ML18036B203

From kanterella
Jump to navigation Jump to search
LLC Response to NRC Request for Additional Information No. 292 (Erai No. 9128) on the NuScale Design Certification Application
ML18036B203
Person / Time
Site: NuScale
Issue date: 02/05/2018
From: Rad Z
NuScale
To:
Document Control Desk, Office of New Reactors
References
RAIO-0218-58534
Download: ML18036B203 (8)
v  d  e


Text

RAIO-0218-58534 February 05, 2018 Docket No.52-048 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk One White Flint North 11555 Rockville Pike Rockville, MD 20852-2738

SUBJECT:

NuScale Power, LLC Response to NRC Request for Additional Information No.

292 (eRAI No. 9128) on the NuScale Design Certification Application

REFERENCE:

U.S. Nuclear Regulatory Commission, "Request for Additional Information No.

292 (eRAI No. 9128)," dated December 06, 2017 The purpose of this letter is to provide the NuScale Power, LLC (NuScale) response to the referenced NRC Request for Additional Information (RAI).

The Enclosure to this letter contains NuScale's response to the following RAI Question from NRC eRAI No. 9128:

19-37 This letter and the enclosed response make no new regulatory commitments and no revisions to any existing regulatory commitments.

If you have any questions on this response, please contact Darrell Gardner at 980-349-4829 or at dgardner@nuscalepower.com.

Sincerely, Zackary W. Rad Zackary Director Regulatory Affairs

Director, NuScale Power, LLC Distribution: Gregory Cranston, NRC, OWFN-8G9A Samuel Lee, NRC, OWFN-8G9A Rani Franovich, NRC, OWFN-8G9A : NuScale Response to NRC Request for Additional Information eRAI No. 9128 NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvalis, Oregon 97330, Office: 541.360.0500, Fax: 541.207.3928 www.nuscalepower.com

RAIO-0218-58534 :

NuScale Response to NRC Request for Additional Information eRAI No. 9128 NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvalis, Oregon 97330, Office: 541.360.0500, Fax: 541.207.3928 www.nuscalepower.com

Response to Request for Additional Information Docket No.52-048 eRAI No.: 9128 Date of RAI Issue: 12/06/2017 NRC Question No.: 19-37 Regulatory Basis:

10 CFR 52.47(a)(27) states that a design certification application must contain an final safety analysis report (FSAR) that includes description of the design-specific probabilistic risk assessment (PRA) and its results.

In accordance with the Statement of Consideration (72 Federal Register 49387) for the revised 10 CFR Part 52, the staff reviews the information contained in the applicants FSAR Chapter 19, and issues requests for additional information (RAI) and conducts audits of the complete PRA (e.g., models, analyses, data, and codes) to obtain clarifying information as needed.

The staff uses guidance contained in Standard Review Plan (SRP) Chapter 19.0 Revision 3, Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors.

In accordance with SRP Chapter 19.0 Revision 3, the staff determines whether, The applicant has performed sensitivity studies sufficient to gain insights about the impact of uncertainties (and the potential lack of detailed models) on the estimated risk. The objectives of the sensitivity studies should include (1) determining the sensitivity of the estimated risk to potential biases in numerical values, such as initiating event frequencies, failure probabilities, and equipment unavailabilities, (2) determining the impact of the potential lack of modeling details on the estimated risk, and (3) determining the sensitivity of the estimated risk to previously raised issues (e.g., motor-operated valve reliability).

Standard Review Plan (SRP) Section 19.0, Revision 3, also states, Shutdown and refueling operations for small, modular reactor designs may be performed in ways that are new and completely different from those used at large traditional light water reactors (LWRs) either licensed or under review by the NRC. In these cases, a more in-depth review will be needed to ensure that the PRA model is of acceptable scope, level of detail, and technical adequacy.

As documented in SRP 19.0 Revision 3, the staff will determine whether the applicant has identified risk- informed safety insights based on systematic evaluations of the risk associated with the design. The applicant should identify and describe the following:

A. The designs robustness, levels of defense-in-depth, and tolerance of severe accidents NuScale Nonproprietary

initiated by either internal or external events B. The risk significance of potential human errors associated with the design.

Request for Additional Information Per Chapter 19 of the FSAR, module drop events dominate the NuScale core damage frequency. As such, the staff reviewed the Probabilistic Risk Assessment Notebook for the Reactor Building Crane, ER- P050-3815, Rev. 1 (notebook) and noted that key risk insights from the notebook are not reported in the FSAR.

