ML21278B098

From kanterella
Jump to navigation Jump to search

Oklo, Inc. - Maximum Credible Accident Methodology
ML21278B098
Person / Time
Site: 05200049
Issue date: 10/05/2021
From:
Oklo Inc
To:
Office of Nuclear Reactor Regulation
Shared Package
ML21278B096 List:
References
Download: ML21278B098 (19)
v  d  e


Text

Maximum Credible Accident Methodology October 2021 Oklo Inc., Non-proprietary Revision 3

Maximum Credible Accident Methodology Table of contents 1 Purpose and scope ................................................................................................................ 3 1.1 Interfaces ................................................................................................................... 4 1.2 Regulatory requirements ....................................................................................... 5 2 Analysis approach ................................................................................................................ 6 3 Identification of possible events ....................................................................................... 8 4 Determination of applicability .......................................................................................... 9 5 Evaluating credibility of events ...................................................................................... 10 6 Grouping of events ............................................................................................................. 12 7 Performing bounding analyses ....................................................................................... 13 8 Selecting the MCA .............................................................................................................. 15 9 Applying the defense-in-depth consideration ............................................................. 16 10 Inclusion of risk insights ................................................................................................ 18 11 Conclusion .......................................................................................................................... 19 Oklo-2021-R19-NP, Rev. 3 2

Maximum Credible Accident Methodology 1 Purpose and scope The purpose of this document is to summarize the safety analysis methodology performed by Oklo Inc. (Oklo) for the licensing bases of its designs.

This methodology is used to guide event analyses broadly, ultimately resulting in the identification of a specific event, the maximum credible accident (MCA), which becomes the licensing basis event for the design. The concept of an MCA has roots to the beginning of U.S.

nuclear regulation,1 and the concept has informed regulation to the present time. At the core of this concept is the idea of identifying a sufficiently bounding accident to represent a credible but conservatively bounding worst case scenario in terms of possible accident scenarios. The concept of a credible accident differs from a hypothetical accident, in that the MCA is intended to identify a credible bounding event in a systematic way instead of assuming a hypothetical worst case, without consideration of applicable events and sufficiently bounding event propagation and outcomes.

Existing U.S. Nuclear Regulatory Commission (NRC) regulations do not require the categorization of events into either design basis accidents or design basis events, and this type of categorization is not required under this methodology. Instead, the regulations require an evaluation of normal operations and transient conditions anticipated during the life of the facility and a presentation of design bases, which focus on the functions and features of the system. This focus on design bases allows for design and analysis flexibility and even suggests a need for a methodology for identification of key events as well as functions and features for novel plant designs. This methodology accomplishes that need and captures the defense-in-depth principle long held by the NRC by incorporating a process of applying the most limiting single failure to the safety analysis.

This methodology could be utilized by any NRC applicant for the safety analyses2 of their reactor designs and is not limited to use by Oklo. The results of the safety analyses demonstrate a response to challenging conditions that ensures adequate protection of the public is maintained during the facility lifecycle. Although rooted in determinism, this methodology does not preclude the use of risk insights such as informing the identification of possible events and including additional defense-in-depth considerations. The goal of this methodology is to provide a high-level safety analysis methodology that can be broadly applied to many reactor types. This methodology does not prescriptively define the details of its implementation but instead, this methodology expects the NRC applicant to appropriately document their justification and implementation in the NRC license application and during the NRC review process.

Oklo is requesting NRC review and approval of the methodology outlined in this report. Oklo is requesting U.S. Nuclear Regulatory Commission (NRC) review and approval of the methodology outlined in this report.

1 G. T. Mazuzan and J. S. Walker, Controlling the Atom: The Beginnings of Nuclear Regulation 1946-1962 (NUREG-1610). University of California Press, 1984.

2 These safety analyses do not cover external hazards and how the facility responds to those hazards.

Oklo-2021-R19-NP, Rev. 3 3

Maximum Credible Accident Methodology 1.1 Interfaces This report outlines the MCA Methodology and may be used as a stand-alone methodology for licensing basis event selection with application of defense-in-depth considerations. It also may be integrated with the Oklo topical report, Performance-Based Licensing Methodology, which systematically identifies key functions and features3 of the design to ultimately propose where regulatory controls should be applied. Both methodologies are appropriate for use in the licensing of novel plant designs that not only use active functions but that may rely on passive functions and features to assure safety.

