ML17202V093

LLC Response to NRC Request for Additional Information No. 36 (eRAI No. 8815) on the NuScale Design Certification Application
ML17202V093
Person / Time
Site: NuScale
Issue date: 07/21/2017
From: Wike J
NuScale
To:
Document Control Desk, Office of New Reactors
References
RAIO-0717-55033


Text

RAIO-0717-55033
July 21, 2017
Docket No. 52-048

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
One White Flint North
11555 Rockville Pike
Rockville, MD 20852-2738

SUBJECT: NuScale Power, LLC Response to NRC Request for Additional Information No. 36 (eRAI No. 8815) on the NuScale Design Certification Application

REFERENCE: U.S. Nuclear Regulatory Commission, "Request for Additional Information No. 36 (eRAI No. 8815)," dated May 26, 2017

The purpose of this letter is to provide the NuScale Power, LLC (NuScale) response to the referenced NRC Request for Additional Information (RAI).

The Enclosure to this letter contains NuScale's response to the following RAI Question from NRC eRAI No. 8815:

  • 15-2

This letter and the enclosed response make no new regulatory commitments and no revisions to any existing regulatory commitments.

If you have any questions on this response, please contact Darrell Gardner at 980-349-4829 or at dgardner@nuscalepower.com.

Sincerely,

Jennie Wike
Manager, Licensing
NuScale Power, LLC

Distribution:
Gregory Cranston, NRC, TWFN-6E55
Omid Tabatabai, NRC, TWFN-6E55
Samuel Lee, NRC, TWFN-6C20

Enclosure: NuScale Response to NRC Request for Additional Information eRAI No. 8815

NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330, Office: 541.360.0500, Fax: 541.207.3928 www.nuscalepower.com


Response to Request for Additional Information
Docket No. 52-048
eRAI No.: 8815
Date of RAI Issue: 05/26/2017
NRC Question No.: 15-2

In accordance with 10 CFR 50 Appendix A GDC 35, Emergency Core Cooling, the emergency core cooling system (ECCS) safety function shall be to transfer heat from the reactor core following any loss of reactor coolant at a rate such that (1) fuel and clad damage that could interfere with continued effective core cooling is prevented and (2) clad metal-water reaction is limited to negligible amounts. Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure. The staff notes that the applicant departs from GDC 35 by adopting principal design criteria (PDC) 35 presented in FSAR Tier 2, Section 3.1.

To meet the requirements mentioned above, as they relate to the ECCS providing abundant core cooling during an accident, the accident analysis should show that fuel and clad damage that could interfere with continued effective core cooling is prevented assuming a single failure.

In FSAR Tier 2, Section 15.0.0.5, Limiting Single Failures, the applicant discusses, in general, how single failures are applied throughout the accident analysis. However, the applicant does not discuss an ECCS valve single failure, in terms of failing to remain closed when required to be closed. The staff notes that when an ECCS valve fails by opening when required to stay closed, the resulting transient could produce more limiting consequences in terms of minimum critical heat flux ratio (MCHFR), containment pressure, etc. One example of this is given in FSAR Tier 2, Section 15.6.6, Inadvertent Operation of Emergency Core Cooling System, and is discussed in the following paragraph.

The staff understands that, for the NuScale design, as discussed in FSAR Tier 2, Section 6.3 and Section 15.6.6, in order for the ECCS valves to open, two things need to happen: (1) the direct current (DC) solenoid-operated trip pilot valve must open either on an ECCS actuation signal or loss of power; and (2) the inadvertent actuation block (IAB) valve must open. As stated in FSAR Tier 2, Section 15.6.6.1, Identification and Causes of Accident Description, the staff recognizes that the applicant does not analyze this event assuming the cause described above where two things need to occur. However, the applicant analyzes this event assuming the cause of the ECCS valve opening is a mechanical failure of the valve itself and takes no single failure in the analysis. Assuming a loss of all power and applying a single failure to one IAB valve in the applicant's current analysis in FSAR Tier 2, Section 15.6.6, then, concurrent with the initiating event (i.e., one ECCS valve fails mechanically and opens) another ECCS valve opens at time t=0 due to a loss of power to its DC solenoid-operated trip pilot valve and a single failure of its IAB valve. Applying the above assumptions results in two ECCS valves opening at time t=0 with the reactor still at power (the staff notes there is a delay in reactor trip after a loss of all power at time t=0). The resulting minimum departure from nucleate boiling ratio (MDNBR) of this event could be more limiting than how the applicant currently analyzes the event in the FSAR.

NuScale Nonproprietary

Furthermore, reviewing other Chapter 15 events, the staff understands that taking the single failure of an IAB valve may produce more severe consequences than what the applicant has currently analyzed.

