ML20267A655
| ML20267A655 | |
| Person / Time | |
|---|---|
| Issue date: | 10/02/2020 |
| From: | Matthew Sunseri Advisory Committee on Reactor Safeguards |
| To: | Kristine Svinicki NRC/Chairman |
| Snodderly M, ACRS | |
UNITED STATES NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, DC 20555-0001

October 02, 2020

The Honorable Kristine L. Svinicki
Chairman
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
SUBJECT: OBSERVATIONS AND LESSONS-LEARNED FROM ACRS LICENSING REVIEWS RELEVANT TO FUTURE ADVANCED REACTOR APPLICATIONS
Dear Chairman Svinicki:
During the 678th meeting of the Advisory Committee on Reactor Safeguards (ACRS), September 9-11, 2020, we completed a self-assessment of our review of the NRC staff's advanced safety evaluation report (SER) with no open items for the NuScale Power, LLC, (NuScale, the applicant) design certification application (DCA) and standard design approval application. This self-assessment was conducted as part of our continuing effort to become more effective and assist the agency in its transformation initiatives. We considered our NuScale DCA review as supported by interactions with representatives of the NRC staff and the applicant. We also had the benefit of the documents referenced, including our prior letter reports on the safety aspects of the NuScale small modular reactor; our past reviews of design certification and early site permit applications; interactions with staff on new initiatives related to proposed non-light water reactor (LWR) advanced reactor licensing regulatory changes; and several recent reviews of topical reports for advanced reactor designs. This letter report provides observations and lessons-learned from this self-assessment for consideration during future license application reviews.
CONCLUSIONS AND RECOMMENDATIONS
Observations and lessons-learned from our self-assessment led to the following recommendations:
- A cross-cutting approach should be adopted by the staff and ACRS for conducting effective safety reviews of future applications, focused by initial chapter-by-chapter reviews that identify open items and significant cross-cutting design issues.
- To avoid significant delays late in the review process, critical topical reports should be submitted and reviewed early, particularly methodology reports that underpin the design bases and accident analyses for advanced reactors.
- Staff should ensure that the completeness of proposed new reactor designs is sufficient to demonstrate that all structures, systems, and components (SSCs) important-to-safety are appropriately identified and to support requested exemptions and waivers from the General Design Criteria.
- The time period of transient and accident analyses should be continued to the extent necessary to ensure that applicants demonstrate an effective and reliable means to place the plant in a safe, stable condition, with no ongoing degradation.
- The staff should develop guidance for the application of critical deterministic safety examinations, hazards analyses, and risk-informed methods, as well as the need for additional demonstration testing, which could include a prototype. These complementary tools would provide a more effective licensing framework for advanced reactor design applications and their review.
These items should be considered as the NRC embarks on future reviews of advanced reactor designs and in ongoing efforts related to Title 10 of the Code of Federal Regulations (10 CFR) Part 53 rulemaking.
DISCUSSION
Lesson Learned No. 1: Review Approach
A thorough technical safety review is often accomplished by breaking the scope down into manageable pieces that can be reviewed by experts in each particular field. However, there is a risk that cross-cutting issues are not easily identified if they do not easily fit into the traditional review structure (i.e., the Standard Review Plan (SRP), NUREG-0800, which is based on and tailored to the existing fleet of operating LWRs). This is especially the case for new, novel reactor concepts.
In our initial review of the staff's NuScale SER with open items, we proceeded on a chapter-by-chapter basis, along with reviews of applicable topical reports, and issued letter reports accordingly. However, to complete our final NuScale review in a more effective and expeditious manner, we proposed, in a September 25, 2019 letter to the Executive Director of Operations, to use a cross-cutting review, focusing on key safety-significant areas for the advanced SER with no open items. For completeness, individual subject matter experts from the Committee were also assigned as leads to conduct an in-depth technical review of each advanced SER chapter. The results of these chapter reviews were presented, reviewed, and approved by the full Committee.
In our focus area reviews, we then concentrated our attention on design-specific and potentially safety-significant issues that were cross-cutting over multiple SER and final safety analysis report (FSAR) chapters. This approach provided for a more complete, in-depth review of design and operational considerations that impact integrated system safety performance. This also allowed us and the staff to examine important technical and safety issues that affect more than a single SER and FSAR chapter in a more effective manner than the traditional chapter-by-chapter approach.
In the future, in addition to chapter-by-chapter reviews, the staff, as well as ACRS, should establish multidisciplinary, cross-cutting teams with diverse experience to enhance their ability to identify missing pieces of scope or design aspects that do not easily fit into the current SRP structure.
