ML20050G994

Proposed Recommendation for ARCs Review of Nuscale Power, LLC, Design Certification Application - Advanced Safety Evaluation with No Open Items for Chapter 13, Conduct of Operations & Chapter 18 Human Factors Engineering
ML20050G994
Person / Time
Issue date: 02/19/2020
From: Dennis Bley
Advisory Committee on Reactor Safeguards
To: Matthew Sunseri
Advisory Committee on Reactor Safeguards
Widmayer, D, ACRS
Shared Package: ML20044D595


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, DC 20555 - 0001

February 19, 2020

MEMORANDUM TO: Matthew W. Sunseri, Chairman, Advisory Committee on Reactor Safeguards

FROM: Dennis C. Bley, Member /RA/, NuScale Subcommittee, Advisory Committee on Reactor Safeguards

SUBJECT: PROPOSED RECOMMENDATION FOR ACRS REVIEW OF NUSCALE POWER, LLC, DESIGN CERTIFICATION APPLICATION - ADVANCED SAFETY EVALUATION WITH NO OPEN ITEMS FOR CHAPTER 13, CONDUCT OF OPERATIONS & CHAPTER 18 HUMAN FACTORS ENGINEERING

In response to the Committee's request, I have reviewed the NRC staff's advanced safety evaluation report (SER) with no open items for Chapter 13, Conduct of Operations, dated October 17, 2019 (ML19165A286) and December 16, 2019 (ML19182A241), and Chapter 18, Human Factors Engineering, dated December 16, 2019 (ML19340A065). The following is my recommended course of action concerning further review of these chapters of the design certification application and the staff's associated safety evaluation.

There is significant overlap among Sections 13.2, Training, 13.4, Operational Programs, 13.5, Plant Procedures, and all of Chapter 18. The Committee wrote a combined Phase 3 letter on the two chapters, and I address them together here.

SER Phase 4 Summary

Chapters 13 and 18 of the advanced SER document the staff's reviews of Chapter 13, Conduct of Operations, and Chapter 18, Human Factors Engineering, of the NuScale Power, LLC Design Certification Application (DCA), Part 2, Final Safety Analysis Report (FSAR), Revision 3 (ML19241A315).

The NuScale DCA and the staff's SER of Chapter 13 describe the NuScale conduct of operations. SER Chapter 18 cites Sections 13.2 and 13.5, respectively, for the staff review of training and plant procedures. The staff views all open items from their Phase 2 review as closed and, with the following caveats and clarifications, I agree:

  • Section 13.2 notes that the combined license (COL) applicant is responsible for development of the site-specific training program. It identifies two COL items related to training.

  • Section 13.3 addresses emergency planning (EP) and Section 13.3.2 provides a list of the EP features of the design bases for the NuScale plant. Between Phases 2 and 4, the staff eliminated a paragraph on the process sampling system (PSS) and its use in post-accident monitoring without explanation. There are four COL items related to EP features, specifically covering the onsite operational support center, the emergency operations facility, the emergency plan, and ITAAC.
  • Section 13.5 on plant procedures states that the staff reviewed the NuScale Generic Technical Guidelines (GTG) but did not make a regulatory finding because they will review the guidelines when a COL applicant submits a procedure generation package. Nevertheless, they provided a description of the GTGs and their use during integrated system validation (ISV) testing.

The NuScale DCA and the staff's SER for Chapter 18 describe the twelve elements of the NuScale human factors engineering (HFE) program. The staff finds that the NuScale HFE program conforms with regulatory guidance. Their analysis in Phase 4 goes further than the previous version, extending their observations of meeting detailed criteria, to physical and engineering evaluations. For example, in their description of the function allocation activity, the staff makes the important point that, while automation has the potential to reduce operator errors, it may also create new types of errors during operation. They then examine the development of the human system interface (HSI) design against that concern.

Next, they claim that the applicant had appropriately identified those human actions considered to be more important relative to others, citing no evidence to support the claim. They point out that no operator actions are credited in Chapter 15 or in the defense-in-depth coping analysis of Chapter 7 and draw the conclusion that there are no deterministically important human actions.

However, despite a discussion of errors of commission in Chapters 13 and 18 and their linked reference reports, no systematic search for such events is documented. The same goes for stochastic events considered in the plant probabilistic risk assessment (PRA).

The staff documents the depth and breadth of NuScale's examination of operating experience, including relevant data from other industries, where operators could be faced with similar situations, as could occur in a twelve module NuScale plant. The NuScale staffing plan was examined based on NRC guidance and from the results of the Staffing Plan Validation (SPV) test and found to be acceptable. During the SPV, the staff observed that NuScale identified specific roles and responsibilities, including the required qualifications, for the three SROs and the three ROs. The test scenarios were well-defined and acceptable. The staff evaluated operator performance under both high workload (challenging) situations as tested during the SPV, and also during very low workload situations tested during the ISV, which can also challenge human performance. The staff found that both the SPV and ISV provided evidence that the proposed staffing was acceptable.

