Text

1 NUSCALE POWER, LLC SAFETY EVALUATION FOR TOPICAL REPORT TR-0815-16497, REVISION 1, SAFETY CLASSIFICATION OF PASSIVE NUCLEAR POWER PLANT ELECTRICAL SYSTEMS (CAC. NO. RQ6002) 1.0 Introduction By letter dated October 29, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML15306A263), NuScale Power, LLC (the applicant or NuScale),

submitted Topical Report (TR)-0815-16497, Revision 0, Safety Classification of Passive Nuclear Power Plant Electrical Systems. By letter dated February 7, 2017, NuScale submitted Revision 1 to TR-0815-16497 (February 2017) in proprietary (-P) and nonproprietary (-NP) versions (letter and -NP version available at ADAMS Accession No. ML17048A459).

Section 1.1, Purpose of TR-0815-16497-NP, Rev. 1 states the purpose of the submittal and describes the review and approval that the applicant seeks from the U.S. Nuclear Regulatory Commission (NRC or Commission) staff, as follows:

The purpose of this topical report is to request Nuclear Regulatory Commission (NRC) review and approval of what are termed herein as conditions of applicability, and the methodology and bases used in their development. The conditions of applicability comprise a set of passive reactor plant design and operational attributes that, if met in full by a reactor design or license applicant, justify the applicants determination that none of the plant electrical systems fulfill functions that, per the regulatory definitions of safety-related and Class 1E, would warrant a Class 1E classification. The conditions of applicability are presented in Table 3-1, Conditions of applicability.

This topical report also seeks NRC review and approval of augmented design, qualification, and quality assurance (QA) provisions that are an extension of the conditions of applicability (via Item II.1 of Table 3-1). The augmented provisions are described in Table 3-2. For reasons detailed in Section 3.2, these augmented design, qualification, and QA provisions would be applied as minimum requirements to electrical systems that have been determined to be nonsafety-related but yet are essential to the post-accident monitoring of Type B and Type C variables. Provided the conditions of applicability are fully satisfied, the approved augmented provisions would represent an acceptable alternative to the portion of Regulatory Guide 1.97, Revision 4 (Reference 4.39), that specifies a Class 1E power source for instrumentation associated with Type B and Type C variables.

Based on its review of the TR, the NRC staff issued requests for additional information (RAI) related to passive nuclear power plant electrical systems; in particular, the direct current (dc) equipment and system, post-accident monitoring, and reactor coolant pressure boundary (RCPB) integrity and safe shutdown (ADAMS Accession No. ML16281A298). In response to the NRC staffs request, NuScale provided supplemental information in a letter dated December 5, 2016 (ADAMS Accession No. ML16340D339).

2 2.0 Regulatory Evaluation The electric power systems for power plants include onsite electrical power systems providing AC power and DC power. Safety-related electric equipment is referred to as "Class 1E" equipment in Institute of Electrical and Electronics Engineers (IEEE) Standard (Std.) 323-1974, IEEE Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations. As defined therein, the safety-related or Class 1E classification is the safety classification of the electric equipment and systems that are essential to emergency reactor shutdown, containment isolation, reactor core cooling, and containment and reactor heat removal, or otherwise are essential in preventing significant release of radioactive material to the environment. As used in IEEE Std. 323-1974, Class 1E equipment includes appropriate interfaces.

If a reactor design was such that no electrical equipment was essential such that it met the definition of Class 1E, i.e., the reactor plant design did not include safety-related equipment dependent on electrical power, then the design would not require Class 1E AC or DC power systems. Where no Class 1E equipment is used, the basic requirements for qualifying Class 1E equipment and interfaces, which are provided in IEEE Std. 323-1974, are inapplicable. In TR-0815-16497-NP, NuScale Power provides a method to justify that the plant electrical power supplies need not be classified as Class 1E.

In TR Section 3.1, Methodology Used to Develop Conditions of Applicability, the applicant stated that the application of augmented provisions is consistent with the process established in the NRC regulatory framework for special treatment of nonsafety-related SSCs (structures, systems, and components) that are determined to have risk-significance.

In TR Table 3-2, Augmented design, qualification, and quality assurance provisions, the applicant listed the regulatory requirements and guidance documents that a future passive plant applicant would need to apply or consider for the augmented design, qualification, and QA provisions of the non-Class 1E electrical systems - termed the highly reliable DC electrical system(s) - for powering the post-accident monitoring instrumentation for Type B and Type C variables and for the plant emergency lighting systems.

The NRC staff evaluated the conditions of applicability in TR Table 3-1, Conditions of applicability, by first identifying the design bases information, as defined in Title 10 of the Code of Federal Regulations (10 CFR), Section 50.2, Definitions. Design bases means that information which identifies the specific functions to be performed by a structure, system, or component of a facility, and the specific values or ranges of values chosen for controlling parameters as reference bounds for design. The staff then ensured that these specific functions are addressed by the conditions of applicability in Table 3-1.

Per 10 CFR 52.47(a)(3), an application for a design certification must include the design of the facility, including:

(i)

The principal design criteria for the facility. Appendix A to 10 CFR part 50, general design criteria (GDC), establishes minimum requirements for the principal design criteria for watercooled nuclear power plants similar in design and location to plants for which construction permits have previously been issued

3 by the Commission and provides guidance to applicants in establishing principal design criteria for other types of nuclear power units; (ii)

The design bases and the relation of the design bases to the principal design criteria; (iii)

Information relative to materials of construction, general arrangement, and approximate dimensions, sufficient to provide reasonable assurance that the design will conform to the design bases with an adequate margin for safety; The staffs review considered if the design would meet the following minimum requirements for principal design criteria even if no electrical equipment was classified as Class 1E:

Criterion 10, Reactor Design, requires that the reactor core and associated coolant, control, and protection systems be provided with appropriate margin to assure that specified acceptable fuel design limits (SAFDLs) are not exceeded during any condition of normal operation, including the effect of anticipated operational occurrences (AOOs).

Criterion 13, Instrumentation and Control, requires, in part, that the applicant provide instrumentation to monitor variables and systems over their anticipated ranges for normal operation, AOOs, and accident conditions as appropriate to assure adequate safety.

Criterion 15, Reactor Coolant System Design, requires that the reactor coolant system and associated auxiliary, control, and protection systems be designed with sufficient margin to assure that the design conditions of the RCPB are not exceeded during any condition of normal operation, including AOOs.

Criterion 16, Containment Design, requires that the reactor containment and associated systems shall be provided to establish an essentially leak-tight barrier against the uncontrolled release of radioactivity to the environment and to assure that the containment design conditions important to safety are not exceeded for as long as postulated accident conditions require.

Criterion 19, Control Room, requires, in part, that a control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents.

Criterion 20, Protection System Functions, requires, in part, that the protection system be designed to initiate automatically the operation of appropriate systems, including the reactivity control systems, to assure that SAFDLs are not exceeded as a result of AOOs.

Criterion 26, Reactivity Control System Redundancy and Capability, requires, in part, that the control rods be capable of reliably controlling reactivity changes to assure that SAFDLs are not exceeded under conditions of normal operation, including AOOs, and with appropriate margin for stuck rods.

