ML17215B036: Difference between revisions

From kanterella
Jump to navigation Jump to search
(Created page by program invented by StriderTol)
(StriderTol Bot change)
 
Line 2: Line 2:
| number = ML17215B036
| number = ML17215B036
| issue date = 08/03/2017
| issue date = 08/03/2017
| title = Nuscale Power, LLC Submittal of Changes to Final Safety Analysis Report, Section 19.1.5.1, Seismic Risk Evaluation.
| title = LLC Submittal of Changes to Final Safety Analysis Report, Section 19.1.5.1, Seismic Risk Evaluation.
| author name = Rad Z W
| author name = Rad Z
| author affiliation = NuScale Power, LLC
| author affiliation = NuScale Power, LLC
| addressee name =  
| addressee name =  
Line 13: Line 13:
| document type = Final Safety Analysis Report (FSAR), Letter
| document type = Final Safety Analysis Report (FSAR), Letter
| page count = 18
| page count = 18
| project = CAC:MF8993
| stage = Other
}}
}}


=Text=
=Text=
{{#Wiki_filter:LO-0717-54957 NuScale Power, LLC 1100 NE Circle Blvd., Suite 200    Corvallis, Oregon 97330    Office 541.360-0500    Fax 541.207.3928  www.nuscalepower.com August 3, 2017 Docket No. 52-048 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk One White Flint North 11555 Rockville Pike Rockville, MD 20852-2738  
{{#Wiki_filter:LO-0717-54957 August 3, 2017                                                                                             Docket No. 52-048 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk One White Flint North 11555 Rockville Pike Rockville, MD 20852-2738


==SUBJECT:==
==SUBJECT:==
NuScale Power, LLC Submittal of Changes to Final Safety Analysis Report,   Section 19.1.5.1, "Seismic Risk Evaluation" REFERENCE: Letter from NuScale Power, LLC to Nuclear Regulatory Commission, "NuScale Power, LLC Submittal of the NuScale Standard Plant Design Certification Application," dated December 31, 2016 (ML17013A229) During a July 18, 2017 closed teleconference with Mr. Mark Caruso and other members of NRC staff related to the ongoing PRA audit, NuScale Power, LLC (NuScale) discussed potential updates to Final Safety Analysis Report (FSAR) Section 19.1.5.1 "Seismic Risk Evaluation". The Enclosure to this letter provides a mark-up of the FSAR pages incorporating revisions to Section 19.1.5.1, in redline/strikeout format. NuScale will include these changes as part of a future revision to the NuScale Design Certification Application. This letter makes no regulatory commitments or revisions to any existing regulatory commitments. Please contact Darrell Gardner at (980) 349-4829 or at dgardner@nuscalepower.com if you have any questions. Sincerely, Zackary W. Rad Director, Regulatory Affairs NuScale Power, LLC Distribution: Samuel Lee, NRC, OWFN-8G9A Gregory Cranston, NRC, OWFN-8G9A Rani Franovich, NRC, OWFN-8G9A  
NuScale Power, LLC Submittal of Changes to Final Safety Analysis Report, Section 19.1.5.1, Seismic Risk Evaluation
 
==REFERENCE:==
Letter from NuScale Power, LLC to Nuclear Regulatory Commission, NuScale Power, LLC Submittal of the NuScale Standard Plant Design Certification Application, dated December 31, 2016 (ML17013A229)
During a July 18, 2017 closed teleconference with Mr. Mark Caruso and other members of NRC staff related to the ongoing PRA audit, NuScale Power, LLC (NuScale) discussed potential updates to Final Safety Analysis Report (FSAR) Section 19.1.5.1 Seismic Risk Evaluation. The Enclosure to this letter provides a mark-up of the FSAR pages incorporating revisions to Section 19.1.5.1, in redline/strikeout format. NuScale will include these changes as part of a future revision to the NuScale Design Certification Application.
This letter makes no regulatory commitments or revisions to any existing regulatory commitments.
Please contact Darrell Gardner at (980) 349-4829 or at dgardner@nuscalepower.com if you have any questions.
Sincerely, y,
Zackary Z ckary W. Rad Za Director, Regulatory Affairs NuScale Power, LLC Distribution: Samuel Lee, NRC, OWFN-8G9A Gregory Cranston, NRC, OWFN-8G9A Rani Franovich, NRC, OWFN-8G9A


==Enclosure:==
==Enclosure:==
  "Changes to NuScale Final Safety Analysis Report, Section 19.1.5.1, Seismic Risk Evaluation" y,ZaZZZZckary W. Rad Director,RegulatoryAffairs LO-0717-54957  NuScale Power, LLC 1100 NE Circle Blvd., Suite 200     Corvallis, Oregon 97330     Office 541.360-0500     Fax 541.207.3928 www.nuscalepower.com
Changes to NuScale Final Safety Analysis Report, Section 19.1.5.1, Seismic Risk Evaluation NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com
 
LO-0717-54957


==Enclosure:==
==Enclosure:==


"Changes to NuScale Final Safety Analysis Report, Section 19.1.5.1, Seismic Risk Evaluation" NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-54Draft Revision 1The SMA covers full power and LPSD operating conditions and includes Level 1 (core damage) and Level 2 (large release) consequences.19.1.5.1.1 Description of the Seismic Risk EvaluationThere are two main tasks associated with performing a PRA-based SMA: seismic fragility analysis (structures and components), and seismic plant response analysis (accident sequence analysis and plant level response). The following sections summarize the SMA approach:*Seismic Analysis Methodology and Approach (Section19.1.5.1.1.1).*Seismic Input Spectrum (Section19.1.5.1.1.2).*Seismic Fragility Evaluation (Section19.1.5.1.1.3).*Seismic Risk Accident Sequence and System Modeling (Section19.1.5.1.1.4). 19.1.5.1.1.1 Seismic Analysis Methodology and ApproachThe PRA-based SMA for the NuScale power plantNuScale Power Module (NPM) (single module) is performed in accordance with the applicable NRC guidance documents DC/COL-ISG-020 (Reference19.1-56), and with the applicable guidance in thePart10of ASME-ANS Ra-Sa-2009 (Reference19.1-2) as endorsed by RG1.200. As discussed in DC/COL-ISG-020, the purpose of a PRA-based SMA is to provide an understanding of significant seismic vulnerabilities and other seismic insights, thus establishing the seismic robustness of a standard design. The SMA analysis must be performed relative to a review level earthquake of 1.67 times the safe shutdown earthquake (SSE).19.1.5.1.1.2 Seismic Input SpectrumComponent fragility is referenced to the peak ground acceleration defining the uniform hazard response spectra for a site, which is the SSE. The certified seismic design response spectra (CSDRS) envelopes this spectrum for the NuScale design with an SSE of 0.5g. 19.1.5.1.1.3 Seismic Fragility EvaluationA seismic fragility analysis is completed as part of an SMA. Fragility describes the probability of failure of a component under specific capacity and demand parameters and their uncertainties. It should be noted that all SSC modeled in the internal events PRA were included in fragility analysis. No pre-screening was performed to establish a seismic equipment list (SEL) or safe shutdown equipment list (SSEL). Seismic capacities for structures and components modeled in the SMA are obtained by performing detailed fragility analysis using either the hybrid method or the separation of variables method described in Reference19.1-21, Reference19.1-57, and Reference19.1-58. For non-critical components, NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-56Draft Revision 1simplification is required because the bioshield, CNV and RPV integrity are not credited following a crane collapse.Reactor Building WallThe fragility of the RXB as a whole is modeled by a fragility analysis of the structural location experiencing maximal loads (both seismic and normal). Failure is assumed to lead to building collapse, core damage and large release.The RXB is modeled using the controlling failure mode of out-of-plane shear cracking at the base of the outer East-West wall. The outer walls have the highest elevation and fewest lateral supports.NuScale Power Module SupportsThe two supporting interfaces between the CNV and the reactor pool are:*The support lugs and wall corbels;*The support skirt and pedestal.The support lug and corbel analysis revealed two controlling failure modes with different consequences: bearing failure of the lugs on the corbel concrete and corbel shear failure. Corbel bearing failure is expected to crush the corbel concrete in compression, causing minor axial rotation of the module resulting in a displacement assumed to be no more than 1 inch for the CNV. Because the flexibility in the piping is in the section between the isolation valve and the wall penetration, there is no credible mechanism for the bearing failure displacement to cause piping on top of the CNV to shear off of the vessel. Therefore, the bounding consequences of such a displacement would be stress concentrations on the piping attached to the top of the CNV, resulting in a potential leak of primary coolant outside containment outside the CIVs. This scenario is therefore modeled as a pipe break outside containment with containment isolation available.Corbel shear failure is expected to occur at a higher loading than bearing failure. Shear failure on any of the three corbels is the controlling failure mode for the reactor module supports. Support failure is assumed to directly cause core damage and a large release because the integrity of the RPV and CNV cannot be ensured if the module becomes detached from its supports.The controlling failure mode for the passive support ring is expected to be horizontal shear force, which is part of the foundation and located inside the outer vessel support skirt ring. Its calculated scale factor of 3.46 is higher than that of the corbel shear failure. It is therefore screened out as a non-controlling failure mode for the reactor supports.
Changes to NuScale Final Safety Analysis Report, Section 19.1.5.1, Seismic Risk Evaluation NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com
Reactor Bay Wall NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-60Draft Revision 1the acceleration with a one percent probability of failure on the mean fragility curve.Demand response factors convert peak ground accelerations to the accelerations experienced by components at different locations. For components assigned generic capacities, the local equipment seismicity is scaled up from the peak ground acceleration by using a demand scale factor. This factor is calculated by dividing the peak clipped spectral accelerations by the corresponding CSDRS values in the frequency range of interest, and selecting the maximum ratio. As a result, the implicit safety factors used in the evaluation of the generic spectral acceleration capacity are compared with the design-specific ISRS in evaluating the SSC fragility.This methodology was chosen so that NuScale-specific response data is reflected in the evaluation of component fragility. 19.1.5.1.1.4 Systems and Accident Sequence AnalysisPlant response analysis maps the consequences of seismic initiators combined with seismic and random failures. This analysis produces event trees with seismically induced initiating events, component and structural events, and non-seismic unavailability.The SAPHIRE computer code is used for quantification of the logic models utilized in the NuScale SMA.
 
