ML20149K596

From kanterella
Jump to navigation Jump to search
Nuscale Areas of Focus - Probabilistic Risk Assessment and Emergency Core Cooling System Valve Performance
ML20149K596
Person / Time
Issue date: 06/01/2020
From: Matthew Sunseri
Advisory Committee on Reactor Safeguards
To: Margaret Doane
NRC/EDO
Snodderly, M, ACRS
References
Download: ML20149K596 (9)
v  d  e


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION ADVISORY COMMITTEE ON REACTOR SAFEGUARDS WASHINGTON, DC 20555 - 0001 June 1, 2020 Ms. Margaret M. Doane Executive Director for Operations U.S. Nuclear Regulatory Commission Washington, DC 20555-0001

SUBJECT:

NUSCALE AREAS OF FOCUS - PROBABILISTIC RISK ASSESSMENT AND EMERGENCY CORE COOLING SYSTEM VALVE PERFORMANCE

Dear Ms. Doane:

During the 672nd and 673rd meetings of the Advisory Committee on Reactor Safeguards, April 8-10, 2020, and May 6-8, 2020, we conducted our Probabilistic Risk Assessment (PRA) and Emergency Core Cooling System (ECCS) Valve Performance area of focus reviews for the NuScale design certification application (DCA) as discussed in our September 25, 2019 letter.

Our review is based on information in Revision 3 of the NuScale DCA and the associated safety evaluation report chapters. Our NuScale Subcommittee also reviewed these matters on March 3, 2020. During these meetings, we had the benefit of discussions with NuScale and the staff. We also had the benefit of the referenced documents. A finding relative to the requirements of Title 10 of the Code of Federal Regulations (10 CFR) 52.53 awaits completion of our review.

CONCLUSIONS AND RECOMMENDATIONS

1. The NuScale DCA meets the 10 CFR 52.47(a)(27) requirement to include a description of the design-specific PRA and its results in the DCA.
2. A primary purpose of the PRA at the DCA stage is to inform the design to reduce risk. The PRA scope is sufficient to enable the discussion of risk results and insights, and the level of detail in the PRA is consistent with its intended uses in support of design certification; i.e., to identify design alternatives, operational vulnerabilities, and to provide risk-informed support for other programs. However, the risk insights identified in Chapter 19 should not be considered final because there are omissions in the existing Final Safety Analysis Report (FSAR) that need to be properly reflected in the PRA.
3. In our Chapter 15 letter, we identified a boron dilution issue that remains open. We are concerned that this class of events could lead to a potential reactivity insertion accident and core damage. The applicant is working on resolution of this issue. This resolution needs to

M. Doane be evaluated to determine if these scenarios should be included in the PRA at the DCA stage. Such inclusion could impact the reported risk measures and the risk insights as presented in Chapter 19.

4. The risk measures of core damage frequency (CDF) and large release frequency (LRF),

quantified in the PRA, suggest that the NuScale design meets the Commissions Safety Goals with large margins. However, recently identified design issues, underlying omissions, and uncertainties indicate that the large margins between CDF and LRF and safety goals cannot be substantiated at this time.

5. To promote identification of valid risk insights through the Combined License (COL) process, we provide recommendations on several other topics: ECCS valve performance and qualification; risk importance of the chemical and volume control system (CVCS); errors of commission associated with reactor building crane (RBC) operations; risk increase to single unit operation with multiple unit operation and buildout; steam generator integrity; post-accident combustible gas monitoring; and more rigorous treatment of sensitivities and uncertainties.

The risk insights will be better supported when the COL applicant addresses the requirements of the NuScale design certification rule appendix to 10 CFR Part 52. This includes addressing the COL items, closing the Inspections, Tests, Analyses, and Acceptance Criteria items, updating the site and plant-specific PRA before fuel load, and, of particular interest with respect to the NuScale design, addressing the additional requirements and restrictions in the rule appendix to address design completeness.

6. We cannot reach a final conclusion on the safety of the NuScale design until the issue of the potential for a reactivity insertion accident due to boron dilution in the downcomer is resolved to our satisfaction.