4 Criterion 27, Combined Reactivity Control Systems Capability, requires that the reactivity control systems be designed to have a combined capability, in conjunction with poison addition by the emergency core cooling system, of reliably controlling reactivity changes to assure that the capability to cool the core is maintained under postulated accident conditions and with appropriate margin for stuck rods.

Criterion 34, Residual Heat Removal, requires, in part, that a residual heat removal system be provided. The system safety function shall be to transfer fission product decay heat and other residual heat from the reactor core at a rate such that SAFDLs and the design conditions of the RCPB are not exceeded.

Criterion 35, Emergency Core Cooling, requires, in part, that a system to provide abundant core cooling be provided. The system safety function shall be to transfer heat from the reactor core following any loss of reactor coolant at a rate such that (1) fuel and clad damage that could interfere with continued effective core cooling is prevented and (2) clad metal-water reaction is limited to negligible amounts.

Criterion 38, Containment Heat Removal, requires, in part, the provision of a system to remove heat from the reactor containment. The system safety function shall be to rapidly reduce, consistent with the functioning of other associated systems, the containment pressure and temperature following any loss-of-coolant accident and to maintain them at acceptably low levels.

Criterion 41, Containment Atmosphere Cleanup, requires, in part, systems to control fission products, hydrogen, oxygen, and other substances that may be released into the reactor containment as necessary to reduce, consistent with the functioning of other associated systems, the concentration and quality of fission products released to the environment following postulated accidents and to control the concentration of hydrogen or oxygen and other substances in the containment atmosphere following postulated accidents to assure that containment integrity is maintained.

Criterion 50, Containment Design Basis, requires, in part, that the reactor containment structure, including access openings, penetrations, and the containment heat removal system, shall be designed so that the containment structure and its internal compartments can accommodate, without exceeding the design leakage rate and with sufficient margin, the calculated pressure and temperature conditions resulting from any loss-of-coolant accident.

Criterion 54, Piping Systems Penetrating Containment, requires, in part, that piping systems penetrating primary reactor containment shall be provided with leak detection, isolation, and containment capabilities that have redundancy, reliability, and performance capabilities that reflect the importance to safety of isolating these piping systems.

Criterion 55, Reactor Coolant Pressure Boundary Penetrating Containment, requires, in part, that each line that is part of the RCPB and that penetrates primary reactor containment shall be provided with containment isolation valves.

5 Criterion 56, Primary Containment Isolation, requires, in part, that each line that connects directly to the containment atmosphere and penetrates the primary reactor containment shall be provided with containment isolation valves.

Criterion 57, Closed System Isolation Valves, requires each line that penetrates primary reactor containment and is neither part of the RCPB nor connected directly to the containment atmosphere to have at least one containment isolation valve that shall be either automatic or locked closed, or capable of remote manual operation. This valve shall be outside containment and located as close to the containment as practical. A simple check valve may not be used as the automatic isolation valve.

Criterion 61, Fuel Storage and Handling and Radioactivity Control, requires, in part, that fuel storage and handling, radioactive waste, and other systems that may contain radioactivity be designed to assure adequate safety under normal and postulated accident conditions. This Criterion specifies that such systems shall be designed to include appropriate containment, confinement, and filtering systems.

Criterion 63, Monitoring Fuel and Waste Storage, requires, in part, appropriate systems in fuel storage and radioactive waste systems and handling areas to detect conditions that may cause a loss of residual heat removal capability and excessive radiation levels and to initiate appropriate safety actions.

Criterion 64, Monitoring Radioactive Releases, requires, in part, the means for monitoring the reactor containment atmosphere, spaces containing components for recirculation of loss-of-coolant accident fluids, effluent discharge paths, and the plant environs for radioactivity that may be released as a result of postulated accidents.

The NRC staff also determined that the following regulatory requirements and guidance documents are applicable to the review of this TR:

Per 10 CFR 52.47(a)(8), an application for a design certification must include the information necessary to demonstrate compliance with any technically-relevant portions of the Three Mile Island requirements set forth in 10 CFR 50.34(f), except paragraphs (f)(1)(xii), (f)(2)(ix), and (f)(3)(v). In turn, 10 CFR 50.34(f)(2) states that to satisfy the requirements in 50.34(f)(2)(i)-(xxviii), the application shall provide sufficient information to demonstrate that the required actions will be satisfactorily completed by the operating license stage. Those required actions under 10 CFR 50.34(f)(2) include:

(viii)

Provide a capability to promptly obtain and analyze samples from the reactor coolant system and containment that may contain accident source term radioactive materials without radiation exposures to any individual exceeding 5 rems to the whole body or 50 rems to the extremities.

Materials to be analyzed and quantified include certain radionuclides that are indicators of the degree of core damage (e.g., noble gases, radioiodines and cesium, and nonvolatile isotopes), hydrogen in the containment atmosphere, dissolved gases, chloride, and boron concentrations.

6 (xvii) Provide instrumentation to measure, record and readout in the control room: (A) containment pressure, (B) containment water level, (C) containment hydrogen concentration, (D) containment radiation intensity (high level), and (E) noble gas effluents at all potential, accident release points. Provide for continuous sampling of radioactive iodines and particulates in gaseous effluents from all potential accident release points, and for onsite capability to analyze and measure these samples.

(xix)

Provide instrumentation adequate for monitoring plant conditions following an accident that includes core damage.

(xx)

Provide power supplies for pressurizer relief valves, block valves, and level indicators such that: (A) Level indicators are powered from vital buses; (B) motive and control power connections to the emergency power sources are through devices qualified in accordance with requirements applicable to systems important to safety and (C) electric power is provided from emergency power sources. (Applicable to PWR's only).

Per 10 CFR 52.47(a)(12), an application for a design certification must include an analysis and description of the equipment and systems for combustible gas control as required by 10 CFR 50.44. In turn, 10 CFR 50.44, Combustible Gas Control for Nuclear Power Reactors, requires, in part, that an applicant must perform an analysis that demonstrates containment structural integrity. The analysis must address an accident that releases hydrogen generated from a 100-percent fuel clad-coolant reaction accompanied by the hydrogen burning. Systems necessary to ensure containment integrity must also be demonstrated to perform their function under these conditions.

Per 10 CFR 52.47(a)(4), an application for a design certification must include an analysis and evaluation of the design and performance of structures, systems, and components with the objective of assessing the risk to public health and safety resulting from operation of the facility and including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility, and the adequacy of structures, systems, and components provided for the prevention of accidents and the mitigation of the consequences of accidents. Analysis and evaluation of emergency core cooling system (ECCS) cooling performance and the need for high-point vents following postulated loss-of-coolant accidents shall be performed in accordance with the requirements of 10 CFR 50.46 and 50.46a. In turn, 10 CFR 50.46, sets forth acceptance criteria for ECCS for light-water nuclear power reactors, and 10 CFR 50.46a sets forth acceptance criteria for reactor coolant system venting systems.

10 CFR 50.55a(h)(3) states that applications for design certifications must meet the requirements for safety systems in IEEE Std. 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations and the correction sheet dated January 30, 1995.

