ML23132A324
| ML23132A324 | |
| Person / Time | |
|---|---|
| Site: | 99902078, 05200050 |
| Issue date: | 05/12/2023 |
| From: | Shaver M NuScale |
| To: | Office of Nuclear Reactor Regulation, Document Control Desk |
| Shared Package | |
| ML23132A323 | List: |
| References | |
| LO-139918 | |
| Download: ML23132A324 (1) | |
Text
LO-139918 May 12, 2023 Docket No. 052-050 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk One White Flint North 11555 Rockville Pike Rockville, MD 20852-2738
SUBJECT:
NuScale Power, LLC Submittal of White Paper, EDAS Supplemental White Paper, Revision 0
REFERENCES:
- 1. NuScale Power, LLC Submittal of White Paper, Treatment of the Augmented DC Power System (EDAS) after safety-enhancing changes are made to the Emergency Core Cooling System (ECCS), LO-129764, dated December 2, 2022 (ML22336A130)
This letter transmits NuScale Power, LLC's (NuScale) white paper, EDAS Supplemental White Paper, Revision 0, which supplements Reference 1. is the proprietary version of the white paper entitled EDAS Supplemental White Paper. NuScale requests that the proprietary version be withheld from public disclosure in accordance with the requirements of 10 CFR § 2.390. The enclosed affidavit (Enclosure 3) supports this request. Enclosure 2 contains the nonproprietary version.
This letter makes no regulatory commitments and no revisions to any existing regulatory commitments.
If you have any questions, please contact Brian Meadors at 541-452-7846 or bmeadors@nuscalepower.com.
Sincerely, Mark W. Shaver Acting Director, Regulatory Affairs NuScale Power, LLC Distribution: Michael Dudek, NRC Getachew Tesfaye, NRC Andrea Kock, NRC Brian Smith, NRC Rob Taylor, NRC NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360.0500 Fax 541.207.3928 www.nuscalepower.com
LO-139918 Page 2 of 2 05/12/23 Enclosure 1: EDAS Supplemental White Paper, WP-139876-P, Revision 0 (proprietary version)
Enclosure 2: EDAS Supplemental White Paper, WP-139876-NP, Revision 0 (nonproprietary version)
Enclosure 3: Affidavit of Mark W. Shaver AF-140414 NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360.0500 Fax 541.207.3928 www.nuscalepower.com
LO-139918 :
EDAS Supplemental White Paper, WP-139876-P, Revision 0 (proprietary version)
NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360.0500 Fax 541.207.3928 www.nuscalepower.com
LO-139918 :
EDAS Supplemental White Paper, WP-139876-NP, Revision 0 (nonproprietary version)
NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360.0500 Fax 541.207.3928 www.nuscalepower.com
WP-139876-NP Revision 0 Page 1 of 14 EDAS Supplemental White Paper Executive Summary Re-classifying the NuScale Power Plants augmented DC power system (EDAS) as safety-related is inconsistent with precedents, guidance, and the Standard Review Plan. In addition, the event sequence of concern has a frequency on the order of E-8/year and has no consequence on the health and safety of the public.
SRM-SECY-19-0036 requires that, in any licensing review or other regulatory decision, the staff should apply risk-informed principles when strict, prescriptive application of deterministic criteria [are] unnecessary to provide for reasonable assurance of adequate protection of public health and safety. In this case, NuScale can show reasonable assurance of adequate protection of public health and safety.
The text of 50.2s definition of safety-related, when harmonized with precedents, guidance, and the Standard Review Plan, supports NuScales nonsafety classification.
The event sequence has no consequences challenging public health and safety.
1. Background
The Commission certified NuScales twelve module, 50 MWe design (US600) at 10 CFR Appendix G. The highly reliable DC power system (EDSS) in the certified design is classified as nonsafety-related with augmented design, qualification, and QA provisions.
At issue in audit question A-15-1 and the overall high impact technical issues (HITI) is the safety classification of the successor to the EDSS, the augmented DC power system (EDAS), in the pending application for the US460 Standard Plant Design.
The EDAS has augmented design requirements and is single failure proof. No single component failure causes a loss of EDAS. A loss of EDAS initiating event (i.e., multiple failures leading to a loss of EDAS) has a frequency of 2.6E-04 mcyr [per module critical year]).1 The modifications to the certified US600 design include a change to the emergency core cooling system (ECCS), specifically modifications to the valves to allow for a more rapid activation of ECCS. As a result of the cumulative modifications, the large release frequency (LRF) for the US460 Standard Plant Design is reduced by more than an order of magnitude as indicated in Table 1 below. The table also demonstrates that the new US460 design and the previously approved US600 design have risk profiles far exceeding NRC safety goals.
1 NuScale Power, LLC, Treatment of DC Power in Safety Analyses, TR-102621-P (submitted Dec 2022). Tables B-1 and B-2 provide augmented design requirements. Figure 8.3-4a and 8.3-4b, in FSAR Section 8.3, show the module specific EDAS simplified drawings.