BACKGROUND The NuScale DCA incorporates a PRA in accordance with the 10 CFR 52.47(a)(27) requirement. The PRA scope includes a Level 1 and a Level 2 PRA for internal and external initiating events and all operating modes. The risk from seismic events was not quantified; rather, a seismic margins analysis was performed, providing confidence that the plant has margin with respect to seismic events. The PRA evaluated the risk associated with operation of a single module. A limited evaluation of multi-module risk was also performed.

The PRA has been performed consistent with the guidance provided in DC/COL-ISG-028, Assessing the Technical Adequacy of the Advanced Light-Water Reactor Probabilistic Risk Assessment for the Design Certification Application and Combined License Application, which supplements RG 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities. The PRA was reviewed by an expert panel with membership external to NuScale. A self-assessment of the PRA was also performed to evaluate conformance with industry standards.

In Revision 3 of the FSAR, NuScale estimates that the mean value of the CDF is 3 x 10-10/module-critical-year (mcyr) and the mean value of the LRF is 2.3 x 10-11/mcyr. If those values are confirmed following the ongoing updates in Revision 5 of the FSAR, the NuScale design will meet the subsidiary risk benchmarks (CDF < 10-4/mcyr and LRF < 10-6/mcyr) with

M. Doane substantial margins and support the Commissions Safety Goals. In addition, NuScale evaluates that the conditional containment failure probability (CCFP) is less than the 0.1 goal.

DISCUSSION As stated in the safety evaluation report, the staff performed their PRA review with a goal to confirm that the Commission guidelines are met. These guidelines include meeting the Commissions Safety Goals, applying PRA to identify and reduce potential design and operational vulnerabilities; and using PRA insights to provide risk-informed support for other programs (e.g., regulatory treatment of non-safety systems, human factors engineering, and the reliability assurance program).

We find the PRA scope and level of detail sufficient for the discussion of risk results and insights at this stage. However, the risk insights identified in Chapter 19 should not be considered final because there are omissions in the existing FSAR that need to be properly reflected in the PRA.

The risk measures of CDF and LRF, quantified in the PRA, would indicate that the NuScale design meets the Commissions Safety Goals with large margins. We agree with the staff conclusion that the low risk estimates reflect deliberate engineering and design effort to reduce or eliminate the contributors to risk found in previous designs. However, recently identified design issues, underlying omissions, and uncertainties indicate that the large margins between CDF and LRF and safety goals cannot be substantiated at this time.

In addition, as stated in the Chapter 19 Safety Evaluation Report, phenomenological uncertainties prevented the staff from confirming that the CCFP or deterministic containment performance goals are met. Severe accident simulations, assuming multiple passive cooling system failures, predict that, should the core overheat, core debris would fall into the reactor vessel lower head. The uncertainties for parameters that could affect containment performance in such an event do not support a conclusion that CCFP is sufficiently low. Nevertheless, containment lower head failure from core debris relocation would not lead to a large release because of the scrubbing effect of the pool water.

In our September 25, 2019 letter, we identified the PRA as one of five areas of focus. In our interim review of the PRA, dated June 19, 2019, we concluded that there are technical items in the PRA that merit further consideration to help identify valid risk insights in this unique design.

These include: further examination of the design of ECCS valves and the associated PRA model, further investigation of the uncertainty and the sensitivity analysis, and identification and evaluation of possible errors of commission associated with the RBC operation. Other focus area reviews identified additional issues not addressed in the PRA. One of these issues, the recently identified omission of boron dilution scenarios, could have a high-risk significance. This and other issues are discussed below.

Boron Dilution In our April 29, 2020 report, NuScale Chapter 15: Open Item Closure and Areas of Focus Reviews - Return to Criticality and Boron Distribution, we expressed concern about boron dilution in the downcomer by steam condensation from the steam generators or from the vessel wall.

The progression and consequences of this event are not fully understood because they were not analyzed in Revision 4 to the FSAR, or the associated methodology technical reports.

