ML20262H118

Oklo Draft RAI 9774 Mca - 9-4-2020
ML20262H118
Person / Time
Issue date: 09/04/2020
From: Mazza J
NRC/NRR/DANU/UARL
To:
Mazza J, NRR/DANU/UARL,3014150498
Shared Package
ML20262H108 List:


Text

DRAFT Request for Additional Information Issue Date:

Application Title: Oklo Aurora COL - Docket 52-049

Operating Company: Oklo Power LLC

Docket No. 52-049

Review Section: Aurora Step 1 - MCA

Application Section: Oklo COL Application Part II.05 Transient analysis

Regulatory Basis

10 CFR Part 52.79(a) requires, in part, that: the final safety analysis report must contain certain information at a level of information sufficient to enable the Commission to reach a final conclusion on all safety matters that must be resolved by the Commission before issuance of a combined license, including:

(a)(2) - A description and analysis of the structures, systems, and components of the facility with emphasis upon performance requirements, the bases, with technical justification therefore, upon which these requirements have been established, and the evaluations required to show that safety functions will be accomplished. It is expected that reactors will reflect through their design, construction, and operation an extremely low probability for accidents that could result in the release of significant quantities of radioactive fission products. The descriptions shall be sufficient to permit understanding of the system designs and their relationship to safety evaluations.

(a)(5) - An analysis and evaluation of the design and performance of structures, systems, and components with the objective of assessing the risk to public health and safety resulting from operation of the facility and including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility, and the adequacy of structures, systems, and components provided for the prevention of accidents and the mitigation of the consequences of accidents.

The applicant has proposed a maximum credible accident (MCA) approach to demonstrate safety functions are accomplished and bound the evaluations required by 52.79(a)(5). Oklo also cites the MCA as part of its justification for the following requested exemptions:

- Licensed operators, associated with portions of 52.79(a)(14) and (34), as well as 50.54(i),(j),(k),(l),(m) and 10 CFR Part 55

- Offsite emergency planning requirements, associated with portions of 10 CFR 50.47(b) and 10 CFR Part 50 Appendix E, Sections IV and VI

- Cybersecurity requirements, associated with 10 CFR 73.54, 10 CFR 73.77, and portions of 10 CFR 52.79(a)(36) and 10 CFR 73.55

- The requirements associated with 10 CFR 52.79(a)(1)(vi) and the associated postulated fission product release

The staff understands that the MCA approach would demonstrate the following:

- Satisfy the requirement evaluations required to show that safety functions will be accomplished

- Provide the required analysis and evaluation of the design and performance of structures, systems, and components with the objective of assessing the risk to public health and safety resulting from operation of the facility

- Support the technical basis related to meeting the intent of the exemption request related to licensed operators

- Support the technical basis for the exemption request related to cybersecurity requirements

- Support the statement "As shown in Chapter 5 of Part II, there are no credible accidents that result in the release of radioactive material; the MCA, which assumes a complete loss of the secondary system in conjunction with a failure to insert one of the shutdown rods, does not result in a radioactive release" as it relates to the requested exemption from offsite emergency planning requirements

- Provide the technical basis to support the review of the proposed exemption request from the requirements associated with 10 CFR 52.79(a)(1)(vi), which requires an evaluation and analysis of the postulated fission product release

Given that context, the NRC staff has the following questions:

Aurora Step 1 - MCA - Draft Question 1 - Credible Failure Definition/Basis for Exclusion

Issue

In Final Safety Analysis Report (FSAR) Section 5.1, Oklo provides some historical context regarding the "maximum credible accident" (MCA) concept relating light water reactor (LWR) scenarios to the scenario used in the FSAR for the Aurora design. The FSAR states that the loss of coolant accident (LOCA) MCA "resulted in a core melt." The scenario used for LWRs that ostensibly results in a core melt is not the result of a LOCA plus a single failure as implied in Section 5.1 of the FSAR, but is instead the result of a LOCA plus the failure of the entire emergency core cooling system (ECCS). The design basis is that no postulated event accompanied by the worst single failure will result in a core melt.