This MCA Methodology and the Performance-Based Licensing Methodology should be used iteratively, ensuring that potential events and analyses associated with those design choices are appropriately evaluated. While an applicant may choose to use both companion topical reports, as is intended by Oklo, they may also choose to use only one of the topical reports to support the development of their licensing basis. When an applicant chooses to use this MCA Methodology and an alternative licensing approach (i.e., not the Performance-Based Licensing Methodology),

they should use a similarly iterative approach for the analysis, to ensure the uncertainty associated with new and novel design choices are appropriately considered in the selection of licensing basis events. In either case, the NRC applicant must justify the use of the methodology selected.

Following iteration between the MCA Methodology and the Performance-Based Licensing Methodology, the final safety analysis should be documented in the NRC application. This analysis is key to determining where regulatory controls should be applied to the design. A simplification of the relationship and interface between these two methodologies is shown in Figure 1.

Figure 1: MCA Methodology and Performance-Based Licensing Methodology relationship and interface 3 When used in these methodologies, functions are usually passive or active (e.g., valve actuation, shutdown rod insertion) and features are typically inherent or intrinsic system characteristics (e.g., reactivity feedback, heat transfer properties, structural configurations).

Oklo-2021-R19-NP, Rev. 3 4

Maximum Credible Accident Methodology 1.2 Regulatory requirements The safety analysis results obtained from the MCA Methodology may be used to develop inputs to demonstrate compliance with NRC requirements for applications for permits, certifications, and licenses. Therefore, it is expected that the NRC applicant is qualified and an expert in their specific reactor design. Further, the NRC applicant must present technical qualifications when filing an NRC licensing action and must have an approved, or be in the process of gaining NRC approval, on their quality assurance program. Specifically, qualifications of the NRC applicant and quality assurance requirements associated with that applicant are contained within 10 CFR 50.34(a)(7), 10 CFR 52.79(a)(32), and Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, to 10 CFR Part 50, Domestic Licensing for Production and Utilization Facilities. While the requirements outlined in Appendix B to 10 CFR Part 50 are high-level, the execution of those requirements, as detailed in an approved quality assurance program, will include a greater level of specificity to ensure the design work, design review, and documentation, as well as organizational structure and personnel qualifications are sufficient.

The MCA Methodology presented here uses a systematic and analytical approach to ensure a comprehensive set of events have been identified and considered, as a means of complying with any of the following regulations:

  • Title 10 of the Code of Federal Regulations (10 CFR) 50.34, Contents of Applications; Technical Information, paragraph (a)(4)
  • 10 CFR 52.47, Contents of Applications Technical Information, paragraph (a)(4)
  • 10 CFR 52.79, Contents of Applications; Technical Information in Final Safety Analysis Report, paragraph (a)(5)
  • 10 CFR 52.137, Contents of Applications; Technical Information, paragraph (a)(4)
  • 10 CFR 52.157, Contents of Applications; Technical Information in Final Safety Analysis Report, (f)(1)

Oklo-2021-R19-NP, Rev. 3 5

Maximum Credible Accident Methodology 2 Analysis approach Oklo uses this MCA Methodology to identify the events of highest importance in the safety analysis. The MCA Methodology considers the range of potential challenges posed by possible events, groups these events together into event categories based on similar phenomenology of challenge, identifies which events in a category are bounding with respect to consequence, and focuses analysis on these bounding events to ultimately designate a single MCA. The methodology applies the following steps to achieve both a wide-ranging yet focused analysis of the safety of the reactor:

