ML17322A051
ML17322A051 | |
Person / Time | |
---|---|
Site: | NuScale |
Issue date: | 11/17/2017 |
From: | Rad Z NuScale |
To: | Document Control Desk, Office of New Reactors |
References | |
RAIO-1117-57265 | |
Text
RAIO-1117-57265
November 17, 2017
Docket No. 52-048
U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
One White Flint North
11555 Rockville Pike
Rockville, MD 20852-2738
SUBJECT:
NuScale Power, LLC Supplemental Response to NRC Request for Additional Information No. 90 (eRAI No. 8758) on the NuScale Design Certification Application
REFERENCES:
- 1. U.S. Nuclear Regulatory Commission, "Request for Additional Information No. 90 (eRAI No. 8758)," dated July 10, 2017
- 2. NuScale Power, LLC Response to NRC "Request for Additional Information No. 90 (eRAI No. 8758)," dated July 26, 2017
The purpose of this letter is to provide the NuScale Power, LLC (NuScale) supplemental response to the referenced NRC Request for Additional Information (RAI).
The Enclosure to this letter contains NuScale's supplemental response to the following RAI Question from NRC eRAI No. 8758:
- 18-1
The response to supplemental question 18-2 will be provided by December 4, 2017.
This letter and the enclosed response make no new regulatory commitments and no revisions to any existing regulatory commitments.
If you have any questions on this response, please contact Steven Mirsky at 240-833-3001 or at smirsky@nuscalepower.com.
Sincerely,
Zackary W. Rad
Director, Regulatory Affairs
NuScale Power, LLC
Distribution:
Gregory Cranston, NRC, OWFN-8G9A
Samuel Lee, NRC, OWFN-8G9A
Demetrius Murray, NRC, OWFN-8G9A
Enclosure: NuScale Supplemental Response to NRC Request for Additional Information eRAI No. 8758
NuScale Power, LLC, 1100 NE Circle Blvd., Suite 200, Corvallis, Oregon 97330, Office: 541.360.0500, Fax: 541.207.3928, www.nuscalepower.com
Response to Request for Additional Information
Docket No. 52-048
eRAI No.: 8758
Date of RAI Issue: 07/10/2017
NRC Question No.: 18-1
Title 10 of the Code of Federal Regulations (10 CFR) Section 52.47(a)(8) requires an applicant for a design certification to provide a final safety analysis report (FSAR) that must include the information necessary to demonstrate compliance with any technically relevant portions of the Three Mile Island requirements set forth in 10 CFR 50.34(f), except paragraphs (f)(1)(xii), (f)(2)(ix), and (f)(3)(v). Section 10 CFR 50.34(f)(2)(iii) requires an applicant to "Provide, for Commission review, a control room design that reflects state-of-the-art human factor principles prior to committing to fabrication or revision of fabricated control room panels and layouts."
Chapter 18, Human Factors Engineering, of NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, and NUREG-0711, "Human Factors Engineering Program Review Model," identify criteria the staff uses to evaluate whether an applicant meets the regulation. The applicant stated in the FSAR, Tier 2, Section 18.0, "Human Factors Engineering - Overview," that the HFE program incorporates accepted HFE standards and guidelines including the applicable guidance provided in NUREG-0711, Revision 3.
Question 1:
Criterion 11.4.3.8, Validation Conclusions, in NUREG-0711, states, the applicant should document the statistical and logical bases for determining that the performance of the integrated system is, and will be acceptable.
The NuScale Verification and Validation Implementation Plan, Section 4.6.1, Scenario Sequencing, says a minimum of two operating crews will perform each scenario. However, the bases for determining that the performance of the integrated system will be acceptable using a minimum of two operating crews per scenario is not described in the application.
Additionally, the NRC Commission has previously taken action based on a greater number of scenario trials. The staff is concerned that a minimum of two trials for each ISV scenario does not provide (1) enough opportunities for users of the integrated system to identify errors with the design or (2) reasonable assurance that results from the ISV test will be indicative of the ability of the integrated system to support safe plant operation. Please describe the bases for determining that performance of the integrated system using a minimum of two operating crews per scenario will be acceptable and will provide reasonable assurance that the health and safety of the public would be protected.
