ML21225A101

From kanterella
Revision as of 00:53, 9 September 2021 by StriderTol (talk | contribs) (StriderTol Bot change)
Jump to navigation Jump to search
Technology Inclusive and Risk Informed Reviews for Advanced Reactors: Comparing the Us Licensing Modernization Project with the Canadian Regulatory Approach
ML21225A101
Person / Time
Issue date: 08/12/2021
From: Mohamed Shams
NRC/NRR/DANU
To:
Muniz A
References
Download: ML21225A101 (85)


Text

Technology Inclusive and Risk-Informed Reviews for Advanced Reactors:

Comparing the US Licensing Modernization Project with the Canadian Regulatory Approach

Approved by: Date:

Mohamed Digitally signed by Mohamed K. Shams X K. Shams Date: 2021.08.12 11:34:44 -04'00' ____________________

Dr. Mohamed K. Shams, Director Division of Advanced Reactors and Non-Power Production and Utilization Facilities United States Nuclear Regulatory Commission Approved by: Date:

Recoverable Signature X Caroline Ducros _____________________

Signed by: Ducros, Caroline Dr. Caroline Ducros, Director General Directorate of Regulatory Improvement and Major Projects Management Canadian Nuclear Safety Commission Approved by: Date:

Recoverable Signature X Mike Rinker _____________________

Signed by: Rinker, Michael Michael Rinker, Director General Directorate of Assessment and Analysis Canadian Nuclear Safety Commission

Executive summary In August 2019, the Canadian Nuclear Safety Commission (CNSC) and the U.S. Nuclear Regulatory Commission (NRC) signed a memorandum of cooperation (MOC) to increase collaboration on technical reviews of advanced reactor and small modular reactor technologies.

The MOC builds on the joint memorandum of understanding signed in August 2017 and further strengthens the CNSC and USNRC commitment to share best practices and experience from design reviews. Under this MOC, a terms of reference was prepared to describe the administration of the cooperation and to facilitate the establishment of a program of work to accomplish specific cooperative activities.

As part of the program of work, a work plan was approved for exploring and seeking convergence on the regulatory approaches and guidance for applicants and regulatory reviewers in both countries.

The outcome of this work plan is a report documenting the results of the combined efforts of the CNSC and the NRC with a focus on:

o areas of commonalities and differences between the Canadian approach and US Licensing Modernization Project (LMP) - new technology inclusive risk informed and performance based (TI-RIPB) for advanced reactors.

o suggestions for future work needed for developing, to the extent practicable, shared technical requirements, guidance and review approaches.

The outcomes of this cooperative activity are intended to help each jurisdiction leverage information from each other in reviewing advanced reactor designs and further facilitate the capability to perform joint technical reviews of advanced reactor designs that have been submitted for review in Canada and the United States. The activity aims to promote a mutual understanding of each organizations regulatory framework with a focus mainly on safety analysis expectations which are fundamental to the safety case that would support a licence application.

Completion of this work demonstrates that the NRC and CNSC are ready to increase collaboration and facilitate joint technical reviews of advanced reactor and small modular reactor designs to ensure safety and to facilitate each agencys regulatory reviews. Under the MOC, the NRC may consider insights from CNSC pre-licensing vendor design reviews and licensing review processes. The CNSC may also take into consideration NRC review results if an applicant proposes the construction and operation of a reactor using a design that is currently under review or that was previously reviewed by the NRC.

Both countries have recognized the increased use of risk information in regulatory decision-making. As a result, the report focused on reviewing and comparing the technology-inclusive and risk-informed application approaches in each country. More specifically, it examined the technology-inclusive, risk-informed, and performance based (TI-RIPB) process developed as part of the Licensing Modernization Project (LMP) led by the U.S. nuclear industry, sponsored by the U.S. Department of Energy and endorsed by the NRC, and compared it with the requirements set out in CNSC regulatory requirements. In both approaches, vendors and applicants need to identify licensing basis events, to classify structures, systems and components, and to ensure adequate defence-in-depth, which are the fundamental building blocks for establishing the licensing basis and content of a licence application.

i

Regulatory frameworks and regulatory decision-making address legal, technical and policy matters. This work plan focused on technical matters and the ability to perform joint technical reviews. Legal and policy matters associated with each countrys regulatory framework were not addressed and would still need to be considered by each regulator when it makes its independent regulatory findings and decisions.

The Canadian and U.S. regulatory frameworks for the licensing and operation of nuclear power plants have been effective in ensuring the health and safety of the public, workers, and the environment, as defined by each nations regulatory body. There are many similarities in the CNSCs and NRCs overall licensing approaches with respect to safety objectives, fundamental safety functions, and the topical areas identified as the focus of each regulators safety review.

In addition, both the CNSC and NRC use technology-neutral and risk-informed approaches to demonstrate that the safety goals and objectives have been met for new design applications while ensuring that each new design can adequately perform the fundamental safety functions of reactivity control, heat removal from the reactor core, and confinement of radioactive materials.

Any differences in the CNSC- and NRC-accepted approaches, examined as part of this work plan, were considered to be at the implementation level of detail and to have no impact on the outcome of regulatory decisions necessary to ensure the health and safety of the public, workers, and the environment.

The general conclusion of this report is:

It appears that there is much common ground in safety case assessment reviews and acceptance criteria that can be used as a foundation for technical reviews performed by one regulator (i.e., CNSC or NRC) to be leveraged by the other (i.e., CNSC or NRC), in order to inform the independent regulatory findings and decisions required by law. Initial analysis indicates that the goal of performing joint technical reviews could be possible and other work plans under this MOC will focus on piloting initial steps towards achieving that goal. CNSC and NRC collaboration on technical reviews is in the early stages; however, there have been early successes, and additional learning opportunities have been identified. This report includes suggestions for consideration by both the CNSC and NRC regarding future work that would help improve the overall efficiency and effectiveness of technical review collaborations, which may lead to achieving the ultimate goal of joint technical reviews.

Nothing in this report fetters the powers, duties or discretion of CNSC or NRC designated officers, CNSC or NRC inspectors or the respective Commissions regarding making regulatory decisions or taking regulatory action. Nothing in this report is to be construed or interpreted as affecting the jurisdiction and discretion of the CNSC in any assessment of any application for licensing purposes under the Nuclear Safety and Control Act ], its associated regulations or the Canadian Nuclear Safety Commission Rules of Procedure [5]. Likewise, nothing in this report is to be construed or interpreted as affecting the jurisdiction and discretion of the NRC in any assessment of any application for licensing purposes under the Atomic Energy Act of 1954, as amended, its associated regulations and the NRC Management Directives. This report does not involve the issuance of a licence under section 24 of the Nuclear Safety and Control Act or under section 103 of the Atomic Energy Act of 1954. The conclusions in this collaborative report are of the CNSC and NRC staff.

ii

Table of Contents

1. Purpose .............................................................................................................................. 1
2. Overview of Regulatory Processes for New Designs........................................................... 2 2.1 Pre-Application Interactions ....................................................................................... 2 2.1.1 Canada .......................................................................................................... 2 2.1.1.1 Vendor Design Review ..................................................................... 3 2.1.1.2 Application Assessment Strategy ..................................................... 4 2.1.2 United States.................................................................................................. 6 2.1.2.1 Meetings........................................................................................... 6 2.1.2.2 Correspondence, white papers, and technical reports ...................... 7 2.1.2.3 Topical reports.................................................................................. 7 2.1.2.4 Regulatory Engagement Plan ........................................................... 8 2.1.2.5 Research and development plans .................................................... 8 2.1.2.6 Pre-application safety evaluation reports .......................................... 8 2.1.2.7 Other supporting documents/programs............................................. 8 2.2 Application interactions .............................................................................................. 9 2.2.1 Canada .......................................................................................................... 9 2.2.1.1 Licensing process ............................................................................10 2.2.1.2 Licence to prepare site ....................................................................12 2.2.1.3 Licence to construct.........................................................................13 2.2.1.4 Licence to operate ...........................................................................14 2.2.1.5 CNSC conduct of reviews ................................................................15 2.2.1.6 Licensing Basis ...............................................................................15 2.2.2 United States.................................................................................................16 2.2.2.1 Construction Permit .........................................................................16 2.2.2.2 Operating License ...........................................................................18 2.2.2.3 Design Certification .........................................................................18 2.2.2.4 Early Site Permits ............................................................................19 2.2.2.5 Combined License ...........................................................................19 2.2.2.6 Standard Design Approval ...............................................................19 2.2.2.7 Manufacturing License ....................................................................20 2.2.2.8 Research and Test Reactors and Prototype Plants .........................20 2.2.3 Comparison table of regulatory interactions...................................................21 2.3 Overview of regulatory safety objectives and dose limits ..........................................22 2.3.1 Canada .........................................................................................................22 iii

2.3.1.1 Safety Objectives ............................................................................22 2.3.1.2 Dose acceptance criteria .................................................................24 2.3.2 United States.................................................................................................24 2.4 Technology inclusive, risk-informed, performance-based licensing approaches........25 2.4.1 Canada .........................................................................................................25 2.4.1.1 CNSC Approach to Identification and Classification of Postulated Initiating Events (PIEs) in the Safety Analysis..................................25 2.4.1.2 CNSC Approach to Safety Assessment ...........................................27 2.4.1.3 Regulatory Framework Related to Safety Classification ..................30 2.4.1.4 CNSC Risk Informed Policy .............................................................38 2.4.2 United States.................................................................................................39 2.4.2.1 Licensing Basis Event Definitions ....................................................40 2.4.2.2 LMP Frequency-Consequence Target .............................................41 2.4.2.3 LMP Approach to Selecting LBEs ....................................................44 2.4.2.4 LMP Approach to Classifying Systems, Structures, and Components ....................................................................................45 2.4.2.5 LMP Evaluation of DiD Adequacy ....................................................47 2.4.2.6 Required PRA Scope to Support the LMP Process .........................52

3. Assessment of Technology-Inclusive, Risk-Informed Approaches......................................53 3.1 Safety goals and objectives ......................................................................................56 3.2 Fundamental Safety Functions .................................................................................57 3.3 Licensing Basis Events / Postulated Initiating Events................................................58 3.3.1 Anticipated Operational Occurrences (AOOs) ...............................................60 3.3.2 Design Basis Accidents / Design Basis Events (DBAs/DBEs) .......................61 3.3.3 Beyond Design Basis Events (BDBEs) / Beyond Design Basis Accidents (BDBAs) / Design Extension Conditions (DECs) ...........................................61 3.4 Safety Analyses ........................................................................................................62 3.4.1 Deterministic Safety Analysis ........................................................................62 3.4.2 Probabilistic Safety Analyses ........................................................................63 3.5 Safety Classification of Structures, Systems and Components (SSCs) .....................63 3.6 Defense-in-Depth ......................................................................................................64 3.7 Summary Comparison of PRA-related information ....................................................64
4. Suggestions for Future Work..............................................................................................71 4.1 Further comparison of regulatory approaches ...........................................................71 4.2 Pursue other areas of collaboration ..........................................................................71
5. Conclusion .........................................................................................................................72
6. References ........................................................................................................................73 iv

List of Tables Table 1. Regulations under the Nuclear Safety and Control Act ............................................ 9 Table 2. Comparison of Regulatory Interactions ...................................................................19 Table 3. CNSC Dose Limits..................................................................................................20 Table 4. CNSC Defence-in-Depth Levels .............................................................................33 Table 5. LBE Frequency Bases ............................................................................................40 Table 6. Bases for LMP F-C Target ......................................................................................42 Table 7. Scope of Review Comparison: CNSC and U.S. NRC .............................................49 Table 8. Fundamental Safety Functions ...............................................................................51 Table 9. LBE Frequency and Dose Criteria: US and CDN ....................................................53 Table 10. PRA Topics within CNSC and NRC Frameworks....................................................58 List of Figures Figure 1. Diagram of CNSC licensing and pre-licensing processes .......................................11 Figure 2. NRC Licensing-Related Processes .........................................................................17 Figure 3. IAEA Safety Classification Flow Diagram ...............................................................32 Figure 4. CNSC Approach to Defence-in-Depth ....................................................................36 Figure 5. LBE F-C Target Curve ............................................................................................41 Figure 6. Relationship Between PRA Categories of SSCs .....................................................45 Figure 7. U.S. Nuclear Regulatory Commissions Defense-in-Depth Concept .......................46 Figure 8. Framework for Establishing DiD Adequacy .............................................................48 Figure 9. Comparison of NRC and CNSC Frequency-Consequence Targets ........................59 v

Abbreviations ACRS Advisory Committee on Reactor Safeguards ADAMS Agency wide Documents Access and Management Systems AEA Atomic Energy Act AEC Atomic Energy Commission ALARA as low as reasonably achievable AMP administrative monetary policies AOO anticipated operational occurrence ASLB Atomic Safety and Licensing Board ASME American Society of Mechanical Engineers BDBA beyond-design-basis accident BDBE beyond design basis event CANDU Canada Deuterium Uranium CDF core damage frequency CFR Code of Federal Regulations CNSC Canadian Nuclear Safety Commission COL combined license CP construction permit CSA Canadian Standards Association DBA design basis accident DBE design basis event DC design certification DEC design extension condition DOE Department of Energy DSA deterministic safety analysis EAB exclusion area boundary EPA Environmental Protection Agency ESP early site permit F-C frequency-consequence FOAK first-of-a-kind FV Fussell-Vesely GEH General Electric Hitachi HFE human failure event vi

I&C instrumentation and control IAEA International Atomic Energy Agency ICRP International Commission on Radiological Protection IDP integrated decision-making process ITAAC inspections, tests, analyses, and acceptance criteria LBE licensing basis event LERF large early release frequency LMP licensing modernization project LRF large release frequency LTPS licence to prepare site LWR light-water reactor MOC memorandum of cooperation NCSA Nuclear Safety and Control Act NEI Nuclear Energy Institute NEPA National Environmental Policy Act NLWR non-light water reactor NRC Nuclear Regulatory Commission NPP nuclear power plant NSRST non-safety-related with special treatment NST no special treatment OLC operational limits and conditions PAG Protective Action Guide PIE postulated initiating events PRA probabilistic risk assessment PSA probabilistic safety assessment PSAR preliminary safety analysis report QHO quantitative health objective R&D research and development RAW risk achievement worth REGDOC regulatory document RG regulatory guide RIDM risk-informed decision making RIPB risk-informed and performance-based RIS regulatory information summary vii

RSF required safety function SA severe accident SCA safety and control area SDA standard design approval SR safety related SRF small release frequency SRP standard review plan SSCs systems, structures, and components TEDE total effective dose equivalent TI-RIPB technology-inclusive, risk-informed, and performance-based TICAP Technology Inclusive Contents of Application Project VDR vendor design review viii

1. Purpose The Canadian Nuclear Safety Commission (CNSC) and the U.S. Nuclear Regulatory Commission (NRC) signed a Memorandum of Cooperation (MOC) in August of 2019 to further expand their cooperation on activities associated with advanced reactor and SMR technologies. This was done under the auspices of the CNSC-USNRC Steering Committee (established in August 2017) and to further strengthen the CNSC and USNRC commitment to share best practices and experience from design reviews [1]. Under this MOC, a terms of reference was prepared to describe the administration of the cooperation, and to facilitate the establishment of a program of work to accomplish specific cooperative activities [2]. As part of the program of work, a work plan [3] was approved to explore and seek convergence on the regulatory approaches and guidance for applicants and reviewers to develop the information needed to support applications for reactors in both countries.

The purpose of this report is to document the results of the combined efforts of the CNSC and the NRC under this work plan. The focus of these efforts is to:

document areas of commonalities and differences between the Canadian regulatory approach and the US regulatory approach regarding design and safety analysis; propose suggestions for future work needed for developing, to the extent practicable, shared technical requirements, guidance and review approaches.

The outcomes of this cooperative activity are intended to help each jurisdiction leverage information from each other in reviewing advanced reactor designs and further facilitate the capability to perform joint technical reviews of advanced reactor designs that have been submitted for review in Canada and the United States. The focus of the work plan was mainly on safety analysis expectations, which are fundamental to the safety case that support a licence application.

Please note that this report maintains terminology and spelling that is consistent with use in the country of origin and no attempt to harmonize these is made in the report (e.g., license and licence; defense and defence, etc.).

Nothing in this report fetters the powers, duties or discretion of CNSC or NRC designated officers, CNSC or NRC inspectors or the respective Commissions regarding regulatory decisions or taking regulatory action. Nothing in this report is to be construed or interpreted as affecting the jurisdiction and discretion of the Canadian Nuclear Safety Commission in any assessment of any application for licensing purposes under the Nuclear Safety and Control Act

[4], its associated regulations or the CNSC Rules of Procedure [5]. Likewise, nothing in this report is to be construed or interpreted as affecting the jurisdiction and discretion of the US Nuclear Regulatory Commission in any assessment of any application for licensing purposes under the Atomic Energy Act of 1954, as amended, its associated regulations and the NRC Management Directives. This report does not involve the issuance of a licence under section 24 of the Nuclear Safety and Control Act or under section 103 of the Atomic Energy Act. The Conclusions in this collaborative report are of the CNSC and NRC staff.

1

2. Overview of Regulatory Processes for New Designs The CNSCs regulatory philosophy is based on the following:

Licensees are directly responsible for managing regulated activities in a manner that protects health, safety, security, and the environment, and that conforms with Canadas domestic and international obligations on the peaceful use of nuclear energy.

The CNSC is accountable to Parliament and to Canadians for assuring that these responsibilities are properly discharged.

The CNSC therefore ensures that regulated parties are informed about requirements and provided with guidance on how to meet them, and then verifies that all regulatory requirements are, and continue, to be met.

Likewise, the NRCs regulatory philosophy is based on the following:

Licensees are directly responsible for managing regulated activities in a manner that protects health, safety, security and the environment, and that complies with the NRCs regulations.

The NRC is accountable to the Congress and to U.S. citizens for assuring that these responsibilities are properly discharged.

This section of the report focuses on the regulatory processes in place and available in Canada and the United States for use by both reactor designers/vendors and by applicants/licensees to engage with nuclear regulators. The regulatory processes considered are not limited to licensing, permitting, or approvals but encompass a larger set of potential engagements with the regulatory bodies. A comparison of these processes is instructive in understanding the level of detail involved in these interactions, assessing the degree to which leveraging of regulator reviews can be performed, and in identifying any associated limitations. The interactions are grouped into pre-application interactions, which can include both formal and informal processes, and licensing interactions, which predominantly include formal interactions between applicant and regulator.

2.1 Pre-Application Interactions 2.1.1 Canada Pre-licensing activities can vary in complexity from process-related questions to technical assessments that provide feedback to a potential applicant. Pre-licensing activities may allow potential regulatory or technical issues to be identified early on and improve an applicants understanding of the CNSCs regulatory processes and requirements.

There are two main types of pre-licensing engagement with the CNSC:

the vendor design review (VDR) process; the process for establishing an appropriate application assessment strategy for a small modular reactor (SMR).

2

2.1.1.1 Vendor Design Review The VDR process is described in Regulatory Document (REGDOC) 3.5.4, Pre-Licensing Review of a Vendors Reactor Design [6], which addresses the scope and objectives of a VDR. This REGDOC does not contain assessment criteria. Instead, it refers to requirements and guidance in the regulatory framework.

The VDR is an optional process where vendors/designers engage with the CNSC under a service agreement. A VDR can begin once a vendor has, at a minimum, made reasonable progress in the basic engineering phase of the design where the basic architecture of systems important to safety has been laid out following the vendors reactor design guides and design requirements.

The VDR is an opportunity for both the CNSC, and the vendor, where:

the CNSC provides feedback on the vendors efforts to address Canadian regulatory requirements and identifies fundamental barriers to licensing (if any), early in the design, and; the CNSC staff are able to develop an understanding of the vendor design process and its proposed design and identify regulatory challenges along with early resolutions.

The VDRs are carried out in up to 3 phases, with each phase representing an increasing level of detail.

Phase 1 review -CNSC staff assess the information submitted in support of the vendors design and determine if, at a general level, the vendor design and design processes are demonstrating implementation of CNSC design requirements, and related regulatory requirements.

Phase 2 review - This phase goes into further detail, with a focus on identifying if any potential fundamental barriers to licensing exist or are emerging with respect to the reactors design.

Phase 3 review - Pre-construction follow-up: In this phase, the vendor can choose to follow up on one or more focus areas covered in phases 1 and 2 against CNSC requirements pertaining to a licence to construct. For those areas, the vendors anticipated goal is to avoid a detailed revisit by the CNSC during the review of the construction licence application.

Phase 1 and 2 reviews have 19 review focus areas related to design and safety analysis, which represent key areas of importance for a future application for a licence to construct.

