ML21173A262
| Person / Time | |
|---|---|
| Issue date: | 06/23/2021 |
| From: | Joseph Sebrosky Office of Nuclear Reactor Regulation |
| To: | |
| Uribe J | |
| Shared Package | |
| ML21173A261 | List: |
Technology Inclusive Content of Application Project Workshop
June 23, 2021
Microsoft Teams Meeting
Bridgeline: 301-576-2978
Conference ID: 395 169 492#

Agenda

| Time | Topic* | Speaker |
|---|---|---|
| 10:00 - 10:10 am | Opening Remarks | NRC/Southern |
| 10:10 - 11:50 am | First Issue - principal design criteria (issue #6 from TICAP workshops) | NRC/Southern |
| 11:50 - 12:00 pm | Stakeholder Questions | All |
| 12:00 - 1:00 pm | Break | All |
| 1:00 - 1:10 pm | Opening Remarks | NRC/Southern |
| 1:10 - 2:50 pm | Second issue to be discussed - reliability and capability targets (issue #9 from TICAP workshops) | NRC/Southern |
| 2:50 - 3:00 pm | Stakeholder Questions | All |
| 3:00 - 3:30 pm | Continuation of Discussion | NRC/Southern |
| 3:30 - 3:45 pm | Stakeholder Questions | All |
| 3:45 - 4:00 pm | Next Steps and Closing Remarks | NRC/Southern |

\* Note that list of topics from TICAP workshops including status of the items is available from the May 26, 2021, TICAP workshop meeting summary (see: https://www.nrc.gov/docs/ML2115/ML21158A223.pdf)
TICAP Workshop - Continued
The purpose of this meeting is to discuss with the nuclear industry issues related to the draft guidance document for Safety Analysis Report (SAR) content for an advanced reactor application based on the licensing modernization project.
Key documents associated with the workshop are referenced in the meeting notice and include:
- Industry-developed draft TICAP guidance document (ADAMS Accession No. ML21106A013)
- Continuation of TICAP workshops held in May of 2021
- May 26th meeting summary includes a table with the status of the workshop items up to the date of that meeting (ADAMS Accession No. ML21158A223)
- Additional Background Available on NRC ARCAP/TICAP public webpage (see: https://www.nrc.gov/reactors/new-reactors/advanced/details.html#advRxContentAppProj)
ARCAP and TICAP - Nexus
- Additional contents of application outside of SAR are still under discussion. The above list is draft and for illustration purposes only.
Principal Design Criteria
- Principal Design Criteria (PDCs) are required by regulations: 10 CFR 50.34; 10 CFR 52.47, 52.79, 52.137, and 52.157
- General Design Criteria (GDCs) in 10 CFR Part 50, Appendix A are applicable to LWRs (minimum requirements)
- GDCs in 10 CFR 50, Appendix A are not applicable to non-LWRs, therefore, non-LWR applicants would not need to request an exemption from the GDC in 10 CFR Part 50 when proposing PDC for a specific design.
- RG 1.232 provides guidance for developing PDCs for non-LWR advanced reactors
Principal Design Criteria
- Applicant must provide supporting information that justifies to the NRC how their design meets the proposed PDC and how the proposed PDC demonstrate adequate assurance of safety
- ARDCs developed by the NRC staff are intended to provide insight into the staff's views on how the underlying safety bases for the GDC could be applied to address non-LWR design features; however, these are not considered to be final or binding regarding what may eventually be required from a non-LWR applicant
- ARDCs are an important first step - NRC recognizes the future benefits to risk informing the non-LWR design criteria to the extent possible
- NRC recognizes that the LMP process provides a risk-informed, performance-based approach to developing proposed PDCs
Principal Design Criteria
NRC recognizes that using the LMP process may not address all aspects considered necessary for demonstrating adequate assurance of safety (e.g., normal operations, subcriticality, etc.) and is interested in how these would be proposed to be addressed via the TICAP guidance.
Example:
The LMP design process is focused on off-normal events from AOOs to BDBEs and identifies the design features, performance and special treatment needed to keep those events within the F-C curve and cumulative individual risk targets. Dose at the EAB and cumulative individual risk are the only measures used as acceptance criteria.
However, LMP does not address other concerns associated with the normal operation portion of the design basis, prevention of severe accidents, recovery from off-normal events or non-reactor on-site hazards.
Principal Design Criteria
Examples:
- ARDC 26 - specifies that a means be provided to shut down the reactor and maintain a safe shutdown condition after postulated accidents (DBAs). LMP does not require safe shutdown, only that the dose at the EAB not exceed 25 rem. Safe shutdown is required to terminate the event and provide for refueling, inspections, and/or repair of the facility. Terminating the event is an essential part of safety.
- ARDC 62 - addresses the prevention of criticality in fuel storage and handling. LMP does not address criticality prevention. Such events can result in doses to the public.
Principal Design Criteria
Examples:
- ARDC 10 - protects against fuel damage during normal operation, including AOOs (SAFDLs). This allows continued operation and prevents contaminating the primary coolant system during events which may occur multiple times during the plant lifetime. Such contamination and failed fuel generate additional waste to be disposed of and provide additional radiation hazard to operating personnel. Minimizing waste is a requirement in 10 CFR 20.1406. LMP does not address this concern. It's also noted that a SAFDL limit could be a surrogate for the dose criteria.
Principal Design Criteria
Examples:
- ARDC 35 - specifies that during and following postulated accidents (DBAs), fuel and clad damage do not interfere with effective core cooling. LMP does not require effective core cooling during or after DBAs, only that the dose at the EAB not exceed 25 rem. In effect, LMP would allow a DBA to result in a severe accident as long as the dose does not exceed 25 rem. Loss of effective core cooling should be prevented in the DBE/DBA region to be consistent with the current LWR safety philosophy (as expressed in the LWR regulatory requirements).
Principal Design Criteria
NRC recognizes that the LMP process assigns special treatments to several design attributes (e.g., quality assurance, protection from external hazards, testability, inspectability, etc.) that are addressed in specific and cross-cutting ARDCs and is interested in how the TICAP guidance could address these (e.g., applicant justifies or demonstrates that these design attributes are integral to LMP-based design process and specification through determination of special treatments based on defense-in-depth adequacy assessment).
Examples:
- Various ARDCs (39 & 40 as examples) include requirements that the design of certain SSCs accommodate the capability for their inspection and testing. These kinds of considerations should be included when translating SSC special treatments into associated PDCs, where applicable.
TICAP Proposal on Formulation of Principal Design Criteria (PDC)
23 June 2021
Brandon Chisholm, Southern Company
Ed Wallace, GNBC Associates
Steve Nesbit, LMNT Consulting
Amir Afzali, Southern Company
Resolution from TICAP Workshop #3
- A future conversation will be held between TICAP and NRC/INL staff regarding the definition [description] of Principal Design Criteria (PDC) in Appendix A of 10 CFR Part 50 and the most efficient way for TICAP PDC to comply with existing [applicable] regulations while not losing the advantages provided by an RIPB approach. One specific aspect to discuss is the amount of specificity (i.e., how detailed a PDC must be) that is appropriate and/or required for the set of PDC (e.g., are derived requirements necessary to be identified as PDC?).
- Potentially relevant references:
>> 10 CFR 50.34 (plus 10 CFR 52.47, 52.79, 52.137, and 52.157)
>> Appendix A
- Regulatory Guide 1.232
PDC Description and RIPB Approach
- PDC are described in the introduction of Appendix A of 10 CFR Part 50:
- The principal design criteria establish the necessary design, fabrication, construction, testing, and performance requirements for structures, systems, and components important to safety; that is, structures, systems, and components that provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public.
- Although both are fundamental (and necessary) aspects of a design-specific safety case, the philosophy of the TICAP approach to PDC formulation separates the functions (How?) from the programs and configurations applied to the SSCs performing the functions (How Well?)
- How do plant capabilities (functional and structural) demonstrate that the performance objectives of the Fundamental Safety Functions are met?
>> E.g., SSC design and performance requirements
- How Well do these capabilities need to be performed to provide reasonable assurance of adequate protection to the public?
>> E.g., special treatments related to fabrication, construction, and/or testing
PDC and Elements of a Safety Case

