SECY-19-0036, VR-SECY-19-0036: Application of the Single Failure Criterion to NuScale Power LLC's Inadvertent Actuation Block Valves

ML19183A434
Issue date: 07/02/2019
From: Commissioners, NRC/OCM
To: Annette Vietti-Cook, NRC/SECY
References: SECY-19-0036



UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

July 2, 2019

SECRETARY

COMMISSION VOTING RECORD

DECISION ITEM: SECY-19-0036

TITLE: APPLICATION OF THE SINGLE FAILURE CRITERION TO NUSCALE POWER LLC'S INADVERTENT ACTUATION BLOCK VALVES

The Commission acted on the subject paper as recorded in the Staff Requirements Memorandum (SRM) of July 2, 2019.

This Record contains a summary of voting on this matter together with the individual vote sheets, views and comments of the Commission.


Denise L. McGovern Acting Secretary of the Commission

Enclosures:

1. Voting Summary
2. Commissioner Vote Sheets

cc:
Chairman Svinicki
Commissioner Baran
Commissioner Caputo
Commissioner Wright
OGC
EDO
PDR

VOTING SUMMARY - SECY-19-0036

RECORDED VOTES

Chrm. Svinicki: Disapproved X; Comments X; Date 06/07/19
Cmr. Baran: Approved X; Comments X; Date 05/22/19
Cmr. Caputo: Disapproved X; Comments X; Date 06/14/19
Cmr. Wright: Disapproved X; Comments X; Date 06/11/19

POLICY ISSUE
NOTATION VOTE
RESPONSE SHEET

TO: Annette Vietti-Cook, Secretary
FROM: CHAIRMAN SVINICKI
SUBJECT: SECY-19-0036: Application of the Single Failure Criterion to NuScale Power LLC's Inadvertent Actuation Block Valves

Approved _ Disapproved XX Abstain _ Not Participating _

Comments: Below _ Attached XX None _

Entered on "STARS": Yes ✓ No _

Chairman Svinicki's Comments on SECY-19-0036
Application of the Single Failure Criterion to NuScale Power LLC's Inadvertent Actuation Block Valves

The NRC staff has made impressive progress on its review of this first-of-a-kind design certification application (DCA) for a small modular reactor (SMR) and should take a measure of justifiable pride in this. As expected, the DCA poses unique attributes that necessitate a consideration, or reconsideration, of traditional regulatory paradigms. In this paper, the staff presents such a case for the Commission's consideration. I find that, in applying agency risk-informed approaches and existing regulatory policy, I do not adopt the staff's construct for deciding the issue and, therefore, disapprove the proposed options. Instead, I present here the salient bases upon which I reviewed and decided the question and approve an alternative regulatory outcome.

In the paper, the staff proposes several options for its treatment of the inadvertent actuation block (IAB) valves utilized in the NuScale SMR design then recommends that the Commission "affirm that the most damaging single active failure of safety-related equipment is required to be considered in performing design, and transient and accident analyses, unless such a failure can be shown with high confidence to not be credible" and "approve staff engagement with NuScale." In the alternative, the staff provides an option "to make a design-specific exception to the [single failure criterion] SFC policy in this case, which would quickly bring the issue to resolution with respect to SFC application to the IAB valve during the staff review of the NuScale DCA." None of these alternatives align with my understanding of the purpose, intent, and precedent in the application of the single failure criterion. The staff's options appear to derive from focusing singularly on the function of an individual component rather than assessing the function of the design as an integrated system. An assessment of the function of the integrated system is the appropriate regulatory frame of reference and allows for the protection of public health and safety as its regulatory figure of merit.

My understanding of the relevant regulatory history indicates that the single failure criterion is a deterministic tool that predates the advances in the use of risk information in regulation by the agency. The precedent for the determination of whether a mechanical component should be treated as having an active failure mode, and therefore possibly be subject to the single failure criterion, resides in the Commission's policy on the subject articulated in SECY-77-439 and SECY-94-084. Application of these policy precedents provides the staff ample flexibility to complete this review through the application of risk-informed methods. Failure to do so has resulted in the application of significant time and resources to an issue that carries extremely low risk, based on the documentation accompanying this paper.

Moreover, consistent with the White Paper on Risk-Informed and Performance-Based Regulation (SECY-98-144), the staff should take a risk-informed approach to assessing whether to apply the single failure criterion to the IAB closing function as an active failure. As the staff notes in the paper, the single failure criterion is a review tool that the NRC uses to assure reliable systems as one element of the defense-in-depth approach to reactor safety. However, the Commission policy articulated in SECY-98-144 and published as Yellow Announcement 99-019, dated March 11, 1999, states:

Risk-Informed Approach and Defense-in-Depth: The concept of defense-in-depth has always been and will continue to be a fundamental tenet of regulatory practice in the nuclear field, particularly regarding nuclear facilities. Risk insights can make the elements of defense-in-depth more clear by quantifying them to the extent practicable. Although the uncertainties associated with the importance of some elements of defense may be substantial, the fact that these elements and uncertainties have been quantified can aid in determining how much defense makes regulatory sense. Decisions on the adequacy of or the necessity for elements of defense should reflect risk insights gained through identification of the individual performance of each defense system in relation to overall performance. [emphasis added]

These policy articulations on risk-informed and performance-based regulation are as relevant today as when they were first published, arguably more so. In light of the novel safety attributes of SMRs and advanced reactors, the appropriate application of these policies will be central to the agency's review of such designs.