Recommendation 1: A cross-cutting approach should be adopted by the staff and ACRS for conducting effective safety reviews of future applications, focused by initial chapter-by-chapter reviews that identify open items and significant cross-cutting design issues.
Lesson Learned No. 2: Timing of Topical Report Submittals
Some key NuScale methodology topical reports were submitted late in the review process, in parallel with related chapters of the DCA instead of the traditional sequential hierarchical order wherein methodology description, demonstration, and verification and validation precede its application. This situation was far from optimal and could lead to a loss of efficiency and increased regulatory uncertainty for future applications. If issues were to be identified during a parallel methodology review, the only remedy would be to recalculate and submit revisions to the DCA, delaying final review and approval. While this approach was manageable for the NuScale review, in large measure because the codes used by NuScale had been applied in similar analyses for LWRs, it should not create a precedent for future submittals.
This is particularly true for non-LWR concepts, which are likely to have more uncertainty associated with analytical methods and their application, underlying experimental bases, and validation of models. Critical methodology topical reports that support the design basis and safety analyses should be reviewed as early in the process as possible because new reactor designs, especially non-LWRs, will generally be more dependent on analytical methods for understanding the safety response of the system.
Recommendation 2: To avoid significant delays late in the review process, critical topical reports should be submitted and reviewed early, particularly methodology reports that underpin the design bases and accident analyses for advanced reactors.
Lesson Learned No. 3: Classification of Structures, Systems, and Components and Exemptions from the General Design Criteria
Applicants may seek to gain an early determination of the classification of SSCs, particularly those that are safety-related, and others that are determined to be safety-significant or important-to-safety. Classification of SSCs will have to be reviewed on a case-by-case basis depending on the specific design, its maturity, confirmatory experimental testing, and operational experience. All SSCs important-to-safety - reliably controlling reactivity and achieving shutdown, managing residual and decay heat, and preventing and mitigating fission product release - must be appropriately identified, designed, and tested, to be commensurate with their function and to provide adequate defense in depth.
Design completeness also impacts the ability to assess requested exemptions or waivers from the General Design Criteria, a situation that is anticipated for many advanced non-LWR applications. NuScale was able to obtain exemptions from some of the General Design Criteria because of having an essentially complete design and performing detailed component and system analysis with a high degree of rigor, to substantiate the technical bases for their exemptions. This approach sets an excellent example for future applicants of the burden of proof necessary to deviate from historical regulatory requirements. If the design is not complete, accurate system analysis may not be possible, making it difficult for the staff to make a technically sound finding on the requested exemption.
Recommendation 3: Staff should ensure that the completeness of proposed new reactor designs is sufficient to demonstrate that all SSCs important-to-safety are appropriately identified and to support requested exemptions and waivers from the General Design Criteria.
Lesson Learned No. 4: Completeness of Transient and Accident Analyses
During our review of the NuScale DCA, the staff stated that the applicant was not required to review recovery or restoration activities as part of any transient and accident analyses and such activities could not be considered until the combined license phase, when operating procedures are developed. Such a delay may be justifiable if the DCA applicant can demonstrate that the plant as designed will attain a safe, stable equilibrium condition in response to a design basis event. We disagree with this approach for cases in which a system may attain a metastable state or continue to degrade. In those cases, the analysis should be carried out to the point that a stable equilibrium state is reached. When the system is metastable, perturbations could lead to a new transient or accident. For example, in the NuScale design, following a small-break loss of coolant accident with emergency core cooling system actuation, the plant can reach a point of metastable equilibrium once the primary coolant level has dropped below the top of the riser, and the downcomer continues to deborate. Under some conditions, the deborated water in the downcomer may be forced into the core region, introducing the possibility of a reactivity insertion accident.
The staff was following a review approach for the DCA that has become standard practice. In most cases for LWRs, the transient and accident analyses reach a point of stable equilibrium in relatively short order. However, when that is not the case, there is no engineering or safety basis for discontinuing the accident progression analysis or its review before the capability to reach a state of stable equilibrium is demonstrated, even if that requires the operator to diagnose the condition and take appropriate recovery actions. In addition, unintended adverse consequences of operator recovery actions deserve thorough examination for metastable system conditions.
The staff provided no documented basis to support their statement that recovery is not part of transient and accident analyses and review. Our own search of the regulations and staff guidance revealed nothing in the 10 CFR Part 50 or 52 regulations or in Chapter 15 of the SRP that invalidates our concern about prematurely terminating transient and accident analyses.