| Aspect of Safety Case | LMP/TICAP | GDC/ARDC |
|---|---|---|
| Adequate protection of the health and safety of the public | RFDC ensure plant capabilities satisfy the performance objectives of the FSFs via plant functions. SRDC ensure SSCs are designed to perform these capabilities | Principal design criteria cover both adequate protection and reasonable assurance |
| Reasonable assurance (of adequate protection) | Reasonable assurance is provided by RIPB Special Treatments (e.g., Plant Programs) | |
| Other aspects of safety case | Additional design margins & Defense-in-Depth; Complementary Design Criteria (CDC) associated with NSRST SSCs | Prescriptive wording in GDC/ARDC (e.g., single failure criterion) |

The proposed TICAP framework for an LMP-based affirmative safety case includes all elements of the safety case related to the PDC relating to LBEs
PDC Formulation Challenges and Opportunities
- By LMP design (to allow for graded approach for defining requirements), PDC established based on the proposed TICAP approach (i.e., PDC RFDC) will not include information regarding items such as fabrication, construction, and testing requirements for structures, systems, and components.
- These topics are included in an affirmative LMP-based safety case as design philosophies, programmatic capabilities, and defense-in-depth measures
- As a result, PDC defined based on the TICAP's proposed approach do not include all attributes from the description in Appendix A of 10 CFR Part 50
>> Additionally, as discussed during Workshop #3, the TICAP PDC are focused on LBEs and not on normal operations (e.g., waste effluents addressed via ARCAP)
PDC Formulation Challenges and Opportunities
- From Appendix A of 10 CFR Part 50: The development of these General Design Criteria is not yet complete. For example, some of the definitions need further amplification. Also, some of the specific design requirements for structures, systems, and components important to safety have not as yet been suitably defined.
- From RG 1.232: The non-LWR design criteria developed by the NRC staff and included in Appendices A to C of this regulatory guide are intended to provide stakeholders with insight into the staff's views on how the GDC could be interpreted to address non-LWR design features; however, these are not considered to be final or binding regarding what may eventually be required from a non-LWR applicant.
PDC Formulation Challenges and Opportunities
- From RG 1.232: It is the applicant's responsibility to develop the PDC for its facility based on the specifics of its unique design, using the GDC, non-LWR design criteria, or other design criteria as the foundation. Further, the applicant is responsible for considering public safety matters and fundamental concepts, such as defense in depth, in the design of their specific facility and for identifying and satisfying necessary safety requirements.
- The GDC/ARDC (the current precedent for PDC) do not provide a comprehensive basis for the safety of a non-LWR design
PDC Formulation Challenges and Opportunities
- From RG 1.233: This methodology also provides a logical and structured approach to identifying the safety or risk significance of SSCs and associated programmatic controls. The methodology's focus on those measures needed to address risks posed by non-LWR technologies will help an applicant provide sufficient information on the design and programmatic controls, while avoiding an excessive level of detail on less important parts of a plant.
- From RG 1.233: A designer can use safety-analysis methods appropriate to early stages of design, such as failure modes and effects analyses and process hazard analyses. Designers may likewise use the design criteria from RG 1.232 and confirm or refine them throughout the design process to develop the final PDC provided in an application.
PDC Formulation Challenges and Opportunities
- From RG 1.233:
- The staff finds that the NEI 18-04 methodology, including assessments of event sequences and DID, obviates the need to use the single-failure criterion as it is applied to the deterministic evaluations of AOOs and DBAs for LWRs.
- The staff's finding is based primarily on the integrated methodology described in NEI 18-04 and to a lesser degree on the design attributes of non-LWRs.
- Non-LWR developers that construct a licensing basis for a design using an alternative to the NEI 18-04 methodology would need to maintain or justify not applying the single-failure criterion to those LBEs analyzed in a deterministic or stylized approach, such as DBAs. RG 1.232 describes an approach that maintains the single-failure criterion, but acknowledges the potential future benefits of risk informing the non-LWR design criteria.
PDC Formulation Challenges and Opportunities
- From RG 1.233:
- For SSCs classified as SR, required functional design criteria (RFDC) and lower-level design criteria are defined to capture design-specific criteria that may supplement or may not be captured by the principal design criteria for a reactor design developed using the guidance in RG 1.232. These criteria are used within the methodology to frame specific design requirements as well as special treatment requirements for SR SSCs.
- The RFDC, design requirements, and special-treatment requirements that result from the methodology in NEI 18-04 also define key aspects of the SSCs that will be described in safety analysis reports.
PDC Formulation Challenges and Opportunities
- The TICAP team contends that the description of the affirmative LMP-based safety case, as proposed by TICAP, provides:
- A more complete basis for a facility's safety based on the specifics of its unique design.
>> The RFDC, SRDC, applied special treatments, Complementary Design Criteria (CDC), and description of both programmatic and configuration specific requirements provide a more complete picture than provided by the GDC (in Appendix A of 10 CFR Part 50) or ARDC (in Regulatory Guide 1.232).
>> As previously noted, the exception to this more complete basis is the set of design criteria pertaining to normal operations
