Text

19-1 19 PROBABILISTIC RISK ASSESSMENT AND SEVERE ACCIDENT EVALUATION FOR NEW REACTORS This chapter documents the U.S. Nuclear Regulatory Commission (NRC or Commission) staff (hereafter referred to as the staff) review of Chapter 19, Probabilistic Risk Assessment and Severe Accident Evaluation, of the NuScale Power, LLC (hereafter referred to as the applicant)

Design Certification Application (DCA), Part 2, Final Safety Analysis Report (FSAR),

Revision 2.

In this chapter, the NRC staff uses the term non-safety-related to refer to structures, systems and components (SSCs) that are not classified as safety-related SSCs as described in 10 CFR 50.2. However, among the non-safety-related SSCs, there are those that are important to safety as that term is used in the General Design Criteria (GDC) listed in Appendix A, General Design Criteria for Nuclear Power Plants, to 10 CFR Part 50, and others that are not considered important to safety.

19.1 Probabilistic Risk Assessment Introduction The staffs review is intended to ensure that the applicant has adequately addressed the Commissions objectives for the probabilistic risk assessment (PRA) as applied to the NuScale DCA. These objectives are drawn from Title 10 of the Code of Regulations (10 CFR) Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants, and several policy statements listed in Section 19.1.3 of this report. They include the following:

Identifying and addressing potential design features and plant operational vulnerabilities.

Reducing or eliminating the significant risk contributors at existing operating plants that apply to the new design.

Selecting among alternative features, operational strategies, and design options.

Identifying risk-informed safety insights based on systematic evaluations of the risk.

Determining how the risk associated with the design compares against the Commissions goals of less than 1x10-4 per year for core damage frequency (CDF) and less than 1x10-6 per year for large release frequency (LRF). In addition, comparing the design against the Commissions approved use of containment performance goals, which include (1) a deterministic goal that containment integrity be maintained for approximately 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> following the onset of core damage for the more likely severe accident challenges and (2) a probabilistic goal that the conditional containment failure probability (CCFP) be less than 0.1 for the composite of all core damage sequences assessed in the PRA.

Demonstrating whether the plant design represents a reduction in risk compared to existing operating plants.

19-2 Using the results and insights to support other programs such as the following:

regulatory treatment of non-safety-related systems (RTNSS) regulatory oversight processes (e.g., Mitigating Systems Performance Index, significance determination process, and Maintenance Rule) operational programs that support the design, inspection, construction, and operation of the plant (e.g., inspections, tests, analyses and acceptance criteria (ITAAC), the Reliability Assurance Program, technical specifications (TS),

combined license (COL) action items, and interface requirements In achieving the objectives, the staff reviewed the key elements of the PRA and evaluated its uses for the NuScale DCA based on relevant staff guidance and industry standards or best practices.

Summary of Application DCA Part 2, Tier 1: There is no Tier 1 information associated with this area of review.

DCA Part 2, Tier 2: DCA Part 2, Tier 2, Sections 19.0 and 19.1, describe the PRA performed for the NuScale design and summarize the Level 1 and Level 2 PRA, which evaluates the risk associated with all modes of operation for both internal and external initiating events. The PRA was performed for a single module and used to develop insights for multiple modules. DCA Part 2, Tier 2, Section 19.1, includes major topics such as PRA quality, design features to minimize risk, methodology, data, uncertainties, sensitivities, insights, and results.

Internal and external event PRAs for at-power and other modes of operations are described, and the risk associated with multiple modules is also discussed. Table 19.1-1 summarizes the PRA results for at-power operations.

Table 19.1-1 Summary of NuScale PRA Results for At-Power Operations Hazard CDF (per module critical year)Mean LRF (per module critical year)Mean Internal Events 3x10-10 2.3x10-11 Internal Fires 9.7x10-10 4.3x10-11 Internal Floods 6.1x10-11

<1x10-15 External Floods 1.3x10-9 1.0x10-13 High Winds (Tornado) 1.5x10-10

<1x10-15 High Winds (Hurricane) 1.0x10-9 6.6x10-14 Seismic (Seismic Margin Analysis (SMA))

0.88g 0.88g

19-3 Table 19.1-2 summarizes the PRA results for low-power shutdown (LPSD) operations.

Table 19.1-2 Summary of NuScale PRA Results for LPSD Operations Hazard CDF (per module critical year)Mean LRF (per module critical year)Mean Internal Events 4.5x10-13 2.0x10-14 Module Drop 8.8x10-8 No large release Internal Fires Negligible Negligible Internal Floods Negligible Negligible External Floods Negligible Negligible High Winds (Tornado) 1.4x10-13 1

<1x10-15 1 High Winds (Hurricane) 2.3x10-11 1 2.7x10-15 1 Seismic (SMA)

Negligible Negligible Table 19.1-3 summarizes the multimodule PRA results.

Table 19.1-3 Summary of NuScale Multimodule PRA Results Hazard CDF (per module critical year)Mean LRF (per module critical year)Mean Internal Events for Operations at Power 4.1x10-11 1.7x10-13 Risk insights associated with external events and LPSD operations are qualitatively developed for the multimodule risk.

DCA Part 2, Tier 2, Chapter 19, also describes the uses and applications of the PRA to support design certification (DC), COL, construction, and operational activities. Chapter 19 also describes the limitations associated with the level of detail in the DC PRA and the treatment of corresponding uncertainties to account for those limitations. The applicant performed sensitivity analyses to address some of the uncertainties associated with the limited knowledge of the design and use of assumptions for the PRA.

ITAAC: There are no ITAAC associated with this area of review.

Technical Specifications: There are no technical specifications associated with this area of review.

Technical Reports: There are no technical reports associated with this area of review.

Regulatory Basis The NRC regulation in 10 CFR 52.47(a)(27) contains the relevant requirements for this review.

It states that a DCA must contain an FSAR that includes a description of the design-specific PRA and its results.

1 The risk estimates for high winds are point values.

19-4 Multiple Commission-level documents lay out expectations for the use of PRA including the following:

Policy Statement, Severe Reactor Accidents Regarding Future Designs and Existing Plants, Volume 50 of the Federal Register, page 32138 (50 FR 32138; August 8, 1985)

Policy Statement, Safety Goals for the Operations of Nuclear Power Plants (51 FR 28044; August 4, 1986)

Policy Statement, Regulation of Advanced Nuclear Power Plants (59 FR 35461; July 12, 1994)

Policy Statement, The Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities (60 FR 42622; August 16, 1995)

SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, dated April 2, 1993 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML003708021) and the related staff requirements memorandum (SRM), dated July 21, 1993 (ADAMS Accession No. ML003708056), provide more specific Commission direction and staff guidance on PRAs relevant to licensing reviews.

NUREG-0800, Revision 3, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition (also called the SRP), specifically Section 19.0, Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors, is the guidance that the staff uses to review this area. The acceptance criteria are derived from the regulatory requirements and Commission policies noted above.

Design Certification/Combined License Interim Staff Guidance (DC/COL-ISG)-028, Assessing the Technical Adequacy of the Advanced Light-Water Reactor Probabilistic Risk Assessment for the Design Certification Application and Combined License Application, issued November 2016 (ADAMS Accession No. ML16130A468), provides additional staff guidance. This guidance addresses how the applicant can use American Society of Mechanical Engineers/American Nuclear Society (ASME/ANS) RA-Sa-2009, Addenda to ASME/ANS RA-S-2008 Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, as endorsed by Regulatory Guide (RG) 1.200, Revision 2, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, issued March 2009, with exceptions and clarifications.

SRP Section 19.0 and DC/COL-ISG-028 refer to other guidance documents (such as RGs, NUREGs, industry documents) that are not repeated in this section, although some of these documents are discussed in the technical evaluation of specific topics.

Technical Evaluation The staff reviewed the relevant information on the PRA contained in DCA Part 2, Tier 2. During the review, the staff issued requests for additional information (RAIs), conducted a series of public meetings with the applicant, and performed two regulatory audits with reports dated November 3, 2017 (ADAMS Accession No. ML17305A024) and September 13, 2018 (ADAMS

19-5 Accession No. ML18254A340) to examine documents that are not docketed. All references to an audit or audits in this report refer to either or both of these regulatory audits. The staff coordinated and worked with other technical disciplines (such as reactor systems, plant systems, radiation protection, electrical engineering, structural engineering, mechanical engineering, and instrumentation and controls) for an efficient and effective review of this area.

This section summarizes the results of the staff review that are important to the overall conclusion on the NuScale PRA and its conformance to the applicable regulatory requirements.

Uses and Application of the Probabilistic Risk Assessment The staff reviewed DCA Part 2, Tier 2, Sections 19.0.2, Uses of the PRA and Severe Accident Evaluation, and 19.1.1, Uses and Applications of the Probabilistic Risk Assessment, to confirm that the applicant performed the PRA in a manner consistent with the Commissions objectives for a design-phase PRA. Because the design-phase PRA is limited to the design details available without a constructed plant or operational experience, the staff focused its review on the risk insights from the PRA. The staff confirmed that the risk insights developed can reasonably support the uses of the PRA listed in DCA Part 2, Tier 2, Table 19.1-1, Uses of Probabilistic Risk Assessment at the Design Phase. This table summarizes the specific uses of the NuScale PRA and references other DCA Part 2 Tier 2 sections where each specific use is described in more detail. The staff finds that the applicants uses of the PRA during the design phase conform to SRP Section 19.0 and therefore are reasonable and acceptable.

SRP Section 19.0 provides that a DCA applicant need not address the uses of the PRA that require site-specific or plant-specific information relevant to a COL application. In DCA Part 2, Tier 2, Section 19.1.1, the applicant established six COL information items to cover uses of the PRA by a COL applicant. The staff finds that the proposed COL information items are acceptable because these items will enable the staff to assess the uses of the PRA by a COL applicant consistent with the guidance in SRP Chapter 19.0.

Quality of the Probabilistic Risk Assessment The staff reviewed DCA Part 2, Tier 2, Section 19.1.2, Quality of the Probabilistic Risk Assessment, to evaluate the quality of NuScales design-phase PRA. In its evaluation, the staff considered the scope, level of detail, and technical adequacy of the NuScale PRA. In DCA Part 2, Tier 2, Table 1.9-4, Conformance with Interim Staff Guidance, the applicant stated that the NuScale DCA conforms to DC/COL-ISG-028. The staff also reviewed the details in other sections of DCA Part 2 Tier 2, Chapter 19, to assess the PRA quality.

The staff finds that the scope of the PRA is consistent with the expected scope for a design-phase PRA as described in SRP Section 19.0. The risk assessment is comprehensive and addresses applicable internal and external events for all operating modes. It appropriately includes the use of an SMA, versus a seismic PRA, for the risk insights from seismic initiating events. The applicant adequately includes the multimodule risk evaluation of a 12-module configuration in the PRA scope. The applicant addresses the potential impact of one module on other modules in the reactor pool or near a module experiencing an event and qualitatively addresses the risk associated with the impact of external events on multiple modules.

SRP Section 19.0 states that if detailed design information is not available or it can be shown that detailed modeling does not provide additional significant information, it is acceptable to

19-6 make bounding-type assumptions consistent with the guidelines in DC/COL-ISG-028. The staff finds the level of detail in the PRA acceptable because, during the design phase, the applicant has limited detailed design information (such as cable routing information, operating and maintenance procedures) and operating experience. In addition, the staff finds that the applicant identified a reasonably complete list of limitations that contribute to the uncertainties in a design-phase PRA. The applicants approach of using conservative but realistic assumptions to account for these uncertainties is acceptable for the design stage because the risk insights are not expected to be masked. The staff finds that the level of detail in the NuScale PRA is consistent with the relevant guidance in SRP Section 19.0. This level of detail is commensurate with the uses of the PRA and is therefore sufficient to gain risk insights, in conjunction with the acceptable assumptions made in the PRA at the DC stage. The staff finds that the NuScale PRA reasonably reflects the actual plant design.

The staff finds that the PRA conforms to DC/COL-ISG-028 and therefore is of sufficient technical adequacy. The staffs guidance states that the DCA PRA is not required to have a peer review. The applicant did not perform a peer review; however, an expert panel, with members from outside NuScale with expertise in PRA, thermal-hydraulics, seismic evaluation, and regulatory requirements, did review the PRA. In addition, the applicant conducted a self-assessment of the PRA, which external consultants reviewed to ensure its accuracy. The development of the PRA reflected this feedback from the expert panel and self-assessment.

The staff finds the applicants expert panel review and self-assessment of the PRA against industry PRA standards to be an acceptable approach consistent with SRP Section 19.0, which states that a self-assessment is an acceptable tool for evaluating the technical acceptability of a PRA performed in support of an application for a DCA. The staff audited documents related to the expert panel review and self-assessment and did not identify any issues of concern.

The staff finds the PRA maintenance and upgrade approach for the DCA acceptable because it addresses the key elements of the maintenance for the DC stage, including consistency with the design; configuration control of software; and documentation of assumptions, sensitivity studies, and PRA results. This approach conforms to the guidance in SRP Section 19.0. After certification of the design, the COL applicant maintains and upgrades the PRA as required by 10 CFR 50.71(h)(1). After the NRC issues a license, the COL holder maintains and upgrades the PRA as required by 10 CFR 50.71(h)(2).

Special Design/Operational Features The staff reviewed DCA Part 2, Tier 2, Section 19.1.3, Special Design and Operational Features, and considered NuScales special design and operational features for preventing core damage, mitigating the consequences of core damage, preventing releases from containment, and mitigating the consequences of releases from containment, as well as the uses of the PRA in the design process. The staff also evaluated DCA Part 2, Tier 2, Table 19.1-2, Design Features/Operational Strategies to Reduce Risk, and DCA Part 2, Tier 2, Table 19.1-3, Use of Probabilistic Risk Assessment in Selection of Design Alternatives. The staff performed the review using guidance in SRP Section 19.0. The staff finds that the applicant identified a reasonable list of design and operational features that enhance plant safety in comparison to existing operating plants. These features represent a significant improvement on the vulnerabilities of earlier reactor designs by reducing the number of components and systems required to respond to a plant event, relying heavily on passive systems and the ultimate heat sink (UHS). The staff finds that the applicants design process

19-7 benefited from using the PRA to identify design enhancements to reduce plant risk and that the applicant provided a list of design decisions supported by the PRA. The staff finds the use of the PRA in the design process acceptable because the use of PRA risk insights resulted in an improved design and lowered the NuScale design risk profile.

Level 1 Internal Events Probabilistic Risk Assessment for Operations at Power The staff evaluated DCA Part 2, Tier 2, Section 19.1.4.1, Level 1 Internal Events Probabilistic Risk Assessment for Operations at Power, for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.1 Initiating Event Analysis In DCA Part 2, Tier 2, Sections 19.1.4.1.1.2, Internal Initiating Events, and 19.1.4.1.1.5, Data Sources and Analysis, describe the internal initiating event analysis. The staff reviewed the applicants analysis to determine whether the applicants identification of initiators and estimation of the annual frequencies are adequate for the intended uses of the PRA.

The applicant used a structured, systematic process, which accounts for design-specific features, to identify initiating events. The applicant used techniques such as a failure modes and effects analysis and a master logic diagram to identify design-specific system and support system faults that could lead to an initiating event or adversely affect the modules ability to respond to an upset condition. These approaches supplemented the review of potential initiating events from industry operating experience data sources and PRA studies.

The applicant identified 11 internal initiators in the PRA. The design, in conjunction with the use of simplifying assumptions, allows the potential accident sequences to be reasonably represented by these 11 initiators. This was possible because the design uses fail-safe features, passive core cooling, and heat removal capabilities, thereby relying less on active systems than a traditional large light-water pressurized-water reactor (PWR).

For loss-of-coolant accidents (LOCAs), the applicant assumed that chemical and volume control system (CVCS) line breaks, spurious opening of a reactor safety valve (RSV), and spurious opening of an emergency core cooling system (ECCS) valve sufficiently represent all LOCAs.

In reality, many more reactor pressure vessel (RPV) penetrations exist, such as those needed for the control rod drive mechanism, pressure and temperature instrument taps, and instrumentation and controls. For these additional smaller RPV penetrations, the staff finds that the plant response can be expected to be similar to, or be bounded by, an explicitly modeled CVCS line break because they have similar mitigation requirements. Therefore, representing pipe breaks of RPV penetrations with the CVCS line breaks is acceptable. Similarly, the staff finds that spurious opening of an RSV and spurious opening of an ECCS valve initiating events reasonably capture the non-pipe-break LOCAs, and the containment bypass events are adequately identified by the CVCS line breaks outside containment and steam generator tube failure (SGTF).

The secondary-side line break initiator includes several different pipe break scenarios (e.g., main steamline, feedwater line, and decay heat removal system (DHRS) line, both inside and outside containment). The staff reviewed the applicants approach to estimating the secondary-side line break frequency for the NuScale design. The applicant evaluated

19-8 degradation mechanisms to obtain data sets by screening out the mechanisms not applicable to the NuScale design. Using the field experience data and failure rate information, the applicant estimated conditional rupture probabilities given size, component type, and degradation mechanism. The likelihood of a pipe flaw propagating to a significant structural failure is expressed by the conditional failure probability. The frequency of pipe breaks is then summed for the conditional rupture probabilities and corresponding component types. The staff finds that the approach is reasonable because it is based on systematic, logical steps adequate for the DC PRA.

The loss of electrical power initiator consists of a loss of offsite power (LOOP) and a loss of direct current (dc) power scenarios. The LOOP scenario represents a loss of alternating current (ac) power to the station, and the loss of dc power scenario represents a deenergization of two or more highly reliable dc buses. The staff finds that the applicants use of the generic data to calculate the initiator frequencies is acceptable for the design stage because the generic data are useful information sources that reasonably support the calculation.

The general reactor trip initiator represents every transient that leads to a loss of normal heat sink (i.e., power conversion system) and general transients. The loss of support systems initiator captures reactor trip events that also disable systems that support the CVCS, the containment flood and drain system (CFDS), or both.

For the NuScale design, the assumed initiating event frequencies contain large uncertainties as plant-specific operating experience and associated data are not available to inform design-specific initiating event frequency estimates. The staff reviewed the assumed frequency estimates and finds that the applicant reasonably estimated the frequencies based on comparisons with industry databases and past PRA studies. For the initiating event frequencies associated with breaks in the main steamlines, feedwater lines, the DHRS, and steam generator tubes, the applicant performed sensitivity studies which showed that the CDF and LRF are relatively insensitive to specific estimates for these initiating event frequencies.

Based on the above considerations, the staff is reasonably confident that no risk-significant initiators have been excluded from the identified initiators. The staff also finds that the assumed initiating event frequency estimates, in conjunction with the evaluation of associated uncertainties, are acceptable for DC purposes. Therefore, the staff finds that the applicants initiating event analysis acceptable for the DCA because it is technically adequate and sufficiently consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.2 Success Criteria DCA Part 2, Tier 2, Section 19.1.4.1.1.3, Success Criteria, describes the success criteria analysis. The staff evaluated whether the determination of minimum requirements for critical safety functions, supporting structures, systems, and components (SSCs), and operator actions to prevent core damage, given an initiating event, is adequate for the intended uses of the PRA.

The staff also reviewed the adequacy of the engineering analyses used to support these success criteria.

The applicant defined the Level 1 PRA success criteria for an accident sequence as preventing core damage for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> following an initiating event, with module conditions being stable or improving. The 72-hour mission time is conservatively longer than the 24-hour mission time in

19-9 ASME/ANS RA-Sa-2009 to account for the slower plant response of the NuScale design. Core damage is defined as fuel peak cladding temperature exceeding 2,200 degrees Fahrenheit (F).

Also, core damage is assumed, and the ECCS is considered unavailable for accident mitigation if analysis shows that the RPV ultimate pressure is exceeded.

The applicant used the thermal hydraulic system code, NRELAP5, to support the determination of the Level 1 PRA and system success criteria. The applicant developed the NRELAP5 model based on the design-basis NRELAP model to support the PRA. The design-basis NRELAP model was validated against the NuScale Integral Test Facility data.

The staff audited the thermal-hydraulic simulations performed to develop the minimum set of system performance requirements to prevent core damage. Best estimate inputs and assumptions were generally used for the success criteria and are appropriate for analyses supporting the PRA, in contrast to the conservative inputs and assumptions used in the design-basis approach. These simulations confirmed redundancy in the safety systems, demonstrating that one successful train results in that systems success in achieving the safety function. For example, for non-LOCA events, only one of two RSVs needs to successfully cycle to achieve a safe state. Also, for non-LOCA events, the same safety function can be achieved with one of two trains of the DHRS. For LOCA events, one of two reactor recirculation valves (RRVs) and one of three reactor vent valves (RVVs) need to open to achieve a safe state. For LOCAs inside containment, one of two CVCS makeup trains provides a backup to the ECCS function. The CFDS provides a backup for LOCAs outside containment and certain non-LOCA scenarios.

On May 22, 2017, the staff issued RAI 8840, Question 19-2 (ADAMS Accession No. ML17142A249), asking the applicant for additional information on the containment isolation function for LOCAs inside containment for Level 1 accident sequences. In DCA Part 2 Tier 2, Table 19.1-6, System Success Criteria per Event Tree Sequence, the applicant assumed that for events other than CVCS line breaks outside containment and SGTF, the containment isolation function is not necessary to support the passive core cooling and heat removal functions. For LOCAs inside containment (e.g., inadvertent RVV opening), the applicant performed NRELAP5 simulations assuming failed containment isolation valves (CIVs) on the containment evacuation system (CES) line penetration to demonstrate that the reactor module retains sufficient water inventory in the containment to ensure passive heat removal to the UHS without containment isolation.

Specifically, in this NRELAP5 model, the applicant modified the nodalization around the RRVs to improve numerical stability and increased the available UHS volume used for heat removal, among other changes. As NRELAP5 assumes that the bulk UHS volume heats up uniformly, the whole UHS volume is credited for heat removal. To support the assumption that the UHS can be represented as a bulk volume, the applicant used the results of a computational fluid dynamics (CFD) analysis that demonstrated effective heat transfer and mixing in the UHS. The staff audited the summary of the CFD analysis and met with the applicant to discuss details, including the assumed UHS temperature, postulated transient scenario for heat load to the UHS, multimodule considerations, spent fuel heat load, boundary conditions, and analysis interface with NRELAP5.

Based on NRELAP5 simulations, the applicant concluded that for initiators that involve a loss of coolant inside of containment, with success of the reactor trip system and a failure of

19-10 containment isolation, the ECCS provides passive fuel cooling without the need for inventory makeup. DCA Part 2, Tier 2, Table 19.1-7, Success Criteria per Top Event, presents this conclusion for the ECCS. Based on the above information, including the results of the thermal-hydraulic and CFD analyses, the applicant concluded that passive heat removal to the UHS without containment isolation is achievable indefinitely. Pending additional information regarding whether the thermal-hydraulic and CFD analyses realistically model the behavior of the module and UHS, the staff cannot conclude that LOCAs inside containment are reasonably modeled in the PRA consistent with the as-designed plant. Therefore, RAI 8840, Question 19-2, associated with the above request, is being tracked as an open item.

Another novel design feature in the NuScale design is that for non-LOCA events, with or without a successful reactor trip, a single RSV that successfully cycles (i.e., opens and closes as needed to relieve steam into the CNV) is sufficient to achieve a safe and stable state. The staff audited the applicants analysis of the general transient anticipated transient without scram (ATWS) event with cycling of the RSV. The staff also performed a confirmatory analysis (ADAMS Accession No. ML19073A072 (non-publicly available)) of this scenario using the TRAC/RELAP Advanced Computational Engine (TRACE) code to evaluate the validity of the applicants assumption that a single cycling RSV provides sufficient passive decay heat removal (DHR) to the UHS for ATWS conditions. The staffs confirmatory analysis showed that with the DHRS unavailable, the reactor coolant system (RCS) temperature continues to increase, and the reactor reaches and remains at a subcritical state. The temperature increases until a combination of high temperature and fluid in the CNV from RSV relief contributes to heat removal from the RPV to the CNV, then to the UHS. Once heat loss through the CNV is sufficient to balance the decay heat, RSV cycling stops. Based on the staffs review of the applicants analysis and the staffs confirmatory analysis, the staff finds that the passive heat removal capability is sufficient to prevent core damage if a single RSV successfully cycles for this scenario. The staffs confirmatory analysis was based on a preliminary applicability determination. Finalization of the applicability which includes updates to the TRACE model to account for NPM design changes, is not expected to meaningfully impact the results. The staff will confirm that this is the case and update the SER with the reference to the final confirmatory analysis report.

