Text

2 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION LICENSING TOPICAL REPORT NEDC-33912P, REVISION 0 BWRX-300 REACTIVITY CONTROL GE-HITACHI NUCLEAR ENERGY AMERICAS, LLC 1.0 Introduction The purpose of GE-Hitachi Nuclear Energy Americas, LLC (GEH), licensing topical report NEDC-33912, Revision 0, BWRX-300 Reactivity Control, dated March 31, 2020 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML20092A016), and supplemented September 4, 2020 (ADAMS Accession No. ML20248H540), is to provide the design requirements, acceptance criteria, and regulatory basis for the BWRX-300 reactivity control design functions. Specifically, the report specifies design requirements for the following systems or functions:

reactor protection system (RPS)

(( ))

alternate rod insertion (ARI)

(( ))

rod control system In this safety evaluation (SE), the U.S. Nuclear Regulatory Commission (NRC) staff describes its review of NEDC-33912 and the acceptability of licensing topical report provisions for reactivity control for the BWRX-300 small modular reactor (SMR). In response to an NRC staff request for additional information, GEH submitted a letter dated August 3, 2020 (ADAMS Accession No. ML20216A748). The NRC staff will evaluate the compliance of the final design of the reactivity control features for the BWRX-300 SMR during future licensing activities in accordance with Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic licensing of production and utilization facilities, or 10 CFR Part 52, Licenses, certifications, and approvals for nuclear power plants, as applicable. In this SE, double brackets indicate proprietary information.

2.0 Technical Description of Reactivity Control 2.1 General Introduction Section 2.1, General Introduction, of NEDC-33912 provides high-level information about the BWRX-300 and reactivity control. The BWRX-300 is a water-cooled, natural circulation-driven SMR with a power output of about 300 megawatts electric and target applications to include baseload and load-following electrical generation. GEH described how the BWRX-300 built upon nine previous generations of the boiling-water reactor (BWR) and evolved from the NRC-licensed economic simplified boiling-water reactor (ESBWR). GEH stated that the

2 BWRX-300 incorporates design, analysis, and operating experience from the BWR operating fleet, advanced boiling-water reactor (ABWR), and ESBWR and adds design improvements and new defense-in-depth (DID) design features and functions.

2.2 Systems and Components for Control of Reactivity Section 2.2, Systems and Components for Control of Reactivity, of NEDC-33912 states that the BWRX-300 relies on control rods and burnable poisons for reactivity control. Control rods are the primary means of achieving shutdown in normal operations, anticipated operational occurrences (AOOs), postulated accidents, beyond-design-basis events, and severe accident scenarios. GEH provided the following design requirements:

The core design and control rods together provide ample shutdown margin to ensure that the reactor can remain shut down in a cold, xenon-free condition at any time in cycle with the highest worth control rod pair associated with an individual hydraulic control unit (HCU) withdrawn.

Control rods are positioned in fine increments for normal operation and may be inserted rapidly by multiple means to achieve shutdown.

Section 2.2.1, Control Rods, and Section 2.2.2, Control Rod Drives, of NEDC-33912 describe those components for the BWRX-300 and identify associated design requirements.

The control rods are designed for significant power changes during reactor startup and shutdown, for normal power changes during operation, and to provide ample shutdown margin.

The BWRX-300 fine motion control rod drives (FMCRDs) use two diverse motive forces for positioning the control rods. During normal operation, each control rod is positioned by a non-safety-related electric motor drive. For a rapid shutdown, control rods are inserted via a safety-related hydraulic scram that is initiated by opening the scram valves on each accumulator water discharge path.

The staff notes that the BWRX-300 design also relies on (( )) and feedwater level control system to control reactivity and meet pertinent regulatory requirements. Section 4.0 of this SE documents the staffs review of specific regulations associated with reactivity control.

2.3 BWRX-300 Associated Mitigating Systems 2.3.1 Isolation Condenser System The BWRX-300 ICS is a safety-related, passive system designed to remove heat from, and provide overpressure protection for, the reactor when the normal heat removal system is unavailable due to sudden reactor isolation at power operating conditions, station blackout, anticipated transients without scram (ATWS), and loss-of-coolant accidents. NEDC-33910P, BWRX-300 Reactor Pressure Vessel Isolation and Overpressure Protection (ADAMS Accession No. ML20174A574), and associated staff SE (ADAMS Accession No. ML20176A446) describe the ICS in detail. Section 2.3, BWRX-300 Associated Mitigating Systems, of NEDC-33912 states that (( ))

3 resulting from events that require a rapid reactor shutdown if the reactor scram fails or is delayed. Section 2.3.1, Isolation Condenser System, of NEDC-33912 states that the (( )),

which the NRC staff notes would also have the effect of (( )).

Sections 3.7.1 and 4.1.1 of this SE provide additional GEH design requirements for the ICS specific to ATWS and the staffs evaluation regarding the requirements in 10 CFR 50.62, Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants.