Per 10 CFR 52.47(a)(16), an application for a design certification must include a coping analysis, and any design features necessary to address station blackout, as required by 10 CFR 50.63. In turn, 10 CFR 50.63(a)(1) requires that each design for a light-water-

7 cooled nuclear power plant approved under a standard design certification must be able to withstand for a specified duration and recover from a station blackout as defined in § 50.2. The specified station blackout duration shall be based on the following factors:

(i) The redundancy of the onsite emergency ac power sources; (ii) The reliability of the onsite emergency ac power sources; (iii) The expected frequency of loss of offsite power; and (iv) The probable time needed to restore offsite power.

10 CFR 50.63(a)(2) states that the reactor core and associated coolant, control, and protection systems, including station batteries and any other necessary support systems, must provide sufficient capacity and capability to ensure that the core is cooled and appropriate containment integrity is maintained in the event of a station blackout for the specified duration. The capability for coping with a station blackout of specified duration shall be determined by an appropriate coping analysis. Applicants are expected to have the baseline assumptions, analyses, and related information used in their coping evaluations available for NRC review.

Per 10 CFR 52.47(a)(2), applications for standard design certification for nuclear power reactors shall present a safety analysis of the facility design in terms of site parameters postulated for the design. Specifically, 10 CFR 52.47(a)(iv) requires an analysis of the radiological consequences of postulated accidents to include:

The safety features that are to be engineered into the facility and those barriers that must be breached as a result of an accident before a release of radioactive material to the environment can occur. Special attention must be directed to plant design features intended to mitigate the radiological consequences of accidents.

In performing this assessment, an applicant shall assume a fission product release from the core into the containment assuming that the facility is operated at the ultimate power level contemplated.

The applicant shall perform an evaluation and analysis of the postulated fission product release, using the expected demonstrable containment leak rate and any fission product cleanup systems intended to mitigate the consequences of the accidents, together with applicable postulated site parameters, including site meteorology, to evaluate the offsite radiological consequences. The evaluation must determine that:

A) An individual located at any point on the boundary of the exclusion area for any 2-hour period following the onset of the postulated fission product release, would not receive a radiation dose in excess of 25 rem total effective dose equivalent (TEDE);

(B) An individual located at any point on the outer boundary of the low population zone, who is exposed to the radioactive cloud resulting from the postulated fission

8 product release (during the entire period of its passage) would not receive a radiation dose in excess of 25 rem TEDE.

Applications for COLs, CPs and OLs that choose to reference the subject topical report have similar requirements to provide an evaluation of the radiological consequences of postulated accidents in 10 CFR 52.79(a)(1)(vi) and 10 CFR 50.34(a)(1), and there is also a reference to the criteria in 10 CFR 50.34(a)(1) from the siting requirements in 10 CFR 100.21.

Per 10 CFR 52.47(a)(2)(iii), as part of its review of an application for a design certification, the Commission will consider the extent to which the reactor incorporates unique, unusual or enhanced safety features having a significant bearing on the probability or consequences of accidental release of radioactive materials.

As discussed in Section VI. Emergency Response Data System to 10 CFR Part 50, Appendix E, Emergency Planning and Preparedness for Production and Utilization Facilities, the Emergency Response Data System (ERDS) is a direct near real-time electronic data link between the applicant's onsite computer system and the NRC Operations Center that provides for the automated transmission of a limited data set of selected parameters. While it is recognized that ERDS is not a safety system, it is conceivable that an applicant's ERDS interface could communicate with a safety system, and require appropriate isolation devices at these interfaces. Per Section VI.2.a.(i) of App. E, for pressurized water reactors (PWRs), the selected plant parameters to be transmitted include those from radiation monitoring systems, i.e., reactor coolant radioactivity, containment radiation level, condenser air removal radiation level, effluent radiation monitors, and process radiation monitor levels.

In Regulatory Guide (RG) 1.97, Revision 4, Criteria for Accident Monitoring Instrumentation for Nuclear Power Plants, issued June 2006, the NRC describes a method that the NRC staff considers acceptable for use in complying with the agencys regulations with respect to satisfying criteria for accident monitoring instrumentation in nuclear power plants. Specifically, the method described RG 1.97 relates to General Design Criteria 13 (Instrumentation and Control), 19 (Control Room), and 64 (Monitoring Radioactivity Releases). The RG endorses (with certain clarifying regulatory positions specified in Section C of the RG) IEEE Std. 497-2002, IEEE Standard Criteria for Accident Monitoring Instrumentation for Nuclear Power Generating Stations.

NUREG-0800, Branch Technical Position (BTP) 7-10, Guidance on Application of Regulatory Guide 1.97 Rev. 6, August 2016, provides additional guidelines for reviewing an applicants accident monitoring instrumentation.

In SECY-94-084, Policy and Technical Issues Associated with the Regulatory Treatment of Non-safety Systems in Passive Plant Designs, dated March 28, 1994 (ADAMS Accession No. ML003708068), the staff presented the Commission with recommended positions pertaining to policy and technical issues affecting passive advanced light water reactor (ALWR) designs and requested that the Commission

9 approve certain staff positions presented in that paper, including approval of EPRI's proposed alternative to the cold shutdown condition required by regulatory guide (RG) 1.139, Guidance for Residual Heat Removal, as a safe stable condition, which the passive decay heat removal systems must be capable of achieving and maintaining following non-LOCA events. This recommendation was predicated on an acceptable passive safety system performance and an acceptable resolution of the issue of regulatory treatment of non-safety systems. In its staff requirements memo (SRM) dated June 30, 1994 on SECY-94-084 Policy and Technical Issues Associated with the Regulatory Treatment of Non-Safety Systems and COMSECY-94-024 Implementation of Design Certification and Light-Water Reactor Design Issues, the Commission, among other things, approved the staff's recommendation on this item. In doing so, the Commission stated that, with respect to the 72-hour capacity of the passive residual heat removal (RHR) system water pool, the requirements for replenishing the water in the pool should be based on design-specific attributes and that the applicant's justification of these requirements should not be based solely on the 72-hour criterion of the utility requirement document (URD). Further, the Commission stated that the staff should be receptive to arguments for longer periods, if technically justified. Subsequently, in SECY-95-132, Policy and Technical Issues Associated with the Regulatory Treatment of Non-Safety Systems (RTNSS) in Passive Plant Designs, dated May 22, 1995 (ADAMS Accession No. ML003708005), the staff provided the Commission with the staff's response to the SRM of June 30, 1994, pertaining to SECY-94-084, and presented the Commission with a corresponding revision of SECY-94-084 for Commission review and approval. On June 28, 1995, the Commission approved the recommendations in SECY-95-132 (ADAMS Accession No. ML003708019).

3.0 Staff Evaluation The TR Section 1.2, Scope, gives the scope of review specific to the safety classification of plant electrical systems for which the conditions of applicability and augmented provisions apply, as follows:

offsite and onsite ac electrical power systems, and onsite dc electrical power systems.

NuScale stated that the above scope does not include instrumentation and control equipment and circuits, which include both Class 1E and non-Class 1E systems, that serve to monitor and control power to and operation of safety-related and nonsafety-related loads.

The TR contains four appendices to describe the methodology and procedures to be applied to an example power system design to ensure that a dc power system design can be highly reliable:

(1)

Appendix A, Example Overview of Electrical Systems and Instrumentation and Control (I&C) Systems Design gives an overall description of an onsite power system that could

10 serve a passive plant design that meets the conditions of applicability. In addition, Appendix A includes a set of typical one-line diagrams to facilitate an overall understanding of the concepts as applied to a passive plant electrical system.

