ML25133A110

From kanterella
Jump to navigation Jump to search
Non-Concurrence on NuScale SDAA Chapter 15 Safety Evaluation Report
ML25133A110
Person / Time
Issue date: 03/07/2025
From: Antonio Barrett, Craig Harbuck, John Lehning, Zhian Li, John Miller, Ryan Nolan, Patton R, Marie Pohida, Rau A, Sheila Ray, Thomas Scarbrough
Office of Nuclear Reactor Regulation
To:
References
NCP-2025-002
Download: ML25133A110 (1)
v  d  e


Text

NRC FORM 757 (06-2019)

U.S. NUCLEAR REGULATORY COMMISSION NRC MD 10.158 NON-CONCURRENCE PROCESS COVER PAGE The U.S. Nuclear Regulatory Commission (NRC) strives to establish and maintain an environment that encourages all employees to promptly raise concerns and differing views without fear of reprisal and to promote methods for raising concerns that will enhance a strong safety culture and support the agency's mission.

Employees are expected to discuss their views and concerns with their immediate supervisors on a regular, ongoing basis. If informal discussions do not resolve concerns, employees have various mechanisms for expressing and having their concerns and differing views heard and considered by management.

Management Directive (MD) 10.158, "NRC Non-Concurrence Process," describes the Non-Concurrence Process (NCP).

The NCP allows employees to document their differing views and concerns early in the decision-making process, have them responded to (if requested), and include them with proposed documents moving through the management approval chain to support the decision-making process.

NRC Form 757, "Non-Concurrence Process," is used to document the process.

Section A of the form includes the personal opinions, views, and concerns of a non-concurring NRC employee.

Section B of the form includes the personal opinions and views of the non-concurring employee's immediate supervisor.

Section C of the form includes the agency's evaluation of the concerns and the agency's final position and outcome.

NOTE: Content in Sections A and B reflects personal opinions and views and does not represent the official agency's position of the issues, nor official rationale for the agency decision. Section C includes the agency's official position on the facts, issues, and rationale for the final decision.

1. Was this process discontinued? If so, please indicate the reason and skip questions 2 and 3:

Process was not discontinued

2. At the completion of the process, the non-concurring employee(s):

Continued to non-concur 3.

For record keeping purposes:

This record has been reviewed and approved for public dissemination NRC FORM 757 (06-2019)

Page 1 of 16

ML25094A166

ML25094A166

ML25094A166

ML25094A166

ML25094A166

ML25094A166

ML25094A166

ML25094A166

NRC FORM 757 (06-2019)

U.S. NUCLEAR REGULATORY COMMISSION NRC MD 10.158 NON-CONCURRENCE PROCESS (Continued)

Section C-To Be Completed by NCP Coordinator

2.

Title of Subject Document NuScale SDAA Chapter 15 Safety Evaluation Report

4.

Name of NCP Coordinator Jay Robinson - SENIOR FIRE PROTECTION ENGINEER

5.

NCP Coordinator's Email Jay.Robinson@nrc.gov

1.

NCP Tracking Number NCP-2025-002 Date 2025-04-22

6.

Office NRR

7.

Agreed Upon Summary of Issues On December 31, 2022, NuScale submitted Revision O of its standard design approval application (SDAA) for its US460 standard plant design. Prior to and during the NRC staff review, the NRC staff identified several issues related to the augmented direct current (DC) power system (EDAS) that had the potential to impact the staff's ability to complete its review. As NRC staff and management worked through these issues, impasses developed between the staff and management which resulted in several NRC staff submitting a nonconcurrence in regard to Safety Evaluation (SE) Chapter 15, "Transient and Accident Analysis." The issues identified in the non-concurrence are discussed below:

1. Classifying EDAS as Non-Safety-Related NuScale has deemed the EDAS as a non-safety-related SSC. Non-concurring staff contend that the EDAS meets Criteria 1 and 2 of the definition of safety-related structure, system, or component (SSC) as defined in 10 CFR 50.2. Criteria 1 and 2 include SSCs that are relied upon to remain functional during and following design basis events to, 1. assure the integrity of the reactor coolant pressure boundary, and 2. to assure the capability to shut down the reactor and maintain it in a safe shutdown condition. Because NuScale is not classifying EDAS as safety-related, it is not in compliance with the applicable special treatment requirements which include 10 CFR Part 50, Appendix B, quality assurance requirements, and 10 CFR 50.55a(h). While SE Chapter 8 does discuss exemptions from GDCs 17 and 18, it does not provide any level of justification for an exemption from the requirements applicable to safety-related systems. The non-concurring technical staff proposed several approaches to address the exemptions as discussed below:
a. Request an exemption under 10 CFR 50.12 (which is referenced by 10 CFR 52.7) for the EDAS from the safety-related definition in 10 CFR 50.2 with subsequent classification of the EDAS as within the scope of the Regulatory Treatment of Non Safety Systems (RTNSS) as a risk significant non-safety related system.
b. Apply the risk-informed classification process of 10 CFR 50.69 which may be suited to the SSC classification issue for EDAS because it would allow relaxation to the scope of equipment subject to special regulatory treatment and better focus both licensee and NRC attention and resources on equipment that has higher risk and safety significance.
c. Allow the option to use a graded approach to the quality of the EDAS that mirrors the reasonable confidence concept of 10 CFR 50.69. Since this would not provide compliance with the safety-related special treatment requirements, justification for exemptions to applicable requirements would be needed in accordance with 10 CFR 50.12.
2. Not Requiring Technical Specifications for EDAS 10 CFR 50.36(c)(2) states that limiting conditions for operation (LCOs) are the lowest functional capability or performance levels of equipment required for safe operation of the facility, and that a technical specification (TS) LCO of a nuclear reactor must be established for each item meeting one or more of four LCO criteria.

The non-concurring technical staff finds that the EDAS meets LCO Criterion 2, which is defined as a process variable, design feature, or operating restriction that is an initial condition of a design basis accident or transient analysis that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.

The non-concurring technical staff concludes that redundancy of EDAS DC electrical power to the RWs to ensure reactor coolant pressure boundary integrity, is a design feature that is an analysis initial condition of a design basis transient that presents a challenge to the integrity of a fission product barrier, thus requiring an LCO consistent with the Commission's Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors and in accordance with 10 CFR 50.36(c)

(2).

The non-concurring technical staff also finds that the EDAS meets LCO Criterion 3, which is defined as a structure, system, or component that is part of the primary success path and which functions or actuates to mitigate a design basis accident or transient that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.

NRC FORM 757 (06-2019)

Page 10 of 16 Use ADAMS Template NRC-006 (ML0631201S9)

ADAMS Accession Number ML25094A166

The non-concurring technical staff concludes that EDAS, in part, bears the primary functions to mitigate a design-basis transient that presents a challenge to the integrity of a fission product barrier, thus requiring an LCO consistent with the Commission's Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors and in accordance with 10 CFR 50.36(c)(2).

The non-concurring staff has proposed an approach to satisfy the requirement to establish an LCO for EDAS support of the emergency core cooling system (ECCS) hold function. This would be to clarify in the TS Bases that operability of the reactor vent valves (RWs) also requires the RWs to perform the ECCS hold function to support maintaining reactor coolant pressure boundary integrity and adding a surveillance requirement (SR) (and appropriate Bases) that periodically verifies EDAS is providing redundant battery-backed DC electrical power to maintain the RWs closed except as allowed by availability controls in the owner-controlled requirements manual (OCRM) of the FSAR. These EDAS availability controls would provide appropriate risk-informed limits on repair times for EDAS DC power channels and suitable testing requirements to assure channel availability. Changes to the OCRM EDAS availability controls would be adequately controlled under 10 CFR 50.59 because the availability controls would be included in the FSAR. Exceeding an availability control allowed EDAS channel repair time limit would require declaring the affected RW inoperable because the SR acceptance criterion of redundant EDAS DC electrical power to the affected RW would not be met.

3. Use of First of Its Kind Technology The non-concurring technical staff notes that the use of valveregulated lead acid (VRLA) batteries is a first-of-a-kind application in a nuclear power plant and that operating plants and other nuclear facilities typically use vented lead-acid batteries in standby applications, which have a proven record of capacity, capability and reliable performance. Because VRLA batteries are not typically used in standby applications in nuclear power plants (NPPs), which is how they would be used in the EDAS, additional review is warranted to ensure reasonable assurance of public health and safety.

The currently licensed to operate power reactors all use vented lead-acid storage batteries for which the staff developed regulatory guide 1.128, "Installation Design and Installation of Vented Lead-Acid Storage Batteries for Nuclear Power Reactor," (ML070080013) for installation design of large lead-acid storage batteries that are used in power reactors which in endorses Institute of Electrical and Electronics Engineers (IEEE) Standard IEEE 484-2002. However, there is no established NRC guidance for what is defined as augmented quality for this first-of-a kind technology nor what is determined to be "highly reliable," and these are not terms that are defined in the regulations or in Commission policy, nor was any technical basis provided for how staff should evaluate applications for this particular first of its kind technology.