Seismically-Induced InitiatorsPlant response after a seismic event is mapped using seismically-induced event initiators, which haveinitiators, as illustrated in Figure19.1-16. The seismically-induced initiators are modeled using similar logic to their corresponding random internal events PRA initiators. Plant response is only modeledmodeled only for earthquakes with a non-negligible probability of causing a reactor trip.The lowest threshold for seismically-induced initiators is a LOOP, which has a median failure capacity of 0.3g. A seismically-induced LOOP credits AC power recovery from the CTG or the BDGs (Am = 0.65g for both). If both the turbine and the diesels fail to restore power, the ECCS valves open after the DC power holding the valves closed, is removed, and the DHRS or the reactor safety valves (RSVs) depressurize the RPV to the point where the inadvertent actuation block (IAB) allows the ECCS valves to open.Seismically-induced SGTF is then modeled with a median failure capacity of 2.9g (failure of the support leads to tube failure). The logic is mapped similarly to a randomly occurring SGTF. Other induced failures include LOCAs inside containment (spurious opening of RSVs or ECCS valves), LOCAsbreaks outside containment (corbel bearing failure or CVCS regenerative heat exchanger failure) and (most severely) structural events.
NuScale Final Safety Analysis Report                                            Probabilistic Risk Assessment The SMA covers full power and LPSD operating conditions and includes Level 1 (core damage) and Level 2 (large release) consequences.
NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-61Draft Revision 1As noted in Section19.1.5.1.1.2, theThe seismic hazard for the NuScale design has been partitioned into 14 seismic initiating event trees defining the SMA, representing different ground motion accelerations. The underlying logic for each tree is identical. The underlying logic for each tree is identical. However, each tree represents a different ground motion acceleration. Each seismic ground motion initiator is a SAPHIRE initiating event with a frequency set to unity in order to evaluate the conditional core damage or large release probability associated with that ground motion.Each event tree is assigned a ground motion acceleration increasing monotonically from 0.005g to 4.0g. The seismic initiator event tree provided as Figure19.1-16 corresponds to a range of peak ground accelerations from 0.005g to 0.1g. The thirteen remaining event trees represent ground motion ranges spaced accordingly up to 4.0g (0.1g to 0.2g, 0.2g to 0.4g,..., 2.0 to 2.5g,...,3.0g to 4.0g). Component failure probabilities are then evaluated at the mid-point of each range (0.0525g for a range of 0.005g to 0.1g, for instance). This methodology supports site-specific estimates of seismic hazard occurrence frequency. Each ground motion initiator is a SAPHIRE initiating event with a frequency set to unity. This allows for an evaluation of conditional core damage or large release probability at each ground motion.Seismically-induced event trees are initiated based onby the failure of a single component or structural event, as described above. Sequences containing these failure events transfer to other event trees (from the seismic initiating event tree) representing plant response to losses of offsite power (Figure19.1-20), SGTFs (Figure19.1-19), loss of coolant accidents inside containment (Figure19.1-17), and pipe breaks outside containment (Figure19.1-16).event. Sequences containing these failure events transfer from Figure19.1-16 to other seismic event trees that represent plant response to breaks outside containment (Figure19.1-17), LOCAs inside containment (Figure19.1-18), SGTFs (Figure19.1-19), and losses of offsite power (Figure19.1-20). Figure19.1-17 and Figure19.1-19 include a transfer to a loss of DC power event tree (Figure19.1-20a) to reflect battery depletion at 24 hours. These trees are modified from existing internal events PRA event trees to remove credit for the availability of AC power or for offsite power recovery. The LOOP tree is located on the success branches of induced initiators because the conditional probability of its occurrence is higher than the other seismically-induced initiators. Additionally, because offsiteOffsite power loss is the most likely induced initiator (a LOOP would occur from lower ground motions than are expected for any other induced initiator),. As such, credit for offsite power has been removed from the three other induced initiator trees. In the event of a LOOP, credit is given toas illustrated in Figure19.1-20, credit is considered for the combustion turbineCTG and BDGs. If either survives along with the DC bussesbuses, the response to a transient without the power conversion systemgeneral reactor trip is considered, as indicated by the transfer "TGS---TRAN--NPC-ET" (Figure19.1-11). If neither survives, offsite and onsite power has been lost and a station blackout exists. Because backup power is fragile relative to the valves and steam generator tubing for the other three induced initiator trees, the existence of power in those situations cannot NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-62Draft Revision 1reasonably be assumed.is not considered in the other seismic initiator trees. If backup power is unavailable due to the seismic event (Sequence 5 of Figure19.1-20), a transfer is made to the internal event LOOP event tree (Figure19.1-9). In developing the SMA, system fault trees also are modified. Seismic failure modes for structures and components are incorporated by inserting transfer gates for each seismic correlation class into each existing fault tree alongside existing randomly occurring events (failure modes). Events representing failure modes without seismically-relevant equivalents remain in the SMA. They are inserted as the union of existing random failure events with the seismic failure of the seismic correlation class. Once complete, the SMA is representative of seismic failures to different component groups located throughout the plant as well as original random failures. Updated fault tree logic is transferred through the logic of each seismic initiating event tree. Because 14 event trees are utilized to define the seismic hazard, the appropriate ground motion demand corresponding to each event tree is applied with "house" events. These events coincide with the ground motion acceleration modeled with each individual seismic event tree. Project level linkage rules are used to turn house events true or false in order to solve each seismic event tree at the correct ground motion.The appropriate demand level is applied with house events (S-AFLAG-005, S-AFLAG-015, etc., a flag for each seismic hazard bin) that are turned true or false while solving the corresponding seismic event tree. This occurs with project-level event tree linkage rules. When evaluating the SMA model, each seismic event tree may be analyzed independently to determine the conditional core damage cutsets related to a single ground motion acceleration bin. The SMA cutsets contain both random and seismic failures. Cutsets from the model evaluation are subsumed by gathering the cutsets from a particular end state. From the gathered end state interface in SAPHIRE, subsets of cutsets can be viewed by using the SAPHIRE slice function. In the seismic event trees, sequences involving core damage end with "Level2-ET." This indicates a transfer to the containment event tree (Figure19.1-15), which contains the radionuclide release categories.TheIn summary, the SMA event trees terminate in one of four end states:*OK: No core damage*CD: Core Damage*NR: Negligible ReleaseTransfer to another event tree*LR: Large ReleaseTransfer to the Level 2 event tree.RAI 19-419.1.5.1.1.5 Effects of Seismically Failed SSCs on Surviving SSCsPotential failures of seismically qualified components due to physical interaction with a nonseismically qualified SSCs are evaluated consistent with NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-63Draft Revision 1the definition of spatial interaction, as defined by the ASME/ANS PRA standard:RAI 19-4a) Proximity effectsSafe shutdown of an NPM is ensured by opening of the RSVs, combined with successful passive ECCS valve operation, when there is no loss of coolant outside the containment boundary. These components have very high seismic capacities and are physically shielded from nonseismically qualified SSCs by the seismically qualified CNV. These components fail safe on loss of power and are not located in proximity to nonseismically qualified components.RAI 19-4b) Structural failure and fallingThe potential for failure and falling interactions between surviving seismically qualified SSCs and seismically failed SSCs is limited by the nature of the NuScale design. The NPM is physically protected by the pool water, pool walls, bay walls, and, during power operation, the bioshield. Seismically-induced damage to the bay walls and bioshield is modeled in the SMA; the SMA demonstrates that these structures have higher HCLPF values than potential components that could fail due to a seismic event. Thus, these structures would provide a physical barrier between potentially failed components and the NPM.RAI 19-4When the bioshield is removed from an operating bay prior to NPM transport for refueling, piping penetrations atop the CNV, as well as the DHRS piping and heat exchangers on the side of the NPM, could be impacted by a falling or swinging object. However, the module is shut down and flooded prior to its bioshield being removed. In this configuration, safe shutdown is maintained by conduction from the RPV through to the CNV and reactor pool.RAI 19-4c) Flexibility of attached lines and cablesSeismically-induced pipe breaks outside containment are modeled in the SMA and encompass the effects of pipe leaks caused by stresses induced by structural displacements or failing objects.RAI 19-4The NPM is not precluded from achieving safe shutdown as a result of a loss of electrical power or signaling logic. As such, the SMA model does not credit systems requiring electrical power at ground motion levels sufficient to cause both loss of offsite power and failure of backup power sources.
19.1.5.1.1         Description of the Seismic Risk Evaluation There are two main tasks associated with performing a PRA-based SMA: seismic fragility analysis (structures and components), and seismic plant response analysis (accident sequence analysis and plant level response). The following sections summarize the SMA approach:
NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-64Draft Revision 119.1.5.1.2 Results from the Seismic Risk Evaluation Seismic risk is quantified in terms of a plant-level HCLPF g-value. SMAs are required to show that the plant level HCLPF is greater than 1.67 times the design basis SSE, which equates to a 0.84g peak ground acceleration for NuScale. The SMA cutsets are assessed using the MIN-MAX method to determine the sequence level fragility. In this method, a group of inputs combined using OR logic (such as different sequences) is assigned the minimum fragility of the group. Conversely, inputs combined with AND logic (such as seismic events within a sequence) are determined by the maximum fragility of the group. The MIN-MAX method is evaluated at the sequence level. This means that the lowest HCLPF cutset value within a sequence determines the seismic margin. In a cutset containing multiple seismic failures, the highest HCLPF value determines the cutset HCLPF.The resulting HCLPF acceleration for the NuScale design is 0.88g. Structural events are the leading contributor to the seismic margin because of their immediate consequences and relatively low PGA-grounded median capacities as compared to component failures. Table19.1-35 summarizes the fragility analysis for each of the structural events. Each of the structural event parameters has been calculated using design specific fragilities. From Table19.1-35, the structural event with the lowest HCLPF is corbel support bearing failure at 0.68g. While this structural event results in a pipe break outside containment, it is isolable and the seismic capacity of the isolation valves results in a much higher HCLPF for these sequences involving the corbel bearing failure. This leaves corbel shearreactor bay wall failure and RBC failure as having the limiting HCLPFs. The SMA assumes that failure of major structures leads to sufficient damage to the modules such that core damage and a large release would result.Significant SequencesThis section provides brief descriptions of the significant contributors to risk as determined by the SMA.Structural events are by far the leading contributor to the seismic margin. The bounding structural event is weldment failure on the crane bridge seismic restraints, which is modeled to lead directly to crane collapse, core damage and large release. A single SMA sequence (sequence SEISMIC-ET-HCLPF: 6-3) contains all structural events and represents 99.8 percent of the large release conditional failure probability after a HCLPF-level earthquake. In accordance with the MIN-MAX method, the lowest HCLPF value between cutsets in the same sequence is controlling. This is why only the reactor building crane event HCLPF of 0.88g shows up at the sequence level.Risk Significance NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-65Draft Revision 1Potentially risk significant structures, components and operator actions are discussed below.Significant Structural FailuresTable19.1-35 lists nine individual structural failure modes for which seismic fragilities are generated. Of these, eight represent single structures that, if they were to fail during a seismic event, arestructural failure modes assumed to lead directly to core damage and a large release. The fault tree logic for these structures is represented by an "OR" gate with all eight inputs, with any one failure leading to core damage and large release. The accident sequence logic is represented by the first heading of the seismic event tree (Figure19.1-16). The most risk significant of these structural failures is for yielding of the reactor building crane bridge seismic restraint weldments.reactor crane bridge seismic restraint weldment yielding, as it has the lowest HCLPF per Table19.1-35.A ninth structural failure mode, corbel bearing failure, can resultresults in a pipe break outside containment. However, additional structural or random failures must occur in the form of failing to isolate containment before core damage would result. Successful isolation enables the ability of the DHRS and the ECCS to provide adequate core cooling. Therefore, the corbel bearing failure is not considered as risk significant as the other eight structural failures. Significant Component Failure ModesThe NuScale unique passive safety features limits the risk associated with failure of active components (such as pumps, compressors and switches) to perform during or after a seismic event. In addition, mitigating systems are largely fail safe, resulting in their actuation on loss of power or control. As such, very few component failures have the potential to contribute to seismic risk.Moreover, component fragilities reported in Table19.1-38 show very low seismic failure probabilitiesa high degree of component seismic robustness. The fail-safe design of PRA-critical components means that the only credible seismic failures of the valves required to achieve safe shutdown involves physical deformation of the valves themselves, which only occurs under extreme stresses concentrations. As a result, component failures (either seismic or random) do not contribute significantly to the potential for core damage or releases following a seismic event. Rather, similar to the internal events PRA, CCF of key functions have the most potential for controlling risk, e.g., common cause events leading to failure of reactor trip, ECCS valve CCFs and failures to isolate containment (in response to seismically induced SGTF or breakspipe break outside containment).Significant Operator ActionsThe SMA model implements HFE probabilities in the same manner as the internal events PRA. Individual system-specific HFE events are first inserted into cutsets using sequence logic; no seismic-specific operator actions were added to the SMA models.
* Seismic Analysis Methodology and Approach (Section 19.1.5.1.1.1).
NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-66Draft Revision 1The internal events human error probabilities of each HFE in the SMA models are multiplied by a factor of 5 for the SMA, to account for the assumed "extreme stress" environment associated with any seismic event (per SPAR-H methodology, NUREG/CR-6883, Reference19.1-22). This is performed regardless of ground motion, meaning the HEPs at lower ground motion levels are conservative.RAI 19-3The NuScale design incorporates a significant amount of passive safety features, requiring little or no operator intervention to initiate or maintain operation. As a result, seismic cutsets containing HFEs also include other seismically induced or random failures that limit the importance of operator actions. Despite the increase in seismic HEPs described above,There are no recovery actions credited in the SMA. Although the HEPs are increased for the SMA, there are no operator actions that play a substantial role in contributing to, or mitigating, the conditional core damage probability results for the SMA.Key AssumptionsTable19.1-40 summarizes the key assumptions associated with the SMA.UncertaintiesParameters representing aleatory and epistemic uncertainty are used directly in evaluating the plant-level HCLPF. Each SSC in the SMA is modeled with a lognormal uncertainty distribution using randomness (r) and epistemic uncertainty (u) parameters. For PRA-critical SSC that are the subject of detailed fragility, uncertainty parameters are also assigned to each sub-factor that contributes to the overall safety factor.
* Seismic Input Spectrum (Section 19.1.5.1.1.2).
The SMA contains uncertainty from many sources, including:*Ground motion variability*Uncertainty in soil-structure interaction*Uncertainty in structural response factors*Spectral shape (motion frequency) uncertainty*SSC capacity uncertainty (material strength and inelastic energy absorption)The modeling of seismic uncertainty is divided into two composite factors, r and u. Both r and u are included in each seismic event, along with the median capacity Am.
* Seismic Fragility Evaluation (Section 19.1.5.1.1.3).
NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-198Draft Revision 1Table 19.1-35: Structural Fragility Parameters and ResultsStructural EventAm (g)ruHCLPF (g)Controlling Failure ModeAssumed consequenceReactor Building Crane2.640.280.390.88Bridge seismic restraint weldment yieldingCore damage / Large ReleaseReactor Building Wall2.270.200.320.960.97Out-of-plane shear cracking at base of outer E-W wallCore damage / Large ReleaseReactor Module Supports - Corbel bearing failure1.942.050.210.240.420.680.73Reactor module support lug bearing compressive failure on corbel concreteIsolable pipe break outside containmentReactor Module Supports - Corbel shear2.672.830.210.380.411.011.02Corbel concrete diagonal shear failureCore damage / Large ReleaseReactor Bay Wall2.470.190.421.130.91In-plane gross shear failureCore damage / Large ReleaseBio Shield - horizontal shear flexure -normal operation11.620.280.373.983.99Horizontal shield slab bending failureCore damage / Large ReleaseBio shield - pool wall bolt failure -
* Seismic Risk Accident Sequence and System Modeling (Section 19.1.5.1.1.4).
normal operation 5.370.280.351.901.91Shear Failure of pool wall Anchor BoltsCore damage / Large ReleaseBio shield - horizontal shear flexure -
19.1.5.1.1.1           Seismic Analysis Methodology and Approach The PRA-based SMA for the NuScale power plantNuScale Power Module (NPM)
double stacked for refueling of adj. model4.050.280.411.30Bending failure of both stacked shield slabsCore damage / Large Release when configuration presentBio shield - pool wall bolt failure - double stacked for refueling of adj. model3.050.280.351.08Shear Failure of pool wall Anchor BoltsCore damage / Large Release when configuration presentAm = median seismic capacity; u = uncertainty in the median seismic capacity; r = randomness of the fragility evaluation; HCLPF = High-Confidence (95%) of a Low Probability (5%) of Failure, = Am exp [-1.65 (r + u)]
(single module) is performed in accordance with the applicable NRC guidance documents DC/COL-ISG-020 (Reference 19.1-56), and with the applicable guidance in thePart 10 of ASME-ANS Ra-Sa-2009 (Reference 19.1-2) as endorsed by RG1.200. As discussed in DC/COL-ISG-020, the purpose of a PRA-based SMA is to provide an understanding of significant seismic vulnerabilities and other seismic insights, thus establishing the seismic robustness of a standard design. The SMA analysis must be performed relative to a review level earthquake of 1.67 times the safe shutdown earthquake (SSE).
NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-317Draft Revision 1Figure 19.1-16: Representative Seismic Initiating Event TreeIE-SEISMIC-005SEISMIC INITIATING EVENT; 0.005g < PGA <= 0.1gSTRUCT-----SEISSEISMICALLY INDUCED STRUCTURAL FAILURELOCA---OC--SEISSEISMICALLY INDUCED LOCA OUTSIDE CONTAINMENTLOCA---IC--SEISSEISMICALLY INDUCED LOCA INSIDE CONTAINMENTLOCA---SG--SEISSEISMICALLY INDUCED STEAM GENERATOR FAILURELOOP-------SEISSEISMICALLY INDUCED LOSS OF OFFSITE POWER#End State(Phase - PH1)1OK2LOOP-------SEIS-ET3LOCA---SG--SEIS-ET4LOCA---IC--SEIS-ET5LOCA---OC--SEIS-ET6LEVEL2-ET NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-318Draft Revision 1Figure 19.1-17: Seismically Induced Pipe Break Outside Containment Event TreeIE-CVCS--ALOCA-COCCVCS LOCA Charging Line Outside ContainmentRTS-T01Reactor Trip SystemCVCS-T02CVCS Charging Line LOCA Outside Containment IsolationDHRS-T01DHRS (2 Trains Available 1 Required)RCS-T01RCS Reactor Safety Valve OpensRCS-T02RCS Reactor Safety Valves CyclingECCS-T01ECCS RX Vent Valves and RX Recirculation Valves Open#End State(Phase - PH1)1LODC---ECC-SEIS-ET2LODC---ECC-SEIS-ET3OK4LEVEL2-ET5LEVEL2-ET6LEVEL2-ET7LEVEL2-ET8LODC---ECC-SEIS-ET9OK10LEVEL2-ET11LEVEL2-ET12LEVEL2-ET13LEVEL2-ET NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-319Draft Revision 1Figure 19.1-18: Seismically Induced Loss-of-Coolant Accident Inside Containment Event TreeIE-RCS---ALOCA-IC-LOCA Inside ContainmentRTS-T01Reactor Trip SystemECCS-T01ECCS RX Vent Valves and RX Recirculation Valves Open#End State(Phase - PH1)1OK2LEVEL2-ET3OK4LEVEL2-ET NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-320Draft Revision 1Figure 19.1-19: Seismically Induced Steam Generator Tube Failure Event TreeIE-MSS---ALOCA-SG-Steam Generator #2 Tube FailureRTS-T01Reactor Trip SystemRCS-T04SG #2 Tube Failure IsolatedDHRS-T02DHRS (#1 Train Available)RCS-T01RCS Reactor Safety Valve OpensRCS-T02RCS Reactor Safety Valves CyclingECCS-T01ECCS RX Vent Valves and RX Recirculation Valves Open#End State(Phase - PH1)1LODC---ECC-SEIS-ET2LODC---ECC-SEIS-ET3OK4LEVEL2-ET5LEVEL2-ET6LEVEL2-ET7LEVEL2-ET8LODC---ECC-SEIS-ET9OK10LEVEL2-ET11LEVEL2-ET12LEVEL2-ET13LEVEL2-ET NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-321Draft Revision 1Figure 19.1-20: Seismically Induced Loss of Offsite Power Event TreeIE-EHVS--LOOP-----LOSS OF OFFSITE POWEREHVS-T01COMBUSTION TURBINE GENERATORELVS-T01BACKUP DIESEL GENERATORSEDSS-T01DC TRAINS REMAIN ENERGIZED#End State(Phase - PH1)1TGS---TRAN--NPC-ET2TGS---TRAN--NPC-ET3TGS---TRAN--NPC-ET4TGS---TRAN--NPC-ET5EHVS--LOOP-----ET NuScale Final Safety Analysis ReportProbabilistic Risk AssessmentTier 219.1-322Draft Revision 1Figure 19.1-20a: Seismically Induced Loss of DC Power Event TreeIE-EDSS--LODC-----LOSS OF DC POWERECCS-T01ECCS RX Vent Valves and RX Recirculation Valves Open#End State(Phase - PH1)1OK2LEVEL2-ET  
19.1.5.1.1.2           Seismic Input Spectrum Component fragility is referenced to the peak ground acceleration defining the uniform hazard response spectra for a site, which is the SSE. The certified seismic design response spectra (CSDRS) envelopes this spectrum for the NuScale design with an SSE of 0.5g.
}}
19.1.5.1.1.3           Seismic Fragility Evaluation A seismic fragility analysis is completed as part of an SMA. Fragility describes the probability of failure of a component under specific capacity and demand parameters and their uncertainties. It should be noted that all SSC modeled in the internal events PRA were included in fragility analysis. No pre-screening was performed to establish a seismic equipment list (SEL) or safe shutdown equipment list (SSEL).
Seismic capacities for structures and components modeled in the SMA are obtained by performing detailed fragility analysis using either the hybrid method or the separation of variables method described in Reference 19.1-21, Reference 19.1-57, and Reference 19.1-58. For non-critical components, Tier 2                                            19.1-54                                  Draft Revision 1
 