The HSI design was reviewed against NuScale and NRC guidance documents and found to be acceptable. The staff's key finding on design is that the HSI design supports operators in the safe operation of the plant. The tests further supported NuScale's staffing plan. SER Section 18.7.4.5, Main Control Room Design, is particularly relevant to our safety concerns. It defines and defends NuScale's selection of only three critical safety functions (CSF): containment integrity, reactivity control, and core heat removal. NuScale and the staff document how other CSFs for existing light water reactor designs are captured within the three for the NuScale-specific design.

Perhaps most importantly, the staff observed the NuScale ISV test and reviewed the results. Some problems were observed and identified as human engineering discrepancies to be resolved later. The staff confirmed that the verification and validation implementation plan was complete and met staff guidance, and they found the ISV results confirmed adequacy of the HSI to support operations. One area of the ISV led to deeper examination: the staff was concerned that a minimum of two trials for each ISV scenario does not provide sufficient opportunities to identify problems with the integrated system and may not provide reasonable assurance that the results are indicative of the integrated system's capability to support safe operations. An exchange of RAIs and responses led to the following results for errors of omission and errors of commission.

Errors of Omission: Design basis events (DBEs) do not credit any operator action and, if procedure-directed actions are not carried out, such scenarios cannot be worse than the Chapter 15 accidents. Therefore, the design is not sensitive to errors of omission during DBEs, ATWS, and SBO. The PRA identified errors of omission for beyond design basis events (BDBEs) and, for these to lead to core damage, one of the following conditions must occur:

1. A malfunction of the ECCS to actuate as designed.
2. An isolable loss of coolant accident outside of the containment vessel with a failure to makeup coolant.
3. A situation where both trains of decay heat removal have failed in a manner not to remove RCS heat, and both of the RCS ASME code safety relief valves do not open.

The PRA identified seven BDBE human actions. Six of these preventive actions could be taken from the main control room (MCR) and two of these are considered important human actions.

Since there are only six MCR actions, NuScale plans to sample the performance on all these tasks to ensure confidence in the ISV results. Despite uncertainties in the PRA results due to incomplete design and lack of operating experience, the staff finds the approach acceptable. If satisfactory results are not obtained, compensatory actions will be required.

Errors of Commission: The staff states that, because up to twelve units can be operated from a single operator console in a single control room, there is a relatively higher probability of operators taking an action intended for one unit on a wrong unit.

In RAI responses, NuScale argues that the MCR, module protection system (MPS) and HSI designs help to limit the probability and consequences of safety-significant errors of commission. MCR operators cannot manipulate safety-related SSCs except through the use of the MPS hard-wired manual action switches located at the standup panel for each unit. Such infrequent operations are directed by procedure, and "normally requires a peer-check ... is also expected to receive supervisory oversight ... [and] is conspicuous to the operating crew." [This is a significant claim for a plant with no plant procedures or defined training; one would expect a COL item for confirmation.] Furthermore, the MPS cannot be overridden by an operator either before or after initiation, with the exception of the containment isolation override to support adding inventory to the reactor vessel using the CVCS or to containment vessel using the containment flooding and drain system. They cite further automatic functions that protect the plant and conclude, "to accidentally perform the action in error or to complete this action on the wrong unit is not deemed credible." [This would appear to ignore a number of initially surprising operator actions in the operating history, where, in response to unusual situations, operator perception of plant needs led to outwardly unexpected actions.]

Because of the unlikely nature of events that could prompt errors of commission and the variety of design features aligned at minimizing or tolerating such actions, the staff concludes that the design features of the NuScale plant do help reduce the sensitivity of the integrated system to human performance errors and justify the ISV approach. In addition, during the ISV, there were no observed priority 1 human engineering discrepancies associated with wrong unit errors.

[Although there was no systematic search for errors of commission, such a search is beyond current practice. Therefore, we need not raise it now for NuScale. Such a search has been performed in a number of NRC sponsored studies.]

Applicable Concerns from ACRS Phase 3 Letter Report

The Committee made two recommendations on Chapters 13 and 18:

1. Operator training drills should include scenarios where computer displays provide misleading or incomplete information to ensure operators maintain alternate diagnostic approaches.
2. The HFE program review needs to be coordinated with the review of reactor building crane design features and operations in subsequent design certification chapters in order to minimize any hazards from heavy load lifts, including module movement.

