Public Meeting Presentation to Advisory Committee on Reactor Safeguards 10 CFR Part 53 Licensing and Regulation of Advanced Nuclear Reactors

ML21124A055
Person / Time
Issue date:	05/05/2021
From:	Robert Beall NRC/NMSS/DREFS/RRPB
To:
Beall, Robert
References
10 CFR Part 53, NRC-2019-0062, RIN 3150-AK31
Download: ML21124A055 (66)
v • d • e

Text

Advisory Committee on Reactor Safeguards (ACRS) 10 CFR Part 53 Licensing and Regulation of Advanced Nuclear Reactors May 5, 2021 1

Agenda

• Opening Remarks

• Overall Structure (Framework)

• Subpart B - Technology-Inclusive Safety Requirements

• Subpart C - Design and Analysis Requirements

• Discussion 2

Background

• Nuclear Energy Innovation and Modernization Act (NEIMA; Public Law 115-439) signed into law in January 2019 requires the NRC to complete a rulemaking to establish a technology-inclusive, regulatory framework for optional use for commercial advanced nuclear reactors no later than December 2027 o (1) ADVANCED NUCLEAR REACTORThe term advanced nuclear reactor means a nuclear fission or fusion reactor, including a prototype plant with significant improvements compared to commercial nuclear reactors under construction as of the date of enactment of this Act, 3

NRC Staff Plan to Develop Part 53 Subpart B Subpart C Subpart D Subpart E Subpart F Subpart G Project Life Cycle Design and Siting Construction Operation Retirement Requirements Definition Analysis

• Safety Objectives External Facility Safety

• Safety Criteria System Hazards Construction/ Program

• Safety Functions & Component Manufacturing Design Site Surveillance Characteristics Ensuring Maintenance Analysis Capabilities/

Requirements Environmental Reliabilities Configuration Considerations Control Safety Change Control Categorization Staffing &

& Special Environmental Human Factors Treatment Considerations Programs Security, EP Other Plant/Site (Design, Construction, Configuration Control) Clarify Controls Subpart A Analyses (Prevention, Mitigation, Compare to Criteria) and General Provisions Distinctions Plant Documents (Systems, Procedures, etc.) Between Subpart J Admin & Reporting LB Documents (Applications, SAR, TS, etc.) Subparts H & I 4

Part 53 Contents (A) General Provisions (including definitions)

(B) Safety Criteria (two tiers/categories, as low as reasonably achievable (ALARA), defense in depth (DiD)

(C) Design and Analysis (design criteria, role of probabilistic risk assessment (PRA))

(D) Siting (external hazards, population)

(E) Construction and Manufacturing (factory fueling)

(F) Operations (structures, systems and components (SSCs),

staffing, programs)

(G) Decommissioning (H) Licensing (siting, design, licenses)

(I) Maintaining Licensing Basis (J) Administrative and Reporting 5

Subpart B Technology-Inclusive Safety Requirements Preliminary Language 6

Rulemaking Plan (SECY-20-0032)

The staff plans to build upon ongoing activities such as those described in SECY-19-0117, Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light-Water Reactors, dated December 2, 2019 (ADAMS Accession No. ML18311A264), to develop the associated performance criteria.

The methodology described in SECY-19-0117, includes identifying the potential benefits provided by design features and programmatic controls in terms of the margins between estimated doses and the reference values in NRC regulations and the margins between estimated health effects and the NRCs safety goals. SECY-18-0096, Functional Containment Performance Criteria for Non-Light-Water-Reactors, dated September 28, 2018 (ADAMS Accession No. ML18115A157), and SECY-18-0103, Proposed Rule: Emergency Preparedness for Small Modular Reactors and Other New Technologies (RIN 3150-AJ68; NRC-2015-0225, dated October 12, 2018 (ADAMS Accession No. ML18134A076),

provide examples of how those margins are used within performance criteria for potential operational flexibilities.

7

First Principles See: SECY-18-0096, Functional Containment Performance Criteria for Non-Light-Water-Reactors, INL/EXT-20-58717, Technology-Inclusive Determination of Mechanistic Source Terms for Offsite Dose-Related Assessments for Advanced Nuclear Reactor Facilities, and SECY-19-0117, Technology-Inclusive, Risk-Informed, and Performance-Based Methodology..

8

Subpart B - Safety Criteria

• Safety Objectives

• First Tier Safety Criteria (B) Safety Criteria What function(s)

- Immediate threat to public health (e.g., a barrier, cooling) and safety are needed to satisfy safety criteria

• Second Tier Safety Criteria

- Appropriate to address potential (B) Safety Functions risks to public health and safety What design features (e.g., a structure, system)

• Safety Functions are provided to fulfill the safety function(s)

• Licensing Basis Events (C) Design Features (LBEs) (and Human Actions) What design criteria (e.g., leak rate, cooling

• Defense in Depth capacity) are needed for design feature

• Protection of Plant Workers (C) Functional Design Criteria (Personnel; Concept of Operations) 9

Technology-Inclusive Methodology Primary Safety Function What function(s)

(e.g., a barrier, cooling) are (limiting release of radioactive materials) needed to satisfy safety Primary (MHTGR example) criteria Safety Functions Additional Reactivity/Heat Chemical Heat Removal Generation Interactions What design features (e.g., a structure, system)

