ML24346A306

From kanterella
Jump to navigation Jump to search
LLC - Response to SDAA Audit Question Number A-19.1-5
ML24346A306
Person / Time
Site: 05200050
Issue date: 12/11/2024
From:
NuScale
To:
Office of Nuclear Reactor Regulation
Shared Package
ML24346A130 List: ... further results
References
LO-175762
Download: ML24346A306 (1)
v  d  e


Text

Response to SDAA Audit Question Question Number: A-19.1-5 Receipt Date: 04/03/2023 Question:

1. Section 6.4 of the Technical Report on EDAS treatment appended to Chapter 15 of the SAR states, Through the design reliability assurance program (D-RAP), augmented requirements have been applied to the design to support performance of these functions. This statement seems to indicate that the EDAS is captured by D-RAP. Figure 3-1 indicates that all SSCs are addressed in the D-RAP Summary Report; however, since EDAS is not listed in SDA Table 17.4-1, Design Reliability Assurance Program Structures, System, and Components Functions, Categorization, and Categorization Basis, it is not clear how augmented quality will be ensured or the relationship of EDAS to D-RAP. a) Since EDAS appears not to be included in D-RAP, how will augmented quality be ensured? b) If EDAS is not a D-RAP SSC, please identify the program or approach used to ensure augmented quality and provide a comparison with D-RAP requirements? c) Additionally, please address any differences between the augmented quality requirements listed in Table B-2 of the Technical Report and the requirements that would be imposed on EDAS if the system were safety-related or part of RTNSS.
2. During the information collection conducted between the NRC and NuScale on risk insights in December 2022, NuScale stated that EPRI Report 1016741 was used as the basis to not model the CCF of 4/4 DC batteries in PRA. This modeling decision can potentially impact the PRA results, including the potential risk significance of the EDAS. a) Please provide results of any sensitivities demonstrating the impact of including 4 or 4 CCF of EDAS in the PRA on EDAS risk significance. b) If a sensitivity study shows that EDAS is risk significant, add EDAS to the appropriate program(s) (e.g., RTNSS, D-RAP) or provide the detailed technical basis, data, and applicability to the NuScale design for excluding 4 of 4 CCF of EDAS from the PRA model.
3. On Page 15.0-12, the SDAA states that failure of the EDAS is not expected to occur during an NPM lifetime; a loss of EDAS after event initiation, but before control rods are fully inserted is not considered; and that the probability of a DBE combined with a random failure of EDAS is a beyond-design-basis event. Please provide the evaluation of the design-basis-event of a DBE NuScale Nonproprietary NuScale Nonproprietary

combined with random failure of EDAS and include:

How the frequency was calculated for an EDAS smart failure, including the basis for the 1-hour exposure time used to determine frequency of O(E-8) in the Technical Report appended to Chapter 15. How were reactivity insertion transients that can proceed for longer than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> accounted for in the calculation?

How the consequences of an event that includes a loss of EDAS after event initiation were considered in the evaluation of the BDBE.

Any impacts to the evaluation if the frequency of 4 of 4 CCF for EDAS is included in the calculation.

Response

1. a) For systems that are not included in Table 17.4-1 of the standard design approval application (SDAA), classification and subsequent identification of structures, systems, and components (SSC) are discussed in section 3.2 of the SDAA.

As identified in Section 3.2 of the SDAA, Structures, systems, and components (SSC) are classified according to nuclear safety classification, seismic category, and quality group. This classification aids in the determination of the appropriate quality standards and the identification of applicable codes and standards. The SSC classifications are based on a consideration of both safety-related functions (consistent with the definition of safety-related in 10 CFR 50.2) and risk-significant functions determined as part of the Design Reliability Assurance Program (D-RAP)...The SSC classification process is applied at a component level based upon the system functions performed. At the system level, system functions are designated as safety-related or nonsafety-related, and risk-significant or not risk-significant.

Additionally, Section 3.2 of the SDAA discusses that In addition to safety and risk-significance, the classification methodology includes consideration for augmented requirements for those SSC that are by definition nonsafety-related (based on the definition in 10 CFR 50.2). The selection of augmented requirements is based on a consideration of the important functionality to be performed by the nonsafety-related SSC and regulatory guidance applicable to the functionality.

b) As identified in subpart a of this question, the SSC classification process is applied at a component level based upon the system functions performed. At the system level, system functions are designated as safety-related or nonsafety-related, and risk-significant or not risk-significant.

NuScale Nonproprietary NuScale Nonproprietary

As discussed in Section 17.4.3 of the SDAA, The objective of the SSC Classification Program is to classify the SSCs that comprise the plant in terms of safety, risk, augmenting requirements, seismic class, and quality group. System-level functions are evaluated and classified as to their risk-significance to determine whether associated SSC are part of the D-RAP.

Additionally, in Section 17.4.3.1 of the SDAA it is identified that The SSC classification process is described in Section 3.2 and considers both safety and risk. Risk significance is determined by the identification and review of each system function. Each system-level function is evaluated to determine the SSC required to fulfill the function. System functions and the SSC that perform those functions are evaluated for risk-significance based on a consideration of probabilistic, deterministic, and other methods of analysis, including industry operating experience, expert panel reviews, and severe accident evaluations. The SSC risk categorization is determined by the SME and confirmed by expert panel review.

System functions are addressed by the D-RAP process and categorized as A1, A2, B1, or B2, as identified in SDAA Section 17.4.3.2, which also identifies that Table 17.4-1 lists the system functions and associated SSC determined by this process to be risk-significant. The table also provides the basis for the determination.

Section 8.3.2.2.1 of the SDAA identifies The EDAS structures, systems, and components are further augmented by applying design, qualification, and QA provisions typically applied to Class 1E DC power systems using a graded approach. The graded approach is reflected in the EDAS design, qualification, and QA provisions detailed in this Chapter and the Quality Assurance Program Description. Augmented DC power system SSC that provide backup DC electrical power meet Seismic Category I standards.