NuScale Final Safety Analysis Report                                            Probabilistic Risk Assessment simplification is required because the bioshield, CNV and RPV integrity are not credited following a crane collapse.
Reactor Building Wall The fragility of the RXB as a whole is modeled by a fragility analysis of the structural location experiencing maximal loads (both seismic and normal).
Failure is assumed to lead to building collapse, core damage and large release.
The RXB is modeled using the controlling failure mode of out-of-plane shear cracking at the base of the outer East-West wall. The outer walls have the highest elevation and fewest lateral supports.
NuScale Power Module Supports The two supporting interfaces between the CNV and the reactor pool are:
* The support lugs and wall corbels;
* The support skirt and pedestal.
The support lug and corbel analysis revealed two controlling failure modes with different consequences: bearing failure of the lugs on the corbel concrete and corbel shear failure.
Corbel bearing failure is expected to crush the corbel concrete in compression, causing minor axial rotation of the module resulting in a displacement assumed to be no more than 1 inch for the CNV. Because the flexibility in the piping is in the section between the isolation valve and the wall penetration, there is no credible mechanism for the bearing failure displacement to cause piping on top of the CNV to shear off of the vessel. Therefore, the bounding consequences of such a displacement would be stress concentrations on the piping attached to the top of the CNV, resulting in a potential leak of primary coolant outside containment outside the CIVs. This scenario is therefore modeled as a pipe break outside containment with containment isolation available.
Corbel shear failure is expected to occur at a higher loading than bearing failure. Shear failure on any of the three corbels is the controlling failure mode for the reactor module supports. Support failure is assumed to directly cause core damage and a large release because the integrity of the RPV and CNV cannot be ensured if the module becomes detached from its supports.
The controlling failure mode for the passive support ring is expected to be horizontal shear force, which is part of the foundation and located inside the outer vessel support skirt ring. Its calculated scale factor of 3.46 is higher than that of the corbel shear failure. It is therefore screened out as a non-controlling failure mode for the reactor supports.
Reactor Bay Wall Tier 2                                          19.1-56                                    Draft Revision 1
 
