RAIO-0618-60457, LLC - Supplemental Response to NRC Request for Additional Information No. 292 (eRAI No. 9128) on the NuScale Design Certification Application

ML18165A431
Site: NuScale
Issue date: 06/14/2018
From: Rad Z, NuScale
To: Document Control Desk, Office of New Reactors
References: RAIO-0618-60457


Text

RAIO-0618-60457

NuScale Power, LLC
1100 NE Circle Blvd., Suite 200, Corvallis, Oregon 97330
Office: 541.360.0500, Fax: 541.207.3928
www.nuscalepower.com

June 14, 2018

Docket No. 52-048

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
One White Flint North
11555 Rockville Pike
Rockville, MD 20852-2738

SUBJECT:

NuScale Power, LLC Supplemental Response to NRC Request for Additional Information No. 292 (eRAI No. 9128) on the NuScale Design Certification Application

REFERENCES:

1. U.S. Nuclear Regulatory Commission, "Request for Additional Information No. 292 (eRAI No. 9128)," dated December 06, 2017
2. NuScale Power, LLC Response to NRC "Request for Additional Information No. 292 (eRAI No. 9128)," dated February 05, 2018

The purpose of this letter is to provide the NuScale Power, LLC (NuScale) supplemental response to the referenced NRC Request for Additional Information (RAI).

The Enclosure to this letter contains NuScale's supplemental response to the following RAI Question from NRC eRAI No. 9128:

19-37

If you have any questions on this response, please contact Paul Infanger at 541-452-7351 or at pinfanger@nuscalepower.com.

This letter and the enclosed response make no new regulatory commitments and no revisions to any existing regulatory commitments.

Sincerely,

Zackary W. Rad
Director, Regulatory Affairs
NuScale Power, LLC

Distribution:
Gregory Cranston, NRC, OWFN-8G9A
Samuel Lee, NRC, OWFN-8G9A
Rani Franovich, NRC, OWFN-8G9A

Enclosure: NuScale Supplemental Response to NRC Request for Additional Information eRAI No. 9128

NuScale Supplemental Response to NRC Request for Additional Information eRAI No. 9128

NuScale Nonproprietary

Response to Request for Additional Information
Docket No. 52-048

eRAI No.: 9128
Date of RAI Issue: 12/06/2017
NRC Question No.: 19-37

Regulatory Basis:

10 CFR 52.47(a)(27) states that a design certification application must contain a final safety analysis report (FSAR) that includes a description of the design-specific probabilistic risk assessment (PRA) and its results.

In accordance with the Statement of Consideration (72 Federal Register 49387) for the revised 10 CFR Part 52, the staff reviews the information contained in the applicant's FSAR Chapter 19, and issues requests for additional information (RAI) and conducts audits of the complete PRA (e.g., models, analyses, data, and codes) to obtain clarifying information as needed.

The staff uses guidance contained in Standard Review Plan (SRP) Chapter 19.0 Revision 3, "Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors."

In accordance with SRP Chapter 19.0 Revision 3, the staff determines whether, "The applicant has performed sensitivity studies sufficient to gain insights about the impact of uncertainties (and the potential lack of detailed models) on the estimated risk. The objectives of the sensitivity studies should include (1) determining the sensitivity of the estimated risk to potential biases in numerical values, such as initiating event frequencies, failure probabilities, and equipment unavailabilities, (2) determining the impact of the potential lack of modeling details on the estimated risk, and (3) determining the sensitivity of the estimated risk to previously raised issues (e.g., motor-operated valve reliability)."

Standard Review Plan (SRP) Section 19.0, Revision 3, also states, "Shutdown and refueling operations for small, modular reactor designs may be performed in ways that are new and completely different from those used at large traditional light water reactors (LWRs) either licensed or under review by the NRC. In these cases, a more in-depth review will be needed to ensure that the PRA model is of acceptable scope, level of detail, and technical adequacy."

