ML22278A068

Transcript of the Advisory Committee on Reactor Safeguards 698th Full Committee Meeting, September 9, 2022, Pages 1-180 (Open)
Issue date: 09/09/2022
From: Advisory Committee on Reactor Safeguards
To: Burkhart, L., Brown, C., ACRS
References: NRC-2076

Official Transcript of Proceedings
NUCLEAR REGULATORY COMMISSION

Title: Advisory Committee on Reactor Safeguards
Docket Number: (n/a)
Location: teleconference
Date: Friday, September 9, 2022
Work Order No.: NRC-2076
Pages 1-127

NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers
1716 14th Street, N.W.
Washington, D.C. 20009
(202) 234-4433

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W. (202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com

DISCLAIMER

UNITED STATES NUCLEAR REGULATORY COMMISSION'S
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS

The contents of this transcript of the proceeding of the United States Nuclear Regulatory Commission Advisory Committee on Reactor Safeguards, as reported herein, is a record of the discussions recorded at the meeting.

This transcript has not been reviewed, corrected, and edited, and it may contain inaccuracies.

UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION

+ + + + +

698TH MEETING
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
(ACRS)

+ + + + +

FRIDAY
SEPTEMBER 9, 2022

+ + + + +

The Advisory Committee met via videoconference at 1:00 p.m., Joy L. Rempe, Chairman, presiding.

COMMITTEE MEMBERS:

JOY L. REMPE, Chairman
WALTER L. KIRCHNER, Vice Chairman
DAVID A. PETTI, Member-at-Large
RONALD G. BALLINGER, Member
VICKI M. BIER, Member
CHARLES H. BROWN, JR., Member
VESNA B. DIMITRIJEVIC, Member
GREGORY H. HALNON, Member
JOSE A. MARCH-LEUBA, Member
MATTHEW W. SUNSERI, Member

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com

ACRS CONSULTANTS:

DENNIS BLEY
STEPHEN SCHULTZ

DESIGNATED FEDERAL OFFICIAL:

CHRISTOPHER BROWN

P R O C E E D I N G S

1:00 p.m.

CHAIRMAN REMPE: Okay, it's 1:00 p.m. on the East Coast, and we're back in session. And at this time, I'd like to ask Member Ballinger to lead us through the next topic.

MEMBER BALLINGER: Thank you, Madam Chairman. The topics this afternoon are from SHINE and the staff on cyber security, which is sprinkled throughout the documents and Chapter 14 on technical specifications. Let's see. The slides themselves, I don't see any slides that are closed --

CHAIRMAN REMPE: Ron, your mic is not on.

MEMBER BALLINGER: Rewinding, thank you, Madam Chair. And this afternoon we'll hear from SHINE and the staff on cyber security and Chapter 14 technical specifications.

The schedule calls for a closed session if needed. I don't see any slides from either the staff or SHINE that would be closed, so I suspect that unless we make some -- part of the discussion results in proprietary information being discussed, we will not need to have a closed -- closed session.

And let's see what else. I think that pretty much -- pretty much does it. I think we'll do cyber security first, and it's up and the SHINE folks are here. So does the staff -- Josh, you want to make any statement?

MR. BORROMEO: Sure, my name is Josh Borromeo, I'm Chief of the NPUF Licensing Branch here at the NRC. So thank you, ACRS, for your continued review on this project. It's really important, and I feel like we're working well together moving things along.

So today you'll hear about cyber security. This is -- this is unique because it's the first time we're applying cyber security to an NPUF. So this is first time application of this.

You'll also hear about tech specs today as well. The interesting thing about this part of the review was we're merging the research test reactor ANSI standard tech specs with the power reactor tech specs. So you'll hear aspects of that.

And then the last thing that we're planning on -- well, SHINE is planning on discussing today is software life cycle development. We wanted to give you a heads-up of where -- where that review was going.

The staff is still working on our safety evaluation for that. We're planning on presenting that at the October Subcommittee meeting, but we just wanted to give you a heads-up of a -- of a --

MEMBER BALLINGER: I think we have had brief discussions on that in the past, right?

MR. BORROMEO: Yeah, yeah, so at the Chapter 7 discussion, we touched on it. We'll touch on it again today, and that'll -- that'll come after the cyber discussion and the tech spec discussion.

MEMBER BALLINGER: And I just realized that we are lacking a key participant in this. Member Brown was here.

MS. ANTONESCU: I will try to get in touch with him, Ron.

MEMBER BALLINGER: Okay, thank you.

MR. BORROMEO: But that's all I have, and thank you for --

MEMBER BALLINGER: Thank you. So I think we should -- we should begin. And who's the presenter for SHINE?

MR. BARTELME: Good afternoon, this is Jeff Bartelme, I'll be -- I'll be presenting.

MEMBER BALLINGER: Oh, okay, all right, okay. Good enough. All right, I think we can proceed.

MR. BARTELME: Good afternoon again, this is Jeff Bartelme, SHINE's Director of Licensing, and I'll be presenting on the cyber security plan.

Just going to go over the outline here. This afternoon we'll be discussing requirements related to the SHINE cyber security plan and SHINE's consideration of cyber security through the design of the SHINE facility. Provide an overview of the SHINE development plan.

We'll discuss SHINE's approach to defining consequences of concern. Discuss SHINE's process for identification of critical digital assets, or CDAs and determination of their associated cyber security controls. And then lastly we'll just touch on a number of -- a couple of additional programmatic considerations, which SHINE has incorporated into the cyber security plan.

In terms of requirements to develop plan, there's no regulatory requirement for a medical isotope production facility like SHINE to establish a CDA-specific cyber security plan, nor does the application guidance direct the development of such a plan. However, preventing or limiting unauthorized physical and electronic access to digital assets has been considered throughout the design of the SHINE facility.

Just to note a couple examples of these considerations that are described in the licensing basis. PICS, the process integrated control system, provides information to the facility data and communications system via a one-way data diode such that no inputs can be provided to the PICS from offsite sources, as we described in the FSAR.

MEMBER BROWN: This is Charlie Brown. Would you back up and repeat that for me again?

MR. BARTELME: Sure. PICS, or the process integrated control system, provides --

MEMBER BROWN: Let me ask my question maybe a little clearer. The architecture diagram that I looked at has the, you know, your TRPS systems and the other systems isolated with the HIPS system, and it sends data up to the PICS. Are those data communications also isolated from the operating systems?

MS. KOLB: This is Catherine Kolb. Your question is -- is it -- is the question are the TRPS and ESFAS systems separated from the PICS? Is that the --

MEMBER BROWN: Oh, no, I know they're separated. They hit -- the one-line diagrams of the architecture that you showed, which was just fine, okay, shows data going from about six different parts of those systems, and with the little arrows that go into the -- a box that's called the PICS, you know, that's the process control stuff.

And I just wondered if that was one-way communication also at that point, that going into the PICS general architecture, whatever it is. That was my first question.

MS. KOLB: Yes, this is Catherine. Without, you know, looking at the diagram specifically, there is communication from the TRPS and ESFAS to the PICS. There is some communication from the PICS back to TRPS and ESFAS, you know, for -- for different reasons.

So it does -- it doesn't necessarily communicate on the exact, you know, on the same -- on the same variable in both directions. But the -- there is communication in both directions between those systems.

MEMBER BROWN: Okay, is that data, is that hardwired stuff like switches to activate, or is that literally instructions that are computer-driven?

MS. KOLB: The PICS system, you know, without -- we're looking at the diagram that I think you're referring to right now. It is not just hardwired switches.

MEMBER BROWN: Okay.

MS. KOLB: If there was an actuation in the TRPS or ESFAS systems, the PICS would be used to send information, you know, from the operator interface in order to reset after an actuation.

There is no mechanism for the TRPS or ESFAS to do that independently without X. You know, it -- I guess we, you know, we don't have all of the right people in the room to discuss the details --

MEMBER BROWN: Okay, I got it.

MS. KOLB: TRPS ESFAS communication, though.

MR. GETCHIUS: Charlie, this is Jamie Getchius, Senior Licensing Engineer.

MEMBER BROWN: Yeah.

MR. GETCHIUS: If you're looking at that diagram, the --

MEMBER BROWN: It's in my head right now, I don't have it.

MR. GETCHIUS: The lines that are shown in red depict unidirectional communication.

MEMBER BROWN: Oh, that was --

MR. GETCHIUS: What is shown on the --

MEMBER BROWN: Yeah, they come out of what's called the M -- MICM or something like that. I've forgotten what, it's a communication module for the HIPS system. And those were -- used to be they were unidirectional back when we looked at it in another project, and that's why I was asking the question.

MR. GETCHIUS: And they are still unidirectional.

MEMBER BROWN: Okay, that's fine. The next question I had, I just wanted to hit this before you went on through the rest of it. In a previous conversation, the -- I asked about the PICS, because it wasn't really discussed in the previous meeting. You know, that's separate subcommittee meeting.

And it was mentioned that the PICS operates with an ethernet run throughout the PICS, overall PICS setup. And I guess my question there was is that ethernet system connected to the internet and, you know, exterior, or is it only feeds internal stuff and stuff within the PICS itself.

MS. RADEL: This is Tracy. The PICS is not connected to any kind of external networks or --

MEMBER BROWN: Well, the ethernet is -- it's an internal network only and not connected external to the plant.

MS. RADEL: Correct.

MEMBER BROWN: Okay.

MEMBER BALLINGER: We have a separate subcommittee meeting on PICS.

MEMBER BROWN: I know that, but we're talking about cyber security. This is not cyber security, but it's how you communicate with the system. And therefore it embodies it if they connect, so I'm just trying to connect the dots to make sure I understand the picture of where you're flowing through with you, you know, with your presentation, that's all.

Go ahead, I'll -- you've calibrated me, and that's what I was looking for. Thank you.

MR. GETCHIUS: Okay. A couple other examples describe the licensing basis. Rack-mounted HIPS equipment is installed within locked cabinets. And access to TRPS and ESFAS safety-related control systems via the maintenance work station is password protected, as described in 74 -- Subsection 745 of the FSAR.

MEMBER BROWN: But that maintenance work station, from what I understand reading the other document was that's not connected out exterior either. That's a standalone operation that just connects back into those systems. Is that correct, is that correct to understand?

MR. GETCHIUS: That's correct.

MEMBER BROWN: Okay, thank you.

MR. BARTELME: All right, lastly physical access to digital assets is controlled via the access control strategy just described in the SHINE physical security plan.

Following a regulatory audit of SHINE's administrative and design controls for preventing or limiting unauthorized physical and electronic access to digital assets at the SHINE facility, the NRC staff informed SHINE of the decision to impose via license condition a requirement for SHINE to develop a CDA-specific cyber security plan and provided SHINE a number of elements that the plan should consider, including the sampling of elements shown on the -- on the slide here.

The SHINE cyber security plan contains the commitment for SHINE to establish, implement, and maintain a cyber security program to detect, protect against, and respond to a cyber attack capable of causing a consequence of concern. Cyber security plan documents the various, administrative, programmatic controls to prevent or limit the unauthorized physical and electronic access to CDAs.

As noted in this slide, SHINE defines a CDA, or critical digital asset, as a digital asset for which no alternate means has been identified to prevent the associated consequence of concern.

DR. BLEY: Can I interrupt you? It's Dennis Bley. When you folks did this, do you have an idea of how many critical digital assets you came up with and how burdensome was this analysis?

MR. BARTELME: The analysis is ongoing. We don't have that -- we're still working through the CDA identification process. Don't have a number yet, but burdensome, it's, you know, moderately burdensome. There's a number of digital assets that I'm working through the (audio interference) analysis. I think more timely than we expected, but not --

DR. BLEY: And the rules NRC set up for how you (audio interference) that's working pretty well for you?

MR. BARTELME: I think, yeah, utilizing the guidance, the draft guidance for fuel site facilities was helpful in, you know, in working through the process.

DR. BLEY: Okay, thanks.

MEMBER HALNON: This is Greg Halnon. Can you explain just briefly how you came up with your consequence of concern scenarios? I don't want you to actually go into the consequence of concerns, but was it a team effort, or was it a single effort, was it the contractor, how did you do that?

MR. BARTELME: We'll touch on that on the next slide.

MEMBER HALNON: Oh, okay.

MR. BARTELME: To touch on there, SHINE used the guidance of Draft Regulatory Guide DG-5062 and associated rulemaking documentation related to cyber security at fuel site facilities to inform the development of the SHINE cyber security plan.

SHINE evaluated the fuel cycle facility-specific guidance and incorporated and put the guidance into the SHINE cyber security plan in order to satisfy the elements identified by the NRC staff as needing to be addressed.

Through the development of the SHINE cyber security plan, SHINE held clarification calls and public meetings with the NRC staff to ensure those programmatic elements SHINE are proposing, such as the SHINE-defined consequence of concern, planned audit periodicities, and planned event tracking and event reporting were adequately based on the guidance of DG-5062 and met the intent of the planned license conditions to be imposed on SHINE.

MEMBER BROWN: This is the draft guide that's currently under -- that hasn't been turned into an official reg guide? Or you're talking about Reg Guide 5.71?

MR. BARTELME: It is not. We were using that June, June 20 -- or January 2017 draft.

MEMBER BROWN: Okay.

MR. BARTELME: Pre-decisional markings on that, yeah.

MEMBER BROWN: All right, so you all are at least focusing in on their levels of security, or I've forgotten what they call them, but the defense ring? You were using that as part of your planning?

MR. BARTELME: Not explicitly, though. They had discussions with the NRC staff on sort of, you know, the multilevel, you know, controls sets and defense-in-depth, but.

MEMBER BROWN: That's what I'm talking about.

MR. BARTELME: Okay.

MEMBER BROWN: All right, sounds like you're on that page anyway. All right, thank you.

MR. BARTELME: As shown in the slide here, SHINE-defined consequences of concern are adapted from the four types of consequences of concern for fuel site facilities identified in Table C-1 of DG-5062.

Consequences of concern have been adapted to the relative risk of the SHINE facility. Adaptations include modifying the active and latent safety consequences of concern to be relative to the SHINE safety criteria in lieu of the Part 70 performance requirements considered in the DG-5062.

And SHINE removed the latent security consequence of concern from consideration as SHINE does not possess classified information in relation to the operation -- to the operation of the SHINE facility.

SHINE uses the SHINE safety analysis summary report to identify active and latent safety consequences of concern in assessing the vulnerability of the SHINE facility from the direct result of a cyber attack or the result of a cyber attack in conjunction with a secondary event.

The use of the SHINE safety criteria in assessing active and latent safety consequences of concern provides a consistent consequence threshold and an existing evaluation of facility response to known hazards.

SHINE uses the physical security plan to identify latent safeguards consequences of concern providing an existing evaluation of site security strategies credited in the protecting of SNM of moderate strategic significance.

The SHINE process for identifying CDAs consisting of steps for a digital asset identification and performance of an alternate means analysis and ultimately the resulting determination of CDAs follows the guidance for vital digital asset identification in DG-5062.

This technical evaluation is led by SHINE's safety analysis organization and supplemented by responsible engineers of those systems containing digital assets associated consequences of concern.

As stated in the slide, the alternate means analysis performed -- alternate means analysis performed considers a function of the digital asset associated with the consequence of concern to determine whether -- determine when an alternate means exists to prevent the associated consequence of concern.

This alternate means (audio interference) various potential alternate means, including physical barriers, existing safety-related controls, other critical digital assets, and manual actions as candidates for credited alternate means.

If an alternate means of protection is identified for a digital asset, a brief description of the alternate means is provided in the SHINE technical evaluation.

MEMBER MARCH-LEUBA: This is Jose, can I ask a question now? Hello, can you hear me?

MR. BARTELME: Yes.

MEMBER MARCH-LEUBA: Yeah, okay, will the cyber attack that will prevent production for the next three months because it disables -- it does not produce a consequence of concern, but prevents you to delivering products for the next three months. Would you consider that a critical digital asset? Did you consider it?

MR. BARTELME: Based on the definition of consequence of concern, that would not be defined as a critical digital asset.

MEMBER MARCH-LEUBA: But in my mind, it's not just a monetary consequence to the company, it's a serious safety consequence to the hospitals that rely on your product. So I'm thinking whether you would consider protection of the production of this very important isotope sufficient to protect.

DR. BLEY: And this is Dennis Bley too, I want to chime in with Jose on this one. I suspect by orders of magnitude the possible health consequences to the public from an interruption of service could dwarf any radiological risk near the site. It seems to me we're being remiss in not looking at that.

MS. RADEL: So this is Tracy. You know, obviously, the -- meeting the patient needs is incredibly important to us, and we will be protecting, you know, protecting assets and our ability to meet those patients' needs.

But as far as, you know, the definition of critical digital assets and you know, protection of health and safety of the public, it's been a focus on those direct consequences from the facility versus downstream supply chain, you know, potential impacts.

