ESFAS meets the SHINE Design Criterion 19 and the acceptance criterion in NUREG-1537, Part 2, for single failure, and the design acceptance criteria in sections 5.1 and 5.4 of ANSI/ANS 15.15-1978 for single failure and fail-safe.

Criticality Control in the Radioisotope Production Facility

SHINE Design Criterion 37 - Criticality in the radioisotope production facility is prevented by physical systems or processes and the use of administrative controls. Use of geometrically safe configurations is preferred. Control of criticality adheres to the double contingency principle. A criticality accident alarm system to detect and alert facility personnel of an inadvertent criticality is provided.

SHINE FSAR section 7.5.2.1.8, Criticality Control in the Radioisotope Production Facility, states that the ESFAS provides the following two safety functions as required by the SHINE criticality safety program described in SHINE FSAR section 6b.3, Nuclear Criticality Safety:

  • Vacuum Transfer System (VTS) Safety Actuation - This safety function stops the transfer of target solution or other radioactive solutions upon indication of potential upset conditions. The VTS vacuum header liquid detection signal protects against an overflow of the vacuum lift tanks to prevent a potential criticality event as described in SHINE FSAR Section 6b.3.2.5, Vacuum Transfer System.
  • TSPS Dissolution Tank Isolation - Dissolution tank isolation is relied upon as a safety-related control for preventing a criticality event as described in SHINE FSAR Section 6b.3.2.4, Target Solution Preparation System. This safety function protects against a criticality event due to excess fissile material in a non-favorable geometry system and prevents overflow of the dissolution tank into the uranium handling glovebox or ventilation system.

SHINE FSAR section 6b.3.1.4, Nuclear Criticality Safety Evaluations, states that for the purposes of nuclear criticality safety evaluations (NCSEs), criticality events are always considered to be high consequence, with a strict emphasis on selection of controls to prevent criticality, and where the double contingency principle (DCP) is employed. The NCSE contains a description of its implementation. SHINE FSAR section 6b.3.2, Criticality Safety Controls, describes the criticality safety controls and states that the failure of a single nuclear criticality safety (NCS) control which maintains two or more controlled parameters is considered a single process upset when determining whether the DCP is met. Passive engineered geometry controls are the most preferred type of NCS controls. Otherwise, the preferred hierarchy of NCS controls is (1) passive engineered, (2) active engineered, (3) enhanced administrative, and (4) administrative. Generally, control on two independent criticality parameters is preferred over multiple controls on a single parameter. If redundant controls on a single parameter are used, a preference is given to diverse means of control on that parameter. SHINE FSAR section 6b.3.2 describes the following systems that require active engineered criticality safety control:

  • SHINE FSAR section 6b.3.2.4: Target Solution Preparation System (TSPS) - High level within the dissolution tanks requires application of the DCP to prevent criticality accidents. The dissolution tanks are equipped with high level controls that are interlocked with isolation valves on cooling and ventilation lines.

  • SHINE FSAR section 6b.3.2.5: Vacuum Transfer System (VTS) - The inadvertent transfer of solution to a non-fissile system requires application of the DCP to prevent criticality accidents. The VTS piping design and features prevent transfer of target solution to non-favorable geometry components within the VTS. The vacuum headers are equipped with liquid detection that stops transfers upon detection of liquid.

  • SHINE FSAR section 6b.3.2.8: Radioactive Drain System (RDS) - Precipitation of solids requires application of the DCP to prevent criticality accidents. The hold tanks are equipped with level instrumentation to detect a leak of solution transferred to RDS. FSAR Section 7.3.1.3.3, Radioactive Drain System, states that drains from vaults, trenches, and other areas where uranium-bearing solutions may be present are part of the RDS. PICS is used to provide indication of leakage and the presence of liquid in the RDS sump tanks to alert the operator of abnormal situations.

The NRC staff's evaluation of the NCSEs and CAAS is documented in section 6b.3.3 of this SER. Based on the information provided above, the NRC staff finds that the TSPS dissolution tank level signals protect against a criticality event due to excess fissile material in a non-favorable geometry system since the TSPS dissolution tank level signal is received by the ESFAS, which initiates TSPS dissolution tank isolation on high level in either dissolution tank. Additionally, the staff finds that the VTS vacuum header liquid detection signal protects against an overflow of the vacuum lift tanks to prevent a potential criticality event because the VTS vacuum header liquid detection signal is received by the ESFAS and upon detection of liquid in the VTS vacuum header a VTS safety actuation is initiated. Further, the NRC staff finds that the RDS liquid detection signal detects leakage or overflow from other tanks and piping since the RDS liquid detection signal is received by the ESFAS and upon detection of liquid in the RDS a VTS Safety Actuation is initiated. Therefore, the staff finds that the ESFAS design meets the SHINE Design Criterion 37.

Monitoring Radioactivity Releases

SHINE Design Criterion 38 - Means are provided for monitoring the primary confinement boundary, hot cell, and glovebox atmospheres to detect potential leakage of gaseous or other airborne radioactive material. Potential effluent discharge paths and the plant environs are monitored for radioactivity that may be released from normal operations, including anticipated transients, and from postulated accidents.

SHINE FSAR section 7.5.2.1.9, Monitoring Radioactivity Releases, states the ESFAS monitors for potential radioactivity releases from the following various areas of the main production facility:

  • Radiological Ventilation Zones - SHINE FSAR section 7.5.3.1.24, RCA Isolations, states that ESFAS monitors radiation in the radiological ventilation zone 1 (RVZ1) and RVZ2 exhaust for an RCA isolation actuation.
  • Super Cell Areas - SHINE FSAR sections 7.5.3.1.1 through 7.5.3.1.10 state that the ESFAS monitors radiation at the outlet of each supercell area 1 through area 10 for respective supercell area(s) isolation actuation.

  • TPS Confinement - SHINE FSAR sections 7.5.3.1.18 through 7.5.3.1.20 state that ESFAS monitors tritium purification system (TPS) confinement tritium for the respective TPS train isolation actuation.

SHINE FSAR section 7.4.4.1.15, High RVZ1e IU Cell Exhaust Radiation, states that the high RVZ1e IU cell exhaust radiation is measured on the exhaust of the PCLS expansion tank located in each IU cell. A high RVZ1e IU cell exhaust radiation signal is generated by the TRPS when an RVZ1e IU cell exhaust radiation input exceeds the high level setpoint.

SHINE FSAR section 7.7.2, Nonsafety-Related Process Radiation Monitoring, states that nonsafety-related process radiation monitoring is provided as part of various systems to provide information to the operator on the status and effectiveness of processes. They may be used to diagnose process upsets but are not relied upon to prevent or mitigate accidents.

SHINE FSAR section 7.7.3, Area Radiation Monitoring, states that the area radiation monitoring within the facility is provided by the radiation area monitoring system (RAMS). Area radiation monitors are in areas where personnel may be present and where radiation levels could become significant. The monitors provide local and remote indication of radiation levels and provide local alarms to notify personnel of potentially hazardous conditions.

SHINE FSAR section 7.7.4, Continuous Air Monitoring, states that continuous airborne contamination monitoring within the facility is provided by the continuous air monitoring system (CAMS). Each CAMS unit samples air and provides real time alpha and beta activities or tritium activity to alert personnel when airborne contamination is above preset limits. CAMS units are in areas where personnel may be present and where contamination levels could become significant. Each CAMS unit provides local and remote indication of airborne radiation levels and alarm capabilities.

SHINE FSAR section 7.7.5, Effluent Monitoring, states that effluent monitoring for the facility is provided by the SRMS. The SRMS is composed of two monitoring units: the main facility stack release monitor (SRM), and the carbon delay bed effluent monitor (CDBEM). The SRM is used to demonstrate that gaseous effluents from the main production facility are within regulatory limits and does not have an accident mitigation or personnel protection function. The SRM performs its function by drawing a representative air sample from the stack and providing a means to measure the air sample for noble gases (continuous measurement) and capturing particulates, iodine, and tritium for collective measurement. The CDBEM monitors for noble gases at the exhaust of the process vessel vent system (PVVS) carbon delay beds to provide information about the health of the PVVS carbon delay beds and to provide the ability to monitor the safety-related exhaust point effluent release pathway when it is in use. The CDBEM is used on an as-needed basis to demonstrate that gaseous effluents from the main production facility are within regulatory limits (e.g., during a loss of off-site power when the normal heating, ventilation, and air conditioning [HVAC] systems and the PVVS are not operating) and does not have an accident mitigation or personnel protection function. Two particulate and iodine filters (redundant configuration) are provided for in-line capturing and collective measurement when the safety-related exhaust point is in use.

Based on the above discussion, the NRC staff finds that means are provided for monitoring the primary confinement boundary, hot cell, and glovebox atmospheres to detect potential leakage of gaseous or other airborne radioactive material. Potential effluent discharge paths and the plant environs are monitored for radioactivity that may be released from normal operations, including anticipated transients, and from postulated accidents. Therefore, the staff finds that the SHINE facility, including the ESFAS, meets SHINE Design Criterion 38.

Hydrogen Mitigation

SHINE Design Criterion 39 - Systems to control the buildup of hydrogen that is released into the primary system boundary and tanks or other volumes that contain fission products and produce significant quantities of hydrogen are provided to ensure that the integrity of the system and confinement boundaries is maintained.

SHINE FSAR section 7.5.2.1.10 states that the ESFAS monitors variables and provides actuations to protect against hydrogen deflagration in various areas in the SHINE main production facility.

SHINE FSAR section 7.5.4.1.14 states that the TRPS IU cell nitrogen purge signal protects against a loss of hydrogen mitigation capabilities in the irradiation units. The ESFAS initiates an IU Cell nitrogen purge based on the TRPS IU cell nitrogen purge signal. Upon receipt of a TRPS IU cell nitrogen purge initiation signal, ESFAS initiates IU Cell Nitrogen Purge.

SHINE FSAR section 7.5.4.1.15 states that the PVVS flow signal protects against loss of hydrogen mitigation capabilities in the RPF. The ESFAS initiates an RPF nitrogen purge based on low PVVS flow.

SHINE FSAR section 7.5.4.1.19, UPSS Loss of External Power, states that the loss of external power signal protects against an anticipatory loss of hydrogen mitigation in the IU cell. The ESFAS provides an ESFAS loss of external power actuation signal to the TRPS subsystem associated with each IU cell upon receipt of an uninterruptible electrical power supply system (UPSS) loss of external power signal to initiate an IU Cell Nitrogen Purge within the TRPS. The ESFAS initiated IU Cell Nitrogen Purge signal is provided to each of the eight TRPS subsystems as an ESFAS loss of external power signal.

Based on the discussion above, the NRC staff finds that the ESFAS is designed to initiate nitrogen purge to control the buildup of hydrogen that is released into the primary system boundary and tanks or other volumes that contain fission products and produce significant quantities of hydrogen to ensure that the integrity of the system and confinement boundaries is maintained. Therefore, the staff finds that the ESFAS design meets the SHINE Design Criterion 39.

7.4.5.2.2 ESFAS System Design Criteria

SHINE FSAR section 7.5.2.2, ESFAS System Design Criteria, outlines several ESFAS system-specific design criteria for protective actions, single failure, independence, communication, prioritization, setpoints, bypass and permissives, equipment qualification, surveillance, human factors, access control, software requirements development, and quality. The NRC staff's evaluation of the safety-significant ESFAS system design features and attributes is documented in section 7.4.5.2.1 of this SER as a part of the SHINE Design Criteria evaluation and in section 7.4.2 of this SER as a part of the HIPS design evaluation. While the NRC staff evaluated the analysis of selected equipment design criteria as subsidiary elements of the broader SHINE Design Criteria, the staff did not independently confirm each ESFAS system design criterion and is not specifically making a finding for the ESFAS system design criteria.

7.4.5.3 Design Basis

The ESFAS is a safety-related system designed to monitor process variables and provide automatic initiating signals in response to off-normal conditions, providing protection against unsafe conditions in the main production facility. The HIPS digital I&C platform is used to implement the ESFAS logic, and the design basis associated with the HIPS platform is evaluated in section 7.4.2 of this SER. Following is the NRC staff's evaluation of the ESFAS-specific design basis.

7.4.5.3.1 Safety Functions

SHINE FSAR section 7.5.3.1 describes the safety functions performed by ESFAS to mitigate the consequences of design basis events credited in SHINE FSAR chapter 13. The ESFAS monitors variables associated with the safety functions for confinement of radiation and tritium within the irradiation facility (IF) and the radioisotope production facility (RPF) and for criticality safety. For each ESFAS safety function, this SHINE FSAR section identifies the components that actuate based on monitored variables and associated system actuation. SHINE FSAR section 7.5.3.6, Human Factors, states that the ESFAS provides manual actuation capabilities for the ESFAS safety functions via the manual push buttons located on the main control board.

To support the use of manual safety actuations and reset of protective actions, the ESFAS provides monitored process parameter information, ESFAS actuated component status, and ESFAS actuation function status to the PICS. Based on review of these SHINE FSAR sections and the ESFAS logic diagrams depicted in SHINE FSAR figure 7.5-1, the NRC staff finds that the ESFAS is designed to perform the safety functions credited by the safety analysis in SHINE FSAR chapter 13 necessary to maintain the facility confinement strategy and provides process actuation functions required to shut down processes and maintain processes in a safe condition.

7.4.5.3.2 Completion of ESFAS Protective Actions

SHINE FSAR section 7.5.3.2 states that ESFAS is designed so that once initiated, protective actions will continue to completion. Only deliberate operator action can be taken to reset the ESFAS following a protective action.

Based on its review of the ESFAS logic diagrams in SHINE FSAR figure 7.5-1, the NRC staff finds that ESFAS latches in a protective action and maintains the state of a protective action until operator input is initiated to reset the output of the ESFAS to normal operating conditions. If there is no signal present from the automatic safety actuation or manual actuation, then the enable nonsafety switch would allow an operator, after the switch has been brought to enable, to control the output state of the ESFAS with a control signal from the nonsafety-related PICS.

Therefore, the staff finds that the ESFAS design allows initiated protective actions to continue to completion and that they can only be manually reset by an operator in the absence of a safety actuation signal.
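The latch-and-reset behavior described in this section can be sketched as a small state machine. This is an added illustration, not SHINE's or the HIPS platform's logic; the class, field names, the treatment of "brought to enable" as a rising edge of the switch, and the input sequence are all assumptions of the sketch.

```python
from dataclasses import dataclass

SAFE, NORMAL = "safe", "normal"


@dataclass(frozen=True)
class Inputs:
    auto: bool = False    # automatic safety actuation signal present
    manual: bool = False  # manual actuation (push button) signal present
    enable: bool = False  # enable nonsafety switch held in "enable"
    pics: str = NORMAL    # state requested by the nonsafety-related PICS


class LatchedOutput:
    """One actuation output (hypothetical model of a single component)."""

    def __init__(self):
        self.latched = False
        self.state = SAFE          # conservative power-up state (assumption)
        self._prev_enable = False

    def step(self, inp):
        demand = inp.auto or inp.manual
        # Assumption: the deliberate operator action is the switch being
        # moved into "enable", i.e. a rising edge, not a held position.
        brought_to_enable = inp.enable and not self._prev_enable
        self._prev_enable = inp.enable

        if demand:
            # Any automatic or manual actuation sets the latch.
            self.latched = True
        elif self.latched and brought_to_enable:
            # Reset is honored only with no actuation signal present.
            self.latched = False

        if self.latched:
            # The protective action holds; PICS requests are ignored.
            self.state = SAFE
        elif inp.enable:
            # Nonsafety control passes through only while enabled.
            self.state = inp.pics
        # Otherwise the output holds its previous state.
        return self.state


def run_sequence(steps):
    """Apply a list of Inputs in order and return the output after each."""
    out = LatchedOutput()
    return [out.step(s) for s in steps]


# Constructed input sequence (not taken from the FSAR or the SER).
CONSTRUCTED_SEQUENCE = [
    Inputs(enable=True, pics=NORMAL),             # operator enables, PICS runs the process
    Inputs(auto=True, enable=True, pics=NORMAL),  # automatic actuation arrives
    Inputs(enable=True, pics=NORMAL),             # signal clears, switch never cycled
    Inputs(enable=False),                         # switch returned to disable
    Inputs(manual=True, enable=True),             # reset attempted during a manual actuation
    Inputs(enable=True, pics=NORMAL),             # demand clears, switch still held
    Inputs(enable=False),
    Inputs(enable=True, pics=NORMAL),             # deliberate reset with no demand present
    Inputs(enable=False, pics=SAFE),              # PICS request ignored while disabled
]

if __name__ == "__main__":
    for inp, state in zip(CONSTRUCTED_SEQUENCE, run_sequence(CONSTRUCTED_SEQUENCE)):
        print(inp, "->", state)
```
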

7.4.5.3.3 Single Failure

SHINE FSAR section 7.5.3.3 states that no single failure within the ESFAS results in the loss of the protective function. The HIPS digital I&C platform is used to implement ESFAS, and the ESFAS single failure criterion associated with the HIPS platform is evaluated in section 7.4.2 of this SER. Following is the NRC staff's evaluation of single failures in the ESFAS design where a passive check valve is credited as a redundant component.

Based on SHINE FSAR sections 7.5.3.1.17, VTS Safety Actuation, 7.5.3.1.18, TPS Train A Isolation, 7.5.3.1.19, TPS Train B Isolation, 7.5.3.1.20, TPS Train C Isolation, 7.5.3.1.23, RPF Nitrogen Purge, 7.5.3.3, Single Failure, and the ESFAS logic diagram in SHINE FSAR figure 7.5-1, Sheets 13, 14, 15, 18, 19, 20, the ESFAS is designed to actuate only the Division A component for the following select safety functions where a passive check valve is credited as a redundant component:

  • A check valve is provided in series with each of the following components to support isolation during a VTS Safety Actuation:
    - MEPS A/B/C extraction column wash supply valve
    - MEPS A/B/C extraction column eluent valve
    - MEPS A/B/C wash supply valve
    - MEPS A/B/C effluent valve
    - IXP recovery column wash supply valve
    - IXP recovery column effluent valve
    - IXP wash supply valve
    - IXP effluent valve
    - IXP FNHS supply valve
    - IXP liquid nitrogen supply valve

  • A TPS helium supply check valve is provided in series with the TPS train A/B/C helium supply isolation valve to support isolation during a TPS Train A/B/C Isolation.
  • An RLWI PVVS check valve is provided in series with the RLWI PVVS isolation valve to support isolation during an RPF Nitrogen Purge.

The NRC staff finds that using a passive check valve in series with each respective valve will prevent backflow should any of the valves fail to close due to a single failure. Therefore, the staff finds that in each of the above instances, sufficient redundancy is provided such that no single failure results in the loss of the protective function.

7.4.5.4 Technical Specifications

Section 7.4.10, Proposed Technical Specifications, provides the staff review of the SHINE TSs related to ESFAS.

7.4.5.5 Conclusion

The NRC staff has reasonable assurance that the SHINE ESFAS is designed to 1) mitigate the consequences of design basis events within the main production facility, 2) provide sense, command, and execute functions necessary to maintain the facility confinement strategy, 3) provide process actuation functions required to shut down processes and maintain processes in a safe condition, and 4) provide system status and measured process variable values to the facility process integrated control system (PICS) for viewing, recording, and trending. The NRC staff also finds that the ESFAS design meets SHINE design criteria 1 through 6, 13 through 19, and 37 through 39. The staff review of the lifecycle development process for HIPS is described in section 7.4.2 of this SER and the adequacy of HIPS and ESFAS-related TS is included in section 7.4.10 of this SER. Therefore, the NRC staff concludes that the ESFAS is capable of performing the allocated design basis safety function under postulated conditions.

7.4.6 Control Console and Display Instruments

The control room, containing the control consoles and other status display instruments, is the hub for facility operation. It is the location to which all information necessary and sufficient for safe and effective operation of the facility is transmitted, and the primary location from which control and safety devices are actuated either manually or automatically. The control console and display instruments contain most of the hardware for organizing and processing the information and routing signals to display devices or automatic action of other subsystems.

The NRC staff evaluated the sufficiency of the SHINE facility control console and display instruments as described in SHINE FSAR section 7.6, Control Console and Display Instruments, using the applicable guidance and acceptance criteria from section 7.6, Control Console and Display Instruments, of NUREG-1537, Parts 1 and 2, and section 7b.5, Control Console and Display Instruments, of the ISG augmenting NUREG-1537, Part 2.

As described in section 7.4.3 of this SER, the NRC staff evaluated the control console and display instruments as part of the PICS, as appropriate. Therefore, findings for the PICS are applicable to the control console and display instrument equipment, as appropriate. In addition, the findings for the HFE development of the computer displays and arrangement of discrete indications and controls are also applicable to the control console and display instruments.

The staff has reasonable assurance that the CCDI is adequately described in SHINE FSAR section 7.8. Therefore, the staff concludes that the applicant has shown that all nuclear and process parameters important to safe and effective operation of the SHINE facility will be displayed at the control console and display instruments. The staff finds that the display devices for these parameters will be easily understood and readily observable by an operator positioned at the controls. The control console design and operator interface will be sufficient to promote safe reactor operation.

7.4.7 Radiation Monitoring Systems

The NRC staff evaluated the sufficiency of the SHINE facility RMS, as described in SHINE FSAR section 7.7, Radiation Monitoring Systems, using the applicable guidance and acceptance criteria from section 7.7, Radiation Monitoring Systems, of NUREG-1537, Parts 1 and 2, and section 7b.6, Radiation Monitoring Systems, of the ISG augmenting NUREG-1537, Part 2.

SHINE FSAR section 7.7 states that the SHINE facility uses the RMS to perform radiation monitoring functions within the facility and that the RMS includes the following safety-related and nonsafety-related equipment:

  • Safety-related process radiation monitors as a part of ESFAS, TRPS, and TPS;
  • Nonsafety-related process radiation monitors as a part of other facility processes;
  • Nonsafety-related RAMS;
  • Nonsafety-related CAMS; and
  • Nonsafety-related SRMS for effluent monitoring is comprised of:
    - Main facility stack release monitor (SRM)
    - Carbon delay bed effluent monitor (CDBEM).

SHINE FSAR section 7.7 states that the ESFAS and TRPS receive analog signals from the safety-related process radiation monitors for performing their intended safety functions, whereas the nonsafety-related equipment monitors several areas of the facility and provides information to the operator on the status and effectiveness of processes and effluent monitoring.

Nonsafety-related process radiation monitors may be used to diagnose process upsets and are not used to control personnel or environmental radiological exposures. The RAMS provide local and remote indication of radiation levels and provide local alarms to notify personnel of potentially hazardous conditions. Each CAMS unit samples air and provides real time alpha and beta activities or tritium activity to alert personnel when airborne contamination is above preset limits. Both the RAMS and CAMS provide a nonsafety-related defense-in-depth ALARA function of alerting personnel of the need to evacuate an area if required. The SRM is used to demonstrate that gaseous effluents from the main production facility are within regulatory limits and does not have an accident mitigation or personnel protection function. The CDBEM monitors for noble gases at the exhaust of the PVVS carbon delay beds to provide information about the health of the PVVS carbon delay beds and to provide the ability to monitor the safety-related exhaust point effluent release pathway when it is in use. Although the CDBEM monitors a safety-related point in the PVVS system, the CDBEM is not required to perform a safety function. The CDBEM is used on an as-needed basis to demonstrate that gaseous effluents from the main production facility are within regulatory limits (e.g., during a loss of off-site power when the normal HVAC systems and the PVVS are not operating) and does not have an accident mitigation or personnel protection function.

In this section, the NRC staff's evaluation of the RMS is primarily focused on the safety-related process radiation monitors that are used for actuating safety functions performed by ESFAS and TRPS. The evaluation of the nonsafety-related RMS for radiation protection is addressed in chapter 11, Radiation Protection Program and Waste Management, of this SER.

7.4.7.1 Safety-Related Process Radiation Monitoring

7.4.7.1.1 System Description

SHINE FSAR section 7.7.1 states that the safety-related system monitors radiation and actuates safety and protection systems if defined radiation levels are reached. There are different radiation monitors to detect fission products or tritium. The monitors detecting beta and gamma-ray radiation send signals to the TRPS and/or ESFAS to perform safety actuations when abnormal situations within the facility ventilation systems are present. In addition, radiation monitors will send a signal to the TRPS for interlocking the operation of the neutron driver. The radiation monitors detecting tritium are part of the TPS. If a tritium release reaches a defined level, then the TPS provides inputs to the ESFAS and provides interlock inputs to the TRPS. SHINE FSAR table 7.7-1 identifies the safety-related radiation monitors, and SHINE FSAR section 7.7.1.4.2 refers to SHINE FSAR tables 7.4-1 and 7.5-1 for the instrument ranges, accuracies, and response times of these process radiation monitors.

Safety-related process radiation monitors provide analog signals to the ESFAS and TRPS that are then used to generate actuation signals when radiation levels exceed pre-determined setpoints. SHINE FSAR section 7.7.1.4.1 describes the safety-related radiation signals processed to generate the different actuation signals.

7.4.7.1.2 Safety-Related Process Radiation Monitors Design Criteria

SHINE FSAR section 7.7.1.2 states that the generally applicable SHINE Design Criteria 1, 2, and 4 apply to the safety-related process radiation monitors. In addition, SHINE Design Criteria 13 and 38 also apply to the safety-related process radiation monitors. The following sections include an evaluation of the safety-related process radiation monitors against each applicable SHINE Design Criterion.

This section of the SER documents the NRC staff's review and evaluation of the proposed RMS design to perform its safety functions based on the appropriate design criteria to satisfy the 10 CFR 50.34(a)(3) and 50.34(b) requirements. The NRC staff's evaluation of the RMS design is based on acceptance criteria in section 7.5 of NUREG 1537, including acceptance criteria from the guidance and industry standards referenced by NUREG 1537, as listed in section 7.2 of this safety evaluation.

Quality Standards and Records

SHINE Design Criterion 1 - Safety-related structures, systems, and components (SSCs) are designed, fabricated, erected, and tested to quality standards commensurate with the safety functions to be performed. Where generally recognized codes and standards are used, they are identified and evaluated to determine their applicability, adequacy, and sufficiency and are supplemented or modified as necessary to ensure a quality product in keeping with the required safety function.

SHINE FSAR section 7.7.1.3.9 states that the safety-related process radiation monitors are designed, procured, fabricated, erected, and tested in accordance with the QAPD, and all associated quality records are maintained. The following codes and standards are invoked for design of the safety-related process radiation monitors:

  • IEEE Std. 323-2003, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations, for environmental qualification;
  • IEEE Std. 344-2013, IEEE Standard for Seismic Qualification of Equipment for Nuclear Power Generating Stations, section 8 for seismic qualification;
  • IEEE Std. 384-2008, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits, for separation of safety-related and nonsafety-related cables and raceways; and
  • IEEE Std. 1050-2004, IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations, section 5.2.1 to support electromagnetic compatibility qualification for digital I&C equipment.

Based on the discussion above, the NRC staff has reasonable assurance that the safety-related process radiation monitors meet SHINE Design Criterion 1.

Natural Phenomena Hazards

SHINE Design Criterion 2 - The facility structure supports and protects safety-related SSCs and is designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches as necessary to prevent the loss of capability of safety-related SSCs to perform their safety functions.

SHINE FSAR section 7.7.1.3.8 states that the process radiation monitors are installed in the seismically qualified portion of the main production facility where they are protected from earthquakes, tornadoes, and floods. The process radiation monitors are Seismic Category I, designed and tested using triaxial testing in accordance with section 8 of IEEE Standard 344-2013. Based on the above and the NRC staff's evaluation in Chapter 3 of this SER for natural phenomena, the NRC staff finds that the safety-related process radiation monitors meet SHINE Design Criterion 2.

Environmental and Dynamic Effects

SHINE Design Criterion 4 - Safety-related SSCs are designed to perform their functions with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents. These SSCs are appropriately protected against dynamic effects and from external events and conditions outside the facility.

SHINE FSAR sections 7.7.1.3.2 and 7.7.1.4 state that the process radiation monitors are designed to operate under normal environmental conditions for an expected 20-year lifetime of the equipment, and under transient conditions until the associated protective function has continued to completion. These process radiation monitors are qualified to the environmental parameters provided in SHINE FSAR tables 7.2-1, 7.2-3, and 7.2-6 in accordance with the guidance of IEEE Standard 323-2003 sections 4.1, 5.1, 6.1, and 7. Electromagnetic interference (EMI) / radio-frequency interference (RFI) qualification testing has been performed on these radiation monitors through emissions, susceptibility, and surge withstand capability testing. The process radiation monitors are grounded in accordance with IEEE Standard 1050-2004 section 5.2.1. Therefore, the NRC staff finds that the safety-related process radiation monitors meet SHINE Design Criterion 4.

Instrumentation and Controls

SHINE Design Criterion 13 - Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated transients, and for postulated accidents as appropriate to ensure adequate safety, including those variables and systems that can affect the fission process, the integrity of the primary system boundary, the primary confinement and its associated systems, and the process confinement boundary and its associated systems. Appropriate controls are provided to maintain these variables and systems within prescribed operating range.

SHINE FSAR section 7.7.1.2.1 states that the safety-related process radiation monitors are designed to function during normal operation, anticipated transients, and design basis accidents to a level required to detect accident conditions and provide safety-related inputs to the ESFAS and TRPS to initiate protective actions, which are evaluated in sections 7.4.4 and 7.4.5 of this SER. Setpoints are selected based on analytical limits and calculated to account for known uncertainties in accordance with the setpoint methodology, and these radiation monitors are periodically functionally tested and maintained. SHINE FSAR table 7.7-1 identifies the safety-related radiation monitors, and the corresponding analytical limits, ranges, accuracies, and response times are identified in SHINE FSAR tables 7.4-1 and 7.5-1. Therefore, the NRC staff finds that the safety-related process radiation monitors meet SHINE Design Criterion 13.

Monitoring Radioactivity Releases

SHINE Design Criterion 38 - Means are provided for monitoring the primary confinement boundary, hot cell, and glovebox atmospheres to detect potential leakage of gaseous or other airborne radioactive material. Potential effluent discharge paths and the plant environs are monitored for radioactivity that may be released from normal operations, including anticipated transients, and from postulated accidents.

SHINE FSAR section 7.7.1.2.2 states that the safety-related process radiation monitors provide radiation monitoring for the primary confinement boundary, hot cell, and glovebox atmospheres, and monitor effluent release paths. SHINE FSAR section 7.7.1.4.1 and SHINE FSAR table 7.7-1 identify the location for the safety-related radiation monitors. These radiation monitors send an analog signal to the TRPS and ESFAS, which is then sent to PICS for monitoring and alarming purposes. Based on the above information and the NRC staff's evaluation in section 7.4.5.2.1 of this SER, the staff finds that the design of the safety-related radiation monitors meets SHINE Design Criterion 38.

7.4.7.1.3 Safety-Related Process Radiation Monitors Design Bases

Each safety-related process radiation monitor provides an analog signal proportional to the monitored radiation levels to the ESFAS or TRPS for performing the associated safety function.

The TRPS and ESFAS are safety-related systems designed to monitor process variables and provide automatic initiating signals in response to off-normal conditions, providing protection against unsafe conditions. The HIPS digital I&C platform is used to implement the TRPS and ESFAS logic, and the design basis associated with the HIPS platform is evaluated in section 7.4.2.5 of this SER. The TRPS- and ESFAS-specific design bases are evaluated in sections 7.4.4.3 and 7.4.5.3 of this SER, respectively. The following is the NRC staff's evaluation of the design basis specific to the safety-related process radiation monitors.

Design Bases Functions

SHINE FSAR section 7.7.1.3.1 states that the safety-related radiation monitors are selected based on the presence of radioactive materials in the different areas of the facility. As determined by the safety analysis, each location that requires process radiation monitoring is equipped with a safety-related process radiation monitor. SHINE FSAR table 7.7-1 contains a list of safety-related process radiation monitors along with the monitored location, number of sensing channels, and operability requirements. Process radiation monitors are selected for compatibility with the normal and postulated accident environmental and radiological conditions. The safety-related process radiation monitors are designed to function during normal operation, anticipated transients, and design basis accidents to a level required to detect accident conditions and provide safety-related inputs to the ESFAS and TRPS for initiating protective actions. If the measured radiation field goes above the full-scale, the analog output from the safety-related process radiation monitor will be equivalent to the full-scale reading. The TRPS or ESFAS will process this signal as a valid, full-scale value. For defense-in-depth, the RCA exhaust, general area radiation levels, and the airborne particulates are monitored by stack release, radiation area, and continuous area monitors, respectively.

Single Failure

SHINE FSAR section 7.7.1.3.3 states that two or three redundant and independent safety-related process radiation monitors are provided for each protection function input parameter, each providing input to the associated division of the TRPS or ESFAS. Channel A safety-related process radiation monitors are powered by UPSS Division A, Channel B safety-related process radiation monitors are powered by UPSS Division B, and Channel C safety-related process radiation monitors, when provided, receive auctioneered power from both UPSS Division A and B. On a loss of power to a safety-related process radiation monitor, analog output to the TRPS or ESFAS fails low, and a trip or a partial trip signal is initiated for the associated safety function.

Based on the above information, the NRC staff's evaluation of single failure in TRPS and ESFAS in sections 7.4.4.2.1 and 7.4.5.3.3 of this SER, respectively, and the staff's evaluation of the HIPS design in section 7.4.2 of this SER, the staff finds that a single failure of a safety-related process radiation detector will not adversely impact the associated safety function.
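The two channel behaviors described above, saturation at full scale on overrange and fail-low on loss of power producing a partial trip, can be modeled together. This is an added sketch, not SHINE's design: the normalized signal scale, the live-zero and fail-low thresholds, the setpoint, and the coincidence count (`votes_required`) are all hypothetical, since this section does not state them.

```python
LIVE_ZERO = 0.2  # hypothetical: signal of a healthy channel at zero radiation
FAIL_LOW = 0.1   # hypothetical: anything below this is treated as a failed-low input


def monitor_output(level, powered=True):
    """Analog output as a fraction of signal span.

    `level` is the radiation field as a fraction of the instrument's
    full-scale range; fields above full scale saturate at the full-scale
    output, and an unpowered monitor's output fails low.
    """
    if not powered:
        return 0.0
    return LIVE_ZERO + (1.0 - LIVE_ZERO) * min(max(level, 0.0), 1.0)


def partial_trip(signal, setpoint_level):
    """Per-channel trip decision made by the protection system input."""
    if signal < FAIL_LOW:
        # Failed-low input: trip the channel rather than read it as "no radiation".
        return True
    # A saturated (full-scale) signal is a valid value and exceeds any
    # setpoint placed inside the instrument range.
    return signal >= monitor_output(setpoint_level)


def evaluate(channels, setpoint_level, votes_required):
    """channels: list of (level, powered) tuples, one per redundant monitor.

    votes_required is an assumption of this sketch (coincidence logic).
    """
    trips = [partial_trip(monitor_output(level, powered), setpoint_level)
             for level, powered in channels]
    return {"partial_trips": trips, "actuate": sum(trips) >= votes_required}


# Constructed scenarios (values are illustrative, not from the FSAR tables).
SETPOINT = 0.6
SCENARIOS = {
    # Channel C loses power: one partial trip, no actuation with 2 votes needed.
    "loss_of_power_3ch": evaluate([(0.1, True), (0.1, True), (0.1, False)], SETPOINT, 2),
    # Channel A is far over range while channel C is unpowered: actuation.
    "overrange_plus_failure": evaluate([(5.0, True), (0.1, True), (0.1, False)], SETPOINT, 2),
    # Two-channel function with 1 vote needed: the power loss alone actuates.
    "loss_of_power_2ch": evaluate([(0.1, True), (0.1, False)], SETPOINT, 1),
}

if __name__ == "__main__":
    for name, result in SCENARIOS.items():
        print(name, result)
```
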

Independence

SHINE FSAR section 7.7.1.3.4 states that physical separation is maintained between divisions of safety-related process radiation monitors, and division independence is maintained from the safety-related process radiation monitors, through the TRPS and ESFAS. The safety-related process radiation monitors provide analog signals directly to the TRPS and ESFAS and do not interface electrically with any nonsafety-related system. Safety-related process radiation monitors from separate divisions are independently powered from the associated UPSS division.

Based on the information above, the NRC staff finds that the design of the safety-related radiation monitors demonstrates adequate independence such that a failure in a redundant channel or in a nonsafety-related system would not adversely impact any associated safety function.

Technical Specifications

Section 7.4.10.4, Radiation Monitoring Technical Specifications, provides the staff review of the SHINE TSs related to radiation monitoring.

7.4.7.2 Conclusion

Based on the NRC staff's evaluation above, the staff finds that the SHINE RMS, which includes safety-related and nonsafety-related radiation monitoring equipment, is designed to perform radiation monitoring functions within the facility. Each safety-related process radiation monitor provides an analog signal proportional to the monitored variable to ESFAS or TRPS for performing the associated safety function. Nonsafety-related process radiation monitors, RAMS, CAMS, and SRMS monitor several areas of the facility and provide information to the operator on the status and effectiveness of processes and effluent monitoring. Nonsafety-related process radiation monitors may be used to diagnose process upsets but do not perform an accident mitigation or personnel protection function. The evaluation of the nonsafety-related RMS for radiation protection is addressed in section 11.4.1.4, Radiation monitoring and Surveying, of this SER. The NRC staff also finds that the design of the safety-related process radiation monitors meets SHINE Design Criteria 1, 2, 4, 13, and 38. Therefore, the NRC staff concludes that the RMS is capable of performing the allocated design basis function under postulated conditions.

7.4.8 Neutron Flux Detection System

The NRC staff evaluated the sufficiency of the SHINE facility NFDS, as described in SHINE FSAR section 7.8, Neutron Flux Detection System, using the applicable guidance and acceptance criteria from Chapter 7, Instrumentation and Control Systems, of NUREG-1537, Parts 1 and 2, and Chapter 7, Instrumentation and Control Systems, of the ISG augmenting NUREG-1537, Parts 1 and 2.

7.4.8.1 System Description

SHINE FSAR section 7.8 states that the NFDS will measure, monitor, and indicate the neutron flux levels in the TSV during filling and irradiation of the target solution. The NFDS consists of three divisions. Each division consists of watertight detectors located in the light water pool and an NFDS amplifier mounted in the RPF or IF. The NFDS provides data to the TRPS for safety functions, monitoring, and indication, and also interfaces with the PICS for nonsafety-related functions.

SHINE FSAR section 7.8 states that the NFDS covers the entire range of neutron flux levels. There are three different ranges provided from the NFDS: source range, wide range, and power range. Source range covers the low levels expected while the TSV is being filled, while power range covers the higher flux levels anticipated while the neutron driver is on and irradiating. The wide range monitors the flux levels between the source and power range with a minimum one decade overlap with the high end of the source range and two decades of overlap with the low end of the power range. SHINE FSAR table 7.4-1 identifies the instrument range, accuracy, instrument response time, logic, and analytical limit. SHINE TS table 3.2.3-a identifies the setpoints for the monitored variables. When any neutron channel reaches its defined setpoint for action, the TRPS will generate and output a signal to isolate the IU Cell.

As summarized above, the SHINE FSAR describes the variables monitored by the NFDS. In the SHINE TSs, the applicant identified the neutron flux to maintain LSSS 2.2.1, 2.2.2, and 2.2.3. These LSSSs were established to protect the primary system boundary pressure safety limit.

The three detectors for the NFDS are positioned around the SASS at approximately 120-degree intervals to the TSV.

7.4.8.2 Conclusion

As described in section 7.4.4 of this SER, the NRC staff evaluated the NFDS as part of the TRPS as instrumentation inputs to the TRPS. Therefore, all findings for the TRPS are applicable to the NFDS as appropriate. The staff has reasonable assurance that the NFDS is adequately described in SHINE FSAR section 7.8. The staff finds that the NFDS is adequately designed for measurement of the neutron flux signal, signal processing, indication, and interfacing with other systems, including providing analog input to the TRPS. The staff review of the lifecycle development process for HIPS is described in section 7.4.2 of this SER, and the adequacy of HIPS and TRPS and NFDS related TS is evaluated in section 7.4.10 of this SER. Therefore, the staff concludes that the TRPS and NFDS are capable of performing the allocated design basis safety function under postulated conditions.

7.4.9 Human Factors Engineering

The NRC staff evaluated the sufficiency of SHINE's human factors engineering (HFE), as described in SHINE FSAR Chapter 3, Design of Structures, Systems, and Components, Chapter 7, Instrumentation and Control Systems, Chapter 12, Conduct of Operations, and Chapter 13, Accident Analysis, using guidance and acceptance criteria from NUREG-1537, Parts 1 and 2 and the ISG augmenting NUREG-1537, Parts 1 and 2.

The NRC staff reviewed the HFE-related portions of SHINE FSAR Chapters 3, 7, 12, and 13 to assess the sufficiency of the HFE-related design aspects and programmatic considerations for the SHINE facility. To allow for the appropriate scoping and grading of its HFE review, the staff considered the credited operator role in facility safety, including for defense-in-depth (DID), within the context of the SHINE facility design and operational concept. As part of this review, the staff evaluated the sufficiency of the design criterion for the SHINE facility control room, as well as the ability of the control room to meet the design criterion. Additionally, the staff evaluated whether the control console and display system final design incorporates HFE principles in accordance with relevant guidance. Finally, the staff evaluated whether HFE-related aspects of the administrative controls and management measures programs are sufficient to support the operator role in the safe operation of both the IF and RPF portions of the SHINE facility.

7.4.9.1 SHINE Design Criterion 6

SHINE uses design criteria to ensure that the structures, systems, and components (SSCs) within the SHINE facility demonstrate adequate protection against the hazards present. The design criterion that is within the scope of the NRC staff's HFE review is Criterion 6, Control room, which states:

A control room is provided from which actions can be taken to operate the irradiation units safely under normal conditions and to perform required operator actions under postulated accident conditions.

As part of its HFE review, the NRC staff evaluated the sufficiency of Criterion 6 for the SHINE facility control room, as well as the ability of the control room to, in turn, meet Criterion 6.

In its response to RAI HFE-8 (ML21288A050), SHINE clarified that it developed Criterion 6 using General Design Criterion (GDC) 19, Control room, of Appendix A, General Design Criteria for Nuclear Power Plants, to 10 CFR Part 50 as a basis. GDC 19 states, in part, that "[a] control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions." SHINE explained that the scope of GDC 19 is limited to a nuclear power unit and that SHINE's irradiation units (IUs) represent the closest analog to a nuclear power unit for the SHINE facility. However, SHINE further stated that the scope of Criterion 6, which refers specifically to the IUs, does not limit the scope of the control room functions that are incorporated into the final design of the SHINE facility and that the control room allows for operation of systems and components related both to the IUs in the IF and to the RPF.

Regulatory Guide (RG) 1.232, Revision 0, Guidance for Developing Principal Design Criteria for Non-Light-Water Reactors (ML17325A611), contains guidance on how the GDC in Appendix A to 10 CFR Part 50 may be adapted for non-light-water reactor designs. This RG includes Advanced Reactor Design Criterion (ARDC) 19, which is comparable to SHINE's Criterion 6 and states, in part, that "[a] control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions."

The NRC staff compared SHINE Criterion 6 to GDC 19 and ARDC 19 and determined that it is consistent with the HFE aspects of these criteria with appropriate changes based on differences in technology. Therefore, the staff finds that SHINE Criterion 6 is sufficient to support the safe operation of the SHINE facility with respect to HFE.

7.4.9.2 The Operator's Role in SHINE Facility Safety

The SHINE FSAR includes the following characterizations concerning the role of humans at the SHINE facility:

  • Manual actuations of automated safety functions are not required to ensure adequate safety of the facility (SHINE FSAR section 7.6.1.1);
  • There are no time constrained operator-required responses (SHINE FSAR section 7.6.2.2.3);
  • Operator action inside the facility is not required to stabilize accident conditions (SHINE FSAR section 13a2.2);
  • Safe shutdown conditions are capable of being achieved without operator actions (SHINE FSAR section 13b.2.3);
  • The main control board, process integrated control system (PICS), and neutron driver assembly system (NDAS) operator workstations and supervisor workstation are not credited with performing safety functions and only assist operators in performance of normal operations or diverse actuations to the safety systems (SHINE FSAR section 7.6);
  • The target solution vessel (TSV) reactivity protection system (TRPS) and the engineered safety features actuation system (ESFAS) are the safety-related control systems for the main production facility (SHINE FSAR section 7.3.1.3.11);
  • Preventative or mitigative controls are identified to reduce the overall risk of the evaluated scenarios to within acceptable limits (SHINE FSAR section 13b.1.2); and
  • The radiological consequences of criticality accidents are not included in the accident analysis because preventative controls are used to ensure criticality events are highly unlikely (SHINE FSAR section 13b.1.2.4).

In its response to RAI HFE-1, SHINE clarified that certain operator actions are credited to prevent or mitigate specific accident sequences and that these credited operator actions (referred to as specific administrative controls (SACs)) occur during routine activities within the facility. SHINE stated that the operator role in facility safety is supported by HFE via implementation of the SHINE HFE Program. This program ensures that the control room and human system interfaces conform to specific style guidance via the use of a checklist that is used to verify that SHINE's HFE design guidelines are met and that the physical installation of systems and components adheres to the HFE design guidelines. SHINE also stated that the operator role in facility safety is supported by procedure development and training programs.

Additionally, SHINE FSAR section 12.1.3 states that there are no postulated accident sequences that credit operator action to mitigate the consequences of the event after initiation of the event and that should an initiating event of a postulated accident sequence occur, operator actions provide a DID, nonsafety-related, diverse means of actuating components.

SHINE FSAR section 7.6.3.3 further states that modifications to safety-related instrumentation and control systems after the SHINE facility is in operation will include human factors considerations and that issues related to human factors will be identified and tracked to resolution using the corrective action program.

The NRC staff assessed and confirmed that the role of operators with respect to safety at the SHINE facility is associated with (1) DID actions and (2) the implementation of administrative controls, with the administrative controls themselves not involving mitigative actions for event response. This information was applied to scope the review used to make the regulatory findings in sections 7.4.9.3, 7.4.9.4, and 7.4.9.5 of this SER.

7.4.9.3 Application of Human Factors Engineering Principles to the SHINE Facility Control Room

The NRC staff evaluated the HFE-related acceptance criteria in section 7.6, Control Console and Display Instruments, of NUREG-1537, Part 2 as they relate to the specifics of the SHINE facility's design and equipment configuration. The staff's interpretation of these acceptance criteria within the context of the SHINE facility and their evaluation from an HFE perspective is detailed in sections 7.4.9.3.1 through 7.4.9.3.3 of this SER. Additionally, SHINE's HFE Program, which is also relevant to the evaluation of these acceptance criteria, is evaluated in section 7.4.9.3.4 of this SER.

7.4.9.3.1 Outputs and Display Devices Observability Acceptance Criterion

The NRC staff evaluated the following acceptance criterion in section 7.6 of NUREG-1537, Part 2 as it relates to the specifics of the SHINE facility's design and equipment configuration:

The outputs and display devices showing reactor nuclear status should be readily observable by the operator while positioned at the reactor control and manual protection systems.

As explained below, the NRC staff determined that within the context of the SHINE facility, the control systems are the PICS and the NDAS and the protection systems are the TRPS and the ESFAS. The staff then evaluated whether outputs and display devices showing parameters related to SHINE facility safety would be readily observable by the operator while positioned at the SHINE facility control room operator PICS and NDAS workstations and the main control board TRPS and ESFAS manual actuation controls.

The NRC staff reviewed the description of outputs and display devices for parameters related to SHINE facility safety provided in the SHINE FSAR. SHINE FSAR section 7.6 describes the SHINE facility control room as containing a main control board, two PICS operator workstations, two NDAS workstations, and a supervisor workstation. The operator workstations consist of display screens and human interface equipment, and the main control board consists of a console, static display screens, and manual actuation interfaces.

SHINE FSAR section 7.6.1.1 states that the main control board static display screens, which show the variables important to the safety functions of the IUs and other facility processes, are located on the upper half of the main control board, aligned in three rows of displays. SHINE FSAR section 7.6.2.2.3 states that the main control board is readily accessible by operators normally located at either PICS operator workstation. SHINE FSAR section 7.6.2.2.3 also states that the parameters required to be displayed for TRPS and ESFAS are displayed on the main control board and are accessible from the operator and supervisor workstations. TRPS and ESFAS indications and manual actuation controls are further evaluated in section 7.4.9.3.2 of this SER.

SHINE FSAR section 7.6.3.3 further states that the design of the SHINE facility control room, display screens, and operator interfaces incorporates HFE principles by means of the implementation of the SHINE HFE Program. The layout of screens presenting the same set of information at multiple locations is identical at each location (i.e., PICS operator workstation, supervisor workstation, local control station, or main control board). The displays and controls are generally grouped by system to aid the operator in the recognition and operation of the controls. The supervisor workstation is placed and arranged so that the supervisor has a visual of both operator workstations, the displays that the operators are working from, and the main control board. Operator workstations are oriented such that the main control board static display screens are directly in front of the operator workstation. During the audit conducted between November 5, 2020, and May 19, 2021, the NRC staff verified these FSAR statements in part through observing that the HFE design guidelines in SHINE's TECRPT-2020-0018, Human Factors Engineering (HFE) Design Guidelines, include guidelines related to the observability, content, readability, and arrangement of displays. Additionally, the staff observed that those guidelines were based, in part, on portions of NUREG-0700, Revision 2, Human-System Interface Design Review Guidelines, issued May 2002 (ML021700337).

Based on the above, the NRC staff finds that the applicant has demonstrated that the outputs and display devices observability acceptance criterion in section 7.6 of NUREG-1537, Part 2 is satisfied because outputs and display devices showing parameters related to SHINE facility safety are readily observable by the operator while positioned at the SHINE facility control room PICS and NDAS operator workstations and at the main control board TRPS and ESFAS manual actuation controls. This finding is further supported by SHINE's HFE Program, which is evaluated in section 7.4.9.3.4 of this SER.

7.4.9.3.2 Accessibility/Understandability of Important Controls and Displays Acceptance Criterion

The NRC staff evaluated the following acceptance criterion in section 7.6 of NUREG-1537, Part 2 as it relates to the specifics of the SHINE facility's design and equipment configuration:

Other controls and displays of important parameters that the operator should monitor to keep parameters within a limiting value, and those which can affect the reactivity of the core should be readily accessible and understandable to the reactor operator.

As explained below, the NRC staff determined that within the context of the SHINE facility, other controls and displays of important parameters that the operator should monitor to keep parameters within a limiting value, and those that can affect reactivity, are readily accessible and understandable to the operator.

Other Controls and Displays (Not Specific to Manual Protective Actions)

The NRC staff reviewed the description in the SHINE FSAR of other SHINE facility control room controls and displays of important parameters. SHINE FSAR section 7.6.2.2.7 states that the design of the SHINE facility control room, display screens, and operator interfaces incorporates HFE principles. Displays that an operator may use to perform a task are placed such that they are visible from the operator workstation, with the displays most frequently used placed closest to the operator. The supervisor workstation is placed and arranged so that the supervisor can see both operator workstations, the displays that the operators are working from, and the main control board. SHINE FSAR section 7.6.3.1 describes the supervisor workstation as providing displays so that the supervisor can select and monitor the appropriate screen applicable to the current tasks being performed by the operator. SHINE FSAR section 7.6.1.2 describes that there are four desks that make up the main operator workstations, centrally located in front of the main control board, which has TRPS and ESFAS indications and manual actuation controls; the two outermost desks are designated as PICS workstations and the two inner desks are NDAS control stations. SHINE FSAR section 7.6.4.1 describes what displays of information related to the operation of the main production facility are available to the operator on the workstations and the main control board. The displays at each of the operator workstations, supervisor workstation, and main control board are digital displays. Displays are programmed such that the range of the displayed information includes the expected range of variation of the monitored variable.

SHINE FSAR section 7.1.1 describes the PICS as being a nonsafety-related, distributed digital control system that provides monitoring and control of the various processes throughout the SHINE facility. The PICS includes system controls, both automated and manual, and human system interfaces (HSIs) necessary to provide the operator interaction with the necessary process control mechanism. The functions of the PICS enable the operator to perform irradiation cycles, transfer target solution to and from the IU, as well as throughout the RPF, and interface with the tritium purification system (TPS), processes in the supercell, waste handling operations, and the auxiliary systems. SHINE FSAR section 7.6.4.1 states that values on each PICS display screen are automatically updated as more current data becomes available.

Section 7.6.4.1 also states that each PICS display screen presented on the operator workstation has a title or header and unique identification to distinguish each display page. SHINE FSAR section 7.6.4.3 states that manual controls are provided on both of the PICS operator workstations (via input to the PICS) and on the main control board, with controls for normal operation provided at the operator workstations. Multiple equipment control displays are set up at each operator workstation for operators to select the PICS (or NDAS) display screen that coincides with the task that the operator is currently performing. Operators interface with the equipment control displays through a keyboard and mouse provided at each operator workstation. SHINE FSAR section 7.6.4.3 also states that on a failure of one PICS operator workstation, the control functions assigned to that station can be transferred to the remaining PICS operator workstation or to the supervisor workstation.

SHINE FSAR section 7.6.4.3 states that an enable nonsafety switch is in each main control board section next to the manual push buttons to allow the operator to control actuation components or to reset the safety-related control systems using the PICS following the actuation of a protective function. The enable nonsafety switch is described as a two-position switch with Enable and Disable positions. Additionally, a single manual key switch is located at the facility process section of the main control board below the static display screens to provide the operators the ability to place the facility into the Facility Secure state. This switch is described as having two positions of operation: Secured and Operating.

Additionally, SHINE FSAR section 7.6.4.1 states that each of the variables associated with TRPS and ESFAS is continuously displayed on the static displays of the main control board. The position indication of actuation components associated with TRPS and ESFAS is also available on the static display screens. Variables available to the PICS, including variables associated with TRPS and ESFAS, are available for display on the various PICS displays at the operator workstations and supervisor workstation. Display of interlock and bypass status is available on each of the PICS displays of the equipment control display screens for the equipment or instrument channel that has been bypassed. Bypassed channels for the safety systems are also visible on the maintenance workstation. Additionally, the variables displayed at the PICS operator workstation displays include both those that would be associated with a breach of the primary system boundary and those that would be used in determining and assessing the magnitude of a radioactive material release.

SHINE FSAR section 7.6.3.1 describes the NDAS control stations as displaying variables associated with the neutron drivers located in each IU. SHINE FSAR section 7.3.1.1.5 states that the NDAS control system also allows the operator to manually adjust the deuterium beam, control the ion source, manually start and stop various system auxiliaries, and open and close NDAS system valves. The operator uses PICS to provide signals to manually open or close the neutron driver high voltage power supply breakers to meet TRPS mode transition criteria and allow the beam to be energized. The operator is able to use the PICS to manually open and close individual valves that are capable of being actuated by TRPS. SHINE FSAR section 7.6.4.3 states that while the NDAS control stations can each provide control of any of the eight neutron drivers, each NDAS control station can only provide control commands to one neutron driver at any given time.

SHINE FSAR section 7.3.1.1.6 states that the neutron flux detection system (NFDS) monitors the neutron flux in the IU during TSV fill and irradiation. Furthermore, SHINE FSAR section 7.8.3.9 states that the NFDS provides source range, wide range, and power range neutron flux signals to the TRPS to transmit to the PICS for display to the operator. SHINE FSAR section 7.8.1 states that the NFDS performs the task of monitoring and indicating the neutron flux to determine the multiplication factor and power level during filling of the TSV and irradiating the target solution. The NFDS also provides continuous indication of the neutron flux during operation, from filling through maximum power during irradiation.

Finally, SHINE FSAR section 7.6.4.1 states that radiation monitoring information is conveyed from the radiation monitoring instruments to the PICS and displayed in the SHINE facility control room, where it is available on demand at the operator workstations. SHINE FSAR section 7.7.1.1 further states that information from safety-related process radiation monitors is displayed in the SHINE facility control room on the operator workstations via PICS. SHINE FSAR section 7.7.1.3.6 states that selection and display of process radiation monitor variables are designed with consideration of HFE principles.

During the audit conducted between November 5, 2020, and May 19, 2021, the NRC staff verified these FSAR statements in part through observing that the HFE design guidelines in SHINE's TECRPT-2020-0018 include guidelines related to the accessibility of controls and displays, as well as guidelines associated with the understandability of displays. Additionally, the staff observed that those guidelines were based, in part, on portions of NUREG-0700, Revision 2.

Other Controls and Displays (Specific to Manual Protective Actions)

The NRC staff also considered controls used for the manual initiation of protective actions under the accessibility and understandability acceptance criterion in section 7.6 of NUREG-1537, Part 2. SHINE FSAR section 7.3.1.3.11 states that the TRPS and ESFAS are the safety-related control systems for the main production facility. Therefore, the staff evaluated the applicant's description of how the SHINE HSI supports the operator's role in DID by implementing the manual initiation of protective actions that are automatically actuated by the TRPS and ESFAS.

SHINE FSAR section 7.4.3.7 states that the TRPS provides manual actuation capabilities via individual manual push buttons for each TRPS subsystem (i.e., IU Cell Safety Actuation, IU Cell Nitrogen Purge, and Driver Dropout). Both TRPS divisions (i.e., A and B) respond to the activation of a push button. Furthermore, a manual IU Cell TPS actuation on all eight TRPS subsystems is initiated via the manual TPS Isolation push button located on the ESFAS main control board panel. To support the use of manual safety actuations, the TRPS subsystem associated with each IU cell includes outputs for each safety-related instrument channel to provide monitoring and indication information to the PICS. To facilitate operator indication of mode control status, TRPS actuation function status, manual initiation, and reset of protective actions, the TRPS, at the division level, includes indication of TRPS variable values, parameter values, logic status, equipment status, actuation device status, and mode. SHINE FSAR section 7.4.2.2.14 states that human factors are a design consideration for development of the TRPS and that changes to the design throughout the lifecycle process include human factors considerations. The TRPS provides manual safety actuation capability that is supported by human factors design, and to support the use of manual safety actuations, the TRPS associated with each IU includes isolated outputs for each safety-related instrument channel to provide monitoring and indication information to the PICS.

SHINE FSAR section 7.5.3.6 states that the ESFAS provides manual actuation capabilities for safety functions (i.e., RCA [radiologically controlled area] Isolation, Supercell Isolation, Vacuum Transfer System Actuation, TPS Isolation, Carbon Delay Bed 1, 2, and 3 Isolations, Extraction Column A, B, and C Alignment Actuations, Iodine and Xenon Purification Alignment Actuation, RPF Nitrogen Purge, and Dissolution Tank Isolation) via manual push buttons located on the main control board. To support the use of manual actuations, the ESFAS includes isolated outputs for each safety-related instrument channel to provide monitoring and indication information to the PICS. To facilitate operator indication of ESFAS actuation function status, manual initiation, and reset of protective actions, the ESFAS, at the division level, includes indication of ESFAS variable values, parameter values, logic status, equipment status, and actuation device status. SHINE FSAR section 7.5.2.2.14 states that human factors are a design consideration for development of the ESFAS and that changes to the design throughout the lifecycle process include human factors considerations. SHINE FSAR section 7.5.2.2.14 also states that the ESFAS provides manual safety actuation capability that is supported by human factors design and that to support the use of manual safety actuations, the ESFAS includes isolated outputs for each safety-related instrument channel to provide monitoring and indication information to the PICS.

Additionally, SHINE FSAR section 7.6.3.1 states that each IU-specific set of static display screens on the main control board indicates variables important for verifying proper operation of safety systems following automatic actuation of the TRPS. Similarly, the facility process set of static display screens indicates variables important for verifying proper operation of safety systems used in other facility systems following automatic actuation of the ESFAS. Each set of static display screens on the main control board is used to support an operator in performing manual actuation of a safety function. Manual actuations are performed from the main control board, where the static display screens are visible from the manual actuation push buttons.

SHINE FSAR section 7.6.4.1 states that each of the variables associated with TRPS and ESFAS is continuously displayed on the static displays of the main control board, with the position indication of actuation components associated with TRPS and ESFAS also being available on the static display screens.

In its response to RAI 7-13 (ML21239A049), SHINE stated, in part, that the TRPS and ESFAS information displayed in the SHINE facility control room includes mode and fault status for each Highly Integrated Protection System module, the status and value of the monitored variables identified in SHINE FSAR tables 7.4-1 and 7.5-1, Trip/Bypass switch status, divisional partial and full trip determination status, TRPS IU cell operational mode status, actuation output and fault status, and actuated component position feedback status. SHINE stated that this will enable operators to determine if manual actuation of a safety function is necessary by providing information on TRPS and ESFAS monitored variables, as well as on the status of those systems themselves. Additionally, SHINE stated that TRPS and ESFAS information will be provided to operators via the PICS workstations in the SHINE facility control room, with a subset of the TRPS and ESFAS monitoring and indication information also being displayed at the main control board thus providing this information at multiple locations in the control room (including near the manual controls for actuating TRPS and ESFAS equipment); SHINE described this as being intended to ensure that operators will have the information needed to support manual actions.

Furthermore, SHINE FSAR section 7.6.4.3 states that manual controls for the safety-related TRPS and ESFAS protective functions are located at the main control board and that these nonsafety manual push buttons provide a diverse actuation to the automatically generated safety actuations. SHINE FSAR section 7.6.3.3 states that the manual actuation push buttons are located directly below the static display screens so that the operator can be directly monitoring the variables important to the safe operation of the facility when the manual actuation is performed. SHINE stated that the use of push buttons of the same product line ensures consistency in look and function. These push buttons also include a positive position indication and a protective guard to prevent inadvertent actuation.

The NRC staff finds that the applicant has demonstrated that the HSI will be capable of supporting the manual initiation of protective actions because displays and controls will be available in the SHINE facility control room for the manual, system-level actuation of safety functions and for monitoring those parameters that support them.


Conclusion on Other Controls and Displays

Based on the above, the NRC staff finds that the applicant has demonstrated that the accessibility and understandability of other controls and displays acceptance criterion in section 7.6 of NUREG-1537, Part 2 is satisfied because SHINE facility control room controls and displays of important parameters that the operator should monitor to keep parameters within a limiting value, and those that can affect reactivity, are readily accessible and understandable to the operator. This finding is further supported by SHINE's HFE Program, which is evaluated in section 7.4.9.3.4 of this SER.

7.4.9.3.3 Control Console Annunciators and Alarms Acceptance Criterion

The NRC staff evaluated the following acceptance criterion in section 7.6 of NUREG-1537, Part 2 as it relates to the specifics of the SHINE facility's design and equipment configuration:

Annunciators or alarms on the control console should clearly show the status of systems such as operating systems, interlocks, [engineered safety features] initiation, radiation fields and concentration, and confinement or containment status.

As explained below, the NRC staff determined that within the context of the SHINE facility, the annunciators and alarms on the control console clearly show the status of systems such as operating systems, interlocks, TRPS and ESFAS initiation, radiation fields and concentration, and confinement.

SHINE FSAR section 7.6.4.2 states that alarms are integrated into the PICS display systems. The operator workstations provide detailed visual alarms to the operator to represent unfavorable status of the facility systems. Indications at the operator workstation are provided as visual feedback as well as visual features to indicate that systems are operating properly. Indication of alarms present is also provided for each IU and for the facility process systems at the main control board.

Additionally, SHINE FSAR section 7.6.3.1 states that the PICS operator workstations have multiple equipment control display screens available to support normal control functions and to provide indication of alarms. SHINE FSAR section 7.6.1.2 states that one of the screens at the PICS workstation is used to display the alarms present in the facility. This screen is designated as monitoring only so that, when an alarm is present, the screen automatically changes the content displayed to the current alarms that are present without interrupting a control process. The remaining screens can be used for control or monitoring as the operator tasks demand.

SHINE FSAR section 7.3.1.3.11 states that the PICS receives input from the TRPS and ESFAS and provides alarms related to the status and functionality of the safety-related control systems (e.g., communication errors, faulted modules, failed power supplies).

Furthermore, SHINE FSAR section 7.1.6 states that radiation monitoring is used to monitor radiation levels within, and airborne effluent streams from, the SHINE facility and provides alarms for personnel within the facility and the control room. Area radiation monitoring and local alarms within the general areas of the facility RCA are provided by the radiation area monitoring system, which provides signals to the control room to inform operators of abnormal conditions within the facility. Airborne contamination monitoring within general areas of the RCA is performed by the continuous air monitoring system, which provides both local alarms and signals to the control room to inform operators of the occurrence and approximate location of abnormal conditions. SHINE FSAR section 7.6.1.5 states that the control room also contains a criticality accident alarm system (CAAS) panel for processing alarms and monitoring the status of the CAAS, as well as a fire control panel for monitoring facility fire alarms from the facility fire protection system.

In its response to RAI HFE-3, SHINE clarified that stacklights, which produce audible alarm sounds and are programmed to represent both IU and non-IU alarms, are part of the control room and are evaluated with respect to HFE design guidelines both as part of initial installation and during future modifications. SHINE identified the following conditions as causing audible alarms: ESFAS actuation, TRPS actuation, high radiation or contamination levels, loss of electrical power, and improper transfer of target solution. SHINE also revised SHINE FSAR section 7.6.4.2 to provide additional description of control room alarms. Specifically, SHINE described that configurable stacklights are mounted above the main control board to provide audible and visual alarm indications. Alarms are provided to inform the operator of off-normal operating system status, interlocks, engineered safety feature initiations, confinement status, and radiation fields and concentration.

During the audit conducted between November 5, 2020, and May 19, 2021, the NRC staff verified these applicant statements in part through observing that the HFE design guidelines in SHINE's TECRPT-2020-0018 include guidelines related to the design of alarms. Additionally, the staff observed that those guidelines were based, in part, on portions of NUREG-0700, Revision 2.

Based on the above, the NRC staff finds that the applicant has demonstrated that the control console annunciators and alarms acceptance criterion in section 7.6 of NUREG-1537, Part 2 is satisfied because annunciators and alarms on the control console clearly show the status of systems such as operating systems, interlocks, TRPS and ESFAS initiation, radiation fields and concentration, and confinement. This finding is further supported by SHINE's HFE Program, which is evaluated in section 7.4.9.3.4 of this SER.

7.4.9.3.4 SHINE's Human Factors Engineering Program

The NRC staff evaluated SHINE's HFE Program and the way in which it is utilized. To support this evaluation, a regulatory audit was used to supplement the staff's understanding of the scope and nature of SHINE's HFE Program.

During the audit conducted between November 5, 2020, and May 19, 2021, the NRC staff verified the assertions in the SHINE FSAR that SHINE has an HFE program. The staff considered various aspects of SHINE's HFE Program that provide programmatic evidence that SHINE facility control room HSIs have been designed and evaluated in accordance with accepted human factors methods. Specifically, the staff noted that SHINE's HFE Program both establishes HFE design guidelines and implements a checklist-based process for verifying specific HFE attributes during equipment design, and then again following equipment installation. Further observations made regarding the specific content of SHINE's HFE Program, design guidelines, and associated checklists are documented in an audit report (ML22124A073).

SHINE FSAR section 7.6.3.3 states that human factors is a design consideration for the TRPS and ESFAS systems, that modifications to safety-related instrumentation and control systems after the SHINE facility is in operation will include human factors considerations, and that human factors issues are identified and tracked to resolution using the corrective action program.


The NRC staff finds that SHINE has elected to incorporate certain programmatic elements that include comparing the characteristics of HSIs with HFE guidelines, determining whether the HSI is acceptable according to those guidelines, and tracking and evaluating identified discrepancies. The use of an HFE style guide and checklists helps ensure that HSIs are designed, manufactured, and installed consistent with appropriate human factors principles, thereby supporting the ability of operators to safely operate the facility as required by SHINE Criterion 6. The staff also finds that these programmatic elements will be applicable to changes that are made to the safety-related TRPS and ESFAS systems throughout the lifecycle of the facility.

Based on the technical evaluations described in sections 7.4.9.3.1 through 7.4.9.3.4 of this SER, the NRC staff finds that the applicant has demonstrated that the applicable acceptance criteria in section 7.6 of NUREG-1537, Part 2 for the observability of outputs and display devices, for the accessibility and understandability of important controls and displays, and for control console annunciators and alarms are satisfied. Furthermore, the staff finds that SHINE's HFE Program supports the satisfaction of these acceptance criteria. Therefore, the staff concludes that SHINE has appropriately applied HFE principles to the SHINE facility control room.

7.4.9.4 Review Findings for Sections 7.4.9.1 through 7.4.9.3

In sections 7.4.9.1 through 7.4.9.3 of this SER, the NRC staff evaluated the sufficiency of SHINE Criterion 6 for the SHINE facility control room, as well as the ability of the control room to meet this criterion, and whether the control console and display system final design incorporates HFE principles in accordance with relevant guidance. Based on these evaluations, the staff finds that:

  • The applicant has shown that all nuclear and process parameters important to safe and effective operation of the SHINE facility will be displayed at the control console. The display devices for these parameters are easily understood and readily observable by an operator positioned at the facility controls and the controls are readily accessible.
  • The annunciator and alarm panels on the control console provide assurance of the operability of systems important to safe facility operation.
  • The HSI supports the manual initiation of protective actions at the system level for safety systems and provides displays and controls in the SHINE facility control room for manual, system-level actuation of safety functions, and for monitoring those parameters that support them.

The NRC staff therefore finds that the SHINE operator's DID role of manually actuating safety-related systems is reasonably supported by HFE principles and, furthermore, that the HFE-related aspects of SHINE Criterion 6 are met.

7.4.9.5 Administrative Controls Review

The NRC staff also evaluated the HFE-related aspects of SHINE's administrative controls.

SHINE FSAR section 13b.1.2 states that accident scenarios that presented potential consequences above the appropriate evaluation guidelines for worker or public exposure were subjected to preventative or mitigative controls to reduce the overall risk to within acceptable limits. SHINE FSAR section 13b.1.2.4 states that nuclear criticality safety in the RPF is accomplished by using criticality safety controls to prevent criticality during normal and abnormal conditions and, furthermore, that the radiological consequences of criticality accidents are not included in the accident analysis because preventative controls are used to ensure that criticality events are highly unlikely. To adequately evaluate the applicable acceptance criteria of NUREG-1537, Part 2 and the ISG augmenting NUREG-1537, Part 2 for management measures that support the reliability of administrative controls, the staff determined that it was appropriate to supplement these criteria with relevant guidance from NUREG-1520, Revision 2, Standard Review Plan for Fuel Cycle Facilities License Applications (ADAMS Accession No. ML15176A258). Specifically, section 11, Management Measures, of NUREG-1520 was consulted for general guidance regarding appropriate areas for evaluation.

During the audit conducted between November 5, 2020, and May 19, 2021, the NRC staff verified the SHINE FSAR statements regarding administrative controls related to HFE in part through observing that the SACs and Enhanced SACs identified by the applicant generally appeared to be comprised of activities in which procedures and training would constitute important, as well as cross-cutting, considerations. The staff noted that the SACs appeared to take place in a variety of plant locations and as such would not commonly be associated with any given HSI. Therefore, the staff determined that a scoped and graded review approach that focuses on the general ability of the applicant's procedures and training programs to support the reliable implementation of the administrative controls was appropriate. In implementing this review, the staff considered the guidance of NUREG-1520 in conjunction with the acceptance criteria of NUREG-1537, Part 2, and the ISG augmenting NUREG-1537, Part 2, sections 12.1 and 12.3. Sections 7.4.9.5.1 and 7.4.9.5.2 of this SER present the staff's resultant evaluation, from an HFE perspective, of SHINE's administrative controls by procedures and training, respectively.

7.4.9.5.1 Procedures Management Program Support of Administrative Controls

The NRC staff evaluated whether the ability of SHINE operators to reliably implement administrative controls was adequately supported by SHINE's program for managing procedures. The staff informed this evaluation using areas described in NUREG-1520, section 11.3 and considered the following:

  • The process for the preparation, use, and management control of written procedures;
  • The method for verifying and validating procedures before use; and
  • The method for ensuring that current procedures are available to personnel.

In its response to RAI HFE-6, SHINE provided clarification that SACs are specifically defined, safety-related, administrative controls that are credited within the SHINE safety analysis. The SACs themselves are incorporated into facility procedures. SHINE further clarified that the SHINE HFE Program does not address programmatic administrative controls (i.e., management measures), but that programmatic administrative controls, such as procedures and training, serve to ensure that operators are provided with procedures and trained as needed to ensure the reliability of SACs.


SHINE FSAR section 12.3 states that procedures for the operation and use of the SHINE facility are written, reviewed, and approved by appropriate management and are controlled and monitored to ensure that the content is technically correct and the wording and format are clear and concise. The process required to make changes to procedures, including substantive and minor permanent changes, and temporary deviations to accommodate special or unusual circumstances during operation conforms to ANSI/ANS 15.1-2007, The Development of Technical Specifications for Research Reactors. Additionally, SHINE will prepare, review, and approve written procedures for topics including administrative controls for operations and maintenance and for the conduct of irradiations that could affect nuclear safety. The extent of detail in a procedure is dependent on the complexity of the task; the experience, education, and training of the users; and the potential significance of the consequences of error. The process for making changes and revisions to procedures is documented; a controlled copy of all operations procedures is maintained in the control room; and tasks are performed in accordance with approved implementing procedures.

In its response to RAI HFE-6, SHINE clarified that procedures are written and reviewed by operations personnel under the SHINE operating procedure development process. Procedures that include SACs are specifically reviewed by the Review and Audit Committee (described in SHINE FSAR section 12.2). Following these review processes, procedures are also verified and validated prior to issuance for use within the facility. Procedures that implement SACs are verified and validated to be technically accurate, comprehensive, explicit, and easy to use, such that assumptions made about the reliability of SACs in the SHINE safety analysis are supported via these processes.

Based on the above, the NRC staff finds that the applicant has demonstrated that the combination of processes used for the preparation, use, and management control of written procedures; the methods used for verifying and validating procedures before use; and the methods used for ensuring that current procedures are available to personnel supports the ability of SHINE operators to reliably implement administrative controls. Therefore, the staff concludes that the applicant's procedures management program adequately supports the implementation of administrative controls.

7.4.9.5.2 Training and Qualification Program Support of Administrative Controls

The NRC staff evaluated whether the ability of SHINE operators to reliably implement administrative controls was adequately supported by SHINE's training and qualification program. The staff informed this evaluation using areas described in NUREG-1520, section 11.3 and considered the following:

  • Provisions for the initial training of personnel;
  • Personnel qualifications; and
  • Provisions for the retraining of personnel.

SHINE FSAR section 12.10 states that the initial training program for operators was developed to conform to the requirements of 10 CFR Part 55, as it pertains to non-power facilities, following the guidance of ANSI/ANS 15.4-2016, Selection and Training of Personnel for Research Reactors. The initial training program also contains, in part, the additional topics of criticality control features and management measures required for processes involving Special Nuclear Material (SNM). During the audit conducted between November 5, 2020, and May 19, 2021, the NRC staff verified the SHINE FSAR statements regarding operator training in part through observing that both the operator initial and requalification training programs included training within the areas of design features (theory and principles of the radioisotope production process involving SNM, theory and principles of the radioisotope extraction and purification process, critical control features and management measures required for each process involving SNM), reactivity, alterations and control systems, and uranium handling.

In its response to RAI HFE-6, SHINE clarified that the operator training program ensures that individuals are trained in the knowledge, skills, and abilities needed to conduct assigned activities. The operator training program utilizes a systems approach to training, with the implementation and evaluation of the program including elements of self-study, classroom, mentoring, and simulation.

Based on the above, the NRC staff finds that the applicant has demonstrated that the combination of provisions for the initial training of personnel, personnel qualifications, and the retraining of personnel supports the ability of SHINE operators to reliably implement administrative controls. Therefore, the staff concludes that the applicant's training and qualification program adequately supports the implementation of administrative controls.

7.4.9.6 Conclusion

The NRC staff finds that the applicant has demonstrated that SHINE Criterion 6 is sufficient to support the safe operation of the SHINE facility with respect to HFE and that the HFE-related design aspects and programmatic considerations for the SHINE facility meet the HFE-related aspects of Criterion 6 because, within the specific context of the operator role in safety at the SHINE facility, operators will reasonably be able to take actions to control the facility; be provided with controls designed to support safe actions; have sufficient knowledge about the status of the facility; be able to make decisions about the appropriate course of action given a particular operating circumstance; and be provided with indications, displays, alarms, and controls that are designed to reflect cognitive needs.

The NRC staff finds that the applicant has demonstrated that the HFE-related design aspects of the SHINE facility control console and display instruments are acceptable because all nuclear and process parameters important to safe and effective operation of the SHINE facility will be displayed at the control console, the display devices for these parameters are easily understood and readily observable by an operator positioned at the facility controls, the controls are readily accessible, and the annunciator and alarm panels on the control console provide assurance of the operability of systems important to safe facility operation. Furthermore, within the specific context of the operator role in safety at the SHINE facility, the applicant has demonstrated that the HSI supports the manual initiation of protective actions for safety systems and provides displays and controls for manual actuation of safety functions and for monitoring those parameters that support them. Therefore, the staff concludes that the requirement of 10 CFR 50.34(b) for an operating license application to include a final analysis and evaluation of the structures, systems, and components of the facility showing that safety functions will be accomplished is met within the context of the HFE-related aspects of Criterion 6.


The NRC staff finds that the applicant has demonstrated that the HFE-related programmatic considerations for the SHINE facility, specifically, the programs for procedures management and training and qualification, are acceptable, within the specific context of the operator role in safety at the SHINE facility, because they reasonably support the ability of SHINE operators to reliably implement administrative controls at the facility. Therefore, the staff concludes that the requirement of 10 CFR 50.57(a)(3) for reasonable assurance that activities authorized by the operating license can be conducted without endangering the health and safety of the public is supported by the application of HFE measures within the context of administrative controls.

7.4.10 Proposed Technical Specifications

As part of its application, SHINE submitted TSs as required by 10 CFR 50.34(b)(6)(vi) that are stated to be prepared in accordance with the requirements of 10 CFR 50.36. In this section, the NRC staff evaluated the sufficiency of the proposed TSs for the SHINE facility related specifically to SHINE FSAR Chapter 7 against applicable regulatory requirements, using appropriate regulatory guidance and acceptance criteria. SHINE also provides proposed TS section 1.4 to explain the meaning of logical connectors and completion times used throughout the TS. The logical connectors and completion times are reviewed and found acceptable in SER section 14. The SHINE reactivity control mechanisms are reviewed and accepted in section 4a.4.2.2 of this SER. The control console and display instruments are reviewed by the staff and found acceptable in SER section 7.4.6 and section 7.4.9, respectively. Access control and cyber security are reviewed in section 7.4.2.2.7, 7.4.3.2.2.1, and 12.4.14.

7.4.10.1 Setpoint Methodology used for Safety System Setpoints

SHINE FSAR section 7.2.1 states that SHINE uses a documented methodology for establishing and calibrating setpoints for safety-related I&C functions. Instrument drift between calibrations is accounted for in the setpoint methodology. SHINE safety limits will not be exceeded if required actions are initiated before analytical limits are exceeded. Analytical limits are chosen to include a conservative margin between the analytical limit and the safety limit. The LSSS is the least conservative value that the instrument setpoint can be and still ensure the analytical limits are not exceeded and the safety limits are protected. The LSSS is separated from the analytical limit by an amount not less than the total loop uncertainty (TLU) for the setpoint determined by the SHINE setpoint methodology.

During the TS audit, as documented in the NRC staff's audit report (ML22220A261), the staff reviewed several setpoint calculations to confirm that the results included conservative margin between the analytical limit and the limiting trip setpoints that accounted for the instrument TLU.

SHINE established usage rules in surveillance requirement (SR) 3.0.1.8 to ensure that, during SRs, the instrument setpoint is left within the as-left tolerance determined using the setpoint methodology, but in no case less conservative than the instrument setpoint provided in the limiting condition for operations (LCO). This bounds the equipment performance after calibration and helps assure that a trip will occur before the analytical limit (AL) is reached.

Based on the information provided in the SHINE FSAR, as supplemented, and reviewed during the NRC audits, the staff finds that the SHINE methodology for establishing and calibrating setpoints is consistent with the guidance in ANSI/ISA-67.04.01-2006 (R2011), Setpoints for Nuclear Safety-Related Instrumentation, in establishing procedures for determining setpoints, setpoint margins, and test routines in safety-related instrument channels. Therefore, the staff finds SHINE's setpoint methodology used for safety system setpoints acceptable.


7.4.10.2 TRPS Technical Specifications

SHINE FSAR section 7.4.4.5, Technical Specifications and Surveillance, states, in its entirety:

Limiting Conditions for Operation and Surveillance Requirements are established for TRPS logic, voting, and actuation divisions and instrumentation monitored by TRPS as input to safety actuations.

SHINE FSAR section 7.4.4.6 states that limiting conditions for operation (LCO) and surveillance requirements (SR) are established for TRPS logic, voting, and actuation divisions. LCOs are established for components of the safety-related I&C systems that perform safety functions to ensure that the system will remain available to perform safety functions when required. SRs are performed at a frequency to ensure that limiting safety system settings are not exceeded.

Startup-testing conditions and first use of the instrumentation and the TRPS are discussed in FSAR section 12.11.2.

The TS and SRs for the TRPS are provided in section 2.2, Limiting Safety System Setpoint, and 3.2 of the SHINE TSs. Proposed SHINE TS 2.2, Limiting Safety System Settings (LSSS), and table 2.2, Limiting Safety System Settings, were reviewed and found acceptable in SER section 4a.4.9. The proposed TS applicable to the TRPS are provided in LCO 3.2.1 and SR 3.2.1, LCO 3.2.3 and SR 3.2.3, LCO 3.8 and SR 3.8. The TRPS is discussed in section 7.4.4 of the SE.

Proposed LCO 3.2.1 and SR 3.2.1 help ensure the TRPS is able to perform its designed safety function.

LCO 3.2.1

Divisions A, B, and C of the target solution vessel reactivity protection system (TRPS) shall be Operable.

Each TRPS Division A or B is Operable if:

1. Three SBVMs are Operable
2. Two 5V power supplies are Operating
3. Two EIMs for each TRPS actuation device are Operable

TRPS Division C is Operable if:

1. Three SBMs are Operable
2. Two 5V power supplies are Operating

Note - Actions 1, 2, 3, 4, 5, and 6 in Table 3.2.1 may be applied separately to each Division of TRPS associated with each IU.

Note - Action 6 in Table 3.2.1 may be applied separately to each IU.

Applicability: Associated IU in Mode 1, 2, 3, or 4

Action: According to Table 3.2.1

SR 3.2.1

1. Check that the TRPS self-diagnostics indicate no failed modules prior to entering Mode 1.

2. Simulated automatic and manual actuation priority logic testing shall be performed every five years.

Note - This SR cannot be deferred.

3. SBVM hardwired communications shall be tested quarterly.
4. Power supply voltages shall be tested semi-annually.

The proposed TS table 3.2.1, TRPS Logic and Actuation Actions, states the following:

Each entry gives the Condition and Action, followed by the Completion Time.

1. If one SBVM or SBM in a single Division is inoperable,
   Confirm that the SBVM or SBM is in the tripped state. Completion time: Immediately
   AND
   Restore the module to Operable. Completion time: 72 hours

2. If one 5V power supply in a single Division is inoperable,
   Restore the power supply to Operable. Completion time: 72 hours

3. If one EIM in a single Division is inoperable,
   Restore the module to Operable. Completion time: 72 hours
   OR
   Enter the corresponding action(s) for the inoperable component according to LCOs 3.1.5, 3.4.1, or 3.6.2. Completion time: 72 hours

4. If two EIMs associated with a single actuation component in a single Division are inoperable (and not actuating),
   Enter the corresponding action(s) for the inoperable component according to LCOs 3.1.5, 3.4.1, or 3.6.2. Completion time: Immediately

5. If two or more SBVMs in a single Division A or B are inoperable,
   OR If two 5V power supplies in a single Division A or B are inoperable,
   OR Action and associated completion time of Condition 1 or 2 not met for a Division A or B SBVM,
   Place the associated IU in Mode 3. Completion time: 6 hours
   AND
   Place the associated IU in Mode 0. Completion time: ((PROP/ECI))

6. If two or more SBMs in Division C are inoperable,
   OR If two 5V power supplies in Division C are inoperable,
   OR Action and associated completion time of Condition 1 or 2 not met for a Division C SBM,
   Place the associated IU in Mode 3. Completion time: 12 hours
   AND
   Place the associated IU in Mode 0. Completion time: ((PROP/ECI))

7. If two or more Divisions for an IU are inoperable,
   Place the associated IU in Mode 3. Completion time: 1 hour
   AND
   Place the associated IU in Mode 0. Completion time: ((PROP/ECI))

LCO 3.2.1 specifies that all three divisions (Division A, B and C) must be operable during Modes 1, 2, 3, and 4 (startup, irradiation, shutdown, and transfer to the RPF). Operability for each division is specified in the LCO. Division A and B require the scheduling, bypass and voting modules (SBVMs), the equipment interface modules (EIMs), and the associated 5 volt power supplies and Division C requires the scheduling and bypass modules (SBMs) and the associated 5 V power supplies. The TS 3.2.1 required equipment is consistent with SHINE FSAR section 7.4.3.1 because the safety function modules (SFMs) and the input channels are addressed in LCO 3.2.3 and the actuated components are addressed in LCO 3.4.1 (for primary confinement and primary system boundary components) and LCO 3.6.2 (for safety-related breakers). Similarly, the 24-volt power to the 5-volt power supplies is addressed in LCO 3.6.1 for the TRPS cabinets in each division. The proposed TS table 3.2.1, TRPS Logic and Actuation Actions, provides the deviations from LCO 3.2.1 that may be allowed under specified conditions, while restoring the system to operation. The completion time allows for replacement of failed components, while limiting the amount of time an IU is allowed to operate with reduced TRPS reliability. The 72 hour duration is acceptable for a single failed SBVM, SBM, 5 volt power supply, or EIM within one division because the output is received as a trip signal by the associated EIMs, and the output of a failed SBM is received as a trip signal by the Division A and B SBVMs, preserving the single failure criterion for the remaining operable modules.

If more than one module or power supply fails or if the 72 hour completion time to restore operability will be exceeded, table 3.2.1 provides the additional times and steps to place the IU in a condition of applicability where the TRPS safety functions are not required (Mode 3 then Mode 0). The additional time for these transitions is based on the minimum time specified in LCO 3.1.8 to transfer target solution out of the IU to achieve Mode 0 (solution removed), which is acceptable because the redundant TRPS Division(s) are still available to sense adverse conditions. If two or more divisions are inoperable, actions are taken to place the IU in Mode 3 within an hour. This minimal time provides for an orderly IU shutdown.

Based on the above, the NRC staff finds that LCO 3.2.1 and the associated table 3.2.1 actions provide the conditions and actions required to help ensure the TRPS is able to perform its safety functions specified by the SHINE safety analysis that are necessary to ensure the IU is maintained in a safe state. Therefore, the staff finds LCO 3.2.1 and TS table 3.2.1 acceptable.

SR 3.2.1.1 checks for TRPS faults monitored by the end-to-end self-testing that covers each module from sensor input to the output switching logic prior to initiating IU startup. The discrete circuitry of the actuation and priority logic is not tested by self-testing, so SR 3.2.1.2 tests the priority logic for automatic and manual actuation, and SR 3.2.1.3 and SR 3.2.1.4 verify operability of the hardwired communication and power supplies. The NRC staff finds that SR 3.2.1 prescribes the frequency and scope of surveillance to demonstrate the performance of the TRPS logic and actuation and the maximum allowable surveillance intervals are consistent with the guidance in ANSI/ANS 15.1, section 4, Surveillance requirements. Therefore, the staff finds SR 3.2.1 acceptable.

Proposed LCO 3.2.3 and SR 3.2.3 help ensure the input devices and the trip determination portions of the TRPS SFMs are able to initiate safety functions specified by the SHINE safety analysis, as described in FSAR Subsection 7.4.3.1.

LCO 3.2.3 TRPS input channels listed in Table 3.2.3-a shall be Operable.

Note - Any single SFM associated with the wide, power, or source range neutron flux channels may be bypassed for up to 2 hours while the neutron flux variable(s) associated with the SFM is in the condition of applicability for the purpose of performing a Channel Calibration.

Applicability Associated IU in Mode 1, 2, 3 or 4, according to Table 3.2.3-a

Action According to Table 3.2.3

SR 3.2.3 Check that the TRPS self-diagnostics indicate no failed modules prior to entering Mode 1.

A Channel Check shall be performed on each channel listed in Table 3.2.3-a weekly.

A Channel Test shall be performed on TRPS instrument channels listed in Table 3.2.3-a quarterly.

A Channel Calibration shall be performed on each channel listed in Table 3.2.3-a annually.

Table 3.2.3-a TRPS Instrumentation

Variable | Setpoint | Required Channels (per IU) | Applicability | Action | SR
a. Wide range neutron flux | 176% power | 3 | Modes 1 and 2 | 1, 2, 6 | 2, 4
b. Power range neutron flux | 85% power; averaged over 45 seconds; ((PROP/ECI)) | 3 | Modes 1 and 2 | 1, 2, 6 | 2, 4
c. Source range neutron flux | 1.5 times the nominal flux at 95% volume of the critical fill height | 3 | Mode 1 | 1, 4, 6 | 2, 4
d. TSV fill isolation valve position indication | Not Closed | 2 | Mode 2 | 5 | 3
e. PCLS flow | ((PROP/ECI)); IU Cell Safety Actuation delayed by 180 seconds | 3 | Modes 1 and 2 | 1, 2, 6 | 2, 4
f. PCLS temperature | 72.9°F; IU Cell Safety Actuation delayed by 180 seconds; 63.5°F | 3 | Modes 1 and 2 | 1, 2, 6 | 2, 4
g. Low-high TSV dump tank level | High level | 3 | Modes 1 and 2 | 1, 2, 6 | 3
h. High-high TSV dump tank level | High level | 3 | Modes 1, 2, 3, and 4 | 1, 3, 7 | 3
i. TOGS mainstream flow | ((PROP/ECI)) | 3 (per train) | Modes 1, 2, 3, and 4 | 1, 3, 7 | 2, 4

The scope of LCO 3.2.3 is for each channel beginning at the input devices and including the associated SFMs and hardwired modules (HWMs) up to the inputs to the SBVMs or SBMs addressed in LCO 3.2.1. The SHINE proposed TS table 3.2.3-a, TRPS Instrumentation, provides the list of TRPS input channels required by LCO 3.2.3 and the applicable mode when each input channel variable is required to be operable. The staff finds that, consistent with NUREG-1537, Appendix 14.1, this table specifies the setpoints, the minimum number of channels, and the operating mode, when the channels are required. The table 3.2.3-a setpoints are evaluated in sections 7.4.4 and 7.4.5 of this SER. The staff finds the setpoints are selected based on analytical limits and calculated to account for known uncertainties in accordance with the setpoint methodology (SER section 0) and the variables are periodically functionally tested as required by SR 3.2.3. Table B-3.2.3, TRPS Input Variable Allocation, provided in the bases for LCO 3.2.3, shows the input device that provides a signal to each SFM or HWM for each division.

In addition to LCO 3.2.3, the staff also reviewed SHINE proposed table 3.2.3, TRPS Input Channel Actions. Table 3.2.3, which is very similar to proposed TS table 3.2.1, provides actions and completion times for when LCO 3.2.3 is not met and provides the deviations from LCO 3.2.3 that may be allowed under specified conditions, while restoring the system to operation. The completion time allows for replacement of failed components, while limiting the amount of time an IU is allowed to operate with reduced TRPS reliability. More than one input device provides a signal to each SFM or HWM. Each SFM can be placed in maintenance bypass or in a trip state by use of the out-of-service (OOS) switch and an associated trip/bypass switch located below the SFM, as described in SHINE FSAR Subsection 7.4.4.3. Normal actuation of the safety function occurs on 2-out-of-3 voting logic. However, when any single channel is inoperable (except the TSV fill isolation valve), the SFM associated with the inoperable channel is required to be placed in trip within 2 hours, which changes the voting logic to 1-out-of-2, preserving the single failure protection. If one or more TSV fill valve position indication is inoperable, table 3.2.3 actions require shutting a TSV fill isolation valve or placing the IU in Mode 3 (shutdown). The NRC staff finds that LCO 3.2.3, table 3.2.3, and table 3.2.3-a provide the conditions and actions required to help ensure the TRPS can perform its safety functions specified by the SHINE safety analysis that are necessary to ensure the IU is maintained in a safe condition. Therefore, the staff finds LCO 3.2.3, table 3.2.3, and table 3.2.3-a acceptable.

SR 3.2.3.1 checks for TRPS faults monitored by the end-to-end self-testing that covers each module from sensor input to the output switching logic prior to initiating IU startup. SR 3.2.3.2, SR 3.2.3.3, and SR 3.2.3.4 provide for weekly checks, quarterly tests, and annual calibrations of the channels listed in table 3.2.3-a. To allow the performance of these SRs during IU operation, LCO 3.2.3 allows placing any single SFM in bypass for up to 2 hours during performance of a required SR on a channel associated with that SFM, effectively changing the voting logic to 2-out-of-2 (with two other channels Operable) or 1-out-of-1 (with one other channel Operable). The staff finds the 2-hour time constraint acceptable based on the presence of operations and maintenance personnel performing the test, the operability of the redundant channel(s), and the relatively short time period to perform the testing. Additionally, LCO 3.0.1.6 applies to SR 3.2.3.4 since entry into the mode of applicability (Mode 1) is required to perform the SR. This is a known and accepted deviation for calibrating flux monitoring equipment that is acceptable to the NRC staff. The NRC staff finds that SR 3.2.3 prescribes the frequency and scope of surveillance to demonstrate the continued operability of the process variable instrument channels and the maximum allowable surveillance intervals are consistent with the guidance in ANSI/ANS 15.1, section 4, Surveillance requirements. Therefore, the staff finds SR 3.2.3 acceptable.
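The voting arithmetic described above for LCO 3.2.3 (an SFM in trip gives 1-out-of-2; an SFM in bypass gives 2-out-of-2 or 1-out-of-1), worked through as an added example that is not part of the SER or of SHINE's design documents. It assumes a simplified model in which a tripped SFM always contributes a vote, a bypassed SFM never does, and two votes actuate; all names are hypothetical. It goes one step beyond the text by also checking which configurations actuate on a single false trip.

```python
from enum import Enum


class Ch(Enum):
    NORMAL = "normal"   # SFM votes according to its own trip determination
    TRIP = "trip"       # SFM placed in trip: always contributes a trip vote
    BYPASS = "bypass"   # SFM in maintenance bypass: never contributes a vote


VOTES_REQUIRED = 2      # assumption: 2-out-of-3 coincidence, threshold fixed at 2


def actuates(states, trips):
    """True if the safety function actuates.
    states: one Ch per channel; trips: one bool per channel, the channel's
    own trip determination (only consulted for NORMAL channels)."""
    votes = sum(
        1 for s, t in zip(states, trips)
        if s is Ch.TRIP or (s is Ch.NORMAL and t)
    )
    return votes >= VOTES_REQUIRED


def effective_logic(states):
    """(m, n): m more votes are needed from the n channels still voting normally."""
    n = sum(s is Ch.NORMAL for s in states)
    m = max(0, VOTES_REQUIRED - sum(s is Ch.TRIP for s in states))
    return m, n


def tolerates_single_failure(states):
    """True if a real demand still actuates when any one NORMAL channel
    silently fails to trip (the single failure criterion in this model)."""
    for failed, s in enumerate(states):
        if s is not Ch.NORMAL:
            continue
        trips = [i != failed for i in range(len(states))]
        if not actuates(states, trips):
            return False
    return True


def spurious_on_single_false_trip(states):
    """True if one NORMAL channel tripping with no real demand actuates."""
    for noisy, s in enumerate(states):
        if s is not Ch.NORMAL:
            continue
        trips = [i == noisy for i in range(len(states))]
        if actuates(states, trips):
            return True
    return False


# Constructed configurations matching the cases named in the text.
CASES = {
    "all channels operable": [Ch.NORMAL, Ch.NORMAL, Ch.NORMAL],
    "one SFM placed in trip": [Ch.TRIP, Ch.NORMAL, Ch.NORMAL],
    "one SFM bypassed for an SR": [Ch.BYPASS, Ch.NORMAL, Ch.NORMAL],
    "one in trip, one bypassed": [Ch.TRIP, Ch.BYPASS, Ch.NORMAL],
}


def summarize():
    """Map each case to (m-out-of-n, single-failure tolerant, spurious risk)."""
    return {
        name: (
            effective_logic(states),
            tolerates_single_failure(states),
            spurious_on_single_false_trip(states),
        )
        for name, states in CASES.items()
    }


if __name__ == "__main__":
    for name, (logic, tolerant, spurious) in summarize().items():
        print(f"{name}: {logic[0]}-out-of-{logic[1]}, "
              f"single-failure tolerant={tolerant}, spurious on one false trip={spurious}")
```

In this model the bypass cases are the only ones that lose single-failure tolerance, which is the exposure the 2-hour limit bounds, while placing a channel in trip keeps that tolerance at the cost of actuating on one false trip.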

Proposed LCO 3.8.5 and SR 3.8.1 for the neutron driver assembly system (NDAS) help minimize the possibility of inadvertent personnel exposure during IU operations and are a part of the SHINE definition for Facility Secured in the proposed SHINE TS definitions.

The Neutron Driver Assembly System (NDAS) is the accelerator-based assembly that accelerates a deuterium ion beam into a gas target chamber producing neutrons from the resulting fusion reaction. The NDAS 2-key interlock disables the beam to prevent inadvertent exposure when personnel are present in the IU cell or neutron driver service cell. The staff finds the proposed LCO 3.8.5 and SR 3.8.5 help to protect personnel and ensure the interlock is operable when required by the SHINE safety analysis, as described in SHINE FSAR section 13a2.1.12. The staff also finds that TS 3.8 is an appropriate and acceptable means to protect personnel when they are in the IU cell. The staff finds that the incorporation of the NDAS two-key interlocks is an important aspect of when the facility is secured consistent with NUREG-1537, Part 1, Appendix 14.1 that is appropriately adapted for the SHINE facility. The staff also finds that the requirements to test prior to use and to perform a quarterly operability test are consistent with the periodicity recommendations of ANSI/ANS 15.1-2007. Therefore, the staff finds LCO 3.8.5 and SR 3.8.5 acceptable.

LCO 3.8.5 The NDAS two-key interlocks shall be in the open position.

Applicability Personnel present in the associated IU cell containing an NDAS unit or in the neutron driver service cell (NSC)

SR 3.8.5 The function of the NSC driver interlock shall be tested quarterly.

Note - This SR cannot be deferred.

The function of the IU cell driver interlock shall be tested prior to removal of the IU cell plug, and quarterly thereafter, while the IU cell plug is removed.

Although not specifically discussed in this SER section, the NRC staff also reviewed TS 3.4.1, TS 3.9.1, TS 3.9.2, and TS 3.9.3 related to the TRPS. TS 3.4.1 monitors the operability of the safety-related valves and dampers that are verified to stroke upon demand from TRPS annually.

TS 3.9 is related to specific deviations to the normal LCOs and SRs during startup testing discussed in SHINE FSAR section 12.11.2. LCO 3.9.1 and LCO 3.9.2 permit specific deviations from LCO 3.2.3 and LCO 3.9.3 provides special conditions to permit the initial channel calibration of the NFDS power and wide range neutron flux channels. Based on information provided and reviewed, the staff finds these TSs acceptable.

Based on the review of SHINE TSs applicable to the TRPS, the NRC staff finds that the LCOs and SRs help to ensure the operability of the TRPS, including the TRPS logic, voting, actuation divisions, and instrumentation monitored by TRPS as input to safety actuations. Staff also finds that setpoint values of the SHINE Technical Specifications for the TRPS are based on the SHINE setpoint calculations for the applicable process variables. Therefore, the staff finds the TSs related to the TRPS acceptable.

7.4.10.3 ESFAS Technical Specifications

SHINE FSAR section 7.5.4.6, Technical Specifications and Surveillance, states that limiting conditions for operation (LCO) and surveillance requirements (SR) are established for ESFAS logic, voting, and actuation divisions and instrumentation monitored by ESFAS as input to safety actuations. LCOs are established for components of the safety-related I&C systems that perform safety functions to ensure that the system will remain available to perform safety functions when required. SRs are performed at a frequency to ensure that limiting safety system settings are not exceeded. SHINE FSAR section 7.2.1 states that SHINE uses a documented methodology for establishing and calibrating setpoints for safety-related I&C functions.

Instrument drift between calibrations is accounted for in the setpoint methodology. SHINE safety limits will not be exceeded if required actions are initiated before analytical limits are exceeded.

Analytical limits are chosen to include a conservative margin between the analytical limit and the safety limit. The LSSS is the least conservative value that the instrument setpoint can be and still ensure the analytical limits are not exceeded and the safety limits are protected. The LSSS is separated from the analytical limit by an amount not less than the total loop uncertainty for the setpoint determined by the SHINE setpoint methodology. Startup-testing conditions and first use of the instrumentation and the ESFAS are discussed in SHINE FSAR section 12.11.2. The TRPS input for ESFAS loss of external power signal is addressed in LCO 3.2.1.

The ESFAS is required to perform safety functions as described in FSAR Subsection 7.5.3.1.

The proposed TSs applicable to ESFAS are provided in LCO 3.2.2 and SR 3.2.2, LCO 3.2.4 and SR 3.2.4, LCO 3.4.3 and SR 3.4.3, LCO 3.4.4 and SR 3.4.4, LCO 3.6.2 and SR 3.6.2, LCO 3.8.9 and SR 3.8.9, and LCO 3.8.10 and SR 3.8.10. The staff's review of the ESFAS is discussed in section 7.4.5 of the SE.

Proposed TS 3.2.2 addresses the logic, voting, and actuation portions of the ESFAS to help ensure that the system is able to generate an appropriate actuation signal when required.

LCO 3.2.2 Divisions A, B, and C of the engineered safety features actuation system (ESFAS) shall be Operable.

Each ESFAS Division A or B is Operable if:

1. Three SBVMs or SBMs are Operable
2. Two 5V power supplies are Operating
3. Two EIMs for each ESFAS actuation device are Operable

ESFAS Division C is Operable if:

1. Three SBMs are Operable
2. Two 5V power supplies are Operating

Note - Actions 1, 2, 3, 4 and 5 in Table 3.2.2 may be applied separately to each division of ESFAS.

Applicability Facility not Secured

Action According to Table 3.2.2

SR 3.2.2

1. Check that the ESFAS self-diagnostics indicate no failed modules weekly.

2. Simulated automatic and manual actuation priority logic testing shall be performed every five years.

Note - This SR cannot be deferred.

3. SBVM hardwired communications shall be checked quarterly.
4. Power supply voltages shall be checked semi-annually.

The proposed TS Table 3.2.2, ESFAS Logic and Actuation Actions, states the following:

Condition and Action (Completion Time)

1. If one SBVM or SBM in a single Division is inoperable, Confirm that the SBVM or SBM is in the tripped state (Immediately) AND Restore the module to Operable (72 hours).
2. If one 5V power supply in a single Division is inoperable, Restore the power supply to Operable (72 hours).
3. If one EIM in a single Division is inoperable, Restore the module to Operable (72 hours) OR Enter the corresponding action(s) for the inoperable component according to LCOs 3.4.3, 3.4.4, 3.6.2, 3.8.9, or 3.8.10 (72 hours).
4. If two EIMs associated with a single actuation component in a single Division are inoperable (and not actuating), Enter the corresponding action(s) for the inoperable actuation device according to LCOs 3.4.3, 3.4.4, 3.6.2, 3.8.9, or 3.8.10 (Immediately).
5. If two or more SBVMs in a single Division A or B are inoperable, OR If two 5V power supplies in a single Division A or B are inoperable, OR Action and associated completion time of Condition 1 or 2 not met for a Division A or B SBVM, Place all IUs undergoing irradiation in Mode 3 (6 hours) AND Open the VTS vacuum pump breakers (12 hours) AND Open at least one VTS vacuum break valve (12 hours) AND Suspend all work involving special nuclear material (12 hours) AND Place tritium in all three trains of TPS process equipment in its storage location (12 hours) OR Initiate a TPS Train Isolation for gloveboxes containing tritium (12 hours).
6. If two or more SBMs in Division C are inoperable, OR If two 5V power supplies in Division C are inoperable, OR Action and associated completion time of Condition 1 or 2 not met for a Division C SBM, Place all IUs undergoing irradiation in Mode 3 (12 hours) AND Open the VTS vacuum pump breakers (24 hours) AND Open at least one VTS vacuum break valve (24 hours) AND Suspend all work involving special nuclear material (24 hours) AND Place tritium in all three trains of TPS process equipment in a storage location (24 hours) OR Initiate a TPS Train Isolation for gloveboxes containing tritium (24 hours).
7. If two or more Divisions are inoperable, Place all IUs undergoing irradiation in Mode 3 (1 hour) AND Open the VTS vacuum pump breakers (1 hour) AND Open at least one VTS vacuum break valve (1 hour) AND Initiate a TPS Train Isolation for gloveboxes containing tritium (1 hour) AND Suspend all work involving special nuclear material (1 hour).

LCO 3.2.2 specifies that all three divisions (Division A, B and C) must be operable whenever the SHINE facility is not secured. Operability for each division is specified in the LCO. Division A and B require three SBVMs or SBMs, two EIMs, and the associated two 5 volt power supplies.

Division C requires three SBMs and the two associated 5 V power supplies. The TS 3.2.2 required equipment is consistent with SHINE FSAR section 7.5.3.1 because the SFMs and the input channels are addressed in LCO 3.2.4 and the actuated components are addressed in LCO 3.4.3 (for tritium Confinement boundary components), LCO 3.4.4 (for supercell Confinement dampers), LCO 3.6.2 (for safety-related breakers), LCO 3.8.9 (for RCA isolation dampers), and LCO 3.8.10 (for facility-specific safety-related valves and dampers). Additionally, LCO 3.2.2 addresses the two redundant 5 V power supplies per ESFAS division and LCO 3.6.1 discusses the 24-volt power to the 5-volt power supplies for each Division of ESFAS cabinets.

The proposed TS table 3.2.2, ESFAS Logic and Actuation Actions, provides the deviations from LCO 3.2.2 that may be allowed under specified conditions, while restoring the system to operation. The completion time allows for replacement of failed components, while limiting the amount of time an IU is allowed to operate with reduced ESFAS capability. The 72-hour duration is acceptable for a single failed SBVM, SBM, 5 volt power supply or EIM within one division because the output of a failed SBVM is received as a trip signal by the associated EIMs, and the output of a failed SBM is received as a trip signal by the Division A and B SBVMs, preserving the single failure criterion for the remaining operable modules. For a failed EIM, the time allows adequate time to diagnose, repair, and retest the inoperable module while having continued availability of the redundant actuation component (or redundant check valve) to perform the required function. In the case of a failed power supply, the 72 hours is deemed acceptable while conducting restoration due to the ability of the redundant ESFAS Division(s) to sense adverse conditions and actuate equipment in response to an event. If more than one EIM for a single actuation component in a single division is inoperable, table 3.2.2 requires that the corresponding action(s) from LCO(s) 3.4.3, 3.4.4, 3.6.2, 3.8.9, or 3.8.10 be entered immediately using the new completion times for associated actions stated in the applicable LCO(s).
If more than one SBVM or both power supplies in a single division or two or more SBMs in Division C are inoperable or if the 72-hour completion time to restore operability will be exceeded, the ESFAS is deemed inoperable and the actions in table 3.2.2 must be completed to shut down the facility and systems in an orderly manner, including suspending all work involving special nuclear material within 12 hours. The staff deems the actions and completion times as acceptable based on the continued availability of the redundant ESFAS Division(s) to sense adverse conditions (two remaining Divisions) and actuate equipment (one remaining Division) in response to an event. In the unlikely event that two or more divisions are inoperable, the TS table 3.2.2 requires all IUs undergoing irradiation to be placed in Mode 3 (shutdown) within one hour and actions are taken to remove the potential for an event by placing facility systems in a condition of applicability where the functionality of the ESFAS is no longer required, including isolating any gloveboxes containing tritium.

The NRC staff finds that LCO 3.2.2 and the associated table 3.2.2 actions provide the conditions and actions required to help ensure the ESFAS is able to perform its safety function specified by the SHINE safety analysis to ensure the facility is maintained in a safe condition.

Therefore, the staff finds LCO 3.2.2 and table 3.2.2 acceptable.

SR 3.2.2.1 is performed weekly to check the status of the self-diagnostics function that checks for ESFAS faults monitored by the end-to-end self-testing. The self-testing covers each module from sensor input to the output switching logic (except for the discrete circuitry of the actuation and priority logic). The HIPS platform self-tests and integral LEDs, as described in SHINE FSAR Subsection 7.5.4.5 and evaluated by the NRC staff in SER section 7.4.2, evaluate the state of the module latches, the operational state of the module, and the presence of any faults to determine if the platform is functioning correctly. The discrete circuitry of the actuation and priority logic is not tested by self-testing, so SR 3.2.2.2 tests the priority logic for automatic and manual actuation. SR 3.2.2.3 verifies operability of the SBVM hardwired communication and SR 3.2.2.4 checks power supply voltages semi-annually. The NRC staff finds that SR 3.2.2 prescribes the frequency and scope of surveillance to demonstrate the performance of the TRPS logic, actuation and power supply voltages and the maximum allowable surveillance intervals are consistent with the guidance in ANSI/ANS 15.1, section 4, Surveillance requirements. Therefore, the staff finds SR 3.2.2 acceptable.

Proposed LCO 3.2.4 and SR 3.2.4 help ensure the input devices and the trip determination portions of the TRPS SFMs are able to initiate safety functions specified by the SHINE safety analysis, as described in FSAR Subsection 7.4.3.1.

LCO 3.2.4 ESFAS input Channels listed in Table 3.2.4-a shall be Operable.

Note - Any single SFM may be bypassed for up to 2 hours while the variable is in the condition of applicability for the purpose of performing a Channel Test or Channel Calibration.

Applicability According to Table 3.2.4-a when the Facility is not Secured

Action According to Table 3.2.4

SR 3.2.4

1. Check that the ESFAS self-diagnostics indicate no failed modules weekly.

2. A Channel Check shall be performed on ESFAS instrument Channels listed in Table 3.2.4-a quarterly.
3. A Channel Calibration shall be performed on ESFAS instrument Channels listed in Table 3.2.4-a annually.
4. A Channel Test shall be performed on ESFAS instrument Channels listed in Table 3.2.4-a quarterly.

The scope of LCO 3.2.4 is for each channel beginning at the input devices and the trip determination portions of ESFAS, including the associated SFMs and hardwired modules (HWMs) up to the inputs to the SBVMs or SBMs addressed in LCO 3.2.2. Radiation monitors that provide inputs to ESFAS are addressed in LCO 3.7.1.

Proposed TS table 3.2.4-a, "ESFAS Process Instrumentation" provides the list of ESFAS instrument channels, the associated setpoints for each variable, and the minimum number of required channels. The ESFAS process variable instrumentation listed in table 3.2.4-a are required to initiate the safety functions described in SHINE FSAR Section 7.5.3.1. The table also provides a cross reference to the action steps detailed in TS table 3.2.4, "ESFAS Process Instrumentation Actions" for any process variable deemed inoperable and to the applicable SR for each variable.

Table 3.2.4-a ESFAS Process Instrumentation

Variable | Setpoint | Required Channels | Applicability | Action | SR
a. PVVS carbon delay bed exhaust temperature | 219°F | 2 (per delay bed) | Associated carbon delay bed Operating | 5, 6 | 2, 3
b. VTS vacuum header liquid detection | Liquid detected | 2 | Solution transfers using VTS in-progress | 3, 4 | 4
c. RDS liquid detection | Liquid detected | 2 | Solution transfers using VTS in-progress | 3, 4 | 4
d. PVVS flow | 7.1 SCFM | 3 | RPF Nitrogen Purge not Operating when the Facility is not Secured | 1, 2 | 2, 3
e. TSPS dissolution tank level | High level | 2 | Dissolution tank or TSPS glovebox contains uranium | 7, 8 | 4
f. Uninterruptible electrical power supply system (UPSS) loss of external power | Loss of Power; actuation delayed by 180 seconds | 2 | Any IU in Mode 1 or 2 | 9, 10 | 4
g. MEPS three-way valve position indication | Supplying | 2 (per valve) | Target solution present in the associated hot cell | 11, 12 | 4
h. IXP three-way valve position indication | Supplying | 2 (per valve) | Target solution present in the IXP hot cell | 11, 12 | 4
i. TPS target chamber supply pressure | 7.7 psia | 2 (per IU) | Tritium present in associated TPS process equipment and not in storage | 13, 14 | 2, 3
j. TPS target chamber exhaust pressure | 7.7 psia | 2 (per IU) | Tritium present in associated TPS process equipment and not in storage | 13, 14 | 2, 3

The NRC staff finds that, consistent with NUREG-1537, Appendix 14.1, this table specifies the setpoints, the minimum number of channels, and the operating mode, when the channels are required. The table 3.2.4-a setpoints are evaluated in Section 7.4.5 of this SER. The staff finds the setpoints are selected based on analytical limits and calculated to account for known uncertainties in accordance with the setpoint methodology (SER Section 0) and the variables are periodically functionally tested as required by SR 3.2.4. Table B-3.2.4, ESFAS Input Variable Allocation, provided in the bases for LCO 3.2.4, shows that more than one input device provides a signal to each SFM.

Based on the review of SHINE TSs Section 3.2, the NRC staff finds that LCO 3.2.2, SR 3.2.2, LCO 3.2.4, and SR 3.2.4 include the ESFAS logic, voting, actuation divisions, and instrumentation monitored by ESFAS as input to safety actuations. The staff also finds that the setpoint values in TS table 3.2.4-a of the SHINE proposed TSs are based on the SHINE setpoint calculations for the applicable ESFAS process variables.

Although not specifically discussed in this SER section, the NRC staff also reviewed TS 3.4.3, TS 3.4.4, TS 3.6.2, TS 3.8.9, and TS 3.8.10 related to the ESFAS. TS 3.4.3 ensures the operability of the safety-related tritium Confinement boundary isolation valves actuated on demand by ESFAS. TS 3.4.4 is related to operability of the supercell confinement dampers verified to close on demand from ESFAS annually. TS 3.6.2 ensures operability of the safety-related breakers required to support the ESFAS safety functions. LCO 3.8.9 monitors operability of the safety-related isolation dampers to ensure they are capable of closing on demand from ESFAS and LCO 3.8.10 monitors operability of the safety-related valves to ensure they are capable of opening or closing on demand from ESFAS. Based on information provided and reviewed, the staff finds these TSs acceptable.

Based on the review of SHINE TSs, the NRC staff finds that the LCOs and SRs discussed above help to ensure the operability of the ESFAS, including the ESFAS logic, voting, actuation divisions, and instrumentation monitored by ESFAS as input to safety actuations. Staff also finds that setpoint values of the SHINE Technical Specifications for the ESFAS are based on the SHINE setpoint calculations for the applicable process variables. Therefore, the staff finds the TSs related to the ESFAS acceptable.

7.4.10.4 Radiation Monitoring Technical Specifications

SHINE FSAR Section 7.7.1.4.3 states that the safety-related process radiation monitors are periodically tested and maintained in accordance with the TSs to verify operability. The surveillance frequencies for the safety-related process radiation monitoring instruments included in the TSs were selected consistent with the guidance provided in ANSI/ANS 15.1-2007, The Development of Technical Specifications for Research Reactors. The surveillance requirements for the safety-related process radiation monitoring instruments included in the TSs verify the operability of the channel from the safety-related process radiation monitor to the inputs to the SBVM or SBM located in the TRPS or ESFAS. Safety-related process radiation monitors located in a low background area are equipped with a check source to be able to verify proper operation. Startup-testing conditions and first use of safety-related RMS instrumentation are discussed in SHINE FSAR Section 12.11.2 and the startup plan is evaluated in Chapter 12, Conduct of Operations, of this SER.

SHINE TS Section 3.7 identifies the LCOs and SRs for the safety-related process radiation monitoring instruments and gaseous effluents.

LCO 3.7.1 and SR 3.7.1 address the safety-related radiation monitors used to detect elevated levels of radiation that may result in unwanted radiation exposure to workers or individual members of the public in excess of allowable limits, as described in SHINE FSAR Subsection 7.7.1. These radiation monitors also provide input to initiate safety functions specified by the SHINE safety analysis, as described in FSAR Sections 7.4.3.1 and 7.5.3.1.

The scope of LCO 3.7.1 extends from the radiation monitoring input devices (SFMs) to the inputs to the SBVMs or SBMs, to help ensure that radiation levels within the SHINE facility and radiation released to the environment remain below the limits of 10 CFR Part 20.

LCO 3.7.1 Radiation monitoring instruments listed in Table 3.7.1-a shall be Operable.

Note - Any single SFM may be bypassed for up to 2 hours while in the condition of applicability for the purpose of performing a Channel Calibration.

Applicability According to Table 3.7.1-a when the Facility is not Secured

Action According to Table 3.7.1

SR 3.7.1 1. A Channel Check shall be performed for radiation monitors monthly.

2. A Channel Calibration shall be performed for radiation monitors annually.

At least two channels of safety-related radiation monitors are provided for each monitored location, with some locations having three channels, as stated in SHINE FSAR table 7.7-1 and listed in TS table 3.7.1-a, Safety-Related Radiation Monitoring Instruments. Additionally, table B-3.7.1, Safety-Related Radiation Monitoring Input Allocation, identifies the SFMs assigned to each monitored location.

Table 3.7.1-a Safety-Related Radiation Monitoring Instruments

| | Monitored Location | Required Channels | Applicability (per IU, TPS train, or monitored location) | Action | Setpoint and Monitored Material |
|---|---|---|---|---|---|
| a. | RVZ1 supercell exhaust ventilation (PVVS hot cell) | 3 | RPF Nitrogen Purge not Operating when the Facility is not Secured | 1, 2, 3 | 7.6E-05 µCi/cc, Fission products |
| b. | RVZ1 supercell exhaust ventilation (Extraction and IXP hot cells) | 2 (per hot cell) | Target solution or radioactive process fluids present in the associated hot cell | 4, 5 | 7.6E-05 µCi/cc, Fission products |
| c. | RVZ1 supercell exhaust ventilation (Purification and Packaging hot cells) | 2 (per hot cell) | Radioisotope products or radioactive process fluids present in the associated hot cell | 4, 5 | 7.6E-05 µCi/cc, Fission products |
| d. | RVZ1 RCA exhaust | 3 | Facility not Secured | 1, 6, 7 | 1.3E-05 µCi/cc, Fission products |
| e. | RVZ2 RCA exhaust | 3 | Facility not Secured | 1, 6, 7 | 9.1E-07 µCi/cc, Fission products |
| f. | RVZ1e IU cell exhaust | 3 (per IU) | Associated IU in Mode 1, 2, 3, or 4 | 1, 8 | 9.6E-03 µCi/cc, Fission products |
| g. | TPS confinement A/B/C | 2 (per TPS train) | Tritium present in associated TPS process equipment and not in storage | 9 | 927 Ci/m3, Tritium |
| h. | TPS exhaust to facility stack | 3 | Tritium present in any TPS process equipment and not in storage | 1, 10 | 0.96 Ci/m3, Tritium |
| i. | MEPS heating loop extraction area A/B/C | 2 (per hot cell) | Target solution or radioactive process fluids present in the associated hot cell | 11, 12 | 1110 mR/hr, Fission products |

The SHINE proposed TS table 3.7.1-a provides the list of radiation monitoring points required by LCO 3.7.1 and the applicable mode when each input channel variable is required to be operable. The staff finds that, consistent with NUREG-1537, Part 1, Appendix 14.1, this table specifies the setpoints, the minimum number of channels, and the operating mode, when the channels are required. The table 3.7.1-a setpoints are evaluated in Section 7.4.7 of this SER.

The staff finds the setpoints are selected based on analytical limits and calculated to account for known uncertainties in accordance with the setpoint methodology (SER Section 0) and the variables are periodically functionally tested as required by SR 3.7.1. Table B-3.7.1, TRPS Input Variable Allocation, provided in the bases for LCO 3.7.1, shows the input device that provides a signal to each SFM for each division, consistent with the guidance in NUREG-1537, Part 2, Chapter 7.7 to show the I&C radiation detectors and monitors applicable to the anticipated sources of radiation.

The staff also reviewed SHINE proposed table 3.7.1, Safety-Related Radiation Monitor Actions. Proposed table 3.7.1 provides actions and completion times for when LCO 3.7.1 is not met and provides the deviations from LCO 3.7.1 that may be allowed under specified conditions, while restoring the system to operation. The staff finds the completion times specified in proposed table 3.7.1 allow for replacement of failed components, while limiting the amount of time equipment protected by the TRPS or ESFAS is allowed to operate with reduced safety system reliability.

Each safety-related radiation monitoring input has two or three required radiation monitoring instruments (SHINE TS table 3.7.1-a) and each monitoring input has two or three SFMs (SHINE TS table B-3.7.1). When any single radiation monitoring channel is inoperable for variables provided with three channels, the inoperable channel is required to be placed in trip within 2 hours, effectively changing the voting logic to 1-out-of-2, preserving the single failure protection.

For variables provided with only two channels, actuation of the safety function occurs on 1-out-of-2 voting logic. Each SFM can be placed in maintenance bypass or in a trip state by use of the out-of-service (OOS) switch and an associated trip/bypass switch located below the SFM, as described in SHINE FSAR Section 7.4.4.3. Normal actuation of the safety function occurs on 2-out-of-3 voting logic. However, when any single channel is inoperable, the SFM associated with the inoperable channel is required to be placed in trip within 2 hours, which changes the voting logic to 1-out-of-2, preserving the single failure protection.

The staff reviewed the action times of 72 hours to restore any one channel, which decrease when (a) the number of channels inoperable increases (12 hours for 2 channels and 1 hour for three channels) or (b) the prior condition completion time will not be met, and finds that the times appropriately address the various failure/testing conditions. Table 3.7.1-a states the required actions and a reasonable completion time for when a channel is declared inoperable due to an inoperable radiation monitor or when a channel is declared inoperable due to an inoperable module (SFM). TS 3.7.1 also permits rendering radiation monitoring channels inoperable in accordance with LCO 3.0.1.4 to facilitate resetting the TRPS or ESFAS to perform recovery actions or to satisfy required actions of an LCO. This functionality is reviewed by the staff in Section 7.4.2.1 of this SE.

The NRC staff finds that LCO 3.7.1, table 3.7.1, and table 3.7.1-a provide the conditions and actions required to help ensure that radiation levels within the facility and radiation released to the environment remain below applicable limits specified by the SHINE safety analysis. Therefore, the staff finds LCO 3.7.1, table 3.7.1, and table 3.7.1-a acceptable.

SR 3.7.1.1 provides for monthly checks and SR 3.7.1.2 for annual calibrations of the channels listed in table 3.7.1-a.

Per LCO 3.7.1, the radiation monitors are required to be operable continuously when the facility is not secured according to table 3.7.1-a. To allow the performance of SRs during operation, LCO 3.7.1 allows any single channel for any of the radiation monitoring instruments to be placed in bypass for up to two hours during performance of the required SR. The staff finds the two-hour time limit acceptable based on the small amount of time the channel is out of service and the fact that the voting logic is changed to 2-out-of-2 (with two other channels operable) or 1-out-of-1 (with one other channel operable), which continues protection under the LCO. The NRC staff finds that SR 3.7.1 prescribes the frequency and scope of surveillance to demonstrate the continued operability of the process variable instrument channels and that the maximum allowable surveillance intervals are consistent with the guidance in ANSI/ANS 15.1, Section 4, Surveillance requirements. Therefore, the staff finds SR 3.2.3 acceptable.
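The effect of placing a channel in trip versus bypass on the voting logic, as discussed above for LCO 3.7.1, can be worked through in a short model. This is an added illustration and is not part of the SER or of SHINE's design documentation; the `Ch` states and function names are assumptions, and a bypassed channel is modeled as contributing no vote while the actuation threshold stays unchanged.

```python
from enum import Enum

class Ch(Enum):
    OPERABLE = "operable"  # votes according to its own measurement
    TRIP = "trip"          # forced to vote "actuate"
    BYPASS = "bypass"      # removed from the vote (assumed model)

def threshold(n_channels):
    # Per the text: three-channel variables vote 2-out-of-3,
    # two-channel variables vote 1-out-of-2.
    return {3: 2, 2: 1}[n_channels]

def effective_logic(states):
    """Return (k, m): k further trips needed out of m channels still voting."""
    k = threshold(len(states)) - sum(s is Ch.TRIP for s in states)
    m = sum(s is Ch.OPERABLE for s in states)
    return max(k, 0), m

def actuates(states, demands):
    """demands[i] is True when channel i's measurement exceeds its setpoint."""
    votes = sum(s is Ch.TRIP or (s is Ch.OPERABLE and d)
                for s, d in zip(states, demands))
    return votes >= threshold(len(states))

def single_failure_tolerant(states):
    """True if a real demand still actuates when any one voting channel
    fails to trip (the single failure assumed in this model)."""
    k, m = effective_logic(states)
    return k == 0 or m - 1 >= k

if __name__ == "__main__":
    O, T, B = Ch.OPERABLE, Ch.TRIP, Ch.BYPASS
    cases = {
        "3 channels, all operable": [O, O, O],
        "3 channels, one in trip": [T, O, O],
        "3 channels, one in bypass": [B, O, O],
        "2 channels, all operable": [O, O],
        "2 channels, one in bypass": [B, O],
    }
    for name, states in cases.items():
        k, m = effective_logic(states)
        print(f"{name}: {k}-out-of-{m}, "
              f"single-failure tolerant: {single_failure_tolerant(states)}")
```

In this model the tripped channel leaves a 1-out-of-2 vote that still tolerates one failed channel, while the bypassed channel leaves 2-out-of-2 or 1-out-of-1, which does not; this matches the two-hour limit the LCO places on bypass.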

Based on the review of SHINE TSs applicable to the radiation monitoring equipment, the NRC staff finds that the LCOs and SRs help to ensure the operability of the TRPS, including the TRPS logic, voting, actuation divisions, and instrumentation monitored by TRPS as input to safety actuations. Staff also finds that setpoint values of the SHINE Technical Specifications for the TRPS are based on the SHINE setpoint calculations for the applicable process variables.

Therefore, the staff finds TS 3.7.1 related to radiation monitoring acceptable.

7.4.10.5 Conclusion

TSs are required by 10 CFR 50.34(b)(6)(vi) to be prepared in accordance with the requirements of 10 CFR 50.36. Under 10 CFR 50.36, the SHINE operating license application is required to include TSs that state the limits, limiting safety settings, operating conditions, and other requirements for facility operation to protect the environment and preserve the health and safety of the public.

The NRC staff reviewed the safety analyses and proposed TS submitted by SHINE on the of the design, testing, and operation of the proposed TS for TRPS, ESFAS and radiation monitoring instrumentation. Based on its evaluation of the information presented above, the NRC staff concludes:

  • The SHINE TSs for the TRPS, ESFAS, and radiation monitoring equipment satisfy 10 CFR 50.34 and 10 CFR 50.36 because they adequately provide reasonable assurance that the facility will be operable and will perform their designed functions as analyzed in the SHINE FSAR.
  • The SHINE TSs and surveillance tests for the TRPS, ESFAS, and radiation monitoring equipment appropriately address the guidance format and content of ANSI/ANS 15.1 as supplemented in NUREG-1537, Part 1, Appendix 14.1 for nonpower production and utilization facilities.

  • The SHINE TSs and surveillance tests for the TRPS, ESFAS, and radiation monitoring equipment, including surveillance tests and intervals, are based on analyses in the SHINE FSAR and help establish the necessary confidence in availability and reliable operation of detection channels and control elements and devices.

7.5 Review Findings

The NRC staff reviewed the descriptions and discussions of the SHINE facility I&C systems, as described in SHINE FSAR Chapter 7, as supplemented, against the applicable regulatory requirements and using appropriate regulatory guidance and acceptance criteria.

Based on its review of the information in the SHINE FSAR and independent confirmatory review, as appropriate, the NRC staff determined that:

(1) SHINE described the facility I&C systems and identified the major features or components incorporated therein for the protection of the health and safety of the public.

(2) The processes to be performed, the operating procedures, the facility and equipment, the use of the facility, and other TSs provide reasonable assurance that the applicant will comply with the applicable regulations in 10 CFR Part 50 and 10 CFR Part 20 and that the health and safety of the public will be protected.

(3) The issuance of an operating license for the facility would not be inimical to the common defense and security or to the health and safety of the public.

Based on the above determinations, the NRC staff finds that the descriptions and discussions of the SHINE facility I&C systems are sufficient and meet the applicable regulatory requirements and guidance and acceptance criteria for the issuance of an operating license.