The non-concurring staff has proposed several approaches to ensure acceptable reliability with reasonable assurance of public health and safety, including the following:

  • reviewing qualification testing that would provide assurance that the batteries can perform their intended function and demonstrate reliability during their service life
  • recharacterizing that augmented quality is not synonymous with reliability or that it equals high reliability
  • establishing Inspections, Tests, Analyses, and Acceptance Criteria (ITAAC) that would enable the NRC staff to determine for use of these first-of-a-kind batteries after installation but prior to initial plant operation.
4. NRR Office Management Decision Making The non-concurring staff believes that NRR office management decision making was not conducted in accordance with applicable policies, procedures, and regulations, and that NRR office management also did not provide defensible technical or regulatory bases for several decisions that were made. The non-concurring staff's concerns with the decisions are listed below:
a. Office management overstepped in its interpretation that the direction provided in SRM-SECY-19-0036 allows the NRC staff latitude to apply different review criteria than those specified in applicable regulations, including 10 CFR 50.2 and 10 CFR 50.36.
b. There was no evidence that risk-informed principles, as stated in SRM-SECY-19-0036, were applied or followed.
c. Office management failed to elaborate and provide specifics of the application of SRM-SECY-19-0036, as it relates to the technical and regulatory aspects on the classification of the EDAS.
d. Office management failed to thoroughly explain technical and regulatory justification of the GDC 17 and 18 exemptions.
e. Office management did not understand that the EDAS is relied upon to assure the integrity of the RCPB during all times of power operation.
f. Office management did not understand that the transients where the EDAS is relied on to function to ensure the specified acceptable fuel design limits (SAFDLs) are not exceeded are categorized as anticipated operational occurrence (AOOs).
g. Office management did not understand that EDAS is relied on to perform safety-related functions for the entire duration of the transient and that its safety function is not just performed "at the worst-case time in the middle of a plant transient."
h. Office management did not understand the inherent differences of the analytical approaches and systems between the US600 certified design and the US460 SDAA.
i. Office management did not understand that the premise that the EDAS does not need to be classified as safety-related because it is perceived to be a highly reliable system that has no regulatory basis or precedent. Data from operating plants, where DC power is safety related and is scoped into Technical Specifications. was used in the NuScale PRA.
j. Office management direction to staff was inconsistent with established policies and procedures for regulatory relaxations and documenting agency decisions.
k. Management Directive 3.53, "NRC Records and Document Management Program," regarding documentation of the office management decision was not followed.

NRC FORM 757 (06-2019)

Page 11 of 16 Use ADAMS Template NRC-006 (ML0631201S9)

I. The office management's decision is inconsistent with the 1995 Commission PRA Policy Statement which states that the existing rules and regulations shall be complied with unless these rule and regulations are revised.

m. The office management's decision is inconsistent with the NRC Princi pies of Good Regulation of efficiency, openness, clarity and reliability.
8.

Evaluation of Non-Concurrence and Rationale for Decision As the non-concurring staff notes, the safety classification of EDAS in NuScale's US460 design was identified as a challenging issue very early in the standard design approval application (SDAA) review, and it's one that NRC staff and management have struggled with throughout the course of the review. I appreciate the efforts of the staff to evaluate the technical and regulatory considerations associated with the issue, to think through options for addressing them using risk-informed principles, and to meet with me to discuss their concerns. I also appreciate the fact that they felt comfortable raising concerns associated with previous decision-making on this topic. Their work has been critically important to helping me reach a fully informed decision.

Background

NuScale's US600 design was certified by the Commission in Appendix G to 10 CFR Part 52 in 2023. On December 31, 2022, NuScale submitted an SDM for its similar US460 standard plant design.

Both the US600 and the US460 are designed to be safely shut down without operator action, the addition of makeup water, or reliance on electrical power. In both designs, the emergency core cooling system (ECCS) includes valves connected to the reactor pressure vessel (RPV) - reactor vent valves (RWs) mounted on the top of the RPV and reactor recirculation valves (RRVs) mounted on the sides of the RPV. During normal operation, the valves are maintained closed by 125-volt direct current (DC) power from the augmented DC power system, referred to as EDAS in the US460 design and EDSS in the US600 design. Loss of EDSS and EDAS are considered anticipated operational occurrences (AOOs), which are events that are expected to occur one or more times during the life of the plant.

As the staff notes in Section A, there is a difference in the design of the RWs between the US600 and US460 that is relevant to the non-concurrence. In the US600 design, each RW and RRV include inadvertent actuation block (IAB) valves. In the event EDSS fails, the module protection system would actuate, resulting in a scram, containment isolation, ECCS actuation signal, and decay heat removal system actuation (DHRS). The JAB valves would maintain the RWs and RRVs closed until cool down from DHRS operation results in reactor coolant system pressure reaching approximately 950 psi, at which point the RWs and RRVs would open, establishing core cooling via recirculation with the large volume of water in the containment. In the US460 design, the RWs are not equipped with JAB valves. With that design, the plant's response to an EDAS failure would be similar, except that the RWs would open at the same time EDAS fails, at the plant's normal operating pressure of approximately 2,000 psi. The US460 design also includes a power uprate.

During the US600 design certification, the NRC staff reviewed topical report (TR)-0815-16497, "Safety Classification of Passive Nuclear Power Plant Electrical Systems,"

which was submitted by NuScale to obtain approval of a set of passive design and operational attributes that if met would justify that no plant electrical systems are safety-related. During its review of that TR, the staff noted that the example safety analysis in Appendix D of the TR showed that plant response to loss of EDSS, which as discussed above is considered an AOO, includes establishment of a direct flow path between the reactor coolant system and the containment. At the time, the staff was concerned that such an approach placed too much reliance on performance of the containment and may be inconsistent with defense-in-depth principles. The staff conditionally approved the TR to, in part ensure that EDSS is designed with sufficient reliability such that a design-basis event that removes the reactor coolant pressure boundary as a fission product barrier does not occur with the frequency of an AOO. That approach was specifically reviewed by the Advisory Committee on Reactor Safeguards, which expressed support. The Commission subsequently approved the US600 design with EDSS not designated as safety-related, but with controls to ensure EDSS is sufficiently reliable. NuScale did not reference TR-0815-16497 in their SDM application for the US460 design. Rather, NuScale chose to incorporate directly into the SDAA the same controls to ensure reliability and availability of EDAS that were used for EDSS.

As discussed in Section A, during the SDAA review, NRC staff and management raised similar concerns with the safety classification of EDAS. These concerns were compounded by the design change associated with the RWs and the power uprate, which could change the consequences of a loss of EDAS as compared to the US600 design. Specifically, as part of the review, staff assessed whether or not EDAS should be classified as safety-related, and whether not classifying it as safety-related would require an exemption from the regulations. After extensive discussions on the topic, NRR management ultimately decided, for reasons articulated in an email included as part of Section A of the non-concurrence, that it would not be necessary for EDAS to be treated as safety-related and that an exemption would not be needed.

The non-concurring staff's concern largely centers around whether an exemption is needed to not classify EDAS as safety-related (Concern 1 below). They also suggest additional controls they believe are warranted to further enhance the reliability and availability of EDAS (Concerns 2 and 3 below). Finally, they raise several concerns about the decisionmaking process documented in the email discussed above (Concern 4 below). Those concerns are included in more detail in the summary of issues section of the non-concurrence. My evaluation of each is provided below.

NRC FORM 757 (06-2019)

Page 12 of 16 Use ADAMS Template NRC-006 (ML0631201S9)

Concern 1: Not Classifying EDAS as Safety-Related 10 CFR S0.2 defines safety-related structures, systems, and components (SSCs) as those SSCs relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; or (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures comparable to the applicable guideline exposures set forth in § 50.34(a)(1) or § 100.11 of this chapter, as applicable.

In their non-concurrence, the non-concurring staff indicate their belief that EDAS is an SSC that meets Criterion 1 and 2.

Application of Criterion (1)

The non-concurring staff argue that the fact that a loss of EDAS will cause the RWs to open represents a loss of the reactor coolant pressure boundary. As such, they believe that Criterion (1) above is met and EDAS should be considered safety-related, absent an exemption. However, I find this argument to be inconsistent with the Commission's decision on the US600 design certification. In that case, the Commission approved treating EDSS, the analogous system to EDAS, as non-safety-related without an exemption, subject to augmented controls being applied. Those same controls are applied to EDAS as part of the SDAA. I recognize that the plant's response to a loss of EDAS in the US460 design is different from that of the US600 design. Specifically, as discussed above, with the US460 design, upon failure of EDAS, the RWs would open at normal operating pressure. However, that distinction is not relevant to the application of Criterion (1). In both cases, the RWs open and in both cases, NuScale has completed analyses to verify that containment integrity is maintained and there are no adverse reactor safety consequences; the fact that the opening of the RWs is delayed in the case of the US600 design does not create a distinction that would invalidate application of the Commission's decision on the design certification to the staff's decision on the SDAA.