NuScale Nonproprietary
WP-139876-NP Revision 0 Page 2 of 14 Table 1:US600, US460, and NRC Safety Goal Comparison DesignModel CDF LRF US600, base model E-10 E-11 US460, base model E-9 E-13 NRC Safety Goal E-4 E-6
- 2. The Scenario at Issue The scenario giving rise to the classification issue is an event sequence that increases reactor power, combined with a subsequent smart failure of EDAS. A smart failure is defined here as a random failure unrelated to the initiating event occurring in a particular, narrow window of time with the result of exacerbating the plant response. An example scenario is:
- 1) a failure of the control rod drive system, and
- 2) that failure causes control rod(s) to withdraw, increasing reactor power and temperature, and
- 3) in a particular, limited time frame while power and temperature are high, but before completion of the reactor trip actuated by the safety-related module protection system (MPS), the single failure proof EDAS has multiple failures, causing the reactor vent valves (RVVs) to immediately open.
Scenarios like this sequence of events are extraordinarily unlikely, on the order of E-8/year.2 Consistent with the Standard Review Plan and the intent of General Design Criterion 17, the existing Chapter 15 safety analysis already considers: (1) an event sequence where EDAS is not lost; (2) the initiating event itself is the loss of EDAS; and (3) the loss of EDAS is assumed coincident with the separate initiating event. In addition, a loss of EDAS after reactor trip has occurred due to the separate initiating event is non-limiting. Because the smart failure analysis is not required and is an E-8/year frequency sequence, it is not analyzed.
If the E-8/year scenario were to occur, fuel cladding heat flux may briefly exceed a deterministic specified acceptable fuel design limit (SAFDL) of minimum critical heat flux ratio (MCHFR).
MCHFR is used by NuScale as a conservative surrogate for cladding failure in AOO analyses to assure fission product barriers are not challenged.
The EDAS smart failure would cause the safety-related MPS to immediately actuate a reactor trip, limiting the time that fuel cladding heat flux exceeds MCHFR to the few seconds before MPS actuates a trip and control rods are fully inserted. In the NuScale US460 design, control rod insertion time is 2.3 seconds or less.
2 The event is also problematic because it assumes that the reactor is operating outside of its licensed power level for an extended period, an assumption inconsistent with 10 CFR 50.36(c)(2)(ii)(B) and SRP 15.0.
NuScale Nonproprietary
WP-139876-NP Revision 0 Page 3 of 14 This brief exceedance of the MCHFR limit has no significant consequences:
There is no sustained cladding heat-up.
There is no core damage with loss of coolable geometry.
There is no challenge to containment design pressure.
Dose consequences would be well below onsite and offsite dose limits.3
- 3. The Staffs and NuScales Positions NuScale and the staff start with the appropriate assumption of an AOO initiating event. At this point, NuScales and the staffs views diverge.
NuScale considers the potential for EDAS to fail because it is a nonsafety-related system and informed by General Design Criteria requirements to address transients with and without power scenarios.
NuScale demonstrates that failure of the EDAS is not caused by the initiating event or the event progression and addresses with and without power scenarios by considering loss of EDAS coincident with event initiation. NuScale believes the technical bases previously provided to the staff, when viewed consistently with engineering judgment, can be used to find reasonable assurance.
In contrast, the staff is requiring a smart failure of the EDAS, based on the staffs new and strict interpretation of 10 CFR 50.2s definition of safety-related. As discussed above, a smart failure of EDAS in certain, narrow windows of time results in a brief exceedance of the MCHFR SAFDL when the RVVs open.
The staff also takes the position that overall sequence probability plays no role in analyzing AOOs after the initiating event.
10 CFR 50.2s definition of safety-related does not allow an applicant to assume operation of nonsafety-related systems in safety analyses.
without an approved Chapter 15 post-CHF methodology, cladding integrity (i.e., safe shutdown) can only be assured by meeting the SAFDL.
3 The core damage event (CDE) analyzed in FSAR Section 15.10 considers the dose consequences of a beyond-design-basis event with substantial core damage, far exceeding the source term possible from the EDAS smart failure scenario. The CDE yields an offsite dose less than 10% of the 52.137(a) offsite dose limit for the exclusion area boundary.
NuScale Nonproprietary
WP-139876-NP Revision 0 Page 4 of 14 the RVVs opening (i.e., initiation of ECCS) due to loss of EDAS is equivalent to violating the reactor coolant pressure boundary (RCPB) integrity aspect of 10 CFR 50.2 requirements.4 From these premises, the staff concludes that EDAS must be a safety-related system to prevent the E-8/year scenario.
In this manner, the staffs approach is a strict application of deterministic criteria, specifically, a rigid interpretation of 10 CFR 50.2. In pre-application and clarification meetings, the staff pointed to 50.2s definition of safety-related that applies to SSCs that are relied upon to remain functional during and following design basis events to assure RCPB integrity, safe shutdown, and mitigate offsite exposure. The staff emphasized 50.2s use of the word during as the basis for requiring a smart failure.
After five meetings, a previous white paper, and a technical paper, the staff and NuScale remain at an impasse.
- 4. The most efficient resolution of this issue is to apply SRM-SECY-19-0036.
The events leading up to SRM-SECY-19-0036 are instructive and parallel the EDAS classification issue.
In the original, certified design, NuScale used a type of valve with a passive inadvertent actuation block (IAB) component in its emergency core cooling system (ECCS). NRC staff contended that NuScale was to consider the IAB component as an active failure when applying the single failure criterion, a requirement beyond the scope of NuScales design basis event analyses. NuScale took the position that the ECCS, in the context of an integrated system, met reasonable assurance of adequate protection, regardless of the application of the deterministic single failure criterion.
