ML21292A327

From kanterella
Jump to navigation Jump to search

Oklo Inc., Performance-Based Licensing Methodology Topical, Revision 1
ML21292A327
Person / Time
Site: 05200049
Issue date: 10/31/2021
From:
Oklo Inc
To:
Office of Nuclear Reactor Regulation
Shared Package
ML21292A325 List:
References
Oklo-2021-R20-NP, Rev 1
Download: ML21292A327 (31)


Text

Performance-Based Licensing Methodology October 2021 Oklo Inc., Non-proprietary Revision 1

2 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 Executive summary Advanced fission technologies offer a range of beneficial attributes, as well as fundamentally different characteristics, that set them apart from most commercial plants that the U.S.

Nuclear Regulatory Commission (NRC) and predecessor agencies have reviewed and licensed.

It has also been broadly recognized that regulations cannot remain prescriptive based on assumptions of historical plant types, fuels, coolants, energy spectra, and sizes, which have generally been those of large light water reactors. Instead, regulations should evolve toward specific performance goals related to safety, security, and the environment. It would then be the role of the NRC applicant to prove how their design meets these performance goals, instead of attempting to either comply with or exempt from specific and possibly outdated or inapplicable requirements.

As Oklo Inc. (Oklo) developed the Aurora at the Idaho National Laboratory Site (Aurora-INL) combined license application (COLA), it became clear that new methods for license application development and review would be necessary to demonstrate compliance with the regulations.

This is true both because of the fundamental differences between the Aurora powerhouse and historical designs, and because the safety-by-design - as well as the security-by-design-of the Aurora powerhouse relied primarily not on active component function, or even passive component function, but inherent characteristics (i.e., features). From design to construction to operation, the methods for analyzing, tracking, and ensuring the key functions and features of the design had to take on a novel approach, rather than the historically assumed binaries for active and even passive component function (e.g., failed or not and safety-related or not).

This topical report describes the Performance-Based Licensing Methodology created as a solution to these needs and challenges, and Congress has mandated through the Nuclear Energy Innovation and Modernization Act1 that the NRC consider such an approach. A performance-based approach is ultimately necessary for the commercial entities in the U.S. who are working to bring the promise of advanced fission technologies to the market, both because it can be technology-inclusive, as mandated by Congress, and because it can make reviews of the range of technologies more effective and efficient than piecemeal translations of past prescriptive requirements. This approach can substantially reduce the regulatory risk that U.S.

companies assume when designing new technologies and can streamline the effort of the regulator, by explicitly identifying the regulatory controls used to demonstrate the safety of as-built systems, from design to construction to operation of those facilities.

It is in the public interest for the NRC to license plants with improved safety characteristics, in particular passive functions and inherent features. Further, it is in the public interest to ensure that regulatory controls are more efficiently and effectively applied directly to these functions and features. A better regulatory framework both ensures designs that are safe and facilitates the commercialization of advanced nuclear power.

The NRC has indicated for many years that it is ready to receive and review applications for advanced fission technologies and, specifically, that it is ready to regulate in a performance-based manner. The NRC acceptance of the Aurora-INL COLA further showed this aptitude and inclination. Such applications will necessarily deviate from existing guidance, but ultimately all 1 S.512 - Nuclear Energy Innovation and Modernization Act of 2019, 115th Congress (2017-2018),

https://www.congress.gov/bill/115th-congress/senate-bill/512/

3 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 applications must outline how the regulatory requirements are met. The shift to reviewing these advanced technologies therefore requires that applications be submitted using performance-based approaches and that they are reviewed against performance-based objectives.

This topical report describes a performance-based approach for assessing the functions and features of a design for their relevance to safety, and developing the appropriate regulatory controls to track and uphold those functions and features from design to construction to operation. These regulatory controls include design bases, design commitments, and programmatic controls (pre-operational testing, startup testing, license conditions, technical specifications, and quality assurance). Collectively, the regulatory controls are developed with defense-in-depth in mind and assure the safety of the plant throughout the lifecycle of the facility.

The approach proposed by Oklo complies with the requirements in Title 10 of the Code of Federal Regulations, but it does not commit to existing voluntary regulatory guidance for light water reactors. The proposed Performance-Based Licensing Methodology is presented in this report and is an appropriate fit not just for the new designs proposed by Oklo but, in principle, for all new technologies presented to the NRC for licensing.

4 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 Table of contents Executive summary................................................................................................................. 2 1 Purpose and scope................................................................................................................ 5 2 Safety-by-design.................................................................................................................... 7 2.1 Iterative design process......................................................................................... 7 2.2 Assurance of safety by regulatory controls....................................................... 8 3 Designating regulatory controls..................................................................................... 10 3.1 Overview.................................................................................................................. 10 3.2 Identifying licensing basis event(s)................................................................... 10 3.3 Establishing evaluation criteria......................................................................... 12 3.4 Classifying functions and features.................................................................... 12 3.4.1 Evaluation approach.......................................................................................... 12 3.4.2 Evaluation against supporting criteria............................................................ 14 3.4.3 Evaluation against acceptance criteria............................................................ 15 3.5 Assigning design bases and commitments....................................................... 16 3.6 The role of quality assurance as a programmatic control: assigning quality assurance requirements.................................................................................... 18 4 Conclusion and expectations for NRC review............................................................. 21 Appendix A Performance-based structure...................................................................... 23 A.1 Overall application structure............................................................................. 23 A.2 Introduction to performance-based application elements.......................... 24 A.3 Components of the performance-based application...................................... 25 A.3.1 Regulatory controls............................................................................................ 25 A.3.2 Design bases and design commitments............................................................ 25 A.3.3 Programmatic controls...................................................................................... 25 A.3.4 Operational bases.............................................................................................. 26 A.4 Organization of the performance-based application components............. 27 A.4.1 Description and analysis of SSCs..................................................................... 28 A.4.2 Transient analysis............................................................................................. 28 A.4.3 Programmatic controls...................................................................................... 29 A.4.4 Principal design criteria.................................................................................... 29 A.5 Conclusion............................................................................................................... 31

5 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 1 Purpose and scope The purpose of this topical report is to describe the Performance-Based Licensing Methodology that Oklo Inc. (Oklo) uses for identifying the functions and features2 of the design that impact safety, and for assuring the safety of the plant through its lifecycle, including: construction, pre-operational testing, startup testing, and operation. Oklo Power LLC is requesting U.S. Nuclear Regulatory Commission (NRC) review and approval of the methodology outlined in this report.

This topical report describes a performance-based approach for assessing the functions and features of a design for their relevance to safety, and developing the appropriate regulatory controls to track and uphold those functions and features from design to construction to operation. These regulatory controls include design bases, design commitments, and programmatic controls (pre-operational testing, startup testing, license conditions, technical specifications, and quality assurance). Collectively, the regulatory controls are developed with defense-in-depth in mind, and assure the safety of the plant throughout its lifecycle. The extensive suite of programmatic controls that can be selected for regulatory control, and to uphold the required and optional design bases and design commitments, provides an NRC applicant with a comprehensive set of tools to consider when evaluating for and applying defense-in-depth. The methodology described in this report also describes an alternative approach to traditional structure, system, and component (SSC) classification, and it specifically describes how quality assurance is applied as one among a suite of programmatic controls.

