ML24271A282
| ML24271A282 | |
| Person / Time | |
|---|---|
| Site: | 05200050 |
| Issue date: | 09/27/2024 |
| From: | Shaver M NuScale |
| To: | Office of Nuclear Reactor Regulation, Document Control Desk |
| References | |
| RAIO-174435 | |
RAIO-174435
NuScale Power, LLC
1100 NE Circle Blvd., Suite 200, Corvallis, Oregon 97330
Office 541.360.0500 Fax 541.207.3928
www.nuscalepower.com

September 27, 2024
Docket No. 52-050

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
One White Flint North
11555 Rockville Pike
Rockville, MD 20852-2738
SUBJECT:
NuScale Power, LLC Response to NRC Request for Additional Information No. 026 (RAI-10199 R1) on the NuScale Standard Design Approval Application
REFERENCE:
- 1. NRC Letter to NuScale, Request for Additional Information No. 026 (RAI-10199 R1), dated May 25, 2024

The purpose of this letter is to provide the NuScale Power, LLC (NuScale) response to the referenced NRC Request for Additional Information (RAI).
The enclosure to this letter contains the NuScale response to the following RAI question from NRC RAI-10199 R1:
- 17.4-11

This letter makes no regulatory commitments and no revisions to any existing regulatory commitments.
If you have any questions, please contact Elisa Fairbanks at 541-452-7872 or at efairbanks@nuscalepower.com.
I declare under penalty of perjury that the foregoing is true and correct. Executed on September 27, 2024.
Sincerely,
Mark W. Shaver
Director, Regulatory Affairs
NuScale Power, LLC

Distribution:
Mahmoud Jardaneh, Chief, New Reactor Licensing Branch, NRC
Getachew Tesfaye, Senior Project Manager, NRC
Prosanta Chowdhury, Senior Project Manager, NRC

Enclosure: NuScale Response to NRC Request for Additional Information RAI-10199 R1, nonproprietary
Response to Request for Additional Information
Docket: 052000050
RAI No.: 10199
Date of RAI Issue: 05/25/2024
NRC Question No.: 17.4-11

Regulatory Basis
- 10 CFR 52.137(a)(9) requires that an application must contain a final safety analysis report which must include, in part, the following: for applications for light-water-cooled nuclear power plants, an evaluation of the standard plant design against the Standard Review Plan (SRP) revision in effect 6 months before the docket date of the application. The evaluation required by this section shall include an identification and description of all differences in design features, analytical techniques, and procedural measures proposed for the design and those corresponding features, techniques, and measures given in the SRP acceptance criteria.
- The purpose, scope, and criteria of the Reliability Assurance Program (RAP), as discussed in section 17.4 of NUREG-0800, are established in:
  - SECY-94-084, "Policy and Technical Issues Associated with the Regulatory Treatment of Nonsafety Systems in Passive Plant Designs," dated March 28, 1994 (ML003708068), and associated Staff Requirements Memorandum (SRM), dated June 30, 1994 (ML003708098), and
  - SECY-95-132, "Policy and Technical Issues Associated with the Regulatory Treatment of Nonsafety Systems (RTNSS) in Passive Plant Designs (SECY-94-084)," dated May 22, 1995 (ML003708005), and associated SRM, dated June 28, 1995 (ML003708019).
Issue

The NuScale US460 (SDA) design is a passive advanced light-water reactor (ALWR), which is covered by the regulations and Commission policies identified above. The SRM to SECY-94-084 states that the purposes of the RAP program are to provide reasonable assurance that (1) an ALWR is designed, constructed, and operated in a manner that is consistent with the assumptions and risk insights for these risk-significant structures, systems, and components (SSCs), (2) the risk-significant SSCs do not degrade to an unacceptable level during plant operations, (3) the frequency of transients that challenge ALWR SSCs are minimized, and (4) these SSCs function reliably when challenged.