A key assumption of the PRA is the availability of the UHS to provide an adequate heat sink. To support passive heat removal with the DHRS or ECCS, the reactor modules are housed and partially submerged in the UHS such that most of the outer surface of the CNV directly contacts the UHS, which is a large pool of water in the reactor building (RXB). The applicant demonstrated by analysis that the UHS remains available for more than 30 days assuming a 12-module shutdown.

Because of the open item associated with RAI 8840, Question 19-2, discussed above, the staff is unable to make a finding on the acceptability of the success criteria used to support the internal events PRA.

19.1.4.4.3 Passive System Uncertainty This section documents the staffs evaluation of the applicants analysis of the thermal-hydraulic uncertainty for the passive system reliability evaluation summarized in DCA Part 2, Tier 2, Section 19.1.4.1.1.5, Data Sources and Analysis. The staff also audited the NuScale report, ER-P010-3777-A, Passive System Reliability Probabilistic Risk Assessment Report.

19-11 The passive safety systems (i.e., ECCS and DHRS) rely on natural circulation instead of forced flow. The small driving forces for natural circulation compared to forced flow (e.g., pumped systems) introduce uncertainty. The staffs review focused on how the applicant assesses this uncertainty for scenarios in which best estimate thermal-hydraulic analyses do not predict core damage but may lead to core damage when PRA models consider thermal-hydraulic uncertainty.

The applicant used methods outlined in Electric Power Research Institute (EPRI)-1016747, Program on Technology Innovation: Comprehensive Risk Assessment Requirements for Passive Safety Systems, and IAEA-TECDOC-1752, Progress in Methodologies for the Assessment of Passive Safety System Reliability in Advanced Reactors, for its evaluation and incorporated an estimated failure probability of the system into the applicable fault trees as an additional contributor to the system failure probability.

To include thermal-hydraulic uncertainty in the PRA model, the applicant first established failure metrics. For the passive ECCS, the applicant used a peak clad temperature of 2,200 degrees F as the failure metric. However, because the peak clad temperature is susceptible to cliff-edge behavior, portions of the ECCS analysis used collapsed liquid level relative to the top of active fuel as a secondary acceptance criterion. For the DHRS, the RPV failure pressure was used as the failure metric. The applicant then selected which scenarios to evaluate to determine the probability that the failure metric is exceeded when uncertainties are included in the inputs to the thermal-hydraulic analysis, considering the following:

Unisolated LOCAs outside containment require an active makeup system for success.

Therefore, these scenarios do not challenge the passive ECCS and were not evaluated.

Sequences contributing at least 1 percent of the CDF were considered. These sequences were then binned according to thermal-hydraulic similarities. Within each group, the most bounding and severe scenarios were evaluated.

The analysis considered only passive failures (relevant heat transfer mechanisms) of the ECCS and DHRS to remove decay heat. Component and operator failures are evaluated separately in the Level 1 model. The applicant selected relevant parameters that may affect heat transfer mechanisms (such as initial CNV vacuum). The staff reviewed these parameters and their distributions during the audit.

The applicants ECCS evaluation focused on the following:

RRV LOCAspurious opening of an RRV or RVV. All other systems were considered not relevant or unavailable.

CVCS LOCALOCAs outside of containment that are successfully isolated. The DHRS is not available, and RPV pressure increases until the RSV cycles and sticks open.

Inventory transfers from the RPV to CNV until the ECCS actuates on high CNV level.

The applicants DHRS evaluation focused on a general transient, in which one train of the DHRS is operating. No other systems are credited.

19-12 The applicant used NRELAP5 to evaluate the sequences and accident progression. DCA Part 2, Tier 2, Section 19.1.4 discusses the capability of NRELAP5 to model the PRA success criteria.

The staff reviewed the thermal-hydraulic parameters used for the reliability analysis, specifically the assumed initial pressure of noncondensable gases in the CNV and the DHRS and the impact on passive system reliability.

DCA Part 2, Tier 2, Table 19.1-12, Phenomena Affecting Decay Heat Removal System Passive Performance, describes the effect of significant phenomena on DHRS passive performance. In a letter dated August 28, 2017 (ADAMS Accession No. ML17240A345), the applicant clarified that a higher noncondensable gas content in the CNV during DHRS operation does not significantly affect the key metric of peak RPV pressure and is therefore not included in DCA Part 2, Tier 2, Table 19.1-12. By contrast, the applicant clarified that the presence of noncondensable gas in the DHRS condenser tubes can significantly inhibit heat removal by condensation and thus is detrimental to peak RPV pressure.

DCA Part 2, Tier 2, Table 19.1-11, Phenomena Affecting Emergency Core Cooling System Passive Performance, describes the impact of increased CNV pressure on ECCS passive performance. In its letter dated August 28, 2017, the applicant clarified that the ECCS function is most challenged when heat removal through the CNV shell is maximized, corresponding to lower CNV pressures. During long-term ECCS recirculation, heat transfer is maximized because condensation on the CNV inside wall can cause a significant pressure differential between the RPV and CNV and can decrease the RPV water level. The presence of noncondensable gases in the CNV reduces condensation heat transfer on the inside CNV wall, thereby decreasing the RPV-CNV pressure differential. The resulting decreased RPV-CNV pressure differential promotes flow from the CNV to the RPV through the recirculation valves, which results in an increased coolant level in the RPV relative to the top of the core. Therefore, the applicant concluded that a higher noncondensable gas content and associated pressure in the CNV lead to an increased coolant level in the RPV and are beneficial for ECCS passive system reliability. Based on the above information, the staff agrees that higher CNV pressures do not adversely affect the passive system reliability.

The computer code, U-RELAP, was used to automate NRELAP5 simulations by generating a series of input files for NRELAP5 simulations, initiating the simulations and generating a report.

Monte Carlo sampling was used. Additional simulations were performed in the low-probability parts of the distribution. U-RELAP automatically performs a quadratic regression using data from the simulation. The staff finds this methodology acceptable and consistent with SRP Section 19.0.

The staffs audit supported the results and insights of the applicants passive system reliability analysis, including thermal-hydraulic uncertainties for failure of passive ECCS heat transfer to the UHS and failure of a passive DHRS train to transfer heat to the UHS. The staff has confirmed that the applicant identified all key thermal-hydraulic parameters that could affect ECCS and DHRS reliability and introduce uncertainty into the determination of success criteria, consistent with SRP 19.0. Therefore, the staff finds the applicants passive system reliability analysis acceptable for a DCA because it is technically adequate and sufficiently consistent with SRP Section 19.0 and DC/COL-ISG-028.

19-13 19.1.4.4.4 Accident Sequence Analysis DCA Part 2, Tier 2, Section 19.1.4.1.1.4, Accident Sequence Determination, describes the accident sequence analysis. The staff reviewed the applicants analysis to evaluate whether the development of design-specific accident sequences is adequate for the intended uses of the PRA and that it sufficiently accounts for the required systems, operator actions, and any potential dependencies.

The applicant used an event tree structure to model the plant scenarios affecting key safety functions that could lead to core damage following an initiating event. The staff reviewed the 11 event trees corresponding to the initiators evaluated in Section 19.1.4.4.1 of this report.

For each initiating event, the applicant included the mitigation systems, operator actions, and phenomena that can alter the accident sequences in the model event tree structure. The staff confirmed that the logic used for each event tree is consistent with the success criteria and human reliability analysis (HRA).

Based on the above information, the staff finds the applicants accident sequence analysis acceptable for a DCA because is it technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.5 Systems Analysis As described in DCA Part 2, Tier 2, Section 19.1.4.1.1.1, Methodology, the applicant explicitly modeled the RCS, ECCS, DHRS, module protection system (MPS), containment system (CNTS), CVCS, demineralized water system, CFDS, and electrical power system in the PRA.

During an audit, the staff reviewed a sample of systems, including failures and unavailability modes, common cause failures (CCFs), dependencies, and model completeness. The staffs review focused on determining whether the systems modeled adequately reflect the as-designed plant.

The staff reviewed the exclusion of certain failure modes in the ECCS model, such as failure of the inadvertent actuation block (IAB) to reopen and potential plugging of the trip line. DCA Part 2, Tier 2, Table 19.1-7, Success Criteria per Top Event, (in addition to DCA Part 2, Tier 2, Section 6.3.2.2, Equipment and Component Descriptions,) states that failure of the IAB does not affect the successful opening of the ECCS valves. The applicant performed the Level 1 internal events sensitivity analysis for the IAB failure mode. The staff finds that the applicant provided sufficient basis to exclude the IAB failure mode from the ECCS model for a DCA for the following reasons:

The IAB is a normally open valve designed to close when the RPV to CNV differential pressure is high and to reopen when the differential pressure decreases for inadvertent ECCS actuations.

The IAB is designed to not change positions for scenarios (e.g., CVCS line break) that call upon the ECCS function to achieve a safe end state. This is accomplished by setting the IAB setpoint sufficiently high to allow the RPV to CNV differential pressure to clear the IAB setpoint before an ECCS actuation setpoint is reached.

19-14 Some scenarios, such as a loss of dc power, may require the IAB to change state, but as RPV to CNV differential pressure decreases, the main spring, assisted by reactor coolant pressure, will open the main valve and support the safety function.

For potential plugging of the reactor trip line and potential failure modes that support the CIVs, which were not explicitly modeled, the staff finds that the system design is not sufficiently complete to support a detailed system model. However, the staff finds that for a DCA, the PRA does not rely on these quantitative results. Instead, the applicant performed a sensitivity study setting the probability of every CCF basic event to 0.002, which corresponds to that of the most unreliable component. The staff finds that excluding potential plugging of the reactor trip line from the ECCS model is acceptable because the resulting risk, using conservative assumptions for CCF basic events, compares favorably with the Commissions CDF and LRF goals as described in SRP Section 19.0.

The staff finds that the system models reflect the design and expected operation of the plant and are sufficiently detailed to identify appropriate risk insights for a DCA. Therefore, the staff finds the applicants systems analysis acceptable for a DCA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.6 Human Reliability Analysis DCA Part 2, Tier 2, Section 19.1.4.1.1.5 states that the HRA is based on the Accident Sequence Evaluation Program Human Reliability Analysis Procedure methodology for pre-initiator human actions and the SPAR-H methodology for post-initiator human actions. The staff reviewed the applicants analysis to determine whether the identification and definition of human failure events are adequate, and the quantification of associated human error probabilities are appropriate for the intended uses of the PRA. At the design stage, the emergency, abnormal, and system operating procedures, main control room (MCR) indications and layout, and other aspects of plant layout and equipment access are not established. Therefore, the HRA is based on general design and guidance documents and on a simplified approach to model pre-initiator and post-initiator operator actions. For this reason, considerable uncertainty exists in the HRA and the human error probability estimations. Given the uncertainty, the staff finds the applicants simplified approach to the HRA appropriate. To support this conclusion, the staff reviewed the sensitivity analyses summarized in DCA Part 2, Tier 2, Tables 19.1-22, Sensitivity Studies for Level 1 Full Power, Internal Events Evaluation, and 19.1-31, Sensitivity Studies for Level 2 Evaluation, to assess the impact of uncertainties in the HRA on risk estimates. For the sensitive studies where all human error probabilities are set to failure (i.e., all PRA-modeled human actions have a failure probability of 1), the resulting CDF and LRF increase by two orders of magnitude. Even with this conservative assumption, the resulting risk compares favorably with the Commissions CDF and LRF goals.

Based on the above evaluation, the staff finds the applicants HRA acceptable for a DCA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.7 Data Analysis DCA Part 2, Tier 2, Section 19.1.4.1.1.5 discusses the data analysis performed to support the numerical data used in the PRA. The staffs review focused on ensuring that the parameter estimations by the applicant are adequate for the intended uses of the PRA for a DCA.

19-15 Because the NuScale design has no operating history, much of the basic event data are based on PWR generic failure probabilities (e.g., NUREG/CR-6928, Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants, issued February 2007). For basic events in the NuScale design that are similar to basic events in PWRs, the staff finds that the applicants use of generic data for components that are not unique to the NuScale design is appropriate for a DCA.

For some NuScale-unique components, such as the ECCS valves, the applicant estimated failure rates and probabilities. The staff finds that at the DC stage, with no operating history, confidence in these data is limited. Therefore, these failure rates and probabilities are considered assumptions to be revisited and confirmed during the COL stage if the PRA is to be used for other applications. For the NuScale DCA, the staff relied on the results of sensitivity studies that used conservative assumptions for component failure rates (i.e., the probability of every CCF basic event was set to 0.002) and determined that the resulting risk compares favorably with the Commissions CDF and LRF goals as described in SRP Section 19.0.

Based on the above evaluation, the staff finds the applicants data analysis acceptable for a DCA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.8 Quantification and Risk Insights DCA Part 2, Tier 2, Section 19.1.4.1.1.7, Quantification, discusses the PRA quantification process using the Systems Analysis Programs for Hands-on Integrated Reliability Evaluations (SAPHIRE) code. The applicants use of the code, described in DCA Part 2, Tier 2, Section 19.1.4.1.1.6, Software, is within its capabilities and limitations as presented in NUREG/CR-7039, Systems Analysis Programs for Hands-on Integrated Reliability Evaluations (SAPHIRE) Version 8, issued June 2011.

The staff reviewed the PRA quantification and finds that significant contributors to CDF, including initiating events, accident sequences, and basic events (equipment unavailability and human failure events) are identified.

The applicant reported a very low numerical value for the CDF. The reported CDF is based on existing information, which is limited by incomplete design and construction, undeveloped procedures, and a lack of operating experience. Additionally, parameter, model, and completeness uncertainties, including the reliability of the novel and risk-significant SSCs (e.g., the ECCS valves), are addressed via estimates using assumptions. The uncertainty bands on the CDF reported by the applicant account for only parameter uncertainties, not model uncertainties. Therefore, the staff finds that, at the design stage, the uncertainty could be very large. However, even with the large potential uncertainty, the low CDF estimate may reflect deliberate engineering and design effort to reduce or eliminate the contributors to CDF found in previous PRAs. This observation applies generally to the numerical results for the CDF and LRF for all hazard groups (e.g., the external events PRA for operations at power and LPSD).

COL Information Item 19.1-8 provides adequate guidance to the COL applicant so that all key PRA assumptions identified in various tables in DCA Part 2, Tier 2, will be appropriately evaluated and dispositioned during the COL stage. Although the COL information item does not

19-16 reference specific DCA Part 2 Tier 2 tables that contain the key assumptions, the key assumptions in the COL information item refer to those assumptions tabulated for each internal and external hazard and operating mode evaluated in the NuScale PRA. Therefore, the staff finds this COL information item applicable to DCA Part 2, Tier 2, Tables 19.1-21, 19.1-28, 19.1-40, 19.1-46, 19.1-54, 19.1-58, 19.1-61, and 19.1-71, and has reasonable assurance that the key assumptions, which are relied on to account for the incomplete design and operational details in the DCA PRA, will be appropriately evaluated and dispositioned during the COL stage to ensure that the PRA results and insights continue to remain valid. The staffs evaluation, as described throughout this chapter, verified that the key assumptions are appropriate for the level of information available in the DCA. The COL applicant will modify data used in the DCA PRA for applicability to the as-built, as-operated PRA.

The staff reviewed the top core damage sequences from the Level 1 internal events PRA for operations at power for a single module. Approximately 73 percent of core damage scenarios result from incomplete ECCS actuation. The staff finds that the applicant appropriately identified the ECCS to be risk significant as discussed below.

The staff reviewed the insights into the risk significance of SSCs and operator actions from the NuScale PRA. DCA Part 2, Tier 2, Table 19.1-19, Criteria for Risk Significance, provides the criteria for determining the risk significance based on the potential maximum increase in risk (risk achievement worth) and the overall percent contribution to the total risk (Fussell-Vesely importance). As discussed in Section 17.4 of this report, the staff finds the application of these criteria consistent with NuScale Licensing Topical Report TR-0515-13952-NP-A, Revision 0, Risk Significance Determination, issued October 2016 (ADAMS Accession No. ML16284A016), as approved by the NRC. Therefore, the determination of candidate risk-significant SSCs identified in DCA Part 2, Tier 2, Table 19.1-20, Listing of Candidate Risk-Significant Structures, Systems, and Components (Full Power, Single Module) Level 1 Probabilistic Risk Assessment, used a methodology acceptable to the staff. The applicant identified the ECCS, MPS, and UHS as candidate risk-significant systems and the ECCS RRVs and RVVs, the combustion turbine generator, and the RCS RSV as candidate risk-significant components. The LOCA inside containment initiating event and LOOP are also identified as candidate risk-significant initiating events because they meet the risk achievement worth criterion.

Based on the above evaluation, the staff finds the applicants quantification and risk insights acceptable for a DCA because they are technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.9 Conclusion Because of the open item related to RAI 8840, Question 19-2 discussed above, the staff cannot make a finding on the applicants Level 1 internal events PRA for operations at power.

Level 2 Internal Events Probabilistic Risk Assessment for Operations at Power The staff evaluated DCA Part 2, Tier 2, Section 19.1.4.2, Level 2 Internal Events Probabilistic Risk Assessment for Operations at Power, for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028.

19-17 19.1.4.5.1 Methodology The staff reviewed how core damage sequences are grouped into plant damage states and how the accident progression analyses evaluated the contributors to a large release. The staff focused on the evaluation of the containment structural capability for those containment challenges that would result in a large release. The applicant did not combine Level 1 core damage sequences into plant damage states similar to Level 2 PRAs performed for evolutionary and operating light-water reactors (LWRs). Because the Level 1 PRA has only a few end states, the end states were directly transferred to a single containment event tree (CET). The CET characterizes the effect of each sequence for the potential for a radionuclide release.

Only two CET end states are used to model radionuclide release. The end state NR is associated with a release that may be attributed to leakage from the boundary of an isolated containment. The end state LR is associated with a release from an unisolated containment.

Each of these end states is assigned to a release category to represent the radionuclide source term. The staff finds the applicants methodology acceptable for a DCA as it is technically acceptable and consistent with the guidance in SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.5.2 Severe Accident Process and Phenomena The applicant evaluated severe accident phenomena referenced in ASME/ANS RA-Sa-2009, SRP Section 19.0, NUREG/CR-2300, PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, issued January 1983, and NUREG/CR-6595, Revision 1, An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events, issued October 2004, for its applicability to the NuScale design. The applicant concluded that, except for a severe accident-induced SGTF, the severe accident phenomena that may challenge containment in operating plants are shown by analysis in DCA Part 2, Tier 2, Section 19.2, to not challenge containment integrity. DCA Part 2, Tier 2, Section 19.1, further states even if the CNV were postulated to fail, there would not be a large release to the environment.

Section 19.2 of this report has a detailed discussion related to potential failure of the RPV and CNV bottom heads by contact with corium and steam explosion and high-pressure melt ejection. Section 19.2 of this report also concludes that if the CNV were to fail, a large release to the environment would not occur. The applicant defines CCFP as the ratio of LRF to CDF to resolve uncertainties about the potential failure of the RPV and CNV bottom heads. Thus, containment failure because of bypass or CIV failure is the only mode of containment failure evaluated in the CET.

With regard to initial CNV vacuum, the potential for increased oxygen in the CNV and its impact on hydrogen detonation and deflagration following a core damage event with cladding oxidation, DCA Part 2, Tier 2, Section 19.2.3.3.2, Hydrogen Generation and Control, states that a near vacuum is maintained in the CNV during normal operation by the CES. The nominal pressure for normal operation is 0.1 psia, as listed in DCA Part 2, Tier 2, Table 7.1-2, Variables Monitored by Module Protection System. For the PRA analyses, DCA Part 2, Tier 2, Sections 19.1.4.1 and 19.2.3.2, Severe Accident Progression, assume an initial containment pressure of 1 psia, with the exception of the hydrogen generation analysis of core damage with cladding oxidation. The analysis of hydrogen (described in DCA Part 2, Tier 2, Section 19.2.3.3.2) uses an initial containment pressure of 9.5 psia to evaluate the potential for

19-18 hydrogen deflagration and detonation. In Section 6.2.5 of this report, the staff concludes that even if detonation conditions occur, the containment can withstand the resultant pressure pulse and maintain integrity. The applicants calculation was based on an initial containment pressure of 9.5 psia, to maximize oxygen content. In a letter dated November 27, 2017 (ADAMS Accession No. ML17332A127), the applicant stated that the containment pressure must be less than 3 psia for acceptable leak rate detection as required by the technical specification (TS).

Since containment pressure will be monitored for TS compliance, initial containment pressures over 9.5 psia should not be reached due to containment leak rate detection. Thus, the staff finds the applicants screening of hydrogen deflagration and detonation from the CET acceptable.

With regard to containment overpressurizing the RCS and the CNV because of continuous CVCS operation, the applicant stated that operators would have hours to terminate CVCS injection before filling the module with water. The timeframe is based on conservatively accounting for only the volume of the RCS and assumes the maximum flow rate of both CVCS pumps, as indicated in DCA Part 2, Tier 2, Tables 5.1-1, Reactor Coolant System Volumes, and 9.3.4-1, Chemical and Volume Control System/Module Heatup System Major Equipment with Design Data and Parameters, respectively. A high CNV water level alarm is provided to operators by High CNV level, as indicated in DCA Part 2, Tier 2, Table 6.3-1, Emergency Core Cooling System Alarms and Actuation. If operators do not isolate the CVCS, an automatic isolation of the CVCS CIVs will occur on a High Pressurizer Level, as indicated in DCA Part 2, Tier 2, Table 7.1-4, Engineered Safety Feature Actuation System Functions.

Based on the applicants November 27, 2017, response, the staffs concerns about the screening of containment overpressurizing the RCS and the CNV because of continuous CVCS operation from the CET are resolved.

The staff finds that the applicants containment even tree acceptable for a DCA because it is sufficiently complete and consistent with SRP Section 19.0 and DC/COL-ISG-028.

Severe Accident-Induced Steam Generator Tube Failure The staffs review focused on whether the applicants approach discussed in DCA Part 2, Tier 2, Section 19.2.3.3.6, Containment Bypass, was thorough and the assumptions were sufficiently conservative or realistic.

The applicant used a Larson-Miller creep rupture model to estimate the probability of thermally induced SGTF. The applicant developed thermal-hydraulic input distributions using the results of MELCOR simulations for scenarios with high pressure on the primary side, low pressure on the secondary side, and no water in the secondary side. The scenarios involve a LOCA with ECCS failure and main steam isolation valves that fail to close. The applicant also developed input distributions for tube flaw frequency, flaw depth and length, flaw location, and Larson-Miller parameter.

In the postulated scenarios, hot gas produced in an overheating core rises to the top of the riser and turns to enter the steam generator region at the top of the tube bundle. As a result, the top of the tube bundle experiences higher temperatures than the rest of the tube bundle and high temperature creep failure is more challenging there.

19-19 In the NuScale steam generator, the primary coolant is on the outside of the tubes, resulting in the tubes being in a constant state of compression. Because of the absence of creep failure information for externally pressurized tubes (i.e., compression), the high-temperature creep failure evaluation assumed internally pressurized tubes (i.e., tension). DCA Part 2 Tier 2, Section 19.2.3.3.6, states that this assumption results in overestimating the probability of thermally induced SGTF because the tubes are expected to be more susceptible to failure under tension than under compression.

Absent tube flaws, the staff finds that NuScales thermal-hydraulic conditions do not challenge tube integrity. Creep and rupture graphs from Special Metals Corporation, a supplier of Alloy 690, indicate that for the predicted temperature and stress levels, the creep rate for an unflawed tube would be less than 10-5 percent per hour and rupture life would be orders of magnitude beyond the 100,000 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> maximum value shown on the graph (Inconel Alloy 690, Publication Number SMC-079, Special Metals Corporation, October 2009, www.specialmetals.com). The creep data are from standard tests performed under tension.