3.0 Defense-in-Depth of Reactivity Control Functions 3.1 General Overview of Defense-in-Depth Concept GEH used a plant-level DID concept based on International Atomic Energy Agency (IAEA)

Specific Safety Requirements (SSR)-2/1, Safety of Nuclear Power Plants: Design, for the BWRX-300 design, including the arrangement of design features and functions into defense lines (DLs) analogous to the levels of defense defined in IAEA SSR-2/1. NEDC-33912 states that the IAEA DID concept defines the design and analysis rules governing that arrangement, such that DLs have good alignment with the safety assessments defined in a BWRX-300 safety assessment framework used to demonstrate plant safety. The DID concept is applied to the BWRX-300 systems and equipment responsible for performing functions assigned to one of five DLs. For each DL, NEDC-33912 provides a brief description and a list of design features or measures associated with reactivity control.

Although NEDC-33912 provides detailed information related to design philosophy and the DL approach adopted for the BWRX-300, the staff does not intend to review or make a determination on the acceptability of IAEA SSR-2/1 as part of this SE. Instead, the staff evaluated and based its findings on the design that resulted from the engineering design process applied to develop the BWRX-300.

Sections 3.2 through 3.6 of this SE summarize the five DLs applied to the BWRX-300 related to reactivity control, as described in NEDC-33912. These sections also identify the resultant BWRX-300 reactivity control design features associated with each defense line.

3.2 Defense Line 1 DL1 minimizes the potential for accidents to occur by applying high quality and conservatism in plant design, construction, operations, and maintenance. DL1 does not include performance of plant functions.

3.3 Defense Line 2 DL2 encompasses plant functions designed to control or respond to initiating events before any plant parameters reach a DL3 actuation setpoint. DL2 functions are not considered

4 safety-related; however, appropriate quality and reliability measures are applied to ensure functional performance as a DID measure.

DL2 features important for reactivity control include the following:

(( ))

(( ))

(( ))

normal control of control rod system control rod blocks to mitigate incorrect rod withdrawals NEDC-33912 specifies that the DL2 functions must be performed independently from DL3 and DL4 functions, and any portion of DL2 functions subject to common-cause failure must be performed diversely from corresponding portions of DL3 or DL4 functions.

3.4 Defense Line 3 DL3 contains plant functions that mitigate an initiating event by preventing fuel damage when possible, protecting the integrity of fission product barriers, placing the plant in a safe state, and maintaining the plant in a safe condition following an event until normal operations are resumed.

DL3 functions typically include reactor scram and actuation of engineered safety features. DL3 functions are needed when DL2 is not effective. DL3 functions are considered safety-related.

DL3 features important for reactivity control include the following:

RPS hydraulic scram

(( ))

3.5 Defense Line 4 DL4a functions can place and maintain the plant in a safe state following initiating events with failure of DL3 functions. The DL4a functions are intended to prevent the progression of accidents and radioactive release to the public.

DL4b functions prevent or mitigate a severe accident while maintaining radioactive releases at acceptable levels. DL4b also provides protection for events that exceed DL1 assumptions regarding initiating events as a result of extreme events, multiple events, or multiple failures.

DL4 features important for reactivity control include the following:

ARI, which provides hydraulic scram in the event of an HCU failure electric motor run-in of the FMCRDs

5 3.6 Defense Line 5 DL5 addresses offsite emergency preparedness to protect the public from substantial radioactive releases. DL5 does not include the performance of plant functions.

3.7 Specific Reactivity Control Events Considered in Defense-in-Depth Concept Section 3.7, Specific Reactivity Control Events Considered in Defense-in-Depth Concept, of NEDC-33912 summarizes how the BWRX-300 reactivity control features affect select reactivity events. The descriptions are not intended to capture all BWRX-300 event sequences.

3.7.1 Anticipated Transient Without Scram Section 3.7.1, Anticipated Transient Without Scram (ATWS), of NEDC-33912 describes diverse scram features of the BWRX-300 that prevent or mitigate ATWS events. In addition to the safety-related RPS, the BWRX-300 design includes (( )) to perform a reactor shutdown. As required by 10 CFR 50.62(c)(3), the BWRX-300 includes an ARI system as a backup means to depressurize the HCU air header in the event the HCUs receive a valid scram signal but fail to insert the control rods. If hydraulic insertion fails, (( )).

Because the BWRX-300 uses natural circulation, the typical means to adjust power and flow with recirculation pumps is not applicable. Instead, the BWRX-300 uses the following thermal-hydraulic means of suppressing or limiting power:

(( ))

(( )).

NEDC-33912, Section 3.7.1, also identifies acceptance criteria for evaluating the effectiveness of the diverse reactivity control system shutdown methods and design requirements associated with ATWS prevention and mitigation. The specific design requirements include the following:

((

))

The RPS initiates a reactor scram based on signals and setpoints needed to support safety analysis credited trips.

((

))

The ARI provides a diverse means to actuate the HCUs upon sensing a failure to scram.

FMCRDs receive an electric motor run-in signal upon sensing a parameter requiring a scram.

6

(( ))

FMCRD insertion time limits are established based on meeting the acceptance criteria of the safety analyses.

The NRC staff considers the BWRX-300 to be an evolutionary design. NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants:

LWR Edition (SRP), Section 15.8, Anticipated Transients Without Scram, states, [a]pplicants

[for evolutionary designs] must demonstrate that the failure probability of failing the ATWS success criteria is sufficiently small because either: (1) the criteria are met, or (2) a diverse scram system is installed that reduces significantly the probability of a failure to scram.