(2)

Appendix B, Example Safety Classification Assessment for Electrical Systems describes how a hypothetical complete loss of all electrical power (both ac and dc) would affect the various safety functions and explains how the applicant can satisfy the attributes of the conditions of applicability. However, Appendix B does not describe how the requirements of 10 CFR Part 50, Appendix E, Section VI.2.a.(i);

10 CFR 50.34(f)(2)(viii); or 10 CFR 50.34(f)(2)(xvii) would be met.

(3)

Appendix C, Example Failure Modes and Effects AnalysisHighly Reliable DC Power System provides an example failure modes and effects analysis (FMEA) of the example onsite dc power system described in Appendix A. The effects of failure modes and mechanisms for components in the example FMEA establish that no single failure exists that could prevent safety-related functions from being achieved and maintained.

(4)

Appendix D, Example Safety Analysis Results provides example safety analysis results of a passive plant that has the design attributes described in Appendices A and B. The analysis shows that, in each postulated design-basis event (DBE) analyzed, none of the systems credited for mitigating the event require electrical power or operator action.

Section 1.2 of TR-0815-16497-NP, Rev. 1, states The information provided in the appendices is provided to facilitate: (1) the NRCs review of the conditions of applicability and augmented provisions for which approval is sought; and (2) an understanding of how this topical report would be implemented by future applicants (including NuScale). As part of the scope of this topical report, NuScale is not seeking NRC approval of the information in the appendices. Information is provided in this report to demonstrate applicability of the methodology and to aid the readers understanding of the application of these methodologies.

NuScale further stated that its design certification application (DCA) will present the final design information and that the DCA will confirm that the final design meets the conditions of applicability described in TR Table 3-1, which lists the attributes to be satisfied as conditions of applicability.

The TR Table 3-1 has two sections, described by NuScale as follows:

(1)

Section I contains the specific conditions that, if fully met, would adequately justify that no Class 1E electrical supply systems (power sources) are required.

(2)

Section II contains additional conditions to be applied (after meeting Section I).

The TR Table 3-1,Section II, requires augmented design, qualification, and QA provisions. The provisions in TR Table 3-2 are the minimum requirements to be applied to non-Class 1E electrical systems (termed as highly reliable DC electrical system(s)) that will be used to power

11 post-accident monitoring instrumentation for Type B and Type C variables and to power the plant emergency lighting system. If a passive nuclear plant can meet all the conditions listed in TR Table 3-1 without the need for any electrical power, Class 1E ac or dc power supply systems may not be necessary. This is subject to satisfying the capability The NRC staff review of the information in the appendices does not constitute approval of the information in the appendices. Therefore, the NRC staff limited its review to the main body of the TR and focused on the design criteria considered in the conditions of applicability, not an actual design.

Concept of Highly Reliable Non-Class 1E Direct Current System With regard to a fully non-Class 1E dc power system for a completely passive nuclear power plant design, the NRC staff was concerned whether the dc power system would have high reliability. More specifically, the NRC staff was concerned that the valve-regulated, lead-acid (VRLA) battery life could be seriously and suddenly reduced by prolonged high temperatures, the magnitude and frequency of discharge cycles, or overcharging. The NRC staff devised a three-pronged review approach (performance, QA, and quantification) to determine the relative reliability of the conceptual dc power system design (presented in Appendix A to the TR) in comparison to a Class 1E dc power system.

To date, conventional large light-water nuclear power plants have not used VRLA batteries for onsite power. Therefore, the NRC staff requested information on battery life, QA, performance, qualification, and reliability.

RAI 08.03.02-01 In a letter dated December 5, 2016 (ADAMS Accession No. ML16340D339), NuScale acknowledged the NRC staffs concerns with VRLA battery life and stated that these effects can be mitigated by following the recommendations in IEEE Std. 1187-2013, IEEE Recommended Practice for Installation Design and Installation of Valve-Regulated Lead-Acid Batteries for Stationary Applications, and IEEE Std. 1188-2005 (R2010),

IEEE Recommended Practice for Maintenance, Testing, and Replacement of Valve-Regulated Lead-Acid (VRLA) Batteries for Stationary Applications, as noted in TR Table 3-2. Additionally, IEEE Std. 1187-2013 refers to IEEE Std. 1491-2012, IEEE Guide for Selection and Use of Battery Monitoring Equipment in Stationary Applications, and IEEE Std. 1635-2012, IEEE/ASHRAE Guide for the Ventilation and Thermal Management of Batteries for Stationary Applications.

In addition to the use of the industry standard procedures mentioned above for design, testing, and implementation of the VRLA battery-powered dc system, the applicant stated the following:

The backup power supply system delivers backup power to heating, ventilation, and air conditioning systems serving the battery and associated charger rooms to avoid prolonged periods of high ambient temperature.

12 For design consideration for magnitude and frequency of discharge cycle related monitoring, the applicant will follow the guidance in IEEE Std. 1187-2013, IEEE Std. 1188-2005, and specifically IEEE Std. 1491-2012, which provides criteria to detect and monitor a battery for degradation.

Following the guidance in IEEE Std. 1187-2013, as supplemented by IEEE Std. 1491-2012, provides reasonable assurance that the VRLA batteries will not be overcharged and that instances of potential overcharging will be detected prior to degrading a battery to a point where it is not able to perform its intended function.

The electrical power system presented in TR Appendix A depicts an onsite power system design with no Class 1E power sources, assuming the reactor design does not require any safety-related electrical loads to support the safety analyses. The NRC staff reviewed the RAI response and determined that the use of VRLA batteries in a nonsafety dc power system design for a passive nuclear power plant, construction, and monitoring will follow the guidance in IEEE Std. 1187-2013 and IEEE Std. 1188-2005, as supplemented by IEEE Std. 1491-2012 and IEEE Std. 1635-2012. These IEEE standards provide widely established industry guidance for design, testing, and performance of VRLA batteries.

The NRC staff determined that, based on the IEEE standards mentioned above, the design will give reasonable assurance that a dc power system provided by VRLA battery will be prevented from prolonged periods of exposure to high temperature, will be monitored for potential overcharging, and will be monitored for magnitude and frequency of discharge cycles that may degrade the battery performance.

For the reasons discussed above, the NRC staff concludes that, for a nonsafety dc system that uses VRLA batteries, the applicants response gives reasonable assurance that the dc system will be monitored for degradation and the use of VRLA batteries will not adversely affect the dc systems intended function.

The NRC staff asked the applicant to include its response to the NRC staffs RAI 08.03.02-01 in the next revision to the TR. In Revision 1 to the TR, the applicant included the applicable year for the following IEEE standards as requested in the RAI: IEEE Std. 1491-2012 and IEEE Std. 1635-2012. This satisfies the NRC staffs request.

RAI 08.03.02-02 In TR Table 3-2, NuScale stated that a graded QA program will be applied to the dc electrical system that will meet or exceed the augmented QA guidance in Appendix A, Quality Assurance Guidance for Non-Safety Systems and Equipment, to RG 1.155, Station Blackout. The NRC staff asked NuScale to describe the proposed QA program in sufficient detail to enable the NRC staff to verify whether it meets or exceeds the guidance in RG 1.155.