We certainly do consider those aspects in how we -- how we design the facility for reliability and meeting our customer needs and the patient needs.

DR. BLEY: I want to speak maybe to the staff rather than you. You're following the rules exactly as you see them, but I want to take the staff back to the 1960s, when NRC considered no environmental hazards and ended up in a court case where NRC was essentially directed to include that in the future.

This strikes me as of the same nature, and I think the staff, and maybe the staff in consultation with the Commission, ought to perhaps reconsider how they're thinking about that in this case.

MEMBER MARCH-LEUBA: I mean, in defense of SHINE, I'm pretty sure they're going to protect all the equipment from cyber attack. I mean, even if you have an office, a shipping office somewhere in the middle of Washington, you protect your computers.

I'm concerned that these guys that are attacking you are very smart and they'll always find the weak link. And this is one that is obvious. Anyway, we put it on the record.

MR. BARTELME: Continue, lastly, if no alternate means of protection is identified for a digital asset associated with a consequence of concern, the digital asset is determined to be a CDA and appropriate cyber security controls are identified for protection of the CDA.

MEMBER BALLINGER: Let me make sure that I understand what Dennis is saying. What -- we're talking basically about two consequences of concern definitions, one related to the rules as they're written, the other related to the consequences of the cessation of the product on the customer. But that's a -- that's a very different thing, right?

DR. BLEY: It's very different, but to me, the analogy with environmental harm is a pretty good one. And you know, the Commission and the staff might say they have no justification in law for this. I think they need to look at that, I'm not a lawyer.

But of -- when you look at potential consequences of this facility, that strikes me as maybe the biggest consequence that can accrue. And the Committee advises the Commission, not just checks to see that all the rules are being carried out.

MEMBER HALNON: Dennis, this is Greg. The other analogy that bring more clear is the power-producing portion of the nuclear power plants were put under cyber controls because of the critical nature of maintaining base load power, especially during emergency situations.

So sort of the same thing, is it going to reduce the ability to make power. That's going to affect the public in a certain adverse way, henceforth, it deserves some level of protection.

DR. BLEY: Yeah, I almost brought that one up, Greg, I agree with you completely. But I think these two examples kind of clearly show that if we're thinking about consequences, there are other ones besides direct radiological consequences that are of great concern to the public, society, the government.

MEMBER BALLINGER: But to pull that string a little further with respect to the -- to a power plant output, the grid is --

PARTICIPANT: Point, because --

MEMBER BALLINGER: So that what you're saying is, is that if this were the only facility that can supply the product in a timely manner, that's one thing. And I don't know that that's the case or not.

DR. BLEY: Well, Ron, the grid's resilient, but despite that, over the last 40 years, there have been some very significant ties together taking parts of the grid down that have had massive consequences.

MEMBER HALNON: Right, but you're making the point, is that there are other power plants that could compensate for a loss of a single nuclear power plant, but there's no other isotope facilities that can make up for the loss of this isotope.

MEMBER MARCH-LEUBA: There will be. They're building some in the Netherlands.

CHAIRMAN REMPE: Well, okay, let's pull the string another way. We used to get, in more recent years, we used to get the moly-99 up from Canada or some place, right.

But there -- at one point, weren't we ever getting it from a place in the U.S., and we get other isotopes. I know at HER they have used it for isotope production.

Are we going to start, you know, saying that all isotopes for medical use are so important that all of the facilities need to be considered and have special requirements?

MEMBER MARCH-LEUBA: Well, if you have to -- if you get -- if you get a cancer and you're waiting for your CAT scan for -- or the PET scan, you consider it very important.

CHAIRMAN REMPE: Yeah, I just am thinking that, you know, I don't know. I --

MEMBER MARCH-LEUBA: In a sense, SHINE is a victim of their own success. I mean, they're so good.

CHAIRMAN REMPE: But what, okay, what about maintenance? If it takes it out, it's not a cyber security attack, what if they can't do their maintenance in a timely fashion?

MEMBER MARCH-LEUBA: Let me give you an example, okay. So they have some filtering beds for -- to clean up the tritium so the accelerator can work properly. If I -- and that's not a safety concern. If I gain control to that, access to that controller, I can mess up their beds so the tritium cannot be cleaned up.

So it has no, absolutely no millirem exposure whatsoever, but the plant is down.

CHAIRMAN REMPE: There may be other reasons we don't know yet that the plants go offline for three months because of something or other that didn't quite work as expected. So I'm not sure -- this is a can of worms.

MEMBER HALNON: Well, it's a can of worms, but it's not a can of worms for SHINE. It's whether or not we want to lay another regulatory requirement on top of it. And the NRC has decided not to or staff had decided not to.

MEMBER MARCH-LEUBA: I think, I mean, my -- in the letter, we should recommend to the staff that they need to look at it. I mean, we're raising it as a question, we don't have a solution. But this is a function of society, producing moly-99 of such importance that keeping it up and running is important to society.

CHAIRMAN REMPE: Maybe the NSA should run a couple of these facilities, it might be cheaper.

MEMBER BALLINGER: They are funding.

CHAIRMAN REMPE: Then we should put a regulation in just because another one might come online and it's not so important.

MEMBER BALLINGER: We have discovered it's another reason why I would -- why I like to be on this committee, learn something every day.

8 MEMBER KIRCHNER: I mean, one could take 9

this argument for a nuclear power plant. This is not 10 just for cable-ized grid, but for averted admissions.

11 But there has to be a line somewhere, I mean, and I 12 think the line here, it's a good point. Obviously a 13 very important societal benefit to this operating.

14 But at some point, you have to draw --

15 MEMBER HALNON: Well, I would say however, 16 we're in that situation right today. Right, because 17 they're not producing.

18 MEMBER BALLINGER: Remember, when Congress 19 considered the rule, the law supporting this, that 20 argument was made.

21 MEMBER HALNON: Yeah, but what I'm saying 22 is that loss of the grid is an emergency. And if loss 23 of moly-99 is an emergency from the SHINE facility, 24 we're in one right now. So, and we're surviving. So 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com

26 there is an alternate means available. Therefore, it 1

wouldn't even --

MEMBER MARCH-LEUBA: Once SHINE come into the operation, they're going to displace the other sources because they'll be more efficient. So those other conveyances are going to disappear.

Anyway, I'm sorry I brought it up, but it's important that we protect everything, not just the two or three that come up for this analysis. And I'm sure SHINE will protect everything.

MEMBER BALLINGER: Josh, I don't think you expected this line of question.

MR. BORROMEO: No, this took off in a different direction than what I was thinking, but it is a Friday afternoon. No, but I mean, this seems like a broader concern, right, and we certainly understand it.

MEMBER BALLINGER: Okay, can we continue?

MR. BARTELME: Yep. As stated on the previous slide, no alternate means of protection is identified for a digital asset associated with a consequence of concern. Appropriate cyber security controls are identified for protection of the CDA.

Utilizing the framework for control is offered NIST's special publication 853. CDAs are analyzed and multilayered cyber security control sets are tailored to each CDA.

Implementing procedures, identify and document the cyber security controls applicable to the identified CDAs. Implementing procedures document in part the configuration and operating environment for the CDAs. Measures taken to address the performance specifications associated with the identified cyber security controls and the verification process for cyber security controls.

MEMBER HALNON: And Jeff, this is Greg again. Was there any or is it in your process that you come across a digital asset that you just don't want to make a CDA that you would put an alternate means in relative to either a procedure or some other means of either monitoring or controlling?

MR. BARTELME: The approach for assessing alternate means is more, I think more of a top-down approach. We assess if the digital asset is associated with a consequence of concern, is there an alternate means of protecting that digital asset.

Less so of, you know, this is a critical digital that we don't want to protect, let's determine an alternate means. We haven't really sort of gone more that thought of approach it.

MEMBER HALNON: Okay, so you haven't -- you haven't, for lack of better terms, downgraded any CDAs to just asset, digital assets based on putting new or a different design or alternate means of place yet. I mean, is that on the table, though, to do that if down the road you see something that you're not sure you want to make a CDA?

MR. BARTELME: Yeah, per the, you know, the programmatic guides, if, you know, SHINE could establish a not yet existing alternate means for a CDA and then the technical evaluation would be -- would be updated to reflect that, just what new alternate means is or that developed alternate means for that -- what had previously been a CDA.

MEMBER HALNON: Okay, and one last question. In taking credit for operator actions, at the end, will you be doing an aggregate analysis to ensure that the operators are not overloaded with too many required actions as an -- as a potential cyber attack?

MR. BARTELME: We've not, you know, not got to that point of sort of cataloging or sort of, you know, looking in the aggregate of the alternate means. I don't know that we have any manual -- manual actions identified at this point right now. You know, right now my understanding we have not identified any manual actions that are being credited as alternate means.

MEMBER HALNON: Okay, I would encourage at the end of this to do some kind of aggregate analysis to make sure that, given a cyber attack, you're not overloading one control system, one, you know, expectations of something, or especially the operators that respond to the.

MR. BARTELME: Thank you. Lastly, the SHINE cyber security plan also provides for these additional programmatic controls offering temporary compensatory measures. Temporary compensatory measures are implemented.

It is determined that a cyber security controls -- or determined that cyber security controls are not meeting their defined performance specifications while new controls are developed, tested, and implemented.

Documentation is created for each compensatory measure that describes how the measure will effectively address the performance specifications of the cyber security control.

For configuration management, SHINE implements a facility-wide configuration management program, which includes cyber security considerations. Specific cyber security considerations and approval or disapproval of conclusions will be included in the documentation related to changes to a CDA.

Periodic review. Periodic review of the cyber security plan occurs at least every 36 months. The review includes an audit of the effectiveness and adequacy of the cyber security program, including, you know, roles, responsibilities, requirements, and management commitments to the program.

Changes made to implementing procedures. Use of alternate means in defense of our protection for digital assets. SHINE cyber security incident response capability. And configuration management.

Define these deficiencies and remediation actions resulting from the periodic review are tracked via SHINE's corrective action program.

In terms of event reporting, SHINE informs the NRC Operations Center at the time of making an event-based notification, as prescribed in Sections 5(A)(2) and 5(A)(3) of the technical specifications that the event is the result of a cyber attack.

If it's later discovered that a previously reportable event was a result of a cyber attack, SHINE notifies the NRC Operations Center within one hour of discovery that the previously reported event was the result of a cyber attack.

MEMBER BALLINGER: Okay, this is Ron Ballinger. In looking through all of the documents related to this and actually discussing, we've had -- we had discussions with something along these lines when we had our visit recently.

I may be a little paranoid, but I think that we're almost in never-never land when it comes to cyber security and that a periodic review every 36 months just doesn't seem -- that's a -- that's a long time for cyber.

And I'm wondering whether or not somebody maybe should consider kind of an ongoing, maybe you're doing it, kind of an ongoing, I'm not sure what you would call it, evaluation, if you will.

MEMBER MARCH-LEUBA: I kind of disagree with you. I mean, they're talking about plan, not the

MEMBER BALLINGER: Oh, the plan, okay.

MEMBER MARCH-LEUBA: Not the cyber -- I mean, obviously they're going to be -- there's going to be somebody in the plan that is cognizant of this topic, and they're going to implement on the patches and all the good stuff to make sure they stay on. So I think the plan doesn't need to change more than every three years.

MEMBER BALLINGER: Okay, so there is a mechanism by which there's an ongoing --

MEMBER MARCH-LEUBA: There better be.

MEMBER BALLINGER: Yeah, yeah.

MEMBER MARCH-LEUBA: You have your antivirus, it continuously monitor.

MR. BARTELME: Yeah, and, you know, broad responsibility within SHINE. But you know, we've got our IT team and others that are constantly saying -- staying aware of the threat environment and, you know, making any changes to implementing procedures or plan documents as need by.

The 36-month required is just sort of that, you know, really not to exceed timeframe, and the expectation is that we will be auditing the effectiveness of the plan at a more frequent basis than that.

MEMBER BALLINGER: Okay, I'm just, I'm kind of a layman here in that every time I start my cellphone up in the morning, there's a notification that there's like ten apps that need upgrading.

MR. BARTELME: There's always plenty of fixes.

MEMBER MARCH-LEUBA: And that -- and that won't happen in the plan because it's not connected to internet.

MEMBER BALLINGER: Okay. All right, all right.

MEMBER MARCH-LEUBA: It has to be done. Let me -- well, we're on tangents, we all think cyber security has been an internet attack, because I can do it from the comfort of my kitchen in Bulgaria, but there are many other vectors to use for cyber security attacks.

The obvious one is USB drives. But you have pulse -- like the famous hard drive that is manufactured in a foreign country and it comes with a flaw in firmware. Does the plan include all those unusual controls, non-internet controls?

MR. BARTELME: Yeah, without, you know, having not identified the specific cyber security controls, you know, for each CDA, you know, the technical evaluation doesn't have that level of detail right now.

But you know, with the NIST, you know, NIST -- NIST guidance and in discussions we've had internally, there will be -- where -- where portable media is required to be brought into the -- brought into the facility for any software updates or whatnot for a digital asset, you know, there are -- there would be considerations for -- for checking that in the chain of custody thereafter to ensure we don't introduce a vulnerability.

MEMBER MARCH-LEUBA: Yeah, my experience is with UF-6 enrichment facilities. And you get shot on site if they see with you two things: a bucket that can contain water and produce a criticality event, or a USB drive. Literally, they -- that thing cannot be seen within five miles of the -- of the fence.

Your cyber security plan should include non-standard attack vectors. You have to think about the possible scenarios that bad guy can attack you. And don't go paranoid, but be cognizant of all those ways that they can get you. Thank you.

MEMBER BALLINGER: That NIST document has a lot of.

MR. BARTELME: And then lastly, event tracking. Within 24 hours of the discovery, SHINE records and tracks to resolution any failure, compromise, discovered vulnerability or degradation that results in a decrease in effectiveness of a cyber security control or a cyber attack that compromises the CDA associated with a consequence of concern.

That's the end of the presentation. Any additional questions on the cyber security plan?

MEMBER KIRCHNER: Jeff, this is Walt Kirchner. This is kind of -- kind of a clear field or blank sheet of paper thinking. Thank you for the visit, or your colleagues for the visit to your facility last month. I was impressed with the facility.

And given the importance of your product, which we talked about earlier in this discussion, and guaranteeing, you know, the reliability of the facility to meet the demand, is there a way to just put an air gap on this facility?

What I mean by an air gap is just do not run anything in, and anything that goes out is unidirectional diode-protected. Do you really need to bring the internet into this facility? Or certainly within the -- well, both.

I'm trying to think where the line is for seismic and other external threat production. But is it feasible to air gap the facility and then things like Jose just mentioned are then where you spend your effort? To isolate this, make it an island unto itself?

MS. KOLB: Yeah, this is Catherine Kolb. The equipment, the systems that, you know, directly control plant equipment do have those unidirectional capabilities, right. So that then they're an axis from the outside if we're, you know, transmitting things to servers for data retention and things.

But you know, as to completely air gapping the facility, I mean, our document control system in, you know, company-wide. Some people at headquarters need to be able to use it as well as the people in the facility. So you know, email for internal communications.

So it's not practical for us to air gap, you know, some of the business software that we have, you know, for day-to-day email communication and data control.

MEMBER KIRCHNER: But that's what I worry about. Those become the vulnerabilities. I'm trying to think about it in a way that limits your effort in cataloging all the CDAs by trying to isolate the facility as much as possible.

Do you, you know, does corporate a couple of blocks away, where we had lunch, do they really need to be having any input into the plant? They can get the data coming out. But I'm just thinking about it philosophically in a way that makes you, well.

MS. KOLB: No, we --

MEMBER KIRCHNER: As possible to resist cyber events.

MS. KOLB: No, as Jeff talked about, you know, we've considered, we're considering, you know, different aspects of this and your point is well-taken. But.

MEMBER KIRCHNER: Email is a convenience. Email is also a distraction. Email is -- it's useful for exchanging information, maybe.

So I'm just saying that to the extent that you can eliminate things coming via internet in particular, as well as control access, then it makes the robustness of your cyber security plan not just with paper but the actual physical protections --

MEMBER MARCH-LEUBA: I think that what they're doing, they're creating an island protection system. And it's -- and their unidirectional diode is really good. Trying to isolate the business part, I mean, you have to be able to track the UPS truck that brings you there.

MEMBER KIRCHNER: Yeah.

MEMBER MARCH-LEUBA: You have to be able to order lunch from the restaurant next door. So --

MEMBER KIRCHNER: Do you? Do you?

MS. KOLB: Our engineering team is located in Headquarters, which is not inside the fence. So we -- I think we do need to be -- because people in the plant do need to be able to communicate with people that are in the Headquarters building.

MEMBER MARCH-LEUBA: Yeah, my concern is eventually you need to have one guy that is paranoid and is in charge of this. And everybody thinks of the internet because that's what we think about.