The Commission resolved the issue succinctly. It first ordered the staff not to assume a single active failure on the IAB valves. But the Commission went further, extending its holding:
In any licensing review or other regulatory decision, the staff should apply risk-informed principles when strict, prescriptive application of deterministic criteria [are]
unnecessary to provide for reasonable assurance of adequate protection of public health and safety.
(emphasis added)
Similarly, in the EDAS classification issue, the staff is contending that NuScale classify EDAS as safety-related under 10 CFR 50.2 to prevent an event with both a frequency and consequence beyond risk-informed design basis event analyses. NuScale is taking the position that the 4
In pre-application and clarification meetings, the staff asserts that the opening of an ECCS valve equates to a loss of reactor coolant pressure boundary (RCPB) and insists that a safety function of the ECCS valves is to remain closed. This is incorrect for the NuScale US460 and previously certified US600 plants. With regard to opening and closing, the safety function of NuScales ECCS valves is to open to initiate ECCS, and opening the valves is not a breach of the RCPB. This is further addressed in NuScales response to Audit Question 6.3-2.
NuScale Nonproprietary
WP-139876-NP Revision 0 Page 5 of 14 current classification of EDAS, in the context of an integrated system, meets reasonable assurance of adequate protection, regardless of the staffs strict, prescriptive application of its interpretation of 10 CFR 50.2.
Thus, like the result in SRM-SECY-19-0036, NuScale asks that the staffs strict, prescriptive, and deterministic interpretation of 10 CFR 50.2 be found to be unnecessary to provide for reasonable assurance of adequate protection of public health and safety.
- 5. The staffs interpretation of 50.2 cannot be reconciled with half a century of guidance and precedents, nor the Standard Review Plan.
In applying 50.2s safety-related definition, NuScale submits that a better approach is to harmonize the definition with precedents, guidance, and the Standard Review Plan.
5.1. Precedents The ambiguity of 50.2s during and following language can be resolved by looking at how the NRC has historically interpreted it. The NRCs reasonable, consistently applied administrative interpretation of its regulations (i.e., precedent) is controlling law with regard to the NRCs regulations. No. Ind. Pub. Svc. Co. v. Izaak Walton League, 423 U.S. 12, 15 (1975).
Agency action is arbitrary and capricious if it departs from agency precedent without explanation. Ramaprakash v. F.A.A., 346 F.3d 1121, 1124 & 1128 (D.C. Cir. 2003) (reversing the FAA due to FAAs failure to follow its own precedent without providing a reasoned explanation for its decision).
With these legal requirements in mind, NuScale offers five precedents showing that nonsafety-related systems may be assumed to operate without considering smart failure sequences.
5.1.1. Design Certification Application: US-APWR, part one Summary of precedent: The US-APWR Chapter 15 analyses credit a nonsafety-related power supply (i.e., the offsite power system) to power the reactor coolant pump motors on nonsafety-related buses to continue to provide forced coolant flow following reactor/turbine trip. This assumption ensures decreasing flow conditions are not present when evaluating other initiating events for departure from nucleate boiling ratio (DNBR). The justification is based on the reliability of the power supply. Although the design certification was not completed, the NRC did issue SERs that accepted the approach. This precedent shows that nonsafety-related power supplies and components can be credited in safety analyses to remain available after event initiation, when justified to be reliable,5 to ensure that SAFDLs are met for anticipated operational occurrences AOOs. This precedent further shows that loss of power is only assumed at discrete times (either at event initiation or following reactor/turbine generator trip) and mid-event random power failures (i.e., smart failures) are not assumed.
Supporting documents:
ML13262A481: Design Control Document (DCD) Section 15.0.0.7 discusses assumptions for the loss of offsite AC power. Analyses are described as considering both with and without offsite 5
Chapter 8.3 of NuScales SDAA justifies EDASs reliability due to its augmented requirements.
NuScale Nonproprietary
WP-139876-NP Revision 0 Page 6 of 14 power available for cases where the event may be accompanied by a reactor/turbine generator trip. The DCD describes that a minimum delay of 3 seconds is assumed between reactor trip/turbine generator trip and a postulated loss of offsite power (LOOP). This 3-second delay allows credit for continued forced flow from reactor coolant pumps (RCPs) while control rods are dropping from the reactor trip. The time delay assures that the loss of flow transient caused by power loss to the RCPs does not occur until after minimum departure from nucleate boiling rate (DNBR) has already occurred. As a result, the LOOP cases are not limiting for DNBR. The justification for the 3-second delay is provided in DCD Section 8.2.3.
ML13262A473: DCD Section 8.2.3 describes how the RCPs are powered following a reactor/turbine trip. Various timer delays associated with the generator are described but not credited. The design is described as ensuring the RCPs remain powered as long as offsite power is available. The stability of the offsite power system is credited as the reason that the RCPs will remain powered for at least 3 seconds. Confirmation of the grid stability is included as an interface requirement for a COL applicant. DCD Section 8.2.1.2 identifies that the offsite power system is a nonsafety-related system. DCD Section 8.2.3 identifies that the RCP motors are connected to the nonsafety-related buses. The RCP motors are also not identified as safety-related in DCD Table 3.2-2 (ML13262A464).