13 In its RAI response letter dated December 5, 2016, NuScale stated that a combined license (COL) applicant that references TR-0815-16487 will be required to follow the guidance in RG 1.155, Appendix A. The NRC staff finds NuScales response reasonable.

The NRC staff has placed Condition 4.1 in Section 4.0 of this SE to ensure that all future applicants that reference TR-0815-16497 address the guidance in RG 1.155, Appendix A, in sufficient detail to verify whether the relevant QA program would meet or exceed the guidance in RG 1.155.

RAI 08.03.02-03 In TR Table 3-2, under Batteries, NuScale stated that the VRLA batteries have augmented design, QA, and qualification provisions. The NRC staff asked NuScale to describe the methods and processes that a passive reactor nuclear power plant will use to verify that VRLA batteries will perform their intended functions during normal operation, AOOs, and postulated DBEs.

In a letter dated December 5, 2016 (ADAMS Accession No. ML16340D339), NuScale stated that the VRLA batteries used in a passive reactor nuclear power plant design are not credited for use in mitigating the consequences of postulated DBEs. NuScale also stated that an applicant using this TR shall implement a testing and monitoring program, as described in IEEE Std. 1188-2005 and IEEE Std. 1491-2012, to ensure that VRLA batteries will perform their intended functions when called upon. These standards provide for a wide variety of operating parameters to be monitored on a continuous basis, including cell-specific parameters.

Furthermore, NuScale stated that applicants would be required to environmentally qualify their VRLA batteries in accordance with IEEE Std. 323-1974, as appropriate, and IEEE Std. 323-2003, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations, and to seismically qualify their batteries in accordance with IEEE Std. 344-2004, IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations, as appropriate, to give further assurance that the batteries will perform their intended functions.

The NRC staff also asked NuScale to identify the industry standards or applicable references that will be used for verification purposes. NuScale identified the following industry standards:

IEEE Std. 323-1974, as endorsed by RG 1.89, Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants, for harsh environments.

IEEE Std. 323-2003 for mild environments.

IEEE Std. 344-2004, as endorsed by RG 1.100, Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants.

IEEE Std. 1188-2005.

IEEE Std. 1491-2012.

14 The NRC staff reviewed the applicants response to RAI 08.03.02-03 and determined that the design of the VRLA batteries used as a non-Class 1E dc power source in a passive reactor nuclear power plant design, in accordance with the widely accepted industry practices IEEE Std. 1188-2005 and IEEE Std. 1491-2012 for testing and monitoring, IEEE Std. 323-1974, as appropriate, and IEEE Std. 323-2003, as appropriate, for environmental qualification, and IEEE Std. 344-2004 for seismic qualification, provide reasonable assurance that the VRLA batteries will perform their intended functions.

The NRC staff concludes that NuScales response is acceptable with regard to the methods and processes used to verify that the VRLA batteries will perform as intended.

The TR states that the VRLA batteries will be seismic category I, therefore, an applicant using the TR shall provide a qualification testing plan that includes an environmental and seismic qualification, and also a technical functional requirement for the VRLA batteries to provide reasonable assurance that VRLA batteries will perform their intended functions. For this reason, the NRC staff has established Condition 4.2 on the TR for the applicant to confirm that the VRLA batteries and their structures are seismic Category I. To give reasonable assurance that the VRLA batteries will perform as intended, the applicant that references the TR must provide a COL action item to support that the VRLA batteries and their structures are seismic Category I. A qualification testing plan includes environmental and seismic qualification and a technical functional requirement for VRLA batteries to show they can perform as intended.

RAI 08.03.02-04 In the TR, NuScale has described its dc power system as highly reliable and substantially equal in reliability to that of an analogous Class 1E dc power system. However, the TR did not fully justify these statements. Therefore, to complete its review, the NRC staff asked the applicant to provide additional quantitative information. Specifically, the NRC staff asked the applicant to describe the methodology that it will use to compare the highly reliable dc system that it will describe in its DCA to a Class 1E dc power system to show that the highly reliable dc system is substantially equal in reliability to a typical Class 1E dc power system.

NuScale provided a two-part response. The first part describes the methodology in the TR that design certification applicants would use to perform a quantitative analysis. This methodology comprises the following five steps needed to compare the reliability of the highly reliable dc system to that of a typical Class 1E dc power system:

(1)

(2)

(3)

15 (4)

(5)

The second part of NuScales response gave the results of its comparative analysis using the above methodology. NuScale indicated that its results were favorable in that the augmented non-Class 1E design indicated a reliability greater than that of the Class 1E design. In its response, NuScale further concluded that amending the TR to include the methodology presented is not necessary.

NuScale and the NRC staff held a conference call on January 6, 2017, to address the NRC staffs RAIs. First, the NRC staff asked for clarification on whether NuScales referenced probabilistic risk analysis (PRA) model included common-cause failures among each of the two-battery-in-parallel configurations. NuScale stated that the model included common-cause failure of the two-battery configurations. The concern was that any battery operating in parallel could experience certain common-cause events. Any further questions on PRA methodology would be part of the PRA review of the referencing DCA or COL application.

Second, the NRC staff requested clarification about the statement at the end of the response that the response does not require a revision to the licensing document (i.e., TR-0815-16497).

The NRC staff questioned this statement because TR-0815-16497 is a methodology document and the response to RAI 08.03.02-04 provides additional methodology necessary for use of the TR by any applicant referencing it. Revision 1 to the TR added this methodology to Table 3-1,Section II. This satisfies the NRC staffs request.

Based on the review of this response, the NRC staff concludes that the five-step process outlined in the applicants response provides an acceptable approach for demonstrating the relative reliability of a non-Class 1E system with that of an analogous Class 1E system.

3.1 Post-accident Monitoring The primary purpose of post-accident monitoring instrumentation is to display plant variables that provide information required by the control room operator during and after an accident.

GDC 13, 19, 64, 10 CFR 50.34(f)(2)(xix), 10 CFR 50.34(f)(2)(xx), and 10 CFR 50.55a(h) contain regulatory requirements governing post-accident monitoring instrumentation. The NRC provides the primary guidance for implementing these regulatory requirements in RG 1.97, which describes a method acceptable to the NRC staff for complying with the Commissions regulations to provide instrumentation for monitoring plant variables and systems during and after an accident. RG 1.97, which endorses IEEE Std. 497-2002, with certain clarifying regulatory positions specified in Section C of the RG, specifies that a Class 1E electrical system should be provided to supply the instrumentation that monitors Type A, B, and C variables under post-accident conditions. Under 10 CFR 50.34(f)(2)(xx), the NRC requires that electrical power for pressurizer level indicators must be powered by vital buses.

16 RG 1.97 defines Type A, B, and C variables as follows:

Type A variables provide the primary information required to allow main control room operators to take manual actions for which no automatic control is provided.

Type B variables provide primary information to the control room operators to assess the plant safety functions.

Type C variables provide primary information to the control room operators to indicate the potential for breach or the actual breach of fission product barriers (e.g., fuel cladding, RCPB, and containment pressure boundary).

During its review, the NRC staff considered whether the safety system design to provide accident monitoring instrumentation would require instrumentation to be powered by a Class 1E electrical system for Type B and C variables.

