ML17200D124
| Person / Time | |
|---|---|
| Site: | NuScale |
| Issue date: | 07/19/2017 |
| From: | Rad Z NuScale |
| To: | Document Control Desk, Office of New Reactors |
| References: | RAIO-717-55003 |
RAIO-0717-55003

NuScale Power, LLC
1100 NE Circle Blvd., Suite 200, Corvallis, Oregon 97330
Office: 541.360.0500, Fax: 541.207.3928
www.nuscalepower.com

July 19, 2017
Docket No. 52-048

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
One White Flint North
11555 Rockville Pike
Rockville, MD 20852-2738
SUBJECT: NuScale Power, LLC Response to NRC Request for Additional Information No. 26 (eRAI No. 8840) on the NuScale Design Certification Application
REFERENCE: U.S. Nuclear Regulatory Commission, "Request for Additional Information No. 26 (eRAI No. 8840)," dated May 22, 2017
The purpose of this letter is to provide the NuScale Power, LLC (NuScale) response to the referenced NRC Request for Additional Information (RAI).
The Enclosure to this letter contains NuScale's response to the following RAI Question from NRC eRAI No. 8840:
- 19-2
This letter and the enclosed response make no new regulatory commitments and no revisions to any existing regulatory commitments.
If you have any questions on this response, please contact Darrell Gardner at 980-349-4829 or at dgardner@nuscalepower.com.
Sincerely,

Zackary W. Rad
Director, Regulatory Affairs
NuScale Power, LLC

Distribution:
Gregory Cranston, NRC, TWFN-6E55
Samuel Lee, NRC, TWFN-6C20
Rani Franovich, NRC, TWFN-6E55

Enclosure: NuScale Response to NRC Request for Additional Information eRAI No. 8840
NuScale Nonproprietary

Response to Request for Additional Information
Docket No. 52-048
eRAI No.: 8840
Date of RAI Issue: 05/22/2017
NRC Question No.: 19-2

