ML19266A587
Person / Time | |
---|---|
Site: | NuScale |
Issue date: | 09/23/2019 |
From: | Rad Z NuScale |
To: | Document Control Desk, Office of New Reactors |
References | |
RAIO-0919-67092 | |
Text
RAIO-0919-67092
September 23, 2019
Docket No. 52-048
U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
One White Flint North
11555 Rockville Pike
Rockville, MD 20852-2738
SUBJECT:
NuScale Power, LLC Supplemental Response to NRC Request for Additional Information No. 518 (eRAI No. 9659) on the NuScale Design Certification Application
REFERENCES:
- 1. U.S. Nuclear Regulatory Commission, "Request for Additional Information No. 518 (eRAI No. 9659)," dated March 04, 2019
- 2. NuScale Power, LLC Response to NRC "Request for Additional Information No. 518 (eRAI No. 9659)," dated April 11, 2019

The purpose of this letter is to provide the NuScale Power, LLC (NuScale) supplemental response to the referenced NRC Request for Additional Information (RAI).
The Enclosure to this letter contains NuScale's supplemental response to the following RAI Question from NRC eRAI No. 9659:
19-39

This letter and the enclosed response make no new regulatory commitments and no revisions to any existing regulatory commitments.
If you have any questions on this response, please contact Rebecca Norris at 541-602-1260 or at rnorris@nuscalepower.com.
Sincerely,
Zackary W. Rad
Director, Regulatory Affairs
NuScale Power, LLC

Distribution:
Gregory Cranston, NRC, OWFN-8H12
Samuel Lee, NRC, OWFN-8H12
Rani Franovich, NRC, OWFN-8H12

Enclosure: NuScale Supplemental Response to NRC Request for Additional Information eRAI No. 9659

NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330, Office: 541.360.0500, Fax: 541.207.3928 www.nuscalepower.com
Response to Request for Additional Information
Docket No. 52-048
eRAI No.: 9659
Date of RAI Issue: 03/04/2019
NRC Question No.: 19-39

Regulatory basis
10 CFR 52.47(a)(27) requires a description of the design-specific probabilistic risk assessment (PRA) and its results.

Discussion
Standard Review Plan, Chapter 19.0, Revision 3, page 19.0-22 identifies the need for in-depth NRC review of refueling operations for small, modular reactors, which are different from traditional LWRs, to ensure that the PRA model is of acceptable scope and level of detail. This same page also requires staff to verify that applicants for plants with multiple modules use a systematic process to identify accident sequences, including significant human errors that could lead to core damage or large release from multiple modules.
Section 19.1.7.4 of the NuScale Design Certification Application (DCA) discusses how a module dropped during refueling transport might impact other modules. Rev. 1 of the DCA states that if the module is dropped on an operating module near the top, it could damage the DHRS piping or heat exchangers. In Rev. 2 of the DCA, NuScale added that "additional pipe breaks may occur, leading to a [chemical and volume control system] CVCS line break outside containment." Additionally, Rev. 1 of the DCA states that if the operating module was struck near the bottom, the safety systems would remain nominally available, whereas Rev. 2 replaced this conclusion with "the collision is expected to cause a torque about the module support lugs, resulting in similar stresses to the piping on top of the operating module." The risk insights from this evaluation, which is the same in both revisions, are that a dropped module may incur core damage while the struck modules incur initiating events at full power.
NuScale Nonproprietary
Because Rev. 2 of the DCA postulates additional damage to the operating module beyond what was described in Rev. 1, the staff needs additional information to conclude the qualitative multi-module risk assessment is technically adequate and complete.
Request for Additional Information
Provide justification that multi-module risk insights for the struck module that is assumed to be operating at full power are unaffected by the additional damage described in Rev. 2 of the DCA.
Specifically, describe which pipes in the CVCS, decay heat removal system and the containment flooding and drain system are assumed to fail and why. Also explain if the capability of the containment isolation valves to close is compromised, given that the strike to the operating module has sufficient force to cause pipe breaks.
NuScale Response:
NuScale is supplementing its response to RAI 9659 (Question 19-39) originally provided in letter RAIO-0419-65197, dated April 11, 2019 (ML19101A453). This supplemental response is provided as a result of discussions with the NRC during a public meeting held on September 4, 2019. The following information is added to NuScale's original response:
As described in FSAR Section 19.1.6.1.2, a reliability assessment of the reactor building crane (RBC) was performed to develop an initiating event frequency for a potential module drop accident. In the low power and shutdown (LPSD) PRA, the RBC is modeled as operator controlled (i.e., not fully automated) with backup safety features such as limit switches and interlocks. FSAR Table 19.1-67 summarizes various faults that could result in load drop as well as design features that mitigate those faults; faults could result from mechanical failure or operator error. As indicated in FSAR Table 19.1-70, the RBC is identified as a risk significant candidate and, as indicated in FSAR Table 17.4-1, the RBC is included within the design reliability assurance program.
Modeling of the RBC, as well as other aspects of the LPSD PRA for the design certification, is based on information that is available during the design certification. To clarify the scope of the RBC reliability assessment that was performed for design certification, clarifications have been added to Section 19.1.6.1.2 to reflect that operator errors were considered as potential causes for the module drop initiating events listed in FSAR Table 19.1-67. In addition, a key assumption for the LPSD PRA has been added to Table 19.1-71 to state that operator control is assumed for RBC movement. As required by COL Item 19.1-8, the validity of the key assumptions and data used in the design certification PRA must be confirmed or modified, if necessary, for applicability to the as-built, as-operated PRA.
Impact on DCA:
FSAR Section 19.1.6.1.2 and Table 19.1-71 have been revised as described in the response above and as shown in the markup provided in this response.
NuScale Final Safety Analysis Report Probabilistic Risk Assessment