1. Perform a literature review to understand the historical context and past challenges considered for relevant fission reactor systems, both those that have operated and those proposed.
2. In the context of these past events considered, determine which events are applicable for the reactor design, and which, if any, new events specific to the reactor design would be applicable.
3. Screen all applicable events to determine which ones are credible for the reactor design.
4. Group the credible events together into event categories based on similar phenomenology of challenge to safety.
5. Identify and analyze the bounding events in each category. Review this set of bounding events to determine whether the bounding event in one category is also bounded by the bounding event in another category to develop a final set of overarching bounding events.
6. Identify the most challenging event to the safety of the plant based on the worst single failure or worst single cause of common cause failures, which is then designated the MCA.
7. Apply a defense-in-depth consideration by assuming a single additional failure, chosen to be the most limiting single failure at the time of the event, in addition to the MCA.
8. Perform the safety analysis assuming the occurrence of the MCA with the addition of the single failure and demonstrate that the Dose Acceptance Criterion is satisfied.

The event evaluation process funnels a large number of events and systematically screens, bounds, and analyzes events until reaching a single bounding event, which is designated as the MCA. As part of the safety-by-design approach undertaken by Oklo, these steps can be completed iteratively during the design process, such that insights gained in the process of identifying the MCA can drive improvements to the design. When identifying initiating events, hazards, and event sequences, this type of iteration is key to addressing uncertainties in the performance of new and novel features. At the conclusion of this iterative approach, a final MCA analysis is conducted, and the MCA is identified and evaluated.

Figure 2 presents a visual representation of the MCA analysis process. The steps outlined above are described in more detail in Sections 3 through 0. The MCA, combined with the additional single failure for defense-in-depth, is ultimately designated as the licensing basis event.

Oklo-2021-R19-NP, Rev. 3 6

Maximum Credible Accident Methodology Figure 2: Visual representation of the event evaluation process Oklo-2021-R19-NP, Rev. 3 7

Maximum Credible Accident Methodology 3 Identification of possible events The methodology begins with an evaluation of previous reactor design events, both operational and conceptual. This evaluation includes the review of a comprehensive list of events, including all of the following types of resources:

  • Events generic to all nuclear reactors
  • Light water reactor events
  • Reactor events, operating experience, and analytical methods for advanced reactors of similar design (fuel type, size, etc.)
  • Expert opinion on similar conceptual designs It is not intended that all resources have the same relevance and importance. Reactor designs with similar design features are considered most closely, and their events are screened further, while reactor designs that are not sufficiently similar may receive less consideration. However, even for non-light water reactor designs, light water reactors have important operational experience and are a good candidate for event consideration regardless of design type.

This identification process systematically examines aspects of both operational and conceptual designs to ensure completeness in the event identification scope. Expert opinion is used to augment and challenge this process by providing additional perspective on novel or unique safety challenges associated with similar conceptual designs that may not be well characterized in existing literature or alternative resources. This identification process may be supported by a failure modes and effects analysis (FMEA), hazard and operability analysis (HAZOP), and master logic diagrams (MLDs). The use of none, all, or a combination of these processes are acceptable under this methodology, with proper justification and documentation by the NRC applicant. It is expected that the use of new or novel features will require additional justification to ensure comprehensive identification of initiating events, hazards, failure modes, and event sequences based on those features.

This step of the methodology terminates with a list of initial events to consider in the remainder of the methodology. Events may be added to this list at later stages of the methodology, which is in line with the safety-by-design philosophy applied by this methodology.

During the event identification phase, all operating modes of the proposed reactor design including startup, normal operation, shutdown, and maintenance, are considered, and evaluated such that the facility safety profile is sufficiently and comprehensively scoped. If there is ambiguity about the proper operating mode with which to associate an event based on the existing literature or expert opinions, justification for assignment of an event to an operating mode should be documented. The remainder of this methodology is directly utilized for all operating modes with no changes based on the operating mode being considered.

Oklo-2021-R19-NP, Rev. 3 8

Maximum Credible Accident Methodology 4 Determination of applicability After all potential events are identified, a systematic process is used to screen the potential relevance of the identified events to the proposed design. Specifically, this screening process determines whether the event is applicable in terms of phenomenology. This determination is made utilizing Criterion 1, which is summarized in the box below.

Criterion 1: Screening events for applicability An event is applicable if the phenomenology of the event is relevant to the design being reviewed. Events that are deemed applicable to the design under evaluation pass Criterion 1 and proceed for further evaluation.