M. Doane Operator actions to recover from conditions that uncover the riser were not considered part of the scope of Chapter 15 by the staff. During the 672nd Meeting in April 2020, NuScale informed us that they had identified small break loss of coolant accident as likely being the limiting event, and they intended to modify the ECCS actuation logic to mitigate it. When completed, we expect to review the staff evaluation to consider its impact on the risk and other bounding safety design limits.

As this issue is addressed, possible initiating events and operator actions (including errors of commission) should be identified and evaluated for inclusion in the PRA. This class of events and the corresponding operator actions could lead to new accident sequences.

ECCS Valve Performance The NuScale design has addressed many of the risk-significant scenarios that arise with large light water reactors. The final protection against challenging accidents relies on simplicity and redundancy. Rather than alternative systems with pumps and valves that must operate, each module relies on five passive ECCS valves that open when appropriate signals are received, or when electric power is lost. Successful natural circulation is provided if one-of-three reactor vent valves open and one-of-two reactor recirculation valves open.

Failures of these unique hydraulically-operated ECCS valves are one of the most important risk contributors identified in the NuScale PRA. The PRA results and confidence in the safety of the design depend on ensuring that these valves operate reliably. A number of operational factors could possibly degrade performance of the valves over time, leading to a common cause failure of the system. Design and demonstration tests of the valves have been performed, and the design has been modified based on these test results. Post-modification demonstration testing has been successful. Tests included consideration of the inadvertent actuation block being jammed shut. Under this consideration, when reactor coolant system pressure decreased to near containment pressure, the main valve spring reliably opened the main valve. Evaluation by NuScale has demonstrated that no core damage would occur in this scenario. Therefore, concerns about the block valve preventing ECCS operation were successfully addressed.

Extensive additional qualification testing is planned to gain confidence in the ability of the valves to maintain reliable performance after extended periods in an operational environment. This testing should consider the possibility of degradation mechanisms such as corrosion, deposits, precipitates, and fouling to develop over time in the presence of boric acid and high temperature. The results of such testing should be used to confirm realism of the PRA failure model for the ECCS valves, and the validity of the underlying assumptions, as required in COL item 19.1-8.

Chemical and Volume Control System In our interim letter on Chapters 9, 10, 11, 12, and 16, dated April 17, 2019, we explained that CVCS provides several critical functions for the NuScale reactor design. These include inventory control, chemical control, and boric acid addition. CVCS uses a circuitous process to inject boron into the reactor coolant system and into the core, either by pressurizer spray or directly to the core riser.

M. Doane Because CVCS can provide backup to many functions important to safety, and its anticipated role in boron dilution recovery, the risk importance of CVCS should be reexamined. CVCS can also compensate for uncertainties associated with the performance of the ECCS valves and steam generators.

Uncertainty and Sensitivity Analysis As stated above, the applicant reported very low numerical values for CDF and LRF.

Uncertainties associated with such low values are greater than those seen in the PRA models for the operating fleet. Those uncertainties are impacted by the lack of reliability data for the design-unique and risk-significant components (e.g., ECCS valves or NuScale helical-tube steam generators), and the lack of plant-specific information and operating experience. It is our opinion that these additional uncertainties limit the ability to extract technically sound risk-informed insights from the PRA.

NuScale performed uncertainty and sensitivity evaluations as part of the PRA quantification. In some cases, we find that the selected uncertainty ranges may not be realistic, and that the sensitivity evaluation is overly general, possibly masking relevant risk insights. Because of this, we cannot conclude that all appropriate risk-informed insights are provided by the PRA.

Specifically, a more comprehensive uncertainty/sensitivity analysis, including varying ECCS valve failure rates and steam generator tube failure frequency, could potentially uncover an underlying risk importance of the corresponding backup systems, such as CVCS. Therefore, the risk importance of the backup systems, as well as operator actions to initiate them, should be reexamined by considering their role in reducing design uncertainties associated with the performance of the ECCS valves and steam generators.

Human Errors of Commission In the Chapter 19 Safety Evaluation Report, Section 19.1.4.6.3, the staff indicated that they have audited the RBC analysis in the PRA and concluded that the calculated module drop likelihood is dominated by operator errors of commission (e.g., over speed, over raise, or over travel) and failure of instrumentation (interlocks/limit switches). However, no errors of commission are discussed or identified as important in Chapter 19, even though the module drop event dominates the CDF calculation. We identified this issue and the need for review of associated analyses, when available in the COL process, in our review of the staffs final safety evaluation on Chapters 13 and 18.