Application of Criterion (2)

The non-concurring staff also argue that Criterion (2) is met. Specifically, the staff argue that in scenarios involving certain AOOs, such as increase-in-reactivity or increase-in-heat-removal events, failure of EDAS after initiation of the AOO could result in an exceedance of the specified acceptable fuel design limits (SAFDLs). The staff point to SECY-94-084, which describes the term "safe shutdown" as a condition where the reactor is maintained subcritical, sufficient decay heat is removed, and radioactive materials are confined. They also point to General Design Criterion (GDC) 34, which requires, in part that a system to remove decay heat be provided, and that the system be capable of transferring heat at a rate sufficient to avoid exceeding the SAFDLs. Finally, the non-concurring staff point to Table 1S.0-2 in Chapter 15 of the Final Safety Analysis Report for the SDAA, which states that for AOOs, "fuel cladding integrity will be maintained by ensuring the SAFDLs are met." They argue that because the SAFDLs could be exceeded, the fission product barrier is not maintained, and Criterion (2) is met.

As part of discussing this issue with the NRC staff early in the SDAA review, NuScale submitted a proprietary technical report entitled "Treatment of DC Power in Safety Analyses." That report assessed, among other things, impacts on fuel cladding temperature of the SAFDL exceedance discussed above. It also evaluated potential EDAS failure modes and provided insights from NuScale's probabilistic risk assessment (PRA). The report identified that the SAFDL exceedance would be of short duration (on the order of seconds) and that the associated peak cladding temperatures resulting from the exceedance would remain well below the 2,200 °F limit in the regulations.

The report also identified that there are no mechanistic reasons that an unrelated AOO would cause EDAS to fail. As a result, NuScale concluded that the frequency of a random failure of EDAS during an unrelated AOO is very unlikely, occurring with a frequency of approximately once every 100,000,000 years. I acknowledge that the staff did not formally review and endorse this report and may not agree with some of its conclusions, but I find that it provides useful insights into the applicability of Criterion (2) to an AOO followed by an unrelated EDAS failure. I also acknowledge that while NuScale's technical report focused on margin to the peaking cladding temperature limit, there are other fuel failure mechanisms that could occur below 2,200 °F. While not discussed in the report, I also note that in order for the SAFDL exceedance to take place, operators would have to take no action to reduce power to below the licensed power limit following the initial AOO (e.g., the increase-in-reactivity event).

SSCs that are relied on to satisfy the GDCs are generally considered "important to safety," which could include both safety-related and non-safety-related SSCs.

Regardless, the fact that they are used to meet the GDCs make them subject to the quality assurance requirements of GDC 1, "Quality standards and records." GDC 1 specifies that programmatic quality standards for SSCs important to safety provide adequate assurance that these SSCs will satisfactorily perform their safety functions specified in the GDCs. While I acknowledge this may have been the case with past applications, I find that a plain language reading of the regulations does not require that equipment used to prevent exceedance of the SAFDLs under GDC 34 to be designated as safety-related. Rather, GDC 1 requires adequate assurance that such NRC FORM 757 (06-2019)

Page 13 of 16 Use ADAMS Template NRC-006 (ML0631201S9)

equipment will perform its function. Similarly, I don't find that Criterion (2) of 10 CFR S0.2 clearly equates failure to meet the SAFDLs with failure to maintain fuel integrity and, by extension, safe shutdown. In the case of an EDAS failure during an unrelated AOO, there is reasonable assurance that that reactor will scram, decay heat will be removed, and containment and fuel integrity will be maintained, ensuring safe shutdown of the reactor. In addition, as discussed above, the same availability and reliability controls that were used to ensure EDSS failures do not occur with the frequency of an AOO have been applied to EDAS.

I recognize that in this case, the regulations are susceptible to different interpretations. This challenge is likely to continue as the staff applies 10 CFR Parts 50 and 52, which were established with the current fleet of large light water reactors in mind, to innovative technologies associated with Generation Ill and IV reactors. This is evidenced by the challenges in resolving this issue and similar issues the staff is addressing with other new reactor applicants. In the staff requirements memorandum (SRM) to SECY 19 0036, "Application of the Single Failure Criterion to NuScale Power LLC's Inadvertent Actuation Block Valves," the Commission directed, in part In any licensing review or other regulatory decision, the staff should apply risk-informed principles when strict, prescriptive application of deterministic criteria such as the single failure criterion is unnecessary to provide for reasonable assurance of adequate protection of public health and safety.

The discussion in the two sections that immediately follow provides my basis for why the existing controls in place to ensure reliability and availability of the EDAS provide reasonable assurance that it will function as designed, without the need to issue a specific exemption to not classify it as a safety-related SSC. The table at the end of this document demonstrates how risk-informed principles were applied in this case, consistent with the SRM associated with SECY-19-0036.

As part of Concern 1, the non-concurring staff also argue that if an exemption were to be issued, EDAS should be classified as a risk-significant non-safety-related system within the scope of the Regulatory Treatment of Non-Safety Systems (RTNSS) process. While I have decided that an exemption is not necessary, I evaluated the need for such a classification absent an exemption. In completing the US460 design, NuScale screened EDAS through its RTNSS process and concluded that the system is not risk significant. I have determined that requiring NuScale to reclassify EDAS as a risk-significant non-safety-related system does not provide any additional safety benefit and is not necessary. As discussed in the sections below, NuScale has addressed both the reliability assurance activities that occur before initial fuel load, as well as the reliability and availability assurance activities conducted during operations. In addition, I did not identify a safety gap or concern between the items that NuScale will perform related to the engineering design, reliability, and the availability of EDAS, compared to those that would be provided if EDAS were identified as a risk-significant non-safety-related system under the RTNSS process.

Concern 2: Use of First-of-Its-Kind Technology In evaluating the reliability and availability of the EDAS, prior to and during the operation of the plant, the measures currently documented in Chapter 8 of the FSAR for reliability, including capacity and capability of the EDAS, are sufficient to support a reasonable assurance finding. NuScale incorporated by reference Institute of Electrical and Electronics Engineers (IEEE) consensus standards for qualification, installation, operation, maintenance, and testing in Chapter 8 of the FSAR; the commitment to these standards in the NuScale SDAA thereby becomes part of the design basis and subject to NRC oversight.

Prior to the operation of the plant, the EDAS will be qualified per IEEE Standard 535. That standard requires testing that consists of aging the batteries (by natural or accelerated means) by application of environmental factors that can act on them, including radiation, aging, cycling, and seismic qualification. When installed, the batteries will be subjected to the practices and procedures in IEEE Standard 1187, as stated in Chapter 8 of the FSAR. This standard contains practices and procedures for the installation and installation design of valve-regulated lead acid (VRLA) batteries, including storage, location, mounting, ventilation, instrumentation, preassembly, assembly, and charging. Furthermore, before fuel load the EDAS will have to undergo preoperational testing through Initial Test Program Test #SO (see Table 14.2-50 in Chapter 14 of the FSAR) to ascertain its reliability and availability.

To demonstrate reliability of EDAS during operation, the EDAS will be tested in accordance with IEEE Standard 1188. This standard establishes maintenance, test schedules, and testing procedures used to optimize the life and performance of VRLA batteries for stationary applications. For context, these are the same type of testing practices for safety-related batteries used in currently operating reactors. Additionally, the EDAS has a battery monitor connected to provide continuous monitoring of battery performance characteristics, including temperature deviations, discharges, and voltage excursions that exceed predefined tolerances. This information provides trending of battery parameters to ascertain the condition of the battery. The battery monitor will be operated in accordance with IEEE Standard 1491.

With multiple mechanisms to test and assess the reliability of EDAS before and during operation, there is sufficient information in the NuScale SDAA to reach a reasonable assurance finding related to EDAS performance without the need for additional controls.

Concern 3: Not Requiring Technical Specifications for EDAS I conclude that additional technical specification (TS) requirements are not necessary. This is based on the controls afforded by the Owner-Controlled Requirements Manual (OCRM) and the Maintenance Rule, along with the controls discussed above, which provide assurance that EDAS will be available to perform its intended function. While the lack of detail on the contents of the OCRM at this stage makes it challenging to make a detailed safety finding, there is reasonable confidence that the general principles included in the FSAR will indicate to future applicants what needs to be included in the OCRM.

NRC FORM 757 (06-2019)

Page 14 of 16 Use ADAMS Template NRC-006 (ML0631201S9)

In light of the concerns raised by the staff, NRR's management team considered whether an exemption from 10 CFR 50.36 is needed to implement this decision. The NRC regulations at 10 CFR 50.36 require that each operating license issued by the Commission contain TS that set forth the limits, operating conditions, and other requirements imposed upon facility operation for the protection of public health and safety. 10 CFR 50.36(c)(2) states that limiting conditions for operation (LCOs) are the lowest functional capability or performance levels of equipment required for safe operation of the facility, and that a TS LCO of a nuclear reactor must be established for each item meeting one or more of the following criteria:

  • Criterion 1. Installed instrumentation that is used to detect, and indicate in the control room, a significant abnormal degradation of the reactor coolant pressure boundary.
  • Criterion 2. A process variable, design feature, or operating restriction that is an initial condition of a design basis accident or transient analysis that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.
  • Criterion 3. A structure, system, or component that is part of the primary success path and which functions or actuates to mitigate a design basis accident or transient that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.
  • Criterion 4. A structure, system, or component which operating experience or probabilistic risk assessment has shown to be significant to public health and safety.