NuScale Final Safety Analysis Report                                              Probabilistic Risk Assessment the acceleration with a one percent probability of failure on the mean fragility curve.
Demand response factors convert peak ground accelerations to the accelerations experienced by components at different locations. For components assigned generic capacities, the local equipment seismicity is scaled up from the peak ground acceleration by using a demand scale factor.
This factor is calculated by dividing the peak clipped spectral accelerations by the corresponding CSDRS values in the frequency range of interest, and selecting the maximum ratio. As a result, the implicit safety factors used in the evaluation of the generic spectral acceleration capacity are compared with the design-specific ISRS in evaluating the SSC fragility.
This methodology was chosen so that NuScale-specific response data is reflected in the evaluation of component fragility.
19.1.5.1.1.4         Systems and Accident Sequence Analysis Plant response analysis maps the consequences of seismic initiators combined with seismic and random failures. This analysis produces event trees with seismically induced initiating events, component and structural events, and non-seismic unavailability.
The SAPHIRE computer code is used for quantification of the logic models utilized in the NuScale SMA.
Seismically-Induced Initiators Plant response after a seismic event is mapped using seismically-induced event initiators, which haveinitiators, as illustrated in Figure 19.1-16. The seismically-induced initiators are modeled using similar logic to their corresponding random internal events PRA initiators. Plant response is only modeledmodeled only for earthquakes with a non-negligible probability of causing a reactor trip.
The lowest threshold for seismically-induced initiators is a LOOP, which has a median failure capacity of 0.3g. A seismically-induced LOOP credits AC power recovery from the CTG or the BDGs (Am = 0.65g for both). If both the turbine and the diesels fail to restore power, the ECCS valves open after the DC power holding the valves closed, is removed, and the DHRS or the reactor safety valves (RSVs) depressurize the RPV to the point where the inadvertent actuation block (IAB) allows the ECCS valves to open.
Seismically-induced SGTF is then modeled with a median failure capacity of 2.9g (failure of the support leads to tube failure). The logic is mapped similarly to a randomly occurring SGTF. Other induced failures include LOCAs inside containment (spurious opening of RSVs or ECCS valves), LOCAsbreaks outside containment (corbel bearing failure or CVCS regenerative heat exchanger failure) and (most severely) structural events.
Tier 2                                          19.1-60                                      Draft Revision 1
 
NuScale Final Safety Analysis Report                                            Probabilistic Risk Assessment As noted in Section 19.1.5.1.1.2, theThe seismic hazard for the NuScale design has been partitioned into 14 seismic initiating event trees defining the SMA, representing different ground motion accelerations. The underlying logic for each tree is identical. The underlying logic for each tree is identical. However, each tree represents a different ground motion acceleration. Each seismic ground motion initiator is a SAPHIRE initiating event with a frequency set to unity in order to evaluate the conditional core damage or large release probability associated with that ground motion.
Each event tree is assigned a ground motion acceleration increasing monotonically from 0.005g to 4.0g. The seismic initiator event tree provided as Figure 19.1-16 corresponds to a range of peak ground accelerations from 0.005g to 0.1g. The thirteen remaining event trees represent ground motion ranges spaced accordingly up to 4.0g (0.1g to 0.2g, 0.2g to 0.4g,..., 2.0 to 2.5g,...,3.0g to 4.0g). Component failure probabilities are then evaluated at the mid-point of each range (0.0525g for a range of 0.005g to 0.1g, for instance).
This methodology supports site-specific estimates of seismic hazard occurrence frequency. Each ground motion initiator is a SAPHIRE initiating event with a frequency set to unity. This allows for an evaluation of conditional core damage or large release probability at each ground motion.
Seismically-induced event trees are initiated based onby the failure of a single component or structural event, as described above. Sequences containing these failure events transfer to other event trees (from the seismic initiating event tree) representing plant response to losses of offsite power (Figure 19.1-20), SGTFs (Figure 19.1-19), loss of coolant accidents inside containment (Figure 19.1-17), and pipe breaks outside containment (Figure 19.1-16).event.
Sequences containing these failure events transfer from Figure 19.1-16 to other seismic event trees that represent plant response to breaks outside containment (Figure 19.1-17), LOCAs inside containment (Figure 19.1-18),
SGTFs (Figure 19.1-19), and losses of offsite power (Figure 19.1-20). Figure 19.1-17 and Figure 19.1-19 include a transfer to a loss of DC power event tree (Figure 19.1-20a) to reflect battery depletion at 24 hours. These trees are modified from existing internal events PRA event trees to remove credit for the availability of AC power or for offsite power recovery.
The LOOP tree is located on the success branches of induced initiators because the conditional probability of its occurrence is higher than the other seismically-induced initiators. Additionally, because offsiteOffsite power loss is the most likely induced initiator (a LOOP would occur from lower ground motions than are expected for any other induced initiator),. As such, credit for offsite power has been removed from the three other induced initiator trees. In the event of a LOOP, credit is given toas illustrated in Figure 19.1-20, credit is considered for the combustion turbineCTG and BDGs. If either survives along with the DC bussesbuses, the response to a transient without the power conversion systemgeneral reactor trip is considered, as indicated by the transfer "TGS---TRAN--NPC-ET" (Figure 19.1-11). If neither survives, offsite and onsite power has been lost and a station blackout exists. Because backup power is fragile relative to the valves and steam generator tubing for the other three induced initiator trees, the existence of power in those situations cannot Tier 2                                          19.1-61                                    Draft Revision 1
 
NuScale Final Safety Analysis Report                                            Probabilistic Risk Assessment reasonably be assumed.is not considered in the other seismic initiator trees. If backup power is unavailable due to the seismic event (Sequence 5 of Figure 19.1-20), a transfer is made to the internal event LOOP event tree (Figure 19.1-9).
In developing the SMA, system fault trees also are modified. Seismic failure modes for structures and components are incorporated by inserting transfer gates for each seismic correlation class into each existing fault tree alongside existing randomly occurring events (failure modes). Events representing failure modes without seismically-relevant equivalents remain in the SMA. They are inserted as the union of existing random failure events with the seismic failure of the seismic correlation class. Once complete, the SMA is representative of seismic failures to different component groups located throughout the plant as well as original random failures. Updated fault tree logic is transferred through the logic of each seismic initiating event tree. Because 14 event trees are utilized to define the seismic hazard, the appropriate ground motion demand corresponding to each event tree is applied with "house" events. These events coincide with the ground motion acceleration modeled with each individual seismic event tree. Project level linkage rules are used to turn house events true or false in order to solve each seismic event tree at the correct ground motion.The appropriate demand level is applied with house events (S-AFLAG-005, S-AFLAG-015, etc., a flag for each seismic hazard bin) that are turned true or false while solving the corresponding seismic event tree. This occurs with project-level event tree linkage rules.
When evaluating the SMA model, each seismic event tree may be analyzed independently to determine the conditional core damage cutsets related to a single ground motion acceleration bin. The SMA cutsets contain both random and seismic failures. Cutsets from the model evaluation are subsumed by gathering the cutsets from a particular end state. From the gathered end state interface in SAPHIRE, subsets of cutsets can be viewed by using the SAPHIRE slice function. In the seismic event trees, sequences involving core damage end with "Level2-ET." This indicates a transfer to the containment event tree (Figure 19.1-15), which contains the radionuclide release categories.
TheIn summary, the SMA event trees terminate in one of four end states:
* OK: No core damage
* CD: Core Damage
* NR: Negligible ReleaseTransfer to another event tree
* LR: Large ReleaseTransfer to the Level 2 event tree.
RAI 19-4 19.1.5.1.1.5         Effects of Seismically Failed SSCs on Surviving SSCs Potential failures of seismically qualified components due to physical interaction with a nonseismically qualified SSCs are evaluated consistent with Tier 2                                          19.1-62                                    Draft Revision 1
 
NuScale Final Safety Analysis Report                                            Probabilistic Risk Assessment the definition of spatial interaction, as defined by the ASME/ANS PRA standard:
RAI 19-4 a) Proximity effects Safe shutdown of an NPM is ensured by opening of the RSVs, combined with successful passive ECCS valve operation, when there is no loss of coolant outside the containment boundary. These components have very high seismic capacities and are physically shielded from nonseismically qualified SSCs by the seismically qualified CNV. These components fail safe on loss of power and are not located in proximity to nonseismically qualified components.
RAI 19-4 b) Structural failure and falling The potential for failure and falling interactions between surviving seismically qualified SSCs and seismically failed SSCs is limited by the nature of the NuScale design. The NPM is physically protected by the pool water, pool walls, bay walls, and, during power operation, the bioshield.
Seismically-induced damage to the bay walls and bioshield is modeled in the SMA; the SMA demonstrates that these structures have higher HCLPF values than potential components that could fail due to a seismic event.
Thus, these structures would provide a physical barrier between potentially failed components and the NPM.
RAI 19-4 When the bioshield is removed from an operating bay prior to NPM transport for refueling, piping penetrations atop the CNV, as well as the DHRS piping and heat exchangers on the side of the NPM, could be impacted by a falling or swinging object. However, the module is shut down and flooded prior to its bioshield being removed. In this configuration, safe shutdown is maintained by conduction from the RPV through to the CNV and reactor pool.
RAI 19-4 c) Flexibility of attached lines and cables Seismically-induced pipe breaks outside containment are modeled in the SMA and encompass the effects of pipe leaks caused by stresses induced by structural displacements or failing objects.
RAI 19-4 The NPM is not precluded from achieving safe shutdown as a result of a loss of electrical power or signaling logic. As such, the SMA model does not credit systems requiring electrical power at ground motion levels sufficient to cause both loss of offsite power and failure of backup power sources.
Tier 2                                          19.1-63                                    Draft Revision 1
 