Topical Report MN-122626, NuScale Power, LLC Quality Assurance Program Description, identifies the applicable Quality Assurance program controls that are applied to nonsafety-related SSCs in Section 3.0.

c) Through the programs and processes described within sections 3.2 and 17.4 of the SDAA, the classification and categorization of the augmented DC power system (EDAS) has been identified in Section 8.3.2.2.1 of the SDAA.

The Augmented Design, Qualification and Quality Assurance Requirements of the EDAS have been described within Table B-1 and Table B-2 of TR-102621-P, which support the EDAS safety classification that has been assigned. These augmented requirements include, but are not limited to, location in Seismic Class I structures and a mild environment, application of the NuScale Nonproprietary NuScale Nonproprietary

QAPD, and reliability equivalent to a Class 1E electrical system. This application is consistent with the programs and procedures described within the above mentioned sections.

2. The EPRI report is used as a basis for modeling common cause failure (CCF) of the EDAS buses (i.e., support system initiating events), not the batteries.

((2(a),(c) Each room also has an independent heating, ventilation, and air conditioning system. The loss of direct current (DC) sensitivity study considered doubling the loss of DC initiating event frequency (FSAR Table 19.1-22 and Table 6-3 of ER-102082, the Quantification Notebook). The results show no impact on core damage frequency (CDF) or large release frequency (LRF). The EDAS is below the criteria for risk significance.

3. As identified in FSAR Table 19.1-7, the loss of DC power is considered an initiating event in the PRA. The loss of DC power considers de-energization of at least two EDAS buses. The frequency of the EDAS smart failure is calculated to be 1.5E-08 per year. The method for calculating this frequency is shown in Footnote 1 of Section 6.5 of the Treatment of DC Power in Safety Analyses technical report (TR-102621-P). Because the smart failure involves two separate independent events in the PRA (i.e., a general transient and a failure of EDAS), an exposure time is used to determine the likelihood of the two initiating events happening concurrently. ((
}}2(a),(c)

(( 

}}2(a),(c) The initiating events that can result in elevated power are cooldown events considered in Section 15.1 and reactivity events considered in Section 15.4. (( 
}}2(a),(c)

NuScale Nonproprietary NuScale Nonproprietary

(( 

}}2(a),(c) This expected operator behavior is consistent with the NEI industry guidance endorsed by the NRC in Regulatory Issue Summary (RIS) 2007-21. The industry guidance states that thermal power is to be closely monitored and timely action is to be taken to ensure that thermal power is less than or equal to the licensed power level limit. (( 
}}2(a),(c) As described above, the failure of EDAS is considered as an initiating event in the PRA. As shown in the event tree, core damage does not occur unless additional failures occur, such as failure of the emergency core cooling system to actuate. The opening of emergency core cooling system valves due to loss of EDAS is a success in the PRA. In cases where subsequent systems fail in response to a loss of DC initiating event, including anticipated transients without scram sequences, core damage and large release are considered (i.e., the surrogates for public health consequences).

Figure 19.1-10 in the FSAR includes the loss of DC event tree, and FSAR Figure 19.1-13 includes the containment event tree. See the response to question 2 for the frequency of 4 of 4 for EDAS. NuScale Nonproprietary NuScale Nonproprietary

NuScales Integrated Response to EDAS Feedback Staffs Feedback on NuScales Responses to Audit Issues A-19.1-5, A-19.1-37, and A-17.4-10 The responses to A-19.1-5, A-19.1-37, and A-17.4-10 make assertions that are not supported by design and operational controls and, therefore, are inconsistent with a risk-informed resolution. In response to A-19.1-5, regarding EDAS, NuScale stated, These augmented requirements, include but are not limited to, location in a seismic class 1 structures, application of the QAPD, and reliability equivalent to a Class 1E electrical system. Based on the statements below, we believe that there is no evidence to support the conclusions that EDAS will have equivalent reliability to a Class 1E system and that EDAS is not risk significant. Therefore, NuScale is requested to include Technical Specifications for EDAS and include EDAS in D-RAP as a risk significant SSC. These actions are necessary to ensure that EDAS reliability and availability is consistent with (1) a Class 1E system, (2) the dominant failure mode assumed for the EDAS in the probabilistic risk assessment (PRA), (3) the aspirational reliability used in the PRA, which is based on data from safety-related DC power systems in operating plants, and (4) a defense-in-depth philosophy consistent with risk-informed decision making.

(( }}2(a),(c) This assumption is based on the expectation that EDAS is single-failure proof. There is no operational control that prevents this assumption from being violated (i.e., a channel can be out-of-service indefinitely and a single random failure on the other channel can fail EDAS).

As discussed in the initiating events analysis notebook, ER-102066, the initiating event frequency (( }}2(a),(c)

In ER-102077, Electrical Systems Notebook, Section 3.1.1.3, Test and Maintenance Unavailability, (( }}2(a),(c)

In ER-102077, Electrical Systems Notebook, Section 3.1.1.4, Battery Maintenance Unavailability, (( }}2(a),(c)

In the Augmented DC power System Function Report, ER-110605, Revision 1, System Function, EDA-03 is, (( }}2(a),(c) NuScale Nonproprietary NuScale Nonproprietary