Based on docketed information, the staff is unable to determine if the applicant's current Chapter 15 analyses represent the most limiting events because the applicant does not apply the single failure assumption to the IAB valve. Furthermore, the staff recognizes that GDC 35 requires application of the single failure. The staff requests the applicant provide justification in the FSAR for why it does not assume the single failure of an IAB valve in any of the Chapter 15 accident analyses. The staff requests the applicant to modify the FSAR as necessary to address the single failure of an IAB concern.

NuScale Response:

Background:

The NuScale Power Module (NPM) ECCS reactor vent valves (RVVs) and reactor recirculation valves (RRVs) consist of a main valve welded to the reactor pressure vessel (RPV) and a vent line that connects to trip and reset valves. The main valve disc and the trip valve are pressure retaining and are part of the reactor coolant system (RCS) pressure boundary. During normal operations, the main valve disc is held closed by RCS pressure on the top of the disc. The main valve opening sequence begins when an ECCS actuation signal or a loss of DC Power (EDSS) deenergizes the solenoid that opens the trip valve. After the trip valve opens, RCS fluid in the vent line drains through the trip valve into containment and decreases pressure in the control chamber permitting the main valve to open, unless the fluid draining is prevented by the inadvertent actuation block (IAB) function. The design and function of the IAB is presented in FSAR Section 5.2 and Section 7.2.

If the trip valve opens while the RCS is at high pressure, the downstream side of the IAB rapidly depressurizes and the IAB is pushed closed against the spring force by the high RCS pressure on its upstream side. With the IAB closed, the control chamber remains pressurized and the main ECCS valve remains closed. The IAB will reopen and permit the main valve to open when the force exerted by the RCS pressure decreases below the spring force.

The IAB function is provided by an arming valve. The arming valve is a spring-loaded check valve consisting of a rod that pushes against a spring and slides based on differential pressure between the top and bottom of the rod. The spring provides a force pulling the rod away from the vent line seating surface. The top of the rod is kept off the vent line seat by the pressure of the fluid in the control chamber and the vent line. Under normal operating conditions, the rod inside the arming valve is exposed to system pressure from the RCS at the base and equivalent pressure at the top of the rod from the control chamber. The control chamber is connected to the vent line that leads to the trip and reset valves. Upon receipt of an actuation signal, or loss of power to the solenoid trip valve, the trip valve is actuated and the vent line is opened to containment. The fluid in the vent line starts to dump into containment, dropping the pressure in the vent line to the containment pressure. This places the arming valve rod in a condition with RCS pressure at the base and containment pressure at the top. The pressure from the RCS pushes against the base of the rod and presses the rod into the vent path seat, stopping flow out the vent path before the control chamber depressurizes enough to open the main valve. The RCS pressure pushes the rod against the seat of the arming valve holding the rod in its position until RCS pressure drops below the release threshold. The IAB will prevent the fluid from draining out the trip line if RCS pressure is above the actuation threshold (approximately 1100 psi differential between RCS and containment).

Either an RRV or RVV opening initiating event is an event analyzed in FSAR Section 15.6.6, consistent with Design-Specific Review Standard for NuScale SMR Design (DSRS) Section 15.6.6, Inadvertent Operation of the Emergency Core Cooling system (ECCS). The inadvertent operation of the ECCS is an event unique to the NuScale design. After the first ECCS valve opens, RCS pressure drops rapidly below the IAB release pressure and the remaining ECCS valves open immediately after an ECCS setpoint is reached. The conclusion of FSAR Section 15.6.6 is that the ECCS performs the required safety function considering the initiating ECCS valve failure, with and without AC and DC power. The failure of an ECCS valve to open is evaluated as a single failure. The ECCS will still perform its function with the failure of one ECCS valve to open. If one RRV fails to open, the remaining valve is adequate to perform the safety function. If one RVV fails to open, the other two RVVs will open to perform the safety function.

The IAB function is a simple acting rod motion similar to a check valve. Assuming a loss of DC power to the trip valves, the trip line depressurizes to containment pressure. A large differential pressure between the RCS and the trip line provides the motive force for the IAB to move into its seat. An evaluation of available guidance for addressing failure of this IAB function follows.

Regulatory Guidance:

10 CFR 50 Appendix A defines a single failure as the following:

A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions. (See footnote 2.)

Footnote 2: Single failures of passive components in electric systems should be assumed in designing against a single failure. The conditions under which a single failure of a passive component in a fluid system should be considered in designing the system against a single failure are under development.