NuScale Final Safety Analysis Report                                            Probabilistic Risk Assessment 19.1.5.1.2         Results from the Seismic Risk Evaluation Seismic risk is quantified in terms of a plant-level HCLPF g-value. SMAs are required to show that the plant level HCLPF is greater than 1.67 times the design basis SSE, which equates to a 0.84g peak ground acceleration for NuScale.
The SMA cutsets are assessed using the MIN-MAX method to determine the sequence level fragility. In this method, a group of inputs combined using OR logic (such as different sequences) is assigned the minimum fragility of the group.
Conversely, inputs combined with AND logic (such as seismic events within a sequence) are determined by the maximum fragility of the group. The MIN-MAX method is evaluated at the sequence level. This means that the lowest HCLPF cutset value within a sequence determines the seismic margin. In a cutset containing multiple seismic failures, the highest HCLPF value determines the cutset HCLPF.
The resulting HCLPF acceleration for the NuScale design is 0.88g. Structural events are the leading contributor to the seismic margin because of their immediate consequences and relatively low PGA-grounded median capacities as compared to component failures. Table 19.1-35 summarizes the fragility analysis for each of the structural events. Each of the structural event parameters has been calculated using design specific fragilities. From Table 19.1-35, the structural event with the lowest HCLPF is corbel support bearing failure at 0.68g. While this structural event results in a pipe break outside containment, it is isolable and the seismic capacity of the isolation valves results in a much higher HCLPF for these sequences involving the corbel bearing failure. This leaves corbel shearreactor bay wall failure and RBC failure as having the limiting HCLPFs. The SMA assumes that failure of major structures leads to sufficient damage to the modules such that core damage and a large release would result.
Significant Sequences This section provides brief descriptions of the significant contributors to risk as determined by the SMA.
Structural events are by far the leading contributor to the seismic margin. The bounding structural event is weldment failure on the crane bridge seismic restraints, which is modeled to lead directly to crane collapse, core damage and large release.
A single SMA sequence (sequence SEISMIC-ET-HCLPF: 6-3) contains all structural events and represents 99.8 percent of the large release conditional failure probability after a HCLPF-level earthquake. In accordance with the MIN-MAX method, the lowest HCLPF value between cutsets in the same sequence is controlling. This is why only the reactor building crane event HCLPF of 0.88g shows up at the sequence level.
Risk Significance Tier 2                                            19.1-64                                    Draft Revision 1
 
NuScale Final Safety Analysis Report                                              Probabilistic Risk Assessment Potentially risk significant structures, components and operator actions are discussed below.
Significant Structural Failures Table 19.1-35 lists nine individual structural failure modes for which seismic fragilities are generated. Of these, eight represent single structures that, if they were to fail during a seismic event, arestructural failure modes assumed to lead directly to core damage and a large release. The fault tree logic for these structures is represented by an "OR" gate with all eight inputs, with any one failure leading to core damage and large release. The accident sequence logic is represented by the first heading of the seismic event tree (Figure 19.1-16). The most risk significant of these structural failures is for yielding of the reactor building crane bridge seismic restraint weldments.reactor crane bridge seismic restraint weldment yielding, as it has the lowest HCLPF per Table 19.1-35.
A ninth structural failure mode, corbel bearing failure, can resultresults in a pipe break outside containment. However, additional structural or random failures must occur in the form of failing to isolate containment before core damage would result. Successful isolation enables the ability of the DHRS and the ECCS to provide adequate core cooling. Therefore, the corbel bearing failure is not considered as risk significant as the other eight structural failures.
Significant Component Failure Modes The NuScale unique passive safety features limits the risk associated with failure of active components (such as pumps, compressors and switches) to perform during or after a seismic event. In addition, mitigating systems are largely fail safe, resulting in their actuation on loss of power or control. As such, very few component failures have the potential to contribute to seismic risk.
Moreover, component fragilities reported in Table 19.1-38 show very low seismic failure probabilitiesa high degree of component seismic robustness. The fail-safe design of PRA-critical components means that the only credible seismic failures of the valves required to achieve safe shutdown involves physical deformation of the valves themselves, which only occurs under extreme stresses concentrations. As a result, component failures (either seismic or random) do not contribute significantly to the potential for core damage or releases following a seismic event.
Rather, similar to the internal events PRA, CCF of key functions have the most potential for controlling risk, e.g., common cause events leading to failure of reactor trip, ECCS valve CCFs and failures to isolate containment (in response to seismically induced SGTF or breakspipe break outside containment).
Significant Operator Actions The SMA model implements HFE probabilities in the same manner as the internal events PRA. Individual system-specific HFE events are first inserted into cutsets using sequence logic; no seismic-specific operator actions were added to the SMA models.
Tier 2                                            19.1-65                                      Draft Revision 1
 
NuScale Final Safety Analysis Report                                            Probabilistic Risk Assessment The internal events human error probabilities of each HFE in the SMA models are multiplied by a factor of 5 for the SMA, to account for the assumed "extreme stress" environment associated with any seismic event (per SPAR-H methodology, NUREG/
CR-6883, Reference 19.1-22). This is performed regardless of ground motion, meaning the HEPs at lower ground motion levels are conservative.
RAI 19-3 The NuScale design incorporates a significant amount of passive safety features, requiring little or no operator intervention to initiate or maintain operation. As a result, seismic cutsets containing HFEs also include other seismically induced or random failures that limit the importance of operator actions. Despite the increase in seismic HEPs described above,There are no recovery actions credited in the SMA.
Although the HEPs are increased for the SMA, there are no operator actions that play a substantial role in contributing to, or mitigating, the conditional core damage probability results for the SMA.
Key Assumptions Table 19.1-40 summarizes the key assumptions associated with the SMA.
Uncertainties Parameters representing aleatory and epistemic uncertainty are used directly in evaluating the plant-level HCLPF. Each SSC in the SMA is modeled with a lognormal uncertainty distribution using randomness (r) and epistemic uncertainty (u) parameters. For PRA-critical SSC that are the subject of detailed fragility, uncertainty parameters are also assigned to each sub-factor that contributes to the overall safety factor.
The SMA contains uncertainty from many sources, including:
* Ground motion variability
* Uncertainty in soil-structure interaction
* Uncertainty in structural response factors
* Spectral shape (motion frequency) uncertainty
* SSC capacity uncertainty (material strength and inelastic energy absorption)
The modeling of seismic uncertainty is divided into two composite factors, r and
: u. Both r and u are included in each seismic event, along with the median capacity Am.
Tier 2                                          19.1-66                                    Draft Revision 1
 
Tier 2 NuScale Final Safety Analysis Report Table 19.1-35: Structural Fragility Parameters and Results Structural Event                  Am (g)         r              u          HCLPF (g)         Controlling Failure Mode            Assumed consequence Reactor Building Crane                2.64            0.28            0.39            0.88              Bridge seismic restraint           Core damage / Large Release weldment yielding Reactor Building Wall                2.27            0.20            0.32            0.960.97          Out-of-plane shear cracking at     Core damage / Large Release base of outer E-W wall Reactor Module Supports - Corbel     1.942.05        0.21            0.240.42        0.680.73          Reactor module support lug         Isolable pipe break outside bearing failure                                                                                          bearing compressive failure on     containment corbel concrete Reactor Module Supports - Corbel         2.672.83      0.21          0.380.41        1.011.02          Corbel concrete diagonal shear     Core damage / Large Release shear                                                                                                    failure Reactor Bay Wall                        2.47          0.19          0.42            1.130.91          In-plane gross shear failure      Core damage / Large Release Bio Shield - horizontal shear flexure - 11.62          0.28          0.37            3.983.99          Horizontal shield slab bending     Core damage / Large Release normal operation                                                                                        failure Bio shield - pool wall bolt failure -   5.37          0.28          0.35            1.901.91          Shear Failure of pool wall Anchor Core damage / Large Release normal operation                                                                                        Bolts Bio shield - horizontal shear flexure - 4.05            0.28          0.41            1.30              Bending failure of both stacked   Core damage / Large Release 19.1-198 double stacked for refueling of adj.                                                                     shield slabs                      when configuration present model Bio shield - pool wall bolt failure -    3.05          0.28          0.35            1.08              Shear Failure of pool wall Anchor Core damage / Large Release double stacked for refueling of adj.                                                                      Bolts                            when configuration present model Am = median seismic capacity; u = uncertainty in the median seismic capacity; r = randomness of the fragility evaluation; HCLPF = High-Confidence (95%) of a Low Probability (5%) of Failure, = Am exp [-1.65 (r + u)]
Probabilistic Risk Assessment Draft Revision 1
 
Tier 2 NuScale Final Safety Analysis Report Figure 19.1-16: Representative Seismic Initiating Event Tree SEISMIC INITIATING EVENT;     SEISMICALLY INDUCED    SEISMICALLY INDUCED    SEISMICALLY INDUCED    SEISMICALLY INDUCED    SEISMICALLY INDUCED  #        End State 0.005g < PGA <= 0.1g      STRUCTURAL FAILURE        LOCA OUTSIDE            LOCA INSIDE        STEAM GENERATOR          LOSS OF OFFSITE            (Phase - PH1)
CONTAINMENT            CONTAINMENT              FAILURE                POWER IE-SEISMIC-005              STRUCT-----SEIS        LOCA---OC--SEIS        LOCA---IC--SEIS        LOCA---SG--SEIS        LOOP-------SEIS 1          OK 2  LOOP-------SEIS-ET 3  LOCA---SG--SEIS-ET 4  LOCA---IC--SEIS-ET 5  LOCA---OC--SEIS-ET 6      LEVEL2-ET 19.1-317 Probabilistic Risk Assessment Draft Revision 1
 
Tier 2 NuScale Final Safety Analysis Report Figure 19.1-17: Seismically Induced Pipe Break Outside Containment Event Tree CVCS LOCA Charging Line     Reactor Trip System  CVCS Charging Line LOCA   DHRS (2 Trains Available 1   RCS Reactor Safety Valve   RCS Reactor Safety Valves   ECCS RX Vent Valves and   #        End State Outside Containment                                Outside Containment            Required)                    Opens                      Cycling              RX Recirculation Valves           (Phase - PH1)
Isolation                                                                                                      Open IE-CVCS--ALOCA-COC        RTS-T01                  CVCS-T02                  DHRS-T01                    RCS-T01                    RCS-T02                    ECCS-T01 1    LODC---ECC-SEIS-ET 2    LODC---ECC-SEIS-ET 3          OK 4        LEVEL2-ET 5        LEVEL2-ET 6        LEVEL2-ET 7        LEVEL2-ET 8    LODC---ECC-SEIS-ET 19.1-318 9          OK 10      LEVEL2-ET 11      LEVEL2-ET 12      LEVEL2-ET 13      LEVEL2-ET Probabilistic Risk Assessment Draft Revision 1
 