10 CFR Part 50 was issued in 1956, following the passage of the Atomic Energy Act in 1954. 10 CFR Part 50 does not refer to the concept of MCA or use the word credible, but instead requires an evaluation of the proposed measures and devices to prevent accidents which would create radioactive hazards or to protect against the consequences should such accidents occur.

The concept of a "credible accident" was introduced in 1959 when siting criteria were developed (24 FR 4184). At this time, it was proposed that "the occurrence of any credible accident will not create undue hazard to the health and safety of the public." However, no single definition for what constituted a "credible" accident was provided, and the final version of the siting criteria (documented in 10 CFR Part 100 in 1962) recognized that accidents greater than those deemed "credible" are possible. A source term was prescribed, effectively as a defense-in-depth measure to protect against excessive public exposure. A footnote in 10 CFR 100.11a stated:

"The fission product release assumed for these calculations should be based upon a major accident hypothesized for purposes of site analysis or postulated from considerations of possible accidental events, that would result in potential hazards not exceeded by those from any accident considered credible. Such accidents have generally been assumed to result in substantial meltdown of the core with subsequent release of appreciable quantities of fission products."

In effect, the historical accident analysis concept involves two poles in the safety case:

  • Control of anticipated occurrences through conservative design basis safety analysis (involving up to a single failure) demonstrating the efficacy of engineered safety features and that radiological consequences remain acceptably low, and
  • Mitigation of consequences, by demonstrating that an event involving core damage with nominal barrier leakage will not cause doses at the exclusion area boundary (EAB) and low population zone (LPZ) distance in excess of 25 rem TEDE.

In the 58+ years since then, numerous technological and analytical advancements have been made. Staff recognizes that non-LWRs may present different safety cases, and the application of operating experience and techniques like probabilistic risk assessment (PRA) might allow for refinement of that source term assumption based on a systematic evaluation of the design and associated events, and that strict application of the single failure criterion may not be necessary to provide for reasonable assurance of adequate protection of public health and safety.

Section 5.2 of the FSAR states that the safety principles of the Aurora are derived from International Atomic Energy Agency (IAEA) specific safety requirements (SSR) 2/1, "Safety of Nuclear Power Plants: Design," and acknowledges that these principles are based on control of radioactive releases, restricting the likelihood of a loss of control, and mitigation of consequences of more severe events. However, the FSAR then states that the design safety principles are to: "Provide power with minimal risk to the public health and safety and the environment" and "Restrict the likelihood and consequence of abnormal events by inherent, physical characteristics", with no stated need to mitigate against the consequences of radiological releases.

In FSAR Section 5.0, Oklo states that "the most challenging event deemed credible is identified and is considered the MCA." The FSAR does not define the term credible explicitly. However, FSAR Section 5.5 does state "[c]redibility in this sense is deterministic" and "[c]redibility is based on whether something is physically, fundamentally, or mechanistically possible." Further, the FSAR states the MCA considers "any plausible single failure as well as any single initiating event to cause a common set of failures." The staff seeks to understand how evaluation of only a single failure adequately describes whether something is "physically, fundamentally, or mechanistically possible." The MCA, as proposed, is being relied on as the single limiting event to demonstrate compliance with, or to request exemptions from, multiple regulations (e.g., offsite emergency planning requirements, licensed operator requirements, certain security requirements) beyond traditional design basis accident requirements. This characterization is important, as events that are not assessed as being credible based on the applicant's definition would in fact not be considered at all within the licensing basis for the design, regardless of their frequency or radiological consequence. Operating experience and the application of PRA for the existing fleet of operating reactors has shown that there are events involving multiple failures or common cause failures that are plausible from a frequency of occurrence perspective, just as there are events involving single failures that may not be plausible.

Request

Provide an explicit definition for "credible" as used by Oklo in the FSAR, including how it was used to screen or exclude events as "not applicable & not credible" in FSAR Section 5.4.