But I'm worrying about an instrument technician that has to go calibrating stuff and carries an iPod with him. And that iPod is connected to everything inside to do the calibration. You've got to make sure that iPod is sanitized before it goes anywhere.

USB drives, we all know about them now, but there are other portable media. You have to worry about everything. Okay.

MEMBER BIER: Just one example. I was in a classified meeting a couple of weeks ago where I was told that anybody wearing a Bluetooth hearing aid would need to remove it before entering the classified space. So.

CHAIRMAN REMPE: Sign language?

MEMBER BIER: I don't know. Fortunately I think it didn't come up in that case.

MEMBER MARCH-LEUBA: In classified, we spend the money and we -- and we really -- you know, all of the cables, yeah, that might get classified how you do it. But everything is regarded, absolutely.

MEMBER BALLINGER: This whole topic is fascinating and almost depressing sometimes. But okay, are there other questions from the members on this presentation?

Okay, so we need to shift to the staff's presentation. And would you like to go away for 15 minutes and then redo your presentation in light of the previous questions, or would you like to just keep on going?

MR. BORROMEO: We'll just keep on going, we'll do our best.

MEMBER BALLINGER: Okay.

MR. WARNER: All right, then I guess it's my turn. Good afternoon, my name is Dan Warner, I'm in the Cyber security Branch in the Division of Physical and Cyber security Policy in the Office of Nuclear Security Incident Response. And I have been responsible for the review of cyber security for SHINE. Next slide, please.

So kind of going back to where we came from. In September 2019, the Commission issued Staff Requirements Memorandum SRM-18-0063 for non-power production in the utilization facilities intending to possess or use a Category II quantity of special nuclear material for production of moly-99.

In the SRM, the Commission approved the staff's approach for addressing cyber security at these facilities through development of appropriate license conditions based on the facility's operating license application. SHINE is the first applicant to submit a license application that is subject to the requirements of this SRM.

So as far as how we went about developing. So staff reviewed the proposed rulemaking on cyber security for fuel cycle facilities and developed a similar for use of SHINE and similar facilities.

And just as a note, just for clarification, I think there might have been a little bit of confusion earlier. The draft guide that Jeff was discussing, DG-5062, is actually the draft guide for nuclear fuel facilities that goes along with the fuel cycle facility rulemaking. And that is what we were presenting as references that they could use when developing their cyber security plan.

Staff provided SHINE feedback to consider when identifying applicable consequences of concern, which are events that occur as a result of the compromise of a critical digital asset that have the potential to adversely impact public health and safety or common defense and security.

Staff reviewed the SHINE application, determined if there was adequate protections for CDAs that could result in a consequence of concern.

During our review, staff reviewed the final safety analysis report for discussions of cyber security with a focus on safety systems. Several sections discussed protections for the highly integrated protection system platform for safety systems.

FSAR Chapter 7, Section 7422 identifies protections with design criteria that target solution vessel reactivity protection system, and Section 7522 as similar design criteria for the engineered safety feature actuation system.

Both of these sections include criterion three that identifies the TRPS and ESFAS systems will incorporate design or administrative controls to prevent and limit unauthorized physical and electronic access to critical digital assets.

Also in the FSAR, FSAR Section 74532, title Cyber security Design Features, includes the information on a defensive system architecture, which includes features such as one-way isolated communication, outside safety systems, maintenance work station access only when a module is out of service, and no capability for remote access to the safety system.

In FSAR Section 74533, Access Control, it identifies several features that are used to restrict access, including physical keys to prevent unauthorized use, locked cabinets for rack matter equipment with administrative key control, modification or replacement of the field programmable gate arrays are restricted when installed in the HIPS chassis. And the FPGA modules only allow modifications of set points and tunable parameters that may require periodic modification.

We also reviewed as part of the application review process the physical security plan. We reviewed it to see if there's any information related to cyber security for the security systems. And then we performed a cyber security audit.

Staff conducted a regularly -- regulatory audit with SHINE to gather more information regarding cyber security. SHINE identified CDA access controls and protected features from the FSAR, but indicated there was no specific cyber security program at SHINE. For cyber security of physical security assets, SHINE only identified access of controls.

After the audit, we decided to issue a set of requests for additional information to SHINE based on the feedback received at the audit. We looking for information regarding the design, administrative, and programmatic controls that the SHINE cyber security plan will provide.

And also included how consequences of concern will be identified, how CDAs will be determined, how cyber security controls will be applied, and other programmatic controls to ensure the cyber security program is documented and maintained.

Staff reviewed the SHINE application and then held the regulatory audit, followed by issuing a set of RAIs to gather sufficient information to make a determination. Staff determined additional program elements were required to ensure adequate protection at the SHINE facility and developed a list of important cyber security program elements applicable to SHINE.

Staff developed the license condition to address these additional program elements and determined the issuance of a SHINE operating license as conditioned in part by the license condition will not be inimical to common defense and security or to the health and safety of the public. And therefore, meets the requirements of 10 CFR 5057, A(6).

So for the license condition, the licensee must have a CSP that describes how the facility's cyber security program provides reasonable assurance that digital computer and communication systems and networks are adequately protected against cyber attacks. This is similar to the approach followed in 10 CFR 7354.

The licensee may make a change to the CSP provided that the cyber security program elements in the license condition and the performance objection of the CSP remain met.

And then just one last note, the intent is to review the cyber security plan as part of the inspection process once a -- once a facility is doing the pre-operational inspections and then afterwards.

CHAIRMAN REMPE: So this is Joy, and I had a question. And again, maybe this is what's normally done, but I was stumbling over the beginning of the last paragraph of the draft SE where you had, The licensee may not make a change that would decrease the effectiveness of the CSP without a prior approval of the Commission.

The beginning of your slides, when you Commission, you're talking about the five Commissioners, are you talking about the five or however many Commissioners are on the Commission at the time, have to approve any changes, or is it the staff?

MR. WARNER: It is the staff, but that is the standard wording that is used when we are incorporating those. However, that wording has been removed after consultation with OGC, so that now it basically is just they may make a change as long as it doesn't -- as long as the performance objectives of the plan remain met.

CHAIRMAN REMPE: Oh, okay. So the version that we reviewed for this meeting, unless I grabbed the wrong one, is no longer the version that exists that we're supposed to be reviewing? Because I thought it got it from the website not too long ago.

MEMBER BALLINGER: We have a new FSAR.

CHAIRMAN REMPE: But this is the SE.

MR. BORROMEO: So we transmitted the small tweak from OGC, oh, a little bit ago, a week, couple weeks ago, so.

CHAIRMAN REMPE: Okay, I -- barely -- I may have grabbed a version that's not what Chris told me to review, and I don't know how that happened. But it's happened before.

MR. BORROMEO: Yeah, we'll make sure you get the correct version. I mean, the -- that was one change that we made, and there were some other small tweaks based off OGC feedback after that.

MEMBER BIER: Another question, this is Vicki Bier. You had said that you plan to review the cyber security program again at the time of operational commissioning, or whatever the term is. Is that a commitment that staff will review at that time, or is it one of a long list of things that staff might review at that time?

MR. BALAZIK: This is Mike Balazik, Project Manager for SHINE at the NRC. That's a -- it's an inspection module that we've identified that we will review for the pre-operational readiness. We've identified I'd say about a dozen modules, and cyber security is one of them.

So there's no, I guess there's no might in it. That is our inspection plan to look at cyber security in the implementation of the program.

MEMBER BIER: Thank you.

MEMBER BALLINGER: We just, apparently there's a bit of confusion of the version of the SE that we have, and we're trying to sort that out. We may have the current, not the current-current.

CHAIRMAN REMPE: Well, maybe I grabbed the right one and it changed.

MR. BORROMEO: Yeah, this is Josh Borromeo, Chief of the NPUF Licensing Branch. We -- OGC -- we're continuing to work with OGC to get a dialogue on these. OGC provided some feedback on it. We made some small tweaks, so we'll get you the right version. But there was a substantive changes to the one that you have versus the one that you'll see.

CHAIRMAN REMPE: But my concern that I tripped over has gone away is the other answer to my question. Thank you.

MEMBER MARCH-LEUBA: And this morning we were chastising one of our members for putting revision numbers on the documents.

MEMBER KIRCHNER: Ron, may I ask kind of a generic question. Dan, this is Walt Kirchner. I've -- so this guidance that the applicant's following, SHINE is following, basically derives the first order from what you apply with the -- to the fuel cycle facility.

So looking at the SHINE facility from what you know, how many -- you know, they have a lot of plumbing, a lot of actuators and so on. Much of this is obviously going to be modern, so it's going to be digital in one way or other.

How many critical digital assets do you think they'll have? Or do you put them into families?

MR. WARNER: At this point, I can't answer that question. Part of the reason we did it this way is we wanted to ensure that a solid program was being set up that would then be used to address the CDAs. As far as how many are going to be included, I can't say at this point.

MEMBER KIRCHNER: How many do you typically have in a fuel cycle facility?

MR. WARNER: I'm not sure, I haven't worked on a fuel cycle review. And actually, there hasn't been a review of that since the proposed rulemaking. It's still before the Commission.

MEMBER KIRCHNER: It just seems to me that there are a lot of digital-actuated valves, controllers, motors, pumps.

MEMBER BROWN: Might have a revision on what you're looking at. There's a lot of (audio interference).

MEMBER KIRCHNER: Yeah.

MEMBER BROWN: So I'm just saying if the plant and what they're doing and you look at the -- you know, the actions it has to take, the actuations, it wouldn't surprise me that every one of those probably has some type of a computer-based system. It just, particularly it depends on which system, if they've got an ethernet system that's set up.

I haven't even been able to figure out how they control those. Were they controlling them via the ethernet coming out whatever it is. It wasn't -- wasn't real clear. But I suspect that's a computer-based actuation. Because it's -- that's just my assumption right now.

MEMBER HALNON: Dan, this is Greg, and I got a question. SHINE mentioned that they were -- their program was informed by the DG-5062. Do you have, maybe it's subjective, do you have a feel for how well they complied with that or followed that relative to their program? Or are you approving a program that deviates quite a bit from that?

MR. WARNER: From what we reviewed and what we received in the RAI responses, I think they have -- what I've read is fairly consistent with what I read in the fuel cycle rulemaking in the draft guide.

MEMBER HALNON: Okay, so it's similar. When all that is issued, would you be able to say that they're reasonably in compliance with the regulation and the reg guide? I say reasonably to give you some wiggle room. I guess I'm looking, you know, are they setting up precedents?

MR. WARNER: I mean, to be honest, and I'm speaking for myself here, that is kind of what the intent of this was. We're in situation where we're going to have different types of facilities coming in that are going to be different than what we've typically regulated at the NRC.

And we are trying to put together an approach that will be a fairly generic approach that can be used at different types of facilities. You can even see a similar approach is being looked at for advanced reactors that will help provide some consistency when applying cyber security to these different types of facilities.

So the fuel cycle rulemaking has a lot of really good stuff. A lot of good work was put into it for the background, and I think it provides a decent framework that can be applied at different types of facilities fairly simply.

MEMBER HALNON: Okay, fair enough, thanks.

MEMBER KIRCHNER: Hi, Dan, this is Walt again. I'm kind of revisiting my question again. I'm just trying to think through this. Would you -- would you consider their PICS system as a whole, looking at it as a whole system, as the critical digital asset?

Or do you get down to each of the controllers for every valve, pump? I'm sure this is all modern equipment, so I'm sure they're going to be reliant on programmable logic devices, etc., etc.

So does it get down to that level, or can they put them together in families? Or could you just say the PICS system is the critical (audio interference). How do you get the right answer from your perspective, which is not to have a cyber incident result in a consequence of concern matter without making it a bureaucratic nightmare?

MR. WARNER: I mean, at this point, that's for SHINE to determine. It's our responsibility, and this is what we've done with power reactors, is set the program and put the program in place, and then allow the licensees to implement the program. And then we come and inspect to determine how well we think they're doing.

At this point, I cannot give an answer on this. It's really up to SHINE.

MEMBER BALLINGER: Yeah, this might be a better question to ask the SHINE folks. They're out there.

MS. RADEL: Yeah, this is Tracy. You know, the evaluation does get down to the individual component level. And you are able to group those components then when looking at the control sets applied to those digital assets. But it's evaluated down to the individual component level.

MEMBER MARCH-LEUBA: Yeah, but many of the modern actuators, they all have a microprocessor in -- built in. So did you go to the chip level or did you got to the component level? In the component level, PICS is a critical asset. It's one critical asset that has hundreds of components inside.

MS. RADEL: We went to the component level in it.

MEMBER BALLINGER: Okay.

MEMBER MARCH-LEUBA: This is to place a statement on the record. A comment before you close.

MEMBER BALLINGER: Sure.

MEMBER MARCH-LEUBA: Yeah, so this is going to be above the pay grade for everybody in the conference, so this is not an action item. But what I was saying before of denial of access for the production of the facility is something that is not part of the regulation. It's not part of the rule, it's not part of the license for operation. But it's something that maybe needs to be considered.

And I would like for the Committee to discuss it and maybe bring it up as one of the things that we propose to the Commission that is -- needs to be -- needs to be considered. For example, the attack they had on the Colonial Pipeline. Didn't kill anybody, didn't challenge anybody. We can spend a little more at the pump station. So it was a serious attack for society.

Same thing can happen with moly-99. And the approach we have of regulation, protecting a radiation dose that can challenge somebody's health is a must. It's a necessary condition. I'm asking is it sufficient.

And maybe we need, we as a committee, talking about the ACRS, need to discuss this among ourselves and propose it up. At least have people start thinking about it.

CHAIRMAN REMPE: So you're not really saying -- you may have a note in the letter that might say that some additional consideration might be given. But then you're also say, just like we have a couple of members, one's online still, saying the safety goal topic is something.

So this is something you'd like to consider beyond outside the scope of this. And that sounds like a working group that you should lead, but we can talk about that at P&P.

MEMBER MARCH-LEUBA: Let's not overdo the paperwork, but --

CHAIRMAN REMPE: No, but you want to discuss it or you want to like have a retreat or something to discuss it.

(Simultaneous speaking.)

MEMBER MARCH-LEUBA: Yeah, if ACRS --

CHAIRMAN REMPE: -- something for P&P to decide in the future.

MEMBER MARCH-LEUBA: If ACRS concerns itself only whether the regulation is satisfied, I don't think we're doing our job. We should be raising questions higher.

CHAIRMAN REMPE: So, P&P --

(Simultaneous speaking.)

MEMBER MARCH-LEUBA: We'll work offline. We don't need to do it on the record.

CHAIRMAN REMPE: Okay, thank you.

MEMBER MARCH-LEUBA: And it's not an action item for SHINE or the staff at this moment.

MEMBER BALLINGER: Okay, we're at a transition point where if there aren't any questions, additional questions related to the cyber security, we need to transition at least on the schedule to the technical spec presentation, and I guess my question to the staff is, with respect to the software lifecycle, where do you want to put that?

MR. BORROMEO: Oh, we can go after tech specs.

MEMBER BALLINGER: Okay, after that, okay.

MR. BORROMEO: Yeah, and that will be SHINE.

MEMBER BALLINGER: Okay, okay, got it.

MEMBER BROWN: Before you do that, addressing Jose's question? I'm trying to backtrack to the last, when we've had the discussions on one of the earlier projects.

All we really worked with -- and this is not a production facility like this. This was on the power plant, you know, for producing electricity. We focused on the protection system and what we call the plant systems, which were blocked off and shown coming into a network.

And what we did there was insist -- those were the control functions. That's where you turn stuff on and off and all that other kind of stuff. Anything that went into that network had to be, was a unidirectional type of thing.

And we got pushback on that because this was not -- that's a cyber security issue, but it's not really a cyber security issue because it's internal to the plant controls. You can't put cyber security software into the actuator for stuff like this.

You've got to isolate or not and that's what we -- you know, at least we got it isolated at the network level so that nothing would come through the network. It was all unidirectional going up to it.

Here, you've got a lot of other subsystems. I mean, in looking at Chapter 7, there's a bunch of stuff. I've forgotten the count, but it's a large number of --

MEMBER MARCH-LEUBA: Anything from air conditioning to the lights in the room.

MEMBER BROWN: That's why I asked the ethernet question. If you isolate the ethernet, then that's where the controls are operating from and then they go out. Now you've put yourself back into a case where you're dealing with physical security on access, people coming in and making changes.

If you connect that, any of that stuff to an outside source, then now you're dealing with a separate security system, and if you go through a network, you can deal with it at the network as long as the network goes backwards unidirectional back to those other things.

So, without seeing how this thing is hooked up, and if you go read 5.71, 5.71 addresses a lot of -- it even addresses the CDA can be a cell phone that somebody communicates with because it's got some type of a link that it can put some information someplace.

So, you can go way down in the weeds on this and it gets down to an individual basis. I tried to focus on the regular power plant stuff on isolating all of those with unidirectional transmissions, even up the main control room.