(( }}2(a),(c) The categorization is B2, and the plant function is (( }}2(a),(c) even though inadvertent ECCS valve actuation results in the inadvertent breach of the reactor coolant pressure boundary. Regarding Defense-in-Depth, RG 1.174 states, Maintain multiple fission product barriers. The EDAS System Function Report indicates function 6 provide electrical power for the prevention of unintended ECCS actuation, which supports the underlying defense-in-depth requirements of GDC 15 which expects the reactor coolant pressure boundary to remain available as a fission product barrier during anticipated operational occurrences. NuScale Response The statement in the NRC feedback that there is no evidence to support the conclusions that EDAS will have equivalent reliability to a Class 1E system is an incorrect statement. NuScale developed the design, qualification, and quality assurance requirements for the augmented DC power system (EDAS) based on the NRC approved topical report TR-0815-16497-P-A, Safety Classification of Passive Nuclear Power Plant Electrical Systems. The topical report provides a set of passive reactor plant design and operational attributes, that if met, justify that none of the plant electrical systems fulfill functions that would warrant a Class 1E classification. NuScale specified a five step approach to compare the reliability of the DC power system to that of a typical Class 1E DC power system. The NRC Safety Evaluation Report (SER) for this topical report found this approach acceptable: ...the NRC staff concludes that the five-step process outlined in the applicants response provides an acceptable approach for demonstrating the relative reliability of a non-Class 1E system with an analogous Class 1E system. Section 8.3 of the US460 Standard Design Approval Application (SDAA) provides a description of the EDAS design, including the augmented requirements for this system. Table B-1 and Table B-2 of TR-102621, Revision 1, Treatment of DC Power in Safety Analyses, provide a consolidated summary of the basis for the safety classification, augmented design, qualification, and quality assurance requirements for EDAS, which are based on Table 3-1 and Table 3-2 of TR-0815-16497-P-A. NuScale provided the comparative reliability study (ER-122556, Revision 0, "Comparative Reliability of the Augmented DC Power System") in response to Audit Question A-8.3-1 and posted this report in the Chapter 8 eRR. The report compares the reliability of EDAS to that of a typical Class 1E (i.e., safety-related) DC power system using the NRC NuScale Nonproprietary NuScale Nonproprietary

approved five-step methodology with the conclusion supporting a determination that the reliability of the [EDAS] is substantially similar to that of a Class 1E DC power system. Subsequent to receiving the above NRC feedback, NuScale and the NRC Electrical Engineering Branch conducted a deep dive meeting on EDAS on April 22nd, 2024. As a result of that meeting, NuScale took several actions to provide additional information and to update Section 8.3 of the Final Safety Analysis Report (FSAR). These updates address the design, reliability, and availability assertions raised in the NRC feedback. The NRC feedback can be classified into three broad categories: reliability, availability, and risk classification. Table 1 provides a matrixed response to correlate the specific statements in the NRC feedback and the resulting actions NuScale took from the April 22nd meeting. NuScale Nonproprietary NuScale Nonproprietary

Table 1 - Augmented Direct Current Power System Matrixed Response NRC Assertion NuScale Deep Dive (4/22/24 Meeting) Action Item Response Notes Reliability We believe that there is no evidence to support conclusions that EDAS will have equivalent reliability to a Class 1E system Bullet #2: Initiating event frequency for loss of DC bus is based on safety related DC power systems. EDAS Deep Dive Action Item #7 provides a summary of the qualification of a valve-regulated lead-acid (VRLA) battery system equivalent to EDAS that provides reasonable assurance of reliability comparable to a Class 1E System. The summary of the qualification performed for an equivalent VRLA battery provides reasonable assurance that EDAS will have a reliability equivalent to a Class 1E system. EDAS condition of safety classification includes maintaining a reliability comparable to a Class 1E system. (TR-102621, Table B-1, Condition 8 satisfied by ER-122556). Provided in eRR. Availability Bullet #1: There is no operational control that prevents a channel being out-of-service indefinitely. Bullet #3: (( }}2(a),(c) Bullet #4: Battery Maintenance Unavailability EDAS Deep Dive Action Item #11 provides a description of the operational controls to ensure availability. Controls over reliability and availability of EDAS-MS power circuitry and supply are included in the owners controlled requirements manual (OCRM) - Same as US600 EDAS is included in a downstream applicants maintenance rule program. Section 8.3 describes the IEEE standards committed to for maintenance - IEEE 1188-2005 NuScale Nonproprietary NuScale Nonproprietary

Table 1 - Augmented Direct Current Power System Matrixed Response (Continued) NRC Assertion NuScale Deep Dive (4/22/24 Meeting) Action Item Response Notes Risk Classification We believe that there is no evidence to support that EDAS is not risk significant. Bullet #5: Inadvertent ECCS actuation results in the inadvertent breach of the RCPB. EDAS supports the underlying defense-in-depth requirements of GDC 15 which expects the RCPB to remain available as a fission product barrier during AOOs. No specific action items addressed risk classification. Demonstration of reliability supports the conclusion that EDAS is not risk-significant. See further response below on risk-classification and defense-in-depth. Loss of EDAS in conjunction with other AOO events (i.e., loss of offsite AC power) is not expected to occur during the lifetime of the module. The specific sequence of events leading to inadvertent ECCS actuation due to random EDAS failure after initiation of a design basis event is shown to not be a design basis event based on its extremely low likelihood of occurrence. Inadvertent ECCS actuation is not a breach of the reactor coolant pressure boundary (RCPB). It is the initiation of a design-basis event function which is described within Chapter 15. General Design Criterion (GDC) 15 is applicable to all normal operating conditions, including anticipated operational occurrences (AOOs). GDC 15 is not applicable to the beyond-design basis event of a loss of multiple trains of DC power subsequent to an AOO. TR-102621, Section B.1, demonstrates that ECCS actuation following an AOO is not expected in the design lifetime of an NPM. This is consistent with the underlying defense-in-depth requirements of GDC 15 as identified by NRC staff in the TR-0815-16497-P-A SER restriction 4.4 (refer to SER discussion of RAI 08.03.02-06.) NuScale Nonproprietary NuScale Nonproprietary