IEEE Std. 603-1991, Clause 5.8.1, Displays for Manually Controlled Actions, specifies that monitoring instrumentation be part of the safety systems and meet the requirements of IEEE Std. 497-2002. For monitoring instrumentation used for these operations, IEEE Std. 603-1991 and IEEE Std. 497-2002 specify a Class 1E electrical power supply.

The NRC staffs evaluation considered the following:

Regulatory requirements in GDC 13, 19, and 64 are applicable to postulated DBEs and do not specify a Class 1E electrical power supply. Therefore, a Class 1E electrical power supply is not required to meet GDC 13, 19, and 64.

Per 10 CFR 52.47(a)(8), an application for a design certification must include the information necessary to demonstrate compliance with any technically-relevant portions of the Three Mile Island requirements set forth in 10 CFR 50.34(f), except for paragraphs (f)(1)(xii), (f)(2)(ix), and (f)(3)(v). The regulation in 10 CFR 50.34(f)(2)(xix) requires the design to provide instrumentation adequate for monitoring plant conditions following an accident that includes core damage. This includes core damage that may be more extensive than a postulated DBE. Finally, 10 CFR 50.34(f)(2)(xix) does not specify the quality of the electrical supply; therefore, a Class 1E electrical power supply is not required to meet 10 CFR 50.34(f)(2)(xix).

The regulation in 10 CFR 50.34(f)(2)(xx), which is applicable to PWRs only, requires the design to provide power supplies for pressurizer relief valves, block valves, and level indicators such that: (A) level indicators are powered from vital buses; (B) motive and control power connections to the emergency power sources are through devices

17 qualified in accordance with requirements applicable to systems important to safety and (C) electric power is provided from emergency power sources. On its face, NUREG-0737, Clarification of TMI Action Requirements, issued November 1980, states that the instrument channels for pressurizer level indication instrument channels shall be powered from the vital instrument buses and does not specify a Class 1E electrical power supply requirement; therefore, a Class 1E electrical power supply is not required to meet 10 CFR 50.34(f)(2)(xix).

Clause 5.8.2 of IEEE Std. 603-1991 states, in part, that the display instrumentation provided for safety system status indication need not be part of the safety systems; therefore, a Class 1E electrical power supply is not required to meet Clause 5.8.2 of IEEE Std. 603-1991.

Type B and Type C accident monitoring instrumentation is required to perform its intended function under postulated accident conditions. As such, the reliability of the electrical power supply for these instruments should be substantially similar to that of a Class 1E electrical system (see Section 3.0 of this SE).

In TR Appendix B, Section B.2.7, Post-Accident Monitoring, the applicant provided an alternative to RG 1.97 that uses a highly reliable dc power system in lieu of a Class 1E electrical system to supply electrical power to the post-accident monitoring instrumentation. When performing this review, the NRC staff considered the electrical system reliability of the highly reliable dc electrical system. The NRC staff established a three-pronged approach to establish whether the highly reliable dc electrical system provides a substantially equal reliability to that of a Class 1E design. The three-pronged approach consisted of (1) evaluation of the augmented design, qualification, and QA provisions, (2) consideration of the rigor of the highly reliable dc power system as demonstrated by the failure modes and effect analysis, and (3) quantification via fault tree analysis to compare the NuScale design with an approved passive pressurized-water reactor (PWR) dc system design. The NRC staff discusses its evaluation of the electrical system reliability of the highly reliable dc power system in Section 3.0 of this SE.

Based on its evaluation of the electrical system reliability, the staff concluded that the highly reliable dc electrical system provides a substantially equal reliability to that of a Class 1E design; thus, it provides additional assurance that post-accident monitoring capability is maintained during and following a DBE.

Based on the NRC staffs review of the TR and the regulatory requirements governing accident monitoring instrumentation, the staff found that the augmented design, qualification, and QA provisions of the power sources for Type B and Type C variables represent an acceptable alternative to the guidance in RG 1.97.

, the staff has established Condition 4.3 in SE Section 4.0 for the applicants referencing this SE to confirm that operator actions are not necessary to ensure safety-related functions for any postulated DBE (i.e., the design does not include Type A variables as defined in IEEE Std. 497-2002, as modified in RG 1.97, Regulatory Position C.4).

Spent Fuel Pool Considerations The spent fuel pool (SFP) has the safety function of maintaining the spent fuel assemblies in a safe and subcritical array during all credible storage conditions. Criterion 63 for spent fuel

18 storage facilities requires monitoring systems to (1) detect conditions that may cause the loss of residual heat removal capability and excessive radiation levels and (2) indicate when to take action to initiate appropriate safety actions.

In TR Appendix B, Section B.2.2, Fuel Assembly CoolingSpent Fuel and Module Core Refueling, the applicant described In TR Table 3-1, Conditions of Applicability 3 and 4 specify that for the TR to be applicable to a design, the applicant must demonstrate the following:

3.

4.

The NRC staff determined that Conditions of Applicability 3 and 4, as stated above, are consistent with the staff guidance in NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports: LWR Edition (SRP), Section 19.3, Regulatory Treatment of Non-Safety Systems (RTNSS) for Passive Advanced Light Water Reactors, and, therefore, if a design met these conditions, Class 1E power would not be required for monitoring SFP conditions.

3.2 Safe Shutdown, Core Cooling, and Reactor Coolant Pressure Boundary Integrity The NRC staff used the review guidance in the NUREG-0800 to identify the Commissions regulations associated with safe shutdown, core cooling, and RCPB integrity. The NRC staff identified, per 10CFR52.47(a)(3)(i), as minimum requirements, GDC 10, 15, 20, 26, 27, 34, and 10 CFR 50.46 as associated with safety-related structures, systems, and components (in accordance with the definition in 10 CFR 50.2) that need to be addressed by the conditions of applicability in TR Table 3-1. As described in 10 CFR Part 50, Appendix A, the GDC established the minimum requirements for the principal design criteria for water-cooled nuclear power plants that are similar in design and location to plants for which the Commission has issued construction permits. The GDC are also considered to be generally applicable to other types of nuclear power units and are intended to guide the establishment of the principal design criteria for such other units. Therefore, the NRC staff established Condition 4.4 on the TR to require an applicability determination.

19 Condition of Applicability I.1.a, and Condition of Applicability I.1.c.,

require, in part, The NRC staff finds these requirements to be consistent with Criterion 20. Accordingly, the NRC staff finds that Conditions of Applicability I.1.a and I.1.c are necessary and sufficient for determining that no Class 1E power is required to satisfy Criterion 20.

Condition of Applicability I.1.b states, Safe shutdown requirements are described by NRC staff in SECY-94-084. In the June 30, 1994 SRM on SECY-94-084, the Commission approved the staffs recommendation on safe shutdown requirements. SECY-94-084 clarifies the conditions that constitute a safe shutdown condition to be reactor subcriticality, decay heat removal, and radioactive material containment. Additionally, SECY-94-084 states that an appropriate safety analysis can be used to demonstrate passive system capabilities to bring the plant to a safe, stable condition and to maintain this condition. The staffs views on safe shutdown were not changed in SRM/SECY-95-132 (updating the Commission on matters in SECY-94-084).