Although the requirements for considering a passive single failure were never formally issued as suggested in the footnote to the definition, the NRC provided guidance in SECY-77-439, Single Failure Criterion:

The Single Failure Criterion, as a design and analysis tool, has the direct objective of promoting reliability through the enforced provision of redundancy in those systems which must perform a safety-related function. Simply stated, application of the Single Failure Criterion requires that a system which is designed to perform a defined safety function must be capable of meeting its objectives assuming the failure of any major component within the system or in an associated system which supports its operation.

A passive failure in a fluid system means a breach in the fluid pressure boundary or a mechanical failure which adversely affects a flow path. Examples include the failure of a simple check valve to move to its correct position when required. It should be noted that components important to safety are designed to withstand hazardous events such as earthquakes. Nevertheless, in keeping with the defense in depth approach, the staff does consider the effects of certain passive failures (e.g., check valve failure, medium or high energy pipe failure, valve stem or bonnet failure) as potential accident initiating events.

Therefore, the SECY-77-439 position was that check valve failures were passive in nature and should be evaluated as initiating events similar to pipe failures.

ANSI/ANS 58.9 also provides relevant guidance. ANSI/ANS 58.9 defines a failure of a check valve to move to its correct position as an active failure, but allows such failure to be excluded from consideration:

Where the proper active function of a component can be demonstrated despite any credible condition, then that component may be considered exempt from active failure.

Examples of such component functions may include opening of code safety valves and certain swing check valves. Where such exemption is taken, the basis for the exemption shall be documented in the single failure analysis.

SECY-94-084 readdressed passive failures, specifically with regard to passive plant designs.

The SECY states that "for current plants, the NRC staff normally treats check valves...as passive devices during transients or design-basis accidents," and therefore, "would not consider the failure of a check valve to be a single active failure." However, those valves are typically operated by high pressure and forced flow. The SECY stated that the new plants will be operated under different conditions often with low flow or without pump discharge pressure available to open or close check valves. The SECY concludes that if check valves can be shown to be used in similar applications to current plants with low probability of failure (on the order of 1E-4/yr) and high differential pressure such as pressurized water reactor (PWR) accumulator check valves, the check valve can be excluded from consideration as a single active failure.

NuScale Position:

For Non-LOCA events, the ECCS is not required for accident mitigation. NuScale's PDC 35, consistent with GDC 35, requires that the ECCS perform its core cooling safety function assuming a single failure. Because the ECCS is not required to perform a core cooling safety function in response to non-LOCA events, the PDC 35 single failure assumption does not apply.

Non-LOCA events do not result in conditions that generate a valid ECCS actuation signal on low reactor vessel level or high containment level. However, the Non-LOCA analyses do assume a loss of DC power as a concurrent condition, consistent with the loss of power assumptions normally applied pursuant to GDC 17 (although the NuScale DCA supports an exemption from GDC 17). The loss of DC power results in an ECCS actuation (due to loss of power to rather than an actuation signal) and after the trip valves open, fluid vents from the valve control chambers, which engages the IAB on all five ECCS valves. There is no causal relationship between the Non-LOCA events and the loss of DC power or the functioning of the IAB. Single failures that are relevant to the Non-LOCA events are conditions that are causally related to the functions that initiate or mitigate the Non-LOCA events. Failures of MSIVs, FWIVs, feedwater backflow devices, instrument channels and other components need to be considered in these analyses. Failure of the IAB function is not causally related to these events or the equipment required to mitigate these events. Therefore, the failure of the IAB to keep the ECCS valves closed during a non-LOCA event is not a related single failure that needs to be considered for Non-LOCA events based on the regulatory guidance discussed above.

For design basis LOCAs and inadvertent opening of an ECCS valve, the safety function of the ECCS is to provide emergency core cooling. During these scenarios, water level rises in containment and drops in the reactor vessel. ECCS receives an actuation signal on either low reactor vessel level or high containment level. If DC power is lost, that also serves to actuate ECCS. LOCA scenarios were evaluated considering the failure of one ECCS valve to open. All LOCA scenarios met the acceptance criteria. Inadvertent opening of an ECCS valve is described above and in FSAR Section 15.6.6 and has acceptable results. Therefore, the ECCS performs its safety function during these events considering a single failure of an ECCS valve to open.

Although LOCA scenarios and inadvertent opening of an ECCS valve consider single failures of the ECCS system, the NuScale position is that the function of the ECCS valve IAB is a passive function, and therefore not required to be analyzed as an assumed active single failure in conjunction with other event initiations.