Provide the technical basis for why events considered for the MCA using the process described in FSAR Section 5.4 were limited to those involving a single failure, given the MCA is cited to meet all accident analysis requirements as well as provide a supporting basis for the proposed exemption from the requirement to assume a postulated fission product release (10 CFR 52.79(a)(1)(vi)). If this basis incorporates a frequency argument, provide a quantitative threshold for which events are excluded, and provide the technical basis behind the assumptions used to calculate the values used in assessing events against that threshold. If there are assumptions related to the functional capability or reliability of engineered safety features that are needed for an event to remain outside the scope of "credible," update the FSAR with the mechanism to capture these assumptions within the plant licensing basis.

Aurora Step 1 - MCA - Draft Question 2 - Comprehensive MCA Analysis

Issue

The safety case for the Aurora design as presented in the FSAR, Part II of the Oklo combined license (COL) application, utilizes a systematic search for an MCA, analyzing and utilizing precedent for historical plant methodology as well as internal and external event analyses, to identify the worst credible accident based on the single worst credible failure or single worst credible common cause of failures. The analyses presented in Section 5.5 of the FSAR consider a spectrum of events, ultimately showing how these events are bounded by an MCA. In review of these events, the NRC staff has identified potential events that may not have been considered in the analysis. Examples include:

  • Dynamic effects, including the effects of missiles, pipe whipping, and discharging fluids that may result from equipment failures, such as a supercritical carbon dioxide line break inside the capsule, module shell, or model equipment housing. Section 5.5, "Initiating event selection," of the FSAR discusses only the cooling effects on the fuel,
  • Potential for a heat pipe failure as an initiating event with a failure to trip the reactor. The reactor trip system utilizes thermocouple readings on the heat pipe that may or may not respond similarly to changes in fuel temperature, and depending on the heat pipe location, may not adequately detect the heat pipe failure and initiate a reactor trip,
  • Failure of components that could provide a potential path to the environment, such as a mechanical relief device connected to the capsule or module shell, the seals of the capsule or module shell, or the connection of the argon cover gas supply line. These component failures could lead to a radiological release (the current analyzed MCA does not lead to a release) if the cell can were to leak,
  • Information related to the consequences of hazards during off-normal operation. For instance, the impacts of flooding from internal sources such as a fire protection header or a potable water source, or external events when the vessel is open. Flooding within the capsule may represent a potential criticality issue.

Based on these examples, the NRC staff seeks more information on the implementation of the initiating event selection process presented in Section 5.5 of the FSAR.

Request

Demonstrate that a comprehensive review of the potential initiating events and various equipment failure modes have been considered and appropriately evaluated in the selection of the MCA. The evaluation should include effects on the reactor, potential releases from those events, and failures of equipment that would be considered non-safety related in order to ensure that all appropriate events are considered. The review should include all operating conditions including normal, abnormal, and accident scenarios during various plant operating modes such as start-up and shutdown conditions. If, after this review, an event different from the current licensing basis is determined to be the MCA, revise the FSAR accordingly. In addition, provide information which discusses the additional scenarios evaluated so that the NRC staff can understand and evaluate the full breadth and scope of events considered.

Aurora Step 1 - MCA - Draft Question 3 - Reactor Cell Can Leakage

Issue

FSAR Section 5.3.2 states "[t]he small amount of fission products that are not retained within the fuel matrix, primarily fission gases and volatile fission products that escape into the plenum, are retained by the reactor cell cans." The reactor cell can is also identified as a barrier to fission gas release in FSAR Section 5.5.1.1.6. It is not clear to the staff if the MCA provides for any radiological release from the reactor cell can, and it does not appear that provisions are made for indication of leakage (such as an activity monitor) if no radioactive material is assumed to be released from the reactor cell can.

Further, FSAR Section 5.3.2 states "[t]he combination of thick cell can, low plenum gas pressurization, and limited irradiation effects ensure that mechanical failure does not occur."

While the FSAR specifically considers strength, plastic strain and irradiation-induced effects, it does not address other failure mechanisms that are potentially applicable to the Oklo reactor cell can design such as creep, differential thermal stresses due to localized temperature differences, cold-cracking of 316 weldments, or unexpected irradiation swelling due to differences in 10Zr-U vs. U-Fs test data. These other potential failure mechanisms may impact the integrity of the reactor cell can over the life of the Aurora.