As this is a fundamentally performance-based methodology, while this topical report describes methods to assessing safety significance and for designating regulatory controls, it does not, prescribe the specific functions or features that must be controlled. Further, while it describes a specific methodology for the development of design bases and design commitments to uphold those functions and features, the development of the full suite of programmatic controls, outside of quality assurance, is beyond the scope of this methodology. This allows key flexibility in the design of programmatic controls to allow for the unique considerations that a technology-inclusive framework requires. The methodology is therefore intended to be used by an NRC applicant to systematically identify the specific functions and features of the design that require regulatory controls, and to identify a complete set of design bases and design commitments required to ensure the safe operation of the facility.

This topical report also explains how to clearly outline the resulting regulatory controls in an application for a combined license, construction permit, or operating license. The implementation of this methodology should be appropriately documented and justified in an NRC license application. The specific application of the methodology, as well as the NRC applicant developed programmatic controls, are expected to be evaluated during the review of the submitted application to ensure that the full suite of regulatory controls are sufficient to assure the safety of the facility.

Oklo initially developed this topical report to support the review of the Aurora at the Idaho National Laboratory Site (Aurora-INL) combined license application (COLA). Some references are contained in this report that identify how this approach is specifically utilized for the Aurora-INL COLA. However, this topical report illustrates a methodology that may be used by 2 When used in both this methodology, functions are usually passive or active (e.g., valve actuation, shutdown rod insertion) and features are typically inherent or intrinsic system characteristics (e.g., reactivity feedback, heat transfer properties, structural configurations).

6 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 any advanced fission applicant and would be expected to be extensible to any design type and any site. This topical report stands alone but may be used as a companion document with Oklos Maximum Credible Accident Methodology topical report (referred to as the MCA Methodology), which describes how to identify a bounding licensing basis event and how to incorporate defense-in-depth in the analysis of the bounding event. It is intended to describe an acceptable methodology for assessing the design of an advanced fission applicant for a Construction Permit and Operating License under Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities, or a Combined Operating License under 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants, with minimal exceptions, which are clearly outlined in this topical report.

Advanced fission technologies are expected to incorporate new and novel design features that may necessitate exemptions from the existing NRC requirements, which have generally evolved under the context of large light water reactor technology. When an NRC applicant applies the methodology described in this report and identifies the need for an exemption for their specific design, the NRC applicant should include the corresponding request in the application submittal along with the associated technical and regulatory basis, pursuant to 10 CFR 50.12, Specific Exemptions.

7 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 2 Safety-by-design 2.1 Iterative design process A philosophy at Oklo is to factor in safety as early as reasonable in the design process, which is made possible through an iterative design process. Figure 1 schematically shows a simplification of the iterative design process, which has the following components:

Isolated component analyses demonstrate that components meet the relevant system requirements.

Analyses of normal operations demonstrate the overall behavior of the system.

Preliminary safety analyses demonstrate the full system response to a wide range of conditions.

Probabilistic risk assessment provides risk insights for the system.

At each stage, insights gained during the iterative design process could prompt design changes and improvements, resulting in a process that continuously improves the design from both a performance perspective and a safety perspective. As the complexity of the design increases with each redesign, the analysis advances in parallel, becoming more complex and more mature.

Figure 1: Iterative design process Throughout this iterative design process, aspects of the system that may be relevant to safety are identified and characterized. Generally, safety characteristics that are rooted in passive functions or inherent features are favored over those rooted in active functions. The results of these analyses inform design changes and simplifications that are used to continuously improve the safety profile of the system. This iterative design process results in a safety-by-design approach that yields simpler designs with clear safety profiles.

This ability to continually iterate is a key component of the Performance-Based Licensing Methodology described in this report and stands in contrast to the application of a prescriptive licensing approach to an existing reactor design, where blanket assumptions are made about

8 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 which components or systems are relevant to safety. Further, practical considerations limit the scope and flexibility of potential design changes or modifications for a system that is already designed. Instead, this methodology provides a systematic framework that evaluates the safety relevance of functions and features to designate where corresponding regulatory controls are needed, leaving flexibility to the NRC applicant on the details of that implementation. The result is the flexibility to design the system and the regulatory controls from the ground up with a focus on safety from the beginning.

2.2 Assurance of safety by regulatory controls Advanced fission technologies are generally smaller and rely more on passive functions and inherent features than the currently operating large light water reactor fleet. The terms functions and features are used throughout this document intentionally to delineate the safety characteristics of advanced fission technologies. Specifically, functions can be active or passive3 and are typically performed by mechanical or electrical systems or components (e.g., valve actuation, shutdown rod insertion). Features are aspects of the design that are usually inherent (e.g., heat transfer properties, structural configurations) and are intrinsic to the physical specifications of the design. This delineation is important because it underlines the safety characteristics of many advanced fission technologies, and because the engineering design and analysis is fundamentally different depending on whether it is applied to a function or a feature.

For example, when analyzing the resultant effects of the failure of a function or feature in an event, it is important to be clear what a failure of the function or feature would realistically entail. Analysis of a failed active function could include an increase or decrease in response time or actuation, and analysis of active components often assumes a binary of whether that active component fails or does not fail. On the other hand, the analysis of a failed inherent feature, such as a material property, could include applying a percentage of degradation or enhancement. As each function or feature is analyzed, the resultant effects of the failure on safe operation should be critically assessed.

Although there is no regulation requiring classification of components regarding safety, there are regulations requiring certain actions for the assurance of safety-related performance. For example, the quality assurance requirements in 10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, are to be applied to all activities affecting the safety-related functions of those structures, systems, and components. The ultimate purpose of what is commonly referred to as component classification or safety classification4 is to provide a framework in which different programmatic controls, including quality assurance, can be applied to assure the relevant safety functions. The scope of the regulator is to then assure those functions that are required for the 3 Previous performance-based industry and regulator work has heavily focused on the enhanced safety characteristics of passive functions. This topical report builds on that framework and includes considerations for inherent features of advanced fission technologies.

4 Component classification is a widely used term in the nuclear regulatory space and is generally interpreted as the significance of the components functionality to the safety of the plant. Often, the term safety classification is used in place of component classification, and there is confusion in the meaning of the terms.

Further, safety classification is not used, not defined, and not required by 10 CFR and is therefore not a regulatory requirement for the filing of an NRC license application. Regulatory analysis related to safety classification is not included in this topical report.

9 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 safe operation of the facility, where offsite dose exposures are within the regulatory limits of 10 CFR.

The goal of this methodology is to assure that a safe facility is designed, constructed, and operated, and this philosophy is synonymous to Oklos safety-by-design approach. This approach ultimately results in the classification of functions and features as safety-related and in the subsequent designation of regulatory controls. The assignment of safety-related is deliberate and focuses on the specific functions and features that assure safety is upheld, rather than being an automatic labelling of SSCs that appear similar to the safety-related SSCs of large light water reactors. This is a more systematic methodology for identifying and assuring key functions and features, and a critical improvement over a possible misapplication of definitions and methodologies developed both in the past and for different technologies.

Ultimately, the methodology described in this document identifies the important functions and features for a given design, designates where regulatory controls should be applied, and provides a systematic approach of applying design bases, design commitments, and programmatic controls to the SSCs responsible for carrying out those functions and features.