Even if such guidance existed, we would argue that the metastable equilibrium situation goes beyond the expectations of the authors of 10 CFR Part 52. The statements of consideration for the most recent 10 CFR Part 52 rulemaking in 2007 include Commission concerns that the process is new and would need to be tested and revised by application.
Recommendation 4: The time period of transient and accident analyses should be continued to the extent necessary to ensure that applicants demonstrate an effective and reliable means to place the plant in a safe, stable condition, with no ongoing degradation.
Lesson Learned No. 5: Impact of Design and Knowledgebase Completeness on the Licensing Process
Advanced non-LWR design maturity, operational performance characteristics, and supporting experimental data base are not likely to be as complete as for evolutionary LWR-based designs. There may be insufficient operating experience. These knowledge gaps and uncertainties may have important impacts on the staff's regulatory review. 10 CFR Parts 50 and 52 have provisions for technology development programs and prototype plants that may provide the best mechanism for gathering operating experience and gaining confidence in the safety of novel designs.
Traditional and probabilistic safety analyses require a common base:
- Identification of hazards, both radioactive materials that must be contained and energetic reactions that could cause direct damage or lead to release of radionuclides;
- Identification of initiating events that disturb normal operation;
- Identification of scenarios (event sequences) that could evolve from the initiating events, and their associated consequences;
- Identification of theoretical and experimental bases for fully understanding the associated physics and chemistry of possible scenarios.
The novel aspects of new technologies make the identification of hazards, initiating events, and scenarios more challenging; systematic searches will be needed. The level of design and knowledgebase completeness affects our confidence regarding the conservatism of assumptions in traditional transient and accident analyses, as well as the calculated margins.
Likewise, the lack of completeness provides a challenge for probabilistic risk assessment (PRA), which addresses the resulting uncertainties explicitly.
To address uncertainties caused by limited information, there is no substitute for critical examination of the design, its safety behavior, and all aspects of operations, starting from a blank sheet of paper to avoid bias. Historically, this examination was based upon engineering judgment tempered by regulatory precedent, operating experience, and previous analyses. The critical examination is based on engineering principles and begins with the available design; later it is prudent to compare the results against previous analyses, relevant data, and operating experience to determine what might have been left out. The staff confirmatory evaluations should make use of simple and bounding engineering analyses, whenever feasible.
There will also be a need for compensatory measures such as performing the search for hazards, initiating events, and accident scenarios with no preconceptions that could limit the creative process. Other measures could include limitations on power ascension and focused surveillance tests during initial operation. A number of analysis tools have been developed to improve the search process and they apply equally to traditional and probabilistic safety analyses. They can help formalize and add structure to the safety assessment and improve completeness. New technologies and first-of-a-kind designs have had to use these types of tools to make their safety assessments more formal and thorough. For example:
- Hazard and Operability Studies (HAZOP) have been adapted from the chemical process industry to develop HAZOP-like searches, in which engineers review the system process flow diagrams, segment-by-segment, identifying the function of each segment and possible deviations from that function, and catalog the potential consequences.
- Master Logic Diagrams have been developed to support the search for initiating events in PRAs. Here analysts lay out the ways a facility can depart from normal operations and initiate a sequence of events.
- System-level Failure Modes and Effects Analysis has been used, at both the full system level and at the train level, to determine the safety impact of failures.
- Dependency Matrices have also been developed to support PRAs. The engineer lays out a matrix of support systems against other support systems and frontline systems (those systems that provide safety and process functions). Notes associated with each element detail the effect of a support system failure on the other systems.
- Reframing has proved to be a simple, but effective approach, to help spur the imagination of engineers and avoid bias. The engineer asks, "How could I attack this system and make it fail?" (This is sometimes called a "murder board" whose job is to figure out ways to break the system.)
- The Lines of Defense approach recommended by the International Atomic Energy Agency has been applied in a systematic manner to determine if the proper level of defense-in-depth has been incorporated into the design and to assure that a balanced approach to accident prevention and mitigation is accomplished.
The collective application of these complementary approaches offers a path to license advanced non-light water designs until more directly applicable experimental and operational experience are gained.
The licensing of a prototype plant may be required to reduce uncertainties to an acceptable level in cases where there is a lack of operating experience or an inability to perform experiments with sufficient similitude to the planned full-scale design. Changes to the Atomic Energy Act of 1954 as amended, eliminated the section describing prototype or demonstration reactors. Nevertheless, prototype plants are allowed under 10 CFR Parts 50 and 52, with additional conditions (such as added safety features or instrumentation) to compensate for uncertainties with unproven safety features. Such an approach was required of previous non-LWR first-of-a-kind applications (e.g., Fort St. Vrain and Fermi Unit 1). The staff may need to evaluate and approve more detailed startup test requirements, limits on the rate of power ascension, and detailed surveillance requirements that must be met for initial operation of the unit to confirm design safety performance as documented in the FSAR. When the period of prototype testing has been successfully completed, the plant can continue to commercial operation.