1. General plant description, defence-in-depth, safety goals and objectives, dose acceptance criteria
2. Classification of structures systems, and components
3. Reactor core nuclear design
4. Fuel design and qualification
5. Control system and facilities 3
6. Means of reactor shutdown
7. Emergency core cooling and emergency heat removal systems
8. Containment/confinement and safety-important civil structures
9. Beyond-design-basis accidents (BDBAs) and severe accidents (SA) prevention and mitigation including Design Extension Conditions (DECs)
10. Safety analysis (deterministic safety analysis, probabilistic safety analysis) and internal and external hazards
11. Pressure boundary design
12. Fire protection
13. Radiation protection
14. Out-of-core criticality
15. Robustness, safeguards and security
16. Vendor research and development program
17. Management system of design process and quality assurance in design and safety analysis
18. Human factors
19. Incorporation of decommissioning in design considerations The Phase 3 review is tailored on a case-by-case basis. When issues are identified early in the design process, it provides time for the vendor to resolve them before the issues arise during a licensing process.

2.1.1.2 Application Assessment Strategy The process described in section 4.2 of REGDOC-1.1.5, Supplemental Information for Small Modular Reactor Proponents [7] is an optional process that establishes an application assessment strategy to enable potential proponents to understand:

the overall licensing process; the specific licensing process for the proposed activity; regulatory framework tools available to support the licensing process (e.g., regulations, licence application guides and other regulatory documents) and how they are used to establish the licensing basis; licensee obligations (should the licence application be approved).

The process is divided into the following four activities:

Activity A: Prepare for and establish preliminary description of activities and hazards.

Activity B: Conduct risk assessment and document proposed strategy for novel nuclear technology.

Activity C: Decide on application assessment strategy.

Activity D: Communicate application assessment strategy via letter.

4

While establishing an appropriate application assessment strategy is optional, it could be especially beneficial for a proponent whose application includes one or more of the following:

new organizational models for conducting a project; a proposal for new types of activities, for which there is little or no past experience (e.g.,

potential demonstration activities to be performed in a demonstration facility);

new ways to conduct activities (e.g., construction approaches);

new technological approaches that require extensive interpretation of requirements.

The scope of this pre-licensing process differs from the VDR. While the VDR is limited to a vendors basic engineering program to address the 19 focus areas related to design and safety analysis, this process considers all 14 CNSC safety and control areas (SCAs) involved in the conduct of a potential activity by a pre-licence applicant. The 14 SCAs are:

1. Management system
2. Human performance management
3. Operating performance
4. Safety analysis
5. Physical design
6. Fitness for service
7. Radiation protection
8. Conventional health and safety
9. Environmental protection
10. Emergency management and fire protection
11. Waste management
12. Security
13. Safeguards and non-proliferation
14. Packaging and transport The process for establishing an appropriate application assessment strategy consists of a high-level analysis of the proposed project and the identification of applicable regulatory documents and practices. The outcome is an appropriate risk-informed application assessment strategy, which CNSC staff will ultimately use in developing supplemental guidance for an applicant on how to prepare a licence application for a given project. The process is iterative, with several interactions between the CNSC and an applicant before the CNSC develops this supplemental guidance.

Overall, early engagement enables stakeholders and CNSC staff to foresee regulatory challenges and establish a path to resolve them in a timely manner. It also prepares the applicant for engagement in regulatory processes with high-quality information. Through these activities, efficiencies in the licensing process can be realized. While pre-licensing 5

engagement offers benefits, it is separate from the licensing process and does not bind or otherwise influence decisions made by the Commission.

2.1.2 United States In the United States, the NRCs regulatory framework provides both informal and formal opportunities for designers and applicants to interact with the NRC. The following provides a brief listing of these types of interactions. Additional discussions regarding these interactions follows.

Pre-application interactions.

White papers.

Drop-in meetings (discussion of plans and schedules only).

Public meetings.

Response to Regulatory Information Summary (RIS) 20-02, Review of New Licensing Applications for Light-Water Reactors (LWRs) and Non-Light Water Reactors (non-binding) [8].

Topical reports (conditional findings with associated limitations and conditions in the safety evaluation report) (Office Instruction LIC-500, Topical Report Process) [9].

Regulatory engagement plans (non-binding).

Pre-application safety evaluation reports (conditional findings).

In December 2017, the NRC published A Regulatory Review Roadmap for Non-Light Water Reactors (Agency-wide Documents Access and Management Systems (ADAMS)

Accession No. ML17312B567) [10]. In this document, the NRC provides a discussion of the options available in its regulatory framework for engagement with the NRC by designers and applicants on new reactor designs, informal and formal interactions, and licensing, permitting and approval processes. The discussion herein on pre-application interactions borrows substantially from the discussion in the regulatory review roadmap.

The primary interactions between the NRC staff and applicants, reactor designers, industry organizations, and other stakeholders are discussed in the following sections. These interactions are used to exchange information between designers and the NRC and can result in the NRC providing varying degrees of feedback for use in the design process and application development for licenses, certifications, or design approvals. The discussions and feedback could also involve conceptual or preliminary designs as discussed in the roadmap above. A discussion of how the design process and regulatory engagement plan for non-LWRs can use these interactions and the formal application processes defined in NRC regulation follows in section 2.2.2.

2.1.2.1 Meetings Meetings with the NRC staff can provide initial feedback on design options and support ongoing reviews of submitted material. The NRC staff can hold meetings with individual designers, technology or design-centered groups, industry organizations (e.g., Nuclear Energy Institute, U.S. Nuclear Infrastructure Council, Nuclear Innovation Alliance),

Department of Energy (DOE), and other stakeholders. The feedback applicants and 6

designers receive from the NRC during meetings can include preliminary questions from the NRC staff on the design, sharing regulatory perspectives with the applicants and designers, or NRC staff describing needed information to complete a more formal review supporting a higher-level outcome. Unless they involve discussion of sensitive information (e.g., proprietary or security-related information), meetings with the NRC staff are open to the public. The NRC prepares meeting summaries to document these interactions but does not use these summaries to document staff findings or regulatory positions.

2.1.2.2 Correspondence, white papers, and technical reports Letters and reports outlining policy or technical positions can be used to provide information to the NRC staff and to solicit feedback in the form of initial, conditional, or conclusive regulatory positions. Although the NRC has no formal guidelines or naming conventions for these interactions, the following describes the agencys general practices:

Correspondence without an attached report is usually used for project management issues (e.g., costs and schedules), to clarify processes and procedures, and to provide informal feedback on technical issues not needing detailed supporting information. Stakeholders may also request the NRC to provide information on regulations, including regulatory interpretations in accordance with Title 10 of the Code of Federal Regulations (10 CFR)

Section 50.3, Interpretations, and 10 CFR 52.2, Interpretations. [11, 12].

Documents often referred to as white papers can be used to request general feedback, to obtain preliminary regulatory feedback (e.g., a template could be submitted to propose a reasonable format and content for a submittal), or regulatory interpretations (e.g.,

applicability of a regulatory requirement to the design). Note that staff responses for these types of documents are generally less specific and provide less regulatory certainty than responses for topical reports and formal applications.

Documents often referred to as technical reports can be used to provide results of research, testing, or analyses that help verify or validate computer models, expected performance of components or systems, or other supporting information of an application. The NRCs assessment of the relevance and adequacy of technical reports is usually documented in safety evaluations related to specific topical reports or applications. For example, technical reports for the AP1000 design were referenced in the NRC staffs final safety evaluation report (see Section 1.10 of NUREG-1793, Supplement 2) [13].

2.1.2.3 Topical reports A topical report is a standalone report containing technical information about a reactor, structures, systems, and components (SSCs), or a safety topic that can be submitted to the NRC for its review and approval. Topical reports improve the efficiency of the licensing process by allowing the staff to review proposed methodologies, designs, operational requirements, or other subjects for subsequent referencing in licensing applications. An NRC-approved topical report can provide a technical basis for a licensing action. Topical reports have traditionally been used to obtain NRC conditional approval with associated limitations and conditions via a safety evaluation report for the design of key SSCs, methodologies, and computer codes and models.

7

Topical reports have been used extensively in the review of LWR designs and are expected to be an important vehicle for obtaining conditional NRC staff findings on proposed design features and analysis methodologies for non-LWR designs.

2.1.2.4 Regulatory Engagement Plan Before submitting the pre-application design documents, the NRC expects that applicants and designers will have held meetings with the NRC staff to describe the design and the licensing strategy being pursued. The regulatory engagement plan and preliminary design information should describe the design; relationships to previously submitted or planned white papers, topical reports, consensus standards, and other activities supporting the design; research and development (R&D) and confirmatory testing programs (see also to NRCs Regulatory Review Roadmap (ADAMS Accession No. ML17312B567

[10]); historical and foreign operating experience; and other relevant information. The preliminary design can describe the principal design criteria being proposed and the acceptance criteria being established for the plant SSCs for normal and abnormal operation, and for a range of possible transients and accidents. Past NRC interactions with non-LWR vendors have included the early submittal of white papers on key licensing matters such as licensing-basis event selection and classification of SSCs.

The use of such white papers or adoption of related consensus codes and standards can allow the preliminary design review to be focused on the technical issues related to the safety of the design.

2.1.2.5 Research and development plans Entities may submit R&D plans supporting reactor technologies or designs. An applicants R&D plan is an important part of the overall testing plan. This information is useful for the NRC to be aware of what data may become available for verification and validation of computer models, what test facilities may need to be inspected for quality assurance, and which tests the NRC may wish to observe; it may also help determine what related independent research the NRC may wish to conduct. The results from the R&D programs can be provided in technical reports or within applications, including topical reports.

2.1.2.6 Pre-application safety evaluation reports For pre-application design interactions where there is a high degree of design completeness, such as the pre-application safety analysis reports previously reviewed by the NRC, a preliminary design review could result in a statement from the NRC similar to that in the pre-application safety evaluation reports prepared in the 1990s that is, that the NRC has identified no obvious impediments to the licensing of the subject non-LWR design or major parts of the design provided for review. For preliminary designs with a lesser degree of maturity, the staffs safety evaluation of the design would have a commensurate, and likely lesser degree of regulatory certainty. If the NRC does identify impediments to licensing during the preliminary design review, that feedback will also be valuable to the potential applicant.

2.1.2.7 Other supporting documents/programs The design and licensing of non-LWRs are expected to introduce topics such as the use of historical Atomic Energy Commission (AEC) or DOE research programs, operating experience outside the United States, and increased use of advanced computer simulation 8

tools. Designers and applicants may identify other available supporting documents that may be submitted to the NRC within their regulatory engagement plan and discuss the desired outcomes with the NRC staff.

2.2 Application interactions 2.2.1 Canada The Nuclear Safety and Control Act (NSCA) [4] establishes the CNSCs mandate to regulate the development, production, and use of nuclear energy and the production, possession and use of nuclear substances, prescribed equipment and prescribed information in Canada.

The mandate of the CNSC is informed by the objects of the Commission, set out in Section 9 of the NSCA, which are:

a. to regulate the development, production and use of nuclear energy and the production, possession and use of nuclear substances, prescribed equipment and prescribed information in order to:

(i) prevent unreasonable risk, to the environment and to the health and safety of persons, associated with that development, production, possession or use; (ii) prevent unreasonable risk to national security associated with that development, production, possession or use; and (iii) achieve conformity with measures of control and international obligations to which Canada has agreed.

b. to disseminate objective scientific, technical and regulatory information to the public concerning the activities of the Commission and the effects, on the environment and on the health and safety of persons, of the development, production, possession and use referred to in paragraph (a).

When making licensing decisions, the Commission is guided by Section 24, paragraph 4 of the NSCA, which states:

No licence shall be issued, renewed, amended or replaced and no authorization to transfer one given unless, in the opinion of the Commission, the applicant or, in the case of an application for an authorization to transfer the licence, the transferee:

a. is qualified to carry on the activity that the licence will authorize the licensee to carry on; and
b. will, in carrying on that activity, make adequate provision for the protection of the environment, the health and safety of persons and the maintenance of national security and measures required to implement international obligations to which Canada has agreed.

The CNSCs regulatory framework includes a set of regulations that covers the full extent of the facilities and activities and practices regulated by the CNSC. A full set of the regulations can be found on the CNSC website:

https://laws.justice.gc.ca/eng/regulations/SOR-2019-285/FullText.html.

9

The CNSCs regulatory framework program aims to provide regulatory instruments that clearly state CNSCs regulatory expectations, and guidance material. The regulatory framework balances prescriptive and performance-based requirements based on a risk-informed approach to the regulated nuclear activity. With regards to application of the Regulatory Framework, the NSCA and regulations must be complied with. There is more flexibility with regards to requirements and guidance articulated in REGDOCs.

Requirements in REGDOCs need to be addressed; however, an applicant or licensee may put forward a case to demonstrate that the intent of a requirement is addressed by other means. Such a case must be demonstrated with supportable evidence. This does not mean that the requirement is waived; rather, it is an indication that the regulatory framework provides flexibility for licensees to propose alternative means of achieving the intent of the requirement. The Commission decides whether or not the requirements have been met.The Commission is always the final authority as to whether the requirement has been met.

2.2.1.1 Licensing process The CNSC regulates using a risk-informed approach, which is long-established and forms the foundation of its regulatory activities. The CNSC sets requirements and provides guidance on how to meet them, and the applicant or licensee may put forward a case to demonstrate that the intent of a requirement is addressed by other means. Such a case must be demonstrated with suitable supporting evidence. CNSC staff consider all relevant guidance when evaluating any proposal submitted. This includes application of the graded approach, and consideration of alternative means of meeting requirements.

The CNSCs licensing process follows the stages laid out in the Class I Nuclear Facilities Regulations [14] which is elaborated in REGDOC-3.5.1, Licensing Process for Class I Nuclear Facilities and Uranium Mines and Mills, Version 2 [15]. Licensees/applicants who wish to carry out licensed activities can refer to the licence application guides listed below and their referenced regulatory documents and standards. These provide the regulatory expectations on the information to submit for a new or renewal of a licence. Licence application guides point to key regulatory documents by relevant activity:

REGDOC-1.1.1, Licence Application Guide: Site Evaluation and Site Preparation for New Reactor Facilities [16].

REGDOC-1.1.2, Licence Application Guide: Licence to Construct a Nuclear Power Plant [17].

REGDOC-1.1.3, Licence Application Guide: Licence to Operate a Nuclear Power Plant

[18].

The CNSC requires that the environmental effects of all nuclear facilities or activities be considered when licensing decisions are made.

The CNSC conducts environmental reviews for new nuclear projects to determine their effects on people and the environment. The type of review depends on the geographic location as well as the scope and complexity of the project. An environmental review may either be done in parallel or sequentially with the CNSCs licensing process.

An impact assessment is conducted if a project has the potential for adverse environmental effects in the area of federal jurisdiction. These are projects that are listed as designated projects in the Physical Activities Regulations (or Project List) under the 10

Impact Assessment Act (IAA) [19] or designated by the Minister of Environment. For example, a new reactor project would be subject to an impact assessment if it is proposed to:

o Have a combined thermal capacity of more than 900MWth on a site that is within the boundaries of an existing licensed Class 1A nuclear facility (i.e., existing reactor site).

o Have a combined thermal capacity of more than 200MWth on a site that is not located within the boundaries of an existing licensed Class 1A nuclear facility.

If a new reactor project is not on the Project List but proposed to be carried out on federal lands and regulated by the CNSC, it would be subject to a federal lands review under the IAA. The scope of a federal lands review under the IAA is different than the scope of a full impact assessment.

For a new reactor project where the IAA does not apply, the project may be subject to a provincial environmental assessment (EA) or EA processes under land claim agreements. The information gathered from these EA process would then be used to inform the licensing decision under the NSCA.

For a project where the IAA does not apply, as part of its licensing process, the CNSC also conducts an environmental protection review under the Nuclear Safety and Control Act. An environmental protection review is a summary of CNSC staffs technical assessment of a proponents environmental protection framework.

Additional details on the different environmental reviews that may apply under CNSCs regulatory framework is provided in REGDOC-2.9.1, Environmental Principles, Assessments and Protection Measures (version 1.2) [20].

To complement these licence application guides, the CNSC has also published additional regulatory guidance for SMRs in REGDOC-1.1.5 [7]. This regulatory document provides specific information intended to be used in conjunction with other licence application guides and regulatory documents to assist SMR proponents in developing risk-informed proposals that take into account CNSC expectations regarding all safety and control areas, to support the safety case for the site. This guidance encourages proponents and applicants to describe measures and supporting evidence proportionate to the complexity, novelty and potential for harm of the activities and technologies proposed.

The CNSC regulatory documents draw on a variety of national and international codes, standards and publications produced by relevant professional bodies or other regulators containing additional information which informs the CNSC approach, including International Atomic Energy Agency (IAEA) and Canadian Standards Association (CSA) Group safety standards.

11

Figure 1. Diagram of CNSC licensing and pre-licensing processes Source: CNSC website: Readiness to Regulate Advanced Reactor Technologies 2.2.1.2 Licence to prepare site When applying for a licence to prepare a site, it is the applicants responsibility to demonstrate to the CNSC that the proposed site is suitable for future development and that the activities encompassed by the licence will not pose unreasonable risks to health, safety, security and the environment for the site and its surrounding region. In addition to addressing the activities pertaining to site evaluation and site preparation, submissions for selected topics for the licence to prepare a site are expected to consider the entire lifecycle of the proposed facility. The applicant must also demonstrate that the proposed licensed activity meets all applicable regulatory requirements.

The CNSC regulatory document REGDOC-1.1.1 [16] describes the general process for evaluating a reactor facility site in Canada. It supplements the related application requirements contained in the regulations, codifies experience from recent assessments for potential new reactor facilities, and addresses lessons learned. Specifically, it:

provides site evaluation criteria (e.g., to address the impact of the site on the environment, emergency planning and natural and human-induced external hazards);

sets expectations for collecting site-related data; sets expectations for quality assurance of design activities, the conduct of site preparation activities, as well as public and Indigenous engagement.

Regulatory efficiencies can be maximized if the applicant thoroughly evaluates the proposed site for the project and fully documents the site selection case before initiating the licensing and environmental review.

REGDOC-1.1.1 includes criteria for the level of facility design information needed to support the site selection case. An application for a licence to prepare site may be submitted without the selection of a specific facility technology; however, an applicant should ensure the 12

bounding parameters encompass all technologies under consideration and all design information necessary to support proposed site preparation activities.

2.2.1.3 Licence to construct When applying for a licence to construct, it is the applicants responsibility to demonstrate to the CNSC that the proposed reactor facility design conforms to regulatory requirements for the safe conduct of activities over the proposed facilitys life. This also includes that the proposed construction and prior to fuel loading commissioning activities meet all applicable regulatory requirements.

The CNSC regulatory document REGDOC-1.1.2 [17], identifies the information that is expected to be submitted in support of an application for a licence to construct. The specific information required for an application for a licence to construct a Class I nuclear facility is given in Sections 3 and 5 of the Class I Nuclear Facilities Regulations [14]. A few Examples of information submitted in support of an application to construct are:

a description of the proposed design of the nuclear facility, including the manner in which the physical and environmental characteristics of the site are taken into account in the design; a description of the environmental baseline characteristics of the site and the surrounding area; the proposed construction program, including its schedule; a description of the structures proposed to be built as part of the nuclear facility, including their design and their design characteristics; a description of the systems and equipment proposed to be installed at the nuclear facility, including their design and their design operating conditions; a preliminary safety analysis report demonstrating the adequacy of the design of the nuclear facility; the proposed quality assurance program for the design of the nuclear facility; the proposed measures to facilitate Canada's compliance with any applicable safeguards agreements; the effects on the environment and the health and safety of persons that may result from the construction, operation and decommissioning of the nuclear facility, and the measures that will be taken to prevent or mitigate those effects; the proposed location of points of release, the proposed maximum quantities and concentrations, and the anticipated volume and flow rate of releases of nuclear substances and hazardous substances into the environment, including their physical, chemical and radiological characteristics; the proposed measures to control releases of nuclear substances and hazardous substances into the environment; the proposed program and schedule for recruiting, training and qualifying workers in respect of the operation and maintenance of the nuclear facility; and a description of any proposed full-scope training simulator for the nuclear facility.

13

The information that will be required at the time of the operating licence application will be added to this construction safety case. The operating licence application needs to update or make reference to documents previously provided in the preceding construction licence application. It will constitute the facility reference safety case. The reference safety case is then kept up to date over the facilitys lifetime to reflect its current state and condition.