The NRC staff finds the acceptance criteria in NEDC-33912, Section 3.7.1, for evaluating reactivity control system effectiveness for ATWS events consistent with SRP Section 15.8 item (1) above and, therefore, acceptable. Alternatively, an applicant for a BWRX-300 SMR could use a probabilistic approach for the reliability of the diverse scram system, as described in Section 4.1.1 of this SE, to satisfy SRP Section 15.8 item (2) above. In addition, the NRC staff finds the above design requirements associated with ATWS prevention and mitigation are consistent with the requirements of 10 CFR 50.62. When the NRC receives an application for a BWRX-300 SMR, the staff will perform a detailed evaluation of the analysis that demonstrates the effectiveness of the ATWS mitigation systems described above to confirm that 10 CFR 50.62 is met or that an appropriate justification for an exemption is included.

Section 4.1.1 of this SE provides a detailed regulatory assessment of 10 CFR 50.62.

3.7.2 Control Rod Drop Accident Section 3.7.2, Control Rod Drop Accident, of NEDC-33912 describes the design features of the BWRX-300 that prevent and mitigate a control rod drop accident (CRDA). Consistent with the NRC-approved ESBWR design, the BWRX-300 uses FMCRDs that use a bayonet-style coupling, which is a different design than that used in the operating fleet. This coupling requires a 45-degree rotation to uncouple, which is physically prevented because the fuel assemblies in the core constrain the cruciform control blade on all sides. In addition, the BWRX-300 employs dual separation detection devices that implement a control rod withdrawal block if they detect separation of the control rod and the drive mechanism.

The NRC staff finds that GEHs design requirements, along with a design-basis safety analysis of the CRDA event for the BWRX-300, as described in Section 4.1.11 of this SE and in conformance with Limitation and Condition 5.2 of this SE, are consistent with the requirements of 10 CFR Part 50, Appendix A, General Design Criteria for Nuclear Power Plants, General Design Criterion (GDC) 28, Reactivity limits, and are therefore acceptable. The NRC staff will perform a detailed evaluation to confirm that the final design features and associated analysis satisfy the regulatory requirements of GDC 28 when the agency receives an application for a BWRX-300 SMR. SE Section 4.1.11 provides a detailed regulatory assessment of GDC 28.

7 3.7.3 Rod Withdrawal Error Section 3.7.3, Rod Withdrawal Error, of NEDC-33912 describes the design and mitigating features for ensuring that specified acceptable fuel design limits (SAFDLs) are not exceeded for rod withdrawal error events. The BWRX-300 rod control system employs redundancy to limit the effect of single failures. If a malfunction of the rod control system during operation results in a rod withdrawal error, nuclear instrumentation is used to generate a rod block or reactor scram.

The NRC staff finds that the design requirements of the (1) source range neutron monitors to provide a period-based rod block function during startup, (2) source range neutron monitors to provide a period-based reactor scram signal during startup, and (3) average power range monitors to provide a high-flux reactor scram signal during power operations, as described in NEDC-33912, Section 3.7.3, are consistent with the requirements of GDC 25, Protection system requirements for reactivity control malfunctions, and are therefore acceptable. The NRC staff will perform a detailed evaluation, relative to rod withdrawal errors, to confirm GDC 25 is met when the agency receives an application for a BWRX-300 SMR. SE Section 4.1.8 provides a detailed regulatory assessment of GDC 25.

4.0 Regulatory Evaluation Section 4.0, Regulatory Evaluation, of NEDC-33912 provides statements of compliance for the regulations in 10 CFR Part 50 GEH determined to be related to the reactivity control design features of the BWRX-300 SMR and design-specific information associated with pertinent NRC guidance.

NEDC-33912 describes the intent to meet each of the relevant regulatory requirements for the BWRX-300 SMR. In some instances, NEDC-33912 indicates that specific design requirements for the BWRX-300 systems and components will be provided during future licensing activities.

The sections below provide the staffs evaluation of the preliminary design information related to each regulation. The staff will conduct additional evaluations during future licensing activities.

4.1 10 CFR Part 50 Regulations This section addresses only those regulations that GEH included in NEDC-33912. When the NRC receives an application for a BWRX-300 SMR, the staff will review the application against all applicable regulatory requirements.

4.1.1 10 CFR 50.62 The regulations in 10 CFR 50.62 address the reduction of risk from ATWS for commercial light-water reactors. In 10 CFR 50.62(c)(3) through (c)(5), the NRC provides requirements specific to BWRs that are discussed below.

8 10 CFR 50.62(c)(3)

The regulation in 10 CFR 50.62(c)(3) requires that each BWR must have an ARI system that is diverse (from the reactor trip system) from sensor output to the final actuation device. The ARI system must have redundant scram air header exhaust valves. The ARI must be designed to perform its function in a reliable manner and be independent (from the existing reactor trip system) from sensor output to the final actuation device. Section 2.2.2.2 of NEDC-33912 describes the ARI system for the BWRX-300. The ARI system provides a diverse means of depressurizing the scram air header to ensure that the HCU stored energy is released to cause a reactor scram. NEDC-33912 specifies that the BWRX-300 design will meet the requirements of 10 CFR 50.62(c)(3). The staff finds the approach described in NEDC-33912 consistent with 10 CFR 50.62(c)(3) and, therefore, acceptable. The staff will conduct a detailed evaluation to confirm that 10 CFR 50.62(c)(3) is met when the NRC receives an application for a BWRX-300 SMR.