10 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 3 Designating regulatory controls 3.1 Overview The safety-by-design approach employed by Oklo, described in Section 2, involves analyses of normal operations and transients, as well as incorporation of risk insights. This process iteratively develops a deep understanding of system behavior and helps to identify aspects of the design that may be relevant to safety. The iterative design process results in a mature system model that can be used to evaluate the system response to a broad spectrum of transients. This system model is designed to capture the relevant physics of the reactor system with the ability to perturb inputs, models, and assumptions. The methodology described in this topical report uses the resulting system model to formally identify the functions and features with relevance to safety and applies the appropriate design bases and design commitments to assure those functions and features.

The implementation of the Performance-Based Licensing Methodology can begin as soon as the design is sufficiently stable and the system model is sufficiently representative of the design; both determinations are at the discretion of the designer. A key benefit of this methodology is that preliminary implementation can begin while the design is still fluid enough to be improved in response to insights gained over the course of its implementation. This means that, like the iterative design process described in Section 2, the assignment of regulatory controls is also iterative. Ultimately, once a final design has been reached, a final iteration of assigning regulatory controls is conducted prior to submitting a license application to the NRC.

The goal of the Performance-Based Licensing Methodology is to systematically determine the functions and features of the design that have relevance to safety, and to designate where appropriate regulatory controls should be applied to uphold safety over the entire lifecycle.

Specifically, this methodology addresses the development of the design bases and design commitments that are used to uphold each function and feature, discussed in more detail in Section 3.5. The methodology also describes in detail the application of quality assurance, as one among a suite of programmatic controls, in Section 3.6. Throughout the methodology, other types of programmatic controls are discussed, but the methodology does not provide prescriptive requirements for how the remainder of these programmatic controls are applied.

3.2 Identifying licensing basis event(s)

The process of implementing the Performance-Based Licensing Methodology begins with identifying the licensing basis event(s) for the system. The events are identified using a licensing basis event selection methodology that is independent of the methodology within this topical report.5 The licensing basis event selection methodology also specifies the acceptance criteria and other implementation details for the licensing basis event analysis. These details are outside of the scope of the Performance-Based Licensing Methodology as it does not prescribe a specific methodology for selecting the licensing basis event(s) and leaves optionality for how the NRC applicant chooses to perform the licensing basis event selection process. One 5 While this topical report refers to the potential for multiple licensing basis events, the requirement is for one or more, and the final number of licensing basis events will depend on the licensing basis event selection methodology employed. For example, for applications that utilize a maximum credible accident methodology, such as the Aurora-INL COLA, it is appropriate that a single licensing basis event is identified.

11 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 methodology Oklo has employed for licensing basis event selection is the methodology described in Oklos MCA Methodology. Both this methodology and the MCA Methodology are appropriate for use in the licensing of novel plant designs that not only use active functions but that may rely on passive functions and features to assure safety.

This MCA Methodology and the Performance-Based Licensing Methodology should be used iteratively, ensuring that potential events and analyses associated with those design choices are appropriately evaluated. While an applicant may choose to use both companion topical reports, as is intended by Oklo, they may also choose to use only one of the topical reports to support the development of their licensing basis. When an applicant chooses to use this Performance-Based Licensing Methodology and an alternative licensing basis event selection approach (i.e., not the MCA Methodology), they should use a similarly iterative approach for assigning regulatory controls, to ensure the uncertainty associated with new and novel design choices are appropriately considered. In either case, the NRC applicant must justify the use of the any methodology selected.

Following iteration between the MCA Methodology and the Performance-Based Licensing Methodology, the final safety analysis should be documented in the NRC application. This analysis is key to determining where regulatory controls should be applied to the design. A simplification of the relationship and interface between these two methodologies is shown in Figure 2.

Figure 2: MCA Methodology and Performance-Based Licensing Methodology relationship and interface While conducting the licensing basis event selection, the design is analyzed to ensure it meets the licensing basis event analysis acceptance criteria. In this way, the licensing basis event selection methodology is used to both identify the licensing basis event(s) and demonstrate that the design performs adequately (i.e., meets the acceptance criteria) in response to the identified events. If the design does not perform acceptably, the appropriate design changes are made, and the licensing basis event(s) are re-identified when a final design is reached. The Performance-Based Licensing Methodology then continues by systematically analyzing the licensing basis event(s) to determine which functions and features are relevant to safety and therefore require regulatory controls to ensure that they are upheld.

12 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 3.3 Establishing evaluation criteria The relevance of functions and features to safety is determined using a set of evaluation criteria. The evaluation criteria consist, at a minimum, of the acceptance criteria for the licensing basis event analysis. In addition to these acceptance criteria, the Performance-Based Licensing Methodology allows for the optional establishment of supporting criteria.

Collectively, the acceptance criteria and any optionally-defined supporting criteria make up the evaluation criteria used to classify functions and features.

If implemented, a supporting criterion (or a set of supporting criteria) must be chosen in such a way that they bound the acceptance criteria. In other words, if all supporting criteria are met, all acceptance criteria must also inherently be met. For example, acceptance criteria for licensing basis event analyses are typically based on dose, but supporting criteria may be created for other metrics that impact dose, such as fuel temperature. If it can be shown, for example, that a supporting criterion based on fuel temperature is bounding (i.e., that if an analysis that meets the fuel temperature criterion will inherently meet the dose criterion),

analysis of an event that passes the supporting criterion would obviate the need to analyze the event against the acceptance criteria. Figure 3 illustrates the optional use of supporting criteria as part of the evaluation criteria.

Figure 3: Optional supporting criteria must bound acceptance criteria If supporting criteria are used, the licensing basis event analysis must also pass all supporting criteria. If the event analysis does not pass the supporting criteria, the event is also analyzed against the acceptance criteria. Failure to pass an evaluation criterion could prompt a change in design, or in some cases, the supporting criteria may be defined inappropriately and require reevaluation. However, the designation of regulatory controls should be finalized only once the design meets all evaluation criteria for every licensing basis event.

3.4 Classifying functions and features 3.4.1 Evaluation approach The methodology continues by identifying the relevance of each function and feature of the design to the licensing basis event analysis. To make this determination, each function and feature is evaluated to determine whether the function or feature is relied on to meet the evaluation criteria. This methodology considers a function or feature to be relied on to meet an evaluation criterion if the perturbation of that function or feature results in an analysis end

13 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 state that either exceeds or comes within an unacceptable margin of exceeding the evaluation criterion. This methodology does not prescriptively require the magnitude of the margin, but the specific margin (or lack of margin) should be justified by the designer for each criterion.

Ultimately, the reliance on a function or feature to meet any evaluation criteria is the basis for the need to assign regulatory controls, as shown in Figure 4.

Figure 4: Requirement for regulatory controls The evaluation against the criteria may consist of engineering judgement or additional analysis and should be documented accordingly. The specificity of each type of analysis is not detailed and not prescribed by this topical report. It is expected that the NRC applicant will meet all relevant regulatory requirements (see Section 1), and consider them within the analysis of functions and features against the evaluation criteria. For example, 10 CFR 50.49, Environmental Qualification of Electric Equipment Important to Safety for Nuclear Power Plants, includes requirements for environmental qualification of certain components and those types of environmental considerations are expected to be included in the function and feature analysis as part of this methodology, as relevant.