The non-concurring staff argue the EDAS meets LCO Criterion 2 because the two RWs will only remain closed if DC electrical power is maintained. Those staff find the "closed" status of the valves could be an operating restriction assumed in the evaluation of postulated AOOs. I find that while this is a potential interpretation of the "operating restriction" language, the requirements are not sufficiently clear to necessitate an exemption from 10 CFR 50.36. The Commission's Final Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors cites as examples for Criterion 2 "operational restrictions (pressure/temperature limits) needed to preclude unanalyzed accidents and transients." Having an intact pressure boundary could be considered an operational restriction, but pressure boundary leakage is already addressed through another TS. A system that continues to assure an intact pressure boundary does not seem to be within the plain language reading of an operational restriction that is clarified by example as "pressure/temperature limits." In addition, Criterion 2 is focused on precluding unanalyzed accidents and transients; failure of EDAS either as an AOO initiator or during an unrelated AOO is not an unanalyzed accident or transient.

The non-concurring staff also argue that EDAS meets LCO Criterion 3 because the NuScale US460 standard design relies on DC electrical power to keep the ECCS RWs closed during AOOs to protect the fuel clad fission product barrier and the reactor coolant pressure boundary fission product barrier. The non-concurring staff view this as being part of the primary success path of the AOO. While I understand and acknowledge the position of the nonconcurring staff, I relied on this language in the Commission Policy Statement to reach my conclusion:

The primary success path of a safety sequence analysis consists of the combination and sequences of equipment needed to operate (including consideration of the single failure criteria), so that the plant response to Design Basis Accidents and Transients limits the consequences of these events to within the appropriate acceptance criteria.... Also captured by this criterion are those support and actuation systems that are necessary for items in the primary success path to successfully function.

While EDAS needs to continue operating to not escalate the AOO to a more severe event, as discussed above, failure of EDAS would be an event independent from that which initiated the AOO. I find that the functioning of EDAS can be viewed as not, itself, part of the success path and therefore that an LCO is not explicitly required under Criterion 3.

Therefore, having already found that a TS would not provide a significant additional safety benefit, I find that it is not necessary to authorize an exemption to 10 CFR 50.36 because the rule could be read as not requiring a TS for this system.

Concern 4: NRR Office Management Decision-Making In their non-concurrence, the staff raise a number of concerns associated with decision-making on the part of NRR office-level management on the regulatory treatment of EDAS. That includes perceived technical errors in the basis for the decision, procedural errors, and misapplication of the SRM on SECY 19 0036. Those concerns are summarized in the statement of issues section. I don't intend to provide a point-by-point response to each of the concerns, but I acknowledge that engagement between staff and management on this topic could have been better.

With respect to the application of the SRM to SECY-19-0036 to regulatory decision-making in general, I agree with the non-concurring staff that some lack of clarity exists. The Executive Director for Operations recently established a Strategic Direction Initiative (SDI) associated with regulatory decision-making. I have directed that application of that SRM be considered as part of the SDI, to include consultation with the NRC's Office of the General Counsel. An expected outcome of the SDI is clear, durable, and legally defensible guidance to the staff on how to apply the SRM.

Conclusion For the reasons discussed above, I have decided that NuScale's EDAS system is not safety-related, that an exemption is not needed to implement that decision, and that the existing controls established in the SDAA are adequate to ensure EDAS is available and reliable. I have directed staff in the Division of New and Renewed Licenses to work with the technical staff to revise relevant sections of the safety evaluation report (SER) for the SDAA to implement this decision.

NRC FORM 757 (06-2019)

Page 15 of 16 Use ADAMS Template NRC-006 (ML0631201S9)

The basis provided in the SER should reflect the discussion above and not the email referenced in Section A of the nonconcurrence. I note that this decision is based on the specific circumstances that exist in the NuScale SDAA and should not be considered to establish precedence for similar issues in other reviews.

I agree with the non-concurring staff that additional clarity is needed with respect to application of the SRM on SECY 19 0036 and I have directed resolution of that issue be addressed as part of an ongoing SDI associated with regulatory decision-making.

9.

Coordinated By/ Coordinated On 2025-04-22 Jay Robinson

10.

Approved By/ Approved On 2025-04-22 Greg Bowman - DEP. OFFICE DIRECTOR FOR NEW REACTORS NRC FORM 757 (06-2019)

Page 16 of 16 Use ADAMS Template NRC-006 (ML0631201S9)

Attachment for Section A

1 December 13, 2024 FROM: Antonio Barrett, Senior Nuclear Engineer Craig Harbuck, Senior Safety and Plant Systems Engineer John Lehning, Senior Nuclear Engineer Zhian Li, Senior Nuclear Engineer Joshua Miller, Nuclear Engineer Ryan Nolan, Senior Nuclear Engineer Rebecca Patton, Branch Chief Marie Pohida, Senior Reliability and Risk Analyst Adam Rau, Nuclear Engineer Sheila Ray, Senior Electrical Engineer Thomas Scarbrough, Senior Mechanical Engineer

SUBJECT:

Non-concurrence on U.S. Nuclear Regulatory Commission Chapter 15 Safety Evaluation Report for the NuScale Power, LLC US460 Standard Design Approval Application

1.0 INTRODUCTION

This document provides the basis for the technical staffs non-concurrence on the NRC staffs Chapter 15 safety evaluation (ADAMS Accession No. MLXXXX) of the NuScale Power, LLC (NuScale or the applicant) standard design approval application (SDAA) for its US460 standard plant design.

In general, the non-concurring technical staff fundamentally disagree with the NRR office management decision for acceptability of the design and regulatory controls of the NuScale US460 augmented direct current (DC) power system (EDAS), their direction to staff to document a safety evaluation conclusion contrary to the regulations without providing a clear technical or regulatory basis, and their decision that an exemption is not required to approve the design of the EDAS as a non-safety-related system.

The specific issues which resulted in this non-concurrence are documented in Section 3 below and include the following discrete areas:

2 EDAS meets the definition of a safety-related structure, system, or component (SSC) prescribed in 10 CFR 50.2 and is not in compliance with pertinent special treatment requirements EDAS is not in compliance with 10 CFR 50.36 criteria for establishing limiting conditions for operation in the technical specifications Management direction to proceed contrary to these requirements did not provide a sufficient and defensible technical or regulatory basis; was based on a mischaracterization of the issue; applied speculative and risk-based reasoning not afforded in the regulations; and was inconsistent with established policies and procedures, and the principles of good regulation.

Section 4.0 of this document provides acceptable alternative approaches while staying within the well-established and previously-defined regulatory framework under which the application was submitted.

The non-concurrence from Antonio Barrett, John Lehning, Zhian Li, Joshua Miller, Ryan Nolan, Rebecca Patton, Sheila Ray, and Adam Rau is based on the entirety of this document. The non-concurrence from Craig Harbuck is based on the issue discussed in Section 3.2 of this document. The non-concurrence from Marie Pohida is based on the issues discussed in Section 3.2 and Section 3.3 of this document. The non-concurrence from Thomas Scarbrough is based on the issues described in Section 3.1 and Section 3.3. All non-concurring staff endorse the alternative options documented in Section 4.0.

2.0 BACKGROUND

By letter dated December 31, 20221, NuScale submitted Revision 0 of its SDAA for its US460 standard plant design. The applicant submitted the US460 plant SDAA in accordance with the requirements of Title 10 Code of Federal Regulations (10 CFR) Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants, Subpart E, Standard Design Approvals. Revision 1 of the SDAA was submitted on October 31, 20232, and the NRC staff expects future revisions of the SDAA to be submitted prior to completing the review.

The Chapter 15 safety evaluation report provides the NRC staffs evaluation of the transient and accident safety analysis for the US460 design, primarily documented in SDAA Final Safety Analysis Report (FSAR) Chapter 15 titled, Transient and Accident Analyses;3 however, it also includes consideration of other FSAR Chapters as appropriate (e.g., Chapter 34 and Chapter 85).

1 ML22339A066 2 ML23306A033 3 ML23304A365 4 ML23304A321 5 ML23304A354

3 3.0 DISCUSSION The emergency core cooling system (ECCS) for the US460 design is provided by four main valves connected to the reactor pressure vessel (RPV) (two reactor vent valves (RVVs) mounted to the top of the RPV, and two reactor recirculation valves (RRVs) mounted to the side of the RPV in the downcomer region) and associated trip and reset solenoid valves. During normal and most anticipated operational occurrence (AOO) operations, the ECCS valves remain closed to form part of the reactor coolant pressure boundary (RCPB).

The module-specific EDAS (simply referred to as EDAS in the remainder of this document) for the NuScale US460 standard design is a battery system that provides 125 volts DC to, among other components, the ECCS trip solenoid valves to preclude inadvertent ECCS valve actuation.

NuScale has deemed the EDAS as a non-safety-related SSC. In the event EDAS power is lost to the ECCS trip solenoid valves during operation, the two RVVs immediately open. This results in the equivalent of a large break loss-of-coolant-accident (LOCA) with rapid depressurization of the reactor coolant system (RCS) and pressurization of containment. Unlike the RVVs, each RRV includes an inadvertent actuation block (IAB) valve that prevents the main valve from opening under full RCS pressure and temperature conditions until after the differential pressure between the RCS and containment is below a predetermined threshold.