ML12167A444: The safety evaluation report (SER) with open items for Chapter 15 describes the review of the DCD Section 15.0.0.7 LOOP assumptions. The SER describes verification of minimum DNBR for cases with no LOOP compared to cases with LOOP delayed by 3 seconds after reactor/turbine generator trip. Cases assuming a LOOP either just before reactor/turbine generator trip such that the 3-second delay did not apply or in the first 3 seconds after reactor/turbine generator trip are not described nor required to be performed as an open item.
The SER describes an RAI requesting additional justification of the 3-second delay. The SER describes the response as revising DCD Chapter 15 to point to Section 8.2.3 for the details of the electrical systems, which was tracked as a confirmatory item.
ML19155A293: The advanced SER (with no open items) for DCD Chapter 8 describes the interface with DCD Chapter 15 regarding the 3-second delay for RCPs. The SER indicates that RAIs on the subject were closed by the inclusion of the interface requirement for a COL applicant to confirm the grid stability.
5.1.2. Design Certification Application: US-APWR, part two Summary of precedent: The Chapter 15 analyses credit a nonsafety-related power supply (the offsite power system) to power the RCP motors on nonsafety-related buses to continue to provide forced coolant flow after event initiation and until reactor/turbine trip. The SRP identifies the need to assess loss of offsite power (LOOP) to satisfy GDC 17, but does not require assuming LOOP at event initiation or during the event progression before reactor/turbine trip.
NUREG-0138 identifies that the consequences of the event are more limiting with alternate LOOP assumptions but determines that alternate LOOP assumptions are not required due to the low probability of such sequences.
Supporting documents:
ML13262A481: DCD Section 15.3.3 evaluates the RCP rotor seizure. The event assumes instantaneous RCP rotor seizure of one RCP rotor with a rapid reduction in flow, including reverse flow in that loop. Assumption of a LOOP results in the other three RCPs coasting down and exacerbating the decrease in RCS flow. However, the LOOP is assumed to only occur at the time of turbine trip. (A 3-second delay in RCP coastdown following turbine trip is also assumed, NuScale Nonproprietary
WP-139876-NP Revision 0 Page 7 of 14 but that treatment is addressed separately in § 3.2.1, above.) A LOOP is not assumed either at event initiation or during the event just prior to reactor trip, as demonstrated by DCD Figure 15.3.3-1 which shows no decrease in flow from the other RCPs. The evaluation shows that fuel failure does occur and dose consequences are calculated. No justification is provided for why a LOOP is not assumed at any point prior to turbine trip. DCD Table 1.9.2-15 (ML13262A462) identifies that the Section 15.3.3 evaluation conforms to SRP 15.3.3-15.3.4 with no exceptions.
Since the analysis is not performed with alternate LOOP assumptions, it is not known whether the results still meet offsite limits if alternate assumptions are applied.
ML12167A444: The SER with open items for Chapter 15 describes the review of the DCD Section 15.3.3 LOOP assumptions. The SER describes how GDC 17 is interpreted by Items 7 and 9 in SRP 15.3.3-15.3.4, which include consideration of a LOOP at time of turbine trip. There is no discussion of a LOOP at event initiation or during the event progression prior to turbine trip.
The SER states that the evaluation was acceptable and conforms with the SRP regarding LOOP assumptions.
ML070550012: The SRP 15.3.3-15.3.4 Item 7 states that Only safety-grade equipment should be used to mitigate the consequences of the event. Safety functions should be accomplished assuming the worst single failure of a safety system active component. For new applications, loss of offsite power should not be considered a single failure; reactor coolant pump rotor seizures and shaft breaks should be analyzed with a loss of off-site power (see item 9, below) in combination with a single active failure. (This position is based upon interpretation of GDC 17, as documented in the Final Safety Evaluation Report for the ABB-CE System 80+ design certification.) Item 9 states that This event should be analyzed assuming turbine trip and coincident loss of offsite power and coastdown of undamaged pumps. No discussion of the assumption of a LOOP at other times that generates a more limiting reduction in RCS flow (and therefore increased consequences) is provided.
ML13267A423: NUREG-0138 Item 5 addresses the flow coastdown of undamaged pumps during an RCP rotor seizure or shaft break. The potential for more limiting LOOP assumptions is considered, such as a LOOP coincident with event initiation. The coincident LOOP is identified as resulting in larger calculated radiological consequences, although still within 10 CFR 100 limits.
The review of the issue concludes that it is likely that offsite power remains available and the occurrence of the initiating event with a coincident LOOP is not considered to be a design basis accident and is too improbable to require consideration. The review also assesses a possibility of a LOOP due to turbine trip and states that the impact is minimal as the RCP coastdown likely does not occur until after minimum DNBR because of delays.
5.1.3. Design Certification: AP1000 Summary of precedent: The Chapter 15 analyses credit a nonsafety-related power supply (either from the generator or the offsite power system) to power the nonsafety- related RCP motors to continue to provide forced coolant flow following turbine trip. This assumption ensures decreasing flow conditions are not present when evaluating other initiating events for DNBR.
The justification is based on the design features of the generator and the reliability of the offsite power supply. This precedent shows that nonsafety-related power supplies and components can be credited in safety analyses, when justified to be reliable, to ensure that SAFDLs are met for AOOs. This precedent further shows that loss of power is only assumed when shown to be a consequence of the event progression (i.e., following turbine trip) and mid-event random power failures (i.e., smart failures) are not assumed. Finally, this precedent shows explicit NRC approval of the position that continued operation of nonsafety-related systems is acceptable if NuScale Nonproprietary
WP-139876-NP Revision 0 Page 8 of 14 their failure is not a consequence of the event and the probability of a random independent failure during the timeframe of the initiating event is extremely low.