NuScale Nonproprietary
NuScale Response:
NuScale has a uniquely safe design with only a few simple, passive safety systems, few support systems, and no reliance on AC or DC power for mitigating design basis events (DBEs). As a result of NuScale's simple and passive design, no operator actions are required for DBE mitigation and only seven operator actions are identified in the full-power internal events probabilistic risk assessment (PRA) for beyond-design-basis events (BDBEs), six of which are performed in the Main Control Room. The integrated system performance is less sensitive to human performance, as demonstrated by a PRA sensitivity study that concluded that if all human actions failed, the increase to core damage frequency (CDF) and large release frequency (LRF) would remain below the Commission's safety goals of 1.0E-4 and 1.0E-5 per reactor-year, respectively. Additionally, the NuScale design makes event recognition and diagnosis less complex, which provides more time for operators to take action.
NUREG/CR-6393, Integrated System Validation: Methodology and Review Criteria, Section 5.4 Plant Personnel, states: "The less sensitive the integrated system performance is to human performance, the less that variation needs to be assessed and the lower the needed sample size." NuScale intends to leverage its inherently safe design and lack of sensitivity, both deterministically and probabilistically, to human performance to show that the Integrated System Validation (ISV) can be conducted using two trials for each scenario. Two trials provide reasonable assurance that results from the ISV will substantiate the ability of the integrated system to support safe plant operation. Additionally, NuScale has prior experience conducting tests similar to the ISV utilizing two trials and a robust data collection and analysis process to ensure conclusive results. The following response provides additional detail to support this position.
Minimization of Operator Actions through Design:
NuScale's simple, passive design minimizes the impact and sensitivity of operator actions on the integrated system performance. The NuScale plant design requires no operator actions for DBE mitigation and only seven operator actions are considered in the full power internal events PRA to mitigate BDBEs. Of these seven actions, only two are considered important human actions (IHAs) and both can be completed from the Main Control Room within thirty minutes, with ample margin as demonstrated during the Staffing Plan Validation (SPV) (FSAR Revision 0, Table 19.1-14). Because the NuScale design only credits human actions during BDBEs as documented in the PRA, human performance variability can be bounded by assuming that human actions always fail and analyzing the impact on CDF and LRF.
The Final Safety Analysis Report (FSAR) Chapter 15 Transient and Accident Analyses and Chapter 7 Instrumentation and Controls show that there are no operator actions required for DBE mitigation. The FSAR Chapter 19 Probabilistic Risk Assessment results in only two IHAs, as identified in FSAR Revision 0, Tables 19.1-20, 19.1-27, 19.1-67, or 19.1-70. These two IHAs have been demonstrated to be consistently recognizable and implementable with ample margin to complete within the required times.
The mean value of CDF for a single module due to internal events during power operation is calculated to be 3.0E-10 per module critical year. (FSAR Section 19.1.4.1.2)
The mean value of the LRF for a single module due to internal events during power operation is calculated to be 2.1E-11 per module critical year. (FSAR Section 19.1.4.2.2)
A sensitivity study in which all human error probabilities were set to a guaranteed failure (i.e., human actions always fail) concluded that the NuScale CDF would rise to approximately 3.0E-8 per module critical-year. (FSAR Table 19.1-22) The Commission's CDF safety goal for operating reactors is 1.0E-4 per reactor-year. Since the CDF with no reliance on human actions is at least three orders of magnitude below the Commission's CDF safety goal, there is reasonable assurance that two trials will be sufficient to protect the public health and safety.
NUREG/CR-6393, Integrated System Validation: Methodology and Review Criteria, Section 5.4 Plant Personnel, states, "Covariation between personnel and system variability - The less sensitive the integrated system performance is to human performance, the less that variation needs to be assessed and the lower the needed sample size. For example, if an integrated system is automated to such a degree that operator input has very little influence upon its performance, then it may not be necessary to include a large sample of personnel." Based on the impacts of operator actions to the overall risk and the margin to the Commission's CDF and LRF safety goals, the operator input for the NuScale design has minimal influence upon the integrated system performance, and therefore, ISV requirements for assessing variation can be met with the lowest reasonable sample size.