10 CFR 50.62(c)(4)

The regulation in 10 CFR 50.62(c)(4) requires that each BWR must have a standby liquid control system (SLCS), capable of injecting a highly borated water solution into the RPV. The SLCS initiation must be automatic and designed to perform its function in a reliable manner.

Section 4.1.1, 10 CFR 50.62, of NEDC-33912 states that the BWRX-300 includes a (( )).

For example, the reactor can be shut down by using the FMCRD electric motor run-in function.

(( )).

GEH concluded that (( )).

According to GEH, the NRC outlined the basis for ATWS rule requirements in SECY-83-293, Amendments to 10 CFR 50 Related to Anticipated Transients Without Scram (ATWS) Events, dated July 19, 1983, which concluded that additional ATWS safety requirements were justified and included the stipulation to reduce the risk of core damage because of ATWS to be less than 1x10-5 per reactor year. NUREG-1780, Regulatory Effectiveness of the Anticipated Transient Without Scram Rule, issued September 2003, reiterates that during the ATWS rulemaking, the NRC staff set a goal that the P(ATWS) should be no more than 1x10-5 per reactor year.

P(ATWS) was defined as the annual frequency of an ATWS leading to plant conditions that exceed certain design parameters that can result in core melt, containment failure, and the release of radioactivity and can be viewed as the expected core damage frequency of an unmitigated ATWS. NEDC-33912 states that (( )) GEH asserted that (( ))

Based on the above, GEH concluded (( ))

In addition to the documents GEH referenced in NEDC-33912, the staff notes that Staff Requirements Memorandum (SRM)-SECY-90-016, SECY-90-16Evolutionary Light Water Reactor (LWR) Certification Issues and Their Relationships to Current Regulatory Requirements, dated June 26, 1990, provides the NRC position that if an applicant can demonstrate that the consequences of an ATWS are acceptable, the staff should accept the demonstration as an alternative to the prescriptive requirements of 10 CFR 50.62. While the

9 Commission direction in SRM-SECY-90-016 was specific to the diverse scram requirements of 10 CFR 50.62, the staff considers this direction as also being applicable to the prescriptive requirements for a SLCS, which historically serves as an additional means to shut down the reactor. In addition, SRP Section 15.8 states that applicants for evolutionary designs must demonstrate that the failure probability of failing the ATWS success criteria is sufficiently small because either: (1) the criteria are met, or (2) a diverse scram system is installed that reduces significantly the probability of a failure to scram.

Based on the above, the staff finds use of the risk goal for the BWRX-300, as described in NEDC-33912, of P(ATWS) less than 1x10-5 per reactor year acceptable because it is consistent with the intent of 10 CFR 50.62 as described in SECY 83-293 and NUREG-1780. The staff concludes that an analysis that demonstrates P(ATWS) is less than 1x10-5 per reactor year (( ))

could support an exemption from 10 CFR 50.62(c)(4). When the NRC receives an application for a BWRX-300, the staff will conduct an evaluation of reliability or probabilistic analysis that demonstrates the P(ATWS) criterion is met (( )), conforms with Limitation and Condition 5.1 of this SE, and confirms that special circumstances justify an exemption from 10 CFR 50.62(c)(4).

10 CFR 50.62(c)(5)

The regulation in 10 CFR 50.62(c)(5) requires that each BWR have equipment to automatically trip the reactor coolant recirculation pumps under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner.

NEDC-33912 specifies that the BWRX-300 uses natural circulation for reactor coolant flow; therefore, the action of tripping reactor recirculation pumps to limit core flow and power is not applicable. NEDC-33912 also states that the BWRX-300 (( ))

SRP Section 15.8 provides guidance acceptable to the staff for satisfying 10 CFR 50.62 and states the following:

[f]or evolutionary plants, some of the equipment required to satisfy the rule may not (sic) apply. For example, passive BWRs do not have recirculation pumps; therefore, these designs cannot provide equipment to trip them as required by the rule. For these designs provision of an equivalent action such as reducing the vessel water level may be acceptable.

Based on the above, the staff agrees that the provisions of 10 CFR 50.62(c)(5) are not applicable to the BWRX-300 because it is a passive design and does not include reactor coolant recirculation pumps. In addition, (( )) provides an appropriate compensating measure and is consistent with the staffs expectations described in SRP Section 15.8. The staff will conduct a detailed evaluation to confirm 10 CFR 50.62(c)(5) is not applicable when the NRC receives an application for a BWRX-300 SMR.

10 4.1.2 10 CFR Part 50, Appendix A, General Design Criterion 12, Suppression of Reactor Power Oscillations GDC 12 requires that the reactor core and associated coolant, control, and protection systems be designed to assure that power oscillations that can result in conditions exceeding SAFDLs are not possible or can be reliably and readily detected and suppressed.