Given the low rate of creep indicated in the Special Metals data under postulated accident conditions, the staff did not evaluate or credit the applicants assumption that the tubes would be less susceptible to failure under compression.

For tube flaws, the applicant assumed a flaw distribution based on foreign object wear by adapting steam generator operating experience and placing the highest percentage of flaws at the top of the tube bundle coincident with the location of highest temperature during a severe accident. The staff finds the applicants assumption of foreign object wear reasonable because it is based on operating experience, and wear from foreign objects and support structures continues to be the cause of degradation in Alloy 690 steam generator tubes. The staff finds it reasonable to assume that the highest percentage of flaws would be at the top of the bundle, because that is the highest temperature region and would be most susceptible to thermally induced failure. For flaw depth, the model predicted that very high stress magnification factors (flaws more than 80 percent through-wall) were necessary for any reduction in life. The staff finds this result conservative because the plant TS will require that flaw depths be limited to much lower depths, on the order of 40 percent through-wall.

The Commissions probabilistic goals related to containment bypass including SGTF are a LRF less than 1x10-6 per year and a CCFP less than 0.1. The Commissions LRF and CCFP goals are met when the mean probability of thermally induced SGTF is used. Using the 95th percentile probability of thermally induced SGTF results in a negligible change in LRF such that the LRF goal is still met. The probability of thermally induced SGTF has a small impact on LRF, because thermally induced SGTF leads to a release only if the main steam or feedwater isolation valves fail to close. One conservatism in the PRA is the assumption that tube failure with an unisolated steam generator leads to a large release. NUREG-1935, State-of-the-Art Reactor Consequence Analyses (SOARCA) Report, issued November 2012, showed the potential of aerosol deposition in steam generators to reduce releases below that of a large release. Another conservatism is the assumption that tube failure leads to a hole in the tube instead of tube collapse.

19.1.4.5.3 Level 2 Success Criteria The applicant stated that the Level 2 PRA is bounding in that it does not credit mitigating systems or capabilities that are relevant only to a radionuclide release. These systems include

19-20 the RXB filtration systems and the RXB spray system. The staff agrees that not crediting the RXB spray and the RXB filtration system, neither of which are safety-related, is a bounding assumption.

19.1.4.5.4 Containment Event Tree Analysis The CET includes fault trees for the following:

CES containment isolation fails and results in bypass.

CVCS containment isolation fails and results in bypass.

SGTF and containment are bypassed.

Containment penetrations are grouped into three types: (1) piping connections, (2) bolted flange inspection ports, including electrical penetration assemblies, and (3) ECCS trip and reset pilot valve penetrations. DCA Part 2, Tier 2, Table 19.1-24, Containment Penetrations, summarizes containment penetrations, the isolation methods, and their treatment in the PRA.

The staff audited the fault trees for CES and CVCS isolation functions for completeness and to review the basic event quantification. The staff finds the fault trees to be reasonable to gain risk insights. As detailed in DCA Part 2, Tier 2, Section 6.2.6, Containment Leakage Testing, the CIVs on CNV piping penetrations, the passive containment isolation barriers are designed to permit periodic leakage testing. The CIVs are also designed to ensure that the leakage through the CNTS and components does not exceed the allowable leakage rate specified in the TS.

The staff reviewed the credit for using the CFDS for manual pumped injection given an interlock, as discussed in DCA Part 2, Tier 2, Chapter 9, Auxiliary Systems, and with regard to the screening of the CFDS isolation valve from the Level 2 PRA. DCA Part 2, Tier 2, Table 7.1-5, Module Protection System Interlocks/Permissives/Overrides, has a wide range RCS hot-temperature interlock (T-3 interlock) that establishes CNTS isolation when the RCS temperature is above 350 degrees F. The interlock needs to be defeated to credit the CFDS in a beyond-design-basis event. The applicant also modified DCA Part 2, Tier 2, Table 19.1-14, Modeled Human Actions (Post-Initiator), to include footnote 5 to clarify the override of containment isolation for aligning the CFDS and CVCS. The applicant also stated that, as documented in DCA Part 2, Tier 2, Table 19.1-24, Containment Penetrations, the CFDS penetration was screened from the containment isolation model because it is normally closed during operation. Because the CNV is maintained at a near vacuum, CNV leaks or isolation failures would be readily detected and addressed, and an unisolated CNV would manifest itself in the inability to maintain a containment vacuum during power operation. In addition, the applicant stated that the containment pressure must be less than 3 psia for acceptable leak rate detection as required by the TS. The staff therefore finds the applicants approach for the screening of containment penetrations for evaluation in the containment event tree to be acceptable for a DCA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.5.5 Large Release Frequency and Conditional Containment Failure Probability The staff reviewed the applicants approach, as described in DCA Part 2, Tier 2, Section 19.1.4.2.1, Description of the Level 2 Probabilistic Risk Assessment for Operations at Power, to determining that the Commissions LRF and CCFP goals are met.

19-21 The applicant used an LRF goal of 1x10-6 large releases per year to demonstrate that the prompt fatality quantitative health objective (QHO) of 5x10-7 probability of prompt death per year is met. The applicant defined a large release as one causing a 200 rem whole body dose at the site boundary over 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br />. The large release definition of 200 rem, together with the LRF goal of 1x10-6 large releases per year, meets the prompt fatality QHO because 1x10-6 large releases per year times a zero probability of prompt death per large release (for doses below 200 rem) is less than the QHO of 5x10-7 probability of individual prompt death per year.

Therefore, the large release definition used by NuScale is consistent with the objectives of the Commission Safety Goal Policy Statement.

For at-power accidents, the applicant used the MELCOR Accident Consequence Code System (MACCS) to show that intact containment scenarios assuming TS leakage of 0.2 percent per day would not result in a large release. Chapter 15 of this report addresses the technical basis for the containment leak rate value of 0.2 percent per day. The staff responsible for Chapter 15 is currently evaluating the technical basis for the value of 0.2 percent per day. The staff responsible for Chapter 19 is tracking this issue for its potential impact on Chapter 19.

Scenarios with containment bypass or isolation failure were assumed to result in a large release. For module drop accidents, the applicant used MACCS to show that failed containment scenarios would not result in a large release. The applicant used its large release definition conservatively by comparing the highest predicted dose for any azimuthal location along the site boundary against the 200-rem definition. The prompt fatality QHO involves (1) azimuthal averaging over the entire 360 degrees surrounding the site and (2) radial averaging over a 1-mile zone starting at the site boundary.

The applicants analysis assumed the release traveled from the site center to the site boundary, which is 269 meters. Because the MACCS code manual (NUREG/CR-6613, Code Manual for MACCS2, Volume 1, issued May 1998) cautions against use of the code for distances less than 500 meters, the applicant compared its MACCS dispersion factor predictions with ARCON results (NUREG/CR-6331, Revision 1, Atmospheric Relative Concentrations in Building Wakes, issued May 1997) to show that the mean dispersion calculated by MACCS was bounded by the mean dispersion calculated by ARCON for distances of 269 meters or more.

The staff finds this approach acceptable because ARCON is valid at these distances.

The applicants analysis assumed the plumes initial dimensions were those of the short face of the reactor building to calculate the mean dose (over the weather trials) at a distance of 269 meters. The applicants atmospheric dispersion modeling approach approximates the plant geometry because part of the path from the release point to the site boundary is through the reactor building and the distance from the short side of the reactor building to the site boundary is 216 meters (as opposed to 269 meters). The staff finds the approximation acceptable because the applicants analysis includes large margins. For example, for at-power accidents without containment bypass, the staff estimates that the applicants assumption of no iodine deposition in containment results in a factor-of-100 margin. Other conservative applicant assumptions for at-power accidents without containment bypass include 100 percent of the iodine core inventory being instantaneously released to containment, the release occurring at the top of the module so that there is no reactor pool scrubbing, and no reactor building filtration or spray.

19-22 19.1.4.5.6 Importance Analysis The applicant performed and reported the importance analysis for basic events and operator failures in DCA Part 2, Tier 2. DCA Part 2, Tier 2, Table 19.1-27, Listing of Candidate Risk Significant Structures, Systems, and Components (Full Power, Single Module) Level 2 Probabilistic Risk Assessment, lists the CVCS LOCA charging line outside containment initiator as a candidate risk significant SSC and operator action to initiate the CFDS following a CVCS LOCA outside containment as candidate risk significant operator action. The applicants importance analysis is acceptable because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.5.7 Key Sources of Uncertainty and Conclusion Section 19.2 of this report has a detailed discussion related to potential failure of the RPV and CNV bottom heads by contact with corium and steam explosion, and high pressure melt ejection. Section 19.2 of this report also concludes that if the CNV were to fail, a large release to the environment would not occur. The applicant defined CCFP as the ratio of LRF to CDF to resolve uncertainties regarding potential failure of the RPV and CNV bottom heads. The staff finds the applicants level 2 PRA analyses to be adequate for the purpose of demonstrating that the Commissions LRF and CCFP goals are met and for the purpose of identifying risk insights.

Level 1 Internal Events Probabilistic Risk Assessment for Low-Power Shutdown Operations This section documents the staffs evaluation of the internal events PRA for LPSD operations as described in DCA Part 2, Tier 2, Section 19.1.6. The staff reviewed the applicants LPSD PRA for consistency with SRP Section 19.0, DC/COL-ISG-028, and ANS/ASME-58.22-2014, Low Power and Shutdown PRA Methodology, which has been issued for trial use. Although the NRC has not endorsed ANS/ASME-58.22-2014, the staff finds the applicants use of this standard to be reasonable because it is considered the state-of-the-art method available in the industry. The staff reviewed the NuScale PRA to ensure that it is adequate to provide an appropriate level of confidence in the results and risk insights to meet the Commission goals.

19.1.4.6.1 Plant Operating State Analysis DCA Part 2, Tier 2, Section 19.1.6.1, Description of the Low Power and Shutdown Operations Probabilistic Risk Assessment, and DCA Part 2, Tier 2, Table 19.1-65, Plant Operating States for Low Power and Shutdown Probabilistic Risk Assessment, summarize the NuScale refueling process and the plant operating states (POSs) development. POSs define the time intervals within the refueling process, during which the plant conditions are assumed constant in the ways they impact risk. Based on the design and the anticipated refueling process, the applicant identified the seven POSs summarized in Table 19.1-4 of this report.

The staff reviewed how the unique aspects of the NuScale design and its refueling approach are reflected in the identified POSs. A key NuScale design feature is the reliance on passive DHR for most of the refueling evolution. By ensuring passive DHR, the design has eliminated the dependency on active support systems typically relied on by large LWRs. Another notable design difference between the NuScale design and the operating PWR designs is that NuScale precludes midloop operation or reduction of primary coolant inventory while fuel is present in

19-23 the RPV to support steam generator inspection. Hence, there is no need to identify a POS for reduced inventory operations.

The decay heat during POSs 2, 3, 4, and 5 is removed passively either through the flooded CNV to the UHS or directly to the UHS. POSs 3 and 5, respectively, account for the transportation of the reactor module while it contains the reactor core from the operating bay to the refueling area and vice versa.

During POS1, POS6, and POS7, the configuration of the module is similar to normal operation, and initiating events considered for full power are applicable to LPSD. The staff reviewed the systems assumed to be available during each POS. POSs 1 and 6 correspond to TS Mode 2 or 3 (i.e., hot shutdown or safe shutdown), and POS 7 corresponds to TS Mode 1 (i.e.,

operations). For POS 7, systems credited in the full power PRA are nominally available, with the only difference in configuration being that the turbine is bypassed. In POSs 1 and 6, systems assumed to be available during at-power conditions (e.g., the DHRS, ECCS, CNTS, CVCS, and CFDS) are also assumed to be available. POS 2 through POS 5 correspond to TS Modes 4 and 5 and span the period with passive cooling either through the flooded CNV to the UHS or directly to the UHS. Therefore, the DHRS, ECCS, CNTS, CVCS, and CFDS are not required to maintain a safe and stable state for POS 2 through POS 5.

Table 19.1-4 Identification of Plant Operating States POS Description RCS Condition Decay Heat Removal Path (available systems)

Key Activities Duration (hours) 1 Shutdown and initial cooling P ~1,850 to

~200 psia T >420 to

~350 °F Secondary cooling (DHRS, ECCS, CVCS, CFDS)

Control rods inserted, turbine tripped, CNV flood begins 14 2

Cooling through containment P ~200 to

~24 psia T ~350 to

~200 °F Passive cooling through flooded CNV CNV flood complete, CVCS removed from

service, CIVs closed, ECCS valves opened, spool pieces removed, module lifted by RBC 33 3

Transport and disassembly P ~24 psia to pool pres.

T ~200 °F to pool temp.

Passive cooling through flooded CNV, passive coolinglower CNV detached, passive coolingupper module detached Module moved to vessel flange tools, CNV disassembly, RPV disassembly, upper vessels moved into dry dock 23 4

Refueling and Maintenance Pool pres.

and temp.

Passive coolingupper module detached Fuel moves, steam generator inspection, upper vessels moved out of dry dock 75

19-24 POS Description RCS Condition Decay Heat Removal Path (available systems)

Key Activities Duration (hours) 5 Reassembly, transport, and re-connection P ~ pool pres. to 150 psia T ~ pool temp Passive coolingupper module detached, Passive coolinglower CNV detached, Passive cooling through flooded CNV RPV assembly, CNV assembly, module moved to operating bay, spool pieces installed, ECCS valves closed, CIVs opened, CVCS placed in service 74 6

Heatup P ~150 to 1,850 psia T ~ pool temp to

> 420 °F Secondary cooling (DHRS, ECCS, CVCS, CFDS)

CNV drain completed, secondary coolant aligned 13 7

Low-power operation P ~1,850 psia T > 420 °F Secondary cooling (DHRS, ECCS, CVCS, CFDS)

Control rods withdrawn to criticality, turbine synchronized with grid 13 Total 245 The POS analysis is based on the nominal refueling procedure because there is no actual refueling operating experience. Hence, there are uncertainties in how the actual refueling evolution will be accomplished once the plant is built and operated. However, the staff finds that the applicant identified and defined a sufficient set of POSs to support the identification of the risk-significant accident scenarios for the purposes of this DCA.

19.1.4.6.2 Initiating Event Analysis, Including Reactor Building Crane Failures DCA Part 2, Tier 2, Section 19.1.6.1.2, Low Power and Shutdown Initiating Events, describes the LPSD internal initiating events analysis. The applicant first determined which of the at-power initiating events are applicable during each POS. The applicant then reviewed the operating experience database (EPRI TR-1021167, An Analysis of Loss of Decay Heat Removal and Loss of Inventory Event Trends (1990-2009)) for events that have occurred during LPSD evolutions that may apply to the NuScale design. Finally, the applicant evaluated potential NuScale design-specific initiating events.

DCA Part 2, Tier 2, Table 19.1-66, Low Power and Shutdown Initiating Event, summarizes the applicability of at-power initiating events to the seven POSs. The applicant assumed that all 11 at-power initiating events are applicable during POSs 1, 6, and 7. Because the configuration of the reactor module and the available systems during these POSs are essentially the same as those during at-power conditions, this is a reasonable assumption. The applicant assumed that once the CNV is flooded and passive cooling is in place (i.e., POS 2 through POS 5), most of the at-power initiating events can be screened out. The applicant retained the CVCS charging-line break outside containment and the CVCS letdown-line break outside containment for POS 2 and POS 5 as the CVCS lines will continue to be unisolated and be a part of the RCS boundary for some portions of these POSs.

19-25 As for the at-power initiating events that were screened out for POS 2 through POS 5, the staff considered the decay heat level and the availability of the passive cooling function through the flooded CNV or through direct heat transfer to the reactor pool. By the time the plant enters POS 2 around 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br /> after shutdown, the decay heat is likely less than a few megawatts.

Plant condition allows indefinite stable cooling without safety system actuations for these POSs as adequate DHR and water inventory are maintained. As the at-power initiating events except for CVCS line breaks outside containment are unlikely to challenge these passively maintained safety functions, the staff finds the applicant-proposed screening of these at-power initiating events from POS 2 through POS 5 acceptable.

Module drop events dominate the NuScale CDF as shown in DCA Part 2, Tier 2, Table 19.1-80, Summary of Results. The staff audited ER-P050-3815, Revision 1, The Probabilistic Risk Assessment Notebook for the Reactor Building Crane (RBC), during an audit to understand the basis for the module drop probability. The staff noted that key risk insights from the notebook are not reported in DCA Part 2. During the audit, the applicant stated that the RBC design evolved since the RBC PRA was developed as documented in DCA Part 2, Tier 2, Section 9.1.5, Overhead Heavy Load Handling Systems. DCA Part 2, Tier 2, Table 9.1.5-1, Heavy Load Handling Equipment Design Data, documents the maximum traverse speed, maximum hoist speed, and maximum lift height for the RBC. In DCA Part 2, Tier 2, Section 9.1.5.5, Instrumentation and Control, discusses the following RBC control system devices: hoist overtravel, hoist load limits, hoist overspeed, hoist drum rope mis-spooling, bridge and trolley overtravel limits, and restricted handling path. Limit switches are included in the design to provide protection for overtravel, overspeed, overload, and unbalanced load and proper spooling of the hoisting ropes onto the hoist drums. The limit switches and interlocks are active during all modes of operation and are displayed on the operator control panel.

In the RBC PRA, the event trees include the top events for mitigating features to detect an abnormal condition (e.g., overspeed, overtravel, misreeving) and to provide safety stops for the bridge, the trolley, or the hoist. The model assumes that the RBC will not be operated with the safety stop function in bypass.

The fault trees include the basic events to represent the potential electrical and mechanical failures. The data sources include Institute of Electrical and Electronics Engineers (IEEE)

Standard 500-1984, IEEE Guide to the Collection and Presentation of Electrical, Electronic, Sensing Component, and Mechanical Equipment Reliability Data for Nuclear-Power Generating Stations; NUREG-0612, Control of Heavy Loads at Nuclear Power Plants: Resolution of Generic Technical Activity A-36, issued January 1980; NUREG/CR-6928; and Electronic Parts Reliability Data 2014 (EPRD-2014), Nonelectric Parts Reliability Data 2011 (NPRD-2011),

Failure Mode/Mechanism Distribution 2013 (FMD-2013), by Quanterion Solutions Incorporated.

The applicant also used engineering judgment to estimate the failure probabilities associated with basic events for which an appropriate data source is not available.

In the RBC PRA, the applicant considered human errors of commission that may cause an initiating event that lead to crane failure events. They are considered as potential causes of events such as overspeed or overtravel of the hoist, bridge, or trolley, unbalanced load, and misreeving. A review of the top cutsets reveals that the dominant failure causing an initiating event is an operator error of commission.

19-26 The staff evaluated and found that the NuScales drop probability per lift is 1 order of magnitude lower than estimated in EPRI Report 1009691, Probabilistic Risk Assessment of Bolted Storage Casks, and 2 orders of magnitude lower than estimated in NUREG-1774, A Survey of Crane Operating Experience at U.S. Nuclear Power Plants from 1968 through 2002, issued July 2003. Based on staff review of NuScales RBC PRA, EPRI Report 1009691, NUREG-1774, and NUREG/CR-7016, Human Reliability Analysis-Informed Insights on Cask Drops, issued February 2012, the staff concluded that operator errors are significant contributors to heavy load drops. The staff finds that NuScales module drop probability assessment to identify risk insights and input to operational programs is reasonable for DC purposes because it is consistent with SRP Section 19.0 and DC/COL-ISG-028.

The staff reviewed key equipment failures and operator actions leading to module drop. DCA Part 2, Tier 2, states, The RBC is designed to meet single-failure-proof requirements in accordance with NUREG-0554 and supplemented by ASME NOG-1. In addition, in DCA Part 2, Tier 2, Table 19.1-71, Key Assumptions for the Low Power and Shutdown Probabilistic Risk Assessment, the applicant documented that Administrative controls will ensure that RBC safety features (e.g., limit switches, interlocks to prevent undesired movement) are functional during module movement. Therefore, the staff finds that the applicant provided sufficient information about key equipment failures and operator actions leading to module drop.

For components within the heavy load handling system that are credited for reducing the likelihood of a module drop event in DCA Part 2, Tier 1, Section 2.1, NuScale Power Module, and Section 3.10, Reactor Building Crane, and in the prerequisite requirements to DCA Part 2, Tier 2, Table 14.2-52, Reactor Building Cranes Test, the staff evaluated ITAAC requirements in Section 14.3 of this report.

19.1.4.6.3 Success Criteria, Accident Sequence, and Systems Analyses The staff reviewed the applicants success criteria analysis supporting the LPSD PRA. For the at-power accident sequences that are applicable to LPSD conditions, the applicant assumed that the success criteria developed for at-power conditions are also applicable. These include the sequences resulting from the 11 at-power initiating events for POSs 1, 6, and 7, and the two CVCS line breaks outside containment for POSs 2 and 5. For these cases, the assumed availability of systems is the same for the LPSD conditions as that assumed for at-power conditions. The decay heat levels for all POSs will be lower than those at power because the module will be in shutdown or operating at lower power at the time of the initiating event.

Therefore, the use of at-power success criteria and the assumed availability for the LPSD scenarios are acceptable.

For POSs 3 and 5, the scenarios that are explicitly modeled are those associated with module drop events. The applicant assumed that core damage would occur if a dropped module results in a horizontal configuration as the result of inadequate coolant inventory to keep the fuel covered. The staff finds that this approach is appropriate given the uncertainty in the calculation of fuel heatup in this configuration.

In DCA Part 2, Tier 2, Section 19.1.6.1.3, Low Power and Shutdown Accident Sequence Determination, describes the accident sequence analysis for LPSD conditions. The applicant assumed for POSs 1, 6, and 7, where at-power initiating events are assumed to apply, that the at-power event trees are also applicable. The staff finds this acceptable as the success criteria

19-27 for at-power conditions can be reasonably used for LPSD conditions and the systems assumed to be available are generally the same for at-power and the applicable LPSD POSs.

The applicant developed specific event trees to account for the risk associated with module drop events during POSs 3 and 5. Based on the proposed load path, the module is to be raised 1 foot in the operating area of the reactor pool. Believing that a drop from 1 foot leaves the possibility of the module remaining upright, the applicant assumed a probability of 0.5 for the module to remain upright. A module drop in the refueling area can be from a height of up to 30 feet, and the module is assumed to have no possibility of remaining upright. The staff finds these assumptions to be reasonable.

The staff reviewed the systems analysis supporting the LPSD PRA. Where the systems are credited to respond to initiating events, the LPSD PRA uses the system fault trees from the at-power PRA without modification. Therefore, the staff finds the systems analysis for LPSD acceptable for a DCA because it is technically adequate and consistent with DC/COL-ISG-028 and SRP 19.0.

19.1.4.6.4 Human Reliability Analysis The staff reviewed the potential operator actions that may be important during LPSD conditions.

A review of the top cutsets reveals that the dominant failure causing an initiating event is an operator error of commission resulting in a module drop event. Section 19.1.4.6.2 of this report discusses operator errors affecting the module drop probability.

19.1.4.6.5 Data Analysis The staff reviewed the data used to support the LPSD PRA. The applicant adjusted the initiating event frequencies to account for the duration of each POS. For the component failure probabilities, the applicant assumed that the data analysis performed for the at-power PRA is applicable. With the exception of the RBC for POSs with the potential for module drop accidents, no additional systems and components are included in the LPSD analysis.

Therefore, the staff finds that applying the at-power PRA data is reasonable, as discussed in Section 19.1.4.4.7 of this report.

Section 19.1.4.6.2 of this report evaluates the data analysis for the RBC.

19.1.4.6.6 Quantification and Risk Insights The staff reviewed the LPSD PRA quantification described in DCA Part 2, Tier 2, Section 19.1.6.1.6, Low Power and Shutdown Quantification. Consistent with the at-power PRA, the applicant performed the PRA quantification using the SAPHIRE code. The applicant identified the significant contributors to CDF, such as initiating events, accident sequences, and basic events (equipment unavailability and human failures). The staff finds that the quantification process used an appropriate truncation that demonstrated acceptable convergence of the CDF. The applicant reported a very low numerical value for the CDF based on the LPSD PRA. As discussed in more detail in Section 19.1.4.4.8 of this report, the staff finds that the uncertainty in the CDF could be very large at the DC stage.