Once granted by the Commission, a licence to construct permits a licensee to construct, commission and operate some components of the facility (e.g., security systems). Some commissioning activities may be allowed in order to demonstrate the facility has been constructed in accordance with the approved design and that the SSCs important to safety are functioning as intended. The applicant must demonstrate that the proposed design of the facility conforms to regulatory requirements and will provide for the safe operation on the designated site over the proposed life of the facility. The applicant is expected to address all follow-up activities identified during the environmental review or impact assessments, including those relevant to the design, construction and commissioning stages and verify that any outstanding issues from the site preparation stage have been resolved.

For the latter part of construction, regulatory attention focuses on the commissioning program and associated activities, to demonstrate to the extent practicable that all the SSCs have been built and function as intended. The applicant is also expected to describe general plans for the development of the operating organization, training, certification and operational procedures in order to demonstrate that the applicant has given due consideration to the preparation of an operating organization that is ready to commission and operate the facility.

2.2.1.4 Licence to operate The CNSC regulatory document REGDOC-1.1.3 [18] identifies the information that is expected to be submitted in support of an application for a licence to operate.

A licence to operate will enable a licensee to complete final commissioning activities, including nuclear commissioning, and to operate the facility. Commissioning activities provide assurance that the facility has been properly designed and constructed and it is ready for safe operation. The specific information required for an application for a licence to operate a Class I nuclear facility is in Sections 3 and 6 of the Class I Nuclear Facilities Regulations [14]. A few examples of information submitted in support of an application to operate are:

a description of the structures, systems, and equipment of the facility, including their design and operating conditions; the final safety analysis report:

o the proposed measures, policies, methods and procedures for:

commissioning systems and equipment; operating and maintaining the nuclear facility; handling nuclear substances and hazardous materials; controlling the release of nuclear substances and hazardous materials into the environment; 14

preventing and mitigating the effects on the environment and health and safety that result from the operation and subsequent decommissioning of the facility; assisting offsite authorities in emergency preparedness activities, including assistance to deal with an accidental offsite release; developing and maintaining nuclear security.

a description of the public information and disclosure program to keep the public and target audiences informed of the anticipated effects of the facilitys operation on their health and safety and on the environment, as well as the program to identify public opinions and concerns in relation to the licensed activities; the updated preliminary decommissioning plan; the proposed financial guarantee for the activities to be licensed under the licence to operate.

The first licence to operate the facility is typically issued with conditions (hold points). All the relevant commissioning tests must be satisfactorily completed before the hold points can be removed.

2.2.1.5 CNSC conduct of reviews The CNSC staff performs technical assessments of licence applications by reviewing the application against all regulatory criteria as established by the Nuclear Safety and Control Act [4], relevant regulations, CNSC requirements and expectations, international and domestic standards and applicable international obligations. A project-specific assessment plan is developed that outlines the logistics for conducting the review, and the activity specific Technical Assessment Reference Matrix is a reference tool that provides criteria to be used for technical assessments in support of a licensees proposed safety and control measures.

The CNSC does not certify reactor designs nor does it licence reactor facilities. The CNSC licences the activities associated with reactor facilities, as well as certifies key positions referred to in the licence. An applicant must demonstrate that it is qualified to carry on the proposed licensed activity, and will, in carrying on that activity make adequate provision for the protection of the environment, the health and safety of persons and the maintenance of national security and measures required to implement international obligations to which Canada has agreed. An applicant may reference a submission made for a similar facility owned and operated by the applicant that has been assessed and licensed by either the CNSC or a foreign national regulatory body, however, a licence application must address site specific criteria and include information to address the specific activity proposed. This is articulated in Section 3.3 of REGDOC-1.1.3 [18].

2.2.1.6 Licensing Basis The licensing basis as described in REGDOC-3.5.3 [21] sets the boundary conditions for a regulated activity and establishes the basis of CNSCs compliance program for that regulated activity. All licensees are required to conduct their activities in accordance with the licensing basis, which is defined as a set of requirements and documents for a regulated activity comprising the following:

15

regulatory requirements set out in the applicable laws and regulations; conditions and safety and control measures described in the licence, and the documents directly referenced in that licence; safety and control measures described in the licence application and the documents needed to support that licence application.

Where referenced in a licence or Licence Condition Handbook, REGDOCs form part of the licensing basis for a regulated facility or activity.

Documents needed to support the licence application are those which demonstrate that the applicant is qualified to carry on the licensed activity, and that appropriate provisions are in place to protect worker and public health and safety, to protect the environment, and to maintain national security and measures required to implement international obligations to which Canada has agreed. Examples are detailed documents supporting the design, safety analyses and all aspects of operation to which the licensee makes reference, such as documents describing conduct of operations, and conduct of maintenance.

2.2.2 United States In the United States, the NRCs regulatory framework provides several options for designers and applicants for license and permit applications as well as design approvals. These options are all formal application processes. The following provides a listing of these options. Additional discussions regarding these options follows:

Construction Permit and Limited Work Authorization (10 CFR Part 50)

Operating License (10 CFR Part 50)

Early Site Permit (10 CFR Part 52).

Combined License (10 CFR Part 52)

Design Certification (10 CFR Part 52)

Standard Design Approval (10 CFR Part 52}

Manufacturing License (10 CFR Part 52)

In December 2017, the NRC published A Regulatory Review Roadmap for Non-Light Water Reactors (ADAMS Accession No. ML17312B567) [10]. In this document, the NRC provides a discussion of the licensing, permitting, approval options available in its regulatory framework for designers and applicants for new reactor designs. The discussion herein borrows substantially from the discussion in the regulatory review roadmap. Additional details and insights may be gleaned from a detailed review of the regulatory review roadmap.

2.2.2.1 Construction Permit Under 10 CFR Part 50 Domestic Licensing of Production and Utilization Facilities [11], a construction permit (CP) from the NRC authorizes construction of a nuclear power plant.

The NRC focuses on the preliminary design and the suitability of the site before authorizing construction of the nuclear power plant. The NRC reviews the application and documents its findings on site safety characteristics and emergency planning in a safety evaluation 16

report. The NRC also conducts an environmental review, in accordance with the National Environmental Policy Act (NEPA) [22], to evaluate the potential environmental impacts of the proposed plant. The Advisory Committee on Reactor Safeguards (ACRS) reviews each CP application and the NRCs related safety evaluation and reports its findings and recommendations to the Commission. The Commission conducts a mandatory public hearing, but may delegate this responsibility to the Atomic Safety and Licensing Board (ASLB).

The NRC may authorize an applicant to do some work at a site before a CP is issued. The agency can grant a limited work authorization after issuing a final environmental impact statement and other conditions in accordance with 10 CFR 50.10(e) [11].

The 10 CFR Part 50 [11] process allows beginning the licensing process and, if the applicant wishes, starting construction earlier in the design process (at the preliminary design stage) than would be required by 10 CFR Part 52 Licenses, Certifications, and Approvals for Nuclear Power Plants [12]. While offering some flexibilities, the design-as-you-build approach in Part 50 introduces some project risks in the regulatory arena if the NRC imposes additional requirements as a condition of receiving an operating license at a later date. This approach also provides less finality before making a significant financial investment in plant construction.

An overall licensing plan for non-LWR technology might include multiple reactors (e.g., test reactors, first-of-a-kind (FOAK) large-scale reactors, and subsequent commercial units) and include a CP application within the regulatory engagement plan for the test or FOAK reactors. As shown below, CP applicants may benefit from pre-application interactions during the conceptual and preliminary design processes. Pre-application interactions, previous NRC staff findings and final agency positions, and pre-application submittals can help prepare the NRC for receipt and review of the CP application. The CP application may reference a Standard Design Approval (SDA) or cite staff reports that document existing conclusive staff findings associated with the application. The application may also reference an early site permit (ESP), which represents a final agency position, provided the proposed plant remains bounded by the parameters defined in the ESP.

17

Figure 2. NRC Licensing-Related Processes Source: A Regulatory Review Roadmap for Non-Light Water Reactors 2.2.2.2 Operating License As the second step under the 10 CFR Part 50 licensing process, an applicant develops final design information and plans for operation during the construction of the nuclear plant and then submits an application to the NRC for an operating license. The application contains a final safety analysis report and an updated environmental report in accordance with NEPA requirements. The safety analysis report describes the plants final design, operational limits, anticipated response of the plant to postulated accidents, and plans for coping with emergencies. The ACRS reviews each operating license application and the NRCs related final safety evaluation report and offers findings and recommendations to the Commission.

The NRC provides an opportunity for any person whose interests might be affected by the proceeding to petition the NRC for a hearing. A mandatory hearing for an OL will not be conducted, however, if a public hearing is requested, the ASLB conducts it as described in NUREG/BR-0249, The Atomic Safety and Licensing Board Panel, Revision 4, issued December 2013 [23].

2.2.2.3 Design Certification The NRC can certify a reactor design for 15 years through the rulemaking process, independent of a specific site. A certified design, as defined by 10 CFR 52.41, Scope of Subpart, [12] consists of an essentially complete nuclear power plant design. The application must also contain a level of design information sufficient to enable the Commission to reach a final conclusion on all safety questions associated with the design before the certification is granted. The ACRS reviews each application for a design certification (DC), together with the NRC staffs safety evaluation report. If the design is found to be acceptable, the NRC certifies it through a rulemaking. Under this process, the 18

NRC issues a public notice of the proposed rule in the Federal Register seeking public comments. The NRC resolves the comments in the final rule, and then publishes it in the Federal Register. The design is certified as an appendix to 10 CFR Part 52. The NRC has previously certified five designs as Appendices A through E to 10 CFR Part 52 and is currently pursuing rulemaking to certify the NuScale small modular reactor design as proposed in SECY-21-0004 [24]. The rulemaking process and related Commission decisions establish final agency positions on the certified design, which can then be referenced in future combined license (COL) applications.

2.2.2.4 Early Site Permits Under the regulations in 10 CFR Part 52 [12] and NEPA [22], the NRC can issue an ESP for approval of one or more specific sites separate from an application for a CP or COL.

Issuance of an ESP includes ACRS reviews and a mandatory hearing, which the Commission either holds or delegates to the ASLB, and results in a final agency position suitable for referencing in subsequent applications for a CP or COL. Such permits are good for 10 to 20 years and can be renewed for an additional 10 to 20 years. They address site safety and environmental protection issues and can address complete plans for coping with emergencies or major features of such plans, independent of the review of a specific nuclear plant design.

2.2.2.5 Combined License Under the regulations in 10 CFR Part 52 [12] and NEPA [22], the NRC may issue a COL to authorize construction and conditional operation of a nuclear power plant. The application for a COL must contain essentially the same information required in an application for an operating license issued under 10 CFR Part 50 [11]. An application for a COL may reference a DC or an SDA; an ESP; both; or neither. The ACRS reviews each application for a COL.

A hearing opportunity also provides the public an opportunity to participate in the licensing process. The ASLB conducts hearings on any contested matters, while the Commission conducts a mandatory hearing before issuance of every COL. After issuing a COL, the NRC verifies that the licensee has completed the required inspections, tests, and analyses, and that the acceptance criteria have been met before the plant can operate. The NRC publishes a notice providing an opportunity for members of the public to participate in a hearing related to satisfaction of the inspections, tests, analyses and acceptance criteria before plant operation.

2.2.2.6 Standard Design Approval A designer may submit a proposed final standard design for the entire nuclear power plant or major portions of it to the NRC for review. Unlike a DC, the SDA documents the NRC staffs conclusive findings but does not prevent issues resolved by the design review process from being reconsidered during a rulemaking for a DC or during hearings associated with a CP or COL application. An SDA can nevertheless be a useful tool within a regulatory engagement plan, in combination with pre-application interactions held during the conceptual and preliminary design processes. The SDA and the related safety evaluation report document NRC staff findings, involve ACRS reviews, and provide a reference for subsequent applications. As such, the SDA can provide incremental progress towards the licensing or certification of a non-LWR design in what can be referred to as a staged-licensing process.

19

A potentially useful feature of an SDA is that its scope is defined in 10 CFR 52.131, Scope of Subpart, to include the design of a nuclear power plant or major portions thereof. This differs from the scope of a DC, which is defined by 10 CFR 52.41, Scope of Subpart, [12]

to consist of an essentially complete nuclear power plant design. The ability to limit the scope of an SDA to major portions of a design provides an opportunity for regulatory interactions to focus on those plant features most related to controlling the risks to public health and safety or those plant features whose design has been finalized under a staged design and licensing strategy. Power conversion systems or other plant features may either remain in a conceptual or preliminary design process or not be included in information provided for NRC staff review. Defining a major portion of a design for the purpose of an SDA may be challenging given the relationships between various plant systems and the contributions of safety and non-safety systems to plant risk. Regulatory engagement plans and other interactions between a designer and the staff will need to include a rationale for which portion(s) of a plant will be included in the application and which can be excluded from the review or addressed though concepts similar to the conceptual design information or design acceptance criteria used for some DCs.

Non-LWR developers considering seeking an SDA may find additional insights in the Nuclear Innovation Alliance report Clarifying Major Portions of a Reactor Design in Support of a Standard Design Approval (ADAMS Accession No. ML17128A507) [25]. The NRC staff provided feedback on this report on July 20, 2017 (ADAMS Accession No. ML17201Q109) [26].

An applicant for a construction permit or combined license may reference an SDA for those portions of the plant included in the scope of the SDA.

As in other pre-application interactions, the regulatory engagement plan and associated NRC review plans should establish expectations in terms of outcomes, resources, and schedules. Periodic project management meetings will be conducted during the SDA review process to monitor project progress and costs.

2.2.2.7 Manufacturing License This option is not discussed in detail as there has not been any recent NRC experience with manufacturing licenses for a power reactor. Efforts are currently underway by the NRC to develop proposed guidance for manufacturing licenses in conjunction with the effort to develop a proposed new technology inclusive, risk-informed, performance-based regulation (i.e., 10 CFR Part 53 ).

2.2.2.8 Research and Test Reactors and Prototype Plants An overall or integrated plan for developing non-LWR technologies and specific designs may include the construction and operation of research and test reactors or prototype plants. The development of such reactors and potential NRC licensing of these facilities are major activities in and of themselves. The importance of such facilities warrants a mention and emphasis early in the development of any technology or design-specific regulatory engagement plan. to the NRCs Regulatory Review Roadmap (ADAMS Accession No. ML17312B567) [10] provides background information and guidance on the potential use of a FOAK unit for prototype testing or other validations, considerations in the use of research 20

and test reactors as part of the design development, and additional information on planning for performing testing (including prototypes) to support the design.

2.2.3 Comparison table of regulatory interactions The table below provides a summary of the regulatory engagement options available for applicants in the United States and Canada.

Table 2. Comparison of Regulatory Interactions Designer/Vendor Licensee/Applicant Pre-Country Application Country Pre-Application Application Application Both Regulatory Both Regulatory Engagement Engagement Plan Plan Both Drop-in Drop-in Both Drop-in meetings Drop-in meetings meetings meetings US Regulatory US Regulatory Information Information Summary* Summary* (RIS-(RIS-20-02) 20-02) response response Canada Vendor Canada Application Licence to:

Design Assessment Prepare Site; Review Strategy Construct; Operate US Part 52: US Part 50:

Design Construction Certification; Permit; Standard Operating Design License Approval; Manufacturing License US Part 52:

Early Site Permit; Combined License US Topical Topical US Topical Reports Topical Reports Reports Reports US White Papers White Papers US White papers White Papers US Conceptual or preliminary design assessment 21

Designer/Vendor Licensee/Applicant Pre-Country Application Country Pre-Application Application Application

  • Responses to RIS-20-02 are voluntary and typically provided on an annual basis. The purpose is to inform the NRC of applicant intentions for regulatory engagement with the NRC over the projected 3-year period following response date to assist the NRC in work planning and budget development.

2.3 Overview of regulatory safety objectives and dose limits The following section provides an overview of the bases for each regulatory authority for the establishment of safety objectives with respect to new nuclear reactors. In addition, this section identifies regulatory dose limits on radiation exposure established by each regulator. This report makes no representations or conclusions regarding differences except to say that each regulatory framework is effective in protecting the health and safety of the public.

2.3.1 Canada The CNSC derives its regulatory authority from the Nuclear Safety and Control Act (NCSA)

[4] that came into force in May 2000. The CNSC has the statutory authority to establish dose limits and make regulations that set requirements to prevent unreasonable risk to the health and safety of persons. These dose limits set out in the Radiation Protection Regulations [27] and are consistent with the recommendations of the International Commission on Radiological Protection (ICRP). Regulatory dose limits during normal operation are described in sections 13 and 14 of the regulations, while emergency dose limits for persons participating in the control of an emergency are described in section 15 of the regulations. The yearly dose limit for a member of the public is 1 milliSievert (mSv) (100 mRem) of effective dose. Irrespective of the dose limits, paragraph 4(a) of the Radiation Protection Regulations requires that doses to persons be maintained as low as reasonably achievable (ALARA), taking into account social and economic factors.

2.3.1.1 Safety Objectives The CNSC endorses the general safety objective established by the International Atomic Energy Agency (IAEA) that nuclear installations be designed and operated in a manner that will protect individuals, society and the environment from harm, by establishing and maintaining effective defences against radiological hazards. For abnormal conditions in the plant, this general objective is supported by three complementary safety objectives, as documented in section 4 of REGDOC 2.5.2, Design of Reactor Facilities: Nuclear Power Plants1 [28]. These are summarized in the following sections.

2.3.1.1.1 Radiation protection objectives during normal operation and anticipated operational occurrences (AOOs)

The radiation protection objective is to provide that during normal operation, or during anticipated operational occurrences (AOOs), radiation exposures within the plant or due to any planned release of radioactive material from the plant, are kept below prescribed limits and ALARA.

1 REGDOC-2.5.2 version 2 is now out for public consultation and is a merger of REGDOC-2.5.2 with RD-367 Design of Small Reactor Facilities. References to REGDOC-2.5.2 within this report refer to the earlier May 2014 version.

22

2.3.1.1.2 Technical safety objectives The technical safety objectives are to provide all reasonably practicable measures to prevent accidents in the nuclear power plant (NPP), and to mitigate the consequences of accidents if they do occur. This takes into account all possible accidents considered in the design, including those of very low probability. When these objectives are achieved, radiological consequences will be evaluated to demonstrate that they will remain below regulatory limits, and the likelihood of accidents with serious radiological consequences will be extremely low. The technical safety objectives provide the basis for the dose acceptance criteria discussed in Section 2.3.1.3 below and the following safety goals:

Qualitative safety goals A limit is placed on the societal risks posed by NPP operation. For this purpose, the following two qualitative safety goals have been established:

1. Individual members of the public shall be provided a level of protection from the consequences of NPP operation, such that there is no significant additional risk to the life and health of individuals.
2. Societal risks to life and health from NPP operation shall be comparable to or less than the risks of generating electricity by viable competing technologies and shall not significantly add to other societal risks.

Quantitative application of the safety goals The quantitative safety goals are established to achieve the intent of the qualitative safety goals.

1. Core damage frequency (CDF) - The calculated CDF should demonstrate that the sum of frequencies of all event sequences that can lead to significant core degradation shall be less than 10-5 per reactor year.
2. Small release frequency (SRF) - The calculated SRF should demonstrate that the sum of frequencies of all event sequences that can lead to a release to the environment of more than 1015 becquerels of iodine-131 shall be less than 10-5 per reactor year. A greater release may require temporary evacuation of the local population.
3. Large release frequency (LRF) - The calculated LRF should demonstrate that the sum of frequencies of all event sequences that can lead to a release to the environment of more than 1014 becquerels of cesium-137 shall be less than 10-6 per reactor year. A greater release may require long-term relocation of the local population.

Safety analyses are expected to be performed to confirm that these criteria and goals are met, to demonstrate effectiveness of measures for preventing accidents, and mitigating radiological consequences of accidents if they do occur. The CDF is determined by a Level 1 probabilistic safety analysis (PSA)2, which identifies and quantifies the sequence of events that may lead to significant core degradation. The SRF and LRF are determined by a Level 2 Probabilistic safety assessment (PSA) is the term used by CNSC whereas probabilistic risk assessment (PRA) is the term used by NRC and these terms are considered interchangeable.

23

2 PSA, which starts from the results of a Level 1 PSA, analyzes the containment behaviour, evaluates the radionuclides released, and quantifies the releases to the environment.

2.3.1.1.3 Environmental protection objective The environmental protection objective is to provide all reasonably practical mitigation measures to protect the environment during NPP operation and to mitigate the consequences of an accident. The applicant is expected to demonstrate how this objective is being addressed in design activities and to identify any provisions being implemented in the design to control, treat and monitor releases to the environment and to minimize the generation of radioactive and hazardous wastes.