The basis for this position is that after an ECCS valve receives an actuation signal or loss of power, no electrical power or other motive force besides RCS pressure is required to maintain the ECCS valve closed. The arming valve in the IAB is forced into its seat by the large differential pressure between the RCS and containment. The ECCS valve will remain in this condition until RCS pressure decreases below the opening threshold pressure. The IAB function is accomplished by intrinsic forces and involves only simple motion of a rod into a seat. There are no credible active failures that would prevent accomplishment of the design function. Once the arming valve rod is seated, RCS pressure keeps the rod in place and the ECCS valve will not open until RCS pressure decreases. This situation is analogous to the example given in SECY-94-084 where an accumulator check valve was considered passive due to the simple motion required and the large differential pressure available. The design and operation of the arming valve supports treatment of the IAB arming valve as a passive function. Therefore, spurious opening of an ECCS valve due to an arming valve failure is not considered as an active single failure in conjunction with other initiating events.

As noted in SECY-77-439, the single failure assumption is intended to promote "reliability through the enforced provision of redundancy in those systems which must perform a safety-related function." Assuming a single failure of the IAB would not serve the purpose of the requirement, as redundancy of the IAB function would not effectuate more reliable performance of the ECCS in performing its intended emergency core cooling safety function.

The low probability that the IAB would fail to close supports the NuScale position. NuScale performed an evaluation using Target Rock main steam safety relief valves (MSSRVs) in use at boiling water reactors as a surrogate for the IAB arming valve. The pilot assembly of the Target Rock MSSRV is of similar design to the IAB valve, is made by the same manufacturer, and operates on the same principle of differential pressure. The operating experience for these valves was reviewed to identify failure events involving the pilot that would be applicable to the IAB, and the results were used to estimate the failure probability for the IAB valve. This evaluation determined the IAB to have a mean failure-to-close probability of 3.5E-4 per demand.

When combined with the frequency of initiating events determined in the PRA that would demand the IAB, the failure frequency for any of the five IAB valves to close is 1.2E-5 per module critical year. Therefore, the reliability of the IAB feature meets the SECY-94-084 criterion of having a failure frequency less than 1E-4 per year.

Based on the above, the failure of the ECCS valve IAB function meets the deterministic and probabilistic criteria for a passive failure and should not be considered an active failure concurrent with other analyzed events. Consistent with guidance for passive components, the inadvertent opening of an ECCS valve, due to a passive failure, should be evaluated as an initiating event in Chapter 15. This conclusion is consistent with the event classification in Section 15.0, Table 15.0-1 and DSRS Section 15.6.6. A statement is added to FSAR Section 15.0.0.5 stating that the ECCS valve IAB is considered a passive component based on meeting the guidance in SECY-94-084.

Impact on DCA:

FSAR Section 15.0.0.5 has been revised as described in the response above and as shown in the markup provided in this response.

NuScale Final Safety Analysis Report
Transient and Accident Analyses

The principal considerations in applying the single-failure criterion to NPM design basis event evaluations are discussed below.

1) Active failures are considered for mechanical components.
  • Design basis event mitigation credits valves that are classified as safety related.

Valves move to their safety or "fail safe" position when the externally-applied motive force is removed.

There is one safety-related check valve and one nonsafety-related backup check valve in each feedwater line (four total check valves per NPM). The feedwater system check valves are credited to mitigate the consequences of the feedwater line break event.

The feedwater system check valves are not credited for containment isolation but for short-term retention of decay heat removal system (DHRS) inventory, until the feedwater isolation valve (FWIV) or its backup (nonsafety-related) feedwater regulating valve closes. The FWIV performs the containment isolation function and the feedwater regulating valve serves as a backup to the FWIV.

2) Passive failure of a single SSC is considered a potential event initiator, but not as a single failure in the short term.
  • Passive failures of fluid systems are considered only on a long-term basis except for check valves whose failure must be postulated coincident with its required response to a DBE.
  • For the purpose of considering passive single failures, the short term is defined as the period up to 24 hours following an initiating event.
  • Components whose proper function has been demonstrated and documented are not considered a credible single failure (e.g., American Society of Mechanical Engineers code safety valves).

RAI 15-2

  • The ECCS valve inadvertent actuation block (IAB) is considered a passive component. The IAB feature prevents the ECCS valves from opening until RCS pressure drops below the IAB threshold. The IAB operates based on differential pressure between the RCS and containment and requires no external power, signals or motive force to maintain the ECCS valves closed. The IAB function meets the deterministic and probabilistic criteria set out in SECY-94-084 for passive components.
3) Active and passive failures are considered for electrical components.
  • Protective actions must be accomplished in the presence of a single detectable failure. The effects of non-detectable failures are considered concurrently as part of the most-limiting single failure.
  • Both loss of and availability of power are assumed in the analysis of each event and are not considered a single failure.

Tier 2 15.0-6 Draft Revision 1