The applicant stated that the RBC design is not finalized, and that information detailing the refueling and RBC operations will be provided by procedures and training per COL Item 9.1-7, and the validity of the crane accident assumptions in the PRA model will be confirmed per COL item 19.1-8. Though we agree with the reasoning behind postponing the inclusion of the hardware failures from the RBC in risk insights (due to lack of the final design details), the corresponding operator errors of commission should be identified and evaluated for risk-significance in the PRA.

Errors of commission are also likely to be a significant contributor to risk in boron dilution scenarios.

If any errors of commission are identified as risk-significant, they should be included in the human factors engineering program, as well as in training and procedure development.

M. Doane Multi-Module Risk A NuScale plant can incorporate up to 12 modules. Evaluation of the risk of multi-module operation is based on the single-module, full-power, internal-events PRA. The multi-module risk as calculated by NuScale is defined as risk from two or more modules, given an accident involving one module. Another component of the multi-module risk is the increase in risk from a single unit associated with the operation of multiple units in the same location. The risk from a single unit would increase with the presence of the other units, not only due to the analyzed module movements, but also due to other multiple unit factors, including common systems interface requirements, sharing of mitigating systems, increases in the operator stress level or work load challenges if multiple units are affected by a common initiator, or adverse conditions that could be created during the construction or startup of a new module, as specified in 10 CFR 52.47(c)(3).

Helical-Tube Steam Generator Design The possibility of steam generator tube damage due to density wave oscillations in the tubes is discussed in our March 24, 2020 letter report, NuScale Area of Focus - Helical Tube Steam Generator Design. After this issue is addressed and the steam generator design and test results are reviewed, the quantification of the steam generator tube failure frequency and multiple tube rupture assumptions in the PRA should be reexamined.

Combustible Gas Monitoring We raised issues related to post-accident sampling of the containment atmosphere in our April 28, 2020 letter report on NuScale Combustible Gas Monitoring. After determining the systems operability, and timing details for post-accident combustible gas monitoring, the impact of its actuation on the containment isolation function and control room habitability, should be evaluated for inclusion to the Level 2 PRA.

Return to Criticality Very unlikely scenarios have been identified that can end in a return to criticality. These have no consequences with respect to fuel damage and are discussed in our April 29, 2020 letter report, NuScale Chapter 15 Analysis and Areas of FocusEmergency Core Cooling System, Return to Criticality, and Boron Distribution. Because there are no consequences associated with those scenarios, it is not important to add them to the PRA.

SUMMARY

The NuScale PRA scope is sufficient to enable the discussion of risk results and insights, and the level of detail in the PRA is consistent with its intended uses in support of design certification; i.e., to identify design alternatives, operational vulnerabilities, and to provide risk-informed support for other programs. However, there are omissions in the existing FSAR that need to be properly reflected in the PRA.

A boron dilution issue was identified and remains open. We are concerned that this class of events could lead to a potential reactivity insertion accident and core damage. The applicant is working on resolution of this issue. This resolution needs to be evaluated to determine if these scenarios should be included in the PRA at the DCA stage. Such inclusion could impact the

M. Doane reported risk measures and the risk insights as presented in Chapter 19. We cannot reach a final conclusion on the safety of the NuScale design until the issue of a potential reactivity insertion accident due to boron dilution in the downcomer is resolved.

To promote identification of valid risk insights through the COL process, we emphasize several other topics: ECCS valve performance and qualification; risk importance of the CVCS; errors of commission; risk increase to single unit operation with multiple unit operation and buildout; steam generator integrity; post-accident combustible gas monitoring; and more rigorous treatment of sensitivities and uncertainties.

We look forward to continuing interactions with the staff on these issues.

Sincerely, Digitally signed by Matthew W.