The staff has concluded, based on probabilistic risk assessment results provided by NuScale, that the NuScale design is expected to continue to meet the Commission's safety goal policy and associated core damage and large release frequency goals, even without assuming a single active failure. Consequently, and in light of the low risk-significance of this event, I approve the staff reviewing Chapter 15 of the NuScale DCA without assuming a single active failure of the IAB to close.

POLICY ISSUE
NOTATION VOTE
RESPONSE SHEET

TO: Annette Vietti-Cook, Secretary
FROM: Commissioner Baran
SUBJECT: SECY-19-0036: Application of the Single Failure Criterion to NuScale Power LLC's Inadvertent Actuation Block Valves

Approved X Disapproved _ Abstain _ Not Participating _

COMMENTS: Below _ Attached X None _

Entered in "STARS": Yes X No _

Commissioner Baran's Comments on SECY-19-0036, "Application of the Single Failure Criterion to NuScale Power LLC's Inadvertent Actuation Block Valves"

NRC's General Design Criteria for new reactors require nuclear power plant designs to include redundancy and other features to assure that safety functions will perform appropriately even assuming a single failure of equipment. 1 A separate NRC regulation requires the most damaging single failure of Emergency Core Cooling System equipment to be considered in new reactor transient and accident analyses. 2 The goal of this "single failure criterion" is to ensure reliability and redundancy in reactor systems that must perform a safety-related function. 3 Active functions are subject to the single failure criterion while passive functions are not.

Five inadvertent actuation block (IAB) valves are safety-significant, first-of-a-kind design features of the proposed NuScale Emergency Core Cooling System. However, in its design certification application, NuScale treats the IAB valves' vital closing function as a passive function not subject to the single failure criterion. This means that NuScale has not assumed a single failure of the IAB valve in its transient and accident analyses.

I agree with the NRC staff that the IAB valve is an active component that should be subject to the single failure criterion. As the staff explains, the IAB valve "is more complex and must operate in a more challenging operational environment" than the simple check valves that NRC has historically treated as performing a passive function. 4 NuScale's IAB valve "(1) has no operating experience and limited testing to establish performance history or reliability, (2) involves a challenging operational environment that may include steam flashing of high-temperature borated water, and (3) must close rapidly and fully seal to prevent premature opening of the main [emergency core cooling system] valve." 5 Therefore, I approve the NRC staff's recommended Option 2, affirming that the single failure criterion applies to the IAB valve.

In Option 1, the staff also recommends considering "the IAB valve closing function within the broader context of the scenario where the active function is called upon rather than just focusing on the function itself." 6 The idea is that "NuScale could potentially demonstrate the high reliability of the DC power system to the [emergency core cooling system] trip valves," which "could reduce the frequency of demands on the IAB valves to perform their closing safety function by keeping the associated trip valve closed." 7 For this approach to work, the "capacity, capability, and augmented quality level of the DC power system would need to be assessed to demonstrate its high reliability." 8 In this particular case, where the NuScale emergency core cooling system as a whole is largely passive, I agree that it would be appropriate for the staff to assess the overall reliability of the IAB valves in the broader context of how often they would be called upon to function if the DC power system were determined to be highly reliable. One advantage of this approach is that it provides increased assurance of the reliability of the DC power system, which is not treated as safety-related in the NuScale design. This approach provides a reasonable path forward for resolving the IAB valve issue in a timely way while maintaining high safety standards. One straightforward method of demonstrating that NuScale's DC power system is highly reliable could be to add it to the scope of the Reliability Assurance Program, which would be incorporated into the licensing basis of the design. This program is intended to ensure that system performance does not degrade to an unacceptable level during plant operation and that the system will function reliably when called upon. For these reasons, I approve Option 1 for the specific case of the NuScale IAB valves.

The NRC staff does not recommend Option 3, under which NRC would find that the IAB valve closing function is not subject to the single failure criterion even though it is an active function. I disapprove Option 3 because it would represent a significant reduction in defense-in-depth. In fact, under this approach, NRC would accept potential fuel damage or fuel failure as an outcome of the design basis accident analyses performed for the NuScale design.

1 A "single failure" is defined in Appendix A to 10 C.F.R. Part 50 as "an occurrence which results in the loss of capability of a component to perform its intended safety functions."