2.3.1.2 Dose acceptance criteria The committed whole-body dose for average members of the critical groups who are most at risk, at or beyond the site boundary, is expected to be calculated in the deterministic safety analysis for a period of 30 days after the analyzed event. This dose is expected to be less than or equal to the dose acceptance criteria of 0.5 (mSv) (0.05 rem) for any AOO, or 20 mSv (2 rem) for any design basis accident (DBA).

2.3.2 United States The NRC derives its regulatory authority from the Atomic Energy Act (AEA) of 1954, as amended [29]. The AEA also directed that regulations be prepared that would protect public health and safety from radiation hazards. The regulations promulgated to protect public health and safety from radiation hazards associated with the operation of commercial nuclear power plants are included in Title 10 of the Code of Federal Regulations (CFR).

Specifically, 10 CFR Part 20 Standards for Protection Against Radiation [30] includes individual exposure limits of 1 mSv/yr (100 mrem/yr). In addition, 10 CFR 50.34 includes regulatory limits on radiation exposure resulting from design basis events:

An individual located at any point on the boundary of the exclusion area for any 2-hour period following the onset of the postulated fission product release, would not receive a radiation dose in excess of 250 mSv (25 rem) total effective dose equivalent (TEDE).

An individual located at any point on the outer boundary of the low population zone, who is exposed to the radioactive cloud resulting from the postulated fission product release (during the entire period of its passage) would not receive a radiation dose in excess of 250 mSv (25 rem) total effective dose equivalent (TEDE).

In addition to the above radiation exposure limits contained in NRC regulations, the Commission has also included radiation exposure guidelines as part of its Quantitative Health Objectives (QHOs) for early or latent health effects contained in its Policy Statement

[31] that include:

The average individual risk of early fatality within 1.6 kilometers (1 mile) of the exclusion area boundary from all licensing basis events (LBEs) shall not exceed 5 x 10-7/plant-year to ensure that the plant meets the NRC safety goal quantitative health objective for early fatality risk.

The average individual risk of latent cancer fatalities within 16 kilometers (10 miles) of the exclusion area boundary from all LBEs shall not exceed 2 x 10-6/plant-year to 24

ensure that the plant meets the NRC safety goal quantitative health objective for latent cancer fatality risk.

In the LMP process, the NRC also considers the radiation exposure guideline of 10 mSv (1 rem) to correspond to the Environmental Protection Agency (EPA) Protective Action Guide (PAG) [32] recommendations on dose and consistent with the goal of avoiding the need for offsite emergency response for any anticipated operational occurrence.

2.4 Technology inclusive, risk-informed, performance-based licensing approaches In this section the technology-inclusive, risk-informed, performance-based approaches to licensing that are available as part of the regulatory frameworks in Canada and the United States are described.

2.4.1 Canada The CNSC has a long history of including a risk-informed approach to NPP regulation. The approach has been to set high level objectives and allow some flexibility for the licensee on how to meet this objective. A specific set of requirements were developed with the Canada Deuterium Uranium (CANDU) reactors in mind. Over time, and more specifically in the last decade, the CNSCs approach has been modernized to be more technology neutral and more in line with the precepts of the IAEA. These requirements were written with water cooled reactor facilities in mind, however the objectives expressed in these documents can be applied to other reactor technologies. With the development of regulatory documents for new reactors, the CNSC regulatory framework is moving from the traditional CANDU-specific terminology towards more design-neutral and internationally harmonized language largely based on the IAEAs safety standards series.

The summary that follows is the current CNSC practice with respect to nuclear safety requirements for new reactors.

2.4.1.1 CNSC Approach to Identification and Classification of Postulated Initiating Events (PIEs) in the Safety Analysis Regulatory requirements and guidance for deterministic safety analyses (DSAs) and probabilistic safety analyses (PSAs) are included in REGDOC-2.4.1 Deterministic Safety analysis [33] REGDOC-2.4.2 Probabilistic Safety Assessment [34], and REGDOC-2.5.2 Design of Reactor Facilities [28].

2.4.1.1.1 Event Identification REGDOC-2.4.13 Section 4.2 [33] provides requirements and guidance on identification of postulated initiating events (PIEs). A PIE is an event identified in a design as leading to either an anticipated operational occurrence (AOO) or accident condition. Not necessarily an accident itself, a PIE is the event that initiates a sequence that may lead to an operational occurrence, a design-basis accident (DBA), or a beyond-design-basis accident (BDBA).

3 REGDOC-2.4.1 is currently under periodic update, and information provided here may change with the update. For instance, the concept of design extension condition will be introduced in the revised REGDOC-2.4.1 to align with the IAEA and with REGDOC-2.5.2.

25

The PSA is a key source for PIE determination but other sources (such as PIEs for similar designs, engineering judgement, historical precedent) are used to ensure that the list of PIEs is complete. A rigorous, systematic, and documented process should be used to identify events, including events from all sources such as Fuel Handling/Irradiated Fuel Bay events. Event sequences (sometimes referred as events) are PIEs plus additional failures of mitigating systems and are typically modelled in PSA.

PIEs and events include component and system failures or malfunctions, operator errors, and common-cause internally and externally initiated events, including those affecting multiple reactor units on a site. A full list of PIEs and associated sequences is expected to be large. The events are grouped into accident categories based on common initiators and similar phenomena and use of mitigating systems. Events representative of each group are fully analysed. It must be demonstrated, by additional analysis or by argument that the other events in the group lead to less limiting outcomes.

As stated in REGDOC-2.4.1: In the safety analysis of AOOs and DBAs for Level 3 defence-in-depth, bounding events should be identified for each applicable acceptance criterion within each category of events. In some cases, one accident scenario in the same category of events may be more severe in terms of one acceptance criterion (for example, containment pressure limit) and another may be more severe in terms of a different acceptance criterion (for example, public doses). All these scenarios should be considered in the safety analysis process as bounding events for different acceptance criteria. [33].

2.4.1.1.2 Event Classification The representative list of events is then classified into plant states in accordance with REGDOC-2.4.1, Section 4.2.3 and called anticipated operational occurrences (AOOs),

design basis accidents (DBAs) and beyond design basis accidents (BDBAs) / design extension conditions (DECs), as follows:

AOO 10-2 occurrences per reactor year (/yr);

10-2 > DBA 10-5 /yr; and; BDBA/DEC < 10-5 /yr.

BDBA events include DECs which are considered in the design. More severe events than DECs should be practically eliminated.

Event classification should take into account any relevant regulatory requirements or historical practices. Events with a frequency on the border between two classes of events, or with substantial uncertainty over the predicted event frequency, shall be classified into the higher frequency class.

REGDOC-2.4.1 also provides the following examples of event categories that applicants are expected to address:

increase in reactor heat removal; decrease in reactor heat removal; changes in reactor coolant system flow rate; 26

reactivity and power distribution anomalies; increase in reactor coolant inventory; decrease in reactor coolant inventory; release of radioactive material from a subsystem or component.

2.4.1.2 CNSC Approach to Safety Assessment Safety analysis is a systematic evaluation of the potential hazards associated with the conduct of a proposed activity or facility and considers the effectiveness of preventative measures and strategies in reducing the effects of such hazards in support of the siting, design, commissioning, operation, and decommissioning of a reactor facility. In Canada, an overall safety assessment of the reactor facility design includes, deterministic safety analysis (DSA), probabilistic safety assessment (PSA) techniques and hazards analysis. A preliminary safety analysis report (PSAR) is required to be submitted as part of an application to construct an NPP.

CNSCs expectations for safety analysis are primarily captured in: REGDOC-2.4.1, Deterministic Safety Analysis; REGDOC-2.4.2, Probabilistic Safety Assessment for Nuclear Power Plants, and REGDOC-2.5.2, Design of Reactor Facilities: Nuclear Power Plants.

High level expectations include:

systematic managed process applied throughout the design phase to ensure that the design meets all relevant safety requirements; requirements set by the operating organization and by regulatory authorities; data derived from the safety analysis, previous operational experience, results of supporting research, and proven engineering practices; an independent peer review of the safety assessment conducted by individuals or groups separate from those carrying out the design; documentation identifying those aspects of operation, maintenance and management that are important to safety.

The objectives of safety analysis, as simplified from REGDOC-2.4.1 and REGDOC-2.4.2, include:

confirmation that the design of a reactor facility meets design and safety requirements and the applicable requirements for defence-in-depth (DiD); in particular, the deterministic safety analysis shall:

o demonstrate Level 2 defence-in-depth by providing reasonable confidence that control systems acting alone can mitigate a wide range of AOOs without damage to structures, systems or components; o demonstrate Level 3 defence-in-depth by providing high confidence that the safety systems acting alone can mitigate all AOOs and DBAs such that the facility meets the regulatory dose acceptance criteria; o assist in demonstrating Level 4 defence-in-depth by supporting PSA to demonstrate that the facility meets regulatory safety goals.

27

to derive or confirm operational limits and conditions (OLCs) that are consistent with the design and safety requirements for the reactor facility; to assist in establishing and validating accident management procedures and guidelines; demonstration that a balanced design has been achieved; this can be demonstrated as achieved if no particular feature or postulated initiating event makes a disproportionately large or significantly uncertain contribution to the overall risk, and the first two levels of defence-in-depth bear the burden of ensuring nuclear safety; to provide site-specific assessments of the probabilities of occurrence, and the consequences of external hazards; to provide assessments of the probabilities of occurrence for severe core damage states, and assessments of the risks of major radioactive releases to the environment.

2.4.1.2.1 Deterministic Safety Analysis REGDOC-2.4.1 sets out the requirements and technical criteria related to deterministic safety analysis, including the selection of events to be analyzed, acceptance criteria, deterministic safety analysis methods, and safety analysis documentation, review and update, and quality control.

The deterministic safety analysis framework consists of identification of events, grouping of these events, analyzing these events with certain rules of varying conservatism and documenting safety margins and uncertainties to finally calculate the radiological consequences of the events and compare with the dose acceptance criteria. Identification, grouping and classification of events were previously discussed in section 2.4.1.1.1 and 2.4.1.1.2.

2.4.1.2.2 DSA Analysis rules (AOO, DBA and BDBA/DEC)

The analysis rules for events differ depending on the category classification.

For AOO analyses used to demonstrate capability of control systems (level 2 DiD), only a reasonable confidence in the results is required so a low level of conservatism is acceptable.

A best estimate code without accounting for code uncertainty can be used. However, some conservatisms in input data are normally used as this can reduce the effort of producing a fully best-estimate model and simplify regulatory acceptance.

For DBA analysis to demonstrate the capability of safety systems (level 3 DiD),

conservatism is used to ensure high confidence in code predictions. Conservatisms can include accounting for uncertainties in the analysis and using conservative simplifying assumptions such as:

worst single failure assumed in safety systems; initial conditions at the worst operating point in the operating envelope; no operator action before a conservatively defined time; no action from control systems unless it makes conditions worse.

28

In the Level 3 DiD analysis, all key modelling and input uncertainties should be identified, evaluated and accounted for. The safety analysis for Level 3 should incorporate appropriate uncertainty allowances for the parameters relevant to the analyzed accident scenario. Such uncertainties include modelling and input plant parameters uncertainties.

For DEC analysis, reasonable confidence is acceptable and so best-estimate codes and input data can be used.

2.4.1.2.3 Dose Acceptance Criteria In Canada, dose acceptance criteria for new NPPs are specified as requirements in REGDOC-2.5.2, Section 4.2.1 [28] and are set to 0.5 mSv (0.05 rem) for any AOO and 20 mSv (2 rem) for any DBA. In addition, based on the dose acceptance criteria, derived acceptance criteria are established to confirm the effectiveness of plant systems in maintaining the integrity of physical barriers against releases of radioactive material. For some types of NPPs, these barriers are the fuel sheath, the fuel matrix, the primary coolant system boundary and the containment boundary.

Safety analysis results are normally documented in a safety report that describes the nuclear installation design, its operating conditions and provides information required for issuance of an operating licence.

2.4.1.2.4 Probabilistic Safety Assessment REGDOC-2.4.2 sets out the requirements for probabilistic safety assessments (PSAs). It provides insights into plant design and operation, including the identification of dominant risk contributors and safety improvement opportunities, and the comparison of options for reducing risk. The CNSC only requires the conduct of PSA Level 1 and Level 2. The PSA analysis are required to cover all plant operating modes as well as internal events, and internal and external hazards.

2.4.1.2.5 Hazard Analysis Within the context of safety analysis, CNSC does not have specific overall regulatory documents for the conduct of hazards analysis. CSA standards such as N289.1-18, General requirements for seismic design and qualification of nuclear power plants, [35]

and N293-12 (R2017), Fire protection for nuclear power plants, [36] are can be used for the development of the analysis for those hazards.

REGDOC-2.4.1 states that a hazards analysis (such as fire hazard assessment or seismic margin assessment) will demonstrate the ability of the design to effectively respond to credible common-cause events. This analysis is meant to confirm that the NPP design incorporates sufficient diversity and physical separation to cope with credible common-cause events. It also confirms that credited SSCs are qualified to survive and function during credible common-cause events, as applicable.

2.4.1.2.6 CNSC Approach to Safety Classification The traditional approach to safety classification of equipment, systems and components, as is used in the current fleet of CANDUs is largely based on the classification suggested in CSA N285.0-95, General Requirements for Pressure-Retaining Systems and Components 29

in CANDU Nuclear Power Plants [39]. For new NPPs, the safety classification approach has been modernised to be in line with IAEA Standards and Guides (SSG-30) [38]. These standards and guides shift the classification focus from systems, to functions performed by SSCs where the term function derives from the fundamental safety functions and includes the primary function and any supporting functions that are expected to be performed to ensure the accomplishment of the primary function.

2.4.1.3 Regulatory Framework Related to Safety Classification All SSCs shall be identified as either important to safety or not important to safety. The criterion for determining safety importance is based on:

safety function(s) to be performed; consequence(s) of failure; probability that the SSC will be called upon to perform the safety function; the time following a PIE at which the SSC will be called upon to operate, and the expected duration of that operation.

SSCs important to safety shall include:

safety systems; complementary design features; safety support systems; other SSCs whose failure may lead to safety concerns (e.g., process and control systems).

Appropriately designed interfaces shall be provided between SSCs of different classes in order to minimize the risk of having SSCs less important to safety adversely affecting the function or reliability of SSCs of greater importance.

The CNSC also requires a reliability program in accordance with REGDOC-2.6.1, Reliability Programs for Nuclear Power Plants [39]. This document requires a systematic method to identify a subset of SSCs to be included in the plants reliability program. The methodology involves:

a. identifying the SSCs of the NPP associated with the initiation, prevention, detection or mitigation of any failure sequence which could lead to damage of fuel or associated release of radionuclide or both;
b. ranking the identified systems on the basis of their relative importance to safety;
c. screening out those systems that do not contribute significantly to plant safety.

The design authority shall then classify SSCs using a consistent and clearly defined classification method. The SSCs shall be designed, constructed, and maintained such that their quality and reliability is commensurate with this classification (REGDOC 2.5.2, section 7.1).

30

The first step in SSC classification is to define functions in order to enable identification of all of the SSCs that have to operate together to accomplish a particular function, and consequently makes the classification clearer and more consistent. This check for consistency did not exist when systems were classified independently.

Functions are safety-categorized using the severity of consequences, (such as radioactive releases, doses or plant physical parameters exceeding design criteria) should the function fail. For example, IAEA SSG-30 states that three levels of radiological severity could be designated as High, Medium or Low as follows:

High: if failure of the function could, at worst, lead to a release of radioactive material that exceeds the limits accepted by the regulatory body for DBAs; Medium: if failure of the function could, at worst, lead to a release of radioactive material that exceeds limits established for AOOs; or Low: if failure of the function could, at worst, lead to doses to workers above authorized limits.

Severity may also be characterized using key physical parameters and potential for exceeding design criteria. Examples include:

Design acceptance criteria regarding physical parameters (e.g., reactor coolant system (RCS) or heat transport system pressure, fuel cladding temperature, and criticality).

Design acceptance criteria regarding barrier integrity (e.g., departure of nucleate boiling ratio as a surrogate criterion to prevent fuel cladding failure).

Design criteria regarding the non-aggravation of the accident (e.g., non-aggravation from an AOO to a DBA, non-aggravation from a DEC without core melt to a severe accident).

Once the safety functions are categorized, the SSCs necessary for the accomplishment of each safety function need to be identified and classified including those providing support to equipment of the front-line system. Then, on the basis of the classification, a complete set of engineering design rules must be specified to ensure that SSCs will be operated so that their specified quality and reliability is maintained during the life of the plant.

Most classified SSCs are those whose failure, when requested to operate, lead to an increase of doses to workers or to the public. Nevertheless, taking into account that conditions for safe operation of the plant could be significantly affected and degraded by the effects of internal or external hazards, SSCs designed either to prevent or to limit propagation of the effects need to be identified and considered in the safety classification methodology.

The functions that need to be accomplished in the different plant states, and which systems are expected to respond to a PIE, taking into account that the safety category and the safety class, are influenced by the probability of the PIE occurring. Those functions need to be defined at an adequate level of detail, enabling the identification of all of the SSCs necessary for performing the functions. This information is usually available in the plant system description, even if preliminary.

31

The CNSC approach for safety classification is largely based on the IAEA standards and guides. The IAEA approach for safety classification is a top down process that begins with a basic understanding of the plant design, its safety analysis and how the main safety functions will be achieved. It should be noted that under the CNSCs regulatory approach, the applicant is free to propose their own safety classification process and rationale provided that the fundamental objectives of the classification is demonstratively met.

2.4.1.3.1 Steps to undertake for determining Safety Classification The safety classification process steps that are considered as part of an acceptable methodology in REGDOC-2.5.2 are discussed below and shown in Figure 2.

2.4.1.3.1.1 Basic understanding of the plant design The first activity involves a basic understanding of the plant design, its safety analysis and the main safety functions needed to achieve the design objectives. CNSC expects the design authority to provide an understanding of the plant design envelope and plant states and establish the event sequences that can lead to safety challenges in each of the plant states. The process should include pressure retaining components, electrical, instrumentation and control equipment, and civil structures.

2.4.1.3.1.2 Identification of plant-specific safety functions In the next step the safety functions are identified. Safety functions use SSCs in various combinations as the physical means to accomplish their goal. Once the PIEs are known then the safety functions necessary to prevent or mitigate the safety challenges associated with the PIE can be identified. Typically, these include the IAEA designated fundamental safety functions but should also include other safety functions that may be unique to the type of reactor and associated facility being designed. REGDOC-2.5.2 Section 6.2 lists the following safety functions:

Control of reactivity.

Removal of heat from the core and spent fuel.

Confinement of radioactive material.

Shielding against radiation.

Control of operational discharges and hazardous substances, as well as limitation of accidental releases.

Monitoring of safety critical parameters to guide operator actions.

The plant-specific safety functions are necessary to respond to PIEs and are primarily those that are credited in the safety analysis. The scope of safety functions includes those performed at all levels of DiD and plant states, functions for fuel storage and handling and functions necessary to protect design provisions such as physical barriers.

32

Figure 3. IAEA Safety Classification Flow Diagram Source: IAEA SSG-30 2.4.1.3.1.3 Safety categorization of the safety functions Once the safety functions are established, they are expected to be evaluated and categorized into a limited number of safety categories. These categories are established to allow for graded design rules. REGDOC-2.5.2, Section 7.1, states that the criteria for determining safety importance should be based on the following considerations:

Consequences of failure - This can be evaluated in terms of the release of radioactive material or hazardous substances that can result from failure of the function. In general, for a given event frequency, safety functions whose failure causes a larger release would likely be considered to be more important.

33

Probability of being called upon - The probability of being called upon is generally determined by the plant state in which the safety function is required. For a given consequence of failure, a higher probability of being called upon generally means a higher level of importance of the safety functions.

Time available to act following a PIE - In general, the shorter the available time, the more challenging the design considerations are, such as software scheduling, water hammer, and the time available to provide alternate functions. In general, safety functions required immediately or in a very short time (seconds) to stabilize a transient or stop radioactive releases are considered to be more important.

Duration of required operation - The duration of required operation is considering all factors affecting the reliability of the safety function, such as the quality of materials, inspections and periodic tests, failure rates of components, and redundancy. In general, safety functions for which there is no available alternative and/or that must operate for longer mission times should be treated as more important.

2.4.1.3.1.4 Identification and classification of SSCs that provide the safety functions Once the safety categorization of the functions is completed, the SSCs required to perform each function are identified. These SSCs are then safety-classified based of their role in achieving the safety function. Generally, safety class corresponds directly to the safety category, however, this will depend on the role of the SSC and the specific classification methodology proposed by the designer. SSCs performing several safety functions in different categories should be assigned the class corresponding to the highest safety category. In addition, rules for the classification of interface components should be provided.