Risk-Significance Classification A function of the EDAS is to provide backup power supply to specified loads when AC power supply is not available. The EDAS provides power for post-accident monitoring and power to prevent inadvertent actuation of the ECCS valves, when they are not required to provide cooling. Through the Design Reliability Assurance Program (D-RAP), augmented design requirements are applied to the design to support performance of these functions. For design-basis event progressions when EDAS is initially available to supply power, EDAS continues to perform its functions to supply power as designed. The reliability and availability of EDAS to provide continuous power to its identified functions is ensured through the augmented requirements as discussed in Table 1. Scenarios involving EDAS failure after event initiation (i.e., during event sequences) are prevented by designing EDAS with sufficient reliability and availability, along with redundancy (two independent trains). These performance characteristics ensure that a combination of an AOO with an inadvertent actuation of ECCS is not realistically expected to occur during the lifetime of the module, and therefore this combination of events (i.e., two coincident AOOs) is not considered a design-basis event. Appendix B of TR-102610 details the EDAS safety classification basis, which is summarized in Table B-1. The identification of AOOs in Chapter 15 transient evaluations and their inclusion in the FSAR are defined as low probability events that are expected to occur one or more times during the life of the nuclear power unit. The classification of risk significance is addressed in NUREG-0800, Introduction - Part 2, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear power Plants: Small Modular Reactor Edition : With regard to risk significance, applicants are responsible for determining which SSCs are candidates for RTNSS, and which are included in the RAP list. The staff assesses and verifies the applicants categorization once sufficient design detail, PRA information, and RAP list information are available. The verification of whether an SSC is safety-related (i.e., satisfies any of the criteria in 10 CFR 50.2), risk-significant, or both is accomplished through current evaluation and decision processes. Risk significance is measured relative to the likelihood and consequences of severe accidents which involve core damage and can lead to containment failure with a large release of radioactivity. Consequently, risk significance may be determined with the use of insights from the list of risk-significant SSCs included in the applicants RAP list. The staff reviews the methods and results used by the applicant to establish the list of SSCs included in RAP using guidance in SRP Section 17.4. Guidance for reviewing the selection of SSCs for RTNSS NuScale Nonproprietary NuScale Nonproprietary

is provided in SRP Section 19.3 and on an SSC-specific basis in the applicable DSRS for a given SSC. The combination of an AOO with an inadvertent actuation of ECCS is a low likelihood event and not expected to occur during the lifetime of the module. Actuation of ECCS passively establishes a natural circulation path that provides core heat removal. As indicated in FSAR Table 19.1-20, Summary of Candidate Risk-Significant Structures, Systems, and Components, neither EDAS as a whole, nor individual components within, meet the quantitative criteria to be identified as candidates for risk significance. A sensitivity study documented in FSAR Table 19.1-22 shows that doubling the loss of DC power initiating event frequency has no impact on the core damage frequency or large release frequency. Both PRA insights and expert panel discussion conclude no function of EDAS is risk-significant. Defense-in-Depth During review of TR-0815-16497-P-A, the SER provided the following justification that the nonsafety-related DC power system was consistent with the defense-in-depth purpose of GDC 15: ...the staff identifies that a rapid discharge of reactor coolant directly to the containment atmosphere, in response to an AOO, can result in significant pressurization of the containment, which is required to retain coolant and establish a return path to the reactor pressure vessel. The AOO scenario in TR Appendix D appears to rely on the containment to retain the reactor coolant necessary to ensure fuel cladding integrity during an AOO. Because an AOO, by definition, is expected to occur one or more times during the life of the nuclear power plant, the NRC staff is concerned that such reliance upon the containment may not be consistent with the underlying defense-in-depth purpose of GDC 15, which expects the RCPB to remain available as a fission product barrier during AOOs. Accordingly, the NRC staff established Condition 4.4 on the TR to address reliability requirements for the systems necessary to retain reactor coolant within the RCPB. Condition 4.4 requires a probabilistic determination of the expected frequency of ECCS actuation during AOO mitigation (e.g., dc power system failure that causes ECCS actuation, ECCS pilot valve failure, spurious ECCS actuation). Opening of the ECCS valves during normal, planned plant operations, including recovery from an AOO, is acceptable once a safe, stable state has been established. Based on the overpressure protection of the RCPB and pursuant to Condition 4.4, the NRC NuScale Nonproprietary NuScale Nonproprietary

finds that Condition of Applicability I.1.g is necessary and sufficient for determining that Class 1E power is not required to satisfy GDC 15. NuScale has carried over an identical condition to Condition 4.4 of the topical report to EDAS in TR-102621, Table B-1, Condition 13: The frequency for which a combination of an AOO and an actuation of the NuScale ECCS is not expected to occur during the lifetime of the module. Section B.1 of TR-102621 demonstrates this condition is met, showing that the frequency of an ECCS actuation following an AOO is approximately (( }}2(a),(c) Therefore, inadvertent ECCS actuation following an AOO is not expected in the lifetime of the plant due to EDAS reliability maintaining the RCPB as a fission product barrier, thereby satisfying the underlying defense-in-depth requirements of GDC 15. NuScale Nonproprietary NuScale Nonproprietary