Note that applicability screening entails the consideration of structures, systems, and components in the design in question, including consideration of new and novel features that may be part of the design. While events that include design aspects irrelevant to the design in question may be screened out, an alternative event that represents similar phenomenology (i.e.,

a parallel event) may be added as an event to be considered for the applicability screening. Included in this step is that sufficient detail must be documented during this step that identifies the affected equipment or processes for the duration of the event.

Events that do not pass Criterion 1, meaning they are not applicable to the design, are screened out of the safety analysis and are not analyzed further. Events that do pass Criterion 1 continue through the safety analysis process. The following are example applications of Criterion 1:

  • A heat pipe failure event would not be considered for a reactor that does not utilize heat pipes. This event would fail Criterion 1 and would not be analyzed further.
  • A failure of a backup sodium tank would not be considered for a reactor that does not utilize sodium coolant. This event would fail Criterion 1 and would not be analyzed further.
  • A spurious rotation of control drums would be considered for a reactor that uses control drums for reactivity control. This event would pass Criterion 1 and would be analyzed further.
  • Spurious movement of control rods would not be considered for a reactor that uses control drums instead of control rods for reactivity control during core life. Although this event would fail Criterion 1, a parallel event considering spurious control drum rotation would be considered and would be analyzed further.

Oklo-2021-R19-NP, Rev. 3 9

Maximum Credible Accident Methodology 5 Evaluating credibility of events After Criterion 1 has been applied to the list of potential events, the events that met Criterion 1 are further analyzed for credibility. The determination of credibility is made according to Criterion 2, which is summarized in the box below.

Criterion 2: Screening events for credibility The credibility of events is determined via a two-step process, and events must pass both sub-criteria to pass Criterion 2:

A. The event is mechanistically possible.

B. The event could be caused by a single initiating event, that could result in a common set of failures, even if extreme.

Events that are credible for the reactor design under evaluation pass Criterion 2 and proceed for further evaluation.

Criterion 2A is a screening tool for events that are not mechanistically possible because they are precluded by the design of the system. It is different than Criterion 1 because the features analyzed do exist, and therefore the associated events have already been deemed applicable.

Criterion 2A requires that events are mechanistically possible, meaning that there must be a mechanism by which the event can occur in the system.4 Ultimately, this criterion screens out events that are not physically possible and events that are precluded by the design of the system.

Continuing with the example from the previous section that passed Criterion 1, the application of Criterion 2A to the spurious drum rotation would proceed as follows:

  • A spurious drum rotation postulating drum rotation speed that is not physically possible given the mechanical design of the control drum system would fail Criterion 2A and would not be analyzed further.
  • A spurious drum rotation postulating drum rotation speed that is physically possible given the mechanical design of the control drum system would pass Criterion 2A and would be analyzed further.

Criterion 2B is a screening tool for events to ensure that all applicable and mechanistically possible single initiator events are systematically analyzed. Although not prescribed by this methodology, use of a logic diagram or tabulation that accounts for the impact of redundancy and independence, could be a useful tool for this step.

4 In other words, given physical laws, the event is so extremely unlikely to occur that it is not credible. Justification during this step must be clear, convincing, based on these objective criteria, and documented by the NRC applicant.

Oklo-2021-R19-NP, Rev. 3 10

Maximum Credible Accident Methodology As described in Section 3, events are considered for all operating modes. This single initiator could cause subsequent failures, including a common set of failures; however, these subsequent failures must be within the bounds of Criterion 2A. It must be mechanistically possible that subsequent failure(s) could be caused by the single initiating event, and the entire event sequence must be mechanistically possible. The single initiator criterion, in combination with the allowance for the single initiator potentially leading to a common set of failures, provides a generalized basis for scoping events typically associated with the design basis. Further detail on the process of event sequence construction is outside of the scope of this document and is the responsibility of the NRC applicant to justify.