The non-concurring technical staff note that the reliance on EDAS and resultant plant response of the US460 is different from its predecessor, the US600 design, which received its design certification in 2020. The US600 design included safety-related IAB valves on all ECCS valves (RVVs and RRVs) so that on a loss of the DC power system event, the IAB valves would ensure the ECCS valves remained closed, thus preventing the loss of RCPB integrity6. In addition, in the transient and accident analysis for the US600 design, power availability of the DC power system was assessed at the time of event initiation and then again as the event progressed, including at the time of reactor/turbine trip.

Based on the inclusion of the IAB valves and the method for assessing the impact of DC power availability, the NRC staff concluded that the highly reliable DC power system for the US600 (EDSS, which serves the same basic functions in the US600 that the EDAS serves in the US460) was not relied on or needed to maintain the RCPB integrity or meet pertinent Chapter 15 safety analysis acceptance criteria, and its failure would not result in an event outside the design basis of the US600 reactor. Therefore, the classification and treatment of the highly reliable DC power system for the US600 as a non-safety-related system was appropriate because it was demonstrated to not be within the scope of the definition of safety-related in 10 CFR 50.2 of the NRC regulations.

In contrast to the above, in the US460 safety analysis NuScale changed the design and method for assessing DC power availability to only consider the potential loss of EDAS at the time of event initiation. That is, if EDAS is assumed to function at initiation of a Chapter 15 event, the safety analysis assumes it will continue to function properly during the entire design basis period 6 Consistent with the staff approval of the US600 design, subsequent release of the IAB valves and opening of the main ECCS valves in the long-term is not considered loss of the RCPB integrity because of the significant amount of time the reactor has been shut down and decay heat removal has been established such that reactor pressure and temperature is well below normal operating conditions by the time the valves open.

4 (up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />). A failure of EDAS during the progression of an AOO event, and the resulting blowdown, would result in more severe consequences for some events where core power increases above rated power during the event (such as a loss of feedwater heating and other events). With both the design change decision to not include IAB valves on the RVVs and the changes in assessing DC power availability, the staff cannot reach the same conclusions for the US460 design that were reached for the US600 design; that is, the DC power system in the US600 design is not relied on or needed to maintain the RCPB integrity or meet the Chapter 15 acceptance criteria. See below illustration for comparison between the DCA US600 and the SDA US460.

The disconnect between the reliance on the EDAS in the US460 design and its non-safety classification was identified during pre-application activities7 and was acknowledged as a high impact technical issue in the NRC acceptance letter8 for the NuScale US460 SDAA. Following acceptance of the SDAA, an interdisciplinary review team (IRT) was established to review the EDAS technical issue. This IRT was made up of technical experts in multiple review areas, including transient and accident safety analysis, electrical, and probabilistic risk assessment.

After extensive review and evaluation by the IRT of both the submitted application and audit of NuScale engineering documentation, including numerous technical exchanges with internal and external stakeholders, the staff concluded that the EDAS meets the definition of a safety-related SSC (discussed in detail below). Contrary to this determination and the associated regulatory requirements that follow, NRR office management directed the staff to complete the review without requiring either compliance with the applicable regulations or justification for an exemption (Attachment 1).9 The following sections explain in more detail each of the three individual elements that resulted in this staff non-concurrence.

7 ML22305A520 (public version); ML22305A519 (non-public version) 8 ML23058A160 9 ML24159A714

5 3.1 The EDAS meets the definition of safety-related in 10 CFR 50.2 The definition of safety-related SSCs is provided in 10 CFR 50.2 and states:

Safety-related structures, systems and components means those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; or (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures comparable to the applicable guideline exposures set forth in § 50.34(a)(1) or § 100.11 of this chapter, as applicable.

If an SSC meets the definition of safety-related, it is subject to certain special treatment requirements in accordance with the NRC regulations. If EDAS is determined to perform safety-related functions, then EDAS must meet 10 CFR Part 50, Appendix B, quality assurance requirements, and 10 CFR 50.55a(h), which requires safety systems to meet Institute of Electrical and Electronics Engineers Std. 603, IEEE [Institute of Electrical and Electronics Engineers] Standard Criteria for Safety Systems for Nuclear Power Generating Stations. The above definition in the NRC regulations stipulates that SSCs relied upon for protection of a fission product barrier are required to be designated as safety-related and thus have the highest quality and reliability. The non-concurring technical staff contend that the EDAS meets Criterion 1 and Criterion 2 of this definition in 10 CFR 50.2.

Regarding Criterion 1 of the safety-related definition, during normal operation the ECCS valves are relied upon to remain closed to assure the integrity of the RCPB in the US460 design. This is clearly presented by the applicant in SDAA FSAR Table 3.9-16, Active Valve List, which identifies that the RVVs, RRVs, and associated trip and reset valves, perform the function to maintain the RCPB. The ability of the ECCS valves to remain closed can only be accomplished if power to the fail-open trip solenoid valves is provided by EDAS. Failure of EDAS would result in immediate opening of the RVVs and loss of the RCS fission product barrier, thus demonstrating EDAS is relied on to assure the integrity of the RCPB.

This safety-related function being performed by the EDAS is articulated in NuScale engineering documentation. Specifically, the staff performed a regulatory audit of NuScales SSC classification procedure.10 This report specifies that the systems that function to provide electric power for the prevention of unintended ECCS actuation support the underlying requirement of 10 CFR Part 50, Appendix A, General Design Criterion (GDC) 15, which requires the RCPB to remain available as a fission product barrier during AOOs. The requirement to assure the RCPB in GDC 15 is the same function identified in Criterion 1 of the definition of safety-related SSCs.

This discussion leads the non-concurring technical staff to find that the EDAS is relied on to 10 ML24211A09

6 assure the integrity of the RCPB in the US460 design; thereby satisfying Criterion 1 of the regulatory definition of safety-related SSCs.

Regarding Criterion 1 of the safety-related definition, NRR office management on several occasions stated during meetings that the EDAS does not need to be classified as safety-related because the loss of EDAS is considered as an AOO, and that for other event initiators, the results are shown to meet Chapter 15 acceptance criteria. The non-concurring technical staff believe that this opinion has no technical merit. Whether a particular failure or malfunction of an SSC is considered an event initiator within the Chapter 15 safety analysis is irrelevant to the classification of that SSC. For example, failure of RCS piping resulting in a LOCA or inadvertent lifting a safety relief valve are transients that result in loss of the RCPB integrity and are considered in the safety analysis for all nuclear power plants; however, having an analysis of these events that shows the Chapter 15 acceptance criteria are met is not a demonstration that these systems and components are not relied on to assure the integrity of the RCPB. The fallacy in this reasoning becomes apparent when considering that applying it more broadly would mean that no SSCs meet Criterion 1 of the safety-related definition because all design-basis events analyzed in the Chapter 15 safety analysis show that the acceptance criteria are met. Further, although the loss of EDAS is considered an AOO when it is the initiating event, EDAS is also relied on for other initiating events, such as a loss of feedwater heating, rod withdrawal, etc., where the failure of EDAS during the progression of the event (other than at time zero) is not analyzed.

Regarding Criterion 2 of the safety-related definition, a safe shutdown condition is described in SECY-94-084,11 and approved by the Commission in SRM-SECY-94-084,12 as properly maintaining reactor subcriticality, decay heat removal, and radioactive materials containment.

For AOOs, the criteria for sufficient decay heat removal are prescribed by 10 CFR Part 50, Appendix A, GDC 34, which states:

A system to remove residual heat shall be provided. The system safety function shall be to transfer fission product decay heat and other residual heat from the reactor core at a rate such that specified acceptable fuel design limits and the design conditions of the reactor coolant pressure boundary are not exceeded.

Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

Specified acceptable fuel design limits (SAFDLs) are design-specific criteria developed by the applicant or licensee and required by GDC 10 to provide figures of merit to demonstrate the integrity of the first fission product barrier (i.e., the fuel clad) during normal operation, including AOOs. The NuScale Chapter 15 acceptance criteria13 states for AOOs, fuel cladding integrity 11 Policy and Technical Issues Associated with the Regulatory Treatment of Non-Safety Systems in Passive Plant Designs (ML003708068) 12 ML003708098 13 Shown in FSAR Table 15.0-2, Acceptance Criteria-Thermal Hydraulic and Fuel

7 shall be maintained by ensuring the SAFDLs are met. A footnote is provided that clarifies the SAFDLs are met by assuring the minimum critical heat flux ratio (MCHFR) is maintained above the critical heat flux analysis limit. Therefore, for the NuScale US460 design, any SSC relied on to meet MCHFR criteria is performing a safety-related function for ensuring a safe shutdown condition. The importance of this parameter as a figure of merit representing integrity of the fuel barrier is also confirmed by the required inclusion of MCHFR as a safety limit in the NuScale technical specifications.14 As part of its review, the staff evaluated whether the EDAS was relied on to meet the MCHFR figure of merit. The staff determined that the EDAS was relied on to remain functional during the entire transient and is needed to ensure that the MCHFR criteria are not exceeded for certain increase-in-heat-removal and reactivity-insertion AOOs. Examples of transients that require the EDAS for mitigation include decrease in feedwater temperature, increase in feedwater flow, increase in steam flow, and inadvertent rod withdrawal (at power) events. Based on docketed and audited information, the staff observed that the EDAS is relied on to prevent the exceedance of MCHFR during design-basis transients that initiate from within the rated power envelope and experience transient power increases above approximately 110%. Sensitivity analysis performed by the applicant demonstrates that if a cooldown or reactivity event occurs, with the reactor within its operational bounds for pressure and temperature, the loss of the EDAS at any time during this condition will cause the immediate opening of the RVVs, resulting in the rapid depressurization of the RCS and exceedance of the MCHFR limit. To summarize, the EDAS is needed to meet Chapter 15 acceptance criteria of MCHFR, which is the figure of merit for the fuel integrity fission product barrier; thus, EDAS is relied upon to remain functional during and following design-basis events to assure a safe shutdown condition is maintained.