Section 4.1.2, 10 CFR 50 Appendix A, GDC 12, in NEDC-33912 states the BWRX-300 design addresses stability by using an RPV chimney that increases natural circulation core flow so that a margin to instability is maintained for all modes of operation. NEDC-33912 specifies that the BWRX-300 maintains a coupled power-flow response such that any initial perturbation that does not cause an immediate scram is naturally damped and decays quickly to steady state. In addition, NEDC-33912, Section 4.1.2, states that the relatively small core of the BWRX-300 prevents it from being susceptible to regional modes of oscillation. NEDC-33912 concludes that the BWRX-300 design will meet the requirements of GDC 12 without the need for stability detection and an associated trip system.

The staff finds the approach, as described in NEDC-33912, in combination with the analysis prescribed in Limitation and Condition 5.3 of this SE, can demonstrate compliance with GDC 12.

The NRC staff will conduct a detailed evaluation of the thermal-hydraulic codes, methods, and analysis results used to demonstrate that GDC 12 is met without the need for a special stability detection and trip system for all modes of operation, including startup, when the NRC receives an application for a BWRX-300 SMR.

4.1.3 10 CFR Part 50, Appendix A, General Design Criterion 20, Protection System Functions GDC 20 requires that the protection system be designed (1) to automatically initiate the operation of appropriate systems, including the reactivity control systems, to assure that SAFDLs are not exceeded as a result of AOOs and (2) to sense accident conditions and to initiate the operation of systems and components important to safety.

Section 4.1.3, 10 CFR 50 Appendix A, GDC 20, of NEDC-33912 states, in part, the following:

[t]he RPS provides timely and appropriate protection to provide a reactor scram for events exceeding limits. These systems ensure that SAFDLs are not exceeded. Scram trip settings are selected and verified to be far enough above or below operating levels to provide proper protection but not be subject to spurious scrams.

GEH concludes that the BWRX-300 design will meet the requirements of GDC 20, and the analyses to demonstrate compliance will be provided during future licensing activities.

The staff finds the approach for the RPS, as described in NEDC-33912, consistent with GDC 20 and, therefore, acceptable. The NRC staff will conduct a detailed evaluation of the protection systems functions to ensure compliance with GDC 20 when the NRC receives an application for a BWRX-300 SMR.

11 4.1.4 10 CFR Part 50, Appendix A, General Design Criterion 21, Protection System Reliability and Testability GDC 21 requires that the protection system be designed for high-functional reliability and in-service testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

Section 4.1.4, 10 CFR 50 Appendix A, GDC 21, of NEDC-33912 states the following:

[t]he BWRX-300 uses Safety Class 1, safety-related equipment to ensure that high quality is achieved. The system includes redundancy to ensure that trips are reliably enforced, even in the case of a failure of a portion of the system. The ability to test and verify operability is included in the design.

GEH concludes that the BWRX-300 design will meet the requirements of GDC 21.

The staff finds the approach, as described in NEDC-33912, consistent with GDC 21 and, therefore, acceptable. The NRC staff will conduct a detailed evaluation of the protection system reliability and testability characteristics to ensure compliance with GDC 21 when the NRC receives an application for a BWRX-300 SMR.

4.1.5 10 CFR Part 50, Appendix A, General Design Criterion 22, Protection System Independence GDC 22 requires that the protection system be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels, do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

Section 4.1.5, 10 CFR 50 Appendix A, GDC 22, of NEDC-33912 states, in part, the following:

RPS provides a reactor scram when pre-set limits are reached. In addition to the diversity provided by these multiple layers of defense, the appropriate redundancy is included to ensure that reliability is maintained even in the event of failures. The RPS is Safety Class 1, safety-related equipment to ensure that high quality is achieved. The RPS and associated sensors and actuation devices are protected from natural phenomena and are designed as fail-safe to ensure that the safety function is maintained.

12 GEH concludes that the BWRX-300 design will meet the requirements of GDC 22.

The staff finds the approach for the RPS, as described in NEDC-33912, consistent with GDC 22 and, therefore, acceptable. The NRC staff will conduct a detailed evaluation of the protection system independence characteristics to ensure compliance with GDC 22 when the NRC receives an application for a BWRX-300 SMR.

4.1.6 10 CFR Part 50, Appendix A, General Design Criterion 23, Protection System Failure Modes GDC 23 requires that the protection system be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced.

Section 4.1.6, 10 CFR 50 Appendix A, GDC 23, of NEDC-33912 states the following:

[t]he BWRX-300 protection system, RPS, is designed such that it fails in a safe state. Upon loss of electrical power or motive force (i.e., air to the HCUs), a reactor scram occurs. The HCUs use stored energy for control rod insertion that are activated by the loss of electrical power to the actuating solenoids. This design ensures a safe state is achieved.

GEH concludes that the BWRX-300 design will meet the requirements of GDC 23.

The staff finds the approach, as described in NEDC-33912, consistent with GDC 23 and, therefore, acceptable. The NRC staff will conduct a detailed evaluation of the protection system failure modes to ensure compliance with GDC 23 when the NRC receives an application for a BWRX-300 SMR.

4.1.7 10 CFR Part 50, Appendix A, General Design Criterion 24, Separation of Protection and Control Systems GDC 24 requires that the protection system be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.

Section 4.1.7, 10 CFR 50 Appendix A, GDC 24, of NEDC-33912 states, [t]he BWRX-300 protection system, RPS, is separated from the control systems such as the rod control system such that the RPS effectively performs its function independent of the control systems. GEH concluded that the BWRX-300 design will meet the requirements of GDC 24.

