Text

1 STAFF DISCUSSION OF SUBPART C (DESIGN & ANALYSIS) - PRELIMINARY RULE LANGUAGE, DECEMBER 2020 Preliminary Language Discussion Subpart C - Design and Analysis Requirements This subpart addresses requirements for designing advanced nuclear plants and performing the supporting analyses, including the analyses of licensing basis events (§ 53.240).

§ 53.400 Design Objectives and Design Features Design features must be provided for each advanced nuclear plant such that, when combined with associated programmatic controls and human actions, the plant will satisfy the first and second tier safety criteria defined in

§§ 53.220 and 53.230. Design features must ensure that the safety functions identified in § 53.210, of limiting the release of radioactive materials from the facility, is maintained during routine operations and licensing basis events by controlling the release of radioactive materials and by supporting other safety functions.

This section establishes the overall design objectives by referring to the underlying safety criteria in § 53.220 (first tier) and § 53.230 (second tier) and the related identification of safety functions provided in § 53.210. Design features are provided to meet the design objectives in this section. Subsequent sections in this Subpart address the need to define functional design criteria for the design features used to meet the design objectives.

Note that per the discussions at the November 18, 2020, Part 53 public meeting, safety functions and safety criteria may be reordered in Subpart B. This version of Subpart C refers to Subpart B as it was released to support the November 2020 public meeting (ADAMS Accession No. ML20289A591).

THIS PRELIMINARY PROPOSED RULE LANGUAGE AND ACCOMPANYING DISCUSSION IS BEING RELEASED TO SUPPORT INTERACTIONS WITH STAKEHOLDERS AND THE ADVISORY COMMITTEE ON REACTOR SAFEGUARDS (ACRS). THIS LANGUAGE HAS NOT BEEN SUBJECT TO COMPLETE NRC MANAGEMENT OR LEGAL REVIEW, AND ITS CONTENTS SHOULD NOT BE INTERPRETED AS OFFICIAL AGENCY POSITIONS. THE NRC STAFF PLANS TO CONTINUE WORKING ON THE CONCEPTS AND DETAILS PROVIDED IN THIS DOCUMENT AND WILL CONTINUE TO PROVIDE OPPORTUNITIES FOR PUBLIC PARTICIPATION AS PART OF THE RULEMAKING ACTIVITIES.

THE STAFF IS PRIMARILY SEEKING INSIGHTS REGARDING THE CONCEPTS IN THIS PRELIMINARY LANGUAGE AND SECONDARILY SEEKING INSIGHTS RELATED TO DETAILS SUCH AS NUMERICAL VALUES FOR VARIOUS CRITERIA.

2

§ 53.410 Functional Design Criteria for First Tier Safety Criteria (a) Functional design criteria must be defined for each design feature required by § 53.400 to demonstrate compliance with the first tier safety criteria defined in

§ 53.220(a). Corresponding programmatic controls, including monitoring programs, must be established to confirm the established functional design criteria and the first tier safety criteria required in § 53.220(a) are not exceeded during normal operations.

(b) Functional design criteria must be defined for each design feature required by § 53.400 relied upon to demonstrate compliance with the first tier safety criteria defined in § 53.220(b). Corresponding programmatic controls and interfaces must be established in accordance with this and [other subparts to achieve and maintain the reliability and capability of SSCs relied upon to meet the established functional design criteria and the first tier safety criteria required in § 53.220(b), and to maintain consistency with analyses required by § 53.450.

(a) Design features and associated functional design criteria are provided to ensure that effluents during normal operation

(§ 53.220(a)) do not result in a dose to an individual member of the public exceeding 100 millirem. This requirement relates to an ongoing effort under the Advanced Reactor Content of Application Project (ARCAP), which is defining a performance-based approach to achieve an appropriate level of detail in applications by referring to programmatic controls such as monitoring programs for routine effluents.

(b) Design features and functional design criteria for unplanned events are determined through analyses e.g., PRA and design basis accidents). This section addresses the first tier safety criteria from Subpart B and the analyses are defined in a subsequent section for a design basis accident (i.e., a deterministic analysis relying on safety related structures, systems, and components (SSCs)). Other sections within this and other Subparts will likely establish the highest level of controls on these design features (e.g., safety classification, protection from external hazards, quality assurance, and technical specifications).

§ 53.420 Functional Design Criteria for Second Tier Safety Criteria.