- The same type of information described as PDC in the introductory text to Appendix A of 10 CFR Part 50, although the information is not uniformly identified as PDC.
Possible Solutions (in order of preference)
1. NRC finding in the TICAP Regulatory Guide that an applicant with an adequate LMP-based affirmative safety case conforming to NEI 18-04 and to RG 1.233 has provided an acceptable alternative to the requirements of 10 CFR 50.34, 10 CFR 50 Appendix A, 10 CFR 50.47, and 10 CFR 52.79 related to establishing PDC (within the scope of NEI 18-04 and RG 1.233)
Implementation:
- Functional plant capabilities necessary to meet the performance objectives of the Fundamental Safety Functions are identified as RFDC
- Programmatic requirements are identified as Special Treatments and/or Plant Programs
TICAP team thoughts:
- Removes conflict between PDC description and TICAP approach
- Maintains advantages of RIPB graded, safety-focused approach
- Clarifies otherwise competing terminology (i.e., PDC vs. RFDC)
- May simplify ARCAP handling of design criteria for normal operation
Possible Solutions (in order of preference)
2. NRC finding in the TICAP RG that an applicant with an adequate LMP-based affirmative safety case conforming to NEI 18-04 and Reg Guide 1.233 has thereby provided an adequate basis for a departure that satisfies the fabrication, construction, testing, and performance requirements elements of the PDC description in 10 CFR Part 50 Appendix A
Implementation:
- TICAP guidance would clarify that the RFDC would constitute the set of design-specific PDC
- Programmatic requirements would be identified as Special Treatments and/or Plant Programs (i.e., not PDC)
TICAP team thoughts:
- Enables systematic grouping of requirements (i.e., PDC = functional, programmatic = Special Treatments and/or Plant Programs)
- Would prefer not to include competing terminology (i.e., both RFDC and PDC)
- PDC related to normal operations would be identified via ARCAP
Discussion Point #2:
Specificity of PDC
Resolution from TICAP Workshop #3
- A future conversation will be held between TICAP and NRC/INL staff regarding the definition [description] of Principal Design Criteria (PDC) in Appendix A of 10 CFR Part 50 and the most efficient way for TICAP PDC to comply with existing regulations while not losing the advantages provided by an RIPB approach.
- One specific aspect to discuss is the amount of specificity (i.e., how detailed a PDC must be) that is appropriate and/or required for the set of PDC (e.g., are derived requirements necessary [appropriate] to be identified as PDC?).
TICAP Discussion - PDC Specificity
- The combination of the following is sufficient to establish reasonable assurance that the facility can be operated without undue risk to the health and safety of the public:
- RFDC: ensures function(s) necessary to satisfy performance objectives of regulation is/are included in design
- SRDC: ensures SR SSC(s) are designed to perform necessary function(s) to satisfy performance objectives
- Special Treatments: ensures SSC(s) perform function(s) with sufficient reliability and capabilities, influenced by RIPB considerations
- There are a number of other requirements that will be developed during the design process of a plant
- Many of these requirements relate to objectives other than protecting the health and safety of the public
- Other derived requirements should not be included in the PDC
Example - TerraPower MCRE Tabletop Exercise
- RFDC: The primary system boundary shall be designed to reliably retain fuel and other radionuclides under operating, maintenance, testing, and postulated accident conditions.
- SRDC: The reactor vessel shall be designed with sufficient margin to assure that when stressed under operating, maintenance, testing, and postulated accident conditions the probability of rupture is minimized. The design shall reflect consideration of service temperatures, service degradation of material properties, creep, fatigue, stress rupture, and other conditions of the boundary material under operating, maintenance, testing, and postulated accident conditions and the uncertainties in determining (1) material properties, (2) the effects of coolant chemistry, and irradiation on material properties, (3) residual, steady state and transient stresses, and (4) size of flaws.
Some Example SR SSC Special Treatments
- From NEI 18-04, Rev. 1: Table 5-7. Examples of Special Treatments Considered for Programmatic DID
Examples of GDC that might not be RIPB PDC
From Appendix A of 10 CFR Part 50:
- Criterion 32 - Inspection of reactor coolant pressure boundary. Components which are part of the reactor coolant pressure boundary shall be designed to permit
- (1) periodic inspection and testing of important areas and features to assess their structural and leaktight integrity, and
- (2) an appropriate material surveillance program for the reactor pressure vessel.
- Criterion 39 - Inspection of containment heat removal system. The containment heat removal system shall be designed to permit appropriate periodic inspection of important components, such as the torus, sumps, spray nozzles, and piping to assure the integrity and capability of the system.
Examples of GDC that might not be RIPB PDC
From Appendix A of 10 CFR Part 50:
- Criterion 53 - Provisions for containment testing and inspection. The reactor containment shall be designed to permit
- (1) appropriate periodic inspection of all important areas, such as penetrations,
- (2) an appropriate surveillance program, and
- (3) periodic testing at containment design pressure of the leaktightness of penetrations which have resilient seals and expansion bellows.
Concluding TICAP Discussion - PDC Specificity
- The exact solution to this specific concern depends upon handling of prior topic
- Within the LMP-based affirmative safety case, Special Treatments are identified for SR and NSRST SSCs using a RIPB approach
- Chapter 6 of the SAR will identify the STs for each SR SSC (Chapter 7 for the NSRST SSCs)