What we didn't get to do in the main control room, because we don't see the architecture of the main control room, how does that get out to the TSC? Well, we showed the TSC over here getting information only from the systems. So, if you have -- so, I mean --

MEMBER MARCH-LEUBA: My point, Charlie, is that there is more than one attack vector.

MEMBER BROWN: Oh, yeah, absolutely.

MEMBER MARCH-LEUBA: When I used to work in nonproliferation, I used to tell my sponsor that our meetings should be in Las Vegas and going to see every single magic show in Las Vegas, because if I control the stage, I can make an elephant disappear.

MEMBER BROWN: I agree with you.

MEMBER MARCH-LEUBA: It never worked. They never paid us to go, but it was a story. You have USB drives, you have fake components from Western Digital or from North Korea Digital. There are so many attack vectors, the famous aquarium in the casino, but this is more a topic for the work group, eventually. We shouldn't be wasting time, SHINE's time.

MEMBER BROWN: Well, but your question, I think, deals with us and we, I think, and how we discuss this. Any plant controls, safety controls, et cetera, none of those systems can you embed virus protection software because you've got to constantly update it, so somehow -- and we're not dealing --

We have not been able to convince people to separate the variables. In other words, here's a set of stuff and here is all of the other stuff in the plant that's not connected to the controls.

MEMBER MARCH-LEUBA: And these viruses are very difficult to detect because they activate only once.

MEMBER BROWN: And --

(Simultaneous speaking.)

MEMBER BROWN: And that's not -- you're always reacting. All cyber security software basically, other than some, are reactionary.

MEMBER MARCH-LEUBA: Definitely we need to set up a Friday afternoon for a work group.

CHAIRMAN REMPE: I think that this should be a working group topic and I think the chairman, chairmen of the working group, and you can figure it out, but let's talk at P&P because that's the way this process should work. That's at least my understanding of it, but yeah, I think it's worth exploring.

MEMBER BALLINGER: Okay.

MEMBER KIRCHNER: I don't want to belabor it, but I wanted to follow up on Charlie. So we're getting the PICS presentation in October?

MEMBER BALLINGER: Yes.

MEMBER KIRCHNER: So, the question I would ask just to prepare the SHINE people is I would be very interested in how that ethernet system is laid out for the plant, the equivalent of plant operations and controls, not the size on the trip protection system and the ESFAS system.

Because I think they could do a lot to make themselves not entirely immune, but first order much more secure. And as Charlie said, we in the past with power plants haven't been quite so worried about the balance of plant --

MEMBER MARCH-LEUBA: What SHINE needs and every facility needs is one person that is paranoid and looking over their shoulder all of the time that owns the problem, and unfortunately, the smaller the facilities they are, the less capability you have to have one person in charge of only one thing.

But what you need is somebody looking over their shoulder all of the time and asking questions. What can possibly go wrong? How can I attack this? I've said enough.

MEMBER BROWN: Well, we took a shot at trying to get -- I'm more worried about an NRC strategy and that if they -- we keep isolating systems that don't matter, but you've still got to protect where you can embed software and systems that have functionality in terms of the plant that can't have any of that.

Then there is -- and we keep getting one group talking, you know, past and through another group, and you can't set up a strategy for how you can deal with this and the plant types out of it, whereas in the business stuff, the other, you know, collecting records for maintenance or whatever it is, they can do whatever they want to.

You can embed stuff in there because you can let it be constantly updated and just pray that nothing happens, but you ought to be sweating bullets if it does.

And there's not a grand strategy. The 5.71 doesn't, it's got the zones, but it doesn't deal with the overall arching strategy of you can't embed software in control functions, virus software, can't do it.

Otherwise, if you can't do constant updates, you'll be constantly compromising that system and that's not recognized by the staff right now in terms of how we operate or how we deal with applicants and others.

MEMBER BALLINGER: Okay.

MEMBER BROWN: Is this on the record by the way?

MEMBER BALLINGER: Yes.

MEMBER BROWN: Good, because I'll forget what I said later.

MEMBER BALLINGER: With much fear and trepidation, are there any other questions from the members? Okay.

MEMBER BROWN: Has the staff presented on this yet? Are they going to present on this cyber part? Are they next? Oh, I saw the SHINE part.

MEMBER BALLINGER: Yeah, there's a reason why you didn't see the staff part.

(Simultaneous speaking.)

MEMBER BROWN: Did I really? I thought I had the slides up. That's okay.

CHAIRMAN REMPE: Let's go to the technical specification.

MEMBER BALLINGER: Can we work on this? Okay, so the SHINE people are up. Thank you very much, I hope.

MS. KOLB: Yeah, all right, this is Catherine Kolb, Senior Director of Operations for the SHINE facility and I'll be talking about technical specifications now.

So, we'll go over the different sections of our technical specifications, our proposed technical specifications, including the introduction, safety limits, and limiting safety system settings, limiting conditions of operation, surveillance requirements, design features, and administrative controls.

So, the technical specifications that we have proposed for our medical isotope production facilities, these are requirements of 10 CFR 50.36. We used guidance provided by ANSI/ANS-15.1, the standard for the development of technical specifications for research reactors, the guidance in NUREG-1537, and for rules of usage, we used NUREG-1431, which is the standard tech specs for Westinghouse plants.

And we'll talk about that in a little bit, how we used those, but overall, the technical specifications used those guidance documents, but also incorporate the safety-related controls that were identified in our SHINE safety analysis in order to implement them.

So, the introduction section of the tech specs includes the definitions and descriptions of logical connectors as well as some introductory paragraphs about the purpose and scope. So, the definition section is primarily based on the definitions that are provided in ANSI/ANS-15.1. We've made some facility-specific modifications of certain terms. For example, the definition of safe shutdown is specific to our facility. The definition of facility secured is specific to us, and we have added some new facility-specific terms. For example, we have defined what a neutron driver assembly system is for our main production facility and things along those lines.

The logical connector usage rules are based on the descriptions that are found in NUREG-1431.

MEMBER HALNON: Catherine, this is Greg. Did you use those because that's where you came from and they're familiar or was there a reason you went to the Westinghouse?

MS. KOLB: The parts that we used from 1431 are, you know, similar across most of the standard tech specs that we looked at, but, yes, the staff that was responsible for writing the tech specs were primarily, you know, Westinghouse power reactor background people.

MEMBER HALNON: Okay, thanks.

MS. KOLB: Next slide? And in terms of pressure and temperature for the irradiation unit primary system boundary and for process tanks containing irradiated uranyl sulfate solution in the radioisotope production facility, so there's different temperature and pressure actual limits depending on which piece of equipment it is, but those are all limits based on those types of parameters.

Eliminating safety system settings are the variables and their allowable set points for our safety-related entry control system. That would be the target solution vessel reactivity protection system or the TRPS, and then engineered safety features actuation system or the ESFAS, and these are defined to ensure that the automatic protected actions are initiated prior to exceeding any of the safety limits that we've identified.

The next section, Section 3 of our proposed tech specs, includes the limiting conditions for operation. Those are the administratively established constraints and our equipment and our operational characteristics. They define the lowest functional capability or performance level for safe operation of our facility.

The rules of usage, as I mentioned before, are based on NUREG-1431. We used power reactor guidance because the SHINE facility is a commercial entity. We have an expected operational cadence that is more similar to a continuously running power plant than to a typical research reactor.

So, we didn't use much of the, you know, technical items in the NUREG, but the front matter and, you know, the section in 3.0 where it describes how to use the limiting conditions of operation and how to use the tech specs. We used that quite liberally.

We have defined actions to be taken upon the discovery of a failure to meet an LCO and specified completion times are generally provided for each of the LCOs. That is different than a typical research reactor tech spec and much more like commercial power reactor tech specs because of the goal of the SHINE facility, which is 24/7 operation.

The LCOs provide -- we provide exceptions to the LCOs to allow the performance of specific startup tests. We discussed some of those at a previous ACRS meeting on how we need to measure different reactivity parameters. That is not possible following the normal usage LCOs, so we defined exceptions and compensatory measures in order to do those specific startup tests.

We've also included exceptions for the performance of defined recovery actions, so, for example, actor and actuation of the TRPS or ESFAS system in order to get back to an operational state in order to reset those things, those actuations, to reopen valves that had been closed. We needed some exceptions to our technical specifications.

Any questions on our approach to LCOs?

All right, we have also defined surveillance requirements. This, the format of how we did these is also similar to commercial power plants where we've identified surveillance requirements for, you know, one or more for each LCO.

Typical research reactor tech specs might have those in two separate sections even though they're interrelated. We have them on the same page. That is to increase readability and, you know, for human factors considerations so that it's clear which surveillance requirements apply to which LCOs.

The surveillance requirements describe the frequency and the scope of the surveillances that demonstrate the minimum performance levels for each LCO.

The frequencies that we chose, you know, how often the surveillance requirements need to be performed, those are generally based on the guidance in ANSI/ANS-15.1, the research reactor standard, where similar areas exist between equipment addressed in that standard and equipment used in the SHINE facility.

For the cases where there were no similarities in most cases, there were similarities, if not in specific instruments or specific components, in, you know, scope of what it's trying to accomplish, there were similarities there, so we used those, but in the couple of cases where there were no similarities to the research reactor ones, we did use industry experience and some commercial reactor guidance there.

The Section 4 of our technical specifications are design features. Those are the design characteristics of the site to the facility that are described in the tech specs to ensure that major alterations to our safety-related components or equipment are not made without appropriate safety reviews or prior approval if necessary.

The design features we have identified include descriptions of the sites and the location of our sites, physical characteristics of the main production facility, some important features of equipment that are assumed in the safety analysis such as efficiencies in the carbon delay beds, ventilation features, shielding characteristics that exist in our facility, how we've described the limit that we have on uranium enrichment, and our margin of subcriticality for areas outside of our target solution vessel.

MEMBER MARCH-LEUBA: Sorry, this is Jose. You've been talking for too long. On the margin for subcriticality, does the tech spec put in on terms of dollars or in terms of a measured power? Because subcriticality is very difficult to measure.

MS. RADEL: So, this is Tracy. That margin of subcriticality is related to the criticality safety program, so that is the required margin for our criticality safety calculations. It's not related to the reactivity in the target solution vessel.

MEMBER MARCH-LEUBA: So, why does it belong in tech specs? I mean, this is just an entity of calculations, right?

MS. RADEL: The specific margin was approved or is going to be approved as part of the criticality safety review, and I believe that it was included there as part of like originally some of the discussions with some of the criticality safety.

That was done a while ago. I'm not exactly sure of the discussions we had about why it was there, but it was of sufficient importance so that we wanted to put it in the technical specification --

(Simultaneous speaking.)

MEMBER MARCH-LEUBA: There is nothing wrong with being over-prescriptive. I was just wondering. I mean, it's okay. It's perfectly good to have it there.

MR. BALAZIK: This is Mike Balazik from the NRC staff. The ANSI 15.1 standard in design features actually talks about, it talks about effectiveness for storage, resident storage, so I think that kind of has a link with why SHINE put it there.

MEMBER MARCH-LEUBA: Yeah, I was asking why it's in tech specs, and normally an operator looks into an instrument, makes a reading and sees that it's within tech specs.

If it's an input to your subcriticality calculations, I mean, it's okay to have it there, but it doesn't make any -- you're never going to not satisfy it.

(Simultaneous speaking.)

MEMBER MARCH-LEUBA: There's nothing wrong with it.

MS. RADEL: Yeah, I think you're exactly right there. This is the design features portion of our tech specs, so most of the things listed in this section are things that aren't readily changeable by operators, you know, thickness of shielding and the fact that the site is located at this address, you know, things that aren't readily changeable by people except for major modifications, so that's why it's in this particular section.

MEMBER KIRCHNER: But your definition of design features includes components or equipment in the introduction there, and obviously you don't want someone going in and changing the diameter of pipe, for example, because that will impact the margin of subcriticality if it has a fissile fluid in it.

MS. RADEL: Yes, this is Tracy. That is correct. So, our margin of subcriticality is what defines our single parameter limit, which then define the size of our vessels and tanks, and rather than putting all of those, you know, tank diameters, thicknesses, and the link into tech specs, you know, we're able to capture all of that just by putting the margin of subcriticality that defines, ultimately defines those design features.

MEMBER BIER: Another question, for equipment that might be used either in operation or in a safety mode, but that would interfere with operation, are there procedures to bypass so that you can test them on a regular basis without interfering with production or whatever?

MS. RADEL: Yes, so things of that nature are defined in our Section 3 in the limiting conditions for operation section. For those instruments, you know, for example, that can't calibrate when you're not in the mode or other condition of applicability, we have put in provisions to the specific LCOs, you know, that the instrument can be bypassed for up to two hours in order to perform the surveillance requirements. Those are listed specifically to which instruments those apply to where you can't readily do it in other modes.

MEMBER BIER: Thank you.

MS. KOLB: All right, my last slide is about Section 5 of our proposed technical specifications.

So, this section mirrors the sections that we have in Chapter 12 of the FSAR that we covered in the conduct of ops ACRS presentation last time, and it includes the organization, the structure, our minimum facility staffing, selection and training of personnel, activities, and features of the review and audit committee that we have discussed, radiation safety program, procedures and rules about their usage and development at the SHINE facility, programs, which I'll come back to in a second, required actions for cases where if we exceeded safety limits or other specific reportable events, what the required actions are there, reports that we're required to make and records that we're required to keep.

The portion of Section 5 administrative controls that is different from Chapter 12 is in the program section. So, here is a list of mostly programs that were identified by our safety analysis as programmatic administrative controls.

These include things like maintenance and the fact that we have a nuclear criticality safety program, things of that nature to ensure that it is captured in our technical specifications and those programs be established, implemented, and maintained.

Under the configuration control program, one of the programs that we are required to have, we've also listed a table that includes features that were identified in the SSA as controls, in our safety analysis as controls, but didn't readily fit into the design features section of the technical specifications.

We did this to ensure that all of the credited safety-related controls that were identified in the SSA are somehow reflected in the technical specifications in order to ensure that they would be maintained and keep our bases behind the safety analysis.

And this is my final slide on technical specifications. Are there any other questions?

MEMBER BALLINGER: Hearing none, can we transition to the staff? While you're transitioning, this is one person's opinion on this. When we review a light water reactor, we pretty much all know what the technical specifications are likely to be, but in a facility like this, we don't know or there are certainly deviations.

And so, the order of review, waiting until this time to do Chapter 14 or at least part of it, to me is probably too late. It's probably not a bad idea to try to at least introduce the reviewers to the technical specifications so that we know, we each have the definitions, actually, and have some of that information even if we don't connect the dots until we actually hear a presentation on a chapter where those technical specifications are discussed.

So, it's just, for me, it's a lesson learned. It's like in Chapter 3.1, you know, the design criteria, it's kind of a better idea to have them up front than wait, so, just for our own personal information. So, okay, I'm not sure how the members might feel about that.

MEMBER SUNSERI: Excuse me, this is Matt. I just want to add, Ron, you know, I've had technical specifications as part of the FSAR since, I don't know when this was issued, but I guess it's an old operator habit in me that whenever I review a system or something, I always go check the tech specs.

So, I've been following them all throughout the course of this review and I just went -- I was thumbing through as Tracy was going through this and I think it was a very comprehensive set and, you know.

MEMBER BALLINGER: I mean, no doubt it's an extensive and comprehensive list.

MEMBER SUNSERI: So, I agree that perhaps an overview up front might have been helpful, but they have been available and they have been used throughout the review.

MEMBER BALLINGER: Yeah, yeah.

MR. BORROMEO: So, this is Josh Borromeo, Chief of the NPUF Licensing Branch. You know, this may be an artifact of the way that we do license renewals for research test reactors. We go through the up-front matter of the FSAR.

You know, all of the other chapters in the tech specs is usually last because the design is set and where they want to operate is set, and then we collect everything at the end. We did a similar thing here for SHINE.

So, you know, I can certainly understand your perspective on this and will take that into consideration.

MEMBER BALLINGER: Okay.

MR. BALAZIK: All right, can everybody hear me okay?

MEMBER BALLINGER: Yeah.

MR. BALAZIK: All right, good afternoon. My name is Balazik. I'm a project manager in the Office of Nuclear Reactor Regulation and I'll be presenting the staff's evaluation of SHINE's proposed technical specifications. Next slide, please?

So, I'm going to go through the regulatory basis real quick. 10 CFR 50.34 requires the applicant to include proposed tech specs prepared in accordance with the requirements as detailed in 50.36.

50.36 specifies what needs to be included in the tech specs and 10 CFR 50.40 and 50.57 specifies common standards and findings for issuance of an operating license. Next slide, please?

So, for this review, the staff utilized the guidance in 1537 and the interim staff guidance augmenting 1537, also ANSI-15.1, which is the guidance for the development of technical specifications for a research reactor. While we couldn't use all of the guidance contained within that document, there was a lot of similarities that we could apply to SHINE.