Tier 2 NuScale Final Safety Analysis Report Figure 19.1-18: Seismically Induced Loss-of-Coolant Accident Inside Containment Event Tree LOCA Inside Containment      Reactor Trip System      ECCS RX Vent Valves and        #              End State RX Recirculation Valves                    (Phase - PH1)
Open IE-RCS---ALOCA-IC-         RTS-T01                      ECCS-T01 1                  OK 2             LEVEL2-ET 3                  OK 4              LEVEL2-ET 19.1-319 Probabilistic Risk Assessment Draft Revision 1
 
Tier 2 NuScale Final Safety Analysis Report Figure 19.1-19: Seismically Induced Steam Generator Tube Failure Event Tree Steam Generator #2 Tube      Reactor Trip System      SG #2 Tube Failure    DHRS (#1 Train Available)   RCS Reactor Safety Valve   RCS Reactor Safety Valves   ECCS RX Vent Valves and   #        End State Failure                                            Isolated                                            Opens                      Cycling              RX Recirculation Valves           (Phase - PH1)
Open IE-MSS---ALOCA-SG-         RTS-T01                  RCS-T04                DHRS-T02                    RCS-T01                    RCS-T02                    ECCS-T01 1    LODC---ECC-SEIS-ET 2    LODC---ECC-SEIS-ET 3          OK 4        LEVEL2-ET 5        LEVEL2-ET 6        LEVEL2-ET 7        LEVEL2-ET 8    LODC---ECC-SEIS-ET 19.1-320 9          OK 10      LEVEL2-ET 11      LEVEL2-ET 12      LEVEL2-ET 13      LEVEL2-ET Probabilistic Risk Assessment Draft Revision 1
 
Tier 2 NuScale Final Safety Analysis Report Figure 19.1-20: Seismically Induced Loss of Offsite Power Event Tree LOSS OF OFFSITE   COMBUSTION TURBINE         BACKUP DIESEL           DC TRAINS REMAIN         #       End State POWER            GENERATOR                GENERATORS                ENERGIZED                    (Phase - PH1)
IE-EHVS--LOOP-----    EHVS-T01                ELVS-T01                EDSS-T01 1  TGS---TRAN--NPC-ET 2  TGS---TRAN--NPC-ET 3  TGS---TRAN--NPC-ET 4  TGS---TRAN--NPC-ET 5  EHVS--LOOP-----ET 19.1-321 Probabilistic Risk Assessment Draft Revision 1
 
Tier 2 NuScale Final Safety Analysis Report Figure 19.1-20a: Seismically Induced Loss of DC Power Event Tree LOSS OF DC POWER          ECCS RX Vent Valves and                   #                  End State RX Recirculation Valves                                   (Phase - PH1)
Open IE-EDSS--LODC-----          ECCS-T01 1                    OK 2                LEVEL2-ET 19.1-322 Probabilistic Risk Assessment Draft Revision 1}}

Latest revision as of 20:07, 8 March 2020

LLC Submittal of Changes to Final Safety Analysis Report, Section 19.1.5.1, Seismic Risk Evaluation.
ML17215B036
Person / Time
Site: NuScale
Issue date: 08/03/2017
From: Rad Z
NuScale
To:
Document Control Desk, Office of New Reactors
References
LO-0717-54957
Download: ML17215B036 (18)


Text

LO-0717-54957 August 3, 2017 Docket No.52-048 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk One White Flint North 11555 Rockville Pike Rockville, MD 20852-2738

SUBJECT:

NuScale Power, LLC Submittal of Changes to Final Safety Analysis Report, Section 19.1.5.1, Seismic Risk Evaluation

REFERENCE:

Letter from NuScale Power, LLC to Nuclear Regulatory Commission, NuScale Power, LLC Submittal of the NuScale Standard Plant Design Certification Application, dated December 31, 2016 (ML17013A229)

During a July 18, 2017 closed teleconference with Mr. Mark Caruso and other members of NRC staff related to the ongoing PRA audit, NuScale Power, LLC (NuScale) discussed potential updates to Final Safety Analysis Report (FSAR) Section 19.1.5.1 Seismic Risk Evaluation. The Enclosure to this letter provides a mark-up of the FSAR pages incorporating revisions to Section 19.1.5.1, in redline/strikeout format. NuScale will include these changes as part of a future revision to the NuScale Design Certification Application.

This letter makes no regulatory commitments or revisions to any existing regulatory commitments.

Please contact Darrell Gardner at (980) 349-4829 or at dgardner@nuscalepower.com if you have any questions.

Sincerely, y,

Zackary Z ckary W. Rad Za Director, Regulatory Affairs NuScale Power, LLC Distribution: Samuel Lee, NRC, OWFN-8G9A Gregory Cranston, NRC, OWFN-8G9A Rani Franovich, NRC, OWFN-8G9A

Enclosure:

Changes to NuScale Final Safety Analysis Report, Section 19.1.5.1, Seismic Risk Evaluation NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com

LO-0717-54957

Enclosure:

Changes to NuScale Final Safety Analysis Report, Section 19.1.5.1, Seismic Risk Evaluation NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvallis, Oregon 97330 Office 541.360-0500 Fax 541.207.3928 www.nuscalepower.com

NuScale Final Safety Analysis Report Probabilistic Risk Assessment The SMA covers full power and LPSD operating conditions and includes Level 1 (core damage) and Level 2 (large release) consequences.

19.1.5.1.1 Description of the Seismic Risk Evaluation There are two main tasks associated with performing a PRA-based SMA: seismic fragility analysis (structures and components), and seismic plant response analysis (accident sequence analysis and plant level response). The following sections summarize the SMA approach:

  • Seismic Analysis Methodology and Approach (Section 19.1.5.1.1.1).
  • Seismic Input Spectrum (Section 19.1.5.1.1.2).
  • Seismic Fragility Evaluation (Section 19.1.5.1.1.3).
  • Seismic Risk Accident Sequence and System Modeling (Section 19.1.5.1.1.4).

19.1.5.1.1.1 Seismic Analysis Methodology and Approach The PRA-based SMA for the NuScale power plantNuScale Power Module (NPM)

(single module) is performed in accordance with the applicable NRC guidance documents DC/COL-ISG-020 (Reference 19.1-56), and with the applicable guidance in thePart 10 of ASME-ANS Ra-Sa-2009 (Reference 19.1-2) as endorsed by RG1.200. As discussed in DC/COL-ISG-020, the purpose of a PRA-based SMA is to provide an understanding of significant seismic vulnerabilities and other seismic insights, thus establishing the seismic robustness of a standard design. The SMA analysis must be performed relative to a review level earthquake of 1.67 times the safe shutdown earthquake (SSE).

19.1.5.1.1.2 Seismic Input Spectrum Component fragility is referenced to the peak ground acceleration defining the uniform hazard response spectra for a site, which is the SSE. The certified seismic design response spectra (CSDRS) envelopes this spectrum for the NuScale design with an SSE of 0.5g.

19.1.5.1.1.3 Seismic Fragility Evaluation A seismic fragility analysis is completed as part of an SMA. Fragility describes the probability of failure of a component under specific capacity and demand parameters and their uncertainties. It should be noted that all SSC modeled in the internal events PRA were included in fragility analysis. No pre-screening was performed to establish a seismic equipment list (SEL) or safe shutdown equipment list (SSEL).

Seismic capacities for structures and components modeled in the SMA are obtained by performing detailed fragility analysis using either the hybrid method or the separation of variables method described in Reference 19.1-21, Reference 19.1-57, and Reference 19.1-58. For non-critical components, Tier 2 19.1-54 Draft Revision 1

NuScale Final Safety Analysis Report Probabilistic Risk Assessment simplification is required because the bioshield, CNV and RPV integrity are not credited following a crane collapse.

Reactor Building Wall The fragility of the RXB as a whole is modeled by a fragility analysis of the structural location experiencing maximal loads (both seismic and normal).

Failure is assumed to lead to building collapse, core damage and large release.

The RXB is modeled using the controlling failure mode of out-of-plane shear cracking at the base of the outer East-West wall. The outer walls have the highest elevation and fewest lateral supports.

NuScale Power Module Supports The two supporting interfaces between the CNV and the reactor pool are:

  • The support lugs and wall corbels;
  • The support skirt and pedestal.

The support lug and corbel analysis revealed two controlling failure modes with different consequences: bearing failure of the lugs on the corbel concrete and corbel shear failure.

Corbel bearing failure is expected to crush the corbel concrete in compression, causing minor axial rotation of the module resulting in a displacement assumed to be no more than 1 inch for the CNV. Because the flexibility in the piping is in the section between the isolation valve and the wall penetration, there is no credible mechanism for the bearing failure displacement to cause piping on top of the CNV to shear off of the vessel. Therefore, the bounding consequences of such a displacement would be stress concentrations on the piping attached to the top of the CNV, resulting in a potential leak of primary coolant outside containment outside the CIVs. This scenario is therefore modeled as a pipe break outside containment with containment isolation available.

Corbel shear failure is expected to occur at a higher loading than bearing failure. Shear failure on any of the three corbels is the controlling failure mode for the reactor module supports. Support failure is assumed to directly cause core damage and a large release because the integrity of the RPV and CNV cannot be ensured if the module becomes detached from its supports.

The controlling failure mode for the passive support ring is expected to be horizontal shear force, which is part of the foundation and located inside the outer vessel support skirt ring. Its calculated scale factor of 3.46 is higher than that of the corbel shear failure. It is therefore screened out as a non-controlling failure mode for the reactor supports.

Reactor Bay Wall Tier 2 19.1-56 Draft Revision 1

NuScale Final Safety Analysis Report Probabilistic Risk Assessment the acceleration with a one percent probability of failure on the mean fragility curve.

Demand response factors convert peak ground accelerations to the accelerations experienced by components at different locations. For components assigned generic capacities, the local equipment seismicity is scaled up from the peak ground acceleration by using a demand scale factor.

This factor is calculated by dividing the peak clipped spectral accelerations by the corresponding CSDRS values in the frequency range of interest, and selecting the maximum ratio. As a result, the implicit safety factors used in the evaluation of the generic spectral acceleration capacity are compared with the design-specific ISRS in evaluating the SSC fragility.

This methodology was chosen so that NuScale-specific response data is reflected in the evaluation of component fragility.

19.1.5.1.1.4 Systems and Accident Sequence Analysis Plant response analysis maps the consequences of seismic initiators combined with seismic and random failures. This analysis produces event trees with seismically induced initiating events, component and structural events, and non-seismic unavailability.