1. FSAR Table 19.1-70, Listing of Candidate Risk Significant Structures, Systems, and Components (Single Module): Low Power and Shutdown Probabilistic Risk Assessment, identifies the reactor building crane as a single entry, with no supporting detail. However, as described in the notebook, the safety stop function for the main hoist is critical to the safe operation of the crane and its ability to hold the load following any failure or abnormal lift. There are several single failure points for this system including: the main hoist drive controller VFD403 fails to cut power to the motor, the lower command CR1606 fails closed, the raising command CR1602 fails closed, the main hoist safety stop related fails closed CR1733, the main hoist under voltage related TD1744 fails closed, and the common cause of the hoist shoe brakes fail to close. The staff is requesting the reactor building crane entry in Table 19.1-70 be expanded to include the risk importance results of the critical SSCs (listed above) for the crane or justify why these additions are not necessary.
2. In the notebook, several operator errors of commission, which are challenging to quantify in PRAs, were estimated to be important in the module drop frequency including: bridge over speed with an intact module, trolley over speed with an intact module, over travel raise with an intact module, over travel lower with an intact module, over speed event with an intact module, and over load with an intact module. The staff is requesting these operator actions and their risk importance results be added to the FSAR or justify why these additions are not necessary.
3. The notebook assumes the crane will not be permitted to operate with the bypass in place, and the bypass switch itself, a keyed switch, will be locked open during a lift to prevent its inadvertent actuation. The safety stop system contains a bypass function that will permit the load to be lowered after the safety stop system has been actuated and inhibit the automatic actuation of the safety stop due to any fault. The staff requests this key assumption either be added to Table 19.1-71, Key Assumptions for the Low Power and Shutdown Probabilistic Risk Assessment, or that the applicant explain why the addition is not necessary. .
4. The notebook reports the failure for the crane operator to activate the safety stop as 1E-3.

Given the importance of this action and the absence of operating procedures, please provide the results of a sensitivity study assessing the risk significance of this error on the NuScale core damage frequency or explain why it is not necessary.

5. The notebook states an unmitigated bridge overspeed event may cause the module to collide with a pool wall. The staff requests this event and the consequences (failure of the NuScale Nonproprietary

Ultimate Heat Sink damage another module) be added to the FSAR or explain why this addition is not necessary.

NuScale Response:

1. Expanding the level of detail of the reactor building crane (RBC) failure modes to explicitly identify the safety stop feature is not required for the low power and shutdown (LPSD) PRA. The RBC reliability assessment considers combinations of events that can ultimately result in a module drop. The single failures listed in the RAI question are associated with the safety stop feature, which is demanded only if at least one other failure has already occurred; thus, there are no single failures that result in a module drop.

The purpose of the RBC reliability assessment was to develop an initiating event frequency to be used in the LPSD PRA, and was performed in a manner consistent with the ASME/ANS PRA Standard (e.g., supporting requirements IE-B3 and IE-C11 of FSAR Reference 19.1-2), as endorsed by Regulatory Guide 1.200. The assessment used engineering judgment and available design information for a representative crane design that meets the requirements of NUREG-0554 and ASME NOG-1 for Type I cranes as stated in FSAR Section 9.1.5.2.2, and resulted in a conservative estimate of a design-specific RBC failure probability. As modeled in the LPSD PRA, the accident progression following a postulated module drop is not dependent on the specific cause of the drop or RBC failure mechanism, and therefore the RBC failure is modeled as a single initiating event and the RBC is assessed for risk significance without being resolved into further detail.

2. Operator errors of commission were included in the RBC reliability assessment for completeness because historical operating experience for cranes has shown human error to be a significant cause of load drops. In the absence of detailed procedures, error-of-commission events were identified using available design information and engineering judgment, and contribute to a conservative estimate of the RBC failure probability.

Risk importance metrics were not developed for specific errors of commission because detailed evaluation of specific causes of RBC failure was not required for the LPSD PRA, as described in the response to Item 1.

3. The RBC control system contains a bypass that allows the crane to be operated outside of its normal travel limits for special lifting situations (i.e., lifts not involving module movement). The bypass is accessed using a locked key switch that prevents the safety limits from being bypassed during normal operations. The assumption that the bypass will be locked out during module transport is based on engineering judgment that administrative controls will be in place to prevent the key from being inserted in the switch during normal crane operations.

An assumption has been added to FSAR Table 19.1-71 that administrative controls will be implemented to ensure that RBC safety features are functional during module movement.

NuScale Nonproprietary

4. Operator actuation of the safety stop function is modeled as a backup to the automatic detection and actuation capability of the RBC control system, and is credited only for initial failures for which an operator could credibly actuate the safety stop in time to prevent a module drop.

Risk importance metrics were not developed for this operator action for the reasons described in the response to Item 1, and thus, a sensitivity study to determine its importance was not performed.

5. As stated in the response to Item 1, modeling of bridge and trolley overspeed and overtravel events in the RBC reliability assessment was based on available design information and engineering judgment, and does not include detail of the bridge or trolley control system. For example, only operator action was credited with detecting a bridge or trolley overtravel and actuating the safety stop; additional features of the RBC control systems position monitoring function and limit switches described in FSAR Section 9.1.5.5 were not credited. Similarly, bridge and trolley overspeed events do not credit limit switches to actuate the safety stop.