13 The staff finds the approach, as described in NEDC-33912, consistent with GDC 24 and, therefore, acceptable. The NRC staff will conduct a detailed evaluation of the separation between protection and control systems to ensure compliance with GDC 24 when the NRC receives an application for a BWRX-300 SMR.

4.1.8 10 CFR Part 50, Appendix A, General Design Criterion 25, Protection System Requirements for Reactivity Control Malfunctions GDC 25 requires that the protection system be designed to assure that SAFDLs are not exceeded for any single malfunction of the reactivity control systems, such as accidental withdrawal (not ejection or dropout) of control rods.

Section 4.1.8, 10 CFR 50 Appendix A, GDC 25, of NEDC-33912 states that the BWRX-300 RPS, together with other mitigating design features, ensures that SAFDLs are not exceeded for reactivity control malfunctions. Design features and operating strategies that limit the effect of single failures in the reactivity control systems include redundancy in the rod control system, rod patterns, and rod blocks. The RPS provides protection for rod control system malfunctions through power-related trips, as discussed in Section 3.7.3 of this SE.

The staff finds the approach, as described in NEDC-33912, consistent with GDC 25 and, therefore, acceptable. The NRC staff will conduct a detailed evaluation of protection system adequacy to mitigate reactivity control malfunctions to ensure compliance with GDC 25 when the NRC receives an application for a BWRX-300 SMR.

4.1.9 10 CFR Part 50, Appendix A, General Design Criterion 26, Reactivity Control System Redundancy and Capability GDC 26 requires that two independent reactivity control systems of different design principles be provided. One of the systems shall use control rods, preferably including a positive means for inserting the rods, and shall be capable of reliably controlling reactivity changes to assure that under conditions of normal operation, including AOOs, and with appropriate margin for malfunctions such as stuck rods, SAFDLs are not exceeded. The second reactivity control system shall be capable of reliably controlling the rate of reactivity changes resulting from planned, normal power changes (including xenon burnout) to assure acceptable fuel design limits are not exceeded. One of the systems shall be capable of holding the reactor core subcritical under cold conditions.

Section 4.1.9, 10 CFR 50 Appendix A, GDC 26, of NEDC-33912, states that the BWRX-300 includes two independent reactivity control systems of different design principles. The first uses control rods, which can be inserted rapidly through hydraulic scram or more slowly using the FMCRD electric motors. NEDC-33912, Section 4.1.9, cites multiple means to achieve hydraulic scram ((( )), RPS, and ARI) to provide high confidence that a scram will be initiated when required. The rod control system using the FMCRDs would be used to accommodate normal power changes and provide non-safety-related continuous run-in capability to achieve shutdown. In addition, NEDC-33912 states that the control rods are capable of holding the reactor core subcritical under cold conditions.

14 The staff has previously interpreted the GDC 26 terms independent and different design principles to indicate that no credited reactivity control systems or components can be shared and are different enough such that no common failure modes exist. In response to staff questions, GEH revised NEDC-33912, Section 4.1.9, to state that the second independent reactivity control system is the feedwater level control system. The feedwater level control system controls reactivity by controlling the downcomer water level, which affects natural circulation core flow and, therefore, core power. GEH indicated that this function is analogous to the reactor recirculation flow control that is typically credited as the second reactivity control system in forced circulation BWRs. GEH also stated that the feedwater level control system can be used to adjust the downcomer water level during normal power operation, and additional means are available to adjust the water level in other modes of operation.

GEH referenced gadolinium burnable poison in the discussion of compliance with GDC 26. The NRC staff notes that burnable poisons do not constitute a reactivity control system in the context of GDC 26; however, burnable poisons are a means of controlling reactivity and influence the reactivity requirements of the credited reactivity control systems.

The NRC staff finds this approach, as described in NEDC-33912, consistent with GDC 26 and, therefore, acceptable. The NRC staff will conduct a detailed evaluation to confirm the capability of the control rods and the feedwater level control system to reliably control reactivity and prevent exceeding SAFDLs in accordance with GDC 26 when the NRC receives an application for a BWRX-300 SMR.

4.1.10 10 CFR Part 50, Appendix A, General Design Criterion 27, Combined Reactivity Control Systems Capability GDC 27 requires that the reactivity control systems shall be designed to have a combined capability, in conjunction with poison addition by the emergency core cooling system, of reliably controlling reactivity changes to assure that, under postulated accident conditions and with appropriate margin for stuck rods, the capability to cool the core is maintained.

Section 4.1.10, 10 CFR 50 Appendix A, GDC 27, of NEDC-33912 describes how the (( ))

provides the core cooling function following a postulated accident, and, as discussed in Section 4.1.1 of this SE, the BWRX-300 design (( )). In addition, NEDC-33912, Section 4.1.10, states that future licensing actions will provide the evaluation to demonstrate compliance with GDC 27 and will consider the highest worth control rod pair associated with an individual HCU to be fully withdrawn. GEH concluded that the BWRX-300 control rods, FMCRDs, and actuation systems ensure adequate shutdown margin, capability, redundancy, and diversity such that there is no need for combined reactivity control systems as required by GDC 27. GEH stated that, in these particular circumstances, GDC 27 would not serve the underlying purpose of the rule or is not necessary to achieve the underlying purpose of the rule. Instead, GEH proposed Principal Design Criterion (PDC) 27, Reactivity control system capability, which states the following:

The BWRX-300 reactivity control system shall be designed to have the capability of reliably controlling reactivity changes to assure that under postulated accident

15 conditions and with appropriate margin for stuck rods the capability to cool the core is maintained.