Design Features Design Features Design Features are provided to fulfill the safety function(s)

(and Human Actions)

Functional Functional What design criteria (e.g., leak rate, cooling Functional Design Criteria Design Criteria Design Criteria capacity) are needed for (Personnel; Concept of design feature Operations) 10

Modular High-Temperature Gas-Cooled Reactor (MHTGR) Example (Safety Functions)

Design Features Design Features Design Features Functional Design Functional Design Functional Design Criteria Criteria Criteria 11

Addressing Functions & Design Criteria (B) Safety Functions (C) Design Features (C) Functional Design Criteria 10 CFR 50, Appendix A General Design Criteria Quality Standards and Records 1 Design Bases for Protection Against Natural Phenomena 2 I. Overall Requirements: Fire Protection 3 Environmental and Dynamic Effects Design Bases 4 Sharing of Structures, Systems, and Components 5 Reactor Design 10 Reactor inherent Protection 11 Suppression of Reactor Power Oscillations 12 Instrumentation and Control 13 II. Protection by Multiple Fission Product Reactor Coolant Pressure Boundary 14 Reactor Coolant System Design 15 Barriers: Containment Design 16 Electric Power Systems 17 Inspection and Testing of Electric Power Systems 18 Control Room 19 Protection System Functions 20 Protection System Reliability and Testability 21 Protection System Independence 22 Protection System Failure Modes 23 III. Protection and Reactivity Control Separation of Protection and Control Systems Protection System Requirements for Reactivity Control 24 25 Systems: Malfunctions Reactivity Control System Redundancy and Capability 26 Combined Reactivity Control Systems Capability 27 Reactivity Limits 28 Protection Against Anticipated Operational Occurrences 29 12

Addressing Functions & Design Criteria (B) Safety Functions (C) Design Features Quality of Reactor Coolant Pressure Boundary 30 Fracture Prevention of Reactor Coolant Pressure Boundary 31 (C) Functional Design Criteria Inspection of Reactor Coolant Pressure Boundary 32 Reactor Coolant Makeup 33 Residual Heat Removal 34 Emergency Core Cooling 35 Inspection of Emergency Core Cooling System 36 Testing of Emergency Core Cooling System 37 IV. Fluid Systems: Containment Heat Removal 38 Inspection of Containment Heat Removal System 39 Testing of Containment Heat Removal System 40 Containment Atmosphere Cleanup 41 Inspection of Containment Atmosphere Cleanup Systems 42 Testing of Containment Atmosphere Cleanup Systems 43 Cooling Water 44 Inspection of Cooling Water System 45 Testing of Cooling Water System 46 Containment Design Basis 50 Fracture Prevention of Containment Pressure Boundary 51 Capability for Containment Leakage Rate Testing 52 Provisions for Containment Testing and Inspection 53 V. Reactor Containment: Systems Penetrating Containment 54 Reactor Coolant Pressure Boundary Penetrating Containment 55 Primary Containment Isolation 56 Closed Systems Isolation Valves 57 Control of Releases of Radioactive Materials to the 60 Environment Fuel Storage and Handling and Radioactivity Control 61 VI. Fuel and Radioactivity Control: Prevention of Criticality in Fuel Storage and Handling 62 Monitoring Fuel and Waste Storage 63 Monitoring Radioactivity Releases 64 13

Part 50 and Part 53 Comparing Licensing Frameworks

• Safety criteria o Same safety criteria in Parts 50 and 53 o Quantitative health objectives (QHOs) used in guidance under Part 50

• Design and Analyses o Design Basis Accidents (DBAs)

Part 50: Assessed using prescriptive, highly conservative analyses Including single failure criterion (SFC)

Part 53: Assessed methodically considering event frequencies and assuming only safety-related SSCs are available o Beyond Design Basis Events (BDBEs)

Part 50: Identified & assessed by largely ad-hoc, prescriptive approach with uncertainties addressed through conservatisms Part 53: Derived methodically using event frequencies with explicit consideration for uncertainties Including combinations of various equipment failures

• Special Treatment for Non-Safety-Related but Risk-Significant SSCs o Part 50: Ad-hoc (e.g., § 50.69 programs, Reliability Assurance Programs (RAP))

o Part 53: Systematic approach to control frequencies and consequences of the LBEs in relation to safety criteria 14

Second Iteration - Objectives

§ 53.200 Safety Objectives.

Each advanced nuclear plant must be designed, constructed, operated, and decommissioned to limit the possibility of an immediate threat to the public health and safety. In addition, each advanced nuclear plant must take such additional measures as may be appropriate when considering potential risks to public health and safety. These safety objectives shall be carried out by meeting the safety criteria identified in this subpart.

• Discussion o Generally aligns with requirements for content of technical specifications and regulatory treatment of non-safety systems o Addresses concerns related to tying tiers to authorities provided in the Atomic Energy Act (e.g., adequate protection and minimize danger to life or property) 15

Second Iteration - First Tier

§ 53.210 First Tier Safety Criteria.