The staff understands that the reactor cell can is intended to be a robust barrier to the leakage of fission products. Based on the above, the NRC staff seeks clarification on whether the MCA analysis makes the assumption that the reactor cell can does not release any radioactive material into the capsule and what the design basis is for the reactor cell can.

Request

Identify if the MCA analysis assumes that the reactor cell can leaks. Provide the design basis for assumed reactor cell can leakage (including zero, if applicable) and document in the FSAR.

If the design basis for the MCA is that the reactor cell can may leak, provide an evaluation of MCA consequences based on the assumed leakage and update the FSAR accordingly.

Aurora Step 1 - MCA - Draft Question 4 - Consideration of Unprotected Events

Additional Regulatory Basis

10 CFR 52.79(a)(24) requires, for an application for a nuclear power reactor design that uses innovative means to accomplish their safety function, that the performance of each safety feature of the design be demonstrated through either analysis, appropriate test programs, experience, or a combination thereof as required by 10 CFR 50.43(e).

Issue

Final Safety Analysis Report (FSAR) Section 2.7.2.7.2, "Heat pipe temperature sensors," describes thermocouples located on heat pipes in the heat exchanger region that are used to infer fuel temperatures, and FSAR Section 2.7.3.4.2.1, "Heat pipe temperature fault signal," describes how the heat pipe temperature sensors are used in the reactor trip system (RTS) logic. The reactor trips initiated by the measurement technique described in FSAR Section 2.7.2.7.2 are credited in the MCA evaluation presented in FSAR Section 5.5.1, "Initial event identification and applicability and credibility review." Specifically, FSAR Section 5.5.1.2.2, "Decrease in heat removal by the secondary system," and FSAR Section 5.5.1.2.3, "[Events similar to a PWR] [d]ecrease in reactor coolant system flow rate," discuss the loss of heat sink (LOHS) and single heat pipe degradation/failure events, respectively. FSAR Section 5.6.1.2, "Loss of heat sink," clarifies that the RTS initiates a reactor trip based on an over-temperature condition detected by the thermocouples. The staff determined that the evaluation of a single heat pipe degradation/failure credits a reactor trip based on an under-temperature condition detected by the thermocouples (ML20230A372).

The specific application of thermocouples attached to a heat pipe at a single location in the condenser region to infer fuel temperatures, and in an environment similar to that experienced in the Aurora design, appears to be a first-of-a-kind (innovative) means for the instrumentation and control system to accomplish its safety function. Accordingly, the NRC staff is seeking justification either through analysis, appropriate test programs, experience, or a combination thereof to support crediting a reactor trip initiated through the measurement technique described in FSAR Section 2.7.2.7.2 in the Aurora MCA evaluation.

Request

Update the FSAR to incorporate one of the following to support the MCA evaluation presented in FSAR Section 5.5:

1. Provide the analysis, appropriate test programs, experience, or a combination thereof to support the efficacy of the measurement technique described in FSAR Section 2.7.2.7.2, especially as it relates to the statement "fuel temperatures can be inferred from heat pipe temperatures" and demonstrate that a reactor trip initiated through the measurement technique described in FSAR Section 2.7.2.7.2 is sufficiently reliable such that unprotected LOHS or unprotected heat pipe degradation/failure events do not need to be considered as candidates for the MCA.

OR

2. Provide evidence of diversity in the instrumentation and control system (i.e., the ability to initiate automatic reactor trip signals based on measurement techniques diverse from the method described in FSAR Section 2.7.2.7.2) to show that the measurement technique described in FSAR Section 2.7.2.7.2 is not the only means to detect adverse conditions, and demonstrate that the credited instrumentation is sufficiently reliable such that unprotected LOHS or unprotected heat pipe degradation/failure events do not need to be considered as candidates for the MCA.

OR

3. Evaluate the unprotected LOHS and unprotected heat pipe degradation/failure events to ensure all appropriate events are included in the MCA.