Operator actions are analyzed within the FSAR in the following chapters:
- Chapter 7, Instrumentation and Controls
- Chapter 15, Transient and Accident Analyses
- Chapter 19, Probabilistic Risk Assessment
- Chapter 20, Mitigation of Beyond-Design-Basis Events
Instrumentation and Controls analysis of diversity and defense-in-depth identified no manual operator actions for a design basis event. (FSAR Section 7.1.5)
There are no operator actions credited in the evaluation of NuScale design-basis accidents.
Passive systems and automated (fail-safe) systems place and maintain the unit in a safe state for at least 72 hours after a DBE including assumed failures. Single human errors of both omission and commission were analyzed and the conclusion of the analysis was that operator errors cannot make the consequences more severe than the bounding FSAR Chapter 15 analysis. (FSAR Sections 15.0.0.5 and 15.0.0.6.4)
The PRA evaluated operating sequences that could lead to core damage. All sequences that lead to core damage have very low frequencies (less than 1E-10 per module critical year), and involved BDBEs. For the sequences that led to core damage, one of the following three conditions must occur: (Reference TR-1117-57216 NuScale Generic Technical Guidelines)
- 1. A malfunction of the ECCS to actuate as designed. For example, when the ECCS vent valves open but both of the ECCS recirculation valves do not, inhibiting water from re-entering the core.
- 2. An unisolable loss of coolant accident outside of the containment vessel with a failure to add makeup coolant. In this case, sufficient RCS inventory may be lost leading to core uncovery.
- 3. A situation where both trains of decay heat removal have failed in a manner to not remove RCS heat, and both of the RCS ASME Code safety relief valves do not open.
The PRA identified seven BDBE human actions. Six of the actions that could be taken to mitigate the events occur in the Main Control Room and two of these actions are considered IHAs. These IHAs are the first two listed in Table 1, PRA Credited Operator Actions to Mitigate Core Damage. A single action to mitigate large radiological releases is listed separately in Table 2, PRA Credited Operator Actions to Mitigate Large Radiological Release; however, it is the same action as the first item listed in Table 1.
Table 1. PRA Credited Operator Actions to Mitigate Core Damage (Reference TR-1117-57216 NuScale Generic Technical Guidelines)
Name | Description | Context |
---|---|---|
CFDS-HFE-0001C-FOP-N | Operator fails to unisolate and initiate CFDS injection (IHA) | Used for LOCA-OC, SGTF and transients (IHA) |
CVCS-HFE-0001C-FOP-N | Operator fails to unisolate and initiate CVCS injection (IHA) | Used for LOCA-IC, LOCA-OC (letdown), transients and secondary line break, upon failure of ECCS, and SGTF (IHA) |
CNTS-HFE-0001C-FTC-N | Operator fails to isolate containment | Backup action to MPS auto function failure |
CVCS-HFE-0002C-FOP-N | Operator fails to locally unisolate and initiate CVCS injection | Local unisolation due to lack of control from a partial loss of DC power |
ECCS-HFE-0001C-FTS-N | Operator fails to open ECCS valves | Backup action to MPS auto function failure |
EHVS-HFE-0001C-FTS-N | Operator fails to start/load combustion turbine generator | Backup action during loss of off-site power |
ELVS-HFE-0001C-FTS-N | Operator fails to start/load backup diesel generator | Backup action during loss of off-site power |
Alarms and indications have been specifically designed to notify the operators of these events so recognition and diagnosis of these BDBEs is simple and assured. (Reference TR-1117-57216 NuScale Generic Technical Guidelines) To put these IHAs into perspective, the scenarios are considered in sequences in the full power internal events PRA in which frequencies are very low (i.e., less than 1E-10 per module critical year).
The IHA of injecting water into the containment vessel mitigates core damage and is important from a radiological release standpoint (FSAR Section 19.2.5) as delineated in Table 2.