Staffs Feedback on NuScales Response to Audit issue A-16-8 NRC Feedback Criterion 2 EDAS meets Criterion 2 because an intact reactor coolant pressure boundary, which requires EDAS dc electrical power, is an operating restriction that is an initial condition of a [non-LOCA] transient analysis that presents a challenge to the integrity of a fission product barrier. (B) Criterion 2. A process variable, design feature, or operating restriction that is an initial condition of a design basis accident or transient analysis that either assumes the failure of or presents a challenge to the integrity of a fission product barrier. The EDAS dc electrical power to the ECCS reactor vent valve (RVV) pilot valve solenoids must be maintained to keep the RVVs closed at least until an automatic reactor trip occurs during non-LOCA postulated events, which assume an intact reactor coolant pressure boundary as a transient analysis initial condition. NuScale Response (Criterion 2) SECY-93-067, Final Policy Statement on Technical Specification Improvements provides additional direction on the intent of the Criterion 2 for improved Technical Specifications: Discussion of Criterion 2: Another basic concept in the adequate protection of the public health and safety is that the plant shall be operated within the bounds of the initial conditions assumed in the existing Design Basis Accident and Transient analyses and that the plant will be operated to preclude unanalyzed transients and accidents. These analyses consist of postulated events, analyzed in the FSAR, for which a structure, system, or component must meet specified functional goals. These analyses are contained in Chapters 6 and 15 of the FSAR (or equivalent chapters) and are identified as Condition II, III or IV events (ANSI N 18.2) (or equivalent) that either assume the failure of or present a challenge to the integrity of a fission product barrier. NuScale Nonproprietary NuScale Nonproprietary

As used in Criterion 2, process variables are only those parameters for which specific values or ranges of values have been chosen as reference bounds in the Design Basis Accident or Transient analyses and which are monitored and controlled during power operation such that process values remain within the analysis bounds. Process variables captured by Criterion 2 are not, however, limited to only those directly monitored and controlled from the control room. These could also include other features or characteristics that are specifically assumed in Design Basis Accident and Transient analyses even if they cannot be directly observed in the control room (e.g., moderator temperature coefficient and hot channel factors). The purpose of this criterion is to capture those process variables that have initial values assumed in the Design Basis Accident and Transient analyses, and which are monitored and controlled during power operation. As long as these variables are maintained within the established values, risk to the public safety is presumed to be acceptably low. This criterion also includes active design features (e.g., high pressure/low pressure system valves and interlocks) and operating restrictions (pressure/temperature limits) needed to preclude unanalyzed accidents and transients. A technical specification for EDAS power supply availability is not necessary to capture a process variable...assumed in safety analyses. As described in Section 15.0.0.6.3, unavailability of EDAS at event initiation is considered and addressed in Chapter 15. Both availability and unavailability of EDAS as an initial condition is considered. Therefore, EDAS unavailability is already an initial value assumed in the Design Basis...transient analyses and there is no process variable, design feature, or operating restriction associated with EDAS necessary to maintain process values within the analysis bounds. In addition, EDAS availability is inherently guaranteed for Mode 1 power operation. If EDAS is unavailable, the control rods are in and ECCS valves are open, conditions which prevent Mode 1 power operation. Because the Design Basis Accident and Transient analyses are associated with Mode 1 power operation, a Design Basis Accident and Transient will not occur if EDAS is not already available. Furthermore, in response to EDAS Deep Dive Action Item #11, NuScale included a provision in Chapter 8 of the FSAR to include availability and reliability controls in the owner control requirement manual (OCRM). NuScale Nonproprietary NuScale Nonproprietary

NRC Feedback Criterion 3 EDAS meets Criterion 3 because it is a system that is part of the primary success path and which functions to mitigate a [non-LOCA] transient that presents a challenge to the integrity of a fission product barrier by maintaining the two RVVs closed, thereby keeping the RCPB intact, at least until an automatic reactor trip occurs. (C) Criterion 3. A structure, system, or component that is part of the primary success path and which functions or actuates to mitigate a design basis accident or transient that either assumes the failure of or presents a challenge to the integrity of a fission product barrier. The EDAS is the primary source of DC electrical power to mitigate non-LOCA transients by keeping the RCPB intact, by maintaining the RVVs closed, at least until an automatic reactor trip occurs, thereby protecting the integrity of the fuel cladding fission product barrier. NuScale Response (Criterion 3) NuScale previously described how EDAS does not satisfy Criterion 3 in the response to A-16-8:

EDAS is not part of the primary success path for any design-basis accident or transient.

EDAS does not function to mitigate a design-basis accident or transient.

Design-basis accidents or transients are shown to meet applicable acceptance criteria without challenging the integrity of a fission product barrier both with and without EDAS power supply available. The NRC feedback provides no additional information or reasoning that addresses the justification NuScale provided that demonstrates that Criterion 3 is not met. As concluded in the response to A-16-8: The underlying issue of this audit question is the disagreement between the NRC and NuScale regarding whether it is necessary to include extremely unlikely scenarios (( }}2(a),(c) with no core damage as part of the design-basis. Until that issue is resolved, consideration of those scenarios as a basis for creation of technical specifications is premature. NuScale Nonproprietary NuScale Nonproprietary

NuScale impemented changes in the FSAR under CP-3915; markups of the affected changes are provided below: NuScale Nonproprietary NuScale Nonproprietary