NuScale Nonproprietary
In SDAA FSAR Section 17.4.3.1, "Structures, Systems, and Components Classification and Categorization Process," the applicant described the overall SSC classification process. The applicant stated, "System functions and the SSC that perform those functions are evaluated for risk-significance based on a consideration of probabilistic, deterministic, and other methods of analysis, including industry operating experience, expert panel reviews, and severe accident evaluations."
In SDAA FSAR Section 17.4.3.2, "Identification of Design Reliability Assurance Program Structures, Systems, and Components," the applicant stated, "Concurrence by the expert panel constitutes the final classification of the SSC." The applicant also stated, "The risk-significance classification for safety-related equipment is the default classification unless the PRA determined that the SSC functionalities are not risk-significant."
In SDAA FSAR Figure 17.4-1, "Structures, Systems, and Components within the Scope of the Reliability Assurance Program," the applicant illustrated its process for determining the risk significance of SSCs. This figure explicitly identified operating experience, PRA and severe accident insights and assumptions, defense in depth, and systems interactions as additional considerations when the expert panel considers the safety and risk categorizations.
In SDAA FSAR Section 17.4.3.1, the applicant also described that it uses the approach approved in Licensing Topical Report TR-0515-13952-NP-A, Revision 0, "Risk Significance Determination" (ML16284A016). In the Final Safety Evaluation Report for Licensing Topical Report TR-0515-13952-NP-A, dated July 13, 2016 (ML16181A218), the NRC staff concluded that the methods described in TR-0515-13952-NP-A are acceptable for identifying SSCs as candidates for risk significance in a NuScale design PRA, subject to the conditions and limitations provided. Condition and limitation 2 states, in part:
In keeping with NRC policy on risk-informed regulation, the ultimate determination of risk significance shall be based on the specific application, with appropriate consideration of uncertainties, sensitivities, traditional engineering evaluations and regulations, and maintaining sufficient defense-in-depth and safety margin. As such, PRA risk insights shall be considered along with deterministic approaches and defense-in-depth concepts such that the user is implementing a risk-informed rather than a solely risk-based approach.
The NRC staff used the guidance in SRP Section 17.4, Revision 1, to conduct its review of the applicant's design reliability assurance (D-RAP) program. The NRC staff focused on SSCs with design changes compared to the certified US600 design to provide a more effective and efficient review and audited the system function reports for the steam generator system, control rod drive system, decay heat removal system, boron addition system, emergency core cooling system, containment system, and reactor coolant system. During the audit, the NRC staff was unable to verify through the review of records an adequate implementation of the D-RAP process; specifically, NRC staff was unable to verify demonstrations, with supporting documentation, of what specific deterministic and defense-in-depth considerations were considered by the D-RAP expert panel and how these inputs were dispositioned by the D-RAP expert panel in its risk significance decisions for the example SSCs and functions for the SDA design. Based on the NRC staff's review of the SDAA FSAR, the system function reports, and documentation in the regulatory audit, the NRC staff is unable to find evidence to conclude that the applicant implemented a risk-informed process for SSC classification. Specifically, the NRC staff is unable to conclude that deterministic considerations and defense-in-depth were appropriately considered in the risk significance determination of SSCs, especially in cases where there are no apparent design differences for the SSCs between the US460 (for which the SSCs were deemed not risk significant) and the certified US600 designs (for which the SSCs were deemed risk significant).
Additionally, in SDAA FSAR Table 19.1-55, "Shared System Hazard Analysis," the applicant stated, [t]he loss of the backup power supply system (BPSS) would reduce defense-in-depth of the station in response to a loss of offsite power event. More than 25 percent of the internal events CDF caused by losses of offsite power is mitigated by the two backup diesel generators (BDGs) without the need to initiate ECCS. The staff also notes that the two BDGs support all six NPMs in the US460 design, compounding the impact of the reliability of the BDGs. Yet, the BDGs are not scoped into D-RAP.
The NRC staff notes that the thresholds for candidate risk significance from the PRA are different between the SDA and certified US600 designs and that these thresholds in the SDAA already account for the low absolute risk of the SDA design compared to legacy plants.
During the audit, the NRC staff requested the primary system or plant design changes in the SDA design that led to a change in categorization of the control rod drive, containment, and steam generator systems. In its response, the applicant described that the differences in risk significance classifications from the certified US600 design to the SDA design were not necessarily the result of a design change to the SSC, but instead reflective of performing the evaluations with updated information and no longer assuming a default classification of risk significant for safety-related equipment. The NRC staff determined that this response contradicts information provided in SDAA FSAR Section 17.4.3.2.
Information Requested