Further specific individual SSC safety classification guidelines are provided in REGDOC-2.5.2 Section 5.1.

2.4.1.3.1.5 Verification of the safety classification results The adequacy of the safety classification is expected to be continuously verified as the design progresses. Deterministic safety analysis is used as all PIEs and all the credited safety functions are demonstrated. This verification should be complemented, as appropriate, by insight from probabilistic safety assessment and by engineering judgement.

Additionally, barriers or isolation devices may be needed between different safety classes.

Safety classification is an iterative process and should be updated as design and safety analysis progress.

2.4.1.3.1.6 Engineering design rules (informing)

The design authority is expected to specify the engineering design rules for all SSCs. These rules should comply with appropriate accepted engineering practices. The engineering design rules for all SSCs should be determined based on their safety class. This allows for graded design rules and technical specifications.

In addition, as per REGDOC 2.6.1, the CNSC requires a systematic method to identify a subset of SSCs to be included in the plants reliability program. The methodology involves:

34

a. identifying the SSCs of the NPP associated with the initiation, prevention, detection or mitigation of any failure sequence which could lead to damage of fuel or associated release of radionuclide or both;
b. ranking the identified systems on the basis of their relative importance to safety;
c. screening out those systems that do not contribute significantly to plant safety.

2.4.1.3.1.7 Defence-in-Depth The CNSCs approach to defence-in-depth follows the IAEAs recommended approach as described in SSR-2/1, Safety of Nuclear Power Plants: Design [40] and INSAG-10, Defence in Depth in Nuclear Safety [41]. As described in Section 4.3.1 of REGDOC-2.5.2, the CNSC expects five levels of defence to be included in the design as outlined in the table below.

Table 4. CNSC Defence-in-Depth Levels DiD Objective Essential Means Level Level 1 To prevent deviations from normal Conservative design operation, and to prevent failures of High quality construction (e.g., appropriate design SSCs important to safety codes and materials, design procedures, equipment qualification, control of component fabrication and plant construction, operational experience)

Level 2 To detect and intercept deviations Inherent and engineered design features to minimize from normal operation, to prevent or exclude uncontrolled transients to the extent AOOs from escalating to accident possible conditions and to return the plant to a state of normal operation Level 3 To minimize the consequences of Inherent safety features, Failsafe design, accidents, and prevent escalation to engineered design features, and procedures that beyond design basis accidents minimize consequences of DBAs Level 4 To ensure that radioactive releases Equipment and procedures to manage accidents caused by severe accidents or and mitigate their consequences as far as Design Extension Conditions are practicable, Robust containment design, kept as low as practicable Complementary design features to prevent accident progression and to mitigate the consequences of Design Extension Conditions, Severe accident management procedures Level 5 To mitigate the radiological Emergency support facilities, consequences of potential releases Onsite and offsite emergency response plans of radioactive materials that may result from accident conditions Source: REGDOC-2.5.2 Ultimately, the CNSC requires that designers and applicants must implement DiD such that:

1. more than one level of defence is in place for a safety objective (cool, control, contain) and that the objective will be achieved even if one level fails;
2. levels must be independent to the extent practicable and that no potential human or mechanical failure relies exclusively on a single level of defence for prevention and mitigation of accidents.

35

The intent of DiD is to minimize the challenges to physical barriers, prevent their failure if there is a challenge, and minimize the probability of propagation of a failure from one level of defence to the next. If a failure were to occur, the DiD approach allows the failure to be detected, and to be compensated for or corrected.

The expectations set forth in CNSC REGDOCs further describe the considerations around this objective and acceptance criteria for DiD and single failure criterion.

Some key principles fundamental to the Canadian approach are described below:

The concept of defence-in-depth shall be applied to all organizational, behavioural, and design-related safety and security activities to ensure they are subject to overlapping provisions. The levels of defence-in-depth shall be independent to the extent practicable.

This concept shall be applied throughout the design process and operation of the plant to provide a series of levels of defence aimed at preventing accidents and ensuring appropriate protection in the event that prevention fails.

To ensure that different levels of defence are independently effective, any design features that aim to prevent an accident should not belong to the same level of defence as design features that aim to mitigate the consequences of the accident.

The design shall also allow for the fact that the existence of multiple levels of defence does not normally represent a sufficient basis for continued power operation in the absence of one defence level.

A balance must be maintained between designs provisions for prevention and mitigation of events.

The regulatory guidance provided in REGDOC-2.4.2, Probabilistic Safety Assessment for Nuclear Power Plants, also identifies that one of the objectives of the PSA is to demonstrate that a balanced design has been achieved; this can be demonstrated as achieved if no particular feature or postulated initiating event makes a disproportionately large or significantly uncertain contribution to the overall risk, and the first two levels of defence-in-depth bear the burden of ensuring nuclear safety.

36

A summary diagram of the CNSCs approach to Defence-in-Depth is shown in Figure 4 below:

Figure 4. CNSC Approach to Defence-in-Depth Source: http://www.nuclearsafety.gc.ca/eng/acts-and-regulations/regulatory-documents/published/html/regdoc2 1v2/index.cfm#appA Single failure criterion The single failure criterion (SFC) is a conservative rule that is applied to demonstrate the reliability of a design. The rule postulates that all safety groups shall function in the presence of a single failure. The single failure criterion rule is applicable to the safety analysis of AOOs and DBAs for Level 3 defence-in-depth and does not need to be applied in the analysis of AOOs for Level 2 defence-in-depth and BDBA/DEC.

Guidance and criteria to the application of the single failure criteria are provided in REGDOC 2.5.2:

Exceptions to the single-failure criterion shall be infrequent, and clearly justified.

The single failure shall be assumed to occur prior to the PIE, or at any time during the mission time for which the safety group is required to function following the PIE. Passive components may be exempt from this requirement.

37

However, exemptions for passive components may be applied only to those components that are designed and manufactured to high standards of quality, that are adequately inspected and maintained in service, and that remain unaffected by the PIE. The justification shall take loads and environmental conditions into account, as well as the total period of time after the PIE for which the functioning of the component is necessary. The justification should also consider the consequences of failure, practicality of alternatives, added complexity and operational considerations. The integrated effect of all exceptions should not significantly degrade safety and defence-in-depth should be preserved.

2.4.1.4 CNSC Risk Informed Policy The CNSCs framework for risk-informed decision-making is described in REGDOC-3.5.3

[21]. The approach provides a framework for applying risk-informed decisions or recommendations pertaining to licensing, certification, compliance and the development of regulatory requirements and guidance.

CNSC regulates in a risk-informed manner by:

allowing proportionality through the articulation of requirements and guidance for activities; allowing applicants/licensees to propose alternative methods to meet regulatory requirements and guidance.

The principles applied when using the risk-informed approach are that regulatory requirements are met, and sufficient safety margins are maintained.

Two important aspects of the risk-informed approach are the application of a graded approach and the evaluation of alternative approaches.

2.4.1.4.1 Graded approach The graded approach is a method or process by which certain factors, such as the level of analysis, the depth of documentation and the scope of actions necessary to comply with requirements are commensurate with matters such as:

the relative risks to health, safety, security, the environment, and the implementation of international obligations to which Canada has agreed; the particular characteristics of a nuclear facility or licensed activity.

The graded approach represents a proportional application of requirements, and not a relaxation of requirements. It enables a proportional demonstration of regulatory requirements in a risk-informed manner to ensure fundamental safety objectives are met; and allows for adjustment of technical assessment and compliance activities based on risk, complexity and novelty.

2.4.1.4.2 Alternative approaches As part of the risk-informed approach, CNSC considers alternative approaches to fulfilling requirements submitted by licensees and proponents as long as the alternative can be 38

demonstrated to result in an equivalent or superior level of safety and serve the underlying purpose of a requirement.

Examples of alternative approaches include:

application of national or industry codes and standards from other jurisdictions; use of an approach proven in another industry or application not yet commonly applied to the nuclear sector; introduction of innovative and emerging technologies.

2.4.2 United States Historically, the NRC has licensed commercial nuclear power plants using a deterministic approach complemented with consideration of risk insights. This deterministic licensing approach uses concepts and strategies such as defense-in-depth (including, but not limited to, the single failure criterion), safety margins, conservative assumptions when performing safety analyses, and programmatic elements such as quality assurance. Risk insights are used to confirm the adequacy of the deterministic approach by searching for severe accident vulnerabilities and demonstrating that the Commissions safety goals are met. The deterministic licensing approach is implemented through various regulations provided in 10 CFR Part 50 and 10 CFR Part 52, non-mandatory regulatory guides which provide acceptable approaches for meeting the regulations, NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition [42]

which provides acceptance criteria, endorsement of industry consensus codes and standards, and various Commission policy statements.

The NRCs deterministic licensing approach has continuously evolved since its inception in the late 1950s. It is currently oriented towards licensing LWRs, although the Atomic Energy Commission (the predecessor to the NRC) used it to license several non-LWRs such as the sodium-cooled fast breeder reactor at Fermi Unit 1 and the high-temperature gas-cooled reactors at Peach Bottom Atomic Power Station, Unit 1 and Fort St. Vrain Nuclear Generating Station. Concerned about the potentially long lead time needed to adapt the existing LWR-centric deterministic licensing approach to non-LWRs, the U.S. nuclear industry initiated the licensing modernization project (LMP) in 2017. The fundamental thesis of the LMP is that a probabilistic risk assessment (PRA) should be used early in the design process to help define the licensing basis of a non-LWR rather than to confirm the acceptability of a non-LWR that has been designed using the traditional, deterministic approach.

To this end, the LMP developed a technology-inclusive, risk-informed, and performance-based (TI-RIPB) process for (1) selection of licensing basis events (LBEs); (2) safety classification of SSCs and associated risk-informed special treatments; and (3) determination of DiD adequacy for non-light water reactors (non-LWRs) including, but not limited to, molten salt reactors, high-temperature gas cooled reactors, and a variety of fast reactors at all thermal power capacities. The LMP was conducted by Southern Nuclear Company, sponsored by the Nuclear Energy Institute, and cost-shared by the U.S. DOE.

This industry-led effort is documented in Nuclear Energy Institute (NEI) guidance document, NEI 18-04, Revision 1 (August 2019), Risk-Informed Performance-Based Technology Inclusive Guidance for Non-Light Water Reactor Licensing Basis Development [43] and is endorsed by the NRC in Regulatory Guide (RG) 1.233, Rev. 0 (June 2020), Guidance for 39

a Technology-Inclusive, Risk-Informed, Performance-Based Methodology to inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light Water Reactors. [44].

2.4.2.1 Licensing Basis Event Definitions Licensing basis events (LBEs) are the entire collection of event sequences considered in the design and licensing basis of the plant, which may include one or more reactor modules and other non-reactor radiological sources. The LMP approach to selecting LBEs is based on the event sequences delineated by a PRAs logic model (the collection of event trees and fault trees). An event sequence is an initiating event defined for a set of initial plant conditions, followed by a sequence of system, safety function, and operator action failures or successes leading to a specified end state (prevention of release or release in one of several reactor-specific release categories). The term event sequence is used by the LMP in lieu of the more pejorative term accident sequence used by traditional LWR PRAs to emphasize that (1) all sequences delineated by the PRA need to be considered, and (2) some sequences delineated by the PRA do not result in a release of radioactive material.

In the LMP, LBEs are grouped into four categories according to their mean occurrence frequencies as follows:

Anticipated Operational Occurrences (AOOs): AOOs are defined as anticipated event sequences expected to occur one or more times during the life of a nuclear power plant, which may include one or more reactor modules. Event sequences with mean frequencies of 1 x 10-2/plant-year and greater are classified as AOOs. AOOs take into account the expected response of all SSCs within the plant, regardless of safety classification.

Design Basis Events (DBEs): DBEs are defined as infrequent event sequences that are not expected to occur in the life of a nuclear power plant, which may include one or more reactor modules, but are less likely than AOOs. Event sequences with mean frequencies of 1 x 10-4/plant-year to 1 x 10-2/plant-year are classified as DBEs. DBEs take into account the expected response of all SSCs within the plant regardless of safety classification.

Beyond Design Basis Events (BDBEs): BDBEs are defined as rare event sequences that are not expected to occur in the life of a nuclear power plant, which may include one or more reactor modules, but are less likely than a DBE. Event sequences with mean frequencies of 5 x 10-7/ plant-year to 1 x 10-4/plant-year are classified as BDBEs. BDBEs take into account the expected response of all SSCs within the plant regardless of safety classification.

Design Basis Accident (DBAs): DBAs are defined as postulated event sequences that are used to set design criteria and performance objectives for the design of safety related SSCs. DBAs are derived from DBEs based on the capabilities of and reliabilities of safety-related SSCs needed to mitigate and prevent event sequences, respectively.

DBAs are derived from the DBEs by prescriptively assuming that only safety related SSCs are available to mitigate postulated event sequences to within the 10 CFR 50.34 dose limits.

It should be noted that event sequences with upper 95th-percentile frequencies less than 5 x 10-7/plant-year are retained in the PRA results and used to confirm that there 40

are no cliff-edge effects. They are also taken into account in the risk-informed and performance-based (RIPB) evaluation of DiD.

The frequency basis for defining LBEs using LMP is summarized in the following table:

Table 5. LBE Frequency Bases Licensing Basis Event Event Sequence Mean Frequency AOO > 1 x 10-2/plant-year DBE 1 x 10-4 to 1 x 10-2/plant-year BDBE 5 x 10-7 to 1 x 10-4/plant-year DBA postulated - no frequency defined Source: NEI 18-04, Rev. 1 As discussed above, the mean values of the frequencies are used to classify the LBEs into AOOs, DBEs, and BDBE categories. However, when the uncertainty bands defined by the 5th percentile and 95th percentile of the frequency estimates straddles a frequency boundary, the LBE is evaluated in both LBE categories. An LBE with mean frequency above 10-2/plant-year and 5th percentile less than 10-2/plant-year is evaluated both as an AOO and a DBE.

An LBE with a mean frequency less than 10-4/plant-year with a 95th percentile above 10-4

/plant-year is evaluated both as a BDBE and a DBE. An event sequence family with a mean frequency less than 5 x 10-7/plant-year but with a 95th percentile frequency estimate above 5 x 10-7/plant-year is evaluated as a BDBE. Uncertainties about the mean values are used to help evaluate the results against the frequency-consequence criteria and to identify the margins against the criteria. The uncertainties about these means are considered during the RIPB DiD evaluation.

2.4.2.2 LMP Frequency-Consequence Target To support the LMP, a curve depicting the LBE frequencies and their associated consequences was developed to provide frequency-consequence (F-C) targets for use as a tool in assessing risk significance. The F-C Target curve is provided in Figure 4 below. It is extremely important to understand the limitations and nuances associated with this tool.

Its primary/only purpose is to assess risk significance for LBEs and for use in determining safety classification of SSCs. It is not intended to be used to assess compliance with regulatory limits on radiation exposure.

41

Figure 5. LBE F-C Target Curve4 Source: NEI 18-04, Rev. 1 The following notes summarize the use, limitations, and basis of the F-C Target:

LBE categories are based on mean event sequence frequency of occurrence per plant-year. LBEs may or may not involve release of radioactive material and may involve one or more reactor modules or radionuclide sources.

The regions of the graph separated by the frequency-dose evaluation line are identified as Increasing Risk and Decreasing Risk to emphasize that the purpose of this tool is to evaluate the risk significance of individual AOOs, DBEs, and BDBEs, and to recognize that risk evaluations are not performed on a pass-fail basis, in contrast with deterministic safety evaluation criteria.

4 The EPA PAG dose of 1 rem is the lower bounds of the early phase PAG range of 1 to 5 rem (10 to 50 mSV) projected dose over four days and not a limit as illustrated in Figure 4.

42

The F-C target values should not be considered as a demarcation of acceptable and unacceptable results. The F-C target provides a general frame of reference to assess events, SSCs, and programmatic controls in terms of sensitivities and available margins.

The F-C target for high-frequency AOOs down to a frequency of 1 x 10-1/plant-year are based on an iso-risk profile defined by annual exposure limits of 10 CFR Part 20 (1 mSv/plant-year (100 mrem/plant-year)).

The F-C target for lower frequency AOOs at frequencies of 1 x 10-1/plant-year down to 1 x 10-2/plant-year are set at a reference value of 10 mSv (1 rem) which corresponds with the EPA Protection Action Guide (PAG) limits5 and consistent with the need to avoid emergency offsite response for any AOO.

The F-C target for DBEs range from 10 mSv (1 rem) at 1 x 10-2/plant-year to 250 mSv (25 rem) at 1 x 10-4/plant-year with dose calculated at the exclusion area boundary (EAB) for the 30-day period following the onset of the release. This aligns the lowest frequency DBEs with the 10 CFR 50.34 limits and provides continuity to the lower end of the AOO criteria. The identification of plant capabilities to prevent releases is a factor considered in the determination of SSC safety classification and performance requirements.

The F-C target for the BDBEs range from 250 mSv (25 rem) at 1 x 10-4/plant-year to 7500 mSv (750 rem) at 5 x 10-7/plant-year to ensure the Quantitative Health Objective (QHO) for early health effects is not exceeded for individual BDBEs.

Event sequences with frequencies less than 5 x 10-7/plant-year are retained in the PRA results and used to confirm there are no cliff edge effects. They may also be taken into account in the RIPB evaluation of DiD.

The following table summarizes the basis for the LMP F-C Target:

Table 6. Bases for LMP F-C Target Licensing Mean Frequency Dose Criteria Reference Basis Event 1 mSv Iso-risk line: 1/plant-year 10 CFR Part 20 (100 mrem)

AOO Vertical line: 1 x 10-2 to 10 mSv (1 rem) EPA PAG 1 x 10-1/plant-year 10 to 250 mSv DBE 1 x 10-4 to 1 x 10-2/plant-year 10 CFR 50.34 (1 to 25 rem) 250 to QHO for individual BDBE 5 x 10-7 to 1 x 10-4/plant-year 7500 mSv early fatality risk (25 to 750 rem) 5 NEI 18-04 describes the EPA PAGs as limits. However, EPA-400/R-17/001, PAG Manual: Protective Action Guides and Planning Guidance for Radiological Incidents is guidance and not legally binding. The EPA states the PAGs do not represent the boundary between safe and unsafe conditions.

43

2.4.2.3 LMP Approach to Selecting LBEs As a result of the existing NRC regulatory framework being primarily focused on LWR power reactors, LMP developed a systematic technology-inclusive process to derive an appropriate set of LBEs for non--LWRs reactors as well a tool to assess the LBE frequencies against the consequences to provide a means of identifying risk significance. The individual tasks included in LMP for selecting and evaluating LBEs are shown below to provide a high-level and holistic overview of the process. The tasks do not need to be performed in any specific order and their completion is recognized to be an iterative process. More detail and specific considerations for each task is provided in NEI 18-04.

Task 1: Propose Initial List of LBEs Task 2: Design Development and Analysis Task 3: PRA Development/Update Task 4: Identify/Revise List of AOOs, DBEs and BDBEs Task 5a: Identify Required Safety Functions (RSFs)

Task 5b: Select/Revise Safety Related SSCs Task 6: Select Deterministic DBAs and Design Basis External Hazard Levels Task 7: Perform LBE Evaluations Task 7a: Evaluate LBEs against F-C Target Task 7b: Evaluate Integrated Plant Risk against QHOs and 10 CFR Part 20 Task 7c: Evaluate Risk Significance of LBEs and SSCs including Barriers Task 7d: Perform Deterministic Safety Analysis against 10 CFR 50.34 Task 7e: Risk-Informed, Performance-Based Evaluation of DiD Task 8: Decide on Completion of Design/LBE Development Task 9: Proceed to Next Stage of Design Development Task 10: Finalize List of LBEs and Safety-Related SSCs Finalize List of LBEs and Safety-Related SSCs As part of LMP, a curve depicting the LBE frequencies and their associated consequences was developed to provide frequency-consequence (F-C) targets for use as a tool in assessing risk significance during the iterative design process. The F-C Target curve is provided in Figure 4 above. It is important to understand the limitations and nuances associated with this tool. Its primary purpose is to assess risk significance for LBEs and for use in determining safety classification of SSCs. It is not intended to be used to assess compliance with regulatory limits on radiation exposure.