The staff notes, as stated in SECY-18-0099, NuScale Power Exemption Request from 10 CFR Part 50, Appendix A, General Design Criteria 27, Combined Reactivity Control Systems Capability, that the intent of GDC 27 is to require reactor designs to achieve and maintain long-term subcriticality using only safety-related equipment following a postulated accident with margin for stuck control rods. NEDC-33912, Section 4.1.9, states that the insertion of the control blades provides the capability to hold the reactor subcritical under cold conditions. The staff finds that an analysis that demonstrates the BWRX-300 control rods alone provide adequate shutdown margin for long-term subcriticality following a postulated accident such that the ability to cool the core is maintained could support an exemption to GDC 27 and replacement with proposed PDC 27. The staff will conduct a detailed evaluation of the safety-related reactivity control system and confirm that special circumstances are present for justification of an exemption when the NRC receives an application for a BWRX-300 SMR.

4.1.11 10 CFR Part 50, Appendix A, General Design Criterion 28 GDC 28 requires the reactivity control systems be designed with appropriate limits on the potential amount and rate of reactivity increase to assure that the effects of postulated reactivity accidents can neither (1) result in damage to the reactor coolant pressure boundary greater than limited local yielding nor (2) sufficiently disturb the core, its support structures, or other RPV internals to significantly impair the capability to cool the core. These postulated reactivity accidents shall include consideration of rod ejection (unless prevented by positive means), rod dropout, steam line rupture, changes in reactor coolant temperature and pressure, and cold-water addition.

According to GEH, GDC 28 is satisfied by providing reactivity control system features that mitigate the postulated reactivity accidents that could damage the reactor coolant pressure boundary greater than limited local yielding or damage that significantly impairs core cooling capability. These features include the FMCRD system and rod control system, which incorporate appropriate limits on the potential amount and rate of reactivity increase, physical design of the FMCRD system, including the bayonet style coupling, FMCRD mechanism latches, and FMCRD separation switches.

In response to staff questions, GEH stated the following in its letter dated August 3, 2020 (ADAMS Accession No. ML20216A748):

[t]he BWRX-300 uses Global Nuclear Fuel (GNF)-2 fuel, with a core design that is similar to the BWR operating fleet. The approved CRDA methodology

[Licensing Topical Report NEDE-33885P-A, Revision 1, Control Rod Drop Accident Methodology] will be applied to the BWRX-300 to demonstrate that cladding failures do not occur for the postulated (albeit incredible) CRDA. The results of the rod drop calculations will be discussed in the Probabilistic Risk Assessment (PRA) analysis that will be summarized in a [future licensing activity].

16 Section 15.4.7.3 of NUREG-1666, Final Safety Evaluation Report Related to the Certification of the Economic Simplified Boiling-Water Reactor Standard Design, Volume 3, issued April 2014 (ADAMS Accession No. ML14099A532), states that because of the potential consequences of an unrestricted reactivity excursion and to ensure compliance with GDC 28, analysis of a CRDA is required to demonstrate reactor coolant pressure boundary integrity and acceptable radiological consequences for the CRDA, irrespective of the probability of a CRDA. As such, the staff considers a CRDA to be a design-basis postulated reactivity accident. Absent an exemption to GDC 28 justifying a beyond-design-basis CRDA classification, the CRDA analysis should be performed in accordance with design-basis analysis assumptions, and the result of the analysis should be documented consistent with other design-basis transients and accidents (i.e., Chapter 15 of the final safety analysis report). To ensure this treatment, the staff developed Limitation and Condition 5.2 of this SE.

NEDC-33912, Section 4.1.11, states that the safety analyses to demonstrate compliance with GDC 28, including each of the specified transients and accidents, will be provided during future licensing activities. The CRDA event applied to an equilibrium cycle will be analyzed using the approved GNF CRDA methodology (NEDE-33885P-A) following confirmation of its applicability to the final BWRX-300 design. In addition, GNF has indicated plans to deviate from NEDE-33885P-A and will provide information in future licensing activities to support a conclusion that additional cycle-by-cycle CRDA evaluations are not warranted. The staff will review this information and make a finding on the acceptability of this approach at that time.

Based on the design features of the BWRX-300 and, specifically, the ability of the rod control system to implement control rod patterns and control rod blocks, along with the additional analyses described in NEDC-33912 (including a CRDA event analyzed consistent with NEDE-33885P-A and in conformance with Limitation and Condition 5.2 of this SE) that will be performed to support future licensing activities, the NRC staff finds this approach consistent with GDC 28 and, therefore, acceptable. The NRC staff will conduct a detailed evaluation to confirm that GDC 28 is satisfied and cycle-by-cycle CRDA evaluations are not warranted when the NRC receives an application for a BWRX-300 SMR.