(a) Design features must be provided for each advanced nuclear plant such that, when combined with associated programmatic controls and human actions, the total effective dose equivalent to individual members of the public from effluents resulting from normal plant operation are as low as is reasonably achievable taking into account the state of technology, the economics of improvements in relation to the state of technology, operating experience, and benefits to the public health and safety, and other factors included in the assessments performed under the facility safety program required by § 53.80, and the safety (a) Design features and functional design criteria are provided to ensure that effluents during normal operation are able to be as low as reasonably achievable. This requirement relates to an ongoing effort under ARCAP, which is defining a performance-based approach to achieve an appropriate level of detail in applications by referring to programmatic controls such as monitoring programs for routine effluents.

(b) Design features and functional design criteria for unplanned events are determined through analyses. This section addresses the second tier safety criteria from Subpart B. The analyses are defined in § 53.450 as being from a probabilistic risk assessment methodology. These analyses are expected to use best-estimate approaches and address uncertainties with our state of

3 criteria and performance objectives in § 53.230(a).

Functional design criteria must be defined for each design feature relied upon to demonstrate compliance with the second tier safety criteria in § 53.230(a). Corresponding programmatic controls, including monitoring programs, must be established to confirm that the established functional design criteria and the safety criteria and performance objectives in § 53.230(a) are not exceeded during normal operations.

(b) Design features must be provided for each advanced nuclear plant such that, when combined with associated programmatic controls and human actions, the analyses required by § 53.450 provide reasonable assurance that the estimated risks from unplanned events will be below the second tier safety criteria in § 53.230(b). Functional design criteria must be defined for each design feature relied upon to demonstrate compliance with the second tier safety criteria in § 53.230(b). Corresponding programmatic controls and interfaces must be established in accordance with this and other subparts to achieve and maintain the reliability and capability of SSCs relied upon to meet the second tier safety criteria in § 53.230(b) and to maintain consistency with analyses required by § 53.450.

knowledge, modeling, and availability of SSCs. SSCs determined to be safety significant would have associated special treatment requirements as specified in § 53.460.

A topic to discuss is whether this subpart and/or § 53.240 (Licensing Basis Events) should define specific event categories such as anticipated operational occurrences, design basis events, and beyond design basis events.

§ 53.430 Functional Design Criteria for Protection of Plant Workers.

Design features must be provided for each advanced nuclear plant such that, when combined with associated programmatic controls and human actions, there is reasonable assurance the requirements for the protection of plant workers in § 53.260 will be met. Functional design criteria must be defined for each design feature relied upon to demonstrate compliance with § 53.260.

Corresponding programmatic controls, including This section addresses design features and functional design criteria related to protection of plant workers.

The broader question of whether to address occupational dose within Part 53 by referring to Part 20 or to avoid duplication and have occupational dose addressed only within Part 20 is a topic of ongoing discussions.

4 monitoring programs, must be established to confirm that the worker protection criteria in § 53.260(a) are not exceeded. In addition, functional design criteria must be defined for each design feature to ensure that plant SSCs and associated programmatic controls, including monitoring programs, achieve occupational doses as low as is reasonably achievable as required by § 53.260(b).

§ 53.440 Design Requirements (a) The design features required to meet the first and second tier safety criteria defined in §§ 53.220 and 53.230shall be designed using generally accepted consensus codes and standards wherever applicable.

(b) The materials used for safety related and non-safety related but safety significant SSCs (as defined in § 53.460) must be qualified for their service conditions over the plant lifetime.

(c) Safety and security must be considered together in the design process such that, where possible, security issues are effectively resolved through design and engineered security features.

(d) Design features must be demonstrated capable of accomplishing the safety functions defined in § 53.210 without adversely affecting other design features. The demonstration must be through analysis consistent with

§ 53.450, appropriate test programs, prototype testing, operating experience, or a combination thereof for the range of conditions under which the analysis required in

§ 53.450 assumes these features will function throughout the plants lifetime.

This section addresses design requirements by defining the means by which functional design criteria are met through practices such as the use of generally accepted consensus codes and standards and qualification of equipment/materials -

including provisions similar to those in 10 CFR 50.43(e).

Paragraph (c) addresses security by design from the Advanced Reactor Policy Statement.

A topic for discussion is the use of generally accepted or similar wording, which is used to encourage use of consensus codes and standards while not being prescriptive. A possible solution is to use a phrase such as generally accepted and then use guidance to differentiate between unique design standards, common but not NRC-endorsed standards, and NRC endorsed standards.

A topic for discussion is the meaning of qualified or the potential use of an alternative word in its place.