In a typical analysis of a function or feature, assumptions related to the functions or feature are perturbed in the context of the licensing basis event analysis to characterize their contribution to meeting the evaluation criteria. The nature of the perturbation is specific to the function or feature and varies between active functions, passive functions, and inherent features.

Depending on the function or feature, this perturbation may be a degradation in a material property, boundary condition, or component performance. For an active component, the perturbation may range from an increase in response time to a failure to actuate. While conducting the licensing basis event analysis and the perturbations on the analysis, both the functions and features analyzed and the perturbations of those functions and features, should be based on realistic (best estimate) analysis, as opposed to bounding (conservative) assumptions.

The use of large perturbations, large margins, and conservative assumptions may be utilized, especially when bounding uncertainties. Either or all of these approaches are an adequate way to scope uncertainties across various sources of uncertainty that may be present in the design and analysis of the system (e.g., material properties, manufacturing tolerances, and modeling parameters). These are typical approaches in the analysis of designs that might use new or novel features and functions. For example, the use of radiological inventories at end of life is a conservative assumption for transient analyses at all stages of life.

14 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 Figure 5 schematically shows the evaluation process for functions and features described in the following sections. Functions and features from the licensing basis event analysis must be analyzed against the evaluation criteria. For evaluation criteria that do not contain supporting criteria, the function or feature must be evaluated against the acceptance criteria, which is derived from the licensing basis analysis, and if the function or feature is relied on, it must be both classified as safety-related and designated for regulatory controls. For evaluation criteria that contain supporting criteria, the function or feature is first evaluated against the supporting criteria, and if it is relied on, must be both designated for regulatory controls and evaluated against the acceptance criteria to determine if it is safety-related; if the function or feature is not relied on to meet the supporting criteria, it is not classified as safety-related. While applying this process, the designer always has the optionality to designate functions and features for regulatory controls. Regulatory controls and safety-related are concepts used within this methodology and discussed in Section 3.4.2 and Section 3.4.3.

Figure 5: Summary of designation of regulatory controls methodology 3.4.2 Evaluation against supporting criteria Each function and feature is first evaluated against supporting criteria, if they are defined. As described in Section 3.3, the supporting criteria bound the acceptance criteria, such that if a function or feature is not relied on to meet the supporting criteria, it follows that the function or feature is not relied on to meet the acceptance criteria. In the case that the function or feature is not relied on to meet the supporting criteria, the designation of regulatory controls to the function or feature is not required, and this analysis is terminated; such functions or features may nevertheless optionally be assigned regulatory controls at the discretion of the designer.

Functions and features that are relied on to meet supporting criteria are (1) subject to regulatory controls and (2) are evaluated further under the acceptance criteria to determine if they are also safety-related.

15 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 It is key to highlight that supporting criteria increase the regulatory burden on the NRC applicant. In the case that supporting criteria are used to simplify the analysis, regulatory controls must also be designated to the functions and features that relate to that simplification.

Therefore, it becomes the burden of the NRC applicant to prove those simplifications for the as-built system, and ultimately, this is the foundation of a performance-based approach. The resulting increased regulatory oversight because of analytical simplifications is a key aspect of the inherent defense-in-depth nature of this methodology.

3.4.3 Evaluation against acceptance criteria Functions and features are evaluated against the acceptance criteria if either (1) they are relied on to meet the supporting criteria or (2) no supporting criteria are defined. The goal of the acceptance criteria analysis is to determine which functions and features are safety-related and to classify them as such. The implications of this classification are discussed in Section 3.6.

3.4.3.1 Evaluation against acceptance criteria following supporting criteria This methodology requires that functions and features that are relied on to meet the supporting criteria are subsequently evaluated against the acceptance criteria. If this subsequent acceptance criteria analysis determines that the function or feature is not relied upon, then that function or feature is designated for regulatory controls, but not classified as safety-related.

Alternatively, if the function or feature is relied upon, then that function or feature is both designated for regulatory controls and classified as safety-related.

3.4.3.2 Evaluation against acceptance criteria without supporting criteria In the case that no supporting criteria are defined, this methodology requires that functions and features are analyzed against the acceptance criteria. If the function or feature is relied upon to meet the acceptance criteria, then it is (1) subject to regulatory controls and (2) classified as safety-related. If the function or feature is not relied upon to meet the acceptance criteria, then it is not classified as safety-related. Nevertheless, such functions or features may optionally be assigned regulatory controls at the discretion of the designer.

By the definitions given here, it is possible for a function or feature to be needed to meet supporting criteria but not acceptance criteria. While if supporting criteria are met then Regulatory controls A function or feature is designated for regulatory controls if that function or feature is relied on to meet a supporting criterion (or a set of supporting criteria).

Any other function or feature may optionally be designated for regulatory controls at the discretion of the designer.

Safety-related classification A function or feature is safety-related only if that function or feature is relied on to meet the acceptance criteria of the licensing basis event analysis.

16 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 acceptance criteria will be met, supporting criteria need not be met for acceptance criteria to be met. The purpose of the supporting criteria is to ease analytical burden, as described in Section 3.3, but supporting criteria are also expected to highlight key areas for focus or can be used for increased defense-in-depth. Although a function or feature may not be safety-related in that it is not relied upon to meet acceptance criteria, its role in meeting supporting criteria is recognized by the application of regulatory controls.

3.5 Assigning design bases and commitments For the functions and features that this methodology designates for regulatory controls, the next step of the Performance-Based Licensing Methodology is to assign design bases essential to upholding the functions and features, which are the most fundamental regulatory controls in the Performance-Based Licensing Methodology. The requirement for the assignment of design bases is that each function and feature that is designated for regulatory controls must also be assigned a design basis.

A key step in assigning design bases is to choose the appropriate system for the assignment, and this methodology allows for flexibility in making this choice. For example, the design may employ a shutdown function to respond to specific adverse conditions, and that function may be identified as requiring the assignment of a design basis. The design may have multiple systems capable of performing that function (e.g., control rods, control drums, or inherent reactivity feedback). The methodology requires that for the purposes of applying regulatory controls, this function be assigned to at least one of these systems. That system is assigned one or more design bases that serve to ensure it maintains the ability to perform the required function.

When functions or features can be assigned to more than one system, there is also flexibility to assign design bases to multiple systems. Ultimately, design bases are used to trigger elevated programmatic controls, including quality assurance treatment (as described in Section 3.6), and there is flexibility to apply this elevated treatment beyond the minimum requirements.

Each design basis requires certain commitments be met (i.e., design commitments) to ensure the design basis is upheld. These design commitments could be related to a specific quantitative measure of performance (e.g., a time limit or a reactivity worth), or they could be related to the configuration of a system (e.g., the use of a specific type of component). Many of these design commitments correspond with specific modeling assumptions that are incorporated into the final system model. Design commitments are verified through programmatic controls that validate both the as-built system and the modeling assumptions used in the analysis.

Programmatic controls typically include testing, technical specifications, and quality assurance, and Figure 6 graphically summarizes some regulatory controls available to be employed by this methodology. Programmatic controls must collectively ensure that the safety of the facility is upheld throughout the life of the plant, accounting for not just the validation of the of the as-built system, but assurance of the design, analysis, operation, and maintenance of the SSCs or Design basis requirement: Functions and features designated for regulatory controls One or more design bases must be assigned to one or more system(s) to uphold each function or feature of the design that is designated for regulatory controls.