19-28 The LPSD PRA results show that the CDF risk associated with module drop events dominates the risk for the NuScale design. The staff notes that one of the key sources of uncertainty related to the CDF risk associated with module drop accidents has to do with the operator error of commission. The DC PRA results and insights rely on key assumptions to account for the incomplete design and operational details. DCA Part 2, Tier 2, Table 19.1-71, Key Assumptions for the low Power and Shutdown Probabilistic Risk Assessment, lists the key assumptions for the LPSD PRA. These key assumptions used in the DC PRA need to be appropriately evaluated and dispositioned during the COL stage to ensure that the PRA results and insights continue to remain valid. As discussed in Section 19.1.4.4.8 of this report, the applicant identified COL Information Item 19.1-8, which provides this assurance.

Aside from the module drop sequences, the top LPSD core damage sequences are as follows:

spurious opening of an ECCS valve with incomplete ECCS actuation loss of dc power with incomplete ECCS actuation RCS LOCAs inside containment and incomplete ECCS actuation The above sequences occur during POSs 1, 6, or 7 when the module configuration is similar to at-power conditions. The importance of spurious opening of an ECCS valve increases because of the ineffectiveness of the IAB at lower RCS pressures.

As documented in DCA Part 2, Tier 2, Table 19.1-70, Listing of Candidate Risk Significant Structures, Systems, and Components (Single Module): Low Power and Shutdown Probabilistic Risk Assessment, two operator actions were found to be candidates for risk significance: the operator failing to un-isolate containment and initiate CFDS injection and the operator failing to un-isolate containment and initiate CVCS injection.

For the at-power accident sequences that are applicable to LPSD conditions, the applicant assumed that the success criteria developed for at power conditions are also applicable. Due to the open item regarding the success criteria for LOCAs inside of containment for full power conditions, which is applicable for shutdown conditions, the staff cannot make a finding on the applicants LPSD internal events risk results and insights.

19.1.4.6.7 Conclusion Because of the open item discussed above (i.e., RAI 8840, Question 19-2), the staff cannot make a finding on the applicants Level 1 internal events PRA for LPSD operations.

Level 2 Internal Events Probabilistic Risk Assessment for Low-Power Shutdown Operations The staff evaluated DCA Part 2, Tier 2, Section 19.1.6, Safety Insights from the Probabilistic Risk Assessment for Other Modes of Operation, for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.7.1 Methodology The staff evaluated the definitions of LPSD POSs and the end states from the Level 1 analysis.

The staff then reviewed how the accident progression analyses evaluated the contributors to a

19-29 large release. The LPSD Level 2 analysis was performed for each POS and then for each LPSD initiating event. Table 19.1-4 of this report defines the POSs.

For POSs 1, 6, and 7, the module configuration is similar to normal operation and was modeled similar to full-power operation. No credit was taken for heat transfer through containment during containment flooding in POS 1 and draining in POS 6. Section 19.1.4.5 of this report presents more detail on the Level 2 PRA modeling for operations at-power. The staff finds this simplifying assumption reasonable because it is conservative.

The staffs review of the Level 2 LPSD PRA focused on POSs 3 and 5 with module transport and the potential for a module drop resulting from a failure of the RBC or the module lift adapter.

Three types of module drop events were evaluated. The first type of module drop event involves dropping a fully assembled module with the CNV intact. The module is in this configuration when transported between the operating bay and the containment flange tool (CFT). In a fully assembled module, the CNV is intact and flooded, and the RVVs and RRVs are open. Should the module fall and become horizontal, the coolant inventory in the CNV would not be sufficient to cover the fuel, and core damage is assumed to occur.

After the fully assembled module is placed in the CFT, the CNV is then disassembled, and the upper CNV and RPV are moved from the CFT to the reactor flange tool (RFT). In this configuration, the water in the RPV communicates with the reactor pool through the open RVVs and RRVs. If a module were dropped in this configuration, pool water would flow in through the open RVVs and RRVs to keep the fuel covered and prevent core damage. Thus, the LPSD PRA does not further evaluate the drop of a partially assembled module.

The third type of module drop reflects the possibility of dropping the upper vessels (i.e., the upper portions of the RPV and CNV) as they are moved to or from the dry dock area. The fuel is in the lower RPV, which remains in the RFT. The concern is the physical impact of the RBC dropping the upper RPV and CNV onto the stationary core, which remains in the RFT. This configuration is not included as a potential contributor to CDF because it involves potential mechanical fuel damage, not inadequate heat removal. The applicant concluded the potential radionuclide release from a damaged core does not result in a large release.

For module drop events, the applicant showed that deposition in the module and the aerosol scrubbing by the reactor pool result in the dose being less than the applicants large release definition of 200 rem. Therefore, module drop events were not considered to lead to a large release or to contribute to the LRF. To confirm these assumptions, the staff reviewed DCA Part 2, Chapters 9 and 19, and audited the supporting document ER-P060-7085, Revision 1, Dropped Module Consequence Analysis, which contains NuScales analysis of aerosol scrubbing by the reactor pool.

The staff reviewed key operating assumptions and details on module movement for the adequacy of the risk insights obtained from the dropped module consequence analysis.

In a letter dated May 21, 2018 (ADAMS Accession No. ML18141A882 (non-publicly available)),

the applicant stated that the CNV is pressurized during module transport. The intent of pressurizing the CNV is to limit the exchange of water when the CNV flange is opened. With this pressurization, an inflow of water that could submerge components near the top of the CNV is prevented by the presence of the gas bubble; the pressurization is not high enough to cause

19-30 an outflow of water that could lower the water level enough to release noncondensable gases into the refueling pool. DCA Part 2, Tier 2, Table 19.1-71 and Section 19.1.7.4, Insights Regarding Low Power and Shutdown for Multi-Module Operation, document additional module movement assumptions and potential impacts of module drop.

DCA Part 2, Tier 2, Table 19.1-74, External Flooding Susceptibility during Low Power and Shutdown Plant (LPSD), and Table 19.1-75, High-Wind Susceptibility during Low Power and Shutdown Plant Operating States, document that, if ac power is lost, the RBC brakes will set and stop motion. The RBC is designed with redundant holding brakes so that if one brake fails to engage, the other brake automatically holds the load. Because both brake systems are designed and rated to maintain a hoisted load at the maximum allowable crane load, a loss of power will halt operations, but not result in a load drop. The module can be maintained in position, suspended by the RBC, until power is restored, and the lift can resume. This RBC capability to maintain a hoisted load until power is restored resolves the staff concerns about a loss of ac power because of external flooding and high winds.

Fill Gas for Refueling To model the first type of postulated module drop during the movement of a fully assembled module for refueling, the applicant used MELCOR and MACCS for a range of severe accident scenarios to estimate a range of doses at the site boundary. The maximum of the range of doses is 0.576 rem. The applicant then compared this dose (0.576 rem) to its large release definition of 200 rem to conclude that module drop accidents do not result in a large release and show that the surrogate safety goal of an LRF less than 1x10-6 per year is met. The margin for this analysis is a factor of 347 (200/0.576).

DCA Part 2 does not specify the fill gas to be used during refueling. The applicants response to RAI 8926, Question 19-23 dated May 21, 2018 (ADAMS Accession No. ML18141A882), states that, although the fill gas assumed in its analysis is nitrogen, it is not necessary to specify the fill gas in DCA Part 2. As part of a staff audit, the applicant provided a MELCOR sensitivity analysis assuming the fill gas was air to show that using air would not result in a significantly different severe accident progression and source term.

The applicants MELCOR sensitivity analysis assuming the fill gas was air assumed ignition in the fuel region at 7-percent hydrogen because of the presence of overheating fuel and ignition in other regions at 10-percent hydrogen. The analysis showed that hydrogen combustion was limited because of the limited oxygen in the module. The analysis also showed that much of the hydrogen burned in the fuel region as it was generated, limiting the magnitude of the pressure rise from hydrogen combustion. The applicant also noted that any increased ruthenium releases associated with air conditions are unlikely to be significant because of the aerosol deposition in the module and scrubbing in the reactor pool. The staff finds the applicants MELCOR sensitivity analysis acceptable for demonstrating that using air as a fill gas would not result in significantly different severe accident progression and source term for estimating LRF.

The staffs finding is based in part on the margin of a factor of 347 in the analysis assuming nitrogen as a fill gas.

19-31 Pool Scrubbing for Module Drop Accidents For module drop accidents, the applicant assumed reactor pool scrubbing factors of 500 for iodine and of infinity for other radionuclides based on assumptions for fuel handling accidents in RG 1.183, Alternative Radiological Source Terms for Evaluating Design Basis Accidents at Nuclear Power Reactors, which treats iodine releases from fuel as vapor. The applicant evaluated aerosol scrubbing factors for the reactor pool to show that its use of a factor of 500 for iodine was conservative. In addition, the applicant applied a range of scrubbing factors (down to a scrubbing factor of 1) to other radionuclides released from the containment to show that these additional releases did not affect the conclusion being drawn from the analysisnamely, releases from model drop accidents are not classified as large releases. Therefore, the staff finds the applicants approach acceptable.

Dropping Upper Portion of the Reactor Pressure Vessel and Containment Vessel onto the Core while Refueling The applicant performed MELCOR and MACCS analyses to show that dropping the upper internals onto the core while refueling would not result in a large release. The MELCOR analysis assumed the module is lying horizontally on the pool floor, the gap activity is released from all 37 assemblies, and the containment has a hole in it. The assumed containment hole size resulted in nearly all of the gap activity of iodine being released from the containment to the reactor pool over the simulated time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The applicant then applied the pool scrubbing factors from RG 1.183 for fuel-handling accidents and used MACCS to predict a dose at the site boundary of 0.1 rem. The applicant concluded that dropping the upper internals onto the core while refueling would not result in a large release, because the predicted dose of 0.1 rem is less than the large release definition of 200 rem.

Although the applicants analysis simulates the release to the environment as occurring over 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the actual release period could be different. Dropping the upper RPV onto the core could result in a faster release to the pool than modeled by the applicant, because the containment is not present in this situation. This could result in a faster release to the environment. However, the presence of the RXB could result in a slower release from the volume above the reactor pool to the environment. As an independent check on the applicants conclusion, the staff multiplied the applicants exclusion area boundary dose consequences for a design-basis fuel-handling accident (as reported in DCA Part 2, Tier 2, Table 15.0-12, Radiological Dose Consequences for Design Basis Analyses) by the number of assemblies in the core to estimate a dose of 20 rem (0.55 rem per assembly x 37 assemblies). The fuel-handling accident analysis is more conservative than the applicants MELCOR and MACCS analyses because it assumes an instantaneous release from the fuel to the environment and a 2-hour dispersion factor. Even with the more conservative timing assumptions of the design-basis fuel-handling accident, the predicted dose is below 200 rem. Therefore, dropping the upper internals onto the core during refueling is not expected to result in a large release.

19.1.4.7.2 Quantification and Results The staff finds that the applicants calculated LRF caused by internal events for a module during LPSD conditions is significantly below the Commissions LRF goal of 1x10-6 per year. Similar to the LRF at full power, the significant LRF sequences involve an un-isolated CVCS pipe break outside containment in POSs 1, 6, or 7, followed by failures that prevent the CVCS or CFDS

19-32 from injecting coolant into the CNV. The applicant reported a very low number for the LRF for LPSD operations. The staff finds the applicants level 2 LPSD PRA analyses to be adequate for the purpose of demonstrating that the Commissions LRF and CCFP goals are met and for the purpose of identifying risk insights for a DCA.

19.1.4.7.3 Conclusion The staff finds that the applicants calculation of LRF from internal events for a module during LPSD conditions is consistent with relevant portions of SRP Section 19.0, DC/COL-ISG-028, and RG 1.200.

External Events Probabilistic Risk Assessment for Operations at Power and Low-Power Shutdown This section documents the staff evaluation of the external events PRA for operations at power and LPSD as described in DCA Part 2, Tier 2, Sections 19.1.5, Safety Insights from the External Events Probabilistic Risk Assessment for Operations at Power, and 19.1.6, Safety Insights from the Probabilistic Risk Assessment for Other Modes of Operation. The external event hazards that may affect the NuScale risk profile are identified consistently with ASME/ANS RA-Sa-2009 for the design stage consistent with DC/COL-ISG-028. The guidance in ASME/ANS RA-Sa-2009 is used to implement a progressive screening process to identify which external events can be screened from detailed evaluation and those that require a quantitative hazard evaluation. The applicant identified 41 specific external hazards for screening evaluation. The screening disposition for each of the hazards is reported in DCA Part 2, Tier 2. The applicant determined from the screening analysis that the following external events required detailed quantitative analysis: seismic events, internal fires, internal floods, external floods, and extreme winds.

The screening of some hazards was based on assumptions about siting requirements. To ensure that the site is enveloped, a bounding analysis of high winds and external floods was performed to allow COL applicants to compare their site characteristics to those assumed in the bounding analyses. A PRA-based SMA was performed to allow COL applicants to verify that the results remain valid and reflect site-specific and plant-specific information. The PRA-based SMA also allows COL holders to verify that the design-specific plant-level high confidence of low probability of failure (HCLPF) capacity is maintained for the as-built, as-designed configuration of the plant.

The staff reviewed the applicants screening evaluation of external events and finds it to be acceptable because (1) the screening criteria used by the applicant are consistent with DC/COL-ISG-028 and (2) the results of the screening evaluation are similar to those for passive reactor designs previously certified by the NRC.

19.1.4.8.1 Seismic Risk Evaluation This section documents the staff evaluation of the PRA-based SMA for operations at power as described in DCA Part 2, Tier 2, Section 19.1.5.1, Seismic Risk Evaluation. SECY-93-087 and the associated SRM indicate that, for seismic events, a plant designed to withstand a 0.5g safe-shutdown earthquake (SSE) should have a plant HCLPF capacity of at least 1.67 times the acceleration of the SSE (i.e., 0.84g). The applicant addressed seismic events more severe than

19-33 the design-basis earthquake (i.e., the SSE) using a PRA-based SMA. The applicant performed the PRA-based SMA based on logic models covering the various systems that could be used to prevent core damage. The models were developed by modifying the design-specific PRA models for internal events to include logic important in considering seismic failures. The applicant determined accident sequences important to the evaluation of seismic margin using event trees and fault trees that included the fragility data for each component for each sequence and failure probabilities for random, nonseismic failure events.

The staff reviewed the PRA-based SMA following the guidance provided in SECY-93-087 and its associated SRM; SRP Section 19.0; and Part 5, Requirements for Seismic Events At-Power PRA, of ASME/ANS RA-Sa-2009 for the design stage, consistent with DC/COL-ISG-028. In general, the PRA-based SMA provides an understanding of significant seismic vulnerabilities and insights to demonstrate the robustness of a standard design. In this context, the staff review focused on the framework for assessing potential significant failures induced by seismic events.

The staff assessed the scope of the applicants PRA-based SMA to ensure that the analysis addresses all applicable accident sequences and all plant operating modes.

The staff reviewed the PRA-based SMA for at-power and LPSD operations. The staffs review relied on information provided in DCA Part 2, Tier 2, Chapter 19, and information made available during the two audits.

Evaluation of Seismic Input Spectrum The staff reviewed the description of the seismic input spectrum provided in DCA Part 2, Tier 2, Section 19.1.5.1.1.2, Seismic Input Spectrum. The review-level earthquake is defined relative to the Certified Seismic Design Response Spectra (CSDRS), as shown in DCA Part 2, Tier 2, Figure 3.7.1-1, NuScale Horizontal CSDRS at 5 Percent Damping, and the SSC fragility is referenced to the peak ground acceleration of the CSDRS. Based on the description of the applicants input response spectrum, the staff finds that the seismic input spectrum for the PRA-based SMA is acceptable on the basis that the seismic fragility calculation uses the response spectrum shape defined as the DCs CSDRS, consistent with SRP Section 19.0.

Seismic Fragility Evaluation The staff review of the seismic fragility evaluation focused on the methodology used to select the structural failures, the methodologies used to calculate the seismic fragility for SSCs, and the assumptions made in determining the controlling structural failure modes.

The structural failures modeled are those structures that are directly in contact with the module, directly connected to the module interface, or located above the module. A separate fragility analysis was performed for each of the structures in DCA Part 2, Tier 2, Table 19.1-35, Structural Fragility Parameters and Results, including the RBC, RXB exterior walls, module supports, bioshield, pool walls, crane support walls, bay walls, roof, and basemat. The SSCs evaluated for the fragility analysis were divided into two categoriesPRA-critical and noncritical SSCs.

19-34 With regard to the methodology used for the PRA-critical SSCs, in SRP Section 19.0, the staff endorsed the conservative deterministic failure margin and separation of variables methods as acceptable for determining seismic fragility. Endorsed by the staff in DC/COL-ISG-020, EPRI NP-6041, A Methodology for Assessment of Nuclear Power Plant Seismic Margin, issued August 1991 and EPRI 103959, Methodology for Developing Seismic Fragilities, issued June 1994 are acceptable guidance for the seismic fragility evaluation. Because EPRI 1019200, Seismic Fragility Applications Guide Update, issued 2009, which was referenced for information on the evaluation of seismic fragilities, provides limited updates to the above EPRI documents, the staff found its use acceptable. The methodologies used for determining the HCLPF capacity are consistent with staff-endorsed guidance and are therefore acceptable.

With regard to the methodology used for the noncritical SSCs, the applicant stated that the use of generic data is conservative for component capacity and included an assumption in DCA Part 2, Tier 2, Table 19.1-40, Key Assumptions for the Seismic Margin Assessment, that fragility parameters acquired from generic sources are valid and relevant to the NuScale design, which is to be verified in accordance with COL Information Item 19.1-8. This methodology is acceptable to the staff because the results are conservative, the COL applicant will verify the applicability of the generic data, and no SSCs evaluated using generic data contribute to the seismic margin.

To verify assumptions in DCA Part 2, Tier 2 and resolve several RAIs, the staff audited a summary of the fragility calculations for several PRA-critical SSCs, including the RBC, RVVs, and control rod guide tube. The staff also audited portions of the fragility calculations for the structures, including the reactor bay wall, reactor pool walls, crane walls, RXB exterior wall, basemat, RXB roof, and module supports. The staff specifically verified that the supporting calculations demonstrate that the controlling failure mode for the RXB is out-of-plane shear cracking at the base of the exterior east-west walls. The staff verified that results of the seismic evaluation presented in DCA Part 2, Tier 2, Tables 19.1-35 and 19.1-38, Seismic Correlation Class Information, which include the median capacity, uncertainty parameters, and HCLPF capacity, were consistent with audited documents. The staff verified that no SSCs with HCLPF capacities less than 0.84g, as indicated in DCA Part 2, Tier 2, Table 19.1-38, contribute to the seismic margin.

The staff reviewed the component boundaries because several components listed in DCA Part 2, Tier 2, Table 19.1-38 have HCLPF capacities significantly in excess of 0.84g. As stated in DCA Part 2, Tier 2, Section 19.1.5.1.1.3, Seismic Fragility Evaluation, these boundaries cover all failure mechanisms, including anchorage failures and structural collapse affecting component functions. The defined component boundaries are acceptable to the staff; however, sufficient basis does not exist to verify these HCLPFs without as-built plant information and the results of a seismic walkdown. Therefore, although the staff cannot evaluate the adequacy of individual components listed in DCA Part 2, Tier 2, Table 19.1-38, which have comparatively high HCLPF capacities, until the seismic walkdown is performed, the staff is able to find that the plant-level HCLPF capacity meets the Commissions Policy Statement in SECY-93-087. The staff will confirm that the applicable information provided in NuScales letter dated October 25, 2018 (ADAMS Accession No. ML18298A083), is added to the next revision of the DCA. This is a confirmatory item pending the receipt of Revision 3 of DCA Part 2.

19-35 The staff reviewed the assumption listed in DCA Part 2, Tier 2, Table 19.1-40, that seismic Category I structures meet the seismic margin requirement of 1.67 times the CSDRS for site-specific seismic hazards, including sliding and overturning. The staff reviewed the results of the analysis in DCA Part 2, Tier 2, Tables 3.8.5-5, Factors of SafetyRXB Stability, 3.8.5-11, Reactor Building Sliding Displacements for Soil Type 7, 8, and 11 (Dead Weight + Buoyancy),

and 3.8.5-12, Control Building Sliding and Uplift Displacements for Soil Type 7 and 11. The analysis results indicate negligible RXB sliding displacements of 0.11 inches in the east-west direction and 0.06 inches in the north-south direction as the result of the design-basis earthquake of 0.5g. Section 3.8.5 of this report documents the staffs evaluation of this analysis.

Based on the above information, the staff concludes that it is reasonable to assume that the seismic Category I structures meet the seismic margin of 1.67 times the CSDRS for seismic-induced sliding and overturning. Additionally, COL Information Item 19.1-8 specifies that the COL applicant is to confirm the validity of key assumptions.

For the LPSD PRA-based SMA, the staff reviewed DCA Part 2, Tier 2, Section 19.1.6.3, Safety Insights from the External Events Probabilistic Risk Assessment for Low Power and Shutdown Operation, to determine whether any additional SSCs should be included beyond those considered for the at-power PRA-based SMA. The applicant included assumptions in DCA Part 2, Tier 2, Table 19.1-40, for the CFT, RFT, and module lifting adapter, which provide the basis for concluding that they do not contribute to the seismic margin. The basis given in DCA Part 2, Tier 2, Table 19.1-40, is acceptable to the staff because operating practice will control the configuration of these SSCs.

Evaluation of Systems and Accident Sequence Analysis DCA Part 2, Tier 2, Section 19.1.5.1.1.4, Systems and Accident Sequence Analysis, summarizes the applicants method for performing the systems and accident sequence analysis.

The staff compared the steps in this method with the Commissions expectations and found that the NuScale method includes all features described in SECY-93-087 and the associated SRM.

The applicant included all SSCs modeled in the internal events PRA and additional seismic-specific SSCs, such as structures, in the PRA-based SMA. The seismic fragility analysis detailed above supports the determination of sequence-level and plant-level HCLPF capacities. The staff confirmed that the applicant used the MIN-MAX method to calculate the sequence-level and plant-level HCLPF capacities. Use of the MIN-MAX method follows the guidance in SRP Section 19.0 and is acceptable to the staff.

In developing sequence-level HCLPF capacities, the applicant used a screening process to eliminate core damage cutsets that included both seismic-induced failures of SSCs, random failures of SSCs and human error events. Cutsets were screened out when the product of the failure probabilities for random failures and human error events was less than.01. The staff finds this screening criterion acceptable because, by definition, the HCLPF capacity is the seismic capacity of an SSC described in terms of a specified ground motion parameter corresponding to a 1-percent probability of unacceptable performance of the mean fragility curve, and cutsets having the product of random failure probabilities of less than.01 will have a total failure probability of less than.01 regardless of the probability associated with the seismic failure. In contrast, for the evaluation of seismic risk insights, all cutsets were considered. The staff will confirm that the applicable information in NuScales letter dated October 25, 2018

19-36 (ADAMS Accession No. ML18298A083), is added to the next revision of the DCA. This is a confirmatory item pending the receipt of Revision 3 of DCA Part 2.

In developing risk insights, the applicant generated cutsets for 14 seismic event trees. The underlying logic for each event tree is identical; however, each event tree represents a different ground motion acceleration. Each event tree is assigned a ground motion acceleration increasing monotonically from 0.005g to 4.0g. During an audit, the applicant elaborated that the 14 sets of cutsets reveal which combinations of seismic and random failures are most likely for different earthquake intensities. The staff finds that segmenting the seismic hazard into 14 intervals is a typical and acceptable approach to quantifying the seismic risk as described in EPRI 1002989, Seismic Probabilistic Risk Assessment Implementation Guide, issued 2009. The use of multiple ground motion intervals provides insights into the relative contributions of both seismic and random failures at different ground motions.