Supporting documents:
ML11171A367: DCD Section 15.0.14 discusses assumptions for the loss of offsite AC power. The loss of offsite power is described as a potential consequence of the event. Random loss of power is not assumed as shown by the statement that [e]vent analyses that do not result in a possible consequential disruption of offsite ac power do not assume offsite power is lost. The DCD describes that a minimum delay of 3 seconds is assumed between turbine trip and a postulated LOOP. During this 3-second delay, credit is taken in the safety analyses for continued operation of RCPs, feedwater pumps, and the condenser. The justification for the 3-second delay is provided in DCD Section 8.2.
ML11171A478: DCD Section 8.2.2 describes how the RCPs can receive power from the main generator or the grid for a minimum of 3 seconds following a turbine trip. Neither of these power sources is safety-related. The design of the generator and the stability of the offsite power system are credited as the reasons that the RCPs will remain powered for at least 3 seconds.
Confirmation of the grid stability is included as an interface requirement for a COL applicant as described in DCD Section 8.2.5. The RCP motors are identified as nonsafety-related in DCD Table 3.2-3 (ML11171A425).
NUREG-1793 Chapter 8: The final SER for Chapter 8 accepts the 3-second time delay for continued operation and the associated COL applicant confirmation of grid stability. The SER identifies cases where the initiating event involved an electrical system failure could not rely upon the 3-second delay because the electrical system was known to be failed. The SER notes that a failure modes and effects analysis (FMEA) could be used to address whether the electrical system failures would cause a loss of RCP function. The isophase bus failure is identified as an example, but it is identified that the isophase bus has to be operational at the start of the event for the turbine to be in operation. The SER documents that a failure of a passive component, such as the isophase bus, that is known to be initially operational within a 3-second window is a very low probability event.
NUREG-1793 Chapter 15: The final SER for DCD Chapter 15 describes the continued operation of RCPs for 3 seconds following turbine trip as acceptable based on the generator design features and the COL grid stability analysis. The SER states that Chapter 15 analyses are evaluated with and without LOOP. Based on review of DCD Chapter 15, the cases with LOOP refer to the delay as a reason for DNBR not being limiting compared to the base case without LOOP. The SER also describes situations where nonsafety-related systems are assumed to be operational, including when a detectable and nonconsequential random, independent failure must occur in order to disable the system. For example, the nonsafety-related main feedwater control system is assumed to operate during analysis of events not related to feedwater system malfunction, loss of AC power, or turbine trip. The SER states that [t]he staff concludes that the assumption of MFCS continued operation is acceptable because a failure in the MFCS is not a consequence of the initiating event, and the probability of a random, independent failure occurring in the MFCS within the timeframe of the initiating event is extremely low (emphasis added).
5.1.4. Design Certification: ESBWR Summary of precedent: In evaluating the AOO of turbine trip with turbine bypass, to make its safety finding, the staff relied on the operation of two nonsafety-related systems: the steam bypass and pressure control (SB&PC) system and the turbine bypass system (TBS).
NuScale Nonproprietary
WP-139876-NP Revision 0 Page 9 of 14 Supporting documents:
ML14100A547: ESBWR DCD (Tier 2) Ch. 15, pg. 15.0-4, defines AOOs are defined as abnormal events with an event probability greater than E-2.
ML110030032: ESBWR FSER, § 15.2.2.4.1, states, After turbine actuation, the steam bypass and pressure control (SB&PC) system will initiate opening of the bypass valves in 0.02 seconds.
ML110030032: ESBWER FSER, § 15.2.2.4.3, states, [T]he fast opening of the [turbine] bypass valves is credited in the staffs conclusion that the AOO of turbine trip with turbine bypass is acceptable.
ML14100A493: ESBWR DCD (Tier 1), § 2.11.6, states, The TBS is used to mitigate Abnormal Events.
ML14100A506: ESBWR DCD at pg. 3.2-17 shows that the SB&PC system is classified as nonsafety-related.
ML14100A506: ESBWR DCD at pg. 3.2-30 shows that the TBS is classified as nonsafety-related.
5.1.5. Operating Plants: Vogtle 1 & 2 Summary of precedent: Precedents above, for new plants, are also found in currently operating plants.
Supporting document:
FSAR: Section 15.3.3 identifies that the RCP shaft seizure event only considers a LOOP after reactor trip and not at event initiation or during the event progression. In addition, the analysis assumes that power to the RCPs is not lost until 2 seconds after trip due to grid stability. The RCPs not affected by the shaft seizure are assumed to continue to provide forced flow during the event despite the fact that the nonsafety-related motors (Table 3.2.2-1) are powered by the nonsafety-related offsite power grid.
5.2. Guidance The safety classification requirement of 50.2 is premised on protecting against design basis events (DBEs).6 Because the safety-related classification requires knowing what events each system is protecting against, determining safety-related first requires determining the plants DBEs, including the initial conditions. As shown below, NRC and industry guidance support the proposition that sufficiently low event sequences need not be considered DBEs.