17 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 portions of components assigned to perform the functions or features identified relevant to the safety of the facility.

Figure 6: Summary of regulatory controls Ultimately, programmatic controls ensure the safety of the as-built design, and they collectively function to uphold the safety of the facility throughout its lifecycle. This methodology does not prescribe how programmatic controls are to be applied (with the exception of quality assurance, discussed further in Section 3.6), but the sufficiency of the programmatic controls in assuring their respective design commitments must be justified by the NRC applicant in the license application, and will be an important focus of the review by the NRC staff.

This performance-based nature of the programmatic controls provides critical flexibility. Rather than provide specific fabrication or erection methods that will be used for each SSC, analyses are provided that show which functions or features of each SSC are important, specific practical and quantifiable commitments are made to ensure those characteristics will be met, and those characteristics are verified by a comprehensive testing program after the SSCs are fabricated and erected. The initial testing program is also conducted in two stages (preoperational and startup tests) with tests in each stage logically ordered such that the safety of key design elements can be demonstrated prior to the loading of fuel, and that further elements can be demonstrated prior to reaching full power operation.

This approach is particularly important for the construction of a first-of-a-kind facility, because it offers flexibility in how commitments are met and reduces the burden of conducting an expansive test program prior to the beginning of the licensing process, while still establishing a systematic method for demonstrating the safety of the as-built facility. When relevant, the programmatic controls developed to support the application of this methodology should ensure

18 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 that the performance of each safety feature has been appropriately demonstrated for acceptability and is sufficiently understood, as needed when required by 10 CFR 50.43(e).

Ultimately, these programmatic controls are the building blocks that support design commitments and finally design bases. The design bases, along with their respective design commitments, should be clearly outlined in an NRC license application and are expected to be a key subject during the license application review process. This methodology does not prescribe how these design bases and design commitments must be outlined in an NRC application but one example is the Aurora-INL COLA, which makes use of design basis summaries throughout as described in the gray box below.

3.6 The role of quality assurance as a programmatic control:

assigning quality assurance requirements A facility that operates well will also operate safely. Whether a component is treated under the regulatorily-required quality assurance described in this section or treated separately under owner-controlled quality assurance (i.e., functions and features not required to be upheld by design bases), it is of great importance to maintain a reliable and safe system.

Gray summary boxes are used throughout the license application to summarize design bases. These boxes contain the design basis and a listing of the design commitments and programmatic controls that ensure the design basis is met.

The following abbreviations are used in the summaries:

Design basis (DB)

Design commitment (DC)

Preoperational test (POT) (described further in the Initial Test Program)

Startup test (SUT) (described further in the Initial Test Program)

Inspections, tests, and analysis acceptance criteria (ITAAC) (described further in the Proposed License Conditions)

Technical specification (TS) (described further in the Technical Specifications)

For example: a design basis (DB) for an example reactor system (abbreviated with a three letter code, for example AAA), the resulting design commitment (DC), and the required programmatic controls would be listed as follows in the summary box, for example:

DB.AAA.01 The AAA system performs sufficiently.

DC.AAA.01.A The specific characteristic of the AAA system is as follows.

SUT.AAA.01.A1 and A2 (described further in the Initial Test Program)

19 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 Quality assurance is a component of the programmatic controls that are the building blocks to assuring the safety of as-built systems. This section of the methodology describes how functions and features are translated to the specific systems, sub-systems, components or portions of components, that perform the relevant function or feature. As an example, this section also describes how quality assurance is applied in accordance with Oklo, Inc. Quality Assurance Program Description (QAPD): Design and Construction OKLO-2019-14-NP, Rev.1 (referred to as the Oklo QAPD). Oklos QAPD was constructed using the Nuclear Energy Institute's, Nuclear Generation Quality Assurance Program Description, Revision 0, template (referred to as NEI 11-04A). The structure of the NEI 11-04A template lends itself to near direct application of the quality assurance approach outlined in this methodology for any NRC applicant that closely mirrors this template. It is acceptable to use alternative templates or structures; however, the delineation must be clear as to which sections of the QAPD are intended for safety-related portions of the design. The two parts of the Oklo QAPD that are relevant to this methodology and are used as examples throughout are the following:

1. Part II, "Quality Assurance Program Description Details"
2. Part III, "Nonsafety-Related SSC Quality Control," Section 1 (referred to in short as Part III)

Quality assurance requirements of an NRC applicants NRC-approved QAPD are applied to all functions and features that are assigned design bases. Safety-related functions and features must be treated under Part II of the QAPD and follow the quality assurance requirements of 10 CFR Part 50, Appendix B. Functions and features designated for regulatory controls that are not safety-related must be treated under Part III of the QAPD.6 Part III refers only to the application of regulatorily-controlled, not owner-controlled, quality assurance. Functions and features that are not assigned design bases are not subject to regulatory controls, and therefore are only subject to owner-controlled quality assurance program.

Regardless of the level of regulatorily-required quality assurance (i.e., Part II or Part III), for practical application the quality assurance requirements on a function or feature must be assigned to specific system(s), sub-system(s), component(s) or portions of component(s) that perform the function or embody the feature. The quality assurance requirements are scoped specifically to ensure the required function or feature, as required by 10 CFR Part 50, Appendix B, which is to be applied to all activities affecting the safety-related functions

[emphasis added] of those structures, systems, and components.

This methodology does not prescribe a specific method for assigning functions or features to systems, sub-systems, components or portions of components, as this must be done at the discretion of the designer. However, it is built into this methodology that regulatory controls always assign a system, sub-system, component, or portions of a component. Therefore, the creation of design bases, design commitments, and the corresponding programmatic controls that are used to uphold the functions or features provide this specificity with regards to which systems, sub-systems, components or portions of components will be used to perform each function or embody each feature. For the purpose of ensuring clarity, these assignments should 6 These functions and features may optionally be treated under Part II of the QAPD at the discretion of the designer, as the requirements of Part II exceed the requirements of Part III.

20 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 be clearly outlined in an NRC application, and clearly indicate the corresponding quality assurance requirements.

This indication within an NRC application comprehensively identifies the SSCs that perform functions or embody features that have importance to safety, as required by Criterion II of Appendix B to 10 CFR Part 50 and 10 CFR 50.34(f)(3). Note that even as assignments to specific systems, sub-systems, components or portions of components are made, it is still the function or feature that is considered safety-related, and all programmatic controls applied, including quality assurance requirements, are scoped specifically to upholding the relevant function or feature.

For example, consider a design basis that is created to uphold a specific feature of fuel, with corresponding design commitments that provide specificity as to the aspects of the fuel that must be upheld. The design basis would be assigned to the system that contains the fuel (e.g.,

the reactor core system). For the purposes of organization and clarity, all design bases related to the reactor core system are presented together in the license application. For quality assurance purposes, a subset of the reactor core system must be identified to uphold this feature. In this case, the fuel is the component that would be identified for higher quality assurance treatment, and the inherent feature to be upheld would become the critical characteristic of that component which must have quality assurance. For instance, the design control would be applied to factors that affect that feature, the procurement would have specifications related to that feature, shipping would ensure that feature was protected, and so forth. In other words, the resulting quality assurance requirements would be focused specifically on activities related to the feature of the fuel that the design commitment specifies, not broadly applied to all activities affecting the fuel.