The applicant performed a PRA-based SMA, as described in DCA Part 2 Tier 2 Section 19.1.

The staff does not expect a peer review in accordance with ASME/ANS RA-Sa-2009, Part 5, Section 5-3, for this SMA. However, the staff compared the elements of an SMA peer review specified in ASME/ANS RA-Sa-2009, Part 5, Section 5-3, with those documented in ER-P000-4474, Revision 0, External Review of the NuScale PRA Self-Assessment. The staff determined that the applicants external review adequately considered the elements in ASME/ANS RA-Sa-2009 and provides the staff with additional confidence that the PRA-based SMA is technically adequate.

Insights The applicant described the insights gained from the PRA-based SMA in DCA Part 2, Tier 2, Section 19.1.5.1.2, Results from the Seismic Risk Evaluation. To gather these insights, the applicant examined risk-significant accident sequences, structural failure events, component failure modes, and operator actions.

Reporting risk insights from the PRA-based SMA adequately addresses the Commissions objective that significant seismic vulnerabilities and other important insights be captured in the PRA-based SMA, as discussed in SECY-93-087 and the associated SRM.

Conclusion Based on the above evaluation, the staff finds that the NuScale design satisfies the expectation of SECY-93-087 and its associated SRM regarding the plant-level HCLPF capacity, which is sufficient to demonstrate adequate seismic margin for a DCA. Therefore, the staff concludes that the NuScale PRA-based SMA is acceptable and consistent with SRP 19.0.

19.1.4.8.2 Internal Fires Risk Evaluation The staff evaluated the fire probabilistic risk assessment (FPRA) for operations at power as described in DCA Part 2, Tier 2, Section 19.1.5.2, Internal Fires Risk Evaluation, for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028. The applicants FPRA addressed the technical elements in ASME/ANS RA-Sa-2009, such as component selection, fire scenario analysis, fire ignition frequency, and fire risk quantification.

The staff reviewed the extent to which the applicants FPRA information is consistent with the

19-37 applicable approaches described in NUREG/CR-6850, EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities, issued September 2005. The applicant either did not perform certain tasks or used simpler analyses than suggested in NUREG/CR-6850. The staff finds it acceptable because certain design details (e.g., specifics of cable routing, ignition sources, and target locations) are unknown at the DC stage. The staff focused its review on the reasonableness of assumptions used in the FPRA to address these incomplete aspects of the design and operating procedures.

Fire Probabilistic Risk Assessment Component Selection The staff reviewed the applicants selection of components included in the FPRA. The staff confirmed that the FPRA uses the same systems and accident sequence models as the internal events PRA. The applicant used the information from the Fire Safe Shutdown Plan presented in DCA Part 2, Tier 2, Appendix 9A, Fire Hazards Analysis, and multiple spurious operation evaluations to identify components to include in the FPRA model. The staff noted that the instrumentation required to perform operator actions has not been established. The staff confirmed that the FPRA assumes that instrumentation is available for operator actions when the equipment (e.g., pumps, valves) required to perform the actions is available.

Instrumentation required for the performance of an operator action is assumed to be affected by the same fire event that affects the equipment required to perform the action (e.g., by fire in the area where control circuitry is located). The staff confirmed that this assumption has been included as a key assumption in DCA Part 2, Tier 2, Table 19.1-46, Key Assumptions for the Internal Fire PRA, that will be validated or updated as appropriate once the design details become available in the COL stage.

Fire-Induced Failures The staff reviewed how the FPRA model accounted for the ability of equipment that may be affected by a fire to perform its intended function. The staff also reviewed a spurious operation induced by a hot short that may either cause a fire-induced initiating event or adversely affect the response of safety systems or operator actions required to respond to a fire. In lieu of detailed circuit analyses, the applicant assumed that fire damage to cabling can either cause a loss of control of the associated component or a spurious operation of the associated component depending on the cable material (e.g., fiber optic or copper). The applicant assumed that spurious operation induced by a hot short is not credible in fiber optic cables.

Therefore, damage to a fiber optic cable is modeled only as a loss of control of the component controlled by the cable. Fire-induced spurious operation of circuits involving copper cabling are considered credible and are included in the model.

The staff noted that there are assumed fire scenarios (e.g., IE-FIRE-3-ECCS) during which the ECCS solenoid-operated valves are subject to spurious operation, but not the containment isolation solenoid valveseven though the cabling for both functions appears to be routed through a shared fire area (e.g., Fire Area 010-208).

In a letter dated December 13, 2017 (ADAMS Accession No. ML17347B711), the applicant stated that for the ECCS, a spurious actuation is a potential concern because it presents a possibility for an incomplete ECCS actuation; therefore, a hot short is modeled as a contributor to an inadvertent ECCS actuation demand. For the CIVs, however, fire damage may result in the valves closing, which is the safe state, and these failures are not modeled in the PRA to

19-38 avoid crediting a beneficial failure that may mitigate a potential accident progression. The staff finds this approach reasonable and acceptable.

The staff noted another important assumption related to the probability of spurious operation occurring. The applicant assumed that spurious operations of solenoid-operated valves powered by ungrounded dc supplies have been assigned a probability of 7.7x10-2 based on Column 4 of Table 5-2 in NUREG/CR-7150, Joint Assessment of Cable Damage and Quantification of Effects from Fire (JACQUE-FIRE). This probability is applicable to solenoids that require double-break hot shorts from intra-cable and ground fault equivalent sources. The applicant further assumed that if a spurious operation can be withstood for longer than 7 minutes, a value of 2.2x10-2 is assigned as the probability for the hot short to persist for longer than 7 minutes. This is based on Table 6-3 in NUREG/CR-7150 and allows for the possibility for a hot short to clear after it initially occurs. The staff found that the applicant included these as key assumptions in DCA Part 2, Tier 2, Table 19.1-46, which will be validated or updated as appropriate once the design details become available in the COL stage.

Fire Scenario Analysis The staff reviewed the applicants treatment of the spatial interaction between the ignition sources and the targets. The applicant performed the plant partitioning and identified the fire compartments based on the fire areas as defined in the fire hazards analysis documented in DCA Part 2, Tier 2, Chapter 9. At this stage of this design, the specific locations of ignition sources, targets (e.g., cable routing), and intervening combustibles are not available. Within individual fire compartments, the FPRA did not take credit for fire suppression, either automatic or manual. Cable routing information was assumed based on the location of component controls and the physical location of the equipment in the plant as identified or inferred from the site plan and the general arrangement drawings.

The applicant did not perform detailed fire modeling. Instead, the applicant modeled the fire growth by applying a mean probability of 0.5 with a uniform distribution with a value between 0 and 1 to represent the combined effect of a fire severity factor, the probability of nonsuppression, and subsequent fire growth. In cases when the fire does not spread, the scenario is mapped to a transient sequence. When the fire does spread, all targets in the fire are assumed to be affected by the fire, and the scenario is mapped to the most challenging accident sequence considered possible following a fire in the area. The applicant also performed a sensitivity study to evaluate the uncertainty in fire growth.

The staff reviewed how the applicant addressed the MCR fire risk. The applicants modeling of fires affecting the MCR are consistent with how other fire compartments are modeled. Because the MCR contains equipment controlling both divisions of safety systems, a fire left unchecked may result in conditions that challenge entire safety functions. The operators are expected to respond to an MCR evacuation by tripping the reactors and initiating DHR and containment isolation for each reactor before leaving the MCR. Following evacuation of the MCR, the MPS manual switches can be isolated to prevent spurious actuations. As these fire areas are treated identically and combined in a single fire scenario, all of these fire areas need to be viewed as potentially risk significant.

The staff reviewed the applicants treatment of multicompartment fires. The frequency of the multicompartment scenario is quantified as the product of the ignition frequency, the severity

19-39 factor, the probability of nonsuppression, and the fire barrier failure probability. The applicant assumed that all ignited fires in the originating compartment result in a challenge to fire compartment boundaries, such as by the formation of a hot gas layer. The applicant assumed a severity factor of 1, 0.01 for the probability of nonsuppression, and 0.1 for the probability of barrier failure. The applicant considered the fire compartment layout from the general arrangement drawings and appropriately assessed the combinations of multicompartment fire scenarios.

Fire Ignition Frequency The staff reviewed how the applicant determined the fire ignition frequencies to support the FPRA. The applicant estimated the fire ignition frequency for each identified ignition source and each fire compartment using the generic frequencies from NUREG-2169, Nuclear Power Plant Fire Ignition Frequency and Non-Suppression Probability Estimation Using the Updated Fire Events Database: United States Fire Event Experience Through 2009, issued January 2015.

Fire frequencies are based on mapping plant ignition sources to generic fire bins and associated frequencies. They generally include equally weighted transient ignition sources. The applicant estimated the potential ignition sources in unscreened fire compartments based on general arrangement drawing. The plant layout and the multimodule configuration of the NuScale design differs significantly from the large LWR plant layout on which the NUREG-2169 data are based. Although this introduces additional uncertainties, this is a reasonable approach at this stage of the design for DC purposes.

Cables routed in the area under the bioshield have been excluded from the counting of junction boxes. These cables are routed exclusively in steel conduit or metal flexible conduit and are not capable of igniting a fire in this area. This is a key assumption included in DCA Part 2, Tier 2, Table 19.1-46, which will be validated or updated as appropriate once the design details become available in the COL stage. As discussed in Section 19.1.4.4.8 of this report, the applicant identified COL Information Item 19.1-8 for this purpose.

Quantification and Insights The staff reviewed the fire risk quantification and found that the key elements for the PRA quantification, such as initiating events, accident sequences, and basic events (equipment unavailability and human failure events) were identified. The applicant reported a very low number for the internal fire CDF. The internal FPRA results and insights rely on key assumptions to account for the incomplete design and operational details. DCA Part 2, Tier 2, Table 19.1-46, lists the key assumptions for the internal FPRA. These key assumptions used in the PRA need to be appropriately evaluated and dispositioned during the COL stage to ensure that the PRA results and insights continue to remain valid. As discussed in Section 19.1.4.4.8 of this report, the applicant identified COL Information Item 19.1-8 for this purpose.

Low-Power and Shutdown Internal Fires For LPSD operations, the applicants evaluation of internal fires in DCA Part 2, Tier 2, Section 19.1.6.3.2, Internal Fire Risk during Low Power and Shutdown, is a qualitative assessment. The applicant concludes that the risk contribution is insignificant during LPSD operations because of the fail-safe nature of the safety-related systems, as well as the limited time (frequency and duration) that the module is in any POS during LPSD operations. As

19-40 described in Section 19.1.4.6 of this report, the staff finds that the LPSD risk is not a large contributor in the NuScale design because of the passively cooled state, aside from POSs 3 and 5 associated with RBC operation. The staff considered the potential for fires to affect the RBC control system in POSs 3 and 5. DCA Part 2, Tier 2, Table 19.1-72, Internal Fire Susceptibility During Low Power and Shutdown Plant Operating States, states that the controls for the crane are expected to use fiber optics such that spurious operations of the crane are not judged to be credible. The staff considers the crane control system that precludes spurious operation induced by a hot short to be a key assumption in the PRA. Because DCA Part 2, Tier 2, Table 19.1-46, includes as a key assumption that the RBC cannot be spuriously operated as a result of a fire, in accordance with COL Information Item 19.1-8, the assumption will be validated or updated as appropriate once the design details become available in the COL stage.

Conclusion The staff finds that although many details are tied to assumptions, the applicants FPRA, which uses simplified approaches to address many aspects as described above, provides results and insights acceptable for at-power and LPSD operations; and the FPRA for at power and LPSD operations is acceptable for a DCA because it is technically adequate and consistent with the guidance in DC/COL-ISG-028 and SRP Section 19.0.

19.1.4.8.3 Internal Flooding Analysis The staff evaluated the internal flooding probabilistic risk assessment (IFPRA) for operations at power as described in DCA Part 2, Tier 2, Section 19.1.5.3, Internal Flooding Risk Evaluation, for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028.

The applicants IFPRA addressed the technical elements in ASME/ANS RA-Sa-2009 (i.e., internal plant partitioning, internal flood source identification, internal flood scenario development, internal flood-induced initiating event analysis, and internal flood accident sequence and quantification). However, the applicants approach is based on a simplified model with heavy reliance on assumptions. This is partly because of the lack of established pipe routing and other design and operational details at this stage of the design. Therefore, the staff focused its review on the appropriateness of assumptions used to address these incomplete aspects of the design and operating procedures.

Internal Flood Plant Partitioning The staff reviewed how the applicant performed the internal flood plant partitioning. The applicant performed this task generally at the building level. The applicant used the site plan drawing to assess the buildings that contain flood sources that have the potential to cause plant trips. The applicant screened out buildings from further consideration based on the assumption that either a flood in those areas would not cause a plant trip or adequate flood protection will be provided. For example, the applicant screened out the control building from the internal flood model based on the reasoning that, although the control building contains equipment that may result in a plant trip if flooded, areas containing this equipment are protected from internal flooding. The staff finds that the availability of adequate flood protection is a key assumption that should be validated for the COL stage. The applicant identified COL Information Items 3.4-1 through 3.4-4 for implementation of flood protection design during the COL stage.

19-41 For the equipment modeled in the PRA, the applicant identified the flood areas as shown in DCA Part 2, Tier 2, Table 19.1-49, Assessment of Flood Areas Containing Equipment Modeled in the Probabilistic Risk Assessment. The applicant assumed that the equipment located in these flood areas is protected, which is acceptable to meet the DC requirements. The staff considers this a key assumption in the PRA and finds that the COL applicant, consistent with COL Information Items 3.4-1 through 3.4-4, will provide assurance that adequate flood protection is provided to protect these flood areas in the as-built plant.

Internal Flood Source Identification The staff reviewed the applicants identification of the internal flood sources. DCA Part 2, Tier 2, Table 19.1-48, Internal Flooding Sources, identifies and characterizes the systems that have the potential to cause internal flooding events. Because little information is available on specific pipe routing and equipment location, the characterization of the flood sources is limited to identifying the building affected by the potential flood (e.g., RXB, turbine building). The applicant applied a simplified approach that modeled flooding events in the RXB as reactor trips (general transients) in which makeup by the CVCS and the CFDS is unavailable. The staff finds that the simplified approach is reasonable for the DC stage.

Internal Flood Scenario Development The staff reviewed how the applicant performed the internal flood scenario development. The applicants internal flood scenario analysis is based on the assumption that the equipment identified in DCA Part 2, Tier 2, Table 19.1-49 is protected from internal floods. The staff audit of the information indicated that the required level of flooding protection is determined based on the assumed time available for the operator to successfully isolate the flood source. The applicant stated that a representative internal flooding analysis has been performed which is based, in part, on assumed flood volumes with the expectation that plant personnel will eventually isolate a flood source. The staff finds that the applicant included this assumption as a key assumption in DCA Part 2, Tier 2, Table 19.1-54, Key Assumptions for the Internal Flooding PRA, which will be validated or updated as appropriate once the design details become available in the COL stage (COL Information Item 19.1-8).

Internal Flood-Induced Initiating Event Analysis The staff reviewed how the applicant performed the internal flood-induced initiating event analysis. An internal flood cannot initiate a LOCA or a steamline or feedwater line break because flood damage does not affect passive components. The applicant assumed that an internal flood could initiate a transient because of the potential effects on pumps, control panels or equipment; therefore, the internal event initiators such as loss of support systems and general reactor trip apply to internal flooding. However, the applicant screened out internal flood-induced LOOP or loss of dc power as no internal flooding sources are associated with an area containing the highly reliable dc power system or the high-voltage 13.8-kilovolt and switchyard system switchgear. This modeling approach assumes that the flooding protection features will be adequately designed, and that the operator action will successfully isolate the flood source before equipment is damaged. The staff finds that this modeling approach is included as a key assumption in DCA Part 2, Tier 2, Table 19.1-54, which will be validated or updated as appropriate once the design details become available in the COL stage.

19-42 The applicants estimation of the internal flooding frequency uses a very simplified approach.

The applicant assumes that the generic flooding frequency data in NUREG/CR-2300 for the auxiliary building and the turbine generator building may be applied to the RXB and turbine generator building. The applicant bases this assumption on the similarity in the location and types of equipment in these buildings. The staff finds that this approach limits the ability to gain design-specific insights because it does not consider the NuScale-specific piping configuration and associated break frequency estimations. However, the staff noted that the initiating event frequencies assumed for the RXB and the turbine generator building are comparable to or somewhat more conservative than the internal flooding analyses for other reactor designs.

Hence, although the uncertainty is large, the staff finds that the risk is not significantly underestimated, assuming that key assumptions are valid. The staff also considered that the NuScale design is less dependent on active systems. Internal flooding would adversely affect only the components supporting the CVCS and CFDS, but the mitigating functions provided by these systems are not credited for flooding in the RXB. Based on the above considerations, and because limited design information is available, the staff finds this approach to estimating the internal flooding frequency reasonable for a DCA.

Quantification and Insights DCA Part 2, Tier 2, Section 19.1.5.3.2, Results from the Internal Flooding Risk Evaluation, discusses the results from the internal flooding risk evaluation. The staff reviewed the PRA quantification and finds that the key elements in the PRA quantification, such as initiating events, accident sequences, and basic events (equipment unavailability and human failure events), are identified. The applicant reported a very low number for the internal flooding CDF.

As discussed in more detail in Section 19.1.4.4.8 of this report, the staff finds that the uncertainty in the CDF could be very large at this DC stage.

The PRA results and insights rely on key assumptions to account for the incomplete design and operational details. DCA Part 2, Tier 2, Table 19.1-54 lists the key assumptions for the IFPRA.

These key assumptions used in the PRA need to be appropriately evaluated and dispositioned during the COL stage to ensure that the PRA results and insights continue to remain valid. As discussed in Section 19.1.4.4.8 of this report, the applicant identified COL Information Item 19.1-8 for this purpose.

Low-Power and Shutdown Internal Flooding For LPSD operations, the applicants evaluation of internal flooding risk in DCA Part 2, Tier 2, Section 19.1.6.3.3, Internal Flood Risk during Low Power and Shutdown, is a qualitative assessment. The applicant concludes that risk contribution is insignificant during LPSD operations because of the fail-safe nature of the safety systems, as well as the limited time (frequency and duration) that the module is in any POS during LPSD operations. As evaluated in Section 19.1.4.6 of this report, the staff finds that the reactor module is passively cooled for most of the LPSD duration. Therefore, the staff finds that internal flooding will likely not contribute significantly to risk in POSs 1, 2, 4, 6, and 7. However, the staff considered that internal flooding has the potential to cause a loss of power to the crane during POSs 3 and 5.

As previously described for at-power internal flood analysis, the applicant assumes that design features protect equipment such as the ac power equipment from internal floods. These design features are based on the ability of the operator to isolate any flood source before equipment

19-43 damage occurs. This is a key assumption, and the staff finds that the applicant included it as a key assumption in DCA Part 2, Tier 2, Table 19.1-54, which will be validated or updated as appropriate once the design details become available in the COL stage.

Conclusion Based on the above, the staff finds that the applicants IFPRA for at-power and LPSD operations is acceptable for a DC because it is technically adequate and consistent with the guidance in DC/COL-ISG-028 and SRP Section 19.0.

19.1.4.8.4 External Flooding Analysis The applicants external flooding PRA in DCA Part 2, Tier 2, Section 19.1.5.4, External Flooding Risk Evaluation, applies the methodology in Part 8 of ASME/ANS RA-Sa-2009 for the design stage consistent with DC/COL-ISG-028. The PRA includes a hazard analysis, fragility evaluation, module response, accident sequences, and quantification. The applicant performed a self-assessment of the PRA against the guidance in DC/COL-ISG-028. The staff examined the self-assessment documentation during an audit.

The staff reviewed the key assumptions made in the external flooding analysis that are provided in DCA Part 2, Tier 2, Table 19.1-58, Key Assumptions for the External Flooding PRA. The staff examined the basis for the probable maximum flood frequency of 2.0x10-3 per year. In a letter dated August 16, 2017 (ADAMS Accession No. ML17230A000), the applicant stated that an external flood with a recurrence interval of one in 500 years is assumed to bound the likelihood of exceeding the design-basis flood. Another key assumption is that for 90 percent of external flood events, operators are assumed to cease refueling and crane operations and perform a controlled shutdown before external flood-induced impacts affect equipment. The staff finds that these key assumptions need to be appropriately evaluated and dispositioned during the COL stage to ensure that the PRA results and insights continue to remain valid. As discussed in Section 19.1.4.4.8 of this report, the applicant identified COL Information Item 19.1-8 for this purpose.

The staff examined the potential failure of flooding penetrations. DCA Part 2, Tier 2, Section 19.1.5.4.2, Results from the External Flooding Risk Evaluation, states that flooding penetrations (e.g., doors) are not credited in the external flooding analysis, and no flooding penetrations were identified as risk significant. The staff finds the applicants approach acceptable.

DCA Part 2, Tier 2, Tables 19.1-74 and 19.1-75, documents that, if ac power is lost, the RBC brakes will set and stop motion. The RBC is designed with redundant holding brakes so that if one brake fails to engage, the other brake automatically holds the load. Because both brake systems are designed and rated to maintain a hoisted load at the maximum allowable crane load, a loss of power will halt operations, but not result in a load drop. The module can be maintained in position, suspended by the RBC, until power is restored, and the lift can resume.

This RBC capability to maintain a hoisted load until power is restored resolves the staff concerns about a loss of ac as the result of external flooding and high winds.

19-44 Based on the above, the staff finds that the applicants external flooding PRA for at-power and LPSD operations is acceptable for the DCA because it is technically acceptable and consistent with the guidance in DC/COL-ISG-028 and SRP Section 19.0.

19.1.4.8.5 High-Winds Analysis The applicants high-winds PRA, described in DCA Part 2, Tier 2, Section 19.1.5.5, High-Wind Risk Evaluation, applies the methodology in Part 7 of ASME/ANS RA-Sa-2009 for the design stage, consistent with DC/COL-ISG-028. The PRA includes a hazard analysis, fragility evaluation, plant response, operator actions, and results. The applicant performed a self-assessment of the PRA against the guidance in DC/COL-ISG-028. The staff examined the self-assessment documentation during an audit.

The applicant developed its tornado hazard characterization with methods and data in NUREG/CR-4461, Revision 2, Tornado Climatology of the Contiguous United States, issued February 2007, and based it on data for the central region of the United States. The staff finds the characterization acceptable because it is consistent with SRP Section 19.0 and uses data for the central region of the country, which has the highest occurrence rate of tornadoes and the highest tornado intensities. DCA Part 2, Tier 2, Table 19.1-61, Key Assumptions for the High-Winds Probabilistic Risk Assessment, presents the key assumptions made in the high-winds analysis. The staff has reviewed these assumptions and finds them to be logical and reasonable.

DCA Part 2, Tier 2, Table 19.1-62, Significant Cutsets (Hurricanes, Full Power, Single Module), and Table 19.1-63, Significant Cutsets (Tornadoes, Full Power, Single Module),

present the results of the applicants analysis of risk from high winds during power operation.

These results indicate that the NuScale design is very tolerant of the hazards created by the high winds, and the risk associated with high winds is not significant. The staff finds these results to be reasonable because, in the NuScale design, all important accident mitigation features are housed within the robust seismic Category l RXB structure and are therefore protected from the effects of high winds.

As discussed in Section 19.1.4.8.4 of this report, the RBC capability to maintain a hoisted load until power is restored resolves the staff concerns about losing ac power as the result of external flooding and high winds.

Based on the above, the staff finds that the applicants high-winds PRA for at-power and LPSD operations are acceptable for the DCA because they are technically adequate and consistent with the guidance in DC/COL-ISG-028 and SRP Section 19.0.

Evaluation of Multimodule Risk The staffs review of this area is intended to confirm that the unique multimodule configuration of the NuScale design does not contain vulnerabilities that would pose a level of risk significantly greater than that associated with accidents involving multiple units at a U.S. nuclear power plant site. The staff used the relevant guidance in SRP Section 19.0, which directs the staff to verify that the applicant has (1) used a systematic process to identify accident sequences, including significant human errors, that lead to multimodule core damages or large releases and described them in the application and (2) selected alternative features, operational strategies,

19-45 and design options to prevent these sequences from occurring and demonstrated that these accident sequences are not significant contributors to risk.