We further discussed several of the open items identified in the Phase 2 staff SER:

1. The most significant open item in Chapter 13 applies equally well to Chapter 18. It is related to the staff review of NuScale GTGs. At the time of our review, the staff was unable to conclude the NuScale GTGs were acceptable for use as a basis for the development of COL applicant plant-specific technical guidelines. NuScale has now performed ISV testing, which has provided needed input for the staff evaluation, as well as any necessary changes to the GTGs and the associated post-accident monitoring variables.
2. In addition to developing a well-defined HFE program, NuScale has gone further at the DCA stage, completing many of the tasks included in their program. The results of this comprehensive work are reported in technical reports cited in Chapter 18 and in citations in those reports. Some have been included by reference in Chapter 1.
3. In reference to our Recommendation 2 and heavy load lifts, NuScale noted that these HFE issues pertaining to module movement will be addressed by the crane vendor. We emphasized that the applicant is responsible for this HFE analysis, and the staff is expected to review it at the DCA or COL stage.

Staff Response to ACRS Letter Report

The staff agreed with the concern in our first recommendation of the need to ensure that operators maintain alternative diagnostic approaches. They extended our comment beyond training to cover HSI design features that cue the operator to failed indications, operating procedures that can be performed without automated implementation, and procedures that require operators to verify indications.

The staff stated their agreement with our Recommendation 2. Then in a paragraph of supposed clarification, they described the coordination of the reviews of Chapters 7, 15, and 19 with Chapter 18, and they state that, if the Chapter 7, 15, and 19 reviews do not identify reactor building crane operations as an important human action, then the Chapter 18 review would not address these actions. In its last incarnation, Chapter 19 does no real analysis of crane operations, it just employs a simple set of assumptions; Chapter 15 dismisses crane operations with no analysis, and Chapter 7 offers no consideration of crane operations. What we were suggesting is a coordinated actual examination of crane operations by PRA and human performance experts on the staff. Finally, this cannot be completed or even contemplated before the promised analysis by the NuScale crane contractor is complete. Such a review may not be completed until after the COL stage.

Open Items from Phase 3 Requiring Further ACRS Review

As introduced in the previous paragraphs, we had several significant concerns during our Phase 3 review. The Chapters 13 and 18 SER addresses several of them. Our concerns remain for:

1. Issues on training and plant procedures. These are deferred until our review of the COL SER covering training and plant procedures.
2. NuScale and the staff have agreed that the HFE issues pertaining to module movement will be addressed by the crane vendor. We continue to emphasize that the applicant is responsible for this HFE analysis, and the staff experts in HFE and PRA should review it, whenever it becomes available.
3. We would still like a briefing on the GTGs, their purposes, and how they are expected to be used to develop emergency operating procedures. That should occur during our review of a COL application, after a procedure package has been submitted.

Recommendation

As lead reviewer for NuScale Chapters 13 and 18, I recommend no further reviews of these chapters during the design certification review. Several issues remaining from the current review can be addressed in other ways.

Two identified errors of commission that are potentially risk-important are related to crane operation and boron dilution. The crane operation issue should be addressed at the COL stage or later, when the crane vendor's analysis of human actions is complete and is reviewed by the staff. The action related to boron dilution will be addressed during the focus area review of boron dilution and return to power.

We should request a presentation during the first COL application review, on the NuScale Generic Technical Guidelines, walking us through the diagrams and explaining exactly how they are expected to be used in the development of procedures and other work.

The issue concerning disappearance of the PSS and its use in post-accident monitoring from the list of EP features of the design bases in Section 13.3 can be addressed briefly during the focus area review that includes our concerns on the PSS.

Three statements on HFE and conduct of operations should be included in our final letter:

1. In addition to developing a well-defined HFE program, NuScale has gone further than required at the DCA stage, completing many of the tasks included in their program. The results of this comprehensive work are reported in technical reports cited in Chapter 18 and in citations in those reports. This early work will serve NuScale, COL applicants, and the staff well.
2. NuScale and the staff have decided that the HFE issues pertaining to module movement will be addressed by the crane vendor. We emphasize that the applicant is responsible for this HFE analysis and the staff is expected to review it at the COL stage. The HFE program and the PRA, and their reviews, need to be coordinated with the review of reactor building crane design features and operations in order to minimize any hazards from heavy load lifts, including module movement.
3. In justification of the exclusion of errors of commission from the Chapter 18 review, the staff cites NuScale's declaration that infrequent operations that could lead to safety-significant errors of commission are directed by procedure, normally require a peer-check, is expected to receive supervisory oversight, and should be conspicuous to the operating crew. Staff should ensure that a COL applicant includes these expectations in their plant procedures.

Package No.: ML20044D595
Accession No: ML20050G994
Publicly Available: Y
Sensitive: N
Viewing Rights: NRC Users or ACRS Only or See Restricted distribution *via email

OFFICE | ACRS/TSB | SUNSI Review | ACRS/TSB | ACRS
NAME | DWidmayer | DWidmayer | LBurkhart (MSnodderly for) | DBley (MSnodderly for)
DATE | 2/19/2020 | 2/19/2020 | 2/19/2020 | 2/19/2020

OFFICIAL RECORD COPY