44

2.4.2.4 LMP Approach to Classifying Systems, Structures, and Components The LMP also provides an approach to system, structure, and component (SSC) safety classification that makes use of relevant aspects of risk-informed SSC classification approaches that have been developed for existing and advanced LWRs and small modular reactors, including those developed for implementation of 10 CFR 50.69, Risk-informed categorization and treatment of structures, systems, and components at nuclear power plants [11]. The categories for SSC classification using LMP are as follows:

Safety-Related (SR) o SSCs that are available to perform the required safety functions (RSFs) to mitigate the consequences of DBEs to within the LBE F-C target and to mitigate DBAs that only rely on the SR SSCs to meet the dose limits of 10 CFR 50.34 using conservative assumptions.

o SSCs relied upon to perform RSFs to prevent frequency of BDBE with consequences greater than the 10 CFR 50.34 dose limits from increasing into the DBE region and beyond the F-C target.

Non-Safety-Related with Special Treatment (NSRST) o Non-safety-related SSCs relied on to perform risk-significant functions. Risk-significant SSCs are those that perform functions that prevent or mitigate any LBE from exceeding the F-C target or make significant contributions to the cumulative risk metrics for evaluating the total risk from all analyzed LBEs.

o Non-safety-related SSCs relied upon to perform functions requiring special treatment for DiD adequacy.

Non-Safety-Related with No Special Treatment (NST) o All other SSCs (with no special treatment required).

Safety-significant SSCs include all those SSCs classified as SR or NSRST. Risk significant SSCs are a subset of and completely encompassed within the set of safety-significant SSCs. The following Venn diagram shows the relationships among the safety-related SSCs, risk-significant SSCs, safety-significant SSCs, and the SSCs modeled in the PRA.

45

Figure 6. Relationship Between PRA Categories of SSCs Source: NEI 18-04, Rev. 1 The individual steps included in LMP for determining the safety classification of SSCs are shown below to provide a high-level and holistic overview of the process. The process is described as an SSC function classification process rather than an SSC classification process because only those functions that prevent or mitigate events represented in the LBEs are of concern. A given SSC may perform other functions that are not relevant to LBE prevention or mitigation or functions with a different safety classification. More detail and specific considerations for each step of the SSC function classification process is provided in NEI 18-04.

Task 1: Identify SSC Functions in the Prevention and Mitigation of LBEs Task 2: Identify and Evaluate SSC Capabilities and Programs to Support DiD Task 3: Determine the Required and Safety Significant Functions Tasks 4 and 5: Evaluate and Classify SSC Functions o Tasks 4A and 5A: Examination of DBEs and high consequences BDBEs (i.e., those with doses above 10 CFR 50.34 limits) to determine which SSCs are available to perform the RSFs - safety related and safety significant.

o Tasks 4B and 5B: Evaluation of non-safety related SSCs to determine its risk significance - non-safety-related with special treatment (NSRST).

o Tasks 4C and 5C: Evaluation of NSRST and non-risk-significant SSCs for defense-in-depth adequacy.

Task 6: SSC Reliability and Capability Targets Task 7: Determine SSC Specific Design Criteria and Special Treatment Requirements 46

2.4.2.5 LMP Evaluation of DiD Adequacy The concept of defense-in-depth has a long history of use in the nuclear industry dating back to early safety assessments such as WASH-740, Possibilities and Consequences of Major Accidents in Large Nuclear Power Plants in 1957 [45]. The concept of DiD, protection against a single failure, is engrained in the nuclear industry and is not limited to nuclear safety. For example, the DiD has been employed in nuclear security, both physical and cyber which both rely on layered defenses, including prevention, detection, and response (NUREG/KM-0009) [46].

NRC philosophy on DiD as defined in its glossary as follows:

an approach to designing and operating nuclear facilities that prevents and mitigates accidents that release radiation or hazardous materials. The key is creating multiple independent and redundant layers of defense to compensate for potential human and mechanical failures so that no single layer, no matter how robust, is exclusively relied upon.

Defense in depth includes the use of access controls, physical barriers, redundant and diverse key safety functions, and emergency response measures.

Figure 7 below illustrates the concept of layers of defense embodied in this philosophy.

Figure 7. U.S. Nuclear Regulatory Commissions Defense-in-Depth Concept Source: NUREG/KM-0009 47

The LMP process embraces the concept of layers of defense for evaluating the adequacy of DiD and provides an approach to establish DiD in design, construction, maintenance, and operation of nuclear facilities. Establishing DiD adequacy involves incorporating DiD design features, operating and emergency procedures, and other programmatic elements. DiD adequacy is evaluated by using a series of RIPB decisions regarding design, plant risk assessment, selection and evaluation of LBEs, safety classification of SSCs, specification of performance requirements for SSCs, and programs to ensure these performance requirements are maintained throughout the life of the plant (i.e. reliability and capability).

The LMP process for establishing DiD adequacy embraces the concept of layers of defense and uses these layers to identify and evaluate DiD attributes. This process is consistent with the levels of defense concept advanced by the 2005 IAEA Safety Report Series No. 46, Assessment of Defense-in-Depth for Nuclear Power Plants. [47].

The framework for establishing DiD adequacy involves the following elements:

Plant capability DiD: This element is used by designers to select functions, SSCs, and their bounding design capabilities to assure safety adequacy. Additionally, excess capability, reflected in the design margins of individual SSCs and the use of redundancy and diversity, is important to the analysis of beyond design basis conditions that could arise. This reserve capacity to perform in severe events is consistent with the DiD philosophy for conservative design capabilities that enable successful outcomes for unexpected events should they occur.

Programmatic DiD: This element is used to address uncertainties when evaluating plant capability DiD as well as when programmatic protective strategies are defined. It provides a means to incorporate special treatment while designing, manufacturing, constructing, operating, maintaining, testing, and inspecting the plant and the associated processes to ensure there is reasonable assurance that the predicted performance can be achieve throughout the lifetime of the plant. The use of performance-based measures, where practical, to monitor plant parameters and equipment performance that have a direct connection to risk management and to equipment and human reliability are considered essential.

Risk-informed and performance-based evaluation of DiD: This element provides a systematic and comprehensive process for examining the DiD adequacy achieved by the combination of plant capability and programmatic elements. This evaluation is performed by a risk-informed (RI) integrated decision-making process (IDP) to assess sufficiency of DiD and to enable consideration of different alternatives for achieving commensurate safety levels at reduced burdens. The outcome of the RI process also establishes a DiD baseline for managing risk throughout the plant lifecycle.

48

The diagram below provides additional details on the considerations included in the elements above.

Figure 8. Framework for Establishing DiD Adequacy Source: NEI 18-04, Rev. 1 DiD is to be considered and incorporated into all phases of defining the design requirements, developing the design, evaluating the design from both deterministic and probabilistic perspectives, and defining the programs to ensure adequate protection of the health and safety of the public. The reactor designer is responsible for ensuring that DiD is achieved and implements these responsibilities through an Integrated Design-Making Process (IDP) that guides the overall design effort (including development of plant capability and programmatic DiD features), conducts the DiD adequacy evaluation of the resulting design, and documents the DiD baseline.

LMP provides an integrated and iterative process for incorporating and evaluating DiD. The incorporation of DiD is performed as an integrated process through the tasks outlined below.

This integrated process includes deterministic (D), probabilistic (P) and risk-informed (RI) tasks which are identified following the task headings by the designators (D), (P), and (RI).

Many actions outlined in the tasks below may have to be performed prior to evaluation of DiD and do not need to be repeated for the purposes of evaluation of DiD adequacy.

Implementation of this process is not a series of discrete tasks but rather an iterative process. It is expected that repeated iteration of the process occurs at tasks that are asterisked (*) until the process is completed and a DiD baseline is established and documented. The following list of tasks provides an overview of the process.

Details and additional discussion on the individual tasks are included in NEI 18-04, Rev. 1.

49

Task 1: Establish Initial Design Capabilities (D)

Task 2: Establish F-C Target Based on Regulatory Objectives and QHOs (D)

Task 3: Define SSC Safety Functions for PRA Modeling (D)

Task 4: Define Scope of PRA for Current Design Phase (D)

Task 5: Perform PRA (P)

Task 6: Identify and Categorize LBEs as AOOs, DBEs, or BDBEs (D)

Task 7*: Evaluate LBE Risks vs. F-C Target (RI)

Task 8*: Evaluate Plant Risks vs. Cumulative Risk Targets (RI)

Task 9: Identify DiD Layers Challenged by Each LBE (D)

Task 10: Select Safety-Related SSCs and Define DBAs (D)

Task 11*: Perform Safety Analysis of DBAs (D)

Task 12*: Confirm Plant Capability DiD Adequacy (P)

Task 13: Identify Non-Safety-Related with Special Treatment SSCs (P)

Task 14*: Define and Evaluate Required Functional Design Criteria for SR SSCs (D)

Task 15*: Evaluate Uncertainties and Margins (P)

Task 16: Specify Special Treatment for Requirements for SR and NSRST SSCs (D)

Task 17*: Confirm Programmatic DiD Adequacy (P)

Task 18: DiD Adequacy Established; Document/Update DiD Baseline Evaluation Adequacy of overall Plant Capability DiD There are two guidelines that have been established for the adequacy of overall plant capability DiD, one qualitative and the other quantitative:

Qualitative: No single design or operational feature, no matter how robust, is exclusively relied upon to satisfy the five layers of defense. This criterion implies no excessive reliance on programmatic activities or human actions and that at least two independent means are provided to meet this objective.

Quantitative: Meet F-C target for all LBEs and cumulative risk metric targets with sufficient margins. The level of margins between the LBE risks and the QHOs provides objective evidence of the plant capabilities for DiD. Sufficiency will be decided via the IDP.

The plant design and operational features and protective strategies employed to support each layer should be functionally independent. These guidelines ensure that two or more independent plant design or operational features be provided to meet the plant capability requirements. Additional qualitative and quantitative guidelines have been established for each layer of defense credited in establishing the adequacy of overall plant capability DiD.

50

Adequacy of Programmatic DiD The adequacy of programmatic DiD is based on meeting the following objectives:

Assuring that adequate margins exist between the assessed LBE risks relative to the F-C target including quantified uncertainties; Assuring the adequate margins exist between the assessed total plant risks relative to the cumulative risk targets; Assuring that appropriate targets for SSC reliability and performance capability are reflected in design and operational programs for each LBE; Providing adequate assurance that the risk, reliability, and performance targets will be met and maintained throughout the life of the plant with adequate consideration of sources of significant uncertainties.

Unlike the plant capabilities for DiD that can be described in physical terms and are amenable to quantitative evaluation, the programmatic DiD adequacy should be established using engineering judgement by determining what package of DiD attributes are sufficient to meet the above objectives. The attributes of programmatic DiD include quality/reliability, compensation for uncertainty, and offsite responses. These attributes complement each other and provide overlapping assurance that the desired plant capability is achieved in design, manufacturing, construction and operations lifecycle phases. The net result of establishing and evaluating programmatic DiD is the selection of special treatment programs for all safety-significant SSCs, which include those classified as SR or NSRST.

Risk-Informed and Performance-Based Evaluation of DiD Adequacy In this methodology, an integrated decision-making process (IDP) is utilized for evaluating the adequacy of DiD. How the process is implemented may vary depending on the state of design development, construction or operations. It may be done integral to the design control process, like many other technical decisions or as part of a standing panel, referred to as the integrated decision-making process panel (IDPP). The decisions of the IDP should be documented and retained as a quality record; this function is critical to future decision-making regarding plant changes which have the potential to affect DiD.

The IDP will use a risk-informed and performance-based integrated decision-making (RIPB-DM) process. Risk-informed decision-making is the structured, repeatable process by which decisions are made on significant nuclear safety matters including consideration of both deterministic and probabilistic inputs. The process is also performance-based as it employs measurable and quantifiable performance metrics to guide the determination of DiD adequacy. RIPB-DM plays a central role in designing and evaluating the DiD layers of defense and establishing measures associated with each plant capability and programmatic DiD attribute.

Integrated decision-making includes attributes such as the use of risk triplet beyond PRA, knowledge level, uncertainty management, and action refinement. Each of these attributes include a set of principal focus areas to guide the evaluation. The RIPB-DM process is expected to be applied at each phase of the design process in conjunction with other integrated processes executed during design development. Meeting the applicable portions of the ASME/ANS PRA Standard for Advanced non-LWRs, which includes the requirement 51

for and completion of the appropriate PRA peer review process, is one means for development of the PRA using the RIPB-DM process. A concept in the DiD adequacy evaluation RIPB-DM is that a graded approach to RIPB-DM is prudently applied such that the decisions on LBEs with the greatest potential risk significance receive corresponding escalated cross-functional and managerial attention.

Completing the evaluation of the DiD adequacy of a design is an iterative process and designers are expected to employ the RIPB-DM process often. Integrated DiD adequacy evaluations would be expected to occur in concert with completion of each major phase of design - conceptual, preliminary, detailed, and final and could occur at intervals within these phases particularly as significant design changes are made or new risk-significant information is identified.

The adequacy of DiD is confirmed when the following actions and decisions via the IDP are completed:

Plant capability DiD is deemed to be adequate: plant capability DiD guidelines are satisfied and the review of LBEs is completed with satisfactory results (e.g., risk margins against F-C target are sufficient, the role of SSCs in prevention and mitigation at each layer of defense challenged by each LBE is understood, prevention/mitigation balance is sufficient, safety classification of SSCs as SR, NSRST, and NST is appropriate, independence among design features at each layer of defense is sufficient, design margins in plant capabilities are adequate to address uncertainties identified in the PRA, etc.).

Programmatic DiD is deemed to be adequate: performance targets for SSC reliability and capability are established, special treatment for all SR and NSRST SSCs is sufficient, and sources of uncertainties in selection and evaluation of LBE risks are identified (i.e., completeness in selection of initiating events and event sequences is sufficient, uncertainties in the estimation of LBE frequencies are evaluated, uncertainties in the evaluation of plant response to events are evaluated, uncertainties on the estimation of the mechanistic source terms are evaluated, and design margins in plant capabilities are adequate to address residual uncertainties).

When DiD adequacy is confirmed, the baseline DiD evaluation should be documented in sufficient detail so it can be efficiently updated in response to changes in physical, functional, operational, or programmatic features to ensure that potential reductions in DiD do not adversely affect the safety case for plant.

Additional details on the LMP process and its expected implementation may be found in RG 1.233 and in NEI 18-04, Rev. 1.

2.4.2.6 Required PRA Scope to Support the LMP Process In order to support the LMP process, the PRA should:

Address all radiological sources at the plant (reactor cores, spent fuel, fuel clean-up systems for molten salt reactors, etc.).

Address all internal hazards (e.g., transients, loss-of-coolant accidents, internal floods, internal fires) and all external hazards (e.g., seismic events, external fires, high winds events such as tornados and hurricanes). Seismic events should always be included.

52

other external hazards may be screened from further consideration with appropriate justification.

Address all plant operating modes (at-power, low-power, shutdown, refueling, etc.).

Calculate the frequencies and consequences of all event sequences (i.e., the PRA should be a Level 3 PRA). It should be noted that the LMP process does not utilize intermediate risk surrogates such as core-damage frequency or large early release frequency that are typically used for LWR PRAs.

3. Assessment of Technology-Inclusive, Risk-Informed Approaches This section provides a comparison of the technology-inclusive, risk-informed licensing approaches in the Canadian and U.S. regulatory frameworks for nuclear power plants. Prior to presenting this comparison, it is important to note that the existing regulatory frameworks for each country have been proved to be equally effective in protecting the health and safety of persons, security, and the environment from the potential radiation hazards associated with nuclear power plants. Consequently, the comparison between the CNSC and NRC approaches does not include justification of differences in regulatory dose limits established in regulations or their bases. In addition, both the CNSC and NRC regulatory frameworks include varying degrees of deterministic and risk-informed elements with varying degrees of regulatory prescriptiveness and that both frameworks have seen an increasing trend towards greater use of risk-informed approaches to complement the deterministic approach.

The CNSCs technology neutral and risk-informed framework provides a flexible approach for licence applications that is compared to the structured technology inclusive, risk-informed, and performance based (TI-RIPB) approach developed under the LMP that was endorsed by the NRC in RG 1.2336. This section discusses the comparison between the CNSC and NRC approaches and identifies commonalities and differences. Regardless of whether the approach is predominantly deterministic or risk-informed, it is instructive to note that the overall scope of application reviews performed by the CNSC and NRC is very similar.

Table 7 below provides a comparison of key licensing application review topics. It identifies the safety and control areas (SCAs) used by CNSC for application reviews as well as the topical areas identified in the Standard Review Plan (SRP) in NUREG-0800 for NRCs reviews. Although the NRCs NUREG-0800 approach for performing application reviews is not considered a technology-inclusive, risk-informed approach and not specifically examined in this report, it is included as additional context in comparing the overall regulatory frameworks. The CNSC licence application guidance documents for Licence to Construct (REGDOC-1.1.2) and Licence to Operate (REGDOC-1.1.3) are organized primarily to correspond to the CNSC SCAs. The CNSC licence application guidance also provides additional guidance for applicants for small modular reactors in REGDOC-1.1.5, Supplemental Information for Small Modular Reactor Proponents. As shown in Table 7, the topical areas focused on by the CNSC and the NRC in their safety reviews and safety analysis reports are generally consistent.

The NRCs NUREG-0800 review approach is applicable to light water reactors. As such, the NRC is currently working on developing guidance for the contents of an application for a non-LWR advanced reactor application as part of its Advanced Reactor Contents of an Application Project 6 The NRC considers that Regulatory Guides provide one acceptable means for complying with regulations and that applicants may propose alternative means with suitable justification.

53

(ARCAP). For an application using the LMP approach, this guidance is intended to leverage the guidance being developed as part of the DOE and industry led Technology Inclusive Contents of an Application Project (TICAP). Current efforts by the NRC staff as part of ARCAP include an outline of expectations for the organization of a safety analysis report (SAR) as currently contemplated for an application that follows the LMP process. This content generally aligns with the scope of safety reviews performed by both the CNSC and the NRC but does so in a performance-based manner and results in more streamlined and focused content.

54

Table 7. Scope of Review Comparison: CNSC and NRC CNSC Safety and NRC Standard Review Plan CNSC REGDOC-1.1.2, Licence ARCAP Proposed Organization Control Areas (NUREG-0800) Application Guide of SAR Management system Introduction and Interfaces Introduction General Plant Information, Site Human performance Site Characteristic and Site Parameters Plant Description Description, and Overview of management Safety Case Design of Structures, Systems, Management of Safety Operating performance Components, Equipment, and Generic Analyses Site Evaluation Safety analysis Systems Licensing Basis Event (LBE)

General Design Aspects and Reactor Analysis Physical design Support Programs Reactor Coolant System and Connected Integrated Plant Analysis Fitness for service Design of Plant Structures, Systems Systems and Components Safety Functions, Design Radiation protection Engineered Safety Features Criteria, and SSC Conventional health and Safety Analyses Categorization safety Instrumentation and Controls Construction and Commissioning Safety Related SSC Criteria Environmental Electric Power Operational Aspects and Capabilities protection Auxiliary Systems Operational Limits and Non-safety related with special Emergency Steam and Power Conversion System Conditions treatment management and fire Radioactive Waste Management Radiation Protection Plant Programs protection Radiation Protection Emergency Preparedness Control of Routine Plan Waste management Conduct of Operations Environmental Protection Radioactive Effluents, Plant Security Communication, and Solid Initial Test Program and ITAAC-Design Radioactive and Hazardous Safeguards and non- Certification Waste Management Waste proliferation Control of Occupational Doses Transient and Accident Analysis Decommissioning and End-of-Packaging and transport Life Aspects Organization Technical Specifications Quality Assurance Safeguards Initial Startup Programs Human Factors Engineering Severe Accidents Color Coding: (the SRP is not applicable to non-LWR reviews however the colors identify where similar SRP chapter subject matter is informed by the LMP process)

Informed by SSC classification Informed by SSC classification and DiD evaluation Informed by LBE selection 55

The following sections highlight the similarities and differences between the technology-neutral and risk-informed approach generally established in the CNSC regulatory framework and the TI-RIPB approach described in the LMP process endorsed in RG 1.233 in the NRCs regulatory framework. With respect to a comparison of LMP to the CNSC approach, it should be noted that LMP is focused only on the process for establishing LBEs, determining safety classifications for SSCs, assessing DiD adequacy, and identifying special treatments for SSCs. As noted in the table above, LMP directly affects a limited number of focus areas of an applicants safety analysis report but has effects throughout the remainder of the analysis. In addition, LMP includes a performance-based approach and is therefore referred to as a TI-RIPB approach. The CNSCs approach has traditionally been risk-informed and objective-oriented rather than performance-based. CNSC regulatory documents describe requirements and provide guidance on possible ways to meet the objectives. The following sections will focus on the design and safety analysis safety and control areas.