The staff reviewed the information in DCA Part 2, Tier 2, Section 19.1.7, Multi-Module Risk, about the multimodule risk evaluation and also audited supporting material. Overall, the staff finds that the applicant used a systematic process to evaluate the multimodule risk.

For internal events, the applicant identified coupling mechanisms that could cause initiating or failure events in two or more modules. The approach involved establishing potential initiating events, equipment failure modes, and human errors from the single module PRA that could occur in two or more modules. The coupling mechanisms were then characterized numerically with multimodule adjustment factors (MMAFs) and multimodule performance shaping factors (MMPSFs) that are established based on engineering judgment and applied directly to initiating event frequencies and basic event failure probabilities in the single module PRA model. An MMAF is a conditional probability that an event that has occurred in one module occurs in more than one module. An MMPSF is a multiplicative factor that is greater than or equal to 1 and accounts for the added complexities associated with a multimodule plant configuration not nominally considered in the base model analysis for a single module. The parametrically adjusted single-module model, when quantified, provides an estimate of the frequency of core damage in two or more modules. The staff review finds that this approach is reasonable as it is thorough in scope and uses a systematic approach to evaluate the multimodule risk. The approach relies heavily on assumptions using engineering judgment (e.g., MMAFs and MMPSFs), and the results of the multimodule risk evaluation contain large uncertainty; however, the staff finds that the applicants approach is acceptable for the DC stage.

The staff also finds that the applicant describes design features and operational strategies to prevent the accident sequences from occurring or to reduce their likelihood. These features and strategies include the following:

Support systems that are not safety-related that can cause internal initiating events are made up of multiple trains, which limits the likelihood of system failure.

Each individual module is supported by independent module-specific safety-related systems designed to ensure that the module is safely shut down during upset conditions.

The independent safety-related systems are designed to be fail-safe during upset conditions and do not require operator action for initiation.

Although the safety-related UHS is shared among the modules, its reliability is not threatened by internal initiating events.

The applicant addresses the risk associated with the impact of external events on multiple modules qualitatively. Seismic, internal fire, internal flooding, external flooding, and high-wind events are addressed. The applicant discusses upset conditions in multiple modules that may be caused by these events, as well as the independence of module-specific design features that protect the reactor core under such conditions.

For internal fire, the staffs evaluation included the review of the information in DCA Part 2, Tier 2, Chapter 9, Appendix 9A, which includes the fire hazards analysis and a description of the

19-46 fire safe-shutdown path. The staff evaluated potential single fire areas that contain equipment in redundant safety divisions relied on for safe shutdown for multiple modules or that contain safe-shutdown equipment from a single safety division for multiple modules. By reviewing the description of equipment locations in the fire hazards analysis in DCA Part 2, Chapter 9, Appendix 9A, the staff confirmed that the MCR is the only single fire area that contains multiple divisions of equipment that are required for safe shutdown of multiple modules. The staff finds that the equipment required for safe shutdown is designed to be fail-safe, with the exception of the potential creation of hot short conditions in which equipment is energized and actuated spuriously. Fire protection equipment is provided in the MCR and all other fire areas to arrest and limit the growth of any fire. In addition, operators can manually remove electric power from circuits, which places safety-related equipment in its fail-safe position. The staff finds that the applicant has taken reasonable steps in the design of the facility to limit the extent to which fire can induce unmitigated accident conditions in multiple modules and to allow the safety systems to perform their safety functions during a fire.

An internal flooding event can create the demand for more than one module to shut down, but given that the DHRS, ECCS, and CIVs transition to the safe state given a loss of DC and AC power, there are no multimodule dependencies in the design that result in an elevated conditional probability of core damage or large release given core damage in the first module.

The staff finds that the safety system components inside the containment and inside the reactor pool are not vulnerable to damage from flooding and that the containment isolation system is designed to fail in a safe state (i.e., isolated containment) if associated electrical components are flooded. As stated in DCA Part 2, Tier 1, Table 3.11-2, Reactor Building Inspections, Tests, Analyses, and Acceptance Criteria, the design includes internal flooding barriers to provide confinement so that the impact from internal flooding is contained within the RXB flooding area of origin. These barriers include flood-resistant doors, curbs and sills, walls, watertight penetration seals, and National Electrical Manufacturers Association enclosures. In addition, and like most multiunit facilities operating in the United States, separate features for preventing and mitigating core damage are provided in each module and, other than the reactor pool, are not shared among modules.

An external flood can affect all modules, and its effect is basically that of a station blackout following a loss of power. The staff finds that module-specific safety systems for prevention and mitigation of a core damage accident do not rely on electric power, are fail-safe on loss of power, and are protected from external flooding by their location inside the RXB, which is a robust structure protected from external flooding in accordance with GDC 2, Design Bases for Protection against Natural Phenomena, of Appendix A to 10 CFR Part 50. In addition, the design includes separate features for preventing and mitigating core damage in each module; other than the reactor pool, these features are not shared among modules.

A high-wind event can affect all modules, and its effect is basically that of a reactor trip and a loss of power. The staff finds that the module-specific safety systems for prevention and mitigation of a core damage accident do not rely on electric power, are fail-safe on a loss of power, and are protected from high winds by their location in the RXB, which is a robust structure protected from the effects of high winds in accordance with GDC 2. In addition, separate features for preventing and mitigating core damage are provided in each module, and other than the reactor pool, these features are not shared among modules.

19-47 A seismic event can cause damages in multiple modules because of its sitewide impact in a common timeframe. Specifically, all 12 modules are located in the reactor pool inside the RXB.

The PRA-based SMA included in DCA Part 2, Tier 2, Section 19.1.5, addresses the effects of seismic events on a single module. However, potential initiating events, performance of safety systems, and accident sequences could be the same in multiple modules. The results of the PRA-based SMA described in DCA Part 2, Tier 2, Section 19.1.5, indicate that the SSCs relied on to prevent core damage and release in one or more modules are the reactor trip system, ECCS, DHRS, CIVs, RSVs, and the RXB structure. The values of the metric for HCLPF for the key failure modes of these SSCs were determined to be above the Commissions goal of.84g and in most cases, substantially above the goal. The staff evaluated the risk associated with a failure of the UHS structure. If such a failure results in a loss of the UHS, then both core and containment cooling would be lost, potentially leading to core melt and containment failure in multiple modules. The HCLPF values for the pool walls and floor, as listed in DCA Part 2, Tier 2, Table 19.1-35, are substantially above the Commissions guideline of.84g.

Section 19.1.4.8.1 of this report describes the staffs review of the fragility analysis portion of the PRA-based SMA. The staff finds that features included in the design to mitigate a multimodule accident following a seismic event are adequate because the seismic margin provided by these features exceeds the Commissions goal for new reactors.

For LPSD operations, the staff evaluated the applicants qualitative analysis of the potential for accidents involving multiple modules during module movement for purposes of refueling. The staff also reviewed the design of the RBC (see Section 9.1.5 of this report) and the applicants determination of the likelihood of a module drop accident during refueling (see Section 19.1.4.6.2 of this report). In addition, the staff considered the administrative controls documented in DCA Part 2, Tier 2, Table 19.1-71, which will ensure that RBC safety features (e.g., limit switches, interlocks to prevent undesired movement) are functional during module movement.

DCA Part 2 Tier 2, Section 19.1.7.4, Insights Regarding Low Power and Shutdown for Multi-Module Operation, discusses how a module dropped during refueling transport might impact other modules. Revision 1 of the DCA states that if the module is dropped on an operating module near the top, it could damage the DHRS piping or heat exchangers. In Revision 2 of the DCA, NuScale added that additional pipe breaks may occur, leading to a CVCS line break outside containment. Because Revision 2 postulates additional damage to the operating module beyond what was described in Revision 1, the staff needs additional information to conclude the qualitative multi-module risk assessment is technically adequate and complete.

The staff is requesting additional information on which pipes in the CVCS, DHRS, and CFDS are assumed to fail and why. The staff is also seeking additional information whether the capability of the containment isolation valves to close is compromised, given that the strike to the operating module has sufficient force to cause pipe breaks. Therefore, RAI 9659, Question 19-39, dated April 4, 2019 (ADAMS Accession No. ML19063D404), associated with the above request, is tracked as an open item.

Due to the open item associated with RAI 9659, Question 19-39 the staff cannot make a finding on the applicants assessment of the multi-module risk.

19-48 Combined License Information Items Table 19.1-5 of this report lists COL information item numbers and descriptions related to PRA.

The staff finds the COL information items to be reasonable.

Table 19.1-5 NuScale COL Information Items for DCA Part 2, Tier 2, Section 19.1 COL Item No.

Description DCA Part 2, Tier 2, Section 19.1-1 A COL applicant that references the NuScale Power Plant design certification will identify and describe the use of the probabilistic risk assessment in support of licensee programs being implemented during the COL application phase.

19.1.1.2.1 19.1-2 A COL applicant that references the NuScale Power Plant design certification will identify and describe specific risk-informed applications being implemented during the COL application phase.

19.1.1.2.2 19.1-3 A COL applicant that references the NuScale Power Plant design certification will specify and describe the use of the probabilistic risk assessment in support of licensee programs during the construction phase (from issuance of the COL up to initial fuel loading).

19.1.1.3.1 19.1-4 A COL applicant that references the NuScale Power Plant design certification will specify and describe risk-informed applications during the construction phase (from issuance of the COL up to initial fuel loading).

19.1.1.3.2 19.1-5 A COL applicant that references the NuScale Power Plant design certification will specify and describe the use of the probabilistic risk assessment in support of licensee programs during the operational phase (from initial fuel loading through commercial operation).

19.1.1.4.1 19.1-6 A COL applicant that references the NuScale Power Plant design certification will specify and describe risk-informed applications during the operational phase (from initial fuel loading through commercial operation).

19.1.1.4.2 19.1-7 A COL applicant that references the NuScale Power Plant design certification will evaluate site-specific external event hazards (e.g.,

liquefaction, slope failure), screen those for risk-significance, and evaluate the risk associated with external hazards that are not bounded by the design certification.

19.1.5 19.1-8 A COL applicant that references the NuScale Power Plant design certification will confirm the validity of the key assumptions and data used in the design certification application and modify, as necessary, for applicability to the as-built, as-operated PRA.

19.1.9.1 Conclusion The staff has reviewed the NuScale design-specific PRA and other PRA-related information in DCA Part 2, Tier 2, Sections 19.0 and 19.1, in accordance with the guidance in SRP Section 19.0. The NuScale PRA addressed various internal and external initiating events for both full-power and LPSD conditions. The applicant used the PRA-based SMA to evaluate potential vulnerabilities to seismic events in conformance with the SRM on SECY-93-087.

Because of the open items discussed above, the staff cannot make a finding that the information on PRA in DCA Part 2, Tier 2, Sections 19.0 and 19.1, is acceptable.

19-49 19.2 Severe Accident Evaluation Introduction This section describes the staff evaluation of DCA Part 2, Tier 2, Section 19.2, Severe Accident Evaluation.

Summary of Application DCA Part 2, Tier 1: There is no Tier 1 information associated with this area of review.

DCA Part 2, Tier 2: DCA Part 2, Tier 2, Section 19.2, provides a description and analysis of design features for the prevention and mitigation of severe accidents. Specifically, DCA Part 2, Tier 2, Section 19.2.2, Severe Accident Prevention, discusses the designs capability to prevent specific severe accidents and addresses prevention of severe accidents resulting from ATWS, fire protection issues, station blackout, and an interfacing system loss-of-coolant accident (ISLOCA). DCA Part 2, Tier 2, Section 19.2.3, Severe Accident Mitigation, discusses the designs capability to mitigate severe accidents if they occur and addresses the following severe accident issues:

external RPV cooling hydrogen combustion high-pressure melt ejection in-vessel steam explosion severe accident-induced SGTF equipment survivability DCA Part 2, Tier 2, Section 19.2.4, Containment Performance Capability, evaluates containment performance capacity; DCA Part 2, Tier 2, Section 19.2.5, Accident Management, discusses accident management; and DCA Part 2, Tier 2, Section 19.2.6, Consideration of Potential Design Improvements Under 10 CFR 50.34(f), discusses potential design improvements under 10 CFR 50.34(f).

ITAAC: There are no ITAAC associated with this area of review.

Technical Specifications: There are no technical specifications associated with this area of review.

Technical Reports: There are no Technical Reports associated with this area of review.

Regulatory Basis The relevant requirements for this review appear in 10 CFR 52.47(a)(23), which states that a DCA for LWR designs must contain an FSAR that includes a description and analysis of design features for the prevention and mitigation of severe accidents (e.g., challenges to containment integrity caused by core-concrete interaction, steam explosion, high-pressure melt ejection, hydrogen combustion, and containment bypass).

19-50 The guidance in SRP Section 19.0, Revision 3, lists the acceptance criteria adequate to meet the above requirements, as well as review interfaces with other SRP sections. In addition, the following guidance documents provide acceptance criteria that confirm that the above requirements have been adequately addressed:

SECY-93-087 and the associated SRM SECY-94-084, Policy and Technical Issues Associated with the Regulatory Treatment of Non-Safety Systems in Passive Plant Designs, dated March 28, 1994 (ADAMS Accession No. ML003708068), and the associated SRM, dated June 30, 1994 (ADAMS Accession No. ML003708098)

Technical Evaluation The staff reviewed the relevant information on the severe accident evaluation contained in DCA Part 2. During the review, the staff issued RAIs, conducted a series of public meetings with the applicant, and performed regulatory audits to examine nondocketed documents. The staff also closely coordinated and worked with other technical disciplines during the review. This section summarizes the results of the staff review that are important to the overall conclusion on the NuScale severe accident evaluation and its conformance to the applicable regulatory requirements.

As noted in Section 19.1.4.6.1 of this report, issues associated with midloop operation are not applicable to the NuScale design and thus are not discussed in this section.

Severe Accident Prevention The staff evaluated conformance to SECY-93-087 and the associated SRM for ATWS and fire protection in Sections 15.8 and 9.5.1, respectively, of this report. The staff evaluated conformance to SECY-94-084 and the associated SRM for station blackout in Section 8.4 of this report.

With regard to the prevention of ISLOCA, the staff reviewed DCA Part 2 Tier 2, Section 9.3.4, Chemical and Volume Control System, which shows that the CVCS is the only system with connections to the RCS with piping outside containment. The staff found that the CVCS meets the guidance in SECY-93-087 and the associated SRM because it is designed to handle RCS pressure where practical. The portions of the CVCS that are not designed to handle RCS pressure are the makeup line and components upstream of the makeup pumps. Following the guidance in SECY-93-087 and the associated SRM, these portions include pressure-indicating transmitters on the suction of each of the CVCS makeup pumps that provide a high-pressure alarm in the MCR.

Severe accident prevention also is relevant to the Level 1 PRA evaluated in Section 19.1 of this report. The low CDF for at-power internal events for the NuScale design as discussed in DCA Part 2, Tier 2, Section 19.1, reflects NuScales unique design features as compared to operating reactors and certified new reactors. Such unique design features include a passive DHRS, a passive ECCS, and an RPV and CNV geometry that provides core cooling when the only functioning equipment is one RSV. The staff finds that the analysis of design features for the

19-51 prevention of severe accidents satisfies 10 CFR 52.47(a)(23) and the associated Commission policy in SECY-93-087.

Severe Accident Mitigation 19.2.4.2.1 Scenario Selection for At-Power Accidents The applicant performed MELCOR simulations as part of its analysis to show that the containment performance goals in Section 19.1.1 of this report were met. The staff evaluated whether the applicants MELCOR simulations covered the credible core-damage sequences.

The conditions needed to lead to core damage are a sustained loss of cooling. Such conditions could occur in the NuScale design as a result of a hole in the RPV for coolant to escape and ECCS failure. One type of core-damage accident scenario includes a break at a higher elevation in the RPV such as a failed-open RVV. In this case, coolant cannot return to the RPV because the break location is at the top of the RPV.

Another type of core-damage accident scenario includes a break at a lower elevation in the RPV such as a failed-open RRV. Coolant can reenter the RPV in this case because the break elevation is below the water level in containment produced by discharge of the RPV inventory into the containment. The applicants MELCOR simulations for these scenarios predict core damage with subsequent recovery of core cooling as the result of coolant in the containment reentering the RPV through the RRVs (TR-0915-17565, Revision 1, Accident Source Term Methodology, issued April 2016 (ADAMS Accession No. ML16099A394)). Because of the uncertainty in modeling coolant reentering the RPV through the RRVs, the applicant also performed MELCOR simulations artificially blocking coolant from reentering the RPV through the RRVs to show that the severe accident evaluations in DCA Part 2, Tier 2, Section 19.2, are insensitive to this uncertainty (response to RAI 8903, Question 19-16, dated September 7, 2017 (ADAMS Accession No. ML17251B163)).

The staffs review of DCA Part 2, Tier 2 found that the applicants MELCOR simulations covered the credible core-damage sequences.

19.2.4.2.2 Staffs Independent MELCOR Confirmatory Analysis The staff independently developed a MELCOR input model using plant design data provided by the applicant in ERI/NRC 13-205, Updated MELCOR Calculation Notebook: NuScale Integral Pressurized Water Reactor, issued September 2017. The staff applied its model to the following three of the seven scenarios in DCA Part 2, Tier 2, Section 19.2:

LEC-06T-00: A stuck-open RVV with subsequent opening of the remaining two RVVs.

This scenario is representative of scenarios with a break at a high elevation in the RPV such that steam is discharged through the break. Liquid water cannot return to the RPV because the break location is at the top of the RPV.

LCC-05T-01: CVCS line break inside containment with subsequent opening of the three RVVs. This scenario is representative of scenarios with a break at a low elevation in the RPV such that liquid water is discharged through the break. Liquid water cannot return to the RPV because the CVCS piping rupture is in the containment upper plenum.

19-52 LCU-03T-01: CVCS line break outside containment. This scenario is representative of a break at a low elevation in the RPV such that liquid water is discharged through the break and bypasses containment.

For each scenario, the staff compared its analysis results with the applicants simulation results and did not identify differences that were likely to affect the applicants analysis of severe accident mitigation. The results of the comparison confirmed the applicants simulation of the accident progression, analysis methodology, and interpretations of its analyses of the reactor, containment, and system response to severe accidents. The staffs independent MELCOR confirmatory analysis is being documented in RES/FSCB 2019-01, Independent MELCOR Confirmatory Analysis for NuScale Small Modular Reactor, and will be added to ADAMS when complete.

External Reactor Vessel Cooling For severe accidents where the containment is not bypassed, NuScales severe accident analysis shows that a damaged core would be retained within the reactor vessel due to water in the containment cooling the reactor vessel outer surface, thus preventing a breach of the reactor vessel. If the reactor vessel remains intact and the containment is not bypassed, the containment vessel will remain an effective fission product boundary. Furthermore, if the reactor vessel should fail, NuScale concludes that the containment would still remain intact.

However, NuScales supplemental response to RAI 9108, Question 19-34, dated February 26, 2019 (ADAMS Accession No. ML19057A618) provides revised NuScale DCA Part 2, Tier 2 text acknowledging that phenomenological uncertainties remain that could affect this conclusion. Examples of large uncertainties impacting the NuScale analysis include: (a) the potential formation of a metal layer on top of core debris in the reactor vessel lower plenum that would focus a high heat flow on a small area of the reactor vessel lower head; (b) intermetallic reactions that can generate heat causing a self-propagating attack on the reactor vessel lower head; and (c) the applicability of the reactor vessel external cooling analysis experimental data cited in the application to NuScales reactor vessel and containment geometry. Furthermore, should the reactor vessel fail, the containment vessel also could fail due to similar phenomena.

These uncertainties prevent the staff from confirming that the CCFP or deterministic containment performance goals are met.

However, the staff acknowledges that NuScales containment design, specifically the bottom of the NuScale containment, which is a steel head submerged in a reactor pool, would prevent releases of radioactive material from submerged portions of the containment from becoming airborne. Severe accident simulations predict that should the NuScale core overheat, core debris would fall into the reactor vessel lower head. If the accumulated core debris results in failure of the reactor vessel lower head, it could then fall into the containment lower head and lead to failure of the containment lower head. As a result, core debris could fall onto the reactor pool floor. Radioactive material releases from the containment through the failed containment lower head and from core debris on the reactor pool floor would be scrubbed by the reactor pool water, which is 21 meters deep. As a result, containment lower head failure would not lead to a large release.

The applicants conclusion of no large release is supported by the applicants severe accident analysis for postulated module drop events. The severe accident analysis for the postulated module drop events considers the NuScale power module lying on the reactor pool floor and

19-53 with the containment assumed to be breached. The analysis shows that the scrubbing effect of the water in the reactor pool reduces the offsite radiological dose to only a small fraction of the large release criterion defined by NuScale in DCA Part 2, Tier 2, Section 19.1.6.2, Results from the Low Power and Shutdown Operations Probabilistic Risk Assessment. The analysis conservatively models the effect of reactor pool scrubbing on the radiological release to the environment, as discussed in the responses to RAI 8882, Question 19-8, dated August 10, 2017 and June 14, 2018 (ADAMS Accession Nos. ML17222A683 and ML18165A438). In the longer term, the reactor pool would continue to provide an effective barrier against the uncontrolled release of fission products beyond the initial 24-hour period following the onset of damage by preventing the radioactive material from becoming airborne again. Therefore, for core damage accidents for which demonstration of in-vessel retention is inconclusive (i.e., sequences that do not involve containment bypass or steam explosion in the reactor vessel that could potentially lead to containment failure), the radioactive material release to the environment is less than a large release as defined by NuScale.

The staff will confirm that the applicable information provided in NuScales supplemental response to RAI 9108, Question 19-34 is added to the next revision of the DCA. This is a confirmatory item pending the receipt of Revision 3 of DCA Part 2.

Hydrogen Generation and Control The staff evaluation of hydrogen combustion inside a module is in Chapter 6 of this report. With regard to hydrogen combustion outside a module, a core-damage sequence caused by an unisolated CVCS line break could lead to a hydrogen combustion event under the bioshield, which could have an impact on other modules. The staff is reviewing the redesigned bioshield, which is described in the response to RAI 9447, Question 03.11-19, dated November 16, 2018 (ADAMS Accession No. ML18320A253). The staff is tracking this issue for its potential impact on the multimodule severe accident risk. This issue is being tracked as an open item.

High-Pressure Melt Ejection The applicant concluded that high-pressure melt ejection is not a challenge because its MELCOR simulations showed that the RPV depressurizes as a result of the hole in the RPV that leads to core damage. The staff confirmed the applicants conclusion by reviewing the applicants MELCOR analysis and by comparing the staffs independent MELCOR confirmatory analysis to the applicants MELCOR analysis.

In-Vessel Steam Explosion Based on its thermodynamic analysis, the applicant concluded that the mechanical load resulting from steam generated by corium relocating into the water inside the RPV lower head is insufficient to fail the CNV. The staff performed an independent assessment using the methodology in NUREG/CR-5030, An Assessment of Steam-Explosion-Induced Containment Failure, issued February 1989. The staffs independent assessment showed that a steam explosion in the RPV lower head is unlikely to cause the containment upper head to fail (RES/FSCB 18-02, Independent Assessment of In-Vessel Retention and Steam Explosion for the NuScale Small Modular Reactor, September 2018 ADAMS Accession No. ML19070A210).

19-54 Severe Accident-Induced Steam Generator Tube Failure Section 19.1.4.5.2 of this report contains the staff evaluation.

Equipment Survivability The staff evaluated conformance to SECY-93-087 and the associated SRM, which state that, for features provided only for severe accident mitigation, there should be high confidence that the equipment will survive severe accident conditions for the period that it is needed to perform its intended function.