The initial guidance on the determination of DBEs is the foundational safety analysis basis ANS-51.1/N18.2-1973, Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plant. This guidance was developed in parallel to and in harmony with the Atomic Energy Commission (AEC) as the AEC created licensing rules and standards, including the General Design Criteria. As previously stated by the NRC staff, ANS-51.1/N18.2-1973 6
E.g., COMSECY-14-0037, Enc. 1, Integration of Mitigating Strategies for Beyond-Design-Basis External Events and the Reevaluation of Flooding Hazards (ML14328A170) (Nov 2014).
NuScale Nonproprietary
WP-139876-NP Revision 0 Page 10 of 14 constitutes a known and established standard that has been reflected in NRC guidance documents and in the licensing basis of each U.S. nuclear power plant.7 ANS-51.1/N18.2-1973 notes that an important part of safety analysis is determining the full spectra of plant conditions are identified in accordance with their anticipated frequency of occurrence and consequences.8 For each considered occurrence, the analysis must account for all variations listed in 4.1 to 4.4 below to the extent they are pertinent 4.1 Initial conditions at the time of incident or fault initiation including, but not restricted to, the effects of (5) status of power systems (for example, electrical, air, hydraulic)9 In 1983, ANSI/ANS rewrote ANS-51.1/N18.2 and developed ANSI-ANS-51.1-1983. The NRC staff gives ANS-51.1-1983 credence and acknowledges licensees wide use of the standard.10 The 1983 version further supports NuScales approach. For nonsafety-related equipment, a failure would be a coincident occurrence. The standard expressly allows a probabilistic approach:
7 Holahan, et al., Report of the Backfit Appeal Review Panel Chartered by the Executive Director for Operations to Evaluate the June 2016 Exelon Backfit Appeal, at page 18 (ML16236A208) (August 2016) 8 ANS-51.1/N18.2-1973, Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plant, at § 2.1.
9 Id. at §§ 4, 4.1 (emphasis added).
10 e.g., NUREG-0800, Chapter 15.0, at page 15.0-2 (ML070710376) (2007) (describing ANS-51.1-1983 as commonly used, oft-cited but unofficial); NRC Regulatory Issue Summary 2005-29, Anticipated Transients That Could Develop Into More Serious Events, (noting that Many licensees have incorporated ANS 51.1, and referencing, with approval, ANS-51.1-1983s non-escalation criterion)
(Dec. 2005); cf. AP-1000s Design Control Document, Chapter 15.0 at §§ 15.0.1, 15.0.16 (citing the 1973 version) (ML11171A367) (2011).
NuScale Nonproprietary
WP-139876-NP Revision 0 Page 11 of 14 The risk-informed principles of ANS-51.1 continue in more recent standards:
ANSI-ANS-58.14-2011,11 § 4.5.2, (low probability events considered not credible)
ANSI-ANS-30.3-2022, § 5.2.1.1 (same)
NEI 18-04,12 at the safety classification flowchart on page 32 (results in a smart failure of EDAS being, at most, a beyond design basis event (BDBE))
In addition to industry guidance, there is NRC guidance to the effect that unlikely smart failures need not be considered.
In NUREG-0933, Section 3, Issue 17, a smart failure of offsite power following a loss of coolant accident (LOCA) would not be considered and analysis of that sequence would be placed in the DROP category. The DROP category is the category for events with a CDF of < 1E-7.13 In NUREG-0138, Issue 4, a loss of offsite power (LOOP) at a certain time after a loss of coolant accident (LOCA) should not be considered in the design basis analyses due to the sufficiently low probability of 2E-8/yr.
In NUREG-0933 Section 3, Issue 171, a postulated LOCA causes a LOOP, followed by an independent failure of the transmission of emergency diesel generator power.
Previously this sequence had been assigned a high priority ranking. However, after considering the low probability of occurrence and consequence ( CDF on the order of E-6), the NRC resolved the issue with no new requirements.
For the US460 design, NuScale has demonstrated that EDAS failure is not a consequence of the AOO initiating event. Thus, NuScales approach of considering the status of EDAS (available vs. unavailable) as an initial condition (rather than a smart failure) is consistent with these NUREGs14 and fifty years of standards and guidance.15 5.3. Standard Review Plan The Standard Review Plan expressly considers the frequencies of event sequences in determining AOO acceptance criteria.
11 The ANS/ANSI-58.14-2011 standard is cited extensively in DG-1371(ML20168A883). DG-1371 qualifies its reliance on the standard, but none of the qualifications affect this analysis.
12 Risk-Informed Performance-Based Technology Inclusive Guidance for Non-Light Water Reactor Licensing Basis Development, NEI 18-04 (rev 1) at 6 (ML19241A472) (Aug. 2019). NRC endorsed NEI 18-04 in RG 1.233 at 13 (ML20091L698) (June 2020), with clarifications not affecting this analysis. NEI 18-04 is technology-neutral, and while the title says non-LWR, nothing in the body of NEI 18-04 nor its endorsing document, RG 1.233, would make its use inconsistent with LWRs. At a minimum, it confirms the principle of risk-informing accident sequences.
13 NUREG-0933, Appendix G.
14 An additional example of a smart failure not being considered is shown in § 5.1.1 of this response.
15 At a January 2023 pre-application meeting, the staff dismissed the industry guidance documents as not approved. NuScale believes that reasoning is insufficient to ignore ANS-51.1/N18.2-1973, its progeny, fifty years of industry reliance, and de facto NRC acceptance.