- If PDC are identified within the TICAP framework, it is the position of the TICAP team that the PDC would not prescribe design criteria to implement the STs for individual SSCs. The ST are derived as part of the execution of the LMP process based on the specific design.
Important to Safety and LMP [Backup Slide 1]
- From LMP White Paper on SSC Classification - Section 2.4.1, Safety-Significant SSCs (https://doi.org/10.2172/1700535)
- The term "important to safety" that is used in the NRC regulatory framework including the Advanced Reactor Design Criteria and General Design Criteria is not used within the LMP methodology. All the SSCs that have risk significance or perform functions necessary for DID adequacy are contained within the LMP safety-significant SSCs and are either SR SSCs or NSRST SSCs. There are no non-safety-significant SSCs within the LMP methodology that are judged to be important to safety. Hence it was deemed unnecessary to introduce an additional category called "important to safety" in order to formulate performance criteria for safety-significant SSCs.
TICAP FSF Chart [Backup Slide 2]
[Figure: chart. Labels recovered from the slide:]
- Fundamental Safety Functions (FSFs)
- PRA Safety Functions (PSFs)
- Required Safety Functions (RSFs)
- Other Risk Significant Safety Functions
- Other Safety Functions for Adequate DID
- Other Safety Functions
- Safety Related (SR) SSCs
- Non-SR with ST (NSRST) SSCs
- Non-SR With No ST SSCs (NST)
- NSRST SSC Performance Targets
- NSRST SSC Special Treatment Requirements
- Required Functional Design Criteria (RFDC)
- Input to Design and Content of Application
- SR SSC Performance Targets
- SR SSC Special Treatment Requirements
- SR SSC Design Criteria (SRDC)
- Functions Provided in the Design
- Design Basis External Hazard Levels (DBEHLs)
- LBEs from LMP (AOOs, DBEs, and BDBEs)
- Design Basis Accidents (DBAs)
- Frequency-Consequence and Cumulative Risk Targets
- What? / When? / How? / How Well?
PDC and CDC are answers to How? [Backup 3]
[Figure: chart repeating the boxes of the TICAP FSF Chart, with Principal Design Criteria (PDC) and Complementary Design Criteria (CDC) added]
Reliability and Capability Targets
Summary of TICAP Workshop #3 discussion held May 26, 2021:
- NRC staff noted that the reliability and capability targets were not proposed to be captured in the safety analysis report (SAR) contrary to guidance in NEI 18-04, Section 4.1, Task 7.
- From the NRC's perspective the SAR should describe reliability and capability targets and performance requirements used as input to the PRA and for SR and NSRST SSCs that were used to develop the selection of special treatment requirements (i.e., programmatic actions used to maintain performance within the design reliability targets).
- The NRC noted that this information is important to capture in the SAR and in some cases will be used as input to technical specification requirements.
Reliability and Capability Targets
Additional observations from the LMP Lessons Learned Report:
(see table of reports under Industry-led Licensing Modernization Project on NRC's public website: https://www.nrc.gov/reactors/new-reactors/advanced/details.html#modern)
When the SSC safety classification steps of the LMP are applied, reliability and capability targets are set for the safety significant SSCs.
These targets consider how reliable and capable the SSCs were assumed to be when assessed in the PRA, including how much the performance may deviate without adversely impacting the risk significance of LBEs and SSCs relative to Frequency-Consequence Target (F-C Target) and cumulative risk targets.
All safety significant SSCs, which include SR and NSRST SSCs, will have performance targets for reliability and capability. These targets are set as part of the DID adequacy evaluation.
The DID baseline is developed as part of the plant license application.
Reliability and Capability Targets
The maintenance of a DID baseline is a necessary component of the design and licensing process and supports plant changes (design or operations) throughout the plant lifetime that may impact nuclear safety. The change management of the DID baseline begins following the submittal of the license application. (See NEI 18-04 Section 5.9.7.)
In response to SSCQ7 on the availability of guidance on how to set reliability and capability targets for safety significant SSCs, the concept of using the Reliability and Integrity Management (RIM) was discussed (ref. Section 3.5.1 in the LMP report on SSC safety classification and performance requirements). In the RIM program, the allocation of reliability targets starts at the plant level, which in the LMP methodology is represented by the F-C Target and the cumulative risk targets. SSC level targets are then set based on controlling the frequencies and consequences of the LBEs within those targets.
Reliability and Capability Targets
- The NRC is interested in how the TICAP guidance proposes to address the documentation of reliability and capability targets (e.g., through the SAR or other documents submitted with the application or auditable, inspectable owner-controlled documents/programs)
- The guidance must take into consideration that any of the reliability/capability target information and resulting LBE margins relied upon by the NRC in making its safety findings must be docketed information
Examples for discussion:
- How would the reliability and capability targets be documented?
  - in the SAR
  - in the DID baseline document
  - in the RIM program
  - in the Technical Specification
  - are there other potential approaches
Reliability and Capability Targets
Examples for discussion:
- How would achievement of the reliability and capability targets be demonstrated?
  - use the Maintenance Rule (10 CFR 50.65) program?
- What if a reliability or capability target is not achieved (Tech Spec completion times including RICTs, ROP and SDP, use of fleet-wide or industry-wide reliability data such as EPIX, appropriate and timely enforcement actions, etc.)?