5

§ 53.450 Analysis Requirements (a) A probabilistic risk assessment of each advanced nuclear plant [reminder - plant definition to include multi-module and multi-source] must be performed to identify potential failures, degradation mechanisms, susceptibility to internal and external hazards, and other contributing factors to unplanned events that might challenge the safety functions identified in § 53.210.

(b) The probabilistic risk assessment (PRA) must:

(1) Be used in determining the licensing basis events, as described in § 53.240, which must be considered in the design to determine compliance with the safety criteria in Subpart B of this part.

(2) Be used for classifying SSCs and human actions according to their safety significance in accordance with

§ 53.460 and for identifying the environmental conditions under which the SSCs and operating staff must perform their safety functions.

(3) Be used in evaluating the adequacy of defense-in-depth measures required in accordance with § 53.250.

(4) Assess all plant operating states where there is the potential for the uncontrolled release of radioactive material to the environment.

(5) Consider events that challenge plant control and safety systems whose failure could lead to the uncontrolled release of radioactive material to the environment. These include internal events, such as human errors and equipment failures, and external events, such as earthquakes, identified in accordance with Subpart D of this part.

(6) Conform with generally accepted methods, standards, and practices.

(7) Be maintained and upgraded to cover initiating events and modes of operation contained in generally This section addresses analyses requirements for both a probabilistic risk assessment and the design basis accident in paragraph (e).

A requirement to update the PRA is included (similar to 10 CFR 50.71(h)) but Part 53 will include requirements to use the updates to ensure ongoing compliance with the second tier safety criteria and to assess possible risk reduction measures under the proposed facility safety program in Subpart F.

A requirement is included to have deterministic design basis accidents (a subset of licensing basis events) for which the analytical results are compared to the first-tier safety criteria of

§ 53.220(b). The design basis accidents are stylized events (e.g.,

relying on only safety related SSCs) and are to be derived from event sequences with frequencies in the design basis event category as defined in NEI 18-04. These event sequences, which are referred to as unanticipated event sequences, have frequencies (1) below anticipated operational occurrences (i.e.,

those sequences with a frequency above one in one hundred years), and (2) above beyond design basis events (i.e., those sequences with a frequency below one in 10,000 years).

6 accepted methods, standards, and practices in effect one year prior to each required PRA upgrade. The PRA must be upgraded every two years until the permanent cessation of operations under Subpart G of this part.

(c) The analytical codes used in modeling plant behavior during licensing basis events (e.g. thermodynamics, reactor physics, fuel performance, mechanistic source term) must be qualified for the range of conditions for which they are to be used.

(d) If not addressed within the PRA under paragraph (b),

analyses must be performed to assess:

(1) measures provided to protect against, detect and suppress fires that could impact the ability of equipment to perform its safety function and challenge the safety criteria contained in §§ 53.220 and 53.230.

(2) measures provided to protect against aircraft impacts as required by 10 CFR 50.150, and (3) measures to mitigate specific beyond design basis events as required by 10 CFR 50.155.

(e) The analysis of licensing basis events required by

§ 53.240 must include analysis of a set of design basis accidents that address possible challenges to the safety functions identified in accordance with § 53.210. Design basis accidents must be selected from those unanticipated event sequences with an upper bound frequency of less than one in 10,000 years as identified using insights from a design-specific probabilistic risk assessment that systematically identifies and analyzes equipment failures and human errors. The events selected as design basis accidents should be those that, if not terminated, have the potential for exceeding the safety criteria in § 53.220(b).

The design-basis accidents selected must be analyzed

7 using deterministic methods assuming only the safety-related SSCs identified in § 53.460 and human actions addressed by § 53.8xx (reference to concept of operations sections of Subpart F) are available to perform the safety functions identified in accordance with § 53.210.

The analysis must conservatively demonstrate compliance with the safety criteria in § 53.220(b).

§ 53.460 Safety Categorization and Special Treatment (a) SSCs and human actions must be classified according to their safety significance. The categories must include Safety Related (SR), which are those SSCs and human actions relied upon to function in response to design basis accidents to meet the safety criteria in § 53.220(b);

Non-Safety Related but Safety Significant (NSRSS),

which are those SSCs and human actions that perform a function that is necessary to achieve adequate defense-in-depth or are classified as risk significant (i.e., whose failure contributes 1% or more to cumulative plant risk, as defined in § 53.230, or would cause a licensing basis event to exceed the safety criteria in § 53.220(b)); and Non-Safety Significant (NSS), which are those SSCs not warranting special treatment.