3.1 Safety goals and objectives The approaches used in the CNSC and NRC regulatory frameworks are both based on similar high-level qualitative safety goals and objectives. These qualitative safety goals are as follows:

1. Individual members of the public shall be provided a level of protection from the consequences of NPP operation, such that there is no significant additional risk to the life and health of individuals.
2. Societal risks to life and health from NPP operation shall be comparable to or less than the risks of generating electricity by viable competing technologies and shall not significantly add to other societal risks.

These high level goals pragmatically translate to:

1. Demonstrating that more frequently occurring plant events have minor potential consequences.
2. Demonstrating that events with severe potential consequences have a very low frequency of occurrence.

These qualitative safety goals are both supported by quantitative safety goals that are expressed in terms of radiological risks.

In accordance with the LMP process, the NRC uses two quantitative health objectives (QHOs) for early or latent health effects as safety goals for high consequence, low frequency events. The cumulative risk associated with all LBEs is evaluated against these two QHOs.

1. The average individual risk of early fatality within 1.6 kilometers (km) (1 mile) of the exclusion area boundary (EAB) shall not exceed 5 x 10-7 per plant-year.
2. The average individual latent cancer fatality risk within 16 km (10 miles) of the EAB shall not exceed 2 x 10-6 per plant-year.

56

CNSC establishes three safety goals to protect the environment and the health and safety of the public:

1. Core damage frequency is the sum of all event sequences that can lead to significant core degradation and shall be less than 10-5 per reactor-year.
2. The small release frequency is the sum of all event sequences that can lead to a release of more than 1015 becquerels (27 kilocuries) of iodine-131 shall be less than 10-5 per reactor-year and may require temporary evacuation.
3. The large release frequency is the sum of all event sequences that can lead to a release of more than 1014 becquerels (2.7 kilocuries) of cesium-137 shall be less than 10-6 per reactor-year and may require long term relocation.

In order to evaluate the performance measures established using the LMP process, a Level 3 PRA is performed. In Canada, core damage frequency is determined by a Level 1 PSA which identifies and quantifies the sequence of events that may lead to significant core degradation.

The Canadian approach requires a Level 2 PSA for which the small and large release frequency is determined and compared to a release category expressed in terms of Cs-137 or I-131 (or releases that could cause evacuation or relocation). Additional discussion and a summary on risk analysis metrics are provided in Section 3.7 and Table 10.

3.2 Fundamental Safety Functions The fundamental safety functions established in both the CNSC and NRC frameworks to ensure protection of the health and safety of the public are essentially identical: (1) reactivity control; (2) heat removal from the core, and; (3) confinement of radioactive material. The following table provides a comparison of the NRC and CNSC fundamental safety functions as referenced in RG 1.233 and REGDOC-2.4.1.

Table 8. Fundamental Safety Functions NRC CNSC Reactivity and Power Control* Control of reactivity Monitoring of safety-critical parameters to guide operator actions Heat Removal Removal of heat from the fuel Radionuclide Retention Confinement of radioactive material Control of operational discharges and hazardous substances, as well as limitation of accidental releases Shielding against radiation

  • RG 1.233 defines reactivity control as control of heat generation.

57

3.3 Licensing Basis Events / Postulated Initiating Events Although the term licensing basis event (LBE) has been used commonly in general discussion, prior to the issuance of RG 1.233, this term had not been previously defined by the NRC or the CNSC. LBE is a term that denotes a particular sequence as determined by the probabilistic risk assessment (PRA). The LBEs are defined in terms of event sequence families. Each individual event sequence modeled in the PRA is comprised of an initiating event, the plant response to the initiating event (which includes a sequence of successes and failures of mitigating systems) and a well-defined end state. The term event sequence is used in lieu of the term accident sequence used in LWR PRA standards because the scope of the LBEs includes anticipated operational occurrences and initiating events with no adverse impacts on public safety. Each individual event sequence is grouped into an event sequence family according to the similarity of the following elements of the event sequence:

Plant operating state at the time of the initiating event.

Initiating events.

Plant response to the initiating event and any independent or consequential failures represented in the event sequence, including the nature of the challenge to the barriers and systems, structures, and components supporting each PRA safety function.

Event sequence end state.

Combination of reactor modules and radionuclide sources affected by the sequence.

Mechanistic source term for sequences involving a radiological release.

The CNSC and the IAEA frameworks use the term postulated initiating event (PIE), where a PIE is an initiating event, postulated for the purpose of safety analysis that triggers a sequence of events. The CNSC also uses events and consists of PIEs and sequences of events or combinations of events.

The LBE/PIE events categorization used in the NRC and CNSC regulatory frameworks are very similar and generally based on frequency of occurrence. Other aspects may factor into the categorization of events for the CNSC such as operational experience or past licensing precedents and the CNSC may request certain events to be analyzed. In general, these categories are described as follows, and illustrated in Table 9:

Anticipated Operational Occurrences (AOOs); where AOO are events that are more complex than operational maneuvers with the potential to challenge the safety of the reactor and which might reasonably be expected to occur during the lifetime of the plant.

Design Basis Events (DBEs)/Design Basis Accidents (DBAs); DBEs/DBAs are events that are not expected to occur during the lifetime of a plant but, in accordance with the principle of defence-in-depth, are considered in the design of NPP.

Beyond Design Basis Events (BDBEs)/Beyond Design Basis Accidents (BDBAs);

BDBEs/BDBAs are extremely rare events. The CNSC follows the IAEA approach and a subset of BDBA is established as Design Extension Conditions (DECs). Both BDBEs and DECs are considered in the design.

Using the LMP process, the NRC classifies LBEs on a per plant-year basis, as opposed to the traditional per reactor-year basis. The purpose of using per plant-year is to address the event 58

sequences involving multiple reactors (or modules) and other non-reactor radiological sources at a plant.

The following table summarizes the comparison between LBE frequencies as well as the associated dose criteria for the U.S. and Canadian approaches.

Table 9. Frequency-Consequences of LBEs/PIEs Frequency Frequency NRC Dose Criteria CNSC Dose Criteria (per plant-year) (per reactor-year)

AOOs High: > 1 x 10-1 1 mSv AOOs > 1 x 10-2 0.5 mSv (100 mrem) (0.05 rem)

Low: 1 x 10-1 to 1 x 10-2 10 mSv (1 rem)

DBEs 1 x 10-2 to 10 mSv to DBAs 1 x 10-2 to 20 mSv (includes 1 x 10-4 250 mSv 1 x 10-5 (2 rem)

DBAs) (1 rem to 25 rem)

BDBEs 1 x 10-4 to 250 mSv to BDBAs < 1 x 10-5 Limits not 5 x 10-7 7500 mSv (lower limit not defined - apply (25 rem to defined) safety goals 750 rem)

Uncertainties in the event frequency are considered and the event may be evaluated in multiple event categories. For the LMP process, when the uncertainty bands defined by the 5th percentile and 95th percentile of the frequency estimates straddle a frequency boundary, the LBE is evaluated in both LBE categories. For example, an LBE with mean frequency above 10-2/plant-year and 5th percentile less than 10-2/plant-year is evaluated as an AOO and a DBE. An LBE with a mean frequency less than 10-4/plant-year with a 95th percentile above 10-4/plant-year is evaluated as a BDBE and a DBE. The CNSC, in accordance with REGDOC-2.4.1, classifies events with a frequency on the border between two classes of events, or with substantial uncertainty over the predicted event frequency, as the higher frequency class. In addition, the CNSCs approach contains further guidance about preventing unreasonable sub-dividing of an event in order to reduce the event frequency and meet the F-C criteria. REGDOC-2.4.1 indicates that an event should not be sub-divided without sufficient justification, for the purpose of reclassifying one of the resulting sub-events from an AOO to a DBA, or from a DBA to a BDBA, or for the purpose of attaining a frequency below the cut-off frequency limits used in PSA.

59

The figure below illustrates a comparison of the frequency-consequence (F-C) targets by superimposing the NRC F-C target curve to CNSC frequency thresholds and dose acceptance criteria.

FREQUENCY-CONSEQUENCE TARGETS (NEI 18-04/ Canada) 1.00E+01 1.00E+00 Anticipated 1.00E-01 Operational Occurence Event sequency frequency (per plant year) 1.00E-02 1.00E-03 Design Basis Event (DBE) Region 1.00E-04 1.00E-05 1.00E-06 Beyond Design Basis Event (BDBE) Region 1.00E-07 1.00E-03 1.00E-02 1.00E-01 1.00E+00 1.00E+01 1.00E+02 1.00E+03 1.00E+04 NEI 18-04 Canada-CNSC 30 days total dose equivalent at site boundary/exclusion area boundary (rem or 10mSv)

Figure 9. Comparison of NRC and CNSC Frequency-Consequence Targets 3.3.1 Anticipated Operational Occurrences (AOOs)

For AOOs, the LMP framework provides a constant risk line (referred to as the iso-risk line) in the F-C target curve for event frequencies equal to or greater than 10-1 per plant year.

The iso-risk line explicitly addresses the concept of higher frequency events having a lower dose target. This iso-risk line is based on the 10 CFR Part 20, 1 mSv (100 mrem) annual dose limit. For event frequencies between 10-1 and 10-2 per plant-year, the lower bound AOO frequency, the target dose is 10 mSv (1000 mrem) effective dose equivalent at the EAB for 30 days. The LMP process includes a cumulative assessment of AOOs, DBE and BDBEs to ensure the frequency of exceeding the 1 mSv (100 mrem) annual limit is less than 1 per plant-year so an individual AOO can be evaluated.

The AOO dose criteria in Canada is 0.5 mSv (0.05 rem) whole-body dose at or beyond the site boundary for a period of 30 days after any event. For AOO events, CNSC uses the same event frequencies as in the LMP framework, however, as shown in Table 9, the dose criteria for this event is different in the two regulatory frameworks. In addition, because the LMP process utilizes the radiation exposure value established by the EPA in their protection action guidelines as a data point in developing the F-C target curve, the differences between the evacuation criteria are included here also. The criteria for evacuation due to a radiological release in the US is defined as 10 mSv (1 rem). In Canada, the evacuation 60

criteria due to a radiological release is defined as 100 mSv in the first 7 days (10 rem)7. In the Canadian approach, the summation of all events with consequences that could lead to short term evacuation and permanent relocation is to be less than 10-5/yr and 10-6/yr, respectively to meet the safety goal expectations.

3.3.2 Design Basis Accidents / Design Basis Events (DBAs/DBEs)

In the LMP process, the F-C Target for DBEs ranges from 10 mSv (1 rem) at 10-2/plant-year to 250 mSv (25 rem) at 10-4/plant-year with the dose calculated at the EAB for the 30-day period following the onset of a release. Events with mean frequencies from either the AOO or BDBE category may also be evaluated as DBEs depending on the event frequency uncertainty. The set of DBAs are derived from the LMP established DBEs and are evaluated using deterministic safety analyses assuming that only safety-related SSCs are available to perform required safety functions (RSFs) to mitigate the event. Non-safety related SSCs performing the same function are assumed to be unavailable. In the LMP process, the NRC distinguishes between DBEs and DBAs in that DBAs are not assigned a frequency threshold but are postulated deterministically based on the set of DBEs established. In RG 1.233, the NRC found that the LMP methodology in NEI 18-04, including the assessment of event sequences and DiD, obviates the need to use the single failure as it is applied to the deterministic evaluations of AOOs and DBAs for LWRs. The results of the deterministic safety analyses are compared to the regulatory dose criteria of 10 CFR 50.34. In the CNSC framework, the events with frequencies between 1 x 10-2 and 1 x 10-5 are defined as DBAs and extend beyond the frequency range defined in LMP for DBEs and into the frequency range defined for BDBEs. The CNSC treats DBAs in a similar manner to the LMP-defined DBAs in terms of credit only being taken for safety related SSCs to mitigate the consequences of these events/accidents.

The CNSCs approach requires conservative assumptions when analyzing DBAs (see section 3.4 below on safety analysis). The dose consequence is also calculated at the site boundary for a period of 30 days after of the analyzed event. The CNSC provides guidance to prevent the unreasonable subdividing of an event that would reduce the event frequency and reclassify it into either a DBA or AOO.

Both the CNSC and the NRC LMP approach uses a similar concept of mechanistic source term that uses realistic estimates of fission product release for the dose consequence calculation for DBAs. As shown in Table 9 above, the dose criteria associated with DBEs/DBAs are different in the two regulatory frameworks.

3.3.3 Beyond Design Basis Events (BDBEs) / Beyond Design Basis Accidents (BDBAs) / Design Extension Conditions (DECs)

In the LMP process, BDBEs have a frequency of occurrence less than 10-4 per plant-year but with a lower bound frequency of greater than 5 x 10-7 per plant-year with dose targets of 250 mSv and 7500 mSv (25 rem and 750 rem), respectively. The 7500 mSv (750 rem) criterion ensures the QHO for early or latent health effects is not exceeded for individual BDBEs. The lower bound BDBE event frequency of 5 x 10-7 per plant-year is not considered a precise threshold but should be considered in the context of other considerations such as, 7 Health Canada GENERIC CRITERIA AND OPERATIONAL INTERVENTION LEVELS FOR NUCLEAR EMERGENCY PLANNING AND RESPONSE, http://publications.gc.ca/collections/collection_2018/sc-hc/H129-86-2018-eng.pdf 61

expert panel evaluations, DiD, and potential for cliff-edge effects where small changes have a large increase in dose consequence. In the LMP approach, event sequences with frequencies less than 5 x 10-7/plant-year are retained in the PRA results (that is, included when determining the cumulative risk metrics) and used to confirm there are no cliff-edge effects. They may also be taken into account in the RIPB evaluation of defense-in-depth.

In the CNSC framework, the events with frequencies lower than 1 x 10-5 are defined as BDBAs/DECs, as shown in Table 9 above. In the CNSC framework, BDBAs are events with a lower frequency than DBAs and do not include a lower threshold event frequency as in the LMP process. The BDBAs include a subset referred to as design-extension conditions (DECs) which are considered in the plant design. Although no prescriptive lower frequency cut-off number is established by the CNSC for BDBAs, the applicant is expected to demonstrate that events with more severe consequences than DEC are practically eliminated. Guidance provided in REGDOC-2.5.2 states that practical elimination of an accident should not be claimed solely based on a probabilistic low value. Even if the probability of an accident sequence is very low, any additional design features, operational measures or accident management procedures, to lower the risk further, should be implemented to the extent practicable.

The concept of DECs, although not explicitly identified in the LMP process is equivalent to the LMP approach with BDBEs from the perspective that these categories of events are of very low frequency but still considered in the design.

3.4 Safety Analyses 3.4.1 Deterministic Safety Analysis In both the CNSC and NRC regulatory frameworks, deterministic safety analysis (DSA) is an important element of the overall safety analysis approach. In the LMP process, the DSA is utilized primarily for analyzing DBAs. Likewise, the Canadian approach also uses DSA to analyze DBAs and both approaches only credit safety-related SSCs for preventing or mitigating postulated events. Both approaches typically use conservative assumptions in their analysis. For the Canadian approach, these include assumptions such as: worst single failure in safety systems, initial conditions at the worst operating point, no operator action before a conservatively defined time and no action from control systems unless it makes conditions worse. In the LMP approach, the DSA is used to inform the probabilistic risk assessment and is used primarily to ensure that dose limits in 10 CFR 50.34 are met for all analyzed events.

The scope of this work plan did not include performing a detailed comparison of the methodologies and assumptions used in the CNSC and NRC regulatory frameworks for performing DSA. In general, however, both approaches use similar assumptions regarding dose calculations for DBA, where the committed whole body dose for an average member of the critical groups who are most at risk, at or beyond the site boundary are calculated for a period of 30 days after an event that results in a release of radiation. Also, both regulatory approaches use a similar source term concept for the analysis. The source term calculation includes best estimate analysis of fission product release resulting from the specific accident sequences being evaluated using best estimate models. The Canadian approach does not prescribe a methodology to be used for source term calculation but provides guidance on how the analysis should be done. The LMP guidance does not specify any additional quality requirements other than those in 10 CFR 50, Appendix B, on the use of specific analytical 62

codes to perform the analysis but expects the use of analytical tools that meet quality standards. In general, the NRC expects the use of verified and validated methodologies or NRC endorsed or approved methodologies. The CNSC expectation is that computer codes used in the safety analysis are to be developed, validated, and used in accordance with a quality assurance program that meets the requirements of CSA N286.7 [48].

3.4.2 Probabilistic Safety Analyses In both the CNSC and NRC regulatory frameworks, probabilistic safety analysis (PSA) or probabilistic risk assessment (PRA) is a key element in the overall technology-inclusive and risk-informed approaches.

In the LMP process, the use of the PRA is described as integral to the iterative risk-informed design process. It is key in establishing frequencies and consequences of licensing basis events and to assess classification of SSCs credited in preventing or mitigating events and margins to the F-C target curve established by this process. The LMP provides flexibility during the design process by using the risk insights from a PRA to continuously improve on the design. In addition, references to standards for performing PRAs are provided in the LMP process which include the use of peer reviews of PRAs. Recently, standard ASME/ANS RA-S-1.4-2021 [49] for performing PRAs for non-LWR advanced reactors was issued and is under NRC endorsement review with an estimated completion date of December 2021. Likewise, the CNSC provides references to standards for performing PSAs in its Regulatory Documents. An important aspect of the LMP approach is that it requires the use of a Level 3 PRA in which dose consequences from events are estimated at the exclusion area boundary.

In the CNSC approach, the PSA provides key inputs to event identification, system classification and is used complementarily with deterministic safety analysis and other requirements. The CNSC approach requires a Level 1 and 2 PSA, where the core damage frequencies are estimated, and the large and small release frequencies are estimated in terms of releases that could cause temporary evacuation or long-term relocation. The CNSC safety goals are established in such a manner that the sum of frequencies for any sequences with releases exceeding the safety goal limit should not exceed 10-5 for the small release and 10-6 for the large release. However, for DBA the dose is calculated at the site boundary.

3.5 Safety Classification of Structures, Systems and Components (SSCs)

For the safety classification of SSCs, it is expected that the NRC and CNSC approaches can yield similar results. Both frameworks begin the safety classification by completing a functional analysis that identifies all safety functions needed to prevent or mitigate the postulated initiating events or event sequences. This functional analysis may include a combination of deterministic and probabilistic methods. Using the LMP process, the NRC has established three fundamental safety classifications that includes a graded approach focused on safety and risk-significance: (1) safety-related (SR); (2) non-safety-related with special treatment (NSRST), and; (3) non-safety-related with no special treatment (NST).

In the CNSC framework, the designer/applicant is expected to classify SSCs, as important to safety or not important to safety, using a consistent and clearly defined classification methodology and design, construct, and maintain those SSCs such that their quality and reliability is commensurate with the classification. Beyond establishing SSCs as systems important to safety, 63

the vendor/applicant also proposes a classification of systems from most important to least important to safety. The number of categories is left to the discretion of the vendor/applicant. All SSCs are identified as either important to safety or not important to safety with safety significance based on:

1. safety function(s) to be performed
2. consequence(s) of failure
3. probability that the SSC will be called upon to perform the safety function
4. the time following a PIE at which the SSC will be called upon to operate, and the expected duration of that operation For reliability purposes, guidance in REGDOC-2.6.1 considers a subset of more risk important SSCs derived using PRA importance measures as criteria to assess the relative contribution of systems to plant risk. These can include risk-increase ratio (risk achievement worth (RAW)) and Fussell-Vesely (FV) importance measures.

The establishment of appropriate engineering design rules is expected to be commensurate with the selected safety class and should be an output of the safety classification process. For example, the CNSC allows the use of a graded approach to quality assurance requirements that is commensurate with these safety classifications. This flexibility has resulted in many safety classification approaches submitted to the CNSC and includes classification categories that could be considered the same as or similar to the NSRST classification used in the LMP process.

3.6 Defense-in-Depth The assessments of defense-in-depth (DiD) adequacy included in the CNSC and NRC frameworks are very similar. Both approaches to DiD adequacy are generally consistent with the concept of layers of defense described in IAEA standards. In addition, the assessment of DiD adequacy is evaluated for all elements - design, programmatic, and procedural. While the CNSC provides high level guidance, the LMP approach to evaluating DiD consists of a more detailed process and, in particular, for the programmatic DiD evaluation, more precisely defined. The main difference between the defense in depth adequacy assessments between the CNSC and NRC frameworks is associated with the application of single failure criterion. In RG 1.233, the NRC found that the LMP methodology in NEI 18-04, including the assessment of event sequences and DiD, obviates the need to use the single failure, as it is applied to the deterministic evaluations of AOOs and DBAs for LWRs. This new holistic layers-of-defense approach would no longer require such traditional design approaches that would result in redundant, safety-related systems performing the same safety function if justified via the DiD adequacy assessment together with reliability assurance for SSCs. Instead, the process would allow the designer to identify an NSRST SSC to back up the SR SSC in performing its safety function. In the CNSC framework exceptions to the single failure criterion for SSCs are expected to be infrequent and clearly justified. The single failure criterion is applied to each safety group identified in the safety analysis of AOOs and DBAs for Level 3 DiD, however the single-failure criterion does not need to be applied in the analysis of AOOs for Level 2 DiD and for BDBA.