(a) Public dose does not exceed Part 20 limit (0.1 rem) from normal plant operation (b) Provide design features and programmatic controls such that events with frequencies greater than once per 10,000 years meet the following (1) 2-hour dose below 25 rem at EAB (2) Duration dose below 25 rem at LPZ boundary

• Discussion o Maintains technical criteria from first iteration o Generally aligns with requirements for content of technical specifications and regulatory treatment of non-safety systems o Deleted paragraph (c) since the first tier criteria are no longer tied to adequate protection standard o Added existing footnote on 25 roentgen equivalent man (rem) as reference value o General note that staff assessing terminology (tiers) 16

Additional Discussion - First Tier

• Possible Applications of First Tier Safety Criteria o Minimally acceptable level of safety o Met by satisfying the safety functions needed for dose < 25 rem o Provides basis for safety classification of safety-related SSCs o Demonstration of meeting the first tier safety criteria supported by analyses of DBA o Provides basis for identifying SSCs needing protection against external events up to the design basis external hazard levels o Provides basis for identifying appropriate content of technical specifications (TS)

Reserved for the most significant safety requirements Necessary to obviate the possibility of an abnormal situation or event giving rise to an immediate threat to the public health and safety o May provide basis for staffing and operator licensing decisions o Greatest level of detail for information in licensing documents 17

Second Iteration - Second Tier

• Second Tier Safety Criteria FIRST ITERATION/SECOND ITERATION

§ 53.220 Second Tier Safety Criteria.

(a) Normal operations. Design features and programmatic controls must be provided for each advanced nuclear plant to ensure the estimated total effective dose equivalent to individual members of the public from effluents resulting from normal plant operation are as low as is reasonably achievable taking into account the state of technology, the economics of improvements in relation to the state of technology, operating experience, and the benefits to the public health and safety. Design features and programmatic controls must be established such that [to be reworded for consistency with 10 CFR part 20 and 40 CFR part 190].

(b) Unplanned events. Design features and programmatic controls must be provided to:

(1) Ensure plant SSCs, personnel, and programs provide the necessary capabilities and maintain the necessary reliability to address licensing basis events in accordance with

§ 53.240 and provide measures for defense-in-depth in accordance with § 53.250; and (2) Maintain overall cumulative plant risk from licensing basis events such that the risk to an average individual within the vicinity of the plant receiving a radiation dose with the potential for immediate health effects remains below five in 10 million years, and the risk to such an individual receiving a radiation dose with the potential to cause latent health effects remains below two in one million years.

18

Feedback - 2nd Tier, ALARA

• ALARA o Proposal by some stakeholders to eliminate all ALARA requirements under Part 53.

• NRC Iteration: Maintained requirements for normal operations and occupational exposures to be ALARA Note that concerns related to ALARA and NRC reviews of design-related applications are also being addressed through the Advanced Reactor Content of Application Project with current drafts of Chapter 9 released to support stakeholder interactions:

... in lieu of providing detailed system descriptions and analysis of estimated effluent releases as required by 10 CFR 50.34, 50.34a, 52.47, and 52.79, an application may demonstrate compliance with the applicable regulations by describing a radiation protection program and an effluent release monitoring program that will ensure that effluent release limits will be met during normal operations for the life of the plant.

Information related to physical systems can be limited to general descriptions of layout and technologies used to limit the release of the various inventories of radioactive materials within the plant.

19

Feedback - 2nd Tier, QHOs

• QHOs o Proposal by some stakeholders to maintain QHOs as policy but exclude from rule Some concern over use of QHOs related to inclusion of requirement to perform PRA o Proposal by some stakeholders to use a metric other than QHOs as second tier Range of stakeholder views, from use of QHOs to use of cost-benefit assessment for second tier, which in NRC practice includes assessment against QHOs

• NRC Iteration: Maintained QHOs within the second tier safety criteria o The QHOs are a well-established measure used in NRC risk-informed decision making and are a logical performance metric to support the risk management approaches to operations that will be reflected in Subpart F, Operations.

o Note that using less defined criteria for the second tier would decrease the predictability of the regulations in terms of the desired graded approach (e.g., differentiation between SSCs that are safety related and non-safety related with special treatment) 20

Additional Discussion - Second Tier

• Possible Applications of Second Tier Safety Criteria o With first tier, ensures appropriate level of safety for long-term, risk-informed operations o Met by satisfying the safety functions for meeting QHOs o Demonstration of meeting the second tier safety criteria supported by systematic analyses (i.e., PRA) o Provides basis for identifying additional risk-informed requirements o Provides basis for identifying appropriate special treatment for non-safety related SSCs (e.g., functional design requirements & reliability) o Provides basis for enabling risk management approach to operations o May provide basis for staffing and operator licensing decisions o Enables appropriate level of detail in licensing basis documentation based on a risk-informed, function-oriented and performance-based approach 21

Second Iteration - Safety Functions

§ 53.230 Safety Functions (a) The primary safety function is limiting the release of radioactive materials from the facility and must be maintained during routine operation and for licensing basis events over the life of the plant.

(b) Additional safety functions supporting the retention of radioactive materials during routine operation and licensing basis eventssuch as controlling [reactivity], heat generation, heat removal, and chemical interactions--must be defined.

(c) The primary and additional safety functions are required to meet the first and second tier safety criteria and are fulfilled by the design features and programmatic controls specified throughout this part.

• Discussion (Safety Functions) o Maintains mention of fundamental safety functions as examples to maintain technology-inclusive framework (with potential use for multiple inventories of radionuclides within plants and possibly technologies such as fusion energy systems) o Reinforces general hierarchy of safety criteria, safety function, design feature, and functional design criteria.