Recommendation 5: The staff should develop guidance for the application of critical deterministic safety examinations, hazards analyses, and risk-informed methods, as well as the need for additional demonstration testing, which could include a prototype. These complementary tools would provide a more effective licensing framework for advanced reactor design applications and their review.
SUMMARY
This letter summarizes observations and lessons-learned from our NuScale design certification and standard design approval application reviews, informed also by our prior design certification and early site permit reviews, and interactions with staff. It provides recommendations that could improve future NRC reviews of advanced reactor designs. We look forward to working with the staff to implement these recommendations.
Sincerely,
Matthew W. Sunseri
Chairman

REFERENCES
- 1. Advisory Committee on Reactor Safeguards, Proposed Focus Area Review Approach of the Advanced Safety Evaluation Report With no Open Items for the Design Certification Application of the NuScale Small Modular Reactor, September 25, 2019 (ML19269B682).
- 2. Advisory Committee on Reactor Safeguards, Report on the Safety Aspects of the NuScale Small Modular Reactor, July 29, 2020 (ML20211M386).
- 3. Advisory Committee on Reactor Safeguards, Advanced Boiling Water Reactor Design Certification Renewal, October 31, 2019 (ML19305D117).
- 4. Advisory Committee on Reactor Safeguards, Early Site Permit - Clinch River Nuclear Site, January 9, 2019 (ML19009A286).
- 5. Advisory Committee on Reactor Safeguards, Report on the Safety Aspects of the APR1400 Pressurized-Water Reactor, July 26, 2018 (ML18206B086).
- 6. Advisory Committee on Reactor Safeguards, Supplemental Final Safety Evaluation Report on the General Electric-Hitachi Nuclear Energy (GEH) Application for Certification of the Economic Simplified Boiling Water Reactor (ESBWR) Design, April 17, 2014 (ML14107A263).
- 7. Advisory Committee on Reactor Safeguards, Revision 19 to the AP1000 Design Control Document and the AP1000 Final Safety Evaluation Report, September 19, 2011 (ML11256A180).
- 8. Advisory Committee on Reactor Safeguards, Report on the Safety Aspects of the General Electric-Hitachi Nuclear Energy Application for Certification of the Economic Simplified Boiling Water Reactor (ESBWR) Design, October 20, 2010 (ML102850376).
- 9. Advisory Committee on Reactor Safeguards, Report on the Safety Aspects of the Westinghouse Electric Company Application for Certification of the AP1000 Passive Plant Design, July 20, 2004 (ML042030026).
Matthew W. Sunseri Digitally signed by Matthew W. Sunseri Date: 2020.10.02 16:01:25 -04'00'
- 10. Advisory Committee on Reactor Safeguards, Report on the Safety Aspects of the Westinghouse Electric Company Application for Certification of the AP600 Passive Plant Design, July 23, 1998 (ML091210257).
- 11. Advisory Committee on Reactor Safeguards, Report on the Safety Aspects of the ASEA Brown Boveri - Combustion Engineering Application for Certification of the System 80+ Standard Plant Design, May 11, 1994 (ML20070S449).
- 12. Advisory Committee on Reactor Safeguards, Report on Safety Aspects of the General Electric Nuclear Energy Application for Certification of the Advanced Boiling Water Reactor Design, April 14, 1994 (ML20065M100).
- 13. Crawley, F., Tyler, B. and Preston, M., "HAZOP: Guide to Best Practice," Third Edition, April 21, 2015.
- 14. Power Authority of the State of New York and Consolidated Edison Company of New York, Inc., Indian Point Probabilistic Safety Study, March 5, 1982 (ML102520197).
- 15. United States Department of Defense, MIL-P-1629A, Procedures for Performing a Failure Mode Effect and Critical Analysis, November 24, 1980.
Accession No: ML20267A655 Publicly Available Y Sensitive N Viewing Rights: NRC Users or ACRS Only or See Restricted distribution *via email

| OFFICE | ACRS/TSB | SUNSI Review | ACRS/TSB | ACRS | ACRS |
|---|---|---|---|---|---|
| NAME | MSnodderly | MSnodderly | LBurkhart | SMoore (SWM) | MSunseri |
| DATE | 9/22/2020 | 9/22/2020 | 9/24/2020 | 10/2/2020 | 10/2/2020 |

OFFICIAL RECORD COPY