2 10 C.F.R. § 50.46, Appendix K to 10 C.F.R. Part 50.

3 SECY-77-439.

4 SECY-19-0036 at 6.

5 Id.

6 Id. at 11.

7 Id.

8 Id.

POLICY ISSUE
NOTATION VOTE
RESPONSE SHEET

TO: Annette Vietti-Cook, Secretary
FROM: Commissioner Caputo
SUBJECT: SECY-19-0036: Application of the Single Failure Criterion to NuScale Power LLC's Inadvertent Actuation Block Valves

Approved _ Disapproved XX Abstain _ Not Participating _

COMMENTS: Below _ Attached XX None _

Entered in STARS: Yes X No _

Commissioner Caputo's Comments on SECY-19-0036
Application of the Single Failure Criterion to NuScale Power LLC's Inadvertent Actuation Block Valves

I appreciate the staff's efforts in the review of the NuScale first-of-a-kind design certification application (DCA) for a small modular reactor (SMR). It is not surprising that the review of a first-of-a-kind application would require reconsideration of the established, accepted NRC regulatory framework. For example, the single failure criteria (SFC) in Part 50 Appendix A were developed for large light water reactors (LWR) and have served the agency well over the years in the review of those reactors. However, the SFC contain the flexibility staff needs in many areas to risk inform their review of applications for SMRs and advanced reactors and confirm that they adequately protect public health and safety.

Staff is reviewing other aspects of the NuScale design using a risk informed approach that acknowledges the unique aspects of the design that provide additional defense in depth. An example of this additional defense in depth is provided in the staff's discussion in SECY 0047, "Containment Performance Goals for the NuScale Small Module Reactor Design," in which the staff informs the Commission of its use of a risk informed review approach related to the prevention of a large radiological release to the environment instead of the physical failure of containment.

In this paper, the staff proposes options for the treatment of the inadvertent actuation block (IAB) valves utilized in the NuScale design. However, none of the proposed options focus on assessing the function of the IAB valve in the context of an integrated system. Instead the staff concentrates on the function of the individual component. Similar to Commissioner Wright, I believe the focus of this review should concentrate on the consequences of the IAB failing to close. Staff reported in SECY-19-0036, that the NuScale Probabilistic Risk Assessment (PRA) supports an outcome that meets the Commission's safety goals for core damage frequency and large release frequency even if the IAB valve is assumed to fail to close. Thus, the failure of the IAB valve to close is not risk-significant. An assessment of the function of the IAB in the context of an integrated system is an appropriate, risk-informed method and provides for the protection of public health and safety.

The Chairman's comments on this paper thoroughly describe the relevant regulatory framework which provides the staff ample flexibility to complete the review of the IAB valve through the application of risk-informed methods. As the staff points out, SECY 77-439 acknowledges that a single-failure analysis is not required for any conceivable failure. Instead the analysis should focus on "components which are judged to have a credible chance of failure." SECY-77-439 further notes that certain components "when combined with other unlikely events, are not assumed to fail because the probabilities of the resulting scenarios of events are deemed to be sufficiently small."

Given that the staff has concluded that the NuScale design is expected to continue to meet the Commission's safety goal policy and associated core damage and large release frequency goals, even if the IAB valve is assumed to always fail to close, I approve the staff reviewing Chapter 15 of the NuScale DCA without assuming a single active failure of the IAB to close.

POLICY ISSUE
NOTATION VOTE
RESPONSE SHEET

TO: Annette Vietti-Cook, Secretary
FROM: Commissioner Wright
SUBJECT: SECY-19-0036: Application of the Single Failure Criterion to NuScale Power LLC's Inadvertent Actuation Block Valves

Approved _ Disapproved X Abstain _ Not Participating _

Comments: Below X Attached _ None _

I appreciate the staff's comprehensive description of the issue and the thoughtful options presented in this paper. I approve the staff reviewing Chapter 15 of the NuScale Design Certification Application without assuming a single active failure of the inadvertent actuation block valve (IAB) to close. I view this approach as risk-informed and consistent with the Commission's Safety Goals and the NRC's Principles of Good Regulation.

The debate about whether the IAB is passive is effectively a debate about the likelihood that it will fail to close when exposed to high differential pressure. I agree with the staff that this likelihood is difficult to estimate because of the IAB's first-of-a-kind design and the absence of operating experience. Therefore, I do not take a position on the likelihood or credibility of the IAB failing to close.

Instead, I believe the focus should be on the consequences of the IAB failing to close. Both NuScale and the staff have concluded that the IAB failing to close will not lead to core damage for the relevant accident sequences. Therefore, this function is not risk-significant.

Furthermore, the NuScale design's risk profile is expected to be much lower than the current fleet of reactors and well under the subsidiary risk metrics associated with the Commission's Safety Goals. I considered these factors when making my decision because the Principles of Good Regulation state that "regulatory activities should be consistent with the degree of risk