This section addresses the safety classification and determination of appropriate special treatments. The terminology used for discussion here is (1) safety related, (2) non-safety-related but safety significant, and (3) non-safety significant.

A topic of discussion is the identification and treatment of human actions needed to support design basis accidents and the first tier safety criteria and those included in safety-significant functions within the PRA.

8 (b) For SR and NSRSS SSCs and human actions, the conditions under which they must perform their safety function in § 53.210 must be identified. Special Treatment (e.g., functional design criteria and programmatic controls) must be established in accordance with this and [other Subparts to provide appropriate confidence that the SSCs will perform under the service conditions and with the reliability assumed in the analysis performed in accordance with § 53.450 to provide reasonable assurance of meeting the safety criteria in §§ 53.220(b) and 53.230(b).

(c) Human actions to prevent or mitigate licensing basis events must be capable of being reliably performed under the postulated environmental conditions present and be addressed by programs established in accordance with Subpart F of this part to provide confidence that those actions will be performed as assumed in the analysis performed in accordance with § 53.450 to provide reasonable assurance of meeting the safety criteria in

§§ 53.220(b) and 53.230(b).

§ 53.470 Application of Analytical Safety Margins to Operational Flexibilities Where an applicant or licensee so chooses, design criteria more restrictive than those defined in § 53.230(b) may be adopted to support operational flexibilities (e.g.,

emergency planning requirements under Subpart F of this part). In such cases, applicants and licensees must ensure that the functional design criteria of § 53.420(b),

the analysis requirements of § 53.450, and identification of special treatment of SSCs and human actions under

§ 53.460 reflect and support the use of alternative design criteria to obtain additional analytical safety margins.

Licensees must ensure that measures taken to provide the This section addresses the possible adoption of more restrictive criteria in order to obtain safety margin for application to other areas - such as emergency planning zones. The section establishes requirements to use the design goal similar to the second tier safety criteria and to ensure analysis, design features, and programmatic controls are established accordingly.

9 analytical margins supporting operational flexibilities are incorporated into design features and programmatic controls and are maintained within programs required in other Subparts.

§ 53.480 Design Control Quality Assurance (a) Measures must be established to assure that the design criteria, analysis, categorization and special treatment of SSCs as required by § 53.460 are correctly translated into specifications, drawings, procedures, and instructions. These measures must include provisions to assure that appropriate quality standards are specified and included in design documents and that deviations from such standards are controlled. Measures must also be established for the selection and review for suitability of application of materials, parts, equipment, and processes needed to meet the safety criteria identified per §§ 53.220 and 53.230 in accordance with § 53.xxx (construction and procurement subpart). The QA program must conform with generally accepted consensus codes and standards.

(b) Measures must be established for the identification and control of design interfaces in accordance with § 53.490.

(c) The design control measures must provide for verifying or checking the adequacy of design in a manner commensurate with its safety significance, such as by the performance of design reviews, by the use of alternate or simplified calculational methods, or by the performance of a suitable testing program. The verifying or checking process must be performed in accordance with appropriate quality standards. Design changes, including field changes, must be subject to design control measures commensurate with those applied to the original design and be approved by the organization that performed the This section addresses quality assurance for design and analysis activities and is derived from Criterion III in Appendix B to 10 CFR Part 50.

10 original design unless the applicant designates another qualified organization.

§ 53.490 Design and Analyses Interfaces Measures must be established for the identification and control of interfaces between (a) the plant design and supporting analyses required by this Subpart and (b) the activities addressed by other Subparts over the life of each advanced nuclear plant. These measures must include procedures for the review, approval, release, distribution, and revision of documents involving design interfaces such that design decisions are made in an integrated fashion considering all aspects of the facility impacted by the design or operational change prior to its implementation. Changes to design features and related programmatic controls over the lifetime of an advanced nuclear plant must be considered along with the state of technology, the economics of improvements in relation to the state of technology, operating experience, and benefits to the public health and safety, and other factors included in the assessments performed under the facility safety program required by § 53.800.

This section requires applicants/licensees to identify, control, and maintain interfaces (i.e., integration) between design and analyses activities and other activities, such as configuration controls in Subpart F and the proposed facility safety program.

Other Possible Topics for Discussion (1)

A topic for possible discussion is the consideration and treatment of inherent design features. An inherent design feature is one where the safety function is achieved through natural processes governed by the physical laws without reliance on the activation or operation of supporting active or passive systems. It may be helpful to develop guidance on how inherent design features are credited in analyses, verified and validated, and considered under safety classification and special treatment provisions of this Subpart.