And as Catherine said earlier, unique to this review, the staff also used NUREG-1431, standard tech specs, and we use this for Westinghouse plants and we use this for review of the usage rules and the logic connectors in the action statements.

Most of the research and test reactor tech specs, a majority of them do not use action statement, logic connectors, or have completion times, so a little bit of a new review for us. Next slide, please?

First, I just quickly want to go through a summary of the application. The principal purpose of the tech specs is to maintain system performance and ensure safe operation of the facility, to promote public health and safety. These tech specs will be included with the license.

In Section 1, SHINE proposed a lot of standard tech specs that are in ANSI-15.1 and NUREG-1537, but SHINE did identify a lot of site-specific definitions, and they also described the use of logic connectors and/or with completion times.

In Section 2, SHINE proposed safety limits for both the utilization and production facility with limiting safety system settings to prevent the exceedance of those safety limits. Next slide, please?

In Section 3, SHINE proposed limiting conditions for operation and surveillance requirements with the application of usage rules, action statements, and completion times.

One item I did like that SHINE did is the combination of the LCOs and their surveillance requirements. I think it makes the tech specs a lot straightforward for the operators that are using them.

I think for a majority of the RTRs, it might be for all of them, but the tech specs of their surveillances are separated, so again, a little bit of a usability improvement here.

Tech spec Section 4.0, SHINE identified major design features. We talked about one earlier, the margin of subcriticality. And these are features that we don't want to be altered or modified that aren't captured in Sections 2 and 3 of the tech specs, so SHINE identified a lot of site-specific design features.

And 4 is mostly administrative controls. A lot of this aligned with ANSI-15.1, but SHINE did identify additional organizational and procedural control for the facility. Okay, next slide?

All right, so when the staff initially evaluated SHINE's proposed tech specs, it was Revision 5 that was submitted to the NRC on January 26 of this year.

And in earlier SE sections that we presented to ACRS, we first had the technical reviewers take a look at the tech specs, look at the values, and ensure that they found the values acceptable for tech specs, so that was like the early on review.

So, we had them look at Sections 2, 3, and 4, along with the surveillance requirements that are specified in tech specs. And so, based on a lot of the conversations or discussions with SHINE on the different chapters of the FSAR, you know, SHINE has been revising the tech specs throughout the process.

One thing I would like to add is there is one outstanding section of the tech specs that we still need to include in the evaluation and that's for digital I&C. It's tech spec Section 3.2 and we plan to present that to the ACRS members on October 21.

Okay, so the next step in our evaluation, the NRC licensing and project management staff, so that's the staff within DANU, and we also used the power reactor tech spec branch, we evaluated the tech specs in a different manner.

We looked to ensure the consistency, clarity, and formatting of the tech specs and mainly focused on definition, the logical connectors in tech spec Section 1, the usage rules in Section 3, and administrative controls in Section 5.

And the NRC did audit the tech specs and we are preparing an audit report. It should be issued by next week, and if ACRS members want to see that, we can share that report with them.

Based upon that audit, SHINE also, you know -- Holly, could you go back one slide? There's one thing I want to touch upon. Based upon that audit, there was, you know, a lot of discussions on the tech specs, and SHINE did revise the tech specs and they submitted a complete version of the tech specs, which is Revision 6, and that's the version that came in earlier this week that members saw pop up in their box.

Now, SHINE has shared this version with us earlier, but I just wanted to let members know that that's the version that showed up in ADAMS a couple of days ago.

MEMBER BIER: Quick question, is there either an audit report or a markup showing the difference in the tech specs?

MR. BALAZIK: Yeah, well, what we've done with the audit report is we have Revision 5 and we have comments out next to the tech specs, and so it's not going to show the strikeouts, but I guess you could compare the two and what we looked at, the comments we had, and then the adjustments that SHINE made, but it's not going to show the red line strikeouts.

MEMBER BIER: That's fine. Thank you.

MR. BALAZIK: Okay, so for the evaluation of findings and conclusions, SHINE's proposed tech specs are consistent with the guidance in NUREG-1537, and the ANSI Standard 15.1, and NUREG-1431.

As required by 1536, the SHINE operating license application includes a summary statement of the basis or the reason for the proposed tech specs. As required by 1536(b), the operating license application includes proposed tech specs derived from the analysis and evaluation included in the SHINE FSAR as supplemented.

The SHINE's tech specs specify safety limits on the wall, temperature, and the differential pressure across the primary system boundary, and the pressures within the process tanks containing the target material, and the connective piping, and to reasonably protect against uncontrolled release of reactivity and the specified limiting safety system settings that satisfy 50.36(c)(1).

SHINE's proposed tech specs include LCOs, limiting conditions for operation, which are the lowest functional capability for performance levels of equipment that are required for safe operation of the facility that meet the requirements of 50.36(c)(2). Next slide?

SHINE's proposed tech specs include surveillance requirements which relate to testing calibration to ensure the necessary quality of systems and components is maintained and that facility operation will be within the safety limits and the LCOs will be met to satisfy the requirements of 50.36(c)(3).

The tech specs also include design features or those features of the facility such as materials of construction, geometric arrangements, which, if altered, would have a significant effect on safety, and that satisfies 50.36(c)(4).

And SHINE also included administrative controls also which discuss the organization and management procedures, recordkeeping review and audits, and the necessary reporting to ensure operation of the facility is operating in a safe manner, and it satisfies C5 of 50.36.

And they also included requirements for initial notification, written reports, and records that satisfy 50.36(c)(1)(2) and (7), and also identified special reports to be reported in accordance with 50.36(c)(8).

And also that the issuance of the operating license for the facility would not be inimical to the common defense or security, or to the health and safety of the public.

One thing I would like to add is that as a result of Revision 6 of the tech specs, the staff will need to go back and evaluate any impact to the previous SE chapters.

For example, I don't remember exactly when we were presented Chapter 4. I think that was in the spring of this year. While none of the technical values have been impacted, some of the wording has been, and that was to ensure clarity and consistency of the tech specs.

So, the staff will go back and take a look at that wording to make sure it's consistent with Rev 6. If the staff does identify any, I'll say significant impacts, we can present that information to the ACRS members during the October 21 subcommittee meeting.

That is my last slide. I don't know if there's any additional questions that I could answer.

One thing, Professor Ballinger, I would like to add is we did have the technical staff take a look at the tech specs early on, but we wanted to make sure that those FSAR chapters, SE chapters, you know, that they were satisfied with those before we moved on with the tech specs.

So, we did have an early look at them even though I know we're presenting them today, but there's been lots of changes that have happened over the last couple of years for tech specs.

MEMBER BALLINGER: Yeah, I would have assumed that. Okay, thank you. Okay, we're at the end of this phase or section if you will. Are there questions from the members?

Okay, if that's the case, then we have one more presentation and that's by the SHINE folks related to life cycle overview, and so I don't -- who is going to do that presentation?

MR. BARTELME: Jeff Bartelme from SHINE. We're just, we're waiting. We're running ahead of schedule here, so we're just waiting on the -- oh, I see. Jason, are you here?

MR. POTTORF: Yes, I'm on, Jeff.

MEMBER BALLINGER: Okay.

MR. BARTELME: With the slides shared, we can get started.

MR. POTTORF: Do you want me to share the slides or are you going to do that on your side, Jeff?

MR. BARTELME: I'll share them. I'm just getting them pulled up.

MR. POTTORF: Okay.

MR. BARTELME: All right, can everyone see the slides?

MEMBER BALLINGER: Okay, we're ready to go.

MR. BARTELME: All right, go ahead, Jason.

MR. POTTORF: All right, good afternoon, everyone. This is Jason Pottorf with Rock Creek Innovations. I'm the Director of Engineering here.

Today, I'm going to give an overview of the programmable logic lifecycle process that we implement here at Rock Creek, and I want to start off here on this first slide by pointing out that the programmable logic development is a part of our overall system design and control process for Rock Creek.

The programmable lifecycle process includes five phases, starting with planning and then requirements, design, implementation, and test.

During the planning phase is where we will identify all system level requirements and trace those into customer requirements and documents that are provided from, say, SHINE from the TRPS and ESFAS system.

I want to point out that the V&V activities that we do for programmable logic development is performed in accordance with IEEE Standard 1012, 2004 version, and we will create a V&V plan for every project that provides a clear mapping of what we're doing in our lifecycle to those tasks and activities in IEEE Standard 1012. Next slide, please?

So, this figure here is a really high level figure to show kind of how we approach an overall system development, you know, that consists of both hardware and programmable logic.

So, we start out there in the beginning in a planning phase, and that really covers both hardware and programmable logic where we'll identify system level requirements, and then after we complete that first planning phase is where we split the lifecycle kind of into a hardware path and a programmable logic path.

The programmable path there is shown in green and that coincides with what we call the system design phase. So, in the system design phase, we'll be developing things like hardware design specs for the individual HIPS modules that are needed for a specific application.

And then we have a separate programmable logic lifecycle that we go through for all of the modules, and it's important to know that we actually implement the full programmable logic lifecycle for every individual FPGA that will go on a separate module.

So, say, for example, a safety function module, we will implement the entire programmable logic lifecycle with the requirements phase, design phase, implementation phase, and test phase for that module, and we'll do it separately for every module.

You know, and that makes sense because if you look at a HIPS-based system, each of the FPGAs that are implemented on a module operates completely autonomously from each other, so we take the approach that we can develop the requirements for that module separately, create the logic, and do all of the testing, implement it on that hardware and then test that hardware separately for each module.

MEMBER MARCH-LEUBA: Can I interrupt you? This is Jose. Is there a feedback loop from the test phase to any of the previous three?

Even all the way to requirements, when you test and you find out that you cannot meet the requirements or that you probably need additional requirements, design, or implementation? So, does your plan for lifecycle plan have feedback loops?

MR. POTTORF: Yes, absolutely, yeah, all through each step of the lifecycle for programmable logic, you know, V&V will be performing testing and doing reviews of the design activities, and should they find any anomalies or specific tests that are failed, yeah, that would then trigger us to go back up and make modifications, you know, either all the way up to, say, system requirements at the top, or at the programmable logic level, we would go back and update requirements and then go back through the phases.

MEMBER MARCH-LEUBA: I do know it is human nature, but none of us like to do documentation. Whenever something like this happens, your plan requires extensive documentation of what happened, why it happened, and how it was solved? Because failures are full of good intentions, last-minute modifications and things like that.

MR. POTTORF: Yeah, absolutely, we will -- we do maintain configuration control of all of our documentation and we would be required to go back through and update all of that documentation.

MEMBER MARCH-LEUBA: I'm not saying keep the documentation as built, but keeping the documentation of what failed and probably a root cause of why it failed, and making you think through it, something that you want to just go and fix it because you know this full loop was not properly closed or something like this, but trying to learn from the mistakes.

MR. POTTORF: Oh, yeah, definitely, we would certainly, as part of our programmable logic development process, you know, we'll categorize any anomalies found, you know, based on severity, and then we'll also, you know, we also have your corrective program as part of our quality assurance program for Rock Creek where we would identify any specific issues or major issues like that where we would want to do a root cause analysis and get that fixed in our program, definitely, yeah.

MEMBER MARCH-LEUBA: You used the right key words, corrective action. That's the way to go. Thank you.

MR. POTTORF: Yeah, you bet. So, once we complete that programmable logic set of phases for each module and complete it for all of the modules that in the system, then we can move on down into those lower boxes there where we would integrate.

At that point, we would then consider each module to be a piece of hardware. We would have fully tested the logic that was implemented in the hardware and then move into integrating different modules into chassis, chassis into cabinets, and then cabinets together and testing them. So, those activities would then be performed in what we call the system implementation and test phase there.

The rest of my presentation will primarily focus on the green boxes here. I do have, I want to say three slides where I talk about the details of what we do in the planning phase, and then I have a single slide of each of the green boxes here, and then my final slide kind of covers those last two, the system implementation and test phase.

MEMBER BROWN: Can I ask you a question before you go on? You can finish what you're doing, but I just didn't want you to skip it before I ask a question.

MR. POTTORF: Yeah, sure, go ahead.

MEMBER BROWN: After you finish the modules, you've got the modules assembled into a system, and this is, I think, down in your implementation and system test phase, is there some way you, not model, but is kind of a little engineering model setup where you have the inputs and then you have a mockup of some type of thing that you're trying to control the system you're trying to control, you know, a motor starts, or a valve opens, or something moves something from point A to point B?

Have you got a little mockup to show that you get the proper outputs before it ever gets into the plant or is the plant the actual first combinational overall system test?

MR. POTTORF: So, yeah, we would definitely -- that type of testing would be performed down there at that system test phase. We actually use speed good equipment which --

MEMBER BROWN: I don't know what that is. Is that a software system that you can program to look like your final actuated system?

MR. POTTORF: Yeah, it's basically a set of equipment where we can provide simulated inputs, whether those are 4 to 20s, or R2D, or discrete inputs --

MEMBER BROWN: Okay.

MR. POTTORF: -- and then also receive real-time, you know, outputs from the system, providing real-time inputs and outputs to the system and then running through kind of those system level tests to simulate operation of the actual equipment.

MEMBER BROWN: Okay, and that's before you actually go down into the plant when it's built and doing your overall installation and confirmation tests?

MR. POTTORF: Yeah, that's --

MEMBER BROWN: That's probably a wise thing to do. That's why I asked.

MR. POTTORF: Yeah, definitely.

MEMBER BROWN: Okay, thank you.

MEMBER MARCH-LEUBA: Before you get comfortable and start going back again to your presentation, I know we're talking about software lifecycle mostly because that is a well-defined term, but are you planning for hardware obsolescence? And what I'm thinking is the reason there aren't that many customers for a HIPS system.

Are you planning 25 years from now there won't be a supplier for it and then how are you going to maintain your system for 40 to 60 years? Is this part of the lifecycle analysis?

MR. POTTORF: Not explicitly, and I would say the FPGA-based modules lend themselves quite well to managing that kind of obsolescence down the road. You know, and the way that we would do that, when we -- so we actually have diverse FPGAs, so different types of FPGAs from different vendors that we're implementing across the division of the TRPS and ESFAS.

So, when we go through logic development, requirements phase and design phase, and then at the very beginning of the implementation phase is where we will generate hardware description language from the logic models that are created in the design phase.

That hardware description language is agnostic of the hardware that it actually gets implemented on in the implementation phase. So, you know, for now, what we're implementing for, say, TRPS and ESFAS is specific to, say, Intel or Xilinx FPGA. That hardware description language, that HDL code really isn't specific to any of that hardware.

So, say, 25 years from now, you know, whatever the available hardware is, that HDL is really a generic implementation of logic in whatever the hardware happens to be.

So, yeah, there would be some work required down the road for whatever that hardware looks like 20 or 30 years from now, but it lends itself to being able to implement the exact same logic on whatever the hardware ends up being.

I don't know, Gregg, if you want to jump in here and provide any more on that topic?

MR. CLARKSON: Yeah, I can jump in on that. Yeah, actually the obsolescence issue is one of the key reasons we wanted to target utilizing FPGAs, and so there's, you know, in addition to what Jason said, there's another aspect to this and that is make the design as simple as possible.

So, the rest of the supporting hardware on a module or on a circuit board, make that as simple as possible and reduce the component count as much as you can, and that just, that translates to less hardware obsolescence issues down the road.

So, get the logic all put into the HDL, the hardware description language, the test factors, you know, all of the stuff that's required to describe the logic, and then test for the logic is completely portable so that ten years from now, you can target a different FPGA or a different type of device, in fact, and retain the design exactly as-is and the test factors exactly as-is, you know, on their first deployment.

MEMBER MARCH-LEUBA: Have you given any thought of -- I mean, we're designing plants for 40, 60 years, and I was watching on the plane a Big Bang Theory show where he keeps his most important file on an eight-and-a-half-inch floppy. You cannot read it.

So, do you have any configuration control? I mean, are all of these files stored in somebody's hard drive or -- it's not easy to ensure that you'll have access to these things and be able to read them and understand them in, what, in 2080.

MR. CLARKSON: Yeah, we take a systematic approach to that. So, everything that we do is within what we call a repository, a version control system. See, so that's important so that you keep everything together that's required for a project, so if you happen to pick it up 20 years from now, you would have all of the files.

But then the question arises, well, what about the applications to look at the files and, you know, many, many, many other concerns that you have?

So, the systematic approach is to have everything captured in a repository, create, you know, virtual machines of the entire environment, including the applications required to view those files, you know, and make that to where it's as portable as possible.

But then finally, there's nothing that can replace just good documentation. We call them artifacts, but they are, in fact, the documents that come out of this process.

The specifications, the logic descriptions, the logic drawings, all of that, keep that also as a hard copy and just, you know, really make sure you capture all of those artifacts so that worst-case if all you had was that hard copy, you would have the exact logic implemented. You would have the exact listing of the test factors.

