ML19143A106

DCA - Safety Evaluation Report with No Open Items - Chapter 19, Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors
ML19143A106
Person / Time
Site: NuScale
Issue date: 12/12/2019
From:
NRC/NRR/DNRL/NRLB
To:
Franovich R , 415-7443
Shared Package
ML19143A102 List:
References
Chapter 19


19 PROBABILISTIC RISK ASSESSMENT AND SEVERE ACCIDENT EVALUATION FOR NEW REACTORS

This chapter documents the U.S. Nuclear Regulatory Commission (NRC or Commission) staff (hereafter referred to as the staff) review of Chapter 19, Probabilistic Risk Assessment and Severe Accident Evaluation, of the NuScale Power, LLC (hereafter referred to as the applicant) Design Certification Application (DCA), Part 2, Final Safety Analysis Report (FSAR), Revision 3.

In this chapter, the NRC staff uses the term non-safety-related to refer to structures, systems and components (SSCs) that are not classified as safety-related SSCs as described in Title 10 of the Code of Federal Regulations (10 CFR) 50.2. However, among the non-safety-related SSCs, there are those that are important to safety as that term is used in the General Design Criteria (GDC) listed in Appendix A, General Design Criteria for Nuclear Power Plants, to 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, and others that are not considered important to safety.

19.1 Probabilistic Risk Assessment

Introduction

The staff's review ensures that the applicant has adequately addressed the Commission's objectives for the probabilistic risk assessment (PRA) as applied to the NuScale DCA. These objectives are drawn from 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants, and several policy statements listed in Section 19.1.3 of this report. They include the following:

  • Identifying and addressing potential design features and plant operational vulnerabilities.
  • Reducing or eliminating the significant risk contributors at existing operating plants that apply to the new design.
  • Selecting among alternative features, operational strategies, and design options.
  • Identifying risk-informed safety insights based on systematic evaluations of the risk.
  • Determining how the risk associated with the design compares against the Commission's goals of less than 1×10⁻⁴ per year for core damage frequency (CDF) and less than 1×10⁻⁶ per year for large release frequency (LRF).
  • Demonstrating whether the plant design represents a reduction in risk compared to existing operating plants.

  • Using the results and insights to support other programs such as the following:

    - regulatory treatment of non-safety-related systems (RTNSS)
    - regulatory oversight processes (e.g., Mitigating Systems Performance Index, significance determination process, and Maintenance Rule)
    - operational programs that support the design, inspection, construction, and operation of the plant (e.g., inspections, tests, analyses and acceptance criteria (ITAAC), the Reliability Assurance Program, technical specifications (TS), combined license (COL) action items, and interface requirements)

The staff reviewed the key elements of the PRA and evaluated its uses for the NuScale DCA based on relevant staff guidance and industry standards or best practices.

Summary of Application

DCA Part 2, Tier 1: There is no Tier 1 information associated with this area of review.

DCA Part 2, Tier 2: DCA Part 2, Tier 2, Section 19.1.1 describes the uses and applications of the PRA to support design certification (DC), COL, construction, and operational activities, and describes the limitations associated with the level of detail available at the design stage. DCA Part 2, Tier 2, Sections 19.0 and 19.1, describe the PRA performed for the NuScale design and summarize the Level 1 and Level 2 PRA, which evaluates the risk associated with all modes of operation for both internal and external initiating events. The PRA was performed for a single module and used to develop insights for multiple modules. DCA Part 2, Tier 2, Section 19.1, includes topics such as PRA quality, design features to minimize risk, methodology, data, uncertainties, sensitivities, insights, and results.

DCA Part 2, Tier 2, Table 19.1-80, Summary of Results (Mean Values) summarizes the at-power operations, low power shutdown operations (LPSD), and multi-module PRA results.

Qualitative risk insights are developed for external events and LPSD operations in the multi-module risk evaluation.

ITAAC: There are no ITAAC associated with this area of review.

Technical Specifications: There are no generic technical specifications associated with this area of review.

Technical Reports: There are no technical reports associated with this area of review.

Regulatory Basis

10 CFR 52.47(a)(27) states that a DCA must contain an FSAR that includes a description of the design-specific PRA and its results.

The following Commission-level documents lay out expectations for the use of PRA:

  • Policy Statement, Severe Reactor Accidents Regarding Future Designs and Existing Plants, Volume 50 of the Federal Register, page 32138 (50 FR 32138; August 8, 1985)
  • Policy Statement, Safety Goals for the Operations of Nuclear Power Plants (51 FR 28044; August 4, 1986)
  • Policy Statement, Regulation of Advanced Nuclear Power Plants (59 FR 35461; July 12, 1994)

SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, dated April 2, 1993 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML003708021) and SECY-90-016, Evolutionary Light Water Reactor (LWR) Certification Issues and Their Relationship to Current Regulatory Requirements, dated January 12, 1990 (ADAMS Accession No. ML003707849) and the related staff requirements memorandum (SRM), respectively dated July 21, 1993 (ADAMS Accession No. ML003708056) and June 26, 1990 (ADAMS Accession No. ML003707885), provide more specific Commission direction and staff guidance on PRAs relevant to licensing reviews.

NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition (also called the SRP), Section 19.0, Revision 3, Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors, is the guidance that the staff uses to review this area. The acceptance criteria are derived from the regulatory requirements and Commission policies noted above.

Design Certification/Combined License Interim Staff Guidance (DC/COL-ISG)-028, Assessing the Technical Adequacy of the Advanced Light-Water Reactor Probabilistic Risk Assessment for the Design Certification Application and Combined License Application, issued November 2016 (ADAMS Accession No. ML16130A468), provides additional guidance addressing how the applicant can use American Society of Mechanical Engineers/American Nuclear Society (ASME/ANS) RA-Sa-2009, Addenda to ASME/ANS RA-S-2008 Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, as endorsed by Regulatory Guide (RG) 1.200, Revision 2, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, issued March 2009, with exceptions and clarifications.

SRP Section 19.0 and DC/COL-ISG-028 refer to other guidance documents (e.g., RGs, NUREGs, industry documents) that are not repeated in this section, although some of these documents are discussed in the technical evaluation of specific topics.

Technical Evaluation

The staff reviewed the description and results of the PRA contained in DCA Part 2, Tier 2. During the review, the staff issued requests for additional information (RAIs), conducted a series of public meetings with the applicant, and performed two regulatory audits with reports dated November 3, 2017 (ADAMS Accession No. ML17305A024) and September 13, 2018 (ADAMS Accession No. ML18254A340) to examine documents that are not docketed. All references to an audit or audits in this report refer to either or both of these regulatory audits. The staff coordinated and worked with other technical disciplines (e.g., reactor systems, plant systems, radiation protection, electrical engineering, structural engineering, mechanical engineering, and instrumentation and controls) for an efficient and effective review of this area. This section summarizes the results of the staff review that are important to the overall conclusion on the NuScale PRA and its conformance to the applicable regulatory requirements. The Open Items from the Phase 2 SE have been resolved.

Uses and Application of the Probabilistic Risk Assessment

The staff reviewed DCA Part 2, Tier 2, Sections 19.0.2, Uses of the PRA and Severe Accident Evaluation, and 19.1.1, Uses and Applications of the Probabilistic Risk Assessment, to confirm that the applicant used the PRA in a manner consistent with the Commission's objectives for a design-phase PRA. Because the design-phase PRA is limited to the design details available without a constructed plant or operational experience, the staff focused its review on the risk insights from the PRA. The staff confirmed that the risk insights developed can reasonably support the uses of the PRA listed in DCA Part 2, Tier 2, Table 19.1-1, Uses of Probabilistic Risk Assessment at the Design Phase. The staff finds that the applicant's uses of the PRA during the design phase conform to SRP Section 19.0 and therefore are reasonable and acceptable.

Consistent with SRP Section 19.0, a DCA applicant need not address the uses of the PRA that require site-specific or plant-specific information relevant to a COL application. In DCA Part 2, Tier 2, Section 19.1.1.2, Combined License Application Phase, the applicant established six COL information items to address uses of the PRA by a COL applicant. The staff finds that the proposed COL information items are acceptable because these items will enable the staff to assess the uses of the PRA by a COL applicant consistent with the guidance in SRP Chapter 19.0.

Acceptability of the Probabilistic Risk Assessment¹

The staff reviewed DCA Part 2, Tier 2, Section 19.1.2, Quality of the Probabilistic Risk Assessment, to evaluate the acceptability of NuScale's design-phase PRA. In its evaluation, the staff considered the scope, level of detail, technical adequacy, and plant representation of the NuScale PRA. In DCA Part 2, Tier 2, Table 1.9-4, Conformance with Interim Staff Guidance, the applicant stated that the NuScale DCA conforms to DC/COL-ISG-028. The staff also reviewed details in other sections of DCA Part 2, Tier 2, Chapter 19, to assess the PRA acceptability.

The staff finds that the scope of the PRA is consistent with the expected scope for a design-phase PRA as described in SRP Section 19.0. The PRA scope is appropriate for design certification because it addresses applicable internal and external events for all operating modes. The scope includes the use of a PRA-based seismic margins analysis (SMA), versus a seismic PRA, for the risk insights from seismic initiating events, which is appropriate for a DCA.

The scope also includes a multi-module risk evaluation of a 12-module plant configuration. In the multi-module risk evaluation, the applicant addresses the potential impact of one module on other modules in the reactor pool or near a module experiencing an event and qualitatively addresses the risk associated with the impact of external events on multiple modules.

SRP Section 19.0 states that if detailed design information is not available or it can be shown that detailed modeling does not provide additional significant information, it is acceptable to make bounding-type assumptions consistent with the guidelines in DC/COL-ISG-028. The staff finds the level of detail in the design-phase PRA acceptable because the applicant has limited detailed design information (such as cable routing information, operating and maintenance procedures) and operating experience, and the applicant identified a reasonably complete list of limitations that contribute to uncertainties. The applicant's approach of using conservative but reasonable assumptions to account for these uncertainties is acceptable for the design stage because the risk insights are not expected to be masked. The staff finds that the level of detail in the NuScale PRA is consistent with the relevant guidance in SRP Section 19.0. This level of detail is commensurate with the uses of the PRA and is therefore sufficient to gain risk insights, in conjunction with the acceptable assumptions made in the PRA at the DC stage. The staff finds that the NuScale PRA reasonably reflects the actual plant design.

Based on the staff's evaluation of the full scope PRA documented in Sections 19.1.4.4 through 19.1.4.9 of this report, the staff finds that the PRA conforms to DC/COL-ISG-028 and therefore is of sufficient technical adequacy. The staff's guidance states that the DCA PRA is not required to have a peer review. The applicant did not perform a peer review; however, an expert panel, with members from outside NuScale with expertise in PRA, thermal-hydraulics, seismic evaluation, and regulatory requirements, reviewed the PRA for general quality and completeness. In addition, the applicant conducted a self-assessment of the PRA against the ASME/ANS RA-Sa-2009 Standard, which external consultants reviewed for accuracy. The development of the PRA reflected feedback from the expert panel and self-assessment. The staff finds the applicant's expert panel review and self-assessment of the PRA against industry PRA standards to be an acceptable approach consistent with SRP Section 19.0, which states that a self-assessment is an acceptable tool for evaluating the technical adequacy of a PRA performed in support of an application for a DCA. The staff audited documents related to the expert panel review and self-assessment and did not identify any issues of concern.

¹ The discussion of PRA acceptability in this report is consistent with the resolution to DPO-2016-001 (ADAMS Accession No. ML17013A015). Acceptability is defined as scope, level of detail, technical adequacy, and plant representation.

The staff finds the PRA maintenance and upgrade approach described in DCA Part 2, Tier 2, Section 19.1.2.4, Probabilistic Risk Assessment Maintenance and Upgrade, acceptable because it addresses the key elements of the maintenance for the DC stage, including consistency with the design; configuration control of software; and documentation of assumptions, sensitivity studies, and PRA results. This approach conforms to the guidance in SRP Section 19.0.

Special Design/Operational Features

The staff reviewed DCA Part 2, Tier 2, Section 19.1.3, Special Design and Operational Features, and considered NuScale's design and operational features for preventing core damage, mitigating the consequences of core damage, preventing releases from containment, and mitigating the consequences of releases from containment, as well as the uses of the PRA in the design process. The staff also evaluated DCA Part 2, Tier 2, Table 19.1-2, Design Features/Operational Strategies to Reduce Risk, and DCA Part 2, Tier 2, Table 19.1-3, Use of Probabilistic Risk Assessment in Selection of Design Alternatives. The staff finds that the applicant identified a reasonable list of design and operational features that enhance plant safety in comparison to existing operating plants. These features represent a significant improvement on the vulnerabilities of earlier reactor designs by reducing the number of components and systems required to respond to a plant event and relying on passive systems and the ultimate heat sink (UHS). The staff finds that the applicant's design process benefited from using the PRA to identify design enhancements to reduce plant risk and that the applicant provided a list of design decisions supported by the PRA. The staff finds the use of the PRA in the design process acceptable because the use of PRA risk insights resulted in an improved design and lowered the NuScale design risk profile.

Level 1 Internal Events Probabilistic Risk Assessment for Operations at Power

The staff evaluated DCA Part 2, Tier 2, Section 19.1.4.1, Level 1 Internal Events Probabilistic Risk Assessment for Operations at Power, for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.1 Initiating Event Analysis

DCA Part 2, Tier 2, Sections 19.1.4.1.1.2, Internal Initiating Events, and 19.1.4.1.1.5, Data Sources and Analysis, describe the internal initiating event analysis. The staff reviewed the applicant's analysis to determine whether the applicant's identification of initiators and estimation of the annual frequencies are adequate for the intended uses of the PRA.

The applicant used a structured, systematic process, which accounts for design-specific features, to identify initiating events. The applicant used a failure modes and effects analysis (FMEA) and a master logic diagram (MLD) to identify design-specific system and support system faults that could lead to an initiating event or adversely affect the module's ability to respond to an upset condition. These approaches supplemented the review of potential initiating events from industry operating experience data sources and PRA studies.

The applicant identified 11 internal initiators in the PRA. The design, in conjunction with the use of simplifying assumptions, allows the potential accident sequences to be reasonably represented by these 11 initiators. This was possible because the design uses fail-safe features, passive core cooling, and heat removal capabilities, thereby relying less on active systems than a traditional large light-water pressurized-water reactor (PWR).

For loss-of-coolant accidents (LOCAs), the applicant assumed that chemical and volume control system (CVCS) line breaks, spurious opening of a reactor safety valve (RSV), and spurious opening of an emergency core cooling system (ECCS) valve sufficiently represent all LOCAs.

In reality, many more reactor pressure vessel (RPV) penetrations exist, such as those needed for the control rod drive mechanism, pressure and temperature instrument taps, and instrumentation and controls. For these additional smaller RPV penetrations, the staff finds that the plant response can be expected to be similar to, or bounded by, an explicitly modeled CVCS line break because they have similar mitigation requirements. Therefore, representing pipe breaks of RPV penetrations with the CVCS line breaks is acceptable. Similarly, the staff finds that spurious opening of an RSV and spurious opening of an ECCS valve initiating events reasonably represent the non-pipe-break LOCAs, and the containment bypass events are adequately identified by the CVCS line breaks outside containment and steam generator tube failure (SGTF).

The secondary-side line break initiator includes several different pipe break scenarios (e.g., main steamline, feedwater line, and decay heat removal system (DHRS) line, both inside and outside containment). The staff reviewed the applicant's approach to estimating the secondary-side line break frequency for the NuScale design. The applicant evaluated degradation mechanisms to obtain data sets by screening out the mechanisms not applicable to the NuScale design. Using the field experience data and failure rate information, the applicant estimated conditional rupture probabilities given size, component type, and degradation mechanism. The likelihood of a pipe flaw propagating to a significant structural failure is expressed by the conditional failure probability. The frequency of pipe breaks is then summed for the conditional rupture probabilities and corresponding component types. The staff finds that the approach is reasonable because it is based on systematic, logical steps adequate for the DC PRA. For the initiating event frequencies associated with breaks in the main steamlines, feedwater lines, the DHRS, and steam generator tubes, the applicant performed sensitivity studies which showed that the CDF and LRF are relatively insensitive to specific estimates for these initiating event frequencies.

The loss of electrical power initiator consists of a loss of offsite power (LOOP) scenario and a loss of direct current (dc) power scenario. The LOOP scenario represents a loss of alternating current (ac) power to the station, and the loss of dc power scenario represents a deenergization of two or more highly reliable dc buses. The staff finds the applicant's use of generic data to calculate the initiator frequencies acceptable for the design stage because plant-specific information is unavailable.

The general reactor trip initiator represents every transient that leads to a loss of normal heat sink (i.e., power conversion system) and general transients. The loss of support systems initiator captures reactor trip events that also disable systems that support the CVCS, the containment flood and drain system (CFDS), or both. The initiating event frequency is based on PWR operating experience. The staff finds the approach reasonable since this category captures internal initiating events that are not included in other categories and the events identified using industry experience, FMEA, and an MLD are comprehensive.

For the NuScale design, the assumed initiating event frequencies contain large uncertainties as plant-specific operating experience and associated data are not available to inform design-specific initiating event frequency estimates. The staff reviewed the assumed frequency estimates and finds that the applicant reasonably estimated the frequencies based on comparisons with industry databases and past PRA studies.

Based on the above considerations, the staff is reasonably confident that no risk-significant initiators have been excluded from the identified initiators. The staff also finds that the assumed initiating event frequency estimates, in conjunction with the evaluation of associated uncertainties, are acceptable for DC purposes. Therefore, the staff finds the applicant's initiating event analysis acceptable for the DCA because it is technically adequate and sufficiently consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.2 Success Criteria

DCA Part 2, Tier 2, Section 19.1.4.1.1.3, Success Criteria, describes the success criteria analysis. The staff evaluated whether the determination of minimum requirements for critical safety functions, supporting SSCs, and operator actions to prevent core damage, given an initiating event, is adequate for the intended uses of the PRA. The staff also reviewed the adequacy of the engineering analyses used to support these success criteria.

The applicant defined the Level 1 PRA success criteria for an accident sequence as preventing core damage for 72 hours following an initiating event, with module conditions being stable or improving. The 72-hour minimum mission time is longer than the 24-hour mission time referenced in ASME/ANS RA-Sa-2009 to account for the dynamic behavior of the NuScale passive cooling systems. Core damage is defined as fuel peak cladding temperature exceeding 2,200 degrees Fahrenheit (F). Also, core damage is assumed, and the ECCS is considered unavailable for accident mitigation, if analysis shows that the RPV ultimate pressure is exceeded.

The applicant used the thermal hydraulic system code, NRELAP5, to support the determination of the Level 1 PRA and system success criteria. The applicant developed the NRELAP5 model based on the design-basis NRELAP model to support the PRA. The design-basis NRELAP model was validated against the NuScale Integral Test Facility data.

The staff audited the thermal-hydraulic simulations performed to develop the minimum set of system performance requirements to prevent core damage. Best estimate inputs and assumptions were generally used for the success criteria and are appropriate for analyses supporting the PRA, in contrast to the conservative inputs and assumptions used in the design-basis approach. These simulations confirmed redundancy in the design of safety systems. For example, for non-LOCA events, only one of two RSVs needs to successfully cycle to achieve a safe state. Also for non-LOCA events, the same safety function can be achieved with one of two trains of the DHRS. For LOCA events, one of two reactor recirculation valves (RRVs) and one of three reactor vent valves (RVVs) need to open to achieve a safe state. For LOCAs inside containment, one of two CVCS makeup trains provides a backup to the ECCS function. For certain LOCAs outside containment and certain non-LOCA scenarios, the CFDS provides a backup to the CVCS.

Additionally, for LOCAs inside containment for Level 1 accident sequences, the staff confirmed appropriate modeling of the containment isolation function. In DCA Part 2 Tier 2, Table 19.1-6, System Success Criteria per Event Tree Sequence, the applicant assumed that for events other than CVCS line breaks outside containment and SGTF, the containment isolation function is not necessary to support the passive core cooling and heat removal functions of the safety systems and containment. For LOCAs inside containment (e.g., inadvertent RVV opening), the applicant performed NRELAP5 simulations assuming failed containment isolation valves (CIVs) on the containment evacuation system (CES) line penetration to demonstrate that the module retains sufficient water inventory in containment to provide passive heat removal to the UHS without containment isolation.

Based on NRELAP5 simulations, the applicant concluded that for initiators that involve a loss of coolant inside of containment, with success of the reactor trip system and a failure of containment isolation, the ECCS provides passive fuel cooling without the need for inventory makeup. DCA Part 2, Tier 2, Table 19.1-7, Success Criteria per Top Event, presents this conclusion for the ECCS. Based on the above information, including the results of the thermal-hydraulic and computational fluid dynamics analyses, the applicant concluded that passive heat removal to the UHS is achievable without containment isolation. The staff confirmed the results of the applicant's thermal-hydraulic analysis and ensured that the appropriate basis for the applicant's success criteria is included in the DCD.

Another novel design feature in the NuScale design is that for non-LOCA events, with or without a successful reactor trip, a single RSV that successfully cycles (i.e., opens and closes as needed to relieve steam into the CNV) is sufficient to achieve a safe and stable state. The staff audited the applicant's analysis of the general transient anticipated transient without scram (ATWS) event with cycling of the RSV. The staff also performed a confirmatory analysis (ADAMS Accession No. ML19196A340) of this scenario using the TRAC/RELAP Advanced Computational Engine (TRACE) code to evaluate the validity of the applicant's assumption that a single cycling RSV provides sufficient passive decay heat removal (DHR) to the UHS for ATWS conditions. The staff's confirmatory analysis showed that with the DHRS unavailable, the reactor coolant system (RCS) temperature continues to increase, and the reactor reaches and remains at a subcritical state. The temperature increases until a combination of high temperature and fluid in the CNV from RSV relief contributes to heat removal from the RPV to the CNV, then to the UHS. Once heat loss through the CNV is sufficient to balance the decay heat, RSV cycling stops. Based on the staff's review of the applicant's analysis and the staff's confirmatory analysis, the staff finds that the passive heat removal capability is sufficient to prevent core damage if a single RSV successfully cycles for this scenario.

A key assumption of the PRA is the availability of the UHS to provide an adequate heat sink. To support passive heat removal with the DHRS or ECCS, the reactor modules are housed and partially submerged in the UHS such that most of the outer surface of the CNV directly contacts the UHS, which is a large pool of water in the reactor building (RXB). The applicant demonstrated by analysis that the UHS remains available for more than 30 days assuming a 12-module shutdown.

Based on the review of the above thermal-hydraulic simulations for a representative sample of sequences, the staff determined that the engineering analyses used to support the success criteria are reasonable and that the applicant adequately determined the minimum requirements and assumptions for critical safety functions, supporting SSCs, and operator actions to prevent core damage, given an initiating event, for the intended uses of the PRA. Therefore, the staff finds the applicant's success criteria acceptable for the DCA because they are technically adequate and sufficiently consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.3 Passive System Uncertainty

DCA Part 2, Tier 2, Section 19.1.4.1.1.5, Data Sources and Analysis, summarizes the applicant's analysis of the thermal-hydraulic (TH) uncertainty for the passive system reliability evaluation. The staff reviewed this DCA section and audited the supporting NuScale report, ER-P010-3777-A, Passive System Reliability Probabilistic Risk Assessment Report, to assess the adequacy of the passive safety system reliability evaluation used as input to the PRA. The staff's review focused on passive failures of the ECCS and DHRS to remove decay heat. The staff evaluated the applicant's approach to calculating uncertainty for scenarios in which best estimate TH analyses do not predict core damage.

The staff reviewed the applicant's selection of failure metrics for the ECCS and DHRS: peak clad temperature and RPV failure pressure, respectively. Since peak clad temperature is susceptible to cliff-edge behavior, portions of the ECCS analysis used collapsed liquid level relative to the top of active fuel as a secondary failure metric.

For both systems, the staff reviewed how accident scenarios were grouped to identify which accident scenarios were evaluated with NRELAP. The applicant's ECCS evaluation focused on the following:

  • RRV LOCA: spurious opening of an RRV or RVV with successful scram. All other systems were considered not relevant or unavailable.
  • CVCS LOCA: LOCAs outside of containment that are successfully isolated with successful scram. The DHRS is not available, and RPV pressure increases until the RSV cycles and sticks open. Inventory transfers from the RPV to CNV until the ECCS actuates on high CNV level.

The applicant's DHRS evaluation focused on a general transient with successful scram, in which one train of the DHRS is operating. No other systems are credited. The staff found the scenario selection for thermal-hydraulic analysis acceptable and consistent with SRP Chapter 19.0, Revision 3.

The applicant used NRELAP5 to evaluate the sequences and accident progression. DCA Part 2, Tier 2, Section 19.1.4 discusses the capability of NRELAP5 to model the PRA success criteria and passive system thermal-hydraulic reliability. To represent the thermal-hydraulic parameter uncertainty, the applicant used probability distributions to model certain critical parameters (e.g., ECCS valve flow coefficients, pressurizer level) to determine the thermal-hydraulic reliability of the passive systems with respect to the analysis failure metrics. The staff reviewed the applicant's NRELAP5 thermal-hydraulic inputs, their distributions, and their ranges and compared these inputs to the DCA, as applicable. To address the uncertainty in the thermal-hydraulic system reliability associated with the selection of thermal-hydraulic parameter distributions, the applicant performed a conservative sensitivity analysis where initial parameter distributions (e.g., normal distributions, triangular distributions, etc.) were assumed to be uniform. The staff reviewed the results of this sensitivity analysis for ECCS and DHRS passive failure probabilities at the 5th, 50th, and 95th confidence levels to assess the impact of this assumption on passive system success criteria and thermal-hydraulic system reliability. In a separate sensitivity study, the applicant set system failures due to CCFs (including CCFs for ECCS valves and DHRS valves) to a value of 0.002. Since the ECCS and DHRS passive system failure probabilities were significantly less than 0.002, this sensitivity represented an appropriately bounding condition for CCF. The staff has confirmed that the applicant identified key thermal-hydraulic parameters in the DCA that could affect ECCS and DHRS reliability and introduced uncertainty into the determination of success criteria, consistent with SRP 19.0. The results of this sensitivity analysis demonstrated margin to the Commission's CDF and LRF Goals for new reactors.

Therefore, the staff finds the applicant's passive system reliability analysis acceptable for a DCA because it is technically adequate and sufficiently consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.4 Accident Sequence Analysis

DCA Part 2, Tier 2, Section 19.1.4.1.1.4, Accident Sequence Determination, describes the accident sequence analysis. The staff reviewed the applicant's analysis to evaluate whether the development of design-specific accident sequences is adequate for the intended uses of the PRA and that it sufficiently accounts for the required systems, operator actions, and any potential dependencies.

The applicant used an event tree structure to model the plant scenarios affecting key safety functions that could lead to core damage following an initiating event. The staff reviewed the 11 event trees corresponding to the initiators evaluated in Section 19.1.4.4.1 of this report.


For each initiating event, the applicant included the mitigation systems, operator actions, and phenomena that can alter the accident sequences in the model event tree structure. The staff confirmed that the logic used for each event tree is consistent with the success criteria and human reliability analysis (HRA).

Based on the above information, the staff finds the applicant's accident sequence analysis acceptable for a DCA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.5 Systems Analysis

As described in DCA Part 2, Tier 2, Section 19.1.4.1.1.1, Methodology, the applicant explicitly modeled the RCS, ECCS, DHRS, module protection system (MPS), containment system (CNTS), CVCS, demineralized water system, CFDS, and electrical power system in the PRA.

The staff additionally conducted an audit to review a sample of systems, including failures and unavailability modes, common cause failures (CCFs), dependencies, and model completeness to support the determination that the systems modeled adequately reflect the as-designed plant.

The staff reviewed the ECCS model and evaluated the acceptability of excluding certain ECCS failure modes, such as the failure of the inadvertent actuation block (IAB) and plugging of the ECCS hydraulic control system trip line. The applicant asserts that the IAB does not need to be included in the ECCS model because it does not affect the successful opening of the ECCS valves. This statement is made in DCA Part 2, Tier 2, Table 19.1-7, Success Criteria per Top Event. The applicant bases this statement on the following IAB design assumptions:

  • The IAB is a normally open valve designed to close when the RPV to CNV differential pressure is high and to reopen when the differential pressure decreases for inadvertent ECCS actuations.
  • The IAB is designed to not change positions for most scenarios that call upon the ECCS function to achieve a safe end state. This is accomplished by setting the IAB setpoint sufficiently high to allow the RPV to CNV differential pressure to clear the IAB setpoint before an ECCS actuation setpoint is reached.
  • Some scenarios, such as a loss of dc power, may require the IAB to change state, but as RPV to CNV differential pressure decreases, the main spring, assisted by reactor coolant pressure, will open the main valve and support the safety function.

The staff reviewed these assumptions and observed that for very small RCS pipe breaks, the IAB may be called upon to change positions, which could affect the reliability of the ECCS. In addition, if the IAB were to fail, the passive actuation of the main valve must always succeed for the ECCS valve to open successfully. The staff notes that the passive actuation of the main valve requires that the RPV to CNV differential pressure reach a very low value. Based on these considerations, the staff views that excluding the IAB failure is a PRA model completeness issue and could also affect the reliability of the ECCS. However, the staff observes that the impact of not modeling this failure is not significant at this stage of the design due to the large uncertainty in the overall reliability estimate of the ECCS which the staff is already accounting for to support any quantitative risk findings. It would also not identify any additional significant risk insights used to support the DCA. Therefore, the staff finds the exclusion of the IAB failure from the ECCS model acceptable for the DCA PRA.

For potential plugging of the reactor trip line and potential failure modes that support the CIVs, which were not explicitly modeled, the system design is not sufficiently complete to support a detailed system model. The staff finds that the PRA does not rely on these quantitative results and the level of detail is adequate for DCA purposes because the applicant performed a sensitivity study that conservatively modeled all CCF basic events. The staff finds that excluding potential plugging of the reactor trip line from the ECCS model is acceptable because the resulting risk, using conservative assumptions for CCF basic events, is within the Commission's CDF and LRF goals.

The staff finds that the system models reflect the design and expected operation of the plant and are sufficiently detailed to identify appropriate risk insights for a DCA. Therefore, the staff finds the applicant's systems analysis acceptable for a DCA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.6 Human Reliability Analysis

DCA Part 2, Tier 2, Section 19.1.4.1.1.5 states that the HRA is based on the Accident Sequence Evaluation Program Human Reliability Analysis Procedure methodology for pre-initiator human actions and the SPAR-H methodology for post-initiator human actions. The staff reviewed the applicant's analysis to determine whether the identification and definition of human failure events are adequate, and the quantification of associated human error probabilities are appropriate for the intended uses of the PRA.

At the design stage, the emergency, abnormal, and system operating procedures, main control room (MCR) indications and layout, and other aspects of plant layout and equipment access are not established. Therefore, the HRA is based on general design and guidance documents and on a simplified approach to model pre-initiator and post-initiator operator actions. For this reason, considerable uncertainty exists in the HRA and the human error probability estimations.

Given the large uncertainty, the staff reviewed the HRA sensitivity analyses summarized in DCA Part 2, Tier 2, Tables 19.1-22, and 19.1-31, Sensitivity Studies for Level 2 Evaluation, to assess the impact of uncertainties in the HRA on risk estimates and to support the determination that the applicant's simplified approach is appropriate. The staff reviewed the results of a sensitivity study where all human error probabilities are set to failure (i.e., all PRA-modeled human actions have a failure probability of 1), and the resulting CDF and LRF increase by two orders of magnitude. Even with this conservative assumption, the resulting risk from the internal events PRA is within the Commission's CDF and LRF goals.

Based on the above evaluation, the staff finds the applicant's HRA acceptable for a DCA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.


19.1.4.4.7 Data Analysis

DCA Part 2, Tier 2, Section 19.1.4.1.1.5 discusses the data analysis performed to support the numerical data used in the PRA. The staff's review focused on ensuring that the applicant's parameter estimations are adequate for the intended uses of the PRA for a DCA.

Because the NuScale design has no operating history, much of the basic event data are based on PWR generic failure probabilities (e.g., NUREG/CR-6928, Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants, issued February 2007). For basic events in the NuScale design that are similar to basic events in PWRs, the staff finds that the applicant's use of generic data for components that are not unique to the NuScale design is appropriate for a DCA.

For some NuScale-unique components, such as the ECCS valves, the applicant calculated estimated failure rates and probabilities using a fault tree model with inputs based on a combination of generic data, licensee event reports, operating experience, and design-specific information. The staff finds that at the DC stage, with no operating history, confidence in these data is limited. Therefore, these failure rates and probabilities are considered assumptions to be confirmed during the COL stage if the PRA is to be used for other applications. Additionally, the staff relied on the results of sensitivity studies using conservative assumptions for component failure rates (i.e., conservative treatment of CCF), which demonstrated that the resulting risk from the internal events PRA is within the Commission's CDF and LRF goals.

Based on the above evaluation, the staff finds the applicant's data analysis acceptable for a DCA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.8 Quantification and Risk Insights

DCA Part 2, Tier 2, Section 19.1.4.1.1.7, Quantification, discusses the PRA quantification process using the Systems Analysis Programs for Hands-on Integrated Reliability Evaluations (SAPHIRE) code. The applicant's use of the code, described in DCA Part 2, Tier 2, Section 19.1.4.1.1.6, Software, is within its capabilities and limitations as presented in NUREG/CR-7039, Systems Analysis Programs for Hands-on Integrated Reliability Evaluations (SAPHIRE) Version 8, issued June 2011.

The staff reviewed the PRA quantification and finds that the applicant identified significant contributors to CDF, including initiating events, accident sequences, and basic events (equipment unavailability and human failure events).

The applicant reported a very low numerical value for the CDF. The reported CDF is based on existing information, which is limited by incomplete design and construction, undeveloped procedures, and a lack of operating experience. Additionally, parameter, model, and completeness uncertainties, including the reliability of the novel and risk-significant SSCs (e.g., the ECCS valves), are addressed via estimates that rely on assumptions. Because the uncertainty bands on the CDF reported by the applicant account for only parameter uncertainties, not model uncertainties, the staff finds that the uncertainty could be larger than indicated; however, even with greater uncertainty, the low CDF estimate reflects deliberate engineering and design effort to reduce or eliminate the contributors to CDF found in previous designs. This observation applies generally to the numerical results for the CDF and LRF for all hazard groups (e.g., the external events PRA for operations at power and LPSD).

COL Information Item 19.1-8 provides guidance to the COL applicant so that all key PRA assumptions identified in various tables in DCA Part 2, Tier 2, will be appropriately evaluated and dispositioned during the COL stage. Although the COL information item does not reference specific DCA Part 2, Tier 2, tables that contain the key assumptions, the key assumptions in the COL information item refer to those assumptions tabulated for each internal and external hazard and operating mode evaluated in the NuScale PRA. Therefore, the staff finds this COL information item applicable to DCA Part 2, Tier 2, Tables 19.1-21, 19.1-28, 19.1-40, 19.1-46, 19.1-54, 19.1-58, 19.1-61, and 19.1-71, and has reasonable assurance that the key assumptions, which are relied on to account for the incomplete design and operational details in the DCA PRA, will be appropriately evaluated and dispositioned during the COL stage to ensure that the PRA results and insights continue to remain valid. The staff's evaluation, as described throughout this chapter, verified that the key assumptions are appropriate for the level of information available in the DCA.

The staff reviewed the top core damage sequences from the Level 1 internal events PRA for operations at power for a single module. Approximately 73 percent of core damage scenarios result from incomplete ECCS actuation. The staff finds that the applicant appropriately identified the ECCS to be risk-significant as discussed below.

The staff reviewed the insights into the risk significance of SSCs and operator actions from the NuScale PRA. DCA Part 2, Tier 2, Table 19.1-19, Criteria for Risk Significance, provides the criteria for determining the risk significance based on the conditional core damage frequency and the overall percent contribution to the total risk (Fussell-Vesely importance). The NRC approved these criteria, as documented in NuScale Licensing Topical Report TR-0515-13952-NP-A, Revision 0, Risk Significance Determination, issued October 2016 (ADAMS Accession No. ML16284A016) for use in licensing applications for the NuScale small modular reactor design subject to the conditions and limitations delineated in Section A of the topical report. The staff confirmed that the applicant met the conditions and limitations because:

1. The TR is applicable to the NuScale generic design.
2. The applicant appropriately considered uncertainties, sensitivities, traditional engineering evaluations and regulations, defense-in-depth, and safety margin in addition to risk insights to determine risk significance for D-RAP as discussed in Section 17.4 of this report. Therefore, the staff found that the final determination of risk significance is based on a risk-informed approach.
3. The PRA, as evaluated in Section 19.1 of this report, is a technically adequate PRA that addresses internal and external hazards, and all operating modes; and considers the impact of other modules or shared SSCs. Also, as discussed in Section 19.1.4.9 of this report, staff determined that the applicant's approach for evaluating multi-module risk is acceptable for a DCA.
4. The core damage frequency is very low (i.e., approximately 1×10⁻⁷ per year or less).

Because the applicant met the conditions and limitations stipulated in the topical report, the staff finds the application of this methodology to the NuScale design acceptable for determining candidate risk-significant SSCs for the Level 1 internal events PRA (this section) for the Level 2 internal events PRA, Level 1 and 2 internal events LPSD PRAs, external events PRAs, and the multi-module risk evaluation (subsequent sections).

Based on the above evaluation, the staff finds the applicant's quantification and risk insights acceptable for a DCA because they are technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.
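The Fussell-Vesely importance, the conditional core damage frequency, and the two sensitivity cases described in this report (CCF basic events set to 0.002 and all human error probabilities set to 1) can be worked through on a small cut-set model. The Python example below is added here for illustration and is not part of the DCA or the staff's analysis; every event name, value, and cut set in it is constructed and is not a NuScale PRA value.

```python
"""Cut-set quantification with importance measures and sensitivity cases.

All event names, values and cut sets are constructed for illustration;
none of them is taken from the NuScale PRA.
"""
from math import prod

# name -> (category, value). Initiators are frequencies per year; all other
# entries are failure probabilities. Constructed sample data.
BASIC_EVENTS = {
    "IE-LOCA":   ("initiator", 1e-3),
    "IE-TRANS":  ("initiator", 1.0),
    "ECCS-CCF":  ("ccf",       1e-6),
    "DHRS-CCF":  ("ccf",       1e-5),
    "OP-INJECT": ("hep",       1e-2),
    "MPS-FAIL":  ("hardware",  1e-7),
}

# Minimal cut sets: one initiator plus the failures that together lead to
# core damage. Constructed sample data.
CUT_SETS = [
    ("IE-LOCA", "ECCS-CCF", "OP-INJECT"),
    ("IE-TRANS", "DHRS-CCF", "ECCS-CCF"),
    ("IE-TRANS", "MPS-FAIL", "OP-INJECT"),
]


def _values(overrides=None):
    """Return the event values with optional sensitivity overrides applied."""
    values = {name: value for name, (_, value) in BASIC_EVENTS.items()}
    for name, value in (overrides or {}).items():
        if name not in values:
            raise KeyError(f"unknown basic event: {name}")
        values[name] = value
    return values


def quantify(overrides=None):
    """CDF per year by the rare-event approximation (sum of cut-set products).

    With events forced to 1.0 the sum is still an upper bound on the
    frequency, which is what a bounding sensitivity case needs.
    """
    values = _values(overrides)
    return sum(prod(values[e] for e in cut_set) for cut_set in CUT_SETS)


def fussell_vesely(event):
    """Fraction of the baseline CDF carried by cut sets containing `event`."""
    values = _values()
    if event not in values:
        raise KeyError(f"unknown basic event: {event}")
    containing = sum(
        prod(values[e] for e in cut_set)
        for cut_set in CUT_SETS
        if event in cut_set
    )
    return containing / quantify()


def conditional_cdf(event):
    """CDF per year given that `event` has occurred (its value set to 1)."""
    return quantify({event: 1.0})


def category_sensitivity(category, value):
    """CDF per year with every event of one category set to `value`."""
    overrides = {
        name: value
        for name, (cat, _) in BASIC_EVENTS.items()
        if cat == category
    }
    return quantify(overrides)


if __name__ == "__main__":
    base = quantify()
    print(f"baseline CDF            {base:.3e} /yr")
    for name, (cat, _) in BASIC_EVENTS.items():
        if cat != "initiator":
            print(f"{name:10s} FV={fussell_vesely(name):.4f} "
                  f"CCDF={conditional_cdf(name):.3e} /yr")
    hep_case = category_sensitivity("hep", 1.0)
    ccf_case = category_sensitivity("ccf", 0.002)
    print(f"all HEPs = 1            {hep_case:.3e} /yr ({hep_case / base:.0f}x)")
    print(f"all CCFs = 0.002        {ccf_case:.3e} /yr ({ccf_case / base:.0f}x)")
```

In this constructed model the operator action dominates the Fussell-Vesely ranking while the CCF events dominate the bounding sensitivity case, which is why importance measures and sensitivity studies are read together.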

19.1.4.4.9 Conclusion

Based on the staff's review of the initiating events, success criteria, passive system safety reliability, accident sequence analysis, systems analysis, human reliability analysis, data analysis, and quantification and risk insights discussed above, the applicant's Level 1 internal events PRA for operations at power is acceptable for a DCA because it is consistent with SRP 19.0 and DC/COL-ISG-028.

Level 2 Internal Events Probabilistic Risk Assessment for Operations at Power

The staff evaluated DCA Part 2, Tier 2, Section 19.1.4.2, Level 2 Internal Events Probabilistic Risk Assessment for Operations at Power, for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.5.1 Methodology

The staff reviewed how core damage sequences are grouped into plant damage states and how the accident progression analyses evaluated the contributors to a large release. The staff focused on the evaluation of the containment structural capability for those containment challenges that would result in a large release. The applicant did not combine Level 1 core damage sequences into plant damage states (such as Level 2 PRAs performed for evolutionary and operating light-water reactors (LWRs)). Instead, because the Level 1 PRA has only a few end states, the end states were directly transferred to a single containment event tree (CET).

The CET characterizes the effect of each sequence for the potential for a radionuclide release. Only two CET end states are used to model radionuclide release. The end state NR is associated with a release that may be attributed to leakage from the boundary of an isolated containment. The end state LR is associated with a release from an unisolated containment. Each of these end states is assigned to a release category to represent the radionuclide source term. The staff finds the applicant's methodology acceptable for a DCA because it is technically adequate and consistent with the guidance in SRP Section 19.0 and DC/COL-ISG-028.


19.1.4.5.2 Severe Accident Process and Phenomena

The applicant evaluated severe accident phenomena referenced in ASME/ANS RA-Sa-2009, SRP Section 19.0, NUREG/CR-2300, PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, issued January 1983, and NUREG/CR-6595, Revision 1, An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events, issued October 2004, for its applicability to the NuScale design. The applicant concluded that, except for a severe accident-induced SGTF (discussed in Section 19.2 of this report), the severe accident phenomena that may challenge containment in operating plants are shown by analysis in DCA Part 2, Tier 2, Section 19.2, to not challenge containment integrity. DCA Part 2, Tier 2, Section 19.1, further states that even if the CNV were postulated to fail, there would not be a large release to the environment. As discussed in Section 19.2 of this report, containment failure because of bypass or CIV failure are the only modes of containment failure that need to be evaluated in the CET.

Regarding initial CNV vacuum, staff reviewed the potential for increased oxygen in the CNV and its impact on hydrogen detonation and deflagration following a core damage event with cladding oxidation. DCA Part 2, Tier 2, Section 19.2.3.3.2, Hydrogen Generation and Control, states that a near vacuum is maintained in the CNV during normal operation by the CES and the nominal pressure for normal operation is 0.1 psia, as listed in DCA Part 2, Tier 2, Table 7.1-2, Variables Monitored by Module Protection System. For the PRA analyses, DCA Part 2, Tier 2, Sections 19.1.4.1 and 19.2.3.2, Severe Accident Progression, assume an initial containment pressure of 1 psia, except for the hydrogen generation analysis of core damage with cladding oxidation. The hydrogen generation analysis, described in DCA Part 2, Tier 2, Section 19.2.3.3.2, uses an initial containment pressure of 9.5 psia to maximize O2 content when evaluating the potential for hydrogen deflagration and detonation. In Section 6.2.5 of this report, the staff concludes that even if detonation conditions occur during the first 72 hours of an event, the containment can withstand the resultant pressure pulse and maintain integrity. In a letter dated November 27, 2017 (ADAMS Accession No. ML17332A127), the applicant stated that the containment pressure must be less than 3 psia for acceptable leak rate detection as required by the technical specification (TS). Since containment pressure will be monitored for TS compliance, initial containment pressures will be less than 9.5 psia. Thus, the staff finds the applicant's screening of hydrogen deflagration and detonation from the CET acceptable.

The staff also reviewed the possibility of continuous CVCS operation overpressurizing the RCS and the CNV. In a letter dated November 27, 2017 (ADAMS Accession No. ML17332A127), the applicant described their evaluation, which concluded that operators would have hours to terminate CVCS injection before filling the module with water. The timeframe is based on conservatively accounting for only the volume of the RCS and assuming the maximum flow rate of both CVCS pumps, as indicated in DCA Part 2, Tier 2, Tables 5.1-1, Reactor Coolant System Volumes, and 9.3.4-1, Chemical and Volume Control System/Module Heatup System Major Equipment with Design Data and Parameters, respectively. A high CNV water level alarm is provided to operators as indicated in DCA Part 2, Tier 2, Table 6.3-1, Emergency Core Cooling System Alarms and Actuation. If operators do not isolate the CVCS, the CVCS CIVs will automatically isolate on a high pressurizer level actuation signal, as indicated in DCA Part 2, Tier 2, Table 7.1-4, Engineered Safety Feature Actuation System Functions. Based on the above, the staff finds the applicant's decision to screen this event from the CET acceptable.

The staff finds the applicant's CET acceptable for a DCA because it is sufficiently complete, technically adequate, and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.5.3 Success Criteria

The applicant stated that the Level 2 PRA is bounding in that it does not credit mitigating systems or capabilities that are relevant only to a radionuclide release (e.g., an RXB filtration system or a spray system). The staff agrees that not crediting a spray system or an RXB filtration system is a bounding assumption.

19.1.4.5.4 Containment Event Tree Analysis

The CET includes fault trees for the following:

  • CES containment isolation fails and results in bypass.
  • CVCS containment isolation fails and results in bypass.
  • SGTF and containment are bypassed.

DCA Part 2, Tier 2, Table 19.1-24, Containment Penetrations, summarizes containment penetrations, the isolation methods, and their treatment in the PRA. Containment penetrations are grouped into three types: (1) piping connections, (2) bolted flange inspection ports, including electrical penetration assemblies, and (3) ECCS trip and reset pilot valve penetrations. The staff audited the fault trees for CES and CVCS isolation functions for completeness and to review the basic event quantification. The staff finds the fault trees to be reasonable to gain risk insights. As detailed in DCA Part 2, Tier 2, Section 6.2.6, Containment Leakage Testing, the CIVs on CNV piping penetrations, and the passive containment isolation barriers are designed to permit periodic leakage testing. The CIVs are also designed to ensure that the leakage through the CNTS and components does not exceed the allowable leakage rate specified in the TS. Therefore, the staff finds the applicant's approach for the screening of containment penetrations for evaluation in the CET acceptable for a DCA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.5.5 Large Release Frequency

The staff reviewed the applicant's approach, as described in DCA Part 2, Tier 2, Section 19.1.4.2.1, Description of the Level 2 Probabilistic Risk Assessment for Operations at Power, for determining that the Commission's LRF goal is met.

The applicant used an LRF goal of 1×10⁻⁶ large releases per year to demonstrate that the prompt fatality quantitative health objective (QHO) of 5×10⁻⁷ probability of prompt death per year is met. The applicant defined a large release as one causing a 200 rem whole body dose at the site boundary over 96 hours. The staff considers the applicant's definition of a large release to be acceptable. The staff notes that the risk of prompt fatality given a large release as defined by the applicant is low. Therefore, the applicant's large release definition together with the LRF goal of 1×10⁻⁶ large releases per year, provides reasonable assurance that the Commission's QHO of 5×10⁻⁷ probability of individual prompt death per year is met. Therefore, the large release definition used by NuScale is consistent with the objectives of the Commission Safety Goal Policy Statement.

For at-power accidents, the applicant used the MELCOR Accident Consequence Code System (MACCS) to show that intact containment scenarios assuming TS leakage of 0.2 percent per day would not result in a large release. The TS leakage is based on leak rate testing conducted with air. During a severe accident, the containment atmosphere would be mostly hydrogen. Because hydrogen has a lower molecular weight than air, the actual leak rate during a severe accident could be higher. Staff independent MELCOR confirmatory analysis for an in-containment LOCA predicted a leak rate of up to 0.7 percent per day. However, this higher leak rate does not impact the applicant meeting the LRF goal, because the applicant's analysis includes large margins as discussed below. The staff's independent MELCOR confirmatory analysis is documented in RES/FSCB 2019-01, Independent MELCOR Confirmatory Analysis for NuScale Small Modular Reactor, dated April 2019 (ADAMS Accession No. ML19205A016).

Scenarios with containment bypass or isolation failure were assumed to result in a large release. For module drop accidents, the applicant used MACCS to show that failed containment scenarios would not result in a large release. The applicant used its large release definition conservatively by comparing the highest predicted dose for any azimuthal location along the site boundary against the 200-rem definition. The prompt fatality QHO involves (1) azimuthal averaging over the entire 360 degrees surrounding the site and (2) radial averaging over a 1-mile zone starting at the site boundary.

The applicant's analysis assumed the release traveled from the site center to the site boundary, which is 269 meters. Because the MACCS code manual (NUREG/CR-6613, Code Manual for MACCS2, Volume 1, issued May 1998) cautions against use of the code for distances less than 500 meters, the applicant compared its MACCS dispersion factor predictions with ARCON results (NUREG/CR-6331, Revision 1, Atmospheric Relative Concentrations in Building Wakes, issued May 1997) to show that the mean dispersion calculated by MACCS was bounded by the mean dispersion calculated by ARCON for distances of 269 meters or more. The staff finds this approach acceptable because ARCON is valid at these distances.

The applicant's analysis assumed the plume's initial dimensions were those of the short face of the reactor building to calculate the mean dose (over the weather trials) at a distance of 269 meters. The applicant's atmospheric dispersion modeling approach approximates the plant geometry because part of the path from the release point to the site boundary is through the reactor building and the distance from the short side of the reactor building to the site boundary is 216 meters (as opposed to 269 meters). The staff finds the approximation acceptable because the applicant's analysis includes large margins. For example, for at-power accidents without containment bypass, the staff estimates that the applicant's assumption of no iodine deposition in containment results in a factor-of-100 margin. Other conservative applicant assumptions for at-power accidents without containment bypass include 100 percent of the iodine core inventory being instantaneously released to containment, the release occurring at the top of the module so that there is no reactor pool scrubbing, and no reactor building filtration or spray.

Section 19.2 of this report documents the staff's review of the containment performance goals.

19.1.4.5.6 Quantification and Risk Insights

The applicant performed an importance analysis for basic events and operator failures and reported the results in DCA Part 2, Tier 2, Table 19.1-27, Listing of Candidate Risk Significant Structures, Systems, and Components (Full Power, Single Module) Level 2 Probabilistic Risk Assessment.

The staff reviewed the applicant's credit for CFDS manual pumped injection given an interlock, shown in DCA Part 2, Tier 2, Table 7.1-5, Module Protection System Interlocks/Permissives/Overrides. This interlock needs to be defeated to credit the CFDS in a beyond design basis event. DCA Part 2, Tier 2, Table 19.1-14, Modeled Human Actions (Post-Initiator), includes footnote 5 to clarify the override of containment isolation for aligning the CFDS and CVCS. Defeating this interlock was evaluated in the operator failure probability. The staff found the applicant's human error assessment and documentation in the DCA sufficient for DC application.

The applicant's importance analysis and determination of candidate risk-significant SSCs and operator actions is acceptable because it uses an acceptable methodology, as discussed in Section 19.1.4.4.8 of this report and is consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.5.7 Conclusion

The staff finds the applicant's Level 2 PRA analyses for internal events to be adequate for demonstrating that the Commission's LRF goal is met and for the purpose of identifying risk insights. The Commission's containment performance goal is discussed in Section 19.2 of this report.

Level 1 Internal Events Probabilistic Risk Assessment for Low Power-Shutdown Operations

The staff evaluated the internal events PRA for LPSD operations as described in DCA Part 2, Tier 2, Section 19.1.6. The staff reviewed the applicant's LPSD PRA for consistency with SRP Section 19.0, DC/COL-ISG-028, and ANS/ASME-58.22-2014, Low Power and Shutdown PRA Methodology, which has been issued for trial use. Although the NRC has not endorsed ANS/ASME-58.22-2014, the staff finds the applicant's use of this standard to be reasonable because it is considered the state-of-the-art method available in the industry. The staff reviewed the acceptability of the NuScale LPSD PRA to ensure an appropriate level of confidence in the results and risk insights and that the modeling was adequate to support an evaluation against the Commission's CDF and LRF.


19.1.4.6.1 Plant Operating State Analysis

DCA Part 2, Tier 2, Section 19.1.6.1, Description of the Low Power and Shutdown Operations Probabilistic Risk Assessment, and DCA Part 2, Tier 2, Table 19.1-65, Plant Operating States for Low Power and Shutdown Probabilistic Risk Assessment, summarize the NuScale refueling process and the plant operating states (POSs) development. POSs define the time intervals within the refueling process, during which the plant conditions are assumed constant in the ways they impact risk. Based on the design and the anticipated refueling process, the applicant identified the seven POSs as summarized in Table 19.1-4 of this report.

The staff reviewed how the unique aspects of the NuScale design and its refueling approach are reflected in the identified POSs. One such unique design feature is the reliance on passive DHR for most of the refueling evolution. By ensuring passive DHR, the design eliminated dependency on active support systems typically relied on by large LWRs. Another notable design feature is that NuScale precludes midloop operation or reduction of primary coolant inventory while fuel is present in the RPV to support steam generator inspection. Therefore, consistent with the design, a POS is not identified for reduced inventory operations.

The decay heat during POSs 2, 3, 4, and 5 is removed passively either through the flooded CNV to the UHS or directly to the UHS. POSs 3 and 5, respectively, account for the transportation of the reactor module while it contains the reactor core from the operating bay to the refueling area and back to the operating bay.

During POS 1, POS 6, and POS 7, the configuration of the module is similar to normal operation, and initiating events considered for full power are applicable to LPSD. The staff reviewed the systems assumed to be available during each POS. POSs 1 and 6 correspond to TS Mode 2 or 3 (i.e., hot shutdown or safe shutdown), and POS 7 corresponds to TS Mode 1 (i.e., operations). For POS 7, systems credited in the full power PRA are nominally available, with the only difference in configuration being that the turbine is bypassed. In POSs 1 and 6, systems assumed to be available during at-power conditions (e.g., the DHRS, ECCS, CNTS, CVCS, and CFDS) are also assumed to be available. POS 2 through POS 5 correspond to TS Modes 4 and 5 and span the period with passive cooling either through the flooded CNV to the UHS or directly to the UHS. Therefore, the DHRS, ECCS, CNTS, CVCS, and CFDS are not required to maintain a safe and stable state for POS 2 through POS 5.

Table 19.1-4 Identification of Plant Operating States

| POS | Description | RCS Condition | Decay Heat Removal Path (available systems) | Key Activities | Duration (hours) |
|---|---|---|---|---|---|
| 1 | Shutdown and initial cooling | P ~1,850 to ~200 psia; T >420 to ~350 °F | Secondary cooling (DHRS, ECCS, CVCS, CFDS) | Control rods inserted, turbine tripped, CNV flood begins | 14 |
| 2 | Cooling through containment | P ~200 to ~24 psia; T ~350 to ~200 °F | Passive cooling through flooded CNV | CNV flood complete, CVCS removed from service, CIVs closed, ECCS valves opened, spool pieces removed, module lifted by RBC | 33 |
| 3 | Transport and disassembly | P ~24 psia to pool pres.; T ~200 °F to pool temp. | Passive cooling through flooded CNV, passive cooling - lower CNV detached, passive cooling - upper module detached | Module moved to vessel flange tools, CNV disassembly, RPV disassembly, upper vessels moved into dry dock | 23 |
| 4 | Refueling and Maintenance | Pool pres. and temp. | Passive cooling - upper module detached | Fuel moves, steam generator inspection, upper vessels moved out of dry dock | 75 |
| 5 | Reassembly, transport, and re-connection | P ~ pool pres. to 150 psia; T ~ pool temp | Passive cooling - upper module detached, passive cooling - lower CNV detached, passive cooling through flooded CNV | RPV assembly, CNV assembly, module moved to operating bay, spool pieces installed, ECCS valves closed, CIVs opened, CVCS placed in service | 74 |
| 6 | Heatup | P ~150 to 1,850 psia; T ~ pool temp to > 420 °F | Secondary cooling (DHRS, ECCS, CVCS, CFDS) | CNV drain completed, secondary coolant aligned | 13 |
| 7 | Low-power operation | P ~1,850 psia; T > 420 °F | Secondary cooling (DHRS, ECCS, CVCS, CFDS) | Control rods withdrawn to criticality, turbine synchronized with grid | 13 |
| Total | | | | | 245 |

The POS analysis is based on the nominal refueling procedure because there is no refueling operating experience. Because an as-built, as-operated plant is not available, there are potential uncertainties that were not accounted for in the POS analysis. However, the staff finds that the applicant identified and defined a sufficient set of POSs to support the identification of risk-significant accident scenarios for DCA purposes.

19.1.4.6.2 Initiating Event Analysis

DCA Part 2, Tier 2, Section 19.1.6.1.2, Low Power and Shutdown Initiating Events, describes the LPSD internal initiating events analysis. The applicant first determined which at-power initiating events are applicable during each POS. The applicant then reviewed the operating experience database (EPRI TR-1021167, An Analysis of Loss of Decay Heat Removal and Loss of Inventory Event Trends (1990-2009)) for events that have occurred during LPSD evolutions that may apply to the NuScale design. Finally, the applicant evaluated potential NuScale design-specific initiating events.

DCA Part 2, Tier 2, Table 19.1-66, Low Power and Shutdown Initiating Event, summarizes the applicability of at-power initiating events to the seven POSs. The applicant assumed that all 11 at-power initiating events are applicable during POSs 1, 6, and 7. Because the configuration of the reactor module and the available systems during these POSs are essentially the same as those during at-power conditions, this is a reasonable assumption. The applicant assumed that once the CNV is flooded and passive cooling is in place (i.e., POS 2 through POS 5), most of the at-power initiating events can be screened out. The applicant retained the CVCS charging-line break outside containment and the CVCS letdown-line break outside containment for POS 2 and POS 5 as the CVCS lines are unisolated and part of the RCS boundary for some portions of these POSs.

As for the at-power initiating events that were screened out for POS 2 through POS 5, the staff considered the decay heat level and the availability of passive cooling through the flooded CNV.

By the time the plant enters POS 2 around 14 hours after shutdown, the decay heat is likely less than a few megawatts. Indefinite stable cooling can be achieved without safety system actuations for these POSs as adequate DHR and water inventory are maintained. Since at-power initiating events, with the exception of CVCS line breaks outside containment, are unlikely to challenge passive cooling, the staff finds it acceptable that they are screened out of POS 2 through POS 5.

19.1.4.6.3 Reactor Building Crane Failure Resulting in Postulated Module Drop

Module drop events dominate the NuScale CDF as shown in DCA Part 2, Tier 2, Table 19.1-80, Summary of Results. Therefore, the staff audited ER-P050-3815, Revision 1, The Probabilistic Risk Assessment Notebook for the Reactor Building Crane (RBC), to understand the basis for the module drop probability in relation to (1) DCA Part 2, Tier 2, Table 9.1.5-1, Heavy Load Handling Equipment Design Data, which documents the maximum traverse speed, maximum hoist speed, and maximum lift height for the RBC and (2) DCA Part 2, Tier 2, Section 9.1.5.5, Instrumentation and Control, which discusses the RBC control system devices, including hoist overtravel, hoist load limits, hoist overspeed, hoist drum rope mis-spooling, bridge and trolley overtravel limits, and the restricted handling path. Limit switches provide protection for overtravel, overspeed, overload, and unbalanced load and proper spooling of the hoisting ropes onto the hoist drums. DCA Part 2, Tier 2, states that the RBC is designed to meet single-failure-proof requirements in accordance with NUREG-0554 and supplemented by ASME NOG-1, which is consistent with heavy load cranes for operating plants.

In DCA Part 2, Tier 2, Table 19.1-71, Key Assumptions for the Low Power and Shutdown Probabilistic Risk Assessment, the applicant documented that "Administrative controls will ensure that RBC safety features (e.g., limit switches, interlocks to prevent undesired movement) are functional during module movement."

In the RBC PRA, the event trees include the top events for mitigating features to detect an abnormal condition (e.g., overspeed, overtravel, misreeving) and to provide safety stops for the bridge, trolley, or hoist. The calculated drop probability is dominated by operator errors of commission (over speed, over raise, over travel, etc.) and failure of instrumentation (interlocks/limit switches). DCA Table 19.1-71: Key Assumptions for the Low Power and Shutdown Probabilistic Risk Assessment documents that movement of the RBC is modeled as being operator controlled in the PRA. As discussed in SER Section 18.1.4.1.4, the design of the RBC Human System Interface is not complete at this time. The staff understands that the design will conform to HFE standards in the Style Guide to the extent possible because HFE guidelines will be included in the purchase specifications. The Human Factors Engineering Design Implementation Plan, Revision 4 (Report RP-0914-8544) describes a risk-informed process for screening and resolving issues that are related to the human factors process, which have not already been resolved during the design certification process. Section 1.2 indicates that the RBC is within the scope for this process. The validity of the crane assumptions in DCA Table 19.1-71 and crane data supporting the PRA will be confirmed by the COL applicant per COL item 19.1-8.

The staff found that NuScale's drop probability per lift (1E-7 per lift) is lower than estimated in EPRI Report 1009691, Probabilistic Risk Assessment of Bolted Storage Casks, (5E-6/lift) and lower than very heavy load drops greater than 30 tons (5E-5/demand) estimated in NUREG-1774, A Survey of Crane Operating Experience at U.S. Nuclear Power Plants from 1968 through 2002, issued July 2003. Rigging failures, not crane failures, contribute to the NUREG-1774 heavy load drop estimate. The design-specific module lift adapter (MLA) for all nuclear power module movement eliminates unique rigging configurations. The risk significance of the RBC resulted in additional ITAAC requirements for rated load test of the NPM lifting fixtures and the MLA and for inspection of the as-built NPM lifting fixtures and the as-built MLA, which are discussed in Section 14.3 of this report. The RBC, MLA, and the NPM lifting fixture are categorized as B1 (i.e., nonsafety-related and risk-significant) in DCA Table 3.2-1: Classification of Structures, Systems, and Components and DCA Table 17.4-1: D-RAP SSC Functions, Categorization, and Categorization Basis. As stated in DCA Table 3.2-1, the RBC and the NPM lifting fixture are seismic category 1.

Use of the NuScale module drop probability or the EPRI drop probability yields a module drop core damage frequency that is within the Commission Goals for new reactors. The staff finds that the reactor building crane risk assessment is acceptable for identifying risk insights and input to operational programs, consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.6.4 Success Criteria, Accident Sequences, and Systems Analyses

The staff reviewed the applicant's success criteria analysis supporting the LPSD PRA. For the at-power accident sequences that are applicable to LPSD conditions, the applicant assumed that the success criteria developed for at-power conditions are also applicable. These include the sequences resulting from the 11 at-power initiating events for POSs 1, 6, and 7, and the two CVCS line breaks outside containment for POSs 2 and 5. For these cases, the assumed availability of systems is the same for the LPSD conditions as that assumed for at-power conditions. The decay heat levels for all POSs will be lower than those at power because the module will be in shutdown or operating at lower power at the time of the initiating event. Therefore, the use of at-power success criteria and the assumed availability of systems for the LPSD scenarios are acceptable.

For POSs 3 and 5, module drop events are explicitly modeled. The applicant assumed that core damage occurs if a dropped module results in a horizontal configuration as the result of inadequate coolant inventory to keep the fuel covered. The staff finds that this approach is appropriate given the uncertainty in the calculation of fuel heatup in this configuration.

DCA Part 2, Tier 2, Section 19.1.6.1.3, Low Power and Shutdown Accident Sequence Determination, describes the accident sequence analysis for LPSD conditions. The applicant assumed for POSs 1, 6, and 7, where at-power initiating events are assumed to apply, that the at-power event trees are also applicable. The staff finds this acceptable as the at-power success criteria and assumed availability of systems for the LPSD scenarios are acceptable as described above.

The staff reviewed the systems analysis supporting the LPSD PRA. Where the systems are credited to respond to initiating events, the LPSD PRA uses the system fault trees from the at-power PRA. Because the at-power success criteria, assumed availability of systems, accident sequence determination, and system fault trees are used for the LPSD PRA, the staff finds the systems analysis for LPSD acceptable for a DCA because it is technically adequate and consistent with SRP 19.0.

19.1.4.6.5 Human Reliability Analysis

The staff reviewed the potential operator actions that may be important during LPSD conditions. As discussed in Section 19.1.4.6.1, Plant Operating State Analysis, the module configuration during POS 1, POS 6, and POS 7 is similar to at-power conditions in terms of the available systems (e.g., DHRS, ECCS, CVCS, CFDS) and expected module response to initiating events. Therefore, the staff finds the HRA performed for at-power conditions remains applicable for these LPSD POSs. Core cooling and decay heat removal during POSs 2 and 4 are accomplished passively either through the flooded CNV to the UHS or directly to the UHS. With passive core cooling and heat removal in place, the staff finds that additional HRA is not necessary for these POSs.

POSs 3 and 5 account for the transportation of the reactor module between the operating bay and the refueling area while containing the reactor core. As described in Section 19.1.4.6.3 of this report, the staff audited the RBC PRA, which estimates the module drop probability during POSs 3 and 5. The calculated drop probability is dominated by operator errors of commission (over speed, over raise, over travel, etc.) and failure of instrumentation (interlocks/limit switches). In letters dated February 5, 2018, and June 14, 2018 (ML18036B203 and ML18165A431, respectively), the applicant stated that operator errors of commission were included in the RBC reliability assessment for completeness because historical operating experience for cranes has shown human error to be a significant cause of load drops. In these letters, the applicant stated that the RBC design is not finalized. The information detailing the refueling and RBC operations will be provided by procedures and training (COL Item 9.1-7).

19.1.4.6.6 Data Analysis

The staff reviewed the data used to support the LPSD PRA. The applicant adjusted the initiating event frequencies to account for the duration of each POS. For the component failure probabilities, the applicant assumed that the data analysis performed for the at-power PRA is applicable. Section 19.1.4.6.3 of this report discusses the failure probability assigned to the RBC for POSs with the potential for module drop accidents. Because no additional systems and components are included in the LPSD analysis, and the at-power initiating event analysis, success criteria, accident sequences, and systems analysis are used for the LPSD PRA, the staff finds that applying the at-power PRA data, discussed in Section 19.1.4.4.7 of this report, to the LPSD PRA is reasonable.

19.1.4.6.7 Quantification and Risk Insights

The staff reviewed the LPSD PRA quantification described in DCA Part 2, Tier 2, Section 19.1.6.1.6, Low Power and Shutdown Quantification. Consistent with the at-power PRA, the applicant performed the PRA quantification using the SAPHIRE code. The applicant identified the significant contributors to CDF, such as initiating events, accident sequences, and basic events. The staff finds that the quantification process used an appropriate truncation that demonstrated acceptable convergence of the CDF. The applicant reported a very low numerical value for the CDF based on the LPSD PRA. As discussed in more detail in Section 19.1.4.4.8 of this report, the staff finds that the uncertainty in the CDF could be larger than indicated at this DC stage; however, even with greater uncertainty, there is margin to the Commission's CDF and LRF goals.

The LPSD PRA results show that the CDF risk associated with module drop events dominates the risk for the NuScale design. The staff notes that one of the key sources of uncertainty for the CDF risk associated with module drop accidents is related to the operator error of commission. The DC PRA results and insights rely on key assumptions to account for the incomplete design and operational details. DCA Part 2, Tier 2, Table 19.1-71, lists the key assumptions for the LPSD PRA. These key assumptions in the DC PRA need to be appropriately evaluated and dispositioned during the COL stage to ensure that the PRA results and insights remain valid. As discussed in Section 19.1.4.4.8 of this report, the applicant identified COL Information Item 19.1-8, to be addressed at a COLA review stage.

Aside from the module drop sequences, the top LPSD core damage sequences are as follows:

  • spurious opening of an ECCS valve with incomplete ECCS actuation
  • loss of dc power with incomplete ECCS actuation
  • RCS LOCAs inside containment and incomplete ECCS actuation

The above sequences occur during POSs 1, 6, or 7 when the module configuration is similar to at-power conditions. The importance of a spurious opening of an ECCS valve initiating event increases because the IAB is not designed to prevent this event at lower RCS pressures.

As documented in DCA Part 2, Tier 2, Table 19.1-70, Listing of Candidate Risk Significant Structures, Systems, and Components (Single Module): Low Power and Shutdown Probabilistic Risk Assessment, two operator actions were found to be candidates for risk significance: the operator failing to un-isolate containment and initiate CFDS injection and the operator failing to un-isolate containment and initiate CVCS injection.

The staff finds that the quantification and the identification of risk insights are consistent with SRP Section 19.0.

19.1.4.6.8 Conclusion

The at-power initiating events, success criteria, accident sequences, accident analysis, human reliability analysis, data analysis, and quantification methods were used as applicable to evaluate low power and shutdown conditions for POSs 1, 2, 5, 6, and 7 consistent with SRP 19.0. The staff found the RBC PRA, which evaluates the module drop probability during module movement in POSs 3 and 5, to be technically adequate for design certification. The applicant's low power and shutdown risk results are within the Commission's CDF and LRF goals. Thus, the staff finds the Level 1 internal events PRA for LPSD operations acceptable for design certification.

Level 2 Internal Events Probabilistic Risk Assessment for Low-Power Shutdown Operations

The staff evaluated DCA Part 2, Tier 2, Section 19.1.6, Safety Insights from the Probabilistic Risk Assessment for Other Modes of Operation, for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.7.1 Methodology

The staff evaluated the definitions of LPSD POSs and the end states from the Level 1 analysis. The staff then reviewed how the contributors to a large release were evaluated in the accident progression analyses. The LPSD Level 2 analysis was performed for each POS and then for each LPSD initiating event. Table 19.1-4 of this report identifies the POSs.

For POSs 1, 6, and 7, the module configuration is similar to normal operation and was modeled similarly to full-power operation. No credit was taken for heat transfer through containment during containment flooding in POS 1 and draining in POS 6. Section 19.1.4.5 of this report presents more detail on the Level 2 PRA modeling for operations at-power. The staff finds this simplifying assumption reasonable because it is conservative.

The staff's review of the Level 2 LPSD PRA focused on POSs 3 and 5, which include module transport. Three types of module drop accidents, which could result from a failure of the RBC or MLA, were evaluated.

The first type of module drop accident involves dropping a fully assembled module with the CNV intact. The module is in this configuration when transported between the operating bay and the containment flange tool (CFT). In a fully assembled module, the CNV is intact, flooded, pressurized with a fill gas, and the RVVs and RRVs are open. Should the module fall in a horizontal position, the coolant inventory in the CNV would not be sufficient to cover the fuel due to the fill gas, and core damage is assumed to occur.

The applicant used MELCOR and MACCS to evaluate the radiological consequences of dropping a fully assembled module for a range of scenarios. The maximum calculated dose at the site boundary was 0.576 rem. The applicant compared this dose (0.576 rem) to its large release definition of 200 rem to conclude that module drop accidents do not result in a large release and to show that the LRF is less than 1×10⁻⁶ per year. The margin for this analysis is a factor of 347 (200/0.576).

The MELCOR analysis assumed nitrogen as the fill gas. Because DCA Part 2 does not specify the fill gas, the applicant also performed a sensitivity analysis with MELCOR assuming air as the fill gas, as discussed in a letter dated May 21, 2018 (ADAMS Accession No. ML18141A882). The applicant's sensitivity analysis assumed ignition occurred in the fuel region when the hydrogen concentration reached 7 percent, because of the presence of overheating fuel, and assumed ignition occurred in other regions when the hydrogen concentration reached 10 percent. The sensitivity analysis showed that hydrogen combustion was limited because of the limited oxygen in the module. The sensitivity analysis also showed that much of the hydrogen burned in the fuel region as it was generated, limiting the magnitude of the pressure rise from hydrogen combustion. The applicant noted that any increased ruthenium releases from the fuel associated with air conditions are unlikely to be significant because of aerosol deposition in the module and scrubbing in the reactor pool. The staff finds the applicant's sensitivity analysis acceptable for demonstrating that using air as a fill gas would not result in significantly different severe accident progression and source term for estimating LRF.

Although the staff determined that the use of nitrogen fill gas was nonconservative, based on the small change in results when air was used as a fill gas and the significant margin available, the staff determined that the applicant's analysis was acceptable.

The applicant assumed reactor pool scrubbing factors of 500 for iodine and of infinity for other radionuclides based on assumptions for fuel handling accidents in RG 1.183, Alternative Radiological Source Terms for Evaluating Design Basis Accidents at Nuclear Power Reactors, which treats iodine releases from fuel as vapor. The applicant evaluated aerosol scrubbing factors for the reactor pool to show that its use of a factor of 500 for iodine was conservative. In addition, the applicant applied a range of scrubbing factors (down to a scrubbing factor of 1) to other radionuclides released from the containment to show that these additional releases did not affect the conclusion that releases from module drop accidents are not classified as large releases. Based on the range of factors considered, the staff finds the applicant's approach acceptable.

The second type of module drop accident involves dropping a partially assembled module when moving it from the CFT to the RFT. If this were to occur, pool water would flow in through the open RVVs and RRVs to keep the fuel covered and prevent core damage. Thus, the LPSD PRA does not further evaluate the drop of a partially assembled module.

The third type of module drop accident includes the possibility of dropping the upper portions of the RPV and CNV as they are moved to or from the dry dock area onto the fuel in the lower RPV, which remains in the RFT. This type of module drop accident is not included as a potential contributor to CDF because while it may cause mechanical fuel damage, it does not result in inadequate heat removal.

The applicant performed an analysis with MELCOR and MACCS to show that dropping the upper portion of the reactor pressure vessel and containment onto the core while refueling would not result in a large release. The analysis assumed the module is lying horizontally on the pool floor, the gap activity is released from all 37 assemblies, and the containment has a hole in it. The assumed containment hole size resulted in the gap activity being released from the containment to the reactor pool over 72 hours. The applicant then applied the pool scrubbing factors from RG 1.183 for fuel-handling accidents to predict a dose at the site boundary of 0.1 rem. The applicant concluded that dropping the upper portion of the reactor pressure vessel and containment onto the core would not result in a large release because the predicted dose of 0.1 rem is well below the large release definition of 200 rem.

In the actual plant configuration, the upper portion of the reactor pressure vessel and containment would be removed. The actual configuration eliminates the potential for holdup in the reactor pressure vessel and containment, making the release period shorter than 72 hours. Also, the applicant's analysis does not model the presence of the reactor building, which would make the release period longer. To assess the sensitivity of the applicant's conclusion to the release duration, the staff multiplied the applicant's exclusion area boundary dose consequences for a design-basis fuel-handling accident (as reported in DCA Part 2, Tier 2, Table 15.0-12, Radiological Dose Consequences for Design Basis Analyses) by the number of assemblies in the core to estimate a dose of 20 rem (0.55 rem per assembly × 37 assemblies). The fuel-handling accident analysis is more conservative than the applicant's analysis because it assumes an instantaneous release from the fuel to the environment and a 2-hour dispersion factor. Even with the more conservative timing assumptions of the design-basis fuel-handling accident, the predicted dose is below 200 rem. Therefore, dropping the upper portion of the reactor pressure vessel and containment onto the core is not expected to result in a large release.

19.1.4.7.2 Quantification and Results

The staff reviewed key operating assumptions and details on module movement to determine the adequacy of the risk insights obtained from the dropped module consequence analysis. Specifically, the staff reviewed the risk insights and assumptions documented in DCA Part 2, Tier 2, Table 19.1-71 and Section 19.1.7.4, Insights Regarding Low Power and Shutdown for Multi-Module Operation, relevant to module movement and potential impacts of module drop.

Additionally, in a letter dated May 21, 2018 (ADAMS Accession No. ML18141A883), the applicant stated that the CNV is pressurized during module transport. The intent of pressurizing the CNV is to limit the exchange of water when the CNV flange is opened. The pressurization is set such that an inflow of water that could submerge components near the top of the CNV is prevented by the presence of the gas bubble; and an outflow of water that could lower the water level enough to release noncondensable gases into the refueling pool does not occur. The staff finds that the list of insights regarding multi-module operation is reasonable.

The staff finds that the applicant's calculated LRF caused by internal events for a module during LPSD conditions is significantly below the Commission's LRF goal of 1×10⁻⁶ per year. Similar to the LRF at full power, the significant LRF sequences involve an un-isolated CVCS pipe break outside containment in POSs 1, 6, or 7, followed by failures that prevent the CVCS or CFDS from injecting coolant into the CNV. The staff finds the applicant's Level 2 LPSD PRA analyses to be adequate for the purposes of demonstrating that the Commission's LRF goal is met and identifying risk insights for a DCA.

19.1.4.7.3 Conclusion

The staff finds that the applicant's Level 2 Internal Events PRA for LPSD, risk insights, and results are consistent with relevant portions of SRP Section 19.0 and RG 1.200.

External Events Probabilistic Risk Assessment for Operations at Power and Low-Power Shutdown

DCA Part 2, Tier 2, Sections 19.1.5, Safety Insights from the External Events Probabilistic Risk Assessment for Operations at Power, and 19.1.6, Safety Insights from the Probabilistic Risk Assessment for Other Modes of Operation, describe the external events PRA for operations at power and LPSD. The external event hazards that may affect the NuScale risk profile are identified consistent with ASME/ANS RA-Sa-2009 and DC/COL-ISG-028. The guidance in ASME/ANS RA-Sa-2009 is used to implement a progressive screening process to identify which external events can be screened from detailed evaluation and those that require a quantitative hazard evaluation. The applicant identified 41 specific external hazards for screening evaluation. The screening disposition for each of the hazards is reported in DCA Part 2, Tier 2, Table 19.1-34, External Events Considered for Operations at Power. The applicant determined from the screening analysis that seismic events, internal fires, internal floods, external floods, and extreme winds required detailed quantitative analysis.

The screening of some hazards was based on assumptions about siting requirements. To ensure that the site is enveloped, a bounding analysis of high winds and external floods was performed to allow COL applicants to compare their site characteristics to those assumed in the bounding analyses.

The staff reviewed the applicant's screening evaluation of external events and finds it to be acceptable because (1) the screening criteria used by the applicant are consistent with DC/COL-ISG-028 and (2) the results of the screening evaluation are similar to those for passive reactor designs previously certified by the NRC.

19.1.4.8.1 Seismic Risk Evaluation

DCA Part 2, Tier 2, Section 19.1.5.1, Seismic Risk Evaluation, describes the PRA-based SMA for operations at power. SECY-93-087 and the associated SRM indicate that, for seismic events, a plant designed to withstand a 0.5g safe-shutdown earthquake (SSE) should have a plant HCLPF capacity of at least 1.67 times the acceleration of the SSE (i.e., 0.84g). The applicant performed the PRA-based SMA based on logic models developed by modifying the design-specific PRA models for internal events to include logic important in considering seismic failures. The applicant determined accident sequences important to the evaluation of seismic margin using event trees and fault trees that included the fragility data for each SSC and failure probabilities for random, non-seismic events.

The staff reviewed the PRA-based SMA following the guidance provided in SECY-93-087 and its associated SRM; SRP Section 19.0; and Part 5, Requirements for Seismic Events At-Power PRA, of ASME/ANS RA-Sa-2009 for the design stage, consistent with DC/COL-ISG-028. In general, the PRA-based SMA provides an understanding of significant seismic vulnerabilities and insights to demonstrate the robustness of a standard design. In this context, the staff review focused on the framework for assessing potential significant failures induced by seismic events.

The staff assessed the scope of the applicant's PRA-based SMA to ensure that the analysis addressed all applicable accident sequences and all plant operating modes.

Evaluation of Seismic Input Spectrum

DCA Part 2, Tier 2, Section 19.1.5.1.1.2, Seismic Input Spectrum, describes the seismic input spectrum. The staff reviewed the definition of the review-level earthquake, which is defined relative to the Certified Seismic Design Response Spectra (CSDRS), as shown in DCA Part 2, Tier 2, Figure 3.7.1-1, NuScale Horizontal CSDRS at 5 Percent Damping, and the SSC fragility, which is referenced to the peak ground acceleration of the CSDRS. The staff finds that the seismic input spectrum for the PRA-based SMA is acceptable on the basis that the seismic fragility calculation uses the response spectrum shape defined as the DC's CSDRS, consistent with SRP Section 19.0.

Seismic Fragility Evaluation

The staff review of the seismic fragility evaluation focused on the methodology used to select the structural failures, the methodologies used to calculate the seismic fragility for SSCs, and the assumptions made in determining the controlling structural failure modes.

The structural failures modeled are those of structures that are directly in contact with the module, directly connected to the module interface, or located above the module. A separate fragility analysis was performed for each of the structures in DCA Part 2, Tier 2, Table 19.1-35, Structural Fragility Parameters and Results, including the RBC, RXB exterior walls, module supports, bioshield, pool walls, crane support walls, bay walls, roof, and basemat. The SSCs evaluated for the fragility analysis were divided into two categories: PRA-critical and noncritical SSCs.

Regarding the methodology used for the PRA-critical SSCs, in SRP Section 19.0, the staff endorsed the conservative deterministic failure margin as described in EPRI NP-6041, A Methodology for Assessment of Nuclear Power Plant Seismic Margin, issued August 1991, and the separation of variables methods as described in EPRI 103959, Methodology for Developing Seismic Fragilities, issued June 1994, as acceptable for determining seismic fragility.

EPRI 1019200, Seismic Fragility Applications Guide Update, issued 2009, was referenced for information by the applicant in DCA, Part 2, Tier 2, Section 19.1.5.1.2, and supported their evaluation of seismic fragilities. EPRI 1019200 provides limited updates to the SMA guidance referenced by SRP 19.0, and the staff found its use in the NuScale DCA acceptable. The methodologies used for determining the HCLPF capacity are consistent with staff-endorsed guidance and are therefore acceptable.

Regarding the methodology used for the noncritical SSCs, the applicant stated that the use of generic data is conservative for component capacity and included an assumption in DCA Part 2, Tier 2, Table 19.1-40, Key Assumptions for the Seismic Margin Assessment, that fragility parameters acquired from generic sources are valid and relevant to the NuScale design, which is to be verified in accordance with COL Information Item 19.1-8. This methodology is acceptable to the staff because the results are conservative, the COL applicant will verify the applicability of the generic data, and no SSCs evaluated using generic data contribute to the seismic margin.

The staff audited a summary of the fragility calculations for several PRA-critical SSCs, including the RBC, RVVs, and control rod guide tube, and for structures, including the reactor bay wall, reactor pool walls, crane walls, RXB exterior wall, basemat, RXB roof, and module supports, to verify that appropriate assumptions were included in DCA Part 2, Tier 2, Table 19.1-40. The staff specifically verified that the supporting calculations demonstrate that the controlling failure mode for the RXB is out-of-plane shear cracking at the base of the exterior east-west walls.

The staff verified the results of the seismic evaluation presented in DCA Part 2, Tier 2, Tables 19.1-35 and 19.1-38, Seismic Correlation Class Information, which include the median capacity, uncertainty parameters, and HCLPF capacity. The staff verified that no SSCs with HCLPF capacities less than 0.84g, as indicated in DCA Part 2, Tier 2, Table 19.1-38, contribute to the seismic margin.

The staff reviewed the component boundaries because several components listed in DCA Part 2, Tier 2, Table 19.1-38 have HCLPF capacities significantly in excess of 0.84g. As stated in DCA Part 2, Tier 2, Section 19.1.5.1.1.3, Seismic Fragility Evaluation, these boundaries cover all failure mechanisms, including anchorage failures and structural collapse affecting component functions. The defined component boundaries are acceptable to the staff; however, sufficient basis does not exist to verify these HCLPFs without as-built plant information and the results of a seismic walkdown. Therefore, although the staff cannot evaluate the adequacy of individual components listed in DCA Part 2, Tier 2, Table 19.1-38, based on the available seismic margins, the staff is able to find that the plant-level HCLPF capacity meets the Commission's Policy Statement in SECY-93-087.

The staff reviewed the assumption listed in DCA Part 2, Tier 2, Table 19.1-40, that seismic Category I structures meet the seismic margin requirement of 1.67 times the CSDRS for site-specific seismic hazards, including sliding and overturning. The staff reviewed the results of the analysis in DCA Part 2, Tier 2, Tables 3.8.5-5, Factors of Safety - RXB Stability, 3.8.5-11, Reactor Building Sliding Displacements for Soil Type 7, 8, and 11 (Dead Weight + Buoyancy), and 3.8.5-12, Control Building Sliding and Uplift Displacements for Soil Type 7 and 11. The analysis results indicate negligible RXB sliding displacements of 0.11 inches in the east-west direction and 0.06 inches in the north-south direction as the result of the design-basis earthquake of 0.5g. Section 3.8.5 of this report documents the staff's evaluation of this analysis.

Based on the above information, the staff concludes that it is reasonable to assume that the seismic Category I structures meet the seismic margin of 1.67 times the CSDRS for seismic-induced sliding and overturning. Additionally, COL Information Item 19.1-8 specifies that the COL applicant is to confirm the validity of key assumptions.

For the LPSD PRA-based SMA, the staff reviewed DCA Part 2, Tier 2, Section 19.1.6.3, Safety Insights from the External Events Probabilistic Risk Assessment for Low Power and Shutdown Operation, to determine whether any additional SSCs should be included beyond those considered for the at-power PRA-based SMA. The applicant included assumptions in DCA Part 2, Tier 2, Table 19.1-40, for the CFT, RFT, and MLA, which provide the basis for concluding that they do not contribute to the seismic margin. The basis given in DCA Part 2, Tier 2, Table 19.1-40, is acceptable to the staff because operating practice will control the configuration of these SSCs.

Evaluation of Systems and Accident Sequence Analysis

DCA Part 2, Tier 2, Section 19.1.5.1.1.4, Systems and Accident Sequence Analysis, summarizes the applicant's method for performing the systems and accident sequence analysis. The staff compared this method against the Commission's expectations described in SECY-93-087 and the associated SRM and found that the NuScale method meets the expectations described therein.

The applicant included all SSCs modeled in the internal events PRA and additional seismic-specific SSCs, such as structures, in the PRA-based SMA. The seismic fragility analysis detailed above supports the determination of sequence-level and plant-level HCLPF capacities. The staff confirmed that the applicant used the MIN-MAX method to calculate the sequence-level and plant-level HCLPF capacities. Use of the MIN-MAX method follows the guidance in SRP Section 19.0 and is acceptable to the staff.

In developing sequence-level HCLPF capacities, the applicant used a screening process to eliminate core damage cutsets that combined seismic-induced failures of SSCs with random failures of SSCs and human error events. Cutsets were screened out when the product of the failure probabilities for random failures and human error events was less than 0.01. The staff finds this screening criterion acceptable because, by definition, the HCLPF capacity is the seismic capacity of an SSC described in terms of a specified ground motion parameter corresponding to a 1-percent probability of unacceptable performance on the mean fragility curve, and cutsets having a product of random failure probabilities of less than 0.01 will have a total failure probability of less than 0.01 regardless of the probability associated with the seismic failure. In contrast, all cutsets were considered for the evaluation of seismic risk insights.

Because the determination of risk insights did not screen cutsets from consideration, the risk insights are acceptable to the staff.
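The screening rule and the MIN-MAX roll-up described above, sketched as an added Python example that is not part of the staff report or the applicant's analysis. Every component name, median capacity and variability below is constructed, and the lognormal mean fragility with a composite variability (beta_c) is an assumed, commonly used model rather than something stated in this section.

```python
"""MIN-MAX seismic margin roll-up with the 0.01 cutset screening rule.

Added illustration: every component name and number is constructed.
"""
from dataclasses import dataclass
from math import exp, log, prod
from statistics import NormalDist

REQUIRED_HCLPF_G = 0.84   # 1.67 x the 0.5g SSE, as stated in the text
SCREEN_THRESHOLD = 0.01   # screening value stated in the text
_STD_NORMAL = NormalDist()
_Z_1PCT = _STD_NORMAL.inv_cdf(0.01)   # about -2.326


def mean_fragility(pga_g, median_g, beta_c):
    """Assumed lognormal mean fragility: P(failure | peak ground acceleration)."""
    return _STD_NORMAL.cdf(log(pga_g / median_g) / beta_c)


def hclpf_from_median(median_g, beta_c):
    """Ground motion at which the mean fragility curve reaches 1 percent."""
    return median_g * exp(_Z_1PCT * beta_c)


@dataclass(frozen=True)
class Cutset:
    seismic: tuple       # names of seismic-induced SSC failures (all must occur)
    random: tuple = ()   # probabilities of random failures and human errors


def is_screened_out(cutset):
    """True when the non-seismic product alone is below 0.01.

    Such a cutset can never reach a 1 percent failure probability, whatever
    the seismic failure probability is, so it cannot set the HCLPF.
    """
    return bool(cutset.random) and prod(cutset.random) < SCREEN_THRESHOLD


def cutset_hclpf(cutset, hclpf):
    """MAX step: every seismic failure must occur, so the strongest SSC governs."""
    return max(hclpf[name] for name in cutset.seismic)


def sequence_hclpf(cutsets, hclpf):
    """MIN step: any retained cutset fails the sequence, so the weakest governs.

    Returns None when every cutset of the sequence is screened out.
    """
    kept = [c for c in cutsets if not is_screened_out(c)]
    return min((cutset_hclpf(c, hclpf) for c in kept), default=None)


def plant_hclpf(sequences, hclpf):
    """Plant-level HCLPF: minimum over all sequence-level HCLPF capacities."""
    values = [sequence_hclpf(cs, hclpf) for cs in sequences.values()]
    return min(v for v in values if v is not None)


# Constructed fragility data: name -> (median capacity in g, composite beta).
FRAGILITY = {
    "STRUCT_WALL": (2.4, 0.40),
    "CRANE": (2.6, 0.35),
    "TANK": (4.0, 0.45),
    "VALVE_A": (1.5, 0.45),   # weak component, HCLPF below 0.84g
}
HCLPF = {name: hclpf_from_median(m, b) for name, (m, b) in FRAGILITY.items()}

# Constructed core damage cutsets, grouped by accident sequence.
SEQUENCES = {
    "SEQ-1": [Cutset(("STRUCT_WALL",))],
    "SEQ-2": [
        Cutset(("VALVE_A", "CRANE")),                # weak valve AND strong crane
        Cutset(("VALVE_A",), random=(0.2, 0.03)),    # product 0.006: screened out
        Cutset(("TANK",), random=(0.05,)),           # product 0.05: retained
    ],
}

if __name__ == "__main__":
    for name, cutsets in SEQUENCES.items():
        print(f"{name}: HCLPF = {sequence_hclpf(cutsets, HCLPF):.2f}g")
    plant = plant_hclpf(SEQUENCES, HCLPF)
    verdict = "meets" if plant >= REQUIRED_HCLPF_G else "is below"
    print(f"plant: HCLPF = {plant:.2f}g, {verdict} {REQUIRED_HCLPF_G}g")
```

In this constructed data the weak valve never sets the margin: it appears only alongside a stronger SSC or in a cutset that the 0.01 rule screens out.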

In developing risk insights, the applicant generated cutsets for 14 seismic event trees. The underlying logic for each event tree is identical; however, each event tree represents a different ground motion acceleration. The staff finds that segmenting the seismic hazard into 14 intervals is a typical and acceptable approach to quantifying the seismic risk as described in EPRI 1002989, Seismic Probabilistic Risk Assessment Implementation Guide, issued 2009.

The use of multiple ground motion intervals provides insights into the relative contributions of both seismic and random failures at different ground motions.

Consistent with SRP 19.0, the staff does not expect a peer review in accordance with ASME/ANS RA-Sa-2009, Part 5, Section 5-3, for a PRA-based SMA at the DC stage. However, the staff compared the elements of an SMA peer review specified in ASME/ANS RA-Sa-2009, Part 5, Section 5-3, with those documented in ER-P000-4474, Revision 0, External Review of the NuScale PRA Self-Assessment. The staff determined that the applicant's external review of its self-assessment adequately considered the elements in ASME/ANS RA-Sa-2009 and provides the staff with additional confidence that the PRA-based SMA is technically adequate.

Insights

The applicant described the insights gained from the PRA-based SMA in DCA Part 2, Tier 2, Section 19.1.5.1.2, Results from the Seismic Risk Evaluation. To gather these insights, the applicant examined risk-significant accident sequences, structural failure events, component failure modes, and operator actions.

Reporting risk insights from the PRA-based SMA adequately addresses the Commission's objective that significant seismic vulnerabilities and other important insights be captured in the PRA-based SMA, as discussed in SECY-93-087 and the associated SRM.

Conclusion

Based on the above evaluation, the staff finds that the NuScale design satisfies the expectation of SECY-93-087 and its associated SRM regarding the plant-level HCLPF capacity, which is sufficient to demonstrate adequate seismic margin for a DCA. Therefore, the staff concludes that the NuScale PRA-based SMA is acceptable and consistent with SRP 19.0.

19.1.4.8.2 Internal Fires Risk Evaluation

DCA Part 2, Tier 2, Section 19.1.5.2, Internal Fires Risk Evaluation, describes the internal fire probabilistic risk assessment (FPRA). The staff evaluated the internal FPRA for operations at power for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028.

The staff evaluated the qualitative assessment of risk from internal fires during LPSD as described at the end of this section. The applicant's FPRA addressed the technical elements in ASME/ANS RA-Sa-2009, such as component selection, fire scenario analysis, fire ignition frequency, and fire risk quantification. The staff reviewed the extent to which the applicant's FPRA information is consistent with the applicable approaches described in NUREG/CR-6850, EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities, issued September 2005.

The applicant either did not perform certain tasks or used simpler analyses than suggested in NUREG/CR-6850. The staff finds this acceptable because certain design details (e.g., specifics of cable routing, ignition sources, and target locations) are unknown at the DC stage. The staff focused its review on the reasonableness of assumptions used in the FPRA to address these incomplete aspects of the design and operating procedures.

Fire Probabilistic Risk Assessment Component Selection

The staff reviewed the applicant's selection of components included in the FPRA. The staff confirmed that the FPRA uses the same systems and accident sequence models as the internal events PRA. The applicant used the information from the Fire Safe Shutdown Plan presented in DCA Part 2, Tier 2, Appendix 9A, Fire Hazards Analysis, and multiple spurious operation evaluations to identify components to include in the FPRA model. The staff noted that the instrumentation required to perform operator actions has not been established. The staff confirmed that the FPRA assumes that instrumentation is available for operator actions when the equipment (e.g., pumps, valves) required to perform the actions is available.

Instrumentation required for the performance of an operator action is assumed to be affected by the same fire event that affects the equipment required to perform the action (e.g., by fire in the area where control circuitry is located). The staff confirmed that this assumption has been included as a key assumption in DCA Part 2, Tier 2, Table 19.1-46, Key Assumptions for the Internal Fire PRA, that will be validated or updated as appropriate once the design details become available in the COL stage.

Fire-Induced Failures

The staff reviewed how the FPRA model accounted for the ability of equipment that may be affected by a fire to perform its intended function. The staff also reviewed how the model treats a spurious operation induced by a hot short, which may either cause a fire-induced initiating event or adversely affect the response of safety systems or operator actions required to respond to a fire. In lieu of detailed circuit analyses, the applicant assumed that fire damage to cabling can cause either a loss of control of the associated component or a spurious operation of the associated component, depending on the cable material (e.g., fiber optic or copper). The applicant assumed that spurious operation induced by a hot short is not credible in fiber optic cables. Therefore, damage to a fiber optic cable is modeled only as a loss of control of the component controlled by the cable. Fire-induced spurious operations of circuits involving copper cabling are considered credible and are included in the model.

The staff noted that there are assumed fire scenarios (e.g., IE-FIRE-3-ECCS) during which the ECCS solenoid-operated valves are subject to spurious operation, but not the containment isolation solenoid valves, even though the cabling for both functions appears to be routed through a shared fire area (e.g., Fire Area 010-208).

In a letter dated December 13, 2017 (ADAMS Accession No. ML17347B711), the applicant stated that for the ECCS, a spurious actuation is a potential concern because it presents a possibility for an incomplete ECCS actuation; therefore, a hot short is modeled as a contributor to an inadvertent ECCS actuation demand. For the CIVs, however, fire damage may result in the valves closing, which is the safe state, and these failures are not modeled in the PRA to avoid crediting a beneficial failure that may mitigate a potential accident progression. The staff finds this approach reasonable and acceptable.

The staff noted another important assumption related to the probability of spurious operation occurring. The applicant assigned spurious operations of solenoid-operated valves powered by ungrounded dc supplies a probability of 7.7×10⁻² based on Column 4 of Table 5-2 in NUREG/CR-7150, Joint Assessment of Cable Damage and Quantification of Effects from Fire (JACQUE-FIRE). This probability is applicable to solenoids that require double-break hot shorts from intra-cable and ground fault equivalent sources. The applicant further assumed that if a spurious operation can be withstood for longer than 7 minutes, a value of 2.2×10⁻² is assigned as the probability for the hot short to persist for longer than 7 minutes. This is based on Table 6-3 in NUREG/CR-7150 and allows for the possibility for a hot short to clear after it initially occurs. The staff found that the applicant included these as key assumptions in DCA Part 2, Tier 2, Table 19.1-46, which will be validated or updated as appropriate once the design details become available in the COL stage.

Fire Scenario Analysis

The staff reviewed the applicant's treatment of the spatial interaction between the ignition sources and the targets. The applicant performed the plant partitioning and identified the fire compartments based on the fire areas as defined in the fire hazards analysis documented in DCA Part 2, Tier 2, Chapter 9. At this stage of the design, the specific locations of ignition sources, targets (e.g., cable routing), and intervening combustibles are not available. Within individual fire compartments, the FPRA did not take credit for fire suppression, either automatic or manual. Cable routing information was assumed based on the location of component controls and the physical location of the equipment in the plant as identified or inferred from the site plan and the general arrangement drawings.

The applicant did not perform detailed fire modeling. Instead, the applicant modeled the fire growth by applying a probability of loss of other equipment in the fire area with a mean of 0.5 and a uniform distribution between 0 and 1, which represents the effect of the fire severity factor and subsequent fire growth. In cases when the fire does not spread, the scenario is mapped to a transient sequence. When the fire does spread, all targets in the fire area are assumed to be affected by the fire, and the scenario is mapped to the most challenging accident sequence considered possible following a fire in the area. The applicant also performed a sensitivity study accounting for the uncertainty in fire growth to address potential shortcomings of a wide probability distribution and capture important risk insights.

The staff reviewed how the applicant addressed the MCR fire risk. The applicant's modeling of fires affecting the MCR is consistent with how other fire compartments are modeled. Because the MCR contains equipment controlling both divisions of safety systems, a fire left unchecked may result in conditions that challenge entire safety functions. The operators are expected to respond to an MCR evacuation by tripping the reactors and initiating DHR and containment isolation for each reactor before leaving the MCR. Following evacuation of the MCR, the MPS manual switches can be isolated to prevent spurious actuations. As these fire areas are treated identically and combined in a single fire scenario, all of these fire areas need to be viewed as potentially risk significant.

The staff reviewed the applicant's treatment of multicompartment fires. The frequency of the multicompartment scenario is quantified as the product of the ignition frequency, the severity factor, the probability of nonsuppression, and the fire barrier failure probability. The applicant assumed that all ignited fires in the originating compartment result in a challenge to fire compartment boundaries, such as by the formation of a hot gas layer. The applicant assumed a fire growth factor of 0.5, 0.01 for the probability of nonsuppression, and 0.1 for the probability of barrier failure. The applicant considered the fire compartment layout from the general arrangement drawings and appropriately assessed the combinations of multicompartment fire scenarios.

Fire Ignition Frequency

The staff reviewed how the applicant determined the fire ignition frequencies to support the FPRA. The applicant estimated the fire ignition frequency for each identified ignition source and each fire compartment using the generic frequencies from NUREG-2169, Nuclear Power Plant Fire Ignition Frequency and Non-Suppression Probability Estimation Using the Updated Fire Events Database: United States Fire Event Experience Through 2009, issued January 2015.

Fire frequencies are based on mapping plant ignition sources to generic fire bins and associated frequencies. They generally include equally weighted transient ignition sources. The applicant estimated the potential ignition sources in unscreened fire compartments based on general arrangement drawings. The plant layout and the multi-module configuration of the NuScale design differ significantly from the large LWR plant layout on which the NUREG-2169 data are based. Although this introduces additional uncertainties, this is a reasonable approach at this stage of the design for DC purposes.

Cables routed in the area under the bioshield have been excluded from the counting of junction boxes. These cables are routed exclusively in steel conduit or metal flexible conduit and are not capable of igniting a fire in this area. This is a key assumption included in DCA Part 2, Tier 2, Table 19.1-46, which will be validated or updated as appropriate once the design details become available in the COL stage. As discussed in Section 19.1.4.4.8 of this report, the applicant identified COL Information Item 19.1-8 for this purpose.

Quantification and Insights

The staff reviewed the fire risk quantification and found that the key elements for the PRA quantification, such as initiating events, accident sequences, and basic events (equipment unavailability and human failure events), were identified. The internal FPRA results and insights rely on key assumptions to account for the incomplete design and operational details. DCA Part 2, Tier 2, Table 19.1-46, lists the key assumptions for the internal FPRA. These key assumptions used in the PRA need to be appropriately evaluated and dispositioned during the COL stage to ensure that the PRA results and insights continue to remain valid. As discussed in Section 19.1.4.4.8 of this report, the applicant identified COL Information Item 19.1-8 for this purpose.

Low-Power and Shutdown Internal Fires

For LPSD operations, the applicant's evaluation of internal fires in DCA Part 2, Tier 2, Section 19.1.6.3.2, Internal Fire Risk during Low Power and Shutdown, is a qualitative assessment. The applicant concludes that the risk contribution is insignificant during LPSD operations because of the fail-safe nature of the safety-related systems, as well as the limited time (frequency and duration) that the module is in any POS during LPSD operations. As described in Section 19.1.4.6 of this report, the staff finds that the LPSD risk is not a large contributor in the NuScale design because of the passively cooled state, aside from POSs 3 and 5 associated with RBC operation. The staff considered the potential for fires to affect the RBC control system in POSs 3 and 5. DCA Part 2, Tier 2, Table 19.1-72, Internal Fire Susceptibility During Low Power and Shutdown Plant Operating States, states that the controls for the crane are expected to use fiber optics such that spurious operations of the crane are not judged to be credible. The staff considers the crane control system that precludes spurious operation induced by a hot short to be a key assumption in the PRA. Because DCA Part 2, Tier 2, Table 19.1-46, includes as a key assumption that the RBC cannot be spuriously operated as a result of a fire, in accordance with COL Information Item 19.1-8, the assumption will be validated or updated by the COLA as appropriate once the design details are available.

Conclusion

The staff finds that although many details are tied to assumptions, the applicant's FPRA, which uses simplified approaches to address many aspects as described above, provides results and insights acceptable for at-power and LPSD operations; and the FPRA for at-power and LPSD operations is acceptable for a DCA because it is technically adequate and consistent with the guidance in DC/COL-ISG-028 and SRP Section 19.0.

19.1.4.8.3 Internal Flooding Analysis

DCA Part 2, Tier 2, Section 19.1.5.3, Internal Flooding Risk Evaluation, describes the internal flooding probabilistic risk assessment (IFPRA) for operations. The staff evaluated the IFPRA for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028. The staff evaluated the qualitative assessment of risk from internal flooding during LPSD as described at the end of this section. The applicant's IFPRA addressed the technical elements in ASME/ANS RA-Sa-2009 (i.e., internal plant partitioning, internal flood source identification, internal flood scenario development, internal flood-induced initiating event analysis, and internal flood accident sequence and quantification). However, the applicant's approach is based on a simplified model with heavy reliance on assumptions. This is partly because of the lack of established pipe routing and other design and operational details at this stage of the design. Therefore, the staff focused its review on the appropriateness of assumptions used to address these incomplete aspects of the design and operating procedures.

Internal Flood Plant Partitioning

The staff reviewed how the applicant performed the internal flood plant partitioning. The applicant performed this task generally at the building level. The applicant used the site plan drawing to assess the buildings that contain flood sources that have the potential to cause plant trips. The applicant screened out buildings from further consideration based on the assumption that either a flood in those areas would not cause a plant trip or adequate flood protection will be provided. For example, the applicant screened out the control building from the internal flood model based on the reasoning that, although the control building contains equipment that may result in a plant trip if flooded, areas containing this equipment are protected from internal flooding. The staff finds that the availability of adequate flood protection is a key assumption that should be validated for the COL stage. The applicant identified COL Information Items 3.4-1 through 3.4-4 for implementation of flood protection design during the COL stage.

For the equipment modeled in the PRA, the applicant identified the flood areas as shown in DCA Part 2, Tier 2, Table 19.1-49, Assessment of Flood Areas Containing Equipment Modeled in the Probabilistic Risk Assessment. The applicant assumed that the equipment located in these flood areas is protected, which is acceptable to meet the DC requirements. The staff considers this a key assumption in the PRA, which will need to be validated or updated by the COL applicant once the design details are available, as directed by COL item 19.1-8. COL Information Items 3.4-1 through 3.4-4 describe the flood protection provisions to be addressed by the COL applicant, and the staff finds this acceptable.

Internal Flood Source Identification

The staff reviewed the applicant's identification of the internal flood sources. DCA Part 2, Tier 2, Table 19.1-48, Internal Flooding Sources, identifies and characterizes the systems that have the potential to cause internal flooding events. Because little information is available on specific pipe routing and equipment location, the characterization of the flood sources is limited to identifying the building affected by the potential flood (e.g., RXB, turbine building). The applicant applied a simplified approach that modeled flooding events in the RXB as reactor trips (general transients) in which makeup by the CVCS and the CFDS is unavailable. The staff finds that the simplified approach is reasonable for the DC stage.

Internal Flood Scenario Development

The staff reviewed how the applicant performed the internal flood scenario development. The applicant's internal flood scenario analysis is based on the assumption that the equipment identified in DCA Part 2, Tier 2, Table 19.1-49 is protected from internal floods. The staff audit of the information indicated that the required level of flooding protection is determined based on the assumed time available for the operator to successfully isolate the flood source. The applicant stated that a representative internal flooding analysis has been performed which is based, in part, on assumed flood volumes with the expectation that plant personnel will eventually isolate a flood source. The staff finds that the applicant included this assumption as a key assumption in DCA Part 2, Tier 2, Table 19.1-54, Key Assumptions for the Internal Flooding PRA, which will be validated or updated as appropriate once the design details become available in the COL stage.

Internal Flood-Induced Initiating Event Analysis

The staff reviewed how the applicant performed the internal flood-induced initiating event analysis. An internal flood cannot initiate a LOCA or a steamline or feedwater line break because flood damage does not affect passive components. The applicant assumed that an internal flood could initiate a transient because of the potential effects on pumps, control panels or equipment; therefore, the internal event initiators such as loss of support systems and general reactor trip apply to internal flooding. However, the applicant screened out internal flood-induced LOOP or loss of dc power as no internal flooding sources are associated with an area containing the highly reliable dc power system or the high-voltage 13.8-kilovolt and switchyard system switchgear. This modeling approach assumes that the flooding protection features will be adequately designed, and that the operator action will successfully isolate the flood source before equipment is damaged. The staff finds that this modeling approach is included as a key assumption in DCA Part 2, Tier 2, Table 19.1-54, which will be validated or updated as appropriate once the design details become available in the COL stage as directed by COL item 19.1-8.

The applicant's estimation of the internal flooding frequency uses a very simplified approach. The applicant assumes that the generic flooding frequency data in NUREG/CR-2300 for the auxiliary building and the turbine generator building may be applied to the RXB and turbine generator building. The applicant bases this assumption on the similarity in the location and types of equipment in these buildings. The staff finds that this approach limits the ability to gain design-specific insights because it does not consider the NuScale-specific piping configuration and associated break frequency estimations. However, the staff noted that the initiating event frequencies assumed for the RXB and the turbine generator building are comparable to or somewhat more conservative than the internal flooding analyses for other reactor designs.

Hence, although the uncertainty is large, the staff finds that the risk is not significantly underestimated, assuming that key assumptions are valid. The staff also considered that the NuScale design is less dependent on active systems. Internal flooding would adversely affect only the components supporting the CVCS and CFDS, but the mitigating functions provided by these systems are not credited for flooding in the RXB. Based on the above considerations, and because limited design information is available, the staff finds this approach to estimating the internal flooding frequency reasonable for a DCA.

Quantification and Insights

DCA Part 2, Tier 2, Section 19.1.5.3.2, Results from the Internal Flooding Risk Evaluation, discusses the results from the internal flooding risk evaluation. The staff reviewed the PRA quantification and finds that the key elements in the PRA quantification, such as initiating events, accident sequences, and basic events (equipment unavailability and human failure events), are identified. The applicant reported a very low number for the internal flooding CDF.

As discussed in more detail in Section 19.1.4.4.8 of this report, the staff finds that the uncertainty in the CDF could be larger than indicated at this DC stage; however, even with greater uncertainty, there is margin to the Commission's CDF and LRF goals.

The PRA results and insights rely on key assumptions to account for the incomplete design and operational details. DCA Part 2, Tier 2, Table 19.1-54 lists the key assumptions for the IFPRA.

These key assumptions used in the PRA need to be appropriately evaluated and dispositioned during the COL stage to ensure that the PRA results and insights continue to remain valid. As discussed in Section 19.1.4.4.8 of this report, the applicant identified COL Information Item 19.1-8 to address the key assumptions in the DCA.

Low-Power and Shutdown Internal Flooding

For LPSD operations, the applicant's evaluation of internal flooding risk in DCA Part 2, Tier 2, Section 19.1.6.3.3, Internal Flood Risk during Low Power and Shutdown, is a qualitative assessment. The applicant concludes that risk contribution is insignificant during LPSD operations because of the fail-safe nature of the safety systems, as well as the limited time (frequency and duration) that the module is in any POS during LPSD operations. As evaluated in Section 19.1.4.6 of this report, the staff finds that the reactor module is passively cooled for most of the LPSD duration. Therefore, the staff finds that internal flooding will likely not contribute significantly to risk in POSs 1, 2, 4, 6, and 7. However, the staff considered that internal flooding has the potential to cause a loss of power to the crane during POSs 3 and 5.

As previously described for at-power internal flood analysis, the applicant assumes that design features protect equipment such as the ac power equipment from internal floods. These design features are based on the ability of the operator to isolate any flood source before equipment damage occurs. This is a key assumption, and the staff finds that the applicant included it as a key assumption in DCA Part 2, Tier 2, Table 19.1-54, which will be validated or updated as appropriate once the design details become available in the COL stage as directed by COL item 19.1-8.

Conclusion

Based on the above, the staff finds that the applicant's IFPRA for at-power and LPSD operations is acceptable for a DC because it is technically adequate and consistent with the guidance in DC/COL-ISG-028 and SRP Section 19.0. The applicant identified key assumptions related to internal floods to address the design details not specified at the design certification stage. These assumptions will be validated or updated as appropriate once the design details become available in the COL stage.

19.1.4.8.4 External Flooding Analysis

The applicant's external flooding PRA described in DCA Part 2, Tier 2, Section 19.1.5.4, "External Flooding Risk Evaluation," applies the methodology in Part 8 of ASME/ANS RA-Sa-2009 for the design stage consistent with DC/COL-ISG-028. The external flooding PRA includes a hazard analysis, fragility evaluation, module response, accident sequences, and quantification. The applicant performed a self-assessment of the PRA against the guidance in DC/COL-ISG-028.

The staff reviewed the key assumptions provided in DCA Part 2, Tier 2, Table 19.1-58, "Key Assumptions for the External Flooding PRA." The staff examined the basis for the probable maximum flood frequency of 2.0×10⁻³ per year. In a letter dated August 16, 2017 (ADAMS Accession No. ML17230A000), the applicant stated that an external flood with a recurrence interval of one in 500 years is assumed to bound the likelihood of exceeding the design-basis flood. Another key assumption is that for 90 percent of external flood events, operators are assumed to cease refueling and crane operations and perform a controlled shutdown before external flood-induced impacts affect equipment. Per COL Information Item 19.1-8, the COL applicant is expected to evaluate this assumption and determine whether the PRA results and insights remain valid for the COL stage.

The staff reviewed DCA Part 2, Tier 2, Table 19.1-74, "External Flooding Susceptibility during Low Power and Shutdown Plant (LPSD)," and Table 19.1-75, "High-Wind Susceptibility during Low Power and Shutdown Plant Operating States," to determine whether the RBC, following a loss of ac power due to external flooding or high winds, has the capability to maintain a hoisted load until power is restored. The staff determined that the applicant sufficiently described the design and operation of the RBC crane during module transport to conclude that the performance of the RBC is adequate for a loss of ac power due to these external events.

The staff examined the potential failure of flooding penetrations. DCA Part 2, Tier 2, Section 19.1.5.4.2, "Results from the External Flooding Risk Evaluation," states that flooding penetrations (e.g., doors) are not credited in the external flooding analysis, and no flooding penetrations were identified as risk significant. The staff finds the applicant's approach acceptable.

Based on the above, the staff finds that the applicant's external flooding PRA for at-power and LPSD operations is acceptable for the DCA because it is technically acceptable and consistent with the guidance in DC/COL-ISG-028 and SRP Section 19.0.

19.1.4.8.5 High-Winds Analysis

The applicant's high-winds PRA, described in DCA Part 2, Tier 2, Section 19.1.5.5, "High-Wind Risk Evaluation," applies the methodology in Part 7 of ASME/ANS RA-Sa-2009 for the design stage, consistent with DC/COL-ISG-028. The high-winds PRA includes a hazard analysis, fragility evaluation, plant response, operator actions, and results. The applicant performed a self-assessment of the PRA against the guidance in DC/COL-ISG-028.

The applicant developed its tornado hazard characterization with methods and data in NUREG/CR-4461, Revision 2, "Tornado Climatology of the Contiguous United States," issued February 2007, and based it on data for the central region of the United States. The staff finds the characterization acceptable because it is consistent with SRP Section 19.0 and uses data for the central region of the country, which has the highest occurrence rate of tornadoes and the highest tornado intensities. DCA Part 2, Tier 2, Table 19.1-61, "Key Assumptions for the High-Winds Probabilistic Risk Assessment," presents the key assumptions made in the high-winds analysis. The staff finds these assumptions to be reasonable.

DCA Part 2, Tier 2, Table 19.1-62, "Significant Cutsets (Hurricanes, Full Power, Single Module)," and Table 19.1-63, "Significant Cutsets (Tornadoes, Full Power, Single Module)," present the results of the applicant's analysis of risk from high winds during power operation. These results indicate that the NuScale design is very tolerant of the hazards created by the high winds, and the risk associated with high winds is not significant. The staff finds these results to be reasonable because, in the NuScale design, all important accident mitigation features are housed within the robust seismic Category I RXB structure and are therefore protected from the effects of high winds.

As discussed in Section 19.1.4.8.4 of this report, the RBC capability to maintain a hoisted load until power is restored resolves the staff concerns about losing ac power as the result of external flooding and high winds.

Based on the above, the staff finds that the applicant's high-winds PRA for at-power and LPSD operations is acceptable for the DCA because it is technically adequate and consistent with the guidance in DC/COL-ISG-028 and SRP Section 19.0.

Evaluation of Multi-module Risk

The focus of the staff's review of multi-module risk is to confirm that the unique multi-module configuration of the NuScale design does not contain vulnerabilities that pose a level of risk significantly greater than that associated with accidents involving multiple units at a U.S. nuclear power plant site. The staff used guidance in SRP Section 19.0, which directs the staff to verify that the applicant has (1) used a systematic process to identify accident sequences, including significant human errors, that lead to multi-module core damages or large releases and (2) selected alternative features, operational strategies, and design options to prevent these sequences from occurring and demonstrated that these accident sequences are not significant contributors to risk.

The staff reviewed the information in DCA Part 2, Tier 2, Section 19.1.7, "Multi-Module Risk," and audited supporting material.

For internal events, the applicant identified coupling mechanisms that could cause initiating or failure events in two or more modules. The approach involved establishing potential initiating events, equipment failure modes, and human errors from the single module PRA that could occur in two or more modules. The coupling mechanisms were then characterized numerically with multi-module adjustment factors (MMAFs) and multi-module performance shaping factors (MMPSFs) that are established based on engineering judgment and applied directly to initiating event frequencies and basic event failure probabilities in the single module PRA model. The parametrically adjusted single-module model, when quantified, provides an estimate of the frequency of core damage in two or more modules that is almost a factor of ten lower than the single module CDF. The staff finds that this approach is reasonable as it is thorough in scope and uses a systematic approach to evaluate the multi-module risk. Although the approach relies heavily on assumptions based on engineering judgment (e.g., MMAFs and MMPSFs), and the results of the multi-module risk evaluation contain large uncertainty, the staff finds that the applicant's approach is acceptable for the DC stage.

The staff also finds that the applicant describes design features and operational strategies to prevent the accident sequences from occurring or to reduce their likelihood. These features and strategies are included in DCA Part 2, Tier 2, Section 19.1.7.2, "Results of the Multiple Module Risk Evaluation at Full Power," and include the following:

  • Support systems that are not safety-related that can cause internal initiating events are made up of multiple trains, which limits the likelihood of system failure.
  • Each individual module is supported by independent module-specific safety-related systems designed to ensure that the module is safely shut down during upset conditions.
  • The independent safety-related systems are designed to be fail-safe during upset conditions and do not require operator action for initiation.
  • Although the safety-related UHS is shared among the modules, its reliability is not threatened by internal initiating events.

The applicant addresses the risk associated with the impact of external events on multiple modules qualitatively. Seismic, internal fire, internal flooding, external flooding, and high-wind events are addressed. The applicant discusses upset conditions in multiple modules that may be caused by these events, as well as the independence of module-specific design features that protect the reactor core under such conditions.

For internal fire, the staff's evaluation included the review of the information in DCA Part 2, Tier 2, Chapter 9, Appendix 9A, which includes the fire hazards analysis and a description of the fire safe-shutdown path. The staff evaluated potential single fire areas that contain equipment in redundant safety divisions relied on for safe shutdown for multiple modules or that contain safe-shutdown equipment from a single safety division for multiple modules. By reviewing the description of equipment locations in the fire hazards analysis in DCA Part 2, Chapter 9, Appendix 9A, the staff confirmed that the MCR is the only single fire area that contains multiple divisions of equipment that are required for safe shutdown of multiple modules. The staff finds that the equipment required for safe shutdown is designed to be fail-safe, with the exception of the potential creation of hot short conditions in which equipment is energized and actuated spuriously. Fire protection equipment is provided in the MCR and all other fire areas to arrest and limit the growth of any fire. In addition, operators can manually remove electric power from circuits, which places safety-related equipment in its fail-safe position. The staff finds that the applicant has taken reasonable steps in the design of the facility to limit the extent to which fire can induce unmitigated accident conditions in multiple modules and to allow the safety systems to perform their safety functions during a fire.

An internal flooding event can create the demand for more than one module to shut down, but given that the DHRS, ECCS, and CIVs transition to the safe state given a loss of DC and AC power, there are no multi-module dependencies in the design that result in an elevated conditional probability of core damage or large release given core damage in the first module.

The staff finds that the safety system components inside the containment and inside the reactor pool are not vulnerable to damage from flooding and that the containment isolation system is designed to fail in a safe state (i.e., isolated containment) if associated electrical components are flooded. As stated in DCA Part 2, Tier 1, Table 3.11-2, "Reactor Building Inspections, Tests, Analyses, and Acceptance Criteria," the design includes internal flooding barriers to provide confinement so that the impact from internal flooding is contained within the RXB flooding area of origin. These barriers include flood-resistant doors, curbs and sills, walls, watertight penetration seals, and National Electrical Manufacturers Association enclosures. In addition, and like most multiunit facilities operating in the United States, separate features for preventing and mitigating core damage are provided in each module and, other than the reactor pool, are not shared among modules.

An external flood can affect all modules, and its effect is basically that of a station blackout following a loss of power. The staff finds that safety systems for prevention and mitigation of a core damage accident are module specific (except the UHS), do not rely on electric power, are fail-safe on loss of power, and are protected from external flooding by their location inside the RXB, which is a robust structure protected from external flooding in accordance with GDC 2, "Design Bases for Protection against Natural Phenomena," of Appendix A to 10 CFR Part 50.

A high-wind event can affect all modules, and its effect is basically that of a reactor trip and a loss of power. The staff finds that the features for preventing and mitigating core damage as described for an external flood also apply to a high-wind event.

A seismic event can cause damage in multiple modules because of its sitewide impact. While the PRA-based SMA included in DCA Part 2, Tier 2, Section 19.1.5, addresses the effects of seismic events on a single module, potential initiating events, performance of safety systems, and accident sequences could be the same in multiple modules. The results of the fragility analysis, which the staff evaluated in Section 19.1.4.8.1 of this report, indicate that the controlling failure modes for SSCs relied on to prevent core damage and release in one or more modules (i.e., the reactor trip system, ECCS, DHRS, CIVs, RSVs, and the RXB structure) have HCLPF capacities above 1.67

Because the UHS is shared among all modules, the staff evaluated the risk associated with a failure of the RXB structure. If such a failure results in a loss of the UHS, then both core and containment cooling would be lost, potentially leading to core melt and containment failure in multiple modules. However, as stated above, the HCLPF values for the pool walls and floor, as listed in DCA Part 2, Tier 2, Table 19.1-35, exceed the sequence level HCLPF value described in the SRM to SECY-93-087. The staff finds that design features included in the evaluation of a multi-module accident following a seismic event are adequate because the seismic margin provided by these design features meets the Commission's guidance for new reactors as described in SECY-93-087.

For LPSD operations, the staff evaluated the applicant's qualitative analysis (non-mechanistic) of the potential for accidents involving multiple modules during module movement for purposes of refueling. For this review, the staff also considered its review of the RBC design (see Section 9.1.5 of this report) and the likelihood of a module drop accident during refueling (see Section 19.1.4.6.3 of this report). In addition, the staff considered the administrative controls documented in DCA Part 2, Tier 2, Table 19.1-71, which ensure that RBC safety features (e.g., limit switches, interlocks to prevent undesired movement) are functional during module movement.

DCA Part 2, Tier 2, Section 19.1.7.4, "Insights Regarding Low Power and Shutdown for Multi-Module Operation," discusses how a module dropped during refueling transport might impact other modules. In DCA Section 19.1.7.4, the applicant specifically states that DHRS piping or heat exchangers may be damaged on an operating module, and that additional pipe breaks may occur, leading to a CVCS line break outside containment.

Following postulated breaks in both CVCS discharge and charging lines from a dropped module, it is expected there would be a reactor trip due to low pressurizer level or low pressurizer pressure. As stipulated in Technical Specifications, Table 3.3.1-1, "Module Protection System Instrumentation," low low pressurizer level would result in containment isolation in the CVCS lines. The redundant safety-related containment isolation valves (CIVs) on the CVCS charging and letdown lines are included in DCA Table 17.4-1: "D-RAP SSC Functions, Categorization, and Categorization Basis" and DCA Table 3.2-1: "Classification of Structures, Systems, and Components" as category A1 (i.e., safety-related and risk-significant). If the CIVs close but both trains of DHRS are unavailable, as discussed in DCA Section 19.1.4, then heat-up of primary coolant and pressurization of the RPV occurs to the point of RSV demand. If one RSV successfully cycles open and closed, as needed, over the 72-hour mission time, then sufficient heat is removed through the containment into the reactor pool by passive convection and conduction to cool the module to a safe, stable configuration.

In a letter dated April 11, 2019 (ADAMS Accession No. ML19101A453), the applicant states these safety-related containment isolation valves are located on top of the containment vessel head under the steel module platform. This platform is comprised of the NPM lifting lugs and top support structure with diagonal lifting braces which together constitute the permanently installed NPM lifting fixture, as discussed in DCA Section 9.1.5. The NPM lifting fixture is designed with dual load paths per the requirements of ANSI N14.6 as a single-failure-proof lifting device. The lifting fixture is categorized as B1 (i.e., nonsafety-related and risk-significant) in DCA Table 3.2-1: "Classification of Structures, Systems, and Components" and DCA Table 17.4-1: "D-RAP SSC Functions, Categorization, and Categorization Basis." As stated in DCA Table 3.2-1, the NPM lifting fixture is seismic classification 1.


Regarding operator error during RBC movement, DCA Table 19.1-71: "Key Assumptions for the Low Power and Shutdown Probabilistic Risk Assessment" documents that movement of the RBC is modeled as being operator controlled in the PRA. As discussed in DCA Section 19.1.6.1.3, operator errors potentially leading to module drop are controlled by backup mitigating features described in DCA Section 9.1.5. As discussed in SER section 18.1.4.1.4, the design of the RBC Human System Interfaces is not complete at this time. The staff understands that the applicant will include HFE guidelines in the purchase specifications to ensure the design conforms to HFE standards in the Style Guide to the extent possible. The Human Factors Engineering Design Implementation Plan, Revision 4 (Report RP-0914-8544) describes a risk-informed process for screening and resolving issues that are related to the human factors process, which have not already been resolved during the design certification process. Section 1.2 indicates that the RBC is within the scope for this process. The validity of the crane assumptions in DCA Table 19.1-71 and crane data supporting the PRA will be confirmed by the COL applicant per COL item 19.1-8.

Commented [PM1]: 1. DCA Table 19.1-71 appears in response to RAI 9659, as a DCA draft rev 4 markup and is confirmatory

The staff considers the applicant's multi-module evaluation adequate for design certification since the applicant considered potential system interactions with other reactor modules as specified in 10 CFR 52.47(c)(3) and documented key assumptions in the DCA to be confirmed in the COL phase. The applicant's assessment is also technically adequate and consistent with the guidance in SRP Section 19.0.

Combined License Information Items

Table 19.1-5 of this report lists COL information item numbers and descriptions related to the PRA. The staff finds the COL information items to be reasonable.

Table 19.1-5 NuScale COL Information Items for DCA Part 2, Tier 2, Section 19.1

COL Item No. | Description | DCA Part 2, Tier 2, Section
19.1-1 | A COL applicant that references the NuScale Power Plant design certification will identify and describe the use of the probabilistic risk assessment in support of licensee programs being implemented during the COL application phase. | 19.1.1.2.1
19.1-2 | A COL applicant that references the NuScale Power Plant design certification will identify and describe specific risk-informed applications being implemented during the COL application phase. | 19.1.1.2.2
19.1-3 | A COL applicant that references the NuScale Power Plant design certification will specify and describe the use of the probabilistic risk assessment in support of licensee programs during the construction phase (from issuance of the COL up to initial fuel loading). | 19.1.1.3.1
19.1-4 | A COL applicant that references the NuScale Power Plant design certification will specify and describe risk-informed applications during the construction phase (from issuance of the COL up to initial fuel loading). | 19.1.1.3.2
19.1-5 | A COL applicant that references the NuScale Power Plant design certification will specify and describe the use of the probabilistic risk assessment in support of licensee programs during the operational phase (from initial fuel loading through commercial operation). | 19.1.1.4.1
19.1-6 | A COL applicant that references the NuScale Power Plant design certification will specify and describe risk-informed applications during the operational phase (from initial fuel loading through commercial operation). | 19.1.1.4.2
19.1-7 | A COL applicant that references the NuScale Power Plant design certification will evaluate site-specific external event hazards (e.g., liquefaction, slope failure), screen those for risk-significance, and evaluate the risk associated with external hazards that are not bounded by the design certification. | 19.1.5
19.1-8 | A COL applicant that references the NuScale Power Plant design certification will confirm the validity of the key assumptions and data used in the design certification application and modify, as necessary, for applicability to the as-built, as-operated PRA. | 19.1.9.1

Conclusion

The staff has reviewed the NuScale design-specific PRA and other PRA-related information in DCA Part 2, Tier 2, Sections 19.0 and 19.1, in accordance with the guidance in SRP Section 19.0. NuScale addressed the full scope of internal and external initiating events for both full-power and LPSD conditions consistent with the level of detail expected in a DCA PRA.

The staff concludes that the application conforms to the guidance in SRP 19.0; and that for the applicable modes and hazards, the PRA conforms to DC/COL-ISG-028. Therefore, the staff finds that the PRA is of sufficient technical adequacy. The staff has reviewed NuScale's estimate of CDF and LRF considering all hazards and all modes and has evaluated the impact of NuScale's sensitivity studies and importance analyses to the PRA results. Based on the staff's evaluation of the integrated risk from all modes and all hazards, the staff concludes that the Commission's CDF and LRF goals have been met with margin.

19.2 Severe Accident Evaluation

Introduction

This section describes the staff evaluation of DCA Part 2, Tier 2, Section 19.2, "Severe Accident Evaluation."

Summary of Application

DCA Part 2, Tier 1: There is no Tier 1 information associated with this area of review.

DCA Part 2, Tier 2: DCA Part 2, Tier 2, Section 19.2, provides a description and analysis of design features for the prevention and mitigation of severe accidents. Specifically, DCA Part 2, Tier 2, Section 19.2.2, "Severe Accident Prevention," discusses the design's capability to prevent specific severe accidents and addresses prevention of severe accidents resulting from ATWS, fire protection issues, station blackout, and an interfacing system loss-of-coolant accident (ISLOCA). DCA Part 2, Tier 2, Section 19.2.3, "Severe Accident Mitigation," discusses the design's capability to mitigate severe accidents if they occur and addresses the following severe accident issues:

  • external RPV cooling
  • high-pressure melt ejection
  • in-vessel steam explosion
  • severe accident-induced SGTF
  • equipment survivability

Additional severe accident topics are discussed in DCA Part 2, Tier 2, Section 19.2.4, "Containment Performance Capability," DCA Part 2, Tier 2, Section 19.2.5, "Accident Management," and DCA Part 2, Tier 2, Section 19.2.6, "Consideration of Potential Design Improvements Under 10 CFR 50.34(f)."

ITAAC: There are no ITAAC associated with this area of review.

Technical Specifications: There are no generic technical specifications associated with this area of review.

Technical Reports: There are no Technical Reports associated with this area of review.

Regulatory Basis

The relevant requirements for this review appear in 10 CFR 52.47(a)(23), which states that a DCA for LWR designs must contain an FSAR that includes a description and analysis of design features for the prevention and mitigation of severe accidents (e.g., challenges to containment integrity caused by core-concrete interaction, steam explosion, high-pressure melt ejection, hydrogen combustion, and containment bypass).

The guidance in SRP Section 19.0, Revision 3, lists the acceptance criteria adequate to meet the above requirements, as well as review interfaces with other SRP sections. The following guidance documents provide acceptance criteria that confirm that the above requirements have been adequately addressed:

  • SECY-93-087, "Policy, Technical and Licensing Issues Pertaining to Evolutionary and Advanced Light-water Reactor (ALWR) Designs," and the associated SRM
  • SECY-94-084, "Policy and Technical Issues Associated with the Regulatory Treatment of Non-Safety Systems in Passive Plant Designs," dated March 28, 1994 (ADAMS Accession No. ML003708068), and the associated SRM, dated June 30, 1994 (ADAMS Accession No. ML003708098)
  • SECY-19-0047, "Containment Performance Goals for the NuScale Small Modular Reactor Design," dated May 8, 2019 (ADAMS Accession No. ML19106A392), provides the staff's design-specific implementation for NuScale of the containment performance goals in SECY-93-087 as follows:

o The conditional probability of containment failure by steam explosion in the reactor vessel causing failure of the containment upper head plus the conditional containment bypass probability is less than 0.1.

o For core damage accidents for which demonstration of in-vessel retention is inconclusive (i.e., sequences that do not involve containment bypass or steam explosion in the reactor vessel that could potentially lead to containment failure), the radioactive material release to the environment is less than that of a large release as defined by NuScale.

Technical Evaluation

The staff reviewed the relevant information on the severe accident evaluation contained in DCA Part 2. During the review, the staff issued RAIs, conducted a series of public meetings with the applicant, and participated in the regulatory audits described in Section 19.1.4 of this report to examine supporting technical documents. The staff also closely coordinated and worked with other technical disciplines during the review. This section summarizes the results of the staff review that are important to the overall conclusion on the NuScale severe accident evaluation and its conformance to the applicable regulatory requirements.

Severe Accident Prevention

The staff evaluated conformance to SECY-93-087 and the associated SRM for ATWS and fire protection in Sections 15.8 and 9.5.1, respectively, of this report. The staff evaluated conformance to SECY-94-084 and the associated SRM for station blackout in Section 8.4 of this report.

Regarding ISLOCA prevention, the staff reviewed DCA Part 2, Tier 2, Section 9.3.4, "Chemical and Volume Control System," which shows that the CVCS is the only system with connections to the RCS with piping outside containment. The staff found that the CVCS meets the guidance in SECY-93-087 and the associated SRM because it is designed to handle RCS pressure where practical. The portions of the CVCS that are not designed to handle RCS pressure are the makeup line and components upstream of the makeup pumps. Following the guidance in SECY-93-087 and the associated SRM, these portions include pressure-indicating transmitters on the suction of each of the CVCS makeup pumps that provide a high-pressure alarm in the MCR.

Severe accident prevention also is reflected in the Level 1 PRA evaluated in Section 19.1 of this report. The low CDF for at-power internal events for the NuScale design as discussed in DCA Part 2, Tier 2, Section 19.1, reflects NuScale's unique design features as compared to operating reactors and certified new reactors. Such unique design features include a passive DHRS, a passive ECCS, and an RPV and CNV geometry that provides core cooling when the only functioning equipment is one RSV. The staff finds that the analysis of design features for the prevention of severe accidents satisfies 10 CFR 52.47(a)(23) and the associated Commission policy in SECY-93-087.

Severe Accident Mitigation

19.2.4.2.1 Scenario Selection for At-Power Accidents

The applicant performed MELCOR simulations as part of its analysis to show that the containment performance goals in Section 19.2.3 of this report were met. The staff evaluated whether the applicant's MELCOR simulations covered the credible core-damage sequences.

Core damage requires a sustained loss of cooling. In the NuScale design, such a condition could result from a hole in the RPV through which coolant escapes, combined with ECCS failure. One type of core-damage accident scenario includes a break at a higher elevation in the RPV such as a failed-open RVV. In this case, coolant cannot return to the RPV because the break location is at the top of the RPV.

Another type of core-damage accident scenario includes a break at a lower elevation in the RPV such as a failed-open RRV. Coolant can reenter the RPV in this case because the break elevation is below the water level in containment produced by discharge of the RPV inventory into the containment. The applicant's MELCOR simulations for these scenarios predict core damage with subsequent recovery of core cooling as the result of coolant in the containment reentering the RPV through the RRVs (TR-0915-17565, Revision 3, "Accident Source Term Methodology," issued April 2019 (ADAMS Accession No. ML19112A172)). Because of the uncertainty in modeling coolant reentering the RPV through the RRVs, the applicant also performed MELCOR simulations artificially blocking coolant from reentering the RPV through the RRVs to show that the severe accident evaluations in DCA Part 2, Tier 2, Section 19.2, are insensitive to this uncertainty and documented the response in a letter dated September 7, 2017 (ADAMS Accession No. ML17251B163).

The staff's review of DCA Part 2, Tier 2 found that the applicant's MELCOR simulations covered the credible core-damage sequences.

19.2.4.2.2 Staff's Independent MELCOR Confirmatory Analysis

The staff independently developed a MELCOR input model using plant design data provided by the applicant. The staff's model is documented in ERI/NRC 13-205, "Updated MELCOR Calculation Notebook: NuScale Integral Pressurized Water Reactor," September 2017. The staff applied its model to the following three of the seven scenarios in DCA Part 2, Tier 2, Section 19.2:

  • LEC-06T-00: A stuck-open RVV with subsequent opening of the remaining two RVVs. This scenario is representative of scenarios with a break at a high elevation in the RPV such that steam is discharged through the break. Liquid water cannot return to the RPV because the break location is at the top of the RPV.
  • LCC-05T-01: CVCS line break inside containment with subsequent opening of the three RVVs. This scenario is representative of scenarios with a break at a low elevation in the RPV such that liquid water is discharged through the break. Liquid water cannot return to the RPV because the CVCS piping rupture is in the containment upper plenum.
  • LCU-03T-01: CVCS line break outside containment. This scenario is representative of a break at a low elevation in the RPV such that liquid water is discharged through the break and bypasses containment.

For each scenario, the staff compared its analysis results with the applicant's simulation results and did not identify differences that were likely to affect the applicant's analysis of severe accident mitigation. The results of the comparison confirmed the applicant's simulation of the accident progression, analysis methodology, and interpretations of its analyses of the reactor, containment, and system response to severe accidents. The staff's independent MELCOR confirmatory analysis is documented in RES/FSCB 2019-01, Independent MELCOR Confirmatory Analysis for NuScale Small Modular Reactor, dated April 2019 (ADAMS Accession No. ML19205A016).

19.2.4.2.3 External Reactor Vessel Cooling

For severe accidents that do not involve containment bypass, the applicant performed a severe accident analysis to show that a damaged core would be retained within the reactor vessel due to water in the containment cooling the reactor vessel outer surface and preventing a breach of the reactor vessel. If the reactor vessel remains intact, the containment vessel remains an effective fission product boundary. Furthermore, even if the reactor vessel were to fail, the applicant concluded that the containment would remain intact.

In NuScale DCA Part 2, Tier 2, Section 19.2.3.2.2 the applicant acknowledges that phenomenological uncertainties could affect this conclusion. Examples of these uncertainties include: (a) the potential formation of a metal layer on top of core debris in the reactor vessel lower plenum that would focus a high heat flow on a small area of the reactor vessel lower head; (b) intermetallic reactions that generate heat and could cause a self-propagating attack on the reactor vessel lower head; and (c) the heat transfer modeling for the reactor vessel and containment. Furthermore, should the reactor vessel fail, the containment vessel also could fail due to similar phenomena. Therefore, these uncertainties prevent the staff from confirming that the CCFP or deterministic containment performance goals are met.

However, NuScale's containment design is significantly different than other new reactors in that the bottom of the NuScale containment is a steel head submerged in a reactor pool, which would prevent releases of radioactive material from submerged portions of the containment from becoming airborne. Severe accident simulations predict that should the NuScale core overheat, core debris would fall into the reactor vessel lower head. If the accumulated core debris resulted in failure of the reactor vessel lower head, it could then fall into the containment lower head and lead to failure of the containment lower head. Due to this, core debris could fall onto the reactor pool floor. Radioactive material releases from the containment through the failed containment lower head and from core debris on the reactor pool floor would be scrubbed by the reactor pool water, which is 21 meters deep. As a result, NuScale's DCA Part 2, Tier 2 states that containment lower head failure would not lead to a large release.

The applicant's conclusion of no large release is supported by the applicant's severe accident analysis for postulated module drop events. This analysis includes a severe accident with the NuScale power module lying on the reactor pool floor and with the containment assumed to be breached as a result of the drop impact. The analysis shows that the scrubbing effect of the water in the reactor pool reduces the offsite radiological dose to only a small fraction of the large release criterion defined by NuScale in the application. The analysis conservatively models the effect of reactor pool scrubbing on the radiological release to the environment. In the longer term, the reactor pool would continue to provide an effective barrier against the uncontrolled release of fission products beyond the initial 24-hour period following the onset of damage by preventing the radioactive material from becoming airborne again.

SECY-19-0047, Containment Performance Goals for the NuScale Small Modular Reactor Design, dated May 8, 2019 (ADAMS Accession No. ML19106A392) gives the following four criteria for review of NuScale containment performance:

1. The large release definition used by NuScale is consistent with the objectives of the Safety Goal Policy Statement.
2. The core damage frequency and the large release frequency are less than the goals of 10^-4 per year and 10^-6 per year, respectively. Meeting this criterion ensures that the Safety Goal Policy Statement quantitative health objectives for public risk are met.
3. The conditional probability of containment failure by steam explosion in the reactor vessel causing failure of the containment upper head plus the conditional containment bypass probability is less than 0.1. Meeting this criterion ensures that the CCFP performance goal of 0.1 is met.
4. For core damage accidents for which demonstration of in-vessel retention is inconclusive (i.e., sequences that do not involve containment bypass or steam explosion in the reactor vessel that could potentially lead to containment failure), the radioactive material release to the environment is less than that of a large release as defined by NuScale.

The staff conclusions that the four review criteria are met are documented in the following sections of this report:

  • Criterion 1 - Section 19.1.4.5.5
  • Criterion 2 - Section 19.1.4.4.9 (internal events CDF), Section 19.1.4.5.7 (internal events LRF), Section 19.1.4.6.8 (LPSD CDF), Section 19.1.4.7.3 (LPSD LRF)
  • Criterion 3 - Section 19.2.4.3.2
  • Criterion 4 - Section 19.2.4.2.3

Because the review criteria described in SECY-19-0047 were met, the staff concluded that containment failure due to inadequate external vessel cooling would not result in a large release. Therefore, the staff determined that the applicant's analysis of external vessel cooling is acceptable.

19.2.4.2.4 Hydrogen Generation and Control

The staff evaluation of hydrogen combustion inside a module is in Chapter 6 of this report. With regard to hydrogen combustion outside a module, a core-damage sequence caused by an unisolated CVCS line break without ECCS or DHRS could lead to a hydrogen combustion event under the bioshield, which could have an impact on other modules. The staff used guidance in SRP Section 19.0 for multi-modules, which directs verification that the applicant has (1) used a systematic process to identify accident sequences that could lead to multi-module core damages or large releases, and (2) selected design options or operational strategies to prevent these sequences from occurring, to demonstrate that these accident sequences are not significant contributors to risk.

The staff performed an independent MELCOR confirmatory analysis to review the time-dependent composition of the vapor space under the bioshield and determine if detonable conditions could occur and generate a missile that could impact other modules. The staff's analysis is documented in ERI/NRC 18-202, Rev. 5, October 2019, Assessment of Hydrogen Combustion during Severe Accidents in a NuScale Plant Module (ML19312A082). For the case with a single bioshield above the containment, the staff's analysis showed that steam and hydrogen flow from the CVCS line break sweep out air from the area under the bioshield so that flammable conditions never arise. For the case when two bioshields are stacked above the containment during refueling operations, the openings in the bioshields are partially blocked. As a result, the staff's analysis showed that the steam and hydrogen flow from the break sweep out less air, and flammable conditions arise briefly. However, the possibility of a detonation is small, due to the short period of time that detonable concentrations exist. The staff concludes that this scenario does not lead to a significant contribution to risk due to multi-module effects.

19.2.4.2.5 High-Pressure Melt Ejection

The applicant concluded that high-pressure melt ejection is not a challenge because its MELCOR simulations showed that the RPV depressurizes as a result of the hole in the RPV that leads to core damage. The staff confirmed the applicant's conclusion by reviewing the applicant's MELCOR analysis and by comparing the staff's independent MELCOR confirmatory analysis to the applicant's MELCOR analysis.

19.2.4.2.6 Steam Explosion in the Reactor Vessel

Based on its thermodynamic analysis, the applicant concluded that the mechanical load resulting from steam generated by corium relocating into the water inside the RPV lower head is insufficient to fail the CNV. The staff performed an independent assessment using the methodology in NUREG/CR-5030, An Assessment of Steam-Explosion-Induced Containment Failure, issued February 1989. The staff's independent assessment showed that a steam explosion in the RPV lower head is unlikely to cause the containment upper head to fail (RES/FSCB 18-02, Independent Assessment of In-Vessel Retention and Steam Explosion for the NuScale Small Modular Reactor, September 2018, ADAMS Accession No. ML19205A016).

19.2.4.2.7 Severe Accident-Induced Steam Generator Tube Failure

The staff's review of DCA Part 2, Tier 2, Section 19.2.3.3.6, Containment Bypass, focused on whether the applicant's approach to determining whether the LRF and CCFP goals are met was thorough and whether the assumptions were sufficiently conservative or realistic.

The applicant used a Larson-Miller creep rupture model to estimate the probability of thermally induced SGTF. The applicant developed thermal-hydraulic input distributions using the results of MELCOR simulations for scenarios with high pressure on the primary side, low pressure on the secondary side, and no water in the secondary side. The scenarios involve a LOCA with ECCS failure and main steam isolation valves that fail to close. The applicant also developed input distributions for tube flaw frequency, flaw depth and length, flaw location, and Larson-Miller parameter.

In the NuScale steam generator, the primary coolant is on the outside of the tubes, resulting in the tubes being in a constant state of compression. Because of the absence of creep failure information for externally pressurized tubes (i.e., compression), the high-temperature creep failure evaluation assumed internally pressurized tubes (i.e., tension). DCA Part 2 Tier 2, Section 19.2.3.3.6, states that this assumption results in overestimating the probability of thermally induced SGTF because the tubes are expected to be more susceptible to failure under tension than compression.

Absent tube flaws, the staff finds that NuScale's thermal-hydraulic conditions do not challenge tube integrity. Creep and rupture graphs from Special Metals Corporation, a supplier of Alloy 690, indicate that for the predicted temperature and stress levels, the creep rate for an unflawed tube would be less than 10^-5 percent per hour and rupture life would be orders of magnitude beyond the 100,000 hours maximum value (Inconel Alloy 690, Publication Number SMC-079, Special Metals Corporation, October 2009, www.specialmetals.com). The creep data are from standard tests performed under tension. Given the low rate of creep indicated in the Special Metals data under postulated accident conditions, the staff did not evaluate or credit the applicant's assumption that the tubes would be less susceptible to failure under compression.

For tube flaws, the applicant assumed a flaw distribution based on foreign object wear by adapting steam generator operating experience and placing the highest percentage of flaws at the top of the tube bundle coincident with the location of highest temperature during a severe accident. The staff finds the applicant's assumption of foreign object wear reasonable because it is based on operating experience, and wear from foreign objects and support structures continues to be the cause of degradation in Alloy 690 steam generator tubes. The staff finds it reasonable to assume that the highest percentage of flaws would be at the top of the bundle, because that is the highest temperature region and would be most susceptible to thermally induced failure. For flaw depth, the model predicted that very high stress magnification factors (flaws more than 80 percent through-wall) were necessary for any reduction in life. The staff finds this result conservative because the plant TS will require that flaw depths be limited to much lower depths, on the order of 40 percent through-wall.

As discussed in Section 19.2.3 of this report, SECY-19-0047 provides the staff's design-specific implementation for NuScale of the containment performance goals in SECY-93-087, including the goal for NuScale that the conditional probability of containment failure (CCFP) by steam explosion in the reactor vessel causing failure of the containment upper head plus the conditional containment bypass probability is less than 0.1. This CCFP goal for NuScale is met when using the mean probability of thermally induced SGTF. Conservative assumptions in the applicant's PRA provide additional margin to this CCFP goal. One assumption is that tube failure with an unisolated steam generator leads to a large release. Another assumption is that tube failure leads to a hole in the tube instead of tube collapse.

19.2.4.2.8 Equipment Survivability

Following a severe accident, the two functions that must be maintained are containment integrity and post-accident monitoring. Post-accident monitoring is intended to provide information on severe accident conditions in containment. The staff evaluated conformance to SECY-93-087 and the associated SRM, which state that, for features provided only for severe accident mitigation, there should be high confidence that the equipment will survive severe accident conditions for the period that it is needed to perform its intended function.

For mitigation of core-damage accidents, the NuScale design does not rely on active systems (e.g., containment spray, cavity flooding) or post-accident monitoring. Instead, it relies on passive design features, such as containment geometry and submergence in the reactor pool, to prevent a large release.

In order to demonstrate reasonable assurance that equipment required to mitigate severe accidents is shown to meet the criteria in SECY-90-016, severe accident mitigation equipment and its required functions must be identified. The time duration and the environmental conditions of pressure, temperature, humidity, and radiological dose for which this function is required must also be identified. These conditions also include exposure to the environmental conditions created by the burning of hydrogen, as required by 10 CFR 50.44(c)(3).

In DCA Part 2, Tier 2, Section 19.2.3.3.8, Equipment Survivability, Table 19.2-11, Equipment Survivability List, identifies each component or post-accident monitoring variable, its required function and the time duration over which each is needed. NuScale found that the most challenging conditions for containment temperature and pressure were due to an adiabatic isochoric with complete combustion (AICC) of hydrogen transient. DCA Part 2 Tier 2, Section 19.2.3.3.8 identifies the resultant AICC containment temperature increase of 75°F, which is well below the CNV design temperature. DCA Part 2 Tier 2, Section 19.2.3.3.2, identifies the post-accident AICC pressure in the containment after 72 hours, including the effects of radiolysis, at 5% oxygen and 45 days as 920 psia, which is below the CNV design pressure.

Commented [GA2]: 2. This table appears in response to RAI 9705, as a DCA draft rev 4 markup and is confirmatory.

The staff evaluation of hydrogen combustion in containment prior to 72 hours is in Section 6.2.5, Combustible Gas Control, in this report, and concludes that containment integrity would be maintained. For specific equipment not required to be considered in the EQ program, alternate means are necessary to assure survivability. The equipment is qualified to 100-percent humidity.

In DCA Part 2, Tier 2, Section 19.2.3.3.8, Equipment Survivability, NuScale's methodology for assuring equipment survivability in terms of post-accident radiological dose is described. This involves comparing the severe accident (core damage) dose with the equipment qualification (EQ) design basis dose. If the EQ dose is larger, no further quantitative survivability assessment is performed. If the severe accident dose is larger, qualitative assessments, testing, and/or additional analyses will need to be performed to assure survivability.

NuScale has evaluated both the EQ and the severe accident doses for each component or variable in a document staff reviewed in the Audit for the Phase IV Regulatory Audit of the Iodine Spike Design Basis Source Term and Sampling and Monitoring Information (ADAMS Accession No. ML19150A284). The results of this evaluation, which provides both the severe accident dose and the EQ dose, for the equipment identified in Table 19.2-11, Equipment Survivability List, can be found in the associated audit report (ADAMS Accession No. ML19308A944). NuScale specifically identified the components whose severe accident dose exceeds, or potentially could exceed, the EQ dose.

At the design certification stage specific components have not yet been selected. Once selected, the COL applicant will confirm or update the EQ for all components identified in Table 19.2-11, as described in COL Items 3.11-1 through 3.11-4. The COL applicant will confirm or update the severe accident doses for all components identified in Table 19.2-11, according to COL Item 19.1-8. Per the NuScale equipment survivability methodology, for those components whose severe accident dose exceeds the EQ dose, qualitative assessments, testing or additional analyses will be provided to demonstrate equipment survivability.

Staff has reviewed the equipment survivability program against the acceptance criteria of SECY 90-016 and 93-087 and finds that the identification of components required for severe accident mitigation, the function of each component and the duration required support the functions that must be maintained - containment integrity and post-accident monitoring. Staff has reviewed conditions generated in the CNV following a hydrogen combustion event as required by 10 CFR 50.44(c)(3) and finds that the conditions do not exceed either the CNV design temperature or pressure. Staff has reviewed the methodology and results for evaluating the radiological dose and finds both reasonable. Containment structural integrity under severe accident radiation challenges is demonstrated by qualifying the containment boundary components to doses associated with core-damage accident scenarios or the EQ design basis accident radiological dose, whichever is greater.

Containment Performance Capability

19.2.4.3.1 Deterministic Containment Performance

The staff reviewed the applicant's MELCOR severe accident analysis, which showed that the containment pressure initially rises because of the inventory loss from the RPV and then decreases due to steam condensation on the containment inside surface. During this phase of the accident, the pressure stays below containment design pressure. Subsequently, the containment pressure rises because of hydrogen generated by cladding oxidation, but the pressure stays below containment design pressure. The staff's independent MELCOR confirmatory analysis confirmed the results of the applicant's analysis. Other challenges to containment performance are discussed in Sections 19.2.4.2.3 through 19.2.4.2.8 of this report.

19.2.4.3.2 Probabilistic Containment Performance

The staff review of CCFP related to steam explosion in the reactor vessel and containment bypass is in Sections 19.2.4.2.6 and 19.2.4.2.7, respectively, of this report. Using results from these sections, the staff finds the CCFP from steam explosion in the reactor vessel causing failure of the containment upper head plus the CCFP from bypass is less than 0.1.

19.2.4.3.3 Accident Management

DCA Part 2, Tier 2, Section 19.2.5, Accident Management, includes a COL information item to develop severe accident management guidelines. Including a COL information item to develop such guidelines is consistent with past practice for DCAs.

19.2.4.3.4 Consideration of Potential Design Improvements

The staff evaluation of potential design improvements under 10 CFR 50.34(f) is documented in the staff's environmental assessment and associated technical evaluation report for DCA Part 3, Applicant's Environmental Report - Standard Design Certification.

Combined License Information Items

Table 19.2-1 below lists COL information item numbers and descriptions related to the severe accident evaluation, which is from DCA Part 2, Tier 2, Section 19.2.

Table 19.2-1 NuScale COL Information Items for DCA Part 2, Tier 2, Section 19.2

| COL Item No. | Description | DCA Part 2, Tier 2, Section |
|---|---|---|
| 19.2-1 | A COL applicant that references the NuScale Power Plant design certification will develop severe accident management guidelines and other administrative controls to define the response to beyond-design-basis events. | 19.2.5.2 |
| 19.2-2 | A COL applicant that references the NuScale Power Plant design certification will use the site-specific probabilistic risk assessment to evaluate and identify improvements in the reliability of core and containment heat removal systems as specified by 10 CFR 50.34(f)(1)(i). | 19.2.6 |
| 19.2-3 | A COL applicant that references the NuScale Power Plant design certification will evaluate severe accident mitigation design alternatives screened as not required for design certification application. | 19.2.6.4 |

Section 19.2.4.4 of this report presents the staff's evaluation of COL Information Item 19.2-1.

The staff evaluation of COL Information Items 19.2-2 and 19.2-3 is documented in the staff's technical evaluation report of Part 3, Applicant's Environmental Report - Standard Design Certification, of the NuScale DCA.

Conclusion

The staff has reviewed the NuScale DCA Part 2, Tier 2, Section 19.2, a description and analysis of design features for the prevention and mitigation of severe accidents, in accordance with the guidance in SRP Section 19.0. The staff reviewed the NuScale design to prevent or mitigate specific severe accidents. The staff utilized the criterion "less than a large release" to review the safety analysis of external reactor vessel cooling in meeting the containment performance goal, as discussed in SECY-19-0047. The staff concludes that the applicant conforms to the regulations in 10 CFR 50.44(c)(3) and the guidelines in SECY 90-016 and 93-087 and their associated SRMs.

19.3 Regulatory Treatment of Nonsafety Systems for Passive Advanced Light-Water Reactors

Introduction

This section of the report addresses the regulatory treatment of non-safety-related systems (RTNSS). The scope of an RTNSS program includes those non-safety-related SSCs that satisfy RTNSS criteria. The applicant then proposes regulatory treatment (e.g., inclusion in the design reliability assurance program (D-RAP) or in TS) for SSCs that meet any of these criteria based on their reliability and availability missions.

Summary of Application

DCA Part 2, Tier 1: There is no Tier 1 information associated with this area of review.

DCA Part 2, Tier 2: DCA Part 2, Tier 2, Section 19.3.2, SSC Identification and Designation within RTNSS Program Scope, evaluates each of the RTNSS scoping criteria. Based on the results, no SSCs that are not safety-related were included in the scope of the RTNSS program, and thus no non-safety-related SSCs require additional regulatory treatment.

ITAAC: There are no ITAAC associated with this area of review.

Technical Specifications: There are no generic technical specifications associated with this area of review.

Technical Reports: There are no technical reports associated with this review.

Regulatory Basis

The following documents establish the scope, criteria and process used to determine RTNSS for passive plant designs:

  • SECY-94-084, Policy and Technical Issues Associated with the Regulatory Treatment of Non-safety Systems in Passive Plant Designs, dated March 28, 1994 (ADAMS Accession No. ML003708068) and its associated SRM, dated June 30, 1994 (ADAMS Accession No. ML003708098)
  • SECY-95-132, Policy and Technical Issues Associated with the Regulatory Treatment of Non-safety Systems (RTNSS) in Passive Plant Designs, dated May 22, 1995 (ADAMS Accession No. ML003708005), and its associated SRM, dated June 28, 1995 (ADAMS Accession No. ML003708019)

The guidance in SRP Section 19.3, Regulatory Treatment of Non-Safety Systems (RTNSS) for Passive Advanced Light Water Reactors, lists the acceptance criteria adequate to meet the above guidelines, as well as review interfaces with other SRP sections.

Technical Evaluation

The staff used guidance from SRP Section 19.3 to review the applicant's evaluation of the five RTNSS scoping criteria (Criteria A through E) described in DCA Part 2, Tier 2, Section 19.3.

Criterion A: SSC functions relied on to meet beyond-design-basis deterministic NRC performance requirements such as those stated in 10 CFR 50.62, Requirements for Reduction of Risk from Anticipated Transients without Scram (ATWS) Events for Light-Water Cooled Nuclear Power Plants, for mitigating ATWS and in 10 CFR 50.63, Loss of All Alternating Current Power, for station blackout.

For ATWS, the staff considered the evaluation of the applicant's ATWS exemption request as documented in Section 7.1.5.4.6 of this report. In its review of the exemption request, the staff found that special circumstances are present in that, first, the NuScale MPS design meets the underlying purpose of 10 CFR 50.62(c)(1) to reduce the risk associated with ATWS events without the turbine trip design attributes required by 10 CFR 50.62(c)(1), and second, that other material circumstances are present in the NuScale design relating to enhanced safety features and simpler configuration of instrumentation and controls, which were not considered when 10 CFR 50.62(c)(1) was adopted. The staff also reviewed DCA Part 2, Chapter 19, risk insights on ATWS and found that the applicant's focused PRA showed no reliance on SSCs that are not safety-related to meet the Commission's ATWS CDF goal of 1x10^-5 per year stated in SECY-83-293, Amendments to 10 CFR Part 50 Related to Anticipated Transients Without Scram (ATWS) Events, issued July 1983.

For station blackout, the staff reviewed the design of the passive safety systems; the station blackout analysis described in DCA Part 2, Tier 2, Section 8.4, Station Blackout; and the evaluation of station blackout sequences in the PRA description in DCA Part 2, Tier 2, Section 19.1. The staff finds that the passive safety-related systems are designed to start automatically on a loss of power to the station and are capable of adequately cooling the reactor and containment following a station blackout event.

The staff finds that the applicant focused its analysis on the two requirements above. The applicant stated that the NRC has not identified any additional beyond-design-basis deterministic requirements within the scope of Criterion A. The staff agrees that no such requirements exist.

Criterion B: SSC functions relied on to ensure long-term safety and to address seismic events.

The staff reviewed the capability of the passive safety-related systems in the NuScale design to remove decay heat following a design basis event as described in DCA Part 2, Tier 2, Section 5.4.3, Decay Heat Removal System, Section 6.3, Emergency Core Cooling System, and Section 9.2.5, Ultimate Heat Sink. The staff found that the DHRS, ECCS and UHS are passive systems that do not depend on any SSCs that are not safety-related to perform their safety functions after 72 hours and up to 7 days following an accident. DCA Part 2, Tier 2, Section 19.3.2.2 states, "[c]onsistent with Section IV of SECY-96-128, only onsite equipment and supplies are relied on to ensure long-term safety for 7 days following a design basis event." The staff determined that, assuming the reactor remains subcritical, decay heat can be removed passively via the UHS through heatup and boil-off of water in the reactor pool for well beyond a period of 7 days without makeup or heat removal with a system that is not safety-related.

Commented [NR3]: 3. This is a confirmatory item pending incorporation into DCA Revision 4. See change package from NuScale submitted via email on 11/5/19.

The staff reviewed NuScales calculated results (ML19332A120) of the potential for boron to redistribute during extended ECCS operation out to a period of 7 days. The staff agrees that the core would remain subcritical throughout the seven-day period even with one control rod not fully inserted, and boration from CVCS would not be required. The staff confirmed the applied best-estimate initial conditions and assumptions are appropriate for the calculation. Therefore, the staff finds the NuScale design meets the policy of SECY-96-128 regarding the capability to sustain all DBEs with onsite equipment and supplies for 7 days.

More information related to the boron redistribution phenomena is in Section 15.0.6 of this report, which also contains the staff's evaluation of the first 72 hours of this event using Chapter 15 inputs and design assumptions.

The staff reviewed the fragilities of the SSCs that are not safety-related and safety-related SSCs determined as part of the SMA in DCA Part 2, Tier 2, Section 19.1.5, and the accident sequence cutsets that lead to core damage as described in DCA Part 2, Tier 2, Chapter 19 (Tables 19.1-17, Significant Core Damage Sequences, and 19.1-18, Significant Core Damage Cutsets, and DCA Part 2, Tier 2, Figures 19.1-2 through 19.1-12). From this review, the staff confirmed the applicant's assertion that the seismic margin for the design is not dependent on any SSCs that are not safety-related.

Criterion C: SSC functions relied on under power-operating and shutdown conditions to meet the Commission's safety goal guidelines of a CDF of less than 1x10^-4 per year and an LRF of less than 1x10^-6 per year.

The staff reviewed the focused PRA sensitivity studies described in DCA Part 2, Tier 2, Section 19.1, to quantify the importance of systems that are not safety-related in mitigating events. The focused PRA sensitivity studies for the Level 1 internal events at full power and Level 2 models were below the Commission's goal guidelines for CDF and LRF. The staff also finds that the results of the focused PRA are consistent with the assessment of risk significance of SSCs that are not safety-related as reflected in DCA Part 2, Tier 2, Table 17.4-1, D-RAP SSC Functions, Categorization, and Categorization Basis, which shows that no SSCs that are not safety-related that are modeled in the PRA meet the thresholds for risk significance. In addition, the staff finds that the results of the focused PRA demonstrate the Commission's CDF and LRF safety goals to be met with only safety-related SSCs. The staff further observes that non-safety-related systems are not relied on for a majority of modeled non-LOCA events unless failures of redundant components occur in both of the passive safety systems (i.e., DHRS and ECCS). Additionally, the staff observes that non-safety-related systems are not relied on for a majority of modeled LOCA events (which have very low initiating event frequencies) unless failures occur in the redundant components in the passive DHRS or ECCS (or both) or the RSVs. The staff's review of the top Level 1 internal events accident sequence cutsets confirmed that no non-safety-related SSCs are relied on for mitigation of the initiating events.

The staff reviewed the implication of potential risk-significant initiating events caused by non-safety-related SSCs. The staff confirmed that the results of the evaluation of initiating event frequencies are documented in DCA Part 2, Tier 2, Tables 19.1-20, Listing of Candidate Risk Significant Structures, Systems, and Components (Full Power, Single Module) Level 1 Probabilistic Risk Assessment, 19.1-27, Listing of Candidate Risk Significant Structures, Systems, and Components (Full Power, Single Module) Level 2 Probabilistic Risk Assessment, and 19.1-70, Listing of Candidate Risk Significant Structures, Systems, and Components (Single Module): Low Power and Shutdown Probabilistic Risk Assessment. The staff finds that the applicant included initiating events caused by non-safety-related SSCs in its evaluation of risk significance. In the NuScale report TR-0515-13952-A, Risk Significance Determination, issued October 2016 (ADAMS Accession No. ML16284A016), the applicant used screening criteria for risk significance approved by the staff, and the staff confirmed that this application met the conditions and limitations for use in this topical report.

Criterion D: SSC functions needed to meet the containment performance goal, including containment bypass, during severe accidents.

The staff's review of the focused PRA, and specifically the results in DCA Part 2, Tier 2, Table 19.1-22, Sensitivity Studies for Level 1 Full Power, Internal Events Evaluation, and Table 19.1-31, Sensitivity Studies for Level 2 Evaluation, confirmed that only safety-related passive systems are relied on to meet the containment performance goal. The staff finds that the safety-related mitigating systems are fail-safe on loss of power and do not rely on non-safety-related support systems such as heating, ventilation, and air conditioning (HVAC) and instrument air. The staff's review of the relevant Level 2 PRA information in DCA Part 2, Tier 2, Section 19.1, found that containment failure resulting from bypass or CIV failure is the only mode of containment failure modeled in the CETs. DCA Part 2, Tier 2, Section 19.2, discusses the details of this subject, and Section 19.2 of this report documents the staff's review and its results.

Criterion E: SSC functions relied on to prevent significant adverse system interactions between passive safety-related systems and active non-safety-related SSCs.

The staff reviewed the design of the passive safety-related systems and non-safety-related active systems that interface with the passive systems as described in DCA Part 2. The passive safety-related systems include the ECCS, CNV, DHRS, and UHS. As discussed in DCA Part 2, Tier 2, Sections 6.2.4.2.2.3, Piping Systems Closed to Containment and not Connected to the Reactor Coolant Pressure Boundary, and 6.2.5.2, System Design, respectively, operation of both the DHRS and ECCS occurs normally with the containment isolated. Consequently, with the exception of the pressurizer heaters housed inside the reactor vessel, these systems are isolated from all active non-safety-related systems during operation. This isolation provides reasonable assurance that adverse interaction with active non-safety-related systems outside of containment will be precluded.

The pressurizer heaters are controlled from the non-safety-related module control system via the pressurizer control cabinets. As discussed in DCA Part 2, Tier 2, Section 5.4.5.2, System Design, the MPS provides a safety-related trip function on low pressurizer level that actuates safety-related pressurizer heater circuit breakers to remove power to the heaters before the pressurizer level reaches the top of the pressurizer heaters. This ensures the integrity of the reactor coolant pressure boundary if the heaters were to be uncovered. Thus, safety-related equipment is included in the plant design to prevent an adverse interaction between the non-safety-related pressurizer heaters and the ECCS. This shows that no additional non-safety-related equipment is needed to prevent adverse interaction with the ECCS.

The UHS removes the decay heat from each module, maintaining the core temperature at low levels after a LOCA resulting in the initiation of the ECCS. As discussed in DCA Part 2, Tier 2, Section 9.2.5.2.1, General Description, the UHS pool liner has the function to prevent potential pool inventory leakage from the reactor pool. The reactor pool interfaces with non-safety-related systems for cooling the pool and adding makeup to the pool when needed. As further discussed in DCA Part 2, Tier 2, Section 9.2.5.2.1, penetrations from these systems into the pool are located at a sufficiently high elevation to preclude inadvertent draining of water from the pool that would adversely impact the ability of the pool to act as a heat sink. The staff finds that the design features of the reactor pool show that non-safety-related systems that interface with the reactor pool do not cause adverse interactions.

During the review of the applicant's PRA, the staff did not identify SSCs that meet RTNSS Criterion E.

In summary, the staff finds the applicant's evaluation of the five RTNSS scoping criteria reasonable and agrees that no non-safety-related SSCs require additional regulatory treatment.

The staff confirmed that (1) non-safety-related SSCs are not relied on to address the beyond-design-basis requirements for an ATWS event or a station blackout event, (2) no non-safety-related SSCs need to be relied on for ensuring long-term safety and addressing seismic events, (3) the Commission's safety goal guidelines for CDF and LRF are achieved without reliance on non-safety-related SSCs, (4) the containment performance goal is achieved without reliance on non-safety-related SSCs, and (5) there are no adverse interactions with non-safety-related SSCs that could prevent the performance of passive safety-related SSC functions.

Combined License Information Items

Table 19.3-1 lists a COL information item related to RTNSS based on DCA Part 2, Tier 2, Section 19.3.1. The staff finds the COL information item to be reasonable.

Table 19.3-1 NuScale COL Information Items for DCA Part 2, Tier 2, Section 19.3

COL Item No. | Description | DCA Part 2, Tier 2, Section
19.3-1 | A COL applicant that references the NuScale Power Plant design certification will identify site-specific regulatory treatment of non-safety systems (RTNSS) structures, systems, and components and applicable RTNSS process controls | 19.3.1

Conclusion

The staff evaluated the applicant's assessment of the need for RTNSS using the guidance in SRP Section 19.3. The staff confirmed that the applicant has adequately addressed each of the five RTNSS criteria in its assessment and found that no SSCs meet the criteria. Therefore, the staff concludes that the applicant conforms to the guidelines in SECY-94-084, SECY-95-132, and their associated SRMs.

19.4 Strategies and Guidance to Address Loss of Large Areas of the Plant Because of Explosions and Fires

This area of review is summarized and evaluated in Section 20.2 of this report.

19.5 Adequacy of Design Features and Functional Capabilities Identified and Described for Withstanding Aircraft Impacts

Introduction

This section describes the NRC staff's evaluation of design features and functional capabilities credited by the applicant to show that the facility can withstand the effects of a large commercial aircraft impact. NuScale DCA Part 2, Tier 2, Section 19.5, Adequacy of Design Features and Functional Capabilities Identified and Described for Withstanding Aircraft Impacts, describes these design features, functional capabilities, and the assessment.

The impact of a large commercial aircraft is a beyond-design-basis event. Under 10 CFR 52.47(a)(28) and 10 CFR 50.150, Aircraft Impact Assessment, applicants for new nuclear power reactors are required to perform a design-specific assessment of the effects on the facility of the impact of a large commercial aircraft. Applicants are required to submit a description of the design features and functional capabilities identified by the assessment (key design features) in their DCA, along with a description of how the identified design features and functional capabilities meet the acceptance criteria in 10 CFR 50.150(a)(1).

The Statement of Considerations for the Aircraft Impact Assessment (AIA) Rule (footnote 2) pertaining to new nuclear power reactors states the following:

The NRC decision on an application subject to 10 CFR 50.150 will be separate from any NRC determination that may be made with respect to the adequacy of the impact assessment which the rule does not require be submitted to the NRC.

As the AIA is not submitted to the NRC for its review, the staff review described in this section is to determine whether descriptions of the design features and functional capabilities are complete enough so that there is reasonable assurance that the acceptance criteria in 10 CFR 50.150(a)(1) can be met, assuming the design features and functional capabilities perform their intended functions.

Applicants subject to 10 CFR 50.150 must make the complete AIA available for an NRC inspection at the applicants' offices or their contractors' offices upon the staff's request, in accordance with 10 CFR 50.70, Inspections, 10 CFR 50.71, Maintenance of Records, Making of Reports, and Section 161, General Provisions, item c, of the Atomic Energy Act of 1954, as amended. The outcome of the NRC inspection is not part of this report.

Summary of Application

DCA Part 2, Tier 1: There is no Tier 1 information associated with this area of review.

DCA Part 2, Tier 2: In DCA Part 2, Tier 2, Section 19.5, the applicant stated that an AIA was performed in accordance with the requirements in 10 CFR 50.150(a)(1), using the methodology described in Nuclear Energy Institute (NEI) 07-13, Revision 8, Methodology for Performing Aircraft Impact Assessments for New Plant Designs, issued April 2011, as endorsed by the NRC in RG 1.217, Guidance for the Assessment of Beyond-Design-Basis Aircraft Impacts, issued August 2011, and SRP Section 19.5, Adequacy of Design Features and Functional Capabilities Identified and Described for Withstanding Aircraft Impacts, issued April 2013.

Based on the results of the assessment, the applicant has identified a set of key design features to show that the acceptance criteria in 10 CFR 50.150(a)(1) are satisfied. These key design features are reported in NuScale DCA Tier 2, Section 19.5, along with references to other sections of the NuScale DCA that provide additional details.

ITAAC: There are no ITAAC associated with this area of review.

Footnote 2: "Applicants for new nuclear power reactors" is defined in the Statement of Considerations for the Aircraft Impact Rule [74 (Federal Register) FR 28112, June 12, 2009].

Technical Specifications: There are no generic technical specifications associated with this area of review.

Technical Reports: There are no technical reports associated with this review.

Regulatory Basis

To perform this review, the NRC staff used the relevant regulations and guidance described below.

Applicable Regulations

In 10 CFR 50.150(a)(1), the NRC requires that applicants perform a design-specific assessment of the effects on the facility of the impact of a large commercial aircraft. Using realistic analyses, the applicant shall identify and incorporate into the design those features and functional capabilities to show that, with reduced use of operator actions, (1) the reactor core remains cooled, or the containment remains intact, and (2) spent fuel cooling or spent fuel pool (SFP) integrity is maintained.

The applicant indicated that it meets the 10 CFR 50.150(a)(1) acceptance criteria by including features in the NuScale design that can maintain core cooling and keep the containment intact and maintain SFP integrity.

In 10 CFR 50.150(b), the NRC requires that the FSAR include a description of (1) the design features and functional capabilities that the applicant has identified for inclusion in the design to show that the facility can withstand the effects of a large commercial aircraft impact in accordance with 10 CFR 50.150(a)(1) and (2) how those design features and functional capabilities meet the assessment requirements of 10 CFR 50.150(a)(1).

Review Guidance

RG 1.217 provides guidance for applicants to demonstrate compliance with NRC regulations for the AIA. In particular, this RG endorses the methodologies described in NEI 07-13, Revision 8.

SRP Section 19.5 provides guidance for meeting the requirements in 10 CFR 50.150(a)(1) and (b).

Technical Evaluation

The staff reviewed the AIA information in Section 19.5 of DCA Part 2, Tier 2, as well as the referenced DCA sections discussed below. The staff's evaluation of how the applicant's assessment was formulated follows in Section 19.5.3.1 of this report, and the evaluation of the applicant's key design feature descriptions appears below in Sections 19.5.3.2 through 19.5.3.5.

Reasonably Formulated Assessment

The staff reviewed the AIA application in NuScale DCA Part 2, Tier 2, Section 19.5 to determine whether qualified analysts had performed the AIA. DCA Part 2, Tier 2, Section 19.5.1 states the assessments were performed by qualified personnel with experience in applying the approved methodology. Further, in a letter dated September 28, 2017 (ADAMS Accession No. ML17271A261), the applicant stated that these contractors are experienced in applying the approved methodology in NEI 07-13, Revision 8, to other nuclear power facilities and thus meet the qualifications listed in SRP Section 19.5. The applicant has provided a well-supported basis for the staff to find that the contractors performing the AIA are qualified, consistent with the guidance of SRP Section 19.5, Section III, Item 2.

The applicant stated in NuScale DCA Part 2, Tier 2, Section 19.5.1, that its AIA is based on the guidance of NEI 07-13, Revision 8, with no exceptions. Based on the applicant's use of this NRC-endorsed guidance document combined with the use of qualified analysts, the staff finds that the applicant has performed a reasonably formulated assessment.

Design Features for Core Cooling

DCA Part 2, Tier 2, Section 19.5.5.1, identifies and describes the NPMs, RCS, CNV, UHS, and DHRS, as key design features for ensuring core cooling following the impact of a large commercial aircraft. DCA Part 2, Tier 2, Section 19.5.5.1 also identifies and describes containment isolation valves, including the MSIVs and FWIVs, as key design features for core cooling. DCA Part 2, Tier 2, Section 19.5 states that the AIA results show that because of the location of these credited design features inside the RXB, they are not susceptible to physical, fire, and shock damage.

During its review, the staff ensured the DCA appropriately identified and described key design features required for core cooling as required by 10 CFR 50.150(b). The staff used its evaluation documented in other sections of this report to confirm that these features are also suitable for maintaining core cooling following impact by a large commercial aircraft. The staff notes that these systems have been specifically designed to perform core cooling functions during normal power operation and following design basis events initiated during power operation; therefore, this equipment is expected to be appropriately designed with sufficient capability to meet the core cooling requirements of 10 CFR 50.150. The staff also confirmed that all of these design features are automatic or can be initiated and operated from the control room or an alternate location, and require little, if any, further operator intervention to maintain the core cooling function.

The staff notes that DCA Part 2, Tier 2, Section 19.5.5.1 identifies the CRDS as a key design feature for ensuring the reactor is tripped either before or after the aircraft impact. In addition, DCA Part 2, Tier 2, Section 19.5.5.1 states the ability to scram the reactors, isolate containment, and actuate the DHRS from the MCR, as described in Section 7.0.4.1.2, Section 7.0.4.1.3, Section 5.4.3.2, and Section 6.2.4, are key design features for ensuring the reactor is tripped, containment is isolated, and the DHRS is actuated prior to aircraft impact. The staff finds this acceptable because no physical, fire, or shock damage is expected to impact the CRDS because of its design and location within the RXB.

The staff reviewed the DCA for required operator actions and plant parameters that are available to the operators to monitor and ensure that the identified design features are performing as expected following the impact of a large commercial aircraft. DCA Part 2, Tier 2, Section 19.5.5.5 states that upon notification of the aircraft threat, operators trip the individual NPMs and initiate containment isolation and the decay heat removal systems. Additionally, DCA Part 2, Tier 2, Section 19.5.5.5 states monitoring functions are expected to remain available following the aircraft impact; however, if post-AIA monitoring is determined to be unavailable, the mitigating strategies of DCA Part 2, Tier 2, Section 20.2, Loss of Large Areas of the Plant due to Explosions and Fires, are invoked for the loss of large areas in a beyond-design-basis event. The staff finds this approach acceptable because although plant monitoring is expected to be available following the impact of a large commercial aircraft, if it is lost and operators cannot determine that the identified core cooling design features are performing as expected, operators will transition to the strategies required by 10 CFR 50.54(hh)(2).

Based on the staff's review of DCA Part 2, Tier 2, Section 19.5, and the applicant's use of the NRC-endorsed guidance document NEI 07-13, Revision 8, the staff finds that the applicant has performed a reasonably formulated analysis within the AIA to identify key design features necessary for core cooling. In addition, the staff finds the applicant's description of the key design features for maintaining core cooling to be adequate and acceptable and therefore meets the requirements of 10 CFR 50.150(b).

Key Design Features that Protect Core Cooling Design Features

The key design features and functional capabilities that protect the core cooling design features are described below. They include fire barriers and fire protection features, plant arrangement and plant structural design features, and the ability to survive shock-induced vibrations.

19.5.4.3.1 Fire Barriers and Fire Protection Features

The applicant stated in DCA Part 2, Tier 2, Section 19.5.4.3, that the design and location of 3-hour fire barriers and 3-hour, 5-psid fire barriers, including walls, floors, fire dampers, doors, equipment access door, and penetration seals within the RXB are key design features for the protection of core cooling equipment from the impact of a large commercial aircraft. The assessment credited the design and location of fire barriers, as depicted in DCA Part 2, Tier 2, Figures 1.2-10 through 1.2-18 to limit the effects of internal fire within the RXB to just the access vestibules and stairwells. No equipment is required to maintain core cooling or spent fuel cooling in the access vestibules and stairwells. In addition, the design and location of 5-psid, fast-acting blast dampers in the RXB HVAC system air intakes and exhaust lines (as described in Section 9.4.2.2.1 and shown in Figure 9.4.2-1) are key design features. The staff reviewed the applicant's DCA and found it acceptable because it clearly describes the fire protection design features credited by the applicant in its AIA.

19.5.4.3.2 Reactor Building

The staff reviewed the DCA to ensure that the applicant had performed a reasonably formulated assessment of the capability of the RXB to protect core cooling equipment.

The Design of the Reactor Building

In DCA Part 2, Tier 2, Section 19.5.4.1, Physical Damage, the applicant stated that the design of the RXB, as described in DCA Part 2, Tier 2, Appendix 3B.2, is a key design feature for preventing the aircraft from perforating the RXB outer wall. To verify the accuracy of the description, the staff reviewed general arrangement drawings in DCA Part 2, Tier 2, Figures 1.2-1, Conceptual Site Layout; 1.2-4, Layout of a Multi-Module NuScale Power Plant; 1.2-10 through 1.2-20 (plan and section views); and DCA Part 2, Tier 2, Section 3.8.4.1.1, Reactor Building, and Appendix 3B.2.

The staff reviewed the descriptions and figures in DCA Part 2, Tier 2, Section 3.8.4.1.1 and Appendix 3B.2 and finds that the RXB is a seismic Category I reinforced concrete structure that is deeply embedded in soil and supported on a single basemat foundation. The RXB has five 3-foot thick primary floors with embedded reinforced concrete T-beams and a sloped roof on the north and south sides with a flat segment in the middle. The typical thickness of the main structural interior and exterior concrete walls is 5 feet, and the basemat foundation thickness is 10 feet. Reinforced concrete pilaster columns are encased within the exterior walls of the RXB.

In DCA Part 2, Tier 2, Section 19.5.4.1, the applicant stated that its assessment concluded that the RXB external walls have been evaluated and shown to resist physical damage from all postulated aircraft strikes, and there is no perforation of the RXB outer wall. Section 19.5.4.3.5 of this report documents the staff's evaluation of shock damage.

Based on the above review, the staff finds the applicant's description of the design of the RXB as a key design feature for ensuring continued core cooling to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

The Design of the Reactor Building Equipment Door

In DCA Part 2, Tier 2, Section 19.5.4.1, the applicant stated that the design of the RXB equipment door is a key design feature for protecting core cooling equipment from impacts through the radwaste building (RWB) trolley bay. The staff reviewed DCA Part 2, Tier 2, Figure 1.2-16 and found that the RXB equipment door is located between grids RXB and RXC along grid RX1. The staff also reviewed DCA Part 2, Tier 2, Section 19.5.4.1, and Figures 19.5-1 through 19.5-3, and finds the RXB equipment door is 5-foot thick reinforced concrete with steel plate along the outside, and it is tapered along the top and sides so that it fits like a plug into the exterior wall of the RXB. The applicant also stated that the RXB external walls have been assessed and shown to resist physical damage from all postulated aircraft strikes.

Based on its review, the staff finds the applicant's description of the design of the RXB equipment door as a key design feature for protecting core cooling equipment from impact through the RXB trolley to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

The Design of the Reactor Building Intake Awnings and the Pipe Shields

In DCA Part 2, Tier 2, Section 19.5.4.1, the applicant stated that the design of the RXB HVAC intake awnings and the design of the pipe shields, shown in DCA Part 2, Tier 2, Figures 1.2-17 through 1.2-19, are key design features for preventing physical damage and fire from entering the RXB. The staff reviewed DCA Part 2, Tier 2, Figures 1.2-17 through 1.2-19, Section 19.5.4.1, and Figure 19.5-4, Reactor Building Structural Concrete, and finds that the awnings are constructed of reinforced concrete structures to protect the HVAC intakes and pipe penetrations.

Based on its review, the staff finds the applicant's description of the design of the RXB HVAC intake awnings and design of the pipe shields as key design features for preventing physical damage and fire from entering the RXB to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

The Design and Location of the Reactor Building Crane

In DCA Part 2, Tier 2, Section 19.5.4.1, the applicant stated that the design and location of the RBC, as described in DCA Part 2, Tier 2, Section 9.1.5, is a key design feature for protecting the NPMs and reactor pool lining.

The staff reviewed DCA Part 2, Tier 2, Section 9.1.5, and Figure 9.1.5-1 through Figure 9.1.5-3 and finds that the RBC is a bridge that rides on rails anchored to the RXB. The RBC is designed as a single-failure-proof crane in accordance with the requirements of NUREG-0554, Single-Failure-Proof Cranes for Nuclear Power Plants, issued May 1979, and ASME NOG-1, Rules for Construction of Overhead and Gantry Cranes (Top Running Bridge, Multiple Girder), for Type I cranes. The staff also finds that the heavy-load exclusion zones are marked in DCA Part 2, Tier 2, Figures 9.1.5-1 and 9.1.5-2, so that the load cannot be handled in these areas. In addition, the applicant stated in DCA Part 2, Tier 2, Section 9.1.5.3, Safety Evaluation, that the design of the RBC and the seismic analysis meet the NOG-1 requirements for a Type 1 crane to ensure that SSCs are able to withstand the SSE and not drop the load. Further, the applicant stated in DCA Part 2, Tier 2, Section 19.5.4.1, that the design of the RBC ensures that impact loads from an aircraft impact on the exterior wall of the RXB prevent the crane from falling into the reactor pool area and either damaging the NPMs or tearing the reactor pool lining. The applicant accounted for the RBC in an approach similar to that used for damage to the polar crane as specified in Section 3.3.1, Damage Rule Sets for Containment Structures, of NEI 07-13, Revision 8.

Based on its review, the staff finds the applicant's description of the design and location of the RBC as key design features for protecting the NPMs and reactor pool cooling to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

19.5.4.3.3 Radwaste Building

The staff reviewed the DCA to ensure that the applicant performed a reasonably formulated assessment of the capability of the RWB to protect a portion of the west wall of the RXB.

In DCA Part 2, Tier 2, Section 19.5.3.2, Impact Locations, the applicant stated that the location of the RWB in relation to the RXB is a key design feature that protects a portion of the west wall of the RXB from the aircraft strike. The applicant also stated that the design of the exterior walls of the RWB, as described in Section 3.5.1.1, Concrete Barrier, is a key design feature for crediting the RWB as an intervening structure. The applicant screened the RWB as an intervening structure based on the criteria set in Section 3.2.2, Screening Based on Intervening Structures, of NEI 07-13, Revision 8. The staff reviewed general arrangement drawings in DCA Part 2, Tier 2, Section 3.8.4.1.3, Radioactive Waste Building, Figures 1.2-1, 1.2-4, and 1.2-33, Radioactive Waste Building West Section View; and DCA Part 2, Tier 2, Sections 19.5.3.2 and 3.5.3.1.1, Concrete Barriers, to verify the accuracy of the description.

The staff reviewed the relevant drawings (DCA Part 2, Tier 2, Figures 1.2-1, 1.2-4, and 1.2-33) that show the relative relationship of the locations of the RWB and RXB structures. The RWB extends to approximately 149 feet above grade and spans most of the width of the RXB. The staff confirmed that the location of the relevant structures is fixed at the DC stage. The staff also reviewed DCA Part 2, Tier 2, Section 3.8.4.1.3, and DCA Part 2, Tier 2, Sections 19.5.3.2 and 3.5.3.1.1 and found that the RWB is constructed of reinforced concrete exterior walls, and the RWB is separated from the RXB by approximately 25 feet above the grade. On this basis, the staff finds credit of the RWB as an intervening structure acceptable, and the portion of the west wall of the RXB is protected by the RWB from an aircraft strike.

Based on its review, the staff finds the applicant's description of the location of the RWB in relation to the RXB and the design of the exterior walls of the RWB as key design features that protect a portion of the west wall of the RXB from an aircraft strike to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

19.5.4.3.4 Shock Damage

In DCA Part 2, Tier 2, Section 19.5.2, Scope of Assessment, the applicant stated that the analysis assessed shock-induced vibration on SSCs from a large commercial aircraft impact. In addition, the applicant stated in DCA Part 2, Tier 2, Section 19.5.4.2, that the assessment determined that there are no SSCs susceptible to shock (sensitive electronics or active components) on the NPMs that would interrupt or prevent successful core cooling once the reactor is tripped, the DHRS is actuated, and the containment is isolated.

Based on the applicant's use of the NRC-endorsed guidance document NEI 07-13, Revision 8, and the assessment scope that includes shock vibration, the staff finds that the applicant has performed a reasonably formulated shock analysis within the AIA.

Design Features for Maintaining an Intact Containment

In DCA Part 2, Tier 2, Section 19.5.5.1, Containment Intact, the applicant stated that the containment remains fully intact and capable of withstanding the ultimate peak pressures described in DCA Part 2, Tier 2, Section 3.8.2.4.5. In addition, the design of the CNTS, as described in DCA Part 2, Tier 2, Sections 6.2.1 through 6.2.4, and its location, as shown in Figure 1.2-5, are identified as key design features. Because the NuScale design is unique, the RXB protects the CNV and its support systems from physical and fire damage.

Based on the above, the staff finds that the application is consistent with SRP Section 19.5 guidance for an intact containment because the RXB prevents a large commercial aircraft from perforating the CNV, and the containment location and design ensure that ultimate pressure capability is maintained.

Spent Fuel Pool Integrity

The Design and Location of the Fuel-Handling Equipment

In DCA Part 2, Tier 2, Section 19.5.5.3, Spent Fuel Pool Integrity, the applicant stated that the design and location of the fuel-handling equipment (FHE), as described in Section 9.1.4 and shown in Figures 9.1.4-1 through 9.1.4-4b, are a key design feature for ensuring that the hoists remain intact and cannot fall into the SFP and perforate the SFP liner. The staff reviewed DCA Part 2, Tier 2, Section 9.1.4, and Figure 9.1.4-1 through Figure 9.1.4-4b and found that the FHE consists of the fuel-handling machine, new fuel jib crane, and new fuel elevator. The applicant stated that (1) the seismic restraints and restraining bars prevent the fuel-handling machine bridge from overturning or coming off its rails during a seismic event, (2) the new fuel jib crane beam is an engineered welded composite and the jib structure connects to the building wall via two connection brackets, and (3) the elevator track structure is welded 304 stainless steel and is secured to the pool wall via a bolted connection to permanently welded pads.

Based on its review, the staff finds the applicant's description of the design and location of the FHE as key design features for ensuring that the hoists cannot fall into the SFP and perforate the SFP liner, to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

The Design and Location of the Reactor Building Crane

Section 19.5.4.3.2 of this report documents the staff's safety evaluation of the design and location of the RBC. The staff finds that the heavy-load exclusion zones are marked in DCA Part 2, Tier 2, Figures 9.1.5-1 and 9.1.5-2, so that the load cannot be handled in the SFP.

The Location of the Spent Fuel Pool

In DCA Part 2, Tier 2, Section 19.5.5.3, the applicant stated that the location of the SFP, as described in Section 9.1.2 and shown in Figures 1.2-10 through 1.2-16, is a key design feature for maintaining SFP integrity from a direct aircraft impact. The staff reviewed DCA Part 2, Tier 2, Section 3.8.4, Other Seismic Category I Structures; Section 3.8.5, Foundations; Section 9.1.2; Appendix 3B.2; Figures 1.2-10 through 1.2-16; and Section 19.5.3.3. The staff found that the walls, floor, and foundation of the SFP are constructed of thick, reinforced concrete with a stainless steel liner. The SFP is located below grade, and there is no loss of water level as the SFP is completely below grade and an aircraft impact cannot strike the pool or the pool liner. On this basis, the staff finds that the integrity of the SFP is maintained.

Based on its review, the staff finds the location of the SFP and the design and location of the FHE as key design features for (1) maintaining SFP integrity from a direct aircraft impact and (2) ensuring that the hoists cannot fall into the SFP and perforate the SFP liner to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

Combined License Information Items

There are no COL information items.

Conclusion

The staff determined the applicant has performed an AIA that is reasonably formulated to identify design features and functional capabilities that show, with reduced use of operator action, that the acceptance criteria in 10 CFR 52.47, Contents of Application; Technical Information, and 10 CFR 50.150(a)(1) are met.

In addition, the applicant adequately described the key design features and functional capabilities identified and credited to meet the requirements of 10 CFR 50.150, including descriptions of how the key design features satisfy the acceptance criteria in 10 CFR 50.150(a)(1). This includes describing how the facility can withstand the effects of a large commercial aircraft impact such that the reactor core remains cooled, containment remains intact, and spent fuel pool integrity is maintained. Therefore, the staff finds that the applicant meets the applicable requirements of 10 CFR 50.150(b).