TICAP Proposal on Reliability and Capability Targets
June 23, 2021
Mike Tschiltz, Nuclear Energy Institute
Karl Fleming, KNF Consulting Services
Travis Chapman, X-energy
Stephen Vaughn, X-energy
Reliability and Capability Targets
Issue: NEI 18-04 Section 4.1 notes that the reliability and capability targets for Safety Related (SR) and Non-Safety Related with Special Treatment (NSRST) Systems Structure and Components (SSCs), and special treatment requirements for SR and NSRST SSCs define safety-significant aspects of the descriptions of SSCs that should be included in safety analysis reports.
- The main purpose of setting reliability and capability targets per NEI 18-04 is to identify special treatment requirements.
- X-energy developed examples of reliability and capability targets to support determining the level (plant level, functional level or SSC level) for documenting the targets in the SAR.
- The purpose of the examples was to provide greater clarity on how best to meet the intent of NEI 18-04 Sect 4.1 for reliability and capability targets while avoiding the duplication of information that is documented and maintained in licensee programs.
Discussion Topics
- Clarify NEI 18-04 intent of definitions of reliability and capability
- Role of Targets in the Xe-100 Safety Case
- Selection of functional reliability and capability targets
- Allocation of functional reliability and capability targets to individual components
- Example Functional Targets for Control of Helium Pressure Boundary (HPB) and Core Geometry
- Review of applicable RFDC and LBEs which frame the development of targets
- Selection of functional reliability and capability targets
- Identification of SSCs for future component level reliability and capability targets
- Documentation considerations
- Summary and insights for TICAP guidance
LMP Intended Definitions of Reliability and Capability
- The term reliability as used informally in NEI 18-04 refers to the reliability performance metrics involved in the estimation of event sequence frequencies and includes:
- Initiating event frequencies
- Metrics such as unavailability, unreliability, event occurrences, time out-of-service, fraction of time in an operating state, etc. as needed to evaluate safety function failure probabilities in the PRA
- Note that reliability is not observable but rather calculated based on observed performance measures and available generic evidence
- LMP intends flexibility in the metrics to be used to express targets
- The term capability is a performance measure used to establish the successful completion of a function; in LMP the functions are the prevention and mitigation of LBEs
- Reliability and capability targets can be established at different levels including:
- Plant level by controlling the frequencies, consequences, and risk significance of the LBEs
- Functional level by controlling the reliabilities and capabilities of SSCs in the performance of safety functions across multiple SSCs
- Component level by controlling the reliabilities and capabilities of individual components supporting a safety function for a specific LBE or set of LBEs.
More on Capability
- Capability is linked to the success criterion used to quantify the failure probability
- Example: the reliability target for the failure probability of a pump is $10^{-2}$. The capability target is reflected in the success criterion used to evaluate the failure probability, e.g. the pump shall deliver fluid at a flow rate of X gpm at Y psi for 24 hrs in response to the challenge to the pump defined along LBE z.
- Capability is also linked to the plant capabilities to prevent or mitigate the consequences of LBEs
Xe-100 Functional Reliability and Capability Targets
- Purpose is to define quantitative targets for capability and reliability:
- at level of functions directly supporting the RSFs and the RFDCs
- linked to controlling the frequency and consequences of LBEs
- to maintain the classification and risk significance of LBEs
- to provide a basis for allocating reliability and capability targets to individual SSCs
- Xe-100 considers functional reliability and capability targets for
- Helium Pressure Boundary and Core Geometry Targets (developed here)
- Fuel performance targets (not developed here)
- Core heat removal control targets (not developed here)
- Core reactivity control targets (not developed here)
- Water/steam ingress control targets (not developed here)
- Functional reliability targets presented in the following slides are similar to the Plant Level Reliability Goals in Section 3.5.1 of the LMP SSC Report SC-29980-102 Rev 1
- Functional targets to be allocated to individual components in the formulation of component reliability and capability targets (TBD)
Reliability and Capability Targets for Helium Pressure Boundary (HPB) and Core Geometry
- The Xe-100 HPB includes:
- Reactor, steam generator, and cross vessels
- Bolted attachments and connections between vessels
- Interfacing piping and weldments for fuel inlet and outlet, Helium Service System, primary relief valves, and instrument lines
- Xe-100 barriers to radionuclide release:
- Primary barrier is the TRISO particle/pebble matrix fuel
- Helium pressure boundary (HPB) provides a secondary barrier
- Reactor building and its HVAC filtration provide a tertiary barrier
- Xe-100 safety case does not rely on maintaining an inventory of Helium or primary pressure for performance of any Required Safety Function
- Large HPB components are classified as SR for the function of maintaining core geometry and safety valves are SR for controlling system pressure (not for maintaining a leak tight pressure boundary)
- Smaller HPB components are candidates for NSRST because they serve as a barrier to radionuclide release from the fuel pebbles for many LBEs
- Reliability and capability targets based on the Xe-100 RSFs, RFDCs, and LBEs developed in the Xe-100 LMP and TICAP pilots and summarized on following slides
Preliminary Xe-100 Required Functional Design Criteria (RFDC) 1 of 4