You know, you'd have to go recreate them in another tool at that time, but you could recreate it, and that's what's important.

5 MEMBER BROWN: You're going to keep paper 6

in other words?

7 MR. CLARKSON: That's right. We're going 8

to keep something to where somebody can look at it 9

physically and not rely on a three-and-a-half-inch 10 floppy from eBay, you know, to make sure it works.

MEMBER BROWN: I ask that question for two reasons because Jose's comment about the floppy rang a bell. I mean, I still have my Windows XP computer that I bought back in 19, I don't know, '98 or something like that and I can still read my floppies fortunately. But that's an interesting way to do it, the paper with the HDL. I guess the way you're doing it, you can do that fairly well.

One of my worries in a previous program, and I don't know that you'll face this or not because this was a software-based system not a FPGA-based system, was even the language in which you do your programming in becomes obsolete.

Right now, it's C++, so we developed standard modules to perform functions so that we knew what the inputs and outputs were, and then we could program that module even if D++ came along and it actually worked. It was kind of a generic approach. Otherwise, the cost was going to drive us crazy. I'm talking 100 applications to put this in, not just one plant.

MEMBER MARCH-LEUBA: But I'm glad --

MEMBER BROWN: So, you guys seem to be on the right track from what I can see. Thank you.

MEMBER MARCH-LEUBA: I'm glad you're thinking about this even though it's not the standard for lifecycle and making some thoughts and effort into it.

Because with the old large light-water reactors and you had your I&C, you just pulled the card, take a picture of it, and reverse engineering. You just look at the coils and the resistors and figure out what resistor you have in there.

MEMBER BROWN: Even the integrated circuits and --

MEMBER MARCH-LEUBA: Yeah.

MEMBER BROWN: -- even the logic circuits, you could do that with.

MEMBER MARCH-LEUBA: But now systems are so complex that unless you document it ahead of time, two years from now, you won't be able to do it, so please do a good job of keeping records. Thank you.

MR. CLARKSON: Yeah, a key thing, you know, Charlie, to go along with what you said there on the software system, the key difference between an FPGA-based system or a logic-based system and a software system is, you know, when you get the software, ultimately it comes down to its machine code for whatever the underlying machine that it was -- you know, whether you read it in C++, FORTRAN, or PASCAL, whatever the programming language was, it ultimately gets compiled down into machine code, but if you don't have the underlying machine to execute it, it doesn't do you any good.

What's neat about the FPGAs is what results in the FPGA is actual logic, you know, gate level logic. So, I could presumably go and build a fully hardware version of what's in that FPGA using individual logic gates.

So, you're not reliant on that underlying, you know, software machine, you know, the computer if you will, and so it makes it much more like hardware. You're designing hardware, you know, with a hardware result.

So, it gives you a lot -- and you can do a simpler design that way and it gives you just a lot of tools to deal with that future obsolescence that you know you're going to see. It's just part of it.

MEMBER BROWN: No, I really like, I do like the FPGA approach to doing this stuff. I found in my other program even changing the compiler to compile your code can screw up the functionality of what you're trying to accomplish.

That actually happened. That's why I can make that statement. So, we had to find a way around that. You can do it, just we didn't think of it before. Everybody thinks you compile the code. You compile the code. You get ones and zeroes and --

MEMBER MARCH-LEUBA: You probably won't understand me, but what you have to do is disable optimizations.

PARTICIPANT: Okay, yeah.

(Laughter.)

MEMBER BROWN: Okay, well, thank you. Thank you for the explanation and the expansion of the comment. Thank you.

MR. POTTORF: All right, if we're ready to move on, I guess we can jump to the end of the planning phase. This is fairly standard stuff here. We start out within the life cycle is design and review, reviewing all -- all things provided from the customer which is SHINE in this case. I have a list here of typical things that we would review and put under configuration control at the start of a project.

For SHINE's TRPS and ESFAS, those main inputs for us are their design criteria documents, as well as their functional requirement specs, that we would bring in and put under configuration control.

Next slide.

So what we do, we start out by creating a design input list, what we call the design input list to formally track those documents that are the requirements for the system design. Anything that we receive informally from the customer, we would track that as an unverified assumption so we have what we call our UVA process to track anything like that and our life cycle does require that before we do any kind of baselining of program and logic testing or system testing that we must have closed all of those unverified assumptions that might be created during a project.

Also, in the planning phase, we will create all of the plans that drive the work for the life cycle so -- and I have those listed here. We create a quality assurance plan, programming and logical development plan. That document would specify all of the individual FPGAs that we're going to develop logic for and test in the system.

We'll create a configuration management plan, separate V&V plan that covers V&V of all the program and logic. We'll create a qualification plan, if required, and a separate test plan as well for all testing activities.

Then we also do a security assessment. We do have a HIPS platform security plan and in the security assessment what we do there is evaluate the proposed system architecture for cyber security vulnerabilities and how we're going to address those in the system, and identify any security-related requirements for the system there.

Next slide.

Then the next important design documents that we create in the planning phase would be a system requirements spec. So this is where we're taking those high level system requirements from SHINE, say for the TRPS and ESFAS, and detailing those out into atomic testable requirements for the system, both hardware and programmable logic and user or programmatic-type requirements for the system design.

So we'll document that in our SyRS system requirement spec and we'll establish traceability from each of those requirements up to SHINE's input, design input documents.

Once we complete a system requirements spec, then we create a system design specification. And this is where we identify the -- all of the individual components for the HIPS-based system. So any divisions, cabinet chassis, and modules that will comprise the system. And this is where we will allocate those system requirements to those individual pieces of hardware so we know which programmable logic requirements are going to be implemented on which FPGAs or modules.

That system design spec will include listing of all inputs and outputs for each piece of hardware, including the tag names and descriptions of them, what are the types of the signals and the ranges for those inputs and outputs.

Any questions on planning phase before I move on?

If not, next slide.

So now we move into programmable logic specific phases. And so these activities are, as I showed in that figure before, they are performed in conjunction with the system design phase. It includes requirements of the design implementation and tests for programmable logic.

For each of those four phases, we will create -- the V&V organization will create phase summary reports as part of the formal exit criteria for moving on to the next phase in the life cycle. As I mentioned before, we do implement this entire life cycle for each field programmable gate array, the logic gets implemented on each one. And we do perform all of the logic development activities within Rock Creek's secure development environment and the isolated development network.

Next slide.

For the programmable logic requirements phase, this is where we are documenting all of the programmable logic requirements for a given FPGA. This is to translate those system level requirements into the specific detailed programmable logic requirements.

As I mentioned before, we create a separate VLRS for each FPGA within the system. We establish feasibility for each of those programmable logic requirements up to the system requirements spec at that time. These requirements are required to be adequate enough to support the implementation and verification of the design.

In each of the programmable logic requirements specs, we do provide a virtual description of the logic functions and provide the level of detail to implement that verification of the design. So the programmable logic requirements and their associated traceability are independently reviewed by our V&V organization where they would provide any anomalies identified associated with those and then those would be required to be addressed by the design organization.

Next slide.

So the next phase, programmable logic design phase. During this phase, we'll create at least one logic model associated with each programmable logic design spec. For an application, it should be a one-to-one. For every programmable logic requirements spec, we'll create a programmable logical design spec in one single model to implement all the logic for that programmable logic requirements spec.

The programmable logic design spec provides a description of the logic architecture, control logic, any data structures, I/O format, interfaces needed for that logic, and algorithms necessary to implement the programmable logic requirements. These logic models are developed following formal modeling standards, as well as Rock Creek's model based development procedure.

Review of the logic model is then performed by V&V to verify that it meets the requirements and then the V&V organization would perform the programmable logic testing for that specific model. The results of that testing would then be reviewed by the design organization to validate that meets the requirements.

There are two levels of testing that we perform for the logic. So we have a HIPS platform core logic that we logic that we develop separately that would be used. These are kind of library blocks of logic that we would expect to be implemented in just about every application. We will combine those HIPS library blocks, logic library blocks, with logic blocks that we create that are specific to the application for the system. So for say a TRPS system for SHINE, we'll create a separate set of logic to implement that logic specifically. We'll test that separately and then we'll integrate it with the HIPS platform library blocks and then test the integration of those together.

Also in this design phase is where we would begin preparation for testing of the logic once it is implemented in hardware. And so this includes what we call a module test plan and test designs.

The module test is -- would be akin to what is normally called a system-acceptance testing for like a typical software-based system where you're implementing, you know, kind of one piece of software for an entire system. Once you implement all that software into hardware and you do your final acceptance testing, that would be akin to what we are calling the module test because of -- because each module is autonomous and independently operates of itself, we do that kind of acceptance testing at the module level here, so that's what we call module tests. And so in this phase is where we start to create those test plans and test designs to perform that once the logic is implemented in hardware.

Next slide.

MEMBER MARCH-LEUBA: Before you go on, did you're talking about all the testing -- first, an observation, are you using future tense for almost everything? We didn't towards the end of the project, right? When are we going to have a final anything? And I see this stuff is right or you want them to answer?

MR. BORROMEO: Yes, we can certainly answer. So where we're cutting off the licensing review is the requirements phase and then the rest of the phase we'll look at it in the oversight phase. This is similar to the framework that we've used for HIPS.

MEMBER MARCH-LEUBA: What kind of scale are we talking about? Are we talking Christmas? Are we talking 2055?

MR. BORROMEO: So they're on track to be completed with the requirements phase in October.

MEMBER MARCH-LEUBA: All right. So my next question is related to this. FPGAs are not -- this is for SHINE. If FPGAs are not as vulnerable as software systems to memory leaks, database collection, things that build up over time, so whenever we have a module finalized, I would like to see for at least a couple of months before I declare it -- as part of the testing, there should be an extended burnout to ensure that whatever FPGAs are vulnerable over heat up or damage over time, get tested.

I wouldn't feel comfortable with less than two months with any of my equipment. What do you think, SHINE, Jason?

MR. POTTORF: Gregg, you want to tackle that one?

You know, what I would say we've had -- so we've developed all the hardware already for the TRPS and ESFAS. And we've put out preliminary versions, sometimes multiple versions of the programmable logic models and implemented those. So we've actually had a golden -- what we call a golden unit which is with preliminary sets of logic implemented and running on the actual hardware so -- and we've had that running for close to two years now, I believe.

I would also say, you know, this same type of hardware and logic was implemented at Wolf Creek and has been running there since Gregg -- that would have been 2010, '11-ish?

MR. CLARKSON: 2009, but to answer -- I hear the question and yes, so one of the approaches we take, as like Jason mentioned, is we build what we call a golden unit as early in the project as we can, even back into the conceptual phases of the project so that as you're capturing the system requirements, system design, allocating that out down into the individual modules and allocating that programmable logic, you can conceptually start to implement early instances of that logic into the hardware and run it, you know, and see it running and see it interacting.

So this golden unit evolves through the project all the way to the end when you finalize the design and you have your final logic for each of the individual modules implemented into the hardware and then all running as a final, final system.

So it gets you that, like you said, those counter overruns or stack -- in this case, we're not stacks or EAPs or anything because we don't have executable code, but it gets you those timing element aspects a good look at those to make sure you don't have any unexpected temporal effects of the system running.

MEMBER MARCH-LEUBA: Yes, when do software, you always get surprised when you're running more than a few hours. Memory leaks build up. Whenever you do design instrumentation I have all these fights with everybody else because I want to reboot every night, say I can test the equipment I send you for 24 hours guarantee, we'll go for 24 hours, but no more than that. So then I will reboot. And everybody was supposed to dial completely because that's what I tested it for.

So certainly when we have the final, let's make sure we run it for a week or two, not just a spur of the moment.

Another question, with respect to cosmic rays and high-energetic cosmic rays, is there any component on FPGA that could slip a bit and give you the wrong output? If I send you a single event extra gamma ray.

MR. CLARKSON: Yes, so if you have like a single event upset or a single upset or however you want to state that, so you know, what that would do is that would impact some physical portion of the silicon on the device. And so presumably, it would take out a transistor or a group of transistors.

So one of the things that we do is we develop three legs of the logic in the upper portion of the system, what we call a safety function module. We develop three individual instances of logic that are physically independent from one another and then that three legs of the safety data bus we call it or the safety path, that stays intact through the whole system all the way down to what we call the equipment interface module. That's very effective for a lot of different reasons, but one of them is it's very effective against a single event upset situation. So that if you had a cosmic ray or something -- mutual bombardment, you come in and you take out some physical aspect of that -- of a particular FPGA. That logic that's associated with that physical aspect will no longer function properly. It will then behave differently than the other two that weren't impacted by that physical event. And you'll be able to detect that.

MEMBER MARCH-LEUBA: Yes. Just remember that SHINE is going to be very unusual, there's going to be an awful lot of 14 MeV neutrons running around. I imagine you have a lot of shielding, but there's going to be a lot of 14 MeV neutrons out there. So we may have -- you may have to consider final testing for single event scenarios. 14 MeV neutrons are very difficult to shield, believe me.

Okay, those are all my questions. Thank you.

MR. POTTORF: Okay, sounds good. Next slide.

So next phase would be implementation of the programmable logic in the hardware is where we're integrating the logic to the target hardware. During this phase, the beginning of this phase, we will generate the hardware description language code from the logic models and trace each of those code statements to programmable logic design model elements.

V&V will review and analyze that code to ensure compliance with the requirements and then we will perform synthesis and the placement routing of the code and do a review and analysis of that activity as well, the results of that.

Also, after that during this phase, the designer would generate all the programming data and program-specific FPGA hardware.

At the end of this phase, we would then finish up the planning activities for testing of all of the programmable logic, so we will be do post-synthesis testings. We'll create the test plans, designs, cases, and procedures to perform the post-synthesis testing, as well as develop the specific module test cases and test procedures.

Next slide.

And in the programmable logic test phase, this is where we'll execute those -- the post-synthesis testing and generate the reports, as well as perform the final module testing once the logic is implemented in hardware -- and produce those test reports as well.

Once all of that is complete, then V&V will prepare what we call module final report, summarizing all of the V&V activities associated with each of the programming logic -- each programmable logic that gets implemented on each FPGA, so the outputs from this phase are sure to be complete and approved. This is the control point before we move on into that system portion of our overall life cycle where we do the system integration of hardware components and testing of that.

Next slide.

So this is the -- kind of summarizes those two blocks at the end of the figure I showed earlier wherein the system implementation phase is where we'll integrate all the different hardware components. So this will be a programmed HIPS modules, installing those in the chassis and those chassis in the cabinets and do the integration testing, consistent testing, and acceptance testing. So we'll have some separate tests for -- specific to integration of hardware. What we call system testing, that will be more specific to proving that we've met our HIPS platform requirements whereas our acceptance testing is more for proving that we've met all of SHINE's TRPS and ESFAS functional requirements for the system.

So the test cases and procedures for performing for tests are prepared and approved during the implementation phase which would then lead to executing those test cases and procedures in the system test phase.

All the hardware and programmable logic design must be baseline prior to performing the system acceptance testing in the system test phase. We call that our test baseline. Once we create a test baseline, that is where we are required in our process to begin formal design change control.

That is really it for the presentation. Any questions?

If not, I'll turn it back over.

MEMBER BALLINGER: Okay, curiosity question. Jason, have you ever fished in Rock Creek?

MR. POTTORF: What's the question?

MEMBER BALLINGER: It's a Friday afternoon question. Have you ever fished Rock Creek in Montana?

MR. POTTORF: I have not.

MEMBER BALLINGER: Put it on your list. Beautiful place.

MR. POTTORF: All right, will do.

CHAIRMAN REMPE: So Member Ballinger, I have a question, but it's not on this particular topic. It pertains to all three of the topics discussed today.

MEMBER BALLINGER: Yes.

CHAIRMAN REMPE: I'm thinking about the memos and when the lead members will be providing their memos to you. And because you're going to be gone during October full committee week, I'd suggest that the decision be made that that November 15th subcommittee meeting be used to discuss the memos. And I believe that's allowed, but Larry Burkhart can weigh in and say yes or no, but I think since the memos were kind of out of our normal routine, then you could have that during that --

MEMBER BALLINGER: I'm responsible for one of them.

CHAIRMAN REMPE: Well, yes, so that's why I'm bringing it up now because it's different folks that are responsible for them. Is that --

MEMBER BALLINGER: That's fine. It's just that we now need to expand the -- from half day to a full day.

CHAIRMAN REMPE: Well, there's a tentative subcommittee meeting for the 15th, and you're going to be talking about the letter and we could do a full day or something earlier, but that's why I'm bringing it up now because the SHINE folks as well as the staff may want to be present.

MEMBER BALLINGER: Yes, that's fine.

CHAIRMAN REMPE: And Larry, are you out there? And do you want to start then in the morning on the 15th instead of the afternoon?