This approach also provides important benefits when implementing change controls throughout the design, construction and operating life of the plant. If an SSC is classified as safety-related without specification of the function or feature that triggered that classification, it may be unclear to various stakeholders (e.g., designers, design reviewers, manufacturers, shippers) what aspect(s) of the SSC are necessary to uphold the safety of the facility. As a result, when modifications are required, it will not be clear how the modifications might affect these important aspects. As an improvement, this methodology identifies the important functions and features that assure safety, leading to timelier response times to plant issues and improved efficiency at multiple levels.

In summary, elevated quality assurance is based on the classification of functions and features, but ultimately applied to specific systems, sub-systems, components or portions of components that ensure those functions or embody those features. This result ensures that the proper functions and features are identified for the application of quality assurance, and the application of quality assurance is properly scoped to ensure those functions and features.

21 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 4 Conclusion and expectations for NRC review The Performance-Based Licensing Methodology described within this report is specifically geared towards developing a license application for a new design. The methodology is designed to clearly identify the functions and features of the system that are relevant to safety and to create the proper regulatory controls to uphold those functions and features. The resulting license application is scoped to contain the appropriate level of information to evaluate the sufficiency of these regulatory controls, while significantly reducing or excluding information about design aspects that do not have importance to safety.

For this approach to be successful, the applicant and the NRC staff must first agree on the methodology employed, then come to agreement on the particulars of the given application of the methodology. The purpose of this report is to achieve the former, an agreement on the methodology employed. The latter is achieved after a license application is submitted, accepted, and docketed. Once the license application review is underway, the first step should be to verify proper application of this Performance-Based Licensing Methodology. The next step should be to verify that the design bases and their relevant design commitments and programmatic controls are adequate. A successful regulatory review concludes that the presented license application follows this Performance-Based Licensing Methodology and supports it through the commitment to an adequate set of regulatory controls. The confirmation of the regulatory controls occurs during construction, pre-operational testing, and startup, and is likely carried out through regulatory audits and inspections. Ultimately, this Performance-Based Licensing Methodology proposes an approach that prohibits any new design from achieving key operational milestones without satisfying all of its regulatory controls.

As described throughout this document, this entire process is iterative. It is expected that additional iterations will take place during the review phase with the NRC staff, as technical or procedural questions are asked. The Performance-Based Licensing Methodology facilitates this iteration, and successful regulation of new designs will depend on the flexibility that this approach offers. However, that flexibility is only possible if the applicant and the NRC staff agree that the employed methodology is appropriate, and critically, is only constructive if the review of the license application is focused on ensuring that the methodology is appropriately applied.

Where the NRC staff sees design details that appear to be missing from the license application, these details should be clearly tied to a design commitment that would justify including those details. Where a design commitment appears to be missing, it should be clearly tied to a design basis (and by extension, to a function or feature requiring regulatory control) and a concern that the design basis will not be properly upheld without the additional commitment. Similarly, where a function or feature is not regulatorily controlled, but the NRC staff believes it should be, the potential deficiency in the design, the system model, or the licensing application that led to the exclusion of this function or feature should be identified. This will ensure that review resources are efficiently focused on the relevant functions and features of the proposed design.

When this method is diligently followed by both the applicant and NRC staff, the result is increased regulatory efficiency. Oklo has already seen the benefit of this approach over the course of reviewing the Aurora-INL COLA, where productive interactions with the NRC staff that have resulted in new design commitments, demonstrating the potential for the iterative review process.

The rigorous application of this Performance-Based Licensing Methodology and the resulting performance-based license structure have the potential to facilitate substantially more focused

22 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 license application reviews as well as targeted, right-sized, and efficient oversight long into the life of the plant. These benefits derive from the comprehensive and honed set of regulatory controls established during the application of this methodology, agreed upon during the review and put in motion with the granting of a license. This methodology is systematic, and the structure developed strives to clearly communicate the resulting regulatory controls. Oklo is confident that this methodology can be successful and is committed to its continued improvement as lessons are learned from its implementation.

23 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 Appendix A Performance-based structure This appendix includes a description and discussion of how the Performance-Based Licensing Methodology can be put into a logical structure based on U.S. Nuclear Regulatory Commission (NRC) regulations while maintaining a technology-independent structure. In particular, the Aurora at the Idaho National Laboratory Site (Aurora-INL) combined license application (COLA) is used as an example, although it is expected each major element of the Aurora-INL COLA could be accomplished in a similar way for COLAs for different designs. The Performance-Based Licensing Methodology does not require the use of the companion Maximum Credible Accident Methodology topical report (referred to as MCA Methodology), however in this appendix there are several areas where the discussion of the Aurora-INL COLA also assumes the use of this companion methodology.

A.1 Overall application structure Starting in preapplication discussions with the NRC in 2016, it became apparent that the application structure prescribed for large light water reactors would not be appropriate for an advanced reactor with substantially different characteristics. These characteristics include, but are not limited to: fuel type, coolant, thermal power, neutron spectrum, plant layout, and site footprint. This structure, like the structure assembled in the consortium that proposed the Technology Inclusive Contents of Application Project (TICAP), is based on requirements from 10 CFR Part 52, Licenses, Permits, and Approvals for Nuclear Power Plants, for a combined license application. This structure is directly applicable for combined license applications; however, it is expected that the key elements related to the Performance-Based Licensing Methodology could be structured in a similar way regardless of the regulatory pathway for design and licensing.

In 2018, Oklo Inc. (Oklo) presented an alternate application structure built directly from the regulatory requirements, which are provided in Title 10 of the Code of Federal Regulations (10 CFR), specifically:

10 CFR 52.77, Contents of applications; general information 10 CFR 52.79, Contents of applications; technical information in the final safety analysis report 10 CFR 52.80, Contents of applications, additional technical information This structure piloted with the NRC in 2018 was then honed along with interactions with the NRC staff until the final structure utilized for the COLA. Following 10 CFR 52.77, 10 CFR 52.79, and 10 CFR 52.80 effectively gives four primary parts to the COLA, including the final safety analysis report (FSAR). These four primary parts are the following:

Part I: Company Information and Financial Requirements (10 CFR 50.33 requirements, from 10 CFR 52.77)

Part II: FSAR (from 10 CFR 52.79)

Part VI: Proposed License Conditions, including the proposed inspection, tests, analysis, and acceptance criteria (ITAAC) (from 10 CFR 52.80(a))

24 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 Part III: Environmental Report (from 10 CFR 52.80(b))

Three other parts are added to this structure or separated out from the FSAR requirements section to mimic past application structures:

Part IV: Technical Specifications (which is separated out into its own part of the application from a regulatory subsection for the FSAR, 10 CFR 52.79(a)(30))

Part V: Non-Applicabilities and Requested Exemptions Part VII: Enclosures (which include certain plans referenced in and required for the application, as well as other key supporting documents)

Using this format clearly and intentionally ties the licensing application to the regulations. In general, the order of the FSAR chapters follow the order of the regulations, with the exception of sections that are not applicable or have requested exemptions (these are addressed in Part V of the application but are not the focus of this document). Each major part of the application and each chapter of Part II begins with a section stating the purpose as given in the regulation, to make the tie to the regulation clear. This structure is also envisioned to aid the NRC staff in the writing of a safety evaluation for the approval of the license application since each section of the license application includes the clear regulatory requirement that it should be evaluated against.