initially considered, based on the assembled configuration of the module during RBC movements:
- The first type of module drop reflects the possibility of dropping an assembled module. The module is in this configuration when transported between the operating bay and the CFT. In a fully assembled module, the CNV is intact, flooded, and the RVVs and RRVs are open. Module drops in this configuration are considered for POS3 and POS5.
RAI 19-23S1
- The second type of module drop reflects the possibility of dropping a partially assembled module, without the lower CNV. The module is in this configuration when the RBC lifts the upper CNV and the RPV out of the CFT and places it into the RFT. In this configuration, the water in the RPV communicates freely with the reactor pool through the open RVVs and RRVs. If a module were dropped in this configuration, pool water would flow in through the open RVVs and RRVs to keep the fuel covered and prevent core damage. Thus, a drop of a partially assembled module is not considered further in the LPSD probabilistic risk assessment.
- The third type of module drop reflects the possibility of dropping the upper vessels (i.e., the upper portions of the RPV and CNV) as they are moved to or from the dry dock area. Because the fuel is in the lower RPV, which remains in the RFT, the primary hazard in this situation is the physical impact of the RBC dropping the upper vessels onto the stationary core. While this configuration is not included as a potential contributor to CDF because it involves potential mechanical fuel damage rather than inadequate heat removal, the radiological dose calculation of potential radionuclide release due to damaged fuel indicates that a large release does not occur due to this type of module drop.
Thus, a drop of the upper vessels is not considered further in the LPSD probabilistic risk assessment.
RAI 19-39S1
Module drop initiating events were identified by considering potential causes of RBC failure during all stages of module movement, as defined in Section 19.1.6.1.
The RBC movement is modeled as being controlled by an operator, with the RBC control system described in Section 9.1.5 providing backup safety and mitigation features. Contributors to the module drop initiating event frequency include operator error and hardware failures. Table 19.1-67 summarizes the module drop initiating events associated with an RBC failure and the mitigating features.
Figure 19.1-30 is a representative event tree for evaluating potential NPM drops.
The representative event tree is used to evaluate a full module drop based on the overload (OL) module drop initiating event (Item 7 in Table 19.1-67), in which the load exceeds the rated capacity of the RBC. As indicated on the event tree, a module drop occurs based on combinations of detection and safety system features; for example, Sequence 6 of Figure 19.1-30 involves failure of the weigh circuit in the hoist control system to detect the overload (DET-OL) and failure of the motor overload protection to stop the motor (OL-PROT), which results in a module drop (MD) end state. The top events of the event trees are evaluated using fault trees. Quantification of the event trees associated with the module drop initiators identified in Table 19.1-67, and accounting for the time that a module is being moved in either the refueling area or the operating area, produced probabilities of module drop in each of these areas for POS3 and POS5 as summarized in Table 19.1-68, as well as the determination of the initiating event frequencies that are used in the LPSD probabilistic risk assessment.
Tier 2 19.1-99 Draft Revision 4
19.1.6.1.3 Low Power and Shutdown Accident Sequence Determination
The accident sequences modeled in the LPSD probabilistic risk assessment are represented by the various "paths" through the event trees that were developed to depict the module response to an initiating event. The changes in the module configuration between full power and LPSD configurations are not significant with regard to success criteria as no new systems are brought online to aid in shutdown cooling or other LPSD functions. For these systems, the LPSD success criteria are bounded by those established for the full power condition. The LPSD plant operating states exhibit lower decay heat levels than the full power PRA due to the module being shut down or operating at low power at the time of the initiating event, and the systems modeled for mitigation of full power initiators are sufficient for decay heat levels. Thus, for most LPSD initiating events, an LPSD transfer event tree is used to transfer to the full power event trees with the following modifications to the sequence logic to reflect each POS configuration:
- RTS-T01: The RTS is assumed to succeed for the POS in which the module is subcritical (i.e., POS1, POS2, POS3, POS4, POS5, and POS6).
- CFDS-T01: The containment flooding system is assumed to succeed for the POS in which the CNV is already flooded (i.e., POS2, POS3, POS4, and POS5).
- DHRS-T01: The DHRS is not necessary in POS2 and POS5, for which the safety function of decay heat removal is achieved by passively conducting heat to the UHS through the flooded containment.
- RCS-T05: The RCS reactor safety valve demand to open is questioned following actuation of DHRS in transient event trees, when the RCS pressure may rise high enough to open the RSV before sufficient heat has been removed to reduce the pressure. Because the module is already shut down, it is unlikely that the pressure increases enough to open the RSVs when DHRS is successful.
A representative LPSD transfer event tree is provided as Figure 19.1-31. The tree is used to transfer the initiating event of a CVCS charging line LOCA occurring in POS1 to the full power event tree CVCS-ALOCA-CIC for evaluation of the mitigating system response. Similar transfer trees are used for each of the unscreened LPSD events indicated in Table 19.1-66.
Additional event trees are developed to account for the design-specific RBC failure initiating events in POS3 and POS5. Module drop scenarios are those that may lead to core damage due to inadequate cooling caused by uncovering the fuel. This occurs in the case of a horizontal or nearly horizontal module, in which the coolant inventory in the CNV is not sufficient to cover the fuel; due to uncertainty in calculations of peak cladding temperature (PCT), core damage is assumed to occur.
Module drop scenarios in which the module comes to rest in such a way that the
RAI 19-23, RAI 19-37, RAI 19-37S1, RAI 19-39S1
Table 19.1-71: Key Assumptions for the Low Power and Shutdown Probabilistic Risk Assessment