The TR provides clarifying examples in Appendix B and Appendix D to illustrate how the conditions of applicability can be demonstrated. The examples did not include a quantitative safety analysis to demonstrate the ability to insert sufficient negative reactivity during and following a DBE to achieve and maintain safe shutdown. This omission caused the NRC staff to question the interpretation of safe shutdown as applied to Condition of Applicability I.1.b.

Accordingly, the NRC staff issued RAI 08.03.02-05, dated October 7, 2016 (ADAMS Accession No. ML16281A298), asking the applicant to (1) specify the criteria that constitute a safe shutdown as applied to Condition of Applicability I.1.b and (2) describe how a future applicant for a passive plant will demonstrate that electrical power is not necessary to achieve and maintain a safe shutdown for a minimum of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

The applicants response in its letter dated December 5, 2016 (ADAMS Accession No. ML16340D339), stated that, The criteria that constitute a safe shutdown are subcriticality and decay heat removal in order to maintain fuel clad integrity (radioactive material containment). The NRC staff finds this response acceptable because it is more restrictive than the criteria in SECY-94-084.

The applicants response to RAI 08.03.02-05 further discussed the following approach to demonstrating Condition of Applicability I.1.b:

an applicant will evaluate the reactivity control systems to ensure sufficient shutdown function capability and evaluate the decay heat removal system to ensure sufficient heat removal capability. To ensure that safe shutdown capability is sufficient to address the safety issue of heat removal reliability, a probabilistic risk assessment is used to ensure that the reliability of systems used to achieve and maintain safe shutdown support[s] conformance to the commissions safety goal guidelines.

The applicant further explained that safety analyses of DBEs (as typically presented in Chapter 15 of the final safety analysis report (FSAR)) may not be suitable for demonstrating the

20 ability to achieve and maintain a safe shutdown following a DBE. Specifically, it stated the following in that response:

Conservative assumptions are applied to Chapter 15 safety analysis of DBEs appropriate for the intended purpose of ensuring appropriate margins to protect fuel integrity and core coolability. Although these safety analyses can be used to demonstrate adequate shutdown capability per SECY-94-084, application of the same conservative assumptions may lead to excessive margin with respect to shutdown capability.

The NRC staff previously communicated positions on shutdown margin during and following DBEs in letters discussing GDC 26 and 27, dated December 5, 2016 (ADAMS Accession No. ML16292A589), and September 8, 2016 (ADAMS Accession No. ML16116A083),

respectively. These letters clarify that shutting down the reactor and maintaining a subcritical reactor are safety functions considered in GDC 26 and 27, both of which require margin for malfunctions such as stuck rods. In the letter addressing Criterion 27, the NRC staff stated the following:

Criterion 27 requires that the reactor be reliably controlled and that the reactor achieve and maintain a safe, stable condition, including subcriticality beyond the short term, using only safety related equipment following a postulated accident with margin for stuck rods.

Based on the shutdown margin requirements of GDC 26 and 27, the NRC staff established Condition 4.6 to require a demonstration or appropriate justification of shutdown margin. Based on the applicants criteria for safe shutdown and pursuant to Condition 4.6, the NRC staff finds that Condition of Applicability I.1.b is necessary and sufficient for determining that no Class 1E power is required to satisfy GDC 26 and 27.

Condition of Applicability I.1.c, is a high-level requirement associated with core cooling. GDC 10 (Reactor design),

34 (Residual heat removal), 35 (Emergency core cooling), and 10 CFR 50.46 are design requirements associated with safety-related SSCs that perform core cooling functions. An applicant is required by 10 CFR 50.34, Contents of Applications; Technical Information; 10 CFR 52.47, Contents of Applications; Technical Information; and 10 CFR 52.79, Contents of Applications; Technical Information in Final Safety Analysis Report, to provide a description and analysis of the safety-related systems, structures, and components credited to perform core cooling functions, with emphasis upon performance requirements. The information provided by an applicant under these regulations must be sufficient to demonstrate compliance with GDC 10, 34, 35, and 10 CFR 50.46. Additionally, an applicant referencing the TR is required to perform these evaluations to show that safety functions will be accomplished in the absence of electrical power to demonstrate compliance with Condition of Applicability I.1.c. Accordingly, the NRC staff finds that Condition of Applicability I.1.c is necessary and sufficient for determining that Class 1E power is not required to satisfy GDC 10, 34, 35, and 10 CFR 50.46.

Condition of Applicability I.1.g states, This statement supports Condition of Applicability I.1, which states,

21 The TR gave clarifying examples in Appendix B and Appendix D to illustrate how the conditions of applicability can be demonstrated. The example safety analysis in Appendix D shows that the example passive plant response to an AOO includes establishing a direct coolant flowpath between the reactor core and the containment, thereby removing a fission product barrier. This caused the NRC staff to question whether Condition of Applicability I.1.g is sufficient for demonstrating RCPB integrity. Accordingly, the NRC staff issued RAI 08.03.02-06, dated October 7, 2016 (ADAMS Accession No. ML16281A298), asking the applicant to (1) specify the criteria that constitute RCPB integrity as applied to Condition of Applicability I.1, and (2) explain why the removal of a fission product barrier during an AOO is not considered an event escalation.

The applicants response in a letter dated December 5, 2016 (ADAMS Accession No. ML16340D339), stated that a loss of RCPB integrity involves a mechanical failure in an RCPB component, but it does not include the opening of a valve. The applicant further stated that considering the RCPB to be lost when a valve opens is problematic because (1) it would preclude advanced designs that offer improvements in safety by relying on valves to depressurize the reactor coolant system for safe shutdown, (2) it is not consistent with the licensing basis for PWRs and boiling-water reactors (BWRs), as these designs rely on safety relief valves for overpressure protection, and (3) the GDC address maintaining structural integrity of RCPB components rather than preventing the opening of valves to allow fluid to pass into or out of the RCPB.

Additionally, the applicant stated that opening a valve to depressurize the reactor coolant system and establish long-term cooling is not considered a removal of a fission product barrier, and thus not event escalation, because the functions of the reactor coolant system barrier are not lost. The applicant further stated that events that do not result in unacceptable consequences or significantly increase the risk for radiological release do not challenge the intent of the nonescalation Criterion specified in SRP Section 15.0, IntroductionTransient and Accident Analyses.

The NRC staffs evaluation of the applicants response considered the examples from operating PWRs and BWRs. The applicants response included examples in which valves connected to the reactor coolant system opened and allowed fluid to pass through the RCPB. The NRC staff finds these examples to differ from the scenario that was the basis for RAI 08.03.02-06. In particular, the staff identifies that establishing a direct coolant flowpath between the reactor core and the containment in a manner similar to an emergency depressurization of the reactor coolant system (1) can result in a significant pressurization of the containment, (2) requires the containment to perform an AOO mitigation function by establishing a coolant return path to the reactor pressure vessel, (3) can result in a significant tensile stress on the fuel cladding, and (4) may not be terminated through the closure of the open valve. The AOO scenario in Appendix D to the TR appears to rely on the containment to retain the reactor coolant necessary to ensure fuel cladding integrity during an AOO. Because an AOO, by definition, is expected to occur one or more times during the life of the nuclear power plant, the NRC staff is concerned that such reliance upon the containment may not be consistent with the underlying defense-in-depth purpose of Criterion 15. Accordingly, the NRC staff established Condition 4.5 on the TR to address reliability requirements for the systems necessary to retain reactor coolant within the RCPB. Based on the overpressure protection of the RCPB and pursuant to Condition 4.5, the NRC finds that Condition of Applicability I.1.g is necessary and sufficient for determining that Class 1E power is not required to satisfy Criterion 15.