| Required Safety Function | Required Functional Design Criteria |
|---|---|
| 1 Retain Radionuclides in Fuel Particles | The reactors in the plant shall be designed, fabricated, and operated in such a manner that radionuclide releases from the fuel to the primary heat transport fluid will not exceed acceptable values. |
| 1.1 Control Reactivity | The reactors in the plant shall be designed, fabricated, and operated in such a manner that the inherent nuclear feedback characteristics and the reactivity control systems will ensure that the acceptable fuel performance limits are not exceeded. |
| 1.2 Control Heat Removal | The reactor characteristics including the geometry, materials, core power density, internals, and vessel, and the passive cooling pathways from the core to the environment shall be designed, fabricated, and operated in such a manner that the fuel performance limits are not exceeded. |
| 1.3 Control Water/Steam Ingress | The reactor systems and structures that prevent or mitigate the ingress of water and steam to the primary system shall be designed, fabricated, and operated in such a manner that core geometry is maintained. |
Preliminary - Xe-100 Required Functional Design Criteria (RFDC) 2 of 4

1.1 Control Reactivity

| Required Safety Sub-Functions | Required Functional Design Criteria (RFDC) |
|---|---|
| 1.1.1 Control with Passive Reactivity Feedback | The reactor shall be designed with sufficient negative reactivity feedback to preclude the need for rapid insertion of movable poisons to control heat generation. |
| 1.1.2 Reactor Shutdown Capability | The equipment needed to sense, command, and execute insertion of movable poisons, along with any necessary support systems, shall be designed in such a manner that effects and maintains reactor shutdown. |
| 1.1.3 Maintain Geometry for Insertion of Movable Poisons | The design of structures such as the guide tubes, graphite reflectors, core support structure, core lateral restraint assemblies, reactor vessel, and reactor vessel supports shall ensure geometry is maintained for insertion of movable poisons. |
Preliminary Xe-100 Required Functional Design Criteria (RFDC) 3 of 4

1.2 Control Heat Removal

| Required Safety Sub-Functions | Required Functional Design Criteria |
|---|---|
| 1.2.1 Transfer Heat from Fuel to Vessel Wall | The reactor shall be designed and configured in a manner that will ensure sufficient heat transfer by conduction, radiation, and convection from the fuel to the reactor vessel wall to maintain fuel temperatures within acceptable limits following a loss of forced cooling. The materials which transfer the heat shall be chosen to withstand the conditions experienced during this passive mode of heat removal. This criterion shall be met regardless of the primary heat transport system pressure and fluid composition. |
| 1.2.2 Radiate Heat from Vessel Wall | The vessel shall be designed in a manner that will ensure that sufficient heat is radiated to the reactor cavity to maintain fuel, other core components, and vessel temperatures within acceptable limits. This criterion shall be met regardless of the primary heat transport system pressure and fluid composition. |
| 1.2.3 Transfer Heat from Vessel Wall to Ultimate Heat Sink | A means shall be provided to transfer heat from the vessel wall to the ultimate heat sink. Heat shall be removed at a rate which limits fuel, other core components, and reactor vessel temperatures to acceptable levels during a loss of forced circulation. |
| 1.2.4 Maintain Geometry for Conduction and Radiation | The design of systems and structures to maintain core geometry such as the core support structure, graphite reflector, core barrel, core lateral restraint assembly, reactor vessel, reactor vessel supports, primary relief valve, and reactor building shall be designed in such a manner that their integrity is sufficiently maintained to transfer heat from the reactor core to the reactor cavity and environment and maintain fuel temperatures within acceptable limits. |
Preliminary Xe-100 Required Functional Design Criteria (RFDC) 4 of 4

1.3 Control and Mitigate Water and Steam Ingress

| Required Safety Sub-Functions | Required Functional Design Criteria |
|---|---|
| 1.3.1 Control Water and Steam Ingress from SG | The steam generator, steam generator isolation systems, and other supporting systems shall include a means to prevent and limit the amount of steam and water that can enter the reactor vessel to an acceptable level. |
| 1.3.2 Control Primary System pressure | The helium pressure boundary and its pressure relief system shall be designed and fabricated to control primary system pressure to acceptable levels and maintain core geometry in the event of water or steam ingress. |
Xe-100 LBEs informing HPB Targets 1 of 2

| LBE ID | Event Seq. ID | Initiating Event | Plant Response | Frequency (per-plant-year) | End State* |
|---|---|---|---|---|---|
| AOO-09 | SD-01 | Small Depressurization | Leak isolated, OCS maintains power operation | 5.00E-02 | I |
| AOO-10 | SD-03 | Small Depressurization | Fail to isolate leak, reactor trip, forced cooldown on ML | 4.62E-02 | SNC |
| DBE-01 | SG-01 | Steam Generator Tube Rupture | SG isolation, SG dump valves open and reclose, forced cooling re-established via SU/SD System | 9.73E-03 | I |
| DBE-05 | SD-09 | Small Depressurization | Fail to isolate leak, reactor trip, ML failure, forced cooldown on SU/SD system | 4.83E-03 | SNC |
| DBE-09 | MD-01 | Medium Depressurization | Leak isolated, reactor trip, forced cooldown via SU/SD System, RB filtration | 4.93E-04 | MNP |
| DBE-10 | SD-02 | Small Depressurization | Leak isolated, OCS fails to maintain power operation, forced cooling via ML | 4.85E-04 | I |
| DBE-11 | SD-10 | Small Depressurization | Fail to isolate leak, reactor trip, ML failure, SU/SD failure, primary pump-down, conduction cooldown via RCCS, RB filtration | 4.55E-04 | SND |
| DBE-12 | MD-02 | Medium Depressurization | Leak not isolated, reactor trip, forced cooldown via SU/SD System, RB dampers open, RB filtration | 4.55E-04 | MRP |
| BDBE-01 | SG-02 | Steam Generator Tube Rupture | SG isolation, SG dump valves open and reclose, SU/SD system fails, conduction cooldown via RCCS | 9.96E-05 | I |
| BDBE-02 | SG-04 | Steam Generator Tube Rupture | SG isolation, SG dump valves open and fail to reclose, forced cooling re-established via SU/SD System | 9.95E-05 | XNC |
| BDBE-03 | SG-18 | Steam Generator Tube Rupture | SG fails to isolate, FW pump trip, Primary safety valves open and reclose, conduction cooldown via RCCS | 9.01E-05 | VNC |
| BDBE-04 | SG-09 | Steam Generator Tube Rupture | SG isolation, SG dump valves fail to open, primary safety valves open and reclose, forced cooling re-established via SU/SD System | 8.86E-05 | VNC |
| BDBE-05 | SD-14 | Steam Generator Tube Rupture | Fail to isolate leak, reactor trip, ML failure, SU/SD failure, primary pump-down failure, conduction cooldown via RCCS, RB filtration | 5.08E-05 | SND-p |
| BDBE-07 | MD-14 | Medium Depressurization | Leak not isolated, reactor trip, conduction cooldown via RCCS, RB dampers open and reclose, RB filtration | 4.82E-05 | MRD-a |
| BDBE-08 | FW-04 | Feedwater Pump Trip | Circulator fail to trip, primary RV opens, recloses, conduction cooldown via RCCS | 4.34E-05 | VNC |
| BDBE-11 | SD-03 | Small Depressurization | Leak isolated, ML failure, Forced cooling via SU/SD | 2.56E-05 | I |