4.1.12 10 CFR Part 50, Appendix A, General Design Criterion 29, Protection Against Anticipated Operational Occurrences GDC 29 requires that the protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of AOOs.

NEDC-33912 states that the BWRX-300 rod control system enforces control rod withdrawal limits and prevents inappropriate control rod withdrawal. Further, NEDC-33912 states that the safety-related means of quickly inserting the control rods is from the control rod drive hydraulic scram system. Section 4.1.12, 10 CFR 50 Appendix A, GDC 29, of NEDC-33912 states that the RPS hydraulic scram function is designed to high quality, and associated sensors and actuation devices are protected from natural phenomena and are designed as fail safe to ensure that the safety function is maintained. Lastly, NEDC-33912, Section 4.1.12, concludes that the BWRX-300 design will meet the requirements of GDC 29.

17 The staff notes that the BWRX-300 design, as described in NEDC-33912, contains an (( ))

and NEDC-33912 does not describe the design and quality requirements applied to the system.

Therefore, the staff bases its finding on the approach described above related to the safety-related RPS hydraulic scram function. The staff finds this approach consistent with GDC 29 and, therefore, acceptable. The staff will conduct a detailed evaluation of RPS and reactivity control system functional reliability, quality, separation, independence, and testability to confirm GDC 29 is satisfied when the NRC receives an application for a BWRX-300 SMR.

4.2 NUREG-0800 Guidance The BWRX-300 employs novel design features and strategies to ensure safety at the facility.

Section 4.2, NUREG-0800 Standard Review Plan Guidance, of NEDC-33912 identified applicable guidance, clarifications, and departures from SRP Section 4.3, Nuclear Design; Section 7.2, Reactor Trip System; and Section 15.8. Currently, the NRC does not plan to update or develop staff guidance specific to BWRX-300. GEH recommends that the staff can use the existing SRPs during a future licensing review. The staff agrees that the existing SRPs are adequate, and that in the future the staff can use the design-specific information GEH included in NEDC-33912, Section 4.2, as a review aid.

4.3 Generic Issues Section 4.3, Generic Issues, of NEDC-33912 addresses generic issues relevant to the scope of NEDC-33912. Specifically, Section 4.3.1 of NEDC-33912 states that NUREG-1780 sets the risk goal for the probability of an ATWS at no greater than 1x10-5 per reactor year. GEH has committed to achieving this goal, and as discussed in Section 4.1.1 of this SE, the staff finds this approach acceptable and consistent with the underlying purpose of 10 CFR 50.62. The staff will evaluate whether this goal is met when the NRC receives an application for the BWRX-300 SMR.

5.0 Limitations and Conditions If an applicant chooses to incorporate by reference NEDC-33912 as part of a 10 CFR Part 52 design certification application, or if a license applicant uses it for requesting a construction permit and operating license under 10 CFR Part 50 or a combined license under 10 CFR Part 52, it must provide appropriate safety analyses to demonstrate compliance with applicable regulatory requirements.

Additionally, any applicant referencing NEDC-33912 must perform and document in an application the following:

5.1 Reliability analysis or testing, considering applicable operating experience and expected load follow conditions, of the BWRX-300 diverse scram features to demonstrate the probability of an ATWS is less than 1x10-5 per reactor year (( )).

18 5.2 A CRDA design-basis safety analysis applied to an equilibrium cycle in accordance with an approved methodology, providing justification for any deviations (e.g., performing a one-time analysis to bound cycle-by-cycle variations), or request an exemption to justify the CRDA as a beyond-design-basis event and document the CRDA analysis results in the probabilistic risk assessment.

5.3 A stability analysis in accordance with an approved methodology to demonstrate that the BWRX-300 maintains a coupled power-flow response such that any operational perturbation, maneuver, or AOO that does not cause an immediate scram is naturally damped and decays quickly to steady state for all modes of operation; prevents SAFDLs from being exceeded; is not susceptible to regional or radial modes of oscillation; and includes necessary provisions to address cycle-specific conditions.

6.0 Conclusion Based on the above discussion, the NRC staff concludes that the design requirements, acceptance criteria, and regulatory bases for the design functions of BWRX-300 reactivity control design functions, as described in NEDC-33912, are acceptable. In particular, NEDC-33912 describes design requirements for the reactor protection system, (( )),

and alternate rod insertion to meet the acceptance criteria in 10 CFR 50.62 with justification to provide for a (( )), as well as design requirements for the (( )) and diverse means to insert control rods to ensure that the reactor can be shut down. If an applicant for a construction permit under 10 CFR Part 50, or a design certification or combined license under 10 CFR Part 52, is not able to demonstrate compliance with an NRC regulation when the detailed design of the BWRX-300 SMR is complete, the applicant will be expected to justify an exemption from the applicable regulatory requirement. The NRC staff will evaluate the regulatory compliance of the final design of the reactivity control design features for the BWRX-300 SMR during future licensing activities, in accordance with 10 CFR Part 50 or 10 CFR Part 52, as applicable. As discussed in this SE, GEH indicated that the detailed design of the BWRX-300 SMR is not complete at this time. The NRC staff will make a final determination of the BWRX-300 SMRs acceptability when the detailed design is completed and reviewed by the NRC staff during future licensing activities.