Therefore, the non-concurring technical staff reach the conclusion that the EDAS satisfies Criterion 2 of the definition of a safety-related SSC.

Additionally, it is important to note that for some transient scenarios, including those when nominal initial conditions and slower transient progressions are assumed (i.e., more likely scenarios), reactor power increases until it reaches a steady-state at a new higher power level (e.g., 115%) that remains below the value at which a reactor trip will occur (e.g., 125% reactor power due to a transient decalibration effect on the nuclear instrumentation). Contrary to statements from NuScale and NRR office management, this results in a condition where the EDAS is being relied on for the entire design-basis period of up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Therefore, the notion that an EDAS failure could only impact the ability to meet acceptance criteria for MCHFR if it fails during a very narrow window of time during a highly improbable event (phrased by NRR management as at the exact worst time) is false. This is one of several mischaracterizations of fact by the NRR office management that are identified and discussed in more detail in Section 3.3 below.

Finally, because NuScale relies on the proper functioning of EDAS in the Chapter 15 safety analysis, the dose consequences resulting from exceedance of the MCHFR limit are unknown and could exceed 10 CFR Part 20 dose limits (i.e., the radiological limits for the AOO event category). During the review, the staff repeatedly requested that NuScale determine the number 14 ML23304A387

8 of fuel rod failures that could result and assess the dose consequences, but this evaluation was not performed.

3.2 The EDAS requires a limiting condition for operation in accordance with 10 CFR 50.36 The NRC regulations in 10 CFR 50.36 require that each operating license issued by the Commission contain technical specifications (TS) that set forth the limits, operating conditions, and other requirements imposed upon facility operation for the protection of public health and safety.

10 CFR 50.36(c)(2) states limiting conditions for operation (LCOs) are the lowest functional capability or performance levels of equipment required for safe operation of the facility, and that a TS limiting condition for operation of a nuclear reactor must be established for each item meeting one or more of the following criteria:

(A) Criterion 1. Installed instrumentation that is used to detect, and indicate in the control room, a significant abnormal degradation of the reactor coolant pressure boundary.

(B) Criterion 2. A process variable, design feature, or operating restriction that is an initial condition of a design basis accident or transient analysis that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.

(C) Criterion 3. A structure, system, or component that is part of the primary success path and which functions or actuates to mitigate a design basis accident or transient that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.

(D) Criterion 4. A structure, system, or component which operating experience or probabilistic risk assessment has shown to be significant to public health and safety.

The non-concurring technical staff find that the EDAS meets LCO Criterion 2. During NPM normal operation in Mode 1, the ECCS hold function of keeping the two ECCS reactor vent valves (RVVs) closed requires DC electrical power from both EDAS divisions to ensure RCPB integrity, which is necessary for normal operation and is also a safety analysis assumed initial condition for postulated AOO events that present a challenge to the integrity of a fission product barrier. The EDAS is an active system necessary to perform the ECCS hold function. Since RCPB integrity is an operating restriction that is an initial condition of most AOOs postulated in FSAR Chapter 15, LCO Criterion 2 requires establishing an LCO in technical specifications for EDAS. The Commissions Final Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors15 states that Criterion 2 also includes active design features (e.g., high pressure/low pressure system valves and interlocks) and operating restrictions (pressure/temperature limits) needed to preclude unanalyzed accidents and transients. A loss of EDAS resulting in RVV opening and the loss of RCPB integrity during an AOO is not part of 15 58 FR 39132

9 the FSAR Chapter 15 safety analysis. EDAS maintains the operational restriction of RCPB integrity, which precludes such an unanalyzed event, and therefore satisfies LCO Criterion 2.

The non-concurring technical staff also find that the EDAS meets LCO Criterion 3. Note that this is separate and independent from the determination of whether the EDAS is performing a safety-related function, because the criteria of 10 CFR 50.36 for establishing limiting conditions for operation in technical specifications cover both safety-related and non-safety-related SSCs.

As discussed in Section 3.1, the NuScale US460 standard design relies on DC electrical power from EDAS to keep the ECCS RVVs closed during AOOs to protect the fuel clad fission product barrier and the RCPB fission product barrier. While the ECCS RVVs are performing the primary success path function to maintain RCPB integrity, the EDAS is part of the primary success path because the ECCS RVVs cannot remain closed without uninterrupted EDAS DC electrical power to the RVV trip solenoid valves.

During discussions with management on this topic, one NRR manager expressed the view that electrical power is a support system and is therefore not required to have LCOs. This view is not consistent with the Commissions Final Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors. Regarding Criterion 3, the Commission policy provides the following clarification of equipment that is considered part of the primary success path:

The primary success path of a safety sequence analysis consists of the combination and sequences of equipment needed to operate (including consideration of the single failure criteria), so that the plant response to Design Basis Accidents and Transients limits the consequences of these events to within the appropriate acceptance criteria.

It is the intent of this criterion to capture into Technical Specifications only those structures, systems, and components that are part of the primary success path of a safety sequence analysis. Also captured by this criterion are those support and actuation systems that are necessary for items in the primary success path to successfully function.

Therefore, the non-concurring technical staff conclude that EDAS is part of the primary success path and functions to mitigate a design-basis transient that presents a challenge to the integrity of a fission product barrier, thus requiring an LCO consistent with the Commissions Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors and in accordance with 10 CFR 50.36(c)(2).

3.3 Management Decision-making The NRR office management decision (Attachment 1) did not provide a defensible technical or regulatory basis for the directed approach. The decision is stated to be supported by SRM-SECY-19-0036, Staff Requirements - SECY-19-0036-Application of the Single Failure Criterion to NuScale Power LLCs Inadvertent Actuation Block Valves.

The NRR office management decision states:

10

...the applicability of the Commissions staff requirements memorandum (SRM) on SECY-19-0036, which similarly applied to a NuScale review, although on a different technical issue. In that SRM, the Commission established more general policy on how to handle similar issues in the future. The Commission stated In any licensing review or other regulatory decision, the staff should apply risk-informed principles when strict, prescriptive application of deterministic criteria such as the single failure criterion is unnecessary to provide for reasonable assurance of adequate protection of public health and safety. In evaluating this issue, I have determined that this Commission policy is applicable and supports the decision that is being made.

The non-concurring staff believe that the NRR office management has overstepped in its interpretation that the direction provided in SRM-SECY-19-0036 allows the NRC staff latitude to apply different review criteria than those specified in applicable regulations, including 10 CFR 50.2 and 10 CFR 50.36. While an SRM may provide guidance for the NRC staff to focus its review efforts, Commission statements in an SRM cannot override NRC regulations in the absence of rulemaking. A formal opinion on the status of SRM-SECY-19-0036 should be obtained from OGC to ensure that the NRC management and staff are aware of the extent and limitations for its guidance.

In addition, the NRR office management decision did not provide evidence that risk-informed principles, as stated in SRM-SECY-19-0036, were applied or followed. The risk-informed principles are defined in Regulatory Guide 1.174 and include:

Principle 1: The proposed licensing basis change meets the current regulations unless it is explicitly related to a requested exemption (i.e., a specific exemption under 10 CFR 50.12).

Principle 2: The proposed licensing basis change is consistent with the defense-in-depth philosophy.

Principle 3: The proposed licensing basis change maintains sufficient safety margins.

Principle 4: When proposed licensing basis changes result in an increase in risk, the increases should be small and consistent with the intent of the Commissions policy statement on safety goals for the operations of nuclear power plants.

Principle 5: The impact of the proposed licensing basis change should be monitored using performance measurement strategies.

The staff requested additional clarification on the GDC 17 and GDC 18 exemptions, related to electrical power, and the management responded with the following:

It is not clear to [NRR office management] that the decision that was made on the EDAS results in the need to alter the assessment of NuScales requested exemptions to GDC 17 and 18. Since the GDCs require that an electrical system for components important to safety be provided, and we have determined that such a system is not needed, an exemption should be processed. While the GDCs could be read to not require such an exemption, since Nuscale has requested these exemptions, it is most efficient to process them as requested.