Table 2. PRA Credited Operator Actions to Mitigate Large Radiological Release (Reference TR-1117-57216 NuScale Generic Technical Guidelines)
Name | Description | Context |
---|---|---|
CFDS-HFE-0001C-FOP-N | Operator fails to unisolate and initiate CFDS injection (IHA) | Used for LOCA-OC, SGTF, and transients (IHA) |
Additional evaluations for BDBEs performed and documented in FSAR Chapter 20 identified the following two actions, not included in other programs, that accomplish key safety functions during an extended loss of AC power (ELAP), or mitigate core damage and minimize the spread of radioactive release during a loss of large area (LOLA) event. These actions are described in Table 3, Operator Actions Described in FSAR, Chapter 20 Mitigation of Beyond-Design-Basis Events.
Table 3. Operator Actions Described in FSAR, Chapter 20 Mitigation of Beyond-Design-Basis Events (Reference TR-1117-57216 NuScale Generic Technical Guidelines)
Name | Description | Context |
---|---|---|
LOLA Phase 2/ELAP Phase 3 | Add inventory to the Ultimate Heat Sink through the spent fuel pool assured makeup line | Long-term extended loss of AC power action (> 30 days) |
LOLA Phase 3 | Mitigate damage to fuel in the reactor vessel and radiological release - evaluate safety functions, provide a means for water spray scrubbing using fog nozzles and available water sources. Address runoff water containment issues (sandbags, dikes, etc.). | Long-term action loss of large area to support a reduced emergency planning zone |
The total list of operator actions as identified above in Tables 1, 2, and 3 are all performed in BDBEs in which sequence frequencies are less than 1E-10 per module critical year; these sequences are more than four orders of magnitude below the Commission's CDF safety goal of 1.0E-4 per reactor-year of operation.
The NuScale ISV test plan and sample of operational conditions was purposely designed to test some of the unique aspects of the NuScale design such as automation failures, operation of multiple units from a single workstation, and manipulating the controls of multiple units simultaneously. It should be noted that all of the actions sampled, those listed in Tables 1, 2, or 3, are considered for reasonable assurance of public health and safety.
Utilization of the Insights from the SPV
To develop the ISV test plan, NuScale utilized insights from the methodology of using two trials during the SPV, performed in August 2016 (Reference RP-0516-49116, Control Room Staffing Plan Validation Results). Although the purpose of the SPV is not the same as the ISV, both use similar methodologies for the conduct of the tests and analysis of the resulting data. This experience provides confidence that a minimum of two trials will support an acceptable evaluation of the integrated systems design (i.e., hardware, software, and personnel elements) and will support a conclusion that performance requirements are met in support of safe plant operation. This conclusion is corroborated by the positive results of an NRC audit of the SPV activities where there were no deficiencies or comments related to concerns with using two crews, or quantity, quality, or consistency of data obtained. (ML16259A110)
Numerical Assessment of ISV Results
The ISV test plan describes the data collection methods used during each scenario. Time measurement analysis (comparing the time to perform a task to the time allowed) and task load index (TLX) workload measures are both types of numeric data that can be statistically analyzed. HFE questionnaires and situational awareness questionnaires will also provide numeric data based on test scores. The other data collection methods are primarily non-numeric such as observations and crew self-reported comments.
The time measurement of certain primary tasks is evaluated by measuring the actual time of performance and comparing that to the time allowed. The allowed times are derived from PRA analyses, emergency plan notifications, non-emergency notifications per 10 CFR 50.72, or conservative expectations based on the NuScale design. The comparison of actual versus allowed times is calculated as a ratio. When the ratio exceeds 0.60, then the task is flagged for determination if an HED is needed. If the task is listed in Table 1 or Table 2 above and if the ratio exceeds 0.75, then a priority one HED is identified.
Specific statistical data for workload will be analyzed by measuring the TLX scores for each crew. During a single scenario performance at least three TLX measurements will be taken for each crew member. For a crew of six individuals, that results in 18 total TLX measurements per scenario.
The ISV test plan contains the following statistical guidance on how to interpret TLX measurements: At the conclusion of all scenario evaluations, the TLX data for each individual and as a total crew is averaged among all the scenarios. Those scenarios that have either the individual crew members or the crew average exceeding a standard deviation of the data are then specifically analyzed. Past critique or observation comments may be used to correlate results. Follow-up questions to the applicable operator may also be obtained, including using any tools that would aid in understanding such as viewing video recordings of the performance.