As documented in SRP 19.0 Revision 3, the staff will determine whether the applicant has identified risk-informed safety insights based on systematic evaluations of the risk associated with the design. The applicant should identify and describe the following:

A. The design's robustness, levels of defense-in-depth, and tolerance of severe accidents initiated by either internal or external events

B. The risk significance of potential human errors associated with the design.

Request for Additional Information

Per Chapter 19 of the FSAR, module drop events dominate the NuScale core damage frequency. As such, the staff reviewed the Probabilistic Risk Assessment Notebook for the Reactor Building Crane, ER-P050-3815, Rev. 1 (notebook) and noted that key risk insights from the notebook are not reported in the FSAR.

1. FSAR Table 19.1-70, "Listing of Candidate Risk Significant Structures, Systems, and Components (Single Module): Low Power and Shutdown Probabilistic Risk Assessment," identifies the reactor building crane as a single entry, with no supporting detail. However, as described in the notebook, the safety stop function for the main hoist is critical to the safe operation of the crane and its ability to hold the load following any failure or abnormal lift. There are several single failure points for this system including: the main hoist drive controller VFD403 fails to cut power to the motor, the lower command CR1606 fails closed, the raising command CR1602 fails closed, the main hoist safety stop related fails closed CR1733, the main hoist under voltage related TD1744 fails closed, and the common cause of the hoist shoe brakes fail to close. The staff is requesting the reactor building crane entry in Table 19.1-70 be expanded to include the risk importance results of the critical SSCs (listed above) for the crane or justify why these additions are not necessary.

2. In the notebook, several operator errors of commission, which are challenging to quantify in PRAs, were estimated to be important in the module drop frequency including: bridge over speed with an intact module, trolley over speed with an intact module, over travel raise with an intact module, over travel lower with an intact module, over speed event with an intact module, and over load with an intact module. The staff is requesting these operator actions and their risk importance results be added to the FSAR or justify why these additions are not necessary.

3. The notebook assumes the crane will not be permitted to operate with the bypass in place, and the bypass switch itself, a keyed switch, will be locked open during a lift to prevent its inadvertent actuation. The safety stop system contains a bypass function that will permit the load to be lowered after the safety stop system has been actuated and inhibit the automatic actuation of the safety stop due to any fault. The staff requests this key assumption either be added to Table 19.1-71, "Key Assumptions for the Low Power and Shutdown Probabilistic Risk Assessment," or that the applicant explain why the addition is not necessary.

4. The notebook reports the failure for the crane operator to activate the safety stop as 1E-3. Given the importance of this action and the absence of operating procedures, please provide the results of a sensitivity study assessing the risk significance of this error on the NuScale core damage frequency or explain why it is not necessary.

5. The notebook states an unmitigated bridge overspeed event may cause the module to collide with a pool wall. The staff requests this event and the consequences (failure of the Ultimate Heat Sink damage another module) be added to the FSAR or explain why this addition is not necessary.

NuScale Response:

NuScale is supplementing its response to RAI 9128 (Question 19-37) originally provided in letter RAIO-0218-58534, dated February 5, 2018. This supplemental response is provided as a result of discussions with the NRC during a public meeting held on May 8, 2018. The following information is added to the response to Item 1, as provided in RAIO-0218-58534:

The estimate of RBC failure probability (i.e., the probability of a module drop) for the representative design was developed using a fault tree approach because it was judged that available industry data were not applicable to the NuScale design. Using this approach, the probability of a module drop during refueling movement is 2.2E-7, as indicated in FSAR Table 19.1-68. The probability per lift is evaluated as 1.1E-7, which reflects the probability of a dropped load during the process of attaching the module, movement between the module operating location, the containment flange tool (CFT) and reactor flange tool (RFT), and detachment of the RBC from the module components, i.e., the sum of 5E-8 and 6E-8 as shown in Table 19.1-68. The RBC failure probability reflects the use of unique features for moving a module with the RBC, e.g., the module lifting adaptor (MLA). The RBC failure probability considers some basic safety features that are associated with single failure proof crane designs and commitment to ASME NOG-1. However, because the NuScale RBC design is not finalized, additional features may be present that have not been explicitly credited in the PRA analysis.

The resultant RBC failure probability reflects that

- the primary purpose of the RBC is to move a module for refueling (FSAR Section 9.1.5).

- the design specific MLA eliminates the need for unique rigging configurations (FSAR Section 9.1.5.2.2).