22

Second Iteration - LBEs

§ 53.240 Licensing Basis Events Licensing basis events must be identified for each advanced nuclear plant and analyzed in accordance with § 53.450 to support assessments of the safety requirements in this subpart B. The licensing basis events must address combinations of malfunctions of plant SSCs, human errors, and the effects of external hazards ranging from anticipated operational occurrences to very unlikely event sequences with estimated frequencies well below the frequency of events expected to occur in the life of the advanced nuclear plant. The evaluation of licensing basis events must be used to confirm the adequacy of design features and programmatic controls needed to satisfy first and second tier safety criteria of this subpart and to establish related functional requirements for plant SSCs, personnel, and programs.

• Discussion (LBEs) o Changes to clarify the range of scenarios to be addressed by LBEs 23

Licensing Basis Events - Light-Water Reactor (LWR) Summary ANSI/ANS-51.1-1983; nuclear safety criteria for the design of stationary pressurized water reactor plants (withdrawn 1989) 24

Licensing Modernization Project (LMP):

Event Selection & Analysis

• Introduction of an actual frequency-consequence curve as part of the regulatory process (vs. general relationship of decreased consequences expected for more frequent events) 25

Tabletop Exercise (MHTGR; Xe-100)

Report: ADAMS Accession No. ML18228A779 26

LMP: Event Selection & Analysis Anticipated Operational Occurrences (AOOs)

[Part 53 - AOOs]

Anticipated event sequences expected to occur one or more times during the life of a nuclear power plant, which may include one or more reactor modules. Event sequences with mean frequencies of 1x10-2/plant-year and greater are classified as AOOs. AOOs take into account the expected response of all SSCs within the plant, regardless of safety classification.

DBEs

[Part 53 - Unlikely events]

Infrequent event sequences that are not expected to occur in the life of a nuclear power plant, which may include one or more reactor modules, but are less likely than AOOs. Event sequences with mean frequencies of 1x10-4/plant-year to 1x10-2/plant-year are classified as DBEs. DBEs take into account the expected response of all SSCs within the plant regardless of safety classification.

BDBEs

[Part 53 - Very unlikely events]

Rare event sequences that are not expected to occur in the life of a nuclear power plant, which may include one or more reactor modules, but are less likely than a DBE. Event sequences with mean frequencies of 5x10-7/plant-year to 1x10-4/plant-year are classified as BDBEs. BDBEs take into account the expected response of all SSCs within the plant regardless of safety classification.

27

LMP: Required Safety Functions Required Safety Function (RSF): A PRA Safety Function that is required to be fulfilled to maintain the consequence of one or more DBEs or the frequency of one or more high-consequence BDBEs inside the F-C Target Provides connection to Safety-Related Classification Note - in Part 53, RSFs would translate to those functions needed to address first tier safety criteria 28

RSF Example

• MHTGR RSFs Required Safety Functions 29

Design Basis Accidents DBAs

[Part 53 - DBAs]

Postulated event sequences that are used to set design criteria and performance objectives for the design of Safety Related SSCs. DBAs are derived from DBEs based on the capabilities and reliabilities of Safety-Related SSCs needed to mitigate and prevent event sequences, respectively. DBAs are derived from the DBEs by prescriptively assuming that only Safety Related SSCs are available to mitigate postulated event sequence consequences to within the 10 CFR 50.34 dose limits.

30

Second Iteration - DiD

§ 53.250 Defense in Depth Measures must be taken for each advanced nuclear plant to ensure appropriate defense in depth is provided to compensate for uncertainties such that there is high confidence that the safety criteria in this subpart are met over the life of the plant. The uncertainties to be considered include those related to the state of knowledge and modeling capabilities, the ability of barriers to limit the release of radioactive materials from the facility during routine operation and for licensing basis events, and those related to the reliability and performance of plant SSCs, personnel, and programmatic controls. No single engineered design feature, human action, or programmatic control, no matter how robust, should be exclusively relied upon to meet the safety criteria of § 53.220(b) or the safety functions defined in accordance with § 53.230.

• Discussion (DiD) o Maintains defense in depth within Subpart B because of historical and continued importance of its role in addressing risk o Parts 50/52 do not include a similar section because the defense-in-depth philosophy is incorporated into prescriptive technical requirements for light-water reactors o Possibility that this section could be addressed within Subpart C can be considered as part of the later review of the technical requirements o Reflects possible crediting of inherent characteristics within the design and analysis for advanced reactors and the reduced uncertainties associated with such characteristics 31

Second Iteration - Protection of Plant Workers

§ 53.260 Protection of Plant Workers (a) Design features and programmatic controls must exist for each advanced nuclear plant to ensure that radiological dose to plant workers does not exceed the occupational dose limits provided in subpart C to 10 CFR part 20.

(b) As required by Subpart B to 10 CFR part 20, design features and programmatic controls must, to the extent practical, be based upon sound radiation protection principles to achieve occupational doses that are as low as is reasonably achievable.