NuScale Nonproprietary
WP-139876-NP Revision 0 Page 12 of 14
[T]he design of the plant should be such that all the AOOs and postulated accidents produce about the same level of risk (i.e., the risk is approximately constant across the spectrum of AOOs and postulated accidents). This is reflected in the general design criteria (GDC), which generally prohibit relatively frequent events (AOOs) from resulting in serious consequences, but allow the relatively rare events (postulated accidents) to produce more severe consequences.16 In addition, the Standard Review Plan expressly allows an applicant to consider operation of nonsafety-related systems.
The reviewer may consider the licensees technical justifications for the operation of nonsafety-related systems or components (e.g., when they are used as backup protection and when they are not disabled, except by a detectable, random, and independent failure).17 NuScale demonstrates that EDAS is not disabled except by a detectable, random, and independent failure. Therefore, performance of safety analyses with continued operation of EDAS is consistent with the Standard Review Plan.
5.4. Harmonizing 50.2 with precedents, guidance, and the Standard Review Plan The safety-related definition of 10 CFR 50.2 encompasses SSCs relied upon to remain functional during and following design basis events.
5.4.1. relied upon to remain functional during and following The staff contends that any SSC whose failure during an event would challenge a safety-related function must be a safety-related SSC. Under this reading, smart failures of nonsafety-related SSCs must be postulated and analyzed to prove that the SSC is not relied upon. This hyper-literal interpretation of the safety-related definition cannot be squared with industry precedents and NRC guidance detailed above: the AP1000s reactor coolant pumps and main feedwater control system, for example, would have to be safety-related because their smart failure could violate acceptance criteria for some design basis events; a nonsafety-related SSC that is not disabled except by a detectable, random, and independent failure could not be assumed to remain in operation as allowed by SRP 15.0.
However, properly interpreted in the context of the safety-related definitions purpose and intent, the definition can readily be reconciled with precedent and guidance. The safety-related definition was not intended to encompass every SSC whose non-mechanistic failure could exacerbate a design-basis event. It was intended as a functional definition to assure SSCs that were provided for the purpose of performing the three safety-related functions were designed to withstand the design basis earthquake (and, later, that they met stringent quality assurance requirements, environmental qualification, etc.).
16 NUREG-0800 at 15.0(I)(2).
17 Id. at 15.0(I)(6)(B).
NuScale Nonproprietary
WP-139876-NP Revision 0 Page 13 of 14 In other words, there is a distinction between a system that provides a mitigative function during an accident, and a system whose failure would merely make the event conditions more challenging.
This distinction is evident in the industry precedents (section 5.1, above). For example, the AP1000s reactor coolant pumps are not intended to mitigate the events for which they are credited, but if they were to lose power at an unfavorable time during an unrelated event, the event could not be mitigated successfully with the systems and components intended for that purpose.
This distinction is also evident in SRP 15.0 (section 5.3, above). A nonsafety systems operation can be considered where it is only subject to a non-mechanistic and detectable failure because that system is not provided for the purpose of meeting a safety-related function; its failure would merely exacerbate plant conditions.
Importantly, that distinction underpins the scope of 10 CFR 50.49, which extends environmental qualification requirements beyond safety-related equipment to include Nonsafety-related electric equipment whose failure under postulated environmental conditions could prevent safety-related equipment from performing safety-related functions. Under the staffs new, strict interpretation of safety-related, this latter category of equipment is rendered meaningless.
Appendix B to Regulatory Guide 1.89 illustrates, however, that certain SSCs that are not designed to perform safety-related functions can hinder their adequate performance, and thus require augmented quality, but not a safety-related classification. Indeed, that same appendix notes that in some cases such equipment has been classified as safety-related, but in other cases it has not; the safety-related definition is not rigidly applied.
NuScale grants that EDAS would be safety-related if it were required to mitigate certain design-basis events. But it is not. Chapter 15 analyses of events with EDAS unavailable prove as much. Those analyses demonstrate that EDAS is not relied upon in the sense intended in the safety-related definition. EDAS is not intended to perform any safety-related function; it exists to maintain plant conditions during normal operations. The failure of EDAS is appropriately considered as an initiating event. During unrelated initiating events, if EDAS is available at the start of the transient, then its non-mechanistic, very unlikely failure within a short time frame would exacerbate plant conditions, but EDAS itself is not performing any safety-related function.
Therefore, it is not relied upon to remain functional during a design-basis event.
5.4.2. design-basis event.
By applying 50.2s safety-related definition to the E-8 scenario, the staff is assuming that the E-8 event sequence is a design-basis event.
However, the industry precedents (section 5.1) and the guidance (section 5.2) categorize events of low probability as beyond (i.e., not) design basis. For this additional reason, the staffs new, strict interpretation of 50.2 is incorrect.
NuScale Nonproprietary
WP-139876-NP Revision 0 Page 14 of 14
- 6. Even if the E-8 scenario occurred, the consequences are not significant.