Assumption | Applicable POS | Basis |
---|---|---|
The refueling cycle of a module is two years, giving a frequency of 0.5 refueling outages per year. | All | Design characteristic |
Only the refueling outage is analyzed quantitatively in the LPSD PRA; evolutions such as turbine bypass and controlled shutdown are only discussed qualitatively. Seven POSs are identified for LPSD conditions. | All | Common engineering practice |
No credit is taken for heat transfer through containment during containment flooding (i.e., POS1 - shutdown and initial cooling) or containment draining (POS6 - heatup). | POS1, POS6 | Bounding assumption |
Control rod withdrawal and reactivity insertion is not credible during LPSD. | POS1, POS2, POS3, POS4, POS5, POS6 | Control rods are disconnected from their drive mechanisms after insertion to prevent premature withdrawal. |
Spurious closure of the ECCS valves is not credible after they are opened. | POS2, POS5 | Spurious closure is precluded by valve design; separate actions are required to pressurize the control chamber and close the pilot valve. Closure of the valves is also not possible when CVCS is not in service because CVCS flow is required to close the valves. |
The inadvertent actuation block (IAB) of the ECCS valves is not credited for reducing the frequency of a spurious valve opening when the module is subcritical (i.e., POS1 and POS6). | POS1, POS6 | The IAB is active when the RPV pressure is near operating pressure (i.e., POS7). |
Scheduled testing and maintenance on module-specific components (i.e., CVCS pumps) is performed during a POS in which the component is not required. | POS1, POS6 | Common engineering practice |
The module is transported by the RBC to the refueling area in POS3 and back to the operating bay in POS5; postulated module drops are only considered in the operating area or refueling area of the reactor pool. | POS3, POS5 | Bounding assumption that gives the greatest probability of striking another module and tipping horizontally. Also gives the lowest probability that a dropped module lands upright. |
If dropped from a height of one foot or less, the probability that the module tips is 0.5, with uncertainty uniformly distributed between 0 and 1. When dropped from greater than one foot, the module is assumed to tip. | POS3, POS5 | Engineering judgment based on the design of the CNV support skirt and seismic amplification margin. |
A dropped module that tips, falls horizontally to the reactor pool floor and experiences core damage. The CNV is assumed to be damaged and is not credited with preventing the release of radionuclides. The resulting source term is evaluated 48 hours after shutdown, which is approximately the beginning of POS3. | POS3, POS5 | Conservative analysis |
After the bottom of the CNV is removed, primary coolant communicates with water in the reactor pool through the open RVVs and RRVs and keeps the core covered and cooled. | POS3, POS4, POS5 | Engineering judgment |
During an RBC lift, the module is kept below the height that could damage the UHS if dropped. | POS3, POS5 | Design characteristic |
Seismic events during LPSD conditions are only a concern during module transport when the RBC is under load. The seismic risk from a dropped module, however, is overestimated because the fragility analysis was performed with loaded module weighting. | POS3, POS5 | Bounding assumption |
Internal fires and internal floods have a minimal impact on LPSD conditions because of the limited frequency and duration in each POS, the fail-safe nature of NuScale safety systems, and the very low conditional core damage probability during LPSD conditions. | All | Engineering judgment |
External floods have a minimal impact on LPSD conditions because of the limited frequency and duration in each POS, the fail-safe nature of NuScale safety systems, forecasting tools provide ample warning time in most cases to perform a controlled shutdown, and the very low conditional core damage probability during LPSD conditions. | All | Engineering judgment |
High winds have a minimal impact on LPSD conditions because of the limited frequency and duration in each POS, the fail-safe nature of NuScale safety systems, forecasting tools provide ample warning time to move a module from the RBC and place it in a safe position, and the very low conditional core damage probability during LPSD conditions. | All | Engineering judgment |
Movement of the RBC is modeled as operator controlled. | POS3, POS4, POS5 | Engineering judgment |
Administrative controls will ensure that RBC safety features (e.g., limit switches, interlocks to prevent undesired movement) are functional during module movement | POS3, POS4, POS5 | Engineering judgment |