* I = Intact HPB with no release; other codes describe releases with different source term characteristics
Xe-100 LBEs informing HPB Targets 2 of 2

| LBE ID | Event Seq. ID | Initiating Event | Plant Response | Frequency (per-plant-year) | End State* |
|---|---|---|---|---|---|
| BDBE-15 | SG-20 | Steam Generator Tube Rupture | SG fails to isolate, FW pump trip, Primary safety valves open and fail to reclose, conduction cooldown via RCCS, RB HVAC filtration | 1.19E-05 | VND-w |
| BDBE-16 | SG-12 | Steam Generator Tube Rupture | SG isolation, SG dump valves fail to open, primary safety valves open and fail to reclose, forced cooling re-established via SU/SD System | 1.18E-05 | VNC |
| BDBE-20 | MD-02 | Medium Depressurization | Leak isolated, reactor trip, forced cooldown via SU/SD System, RB filtration fails | 6.20E-06 | MNP-u |
| BDBE-21 | SD-11 | Small Depressurization | Fail to isolate leak, reactor trip, ML failure, SU/SD failure, primary pump-down, conduction cooldown via RCCS, RB filtration failure | 5.72E-06 | SND-u |
| BDBE-22 | MD-12 | Medium Depressurization | Leak not isolated, reactor trip, SU/SD fails, conduction cooldown via RCCS, RB filtration | 5.71E-06 | MNP |
| BDBE-24 | MD-26 | Medium Depressurization | Leak not isolated, reactor trip, forced cooldown via SU/SD System, RB dampers fail to open, RB filtration | 5.24E-06 | MRP-u |
| BDBE-25 | MD-03 | Medium Depressurization | Leak isolated, reactor trip, SU/SD fails, conduction cooldown via RCCS | 5.05E-06 | MFD-au |
| BDBE-27 | LD-02 | Large Depressurization | RB dampers open, Conduction cooldown via RCCS, RB dampers fail to reclose | 1.77E-06 | LOD-au |
| BDBE-28 | LD-09 | Large Depressurization | RB dampers fail to open, Conduction cooldown via RCCS | 1.03E-06 | LFD-aud |
| BDBE-29 | SG-05 | Steam Generator Tube Rupture | SG isolation, SG dump valves open and fail to reclose, conduction cooling via RCCS, RB HVAC filtration | 1.01E-06 | XND-w |
| BDBE-31 | SG-10 | Steam Generator Tube Rupture | SG isolation, SG dump valves fail to open, primary safety valves open and fail to reclose, forced cooling re-established via SU/SD System | 9.08E-07 | VNC |
| BDBE-32 | SG-25 | Steam Generator Tube Rupture | SG fails to isolate, FW pump fail to trip, Primary safety valves open and reclose, forced cooling via main loops | 8.33E-07 | VNC |
| BDBE-33 | SD-15 | Small Depressurization | Fail to isolate leak, reactor trip, ML failure, SU/SD failure, primary pump-down failure, conduction cooldown via RCCS, RB filtration failure | 6.39E-07 | SND-pu |

* I = Intact HPB with no release; other codes describe releases with different source term characteristics
Preliminary Functional Reliability Targets for HPB and Core Geometry

| HPB Failure Mode | Target for 4-Unit Plant | Related Capabilities |
|---|---|---|
| Leaks with EBS* > 10mm | < 1 x 10^-2/plant-year | Xe-100 design objective to rely only on NST SSCs to mitigate LBEs classified as AOOs. Keeps small leaks in HPB in AOO region. |
| Leaks with EBS > 65mm | < 1 x 10^-4/plant-year | Selection of the design basis break size equal to the size of the largest pipe. Keeps HPB breaks between 10 and 65mm in the DBE region, and those greater than 65mm in BDBE region |
| Major structural vessel failure | < 1 x 10^-7/plant-year | Assures maintenance of core geometry throughout AOO, DBE, and BDBE region |
| Over-pressurization failure of Vessels | < 1 x 10^-7/plant-year | Controls the frequency of challenges to the primary safety valves and informs the selection of setpoints, capacities, and reliabilities of the relief valves |

* EBS = Equivalent Break Size
Functional Reliability Targets for HPB and Core Geometry
Allocation of Targets to Individual SSCs
- Because LBEs involve multiple safety functions, the allocation of functional targets to individual SSCs must be done collectively for all the functional targets in an integrated fashion
- Top-down allocation of functional targets to specific components is based on evolution of PRA and HPB reliability assessments.
- Specific components for HPB include, as examples:
  - Pressure vessels (reactor, steam generator*, and cross vessel)
  - Primary system safety valves
  - Bolted and seal welded connections between vessels and for vessel attachments (e.g. control rod standpipes, circulator assemblies, access covers, pipe flanges, many of these)
  - Interfacing piping and associated weldments (fuel inlet and outlets, HSS, safety valve piping) and associated isolation valves
  - More than 100 individual components to be addressed in individual SSC targets for HPB alone
- Monitoring strategies for passive HPB components focus on degradation mechanisms, leak surveillance, and non-destructive examinations per ASME Section XI Division 2 (RIM)
- At the SSC level the volume of reliability targets and number of LBEs whose risks they affect leads to documentation that is too voluminous and impractical to include in SAR and better covered in the plant records (i.e., PRA, RIM/RAP, TRM)