• Discussion (Protection of Plant Workers) o Maintains the protection of plant workers within Subpart B to capture occupational exposures within the high-level safety requirements o Changed to refer to part 20, as suggested by stakeholders Note that ALARA is not only a long-standing requirement by Atomic Energy Commission/NRC (including maintaining in Part 20 rulemaking) but also is addressed in U.S. Environmental Protection Agency Federal Guidance for Radiation Protection 32

Subpart C Design and Analysis Preliminary Language 33

Subpart C - Design and Analysis

• Design Features

• Functional Design Criteria for First Tier Safety Criteria

- Comparable to Principal Design Criteria for Safety-Related SSCs

• Functional Design Criteria for Second Tier Safety Criteria

- Provides Design Criteria for Safety Significant Non-Safety-Related SSCs

• Functional Design Criteria for Protection of Plant Workers

• Design Requirements

• Analysis Requirements

- Role of PRA

• Safety Categorization and Special Treatment

• Application of Analytical Safety Margins to Operational Flexibilities

• Design Control Quality Assurance

• Design and Analyses Interfaces 34

Design-Related Discussions SFC vs Reliability Criterion Part 53 PRA Required; Reliability Assurance through TS/RAP Subpart F RG 1.233 The staff finds that the NEI 18-04 methodology, including (Licensing assessments of event sequences and DiD, obviates the Modernization) need to use the single-failure criterion (SFC) as it is applied to the deterministic evaluations of AOOs and DBAs for (SECY-19-0117)

LWRs.

SRM-SECY-19-0036 The staff should apply risk-informed principles when strict, (Application of the Single prescriptive application of deterministic criteria such as the Failure Criterion to SFC is unnecessary to provide for reasonable assurance of NuScale IAB Valves) adequate protection of public health and safety.

SECY-03-0047 The SFC would be replaced with a reliability criterion and (Policy Issues Related to the event scenarios identified in the PRA would be Licensing Non-Light- examined against this criterion.

Water Reactor (NLWR)

Designs)

Note that Issue 4 in SECY-03-0047 also described SRM dated 6/26/2003 probabilistic event selection and safety classification 35

The SFC

• The SFC has the direct objective of promoting reliability through the enforced provision of redundancy in those systems which must perform a safety-related function

• In SECY 77-439 (ML060260236), the staff critiqued the SFC at the request of the Commission:

- The SFC has served well in its use as a licensing review tool to assure reliable systems as one element of the defense in depth approach to reactor safety.

- The SFC is just one of several tools applied in systems design and analysis to promote reliability of the systems which are needed in a nuclear power plant for safe shutdown and cooling, and for mitigation of the consequences of postulated accidents.

It is not sufficient by itself.

- The SFC was developed without the benefit of numerical assessments on the probabilities of component or system failure.

- The Reactor Safety Study (WASH-1400, the first nuclear plant PRA) also pointed out that factors such as systems interactions, multiple human errors, and maintenance and testing requirements also have an influence on reliability. Such factors fall outside the scope of the SFC, and supplementary methods must be utilized In their study.

- It is expected that probabilistic methods of the type used in the Reactor Safety Study will gradually come into increasing use and supplement the SFC.

• See also the discussions in SECY-03-0047, SECY-05-0138, SECY-19-0036, SECY-19-0117 and related SRMs 36

Codes and Standards

§ 53.440 Design Requirements.

(a) The design features required to meet the first and second tier safety criteria defined in

§§ 53.210 and 53.220 shall be designed using generally accepted consensus codes and standards wherever applicable.

Preliminary Definition (Subpart A): Consensus code or standard means any technical standard (1) developed or adopted by a voluntary consensus standard body under procedures that assure that persons having interests within the scope of the standard that are affected by the provisions of the standard have reached substantial agreement on its adoption, (2) formulated in a manner that afforded an opportunity for diverse views to be considered, and (3) designated by the standards body as such a standard for the safe design, manufacture, construction, or operation of nuclear power plants.

• Discussion (Codes and Standards)

- Preliminary language encourages use of consensus codes and standards as required by the National Technology Transfer and Advancement Act.

- Recognizes variety of technologies and designs as well as stated desire of some stakeholders to adopt standards outside of typical LWR standards development organizations (e.g., ISO or other international standards).

- Considering using NRC endorsement of guidance documents versus incorporation of standards into the regulations.

- Capture of acceptable standards in guidance increases efficiency by avoiding routine rulemakings related to the revision of incorporated standards in the regulations.

37

Second Iteration - Analysis (PRA)

§ 53.450 Analysis Requirements (a) Requirement to have a probabilistic risk assessment. A probabilistic risk assessment (PRA) of each advanced nuclear plant [reminder - plant definition to include multi-module and multi-source] must be performed to identify potential failures, degradation mechanisms, susceptibility to internal and external hazards, and other contributing factors to unplanned events that might challenge the safety functions identified in § 53.230 and to support demonstrating that each advanced nuclear plant meets the second tier safety criteria of § 53.220(b).

• Discussion (PRA) o Maintains requirement in Part 53 for PRA consistent with evolution of risk-informed approaches but provide alternatives to PRA for design and analysis processes (paragraph (b)) and to support the licensing and regulatory programs being developed in subsequent subparts o Staff is engaged in ongoing discussions on how to ensure the level of effort required for a PRA is commensurate with the complexity of the subject reactor design while also ensuring possible deployment of advanced reactors poses no undue risk to public health and safety.

38

Past and Present Uses of the PRA

• Identify severe accident vulnerabilities and to provide insights which support the conclusion that the plant design, construction, and operation provides reasonable assurance no undue risk to public health and safety.

