ML23304A521

LLC Response to NRCs Request for Docketing of Resolved Audit Responses, Chapter 19, Section 19.1-40, Information Related to FSAR Section 19.1, Probabilistic Risk Assessment
Site: 05200050
Issue date: 10/31/2023
From: NuScale
To: Office of Nuclear Reactor Regulation
Shared Package: ML23306A049
References: LO-152560


Text

NuScale Nonproprietary

Response to SDAA Audit Question

Question Number: A-19.1-40
Receipt Date: 09/04/2023

Question:

In FSAR Section 19.1.5.1.1 (Page 19.1-42), the applicant states that "[t]he plant-level HCLPF ground motion capacity must be 167 percent of the RE used for design, or the review level earthquake (RLE)." However, SRM-SECY-93-087, Section II.N states that the Commission approves the use of 1.67 times the Design Basis SSE for a margin-type assessment of seismic events. Although the NuScale SDAA uses the CSDRS as the reference earthquake (RE) and the RE in this case coincides with the SSE, the terms RE or RLE are generally defined as having a different meaning than the SSE and therefore the quoted statement above may not accurately convey the intent of the Commission direction and NuScale's ability to meet it.

Please review the adequacy of the quoted statement and, if needed, provide an FSAR markup revising the quoted statement to be consistent with the referenced Commission direction.

Response

The reference earthquake used as the seismic input to the US460 PRA-based SMA is the safe shutdown earthquake. The ground motion response of the safe shutdown earthquake is the certified seismic design response spectra (CSDRS). Therefore, to meet the Commission's direction in SRM-SECY-93-087, the plant-level high confidence of low probability of failure (HCLPF) capacity must be at least 167 percent of the CSDRS peak ground acceleration (PGA).

NuScale has changed the wording in FSAR Section 19.1 to clarify that the design conforms with NUREG-0800, Section 19.0, Acceptance Criterion 37: The staff will determine whether the design-specific plant-level HCLPF value has been demonstrated to be equal to or greater than 1.67 times the CSDRS PGA.

Markups of the affected changes, as described in the response, are provided below:

NuScale Final Safety Analysis Report Probabilistic Risk Assessment NuScale US460 SDAA 19.1-42 Draft Revision 2

19.1.5.1 Seismic Risk Evaluation

Evaluation of the risk due to seismic events is performed using a seismic margins assessment (SMA) to determine the plant-level high confidence of low probability of failure (HCLPF) ground motion capacity. A PRA-based SMA provides information related to the dominant contributors to seismic risk by determining plant responses from different ground motion demands, i.e., a range of reference earthquakes (REs). Because the plant lacks a reliance on electrical power, added water, or operator actions, the design is less susceptible to low capacity accident progressions (i.e., those from small ground motions) than typical operating nuclear power plants. Consequently, seismically-induced major structural failures associated with higher ground motions, which are typically a minor contributor to the seismic risk for operating plants, represent a significant risk contributor for the NuScale design. A PRA-based SMA is developed to confirm that plant responses initiated from large ground motions are accounted for.

The SMA for the NPM is performed in accordance with NRC guidance from Section 19.0 of NUREG-0800, Revision 3 and the applicable SMA guidance in Part 5 of ASME/ANS RA-Sa-2009 as endorsed by Regulatory Guide 1.200.

19.1.5.1.1 Description of the Seismic Risk Evaluation

Audit Issue A-19.1-40

The primary goal of an SMA is to identify the SSC that contribute to seismic risk. The SSC identification is done by evaluating SSC risk contributors and determining the plant-level HCLPF ground motion capacity. The reference earthquake used as the seismic input to the PRA-based SMA is the safe shutdown earthquake. The ground motion response of the safe shutdown earthquake is the certified seismic design response spectra (CSDRS). The plant-level HCLPF ground motion capacity must be 167 percent of the CSDRS peak ground acceleration (PGA), which is 0.5g. Thus the plant-level HCLPF ground motion capacity requirement is 0.84g PGA (i.e., 1.67 × 0.5g).

There are two main tasks associated with performing an SMA: seismic fragility analysis (structures and components), and seismic plant response analysis (accident sequence analysis and plant level response).

19.1.5.1.1.1 Seismic Analysis Methodology and Approach

A seismic fragility analysis is completed as part of an SMA. Fragility describes the probability of failure of a component under specific capacity and demand parameters and their uncertainties. All SSC modeled in the internal events PRA are included in fragility analysis, with the exception of basic events that are not subject to seismically-induced failure (e.g., phenomenological events, filters, control logic components). No pre-screening is performed to establish a seismic equipment list (SEL) or safe shutdown equipment list (SSEL). SSC that contribute to the seismic

NuScale Final Safety Analysis Report Probabilistic Risk Assessment NuScale US460 SDAA 19.1-47 Draft Revision 2

By using conservatively applied NuScale-specific seismic demands derived from RXB and NPM ISRS, and generic spectral acceleration capacities developed from EPRI 3002000507 (Reference 19.1-25) and NUREG/CR-2680 (1983).

The first modeling approach is used for SSC that contribute to the seismic margin, such as components located on top of or inside the NPM (e.g., containment isolation valves, ECCS valves, ECCS trip solenoid valves, reactor safety valves).

The second modeling approach is used for components located outside the NPM (e.g., diesel generators), or components that, if failed, would not directly affect safe shutdown. This approach allows for the use of design-specific ISRS data and generic spectral acceleration capacities to determine the component fragilities.

Components sharing common type, location, and elevation within a building are similarly impacted by earthquakes. Components sharing seismically relevant characteristics are grouped based on these similarities. Seismic failures are assigned to groups and are modeled as basic events within the SMA model. For the purposes of seismic grouping, components of the same type in the same building (or general area) with the same elevation class are considered 100 percent correlated. Seismic groupings are independent of each other.

Fragilities and High Confidence of Low Probability of Failure

The seismically induced failure probability of a component (fragility) is a function of its median capacity, median capacity uncertainty, and fragility randomness.

Separation of variables fragility analysis is performed on SSC that contribute to the seismic margin and SSC for which the NuScale Power Plant US460 standard design is different from operating plants. These SSC are structures or components inside the NPM. Generic capacities and NuScale-specific response factors are used for components either located outside the module or components that do not show a substantial impact on the plant risk profile.

Audit Issue A-19.1-40

For generic capacity fragility calculations, a spectral acceleration capacity is used. This capacity describes the spectral acceleration level (in g) where a component is expected to fail at a 50 percent probability. To convert this value to a PGA-grounded capacity, the nominal value is divided by a conservatively applied seismic demand derived from RXB or NPM ISRS, and multiplied by the RE PGA of the CSDRS (0.5g).

Conservative seismic demands are determined according to whether a component may be considered rigid (e.g., valves). If an SSC is rigid, indicating a high natural frequency, seismic demands are applied using a zero period acceleration. If an SSC is not rigid, the peak acceleration of the ISRS is used. For SSC located in the RXB, an enveloped floor ISRS for all locations on an elevation is used to describe the SSC seismic demand. For SSC that are located on or near the NPM but do not contribute to the seismic margin (e.g., DHRS heat exchangers), broadened ISRS is used at the equipment anchorage location.

Audit Issue A-19.1-40

Each SSC fragility is calculated based on floor responses. Consequently, each fragility is multiplied by the PGA of the CSDRS (0.5g) to anchor the median capacity to the seismic input defined for design (i.e., the CSDRS). Each component fragility is then determined as a function of design loads, placement, and site response.

The HCLPF is then defined as the acceleration level where there is a 95 percent confidence of less than 5 percent failure probability. The HCLPF can also be approximated as the acceleration with a one percent probability of failure on the mean fragility curve.

Results of the fragility calculation for the NPM supports are shown in Table 19.1-32.

19.1.5.1.1.2 Systems and Accident Sequence Analysis

Plant response analysis maps the consequences of seismic initiators combined with seismic and random failures. This analysis produces event trees with seismically induced initiating events, component and structural events, and non-seismic unavailability.

The SAPHIRE computer code is used for quantification of the logic models utilized in the NuScale SMA.

Seismically-Induced Initiators

Plant response after a seismic event is mapped using seismically-induced initiating events, as illustrated in Figure 19.1-14. These events are modeled using similar logic to corresponding random internal events PRA initiating events. Plant response is modeled only for earthquakes with a non-negligible probability of causing a reactor trip.

The seismic hazard for the NuScale design SMA is partitioned into fourteen seismic event trees. The underlying logic for each event tree is identical; however, each event tree represents a different ground motion acceleration (each seismic event tree represents a portion of the ground motion range from 0.0525g to 4.0g). In the SMA, the use of multiple ground motions provides insights into the relative contributions of both seismic and random failures at different ground motions. Figure 19.1-14 is a representative seismic event tree, corresponding to a range of peak

NuScale Final Safety Analysis Report Probabilistic Risk Assessment NuScale US460 SDAA 19.1-51 Draft Revision 2

2. Structural failure and falling

Falling and interaction hazards between structures or partitions and SSC housed in utility and gallery areas are negligible contributors to seismic risk. Due to the passive and fail-safe design of the NPM, SSC located in these areas are not relied on for safe shutdown, particularly at ground motion levels capable of damaging surrounding structures and SSC anchorages. Off-site and on-site sources of AC power are fragile in comparison, thus, SSC failed due to interaction hazards are unavailable at ground motion levels capable of compromising substructures and partitions.

The potential for failure and falling interactions between surviving seismically qualified SSC and seismically failed SSC is limited by the nature of the NuScale design. The NPM is physically protected by the pool water, pool walls, bay walls, and, during power operation, the bioshield. Seismically-induced damage to the bay walls and bioshield is modeled in the SMA; the SMA demonstrates that these structures have higher HCLPF values than potential components that could fail because of a seismic event. Thus, these structures would provide a physical barrier between potentially failed components and the NPM.

When the bioshield is removed from an operating bay before NPM transport for refueling, piping penetrations atop the CNV, as well as the DHRS piping and heat exchangers on the side of the NPM, could be impacted by a falling or swinging object. However, the module is shut down and flooded before its bioshield is removed. In this configuration, safe shutdown is maintained by conduction from the RPV through to the CNV and reactor pool.

3. Flexibility of attached lines and cables

Seismically-induced pipe breaks outside containment are modeled in the SMA and encompass the effects of pipe leaks caused by stresses induced by structural displacements or failing objects.

The NPM is not precluded from achieving safe shutdown as a result of a loss of electrical power or signaling logic. As such, the SMA model does not credit systems requiring electrical power at ground motion levels sufficient to cause both loss of offsite power and failure of backup power sources.

19.1.5.1.2 Results from the Seismic Risk Evaluation

Seismic risk is evaluated in terms of a plant-level HCLPF g-value and a review of SMA accident sequence cutsets for risk insights.

Audit Issue A-19.1-40

The plant-level HCLPF is determined by examining the cutset results from the fourteen seismic event trees. Cutsets are reviewed to screen those that are not relevant to the determination of the plant-level HCLPF. Per the MIN-MAX screening, cutsets are screened out if the combined probability of random failures is less than one percent. This approach is appropriate because the conditional probability of failure corresponding to the HCLPF (i.e., given an earthquake ground motion equal to the plant-level HCLPF) is required to be greater than or equal to one percent (using the mean fragility curve).

Therefore, even if all seismically induced failure probabilities of a particular cutset were 100 percent, the probability of core damage from non-seismic random failures must be greater than or equal to one percent for the cutset to be a relevant contributor to the HCLPF calculation. If the combined random failure probability of the cutset is below one percent, the cutset would not be a relevant contributor to the HCLPF calculation. The MIN-MAX method is then applied to the remaining cutsets to determine the SSC with the limiting HCLPF for each cutset. The limiting SSC identified for each cutset contributes to the seismic margin. Of the seismic margin contributors, the SSC with the smallest HCLPF value provides the plant-level HCLPF. To demonstrate acceptably low seismic risk at the standard design stage, as indicated by Section 19.0 of NUREG-0800, Revision 3, the resultant plant-level HCLPF must be greater than or equal to 0.84 g, which is the plant-level HCLPF requirement of 1.67 times the PGA of the CSDRS.
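The fragility and screening steps described above (PGA-anchored median capacity, HCLPF at the one percent point of the mean fragility curve, random-failure screening, then MIN-MAX) worked through in Python as an added example; it is not NuScale's model or SAPHIRE input. The lognormal fragility form, the MAX-within-cutset and MIN-across-cutsets convention, and every component name and number other than 0.5 g, 0.84 g and the one percent screen are assumptions constructed for illustration.

```python
# Added illustration, not NuScale's model: every component name and number
# below is constructed except the three constants taken from the page.
from dataclasses import dataclass
from math import exp, log, prod, sqrt
from statistics import NormalDist

CSDRS_PGA_G = 0.5        # page: PGA of the CSDRS
REQUIRED_HCLPF_G = 0.84  # page: 1.67 x 0.5 g, stated as 0.84 g
RANDOM_SCREEN = 0.01     # page: cutsets below one percent random failure are screened
Z_01 = NormalDist().inv_cdf(0.01)  # about -2.326, the one percent point


def pga_anchored_median(spectral_capacity_g, floor_demand_g):
    """Generic spectral capacity divided by ISRS demand, times the CSDRS PGA."""
    return spectral_capacity_g / floor_demand_g * CSDRS_PGA_G


@dataclass(frozen=True)
class Fragility:
    median_g: float  # PGA-anchored median capacity
    beta_r: float    # fragility randomness (log standard deviation), assumed model
    beta_u: float    # median capacity uncertainty (log standard deviation), assumed

    @property
    def beta_c(self):
        return sqrt(self.beta_r ** 2 + self.beta_u ** 2)

    def p_fail(self, pga_g):
        """Failure probability on the mean (composite) lognormal fragility curve."""
        return NormalDist().cdf(log(pga_g / self.median_g) / self.beta_c)

    def hclpf(self):
        """Acceleration with one percent failure probability on the mean curve."""
        return self.median_g * exp(Z_01 * self.beta_c)


@dataclass(frozen=True)
class Cutset:
    name: str
    seismic: tuple  # names of seismically failed SSC
    random: tuple   # probabilities of non-seismic random failures


def plant_hclpf(cutsets, fragilities):
    """Screen on random failure probability, then apply MIN-MAX.

    Returns (plant HCLPF in g, limiting SSC name, names of screened cutsets).
    """
    screened, contributors = [], []
    for cs in cutsets:
        if not cs.seismic:
            continue  # purely random cutset: no ground-motion capacity to rank
        if prod(cs.random) < RANDOM_SCREEN:  # prod(()) == 1: no random failures
            screened.append(cs.name)
            continue
        # MAX: every seismic event in the cutset must fail, so the SSC with the
        # highest HCLPF limits the cutset.
        limiting = max(cs.seismic, key=lambda n: fragilities[n].hclpf())
        contributors.append((fragilities[limiting].hclpf(), limiting))
    # MIN: any one cutset suffices, so the weakest contributor sets the plant level.
    value, name = min(contributors)
    return value, name, screened


# Constructed sample inputs (hypothetical SSC names and capacities).
FRAGILITIES = {
    "crane_support": Fragility(2.4, 0.24, 0.32),
    "valve_group": Fragility(pga_anchored_median(6.0, 1.5), 0.30, 0.40),
    "bay_wall": Fragility(3.0, 0.24, 0.32),
}
CUTSETS = [
    Cutset("structural", ("crane_support",), ()),
    Cutset("valve_plus_random", ("valve_group",), (1e-3, 0.5)),
    Cutset("valve_and_wall", ("valve_group", "bay_wall"), (0.05,)),
]

if __name__ == "__main__":
    value, name, screened = plant_hclpf(CUTSETS, FRAGILITIES)
    print(f"plant-level HCLPF {value:.2f} g, limited by {name}")
    print("screened out:", screened)
    print("meets 0.84 g requirement:", value >= REQUIRED_HCLPF_G)
```

In the constructed data the valve group alone has the lowest HCLPF, but its only single-SSC cutset carries a combined random failure probability below one percent and is screened, so the structural event sets the plant-level value.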

Each cutset generated from the seismic event trees is reviewed for seismic risk insights. Differing from the determination of the plant-level HCLPF, no probability-based screening is performed during the review process; all cutsets are considered for potential risk insights.

Plant Level High Confidence of Low Probability of Failure

Implementation of the screening process described above results in a plant-level HCLPF for the NuScale design of 0.92 g. Structural events are the leading contributor to the seismic margin because of their immediate consequences and relatively low PGA-grounded median capacities as compared to component failures. Table 19.1-32 summarizes the fragility analysis for each of the structural events. The SMA assumes that failure of major structures leads to sufficient damage to the modules such that core damage and a large release would result.

Significant Sequences

This section provides brief descriptions of the significant contributors to risk as determined by a review of SMA accident sequence cutsets.

Structural events are by far the leading contributor to the seismic margin. The bounding structural event is failure of the RBC support weld connection between the stiffener top plate and the steel-plate composite wall, which is modeled to lead directly to RBC collapse, core damage, and large release.

A single SMA sequence contains all structural events and represents a significant percentage of the large release conditional failure probability after a HCLPF-level earthquake. In accordance with the MIN-MAX method, the

NuScale Final Safety Analysis Report Probabilistic Risk Assessment NuScale US460 SDAA 19.1-55 Draft Revision 2

Sensitivity Studies

No sensitivities are performed for the SMA.

Key Insights

Audit Issue A-19.1-40

The SMA shows that the current design meets the regulatory HCLPF requirement of 1.67 times the PGA of the CSDRS (i.e., 0.84 g). A structural failure sequence involving collapse of the RBC due to RBC support failure is the most important contributor to the seismic margin. Other sequences include one or more random failures after the seismic event.

These failures occur among the same general components and sequences that lead to core damage in the internal events PRA. An examination of operating nuclear power plant data shows that the seismic survivability of the NuScale design is high because of the low core damage contribution from losses of offsite power. The only dominant cutsets contain structural events leading directly to core damage and large release. Other seismically-induced initiating events require multiple seismic or common-cause random failures for core damage. This seismic risk characteristic is largely a consequence of the low degree of reliance on electrical power for achieving safe shutdown. The passive actuation features of safe shutdown functions also imply a low degree of reliance on operator intervention to mitigate a severe accident.

19.1.5.2 Internal Fires Risk Evaluation

An internal fire probabilistic risk assessment (FPRA) for at-power operations has been performed for a single NPM.

19.1.5.2.1 Description of Internal Fire Risk Evaluation

The internal fire risk evaluation addresses the potential fire events that may originate within the plant boundary and that affect a single module. The FPRA is based on the Level 1 internal events PRA model, which is supplemented by fire-specific failure modes. The internal fire PRA is developed in accordance with Part 4 of ASME/ANS RA-Sa-2009 (Reference 19.1-2), with consideration of the review clarifications provided in DC/COL-ISG-028, and the internal FPRA applies the methodology provided in NUREG/CR-6850 (September 2005); the methodology consists of multiple interrelated tasks.

Task 1: Global Boundary and Partitioning

The initial activity associated with partitioning of the module fire areas is establishing the "global" boundary of a module. The intent of this activity is to identify locations that could contribute to the fire risk. Consistent with NUREG/CR-6850, this task is based on the locations of SSC that are associated with normal or emergency reactor operating or support systems as specified in the site plan. Fire "compartments" are defined to represent areas of fire damage potential and are mapped to plant fire areas that have been

NuScale Final Safety Analysis Report Probabilistic Risk Assessment NuScale US460 SDAA 19.1-125 Draft Revision 2

Audit Issue A-19.1-19, Audit Issue A-19.1-25, Audit Issue A-19.1-40

Table 19.1-21: Key Assumptions for the Probabilistic Risk Assessment

FULL POWER, INTERNAL EVENTS

Accident Sequence

If makeup inventory is needed, operators are assumed to initially align CVCS for coolant addition through the pressurizer spray line. If the RPV water level continues decreasing and operators observe increasing core temperatures, operators are assumed to realign CVCS coolant addition through the injection line.

Success Criteria

Procedures are assumed to direct operators to preserve the key safety function to remove fuel assembly heat even in cases where they would need to breach the containment boundary (e.g., operators would open the CVCS CIVs to inject makeup following incomplete ECCS actuation).

In the absence of an effective heat removal mechanism during a nominally intact reactor coolant pressure boundary scenario (that is, DHRS fails and RSVs fail to open), the RPV is expected to develop a leak (e.g., pressurizer heater access port bolted flange), and core damage is assumed.

Systems Analysis

Equipment is assumed to be operable without HVAC to support the PRA function. The small size of the equipment together with the slower progression of events provide sufficient time for any mitigating actions that might be needed.

Valve alignment for mitigating systems is assumed to include the capability to open following a loss of support systems (e.g., loss of instrument air) and accessibility for local access.

Shared systems (e.g., CFDS, DWS), are assumed to be available to support accident mitigation.

Failures are assumed to be as-is; failure constitutes the lack of signal generation, transmission, or interpretation through MPS equipment to the end-device.

Human Reliability Analysis

Maintenance on multiple system trains is assumed to be performed on a staggered basis; a maintenance error in the first train is assumed to be discovered before an error in the second train could occur.

For scenarios in which operators unisolate containment to initiate injection, but fail to prevent core damage, they are assumed to restore containment isolation.

Post-initiator human actions that include use of the O-1 override are assumed to require operators to open the reactor trip breakers or wait until the high pressurizer level signal is no longer present, if needed.

Operators are assumed to control CVCS flow to provide necessary inventory for cooling; makeup actions are intended to maintain pressurizer level in the normal operating band.

Data Analysis

Passive safety system reliability of the DHRS and ECCS natural circulation heat transfer mechanisms are representative of the as-built, as-operated module.

Component failure rates, based on design-specific analyses, are representative of the as-built module. Examples include fails to operate for the ECCS hydraulic-operated valve and equipment interface module.

FULL POWER, EXTERNAL EVENTS

Internal Flooding PRA

Flooding frequencies are assumed based on generic data for turbine and auxiliary buildings, including human-induced mechanisms. This is likely conservative since the NuScale design has fewer systems (hence fewer potential sources of internal flooding).

An internal flood does not result in an RSV demand if RTS and DHRS are successful.

Internal Fire PRA

Redundant divisions of safe shutdown equipment and cabling are assumed to be appropriately separated to assure at least one safe shutdown train is available following a fire.

Fire barriers are assumed between fire compartments and provide a fire resistance rating of 3 hours.

Seismic Margin Assessment

Generic spectral acceleration capacities for general component types (e.g., valves, heat exchangers, circuit breakers) are assumed applicable to components used in the NuScale design.

Generic fragilities are assumed applicable to components in the NuScale design.

The RXB is assumed to meet the seismic margin requirements of 167% of the PGA of the CSDRS for site-specific and soil-dependent seismic hazards (e.g., sliding, overturning, slope failure [instability], liquefaction). This is a design expectation.

Seismically-induced damage to reactor internals (e.g., fuel assembly, core supports, riser structure) such that the core may not be cooled is assumed to be not credible. This is a design expectation.

High Winds PRA

Although the plant is expected to use forecasting tools, a high winds event is assumed to result in a loss of offsite power with safety system actuation on low AC voltage (i.e., RTS, DHRS, and isolation of CIVs).

A tornado strike hazard is determined from methods described in NUREG/CR-4461.

A hurricane strike hazard is determined from U.S. LWR operating experience.

Seismic Category I structures and equipment in Seismic Category I structures are not susceptible to damage from high winds events.

External Flooding PRA

An external flood that exceeds the design basis flood level is assumed to have a recurrence interval of 500 years; external flooding frequency is 2E-3/yr.

Although the plant is expected to use forecasting tools, 90 percent of external floods are assumed to include significant warning time for operators to perform a controlled shutdown; the remaining 10 percent are assumed to result in a loss of offsite power with safety system actuation on low AC voltage (i.e., RTS, DHRS, and isolation of CIVs). Controlled shutdowns are assumed to result in negligible risk, and are not evaluated. Most natural flooding occurs as a result of excessive precipitation, which is relatively slow developing.

LOW POWER and SHUTDOWN (Note 1)

The mean probability that a dropped NPM fails to remain upright is 0.5, and uncertainty is characterized with a uniform distribution.

MULTIPLE MODULE EVALUATION

Accident timing for multiple modules is not considered; that is, multiple module failures are assumed to occur within the same 72-hour mission time as the single module event.

Operator actions for inventory makeup from the CVCS and CFDS occur sequentially rather than simultaneously.

Site-wide events are assumed to affect all modules equally.

Calculated risk metrics apply to a multiple module event, irrespective of the number of installed modules; that is, all modules are assumed to be affected because of an initiating event.

SEVERE ACCIDENT MODELING (Level 2)

In RPV overpressure scenarios, core damage is assumed with no impact on containment integrity.

Note 1: Key assumptions for the LPSD include key assumptions made in the Full Power PRA, as applicable.