NuScale Final Safety Analysis Report Onsite Power Systems NuScale US460 SDAA 8.3-6 Draft Revision 2 supplying 480 Vac input power to the battery chargers via connection to the EMVS to supply the connected loads and recharge the batteries. Audit Question EDAS Deep Dive Action Item 14, Audit Question A-15-14, Audit Question A-15-15, Audit Question A-EDAS Integrated Response to NRC Feedback on A-19.1-5, A-19.1-37, A-17.4-10, A-16-18 The EDAS is a non-Class 1E power system and is non-risk-significant. Augmented design, qualification, and quality assurance (QA) provisions are applied to the EDAS as described throughout Section 8.3.2. Table 8.3-2 identifies SSC classifications for EDAS. Augmented design requirements are applied to the EDAS batteries and EDAS distribution panels as described in Table 8.3-2. Table 8.3-3 provides references to the Final Safety Analysis Report (FSAR) sections that demonstrate compliance with the augmented provisions. An evaluation of EDAS component failures is provided in Table 8.3-1. The evaluation does not assume that each component single failure occurs concurrently with the unavailability of the redundant EDAS channel (EDAS-MS) or EDAS division (EDAS-C). The results demonstrate the reliability of the system to perform its functions and that failures in the EDAS do not prevent safety-related functions from being achieved and maintained. An evaluation of the EDAS reliability was performed. Using the generic failure probabilities from Section 19.1.4, the EDAS supports the mission requirements. The EDAS and equipment is designed to allow testing online or offline during normal operation. The batteries and battery chargers can be isolated from the rest of the subsystem for testing. Local and remote indications in the control room ensure the ability for continuously monitoring the batteries, battery chargers, and DC buses during test conditions. The battery monitor system (BMS) provides continuous monitoring of EDAS battery parameters indicative of battery performance. The EDAS provides DC power only to DC loads. Therefore, inverters are not required or included in the EDAS design. The EDAS operates ungrounded. Therefore, there are no connections to ground from either the positive or negative legs of the EDAS batteries or chargers. An ungrounded DC system ensures system reliability and availability in the event one of the system legs becomes grounded. The EDAS includes ground fault detection devices and relays consistent with the recommendations of IEEE Standard 946-2020 (Reference 8.3-5). Physical separation is achieved by installing equipment in different rooms that are separated by 3-hour fire barriers. The EDAS-MS Division I cables (channels A and C) and raceways are routed separately from EDAS-MS Division II cables (channels B and D) and raceways. Similarly EDAS-C Division I cables and raceways are routed separately from EDAS-C Division II cables and raceways. Although EDAS electrical power is not required to achieve a safe shutdown, this separation ensures that equipment in one fire

NuScale Final Safety Analysis Report Onsite Power Systems NuScale US460 SDAA 8.3-7 Draft Revision 2 area rendered inoperable by fire, smoke, hot gases, or fire suppressant does not affect the availability of the redundant equipment located in another fire area. The fire protection features and analyses are described in Section 9.5.1. The EDAS-MS equipment is shown on Figure 8.3-4a and Figure 8.3-4b. EDAS equipment that provides backup power is designed to Seismic Category I standards as discussed in Section 3.7 and Section 3.10. Audit Question EDAS Deep Dive Action Item 11, Audit Question A-15-14, Audit Question A-15-15, Audit Question A-EDAS Integrated Response to NRC Feedback on A-19.1-5, A-19.1-37, A-17.4-10, A-16-18 Controls over the reliability and availability of EDAS-MS power circuitry and supply are included in the owner-controlled requirements manual, described in Section 16.1. EDAS is also included in the maintenance rule program in accordance with 10 CFR 50.65. Audit Question A-15-14, Audit Question A-15-15, Audit Question A-EDAS Integrated Response to NRC Feedback on A-19.1-5, A-19.1-37, A-17.4-10, A-16-18 The requirement to include EDAS-MS within the owner-controlled requirements manual, as well as adherence to the requirements inherent to the maintenance rule (i.e., system performance and the requirement to assess and manage risk) ensures that the functionality (availability and reliability) of EDAS-MS is maintained consistent with the Probabilistic Risk Assessment modeling in Section 19.1: common cause failure remains the dominant failure mode reliability is equivalent to a typical Class 1E system test and maintenance unavailability, excluding batteries, is minimal and limited to a single channel test and maintenance unavailability of batteries is negligible Augmented Direct Current Power System Batteries Audit Question EDAS Deep Dive Action Item 1 Each EDAS battery comprises valve-regulated lead-acid (VRLA) type cells connected in series to generate 125 Vdc. The EDAS includes augmented design provisions for batteries. The batteries are designed and installed per IEEE Std. 1187-2013. Maintenance and testing is performed in accordance with IEEE Std. 1188-2005(R2010) with 2014 amendment. The batteries are sized per IEEE Std. 485-2020 as endorsed by RG 1.212, Revision 2. Instrumentation, indication, and alarms conform with IEEE Std. 946-2020, IEEE Std. 1491-2012, IEEE Std. 1187-2013, and IEEE 1188-2005. 8.3.2.1.2 Normal Direct Current Power System The EDNS is a non-Class 1E DC power system classified as nonsafety-related and non-risk-significant. Table 8.3-2 identifies SSC classifications for EDNS. The EDNS does not serve safety-related loads, and

NuScale Final Safety Analysis Report Onsite Power Systems NuScale US460 SDAA 8.3-39 Draft Revision 2 Audit Question A-15-14, Audit Question A-15-15, Audit Question A-EDAS Integrated Response to NRC Feedback on A-19.1-5, A-19.1-37, A-17.4-10, A-16-18 Table 8.3-3: Augmented Direct Current Power System Augmented Design, Qualification, and Quality Assurance Provisions Topic Provision FSAR Section Quality Assurance (QA) Graded QA (GQA) Program

  • GQA as described in QA Program Description (QAPD) meets or exceeds augmented QA provisions specified in RG 1.155, Appendix A 17.3 Environmental Qualification (EQ)

Batteries providing backup DC power are environmentally qualified per IEEE 323-2003 and located in a mild environment. 8.3.2.2.1 Batteries Commercial grade valve-regulated lead-acid (VRLA) batteries:

  • Design and installation per IEEE Std. 1187-2013
  • Sizing per IEEE Std. 485-2020 as endorsed by RG 1.212, Revision 2
  • Instrumentation, indication, and alarms per IEEE Std. 946-2020, IEEE Std. 1491-2012, IEEE Std. 1187-2013, and IEEE 1188-2005(R2010) with 2014 amendment 8.3.2.2.1 8.3.2.4 Onsite Standby Power Sources Nonsafety-related backup generators conform with:
  • Standard Review Plan Section 19.3
  • Electric Power Research Institute Utility Requirements Document, Revision 13
  • SECY-94-084, SECY-95-132, and associated Staff Requirements Memoranda 8.3.1.1.2 Identification Identification per IEEE Std. 384-1992 as endorsed with modification by RG 1.75 8.3.2.2.1 Independence Independence maintained via physical separation and electrical isolation per IEEE Std. 384-1992 as endorsed with modification by RG 1.75 8.3.2.2.1 Single Failure Criterion The single-failure criterion is applied to EDAS SSC that provide electrical power to prevent unintended ECCS valve actuation per IEEE 379-2020 as endorsed by RG 1.53.