3.7 Summary Comparison of PRA-related information Table 10 below provides a summary comparison of the PRA-related information and risk metrics used in the CNSC and NRC frameworks.

64

In addition to the comparison described in Table 10, the following differences are noted:

The LMP process includes an evaluation of the integrated plant risk against Quantitative Health Objectives (QHO). In this assessment, the total mean frequency of exceeding a site boundary dose of 100 mrem from all LBEs should not exceed 1/plant-year. In Canada, there are no equivalent criteria for evaluating these cumulative risks. The cumulative risk criterion in the CNSC framework is expressed in the qualitative safety goals and the supporting small and large release safety goals8 which should not exceed 10-5 and 10-6/yr, respectively. For AOOs and DBAs, single bounding events are evaluated against the dose criteria, not the cumulative risk/frequency.

The LMP approach allows the use of either relative or absolute risk importance measures.

Historical approaches to evaluating risk importance produced only relative importance of each event due to the formula being normalized against the total calculated risk for the plant. For advanced non-LWR plants, the frequencies of events involving releases of radioactive materials may be very small and those events with releases may involve very small source terms compared with large LWRs, hence the inclusion of the absolute risk measures in the LMP approach. The CNSCs approach uses similar measures but with relative risk measures. Further work is recommended to evaluate the significance of absolute risk measures in the CNSCs risk-informed decision-making assessment for advanced reactors.

8 From REGDOC 2.5.2:

Small release frequency: The sum of frequencies of all event sequences that can lead to a release to the environment of more than 1015 becquerels of iodine-131 shall be less than 10-5 per reactor year. A greater release may require temporary evacuation of the local population.

Large release frequency: The sum of frequencies of all event sequences that can lead to a release to the environment of more than 1014 becquerels of cesium-137 shall be less than 10-6 per reactor year. A greater release may require long term relocation of the local population.

65

Table 10. General PRA Topics and Risk Metrics within CNSC and NRC Frameworks CNSC NRC PSA/PRA Scope Level 2 PSA For LWRs:

All radiological sources (includes event sequences that involve Level 1/LRF PRA (transition to LERF prior to initial fuel the release from multiple sources) loading)

All internal and external hazards Reactor core (multi-unit and multi-module scenarios All plant operating modes considered qualitatively)

All internal and external hazards (use seismic margins analysis, not seismic PRA)

All plant operating states For non-LWRs:

Level 3 PRA All radiological sources All internal and external hazards All plant operating modes Qualitative Safety Goal: Individual Risk Individual members of the public shall be provided a level of protection Individual members of the public should be provided a level of from the consequences of NPP operation, such that there is no protection from the consequences of nuclear power plant operations significant additional risk to the life and health of individuals. such that individuals bear no significant additional risk to life and health.

Qualitative Safety Goal: Societal Risk Societal risks to life and health from NPP operation shall be Societal risks to life and health from nuclear power plant operation comparable to or less than the risks of generating electricity by viable should be comparable to or less than the risks of generating electricity competing technologies and shall not significantly add to other societal by viable competing technologies and should not be a significant risks. addition to other societal risks.

Quantitative Safety Goal: Individual Early Fatality Risk No equivalent risk metric. The risk to an average individual in the vicinity of a nuclear power plant of prompt fatalities that might result from reactor accidents should not exceed one-tenth of one percent (0.1 percent) of the sum of prompt fatality risks resulting from other accidents to which members of the U.S. population are generally exposed.

Assessed using individual early fatality risk (IEFR) within 1.6 km (1 mile) of the exclusion area boundary (EAB): IEFR < 5 x 10-7/reactor-year.

66

CNSC NRC Quantitative Safety Objective: Population Cancer Risk No equivalent risk metric but under consideration. The risk to the population in the area near a nuclear power plant of cancer fatalities that might results from nuclear plant operation should not exceed one-tenth of one percent (0.1 percent) of the sum of cancer fatality risks resulting from all other causes.

Assessed using individual latent cancer fatality risk (ILCFR) within 16 km (10 miles) of the EAB: ILCFR < 2 x 10-6/reactor-year.

Quantitative Safety Goal: Core-Damage Frequency The sum of frequencies of all event sequences that can lead to For LWRs, core damage frequency (CDF) is defined as the sum of the significant core degradation shall be less than 10-5 per reactor year. frequencies of those accidents that result in uncovering and heat up of the reactor core to the point at which prolonged oxidation and severe Severe core damage, for CANDU reactors, is defined as a condition fuel damage are anticipated and involving enough of the core, if where there is extensive physical damage to multiple fuel channels, released, to result in offsite public health effects. It should be noted leading to loss-of-core structural integrity. that surrogate risk metrics used in LWR PRAs such as CDF are not applicable to many non-LWR designs and not used in the ASME/ANS PRA Standard for Advanced non-LWRs.

For LWRs, CDF is used as a risk surrogate for ILCFR: CDF < 10-4/

reactor-year Quantitative Safety Goal: Release Frequencies Small release frequency: The sum of frequencies of all event For LWRs, large early release frequency (LERF) is defined as the sum sequences that can lead to a release to the environment of more of the frequencies of those accidents leading to rapid, unmitigated than 1015 becquerels (27 kilocuries) of iodine-131 shall be less than release of airborne fission products from the containment to the 10-5 per reactoryear. A greater release may require temporary environment occurring before the effective implementation of offsite evacuation of the local population. emergency response and protective actions such that there is the potential for early health effects. (Such accidents generally include Large release frequency: The sum of frequencies of all event unscrubbed releases associated with early containment failure shortly sequences that can lead to a release to the environment of more after vessel breach, containment bypass events, and loss of than 1014 becquerels (2.7 kilocuries) of cesium-137 shall be less than containment isolation). It should be noted that surrogate risk metrics 10-6 per reactoryear. A greater release may require long term used in LWR PRAs such as LERF are not applicable to many non-relocation of the local population. LWR designs and not used in the ASME/ANS PRA Standard for Advanced non-LWRs.

CDF and LRF are surrogate to ensure risk of relocation and evacuation of population is kept low. For LWRs, LERF is used as a risk surrogate for IEFR: LERF < 10-5/

reactor-year.

For new plant licensing, the NRC uses large release frequency (LRF) prior to initial fuel loading. There is no formal NRC definition of LRF.

LRF < 10-6/reactor-year.

67

CNSC NRC NEI 18-04 provides the following additional risk metric: The total mean frequency of exceeding a site boundary dose of 100 mrem [1 mSv]

from all LBEs should not exceed 1/plant-year. This metric is introduced to ensure that the consequences from the entire range of LBEs from higher frequency, lower consequences to lower frequency, higher consequences are considered. The value of 100 mrem [1 mSv] is selected from the annual cumulative exposure limits in 10 CFR Part 20.

Relative Risk Significant Sequence No calculated metrics but the overall objective is that the PSA confirms An event sequence or event sequence family that, when rank-ordered that the plant offers a balanced design. This can be demonstrated as by decreasing frequency, contributes a specified percentage of the achieved if no particular feature or postulated initiating event makes a baseline risk, or that individually contributes more than a specified disproportionately large or significantly uncertain contribution to the percentage of the risk. In the ASME/ANS PRA Standard, the overall risk. aggregate percentage for the set is 95%, and the individual event sequence or event sequence family percentage is 1% of the total integrated risk or risk of a specific combination of source of radioactive material, hazard, and plant operating state.

Relative Risk Significant Basic Event/Contributor 68

CNSC NRC From REGDOC-2.6.1: Systems identified as important to safety for A basic event (i.e., equipment unavailabilities/failures and human reliability purpose should be ranked on the basis of their relative failure events (HFEs)) or risk contributor whose Fussell-Vesely importance to safety and according to their contribution to the overall importance measure value is greater than 0.005 or the risk-plant risk (risk of severe core damage and risk of associated achievement worth importance measure value is greater than 2.

radioactive releases).

LMP allows the use of either relative or absolute risk importance This ranking should be performed using the results of a plant-specific measures. Table 3-2 in NEI 18-04, Rev. 1 provides the mathematical PSA, according to the importance measures (FV and RAW) (quadrant definitions of various relative risk importance measures. Absolute risk chart). Systems are ranked as follows: importance measures were developed following the LMP pilot studies 1st category: those systems for which both FV and RAW are in order to reduce the number of important items to a manageable greater than threshold values. size.

2nd category: those systems for which only FV is greater than the threshold value.

3rd category: those systems for which only RAW is greater than the threshold value.

1st category systems with FV 0.05 (or component FV 0.005) and RAW 2 should be considered important to safety.

For 2nd category systems with FV 0.05 (or component FV 0.005) and 3rd category systems with RAW 2, detailed justification should be provided if excluded from the list of systems important to safety.

Absolute Risk Significant Sequence No equivalent risk metric. From ASME/ANS RA-S-1.4-2021 (Standards is currently under NRC endorsement review and is estimated to be complete by December 2021):

An event sequence or event sequence family included in a PRA model, defined at the functional or systematic level that makes a significant contribution to an absolute risk target selected for RIDM. It is defined as any event sequence or event sequence family that contributes at least 1% to any identified absolute risk target.

Note: The absolute risk target may be one of the quantitative safety goals or the frequency-consequence target curve provided in NEI 18-04.

Absolute Risk Significant Basic Event/Contributor 69

CNSC NRC No equivalent risk metric. From ASME/ANS RA-S-1.4-2021 (standard is currently under NRC endorsement review and is estimated to be complete by December 2021):

A basic event that contributes significantly to an absolute risk significance criterion selected for RIDM (risk-informed decision-making). It is defined as any basic event that (a) contributes at least 1% to any identified absolute risk target; or (b) would result in exceeding the criterion if the basic event is assumed to fail with a probability of 1.0.

Note: The absolute risk target may be one of the quantitative safety goals or the frequency-consequence target curve provided in NEI 18-04.

70

4. Suggestions for Future Work The following provides suggestions for future work that could facilitate more effective and efficient leveraging of regulatory reviews and performance of joint technical reviews by the CNSC and NRC staff.

4.1 Further comparison of regulatory approaches This report provides a high-level comparison between the LMP and the Canadian approach regarding the review of advanced reactor technologies. Some areas were identified where additional work could be undertaken to further investigate differences in regulatory approaches and their implications including:

Further assess the basis used to establish key criteria and regulatory limits where differences could exist. These include, but may not be limited to:

o dose acceptance criteria; o classification of SSCs; o categorization of LBEs/PIEs.

Evaluate the implications of the key differences to identify areas where additional convergence could be achieved.

Compare regulatory practices regarding the conduct of deterministic safety analysis in support of assessments of DBA, and related acceptance criteria.

Continue comparing regulatory practices and leverage lessons learned on the specific applications of the LMP methodology and Canadian approach with vendors currently involved in CNSC/NRC project work plans.

Based on lessons learned from work conducted under the MOC, assess the potential to engage in additional work plans that focus on specific issues and applications for individual technologies and technical reviews that may also include technical audits, such as, but not limited to:

o evaluation of differences in LBE thresholds for frequencies and consequences; o application of single failure criterion; o application of DiD as a means to compare both approaches holistically; o application of SSCs classification.

4.2 Pursue other areas of collaboration Investigate the potential for greater harmonization by comparison of consensus codes and standards, related to:

o quality Assurance and management systems; o technical acceptance criteria (e.g., mechanical, electrical, structures, digital instrumentation and control, etc.);

o the conduct of PRA/PSA for advanced reactor technologies.

71

In addition, both organisations will continue to develop and share lessons learned from the conduct of pre-licensing or licensing engagements in both countries, such as engagements using the LMP framework, and collaborate on other technical regulatory issues as deemed beneficial (e.g., functional containment, etc.).

5. Conclusion This report provides a broad high-level overview and comparison of the CNSC and NRC regulatory frameworks for licensing and application reviews of new designs including a focus on the use of technology-inclusive, risk-informed, performance-based (RIPB) approaches. This overview and comparisons are a necessary first steps in developing further understanding of each regulatory framework such that a focus on leveraging already completed technical reviews by each regulator and on performing joint technical reviews can be facilitated. A general conclusion that can be made from this work is that there are many more commonalities in regulatory frameworks of the CNSC and NRC than differences.

The approaches used in each country provide a similar framework for the safety case demonstration of new advanced reactors by identifying events and classifying them and ensuring that consequences from these events meet regulatory expectations. Equipment classification and defense-in-depth approaches follow the same overall objective-based principles in both countries.

Some differences in the application of these approaches are noted in the report and are at the level of implementation, rather than in safety policy or philosophical approaches to societal norms and governance. Based on the results of this review and comparison, it appears that there is much common ground in safety case assessment reviews and acceptance criteria that can be used as a foundation, so that technical reviews performed by one regulator may be leveraged by the other, in order to inform the independent regulatory findings and decisions required by law.

Initial analysis indicates that performing joint technical reviews could be attainable, and that future work, and other work plans under this MOC, should focus on piloting the initial steps required to achieve that goal.

The suggestions for future work in this report will help to facilitate greater efficiency and effectiveness in both leveraging reviews and performing joint technical reviews. Further efforts should also recognize and consider the following:

Respective legal requirements for public transparency in the various processes through which applicants engage with the regulators and document their findings.

Distinctions among the licensing processes, vendor design reviews, and pre-application interactions that may involve limited scope approvals by the regulator that may involve the concept of finality of the review results.

Regulatory limits for radiation exposure and dose acceptance criteria that have been determined by each regulator to ensure public health and safety.

72

6. References
1. Memorandum of Cooperation on Advanced Reactor and Small Reactor Technologies between the Canadian Nuclear Safety Commission and the United States Nuclear Regulatory Commission, 15 August 2019, e-Doc 5976869.
2. Terms of reference for the Memorandum of Cooperation (MOC) on Advanced Reactor and Small Modular Reactor Technologies between the Canadian Nuclear Safety Commission and the United States Nuclear Regulatory Commission, 20 January 2020, e-Doc 6093868.
3. ART and SMR Sub Committee project, Develop Guidance for Staff Review of New Build Licence Applications for Advanced Reactor Projects, 02 July 2020, e-Doc 6323045.
4. Canadian Nuclear Safety and Control Act (S.C. 1997, c. 9). 1997. Available at https://laws-lois.justice.gc.ca/eng/acts/n-28.3/page-1.html.
5. Canadian Nuclear Safety Commission Rules of Procedure, SOR/2000-211, 31 May 2000.
6. CNSC REGDOC-3.5.4, Pre-Licensing Review of a Vendors Reactor Design, November 2018.
7. CNSC REGDOC-1.1.5, Supplemental Information for Small Modular Reactor Proponents, August 2019.
8. NRC Regulatory Information Summary (RIS-20-02), Review of New Licensing Applications for Light-Water Reactors and Non-Light Water Reactors (ADAMS Accession No. ML20202A496).
9. NRC Office Instruction LIC-500, Topical Report Process (ADAMS Accession No. ML19123A252).
10. NRC Publication, A Regulatory Review Roadmap for Non-Light Water Reactors, December 2017 (ADAMS Accession No. ML17312B567).
11. 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities.
12. 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants.
13. NUREG-1793, Supplement 2, Section 1.10.
14. Canadian Class I Nuclear Facilities Regulations SOR/2000-204, May 31, 2000.
15. CNSC REGDOC-3.5.1, Licensing Process for Class I Nuclear Facilities and Uranium Mines and Mills, version 2, May 2017.
16. CNSC REGDOC-1.1.1, Licence Application Guide: Site Evaluation and Site Preparation for New Reactor Facilities, July 2018.
17. CNSC REGDOC-1.1.2, Licence Application Guide: Licence to Construct a Nuclear Power Plant, August 2019.
18. CNSC REGDOC-1.1.3, Licence Application Guide: Licence to Operate a Nuclear Power Plant, September 2017.

73

19. Canadian Impact Assessment Act (IAA), S.C. 2019, c.28, s.1 (https://laws-lois.justice.gc.ca/eng/acts/I-2.75).
20. CNSC REGDOC-2.9.1, Environmental Principles, Assessments and Protection Measures (version 1.2), September 2020.
21. CNSC REGDOC-3.5.3, Regulatory Fundamentals, version 2.0, January 2020.
22. US National Environmental Policy Act (NEPA).
23. NUREG/BR-0249, The Atomic Safety and Licensing Board Panel, Revision 4, issued December 2013.
24. USNRC SECY-21-0004 Proposed Rule: NuScale Small Modular Reactor Design Certification (RIN 3150-AJ98; NRC-2017-0029, 01/14/2021.
25. Clarifying Major Portions of a Reactor Design in Support of a Standard Design Approval (ADAMS Accession No. ML17128A507).
26. NRC staff feedback report July 20, 2017 (ADAMS Accession No. ML17201Q109).
27. Canadian Radiation Protection Regulations. 2021. Available at https://laws-lois.justice.gc.ca/PDF/SOR-2000-203.pdf.
28. CNSC REGDOC-2.5.2, Design of Reactor Facilities: Nuclear Power Plants, May 2014.
29. U.S. Atomic Energy Act (AEA) of 1954, as amended.
30. U.S. Code of Federal Regulations (CFR), Standards for Protection Against Radiation, Part 20, Chapter 1, Title 10, Energy. (10 CFR Part 20).
31. Nuclear Regulatory Commission Policy Statement: Safety Goals for the Operation of Nuclear Power Plants, August, 4, 1986 (51 FR 30028).
32. US Environmental Protection Agency (EPA) Protective Action Guide (PAG).
33. CNSC REGDOC-2.4.1, Deterministic Safety Analysis, version 1.0 May 2014.
34. CNSC REGDOC-2.4.2, Probabilistic Safety Assessment (PSA) for Nuclear Power Plants,Version 1 May 2014.
35. CAN/CSA N289.1-18. General requirements for seismic design and qualification of nuclear power plants. 2018. Available at https://www.csagroup.org/store/product/N289.1-18.
36. CSA N293-12 (R2017), Fire protection for nuclear power plants. 2017. Available at https://www.csagroup.org/store/product/N293-12.
37. CAN/CSA N285.0-17/N285.6 Series 17, General requirements for pressure-retaining systems and components in CANDU nuclear power plants / Material Standards for reactor components for CANDU nuclear power plants, published 2017, https://www.csagroup.org/store/product/2701085.
38. IAEA Specific Safety Guide No. SSG-30, Safety Classification of Structures, Systems, and Components in Nuclear Power Plants, Vienna 2014.

74

39. CNSC REGDOC-2.6.1, Reliability Programs for Nuclear Power Plants, August 2017.
40. IAEA Specific Safety Requirements (SSR), No. SSR-2/1, Safety of Nuclear Power Plants: Design. Available at https://www.iaea.org/publications/10885/safety-of-nuclear-power-plants-design.
41. IAEA Publication, Report by the International Nuclear Safety Advisory Group, INSAG Series No. 10, Defence in Depth in Nuclear Safety.
42. NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition.
43. Nuclear Energy Institute (NEI) 18-04, Risk-Informed Performance-Based Technology-Inclusive Guidance for Non-Light Water Reactor Licensing Basis.

Development, Revision 1, August 2019. (ADAMS Accession No. ML19241A472).

44. NRC, RG 1.233, Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light-Water Reactors.
45. WASH-740, Possibilities and Consequences of Major Accidents in Large Nuclear Power Plants in 1957.
46. NUREG/KM 0009 Historical Review and Observations of Defense-in-Depth, April 2016.
47. IAEA Safety Report Series No. 46, Assessment of Defense-in-Depth for Nuclear Power Plants, 2005.
48. CSA N286.7-16 (R2021). Quality assurance of analytical, scientific and design computer programs. Available at https://www.csagroup.org/store/product/N286.7-16.
49. ASME. 2021. RA-S-1.4-2021, Probabilistic Risk Assessment Standard for Advanced Non-Light Water Reactor Nuclear Power Plants. Available at https://www.asme.org/codes-standards/find-codes-standards/ra-s-1-4-probabilistic-risk-assessment-standard-advanced-non-light-water-reactor-nuclear-power-plants.

75