Oklo had conversations with the NRC staff regarding the application structure during pre-application, and in late 2018, Oklo completed a pilot of DG-1353 for a novel application structure, documented in, Oklo Inc., DG-1353 Pilot: Submittal to Support NRC Development and Implementation of DG-1353, September 2018. This draft guidance, DG-1353, is the basis of the NRCs Regulatory Guide 1.233, Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light Water Reactors, Revision 0, issued June 2020.

This structure was then used for the Aurora-INL COLA, with some revisions based on lessons learned from the DG-1353 pilot. In 2020, the NRC accepted the Aurora-INL COLA for review, showing NRC flexibility to work with a novel technology and a new application structure.

A.2 Introduction to performance-based application elements The Performance-Based Licensing Methodology and the resulting performance-based application structure employed by Oklo are designed to achieve multiple, related goals:

Make clear, explicit commitments to uphold the safety characteristics of the system Scope licensing actions to include the information required to evaluate the sufficiency of these commitments, while including only a limited amount of information about system characteristics that do not affect safety Tie these commitments to specific programmatic controls, including quality assurance, which ensure the commitments are met at all key phases during the plant lifecycle

25 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 This flexibility is central to the success of the Performance-Based Licensing Methodology. The ability to bring forth designs for regulatory review earlier in the design process is critical to enabling the successful licensing of advanced reactors, both for the regulator and the designer.

Applying clear regulatory controls, with specific and actionable design commitments verified by programmatic controls, is one way of enabling this approach.

Oklo has designed this Performance-Based Licensing Methodology to be explicit about the commitments being made and the programmatic controls that are used to ensure those commitments. This explicit treatment allows for clear focus points for the NRC staffs review, which should seek to determine whether the commitments that have been made are sufficient (i.e., that the commitments comprehensively ensure the performance of the applicable functions and features), and to determine whether the programmatic controls that have been specified are sufficient to ensure that the commitments are met. The following sections describe the performance-based structure that Oklo employs to make these commitments clear and actionable.

A.3 Components of the performance-based application A.3.1 Regulatory controls The building blocks of the performance-based license application structure are referred to as regulatory controls. These controls can be thought of collectively as the levers at the disposal of the applicant and the regulator to ensure that the safety of the design is upheld. They are the combination of design bases, design commitments, and all programmatic controls (e.g., pre-operational tests, startup tests, ITAAC, technical specifications).

A.3.2 Design bases and design commitments The most fundamental regulatory controls in the Performance-Based Licensing Methodology are design bases and design commitments. Design bases are the characteristics of a system that ensure the safe operation of the reactor. Most major systems in the reactor have at least one design basis, but some systems that are not relied on for safe operation may not have any design bases. Each design basis has one or more design commitments, which are the specific commitments made to ensure that the design basis is met. The design aspects that ultimately become design bases are first identified during the iterative design process (described in Section 2), and later codified as regulatory controls (described in Section 3).

Oklo also uses a concept called key dimensions, which are fundamental in the description and analysis of structures, systems, and components (SSCs) and their design bases. Key dimensions are the dimensions with first-order importance to determining the neutronic and thermal-hydraulic behavior of the system, and therefore the dimensions that have importance to safety.

A.3.3 Programmatic controls The application of the Performance-Based Licensing Methodology ultimately culminates in programmatic controls that are designed to verify adequate performance of the as-built system.

Collectively, the programmatic controls are required to uphold the safety of the facility throughout its lifecycle. As described in Section 3.1, the methodology is intentionally flexible with regard to the development of programmatic controls, and does not provide prescriptive requirements for how they are applied. The exception is for quality assurance (QA), for which

26 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 specific requirements are described in Section 3.6. This section describes the types of programmatic controls that Oklo developed for the Aurora-INL COLA, but it does not imply that an NRC applicant must use each of these specific types, nor does it limit an applicant to only these types of controls.

These programmatic controls include preoperational tests (POTs), inspections, tests, and analysis acceptance criteria (ITAAC), startup tests (SUTs), technical specifications (TS), and QA. Collectively, these programmatic controls ensure that the fabrication and erection and operation of the SSCs is done in a way that each of the associated design commitments are met.

The Initial Test Program (ITP) consists of the tests conducted prior to normal operations (i.e.,

POTs and SUTs), with completion of these tests required to meet an ITAAC. Because the completion of preoperational tests is required by an ITAAC, this approach offers assurance that a reactor that does not meet the design commitments cannot start up or operate. The staging of tests in two phases of the ITP is done to ensure that key aspects of the system are demonstrated prior to any safety risk existing (i.e., prior to fuel arriving onsite). The TS ensure that the design commitments that require additional surveillance and testing over the course of normal operations continue to be adequately met. The use of TS ensures that an operating reactor that no longer meets the design commitments will be taken offline and restored to compliance before operating again. All design bases and design commitments are also subject to the requirements of Oklo, Inc. Quality Assurance Program Description (QAPD): Design and Construction OKLO-2019-14-NP, Rev.1, (referred to as the QAPD). Collectively, these programmatic controls guarantee a successful licensing outcome when properly implemented, because a reactor that is not in compliance cannot start up or continue operations, and cannot negatively impact the health and safety of the public.

Programmatic controls may in some cases reference a specific code or standard that must be used to meet the corresponding design commitment. Referencing a code or standard in this way would serve as an explicit commitment to meeting that code or standard as part of fulfilling the design commitment. However, this Performance-Based Licensing Methodology is intended to provide flexibility in how design bases are upheld, and an over-reliance on codes and standards codified as regulatory controls would be counter to this flexibility. As described, the Performance-Based Licensing Methodology relies on verifying functions and features via a suite of programmatic controls prior to and during operation. The programmatic controls will typically be agnostic to design aspects such as specific fabrication methods, and therefore will not commit to codes and standards that constrain the methods available. Instead, they are focused on ensuring performance regardless of the methods selected. In some cases, specific codes or standards may prove to be helpful for meeting a specific design commitment for which they are not explicitly required (i.e., are not specified as a regulatory control). In these cases, the code or standard may be treated as an owner control, as described in the following section.

A.3.4 Operational bases In addition to design bases, the NRC application may include a description of operational bases to provide additional information about the facility for the purpose of improving overall understanding and facilitating the regulatory review7. Operational bases are not relied on for 7 Note that at the time of submission of the Aurora-INL COLA operational bases were referred to as performance bases. This terminology is being changed to avoid confusion between performance bases and the performance-based licensing approach, and the appropriate changes will be propagated to affected documents.

27 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 safety, and as such, they do not require regulatory controls. As a result, analyses related to the operational bases are generally not included in the NRC application. Systems that have no functions or features that are relied on for safe operation of the reactor only have operational bases, and the level of detail in the NRC application for those systems is limited in scope to providing information for overall understanding of the operation of the facility.

Note that although operational bases do not result in regulatory controls, they are subject to analogous owner controls. These controls include operational commitments, and related controls used to ensure those commitments, such as operational testing and owner-controlled quality assurance, as illustrated in Figure A-1. Owner controls are not included in the license application, as they are outside of the scope of the regulator due to their lack of impact on safety.