8.3.2.1.1 Common-Cause Failure (CCF) CCF probability minimized to the extent practicable via:

  • independence (including appropriate use of physical separation and electrical isolation) of redundant divisions and channels
  • protection from environmental and dynamic effects of internal equipment failures design requirements
  • design, environmental qualification, and quality assurance provisions
  • HVAC systems provides EDAS SSC with ventilation, including cooling, heating, and humidity control
  • protection from natural phenomena
  • location of the EDAS within Seismic Category I structures
  • each battery supply shall be immediately available during both normal operations and following the loss of power from the AC system.

EDAS batteries are connected to the DC distribution panel and maintained on a float charge. Upon a loss of AC power the batteries will immediately supply required EDAS loads without interruption. 8.3.2.2.1 Protection Equipment protection and coordination studies are performed in accordance with IEEE 242-2001, IEEE 946-2020, and IEEE 1375-1998. 8.3.2.2.2

NuScale Final Safety Analysis Report Onsite Power Systems NuScale US460 SDAA 8.3-40 Draft Revision 2 Isolation with Class 1E Safety systems protected from variations in voltage, frequency, and waveform Class 1E isolation equipment at each interface between the non-Class 1E electrical system and downstream Class 1E circuits. 8.3.2.2.2 7.0.4.1 7.1.2.2 Location of Indicators and Controls Controls and indication provided inside and outside the MCR

  • EDAS instrumentation, indication, and alarming features are consistent with guidance contained in the IEEE 946-2020, IEEE 1491-2012, IEEE 1187-2013, and IEEE 1188-2005(R2010) with 2014 amendment 8.3.2.2.2 Maintenance, Surveillance and Testing
  • Periodic inspection and testing is performed on the EDAS for operational, commercial, and plant investment protection purposes.
  • Preoperational testing performed according to FSAR Section 14.2
  • Battery maintenance and testing shall be performed in accordance with IEEE Std.

1188-2005(R2010) with 2014 amendment 8.3.2.3 14.2 Multi-Unit Station Considerations No sharing of DC power between units that results in potential adverse interactions. 8.3.2.2.1 Table 8.3-3: Augmented Direct Current Power System Augmented Design, Qualification, and Quality Assurance Provisions (Continued) Topic Provision FSAR Section

NuScale Final Safety Analysis Report Transient and Accident Analyses NuScale US460 SDAA 15.0-13 Draft Revision 2 opening of RVVs opening of RRVs after differential pressure drops below the IAB release pressure threshold Audit Question A-15-14, Audit Question A-15-15, Audit Question A-EDAS Integrated Response to NRC Feedback on A-19.1-5, A-19.1-37, A-17.4-10, A-16-18 The timing of a potential loss of EDAS is assessed based on the conclusions of the deterministic system evaluation and insights from the probabilistic evaluations. A loss of EDAS at event initiation is considered and addressed in the Chapter 15 analyses as described below. A loss of EDAS after reactor trip is completed is non-limiting because the control rods are fully inserted. A loss of EDAS after event initiation, but before control rods are fully inserted, is not considered because deterministic evaluation of the system design does not identify a failure mode that would result in failure during this period. The probability of a DBE combined with a random failure of EDAS during this period is extremelyso low that this postulated scenario is classified as a beyond-design-basis event. The evaluation of beyond-design-basis events is performed in Chapter 19based on the EDAS design meeting the augmented provisions in Table 8.3-3. Therefore, evaluation of DBEs with an assumed loss of EDAS at event initiation is appropriate to demonstrate that the EDAS is not relied upon to remain functional during a DBE to perform safety-related functions. For the DBEs and associated acceptance criteria evaluated with the LOCA evaluation model, described in Section 15.0.2, a loss of EDAS at event initiation is explicitly addressed in the Chapter 15 section for that DBE. For the DBEs that do not use the LOCA evaluation model, a generic assessment of the loss of EDAS at event initiation is performed to confirm EDAS power being available is more limiting for the acceptance criteria being evaluated. A loss of EDAS at event initiation results in immediate reactor trip, containment isolation, secondary system isolation, and DHRS actuation. These MPS actuations immediately mitigate the initiating event. Therefore, the primary and secondary pressure responses are less limiting than if EDAS is assumed to be available and reactor trip is delayed. For evaluation of the SAFDLs, the non-LOCA DBEs are compared to Section 15.6.6, Inadvertent Operation of Emergency Core Cooling System, and found to be bounded by the inadvertent operation of ECCS with EDAS available. Based on the conclusion of this generic assessment, further evaluation of a loss of EDAS power is not provided in the Chapter 15 section of these non-LOCA DBEs. Reference 15.0-14 provides additional information regarding the treatment of EDAS power in the safety analysis.