11 The non-concurring staff fully agrees with utilizing risk-informed principles and communicated as such in the meetings with management. However, the NRR office management decision fails to elaborate and provide specifics of the application of SRM-SECY-19-0036, as it relates to the technical and regulatory aspects on the classification of the EDAS. Further, the clarification of the management decision fails to thoroughly explain technical and regulatory justification of the GDC 17 and 18 exemptions, other than that they should be granted since NuScale has requested them.

In addition, NRR office management attempted to describe several elements it used when it directed the staff to complete the review of the EDAS without requiring compliance with the applicable regulations or justification for an exemption. However, NRR managements decision was primarily based on a misunderstanding of facts and mischaracterization of the fundamental issues. For example, the decision states:

In discussing the scenario during our meetings, we discussed the complex and unique initial conditions, event progression, and failure modes that all must exist for there even to be a low risk of violating a SAFDL. It requires a special set of circumstances that must align perfectly for there to be a limited window of time during the event for loss of EDAS to potentially result in a challenge to SAFDLs.

the scenario of interest requires the failure of the EDAS system at the worst-case time in the middle of a plant transient.

First, the non-concurring technical staff would like to clarify that, contrary to NRR office managements statements, the EDAS is in fact relied upon to assure the integrity of the RCPB during all times of power operation, as discussed in Section 3.1. Second, as also noted in Section 3.1, the transients where the EDAS is relied on to function to ensure the SAFDLs are not exceeded are categorized as AOOs, which operating experience shows are common events that may be expected to occur at nuclear power plants annually. Therefore, these are not complex and unique initial conditions nor do they require a special set of circumstances that must align perfectly. To the contrary, these AOOs are the events that will likely occur, perhaps multiple times, during the life of the facility. The third and most often-repeated mischaracterization of the EDAS issue by NRR office management is that there is a limited window of time or a notion that EDAS must fail at the worst-case time in the middle of a plant transient. As described in Section 3.1, during cooldown events, sensitivity results show that reactor power can increase and reach a steady-state at a new higher power level through 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (the Chapter 15 analysis timeframe). This is clear demonstration that the EDAS is relied on to perform safety-related functions for the entire duration of the transient and that this safety function is not just performed at the worst-case time in the middle of a plant transient.

The NRR office management clarification (Attachment 2) also states:

We are not aware that the DCA required an exemption to account for a similar plant design and response. It is not clear why one would be needed for the SDA.

As described in Section 3.0, due to the inclusion of IABs on all ECCS valves, the NPM-160 DCA design and methodology of the previously-approved US600 demonstrated that EDSS (the

12 system with comparable function to EDAS) was not relied on in the Chapter 15 safety analysis and was not needed to perform any safety-related function, which is not the case with the US460 SDA design that is the subject of this non-concurrence. Non-concurring technical staff have engaged in multiple attempts to highlight this difference for NRR office management (see example emails from staff to NRR office management).16 Nonetheless, none of the NRR office management communications referencing the US600 certified design and by comparison the US460 SDA design have given any indication that NRR decision makers understand and acknowledge these inherent differences of the analytical approaches and systems in these two designs.

As a second example, the decision states:

During meetings with NuScale, the staff and applicant have appropriately focused the review on the reliability of the EDAS system. Both sides have acknowledged that the system must be highly reliable.

The clarification states:

We have intended highly reliable and augmented quality to be synonymous, so augmented quality is acceptable for the safety evaluation.

The non-concurring technical staff note the use of valve-regulated lead acid (VRLA) batteries in the US460 design is a first-of-a-kind application in a nuclear power plant. Operating plants and other nuclear facilities typically use vented lead-acid batteries, with a proven record of capacity, capability and reliable performance for 20 years. VRLA batteries on the other hand are not typically used in standby applications in NPPs, which is how they would be used in the EDAS, and additional review is warranted to ensure reasonable assurance of public health and safety.

There is no established guidance for what is defined as augmented quality for this first-of-a kind technology nor what is determined to be highly reliable. These are not terms that are defined in the regulations or in Commission policy, nor did NRR office management provide a technical basis detailing how staff should evaluate applications against these terms. For safety-related Class 1E batteries, successful qualification testing provides assurance that the batteries can perform their intended function and demonstrates reliability during its service life. However, NuScale has not performed any such testing representative of EDAS and its specific 24-and 72-hour duty cycle that would demonstrate reliability, capacity and capability of the EDAS. The mischaracterization that a description of augmented quality is synonymous with reliability is wholly incorrect, and without technical merit. For a first-of-a-kind technology in a unique application, reasonable assurance of adequate protection is not met when the assumption is that a description of augmented quality implies or equals high reliability.

The NRR office management decision was based on the perception of a low likelihood event and predicated on speculative high system reliability that the staff has not been able to verify.

These shortcomings substantially undermine the regulatory soundness and technical validity of the decisions that were reached. For example, the premise that the EDAS does not need to be classified as safety-related because it is perceived to be a highly reliable system has no 16 ML24115A248 and ML24305A274

13 regulatory basis or precedent. SSC classification, and the definition of a safety-related system, do not include reliability of the system as a classification factor. Reliability of an SSC does not dictate its classification. For example, many passive components are very reliable (e.g., large reactor coolant system piping, or the reactor pressure vessel), but this does not make them non-safety-related. In fact, safety-related SSCs generally have higher reliability because classifying an SSC as safety-related invokes special treatment requirements for, among other things, design, quality assurance, programmatic oversight, maintenance, and operation. Therefore, using reliability (especially reliability that has not been demonstrated) as a factor for determining whether the EDAS is performing a safety-related function is not supported by the regulations, or any other pertinent policy or precedent.

In addition to inadequate technical justification for its decision, the NRR office management direction to staff was inconsistent with established policies and procedures for regulatory relaxations and documenting agency decisions. The NRR office decision establishes a precedent by providing a substantial relaxation of regulatory requirements. According to NUREG-1409,17 when a requirement is relaxed the NRC must ensure the new framework provides for the adequate protection of the public health and safety and the common defense and security; typically, this means that the alternative approach has either no decrease in safety or security or, if there is a decrease, it is very small. The non-concurring technical staff note that relying on a non-safety-related system to protect two separate fission product barriers calls into question whether adequate protection of public health and safety is provided. Non-concurring technical staff do not have any basis for believing that NRR office management performed this assessment. For example, NuScale has not performed a dose analysis for a loss of the fuel clad fission product barrier, so the adequate protection requirements of 10 CFR Part 20 cannot be shown to be met.

As a related matter, the NRR office management decision and subsequent SDAA safety evaluation report did not follow Management Directive 3.5318, NRC Records and Document Management Program, regarding documentation of the NRR office management decision. MD 3.53 documents agency policy that all official records made by NRC in the course of its official business comply with the regulations governing Federal records management issued by the National Archives and Records Administration (NARA) and the General Services Administration (GSA). Further, MD 3.53 requires federal records to be created and maintained sufficient to document the formulation and execution of decisions and the necessary actions taken. Of note, MD 3.53 states that a federal record should include items that explain why the agency made a decision. As discussed above, the NRR office management decision does not provide sufficient technical justification. As the NRR office management decision directs the outcome of the staff review, this decision is the basis and rationale for the safety conclusions documented in the safety evaluation report. The staff was instructed to not reference the NRR office management decision, an agency record according to agency policy in MD 3.53, within its safety evaluation report as the basis for the findings. Therefore, the safety evaluations for multiple chapters do not document or explain the formulation or technical rationale of the safety evaluation findings.

17 ML18109A498 18 ML071160026

14 Finally, the non-concurring technical staff believes the management decision is inconsistent with the principles of good regulation of efficiency, openness, clarity and reliability.

Efficiency: This principle states that licensees are entitled to the best possible management of regulatory activities. Where several effective alternatives are available, the option which minimizes the use of resources should be adopted. To formulate a justification without a valid technical or regulatory basis that has the potential to set a precedent with unknown ramifications when clear alternatives are already available through a well-established regulatory process (as discussed below) to accomplish the desired goal indicates a failure to effectively manage regulatory activities. A smooth, efficient regulatory process involves the application of the clearly-defined regulations and the readily-available approaches for seeking exemptions.

Openness: This principle states that nuclear regulation is the public's business, and it must be transacted publicly and candidly. The failure to ensure appropriate documentation of the NRR office management decision making concerning the regulatory treatment of the EDAS fails to meet this principle.

Clarity: This principle means that agency positions should be readily understood and easily applied. The management decision is not well understood, as discussed above, whereby the staff found the decision to lack sufficient and defensible technical and regulatory basis.

Reliability: This principle states that the regulations should be perceived to be reliable and not unjustifiably in a state of transition, and that regulatory actions should always be fully consistent with written regulations and should be promptly, fairly, and decisively administered so as to lend stability to the nuclear operational and planning processes. The management decision is not consistent with the safety-related special treatment requirements or 10 CFR 50.36 criteria regarding the content of technical specifications, as discussed above.