Figure A-1: Summary of owner controls A.4 Organization of the performance-based application components The building blocks of Oklos performance-based structure are described in Section A.3. Each of these components has its specific place in the license application, and the connections between these components is clearly highlighted. Throughout the license application, Oklo includes design basis summaries that are depicted by gray boxes. These design basis summaries are included for ease of regulator review and are described in more detail below in an example gray box.

28 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 A.4.1 Description and analysis of SSCs Chapter 2, Description and analysis of structures, systems, and components, of Part II (II.02) of the Aurora-INL COLA contains descriptions of SSCs and analysis of their steady-state behavior. It is organized by major system (e.g., control drum system), and it specifically lists the design bases and performance bases associated with each system. Gray summary boxes summarize the design bases for each major system at the end of the associated section.

Chapter 2 focuses on the expected functions of the SSCs and addresses the requirements in 10 CFR 52.79, including the extent to which generally accepted standards are applied to the design of the reactor and the extent to which the reactor incorporates unique, unusual or enhanced safety features having significant bearing on the probability or consequences of accidental release of radioactive materials.

A.4.2 Transient analysis Chapter 5, Transient analysis, of Part II (II.05) of the Aurora-INL COLA describes both the methodology and the results of the safety analysis of the system. It specifies the methodology Gray summary boxes are used throughout the license application to summarize design bases. These boxes contain the design basis and a listing of the design commitments and programmatic controls that ensure the design basis is met.

The following abbreviations are used in the summaries:

Design basis (DB)

Design commitment (DC)

Preoperational test (POT) (described further in the Initial Test Program)

Startup test (SUT) (described further in the Initial Test Program)

Inspections, tests, and analysis acceptance criteria (ITAAC) (described further in the Proposed License Conditions)

Technical specification (TS) (described further in the Technical Specifications)

For example: a design basis (DB) for an example reactor system (abbreviated with a three letter code, for example AAA), the resulting design commitment (DC), and the required programmatic controls would be listed as follows in the summary box, for example:

DB.AAA.01 The AAA system performs sufficiently.

DC.AAA.01.A The specific characteristic of the AAA system is as follows.

SUT.AAA.01.A1 and A2 (described further in the Initial Test Program)

29 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 used for identifying and evaluating the licensing basis event(s). For example, the Aurora-INL COLA utilized the MCA Methodology, described in the MCA topical report.8 The methodology chosen for evaluating licensing basis event(s) also specifies the acceptance criteria9 for those events and are derived from the regulatory requirements.

In addition to the acceptance criterion from the MCA methodology, which is based on dose, additional conservatism can be specified for the design by supporting criteria, such as maximum fuel temperature as in the Aurora-INL COLA. In other words, applying supporting criteria to the safety analysis to consider fuel temperature inherently bounded the acceptance criterion of the MCA methodology. The result is documented in II.05 and shows that in the case of the maximum credible accident, the final design meets the supporting criteria with substantial margin, which itself is both bounding and conservative when compared to the acceptance criterion derived from regulatorily required dose limits.

Chapter 5 of Part II also contains a summary of the transient analysis conducted, including the details of the system model and the results of the analysis. Abbreviated versions of the gray summary boxes from II.02 are replicated in the section describing the assumptions made in the system model. These replicated gray boxes are used to clearly tie the design bases and design commitments directly to their associated assumptions in the transient analysis.

A.4.3 Programmatic controls Specific programmatic controls are referenced in both II.02 and II.05, and the programmatic controls are summarized in the gray boxes found in each section. The programmatic controls themselves are described in more detail elsewhere in the application.

The POTs are conducted as the first phase of the initial testing program (ITP), which can be found in Chapter 14, Preoperational testing and initial operations, of Part II (II.14). These tests must be completed, and a summary report created, to satisfy an ITAAC. The ITAAC are found in Part VI, Proposed license conditions. The SUTs are conducted during and after initial fuel loading. These are conducted as the second phase of the ITP and are also found in II.14. The TS provide the operating limits for the reactor. These are found in Part IV, Technical Specifications.

A.4.4 Principal design criteria Principal design criteria (PDC) are required to be incorporated in an application for a combined license in accordance with 10 CFR 52.79(a)(4)(i). The Performance-Based Licensing Methodology is intended to be used to develop the design bases, and their corresponding design commitments. This section is included for the purposes of describing how design bases relate to the PDC in the Aurora-INL COLA, but the Performance-Based Licensing Methodology does not prescribe a specific method for developing the PDC. The NRC applicant is free to use methods 8 Oklo Inc., Maximum Credible Accident Methodology, Revision 3, October 2021.

9 In the case of the MCA Methodology, the only acceptance criterion is known as the Dose Acceptance Criterion, and it specifies the dose limits that the system must meet in the event of the maximum credible accident.

30 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 from existing guidance,10 follow the approach taken by Oklo, or to develop their own methodology for identifying PDC. In a license application that utilizes this methodology, the appropriate description should be provided to justify the ultimate selection of PDC.

The approach taken by Oklo for the PDC is described in Chapter 4, Principal design criteria, of Part II (II.04). Rather than starting with prescriptive design criteria, which are not developed fundamentally from a performance-based mindset, and then defining design bases that satisfy each of those design criteria, the methodology applied to the Oklo designs is built from the safety analysis. After the design bases are developed based on a systematic analysis of the design (as described in Section 3), they are then grouped together according to the common goals of each of the design bases. From each of these groups, a PDC is created to ensure that their common goal is upheld. The resulting structure is shown schematically in Figure A-3.

Figure A-2: Relationship of principal design criteria to the design bases 10 Regulatory Guide 1.232, Guidance for Developing Principal Design Criteria for Non-Light-Water Reactors, Revision 0, provides one set of optional guidance that can be used for the development of principal design criteria.

31 Performance-Based Licensing Methodology Oklo-2021-R20-NP, Rev. 1 The process of developing the PDC provides an opportunity to double-check, from a top-down perspective, that the design bases are adequate and encompassing. As with the Performance-Based Licensing Methodology more broadly, the fact that this process is design-driven rather than prescriptive provides the ability to focus both the design work and ensuing NRC review on the aspects of the system that drive the safety of the system.

A.5 Conclusion This appendix includes a description and discussion of how the Performance-Based Licensing Methodology can be put into a logical structure based on NRC regulations while maintaining a technology-independent structure. Years of various discussions with NRC staff highlighted key needs and concerns, such as clearly indicating how the existing regulations are discussed and met, ensuring that the important information relating to safety is clear, and ensuring level of detail is appropriate for the different kinds of content. Key elements to this structure which are generally applicable for applicants using this methodology include:

the structure, in terms of layout and content, the numbering structure of design bases, design commitments, and programmatic controls, which have inherent to them a tie to the relevant system, and the organization of the design bases, design commitments, and programmatic controls into clearly communicated gray boxes which ensure that the functions and features that impact safety are clearly identified and found within the application structure.

The Aurora-INL COLA is used as an example, although it is expected each major element of the Aurora-INL COLA could be accomplished in a similar way for COLAs for different designs. The Performance-Based Licensing Methodology does not require the use of the companion MCA methodology topical report, however in this appendix there are several areas where the discussion of the Aurora-INL COLA also assumes the use of this companion methodology.