MEMBER BALLINGER: I don't have the --

CHAIRMAN REMPE: It's Tuesday, November 15th and it's currently scheduled -- we're going to be in-person to start at 1 p.m.

MEMBER BALLINGER: I'm just trying to get at the October --

MR. BURKHART: This is Larry. What's the question?

MEMBER BALLINGER: The October subcommittee is virtual, right?

CHAIRMAN REMPE: The October subcommittee is virtual and it's on PICS in the phased approach and it's a whole day. You're going to be gone. And normally, we would do this at the full committee meeting.

MEMBER BALLINGER: I'll be here for the October subcommittee meeting.

CHAIRMAN REMPE: Yes, you'll be gone during the October full committee meeting and you've got these memos, there's three topics. And so are there three memos? Is that a correct assumption?

MEMBER BALLINGER: I don't -- there's definitely two. I don't know about the life cycle. That's not a chapter.

CHAIRMAN REMPE: Okay, so maybe just two memos. And so if that's the case, I don't think you don't have need to have an agenda change or the time start change.

MEMBER MARCH-LEUBA: I think Josh wants to say something.

MR. BORROMEO: Yes, so life cycle will be part of Chapter 7.

MEMBER BALLINGER: Okay, so there may -- that's Charlie's.

MR. BORROMEO: Yes, that's software life cycle.

MEMBER BROWN: I don't remember reading it when I read Chapter 7.

MEMBER MARCH-LEUBA: It's under development. We need the SER.

MR. BORROMEO: We're well aware.

MEMBER BALLINGER: So we have to do a little offline talking.

MEMBER BROWN: A lot of offline talking because we'll bring up the other issues. Let's go ahead and finish this.

MEMBER MARCH-LEUBA: No, let's finish this because I have a delicate question for SHINE.

MEMBER BROWN: What was Joy talking about? We're talking about?

MEMBER BALLINGER: She's suggesting that we have -- whatever product we produce by way of a memo for this discussion, gets presented and talked about during the November --

CHAIRMAN REMPE: November subcommittee.

MEMBER BALLINGER: November subcommittee. We have a half day.

CHAIRMAN REMPE: You have the November full committee week that we can discuss it, too. It's up to you, but I just was wondering when will this be discussing, it won't be during October. I'm just trying to figure it out.

Yes, we have five letters. November is very full. We don't have SHINE on the agenda.

MEMBER BROWN: Is there another memo on this for the discussion? You're talking about these little memos, we talked about?

MEMBER MARCH-LEUBA: Yes, and it should be part of Chapter 7 and as I told you earlier many times since I was in the Army and you never volunteer for nothing, but I want to volunteer to send you a paragraph or two on this.

MEMBER BROWN: Right now, I've got 1.152 Chapter 7, CCF; and I've still got some Chapter 7 thing that I'm supposed to do plus the PICS is coming up in another two weeks.

MEMBER MARCH-LEUBA: I'll send you two paragraphs on life cycle for you to attach to the letter for November.

CHAIRMAN REMPE: We're not talking about November full committee week. We have too many things going on. We're talking about November subcommittee week.

MEMBER BROWN: I'm looking at the little green box. I call that the rainbow chart.

CHAIRMAN REMPE: Good. That's what you should -- yes, and so -- it's either that -- I mean the full letter gets done December full committee week, and so that's not the time to do it.

MEMBER BALLINGER: Okay, yes.

MEMBER BROWN: I read all of Chapter 7.

MR. BORROMEO: So this is in the FSAR Chapter 7. The staff has not yet completed their review of life cycle.

MEMBER BALLINGER: Okay, so now my question is when?

MR. BORROMEO: October 21st. So the plan that we were aware of was we're going to -- because there was a lot of questions last time, we wanted to grease the skids -- this is what life cycle looks like.

MEMBER BALLINGER: Oh, I see. Okay.

MR. BORROMEO: So right now, you don't have an SER from us.

MEMBER BALLINGER: So life cycle is just a separate issue. We're talking about now cyber security and the tech spec.

MR. BORROMEO: Those are done.

MEMBER BALLINGER: Okay. So now let's get back to the --

CHAIRMAN REMPE: You have two memos, cyber security and tech specs, during the November subcommittee on the 15th.

MEMBER BALLINGER: Now wait a minute, we will have -- we will have had a discussion of -- we will have had a presentation on the PICS in October, right? So we're talking about November three, at least three memos because now we have to include the PICS.

CHAIRMAN REMPE: So you'll have three memos during November 15th subcommittee meeting. Now I hear you're going to get a chapter 7 SDE on October 21. When is that discussion going to occur? Will there be any other discussion?

MEMBER BALLINGER: That's out of sight of any --

MR. BORROMEO: So for Chapter 7, we presented the safety related system, the RPS&S.

MEMBER BALLINGER: Yes.

MR. BORROMEO: Right? We have life cycle and case that's still outstanding.

MEMBER BALLINGER: Okay.

CHAIRMAN REMPE: So then by December, you're going to -- are you going to have a memo on Chapter 7 or are you just going to go gung-ho for the final letter and not have a memo in Chapter 7?

MEMBER BALLINGER: It's a piece of Chapter 7.

CHAIRMAN REMPE: Okay, so we have to have -- we won't have any other memo on all of this stuff.

MEMBER BALLINGER: Right.

CHAIRMAN REMPE: We're just going to go gung-ho for the final letter.

MEMBER PETTI: But the only question it might be given the timing most expeditious is to just take a couple of paragraphs as Jose has agreed and put it and modify it -- go with another revision of the Chapter 7 memo that exists.

MEMBER BROWN: But there is no -- I haven't written it --

MEMBER PETTI: Oh, you haven't written it yet.

MEMBER BROWN: No, I just got the template for it two days ago, three days ago, whenever Chris sent me a template.

MEMBER BALLINGER: Well, now we have an opportunity because if you can supply a couple (audio interference) to Charlie, you can kill two birds with one stone.

MEMBER BROWN: I don't mind merging them, it's just --

CHAIRMAN REMPE: That's not us, that's somebody else on the line.

MEMBER BROWN: Look, I'm going to ask one other question. Right now, all I've heard is dates, dates, memo here, memo there, whatever. Send me an email. Tell me when the X memo is supposed to be prepared for whatever meeting we attend, and when.

CHAIRMAN REMPE: You're the subcommittee chair.

MEMBER BROWN: I want it in writing, okay? Then I have to produce a memo for something. Right now, it's been up in the air now for months. I was waiting to do the PICS thing to go along with it.

MEMBER BALLINGER: It's never been up in the air for months.

MEMBER BROWN: Sorry. I've never seen a schedule. All I know is it's just been talky-talk. Okay?

MEMBER BALLINGER: We've already published the schedule 20 times. Never mind. Okay.

CHAIRMAN REMPE: Okay, so I think I heard that you'll send a memo to Charlie about when the schedule is due. And I've heard that some memos will be discussed on this November 15th and you may like to have the whole day is what I'm hearing.

MEMBER BALLINGER: Well, I'm just saying that you suggested that we do -- go through a draft of the letter on that day as well.

CHAIRMAN REMPE: Right.

MEMBER BALLINGER: So to me that's half a day. And now you're talking about this which is fine which means --

CHAIRMAN REMPE: -- a whole day.

MEMBER BALLINGER: You can't put ten pounds in a five pound paper bag.

CHAIRMAN REMPE: Well, let's do a whole day. That sounds good. I'm bringing it up now because I'm thinking about the future. That's the end of that topic.

I have another topic that I'd like to talk about that's not pertaining to this subject and I'll be quiet for a while if you want to go first, okay?

MEMBER MARCH-LEUBA: Yes, I wanted to go back to Jason and the SHINE -- you guys missed earlier this afternoon the cyber security interesting discussions. When you generate the FPGAs and do the compiling and building the hardware, do you have a cyber security program or plan for your machines you use to do the compiling, right? Because it's a low probability event, but I can be very devious and install an Easter egg in the hardware that only gets triggered on Christmas 2028. You'll never test that.

So yes, I think when this comes from the staff and I'm going to ask you guys to see what type of cyber security we have on the generation of highly reliable HIPS systems by going to the -- those are the crown jewels of the protection system.

MR. BORROMEO: Understood.

MR. POTTORF: I was just going to point out, yes, Rock Creek, we do have a secured development environment and isolated development network program complete with all its own procedures and forms and plans, so yes, we do all --

MEMBER MARCH-LEUBA: When you submit the final, half a page on the report, saying that you have considered it. It's a very low-probability event that would be difficult to do, but Easter eggs have happened. Okay. Thank you.

MEMBER BROWN: So for Chapter 7, we're expecting Chapter 7 on the systems that operate SHINE to do their thing. That was the I&C part.

There's a cyber section as well, right? Who's going to do that?

MEMBER MARCH-LEUBA: Me.

MEMBER BROWN: You're going to prepare a couple on the life cycle.

MEMBER MARCH-LEUBA: On the life cycle.

MEMBER BROWN: I thought the cyber meeting was later. We've not heard cyber today.

MEMBER MARCH-LEUBA: I can work on this until after we come back.

CHAIRMAN REMPE: At this point are we done with things that need to be on the transcript and I'll let the court reporter go and then we'll stay and do the organizational thing.

MEMBER BROWN: Yes, that's fine.

CHAIRMAN REMPE: So court reporter, we're going to end this topic and you don't need to record any more, okay?

MEMBER BROWN: We have to do public comments.

CHAIRMAN REMPE: Oh, wait, court reporter, are you still there? Thank you so much, I forgot. Yes, Ron.

MEMBER BALLINGER: Okay, so we need to have -- go out for public comments. If you're a member of the public and you would like to make a comment, please, if you're on the Teams thing, just unmute, and give us your name and make your comment.

If you're on the phone, you'll have to do the *6 and make your comment. So please do so.

Hearing none, we're done.

CHAIRMAN REMPE: Okay. Again, I'll try it this time. Unless I hear elsewise, I think we're done with the court reporter.

(Whereupon, the above-entitled matter went off the record at 3:45 p.m.)

Advisory Committee on Reactor Safeguards

SHINE Medical Technologies Operating License Application

Cybersecurity

September 9, 2022 - Non-Proprietary

Dan Warner

Cyber Security Branch, Division of Physical and Cyber Security Policy, Office of Nuclear Security and Incident Response

SRM-18-0063

  • In September 2019, the Commission issued Staff Requirements Memorandum (SRM) SRM-18-0063 for non-power production and utilization facilities intending to possess or use a Category II quantity of special nuclear material for the production of molybdenum-99 (Mo-99).
  • In the SRM, the Commission approved the staff's approach for addressing cybersecurity at these facilities through development of appropriate license conditions based on the facilities' operating license applications.
  • SHINE is the first applicant to submit a license application that is subject to the requirements of this SRM.


Cybersecurity Process Development

  • Staff reviewed the proposed rulemaking on cybersecurity for fuel cycle facilities and developed a similar model for use at SHINE and similar facilities.
  • Staff provided SHINE feedback to consider when identifying applicable consequences of concern, which are events that occur as a result of the compromise of a critical digital asset (CDA) and that have the potential to adversely impact public health and safety or common defense and security.
  • Staff reviewed the SHINE application to determine if there was adequate protection for CDAs that could result in a consequence of concern.


FSAR Review

Staff reviewed the Final Safety Analysis Report (FSAR) for discussions of cybersecurity with a focus on safety systems.

Several sections discuss protections for the Highly Integrated Protection System (HIPS) platform for safety systems.

FSAR Chapter 7 Section 7.4.2.2 - Target Solution Vessel Reactivity Protection System (TRPS) System Design Criteria and Section 7.5.2.2 - Engineered Safety Features Actuation System (ESFAS) System Design Criteria include Criterion 3 that identifies the TRPS and ESFAS systems will incorporate design or administrative controls to prevent/limit unauthorized physical and electronic access to critical digital assets.

FSAR Review

  • FSAR Section 7.4.5.3.2 - Cyber Security Design Features includes information on a defensive system architecture which includes features such as:

- One-way isolated communication outside of safety systems

- Maintenance workstation access only when a module is out of service

- No capability for remote access to the safety system.


FSAR Review

  • FSAR Section 7.4.5.3.3 - Access Control identifies several features used to restrict access including:

- Physical keys to prevent unauthorized use.

- Locked cabinets for rack mounted equipment with administrative key control.

- Modification or replacement of Field Programmable Gate Arrays (FPGAs) restricted when installed in the HIPS chassis.

- FPGA modules only allow modification to setpoints and tunable parameters that may require periodic modification.


Additional Application Reviews

  • Physical Security Plan - Staff reviewed the Physical Security Plan for any information related to cybersecurity for security systems.
  • Cybersecurity Audit - Staff conducted a regulatory audit with SHINE to gather more information regarding cybersecurity.

- SHINE identified CDA access controls and protective features from the FSAR but indicated there was no specific cybersecurity program at SHINE.

- For cybersecurity of physical security assets, SHINE only identified access controls.


Cybersecurity RAIs

  • SHINE submitted a revision to its initial Request for Additional Information (RAI) response based on NRC feedback received.

- Provided information regarding the design, administrative, and programmatic controls that the SHINE Cybersecurity Plan (CSP) will provide.

- Included how consequences of concern will be identified, how CDAs will be determined, how cybersecurity controls will be applied, and other programmatic controls to ensure that the cybersecurity program is documented and maintained.


Staff Evaluation of Cybersecurity at SHINE

  • Staff reviewed the SHINE application and then held a regulatory audit followed by issuing a set of RAIs to gather sufficient information to make a determination.
  • Staff determined additional program elements were required to ensure adequate protection at the SHINE facility and developed a list of important cybersecurity program elements applicable to SHINE.
  • Staff developed a license condition to address these additional program elements and determined the issuance of a SHINE operating license, as conditioned, in part, by the license condition, will not be inimical to the common defense and security or to the health and safety of the public and therefore, meets the requirements of 10 CFR 50.57(a)(6).


Staff License Condition for Cybersecurity

The licensee must have a CSP that describes how the facility's cybersecurity program provides reasonable assurance that digital computer and communication systems and networks are adequately protected against cyber-attacks.

o Similar to the approach followed in 10 CFR 73.54.

The licensee may make a change to the CSP provided the cybersecurity program elements in the license condition and the performance objectives of the CSP remain met.


Questions

BACKGROUND

Consequences of Concern

For facilities intending to produce Mo-99, the following consequences of concern must be considered (but may not necessarily apply):

Latent Safeguards: The concern involves the compromise as a result of a cyberattack of a digital asset performing a security function, which would allow a malicious actor to exploit the degraded security function that was put in place to prevent the unauthorized removal of Special Nuclear Material (SNM) of moderate strategic significance or the loss of Material Control & Accountability (MC&A) for SNM of moderate strategic significance.

Active Safety: In this situation, the cyberattack compromises the function of a digital asset and directly leads to safety-related consequences as defined in the safety criteria found in the licensee's Final Safety Analysis Report.

Latent Safety or Security: The attack renders one or more digital assets incapable of performing its intended function. When called upon to respond to an event, separate from the cyberattack, the digital asset does not operate as expected and therefore the supported safety or security function is compromised, resulting in safety-related consequences like above, or loss or unauthorized disclosure of classified information or classified matter. In addition, MC&A functions whose compromise could lead to a latent safety consequence of concern, would need to be protected from a cyberattack.

© SHINE Technologies, LLC

Cybersecurity Plan

JEFF BARTELME, DIRECTOR OF LICENSING

Outline

  • Requirement for SHINE to Develop Cybersecurity Plan
  • SHINE Cybersecurity Plan Overview
  • Consequences of Concern
  • Identification of Critical Digital Assets
  • Determination of Cybersecurity Controls
  • Additional Programmatic Considerations

Requirement for SHINE to Develop Cybersecurity Plan

There is no explicit regulatory requirement for non-power production and utilization facilities to establish a site-specific cybersecurity plan.

o Despite there being no explicit regulatory requirement to establish a critical digital asset-specific cybersecurity plan, cybersecurity considerations informed the design of digital systems at the SHINE facility.

In December 2021, the NRC Staff notified SHINE of the plan to impose, via license condition, a requirement for SHINE to develop a site-specific cybersecurity plan, which accomplishes, in part:

o Identification of digital assets that, if compromised by a cyber attack, would result in a consequence of concern

o Determination of which digital assets require protection as critical digital assets

o Identification and application of a graded set of cybersecurity controls for critical digital assets

o Providing temporary compensatory measures to meet the plan performance objectives when a cybersecurity control is degraded

o Reporting and tracking cybersecurity events

SHINE Cybersecurity Plan Overview

SHINE has developed a cybersecurity plan to document the design controls, administrative controls, and programmatic controls to prevent or limit the unauthorized physical and electronic access to critical digital assets.

o SHINE defines a critical digital asset as a digital asset for which no alternate means has been identified to prevent the associated consequence of concern.

The cybersecurity plan was informed by the guidance of draft Regulatory Guide DG-5062, Cyber Security Programs for Nuclear Fuel Cycle Facilities (January 2017 Draft).