In the example of spurious rotation of control drums, the postulated drum rotation would only pass Criterion 2B if it could be caused by a single initiating event that results in the postulated rotation. If the postulated drum rotation required multiple, separate initiating events, it would be screened out by Criterion 2B. For example, an event where a single failure in the control drum motor could initiate a spurious rotation of a control drum would pass Criterion 2 and would be analyzed further. In contrast, if the system uses multiple controls drums that are electrically independent, a different event where one actuation system fails would not induce a rotation in all control drums, and therefore an event with all control drums spuriously operating would fail Criterion 2.

The application of Criterion 2 is a systematic review of the events that have passed through Criterion 1. Ultimately, the identification of an event as applicable and credible means that it has passed both Criterion 1 and Criterion 2. Applicable and credible events then proceed to be evaluated further.

Oklo-2021-R19-NP, Rev. 3 11

Maximum Credible Accident Methodology 6 Grouping of events After the initial list of all potential events has been analyzed for applicability under Criterion 1, it is possible that many events remain. These events are then grouped into event categories to reduce the analytical burden. This grouping may occur either before or after the events pass through Criterion 2. The decision for when to group events is left to the judgement of the NRC applicant. In other words, this methodology does not require the NRC applicant to list every variation of a transient.

The grouping of events is a common practice in safety analysis for reactor designs and is intended to reduce the analytical burden. To continue the previous example, if control drums are used to control the reactivity of the plant, different manifestations of these malfunctions could be grouped as reactivity insertion events and reactivity withdrawal events.

Oklo-2021-R19-NP, Rev. 3 12

Maximum Credible Accident Methodology 7 Performing bounding analyses For those events that meet Criterion 2, the applicant conducts an analysis of the system response. Typically, the first step of the analysis is to identify a single bounding event from each event group, if appropriate. This step of identifying a bounding event is optional but allows for the analysis of a single event, rather than many events, in each event group. The purpose of this bounding step is to reduce the overall analytical burden, since analysis of a conservatively large bounding event could encompass analyses of smaller (i.e., less challenging) events within the event group. Events are identified as bounding with respect to dose consequence. This identification may leverage engineering judgement or analysis, as appropriate. The rationale for utilizing a bounding approach by the NRC applicant must be clearly justified and documented.

For example, a partial loss of electrical power could be bounded by an analysis that evaluates a full loss of electrical power if the consequence of that event is greater. This bounding analysis may be deemed appropriate through a combination of engineering judgement and analysis of the potential effects of a loss of electrical power and should be documented as such. Conducting this bounding analysis reduces the analytical burden of having to run multiple event analyses for different degrees of loss of electrical power which are otherwise subsumed in the bounding analysis.

Most events and bounded event groups are not expected to result in a dose consequence above the normal operation of the plant. For the events that have zero dose consequence, this step of the methodology allows for the termination of their analysis. Note that it is still possible that such events could be considered as the MCA in the case that all identified events have zero consequence.

The only applicable metric for measuring and ranking consequence is the offsite dose consequence, and therefore offsite dose consequence is the only acceptance criterion for the safety analyses described in this methodology. Specifically, this criterion is related to the regulatory limit for siting, in accordance with 10 CFR Part 100, Reactor Site Criteria. It is referred to in this methodology as the Dose Acceptance Criterion, and is summarized in the box below. If the safety analysis for an event exceeds the Dose Acceptance Criterion, the methodology is terminated at this step and re-analysis must occur. This re-analysis may be the result of a change in design, or may be an analytical change within the evaluation. Ultimately, the design of the facility must be such that no events exceed this criterion. If the safety analysis passes the Dose Acceptance Criteria for all events, the process can proceed to selecting the MCA.

Oklo-2021-R19-NP, Rev. 3 13

Maximum Credible Accident Methodology Dose Acceptance Criterion The Dose Acceptance Criterion is based on the regulatory limit for siting, as per 10 CFR Part 100. The safety analysis must meet both sub-criteria below to pass this acceptance criterion.

A. An individual located at any point on the boundary of the exclusion area for any 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> period following the onset of the postulated fission product release would not receive a radiation dose in excess of 25 rem total effective dose equivalent (TEDE).

B. An individual located at any point on the outer boundary of the low population zone who is exposed to the radioactive cloud resulting from the postulated fission product release (during the entire period of its passage) would not receive a radiation dose in excess of 25 rem TEDE.