To support the NRC staff's finding against 10 CFR 52.137(a)(9) on the SDAA's conformance with the Commission's direction on D-RAP, NuScale is requested to:
- 1. Confirm that the SSC classification process was performed in accordance with SDAA FSAR Section 17.4.3.2, which states, "The risk-significance classification for safety-related equipment is the default classification unless the PRA determined that the SSC functionalities are not risk-significant." If the default classification for safety-related equipment is not risk significant, clarify the SSC classification process, with justification, and provide an FSAR markup to reflect that process.
- 2. For the control rod drive and steam generator systems (i.e., the systems whose functions were categorized as risk significant in the certified US600 design and not risk significant in the SDA design), provide an FSAR markup of Table 17.4-1 that classifies the functions and required SSCs as risk significant. Alternately, justify that the system function categorization and subsequent SSC classification is risk informed. As part of the justification, for each of the above-mentioned systems, (i) describe the specific deterministic and defense-in-depth considerations that were evaluated by the D-RAP expert panel and how these considerations were dispositioned and (ii) discuss the leading system or plant design changes that drove the determination by PRA that the system functions were not risk significant.
- 3. The reactor coolant pressure boundary (RCPB) is essential to defense in depth in the SDA design, especially during normal operation when the emergency core cooling system (ECCS) is not activated, which is the dominant operational configuration. Despite its importance, maintaining RCPB is not identified as risk significant for any system in SDAA FSAR Table 17.4-1. Given the importance of maintaining the RCPB to defense in depth, especially during normal operation when ECCS is not activated, provide an FSAR markup of Table 17.4-1 that classifies this function and the required SSCs as risk significant.
- 4. For the BPSS, whose loss, according to the FSAR, would reduce defense in depth, justify that the system function categorization and subsequent SSC classification is risk-informed, and not solely risk-based, given the successful operation of the BDGs is necessary following an extended loss of AC power to prevent unnecessary ECCS actuation in the SDA design and mitigate more than 25 percent of the CDF. As part of the justification, describe the specific deterministic and defense-in-depth considerations that were evaluated by the D-RAP expert panel for the BPSS and how these considerations were dispositioned.
NuScale Response:
Question 1 Response

The statement identified for risk classification having a defaulted recommendation is incorrect and not reflected in NuScale processes. NuScale approaches risk classification independent of safety classification. Section 17.4.3.2, "Identification of Design Reliability Assurance Program Structures, Systems, and Components," is clarified to reflect this.
Section 17.4, Reliability Assurance Program, details the conformance with Standard Review Plan 17.4 including a detailed description of the processes and list of Reliability Assurance Program (RAP) structures, systems, and components (SSC). Consistent with SECY-94-084, SRP 17.4, and the Nuclear Regulatory Commission (NRC)-approved Quality Assurance Program Description, MN-122626-A, NuScale has a comprehensive process for determining the safety classification and risk significance for SSC. The process for decision-making is executed in accordance with NuScale procedures for risk significance determination with the final decisions validated through deliberation of the qualified Design Reliability and Assurance Program (D-RAP) expert panel. The SSC classifications reflected in the US460 Standard Design Approval Application (SDAA) represent design documents developed under the classification procedures for the US460 standard plant design. When classifying system functions, the subject matter expert (SME) proposes risk and safety classifications holistically (considering, e.g., the design functions, operating experience, and Probabilistic Risk Assessment [PRA] insights). The D-RAP expert panel confirms the final classification determination, as documented in the resulting system function reports.
Final Safety Analysis Report (FSAR) Section 19.1.3.4, Uses of Probabilistic Risk Assessment in the Design Process, describes one approach to risk NuScale used in the design of the US460:
The design was developed in consideration of issues associated with typical currently operated plants. Thus, there are several design features inherent to the design that address characteristics of currently operating plants related to operational risk. Table 19.1-2 [Design Features/Operational Strategies to Reduce Risk] summarizes these features, which contribute to a low risk profile. The PRA was used to further reduce the risk profile by evaluating design options during the design process. Table 19.1-3 [Use of Probabilistic Risk Assessment in Selection of Design Alternatives] summarizes key design decisions that were supported by PRA analyses.
Table 19.1-2 includes design features such as steam generator tubes that are maintained in a constant state of compression. Table 19.1-3 includes design decisions such as adding venturi flow restrictors to the containment vessel safe ends of the chemical and volume control system lines.
Question 2 Response