The performance objective of the cybersecurity plan is to detect, protect against, and respond to a cyber-attack capable of causing a consequence of concern.

Consequences of Concern

The cybersecurity plan is designed to protect against the following consequences of concern:

o Latent Consequences of Concern - Safeguards

The compromise, as a result of a cyber-attack, of a function required to prevent unauthorized removal of special nuclear material (SNM) of moderate strategic significance.

o Active Consequences of Concern - Safety

Exceeding the SHINE Safety Criteria as a direct result of a cyber-attack.

o Latent Consequences of Concern - Safety

The compromise, as a result of a cyber-attack, of a function required to prevent or mitigate the consequences of an accident which could exceed the SHINE Safety Criteria.

Site-specific documents are used to consider the potential consequences of concern from a cyber-attack.

o The SHINE Safety Analysis (SSA) Summary Report is used to identify active and latent safety consequences of concern.

o The Physical Security Plan is used to identify latent safeguards consequences of concern.

Identification of Critical Digital Assets

SHINE has established a process for the identification of critical digital assets that includes identifying digital assets associated with consequences of concern, consideration of the function of each digital asset to determine whether an alternate means exists that prevents the consequence of concern, and determination of the resulting critical digital assets requiring protection.

An alternative means analysis is performed for identified digital assets that considers the function of the critical digital asset to determine whether an alternate means exists that could be credited or implemented to prevent the consequence of concern.

If no alternative means exist for a digital asset that prevents the consequence of concern, the digital asset is determined to be a critical digital asset and requires protection.

Determination of Cybersecurity Controls

For each critical digital asset requiring protection, SHINE establishes and maintains cybersecurity controls specific to the associated consequence of concern.

SHINE uses the guidance provided in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, to derive cybersecurity controls.

Implementing procedures are established and maintained that identify and document the cybersecurity controls applicable to the identified critical digital asset.

o Implementing procedures document, in part:

The location, interconnections, and operating environment of the critical digital assets;

The measures taken to meet the performance specifications associated with the identified cybersecurity controls; and

The verification process for cybersecurity controls.

Additional Programmatic Considerations

Temporary Compensatory Measures

o If it is determined that cybersecurity controls are not meeting defined performance specifications, SHINE implements compensatory measures to ensure adequate protection of critical digital assets.

Configuration Management

o The facility-wide configuration management program includes a cybersecurity impact analysis prior to the implementation of a change.

Periodic Review

o A review of the cybersecurity plan occurs at least every 36 months.

Event Reporting and Tracking

o SHINE informs the NRC Operations Center at the time of making an event-based notification if the event is a result of a cyber-attack.

o SHINE records, and tracks to resolution: (1) Failures, compromises, discovered vulnerabilities, or degradations that result in the decrease in effectiveness of a cybersecurity control; and (2) cyber-attacks that compromise a critical digital asset associated with a consequence of concern.

Advisory Committee on Reactor Safeguards

SHINE Medical Technologies, LLC Operating License Application

Chapter 14 - Technical Specifications

Michael Balazik, Project Manager/Inspector, Office of Nuclear Reactor Regulation

September 9, 2022

Regulatory Basis

  • Regulatory Requirements

10 CFR 50.34, Contents of applications; technical information

10 CFR 50.36, Technical specifications

10 CFR 50.40, Common standards

10 CFR 50.57, Issuance of operating license

Guidance and Acceptance Criteria

  • NUREG-1537, Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Format and Content, issued February 1996;
  • NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Standard Review Plan and Acceptance Criteria, issued February 1996;
  • Final Interim Staff Guidance (ISG) Augmenting NUREG-1537, Part 1 and Part 2, for Licensing Radioisotope Production Facilities and Aqueous Homogeneous Reactors
  • ANSI/ANS-15.1-2007 (R2013), "The Development of Technical Specifications for Research Reactors"

Westinghouse Plants, Volume 1

Summary of Application

  • The principal purpose of the Technical Specifications (TS) is to maintain system performance to ensure safe operation of the facility to promote public health and safety.
  • TS Section 1.0, SHINE proposed standard and site-specific definitions and describes the use of logic connectors with completion times.
  • TS Section 2.0, SHINE proposed safety limits for both the utilization and production facility with limiting safety system settings to prevent exceedance of a safety limit.


Summary of Application (continued)

  • TS Section 3.0, SHINE proposed limiting conditions of operation (LCO) and surveillance requirements with the application of usage rules, action statements and completion times.
  • TS Section 4.0, SHINE proposed major design features (DF) for the facility. These DFs, if altered or modified, may impact safety of the facility.
  • TS Section 5.0, SHINE proposed administrative controls that establish the organizational and procedural controls for the facility.


Staff Evaluation

  • The staff initially evaluated SHINE's proposed TS (Revision 5) submitted to the NRC on January 26, 2022.
  • The NRC technical staff evaluated the TS values in Sections 2, 3, and 4, along with the surveillance requirements, as documented in the specific safety evaluation (SE) chapter.

Based on requests for additional information and audits, SHINE revised the proposed TS.

The staff will include an evaluation of the TSs (TS Section 3.2, Instrumentation and Control Safety Systems) associated with digital instrumentation and control in SE Chapter 7, Instrumentation and Control Systems.


Staff Evaluation (continued)

  • The NRC licensing and project management staff evaluated the TS to ensure consistency, clarity, and formatting of the TS, mainly focused on the definitions and logical connectors in TS Section 1, usage rules in Section 3, and administrative controls in Section 5.

The NRC staff audited the TS and issued an audit report.

Usage rules establish general requirements for TS Section 3.0 for limiting conditions for operation and surveillance requirements.

  • The audit resulted in SHINE revising its TS and submitting a complete version of TS (Revision 6).


Evaluation Findings and Conclusions

SHINE's proposed TS are consistent with the guidance in NUREG-1537, ANSI/ANS-15.1, and NUREG-1431.

As required by 10 CFR 50.36(a)(1), the SHINE operating license application includes a summary statement of the bases or reasons for the proposed TSs, other than those covering administrative controls.

As required by 10 CFR 50.36(b), the SHINE operating license application includes proposed TSs derived from the analyses and evaluation included in the SHINE FSAR, as supplemented.

SHINE's proposed TSs specify SLs on the wall temperature and differential pressure across the primary system boundary and the pressure within process tanks containing irradiated uranyl sulfate and connected piping, which are the important process variables necessary to reasonably protect against the uncontrolled release of radioactivity; and specify LSSSs, that satisfy 10 CFR 50.36(c)(1)(i)(A) and (ii)(A).

SHINE's proposed TSs include LCOs, which are the lowest functional capability or performance levels of equipment required for safe operation of the facility, for each item that meets one or more of the criteria specified in 10 CFR 50.36(c)(2)(ii).

Evaluation Findings and Conclusions (continued)

SHINE's proposed TSs include SRs, which relate to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within SLs, and that the LCOs will be met, that satisfy 10 CFR 50.36(c)(3).

SHINE's proposed TSs include design features, which are those features of the facility such as materials of construction and geometric arrangements, which, if altered or modified, would have a significant effect on safety, that satisfy 10 CFR 50.36(c)(4).

SHINE's proposed TSs include administrative controls, which are the provisions relating to organization and management, procedures, recordkeeping, review and audit, and reporting necessary to assure operation of the facility in a safe manner, that satisfy 10 CFR 50.36(c)(5). SHINE's proposed TSs also include requirements for initial notification, written reports, and records that satisfy 10 CFR 50.36(c)(1), (2), and (7) and requirements for special reports that the staff deemed necessary in accordance with 10 CFR 50.36(c)(8).

The issuance of an operating license for the facility would not be inimical to the common defense and security or to the health and safety of the public.


© SHINE Technologies, LLC

Technical Specifications

CATHERINE KOLB, SENIOR DIRECTOR OF PLANT OPERATIONS

Outline

  • Overview
  • Introduction
  • Safety Limits and Limiting Safety System Settings
  • Limiting Conditions for Operation
  • Surveillance Requirements
  • Design Features
  • Administrative Controls

Overview

Technical specifications have been proposed for the SHINE Medical Isotope Production Facility to meet the requirements of 10 CFR 50.36.

Guidance provided by:

o ANSI/ANS-15.1-2007, The Development of Technical Specifications for Research Reactors

o Appendix 14.1 of NUREG-1537, Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Format and Content

o NUREG-1431, Standard Technical Specifications, Westinghouse Plants (for rules of usage)

Safety-related controls identified in the SHINE Safety Analysis (SSA) are incorporated into the SHINE technical specifications.

Introduction

DEFINITIONS AND USAGE

Definitions section provides defined terms used throughout the technical specifications.

o Primarily based on definitions from ANSI/ANS-15.1-2007.

o Facility-specific modifications of certain terms (e.g., Safe Shutdown, Facility Secured) and new facility-specific terms (e.g., Neutron Driver Assembly System, Main Production Facility) are also provided.

Use of logical connectors ("and" and "or") and completion times for actions specified in limiting conditions for operation based on guidance provided in NUREG-1431.

Safety Limits and Limiting Safety System Settings

Safety limits (SLs) have been defined for the irradiation unit primary system boundary and process tanks containing irradiated uranyl sulfate in the radioisotope production facility.

Limiting safety system settings (LSSSs) are defined as those variables and allowable setpoints for the two safety-related instrumentation and control (I&C) systems (i.e., target solution vessel (TSV) reactivity protection system [TRPS] and engineered safety features actuation system [ESFAS]) that ensure automatic protective actions are initiated prior to the safety limit being exceeded.

Limiting Conditions for Operation

Limiting conditions for operation (LCOs) are administratively established constraints on equipment and operational characteristics, defining the lowest functional capability or performance level required for safe operation of the facility.

Rules of usage based on guidance from NUREG-1431.

o Power reactor guidance was chosen because the SHINE facility, as a commercial entity, has an expected operational cadence different from a typical research reactor.

o Actions to be taken upon discovery of a failure to meet an LCO, within specified completion times, are generally provided.

o Exceptions are provided to allow for the performance of specific startup tests.

o Exceptions are also provided to allow for the performance of defined recovery actions.

Surveillance Requirements

Surveillance requirements (SRs) are provided for each LCO, in the same section of the technical specifications as the LCO, to improve readability and for human factors considerations.

SRs prescribe the frequency and scope of surveillance to demonstrate minimum performance levels established by the LCO.

SR frequencies are generally based on guidance provided in ANSI/ANS-15.1-2007 for cases where similarities exist between equipment addressed in the standard and equipment used in the SHINE facility.

Design Features

Design features (DFs) describe design characteristics of the site and the facility to ensure that major alterations to safety-related components or equipment are not made prior to appropriate safety reviews.

Design features include:

o Site location and description

o Main production facility physical characteristics

o Features of equipment important in safety analysis assumptions (e.g., carbon delay bed efficiencies, ventilation features, shielding characteristics)

o Uranium enrichment limit

o Margin of subcriticality limit

Administrative Controls

Organization

o Structure

o Minimum facility staffing

o Selection and training of personnel

Review and audit committee

Radiation safety

Procedures

Programs required to be established, implemented, and maintained

Required actions

Reports

Records

© SHINE Technologies, LLC

Programmable Logic Lifecycle Overview

JASON POTTORF, DIRECTOR OF ENGINEERING, ROCK CREEK INNOVATIONS

Programmable Logic Development and System Design Control

Programmable logic development takes place as part of the overall system design control for the highly integrated protection system (HIPS) application to the SHINE facility.

The programmable logic lifecycle process consists of 5 phases: Planning, Requirements, Design, Implementation, and Test.

The Planning Phase includes system level requirements identification and tracing to customer requirements.

Verification and Validation (V&V) of programmable logic activities is performed in accordance with Institute of Electrical and Electronics Engineers (IEEE) Standard 1012-2004, IEEE Standard for Software Verification and Validation.

Overall System Lifecycle

[Figure: lifecycle diagram. Labels: Planning Phase, System Design Phase, System Implementation Phase, System Test Phase, Requirements Phase, Design Phase, Implementation Phase, Test Phase; Hardware and Programmable Logic, Programmable Logic, Hardware.]

Planning Phase

Design input review

o Procurement requirements specifications

o Input documents containing project requirements in the procurement requirements specifications

o Following inputs are considered (if provided):

Purchase order

Customer requirements

Rock Creek Innovations proposal

Customer system drawings

Customer control room drawings

Customer wiring diagrams

Customer input/output database

Customer piping and instrumentation diagrams

Applicable regulatory requirements, codes, and standards

Planning Phase (Contd)

Design Input List (DIL)
  o Lists formally received customer and vendor design input documents
  o Design input received by non-formal means identified as an unverified assumption (UVA)
  o UVA process can be used to track design details needed or used which have not been received

The following Planning Phase documents for the implementation of the programmable logic lifecycle process are developed:
  o Project Quality Assurance Plan
  o Project Programmable Logic Development Plan (PLDP)
  o Project Configuration Management Plan
  o Project V&V Plan
  o Project Equipment Qualification Plan
  o Project Test Plan
  o Project Security Assessment

Planning Phase (Contd)

System Requirements Specification (SyRS)
  o System design requirement details are defined and documented
  o Traceability to design inputs established
  o Requirements allocated to hardware and/or programmable logic in the SyRS

System Design Specification (SyDS)
  o HIPS hardware components specified (i.e., divisions, cabinets, chassis, and modules)
  o System requirements are allocated to HIPS hardware
  o Includes input/output list for each module - tag names, descriptions, signal types, and ranges

Programmable Logic Development

The following programmable logic lifecycle process activities are performed in conjunction with the System Design Phase:
  o Programmable Logic Requirements Phase
  o Programmable Logic Design Phase
  o Programmable Logic Implementation Phase
  o Programmable Logic Test Phase

Phase-specific summary reports prepared by V&V organization as part of the formal exit criteria for each phase.

This lifecycle is implemented separately for the field programmable gate arrays (FPGAs) on each HIPS module within the project-specific system.

These activities are performed within a Secure Development Environment (SDE) and Isolated Development Network (IDN).

Programmable Logic Requirements Phase

Generate programmable logic requirements specification (PLRS) to translate the project-specific system design requirements into detailed programmable logic requirements.
  o A separate PLRS is developed for the FPGA on each HIPS module within the project-specific system.
  o A traceability report is developed for each PLRS.

Programmable logic requirements should be adequate to support implementation and verification of the design.
  o PLRS provides a functional description of the programmable logic functionality.
  o PLRS contain the level of detail that enables the development and verification of the design.

Programmable logic requirements and traceability are reviewed by the V&V organization and any anomalies identified are addressed by Design.

Programmable Logic Design Phase

Create at least one logic model and associated programmable logic design specification (PLDS) document for each PLRS
  o Provides a description of the logic architecture, control logic, data structures, input/output formats, interfaces, and algorithms necessary to implement programmable logic requirements
  o Logic models developed following defined modeling standards and model-based development procedure

Design review of the logic model is performed by V&V organization to verify the logic design meets programmable logic requirements

Programmable logic testing is performed by V&V organization and reviewed by Design to validate the logic design meets requirements
  o Separate testing of application specific logic blocks
  o Testing of integration between HIPS Platform and application specific logic blocks

Begin preparation for testing of the logic when implemented into hardware (Module Test Plans/Designs)

Programmable Logic Implementation Phase

HIPS platform hardware and programmable logic components are integrated into the project during this phase to provide the target hardware and incorporate the HIPS platform programmable logic that has been previously designed, developed, and tested.
  o Hardware description language (HDL) code is generated from the logic design models and code statements are traced to the programmable logic design model elements.
  o HDL code is reviewed and analyzed to ensure it is accurate, consistent, verifiable, and complies with requirements.
  o Synthesis and place and route of HDL code is performed, reviewed and analyzed (synthesis, resource allocation, timing, and power reports).
  o Designer generates FPGA programming data and programs the target FPGA.

HDL post-synthesis test preparation developed (Test Plans, Designs, Cases, Procedures)

Hardware implementation test preparation continued (Module Test Cases, Procedures)

Programmable Logic Test Phase

During the Test Phase, requirements of the V&V Plan are completed.
  o Post-synthesis testing executed, and reports developed
  o Module testing executed, and reports developed

V&V module final report(s) completed

Output documents from the Test Phase are ensured to be complete and approved.
  o This serves as the control point to transition from the System Design/Programmable Logic Test Phase to the System Implementation Phase.

System Implementation and System Test Phase

System Implementation Phase
  o HIPS platform hardware components are integrated into the project system during this phase to prepare the system hardware for system component integration, system, and acceptance testing.
  o Test cases and procedures are prepared for each of system component integration testing, system testing, and system acceptance testing.

System Test Phase
  o Hardware and programmable logic design is baselined prior to system acceptance testing - this is identified as the Test Baseline.
  o Change control begins after the Test Baseline.
  o Required tests are completed and output documents approved.