Oklo-2021-R19-NP, Rev. 3 14

Maximum Credible Accident Methodology 8 Selecting the MCA The last step in this methodology is to select the MCA, which is the most challenging event to the safety of the plant based on the worst single failure or worst single cause of common cause failures. After every event or bounded event group has been identified and analyzed, it is possible to propose different events to be the MCA. The ultimate decision on which event will be the MCA could vary from one NRC applicant to another. In general, the event with the greatest dose consequence is selected as the MCA, but in the case that all analyzed events have zero dose consequence, or in the unlikely case that multiple events have the same dose consequence, this decision may consider other potential consequences, or even risk insights.

Regardless, this step of the process should be thoroughly documented, including the identification of each event that is considered a candidate for the MCA and the justification by which the MCA is selected.

Note that external hazards are not considered as part of the down-selection process described in this MCA Methodology, which is the process for evaluating internal events only. Nevertheless, external hazards are an important consideration in the licensing process. As such, after the MCA is selected, external hazards are analyzed against the design. If no external hazard is shown to be more challenging than the MCA, the MCA is upheld as chosen. If an external hazard or multiple external hazards are shown to be more challenging than the MCA, further action may need to be taken that could include re-analysis, design changes, further regulatory controls, or designating the external hazard as the MCA.5 5 The detailed methodology for the analysis of external hazards is outside the scope of this summary. The Aurora at Idaho National Laboratory combined license application proposes one external hazards methodology, documented in Appendix A, External hazards evaluation, to Chapter 1, Site envelope and boundary, of Part II, Final Safety Analysis Report.

Oklo-2021-R19-NP, Rev. 3 15

Maximum Credible Accident Methodology 9 Applying the defense-in-depth consideration After the MCA has been identified, a defense-in-depth consideration is applied. Specifically, this defense-in-depth consideration involves the application of a single failure in conjunction with the event sequence as indicated by risk insights.

The following regulatory documents were reviewed in the drafting of this consideration:

  • Appendix A, General Design Criteria for Nuclear Power Plants, to 10 CFR Part 50
  • NEI 18-04, Risk-Informed Performance-Based Technology Inclusive Guidance for Non-Light Water Reactor Licensing Basis Development, Revision 1, issued August 2019
  • Oklo Inc., DG-1353 Pilot: Submittal to Support NRC Development and Implementation of DG-1353, September 2018
  • Regulatory Guide 1.53, Application of Single-Failure Criterion to Safety Systems, Revision 2, issued November 2003
  • SECY 00-0077, Modifications to the Reactor Safety Goal Policy Statement, issued March 30, 2000
  • SECY 03-0047, Policy Issues Related to Licensing Non-Light-Water Reactor Designs, issued May 28, 2003
  • SECY 05-0138, Risk-Informed and Performance-Based Alternatives to the Single-Failure Criterion, issued August 2, 2005
  • SECY 05-0138, Risk Informed and Performance-Based Alternatives to the Single-Failure Criterion, issued August 2, 2005, Attachment 2, Technical Work to Support Evaluation of a Broader Change to the Single-Failure Criterion
  • SECY 77-0439, Single Failure Criterion, issued August 17, 1977 This methodology is conservative in its application because the NRC has historically taken single failure to only be applied to safety-related components and their safety-related functions, whereas this methodology applies single failure to the most limiting additional failure for the event, regardless of safety classification. Evaluating defense-in-depth across the whole design adds significantly increased levels of conservatism by considering design choices made on all components and ensuring all reasonable additional single failures are considered for their impact on the selected licensing basis event.