• Demonstrate that the plant meets the Commissions safety goals.

• Support the environmental review required by 10 CFR Part 51, specifically, the evaluation of severe accident mitigation design alternatives:

- RG 4.2, Preparation of Environmental Reports for Nuclear Power Stations, Rev. 3, September 2018

- COL-ISG-029, Environmental Considerations Associated with Micro-reactors, October 28, 2020

• For applications based on the LMP guidance, the PRA is used to select licensing basis events, classify SSCs, and to inform the DiD evaluation.

39

Past and Present Uses of the PRA (Cont'd)

• For applications not based on the LMP guidance, the PRA may be used to support the process used to demonstrate whether the regulatory treatment of non-safety systems (RTNSS) is sufficient and, if appropriate, identify the SSCs included in RTNSS.

• The results and insights of the PRA are used to identify and support the development of specifications and performance objectives for the plant design, construction, inspection, and operation, such as:

- Inspection, testing, analysis, acceptance criteria,

- TS, and

- Combined operating license action items and interface requirements.

• The PRA may be used to support various voluntary risk-informed applications (e.g., risk-informed inservice inspection) that may be included in the licensing application.

• The PRA may be used to inform the scope of staffs review; see SRM-COMGBJ-10-0004/COMGEA-10-0001 (ML102510405).

• The results and insights of the PRA are used to support the reactor oversight program.

40

Searching for Initiating Events (Adapted from the NLWR PRA Standard)

• Identify initiating events that:

- Challenge normal plant operation (when plant is at-power) or the ability to sustain safe shutdown or low-power conditions (when not at-power), and

- Require successful mitigation to prevent a release of radioactive material.

• Use a structured, systematic process that accounts for plant-or design-specific features, such as:

- Master logic diagrams

- Heat balance fault trees

- Process hazards analysis

- Failure modes and effects analysis

• Analyze operating procedures and practices.

• Review existing lists of known initiators applicable to the specific reactor type and design.

41

Searching for Initiating Events (Cont'd)

(Adapted from the NLWR PRA Standard)

• Consider external hazards (e.g., seismic), including initiating events caused by a combination of hazards (e.g., seismically induced fires).

• Review operating experience, including similar plants.

• Perform a systematic evaluation of each system down to the subsystem or train level and including support systems in each modeled plant operating state.

• Include initiating events resulting from multiple failures if the equipment failures result from a common cause.

• Interview resources knowledgeable in plant design or operation.

• Include initiators that impact two or more sources of radioactive material 42

Addressing Lack of Operating Experience Type of Data/Information Methods Internal initiating event frequencies

• Many can be estimating using LWR or relevant non-nuclear information Component failure rates

• Bayesian estimation methods

• Formal expert elicitation Common-cause failures (CCFs)

• Use existing CCF models (e.g., alpha factors)

• Use existing generic information derived from LWR experience Test/maintenance availabilities

• Use component failure rates

• Controlled by technical specifications (surveillance test intervals and allowed outage times)

Human error probabilities

• Does not require design-specific operating experience External hazard frequencies

• Use existing methods External hazard fragilities 43

Addressing Lack of Operating Experience (Cont'd)

• PRA provides a framework for assessing uncertainties:

- Parametric uncertainties

- Modeling uncertainties

- Completeness uncertainties

• PRA helps to put uncertainties into perspective.

- Which events contribute to the overall uncertainty?

- Are these events also risk significant?

44

Second Iteration - Analysis (Use of PRA)

§ 53.450 Analysis Requirements (b) Requirement to use PRA, other generally accepted risk-informed approach for systematically evaluating engineered systems, or combination thereof to:

• Determine LBEs

• Support safety classification of SSCs

• Evaluate defense in depth

• Discussion (Use of PRA) o Change intended to support alternative approaches to a PRA o Worded in terms of generally accepted to support possible standards or other guidance documents o The use of guidance, Part 53 rule language, or revisions to Part 50 are being explored as possible ways to accommodate deterministic approaches for performing design and analysis 45

Second Iteration - Analysis Requirements (c - g)

§ 53.450 Analysis Requirements (c) Maintenance and upgrade of analyses (d) Qualification of analytical codes (e) Analyses of LBEs (added)

(f) Analysis of DBAs (g) Other required analyses

• Discussion (Analysis Requirements) o Clarification of maintenance and upgrading of analyses (referring to codes and standards) o Maintain placeholder for other required analyses to address fire protection, aircraft impact, and specific beyond design basis accidents.

46

Second Iteration - Analysis Requirements (c - g)

§ 53.450(e) Analyses of licensing basis events [New sub-paragraph]

(e) Analyses of licensing basis events. Analyses must be performed for licensing basis events ranging from anticipated operational occurrences to very unlikely event sequences with estimated frequencies well below the frequency of events expected to occur in the life of the advanced nuclear plant. The licensing basis events must be identified using insights from a PRA, other generally accepted risk-informed approach for systematically evaluating engineered systems, or combination thereof to systematically identify and analyze equipment failures and human errors. The analyses must address event sequences from initiation to a defined end state and demonstrate that the functional design criteria required by § 53.420 provide sufficient barriers to the unplanned release of radionuclides to satisfy the second tier safety criteria of § 53.220(b) and provide defense in depth as required by § 53.250.