NuScale Final Safety Analysis Report Transient and Accident Analyses NuScale US460 SDAA 15.0-41 Draft Revision 2 15.0-2 NuScale Power, LLC, Statistical Subchannel Analysis Methodology, Supplement 1 to TR-0915-17564-P-A, Revision 2, TR-108601-P-A, Revision 42. 15.0-3 NuScale Power, LLC, NuScale Power Critical Heat Flux Correlations, TR-0116-21012-P-A, Revision 1. 15.0-4 NuScale Power, LLC, Applicability Range Extension of NSP4 Critical Heat Flux Correlation, Supplement 1 to TR-0116-21012-P-A, Revision 1, TR-107522-P-A, Revision 1. 15.0-5 NuScale Power, LLC, Loss-of-Coolant Accident Evaluation Model, TR-0516-49422-P, Revision 3. 15.0-6 NuScale Power, LLC, Accident Source Term Methodology, TR-0915-17565-P-A, Revision 4. 15.0-7 NuScale Power, LLC, Non-Loss-of-Coolant Accident Analysis Methodology, TR-0516-49416-P, Revision 4. 15.0-8 NuScale Power, LLC, Extended Passive Cooling and Reactivity Control Methodology, TR-124587-P, Revision 0. 15.0-9 U.S. Environmental Protection Agency, Limiting Values of Radionuclide Intake and Air Concentration and Dose Conversion Factors for Inhalation, Submersion, and Ingestion, Federal Guidance Report 11, EPA-520/1-88-020, 1988. 15.0-10 U.S. Environmental Protection Agency, External Exposure to Radionuclides in Air, Water, and Soil, Federal Guidance Report 12, EPA-402-R-93-081, 1993. 15.0-11 NuScale Power, LLC, Evaluation Methodology for Stability Analysis of NuScale Power Module, TR-0516-49417-P-A, Revision 1. 15.0-12 NuScale Power, LLC, NuScale Rod Ejection Accident Methodology, TR-0716-50350-P, Revision 32. 15.0-13 U.S. Nuclear Regulatory Commission, Staff Requirements - SECY-19-0036 - Application of the Single Failure Criterion to NuScale Power LLCs Inadvertent Actuation Block Valves, July 2, 2019. Audit Question A-15-14, Audit Question A-15-15, Audit Question A-EDAS Integrated Response to NRC Feedback on A-19.1-5, A-19.1-37, A-17.4-10, A-16-18 15.0-14 NuScale Power, LLC, Treatment of DC Power in Safety Analysis, TR-102621-P, Revision 1.

NuScale Final Safety Analysis Report Transient and Accident Analyses NuScale US460 SDAA 15.0-55 Draft Revision 2 Audit Question A-15-14, Audit Question A-15-15, Audit Question A-EDAS Integrated Response to NRC Feedback on A-19.1-5, A-19.1-37, A-17.4-10, A-16-18 Table 15.0-9: Referenced Topical and Technical Reports Topical or Technical Report Report Description LOCA Evaluation Model (Topical) TR-0516-49422-P Summarizes the LOCA PIRT, the NRELAP5 code features and modifications, assessments of NRELAP5 against separate effects tests (SETs) and integral effects tests (IETs), and the applicability evaluation of NRELAP5 to LOCA and inadvertent RPV valve opening analyses. Provides sample cases to demonstrate application of the evaluation model to the NPM design. The transition between the initial LOCA event and long-term cooling is defined in this document. Summarizes the CNV pressure and temperature analysis methodology. Extended Passive Cooling and Reactivity Control Methodology (Topical) TR-124587-P This report summarizes the long-term design-basis event progression following DHRS and ECCS actuation, the regulatory requirements and NuScale-specific design requirements applicable to long-term core cooling, the extended passive cooling (XPC) acceptance criteria, the XPC PIRT, the analysis tools, qualification of the tools, and methodology for demonstrating that the XPC acceptance criteria are met, and example results of XPC analyses for collapsed liquid level above top of core, subcriticality, and boron transport. Evaluation Methodology for Stability Analysis of NuScale Power Module (Topical) TR-0516-49417-P-A Presents a methodology for addressing thermal-hydraulic stability in the NPM. The basis of the NPM stability study is a detailed phenomenological review. Provides generic representations of anticipated transients where unstable oscillations can occur. Identifies the limiting instability mode as natural circulation instability. The adiabatic riser response dominates the response rather than wave propagation in the core. The dynamics of the SG and the fission power response to reactivity feedback influence stability. Describes the computational method for the analysis of the postulated instability modes of the NPM during steady state normal operation and anticipated transients. Identifies that potential instability from loss of subcooling in the riser is excluded by MPS protective actions.

NuScale Final Safety Analysis Report Transient and Accident Analyses NuScale US460 SDAA 15.0-57 Draft Revision 2 Non-LOCA Analysis Methodology (Topical) TR-0516-49416-P Describes evaluation model that simulates the NPM transient response to non-LOCA events. Addresses the EMDAP process used to establish the adequacy of the non-LOCA methodology. Uses a graded approach to the EMDAP for development of the non-LOCA system transient evaluation model considering the overlap in high-ranked phenomena and conservatism applied to input and boundary conditions of the LOCA evaluation model in the non-LOCA plant transient calculations. Describes the non-LOCA PIRT assessment of the relative importance of phenomena and processes that can occur in the NPM during non-LOCA events in relation to specified figures of merit. Describes the requirements for evaluation model capability developed from the non-LOCA PIRT. Explains how NRELAP5 assessments performed for LOCA evaluation model development demonstrate NRELAP5 qualification for high rank/low knowledge-level non-LOCA PIRT phenomena. Treatment of DC Power in Safety Analysis (Technical) TR-102621-P Describes the design-review process to determine the safety and risk classification of SSC, including the application of the process to DC power electrical systems. Provides a deterministic technical basis for the loss of power considerations in the safety analysis. Provides a defense-in-depth evaluation of events with a loss of DC power. Provides a summary of the probabilistic risk assessment, including metrics pertaining to the potential for ECCS valve opening during AOOs. Table 15.0-9: Referenced Topical and Technical Reports (Continued) Topical or Technical Report Report Description}}

Retrieved from "https://kanterella.com/w/index.php?title=ML24346A306&oldid=5465132"