In the unlikely event of an EDAS smart failure during certain AOOs, analyses show that the CHFR remains above the MCHFR limit for the majority of conditions present during the event progression. ((2(a),(c) , well below the peak clad temperature limit of 2200 degrees F for 10 CFR 50.46, preserving a coolable geometry. Containment pressure is not challenged and onsite and offsite dose limits are not exceeded. Therefore, safe shutdown under the 10 CFR 50.2 definition is achieved even when considering the EDAS smart failure.18
- 7. Conclusion The staffs approach to EDAS classification is not risk-informed. In addition, treating augmented, nonsafety-related systems the same as non-augmented systems disincentives applicants from improving safety.
NuScales approach is risk-informed. It is appropriate under SRM-SECY-19-0036 and when the text of 50.2s definition of safety-related is harmonized with precedent, guidance, and the Standard Review Plan. 18 NuScale Power, LLC, Treatment of DC Power in Safety Analyses, TR-102621-P (submitted Dec 2022). NuScale Nonproprietary
LO-139918 : Affidavit of Mark W. Shaver AF-140414 NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360.0500 Fax 541.207.3928 www.nuscalepower.com
NuScale Power, LLC AFFIDAVIT of Mark W. Shaver I, Mark W. Shaver, state as follows: (1) I am the Acting Director of Regulatory Affairs of NuScale Power, LLC (NuScale), and as such, I have been specifically delegated the function of reviewing the information described in this Affidavit that NuScale seeks to have withheld from public disclosure, and am authorized to apply for its withholding on behalf of NuScale (2) I am knowledgeable of the criteria and procedures used by NuScale in designating information as a trade secret, privileged, or as confidential commercial or financial information. This request to withhold information from public disclosure is driven by one or more of the following: (a) The information requested to be withheld reveals distinguishing aspects of a process (or component, structure, tool, method, etc.) whose use by NuScale competitors, without a license from NuScale, would constitute a competitive economic disadvantage to NuScale. (b) The information requested to be withheld consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), and the application of the data secures a competitive economic advantage, as described more fully in paragraph 3 of this Affidavit. (c) Use by a competitor of the information requested to be withheld would reduce the competitors expenditure of resources, or improve its competitive position, in the design, manufacture, shipment, installation, assurance of quality, or licensing of a similar product. (d) The information requested to be withheld reveals cost or price information, production capabilities, budget levels, or commercial strategies of NuScale. (e) The information requested to be withheld consists of patentable ideas. (3) Public disclosure of the information sought to be withheld is likely to cause substantial harm to NuScales competitive position and foreclose or reduce the availability of profit-making opportunities. The accompanying response reveals distinguishing aspects about the method by which NuScale develops its Augmented DC Power System (EDAS). NuScale has performed significant research and evaluation to develop a basis for this method and has invested significant resources, including the expenditure of a considerable sum of money. The precise financial value of the information is difficult to quantify, but it is a key element of the design basis for a NuScale plant and, therefore, has substantial value to NuScale. If the information were disclosed to the public, NuScale's competitors would have access to the information without purchasing the right to use it or having been required to undertake a similar expenditure of resources. Such disclosure would constitute a misappropriation of NuScale's intellectual property, and would deprive NuScale of the opportunity to exercise its competitive advantage to seek an adequate return on its investment. (4) The information sought to be withheld is in the enclosed response entitled EDAS Supplemental White Paper. The enclosure contains the designation Proprietary" at the bottom of each page containing proprietary information. The information considered by NuScale to be proprietary is identified within double braces, "(( }}" in the document. (5) The basis for proposing that the information be withheld is that NuScale treats the information as a trade secret, privileged, or as confidential commercial or financial information. NuScale relies upon the exemption from disclosure set forth in the Freedom of Information Act ("FOIA"), 5 USC § AF-140414 Page 1 of 2
552(b)(4), as well as exemptions applicable to the NRC under 10 CFR §§ 2.390(a)(4) and 9.17(a)(4). (6) Pursuant to the provisions set forth in 10 CFR § 2.390(b)(4), the following is provided for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld: (a) The information sought to be withheld is owned and has been held in confidence by NuScale. (b) The information is of a sort customarily held in confidence by NuScale and, to the best of my knowledge and belief, consistently has been held in confidence by NuScale. The procedure for approval of external release of such information typically requires review by the staff manager, project manager, chief technology officer or other equivalent authority, or the manager of the cognizant marketing function (or his delegate), for technical content, competitive effect, and determination of the accuracy of the proprietary designation. Disclosures outside NuScale are limited to regulatory bodies, customers and potential customers and their agents, suppliers, licensees, and others with a legitimate need for the information, and then only in accordance with appropriate regulatory provisions or contractual agreements to maintain confidentiality. (c) The information is being transmitted to and received by the NRC in confidence. (d) No public disclosure of the information has been made, and it is not available in public sources. All disclosures to third parties, including any required transmittals to NRC, have been made, or must be made, pursuant to regulatory provisions or contractual agreements that provide for maintenance of the information in confidence. (e) Public disclosure of the information is likely to cause substantial harm to the competitive position of NuScale, taking into account the value of the information to NuScale, the amount of effort and money expended by NuScale in developing the information, and the difficulty others would have in acquiring or duplicating the information. The information sought to be withheld is part of NuScale's technology that provides NuScale with a competitive advantage over other firms in the industry. NuScale has invested significant human and financial capital in developing this technology and NuScale believes it would be difficult for others to duplicate the technology without access to the information sought to be withheld. I declare under penalty of perjury that the foregoing is true and correct. Executed on 5/12/2023. Mark W. Shaver AF-140414 Page 2 of 2}}