Within the classification process, the SME presents the system function report and makes a recommendation for the categorization of system functions using the available information for the system. Functional analysis, interfaces, function in design-basis events, and other criteria are considered as part of the proposed safety classification of an SSC. For risk significance, the SME reviews available design and analysis information, including but not limited to thermal-hydraulic simulations, severe accident simulations, the list of candidates for risk significance from the PRA, PRA insights, and sensitivity analyses, and recommends a risk classification for confirmation by the expert panel. Thus, the classification is risk-informed for each SSC, not just the steam generator system (SGS) and control rod drive system (CRDS).
Although the US460 design is evolved from the US600 design, NuScale performed the classification process for the US460 design anew. The SME conducted a classification process based on the criteria of the SSC classification procedure. During this process, the SME presented system information to the D-RAP expert panel, and the classification process was implemented to verify the appropriate risk significance classification for the steam generator and control rod drive mechanism. During the audit process, SMEs and D-RAP expert panel members reviewed the questions raised by the NRC staff against the system classifications, and the classification remains correctly identified in the US460 FSAR.
The detailed deliberations of the D-RAP expert panel are not captured in NuScale records, so specific considerations and dispositions are not available for the meetings that were conducted.
However, the D-RAP expert panel provided additional insights to the process and history of US460 system classification during a call with NRC staff on August 23, 2024. As noted, the results are available within the system function reports and their classifications. A review of the documented system classifications and the system descriptions reflected within the FSAR provides a comprehensive overview of system interfaces and their design functions during design-basis and beyond-design-basis events.
The US600 design and the derivative US460 design are applications that incorporate lessons learned from decades of nuclear power plant operation to eliminate failure points that are commonly identified among operations lessons learned. These include, but are not limited to, avoidance of necessary operator actions for mitigation of design-basis events and reliance on highly reliable, robust, passive safety systems. Defense-in-depth considerations are inherent to the US460 standard plant design, and while similar at a high level, the specific approach to defense-in-depth has important differences from traditional large light water reactors, such as intentionally relying on the containment vessel to ensure core cooling and preclude fuel damage for design-basis events, thereby preserving two fission product barriers. Therefore, the D-RAP expert panel considerations and conclusions must account for the overall plant design and objectives rather than being constrained by the regulatory framework developed for the safety strategy and risk considerations inherent in large light water reactors.
Regulatory Guide 1.174 Revision 3 establishes criteria for changes to an approved design or application affecting defense-in-depth considerations so that the defense-in-depth philosophy is not eroded with respect to these changes. NuScale opted instead to implement a design with reliable passive safety features with which operators can use nonsafety-related systems for reliable power generation. The safe operation of the plant is thus a comprehensive defense-in-depth philosophy reflected within the licensing basis. The SGS and CRDS functions in design-basis events are described in the FSAR and are reflected in the component classifications within the system sections.
Question 3 Response

NuScale classifies maintaining the reactor coolant pressure boundary (RCPB) integrity as safety-related, not risk-significant for all NuScale Power Module systems. The risk significance classification for the RCPB function was made according to the NuScale D-RAP process in which system SMEs recommend system function classifications and the D-RAP expert panel reviews, challenges, and confirms these classifications as described in the Question 2 response.
The NRC's traditional regulatory framework reflects a qualitative judgment of the importance of the RCPB as a layer of defense-in-depth. The NuScale Power Module RCPB is classified as safety-related and designed in accordance with applicable regulatory requirements pursuant to that safety classification. The purpose of risk classification is to consider a specific design and the functions of the SSC within that design. NuScale's risk classification of the RCPB is based on consideration of the RCPB's importance within the overall safety of the NuScale design and the RCPB's role therein. Design documents for the US460 (e.g., system function reports, system equipment lists) support the risk classifications identified in the SDAA. Table 17.4-11 correctly reflects the classifications identified in the design documents for the US460.
Question 4 Response

The term defense-in-depth as applied to the backup power supply system in Table 19.1-55, "Shared System Hazard Analysis," refers to capabilities that go beyond what is modeled in the PRA and what the deterministic safety analysis requires. For example, by giving operators the flexibility of a backup power source, the backup power supply system can limit the unnecessary use of passive features, such as the control room habitability system, to support protection of plant assets. Because Table 19.1-55 is intended to discuss the backup power supply system in the context of PRA and severe accidents, NuScale has removed this statement from Table 19.1-55.
Impact on US460 SDAA:
FSAR Sections 17.4 and 19.1 have been revised as described in the response above and as shown in the markup provided in this response.
NuScale Final Safety Analysis Report Probabilistic Risk Assessment
NuScale US460 SDAA 19.1-200 Draft Revision 2