• Discussion (Analyses of LBEs) o Section added to clarify requirements for LBEs, including analysis from initiation to a defined end state o Staff considering further clarification for anticipated operational occurrences in terms of acceptance criteria beyond QHOs and defense in depth 47

Second Iteration - Analysis Requirements (c - g)

§ 53.450 (f) Analysis of design basis accidents (f) Analysis of design basis accidents. The analysis of licensing basis events required by § 53.240 and § 53.450(e) must include analysis of a set of design basis accidents that address possible challenges to the safety functions identified in accordance with § 53.230. Design basis accidents must be selected from those unanticipated event sequences with an upper bound frequency of less than one in 10,000 years as identified using insights from a PRA, other generally accepted risk-informed approach for systematically evaluating engineered systems, or combination thereof to systematically identify and analyze equipment failures and human errors. The events selected as design basis accidents should be those that, if not terminated, have the potential for exceeding the safety criteria in § 53.210(b). The design-basis accidents selected must be analyzed using deterministic methods that address event sequences from initiation to a safe stable end state and assume only the safety-related SSCs identified in § 53.460 and human actions addressed by § 53.8xx (reference to concept of operations sections of Subpart F) are available to perform the safety functions identified in accordance with § 53.230. The analysis must conservatively demonstrate compliance with the safety criteria in § 53.210(b).

• Discussion (DBAs) o Revised to clarify that analysis is to address sequences from initiation to a safe stable end state.

48

Second Iteration - Safety Classification

§ 53.460 Safety Categorization and Special Treatment (a) SSCs and human actions must be classified according to their safety significance.

The categories must include Safety Related (SR), Non-Safety Related but Safety Significant (NSRSS), and Non-Safety Significant (NSS), as defined in subpart A of this part.

• Discussion o Editorial changes to remove material duplicating preliminary rule language in other sections o Maintaining for now the specific categories of safety related, non-safety related but safety significant, and non-safety significant 49

Second Iteration - Analytical Margins and Operating Flexibilities

§ 53.470 Application of Safety Margins to Operational Flexibilities (No Change) Where an applicant or licensee so chooses, design criteria more restrictive than those defined in § 53.220(b) may be adopted to support operational flexibilities (e.g., emergency planning requirements under Subpart F of this part). In such cases, applicants and licensees must ensure that the functional design criteria of § 53.420(b), the analysis requirements of § 53.450, and identification of special treatment of SSCs and human actions under

§ 53.460 reflect and support the use of alternative design criteria to obtain additional analytical safety margins. Licensees must ensure that measures taken to provide the analytical margins supporting operational flexibilities are incorporated into design features and programmatic controls and are maintained within programs required in other Subparts.

• Discussion o No change; Released related requirements in Subpart F to th support public meeting on May 6 50

Feedback - Design Control Quality Assurance and Design Interfaces First Iteration

§ 53.480 Design Control Quality Assurance

§ 53.490 Design Interfaces

• Questions/comments on quality assurance and design interfaces o Many stakeholders reserving comments pending release of other subparts

• Discussion o No change; Released related requirements in Subpart F to support public meeting on May 6th 51

Feedback - Non-Radiological Hazards

• Non-Radiological Hazards o Some ACRS members noted inclusion of non-radiological hazards should be considered in Part 53, such as chemical releases.

Staff has this issue under consideration and recognizes existing frameworks for addressing this multi-jurisdictional topic Does ACRS have feedback on this topic that could inform the Staffs ongoing considerations?

52

Final Discussion and Questions 53

Acronyms and Abbreviations ACRS Advisory Committee on Reactor Safeguards DiD Defense in depth ADAMS Agencywide Document Access EAB Exclusion area boundary Management System EP Emergency planning AEA Atomic Energy Act EPA U.S. Environmental Protection Agency ALARA As low as reasonably achievable F-C Frequency consequence ANS American Nuclear Society FMEA Failure modes and effects analysis AOO Anticipated operational occurrence FW Steam generator feedwater pump trip ASME American Society of Mechanical Engineers BDBEs Beyond design basis events HPB Helium pressure boundary CCF Common cause failure IAB Intake air bypass CFR Code of Federal Regulations ISO International Standards Organization ITAAC Inspection, test, analyses, acceptance CR Control rod withdrawal criteria CT Circulator trip LBEs Licensing basis events DBAs Design basis accidents LD Large helium depressurization DG Draft guidance LF Loss of primary flow 54

Acronyms and Abbreviations LMP Licensing modernization project PC Plant condition LO Loss of offsite power PPC Porcelain polycarbonate PRA Probabilistic risk assessment LPZ Low-population zone LWR Light-water reactor QHO Quantitative health objective MD Medium helium depressurization RAP Reliability assurance program MHTGR Modular high-temperature gas-cooled Rem Roentgen equivalent man reactor ROP Reactor oversight program NEI Nuclear Energy Institute NEIMA Nuclear Energy Innovation and RSF Required safety function Modernization Act RT Reactor trip NLWR Non-light-water reactor RTNSS Regulatory treatment of non-safety systems NRC U.S. Nuclear Regulatory Commission SAR Safety analysis report NSRSS Non-safety related but safety significant SD Small helium depressurization NSS Non-safety significant SDO Standard development organization PAG Protective action guide SFC Single-failure criterion 55