22 3.3 Containment Isolation The TR Condition of Applicability I.1.d specifies that for The provisions in GDC 54 (Systems Penetrating Containment), 55 (Reactor Coolant Pressure Boundary Penetrating Containment), 56 (Primary Containment Isolation), and 57 (Closed Systems Isolation Valves), in part require containment isolation capabilities. Based on consideration of the relevant GDC above, the staff determined that a plant design that is able to satisfy Condition I.1.d should be able to meet the minimum design requirements in GDC 54, 55, 56, and 57. The NRC staff finds that the condition is necessary to enable the staff to determine that Class 1E electrical power is not required to achieve the containment isolation function.

3.4 Containment Integrity The TR Condition of Applicability I.1.e specifies that for The provisions in GDC 16 (Containment Design), 38 (Containment Heat Removal),

41 (Containment Atmosphere Cleanup), and 50 (Containment Design Basis) in part require that the containment safety function can be achieved and maintained during DBEs. The provisions in 10 CFR 50.44 address the control of combustible gases in the containment. Based on consideration of the relevant GDC and 10 CFR 50.44 cited above, the staff determined that a plant design that is able to satisfy Condition I.1.e should be able to meet the minimum design requirements in GDC 16, 38, 41, and 50 and the requirements in 10 CFR 50.44. The NRC staff finds that the condition is necessary to enable the staff to determine that Class 1E electrical power is not required to assure that containment integrity is achieved and maintained.

3.5 Fission Product Control The TR Condition of Applicability I.1.f specifies that for The provisions in GDC 41 (Containment Atmosphere Cleanup) in part require systems to control fission products. Based on consideration of the relevant GDC and applicable guideline exposure requirements cited above, the staff determined that a plant design that is able to satisfy Condition I.1.f should be able to meet the minimum design requirements in Criterion 41 and applicable guideline exposure requirements. The NRC staff finds that the condition is necessary to enable the staff to determine that Class 1E electrical power is not required to satisfy Criterion 41 the applicable guideline exposures in 10 CFR 100.21, 10 CFR 50.34(a)(1)(ii)(D),

and 10 CFR 52.47(a)(2)(iv).

3.6 Control Room Habitability The TR Condition of Applicability I.5 specifies that electrical power is not necessary The provisions in GDC 19 (Control Room) in part require that a control room shall be provided

23 from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. Based on consideration of the relevant GDC above, the staff determined that a plant design that is able to satisfy Condition I.5 should be able to meet the minimum design requirements in Criterion 19. The NRC staff finds that the condition is necessary to enable the staff to determine that Class 1E electrical power is not required to satisfy Criterion 19.

3.7 Cooling for Building Areas Containing Safety-Related Equipment The TR Condition of Applicability I.6 specifies that The provisions in 10 CFR 50.63 in part require that the reactor core and associated coolant, control, and protection systems, including station batteries and any other necessary support systems, must provide sufficient capacity and capability to ensure that the core is cooled and appropriate containment integrity is maintained in the event of a station blackout for the specified duration.

Based on consideration of the 10 CFR 50.63 requirement, the staff determined that a plant design that is able to satisfy Condition I.5 should be able to meet the requirements in 10 CFR 50.63. The NRC staff finds that the condition is necessary to enable the staff to determine that Class 1E electrical power is not required to satisfy 10 CFR 50.63.

3.8 Building Ventilation The TR Condition of Applicability I.7 specifies that The provisions in Criterion 61 (Fuel Storage and Handling and Radioactivity Control) in part require that fuel storage and handling, radioactive waste, and other systems that may contain radioactivity shall be designed to assure adequate safety under normal and postulated accident conditions. Based on consideration of the relevant GDC and the applicable guideline exposure requirements cited above, the staff determined that a plant design that is able to satisfy Condition I.7 should be able to meet the minimum design requirements in Criterion 61 and applicable guideline exposure requirements.

The NRC staff finds that the condition is necessary to enable the staff to determine that Class 1E electrical power is not required to satisfy Criterion 61 and the applicable guideline exposures in 10 CFR 100.21, 10 CFR 50.34(a)(1)(ii)(D), and 10 CFR 52.47(a)(2)(iv).

3.9 Emergency Lighting The TR, Section 3.2.2, Emergency Lighting, states that portions of the emergency lighting system are powered from the highly reliable dc electrical system, and is classified as non-Class 1E. Additionally, TR Condition of Applicability II.3 (Section II of Table 3-1) specifies that the applicants emergency lighting capability The NRC staff finds that TR Condition of

24 Applicability II.3 is consistent with the NRC staffs guidance on the classification of the emergency lighting system as non-Class 1E and, therefore, is acceptable.

4.0 Limitations and Conditions If an applicant chooses to incorporate by reference TR-0815-16497 as part of its application, the applicant must demonstrate that the reactor design meets all the conditions of applicability in TR Table 3-1 and all the augmented design, qualification, and QA provisions in TR Table 3-2.

Additionally, an applicant referencing this TR must:

4.1 Address the guidance in RG 1.155, Appendix A, in sufficient detail to enable the NRC staff to verify that the relevant QA program would meet or exceed the guidance in RG 1.155.

4.2 Confirm that the VRLA batteries and their structures are seismic Category I. To provide reasonable assurance that the VRLA batteries will perform as intended, an applicant that references the TR shall provide a COL action item to support that the VRLA batteries and their structures are seismic Category I. A qualification testing plan includes environmental and seismic qualification and a technical functional requirement for VRLA batteries to show they can perform as intended.

4.3 Demonstrate that operator actions are not necessary to ensure the performance of safety-related functions for any postulated DBE (i.e., the design does not include Type A variables as defined in IEEE Std. 497-2002, as modified in RG 1.97, Regulatory Position C.4), as presented in Chapter 15 of its FSAR and the human factors analysis in Chapter 18 of its FSAR.

4.4 Demonstrate that the conditions of applicability in Table 3-1 of the TR are consistent with the functional requirements contained in the principal design criteria for the nuclear power plant.

4.5 Demonstrate that system(s) necessary to retain reactor coolant within the RCPB are designed with sufficient reliability such that a DBE that removes the RCPB as a fission product barrier does not occur with the frequency of an AOO.

Alternatively, an applicant referencing the TR may provide justification, for NRC review, that this condition is not applicable to their design.

4.6 Demonstrate that the reactor can be brought to a safe shutdown using only safety-related equipment in the absence of electrical power following a DBE, with margin for stuck rods. Alternatively, an applicant referencing this TR may provide justification, for NRC review, for a less restrictive condition.

5.0 Conclusions The NRC staff approves the use of NuScale TR-0815-16497 as a reference document subject to the conditions and limitations specified in Section 4.0 of this safety evaluation report.

25 Specifically, based on its review of TR-0815-16497, the NRC staff finds that if a reactor design can meet the conditions of applicability and the augmented design, qualification, and QA provisions, Class 1E power sources would not be necessary. This approval of the concepts discussed in the TR does not constitute approval of any specific design.