Additionally, the calculated deviation is used as a flag to identify potential HEDs. The test plan states: TLX score of 75 or above following scenario performance OR individual scores greater than one standard deviation of the crew average for that scenario are evaluated.
The situation awareness questions that are administered throughout the scenarios will be scored. The ISV test plan states that scores less than 70% will then be flagged to evaluate as potential HEDs.
Using all of the aforementioned numeric and statistical analyses provides quantitative information used to meet the intent of NUREG-0711, Criterion 11.4.3.8, Validation Conclusions. The statistical analysis is supplemented with observation and crew self-reported narratives to provide context to the numerical data.
Since there are only six PRA identified actions that are performed in the control room, NuScale plans to sample the performance on all of those tasks to ensure there is confidence in the results of the testing. In lieu of performing each designed scenario three times, the scenarios have been designed such that the PRA actions are each sampled in at least two separate scenarios and the crews are sequenced such that all three crews perform each of the six PRA actions at least once. Table 4, Control Room Credited Action Matrix, demonstrates how the actions are performed by each ISV crew such that at least four performances of these actions will occur.
Table 4. Control Room Credited Action Matrix
PRA credited operator actions | Crew | Crews sampled |
---|---|---|
CFDS injection | B, A, C*, A*, C*, B* | Good (3 of 3) |
CVCS injection | B, A, C, A | Good (3 of 3) |
CIS actuation | B, A, A, C | Good (3 of 3) |
ECCS actuation | B, C, C, A | Good (3 of 3) |
Start and load AAPS | C, A, B, A | Good (3 of 3) |
Start and load BDG | C, A, B, A | Good (3 of 3) |
\* CFDS injection during non-emergency conditions
Utilization of the Third Crew
NuScale intends to utilize three full crews and to rotate each crew through the performance of scenarios as described in the ISV Test Plan Appendix B. The following flowchart illustrates how the use of the third trial is implemented as described in the ISV test plan. The flowchart contains the applicable sections of the ISV test plan listed in the decision or as grouped by the dashed line.
Additionally, the flow chart is separated by "trial" and "retest". A "trial" is an additional test of performance that is used to obtain further diagnostic data. A "retest" is performed after an HED resolution has been implemented to validate that the resolution is effective.
Pilot testing is not specifically discussed within the ISV test plan as it is a development activity.
The number of pilot tests both prior to ISV and prior to performing a retest are based on ensuring that testing activities are ready to be performed. It is expected that any retest will undergo pilot testing to provide confidence of the HED resolution prior to formal testing. If an HED is identified that is classified as priority one, it will be tested by two crews that may have been previously tested until the resolution is satisfactory with those crew members. The formal validation test will be performed by either the third remaining crew or by developing a new scenario which tests the failed function. This formal validation is described in the ISV test plan.
Conclusion:
NuScale has a uniquely safe design with only a few simple, passive safety systems, few support systems, and no reliance on AC or DC electrical power for mitigating DBEs. No operator actions are required for DBE mitigation and only seven operator actions are identified in the full power internal events PRA for BDBEs, six of which are performed in the Main Control Room. Only two IHAs are identified in the full power internal events PRA in which sequence frequencies are very low (i.e., less than 1E-10 per module critical year). The integrated system performance is less sensitive to human performance, as demonstrated by a PRA sensitivity study that concluded that if human actions always failed, the increase to CDF and LRF would remain below the Commission's safety goals of 1.0E-4 and 1.0E-5 per year. As demonstrated by the SPV, the NuScale design makes event recognition and diagnosis less complex, which provides more time for operators to take action.
NUREG/CR-6393, Integrated System Validation: Methodology and Review Criteria, Section 5.4, states: "The less sensitive the integrated system performance is to human performance, the less that variation needs to be assessed and the lower the needed sample size." NuScale intends to leverage its inherently safe design and lack of sensitivity, both deterministically and probabilistically, to human performance to show that the ISV can be conducted using two trials for each scenario. NuScale has prior experience conducting tests similar to the ISV utilizing two trials and will utilize a robust data collection and analysis process to ensure conclusive results.
Two trials provide reasonable assurance that results from the ISV will substantiate the ability of the integrated system to support safe plant operation.
Impact on DCA:
There are no impacts to the DCA as a result of this response.