10 CFR 52.47(a)(27) states that a DC application must contain a Final Safety Analysis Report (FSAR) that includes a description of the design-specific probabilistic risk assessment (PRA) and its results. In accordance with the Statement of Consideration (72 FR 49387) for the revised 10 CFR Part 52, the staff reviews the information contained in the applicant's FSAR Chapter 19, and issues requests for additional information (RAI) and conducts audits of the complete PRA (e.g., models, analyses, data, and codes) to obtain clarifying information as needed. The staff uses guidance contained in Standard Review Plan (SRP) Chapter 19.0 Revision 3, Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors.
In accordance with SRP Chapter 19.0 Revision 3, the staff determines if "the PRA reasonably reflects the as-designed, as-built, and as-operated plant, and the PRA maintenance program will ensure that the PRA will continue to reflect the as-designed, as-built, and as-operated plant, consistent with its identified uses and applications."
The staff has reviewed the information in the FSAR and examined additional clarifying information from the audit of the complete PRA and determined that it needs additional information to confirm that the PRA reasonably reflects the as-designed plant. The containment isolation function supports the passive core cooling and heat removal key safety functions by ensuring sufficient coolant inventory in the reactor pressure vessel and the containment vessel.
The staff notes that FSAR Table 19.1-6, System Success Criteria per Event Tree Sequence, assumes that containment isolation is guaranteed to succeed except for the chemical and volume control system (CVCS) pipe breaks outside containment and the steam generator tube failure (SGTF). The containment isolation function is accordingly not questioned in any of the Level 1 event trees except for the CVCS pipe breaks outside containment and the SGTF.
To allow the staff to evaluate the Level 1 model and assumptions related to the containment isolation function, the staff requests the applicant to explain how the containment isolation function can be guaranteed to succeed in the Level 1 accident sequences. In your response, please provide the following:
a. Identify the potential scenarios (combinations of pathways, equipment failures and human failure events) that could lead to coolant inventory loss from the reactor pressure vessel to outside of the containment vessel.
b. For the scenarios identified in a), explain how the containment isolation function is accounted for in the Level 1 model, if this function is necessary to support any key safety functions (e.g., passive safety functions).
c. For the scenarios identified in a), if the containment isolation function is not necessary to support any key safety functions, please describe any relevant analyses used to support this conclusion. Describe any uncertainty analyses performed for these supporting analyses.
d. Augment FSAR Table 19.1-21, Key Assumptions for the Level 1 Full Power Internal Events Probabilistic Risk Assessment, and/or Table 19.1-23, Key Insights from Level 1 Full Power, Internal Events Evaluation, accordingly with a discussion of the dependency of the passive safety functions on the containment isolation function. Include a discussion of the safety-significance of the active backup systems for scenarios resulting in failure of containment isolation.
NuScale Response:
a.) As the RAI states, the containment isolation function is considered only in sequences involving CVCS line breaks outside of containment and SGTFs. For these cases, containment isolation is the key function that determines whether the accident will lead to core damage without makeup coolant. For other initiating events, containment isolation is not necessary to support passive core cooling and heat removal. As discussed in the response to Item c, the redundant depressurization and heat removal systems included in the NuScale design are capable of maintaining passive core cooling in scenarios with a failure of containment isolation.
Potential scenarios that could lead to reactor coolant inventory loss from the reactor pressure vessel to outside of containment are: 1) a CVCS charging line break outside containment with a failure of containment isolation; 2) a CVCS letdown line break outside containment with a failure of containment isolation; and 3) an SGTF with a failure of containment isolation (i.e., on the main steam system or the feedwater system). These scenarios are discussed in FSAR Section 19.1.4.1.1.4 and shown in Figures 19.1-2, 19.1-3, and 19.1-7, respectively.
b.) The containment isolation function is accounted for in event tree top events whose probabilities are developed using system fault tree models. Top event CVCS-T02 in Figure 19.1-2 accounts for containment isolation following a CVCS charging line break outside containment. Top event CVCS-T03 in Figure 19.1-3 accounts for containment isolation following a CVCS letdown line break outside containment. Top event RCS-T04 in Figure 19.1-7 accounts for containment isolation following an SGTF.
c.) For CVCS line breaks outside of containment and SGTFs (as identified in Item a) with a continued loss of coolant (i.e., failure of containment isolation), core damage is avoided only if additional coolant via the CVCS or the containment flooding and drain system (CFDS) is successful. Simulations demonstrate that coolant lost over 72 hours due to a containment isolation failure can be replenished by makeup coolant. For CVCS line breaks outside of containment and SGTFs, successful containment isolation retains sufficient coolant inventory in the module for the passive cooling functions of DHRS or ECCS such that makeup coolant is not required.
For LOCAs inside containment, simulations have been performed to consider event tree model uncertainty. Simulations were performed including a failure of containment isolation on the CES line penetration. The CES line is open during module operation to maintain sub-atmospheric conditions in the CNV; as such, it is the most likely containment bypass path despite the low probability of failure of both safety-related CES containment isolation valves. Containment penetrations and their methods of isolation are listed in FSAR Table 19.1-24. Simulation results demonstrate that ECCS operation with one train of DHRS following a failure of CES isolation is sufficient to maintain the coolant level in the RPV above the active fuel and in the CNV above the ECCS reactor recirculation valves (RRVs), thereby providing passive fuel cooling for more than 72 hours. If both trains of DHRS are unavailable, there is adequate inventory to maintain core cooling if the CES is isolated within 36 hours. In addition, the CVCS and CFDS have the capability to provide makeup coolant.
d.) The descriptions in Table 19.1-7, Success Criteria per Top Event, and Table 19.1-23, Key Insights from Level 1 PRA, have been modified to address the containment isolation function with respect to passive core cooling and heat removal via the ECCS.
Impact on DCA:
Table 19.1-7 and Table 19.1-23 have been revised as described in the response above and as shown in the markup provided in this response.
NuScale Final Safety Analysis Report, Probabilistic Risk Assessment, Tier 2, 19.1-138, Draft Revision 1
RAI 19-2
Table 19.1-7: Success Criteria per Top Event
Columns: Mitigating System¹, Top Event, Redundancy, Description

Mitigating System: Containment flooding and drain system (CFDS)
Top Event: CFDS-T01
Redundancy: One of two pumps needed for success. System is shared by six modules.
Description:
In sequences with a loss of RCS inventory (e.g., un-isolated LOCA) and success of the RTS, CFDS, in conjunction with ECCS, can provide control of RCS inventory. In transients where DHRS and both RSVs fail and RTS is successful, CFDS can provide fuel assembly heat removal by establishing a convection/conduction heat transfer pathway from the RPV through the CNV to the reactor pool. Operator action to use CFDS to add water to the CNV can prevent core damage in sequences involving:
- Pipe breaks outside containment not isolated
- SGTF not isolated
- General reactor trip
Actuation requires an operator action which includes un-isolating containment, aligning a flow path and activating a CFDS pump. It may also require valve realignment because CFDS is a shared system.
CFDS is not credited to mitigate an unisolated break or SGTF if the reactor fails to trip; i.e., given the additional power due to the ATWS, CFDS does not guarantee success.