Acronyms and Abbreviations SG Steam generator rupture SR Safety related SSCs Structures, systems, components TS Technical specifications TT Turbine trip 56

BACKUP SLIDES 57

Part 53 Rulemaking Schedule Milestone Schedule Major Rulemaking Activities/Milestones Schedule Public Outreach, ACRS Interactions and Present to April 2022 Generation of Proposed Rule Package (11 months)

Submit Draft Proposed Rule Package to May 2022 Commission Publish Proposed Rule and Draft Key Guidance October 2022 Public Comment Period - 60 days November and December 2022 Public Outreach and Generation of Final Rule January 2023 to February 2024 Package (14 months)

Submit Draft Final Rule Package to Commission March 2024 Office of Management and Budget and Office of July 2024 to September 2024 the Federal Register Processing Publish Final Rule and Key Guidance October 2024 58

Integrated Approach Siting near densely populated Functional areas EP for SMRs Containment and ONTs Licensing Modernization Project Insurance and Liability Environmental Reviews Consequence Based Security 59

Presenting PRA Results 60

Cumulative Risk Metrics

• QHOs in the Commissions Safety Goal Policy Statement

- The risk to an average individual in the vicinity of a nuclear power plant [1 mile] of prompt fatalities that might results from reactor accidents should not exceed 0.1% of the sum of prompt fatality risk resulting from other accidents to which members of the U.S. population are generally exposed [5E-7/y].

- The risk to the population in the area near a nuclear power plant

[10 miles] that might result from nuclear power plant operation should not exceed 0.1% of the sum of cancer fatality risks resulting from all other causes [2E-6/y].

- Compare mean risks to QHOs, and consider the uncertainties

- Basis: NUREG-0880, Safety Goals for Nuclear Power Plant Operation, Rev. 1, ML071770230, May 1983.

• LMP: The total mean frequency of exceeding a site boundary dose of 100 mrem < 1/plant-year (based on 10 CFR 20).

61

Large Release Frequency (LRF)

• In its safety goal policy statement, the Commission proposed a general performance guideline for further staff examination:

- The overall mean frequency of a large release of radioactive materials to the environment from a reactor accident should be less than 1 in 1,000,000 per year of reactor operation

- Rationale as explained by Forrest Remick (former Director of Office of Policy Evaluation, former ACRS member, and former Commissioner) in a memorandum dated 3/2/1993 (ML051660709) to James Taylor (former EDO):

• The proposed SGPS included a goal for core-damage frequency (CDF) < 1E-4/y

• The ACRS wanted to include a goal for conditional containment failure probability (CCFP) < 0.1

• The LRF goal was developed to break the deadlock between the staff and ACRS

• (1E-4/y CDF) x (0.1 vessel breach probability) x (0.1 CCFP) = 1E-6 LRF

• In SRM-SECY-89-102 (ML051660712), the Commission made clear that LRF applies to all reactor designs (LWRs and NLWRs).

• As discussed in SECY-93-138, the staff abandoned efforts to anchor LRF to the QHOs (LRF is more conservative).

• There is no NRC definition for LRF; Part 52 applicants have been allowed to propose various definitions.

62

Large Release vs.

Large Early Release

• JCNRM definition of large release (approved 4/2/2021): The release of airborne fission products to the environment such that there are significant off-site impacts. Large release and significant off-site impacts may be defined in terms of quantities of fission products released to the environment, status of fission product barriers and scrubbing, or dose levels at specific distances from the release, depending on the specific analysis objectives and regulatory requirements.

• RG 1.200 implied definition of large early release: A rapid, unmitigated release of airborne fission products from the containment to the environment occurring before the effective implementation of offsite emergency response and protective actions such that there is the potential for early health effects. (Such accidents generally include unscrubbed releases associated with early containment failure shortly after vessel breach, containment bypass events, and loss of containment isolation.)

63

Core-Damage Frequency (CDF) and Large Early Release Frequency (LERF)

• For large LWRs:

- Used when developing RG 1.174 (late 1990s)

- Technical basis documented in NUREG-1860, Appendix D (based on NUREG-1150 results)

• In SRM-SECY-12-0081,the Commission approved the staff's recommendation that new reactors transition from LRF to LERF at or before initial fuel load.

64

CCDF Representation of Risk

• Used in traditional PRAs (e.g., WASH-1400, NUREG-1150)

• Considered during development of NUREG-1860, Feasibility Study for a Risk-Informed and Performance-Based Regulatory Structure for Future Plant Licensing

- Deferred - how to establish the acceptance criterion?

- Discussed in ACRS letter dated September 26, 2007

• Public comment on DG-1353 [RG 1.233] by former ACRS Member Rich Denning and Vinod Mubayi (one of the authors of NUREG-1860) recommended the development of a CCDF criterion in lieu of the frequency-consequence target:

- Comment: ML19158A457

- Staff response: ML20091L696

- Discussed at ACRS Future Plant Design Subcommittee meeting held July 20, 2020 65

Frequency-Consequence Plot

• Uses include:

- MHTGR pre-application (1989)

- NUREG-1860 (2007)

- NGNP Licensing Strategy (2008)

- NEI 18-04 (2019)

• In NEI 18-04:

- The F-C Target is used as a tool to identify risk-significant event sequence families and SSCs

- The F-C Target is not an acceptance criterion!

66