Table 19.1-56: Shared System Hazard Analysis (Continued)

| System | Multiple Module Function | Accident Mitigation Implication | Included in Base Model for Single NPM |
|---|---|---|---|
| Normal DC power system (EDNS) | Described in Section 8.3 | This system does not have a function associated with mitigation of an accident. Since EDNS provides the power to PCS and MCS, it is assumed that failure of EDNS will cause a plant transient that will lead to an automatic trip or manual shutdown and is thus included in the general reactor trip initiator. | Yes |
| Backup power supply system (BPSS) | Described in Section 8.3 | The loss of the BPSS would reduce defense-in-depth of the station in response to a loss of offsite power event. The plant is designed to cope with a station blackout beyond 72 hours through a combination of engineered safety features that actuate on loss of control power and passive cooling to the reactor pool. Therefore, the BPSS does not affect design basis accident mitigation. The backup diesel generators are included in the PRA as a power source for the EMVS buses in the case of loss of power from EHVS. | Yes |
| Plant lighting system | Described in Section 9.5 | Loss of normal and emergency lighting would hinder operators' ability to respond to accidents using normal lighting, but no operator actions are required to mitigate design basis accidents. In beyond design basis accidents, the operators could perform PRA-modeled actions with the HSIS workstations and use flashlights for field actions. | No |
| Switchyard system | Described in Section 8.3 | A loss of the switchyard is a loss of offsite power event. The BPSS will supply plant loads. Moreover, the plant is designed to cope with a station blackout beyond 72 hours through a combination of engineered safety features that actuate on loss of control power and provide passive cooling to the reactor pool. The switchyard is included in the PRA model as part of the loss of offsite power initiator. | Yes |
| Safety display and indication (SDI) | Described in Section 7.0 | The SDI provides post-accident monitoring information to the control room, but does not have an accident mitigation function. No operator actions are required for design basis accident mitigation. Post-accident monitoring is not essential to beyond design basis accident mitigation. | No |
| Plant control system (PCS) | Described in Section 7.0 | The PCS is not required for accident mitigation. None of the systems controlled by PCS is required for mitigating an accident. Loss of PCS is included in the general reactor trip initiator. | Yes |
| Plant protection system (PPS) | Described in Section 7.0 | PPS isolation of control room envelope and actuation of control room habitability would only be needed in the case of a toxic chemical event or a beyond design basis accident causing a large radioactivity release. A toxic chemical event does not cause plant failures needing mitigation (PPS just protects the operators). A large radioactivity release during a beyond design basis event would mean that mitigation had already failed, so the loss of PPS would not affect mitigation. | No |
| Fixed area radiation monitoring system | Described in Section 7.0 | This system does not have a function associated with mitigation of an accident. | No |
NuScale Final Safety Analysis Report Reliability Assurance Program
NuScale US460 SDAA 17.4-4 Draft Revision 2

probabilistic, deterministic, and other methods of analysis, including industry operating experience, expert panel reviews, and severe accident evaluations. The SSC risk categorization is determined by the SME and confirmed by expert panel review.
Risk evaluations cover the spectrum of potential events and the range of plant operating modes considered in the PRA (Section 19.1). This evaluation ranges from full power operation to shutdown and anticipated maintenance conditions.
Beyond-design-basis accidents resulting in core damage and large releases of radioactivity into containment and the environment are also considered. The evaluation of severe accidents is described in Section 19.2.
NuScale uses an alternative approach to Regulatory Guide 1.200 that is described in Topical Report TR-0515-13952-NP-A, Risk Significance Determination (Reference 17.4-1), and Section 19.1 demonstrates applicability to the US460 standard design.
17.4.3.2 Identification of Design Reliability Assurance Program Structures, Systems, and Components

The SSC classification process uses a functional hierarchy concept in which system functions are broken down into components that are required to fulfill the function. The process begins by defining system functions and categorizing them in accordance with their contribution to safety and risk-significance.
The defined standard functions are categorized as:
A1 (safety-related and risk-significant)
A2 (safety-related, not risk-significant)
B1 (nonsafety-related, risk-significant)
B2 (nonsafety-related, not risk-significant)
The D-RAP structures, systems, and components are those that are required to perform the system functions that are risk-significant (functions categorized as either A1 or B1). As noted in Section 17.4.3.1, the evaluation for risk-significance is based on probabilistic, deterministic, and other methods of analysis, industry operating experience, expert panel reviews, and severe accident evaluations.
RAI 17.4-11 Concurrence by the expert panel constitutes the final classification of the SSC. If a downgrade in the safety-significance classification is not deemed necessary due to change in the original PRA information, the original classification is retained for the SSC. The risk-significance classification for safety-related equipment is the default classification unless the PRA determined that the SSC functionalities are not risk-significant.
Table 17.4-1 lists the system functions and associated SSC determined by this process to be risk-significant. The table also provides the basis for the determination.