Even modeled conservatively, the probability of an unmitigated bridge or trolley overtravel or overspeed is less than one percent of the probability of RBC failure, which is consistent with the screening philosophy in the ASME/ANS PRA Standard. Therefore, the consequence of RBC failures leading to collision of the module with the pool walls or another module was not evaluated.

Impact on DCA:

FSAR Table 19.1-71 has been revised as described in the response above and as shown in the markup provided in this response.

NuScale Nonproprietary

Tier 2 NuScale Final Safety Analysis Report RAI 19-23, RAI 19-37 Table 19.1-7: Key Assumptions for the Low Power and Shutdown Probabilistic Risk Assessment Assumption Applicable POS Basis The refueling cycle of a module is two years, giving a frequency of 0.5 refueling outages per year. All Design characteristic Only the refueling outage is analyzed quantitatively in the LPSD PRA; evolutions such as turbine bypass All Common engineering practice and controlled shutdown are only discussed qualitatively. Seven POSs are identified for LPSD conditions.

No credit is taken for heat transfer through containment during containment flooding (i.e., POS1- POS1, POS6 Bounding assumption shutdown and initial cooling) or containment draining (POS6 - heatup).

Control rod withdrawal and reactivity insertion is not credible during LPSD. POS1, POS2, POS3, Control rods are disconnected from their POS4, POS5, POS6 drive mechanisms after insertion to prevent premature withdrawal.

Spurious closure of the ECCS valves is not credible after they are opened. POS2, POS5 Spurious closure is precluded by valve design; separate actions are required to pressurize the control chamber and close the pilot valve. Closure of the valves is also not possible when CVCS is not in service because CVCS flow is required to close the valves.

19.1-281 The inadvertent actuation block (IAB) of the ECCS valves is not credited for reducing the frequency of a POS1, POS6 The IAB is active when the RPV pressure is spurious valve opening when the module is subcritical (i.e., POS1 and POS6). near operating pressure (i.e., POS7).

Scheduled testing and maintenance on module-specific components (i.e., CVCS pumps) is performed POS1, POS6 Common engineering practice during a POS in which the component is not required.

The module is transported by the RBC to the refueling area in POS3 and back to the operating bay in POS3, POS5 Bounding assumption that gives the greatest POS5; postulated module drops are only considered in the operating area or refueling area of the probability of striking another module and reactor pool. tipping horizontally. Also gives the lowest probability that a dropped module lands upright.

If dropped from a height of one foot or less, the probability that the module tips is 0.5, with uncertainty POS3, POS5 Engineering judgment based on the design uniformly distributed between 0 and 1. When dropped from greater than one foot, the module is of the CNV support skirt and seismic assumed to tip. amplification margin.

Probabilistic Risk Assessment A dropped module that tips, falls horizontally to the reactor pool floor and experiences core damage. POS3, POS5 Conservative analysis The CNV is assumed to be damaged and is not credited with preventing the release of radionuclides. The resulting source term is evaluated 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> after shutdown, which is approximately the beginning of POS3.

Draft Revision 1 After the bottom of the CNV is removed, primary coolant communicates with water in the reactor pool POS3, POS4, POS5 Engineering judgment through the open RVVs and RRVs and keeps the core covered and cooled.

During an RBC lift, the module is kept below the height that could damage the UHS if dropped. POS3, POS5 Engineering judgmentDesign characteristic

Table 19.1-7: Key Assumptions for the Low Power and Shutdown Probabilistic Risk Assessment (Continued)

Tier 2 NuScale Final Safety Analysis Report Assumption Applicable POS Basis Seismic events during LPSD conditions are only a concern during module transport when the reactor POS3, POS5 Bounding assumption crane is under load. The seismic risk from a dropped module, however, is overestimated because the fragility analysis was performed with loaded module weighting.

Internal fires and internal floods have a minimal impact on LPSD conditions because of the limited All Engineering judgment frequency and duration in each POS, the fail-safe nature of NuScale safety systems, and the very low conditional core damage probability during LPSD conditions.

External floods have a minimal impact on LPSD conditions because of the limited frequency and All Engineering judgment duration in each POS, the fail-safe nature of NuScale safety systems, forecasting tools provide ample warning time in most cases to perform a controlled shutdown, and the very low conditional core damage probability during LPSD conditions.

High winds have a minimal impact on LPSD conditions because of the limited frequency and duration in All Engineering judgment each POS, the fail-safe nature of NuScale safety systems, forecasting tools provide ample warning time to move a module from the crane and place it in a safe position, and the very low conditional core damage probability during LPSD conditions.

Administrative controls will ensure that RBC safety features are functional during module movement POS3, POS4, POS5 Engineering judgment 19.1-282 Probabilistic Risk Assessment Draft Revision 1

Retrieved from "https://kanterella.com/w/index.php?title=ML18036B203&oldid=2535242"