- the design eliminates single failures that contribute to observed industry failures, e.g., the NuScale design includes redundant wire ropes and gear boxes (FSAR Section 9.1.5.1).

- RBC traverse and hoist speeds are limited by the control system; the control system allows the operator to position the RBC according to defined coordinates (FSAR Sections 9.1.5.2.2 and 9.1.5.5).

- limit switches control the RBC travel path and lift heights (FSAR Section 9.1.5.2.1).

- RBC instrumentation is provided for critical aspects of system operation (FSAR Section 9.1.5.5).

- based on a nominal two-year fuel cycle (FSAR Section 4.3.2.1), refueling outages for a NuScale plant are relatively common events (i.e., every two months for a 12-module configuration).

- refueling and RBC operations will be covered by procedures and training (COL Item 9.1-7).

With these considerations in the NuScale design-specific evaluation, the RBC failure probability is evaluated to be lower than documented elsewhere (e.g., considering equipment and operator error, the crane system failure rate estimate is 3.3E-6 per lift, as illustrated in Table 3 of NUREG-1774, "Survey of Crane Operating Experience at U.S. Nuclear Power Plants from 1968 through 2002" and EPRI 1009691, "Probabilistic Risk Assessment of Bolted Storage Casks" provides a load drop estimate of 5.3E-6 per lift).

FSAR Table 19.1-71 includes an assumption that administrative controls will be implemented to assure that RBC safety features are functional during module movement. That assumption has been modified to include an example of a safety feature that has been considered in the evaluation of RBC load drop probability.

Although the RBC reliability assessment was performed to develop an initiating event frequency to be used in the LPSD PRA, the assumptions used in the reliability assessment must be validated, and modified as needed, for applicability to the as-built, as-operated plant, as required by COL Item 19.1-8. The reliability assessment reflects RBC design commitments as well as inspection and testing requirements. FSAR Section 9.1.5 identifies the RBC design commitments (e.g., single-failure-proof crane in accordance with the requirements of NUREG-0554 and ASME NOG-1 for Type I cranes), design-specific rigging device (i.e., the MLA), redundant design features (e.g., dual gearboxes), and safety features (e.g., limit switches for travel and lift). FSAR Section 9.1.5.4 also addresses pre-operational inspection and testing of the RBC, as governed by ASME NOG-1 and includes: operational testing with 100 percent load to demonstrate function and speed controls for bridge, trolley, and hoist drives; as well as proper functioning of limit switches, locking, and safety devices. Regular service, including inspections, testing, and maintenance of the RBC are performed in accordance with ASME B30.2. COL Items 9.1-5, 9.1-6, and 9.1-7 address applicant requirements for heavy load handling programs, including operation and maintenance procedures, inspection and test plans, and personnel qualification and operator training.

The design commitments for the RBC that are discussed in the FSAR, and associated COL items, together with the COL item related to PRA assumptions, assure that the RBC, when operational, can be demonstrated to be highly reliable.

The design reliability assurance program (D-RAP) is described in FSAR Section 17.4. As discussed in that section, RAP implementation is performed in two stages. In the design stage, the functions and associated structures, systems, and components (SSCs) are evaluated and classified according to their risk-significance. The RBC and MLA are included in the D-RAP, as indicated in FSAR Table 17.4-1. The RBC and MLA are identified as SSCs that are required to perform the risk significant function of structural support and mobility that was included in the D-RAP program. The second stage is conducted during plant operational phases and focuses on ensuring that the reliability of SSCs within the scope of the RAP is maintained. As indicated earlier, the reliability of the RBC, as modeled in the PRA, reflects design features that are identified in FSAR Section 9.1.5. Inclusion of specific safety features associated with RBC reliability in Table 17.4-1 is judged to be inappropriate at the design stage and is left for inclusion at the operational stage when the design is finalized. COL Item 17.4-1 identifies a requirement to describe the RAP during plant operation. COL Item 17.4-2 requires the applicant to identify site-specific SSCs within the scope of the RAP.

Impact on DCA:

FSAR Table 19.1-71 has been revised as described in the response above and as shown in the markup provided in this response.