This methodology does not dictate what the single failure must be; however, the single failure selected must be the most limiting failure at the time of the event. Typically, this most limiting failure will be within a mitigating system. Since this methodology is largely deterministic, one appropriate method of ensuring defense-in-depth is to use risk insights. Specifically, Oklo uses risk insights from probabilistic risk assessment (PRA) to identify the most limiting single failure at the time of the event, within a reasonable failure frequency. (Generally greater than Oklo-2021-R19-NP, Rev. 3 16

Maximum Credible Accident Methodology 1 ' 10-4 per reactor year, as observed for design basis event analysis, but the threshold may be set to lower frequencies for extra conservatism). While risk insights may be used to support the application of defense-in-depth in the MCA Methodology, other methods are allowed, with proper justification from the NRC applicant. For example, it could be justified to use a simple tree diagram with expected system response to a transient and to provide a narrative summary of the effects of subsequent single failures to identify the most limiting one at the time of the event.

After identifying the most limiting single failure, the MCA is analyzed with the addition of that failure. The event is again compared against the Dose Acceptance Criterion to ensure that the criterion is still met after introduction of the additional failure. If the criterion is not met, the analysis or design of the reactor must be modified in a manner that would ensure that the Dose Acceptance Criterion is met. If the criterion is met, the safety analysis is complete, and the final MCA has been identified and shown to be acceptable.

Oklo-2021-R19-NP, Rev. 3 17

Maximum Credible Accident Methodology 10 Inclusion of risk insights Oklo uses PRA to apply defense-in-depth to its safety analyses, as described in Section 9. Ultimately, the methods used by Oklo for the safety analysis are largely deterministic. As such, limited information related to the methodology and implementation of PRA is included in licensing applications. While risk insights are given a chapter in the license application, as specified in the regulatory requirements for contents of the application, a risk assessment is not included, which is consistent with current and all historical licensing application precedent. Nevertheless, Oklo uses PRA to support the selection of the MCA and generally the PRA used by the NRC applicant should not contradict the event analysis conducted by this methodology.

Oklo utilizes PRA in several ways during the design process of its facilities. One way Oklo uses these risk insights is to understand the reliability of its components; this information is solely for operational reliability, investment protection, and system performance and is therefore not included in a license application. Another way is to evaluate the results of the deterministic analysis by comparing them against the results of the PRA. Since the regulatory requirements are simply to perform a PRA and include the relevant results, license applications using this topical report methodology will include a small subset of the PRA performed on the facility that is relevant to the safety analysis. This approach is well suited for the safety case demonstration of first-of-a-kind reactors, for which sufficient operating experience may not exist to support a holistic PRA. Over time, increased operating experience will inform improvements in the PRA and the role of that analysis may be expanded, but the largely deterministic approach provides sufficient demonstration of adequate protection during normal operation and transient conditions anticipated during the life of the facility.

While this is not an exhaustive description of the application of risk insights, it is key to note that Oklo uses PRA as a valuable tool, starting early in its iterative safety-by-design process.

Just as with analyses of normal operations and transient conditions, the use of risk insights can drive design changes, and in that case, the designer returns to previous steps and continues to iterate.

Oklo-2021-R19-NP, Rev. 3 18

Maximum Credible Accident Methodology 11 Conclusion The methodology provided in this document is one way of systematically selecting a bounding event for the facility, which is designated the MCA, and becomes the licensing basis event. The safety analysis under this methodology starts with a thorough review of all possible events, screens those events for applicability and credibility, allows for the grouping of events, performs bounding analyses, and finally selects an MCA. After the identification of the MCA, a defense-in-depth consideration is applied. This consideration assumes an additional single failure, chosen to be the most limiting single failure for the event. The safety analysis is then conducted assuming the occurrence of the MCA and the additional single failure, and the result is compared against the Dose Acceptance Criterion. If the criterion is satisfied, the final MCA has been identified and shown to be acceptable. After the MCA is selected, external hazards are analyzed against the design to assure that the MCA is upheld.

Following the selection of the licensing basis event, the Performance-Based Licensing Methodology may be applied. The Performance-Based Licensing Methodology systematically identifies key functions and features of the design and designates where appropriate regulatory controls should be applied to assure the safety of the facility. These regulatory controls, including quality assurance measures, ensure that the appropriate functions and features are upheld and therefore that the assumptions and conclusions of the MCA analysis are valid.

Oklo-2021-R19-NP, Rev. 3 19

Retrieved from "https://kanterella.com/w/index.php?title=ML21278B098&oldid=3404708"