The SAPHIRE computer code is used for quantification of the logic models utilized in the NuScale SMA.

Seismically-Induced Initiators Plant response after a seismic event is mapped using seismically-induced event initiators, which haveinitiators, as illustrated in Figure 19.1-16. The seismically-induced initiators are modeled using similar logic to their corresponding random internal events PRA initiators. Plant response is only modeledmodeled only for earthquakes with a non-negligible probability of causing a reactor trip.

The lowest threshold for seismically-induced initiators is a LOOP, which has a median failure capacity of 0.3g. A seismically-induced LOOP credits AC power recovery from the CTG or the BDGs (Am = 0.65g for both). If both the turbine and the diesels fail to restore power, the ECCS valves open after the DC power holding the valves closed, is removed, and the DHRS or the reactor safety valves (RSVs) depressurize the RPV to the point where the inadvertent actuation block (IAB) allows the ECCS valves to open.

Seismically-induced SGTF is then modeled with a median failure capacity of 2.9g (failure of the support leads to tube failure). The logic is mapped similarly to a randomly occurring SGTF. Other induced failures include LOCAs inside containment (spurious opening of RSVs or ECCS valves), LOCAsbreaks outside containment (corbel bearing failure or CVCS regenerative heat exchanger failure) and (most severely) structural events.

Tier 2 19.1-60 Draft Revision 1

NuScale Final Safety Analysis Report Probabilistic Risk Assessment As noted in Section 19.1.5.1.1.2, theThe seismic hazard for the NuScale design has been partitioned into 14 seismic initiating event trees defining the SMA, representing different ground motion accelerations. The underlying logic for each tree is identical. The underlying logic for each tree is identical. However, each tree represents a different ground motion acceleration. Each seismic ground motion initiator is a SAPHIRE initiating event with a frequency set to unity in order to evaluate the conditional core damage or large release probability associated with that ground motion.

Each event tree is assigned a ground motion acceleration increasing monotonically from 0.005g to 4.0g. The seismic initiator event tree provided as Figure 19.1-16 corresponds to a range of peak ground accelerations from 0.005g to 0.1g. The thirteen remaining event trees represent ground motion ranges spaced accordingly up to 4.0g (0.1g to 0.2g, 0.2g to 0.4g,..., 2.0 to 2.5g,...,3.0g to 4.0g). Component failure probabilities are then evaluated at the mid-point of each range (0.0525g for a range of 0.005g to 0.1g, for instance).

This methodology supports site-specific estimates of seismic hazard occurrence frequency. Each ground motion initiator is a SAPHIRE initiating event with a frequency set to unity. This allows for an evaluation of conditional core damage or large release probability at each ground motion.

Seismically-induced event trees are initiated based onby the failure of a single component or structural event, as described above. Sequences containing these failure events transfer to other event trees (from the seismic initiating event tree) representing plant response to losses of offsite power (Figure 19.1-20), SGTFs (Figure 19.1-19), loss of coolant accidents inside containment (Figure 19.1-17), and pipe breaks outside containment (Figure 19.1-16).event.

Sequences containing these failure events transfer from Figure 19.1-16 to other seismic event trees that represent plant response to breaks outside containment (Figure 19.1-17), LOCAs inside containment (Figure 19.1-18),

SGTFs (Figure 19.1-19), and losses of offsite power (Figure 19.1-20). Figure 19.1-17 and Figure 19.1-19 include a transfer to a loss of DC power event tree (Figure 19.1-20a) to reflect battery depletion at 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. These trees are modified from existing internal events PRA event trees to remove credit for the availability of AC power or for offsite power recovery.

The LOOP tree is located on the success branches of induced initiators because the conditional probability of its occurrence is higher than the other seismically-induced initiators. Additionally, because offsiteOffsite power loss is the most likely induced initiator (a LOOP would occur from lower ground motions than are expected for any other induced initiator),. As such, credit for offsite power has been removed from the three other induced initiator trees. In the event of a LOOP, credit is given toas illustrated in Figure 19.1-20, credit is considered for the combustion turbineCTG and BDGs. If either survives along with the DC bussesbuses, the response to a transient without the power conversion systemgeneral reactor trip is considered, as indicated by the transfer "TGS---TRAN--NPC-ET" (Figure 19.1-11). If neither survives, offsite and onsite power has been lost and a station blackout exists. Because backup power is fragile relative to the valves and steam generator tubing for the other three induced initiator trees, the existence of power in those situations cannot Tier 2 19.1-61 Draft Revision 1

NuScale Final Safety Analysis Report Probabilistic Risk Assessment reasonably be assumed.is not considered in the other seismic initiator trees. If backup power is unavailable due to the seismic event (Sequence 5 of Figure 19.1-20), a transfer is made to the internal event LOOP event tree (Figure 19.1-9).

In developing the SMA, system fault trees also are modified. Seismic failure modes for structures and components are incorporated by inserting transfer gates for each seismic correlation class into each existing fault tree alongside existing randomly occurring events (failure modes). Events representing failure modes without seismically-relevant equivalents remain in the SMA. They are inserted as the union of existing random failure events with the seismic failure of the seismic correlation class. Once complete, the SMA is representative of seismic failures to different component groups located throughout the plant as well as original random failures. Updated fault tree logic is transferred through the logic of each seismic initiating event tree. Because 14 event trees are utilized to define the seismic hazard, the appropriate ground motion demand corresponding to each event tree is applied with "house" events. These events coincide with the ground motion acceleration modeled with each individual seismic event tree. Project level linkage rules are used to turn house events true or false in order to solve each seismic event tree at the correct ground motion.The appropriate demand level is applied with house events (S-AFLAG-005, S-AFLAG-015, etc., a flag for each seismic hazard bin) that are turned true or false while solving the corresponding seismic event tree. This occurs with project-level event tree linkage rules.

When evaluating the SMA model, each seismic event tree may be analyzed independently to determine the conditional core damage cutsets related to a single ground motion acceleration bin. The SMA cutsets contain both random and seismic failures. Cutsets from the model evaluation are subsumed by gathering the cutsets from a particular end state. From the gathered end state interface in SAPHIRE, subsets of cutsets can be viewed by using the SAPHIRE slice function. In the seismic event trees, sequences involving core damage end with "Level2-ET." This indicates a transfer to the containment event tree (Figure 19.1-15), which contains the radionuclide release categories.

TheIn summary, the SMA event trees terminate in one of four end states:

  • OK: No core damage
  • CD: Core Damage
  • NR: Negligible ReleaseTransfer to another event tree
  • LR: Large ReleaseTransfer to the Level 2 event tree.

RAI 19-4 19.1.5.1.1.5 Effects of Seismically Failed SSCs on Surviving SSCs Potential failures of seismically qualified components due to physical interaction with a nonseismically qualified SSCs are evaluated consistent with Tier 2 19.1-62 Draft Revision 1

NuScale Final Safety Analysis Report Probabilistic Risk Assessment the definition of spatial interaction, as defined by the ASME/ANS PRA standard:

RAI 19-4 a) Proximity effects Safe shutdown of an NPM is ensured by opening of the RSVs, combined with successful passive ECCS valve operation, when there is no loss of coolant outside the containment boundary. These components have very high seismic capacities and are physically shielded from nonseismically qualified SSCs by the seismically qualified CNV. These components fail safe on loss of power and are not located in proximity to nonseismically qualified components.

RAI 19-4 b) Structural failure and falling The potential for failure and falling interactions between surviving seismically qualified SSCs and seismically failed SSCs is limited by the nature of the NuScale design. The NPM is physically protected by the pool water, pool walls, bay walls, and, during power operation, the bioshield.

Seismically-induced damage to the bay walls and bioshield is modeled in the SMA; the SMA demonstrates that these structures have higher HCLPF values than potential components that could fail due to a seismic event.

Thus, these structures would provide a physical barrier between potentially failed components and the NPM.

RAI 19-4 When the bioshield is removed from an operating bay prior to NPM transport for refueling, piping penetrations atop the CNV, as well as the DHRS piping and heat exchangers on the side of the NPM, could be impacted by a falling or swinging object. However, the module is shut down and flooded prior to its bioshield being removed. In this configuration, safe shutdown is maintained by conduction from the RPV through to the CNV and reactor pool.

RAI 19-4 c) Flexibility of attached lines and cables Seismically-induced pipe breaks outside containment are modeled in the SMA and encompass the effects of pipe leaks caused by stresses induced by structural displacements or failing objects.

RAI 19-4 The NPM is not precluded from achieving safe shutdown as a result of a loss of electrical power or signaling logic. As such, the SMA model does not credit systems requiring electrical power at ground motion levels sufficient to cause both loss of offsite power and failure of backup power sources.

Tier 2 19.1-63 Draft Revision 1

NuScale Final Safety Analysis Report Probabilistic Risk Assessment 19.1.5.1.2 Results from the Seismic Risk Evaluation Seismic risk is quantified in terms of a plant-level HCLPF g-value. SMAs are required to show that the plant level HCLPF is greater than 1.67 times the design basis SSE, which equates to a 0.84g peak ground acceleration for NuScale.

The SMA cutsets are assessed using the MIN-MAX method to determine the sequence level fragility. In this method, a group of inputs combined using OR logic (such as different sequences) is assigned the minimum fragility of the group.

Conversely, inputs combined with AND logic (such as seismic events within a sequence) are determined by the maximum fragility of the group. The MIN-MAX method is evaluated at the sequence level. This means that the lowest HCLPF cutset value within a sequence determines the seismic margin. In a cutset containing multiple seismic failures, the highest HCLPF value determines the cutset HCLPF.

The resulting HCLPF acceleration for the NuScale design is 0.88g. Structural events are the leading contributor to the seismic margin because of their immediate consequences and relatively low PGA-grounded median capacities as compared to component failures. Table 19.1-35 summarizes the fragility analysis for each of the structural events. Each of the structural event parameters has been calculated using design specific fragilities. From Table 19.1-35, the structural event with the lowest HCLPF is corbel support bearing failure at 0.68g. While this structural event results in a pipe break outside containment, it is isolable and the seismic capacity of the isolation valves results in a much higher HCLPF for these sequences involving the corbel bearing failure. This leaves corbel shearreactor bay wall failure and RBC failure as having the limiting HCLPFs. The SMA assumes that failure of major structures leads to sufficient damage to the modules such that core damage and a large release would result.

Significant Sequences This section provides brief descriptions of the significant contributors to risk as determined by the SMA.

Structural events are by far the leading contributor to the seismic margin. The bounding structural event is weldment failure on the crane bridge seismic restraints, which is modeled to lead directly to crane collapse, core damage and large release.

A single SMA sequence (sequence SEISMIC-ET-HCLPF: 6-3) contains all structural events and represents 99.8 percent of the large release conditional failure probability after a HCLPF-level earthquake. In accordance with the MIN-MAX method, the lowest HCLPF value between cutsets in the same sequence is controlling. This is why only the reactor building crane event HCLPF of 0.88g shows up at the sequence level.