Mitigating System: Chemical and volume control system (CVCS) for RCS injection
Top Event: CVCS-T01
Redundancy: One of two pumps needed for success. Each module supported by a dedicated system.
Description:
The CVCS can provide control of RCS inventory. As a modeling simplification, DWS provides CVCS makeup inventory. Operator action to inject CVCS can prevent core damage in sequences involving:
- Failure of ECCS
- Pipe breaks outside containment not isolated
- SGTF not isolated
- Failure of the control rods to insert and both RSVs to open following a general reactor trip (to alleviate RPV pressure through the normal operation of pressurizer spray and CVCS discharge)
Operator action requires un-isolating containment, aligning a flow path from the DWS, and activating a makeup pump.

Mitigating System: Emergency core cooling system (ECCS)
Top Event: ECCS-T01
Redundancy: One of three RVVs and one of two RRVs needed for success. Each module is supported by a dedicated system.
Description:
The ECCS provides fuel assembly heat removal and control of RCS inventory. The system passively circulates coolant inventory by removing heat from the reactor core to the CNV which transfers heat to the reactor pool. Success requires one RVV and one RRV to open; failure of both RRVs or all three RVVs to open is an incomplete ECCS actuation.
The ECCS is actuated on low RPV water level or high CNV water level. The system is also demanded upon a loss of two or more EDSS busses, and 24 hours after a loss of AC power.
The system includes an inadvertent actuation block (IAB) that prohibits the valves from opening until the differential pressure between the RPV and CNV is low; this precludes a valve from opening at power.
An operator action to actuate ECCS is considered in cases where automatic initiation fails; the action can be completed from the MCR.
For initiators that involve a continued loss of coolant from the RPV to outside of containment, this top event is credited only if makeup coolant is successful.
For initiators that involve a loss of coolant inside of containment and a failure of containment isolation (as defined in Table 19.1-24), ECCS provides passive fuel cooling for (i) at least 72 hours with one train of DHRS available or (ii) for at least 36 hours with both trains of DHRS unavailable without the need for inventory makeup.

Mitigating System: Reactor coolant system RSV opens
Top Event: RCS-T01
Redundancy: One of two RSVs needed for success. Each module is supported by a dedicated system.
Description:
The RSVs provide RPV pressure relief and RCS integrity. The RSVs are self-actuating pressure relief valves and not operator controlled. Cycling of an RSV transfers RCS to containment and removes fuel assembly heat by convection and conduction to the reactor pool; pressure eventually stabilizes below the RSV setpoint. If both trains of DHRS fail and both RSVs fail to open, the ECCS IAB prohibits the ECCS valves from opening and RPV pressure continues to increase.
RAI 19-2
Table 19.1-23: Key Insights from Level 1 Full Power, Internal Events Evaluation
| Insight | Comment |
|---|---|
| Failure to scram events (ATWS) do not lead directly to core damage. | Core characteristics result in ATWS power levels that are comparable to decay heat levels. Heat transfer from CNV to reactor pool is adequate to prevent core damage and results in most ATWS sequences requiring approximately the same system success criteria as non-ATWS events. |
| Passive heat removal capability is sufficient to prevent core damage if RSVs cycle. | RSV cycling transfers adequate RCS water to CNV to allow heat transfer through RPV to CNV and ultimately reactor pool to remove decay heat. |
| Post-accident heat removal through steam generators or DHRS is unnecessary if RSVs cycle. | The SGs and DHRS provide effective heat removal paths to prevent core damage, but are unnecessary if RSV cycling allows heat transfer to reactor pool. |
| ECCS functions to preserve RCS inventory, which is sufficient to allow core cooling without RCS makeup from external source. | ECCS function provides natural circulation path through core and CNV, thus providing heat transfer to the reactor pool. |
| Containment isolation preserves RCS inventory for core cooling without external makeup. | Containment isolation eliminates the potential for breaks outside of containment to result in loss of RCS inventory. For breaks inside of containment, containment isolation is not necessary to support passive core cooling and heat removal. |
| Support systems are not needed for safety-related (ECCS, DHRS, RSVs) system function. | Safety-related mitigating systems are fail-safe on loss of power and do not require supporting systems such as lube oil, air or HVAC to function. |
| There are no risk significant, post-initiator human actions associated with the full-power PRA. | No operator actions, including backup and recovery actions, are risk significant to the CDF because of passive system reliability and fail-safe system design. |
| Risk significant SSC for external events are largely the same as those found risk significant for internal events. | The module response to external events is comparable to the response to internal events due to the passive features of the design and independence from support systems such as power. Additional systems and components have been identified as risk significant for external events due to a conservative evaluation. |
| Active systems providing backup inventory addition to RPV are not risk significant. | Inventory addition is possible by the active systems CVCS and CFDS. Due to the reliability of the passive safety systems, the active systems providing this backup function were found not to be risk significant, as indicated in Table 19.1-20 and Table 19.1-64. |