For mitigation of core-damage accident scenarios, the NuScale design does not rely on active systems (e.g., containment spray, cavity flooding) or postaccident monitoring. Instead, it relies on passive design features, such as containment geometry and submergence in the reactor pool, to prevent a large release. In DCA Part 2, Tier 2, Sections 19.2.3.2.1, Core Damage Progression with Retention in the Reactor Pressure Vessel, (external RPV cooling), 19.2.3.3.2, Hydrogen Generation and Control, (hydrogen combustion), 19.2.3.3.4, High-Pressure Melt Ejection, (high-pressure melt ejection), 19.2.3.3.5, Fuel-Coolant Interaction, (in-vessel steam explosion), and 19.2.3.3.6, Containment Bypass, (severe accident-induced SGTF) describe the applicants evaluation of containment structural integrity under severe accident temperature and pressure challenges. The staffs evaluation of these topics appears in Section 19.2.4.2 of this report.

The mechanical properties of the metallic parts of the containment boundary are not expected to be affected by severe accident radiation challenges. The only nonmetallic parts of the containment boundary are the electrical penetration assemblies, which contain glass insulators.

Containment structural integrity under severe accident radiation challenges is demonstrated by qualifying electrical penetration assemblies to doses associated with core-damage accident scenarios. DCA Part 2, Tier 2, Section 3.11, Environmental Qualification of Mechanical and Electrical Equipment, describes the applicants evaluation of electrical penetration assemblies under radiation challenges, and Section 3.11 of this report presents the staffs review. The applicant subsequently identified an issue with its evaluation of electrical penetration assemblies. The staff held a public meeting with the applicant on this subject on December 12, 2018, and is tracking this issue as part of its review of the accident source term methodology topical report (TR-0915-17565, Revision 1). This issue is being tracked as an open item.

Containment Performance Capability 19.2.4.3.1 Deterministic Containment Performance The staff reviewed the applicants MELCOR severe accident analysis, which showed that the containment pressure initially rises because of the inventory loss from the RPV and then decreases due to steam condensation on the containment inside surface. During this phase of the accident, the pressure stays below containment design pressure. As a result of subsequent core heatup, the containment pressure again rises because of hydrogen generated by cladding oxidation, but the pressure stays below containment design pressure. The staffs independent MELCOR confirmatory analysis confirmed the results of the applicants analysis. Other challenges to containment performance are discussed in Section 19.2.4.2.2 of this report.

19-55 19.2.4.3.2 Probabilistic Containment Performance Section 19.1.4.5.2 of this report contains the staff evaluation of CCFP related to bypass and Section 19.2.4.2.2 of this report contains the staff evaluation of CCFP related to steam explosion in the reactor vessel. Using results from these sections, the staff finds the CCFP from steam explosion in the reactor vessel causing failure of the containment upper head plus the CCFP from bypass is less than 0.1.

Accident Management DCA Part 2, Tier 2, Section 19.2.5, Accident Management, includes a COL information item to develop severe accident management guidelines. Including a COL information item to develop such guidelines is consistent with past practice for DCAs.

Consideration of Potential Design Improvements The staff evaluation of potential design improvements under 10 CFR 50.34(f) is documented in the staffs environmental assessment and associated technical evaluation report for DCA Part 3, Applicants Environmental ReportStandard Design Certification.

Combined License Information Items Table 19.2-1 below lists COL information item numbers and descriptions related to the severe accident evaluation, which is from DCA Part 2, Tier 2, Section 19.2.

Table 19.2-1 NuScale COL Information Items for DCA Part 2, Tier 2, Section 19.2 COL Item No.

Description DCA Part 2, Tier 2, Section 19.2-1 A COL applicant that references the NuScale Power Plant design certification will develop severe accident management guidelines and other administrative controls to define the response to beyond-design-basis events.

19.2.5.2 19.2-2 A COL applicant that references the NuScale Power Plant design certification will use the site-specific probabilistic risk assessment to evaluate and identify improvements in the reliability of core and containment heat removal systems as specified by 10 CFR 50.34(f)(1)(i).

19.2.6 19.2-3 A COL applicant that references the NuScale Power Plant design certification will evaluate severe accident mitigation design alternatives screened as not required for design certification application.

19.2.6.4 Section 19.2.4.4 of this report presents the staffs evaluation of COL Information Item 19.2-1.

The staff evaluation of COL Information Items 19.2-2 and 19.2-3 is documented in the staffs technical evaluation report of Part 3, Applicants Environmental ReportStandard Design Certification, of the NuScale DCA.

19-56 Conclusion Because of the open item related to severe accident mitigation, the staff is unable to make a finding on the applicants severe accident evaluation in DCA Part 2, Tier 2, Section 19.2.

19.3 Regulatory Treatment of Nonsafety Systems for Passive Advanced Light-Water Reactors Introduction This section of the report addresses the regulatory treatment of non-safety-related systems (RTNSS). The scope of an RTNSS program includes those non-safety-related SSCs that satisfy RTNSS criteria. The applicant then proposes regulatory treatment (e.g., inclusion in the design reliability assurance program (D-RAP) or in TS) for SSCs that meet any of these criteria based on their reliability and availability missions.

Summary of Application DCA Part 2, Tier 1: There is no Tier 1 information associated with this area of review.

DCA Part 2, Tier 2: DCA Part 2, Tier 2, Section 19.3.2, SSC Identification and Designation within RTNSS Program Scope, evaluates each of the RTNSS scoping criteria. Based on the results, no SSCs that are not safety-related were included in the scope of the RTNSS program, and thus no non-safety-related SSCs require additional regulatory treatment.

ITAAC: There are no ITAAC associated with this area of review.

Technical Specifications: There are no technical specifications associated with this area of review.

Technical Reports: There are no technical reports associated with this review.

Regulatory Basis The following documents establish the scope, criteria and process used to determine RTNSS for passive plant designs:

SECY-94-084, Policy and Technical Issues Associated with the Regulatory Treatment of Non-safety Systems in Passive Plant Designs, dated March 28, 1994 (ADAMS Accession No. ML003708068) and its associated SRM, dated June 30, 1994 (ADAMS Accession No. ML003708098)

SECY-95-132, Policy and Technical Issues Associated with the Regulatory Treatment of Non-safety Systems (RTNSS) in Passive Plant Designs, dated May 22, 1995 (ADAMS Accession No. ML003708005), and its associated SRM, dated June 28, 1995 (ADAMS Accession No. ML003708019)

19-57 The guidance in SRP Section 19.3, Regulatory Treatment of Non-Safety Systems (RTNSS) for Passive Advanced Light Water Reactors, lists the acceptance criteria adequate to meet the above guidelines, as well as review interfaces with other SRP sections.

Technical Evaluation The staff used guidance from SRP Section 19.3 to review the applicants evaluation of the five RTNSS scoping criteria (Criterion A through E) described in DCA Part 2, Tier 2, Section 19.3.

Criterion A: SSC functions relied on to meet beyond-design-basis deterministic NRC performance requirements such as those stated in 10 CFR 50.62, Requirements for Reduction of Risk from Anticipated Transients without Scram (ATWS) Events for Light-Water Cooled Nuclear Power Plants, for mitigating ATWS and in 10 CFR 50.63, Loss of All Alternating Current Power, for station blackout.

For ATWS, the staff considered the evaluation of the applicants ATWS exemption request as documented in Section 7.1.5.4.6 of this report. In its review of the exemption request, the staff found that special circumstances are present in that, first, the NuScale MPS design meets the underlying purpose of 10 CFR 50.62(c)(1) to reduce the risk associated with ATWS events without the turbine trip design attributes required by 10 CFR 50.62(c)(1), and second, that other material circumstances are present in the NuScale design relating to enhanced safety features and simpler configuration of instrumentation and controls, which were not considered when 10 CFR 50.62(c)(1) was adopted. The staff also reviewed DCA Part 2, Chapter 19, risk insights on ATWS and found that the applicants focused PRA showed no reliance on SSCs that are not safety-related to meet the Commissions ATWS CDF goal of 1x10-5 per year stated in SECY-83-293, Amendments to 10 CFR 50 Related to Anticipated Transients Without Scram (ATWS) Events, issued July 1983.

For station blackout, the staff reviewed the design of the passive safety systems; the station blackout analysis described in DCA Part 2, Tier 2, Section 8.4; Station Blackout, and the evaluation of station blackout sequences in the PRA description in DCA Part 2, Tier 2, Section 19.1. The staff finds that the passive safety-related systems are designed to start automatically on a loss of power to the station and are capable of adequately cooling the reactor and containment following a station blackout event.

The staff finds that the applicant focused its analysis on the two requirements above. The applicant stated that the NRC has not identified any additional beyond-design-basis deterministic requirements within the scope of Criterion A. The staff agrees that no such requirements exist.

Criterion B: SSC functions relied on to ensure long-term safety and to address seismic events.

The staff reviewed the capability of the passive safety-related systems in the NuScale design to remove decay heat following a design basis event as described in DCA Part 2, Tier 2, Section 5.4.3, Decay Heat Removal System, Section 6.3, Emergency Core Cooling System, and Section 9.2.5, Ultimate Heat Sink. The staff found that the DHRS, ECCS and UHS are passive systems that do not depend on any SSCs that are not safety-related to perform their safety functions after 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> following an accident. The staff also determined that decay heat can be removed passively via the UHS through heatup and boil-off of water in the reactor pool

19-58 for well beyond a period of 7 days without makeup or heat removal with a system that is not safety-related.

The staff reviewed the fragilities of the SSCs that are not safety-related and safety-related SSCs determined as part of the SMA in DCA Part 2, Tier 2, Section 19.1.5, and the accident sequence cutsets that lead to core damage as described in DCA Part 2, Tier 2, Chapter 19 (Tables 19.1-17, Significant Core Damage Sequences, and 19.1-18, Significant Core Damage Cutsets, and DCA Part 2, Tier 2, Figures 19.1-2 through 19.1-12). From this review, the staff confirmed the applicants assertion that the seismic margin for the design is not dependent on any SSCs that are not safety-related.

Criterion C: SSC functions relied on under power-operating and shutdown conditions to meet the Commissions safety goal guidelines of a CDF of less than 1x10-4 per year and an LRF of less than 1x10-6 per year.

The staff reviewed the focused PRA sensitivity studies described in DCA Part 2, Tier 2, Section 19.1, to quantify the importance of systems that are not safety-related in mitigating events. The focused PRA sensitivity studies for the Level 1 internal events at full power and Level 2 models were below the Commissions goal guidelines for CDF and LRF. The staff also finds that the results of the focused PRA are consistent with the assessment of risk significance of SSCs that are not safety-related as reflected in DCA Part 2, Tier 2, Table 17.4-1, D-RAP SSC Functions, Categorization, and Categorization Basis, which shows that no SSCs that are not safety-related that are modeled in the PRA meet the thresholds for risk significance. In addition, the staff finds that the results of the focused PRA demonstrate the Commissions safety goals to be met with only safety-related SSCs. The staff further observes that non-safety-related systems are not relied on for a majority of modeled non-LOCA events unless failures of redundant components occur in both of the passive safety systems (i.e., DHRS and ECCS). Additionally, the staff observes that non-safety-related systems are not relied on for a majority of modeled LOCA events (which have very low initiating event frequencies) unless failures occur in the redundant components in the passive DHRS or ECCS (or both) or the RSVs. The staffs review of the top Level 1 internal events accident sequence cutsets confirmed that no non-safety-related SSCs are relied on for mitigation of the initiating events.

The staff reviewed the implication of potential risk-significant initiating events caused by non-safety-related SSCs. The staff confirmed that the results of the evaluation of initiating event frequencies are documented in DCA Part 2, Tier 2, Tables 19.1-20, Listing of Candidate Risk Significant Structures, Systems, and Components (Full Power, Single Module) Level 1 Probabilistic Risk Assessment, 19.1-27, Listing of Candidate Risk Significant Structures, Systems, and Components (Full Power, Single Module) Level 2 Probabilistic Risk Assessment, and 19.1-70, Listing of Candidate Risk Significant Structures, Systems, and Components (Single Module): Low Power and Shutdown Probabilistic Risk Assessment. The staff finds that the applicant included initiating events caused by non-safety-related SSCs in its evaluation of risk significance. In the NuScale report TR-0515-13952-A, Risk Significance Determination, issued October 2016 (ADAMS Accession No. ML16284A016), the applicant used screening criteria for risk significance approved by the staff, and the staff confirmed that this application met the conditions and limitations for use in this technical report.

Criterion D: SSC functions needed to meet the containment performance goal, including containment bypass, during severe accidents.

19-59 The staffs review of the focused PRA, and specifically the results in DCA Part 2, Tier 2, Table 19.1-22, Sensitivity Studies for Level 1 Full Power, Internal Events Evaluation, and Table 19.1-31, Sensitivity Studies for Level 2 Evaluation, confirmed that only safety-related passive systems are relied on to meet the containment performance goal. The staff finds that the safety-related mitigating systems are fail-safe on loss of power and do not rely on non-safety-related support systems such as heating, ventilation, and air conditioning (HVAC) and instrument air. The staffs review of the relevant Level 2 PRA information in DCA Part 2, Tier 2, Section 19.1, found that containment failure resulting from bypass or CIV failure is the only mode of containment failure modeled in the CETs. DCA Part 2, Tier 2, Section 19.2, discusses the details of this subject, and Section 19.2 of this report documents the staffs review and its results.

Criterion E: SSC functions relied on to prevent significant adverse system interactions between passive safety-related systems and active non-safety-related SSCs.

The staff reviewed the design of the passive safety-related systems and non-safety-related active systems that interface with the passive systems as described in DCA Part 2. The passive safety-related systems include the ECCS, CNV, DHRS, and UHS. As discussed in DCA Part 2, Tier 2, Sections 6.2.4.2.2.3, Piping Systems Closed to Containment and not Connected to the Reactor Coolant Pressure Boundary, and 6.2.5.2, System Design, respectively, operation of both the DHRS and ECCS occurs normally with the containment isolated. Consequently, with the exception of the pressurizer heaters housed inside the reactor vessel, these systems are isolated from all active non-safety-related systems during operation. This isolation provides reasonable assurance that adverse interaction with active non-safety-related systems outside of containment will be precluded.

The pressurizer heaters are controlled from the non-safety-related module control system via the pressurizer control cabinets. As discussed in DCA Part 2, Tier 2, Section 5.4.5.2, System Design, the MPS provides a safety-related trip function on low pressurizer level that actuates safety-related pressurizer heater circuit breakers to remove power to the heaters before the pressurizer level reaches the top of the pressurizer heaters. This ensures the integrity of the reactor coolant pressure boundary if the heaters were to be uncovered. Thus, safety-related equipment is included in the plant design to prevent an adverse interaction between the non-safety-related pressurizer heaters and the ECCS. This shows that no additional non-safety-related equipment is needed to prevent adverse interaction with the ECCS.

The UHS removes the decay heat from each module, maintaining the core temperature at low levels after a LOCA resulting in the initiation of the ECCS. As discussed in DCA Part 2, Tier 2, Section 9.2.5.2.1, General Description, the UHS pool liner has the function to prevent potential pool inventory leakage from the reactor pool. The reactor pool interfaces with non-safety-related systems for cooling the pool and adding makeup to the pool when needed. As further discussed in DCA Part 2, Tier 2, Section 9.2.5.2.1, penetrations from these systems into the pool are located at a sufficiently high elevation to preclude inadvertent draining of water from the pool that would adversely impact the ability of the pool to act as a heat sink. The staff finds that the design features of the reactor pool show that non-safety-related systems that interface with the reactor pool do not cause adverse interactions.

19-60 During the review of the applicants PRA, the staff did not identify SSCs that meet RTNSS Criterion E.

In summary, the staff finds the applicants evaluation of the five RTNSS scoping criteria reasonable and agrees that no non-safety-related SSCs require additional regulatory treatment.

The staff confirmed that (1) non-safety-related SSCs are not relied on to address the beyond-design-basis requirements for an ATWS event or a station blackout event, (2) no non-safety-related SSCs need to be relied on for ensuring long-term safety and addressing seismic events, (3) the Commissions safety goal guidelines for CDF and LRF are achieved without reliance on non-safety-related SSCs, (4) the containment performance goal is achieved without reliance on non-safety-related SSCs, and (5) there are no adverse interactions with non-safety-related SSCs that could prevent the performance of passive safety-related SSC functions.

Combined License Information Items Table 19.3-1 lists a COL information item related to RTNSS based on DCA Part 2, Tier 2, Section 19.3.1. The staff finds the COL information item to be reasonable.

Table 19.3-1 NuScale COL Information Items for DCA Part 2, Tier 2, Section 19.3 COL Item No.

Description DCA Part 2, Tier 2, Section 19.3-1 A COL applicant that references the NuScale Power Plant design certification will identify site-specific regulatory treatment of non-safety systems (RTNSS) structures, systems, and components and applicable RTNSS process controls 19.3.1 Conclusion The staff evaluated the applicants assessment of the need for RTNSS using the guidance in SRP Section 19.3. The staff confirmed that the applicant has adequately addressed each of the five RTNSS criteria in its assessment and found that no SSCs meet the criteria. Therefore, the staff concludes that the applicant conforms to the guidelines in SECY-94-084, SECY-95-132, and their associated SRMs.

19.4 Strategies and Guidance To Address Loss of Large Areas of the Plant Because of Explosions and Fires This area of review is summarized and evaluated in Section 20.2 of this report.

19.5 Adequacy of Design Features and Functional Capabilities Identified and Described for Withstanding Aircraft Impacts This section describes the NRC staffs evaluation of design features and functional capabilities credited by the applicant to show that the facility can withstand the effects of a large commercial aircraft impact. NuScale DCA Part 2, Tier 2, Revision 1, Section 19.5, Adequacy of Design Features and Functional Capabilities Identified and Described for Withstanding Aircraft Impacts, describes these design features, functional capabilities, and the assessment.

19-61 The impact of a large commercial aircraft is a beyond-design-basis event. Under 10 CFR 52.47(a)(28) and 10 CFR 50.150, Aircraft Impact Assessment, applicants for new nuclear power reactors are required to perform a design-specific assessment of the effects on the facility of the impact of a large commercial aircraft. Applicants are required to submit a description of the design features and functional capabilities identified by the assessment (key design features) in their DCA, along with a description of how the identified design features and functional capabilities meet the acceptance criteria in 10 CFR 50.150(a)(1).

The Statement of Considerations for the Aircraft Impact Assessment (AIA) Rule2 pertaining to new nuclear power reactors states the following:

The NRC decision on an application subject to 10 CFR 50.150 will be separate from any NRC determination that may be made with respect to the adequacy of the impact assessment which the rule does not require be submitted to the NRC.

As the AIA is not submitted to the NRC for its review, the staff review described in this section is to determine whether descriptions of the design features and functional capabilities are complete enough so that there is reasonable assurance that the acceptance criteria in 10 CFR 50.150(a)(1) can be met, assuming the design features and functional capabilities perform their intended functions.

Applicants subject to 10 CFR 50.150 must make the complete AIA available for an NRC inspection at the applicants offices or their contractors offices upon the staffs request, in accordance with 10 CFR 50.70, Inspections, 10 CFR 50.71, Maintenance of Records, Making of Reports, and Section 161, General Provisions, item c, of the Atomic Energy Act of 1954, as amended. The outcome of the NRC inspection is not part of this report.

Summary of Application In DCA Part 2, Tier 2, Revision 1, Section 19.5, the applicant stated that an AIA was performed in accordance with the requirements in 10 CFR 50.150(a)(1), using the methodology described in Nuclear Energy Institute (NEI) 07-13, Revision 8, Methodology for Performing Aircraft Impact Assessments for New Plant Designs, issued April 2011, as endorsed by the NRC in RG 1.217, Guidance for the Assessment of Beyond-Design-Basis Aircraft Impacts, issued August 2011, and SRP Section 19.5, Adequacy of Design Features and Functional Capabilities Identified and Described for Withstanding Aircraft Impacts, issued April 2013. Based on the results of the assessment, the applicant has identified a set of key design features to show that the acceptance criteria in 10 CFR 50.150(a)(1) are satisfied. These key design features are reported in NuScale DCA Tier 2, Revision 1, Section 19.5, along with references to other sections of the NuScale DCA that provide additional details.

Regulatory Basis To perform this review, the NRC staff used the relevant regulations and guidance described below.

2 Applicants for new nuclear power reactors is defined in the Statement of Considerations for the Aircraft Impact Rule [74 (Federal Register) FR 28112, June 12, 2009].

19-62 Applicable Regulations In 10 CFR 50.150(a)(1), the NRC requires that applicants perform a design-specific assessment of the effects on the facility of the impact of a large commercial aircraft. Using realistic analyses, the applicant shall identify and incorporate into the design those features and functional capabilities to show that, with reduced use of operator actions, (1) the reactor core remains cooled, or the containment remains intact, and (2) spent fuel cooling or spent fuel pool (SFP) integrity is maintained.

The applicant indicated that it meets the 10 CFR 50.150(a)(1) acceptance criteria by including features in the NuScale design that can maintain core cooling and keep the containment intact and maintain SFP integrity.

In 10 CFR 50.150(b), the NRC requires that the FSAR include a description of (1) the design features and functional capabilities that the applicant has identified for inclusion in the design to show that the facility can withstand the effects of a large commercial aircraft impact in accordance with 10 CFR 50.150(a)(1) and (2) how those design features and functional capabilities meet the assessment requirements of 10 CFR 50.150(a)(1).

Review Guidance RG 1.217 provides guidance for applicants to demonstrate compliance with NRC regulations for the AIA. In particular, this RG endorses the methodologies described in NEI 07-13, Revision 8.

SRP Section 19.5 provides guidance for meeting the requirements in 10 CFR 50.150(a)(1) and (b).

Technical Evaluation The staff reviewed the AIA information in Section 19.5 of DCA Part 2, Tier 2, Revision 1, as well as the referenced DCA sections discussed below. The staffs evaluation of how the applicants assessment was formulated follows in Section 19.5.4.1 of this report, and the evaluation of the applicants key design feature descriptions appears below in Sections 19.5.4.2 through 19.5.4.5.

Reasonably Formulated Assessment The staff reviewed the AIA application in NuScale DCA Part 2, Tier 2, Revision 0, Section 19.5, and determined that it was unclear whether qualified analysts had performed the AIA.

Therefore, on July 30, 2017, the staff issued RAI 8986, Question 19-19 (ADAMS Accession No. ML17211A004), to address this issue.

In its September 28, 2017, response (ADAMS Accession No. ML17271A261) to RAI 8986, Question 19-19, the applicant stated that qualified personnel had performed the AIA. Further, the applicant stated that these contractors are experienced in applying the approved methodology in NEI 07-13, Revision 8, to other nuclear power facilities and thus meet the qualifications listed in SRP Section 19.5. The staff finds that the applicant adequately addressed this question because these contractors are experts in AIA performance. Thus, the applicant has provided a well-supported basis for the staff to find that the contractors performing the AIA are qualified, consistent with the guidance of SRP Section 19.5,Section III, item 2. The

19-63 applicant revised NuScale DCA Part 2, Tier 2, Revision 1, Section 19.5.1, as shown in the markup attached to the RAI response, to include the statement that the AIA was performed by qualified personnel. Therefore, the staff finds the response to RAI 8986, Question 19-19, acceptable and considers the question resolved and closed.

The applicant stated in NuScale DCA Part 2, Tier 2, Revision 1, Section 19.5, that its AIA is based on the guidance of NEI 07-13, Revision 8, with no exceptions. Based on the applicants use of this NRC-endorsed guidance document, the staff finds that the applicant has performed a reasonably formulated assessment.

Design Features for Core Cooling The staff reviewed NuScale DCA Part 2, Tier 2, Section 19.5, Revision 0, for the identification and description of key design features credited for core cooling as required by 10 CFR 50.150(b). DCA Part 2, Tier 2, Section 19.5.5.1, lists the UHS, DHRS, and ECCS for ensuring core cooling. These systems have been designed specifically to perform core cooling functions during normal power operation and following design-basis events initiated during power operation. The staff used its evaluation documented in other sections of this report to confirm that these features are also suitable for maintaining core cooling following impact by a large commercial aircraft. During the review, the staff also confirmed that all of these design features are automatic or can be initiated and operated from the control room or an alternate location, and require little, if any, further operator intervention to maintain the core cooling function.