Risk Significance Tier 2 19.1-64 Draft Revision 1

NuScale Final Safety Analysis Report Probabilistic Risk Assessment Potentially risk significant structures, components and operator actions are discussed below.

Significant Structural Failures Table 19.1-35 lists nine individual structural failure modes for which seismic fragilities are generated. Of these, eight represent single structures that, if they were to fail during a seismic event, arestructural failure modes assumed to lead directly to core damage and a large release. The fault tree logic for these structures is represented by an "OR" gate with all eight inputs, with any one failure leading to core damage and large release. The accident sequence logic is represented by the first heading of the seismic event tree (Figure 19.1-16). The most risk significant of these structural failures is for yielding of the reactor building crane bridge seismic restraint weldments.reactor crane bridge seismic restraint weldment yielding, as it has the lowest HCLPF per Table 19.1-35.

A ninth structural failure mode, corbel bearing failure, can resultresults in a pipe break outside containment. However, additional structural or random failures must occur in the form of failing to isolate containment before core damage would result. Successful isolation enables the ability of the DHRS and the ECCS to provide adequate core cooling. Therefore, the corbel bearing failure is not considered as risk significant as the other eight structural failures.

Significant Component Failure Modes The NuScale unique passive safety features limits the risk associated with failure of active components (such as pumps, compressors and switches) to perform during or after a seismic event. In addition, mitigating systems are largely fail safe, resulting in their actuation on loss of power or control. As such, very few component failures have the potential to contribute to seismic risk.

Moreover, component fragilities reported in Table 19.1-38 show very low seismic failure probabilitiesa high degree of component seismic robustness. The fail-safe design of PRA-critical components means that the only credible seismic failures of the valves required to achieve safe shutdown involves physical deformation of the valves themselves, which only occurs under extreme stresses concentrations. As a result, component failures (either seismic or random) do not contribute significantly to the potential for core damage or releases following a seismic event.

Rather, similar to the internal events PRA, CCF of key functions have the most potential for controlling risk, e.g., common cause events leading to failure of reactor trip, ECCS valve CCFs and failures to isolate containment (in response to seismically induced SGTF or breakspipe break outside containment).

Significant Operator Actions The SMA model implements HFE probabilities in the same manner as the internal events PRA. Individual system-specific HFE events are first inserted into cutsets using sequence logic; no seismic-specific operator actions were added to the SMA models.

Tier 2 19.1-65 Draft Revision 1

NuScale Final Safety Analysis Report Probabilistic Risk Assessment The internal events human error probabilities of each HFE in the SMA models are multiplied by a factor of 5 for the SMA, to account for the assumed "extreme stress" environment associated with any seismic event (per SPAR-H methodology, NUREG/

CR-6883, Reference 19.1-22). This is performed regardless of ground motion, meaning the HEPs at lower ground motion levels are conservative.

RAI 19-3 The NuScale design incorporates a significant amount of passive safety features, requiring little or no operator intervention to initiate or maintain operation. As a result, seismic cutsets containing HFEs also include other seismically induced or random failures that limit the importance of operator actions. Despite the increase in seismic HEPs described above,There are no recovery actions credited in the SMA.

Although the HEPs are increased for the SMA, there are no operator actions that play a substantial role in contributing to, or mitigating, the conditional core damage probability results for the SMA.

Key Assumptions Table 19.1-40 summarizes the key assumptions associated with the SMA.

Uncertainties Parameters representing aleatory and epistemic uncertainty are used directly in evaluating the plant-level HCLPF. Each SSC in the SMA is modeled with a lognormal uncertainty distribution using randomness (r) and epistemic uncertainty (u) parameters. For PRA-critical SSC that are the subject of detailed fragility, uncertainty parameters are also assigned to each sub-factor that contributes to the overall safety factor.

The SMA contains uncertainty from many sources, including:

  • Ground motion variability
  • Uncertainty in soil-structure interaction
  • Uncertainty in structural response factors
  • Spectral shape (motion frequency) uncertainty
  • SSC capacity uncertainty (material strength and inelastic energy absorption)

The modeling of seismic uncertainty is divided into two composite factors, r and

u. Both r and u are included in each seismic event, along with the median capacity Am.

Tier 2 19.1-66 Draft Revision 1

Tier 2 NuScale Final Safety Analysis Report Table 19.1-35: Structural Fragility Parameters and Results Structural Event Am (g) r u HCLPF (g) Controlling Failure Mode Assumed consequence Reactor Building Crane 2.64 0.28 0.39 0.88 Bridge seismic restraint Core damage / Large Release weldment yielding Reactor Building Wall 2.27 0.20 0.32 0.960.97 Out-of-plane shear cracking at Core damage / Large Release base of outer E-W wall Reactor Module Supports - Corbel 1.942.05 0.21 0.240.42 0.680.73 Reactor module support lug Isolable pipe break outside bearing failure bearing compressive failure on containment corbel concrete Reactor Module Supports - Corbel 2.672.83 0.21 0.380.41 1.011.02 Corbel concrete diagonal shear Core damage / Large Release shear failure Reactor Bay Wall 2.47 0.19 0.42 1.130.91 In-plane gross shear failure Core damage / Large Release Bio Shield - horizontal shear flexure - 11.62 0.28 0.37 3.983.99 Horizontal shield slab bending Core damage / Large Release normal operation failure Bio shield - pool wall bolt failure - 5.37 0.28 0.35 1.901.91 Shear Failure of pool wall Anchor Core damage / Large Release normal operation Bolts Bio shield - horizontal shear flexure - 4.05 0.28 0.41 1.30 Bending failure of both stacked Core damage / Large Release 19.1-198 double stacked for refueling of adj. shield slabs when configuration present model Bio shield - pool wall bolt failure - 3.05 0.28 0.35 1.08 Shear Failure of pool wall Anchor Core damage / Large Release double stacked for refueling of adj. Bolts when configuration present model Am = median seismic capacity; u = uncertainty in the median seismic capacity; r = randomness of the fragility evaluation; HCLPF = High-Confidence (95%) of a Low Probability (5%) of Failure, = Am exp [-1.65 (r + u)]

Probabilistic Risk Assessment Draft Revision 1

Tier 2 NuScale Final Safety Analysis Report Figure 19.1-16: Representative Seismic Initiating Event Tree SEISMIC INITIATING EVENT; SEISMICALLY INDUCED SEISMICALLY INDUCED SEISMICALLY INDUCED SEISMICALLY INDUCED SEISMICALLY INDUCED # End State 0.005g < PGA <= 0.1g STRUCTURAL FAILURE LOCA OUTSIDE LOCA INSIDE STEAM GENERATOR LOSS OF OFFSITE (Phase - PH1)

CONTAINMENT CONTAINMENT FAILURE POWER IE-SEISMIC-005 STRUCT-----SEIS LOCA---OC--SEIS LOCA---IC--SEIS LOCA---SG--SEIS LOOP-------SEIS 1 OK 2 LOOP-------SEIS-ET 3 LOCA---SG--SEIS-ET 4 LOCA---IC--SEIS-ET 5 LOCA---OC--SEIS-ET 6 LEVEL2-ET 19.1-317 Probabilistic Risk Assessment Draft Revision 1

Tier 2 NuScale Final Safety Analysis Report Figure 19.1-17: Seismically Induced Pipe Break Outside Containment Event Tree CVCS LOCA Charging Line Reactor Trip System CVCS Charging Line LOCA DHRS (2 Trains Available 1 RCS Reactor Safety Valve RCS Reactor Safety Valves ECCS RX Vent Valves and # End State Outside Containment Outside Containment Required) Opens Cycling RX Recirculation Valves (Phase - PH1)

Isolation Open IE-CVCS--ALOCA-COC RTS-T01 CVCS-T02 DHRS-T01 RCS-T01 RCS-T02 ECCS-T01 1 LODC---ECC-SEIS-ET 2 LODC---ECC-SEIS-ET 3 OK 4 LEVEL2-ET 5 LEVEL2-ET 6 LEVEL2-ET 7 LEVEL2-ET 8 LODC---ECC-SEIS-ET 19.1-318 9 OK 10 LEVEL2-ET 11 LEVEL2-ET 12 LEVEL2-ET 13 LEVEL2-ET Probabilistic Risk Assessment Draft Revision 1

Tier 2 NuScale Final Safety Analysis Report Figure 19.1-18: Seismically Induced Loss-of-Coolant Accident Inside Containment Event Tree LOCA Inside Containment Reactor Trip System ECCS RX Vent Valves and # End State RX Recirculation Valves (Phase - PH1)

Open IE-RCS---ALOCA-IC- RTS-T01 ECCS-T01 1 OK 2 LEVEL2-ET 3 OK 4 LEVEL2-ET 19.1-319 Probabilistic Risk Assessment Draft Revision 1

Tier 2 NuScale Final Safety Analysis Report Figure 19.1-19: Seismically Induced Steam Generator Tube Failure Event Tree Steam Generator #2 Tube Reactor Trip System SG #2 Tube Failure DHRS (#1 Train Available) RCS Reactor Safety Valve RCS Reactor Safety Valves ECCS RX Vent Valves and # End State Failure Isolated Opens Cycling RX Recirculation Valves (Phase - PH1)

Open IE-MSS---ALOCA-SG- RTS-T01 RCS-T04 DHRS-T02 RCS-T01 RCS-T02 ECCS-T01 1 LODC---ECC-SEIS-ET 2 LODC---ECC-SEIS-ET 3 OK 4 LEVEL2-ET 5 LEVEL2-ET 6 LEVEL2-ET 7 LEVEL2-ET 8 LODC---ECC-SEIS-ET 19.1-320 9 OK 10 LEVEL2-ET 11 LEVEL2-ET 12 LEVEL2-ET 13 LEVEL2-ET Probabilistic Risk Assessment Draft Revision 1

Tier 2 NuScale Final Safety Analysis Report Figure 19.1-20: Seismically Induced Loss of Offsite Power Event Tree LOSS OF OFFSITE COMBUSTION TURBINE BACKUP DIESEL DC TRAINS REMAIN # End State POWER GENERATOR GENERATORS ENERGIZED (Phase - PH1)

IE-EHVS--LOOP----- EHVS-T01 ELVS-T01 EDSS-T01 1 TGS---TRAN--NPC-ET 2 TGS---TRAN--NPC-ET 3 TGS---TRAN--NPC-ET 4 TGS---TRAN--NPC-ET 5 EHVS--LOOP-----ET 19.1-321 Probabilistic Risk Assessment Draft Revision 1

Tier 2 NuScale Final Safety Analysis Report Figure 19.1-20a: Seismically Induced Loss of DC Power Event Tree LOSS OF DC POWER ECCS RX Vent Valves and # End State RX Recirculation Valves (Phase - PH1)

Open IE-EDSS--LODC----- ECCS-T01 1 OK 2 LEVEL2-ET 19.1-322 Probabilistic Risk Assessment Draft Revision 1