NuScale Final Safety Analysis Report
Probabilistic Risk Assessment
Tier 2 19.1-277 Draft Revision 2

RAI 19-23, RAI 19-37, RAI 19-37S1

Table 19.1-71: Key Assumptions for the Low Power and Shutdown Probabilistic Risk Assessment

| Assumption | Applicable POS | Basis |
|---|---|---|
| The refueling cycle of a module is two years, giving a frequency of 0.5 refueling outages per year. | All | Design characteristic |
| Only the refueling outage is analyzed quantitatively in the LPSD PRA; evolutions such as turbine bypass and controlled shutdown are only discussed qualitatively. Seven POSs are identified for LPSD conditions. | All | Common engineering practice |
| No credit is taken for heat transfer through containment during containment flooding (i.e., POS1-shutdown and initial cooling) or containment draining (POS6 - heatup). | POS1, POS6 | Bounding assumption |
| Control rod withdrawal and reactivity insertion is not credible during LPSD. | POS1, POS2, POS3, POS4, POS5, POS6 | Control rods are disconnected from their drive mechanisms after insertion to prevent premature withdrawal. |
| Spurious closure of the ECCS valves is not credible after they are opened. | POS2, POS5 | Spurious closure is precluded by valve design; separate actions are required to pressurize the control chamber and close the pilot valve. Closure of the valves is also not possible when CVCS is not in service because CVCS flow is required to close the valves. |
| The inadvertent actuation block (IAB) of the ECCS valves is not credited for reducing the frequency of a spurious valve opening when the module is subcritical (i.e., POS1 and POS6). | POS1, POS6 | The IAB is active when the RPV pressure is near operating pressure (i.e., POS7). |
| Scheduled testing and maintenance on module-specific components (i.e., CVCS pumps) is performed during a POS in which the component is not required. | POS1, POS6 | Common engineering practice |
| The module is transported by the RBC to the refueling area in POS3 and back to the operating bay in POS5; postulated module drops are only considered in the operating area or refueling area of the reactor pool. | POS3, POS5 | Bounding assumption that gives the greatest probability of striking another module and tipping horizontally. Also gives the lowest probability that a dropped module lands upright. |
| If dropped from a height of one foot or less, the probability that the module tips is 0.5, with uncertainty uniformly distributed between 0 and 1. When dropped from greater than one foot, the module is assumed to tip. | POS3, POS5 | Engineering judgment based on the design of the CNV support skirt and seismic amplification margin. |
| A dropped module that tips, falls horizontally to the reactor pool floor and experiences core damage. The CNV is assumed to be damaged and is not credited with preventing the release of radionuclides. The resulting source term is evaluated 48 hours after shutdown, which is approximately the beginning of POS3. | POS3, POS5 | Conservative analysis |
| After the bottom of the CNV is removed, primary coolant communicates with water in the reactor pool through the open RVVs and RRVs and keeps the core covered and cooled. | POS3, POS4, POS5 | Engineering judgment |
| During an RBC lift, the module is kept below the height that could damage the UHS if dropped. | POS3, POS5 | Design characteristic |
| Seismic events during LPSD conditions are only a concern during module transport when the reactor crane is under load. The seismic risk from a dropped module, however, is overestimated because the fragility analysis was performed with loaded module weighting. | POS3, POS5 | Bounding assumption |
| Internal fires and internal floods have a minimal impact on LPSD conditions because of the limited frequency and duration in each POS, the fail-safe nature of NuScale safety systems, and the very low conditional core damage probability during LPSD conditions. | All | Engineering judgment |
| External floods have a minimal impact on LPSD conditions because of the limited frequency and duration in each POS, the fail-safe nature of NuScale safety systems, forecasting tools provide ample warning time in most cases to perform a controlled shutdown, and the very low conditional core damage probability during LPSD conditions. | All | Engineering judgment |
| High winds have a minimal impact on LPSD conditions because of the limited frequency and duration in each POS, the fail-safe nature of NuScale safety systems, forecasting tools provide ample warning time to move a module from the crane and place it in a safe position, and the very low conditional core damage probability during LPSD conditions. | All | Engineering judgment |
| Administrative controls will ensure that RBC safety features (e.g., limit switches to prevent undesired movement) are functional during module movement | POS3, POS4, POS5 | Engineering judgment |