The NRR office management decision on this technical issue sets an inappropriate precedent that regulations are suggestions that can be ignored rather than requirements to be met or specifically evaluated to be justifiably exempted. Many of the staff positions documented in this non-concurrence were also heavily supported by division management leaders. See example email from the Director of the Division of Safety Systems to NRR office management.19 4.0 ACCEPTABLE RISK-INFORMED OPTIONS During the review, the technical staff was clear with both NuScale and NRC management that its position was not that the EDAS must be classified and treated as a safety-related system.

Instead, the staff expressed openness to risk-informed approaches to resolve this technical issue and communicated several alternate approaches, which are described below. Paramount in any alternate approach is that the decisions should have a firmly grounded, risk-informed, technical basis and be made in accordance with current regulatory processes. To that end, they should at a minimum address all five principles of risk-informed decision-making described in Regulatory Guide 1.174:20 meets current regulations or justifies an exemption, consistent with 19 ML24127A208 20 ML17317A256

15 defense-in-depth philosophy, maintains sufficient safety margins, consistent with Commissions Safety Goal Policy Statement, and uses performance monitoring. One approach might involve a request for an exemption under 10 CFR 50.12 (which is referenced by 10 CFR 52.7) for the EDAS from the safety-related definition in 10 CFR 50.2 with subsequent classification of the EDAS as within the scope of the Regulatory Treatment of Non-Safety Systems (RTNSS).21 For example, the EDAS could be screened into the RTNSS program because it is relied upon to prevent adversely impacting a safety function (RTNSS Criterion E). For the EDAS, this would be its function to maintain the trip solenoid-operated valves shut to prevent inadvertent opening of the ECCS reactor vent valves (RVVs) that would cause blowdown of the reactor from full power, pressure, and temperature conditions into a natural circulation cooling mode. Application of the RTNSS program to the EDAS might provide the necessary augmented treatment to support a 10 CFR 50.12 exemption request for the EDAS from the scope of safety-related equipment in the SDA design.

Another potential alternative to traditional safety-related treatment of the EDAS is to apply the risk-informed classification process of 10 CFR 50.69. In the view of the non-concurring technical staff, this process is uniquely suited to the SSC classification issue for EDAS. It would allow relaxation to the scope of equipment subject to special regulatory treatment and better focus both licensee and NRC attention and resources on equipment that has higher risk and safety significance. Under this approach, if the EDAS is shown to be a safety-related system with low safety significant function (RISC-3), the regulation allows for the concept of reasonable confidence and automatically grants exemptions to the special treatment requirements for a safety-related system that would otherwise be applicable to the EDAS (e.g., 10 CFR 50.55a(h) and 10 CFR Part 50, Appendix B).

Another option could be the regulatory option the IRT pursued, and with support from division management. This approach includes the allowance to use a graded approach to the quality of the EDAS that mirrors the reasonable confidence concept of 10 CFR 50.69. Because this option would not provide compliance with the safety-related special treatment requirements, though, justification for exemptions to applicable requirements would be needed in accordance with 10 CFR 50.12. In the view of the IRT and the non-concurring technical staff, a justification for low risk significance and an appropriate graded approach to the quality of the EDAS could provide the demonstration of special circumstances necessary to justify the exemption. This approach would be similar to how certain SSC classifications in 10 CFR 50.69 allow exemptions to safety-related special treatment requirements. The IRT put considerable effort into performing Be riskSMART and risk-informed decision-making evaluations to determine the information needed to reach a finding of reasonable confidence for the EDAS design attributes (e.g.,

capacity, capability, reliability/availability, maintenance and testing, and qualification). Absent a design or analysis change, or reclassification of EDAS to a safety-related system, the non-concurring technical staff believe this is the most efficient and appropriate regulatory option to resolve the EDAS issue.

21 See, e.g., SECY-94-084 (March 28, 1994), Policy and Technical Issues Associated with the Regulatory Treatment of Non-Safety Systems in Passive Plant Designs, (ML003708068) and SRM-SECY-94-084 (June 30, 1994); and SECY-95-132 (May 22, 1995),

Policy and Technical Issues Associated with the Regulatory Treatment of Non-Safety Systems (RTNSS) in Passive Plant Designs, (ML003708005) and SRM-SECY-95-132 (June 28, 1995).

16 Finally, the non-concurring technical staff note that the IRT focused its effort on the holistic design and regulatory treatment of EDAS related to the scope of special treatment requirements specific to safety-related SSCs; therefore, the above risk-informed options consider the issue described in Section 3.2 is addressed (i.e., EDAS complies with 10 CFR 50.36(c)(2)(ii) paragraphs (B) and (C) for establishing an LCO). This ensures the EDAS will remain operable and strongly supports a risk-informed determination that the system will be reliable and available. A reasonable approach to address the issue described in Section 3.2 would be to clarify in the Bases for Specification 3.5.1 that operability of the RVVs also requires the RVVs to perform the ECCS hold function to support maintaining RCPB integrity and adding a surveillance requirement (and appropriate Bases) that periodically (e.g., in accordance with the surveillance frequency control program) verifies EDAS is providing dc electrical power to maintain the RVVs closed in accordance with the availability controls in the owner-controlled requirements manual (OCRM). SER COL Item 16.1-2 requires a COL application referencing the US460 standard design approval to propose establishing in the FSAR an OCRM, which would include an availability control for EDAS. Changes to the OCRM would be controlled under 10 CFR 50.59. The EDAS availability control would be consistent with the options, described above, for addressing the issue about the non-safety-related classification of the EDAS. If the suggested surveillance requirement is not met, then the existing action requirement for an inoperable RVV would apply; or a separate action requirement could be established using risk insights. The EDAS availability control could establish limitations on allowable configurations other than the EDAS design configuration; meeting such limitations would satisfy the surveillance.

2

- NRR Office Management Decision Clarification From:

To:

Cc:

Subject:

RE: NuScale EDAS Decision Date:

Thursday, May 16, 2024 12:36:18 PM

.nd I appreciate the work the LT and staff have done to implement the decision. We also appreciate you seeking clarity from us. We are providing the following proposed initial responses, not to limit communication, but to provide our thinking ahead of the meeting in the interest of the meeting being more effective. We look forward to talking with all of you.

  • How does the decision align with the regulation? Specifically, how will the staff reconcile dassification of the EDAS system as non-safety-related with the regulatory requirement of dassilying SSCs that are relied upon to remain functional during and following design basis events to assure integrity of the reactor coolant pressure boundary as safety related without granting an exemption to the regulation As with the DCA, the design of the NuScale reactor is predicated on a fail-safe approach. This design feature is intended to ensure that under accident scenarios the facility will always default to safe condition. The EDAS system. which provides power to maintain the RWs dosed, conforms to this design. In the unlikely event of a loss of the EDAS, the plant is design to fail to a condition that establishes natural circulation to ensure the fuel remains cooled and necessary fission product barriers are retained. NuScale's analyses show that in this scenario the fuel cladding and containment integrily will be maintained. These barriers provide defense-in depth and safety margin, coupled with the passive safety performance of the natural circulation of the facility, demonstrating in a risk-informed manner that reasonable assurance of public health and safety is assured. We are not aware that the DCA required an exemption to account for a similar plant design and response. It is not clear why one would be needed for the SDA.. Applying the principles of risk to the deterministic regulation per SRM 19-0036, given the probability, consequences, margins, uncertainties, and performance monitoring, coupled with the reliability and capability of the system ( once verified), indicates that it is highly unlikely that the containment boundary would be breached and that SAFDLs would be exceeded, indicating that it's not credible that EDAS would be relied upon in the specific circumstances that would lead to breach of containment or exceedance of SAFDLs.
  • GDC 17 and 18 (DEX) Exemptions Regarding the topic of exemptions, the email dated 4/18/2024 (ADAMS reference?), states, in part that they are, ".. not necessary to reach a reasonable assurance of safety detennination" and that they are,"... a second-tier issue*. NuScale has requested exemptions to GDC 17 and 18 in the SOM (See Part 7 of the application), and exemptions were granted to both requirements in the DCA review. As such, staff is obligated to address in its current evaluation. Please clarify whether the ET direction is that exemptions to GDC 17 and 18 should no longer be required. It is not clear to AK or RT that the decision that was made on the EDAS results in the need to alter the assessment of NuScale's requested exemptions to GDC 17 and 18. Since the GDCs require that an electrical system for components important to safety be provided, and we have determined that such a system is not needed, an exemption should be processed. While the GDCs could be read to not require such an exemption, since Nuscale has requested these exemptions, it is most efficient to process them as requested.
  • Both phrases "highly reliable" and "augmented quality" were used to describe the acceptable level of reliability of EDAS. "Highly reliable" typically denotes a Class 1 E system necessitating a different level of detail to conclude as opposed to reliability through "augmented quality". NuScale does not use the words "highly reliable" in the FSAR regarding the EDAS system The staff cannot use the words "highly reliable" out may be aole to conclude that the system can be reliable oased on qualification, calculations, maintenance/testing, etc. Please clarify whether ET's intended approach to reliability of EDAS is focused on augmented quality. We have intended highly reliaole and augmented quality to be synonymous, so augmented quality is acceptable for the safely evaluation.

1

Retrieved from "https://kanterella.com/w/index.php?title=ML25133A110&oldid=5515970"