DCA Part 2, Tier 2, Revision 0, Section 19.5.5.1, states that the passive design of the DHRS and ECCS ensures continued core cooling capability for all postulated strike locations. In addition, the NPMs, UHS, DHRS components, and ECCS components are located inside the RXB and thus are not susceptible to physical, fire, and shock damage resulting from an aircraft impact. (Note that the ECCS was removed as a core cooling system in DCA Part 2, Tier 2, Revision 1; see the discussion of RAI 9023, Question 19.5-1, item b, below.)

DCA Part 2, Tier 2, Section 19.5.5.7, Revision 0, identifies the location (i.e., physical separation) and functions of the main control room (MCR) and remote shutdown station (RSS) as key design features for monitoring and control of the plant. The module protection system (MPS) cabinets and associated dc power equipment are available to monitor reactor pressure, reactor temperature, reactor water level, containment pressure, and containment water level after an aircraft strike. (Note that this information was subsequently removed; see the discussion of RAI 9023, Question 19.5-1, item d, below.)

During its review, the staff noted that the DCA lacked information to ensure compliance with 10 CFR 50.150. Therefore, the staff issued RAI 9023, Question 19.05-1, to request the missing information. In response to RAI 9023, Question 19.05-1, and other RAIs discussed in this section of the report, the applicant rewrote most of DCA Part 2, Tier 2, Section 19.5. The following describes RAI 9023, Question 19.05-1, and the staffs evaluation of the applicants RAI response (letters dated September 28, 2017 (ADAMS Accession No. ML17271A277), and September 29, 2017 (ADAMS Accession No. ML17272A161)).

DCA Part 2, Tier 2, Section 19.5.5.1, Revision 0, identifies the UHS as a key design feature for core cooling. RAI 9023, Question 19.5-1, item a, asked the applicant to provide a description of

19-64 the UHS as required by 10 CFR 50.150(b). The applicants response provided a description of the UHS by adding references to DCA Part 2, Tier 2, Section 9.2.5 and Section 3B.2. The staff finds the applicants response to RAI 9023, Question 19.5-1, item a, acceptable because it modifies the DCA to contain a description of the design features and functional capabilities of the UHS as required by 10 CFR 50.150(b).

DCA Part 2, Tier 2, Section 19.5.4.1, Revision 0, states that the DHRS and ECCS can provide core cooling to each NMP; however, it was not clear to the staff whether these systems are considered key design features for meeting the requirements of 10 CFR 50.150. Therefore, the staff issued RAI 9023, Question 19.5-1, item b, asking the applicant to clarify the statement and include a description of each identified key design feature. The applicant stated in its response that the NPMs, reactor coolant system (RCS), containment vessel (CNV), DHRS, CIVs, and UHS are key design features for ensuring core cooling. The applicant also provided a DCA markup, which included appropriate pointers to detailed descriptions of the systems that already exist in the DCA. In addition, the applicant stated that the ability to scram the reactors and actuate the DHRS from the MCR, as described in Sections 7.0.4.1.2, 5.4.3.2, and 6.2.4, is a key design feature for ensuring that the reactor is tripped. The staff notes that the ECCS was removed from the DCA as a design feature credited for core cooling; however, the DHRS core cooling capabilities have a sufficient mission time to meet the requirements of 10 CFR 50.150.

(See Section 5.4.4 of this report for the staffs complete evaluation of the DHRS.) The staff finds the applicants response to RAI 9023, Question 19.5-1, item b, acceptable because it modifies the DCA to identify and describe core cooling design features and functional capabilities as required by 10 CFR 50.150(b).

DCA Part 2, Tier 2, Section 19.5.5.4, Revision 0, states that the mass of water of the UHS provides SFP cooling; however, it was not clear to the staff whether this is considered a design feature in the AIA. Therefore, RAI 9023, Question 19.5-1, item c, asked the applicant to clarify whether SFP cooling is a key design feature and if so, to provide a description of SFP cooling.

In response, the applicant revised DCA Part 2, Tier 2, Section 19.5.1, and removed the SFP cooling criteria associated with the AIA. The staff finds this acceptable because, in lieu of SFP cooling, the applicant is ensuring spent fuel integrity, which complies with 10 CFR 50.150. (For the staffs evaluation of SFP integrity, see Section 19.5.4.5 of this report.)

DCA Part 2, Tier 2, Section 19.5.5.7, Revision 0, identifies the MCR, RSS, and MPS cabinets and associated dc power equipment as being capable of monitoring and control of the plant.

Manually tripping the reactor and inserting the control rods before an aircraft impact is assumed as part of the core cooling strategy. Therefore, the staff questioned in RAI 9023, Question 19.5-1, items d and e, whether the MCR, RSS, and MPS cabinets and associated dc power equipment are also credited for core cooling, and noted that the identified equipment were not described, as required by 10 CFR 50.150(b). The applicant stated in response to RAI 9023, Question 19.5-1, items d and e, that once the reactor is tripped, no further operator actions are necessary for core cooling. In addition, the applicant revised DCA Part 2, Tier 2, Section 19.5, to remove all discussion of the MCR, RSS, and plant capability to monitor core and containment parameters. The staff found the response to RAI 9023, Question 19.5-1, item d, unacceptable because, without the capability to monitor plant conditions, operators cannot determine that the identified design features are performing as expected following an aircraft impact.

19-65 Therefore, the staff issued RAI 9241, Question 19.5-23, asking the applicant to identify and describe plant parameters that are available to the operators to monitor and ensure that the identified design features are performing as expected following the impact of a large commercial aircraft. The applicant stated in its December 5, 2018, response to RAI 9241, Question 19.5-23 (ADAMS Accession No. ML18339A035), that it will revise DCA Part 2, Tier 2, Section 19.5.5.5, to specify that following the aircraft impact event, monitoring functions are expected to remain available. However, if post-AIA monitoring is determined to be unavailable, the mitigating strategies of DCA Part 2, Tier 2, Section 20.2, Loss of Large Areas of the Plant due to Explosions and Fires, are invoked for the loss of large areas in a beyond-design-basis event.

The staff finds the applicants response to RAI 9241, Question 19.5-23, acceptable because it clarifies that, although plant monitoring is expected to be available following the impact of a large commercial aircraft, if it is lost, operators will transition to the strategies required by 10 CFR 50.54(hh)(2). This is identified as a confirmatory item pending the incorporation of markups into the next revision of the DCA.

DCA Part 2, Tier 2, Section 19.5.5.7, Revision 0, identifies any support equipment for the DHRS and ECCS as key design features. RAI 9023, Question 19.5-1, item f, asked the applicant to clearly identify and describe any design features necessary to support the operation of the DHRS and ECCS. In response, the applicant revised Section 19.5.5.2 to describe DHRS initiation, including the importance and identification of the closure of the main steam isolation valves and feedwater isolation valves, as a key design feature. As discussed above, this revision to DCA Part 2, Tier 2, Section 19.5 removed the ECCS as a key design feature. The staff finds the applicants response to RAI 9023, Question 19.5-1, item f, acceptable because it modifies the DCA to identify and describe DHRS support equipment necessary for core cooling as required by 10 CFR 50.150(b).

DCA Part 2, Tier 2, Section 19.5, Revision 0, identified relatively few key design features and functional capabilities necessary for core cooling following the impact of an aircraft. RAI 9023, Question 19.5-1, item g, asked the applicant to verify and confirm that DCA Part 2, Tier 2, Section 19.5, contains a complete list of key design features credited in the AIA for core cooling.

The applicant responded that Section 19.5 contains a compilation of the design features credited in the assessment for core cooling. The staff reviewed the revised DCA markup provided in a letter dated September 28, 2017, and notes that the applicant identified additional design features for core cooling. These components and systems include the reactor and containment pressure vessels, RCS, CNTS, and control rod drive system. The staff finds the applicants response to RAI 9023, Question 19.5-1, item g, acceptable because it revises the DCA to identify and describe core cooling design features and functional capabilities as required by 10 CFR 50.150(b).

The staff confirmed that the applicant incorporated the DCA markups associated with RAI 9023, Question 19.5-1, into Revision 1 of the DCA. Therefore, the staff considers RAI 9023, Question 19.5-1, to be resolved and closed, with the exception of items d and e as discussed above. Items d and e are being tracked as a confirmatory item pending the incorporate of markups into the next revision of the DCD.

Based on the staffs review of DCA Part 2, Tier 2, Section 19.5, and the applicants use of the NRC-endorsed guidance document NEI 07-13, Revision 8, the staff finds that the applicant has performed a reasonably formulated analysis within the AIA to identify key design features necessary for core cooling. Also based on the above, the staff finds the applicants description

19-66 of the key design features for maintaining core cooling to be adequate and acceptable and therefore to meet the requirements of 10 CFR 50.150(b).

Key Design Features that Protect Core Cooling Design Features The key design features and functional capabilities that protect the core cooling design features are described below. They include fire barriers and fire protection features, plant arrangement and plant structural design features, and the ability to survive shock-induced vibrations.

19.5.3.3.1 Fire Barriers and Fire Protection Features The applicant stated in DCA Part 2, Tier 2, Revision 0, Section 19.5.4.3, that the RXB design prevents fire propagation, and exterior walls, vestibule walls, and stairwell walls provide at least a 3-hour fire barrier against fire propagation. The RXB exterior doors, including the equipment door, are designed as 5-psid, 3-hour barriers; piping penetrations have 5-psid, 3-hour seals; and the external HVAC penetrations have 5-psid, 3-hour dampers. In addition, concrete shrouds protect the HVAC dampers and the main steam and feedwater penetrations. The staff reviewed DCA Part 2, Tier 2, Figures 1.2-10 through 1.2-27, and did not find information as to which fire barriers were being credited against fire propagation. Also, the figures did not indicate which fire barriers have a 3-hour fire rating and are also rated for a 5 psid. On July 7, 2017, the staff issued RAI 8877, Question 19.05-1 (ADAMS Accession No. ML17188A171), asking the applicant to clearly identify and describe all the key design features credited in the applicants AIA, as well as these features role in helping to mitigate the consequences of the aircraft impact. In its response dated September 28, 2017 (ADAMS Accession No. ML17271A278), the applicant stated that the design and location of 3-hour fire barriers and 3-hour, 5-psid fire barriers, including walls, floors, fire dampers, doors, equipment access door, and penetration seals within the RXB and control building, are key design features for the protection of core cooling equipment from the impact of a large commercial aircraft. The assessment credited the design and location of fire barriers, as depicted in DCA Part 2, Tier 2, Figures 1.2-10 through 1.2-18 and Figures 1.2-21 through 1.2-25, to limit the effects of internal fire within the RXB to just the access vestibules and stairwells. No equipment is required to maintain core cooling or spent fuel cooling in the access vestibules and stairwells. In addition, the design and location of 5-psid, fast-acting blast dampers in RXB HVAC system air intakes and exhaust lines (as described in Section 9.4.2.2.1 and shown in Figure 9.4.2-1) are key design features.

The applicant submitted markups of DCA Part 2, Tier 2, Section 19.5 and 9.4.2.2, Revision 0, describing the fire protection design features that are being credited. The applicant also provided markups of DCA Part 2, Tier 2, Figures 1.2-16, 1.2-17, 1.2-18, 1.2-23, and 9.4.2-1, indicating the fire protection features that are being credited. The staff reviewed the applicants changes to the DCA and found them acceptable because they clearly describe the fire protection design features credited by the applicant in its AIA. The staff verified that the changes associated with RAI 8877, Question 19.05-1, have been incorporated into DCA Part 2, Tier 2, Section 19.5, Revision 1. The RAI is therefore considered resolved and closed.

19.5.3.3.2 Reactor Building The staff reviewed the DCA to ensure that the applicant had performed a reasonably formulated assessment of the capability of the RXB to protect core cooling equipment.

19-67 The Design of the Reactor Building In DCA Part 2, Tier 2, Revision 1, Section 19.5.4.1, Physical Damage, the applicant stated that the design of the RXB, as described in DCA Part 2, Tier 2, Appendix 3B.2, is a key design feature for preventing the aircraft from perforating the RXB outer wall. To verify the accuracy of the description, the staff reviewed general arrangement drawings in DCA Part 2, Tier 2, Revision 1, Figures 1.2-1, Conceptual Site Layout; 1.2-4, Layout of a Multi-Module NuScale Power Plant; 1.2-10 through 1.2-20 (plan and section views); and DCA Part 2, Tier 2, Revision 1, Section 3.8.4.1.1, Reactor Building, and Appendix 3B.2.

The staff reviewed the descriptions and figures in DCA Part 2, Tier 2, Revision 1, Section 3.8.4.1.1 and Appendix 3B.2, and finds that the RXB is a seismic Category I reinforced concrete structure that is deeply embedded in soil and supported on a single basemat foundation. The RXB has five 3-foot thick primary floors with embedded reinforced concrete T-beams and a sloped roof on the north and south sides with a flat segment in the middle. The typical thickness of the main structural interior and exterior concrete walls is 5 feet, and the basemat foundation thickness is 10 feet. Reinforced concrete pilaster columns are encased within the exterior walls of the RXB. In DCA Part 2, Tier 2, Revision 1, Section 19.5.4.1, the applicant stated that its assessment concluded that the RXB external walls have been evaluated and shown to resist physical damage from all postulated aircraft strikes, and there is no perforation of the RXB outer wall. Section 19.5.4.3.5 of this report documents the staffs evaluation of shock damage.

Based on the above review, the staff finds the applicants description of the design of the RXB as a key design feature for ensuring continued core cooling to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

The Design of the Reactor Building Equipment Door In DCA Part 2, Tier 2, Revision 1, Section 19.5.4.1, the applicant stated that the design of the RXB equipment door is a key design feature for protecting core cooling equipment from impacts through the radwaste building (RWB) trolley bay. The staff reviewed DCA Part 2, Tier 2, Revision 1, Figure 1.2-16, and found that the RXB equipment door is located between grids RXB and RXC along grid RX1. The staff also reviewed DCA Part 2, Tier 2, Revision 1, Section 19.5.4.1, and Figures 19.5-1 through 19.5-3, and finds the RXB equipment door is 5-foot thick reinforced concrete with steel plate along the outside, and it is tapered along the top and sides so that it fits like a plug into the exterior wall of the RXB. The applicant also stated that the RXB external walls have been assessed and shown to resist physical damage from all postulated aircraft strikes.

Based on its review, the staff finds the applicants description of the design of the RXB equipment door as a key design feature for protecting core cooling equipment from impact through the RXB trolley to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

19-68 The Design of the Reactor Building Intake Awnings and the Pipe Shields In DCA Part 2, Tier 2, Revision 1, Section 19.5.4.1, the applicant stated that the design of the RXB HVAC intake awnings and the design of the pipe shields, shown in DCA Part 2, Tier 2, Figures 1.2-17 through 1.2-19, are key design features for preventing physical damage and fire from entering the RXB. The staff reviewed DCA Part 2, Tier 2, Revision 1, Figures 1.2-17 through 1.2-19, Section 19.5.4.1, and Figure 19.5-4, Reactor Building Structural Concrete, and finds that the awnings are constructed of reinforced concrete structures to protect the HVAC intakes and pipe penetrations.

Based on its review, the staff finds the applicants description of the design of the RXB HVAC intake awnings and design of the pipe shields as key design features for preventing physical damage and fire from entering the RXB to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

The Design and Location of the Reactor Building Crane In DCA Part 2, Tier 2, Revision 1, Section 19.5.4.1, the applicant stated that the design and location of the RBC, as described in DCA Part 2, Tier 2, Section 9.1.5, is a key design feature for protecting the NPMs and reactor pool lining.

The staff reviewed DCA Part 2, Tier 2, Revision 1, Section 9.1.5, and Figure 9.1.5-1 through Figure 9.1.5-3, and finds that the RBC is a bridge that rides on rails anchored to the RXB.

The RBC is designed as a single-failure-proof crane in accordance with the requirements of NUREG-0554, Single-Failure-Proof Cranes for Nuclear Power Plants, issued May 1979, and ASME NOG-1, Rules for Construction of Overhead and Gantry Cranes (Top Running Bridge, Multiple Girder), for Type I cranes. The staff also finds that the heavy-load exclusion zones are marked in DCA Part 2, Tier 2, Figures 9.1.5-1 and 9.1.5-2, so that the load cannot be handled in these areas. In addition, the applicant stated in DCA Part 2, Tier 2, Revision 1, Section 9.1.5.3, Safety Evaluation, that the design of the RBC and the seismic analysis meet the NOG-1 requirements for a Type 1 crane to ensure that SSCs are able to withstand the SSE and not drop the load. Further, the applicant stated in DCA Part 2, Tier 2, Revision 1, Section 19.5.4.1, that the design of the RBC ensures that impact loads from an aircraft impact on the exterior wall of the RXB prevent the crane from falling into the reactor pool area and either damaging the NPMs or tearing the reactor pool lining. The applicant accounted for the RBC in an approach similar to that used for damage to the polar crane as specified in Section 3.3.1, Damage Rule Sets for Containment Structures, of NEI 07-13, Revision 8.

Based on its review, the staff finds the applicants description of the design and location of the RBC as key design features for protecting the NPMs and reactor pool cooling to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

19.5.3.3.3 Radwaste Building The staff reviewed the DCA to ensure that the applicant performed a reasonably formulated assessment of the capability of the RWB to protect a portion of the west wall of the RXB.

19-69 In DCA Part 2, Tier 2, Revision 1, Section 19.5.3.2, Impact Locations, the applicant stated that the location of the RWB in relation to the RXB is a key design feature that protects a portion of the west wall of the RXB from the aircraft strike. The applicant also stated that the design of the exterior walls of the RWB, as described in Section 3.5.1.1, Concrete Barrier, is a key design feature for crediting the RWB as an intervening structure. The applicant screened the RWB as an intervening structure based on the criteria set in Section 3.2.2, Screening Based on Intervening Structures, of NEI 07-13, Revision 8. The staff reviewed general arrangement drawings in DCA Part 2, Tier 2, Revision 1, Section 3.8.4.1.3, Radioactive Waste Building, Figures 1.2-1, 1.2-4, and 1.2-33, Radioactive Waste Building West Section View; and DCA Part 2, Tier 2, Revision 1, Sections 19.5.3.2 and 3.5.3.1.1, Concrete Barriers, to verify the accuracy of the description.

The staff reviewed the relevant drawings (DCA Part 2, Tier 2, Revision 1, Figures 1.2-1, 1.2-4, and 1.2-33) that show the relative relationship of the locations of the RWB and RXB structures.

The RWB extends to approximately 149 feet above grade and spans most of the width of the RXB. The staff confirmed that the location of the relevant structures is fixed at the DC stage.

The staff also reviewed DCA Part 2, Tier 2, Section 3.8.4.1.3, and DCA Part 2, Tier 2, Revision 1, Sections 19.5.3.2 and 3.5.3.1.1, and found that the RWB is constructed of reinforced concrete exterior walls, and the RWB is separated from the RXB by approximately 25 feet above the grade. On this basis, the staff finds credit of the RWB as an intervening structure acceptable, and the portion of the west wall of the RXB is protected by the RWB from an aircraft strike.

Based on its review, the staff finds the applicants description of the location of the RWB in relation to the RXB and the design of the exterior walls of the RWB as key design features that protect a portion of the west wall of the RXB from an aircraft strike to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

19.5.3.3.4 Shock Damage In DCA Part 2, Tier 2, Revision 1, Section 19.5.2, Scope of Assessment, the applicant stated that the analysis assessed shock-induced vibration on SSCs from a large commercial aircraft impact. In addition, the applicant stated in DCA Part 2, Tier 2, Revision 1, Section 19.5.4.2, that the assessment determined that there are no SSCs susceptible to shock (sensitive electronics or active components) on the NPMs that would interrupt or prevent successful core cooling once the reactor is tripped, the DHRS is actuated, and the containment is isolated.

Based on the applicants use of the NRC-endorsed guidance document NEI 07-13, Revision 8, and the assessment scope that includes shock vibration, the staff finds that the applicant has performed a reasonably formulated shock analysis within the AIA.

Design Features for Maintaining an Intact Containment In DCA Part 2, Tier 2, Revision 1, Section 19.5.5.1, Containment Intact, the applicant stated that the containment remains fully intact and capable of withstanding the ultimate peak pressures described in DCA Part 2, Tier 2, Section 3.8.2.4.5. In addition, the design of the CNTS, as described in DCA Part 2, Tier 2, Sections 6.2.1 through 6.2.4, and its location, as

19-70 shown in Figure 1.2-5, are identified as key design features. Because the NuScale design is unique, the RXB protects the CNV and its support systems from physical and fire damage.

Based on the above, the staff finds that the application is consistent with SRP Section 19.5 guidance for an intact containment because the RXB prevents a large commercial aircraft from perforating the CNV, and the containment location and design ensure that ultimate pressure capability is maintained.

Spent Fuel Pool Integrity The Design and Location of the Fuel-Handling Equipment In DCA Part 2, Tier 2, Revision 1, Section 19.5.5.3, Spent Fuel Pool Integrity, the applicant stated that the design and location of the fuel-handling equipment (FHE), as described in Section 9.1.4 and shown in Figures 9.1.4-1 through 9.1.4-4b, are a key design feature for ensuring that the hoists remain intact and cannot fall into the SFP and perforate the SFP liner.

The staff reviewed DCA Part 2, Tier 2, Revision 1, Section 9.1.4, and Figure 9.1.4-1 through Figure 9.1.4-4b, and found that the FHE consists of the fuel-handling machine, new fuel jib crane, and new fuel elevator. The applicant stated that (1) the seismic restraints and restraining bars prevent the fuel-handling machine bridge from overturning or coming off its rails during a seismic event, (2) the new fuel jib crane beam is an engineered welded composite and the jib structure connects to the building wall via two connection brackets, and (3) the elevator track structure is welded 304 stainless steel and is secured to the pool wall via a bolted connection to permanently welded pads.

Based on its review, the staff finds the applicants description of the design and location of the FHE as key design features for ensuring that the hoists cannot fall into the SFP and perforate the SFP liner, to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

The Design and Location of the Reactor Building Crane Section 19.5.4.3.2 of this report documents the staffs safety evaluation of the design and location of the RBC. The staff finds that the heavy-load exclusion zones are marked in DCA Part 2, Tier 2, Revision 1, Figures 9.1.5-1 and 9.1.5-2, so that the load cannot be handled in the SFP.

The Location of the Spent Fuel Pool In DCA Part 2, Tier 2, Revision 1, Section 19.5.5.3, the applicant stated that the location of the SFP, as described in Section 9.1.2 and shown in Figures 1.2-10 through 1.2-16, is a key design feature for maintaining SFP integrity from a direct aircraft impact. The staff reviewed DCA Part 2, Tier 2, Revision 1, Section 3.8.4, Other Seismic Category I Structures; Section 3.8.5, Foundations; Section 9.1.2; Appendix 3B.2; Figures 1.2-10 through 1.2-16; and Section 19.5.3.3. The staff found that the walls, floor, and foundation of the SFP are constructed of thick, reinforced concrete with a stainless steel liner. The SFP is located below grade, and there is no loss of water level as the SFP is completely below grade and an aircraft impact cannot strike the pool or the pool liner. On this basis, the staff finds that the integrity of the SFP is maintained.

19-71 Based on its review, the staff finds the location of the SFP and the design and location of the FHE as key design features for (1) maintaining SFP integrity from a direct aircraft impact and (2) ensuring that the hoists cannot fall into the SFP and perforate the SFP liner to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

Combined License Information Items There are no COL information items.

Conclusion The staff determined the applicant has performed an AIA that is reasonably formulated to identify design features and functional capabilities that show, with reduced use of operator action, that the acceptance criteria in 10 CFR 52.47, Contents of Application; Technical Information, and 10 CFR 50.150(a)(1) are met.

In addition, the applicant adequately described the key design features and functional capabilities identified and credited to meet the requirements of 10 CFR 50.150, including descriptions of how the key design features satisfy the acceptance criteria in 10 CFR 50.150(a)(1). This includes describing how the facility can withstand the effects of a large commercial aircraft impact such that the reactor core remains cooled, containment remains intact, and spent fuel pool integrity is maintained. Therefore, the staff finds that the applicant meets the applicable requirements of 10 CFR 50.150(b).