* Targets for the Steam Generator also addressed by functional targets for water ingress
Preliminary HPB Reliability Assessment
Detailed reliability assessments such as this will be used to inform the allocation of functional level targets to component level targets
HPB Capability Requirements
- Each reliability target is tied to a set of success criteria for specific safety functions tied to a different set of LBEs that are top-level statements of the associated capability target
- A large body of information on capability targets is currently included in TICAP guidance
- Capabilities of SR SSCs are addressed in:
  - Section 3 for the safety functions credited in mitigating the LBEs
  - Section 5 for the RFDC and PDCs that the SR SSCs need to support for specific SSC functions and LBEs
  - Section 6 for the SRDC, DBEHLs, STs, and system descriptions that the SR SSCs need to support
- Capabilities for NSRST SSCs are addressed in:
  - Section 3 for the safety functions credited in the LBEs
  - Section 5 for CDC and success criteria for specific SSC functions and LBEs
  - Section 7 for STs and system descriptions that the NSRST SSCs need to support
- Additional functional capability targets for the Xe-100 HPB example
- Capability targets reflected in the above sections for LBEs, RFDC, DBEHLs, CDCs, and STs
- Capabilities to support the RSFs and RFDC by maintaining core geometry for all identified LBEs
- Capability to maintain the HPB integrity for all LBEs classified with intact HPB
- Additional capabilities to be demonstrated by application of the selected building, structure, and design codes for component and structures necessary to assure core geometry
Summary
- Reliability and capability targets are targets that can be measured, quantified, and monitored and are developed as part of the LMP Integrated Decision-making Process
- Primary purpose is to inform the selection of STs for safety significant SSCs and to implement the performance-based element of the LMP methodology
- Reliability targets include all the metrics used to determine the frequency of event sequences, including the initiating event frequencies and safety function failure probabilities
- Capability targets are linked to the success criteria that are used to derive the reliability targets
- Reliability and capability targets may be defined:
- At the plant level by controlling the frequencies, consequences, classification, and risk significance of LBEs
- At the functional level by controlling the reliability and capability of safety functions across multiple LBEs.
- At the component (and human) level by controlling the reliability and capability of components in the performance of a safety function
- Functional level reliability and capability targets are proposed for inclusion into the SAR consistent with NEI 18-04
- Allocation of functional targets to components is complex and must be done in an integrated fashion due to the many LBEs, components, and safety function interactions on the LBEs
- Component level reliability and capability targets are too voluminous and impractical for inclusion into the SAR and, hence, are proposed for inclusion in the plant records
Reliability and Capability Targets in the SAR
- TICAP team planned approach:
  - In Chapter 8, description of the plant program(s) that capture SSC-level reliability and capability targets that are incorporated by reference in the SAR (i.e., subject to 10 CFR 50.59 change control);
  - Should be noted that plant level targets are already contained in draft TICAP guidance;
    - Chapter 3, plant-level reliability and capability targets in the form of the Frequency-Consequence Target
  - Risk-informed, performance-based (RIPB) guidance for 10 CFR 50.59 should be developed to allow effective and efficient change control providing flexibility for appropriate owner changes.
- TICAP team recognizes other approaches are also viable, such as one which:
  - Provides function-level reliability and capability targets in the SAR;
  - Captures SSC-level reliability and capability targets in description of the plant program(s) in Chapter 8; and
  - Utilizes RIPB guidance for 10 CFR 50.59 as described above.
Timeline for Technology Inclusive Content of Application Project (TICAP) Guidance and Advanced Reactor Content of Application Project (ARCAP) Guidance (rev 6/23/2021)

| Milestone | Date |
|---|---|
| Southern Revision B of TICAP Guidance Document | 4/15/2021 |
| Southern Revision C of TICAP Guidance Document | 7/16/2021 |
| NEI Revision 0 of TICAP Guidance Document | 8/27/2021 |
| NEI Revision 1 of TICAP Guidance Document | 1/19/2022 |
| NRC Comments based on TICAP Workshops | 6/10/2021 |
| NRC TICAP Regulatory Guide (Draft) | 9/10/2021 |
| NRC TICAP Regulatory Guide | 3/25/2022 |
| NRC/Industry update ACRS Subcommittee on status of ARCAP/TICAP guidance documents | 7/21/2021 |
| NRC/Industry brief ACRS Subcommittee on ARCAP/TICAP guidance documents (NEI, Rev0 and Staff Draft RG) | 10/12/2021 |
| NRC/Industry brief ACRS Subcommittee on final ARCAP/TICAP guidance | 2/9/2022 |
| NRC/Industry brief ACRS Full Committee on final TICAP guidance | 3/3/2022 |
| ARCAP Application Outline Updated to be Consistent with TICAP outline | 1/30/2021 |
| Draft ARCAP Roadmap ISG, ARCAP ISG for "Site Information," and ARCAP Chapters 9, 10, 11, and 12 issued | 9/10/2021 |
| TICAP Tabletop Exercises | 2/1/2021 to 4/2/2021 |
| TICAP Workshops | 5/2/2021 to 5/26/2021 |
Next Steps - Future Milestones

| TICAP Near-Term Milestones | Target Date |
|---|---|
| Southern Revision C to TICAP Guidance Document | mid July 2021 |
| ACRS Future Plant Subcommittee Meeting providing status of ARCAP and TICAP Guidance Documents | mid July 2021 |
| NEI Revision 0 of TICAP Guidance Document | August 2021 |
| ACRS Future Plant Subcommittee Meeting on ARCAP/TICAP Guidance Documents | October 2021 |