Matthew W. Sunseri Sunseri Date: 2020.06.01 10:05:38 -04'00' Matthew W. Sunseri Chairman REFERENCES

1. U. S. Nuclear Regulatory Commission, NuScale Power, LLC, Design Certification Application - Safety Evaluation With No Open Items for Chapter 19, Probabilistic Risk Assessment and Severe Accident Evaluation, December 12, 2019 (ML19143A106).
2. NuScale Power, Design Certification Application, Chapter 19, Probabilistic Risk Assessment and Severe Accident Evaluation, Revision 3, August 22, 2019 (ML19241A428).
3. U. S. Nuclear Regulatory Commission, Design Certification/Combined License-ISG-028, Assessing the Technical Adequacy of the Advanced Light-Water Reactor Probabilistic Risk Assessment for the Design Certification Application and Combined License Application, November 10, 2016 (ML16130A468).
4. U. S. Nuclear Regulatory Commission, Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2, March 1, 2009 (ML090410014).
5. Advisory Committee on Reactor Safeguards, NuScale Chapter 15: Open Item Closure and Area of Focus Reviews - Return to Criticality and Boron Distribution, April 29, 2020 (ML20115E403).
6. Advisory Committee on Reactor Safeguards, NuScale Combustible Gas Monitoring, April 28, 2020 (ML20113F049).
7. Advisory Committee on Reactor Safeguards, NuScale Area of Focus - Helical Tube Steam Generator Design, March 24, 2020 (ML20091G387).

M. Doane 8. Advisory Committee on Reactor Safeguards, Proposed Focus Area Review Approach of the Advanced Safety Evaluation Report With No Open Items for the Design Certification Application of the NuScale Small Modular Reactor, September 25, 2019 (ML19269B682).

9. Scott W. Moore, Executive Director, Advisory Committee on Reactor Safeguards, ACRS Review of NuScale Power, LLC, Design Certification Application - Safety Evaluation With No Open Items for Chapters 1, 3, 4, 6, 9, 13, 14, 15, 16, 18, 19 and 20, February 21, 2020 (ML20044D589).
10. Dennis C. Bley, Member, Advisory Committee on Reactor Safeguards, Proposed Recommendation for ACRS Review of NuScale Power, LLC, Design Certification Application - Advanced Safety Evaluation With No Open Items for Chapter 13, Conduct of Operations & Chapter 18 Human Factors Engineering, February 19, 2020 (ML20050G994).
11. Advisory Committee on Reactor Safeguards, Interim Letter - Chapter 3, Section 3.9.2, and Chapters 14, 19 and 21 of the NRC Staffs Safety Evaluation Report With Open Items Related to the Design Certification Application Review of the NuScale Small Modular Reactor, June 19, 2019 (ML19170A381).
12. Advisory Committee on Reactor Safeguards, Interim Letter: Chapters 9, 10, 11, 12 and 16 of the NRC Staffs Safety Evaluation Report With Open Items Related to the Design Certification Application Review of the NuScale Small Modular Reactor, April 17, 2019 (ML19107A174).
13. NuScale Power, Response to NRC Request for Additional Information No. 292 (eRAI No. 9128) on the NuScale Design Certification Application, February 5, 2018 (ML18036B203).
14. NuScale Power, Supplemental Response to NRC Request for Additional Information No. 292 (eRAI No. 9128) on the NuScale Design Certification Application, June 14, 2018 (ML18165A431).

M. Doane June 1, 2020

SUBJECT:

NUSCALE AREAS OF FOCUS - PROBABILISTIC RISK ASSESSMENT AND EMERGENCY CORE COOLING SYSTEM VALVE PERFORMANCE Accession No: ML20149K596 Publicly Available Y Sensitive N Viewing Rights: NRC Users or ACRS Only or See Restricted distribution *via email OFFICE ACRS/TSB SUNSI Review ACRS/TSB ACRS ACRS NAME MSnodderly MSnodderly LBurkhart SMoore (SWM) MSunseri DATE 5/28/2020 5/28/2020 5/28/2020 5/29/2020 5/31/2020 OFFICIAL RECORD COPY

Retrieved from "https://kanterella.com/w/index.php?title=ML20149K596&oldid=3359581"