ML25085A425

SDAA - FSER Chapter 19 - Probabilistic Risk Assessment and Severe Accident Evaluation
Site: 05200050
Issue date: 05/22/2025
From: NRC/NRR/DNRL



19 PROBABILISTIC RISK ASSESSMENT AND SEVERE ACCIDENT EVALUATION

19.1 Probabilistic Risk Assessment

This chapter of the safety evaluation report (SER) documents the U.S. Nuclear Regulatory Commission (NRC) staff's (hereafter referred to as the staff) review of Chapter 19, Probabilistic Risk Assessment and Severe Accident Evaluation, of the NuScale Power, LLC (hereafter referred to as the applicant), Standard Design Approval Application (SDAA), Part 2, Final Safety Analysis Report (FSAR), for the US460 standard plant design. The staff's regulatory findings documented in this report are based on Revision 2 of the US460 SDAA, dated April 9, 2025 (Agencywide Documents Access and Management System Accession No. ML25099A237). The precise parameter values, as reviewed by the staff in this safety evaluation, are provided by the applicant in the SDAA using the English system of measure.

Where appropriate, the NRC staff converted these values for presentation in this safety evaluation to the International System (SI) units of measure based on the NRC's standard convention. In these cases, the SI converted value is approximate and is presented first, followed by the applicant-provided parameter value in English units within parentheses. If only one value appears in either SI or English units, it is directly quoted from the SDAA and not converted.

Introduction

The staff's review ensures that the applicant has adequately addressed the NRC's objectives for the probabilistic risk assessment (PRA) as applied to the NuScale US460 SDAA. These objectives are drawn from Title 10 of the Code of Federal Regulations (10 CFR) Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants, and several policy statements listed in SER Section 19.1.3. The objectives include the following:

identifying and addressing potential design features and plant operational vulnerabilities

reducing or eliminating the significant risk contributors at existing operating plants that apply to the new design

selecting among alternative features, operational strategies, and design options

identifying risk-informed safety insights based on systematic evaluations of the risk

determining how the risk associated with the design compares with the Commission's goals of less than 1×10⁻⁴ per year for core damage frequency (CDF) and less than 1×10⁻⁶ per year for large release frequency (LRF)

demonstrating whether the plant design represents a reduction in risk compared to existing operating plants

using the results and insights to support other programs, such as the following:

regulatory treatment of non-safety-related systems (RTNSS)

regulatory oversight processes (e.g., Mitigating Systems Performance Index, significance determination process)

operational programs (e.g., Maintenance Rule)

operational requirements that support the design, inspection, construction, and operation of the plant (e.g., inspections, tests, analyses, and acceptance criteria (ITAAC); the reliability assurance program; technical specifications (TS); combined license (COL) action items; and interface requirements)

The staff reviewed the key elements of the PRA and evaluated its uses for the NuScale US460 SDAA based on relevant staff guidance and industry standards or best practices.

Summary of Application

SDAA Part 2 (FSAR): FSAR Section 19.1.1, Uses and Applications of the Probabilistic Risk Assessment, describes the uses and applications of the PRA to support standard design approval, COL, construction, and operational activities, and describes the limitations associated with the level of detail available at the design stage. FSAR Chapter 19 and Section 19.1, Probabilistic Risk Assessment, summarize the Level 1 and Level 2 PRAs and describe the PRA performed for the NuScale US460 design, which evaluates the risk associated with all modes of operation for both internal and external initiating events. The PRA was performed for a single module and used to develop insights for multiple modules. FSAR Section 19.1 includes topics such as PRA quality, design features to minimize risk, methodology, data, uncertainties, sensitivities, insights, and results.

FSAR Table 19.1-60, Summary of Results, summarizes the at-power operations, low-power and shutdown (LPSD) operations, and multi-module PRA results. In the multi-module risk evaluation, qualitative risk insights are developed for external events and LPSD operations.

ITAAC: There are no ITAAC associated with this area of review.

Technical Specifications/Availability Controls Manual: FSAR Section 8.3.2.1.1, Augmented Direct Current Power System, states that controls over the reliability and availability of the module specific (MS) augmented direct current (dc) power subsystem (EDAS) power circuitry and supply are included in the owner-controlled requirements manual (OCRM), described in FSAR Section 16.1, Technical Specifications. The staff's evaluation of the OCRM is provided in SER Chapter 16. Further, FSAR Section 8.3.2.1.1 states that EDAS is included in the Maintenance Rule program in accordance with 10 CFR 50.65. SER Section 17.6 provides the staff's evaluation of the design's compliance with the Maintenance Rule. Including the EDAS in the Maintenance Rule program combined with including the EDAS in the OCRM ensures that the functional criteria (availability and reliability) are maintained consistent with the Chapter 19 PRA EDAS modeling and results.

Technical Reports: There are no technical reports associated with this area of review.

Topical Reports: FSAR Section 19.1.4.1.1.9, Risk-Significance Determination, references Section D, Section 3.0, Analysis/Methodology, of the staff-approved, NuScale topical report, TR-0515-13952-NP-A, Revision 0, Risk Significance Determination, issued October 2016 (ML16284A016), and is incorporated by reference in FSAR Table 1.6-1, NuScale Topical Reports.

Regulatory Basis

In 10 CFR 52.137(a)(25), the NRC states that an SDAA must contain an FSAR that includes a description of the design-specific PRA and its results.

The following Commission-level policy statements give the expectations for the use of PRA:

Severe Reactor Accidents Regarding Future Designs and Existing Plants, Volume 50 of the Federal Register, page 32138 (50 FR 32138; August 8, 1985)

Safety Goals for the Operations of Nuclear Power Plants (51 FR 28044; August 4, 1986)

Regulation of Advanced Nuclear Power Plants (59 FR 35461; July 12, 1994)

Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities (60 FR 42622; August 16, 1995)

Policy Statement on the Regulation of Advanced Reactors (73 FR 60612; October 14, 2008)

SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, dated April 2, 1993 (ML003708021), and SECY-90-016, Evolutionary Light Water Reactor (LWR) Certification Issues and Their Relationship to Current Regulatory Requirements, dated January 12, 1990 (ML003707849), and the related staff requirements memoranda (SRM), respectively dated July 21, 1993 (ML003708056), and June 26, 1990 (ML003707885), provide more specific Commission direction and staff guidance on PRAs relevant to licensing reviews.

To review this area, the staff uses guidance in NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition (SRP), Section 19.0, Revision 3, Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors, issued December 2015 (ML15089A068). The acceptance criteria are derived from the regulatory requirements and Commission policies noted above.

Design Certification/Combined License Interim Staff Guidance (DC/COL-ISG)-028, Assessing the Technical Adequacy of the Advanced Light-Water Reactor Probabilistic Risk Assessment for the Design Certification Application and Combined License Application, issued November 2016 (ML16130A468), addresses how the applicant can use American Society of Mechanical Engineers (ASME)/American Nuclear Society (ANS) RA-Sa-2009, Addenda to ASME/ANS RA-S-2008 Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, as endorsed by Regulatory Guide (RG) 1.200, Revision 2, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, issued March 2009 (ML090410014), with exceptions and clarifications. This guidance was issued because the PRA standard was developed based on current operating reactors. As a result, for PRAs developed for Part 52 applicants, some supporting requirements in the PRA standard are not applicable or cannot be achieved as written, while other supporting requirements need some clarification to understand how they can be achieved.

SRP Section 19.0 and DC/COL ISG-028 refer to other guidance documents (e.g., RGs, NUREGs, industry documents) that are not repeated in this section, although some of these documents are discussed in the technical evaluation of specific topics.

Technical Evaluation

The staff reviewed the description and results of the PRA contained in the FSAR. During the review, the staff performed a regulatory audit between March 27, 2023, and August 31, 2024 (ML24211A089), consisting of document reviews, clarification calls, and audit questions, and issued requests for additional information when items could not be resolved in the audit. The staff coordinated and worked with other technical disciplines (e.g., reactor systems, plant systems, radiation protection, electrical engineering, structural engineering, mechanical engineering, and instrumentation and controls) for an interdisciplinary review. This section summarizes the results of the staff's review important to the overall conclusion on the NuScale PRA for the US460 standard plant design and its conformance to the applicable regulatory requirements.

Uses and Application of the Probabilistic Risk Assessment

The staff reviewed FSAR Chapter 19 and Section 19.1.1, Uses and Applications of the Probabilistic Risk Assessment, to confirm that the applicant used the PRA in a manner consistent with the Commission's objectives for a design-phase PRA. Because the design-phase PRA is limited to the design details available without a constructed plant or operational experience with the plant (i.e., the as-built, as-operated plant), the staff focused its review on the risk insights from the PRA. The staff confirmed that the risk insights developed can reasonably support the uses of the PRA listed in FSAR Table 19.1-1, Uses of the Probabilistic Risk Assessment at the Design Phase. The staff finds that the applicant's uses of the PRA during the design phase conform to SRP Section 19.0 and therefore are reasonable and acceptable for the US460 standard design approval (SDA).

Consistent with SRP Section 19.0, for a design-phase PRA, an applicant need not address the uses of the PRA that require site-specific or plant-specific information relevant to a COL application. In FSAR Section 19.1, the applicant established eight COL information items to address uses of the PRA by a COL applicant. The staff finds that the proposed COL information items are acceptable because these items will enable the staff to assess the uses of the PRA by a COL applicant consistent with the guidance in SRP Section 19.0.

Acceptability of the Probabilistic Risk Assessment

The staff reviewed FSAR Section 19.1.2, Quality of the Probabilistic Risk Assessment, to evaluate the acceptability of NuScale's US460 design-phase PRA. In its evaluation, the staff considered the scope, level of detail, conformance with PRA technical elements (i.e., technical adequacy), and plant representation of the NuScale US460 PRA. In FSAR Table 1.9-4, Conformance with Interim Staff Guidance, the applicant stated that the NuScale SDAA conforms to DC/COL-ISG-028. The staff also reviewed details in other sections of the FSAR Chapter 19 to assess the PRA acceptability.

The staff finds that the scope of the PRA is consistent with the expected scope for a design-phase PRA as described in SRP Section 19.0. The PRA scope is appropriate for this SDAA because it characterizes risk in terms of CDF and LRF and addresses applicable internal and external events for all operating modes. The scope includes the use of a PRA-based seismic margins analysis (SMA) for the risk insights from seismic initiating events, which is appropriate for this SDAA because site-specific hazard information is unavailable. The scope also includes a multi-module risk evaluation of a six-module plant configuration. In the multi-module risk evaluation, the applicant addressed the potential impact of one module on other modules in the reactor pool, or near a module experiencing an event, and qualitatively addressed the risk associated with the impact of external events on multiple modules.

SRP Section 19.0 states that, if detailed design information is not available or it can be shown that detailed modeling does not provide additional significant information, it is acceptable to make assumptions consistent with the guidelines in DC/COL-ISG-028. The staff finds the level of detail in the design-phase PRA acceptable because the applicant has limited detailed design information (such as cable routing information, operating and maintenance procedures) and operating experience, and the applicant has identified a reasonably complete list of limitations that contribute to uncertainties. The applicant's approach of using conservative but reasonable assumptions to account for these uncertainties is acceptable for the design-stage PRA for this SDAA because the risk insights are not expected to be masked. The staff finds that the level of detail in the NuScale PRA is consistent with the relevant guidance in SRP Section 19.0. This level of detail is commensurate with the uses of the PRA in this SDAA and is therefore sufficient to gain risk insights in conjunction with the acceptable assumptions made in the PRA for the SDAA. The staff finds that the NuScale PRA reasonably reflects the standard plant design in the SDAA.

Based on the staff's evaluation of the full-scope PRA documented in SER Sections 19.1.4.4 through 19.1.4.9, the staff finds that the PRA for the SDAA is of sufficient technical adequacy because it conforms to SRP Section 19.0 and DC/COL-ISG-028. The staff's guidance states that a design certification application (DCA) PRA is not required to have a peer review. The staff has determined that this is also applicable to the SDAA. The applicant did not perform a peer review in support of the SDAA; however, the applicant conducted a self-assessment of the PRA against the ASME/ANS RA-Sa-2009 standard. The staff finds the applicant's self-assessment of the PRA against the consensus PRA standards to be an acceptable approach consistent with SRP Section 19.0, which states that a self-assessment is an acceptable tool for evaluating the technical adequacy of a PRA performed in support of an SDAA. The staff audited a sample of the self-assessment during the review and did not identify any issues of concern.

The staff finds the PRA maintenance and upgrade approach described in FSAR Section 19.1.2.4, Probabilistic Risk Assessment Maintenance and Upgrade, acceptable because it addresses the key elements of the maintenance of the design-stage PRA for this SDAA, including consistency with the design; configuration control of software; and documentation of assumptions, sensitivity studies, and PRA results. The approach conforms to the guidance in SRP Section 19.0.

Special Design/Operational Features

The staff reviewed FSAR Section 19.1.3, Special Design and Operational Features, and considered NuScale's design and operational features for preventing core damage, mitigating the consequences of core damage, preventing releases from containment, and mitigating the consequences of releases from containment, as well as the uses of the PRA in the design process. The staff also evaluated FSAR Table 19.1-2, Design Features/Operational Strategies to Reduce Risk, and FSAR Table 19.1-3, Use of Probabilistic Risk Assessment in Selection of Design Alternatives. The staff finds that the applicant identified a reasonable list of design and operational features that enhance plant safety in comparison to existing operating plants. These features represent a significant improvement on the vulnerabilities of earlier reactor designs by reducing the number of components and systems required to respond to a plant event and relying on passive systems and the ultimate heat sink (UHS). The staff finds that the applicant's design process benefited from using the PRA to identify design enhancements to reduce plant risk and that the applicant listed the design decisions supported by the PRA. The staff finds the use of the PRA in the design process acceptable because the use of PRA risk insights resulted in an improved design and lowered the NuScale US460 design's risk profile.

Level 1 Internal Events Probabilistic Risk Assessment for Operations at Power

The staff evaluated FSAR Section 19.1.4.1, Level 1 Internal Events Probabilistic Risk Assessment for Operations at Power, for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.1 Initiating Event Analysis

FSAR Section 19.1.4.1.1.2, Internal Initiating Events, and Section 19.1.4.1.1.5, Data Sources and Analysis, describe the initiating events analysis for the internal events PRA. The staff reviewed the applicant's analysis to determine whether the applicant's identification of initiators and estimation of the corresponding initiating event frequencies are adequate for the intended uses of the PRA.

The applicant used a structured, systematic process, which accounts for design-specific features, to identify initiating events. The applicant used a failure modes and effects analysis and a master logic diagram to identify design-specific system and support system faults that could lead to an initiating event or adversely affect the module's ability to respond to an upset condition. These approaches supplemented the applicant's review of potential initiating events from industry operating experience data sources and PRA studies.

The applicant identified 11 internal event at-power initiators in the PRA. The design, in conjunction with the use of simplifying assumptions, allows the spectrum of potential accident sequences to be reasonably represented by these 11 initiators. This representation was possible because the design uses fail-safe features, passive core cooling, and passive heat removal capabilities, thereby relying less on active systems than traditional large light-water pressurized-water reactors (PWRs).

For loss-of-coolant accidents (LOCAs), the applicant modeled event trees for chemical and volume control system (CVCS) injection and discharge line breaks outside containment; LOCAs inside containment including pipe breaks in the reactor coolant system (RCS) injection line, discharge line, and the reactor pressure vessel (RPV) high-point degasification line, spurious opening of a reactor safety valve (RSV), and a failure in the pressurizer heater penetration; and spurious opening of an emergency core cooling system (ECCS) valve. In reality, many RPV penetrations exist, such as those needed for pressure and temperature instrument taps. For these additional smaller RPV penetrations, the staff finds that the plant response can be expected to be similar to, or bounded by, an explicitly modeled CVCS line break because the plant response is similar and the scenarios rely on similar mitigation structures, systems, and components (SSCs). Therefore, representing pipe breaks of RPV penetrations with the CVCS line breaks is acceptable. Similarly, the staff finds that spurious opening of an RSV and spurious opening of an ECCS valve initiating events reasonably represent the non-pipe-break LOCAs, and the containment bypass events are adequately identified by the CVCS line breaks outside containment and the steam generator tube failure (SGTF).

The staff reviewed the applicant's approach to estimating the LOCA and pipe break frequencies for the NuScale design. Frequencies are calculated using pipe lengths taken from system drawings and industry failure rate data in the Idaho National Laboratory (INL) INL/EXT-21-65055, Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants: 2020 Update, issued November 2021, for nonemergency service water piping. The applicant also consulted NUREG-1829, Estimating Loss-of-Coolant Accident (LOCA) Frequencies Through the Elicitation Process, dated March 2008 (ML080630015), for LOCA frequency determination. The applicant performed sensitivities doubling the initiating frequency for CVCS LOCA inside containment and did not identify any impacts to the risk insights. The staff finds the approach reasonable for this SDAA because the applicant used an applicable data source to develop the frequencies, the applicant's sensitivity study did not identify any impacts on the risk insights, and the SDAA PRA initiating event frequency for a LOCA inside containment is higher than that for equivalent sized breaks from NUREG-1829.

The secondary-side line break initiator includes several different pipe break scenarios (e.g., main steamline, feedwater line, and decay heat removal system (DHRS) line, both inside and outside containment). The staff reviewed the applicant's approach to estimating the secondary-side line break frequency for the NuScale US460 standard design. The applicant evaluated degradation mechanisms to obtain data sets by screening out the mechanisms not applicable to the NuScale US460 standard design. Using the field experience data and failure rate information, the applicant estimated conditional rupture probabilities given the size, component type, and degradation mechanism. The likelihood of a pipe flaw propagating to a significant structural failure is expressed by the conditional failure probability. The frequency of pipe breaks is then summed for the conditional rupture probabilities and corresponding component types. The staff finds that this approach is reasonable because it is based on systematic, logical steps adequate for the SDA PRA. For the initiating event frequencies associated with breaks in the main steamlines, feedwater lines, the DHRS, and steam generator tubes, the applicant performed sensitivity studies that showed that the CDF and LRF, and risk insights, are relatively insensitive to specific estimates for these initiating event frequencies.

The loss of electrical power initiator consists of loss-of-offsite power (LOOP) and loss of dc (LODC) power scenarios. The LOOP scenario represents a loss of alternating current (ac) power to the station. The LODC power scenario is modeled in the PRA as a failure of any two power channels of the EDAS-MS which results in reactor trip, DHRS actuation, containment isolation, and ECCS actuation and includes a divisional failure of a module's EDAS-MS. The ECCS reactor vent valves (RVVs) are held closed by dc power. FSAR Section 8.3.2.1.1 states that all channels of EDAS-MS provide power for ECCS hold mode to preclude unnecessary ECCS valve actuation. By letter dated March 28, 2025 (ML25087A222), the applicant stated that each channel within an EDAS-MS division powers the ECCS trip valve solenoids associated with the applicable division of the module protection system (MPS), and FSAR Figure 7.0-9, Module Protection System Power Distribution, shows the power supply and auctioneering scheme provided in the MPS power supply to downstream loads (e.g., trip valve solenoids). The staff considers EDAS to be a non-safety-related or non-Class 1E SSC that performs an important to safety function, based on its role to protect specified acceptable fuel design limits, as discussed in SER Section 15.0.0.6.2, and there is reasonable assurance the system will function as designed.

The calculation of the LODC initiating frequency did not model common-cause failures (CCFs) between electrical buses in separate compartments based on information in Electric Power Research Institute (EPRI) 1016741, Support System Initiating Events, issued December 2008, for passive component failures. The LODC initiating event frequency uses common-cause factors from INL/EXT-21-62940, CCF Parameter Estimates, 2020 Update, issued November 2021, which is derived from operating plants. As documented in FSAR Section 8.3, the OCRM described in FSAR Section 16.1 includes controls over the reliability and availability of EDAS-MS-power circuitry and supply. As documented in FSAR Section 8.3, the EDAS is also included in the Maintenance Rule program in accordance with 10 CFR 50.65. The inclusion of the EDAS in the OCRM and the Maintenance Rule ensures that the functional criteria (availability and reliability) are maintained consistent with the Chapter 19 PRA EDAS modeling and results. The staff confirmed that the following PRA assumptions are captured in the FSAR to ensure consistency between the PRA EDAS modeling assumptions and the EDAS design as documented in FSAR Section 8.3:

CCF remains the dominant failure mode.

Reliability is equivalent to a class 1E system.

Test and maintenance unavailability (excluding batteries) is minimal and limited to a single channel.

Test and maintenance unavailability of the batteries is negligible.

The general reactor trip initiator represents transients that lead to a loss of normal heat sink (i.e., power conversion system) and general transients. The loss of support systems initiator captures reactor trip events that also disable systems that support the CVCS, the containment flood and drain system (CFDS), or both, as well as the loss of the non-safety-related ac power buses that result in a reactor trip. The general reactor trip initiating event frequency is based on PWR operating experience from general transients, loss of condenser heat sink, loss of feedwater, partial loss of service water, partial loss of component cooling water, and loss of instrument air. The staff finds the approach reasonable since this category captures internal initiating events that are not included in other categories, and the events identified using industry experience, a failure modes and effects analysis, and a master logic diagram are comprehensive.

For the NuScale US460 design, the assumed initiating event frequency estimates contain uncertainties, as plant-specific operating experience and associated data are not available to inform design-specific initiating event frequency estimates. The staff reviewed the assumed frequency estimates and finds that the applicant reasonably estimated the frequencies based on comparisons with industry databases and past PRA studies. The applicant performed sensitivity studies that varied the initiating event frequencies within reasonable ranges, which are listed in FSAR Table 19.1-22, Sensitivity Studies. The results of the sensitivity studies showed that the CDF, LRF, and risk insights are relatively insensitive to specific estimates for initiating event frequencies.

Based on the above considerations, the staff is reasonably confident that no risk-significant initiators for the US460 standard design have been excluded from the PRA for this SDAA. The staff also finds that the assumed initiating event frequency estimates, in conjunction with the evaluation of associated uncertainties, are acceptable for SDA purposes. Therefore, the staff finds the applicant's initiating event analysis acceptable for this SDA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.2 Success Criteria

FSAR Section 19.1.4.1.1.3, Success Criteria, describes the success criteria analysis for the US460 standard design PRA. The staff evaluated whether the determination of minimum requirements for critical safety functions, supporting SSCs, and operator actions to prevent core damage, given an initiating event, is adequate for the intended uses of the PRA. The staff also audited a sample of the engineering analyses used to support these success criteria.

The applicant defined the Level 1 PRA success criteria for an accident sequence as preventing core damage for 72 hours following an initiating event, with module conditions being stable or improving. The 72-hour minimum mission time is consistent with Commission policy for passive plants and is longer than the 24-hour mission time referenced in ASME/ANS RA-Sa-2009 to account for the dynamic behavior of the NuScale passive cooling systems. Core damage is defined as fuel peak cladding temperature exceeding 1,200 degrees Celsius (°C) (2,200 degrees Fahrenheit (°F)) with a concurrent, sustained collapsed liquid level in the reactor such that active fuel in the core has been uncovered. Also, core damage is assumed for RPV overpressure sequences, where the RSVs fail to open and the ECCS fails to actuate on high-high RCS pressure or high-high RCS average temperature.

For LOCAs inside containment (e.g., inadvertent RVV opening) and other events that call on the ECCS to prevent core damage, the applicant did not include containment isolation as part of the success criteria. FSAR Table 19.1-6, Success Criteria per Top Event, describes a coincident failure of both containment evacuation system (CES) containment isolation valves (CIVs) and a failure of the downstream section of the CES (which isolates on a diverse closure signal) as not credible. FSAR Chapter 9, Auxiliary Systems, describes the backup containment isolation function. In a letter dated December 11, 2024 (ML24346A310), the applicant concluded that for initiators that involve a loss-of-coolant inside containment with success of the reactor trip system (RTS), ((. In a letter dated August 13, 2024 (ML24226A402), the applicant submitted changes to its FSAR to fully describe the non-safety-related CES isolation valves and their function. Based on its review, the staff finds that the modeling approach and the success criteria analysis are acceptable and that including the CES function in the PRA model for every ECCS actuation would not impact the results or insights. The applicant used the thermal-hydraulic system code NRELAP5 to support the determination of the Level 1 PRA and system success criteria. As discussed in FSAR Chapter 15, Transient and Accident Analyses, Table 15.0-9, Referenced Topical Reports, LOCA Evaluation Model (Topical), the applicant validated the NRELAP5 against separate effects tests and integral effects tests. As discussed in FSAR Section 1.5.1, NuScale Testing Programs, the data collected by the applicant provide system characterization data required for validation of NRELAP5.

The NRELAP5 model used for the PRA is a modification of the model that is used for design-basis-LOCA and non-LOCA system transient calculations provided in Chapter 15. The PRA model modifications provide best estimate analysis of beyond-design-basis transient and for benchmarking the thermal hydraulics of the severe accident code, MELCOR. Although the NRELAP5 code was not validated for PRA success criteria, the staff reviewed a selection of key parameters and modifications to the base model. The staff found that the key parameters and modifications are reasonable for supporting the PRA. The staff ran confirmatory calculations and reviewed thermal-hydraulic simulations supporting the PRA on a case-specific basis to support its review. Weld failures at the junction between the CNV and the CVCS CIVs with no possibility for containment isolation (as discussed in Chapter 3 SER Section 3.6.2.4.1.1 and Chapter 15 SER Section 15.6.5.1.5) ((

}}. However, the consequences of an un-isolated CVCS LOCA outside of containment are modeled in the PRA as a CVCS break downstream of containment isolation with failure of containment isolation. The staff ran confirmatory calculations, as discussed in SER Section 15.6.5.1.5, using the NRELAP PRA model and found the NRELAP PRA model to be adequate to evaluate LOCAs outside of containment. The weld failure frequency is highlighted as a key source of Level 2 uncertainty in FSAR Table 19.1-28, Design-Specific Sources of Level 2 Model Uncertainty. As discussed in Table 19.1-28, the impact on LRF is minimized by leak identification and operator response requirements which are discussed in the NuScale Loss-of-Coolant Accident Safety Case (ML25031A444). The staff finds NuScales approach of identifying this source of uncertainty in the model coupled with the ability to mitigate the event is acceptable because the PRA captures the relevant risk insights for the US460 SDAA.

The staff audited a sample of the thermal-hydraulic simulations performed to develop the minimum set of system performance requirements to prevent core damage. Best estimate inputs and assumptions were generally used for the success criteria and are appropriate for analyses supporting the PRA, in contrast to the conservative inputs and assumptions used in the design-basis analyses. These simulations confirmed redundancy in the design of safety systems. For example, for non-LOCA events, only one of two RSVs needs to successfully cycle to achieve a safe state. Also, for non-LOCA events, the same safety function can be achieved with one of two trains of the DHRS. For LOCA events, one of two reactor recirculation valves (RRVs) and one of two RVVs need to open to achieve a safe state. For LOCAs inside containment, one of two CVCS makeup trains provides a backup to the ECCS function. For certain LOCAs outside containment, the CFDS provides a backup to the CVCS.

19.1.4.4.2.1 Boron Redistribution

For Chapter 19 scenarios such as LOCAs outside containment with successful containment isolation, SGTFs with successful steam generator isolation, LOOPs, and reactor trip scenarios, extended decay heat removal (DHR) using the DHRS will result in the activation of an 8-hour ECCS timer. Once the operators verify reactivity conditions, the 8-hour ECCS timer is bypassed. If the ECCS timer is not blocked, then the ECCS will actuate. As described in FSAR Section 15.0.5.1, Decay and Residual Heat Removal Scenarios, the DHRS cools the NuScale Power Module (NPM) and provides long-term removal of decay heat while the RRVs and RVVs remain closed. In some scenarios, the DHRS can cool the RCS such that the level drops below the top of the riser. Condensation of steam on the outside of the steam generator tubes could reduce the downcomer boron concentration. Diverse flowpaths in the riser allow continued primary coolant flow and promote mixing to preclude unacceptable positive reactivity insertion if the ECCS actuates. For non-LOCA events that result in a reactor trip and DHRS actuation, the ECCS actuates 8 hours after a reactor trip unless the operators bypass the ECCS timer. Operators bypass the ECCS timer if RCS hydrogen conditions are met and if reactivity conditions indicate that the additional negative reactivity provided by the ECCS supplemental boron (ESB) function is not needed to maintain subcriticality under cold conditions. The staff evaluated design features that prevent or mitigate boron redistribution phenomena to determine the impact on the PRA and resulting risk insights. During its regulatory audit, the staff reviewed NuScale's thermal-hydraulic evaluations (ML24215A222; ML24215A223 nonpublic) for anticipated transient without scram (ATWS) events demonstrating that the ESB function is unnecessary to achieve the PRA success criteria. The staff's review notes that the ESB function is identified as safety-related in the FSAR and is included in the US460 standard design TS. Based on its review, the staff finds that the modeling of the ECCS actuation timer in the PRA is appropriate and that including the ESB function in the PRA model would not change the success criteria.

19.1.4.4.2.2 Unisolated CVCS Line Breaks Outside Containment

If a CVCS line pipe break outside containment occurs, the expected module response is a reactor trip due to low pressurizer level or low pressurizer pressure, isolation of the break in the CVCS line, actuation of the DHRS, and operator confirmation of shutdown margin with bypass of the 8-hour ECCS timer. For sequences where isolation of the injection line break fails, core damage is avoided if a single train of the DHRS and all ECCS valves function.
Core damage is also avoided if a single RVV, a single RRV, and the CFDS function. For the unisolated CVCS line breaks outside containment, ECCS actuation occurs on low RPV riser level regardless of RCS pressure and preserves inventory early in the progression that would otherwise be lost through the break. As noted in FSAR Table 19.1-3, Use of Probabilistic Risk Assessment in Selection of Design Alternatives, the US460 design includes flow-restricting venturis in the safe-ends of the CVCS line penetration nozzles on the containment vessel (CNV) to control the inventory loss through the break and support passive mitigation of CVCS breaks outside containment when CVCS isolation has failed. Although ECCS actuation occurs when the level in the CNV is well below the RRV elevation, the thermal-hydraulic analysis shows that if at least one train of the DHRS is available and all ECCS valves are open, PRA success criteria are met. For unisolated CVCS line breaks outside containment, with or without the DHRS, operator action to add inventory via CFDS is required to achieve PRA success criteria when not all ECCS valves open. ECCS actuation occurs when the level in the CNV is well below the RRV elevation. As a result, following ECCS actuation, the core becomes uncovered, fuel heatup occurs, and core damage occurs unless operators restore coolant sufficiently to minimize the time the core is uncovered and thus prevent core damage. Failure of operator action to add inventory via the CFDS causes this scenario to lead to containment bypass, which is a significant large release sequence. Based on its review, the staff finds that the modeling approach and the success criteria analysis for isolated and unisolated CVCS line breaks outside containment are acceptable.

19.1.4.4.2.3 LOCAs Inside Containment

If a CVCS injection line LOCA inside containment were to occur, the expected module response is a reactor trip due to rapid pressurization of the CNV reaching the containment pressure setpoint. Reaching the containment pressure setpoint also initiates containment isolation. The low riser level signals an ECCS actuation. Successful actuation of the ECCS prevents core damage. Should the ECCS fail, one train of the DHRS and RCS inventory addition through an alternate injection path are needed to prevent core damage. FSAR Figure 19.1-4, Event Tree for Chemical and Volume Control System Injection Line Loss-of-Coolant Accident Inside Containment, illustrates this success criterion. The operator action requires reopening CIVs, aligning a flowpath from the boron addition system (BAS), activating a CVCS makeup pump, and aligning the CVCS to provide cooling through either the injection line or pressurizer spray line, as appropriate. For other LOCAs inside containment (e.g., spurious RSV opening, CVCS discharge line), successful actuation of the ECCS prevents core damage. Should the ECCS fail, only RCS inventory addition through the CVCS is needed to prevent core damage. This action requires reopening of the CIVs, aligning a flowpath from the BAS, and activating a CVCS makeup pump. For some permutations of these sequences, the top of active fuel is exposed for a short period before makeup is established or realigned. Should a spurious opening of either an ECCS RRV or RVV occur, the result is discharge of RCS fluid into the CNV, resulting in containment isolation and ECCS actuation. Should the other ECCS valves fail to open, RCS inventory addition using the CVCS prevents core damage. Based on its review, the staff finds that the PRA modeling of LOCAs inside containment is acceptable because it reasonably represents the US460 design and plant behavior for LOCAs inside containment.

19.1.4.4.2.4 Non-LOCA Events

For non-LOCA events with successful reactor trip including SGTF (assuming the steam generator with tube failure is isolated), secondary line breaks, general reactor trip, and LOOP recovered within 24 hours, a single train of the DHRS is sufficient for core cooling, assuming successful closure of the RSV if demanded (1 cycle). As discussed in SER Section 19.1.4.4.5.1, for non-LOCA events that result in a reactor trip and DHRS actuation, the ECCS actuates 8 hours after reactor trip unless the operators bypass the ECCS timer. Operators bypass the ECCS timer if reactivity conditions indicate that the additional negative reactivity provided by ESB is not needed to maintain subcriticality under cold conditions. The staff reviewed the possibility of multiple SGTFs. The applicant stated that (( }}. For SGTF sequences involving a failure of the secondary system to isolate, the loss-of-coolant inventory from the primary to secondary system is terminated when both pressures reach equilibrium. This equilibrium state is reached following ECCS actuation, where ECCS is then credited to prevent core damage. Similarly, the applicant stated that if a tube failure occurred in both steam generators, the speed of the transient would be faster. The distinguishing feature of both steam generators having failed tubes (versus a single steam generator) would be a loss of both trains of the DHRS. In either case, successful actuation of the ECCS prevents core damage. The sensitivity analysis discussed in the applicant's August 2, 2024 (ML24215A224) letter demonstrates that the PRA results and insights are insensitive to the initiating frequencies of an SGTF and a loss of both trains of DHRS. The staff determined that if an SGTF is caused by density wave oscillation (DWO) phenomena, its behavior and insights will be similar to an SGTF caused by any other initiator and the sensitivities performed by the applicant remain applicable. In addition, the risk posed by a potential DWO-induced SGTF is addressed by multiple prevention strategies. As discussed in SER Section 5.4.1.2.1, SGTF caused by DWO is a gradual degradation mechanism. Further, SER Section 5.4.1.4.2.1 discusses that the time in a potential DWO condition is tracked and limited using an approach temperature limit. Steam generator tube degradation is monitored through the Steam Generator Program, as required by the US460 Generic Technical Specifications, Volume 1, Technical Specification 5.5.4. The dynamic effects of DWO on the steam generators are addressed in SER Section 3.9.2.4.3.11, while secondary side oscillation impacts on the NuScale Design Specific Review Standard Section 15.0 (ML15355A302) are addressed in SER Section 15.9.4.4.9. Based on the staff's review of the applicant's analysis, a single train of the DHRS is sufficient for core cooling, assuming successful closure of the RSV if demanded (1 cycle) for non-LOCA events with a successful reactor trip. For events that involve multiple SGTFs and a resulting loss of both trains of the DHRS, the staff finds that the passive heat removal capability is sufficient to prevent core damage if the ECCS actuates successfully.
Based on the staff's review and information provided during the audit, the staff finds NuScale's success criteria for non-LOCA events to be technically adequate and consistent with SRP Section 19.0.

19.1.4.4.2.5 ATWS and Impact of Boron Redistribution

The staff audited the applicant's analysis of the general transient ATWS event. ATWS is defined in FSAR Table 19.1-8, Basic Events with Modified Generic Data, as a failure of the RTS resulting in at least 2 of 16 control rods failing to insert, which the applicant assumed to result in the reactor remaining critical. The staff reviewed thermal-hydraulic simulations in the ATWS PRA notebook that assume total failure of the RTS (all rods out). Although the RSVs will be demanded on ATWS, if the RSVs fail to open, RPV pressure continues increasing until the ECCS is actuated on the high-high RCS pressure signal. Opening of at least one RVV and one RRV prevents core damage. If the RSVs fail open, coolant continues to pass from the RPV to the CNV through the RSV, and the ECCS actuates on low riser level. As indicated in FSAR Table 19.1-8, since the ATWS event trees cover all combinations of stuck rods (i.e., 2 rods out to 16 rods out), ECCS actuation does not presume that the reactor is subcritical. For several initiators, such as the SGTF, secondary line breaks, and the general reactor transient, in the event trees for sequences that result in ATWS, CVCS injection is credited to add inventory and prevent core damage for sequences in which RSVs cycle and ECCS fails. The staff confirmed that CVCS injection following postulated ATWS and small-break LOCAs with ECCS failure does not exacerbate the scenario consequences due to a possible reactivity insertion due to the addition of diluted water or flow incursion induced by void collapse. As indicated in FSAR Table 19.1-5, System Dependency Matrix, the BAS is the initial inventory source to support CVCS injection. BAS failures causing boration or dilution events are included in the general reactor trip initiator. FSAR Section 9.3.4.1, Design Bases, additionally states that the CVCS includes two automatic, safety-related, fail-closed, demineralized water isolation valves to ensure that CVCS operation does not inadvertently cause a dilution of the RCS boron concentration. FSAR Table 17.4-1, Design Reliability Assurance Program Structures, Systems, and Components Functions, Categorization and Categorization Basis, identifies the SSCs required to remove electrical power to the trip solenoids of the demineralized water system (DWS) isolation valves on a DWS isolation signal as being safety related and risk significant. As described in SER Section 19.1.4.4.2.4, for the NuScale DCA, the staff performed confirmatory calculations to assess this postulated reactivity insertion during the NuScale DCA review and determined that rapid insurge of diluted coolant in response to CVCS activation would require a combination of conditions that are unlikely to occur and are further avoidable by following emergency operating procedures. The staff updated these confirmatory calculations for the SDA power level, which illustrate that the heightened power, and therefore heightened steaming rate, narrow the conditions that may lead to void collapse and surge of diluted-boron coolant into the core. The staff estimated the net shrinkage rate above the core for different RCS pressures, power levels, and CVCS flow rates. While positive net shrinkage rates are present, the potential for return to criticality assumes a LOCA with failure to scram, failure of the ECCS, significant time for boron dilution to occur, and the decision of operators to use the CVCS to inject at a higher flow rate than the injection rate for one pump as specified in FSAR Table 9.3.4-1, Chemical and Volume Control System/Module Heatup System Major Equipment with Design Data and Parameters.
It is reasonable to assume that procedures would direct the operators to inject at a lower rate or to inject into the downcomer as opposed to the riser. If the CVCS injects into the downcomer, then there would be no void collapse in the riser to cause the surge. Based on the staff's independent evaluation and information provided during the audit, the staff finds NuScale's success criteria assumptions for ATWS sequences to be technically adequate and consistent with SRP Section 19.0.

19.1.4.4.2.6 Success Criteria Conclusion

Based on the review of the thermal-hydraulic simulations for a representative sample of sequences as discussed above, the staff determined that the engineering analyses used to support the success criteria are reasonable and that the applicant adequately determined the minimum requirements and assumptions for critical safety functions, supporting SSCs, and operator actions to prevent core damage, given an initiating event, for the intended uses of the PRA. Therefore, the staff finds the applicant's success criteria acceptable for the SDAA because they are technically adequate and sufficiently consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.3 Passive System Uncertainty

FSAR Section 19.1.4.1.1.5 summarizes the applicant's analysis of the thermal-hydraulic uncertainty for the passive safety system reliability (PSSR) evaluation. NuScale performed a full-scope PSSR evaluation to support the US600 certified design (Docket Number 52-048). To support the US460 standard design, NuScale performed a limited scope evaluation that consisted of identifying the most challenging scenarios and thermal-hydraulic parameter biases for the full-scope evaluation, incorporating changes reflecting the US460 design and simulating the responses with a US460-specific RELAP model. NuScale stated that the results confirm that the passive reliability failure probabilities for the ECCS and the DHRS from the full-scope evaluation are applicable to the US460 design. To confirm the PSSR results reported in FSAR Chapter 19, during its regulatory audit, the staff reviewed the limited-scope evaluation summarized above, which is specific to the US460 design. Consistent with the US600 design certification evaluation, the PSSR of the ECCS and DHRS during ATWS scenarios was not evaluated for the SDAA due to a low contribution to total CDF. The sequences selected for evaluation include those that rely on passive safety system function for success and occur with a frequency of at least 1 percent of the CDF. The supporting reports and results of RELAP analyses provided in the regulatory audit confirm the probabilities of the ECCS failing to prevent core damage and of the DHRS failing to protect the reactor coolant pressure boundary. These probabilities are used in determining the overall CDF of a single NPM in support of the NuScale plant SDAA PRA. The staff's review focused on passive failures of the ECCS and DHRS to remove decay heat. The staff evaluated the applicant's approach to calculating uncertainty for scenarios in which best estimate thermal-hydraulic analyses do not predict core damage. The staff reviewed the applicant's selection of failure metrics for the ECCS and DHRS: core damage and RPV failure pressure, respectively. The definition of core damage used for the NuScale US460 design is fuel peak cladding temperature of 2,200°F or higher and collapsed liquid level below top of active fuel for a sustained period. For the DHRS, the metric of exceeding RPV failure pressure with no other mitigating systems available is used. For both systems, the staff reviewed how accident scenarios were grouped to identify which accident scenarios were evaluated with NRELAP5.
The applicant's ECCS evaluation focused on the following:

- RRV LOCA: spurious opening of an RRV with successful scram. All other systems were considered not relevant or unavailable.
- CVCS LOCA: LOCAs outside of containment that are successfully isolated with successful scram. The DHRS is not available, and RPV pressure increases until the RSV cycles and sticks open. Inventory transfers from the RPV to CNV until the ECCS actuates.

The applicant's DHRS evaluation focused on a general transient with successful scram, in which one train of the DHRS is operating. No other systems are credited. The staff found the scenario selection for the thermal-hydraulic analysis acceptable and consistent with SRP Section 19.0. The applicant used NRELAP5 to evaluate the sequences and accident progression. To represent the thermal-hydraulic parameter uncertainty, the applicant used probability distributions to model certain critical parameters (e.g., ECCS valve flow coefficients, pressurizer level, noncondensable gas content) to determine the thermal-hydraulic reliability of the passive systems with respect to the defined failure metrics. The staff reviewed the applicant's NRELAP5 thermal-hydraulic inputs, their distributions, and their ranges.

The staff confirmed that the applicant identified key thermal-hydraulic parameters in the US460 design that could affect ECCS and DHRS reliability and introduced uncertainty into the determination of success criteria, consistent with SRP Section 19.0. The sensitivity study documented in FSAR Table 19.1-22 involves increasing the failure probability for both the ECCS and DHRS by an order of magnitude. The results show no impact on CDF or LRF. The staff finds the applicant's passive system reliability analysis acceptable because it is technically adequate and sufficiently consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.4 Accident Sequence Analysis

FSAR Section 19.1.4.1.1.4, Accident Sequence Determination, describes the accident sequence analysis. The staff reviewed the applicant's analysis to evaluate whether the development of design-specific accident sequences is adequate for the intended uses of the PRA and whether it sufficiently accounts for the required systems, operator actions, and any potential dependencies. The applicant used an event tree structure to model the plant scenarios affecting key safety functions that could lead to core damage following an initiating event. The staff reviewed the 11 event trees corresponding to the initiators evaluated in SER Section 19.1.4.4.1. For each initiating event, the applicant included the mitigation systems, operator actions, and phenomena that can alter the accident sequences in the model event tree structure. The staff confirmed that the logic used for each event tree is consistent with the success criteria and human reliability analysis (HRA). Based on its review, the staff finds the applicant's accident sequence analysis acceptable for this SDAA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.5 Systems Analysis

As described in FSAR Section 19.1.4.1.1.1, Methodology, and Table 19.1-4, Systems Modeled in the Probabilistic Risk Assessment, the applicant explicitly modeled the RCS, ECCS, DHRS, MPS, containment system (CNTS), CVCS, DWS, CFDS, electrical power systems, BAS, control rod drive system (CRDS), and UHS in the PRA. The staff audited a sample of systems, including failures and unavailability modes, CCFs, dependencies, and model completeness to support the determination that the systems are modeled adequately and reflect the as-designed plant.

19.1.4.4.5.1 ECCS

Incomplete ECCS actuations are significant risk contributors for the NuScale design. The ECCS model includes RVVs, RRVs, trip valves, RRV inadvertent actuation blocks (IABs), RRV passive opening, and heat transfer to the reactor pool. The staff reviewed the ECCS model and evaluated the acceptability of excluding the failure of the reset valves and plugging of the ECCS hydraulic control system trip line from the ECCS model. These components are not included in the ECCS model because they do not affect the successful opening of the ECCS valves. Table 19.1-6 notes that low differential pressure across the RVVs (passive opening of the RVVs) is not modeled in the PRA because low differential pressure is not reached in time to prevent core damage based on NRELAP PRA results.

In the NuScale US460 design, only the RRVs have IABs. The IAB is a normally open valve designed to close when the ECCS actuates and RPV to CNV differential pressure is high and to reopen when the differential pressure decreases. The IAB is designed to not change positions for most scenarios that call on the ECCS function to achieve a safe end state. This is accomplished by setting the IAB setpoint sufficiently high to allow the RPV-to-CNV differential pressure to clear the IAB setpoint before an ECCS actuation setpoint is reached. Some scenarios, such as an LODC, may require the IAB to change state, but as RPV-to-CNV differential pressure decreases, the main spring, assisted by reactor coolant pressure, will open the main valve and support the safety function. For potential plugging of the reactor trip line and potential failure modes that support the CIVs, which were not explicitly modeled, the system design is not sufficiently complete to support a detailed system model. The staff finds that the PRA does not rely on these quantitative results, and the level of detail is adequate for SDAA purposes because the applicant performed a sensitivity study that conservatively modeled all CCF basic events. The staff finds that excluding potential plugging of the reactor trip line from the ECCS model is acceptable because the resulting risk, using conservative assumptions for CCF basic events, is within the Commission's CDF and LRF goals and supports the determination of risk insights commensurate with the uses of the PRA for the NuScale US460 design. The staff reviewed the operator action to manually bypass the 8-hour ECCS timer upon confirmation of shutdown margin. Operators may manually block the actuation if subcriticality at cold conditions is confirmed and if it is confirmed that sufficient hydrogen concentration will be maintained in the RCS throughout the DHRS cooldown to preclude radiolytic generation of combustible gases.
FSAR Section 6.2.5, Combustible Gas Control in the Containment Vessel, describes the operation of the passive autocatalytic recombiner (PAR) to maintain the containment inert. The PAR is not needed to maintain containment integrity following a severe accident for the mission time of the PRA. This operator confirmation to bypass the 8-hour ECCS timer is conducted following every reactor trip. This confirmation prevents ECCS actuation for isolated pipe breaks outside containment and non-LOCA DHRS cooldown scenarios with intact RCS boundary for which the ECCS is not warranted. Based on the sensitivity studies reported in FSAR Table 19.1-22, the PRA results are not sensitive to human error (including operator confirmation of shutdown margin and hydrogen concentration). The applicant performed the NRELAP5 thermal-hydraulic analyses for various PRA scenarios to determine whether the RCS temperatures and pressures would satisfy the conditions for ECCS actuation. For the DHRS cooldown scenario, the hot-leg temperature was shown to be below the interlock temperature of 226°C (440°F) when the low RPV riser level setpoint is reached even with only one DHRS train operating. The staff finds that both trains of the DHRS would most likely operate, providing additional margin to the interlock temperature and assurance that the unnecessary ECCS actuation would be avoided following operator confirmation of shutdown margin and bypass of the 8-hour timer. The staff noted that, as the RCS cools down through the DHRS or through the condenser, the module would pass through the low RPV riser level ECCS actuation setpoint during every controlled or uncontrolled shutdown, which is a frequent occurrence. If the RCS temperature bypass fails, an incomplete ECCS actuation could occur. For example, an operator miscalibration of sensors may introduce a failure mode. 
To address this concern, the applicant explained that NuScale's MPS design includes continuous self-diagnosis and testing, which reports channel operation status as described in FSAR Section 7.1.3.1, Redundancy in Module Protection System Design. The actuation priority logic is the only portion of the MPS that does not have built-in self-testing capabilities and is periodically tested in accordance with the plant TS. Based on these considerations, the staff finds that sensor miscalibration concerns are adequately addressed. The staff reviewed a sample of thermal-hydraulic runs and finds that the applicant's conclusions are reasonable. The PRA event trees in the SDAA reflect the expected event progression. Based on the above, the staff finds that the modeling of the ECCS demands has been appropriately reflected in the PRA for this SDAA. As discussed in FSAR Section 6.3.2.2.1, ECCS Core Cooling System Supplemental Boron, upon actuation of the ECCS, an ESB function provides additional boron concentration to ensure that the reactor remains subcritical for at least 72 hours following an event. For design-basis events, the combined reactivity of the control rod assemblies and the ESB ensure General Design Criterion 27, Combined Reactivity Control Systems Capability, of Appendix A to 10 CFR Part 50, General Design Criteria for Nuclear Power Plants, is met regarding reactivity control systems. As described in FSAR Chapter 6, Engineered Safety Features, the safety-related components of the ESB do not rely on power or nonsafety systems to perform their function. The operability of the ESB for Mode 1 is required by TS Limiting Condition for Operation 3.5.4, Emergency Core Cooling System Supplemental Boron (ESB). During its regulatory audit, the staff reviewed NuScale's thermal-hydraulic evaluations for ATWS events that demonstrated that the ESB function is unnecessary to achieve the PRA success criteria. Based on its review, the staff finds that the modeling of the ECCS actuation timer in the PRA is appropriate and that the PRA model does not need to include the ESB function.
The staff finds that the system models reflect the design and expected operation of the plant and are sufficiently detailed to identify appropriate risk insights for this SDAA. Therefore, the staff finds the applicant's systems analysis acceptable for this SDAA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.6 Human Reliability Analysis

FSAR Section 19.1.4.1.1.5 states that the HRA is based on the Accident Sequence Evaluation Program Human Reliability Analysis Procedure methodology for pre-initiator human actions and the Standard Plant Analysis Risk-Human Reliability Analysis (SPAR-H) methodology for post-initiator human actions. The applicant used a joint lower bound of 1.0 × 10⁻⁵ for cutsets containing more than one human action. The staff reviewed the applicant's analysis to determine whether the identification and definition of human failure events are adequate and the quantification of associated human error probabilities is appropriate for the intended uses of the PRA. At the design stage, the emergency, abnormal, and system operating procedures, main control room (MCR) indications and layout, and other aspects of plant layout and equipment access are not established. Therefore, the HRA is based on general design and guidance documents and on a simplified approach to model pre-initiator and post-initiator operator actions. For this reason, considerable uncertainty exists in the HRA and the human error probability estimations. In the NuScale US460 design, the ECCS timer bypass operator action is performed after every reactor trip, following the success of both the RTS and DHRS, and not in response to an equipment failure. The human error probability documented in the FSAR reflects this condition.

Given the large uncertainty, the staff reviewed the HRA sensitivity analyses summarized in FSAR Table 19.1-22 to assess the impact of uncertainties in the HRA on risk estimates and to support the determination that the applicant's simplified approach is appropriate. The staff reviewed the results of a sensitivity study in which all human error probabilities were set to their 95th percentile values, and the resulting CDF and LRF increased by a factor of 2.8 and 6.4, respectively. Even with this conservative sensitivity, the resulting risk from the internal events PRA is within the Commission's CDF and LRF goals. Based on the above evaluation, the staff finds the applicant's HRA acceptable for this SDAA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.7 Data Analysis

FSAR Section 19.1.4.1.1.5 discusses the data analysis performed to support the numerical data used in the PRA. The staff's review focused on ensuring that the applicant's parameter estimations are adequate for the intended uses of the PRA for the SDAA. Because the NuScale design has no operating experience, much of the basic event data are based on generic failure probabilities (e.g., INL/EXT-21-65055). For basic events in the NuScale design that are similar to basic events in PWRs, the staff finds that the applicant's use of generic data for components that are not unique to the NuScale design is appropriate for an SDAA. For some components unique to NuScale, such as the ECCS valves, the applicant calculated estimated failure rates and probabilities using a fault tree model with inputs based on a combination of generic data, licensee event reports, operating experience, and design-specific information. The staff finds that, at the SDAA stage, with no operating experience, confidence in these data is limited.
COL Item 19.1-8 states that an applicant that references the NuScale Power Plant US460 standard design will confirm the validity of the key assumptions and data used in the SDAA PRA and modify, as necessary, for applicability to the as-built, as-operated PRA. Therefore, these failure rates and probabilities are considered assumptions to be confirmed during the COL stage if the PRA is to be used for other applications. Additionally, the staff reviewed the results of sensitivity studies for component failure rates, which demonstrated that the risk from the internal events PRA continues to remain within the Commission's CDF and LRF goals and supported the determination of risk insights commensurate with the uses of the PRA for the NuScale US460 design. Based on the above evaluation, the staff finds the applicant's data analysis acceptable for this SDAA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.8 Quantification and Risk Insights

FSAR Section 19.1.4.1.1.7, "Quantification," discusses the PRA quantification process. The applicant used the Systems Analysis Programs for Hands-on Integrated Reliability Evaluations (SAPHIRE) code for this purpose, as stated in FSAR Section 19.1.4.1.1.6, "Software." The applicant discussed that use of the code is within SAPHIRE's capabilities and limitations as presented in NUREG/CR-7039, "Systems Analysis Programs for Hands-on Integrated Reliability Evaluations (SAPHIRE) Version 8," issued June 2011 (ML11195A300).

The staff reviewed the PRA quantification and finds that the applicant identified significant contributors to CDF, including initiating events, accident sequences, and basic events (equipment unavailability and human failure events). The applicant reported a very low numerical value for the CDF. The reported CDF is based on existing information, which is limited by incomplete design and construction, undeveloped procedures, and a lack of operating experience. Additionally, parameter, model, and completeness uncertainties, including the reliability of novel and risk-significant SSCs (e.g., the ECCS valves), are addressed by estimates that rely on assumptions. Because the uncertainty bands on the CDF reported by the applicant account for only parameter uncertainties, not model uncertainties, the staff finds that the uncertainty could be larger than indicated; however, even with greater uncertainty, the low CDF estimate reflects deliberate engineering and design effort to reduce or eliminate the contributors to CDF found in previous designs. This observation applies generally to the numerical results for the CDF and LRF for all hazard groups (e.g., the external events PRA for operations at power and LPSD). SER Section 19.1.4.5.5 includes the staff's evaluation of the PRA quantification with respect to LRF.

The staff reviewed the top core damage sequences from the Level 1 internal events PRA for operations at power for a single module. Approximately 90 percent of core damage scenarios involve incomplete ECCS actuation. The staff finds that the applicant appropriately identified the ECCS to be risk significant, as discussed below. The staff reviewed the insights into the risk significance of SSCs and operator actions from the NuScale PRA.
FSAR Table 19.1-19, "Criteria for Risk Significance," presents the criteria for determining the risk significance based on absolute importance measures of conditional CDF and conditional LRF from the aggregated risk across all hazards and based on the overall percent contribution to the total risk (Fussell-Vesely (FV) importance) for calculated risk from individual hazards. The applicant used Section D, Section 3.0, of the approved NuScale licensing topical report TR-0515-13952-NP-A, Revision 0, to derive the criteria shown in FSAR Table 19.1-19. FV criteria used by the applicant for the risk-significance determination of component basic events are based on the absolute value of the CDF. During the staff audit, the staff questioned whether PRA modeling uncertainty for extremely low CDF calculations could cause significant contributors to be incorrectly categorized as not risk significant. The applicant stated in the SDAA that the FV thresholds are scaled to maintain an equivalent level of absolute risk, with additional margin added as risk decreases to compensate for potential increase in PRA uncertainty and ensure that significant contributors do not screen out of the risk significance determination.

The staff confirmed that the applicant met the conditions and limitations stated in TR-0515-13952-NP-A, Revision 0, as follows:

- The topical report is applicable to the NuScale generic design.
- The applicant considered uncertainties, sensitivities, traditional engineering evaluations and regulations, defense in depth, and safety margin, in addition to risk insights, to determine the risk significance of SSCs. SER Section 17.4 includes additional discussion of the determination of risk-significant SSCs.
- The PRA, as evaluated in SER Section 19.1, is technically adequate and addresses internal and external hazards and all operating modes and considers the impact of other modules or shared SSCs. Also, as discussed in SER Section 19.1.4.9, the staff determined that the applicant's approach for evaluating multi-module risk is acceptable for an SDAA.
- The CDF is very low (i.e., approximately 1x10^-7 per year or less).

Because the applicant applied the risk-significance determination for this SDAA consistent with the approved topical report and provided additional justification for scaling the FV threshold, the staff finds the application of this methodology to the NuScale design acceptable for determining candidate risk-significant SSCs for the Level 1 internal events PRA (this section), the Level 2 internal events PRA, Level 1 and 2 internal events LPSD PRAs, external events PRAs, and the multi-module risk evaluation (subsequent sections). Based on the above evaluation, the staff finds the applicant's quantification and risk insights acceptable for this SDAA because they are technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.4.9 Key Assumptions

COL Item 19.1-8 provides guidance to the COL applicant so that all key PRA assumptions identified in FSAR Table 19.1-21, "Key Assumptions for the Probabilistic Risk Assessment," will be appropriately evaluated and dispositioned during the COL stage. Although the COL information item does not reference FSAR Table 19.1-21, the key assumptions in the COL information item refer to those assumptions, tabulated for each internal and external hazard and operating mode evaluated in the NuScale PRA. Therefore, the staff finds this COL information item applicable to FSAR Table 19.1-21 and has reasonable assurance that the key assumptions, which are relied on to account for the incomplete design and operational details in the SDAA PRA, will be appropriately evaluated and dispositioned during the COL stage to ensure that the PRA results and insights continue to remain valid.
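The quantification concepts reviewed in Sections 19.1.4.4.6 and 19.1.4.4.8 above (a joint lower bound on cutsets with more than one human action, Fussell-Vesely importance, and a 95th-percentile human error sensitivity) are shown here in Python as an added example; it is not code or data from the applicant, the staff, or SAPHIRE. The event names, probabilities, cutsets, the rare-event summation, and the choice to apply the floor to the product of the human error probabilities in a cutset are all assumptions made for illustration.

```python
"""Added illustration: cutset quantification with a joint human-error floor.

Every event name and number below is constructed for this example; none is a
NuScale PRA value. Only the 1.0e-5 joint floor is taken from the SER text.
"""
from math import prod

JOINT_HEP_FLOOR = 1.0e-5  # joint lower bound for cutsets with >1 human action

# Constructed basic events. "p" is the point estimate; "p95" is a constructed
# 95th-percentile value, used only for human actions in the sensitivity case.
EVENTS = {
    "IE-TRANSIENT": {"p": 1.0e-1, "human": False},  # initiator, per year
    "VALVE-A-FTO": {"p": 1.0e-3, "human": False},
    "VALVE-B-FTO": {"p": 1.0e-3, "human": False},
    "VALVES-CCF": {"p": 5.0e-5, "human": False},
    "OP-ACTION-1": {"p": 2.0e-3, "human": True, "p95": 1.0e-2},
    "OP-ACTION-2": {"p": 1.0e-3, "human": True, "p95": 5.0e-3},
}

# Constructed minimal cutsets: one initiator plus the failures that together
# lead to core damage.
CUTSETS = [
    ("IE-TRANSIENT", "VALVES-CCF"),
    ("IE-TRANSIENT", "VALVE-A-FTO", "VALVE-B-FTO"),
    ("IE-TRANSIENT", "VALVE-A-FTO", "OP-ACTION-1"),
    ("IE-TRANSIENT", "OP-ACTION-1", "OP-ACTION-2"),
]


def cutset_value(cutset, events, floor=JOINT_HEP_FLOOR, use_p95=False):
    """Frequency of one cutset; floor=None disables the joint HEP floor."""
    hardware = prod(events[n]["p"] for n in cutset if not events[n]["human"])
    heps = [
        events[n]["p95"] if use_p95 else events[n]["p"]
        for n in cutset
        if events[n]["human"]
    ]
    joint = prod(heps)  # prod([]) is 1.0 when the cutset has no human action
    # Assumption: the floor bounds the combined HEP only when two or more
    # human actions appear in the same cutset.
    if floor is not None and len(heps) > 1:
        joint = max(joint, floor)
    return hardware * joint


def total_frequency(cutsets, events, **kwargs):
    """Rare-event approximation: sum of the individual cutset frequencies."""
    return sum(cutset_value(c, events, **kwargs) for c in cutsets)


def fussell_vesely(event, cutsets, events, **kwargs):
    """Fraction of the total carried by cutsets that contain `event`."""
    total = total_frequency(cutsets, events, **kwargs)
    with_event = sum(
        cutset_value(c, events, **kwargs) for c in cutsets if event in c
    )
    return with_event / total


def hep_sensitivity_factor(cutsets, events):
    """Ratio of the total with all HEPs at p95 to the base-case total."""
    base = total_frequency(cutsets, events)
    high = total_frequency(cutsets, events, use_p95=True)
    return high / base


if __name__ == "__main__":
    print(f"total with floor:    {total_frequency(CUTSETS, EVENTS):.3e}")
    print(f"total without floor: {total_frequency(CUTSETS, EVENTS, floor=None):.3e}")
    for name in EVENTS:
        if name != "IE-TRANSIENT":
            print(f"FV({name}) = {fussell_vesely(name, CUTSETS, EVENTS):.3f}")
    print(f"HEP p95 factor: {hep_sensitivity_factor(CUTSETS, EVENTS):.2f}")
```

In this constructed model the floor raises the two-action cutset by a factor of five, which is why that cutset, and the operator action it shares with another cutset, carries more importance than the raw product of the two probabilities would suggest.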
The staff's evaluation, as described throughout this chapter, verified that the key assumptions are appropriate for the level of information available in the SDAA.

19.1.4.4.10 Conclusion

Based on the staff's review of the initiating events, success criteria, passive system safety reliability, accident sequence analysis, systems analysis, HRA, data analysis, and quantification and risk insights discussed above, the applicant's Level 1 internal events PRA for operations at power is acceptable for an SDAA because it is consistent with SRP Section 19.0 and DC/COL-ISG-028.

Level 2 Internal Events Probabilistic Risk Assessment for Operations at Power

The staff evaluated FSAR Section 19.1.4.2, "Level 2 Internal Events Probabilistic Risk Assessment for Operations at Power," for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.5.1 Methodology

In FSAR Section 19.1.4.2.1.1, "Methodology," the applicant described the methodology used for the Level 2 PRA. The applicant stated that the design and operating characteristics of an NPM are such that multiple plant damage states do not need to be defined to support the PRA evaluation of a large release. The staff reviewed how core damage sequences are grouped into plant damage states and how the accident progression analyses impacted the evaluation of the contributors to a large release. The staff focused on the evaluation of the containment structural capability for those containment challenges that would result in a large release. The applicant did not combine Level 1 core damage sequences into plant damage states (as is done in Level 2 PRAs performed for evolutionary and operating LWRs). Instead, because the Level 1 PRA has only a few end states, the end states were directly transferred to a single containment event tree (CET). The CET characterizes the effect of each sequence for the potential for a radionuclide release. The staff finds the applicant's methodology acceptable for an SDAA because it is technically adequate and consistent with the guidance in SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.5.2 Containment Event Tree

In FSAR Section 19.1.4.2.1.2, "Containment Event Tree," the applicant described the CET used in the Level 2 PRA. The applicant used two CET end states, NR and LR, to model radionuclide release. The end state NR represents a release with intact containment. For this end state, the release is due to allowable leakage as defined by the TS. The end state LR represents a large release with containment failure. The applicant assigned each of these end states to a release category to represent the radionuclide source term.
The applicant stated that it evaluated potential severe accident phenomena referenced in ASME/ANS RA-Sa-2009; SRP Section 19.0; NUREG/CR-2300, "PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," issued January 1983 (ML063560439 and ML063560440); and NUREG/CR-6595, Revision 1, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," issued October 2004 (ML043240040), for applicability to the NuScale design. The applicant stated that the severe accident phenomena that may challenge containment in operating plants are shown by analysis in FSAR Section 19.2, "Severe Accident Evaluation," to not challenge containment integrity. Therefore, the only mode of containment failure the applicant depicted in the CET is containment failure due to bypass or CIV failure. SER Section 19.1.4.4.2 contains the staff's review and evaluation of the modeling of the containment isolation for PRA sequences.

SER Section 6.2.5 gives the staff's review and evaluation of the PAR. In a letter dated November 22, 2024 (ML24327A149), the applicant stated that the analyses demonstrated that the structural integrity of the RPV and CNV are not threatened by the energy produced in a postulated hydrogen combustion. The applicant also described that a loss of the PAR and assumed subsequent containment failure does not lead to (1) core damage or (2) a large release in accident sequences that do not involve core damage. The applicant concluded that the PAR does not impact PRA success criteria and, therefore, is not included in the PRA model.

The staff finds the applicant's CET acceptable for an SDAA because it is sufficiently complete, technically adequate, and consistent with SRP Section 19.0 and DC/COL-ISG-028. SER Section 19.2 describes the staff evaluation of severe accident phenomena.

19.1.4.5.3 Success Criteria

In FSAR Section 19.1.4.2.1.3, "Success Criteria," the applicant discussed the success criteria for the Level 2 PRA. The applicant stated that the Level 2 PRA is bounding in that it does not credit mitigating systems or physical characteristics that are relevant to mitigating a radionuclide release (e.g., deposition on reactor building (RXB) surfaces) or recovery of the containment boundary if it is failed. The staff agrees that not crediting deposition on RXB surfaces and recovery of the containment boundary is a bounding assumption. The applicant further stated that the only mitigating function modeled in the CET is containment isolation. The applicant noted that containment isolation failure and resulting bypass were associated with fault tree modeling for (1) CES containment isolation fails and results in bypass, (2) CVCS containment isolation fails and results in bypass, and (3) SGTF and containment are bypassed.

FSAR Table 19.1-24, "Containment Penetrations," summarizes containment penetrations, the isolation methods, and their treatment in the PRA. From the PRA perspective, containment penetrations are evaluated as (1) piping connections, (2) bolted flange inspection ports, including electrical penetration assemblies, and (3) ECCS trip and reset pilot valve penetrations. The staff audited the fault trees for CES and CVCS isolation functions for completeness and to review the basic event quantification. The staff finds the fault trees to be reasonable to gain risk insights for the uses of the PRA in the SDAA. The impact of weld failures at the junction between the CNV and the CVCS CIVs with no possibility for containment isolation is addressed in SER Section 19.1.4.4.2.
FSAR Table 19.1-28 identifies the weld failure frequency as a key source of PRA Level 2 uncertainty. As discussed in FSAR Section 6.2.6, "Containment Leakage Testing," the CIVs on CNV piping penetrations and the passive containment isolation barriers are designed to permit periodic leakage testing, which ensures that leakage through the CNTS and components does not exceed the allowable leakage rate specified in the TS. Therefore, the staff finds the applicant's approach to the screening of containment penetrations for evaluation in the CET acceptable for an SDAA because it is technically adequate and consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.5.4 Large Release Frequency

In FSAR Section 19.1.4.2.1.4, "Release Categories," the applicant described its approach to demonstrating conformance with the Commission's LRF safety goal. The applicant used an LRF goal of 1x10^-6 large releases per year to demonstrate that the prompt fatality quantitative health objective (QHO) of 5x10^-7 probability of prompt death per year is met. The applicant defined a large release as one causing a 2 sievert (Sv) (200 rem) whole body dose at the site boundary over 96 hours. The staff considers the applicant's definition of a large release to be acceptable.

The applicant used the MELCOR Accident Consequence Code System (MACCS) to calculate the iodine core inventory release fraction that results in an acute 2 Sv (200 rem) whole body dose at the site boundary. The applicant evaluated three types of potential radionuclide releases to the environment: (1) a core damage sequence with containment and reactor pool bypassed, (2) a core damage sequence with leakage of radionuclides through the CNV and reactor pool bypassed, and (3) a release of the full core inventory to the bottom of the reactor pool (bypassing containment). The applicant concluded that a release fraction of 1.4 percent of the iodine core inventory results in an acute 2 Sv whole body dose at the site boundary and used this threshold to distinguish between release categories 1 and 2. Release category 1 represents the release from core damage sequences with successful containment isolation and is associated with the CET end state NR. Release category 2 represents the release from core damage sequences with unsuccessful containment isolation that are not scrubbed by the UHS and is associated with CET end state LR. The applicant stated that the accident sequences in release category 2 are the contributors to LRF and conditional containment failure probability (CCFP).

The staff notes that the risk of prompt fatality given a large release, as defined by the applicant, is low. The applicant's large release definition, together with the LRF goal of 1x10^-6 large releases per year, provides reasonable assurance that the Commission's QHO of 5x10^-7 probability of individual prompt death per year is met. Therefore, the large release definition used by NuScale is consistent with the objectives of the Commission's Safety Goal Policy Statement. SER Section 19.2 documents the staff's review of the containment performance goals.

19.1.4.5.5 Quantification and Risk Insights

In FSAR Section 19.1.4.2.2, "Results from the Level 2 Probabilistic Risk Assessment for Operations at Power," the applicant discussed the results of the Level 2 PRA. The applicant reported the LRF associated with internal events in FSAR Table 19.1-60 and the contribution of each initiator to the LRF in FSAR Table 19.1-16, "Initiating Event Contribution to Risk." The applicant stated that the LRF is several orders of magnitude less than the safety goal and is not dominated by a specific initiating event. The applicant further stated that several initiators contribute to risk, including a variety of transients and LOCAs.
The applicant evaluated the risk significance of SSCs and operator actions using the methodology described in FSAR Section 19.1.4.1.1.9 and reported the results in FSAR Table 19.1-20, "Summary of Candidate Risk-Significant Structures, Systems, and Components." These results identify the MPS as the only candidate risk-significant SSC due to the large release criteria for risk significance for the full power internal events model and do not identify any candidate risk-significant operator actions due to the large release criteria for risk significance. The applicant's determination of candidate risk-significant SSCs and operator actions is acceptable because it uses an acceptable methodology, as discussed in SER Section 19.1.4.4.8, and is consistent with SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.5.6 Conclusion

Based on the above, the staff finds the applicant's Level 2 PRA analyses for internal events to be adequate for demonstrating that the Commission's LRF goal is met and for identifying risk insights.

Level 1 Internal Events Probabilistic Risk Assessment for Low-Power and Shutdown Operations

The staff evaluated the internal events PRA for LPSD operations as described in FSAR Section 19.1.6, "Safety Insights from the Probabilistic Risk Assessment for Other Modes of Operation." The staff reviewed the applicant's LPSD PRA for consistency with SRP Section 19.0, DC/COL-ISG-028, and ANS/ASME-58.22-2014, "Low Power and Shutdown PRA Methodology," which has been issued for trial use. Although the NRC has not endorsed ANS/ASME-58.22-2014, the staff finds the applicant's use of this standard to be reasonable because it is considered the state-of-the-art method available in the industry. The staff reviewed the acceptability of the NuScale LPSD PRA to ensure an appropriate level of confidence in the results and risk insights and that the modeling was adequate to support an evaluation against the Commission's CDF and LRF goals.

19.1.4.6.1 Plant Operating State Analysis

FSAR Section 19.1.6.1, "Description of the Low Power and Shutdown Operations Probabilistic Risk Assessment," and Table 19.1-46, "Plant Operating States for Low Power and Shutdown Probabilistic Risk Assessment," summarize the NuScale refueling process and the plant operating states (POSs) development. POSs define the time intervals within the refueling process during which the plant conditions are assumed constant based on their impact on the accident sequence analysis. Based on the design and the anticipated refueling process, the applicant identified the seven POSs summarized in SER Table 19.1-4.

The staff reviewed how the identified POSs reflect the unique aspects of the NuScale design and its refueling approach. One such unique design feature is the reliance on passive DHR for most of the refueling evolution. By ensuring passive DHR, the design eliminates dependency on active support systems typically relied on by large LWRs. Another notable design feature is that NuScale precludes midloop operation or reduction of primary coolant inventory while fuel is present in the RPV to support steam generator inspection. Therefore, consistent with the design, a POS is not identified for reduced inventory operations.
The decay heat during POSs 2, 3, 4, and 5 is removed passively either through the flooded CNV to the UHS or directly to the UHS. POS 3 accounts for the transportation of the reactor module with the reactor core from the operating bay to the refueling area and back to the operating bay. During POSs 1, 6, and 7, the configuration of the module is similar to normal operation, and initiating events considered for full power are applicable to LPSD. The staff reviewed the systems assumed to be available during each POS. POSs 1 and 6 correspond to TS Mode 2 or 3 (i.e., hot shutdown or safe shutdown), and POS 7 corresponds to TS Mode 1 (i.e., operations). For POS 7, systems credited in the full-power PRA are nominally available, with the only difference in configuration being that the turbine is bypassed. In POSs 1 and 6, systems assumed to be available during at-power conditions (e.g., the DHRS, ECCS, CNTS, CVCS, and CFDS) are also assumed to be available. POS 2 through POS 5 correspond to TS Modes 4 and 5 and span the period with passive cooling either through the flooded CNV to the UHS or directly to the UHS. Therefore, the DHRS, ECCS, CNTS, CVCS, and CFDS are not required to maintain a safe and stable state for POS 2 through POS 5.

Table 19.1-4 Identification of Plant Operating States

| POS | Description | Key Activities | NPM Configuration Exiting POS | Duration (hours) |
|---|---|---|---|---|
| 1 | Shutdown and initial cooling | Normal secondary cooling through the turbine bypass until CNV can be flooded. LTOP is enabled when RCS temp. < 290°F. LTOP assumed in service entire duration of POS | CNV flood complete | 6.0 |
| 2 | Cooling through containment | Passive cooling through flooded CNV. RBC connected to NPM lift points | NPM lifted by RBC | 41.5 |
| 3 | Transport NPM to refueling pool via RBC | Core in RPV lower head remains in the refueling pool | Upper CNV head and upper RPV head moved to dry dock | 6.0 |
| 3 | Transport NPM back to operating bay via RBC | | NPM placed in operating bay (occurs after POS 4) | 3.0 |
| 4 | Disassembly, refueling, reassembly | Fuel moves, steam generator inspection, RPV inspection | Upper CNV head and upper RPV head moved out of dry dock | 132.5 |
| 5 | NPM reconnection | Piping and power connections restored. RRVs and RVVs closed. CVCS initiated | CNV drain begins | 40.5 |
| 6 | Heatup | Systems credited in full-power PRA available | Control rods withdrawn to criticality | 15.0 |
| 7 | Low-power operation | Systems credited in full-power PRA available | Turbine synchronized with grid | 1.0 |
| Total | | | | 245.5 |

The POS analysis is based on the nominal refueling procedure because there is no refueling operating experience. Because an as-built, as-operated plant is not available, there are potential uncertainties that were not accounted for in the POS analysis. However, the staff finds that the applicant identified and defined a sufficient set of POSs to support the identification of risk-significant accident scenarios for the uses of PRA in the SDAA.

19.1.4.6.2 Initiating Event Analysis

FSAR Section 19.1.6.1.2, "Low Power and Shutdown Initiating Events," describes the LPSD internal initiating events analysis. The applicant first determined which at-power initiating events are applicable during each POS.
The applicant then reviewed the operating experience database (EPRI TR-1021167, "An Analysis of Loss of Decay Heat Removal and Loss of Inventory Event Trends (1990-2009)," issued December 2010) for events that have occurred during LPSD evolutions that may apply to the NuScale design. Finally, the applicant evaluated potential NuScale design-specific initiating events.

FSAR Table 19.1-47, "Applicability of Internal Initiating Events to Low Power and Shutdown Probabilistic Risk Assessment," summarizes the full-power initiating events and their applicability during LPSD to the seven POSs. The applicant assumed that all 11 at-power initiating events are applicable during POSs 1, 6, and 7. Because the configuration of the reactor module and the available systems during these POSs are essentially the same as those during at-power conditions, this is a reasonable assumption.

The applicant assumed that once the CNV is flooded and passive cooling is in place (i.e., POS 2 through POS 5), most of the at-power initiating events can be screened out. The applicant retained the CVCS injection line break outside containment and the CVCS discharge line break outside containment for POS 2 and POS 5, as the CVCS lines are unisolated and part of the RCS boundary for some portions of these POSs. In these POSs, the ECCS valves are also closed. For the at-power initiating events that were screened out for POS 2 through POS 5, the staff considered the decay heat level and the availability of passive cooling through the flooded CNV. Indefinite stable cooling can be achieved without safety system actuations for these POSs as adequate DHR and water inventory are maintained. Since at-power initiating events, except for CVCS line breaks outside containment, are unlikely to challenge passive cooling, the staff finds it acceptable that they are screened out of POS 2 through POS 5.

Low-temperature overpressure (LTOP) events were screened from the PRA. TS 3.4.10, "Low Temperature Overpressure Protection (LTOP) Valves," requires that each closed RVV shall be operable in Mode 3 when the wide range RCS cold temperature is below the T-1 interlock.
The RVVs provide LTOP protection as referenced in FSAR Table 5.2-5, "Low Temperature Overpressure Protection Pressure Setpoint as Function of Cold Temperature." To prevent LTOP actuation, as discussed in FSAR Section 5.2.2, "Overpressure Protection," TS also require automatic isolation of the CVCS injection line on high pressurizer water level in safe shutdown to preclude pressurizer water solid conditions, as referenced in US460 SDA Part 4, "Generic Technical Specifications," Table 3.3.1-1, "Module Protection System (MPS) Instrumentation."

The RVV LTOP actuation setpoints are different from those in the NuScale US600 DCA. The LTOP setpoint in the SDA is 1,750 pounds per square inch absolute (psia) at 79°C (175°F) compared to the LTOP setpoint in the DCA of 380 psia at 175°F. The staff understands that when LTOP is required, the CNV is being flooded in preparation for the module to be moved. When considering if LTOP were to actuate at 1,750 psia into the CNV that is being filled with water, the staff questioned whether the CNV could be overpressurized. Regarding the potential for overpressurization of the CNV following an LTOP actuation, FSAR Section 9.3.7.2.1, "System Operation," states the following:

    During normal flooding operation, when the water level in the containment reaches the target level, the running CFDS pump stops automatically and the applicable CFDS interface valve closes automatically, ensuring containment does not overfill and open volume is maintained in the CNV.

The staff finds that the applicant sufficiently addressed overpressurization of the CNV following a postulated LTOP actuation.

19.1.4.6.2.1 Reactor Building Crane Failure Resulting in Postulated Module Drop

Based on information in FSAR Table 19.1-60, module drop (i.e., drop of a module that is being moved for refueling) contributes over 34 percent of the total NuScale US460 SDA CDF results. During the staff's audit of the reactor building crane (RBC) PRA, the staff confirmed that operator errors leading to module drop (e.g., load hangup, mis-spooling) are negligible contributors to the module drop probability because of the highly redundant RBC control system (based on NuScale's letter dated August 2, 2024 (ML24215A218; ML24215A219 nonpublic)). The digital RBC control system is a new design feature in the US460 SDA. The RBC control system supports automated operation and protection of the RBC and minimizes the contribution of operator errors of commission. As a result of the RBC control system, redundant load path failures (i.e., catastrophic gear box and wire rope failures) are the dominant contributors to module drop.

Reactor Building Crane Control System

The RBC control system uses a digital control system based on a single programmable logic controller for control, operation, and monitoring. As described in FSAR Section 9.1.5.5, "Instrumentation and Control," the control system uses limit switches to prevent overtravel. The digital control system uses position feedback devices such as motor encoders, cameras, and laser measurement devices. Devices such as load cells and inclinometers control load sensing and handling. Software interlocks prevent collisions with other SSCs and operation outside of the equipment design capabilities. Zone controls provide speed, hoist load positioning, and load control.
As documented in the applicant's response to an audit question (ML24215A218; ML24215A219 nonpublic), the RBC components and the control system are designed to be fail-safe, and hardware and software-related boundaries and restrictions on RBC travel defend against travel-related errors of commission and prevent load drops by stopping crane motion and setting brakes (fail-safe design feature). The RBC control system has two functional parts. The first is the fail-safe protection function, which uses sensor feedback, limit switches, and interlocks to maintain the RBC within travel boundaries and secure the load in response to an upset (e.g., overtravel). The second function is the control automation, which supports automated motion of the RBC.

The RBC digital control system and associated embedded digital devices are developed in accordance with NuScale's digital instrumentation and control (I&C) development life cycle commensurate with its assigned software integrity level (SIL). The RBC digital control system is classified as non-safety related, risk significant, and SIL3. Because of the risk significance of the RBC control system, this system is developed in accordance with the digital I&C software quality assurance plan described in FSAR Section 7.2.1, "Quality," and evaluated in SER Section 7.2. Applicable industry standards are applied throughout the RBC control system development life cycle. The software verification and validation (V&V) plan, based on Institute of Electrical and Electronics Engineers (IEEE), "IEEE Standard for Software Verification and Validation," IEEE Std 1012-2004 (issued 2005) as endorsed by RG 1.168, Revision 2, "Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," issued July 2013 (ML13073A210), outlines the V&V activities performed during each phase of the RBC control system development life cycle.
The RBC power cabinet and control cabinet are classified as B1 in FSAR Table 17.4-1. The staff finds the PRA modeling of the RBC and the RBC control system to be acceptable for the SDA because it is technically adequate and consistent with SRP Section 19.0.

19.1.4.6.3 Success Criteria, Accident Sequences, and Systems Analyses

The staff reviewed the applicant's success criteria supporting the LPSD PRA. For the at-power accident sequences applicable to LPSD conditions, the applicant assumed that the success criteria developed for at-power conditions apply. These include the sequences resulting from the 11 at-power initiating events for POSs 1, 6, and 7, and the two CVCS line breaks outside containment for POSs 2 and 5. For these cases, the assumed availability of systems is the same for the LPSD conditions as that assumed for at-power conditions. The decay heat levels for all POSs will be lower than those at power because the module will be in shutdown or operating at lower power at the time of the initiating event. Therefore, the use of at-power success criteria and the assumed availability of systems for the LPSD scenarios are acceptable.

For POS 3, module drop events are explicitly modeled. The applicant assumed that core damage occurs if a dropped module results in a horizontal configuration as the result of inadequate coolant inventory to keep the fuel covered. The staff finds that this approach is appropriate given the uncertainty in the calculation of fuel heatup in this configuration.

FSAR Section 19.1.6.1.3, "Low Power and Shutdown Accident Sequence Determination," describes the accident sequence analysis for LPSD conditions. The applicant assumed for POSs 1, 6, and 7, where at-power initiating events are assumed to apply, that the at-power event trees are also applicable. The staff finds this acceptable as the at-power success criteria and assumed availability of systems for the LPSD scenarios are acceptable as described above.

The staff reviewed the systems analysis supporting the LPSD PRA. When the systems are credited to respond to initiating events, the LPSD PRA uses the system fault trees from the at-power PRA.
Because the at-power success criteria, assumed availability of systems, accident sequence determination, and system fault trees are used for the LPSD PRA, the staff finds the systems analysis for LPSD acceptable for the SDA because it is technically adequate and consistent with SRP Section 19.0. 19.1.4.6.4 Human Reliability Analysis The staff reviewed the potential operator actions that may be important during LPSD conditions. As discussed in SER Section 19.1.4.6.1, the module configuration during POSs 1, 6, and 7 is similar to at-power conditions in terms of the available systems (e.g., DHRS, ECCS, CVCS, CFDS) and expected module response to initiating events. Therefore, the staff finds that the HRA performed for at-power conditions remains applicable for these LPSD POSs. Core cooling and DHR during POSs 2 and 4 are accomplished passively either through the flooded CNV to the UHS or directly to the UHS. With passive core cooling and heat removal in place, the staff finds that additional HRA is not necessary for these POSs. POS 3 accounts for the transportation of the reactor module, including the reactor core, between the operating bay and the refueling area. As described in SER Section 19.1.4.6.2.1, the staff audited the PRA modeling of the RBC and the RBC control system, which estimates the module drop probability during POS 3. The RBC is designed to ASME NOG-1-2020, Rules for Construction of Overhead and Gantry Cranes. As documented in the RBC PRA, the calculated drop probability is dominated by catastrophic failure of load-bearing components rather than operator errors due to the highly redundant RBC control system as discussed above.

19.1.4.6.5 Data Analysis

The staff reviewed the data used to support the LPSD PRA. The applicant adjusted the initiating event frequencies to account for the duration of each POS. For the component failure probabilities, the applicant assumed that the data analysis performed for the at-power PRA is applicable. SER Section 19.1.4.6.3 discusses the failure probability assigned to the RBC for POSs with the potential for module drop accidents. Because the LPSD analysis includes no additional systems and components, and the at-power initiating event analysis, success criteria, accident sequences, and systems analysis are used for the LPSD PRA, the staff finds that applying the at-power PRA data, discussed in SER Section 19.1.4.4.7, to the LPSD PRA is reasonable.

19.1.4.6.6 Quantification and Risk Insights

The staff reviewed the LPSD PRA quantification described in FSAR Section 19.1.6.1.6, "Low Power and Shutdown Quantification." Consistent with the at-power PRA, the applicant used the SAPHIRE code to perform the PRA quantification. The applicant identified the significant contributors to CDF, including initiating events, accident sequences, and basic events. The staff finds that the quantification process used an appropriate truncation that demonstrated acceptable convergence of the CDF. The applicant reported a very low numerical value for the CDF based on the LPSD PRA. LPSD core damage sequences aside from the module drop sequences are extremely small contributors (<0.1 percent) to the NuScale total CDF. As discussed in SER Section 19.1.4.4.8, the staff finds that the uncertainty in the CDF could be larger than indicated at this SDA stage; however, even with greater uncertainty, there is margin to the Commission's CDF and LRF goals.

The PRA results and insights rely on key assumptions to account for the incomplete design and operational details. FSAR Table 19.1-21 lists the key assumptions for the PRA. These key assumptions need to be appropriately evaluated and dispositioned during the COL stage to ensure that the PRA results and insights remain valid. As discussed in SER Section 19.1.4.4.9, the applicant identified COL Information Item 19.1-8 for this purpose. The staff finds that the quantification and the identification of risk insights are consistent with SRP Section 19.0.

19.1.4.6.7 Conclusion

The at-power initiating events, success criteria, accident sequences, and accident analysis, HRA, data analysis, and quantification methods were used as applicable to evaluate the LPSD conditions for POSs 1, 2, 5, 6, and 7 consistent with SRP Section 19.0. The staff finds the PRA modeling of the RBC and the RBC control system, which evaluates the module drop probability during module movement in POS 3, to be technically adequate for this SDAA. The applicant's LPSD risk results are within the Commission's CDF and LRF goals. Thus, the staff finds the Level 1 internal events PRA for LPSD operations acceptable.

Level 2 Internal Events Probabilistic Risk Assessment for Low-Power Shutdown Operations

The staff evaluated FSAR Section 19.1.6 for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028.

19.1.4.7.1 Methodology

The staff evaluated the definitions of LPSD POSs and the end states from the Level 1 analysis. The staff then reviewed how the contributors to a large release were evaluated in the accident progression analyses. The LPSD Level 2 analysis was performed for each applicable combination of LPSD initiating event provided in FSAR Table 19.1-49, "Low Power and Shutdown Initiator Frequencies," and POS listed in FSAR Table 19.1-47. SER Section 19.1.4.5 details the evaluation of the Level 2 PRA modeling for operations at power. Table 19.1-49 provides one LPSD initiating event, RBC failure and module drop, which is not considered in the internal events at-power PRA but is applicable to POS 3.

The applicant addressed the consequences of the RBC failure and module drop event in FSAR Section 19.1.6.1.3. The applicant stated that no core damage occurs if the NPM remains upright. The applicant further stated that core damage is assumed to occur if the NPM falls over, and the sequence is assigned the end state core damage-module drop (CD-MD). The applicant evaluated this accident sequence assuming that the CNV is damaged in a manner that provides a radionuclide release path but does not allow inflow of water that would prevent core damage. The staff finds this assumption reasonable because it provides a bounding accident scenario.

The applicant concluded that the offsite dose consequences of core damage in a horizontal NPM with a damaged CNV results in a radionuclide release that is a fraction of that associated with a large release. The applicant stated that the radionuclide release is limited because of the scrubbing effect of the reactor pool. The applicant also evaluated the potential radionuclide release from mechanical damage to fuel during transport operations, assuming an instantaneous release of 100 percent of the fission product gases in the fuel-cladding gap. The applicant concluded that the consequences from this accident sequence are bounded by the results of the dropped module with core damage evaluation.

The applicant discussed the results of the dropped module with core damage evaluation for the US600 design in DCA Part 2, Tier 2, Section 19.1.6, "Safety Insights from the Probabilistic Risk Assessment for Other Modes of Operation." In a letter dated December 11, 2024 (ML24346A320), the applicant described the results of the dropped module with core damage evaluation for the US460 design. The staff evaluation of the dropped module with core damage in DCA final safety evaluation report Section 19.1.4.7, "Level 2 Internal Events Probabilistic Risk Assessment for Low-Power Shutdown Operations," concluded that a module drop is not expected to result in a large release. The applicant compared the US460 and US600 designs and identified four relevant changes: (1) the core power is increased, (2) the number of RVVs is decreased, (3) the reactor pool depth is reduced, and (4) ((

}}. The applicant identified that other key aspects are unchanged; namely, (1) the NPM is sealed and penetrations are secured at the time of drop, (2) the NPM comes to rest in the same orientation on the reactor pool floor, and (3) a portion of the core lies above the water line. The applicant concluded that a module drop event does not result in a large release.

The staff reviewed its previous evaluation in DCA final safety evaluation report Section 19.1.4.7 and the applicant's comparison of the US460 and US600 designs and finds that the conclusion that a module drop is not expected to result in a large release remains valid for the US460 design.

19.1.4.7.2 Quantification and Results

In FSAR Section 19.1.6.2, "Results from the Low Power and Shutdown Operations Probabilistic Risk Assessment," the applicant discussed the results of the LPSD Level 2 PRA. The applicant reported the LRF associated with LPSD operations in FSAR Table 19.1-60. The applicant stated that the dominant contributors to LRF are sequences in POS 1 and POS 6 initiated by either a loss of support systems transient or a LOOP, which contains failure of the backup power supply system, DHRS, and ECCS.

The applicant evaluated the risk significance of SSCs and operator actions using the methodology described in FSAR Section 19.1.4.1.1.9 and reported the results in FSAR Table 19.1-20. Based on these results, only the MPS is identified as a candidate risk-significant SSC because of the large release criteria for risk significance for the LPSD model. No operator actions were identified as risk significant because of the large release criteria for risk significance.

The staff reviewed the risk insights and assumptions documented in FSAR Table 19.1-21 and FSAR Section 19.1.7.4, "Insights Regarding Low Power and Shutdown for Multi-Module Operation," relevant to module movement and potential impacts of module drop. In a letter dated December 11, 2024 (ML24346A322), the applicant stated that the refueling and outage plan for the US460 design does not involve pressurization of the NPM before NPM transport. ((

}}. The applicant stated that, at this water level, there is no risk of releasing noncondensable gas into the refueling pool, but the pressurizer heater terminal could become submerged. The applicant stated that submerging the pressurizer heater terminal is acceptable because it is qualified for submergence. The staff finds that the list of insights regarding multi-module operation is reasonable.

The staff finds that the applicant's calculated LRF caused by internal events for a module during LPSD conditions is significantly below the Commission's LRF goal of 1×10⁻⁶ per year. The staff finds that the applicant's LPSD Level 2 PRA analyses adequately demonstrate that the Commission's LRF goal is met and identify risk insights for an SDAA.

19.1.4.7.3 Conclusion

The staff finds that the applicant's Level 2 internal events PRA for LPSD, risk insights, and results are acceptable and consistent with relevant portions of SRP Section 19.0 and RG 1.200.

External Events Probabilistic Risk Assessment for Operations at Power and Low-Power Shutdown

19.1.4.8.1 Seismic Risk Evaluation

FSAR Section 19.1.5.1, "Seismic Risk Evaluation," describes the PRA-based SMA for operations at power. SECY-93-087 and the associated SRM indicate that, for seismic events, a plant designed to withstand a 0.5g peak ground acceleration (PGA) safe-shutdown earthquake (SSE) should have a plant-level high confidence of low probability of failure (HCLPF) capacity of at least 1.67 times the PGA of the SSE (i.e., 0.84g). The applicant performed the PRA-based SMA based on logic models developed by modifying the design-specific PRA models for internal events to include logic important in considering seismic failures. The applicant determined accident sequences important to the evaluation of seismic margin using event trees and fault trees that included the seismic fragility data for each SSC and failure probabilities for random nonseismic events.

The staff reviewed the PRA-based SMA following the guidance in SECY-93-087 and its associated SRM; SRP Section 19.0; and Part 5, "Requirements for Seismic Events At-Power PRA," of ASME/ANS RA-Sa-2009 for the design stage, consistent with DC/COL-ISG-028. In general, the PRA-based SMA presents significant seismic vulnerabilities and insights to demonstrate the robustness of a standard design. In this context, the staff review focused on the framework for assessing potential significant failures induced by seismic events. The staff assessed the scope of the applicant's PRA-based SMA to ensure that the analysis addressed all applicable accident sequences and all plant operating modes.

19.1.4.8.1.1 Evaluation of Seismic Input Spectrum

FSAR Section 19.1.5.1.1, "Description of the Seismic Risk Evaluation," describes the seismic input spectrum. The staff reviewed the definition of the review-level earthquake, which is defined relative to the certified seismic design response spectra (CSDRS), as shown in FSAR Figure 3.7.1-1, "NuScale Horizontal Certified Seismic Design Response Spectra at 5 Percent Damping," and the SSC fragility, which is referenced to the PGA of the CSDRS. The staff finds that the seismic input spectrum for the PRA-based SMA is acceptable on the basis that the seismic fragility calculation uses the response spectrum shape defined as the SDAA's CSDRS, consistent with SRP Section 19.0.

19.1.4.8.1.2 Seismic Fragility Evaluation

The staff review of the seismic fragility evaluation focused on the methodology used to select the structural failures, the methodologies used to calculate the seismic fragility for SSCs, and the assumptions made in determining the controlling structural failure modes. The structural failures modeled are those structures that are directly in contact with the module, directly connected to the module interface, or located above the module. A separate fragility analysis was performed for each of the structures and valves in FSAR Table 19.1-32, "Seismic Margin Assessment Fragility," including the RBC and RBC supports, bioshield, RXB, NPM supports, and valves (RRVs, RVVs, CIVs, RSVs, trip valves for RRVs, and trip valves for RVVs). The SSCs evaluated for the fragility analysis include SSCs that contribute to the seismic margin and those that do not.

Regarding the methodology used for SSCs that contribute to the seismic margin, the applicant evaluated their fragilities using the separation of variables method, as described in EPRI 103959, "Methodology for Developing Seismic Fragilities," issued June 1994, and endorsed by the staff in SRP Section 19.0, as an acceptable method for determining seismic fragility. For the SSCs that do not contribute to the seismic margin, the applicant evaluated their fragilities using the conservative deterministic failure margin method or by using generic fragilities. In SRP Section 19.0, the staff endorses the conservative deterministic failure margin method as described in EPRI-NP-6041, "A Methodology for Assessment of Nuclear Power Plant Seismic Margin," issued August 1991, as an acceptable method for determining seismic fragility. The applicant stated that the use of generic fragilities is conservative for component capacity and included an assumption in FSAR Table 19.1-21 that fragility parameters acquired from generic sources are applicable to the NuScale design, which is to be verified in accordance with COL Item 19.1-8. This methodology is acceptable to the staff because the results are conservative, the COL applicant will verify the applicability of the generic data, and no SSCs evaluated using generic data contribute to the seismic margin.

The staff audited a sample of the fragility calculations for SSCs that contribute to the seismic margin, including the RBC, RBC supports, bioshield (in normal and refueling operation), NPM supports, the RXB (including the roof, basemat, bay walls, pool walls, and exterior walls), and the valves (RRVs, RVVs, CIVs, RSVs, trip valves for RRVs, and trip valves for RVVs), and verified that FSAR Table 19.1-21 includes appropriate assumptions. The staff also verified that the supporting calculations demonstrate that the controlling failure mode for the RBC supports is failure of the weld connection between the stiffener top plate and a steel-plate composite wall, and the controlling failure mode for the RXB is in-plane shear failure of the RXB roof. The staff verified the results of the seismic fragility evaluation presented in FSAR Table 19.1-32, which includes the median capacity, uncertainty parameters, HCLPF capacity, controlling failure mode, assumed consequence, and seismic correlation class for SSCs that contribute to the seismic margin. During the audit, the staff verified that no SSCs with HCLPF capacities less than 0.84g PGA contribute to the seismic margin.

The staff reviewed the component boundaries because several components (i.e., RSVs and trip valves for RRVs and RVVs) listed in FSAR Table 19.1-32 have HCLPF capacities significantly higher than 0.84g PGA. As stated in FSAR Section 19.1.5.1.1.1, "Seismic Analysis Methodology and Approach," these boundaries cover all seismically induced failure mechanisms, including anchorage failures and structural collapse affecting component functions. The defined component boundaries are acceptable to the staff; however, sufficient basis does not exist to verify these HCLPFs without as-built plant information and the results of a seismic walkdown. Therefore, although the staff cannot evaluate the adequacy of individual components listed in FSAR Table 19.1-32, based on the available seismic margins, the staff is able to find that the plant-level HCLPF capacity meets the Commission's policy statement in SECY-93-087.

The staff reviewed the assumption in FSAR Table 19.1-21 that seismic Category I structures meet the seismic margin requirement of 1.67 times the CSDRS for site-specific seismic hazards, including sliding and overturning. The staff reviewed the results of the analysis in FSAR Section 3.8.5, "Foundations." The analysis results indicate negligible RXB sliding displacements as the result of the design-basis earthquake of 0.5g. SER Section 3.8.5 documents the staff's evaluation of this analysis. Based on the above information, the staff concludes that it is reasonable to assume that the seismic Category I structures meet the seismic margin of 1.67 times the CSDRS for seismic-induced sliding and overturning. Additionally, COL Item 19.1-8 specifies that the COL applicant is to confirm the validity of key assumptions.

For the LPSD PRA-based SMA, the staff reviewed FSAR Section 19.1.6.3, "Safety Insights from the External Events Probabilistic Risk Assessment for Low Power and Shutdown Operation," to determine whether any additional SSCs should be included beyond those considered for the at-power PRA-based SMA. For seismic events, the only potential risk to an NPM during LPSD is during the transport phase before and after refueling, when the RBC is bearing the load of the NPM. Based on the staff's review of the LPSD internal events PRA, the staff concludes no additional SSCs need to be included in the LPSD PRA-based SMA. Section 19.1.4.6 of the SER addresses POSs when the RBC is bearing the load of the NPM.

19.1.4.8.1.3 Evaluation of Systems and Accident Sequence Analysis

FSAR Section 19.1.5.1.1.2, "Systems and Accident Sequence Analysis," summarizes the applicant's method for performing the systems and accident sequence analysis. The staff compared this method against the Commission's expectations described in SECY-93-087 and the associated SRM and finds that the applicant's method meets the expectations in those documents. The applicant included all SSCs modeled in the internal events PRA and additional seismic-specific SSCs, such as structures, in the PRA-based SMA. The seismic fragility analysis detailed above supports the determination of sequence-level and plant-level HCLPF capacities.

The staff's review of FSAR Section 19.1.5.1.1.2, "Systems and Accident Sequence Analysis," and the applicant's February 16, 2024, letter (ML24047A252; ML24047A253 nonpublic) determined that the applicant used the MIN-MAX method to calculate the sequence-level and plant-level HCLPF capacities.
Use of the MIN-MAX method follows the guidance in SRP Section 19.0 and is acceptable to the staff. In developing sequence-level HCLPF capacities, the applicant used a screening process to eliminate cutsets when the combined probability of random failures was less than 0.01. The staff finds this approach acceptable because, by definition, the HCLPF capacity is the seismic capacity of an SSC described in terms of a specified ground motion parameter corresponding to a 1 percent probability of unacceptable performance of the mean fragility curve, and cutsets having the product of random failure probabilities of less than 0.01 will have a total failure probability of less than 0.01, regardless of the probability associated with the seismic failure. In contrast, all cutsets were considered for the evaluation of seismic risk insights. Because the determination of risk insights did not screen cutsets from consideration, the risk insights are acceptable to the staff.

In developing risk insights, the applicant generated cutsets for 14 seismic event trees. The underlying logic for each event tree is identical; however, each event tree represents a different ground motion acceleration. The staff finds that segmenting the seismic hazard into 14 intervals is a typical and acceptable approach to quantifying the seismic risk as described in EPRI 1002989, "Seismic Probabilistic Risk Assessment Implementation Guide," issued 2009. The use of multiple ground motion intervals provides insights into the relative contributions of both seismic and random failures at different ground motions.
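The MIN-MAX calculation and the 0.01 random-failure screening described above can be sketched as follows. This is an added example, not the applicant's or the staff's calculation: the SSC identifiers, fragility parameters, and cutsets are constructed for illustration, and the code assumes lognormal fragilities and independent failures.

```python
import math
from dataclasses import dataclass

Z_ONE_PERCENT = 2.326          # standard normal deviate for a 1 percent probability
SCREEN_THRESHOLD = 0.01        # cutsets with a random-failure product below this are screened
REQUIRED_HCLPF_G = 1.67 * 0.5  # 1.67 x 0.5g SSE PGA (the page rounds this to 0.84g)


@dataclass(frozen=True)
class Fragility:
    median_g: float  # median capacity, g PGA
    beta_r: float    # randomness (log standard deviation)
    beta_u: float    # uncertainty (log standard deviation)

    @property
    def beta_c(self) -> float:
        # Composite variability of the mean fragility curve.
        return math.hypot(self.beta_r, self.beta_u)

    @property
    def hclpf_g(self) -> float:
        # Ground motion at 1 percent failure probability on the mean curve.
        return self.median_g * math.exp(-Z_ONE_PERCENT * self.beta_c)


@dataclass(frozen=True)
class Cutset:
    seismic: tuple      # IDs of seismically failed SSCs (all must fail)
    random: tuple = ()  # probabilities of random, nonseismic failures


def mean_fragility(frag: Fragility, pga_g: float) -> float:
    """Failure probability of one SSC at a given PGA (lognormal mean curve)."""
    z = math.log(pga_g / frag.median_g) / frag.beta_c
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def cutset_probability(cutset: Cutset, frags: dict, pga_g: float) -> float:
    """Cutset probability at a PGA, treating all events as independent (assumption)."""
    p = math.prod(cutset.random)
    for name in cutset.seismic:
        p *= mean_fragility(frags[name], pga_g)
    return p


def sequence_hclpf(cutsets, frags: dict, screen: bool = True) -> float:
    """MIN over cutsets of the MAX seismic HCLPF inside each cutset."""
    capacities = []
    for cs in cutsets:
        if not cs.seismic:
            continue  # purely random cutset: no seismic capacity to report
        if screen and math.prod(cs.random) < SCREEN_THRESHOLD:
            continue  # can never reach 1 percent failure probability
        capacities.append(max(frags[n].hclpf_g for n in cs.seismic))
    return min(capacities) if capacities else math.inf


def plant_hclpf(sequences: dict, frags: dict, screen: bool = True) -> float:
    """Plant-level HCLPF is the lowest sequence-level HCLPF."""
    return min(sequence_hclpf(cs, frags, screen) for cs in sequences.values())


# Constructed fragility data; hypothetical IDs, not values from FSAR Table 19.1-32.
FRAGILITIES = {
    "STRUCT-1": Fragility(2.6, 0.25, 0.30),
    "CRANE-1": Fragility(2.4, 0.24, 0.32),
    "VALVE-1": Fragility(1.5, 0.30, 0.40),
    "VALVE-2": Fragility(4.0, 0.30, 0.40),
}
SCREENED_CUTSET = Cutset(("VALVE-1",), (0.005,))  # random product < 0.01
SEQUENCES = {
    "SEQ-1": [Cutset(("STRUCT-1",)), Cutset(("VALVE-1", "VALVE-2")), SCREENED_CUTSET],
    "SEQ-2": [Cutset(("CRANE-1",)), Cutset(("VALVE-2",), (0.2, 0.1))],
}

if __name__ == "__main__":
    for name, cutsets in SEQUENCES.items():
        print(f"{name}: HCLPF = {sequence_hclpf(cutsets, FRAGILITIES):.3f}g")
    plant = plant_hclpf(SEQUENCES, FRAGILITIES)
    print(f"plant: HCLPF = {plant:.3f}g, margin met: {plant >= REQUIRED_HCLPF_G}")
```

In this constructed data set the screened cutset contains the weakest component, so the example also shows how much the screening rule can change a sequence-level HCLPF and why its justification (the cutset probability stays below 0.01 at any ground motion) matters.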

The applicant performed a self-assessment of the PRA-based SMA. As part of its regulatory audit (ML24211A089), the staff evaluated the applicant's self-assessment and found it adequately considered the elements in ASME/ANS RA-Sa-2009, Part 5. Therefore, the staff finds that the PRA-based SMA is technically adequate for this SDAA.

19.1.4.8.1.4 Insights

The applicant described the insights gained from the PRA-based SMA in FSAR Section 19.1.5.1.2, "Results from the Seismic Risk Evaluation." To gather these insights, the applicant examined risk-significant accident sequences, structural failure events, component failure modes, and operator actions. Reporting risk insights from the PRA-based SMA adequately addresses the Commission's objective that significant seismic vulnerabilities and other important insights be captured in the PRA-based SMA, as discussed in SECY-93-087 and the associated SRM.

19.1.4.8.1.5 Conclusion

Based on the above evaluation, the staff finds that the NuScale design satisfies the expectation of SECY-93-087 and its associated SRM regarding the plant-level HCLPF capacity, which is sufficient to demonstrate adequate seismic margin for an SDAA. Therefore, the staff concludes that the NuScale PRA-based SMA is acceptable and consistent with SRP Section 19.0.

19.1.4.8.2 Internal Fires Risk Evaluation

FSAR Section 19.1.5.2, "Internal Fires Risk Evaluation," describes the internal fire probabilistic risk assessment (FPRA). The staff evaluated the internal FPRA for at-power operations for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028. The staff evaluated the qualitative assessment of risk from internal fires during LPSD as described at the end of this section.

The applicant's FPRA addressed the technical elements in ASME/ANS RA-Sa-2009, such as component selection, fire scenario analysis, fire ignition frequency, and fire risk quantification. The staff reviewed the extent to which the applicant's FPRA information is consistent with the applicable approaches described in NUREG/CR-6850, "EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities," issued September 2005. The applicant either did not perform certain tasks or used simpler analyses than those suggested in NUREG/CR-6850. The staff finds this acceptable because certain design details (e.g., specifics of cable routing, ignition sources, and target locations) are unknown at the SDAA stage. The staff focused its review on the reasonableness of assumptions used in the FPRA to address these incomplete aspects of the design and operating procedures.

19.1.4.8.2.1 Fire Probabilistic Risk Assessment Component Selection

The staff reviewed the applicant's selection of components included in the FPRA. The staff confirmed that the FPRA uses the same systems and accident sequence models as the internal events PRA. The applicant used the information from the post-fire safe-shutdown analysis presented in FSAR Appendix 9A, "Fire Hazards Analysis," and multiple spurious operation evaluations to identify components to include in the FPRA model. The staff noted that the instrumentation required to perform operator actions is preliminary at this stage. The staff confirmed that the FPRA assumes that instrumentation is available for operator actions when the equipment (e.g., pumps, valves) required to perform the actions is available.

19.1.4.8.2.2 Fire-Induced Failures

The staff reviewed how the FPRA model accounted for the ability of equipment that may be affected by a fire to perform its intended function. The staff also reviewed a spurious operation induced by a hot short that may either cause a fire-induced initiating event or adversely affect the response of safety systems or operator actions required to respond to a fire.

In lieu of detailed circuit analyses, the applicant assumed that fire damage to cabling can either cause a loss of control of the associated component or a spurious operation of the associated component, depending on the cable material (e.g., fiber optic or copper). The applicant assumed that spurious operation induced by a hot short is not credible in fiber optic cables. Therefore, damage to a fiber optic cable is modeled only as a loss of control of the component controlled by the cable. Fire-induced spurious operation of circuits involving copper cabling is considered credible and is included in the model.

In FSAR Section 19.1.5.2.2, "Results from the Internal Fire Risk Evaluation," the applicant stated that for the ECCS, a spurious actuation is a potential concern because it presents a possibility for an incomplete ECCS actuation; therefore, hot shorts are assumed to cause spurious operation of ECCS valves in one division because separation requirements limit the fire effect to a single division. The staff finds that the applicant included in FSAR Table 19.1-21 this key assumption that redundant divisions of safe-shutdown equipment and cabling are assumed to be appropriately separated to ensure that at least one safe-shutdown train is available following a fire. The PRA does not credit safety-related equipment capability because detailed fire analyses are not performed. The staff finds this approach reasonable and acceptable.

The staff also reviewed the applicant's circuit failure mode analysis in Task 10 of FSAR Section 19.1.5.2.1, "Description of Internal Fire Risk Evaluation," related to the probability of spurious operation occurring. The applicant stated that spurious operation of solenoid-operated valves powered by ungrounded dc supplies has been assigned a probability based on Column 4 of Table 5-2 in NUREG/CR-7150, "Joint Assessment of Cable Damage and Quantification of Effects from Fire (JACQUE-FIRE), Volume 2," issued May 2014 (ML14141A129). This probability is applicable to solenoids that require double-break hot shorts from intra-cable and ground fault equivalent sources. The applicant also stated that if a spurious operation can be withstood for longer than 7 minutes, a mean probability value from Table 6-3 in NUREG/CR-7150 is assigned as the probability for the hot short to persist for longer than 7 minutes. This allows for the possibility that a hot short will clear after it initially occurs. The staff finds this approach reasonable and acceptable for this SDAA.

19.1.4.8.2.3 Fire Scenario Analysis

The staff reviewed the applicant's treatment of the spatial interaction between the ignition sources and the targets. The applicant performed the plant partitioning and identified the fire compartments based on the fire areas as defined in the fire hazards analysis documented in FSAR Chapter 9. At this stage of the design, the specific locations of ignition sources, targets (e.g., cable routing), and intervening combustibles are not fully available. Within individual fire compartments, the FPRA did not take credit for fire suppression, either automatic or manual. Cable routing information was assumed based on the location of component controls and the physical location of the equipment in the plant as identified or inferred from the site plan and the general arrangement drawings.

The applicant did not perform detailed fire modeling. Instead, the applicant modeled the fire growth by applying a mean probability of loss of other equipment in the fire area of 0.5 with a uniform distribution with a value between 0 and 1 to represent the effect of fire severity factor and subsequent fire growth. When the fire does not spread, the scenario is mapped to a transient sequence. When the fire does spread, all targets in the fire area are assumed to be affected by the fire, and the scenario is mapped to the most challenging accident sequence possible following a fire in the area. The applicant also performed a sensitivity study accounting for the uncertainty in fire growth to address potential shortcomings of a wide probability distribution and capture important risk insights.

The staff reviewed how the applicant addressed the MCR fire risk. The applicant's modeling of fires affecting the MCR is consistent with how other fire compartments are modeled. Because the MCR contains equipment controlling both divisions of safety systems, a fire left unchecked may result in conditions that challenge entire safety functions. Before leaving the MCR, the operators are expected to respond to an MCR evacuation by tripping the reactors and initiating DHR and containment isolation for each reactor. Following evacuation of the MCR, non-safety-related equipment cannot be controlled outside of the control room, so reactor makeup is not possible in the case of an incomplete ECCS actuation, and safety-related equipment capability is not credited because a detailed fire analysis has not determined the time window for success. As a result, hot shorts are assumed to cause spurious ECCS valve operation in one division but not the other division, because separation requirements limit the fire effect to a single division.

The staff reviewed the applicant's treatment of multicompartment fires. The frequency of the multicompartment scenario is quantified as the product of the ignition frequency, the severity factor, the probability of nonsuppression, and the fire barrier failure probability. The applicant assumed that all ignited fires in the originating compartment result in a challenge to fire compartment boundaries, such as by the formation of a hot gas layer. The applicant assumed a fire growth factor of 0.5, 0.01 for the probability of nonsuppression, and 0.1 for the probability of barrier failure. The applicant considered the fire compartment layout from the general arrangement drawings and appropriately assessed the combinations of multicompartment fire scenarios.

19.1.4.8.2.4 Fire Ignition Frequency

The staff reviewed how the applicant determined the fire ignition frequencies to support the FPRA. The applicant estimated the fire ignition frequency for each identified ignition source and each fire compartment using the generic frequencies from NUREG-2169, "Nuclear Power Plant Fire Ignition Frequency and Non-Suppression Probability Estimation Using the Updated Fire Events Database: United States Fire Event Experience Through 2009," issued January 2015 (ML15016A069), and NUREG-2178, "Refining and Characterizing Heat Release Rates from Electrical Enclosures During Fire (RACHELLE-FIRE), Volume 2, Fire Modeling Guidance for Electrical Cabinets, Electric Motors, Indoor Dry Transformers, and the Main Control Board," issued June 2020 (ML20168A655). Fire frequencies are based on mapping plant ignition sources to generic fire bins and associated frequencies. They generally include equally weighted transient ignition sources. The applicant estimated the potential ignition sources in unscreened fire compartments based on the general arrangement drawing. The plant layout and the multi-module configuration of the NuScale design differ significantly from the large LWR plant layout on which the NUREG-2169 data are based. Although this introduces additional uncertainties, for SDA purposes, this is a reasonable approach at this stage of the design.

19.1.4.8.2.5 Quantification and Insights

The staff reviewed the fire risk quantification and found that the key elements for the PRA quantification, such as initiating events, accident sequences, and basic events (equipment unavailability and human failure events), were identified. The internal FPRA results and insights rely on key assumptions to account for the incomplete design and operational details. FSAR Table 19.1-21 lists the key assumptions for the internal FPRA. These key assumptions used in the PRA need to be appropriately evaluated and dispositioned during the COL stage to ensure that the PRA results and insights continue to remain valid. As discussed in SER Section 19.1.4.4.9, the applicant identified COL Item 19.1-8 for this purpose.

19.1.4.8.2.6 Low-Power and Shutdown Internal Fires

For LPSD operations, the applicant's evaluation of internal fires in FSAR Section 19.1.6.3.2, "Internal Fire Risk during Low Power and Shutdown," is a qualitative assessment. The applicant concluded that the risk contribution is insignificant during LPSD operations because of the fail-safe nature of the safety-related systems, as well as the limited time (frequency and duration) that the module is in any POS during LPSD operations. As described in SER Section 19.1.4.6, the staff finds that the LPSD risk is not a large contributor in the NuScale design because of the passively cooled state, aside from POS 3, which is associated with RBC operation. The staff considered the potential for fires to affect the RBC control system in POS 3. FSAR Table 19.1-51, "Internal Fire Susceptibility During Low Power and Shutdown Plant Operating States," states that an internal fire event may result in a loss of power to the RBC and that the crane is designed to fail safe on a loss of power or failure of communication or control components, applying the brakes and holding the NPM in position.
The staff considers it acceptable that the RBC communication and control components, upon a loss of power, apply the brakes to hold the NPM in position as noted in Table 19.1-51 because the RBC cannot be spuriously operated because of a fire. As discussed in FSAR Section 9.1.5.2.2, "Component Descriptions," the RBC hoist motors and brakes operate on three-phase ac power. As concluded in NUREG/CR-7150, Volume 1, a consequential three-phase short is incredible and need not be considered. Since the RBC motors and brakes operate on three-phase ac, the staff concludes that the impacts of fire on the RBC have been adequately addressed and are consistent with SRP Section 19.0.

19.1.4.8.2.7 Conclusion

The staff finds that, although many details are tied to assumptions, the applicant's FPRA, which uses simplified approaches to address many aspects, as described above, provides results and insights acceptable for at-power and LPSD operations. The FPRA for at-power and LPSD operations is acceptable for an SDAA because it is technically adequate and consistent with the guidance in DC/COL-ISG-028 and SRP Section 19.0.

19.1.4.8.3 Internal Flooding Analysis

FSAR Section 19.1.5.3, "Internal Flooding Risk Evaluation," describes the internal flooding probabilistic risk assessment (IFPRA) for operations. The staff evaluated the IFPRA for consistency with the relevant portions of SRP Section 19.0 and DC/COL-ISG-028. The staff evaluated the qualitative assessment of risk from internal flooding during LPSD, as described at the end of this section. The applicant's IFPRA addressed the technical elements in ASME/ANS RA-Sa-2009 (i.e., internal plant partitioning, internal flood source identification, internal flood scenario development, internal flood-induced initiating event analysis, and internal flood accident sequence and quantification). However, the applicant's approach is based on a simplified model with heavy reliance on assumptions. This is partly because of the lack of established pipe routing and other design and operational details at this stage of the design. Therefore, the staff focused its review on the appropriateness of assumptions used to address these incomplete aspects of the design and operating procedures.

19.1.4.8.3.1 Internal Flood Plant Partitioning

The staff reviewed how the applicant performed the internal flood plant partitioning. The applicant performed this task generally at the building level. The applicant used the site plan drawing to assess the buildings that contain flood sources that have the potential to cause plant trips. The applicant screened out buildings from further consideration based on the assumption that either a flood in those areas would not cause a plant trip or adequate flood protection would be provided. For example, the applicant screened out the control building (CRB) from the internal flood model based on the reasoning that, although the CRB contains equipment that may result in a plant trip if flooded, areas containing this equipment are protected from internal flooding, and there are no flood sources that would circumvent the protection. The staff finds that the availability of adequate flood protection is a key assumption that should be validated for the COL stage. The applicant identified COL Items 3.4-1 through 3.4-3 for implementation of flood protection design during the COL stage. The applicant assumed that the equipment located in the flood areas modeled in the PRA is protected, which is acceptable for the uses of the PRA in the SDAA.
The staff considers this a key assumption in the PRA that will need to be validated or updated by the COL applicant once the design details are available, as directed by COL Items 3.4-1 through 3.4-3. COL Item 19.1-8 states that the COL applicant is expected to evaluate the key internal flooding assumptions and determine whether the PRA results and insights remain valid for the COL stage.

As part of its regulatory audit, the staff reviewed the applicant's identification of the internal flood sources. Because little information is available on specific pipe routing and equipment location, the characterization of the flood sources is limited to identifying the building affected by the potential flood (e.g., RXB, turbine building), including buildings that do not have flood sources but contain mitigating equipment that could be impacted by flood propagation. The applicant applied a simplified approach that modeled flooding events in the RXB as reactor trips (general transients) in which makeup by the CVCS and the CFDS is unavailable. The staff finds that the simplified approach for this SDAA is reasonable because the applicant appropriately modeled the internal flood plant partitioning and identified key assumptions related to the availability of adequate flood protection and the protection of equipment located in flood areas.

19.1.4.8.3.2 Internal Flood Scenario Development

The staff reviewed how the applicant performed the internal flood scenario development. Potential flooding scenarios consider propagation pathways, mitigation factors, and the affected equipment. Mitigation factors such as curbs, drains, sumps, watertight doors, and equipment mounting have not been considered, with the exception of flood doors protecting certain electrical equipment in the RXB and CRB.

The applicant's internal flood scenario analysis includes an assessment of the impact of flooding on mitigating equipment and the applicability of the PRA top events to internal flooding. PRA modeled equipment in the RXB or CRB is either assumed to be protected from flood or is assumed to be failed; therefore, the internal flooding PRA did not include operator actions. The staff finds this approach to internal flood scenario development reasonable for this SDAA.

19.1.4.8.3.3 Internal Flood-Induced Initiating Event Analysis

The staff reviewed how the applicant performed the internal flood-induced initiating event analysis. An internal flood cannot initiate a LOCA or a steamline or feedwater line break because flood damage does not affect passive components. The applicant assumed that an internal flood could initiate a transient because of the potential effects on pumps, control panels, or equipment; therefore, the internal event initiator of general reactor trip applies to internal flooding. An internal flood is assumed to not cause a LOOP or LODC because the EDAS equipment is protected from flooding, and no internal flooding sources are associated with an area containing high voltage ac electrical power distribution system switchgear. This modeling approach assumes that the flooding protection features will be adequately designed. The staff finds that this modeling approach will be validated or updated as appropriate once the design details become available in the COL stage, as directed by COL Items 3.4-1 through 3.4-3. COL Item 19.1-8 states that the COL applicant is expected to evaluate the key internal flooding assumptions and determine whether the PRA results and insights remain valid for the COL stage.

The applicant's estimation of the internal flooding frequency uses a simplified approach. The applicant assumed that the generic flooding frequency data in NUREG/CR-2300 for the auxiliary building and the turbine building may be applied to the US460 RXB and turbine building. The applicant based this assumption on the similarity in the location and types of equipment in these buildings. The staff finds that this approach limits the ability to gain design-specific insights because it does not consider the NuScale-specific piping configuration and associated break frequency estimations. However, the staff noted that the initiating event frequencies assumed for the RXB and the turbine building are comparable to or somewhat more conservative than the internal flooding analyses for other reactor designs. Hence, although the uncertainty is large, the staff finds that the risk is not significantly underestimated, assuming that key assumptions are valid. The staff also considered that the NuScale design is less dependent on active systems. Internal flooding would adversely affect only the components supporting the CVCS and CFDS, and the mitigating functions provided by these systems are not credited for flooding in the RXB. Based on the above considerations, and because limited design information is available, the staff finds this approach to estimating the internal flooding frequency reasonable for this SDAA.

19.1.4.8.3.4 Quantification and Insights

FSAR Section 19.1.5.3.2, "Results from the Internal Flooding Risk Evaluation," discusses the results from the internal flooding risk evaluation. The staff reviewed the PRA quantification and finds that the key elements in the PRA quantification, such as initiating events, accident sequences, and basic events (equipment unavailability and human failure events), are identified. The applicant reported a very low internal flooding CDF. As discussed in more detail in SER Section 19.1.4.4.8, the staff finds that the uncertainty in the CDF could be larger than indicated; however, even with greater uncertainty, there is margin to the Commission's CDF and LRF goals.

The PRA results and insights rely on key assumptions and design features to account for the incomplete design and operational details. FSAR Table 19.1-21 lists the key assumptions for the IFPRA. As discussed in SER Section 19.1.4.4.9 and this section, COL Items 19.1-8 and 3.4-1 through 3.4-3 address the key assumptions and assumptions regarding internal flood protection design features in this SDAA.

19.1.4.8.3.5 Low-Power and Shutdown Internal Flooding

The applicant performed a qualitative evaluation of internal flooding risk during LPSD operations, as discussed in FSAR Section 19.1.6.3.3, "Internal Flood Risk during Low Power and Shutdown," and FSAR Table 19.1-52, "Internal Flooding Susceptibility During Low Power and Shutdown Plant Operating States." The applicant concluded that the risk contribution of internal flooding during LPSD operations is negligible because of the fail-safe nature of the safety systems, as well as the limited time (frequency and duration) that the module is in any POS during LPSD operations. As evaluated in SER Section 19.1.4.6, the staff finds that the reactor module is passively cooled for most of the LPSD duration. Therefore, the staff finds that internal flooding will likely not contribute significantly to risk in POSs 1, 2, 4, 5, 6, and 7. During module movement in POS 3, as discussed in FSAR Section 9.1.5, "Overhead Heavy Load Handling System," the RBC is designed to ensure that the system retains its load throughout an SSE, which bounds a loss of power event due to a postulated internal flood. As previously described for the at-power internal flood analysis, the applicant assumes that design features protect equipment such as the ac power equipment from internal floods. These design features will be validated or updated once the design details become available in the COL stage as directed by COL Items 3.4-1 through 3.4-3.
Additionally, COL Item 19.1-8 states that the COL applicant is expected to evaluate the key internal flooding assumptions and determine whether the PRA results and insights remain valid for the COL stage.

19.1.4.8.3.6 Conclusion

Based on the above, the staff finds that the applicant's IFPRA for at-power and LPSD operations is acceptable for this SDAA because it is technically adequate and consistent with the guidance in DC/COL-ISG-028 and SRP Section 19.0. The applicant identified key assumptions and design features that provide flood protection related to the internal flooding PRA to address the design details not specified at the SDA stage. These assumptions and design features will be validated or updated as appropriate once the design details become available in the COL stage. The applicant provided relevant COL Items in the SDAA FSAR to address these actions at the COL stage.

19.1.4.8.4 External Flooding Analysis

The applicant's external flooding risk evaluation described in FSAR Section 19.1.5.4, "External Flooding Risk Evaluation," applies the methodology in Part 8 of ASME/ANS RA-Sa-2009 for the design stage, consistent with DC/COL-ISG-028. The external flooding risk evaluation includes a hazard analysis, fragility evaluation, and module response. The module response includes accident sequences and quantification of results. The applicant performed a self-assessment of the external flooding PRA against the guidance in ASME/ANS RA-Sa-2009, as endorsed by RG 1.200 and DC/COL-ISG-028.

The staff reviewed the key assumptions in FSAR Table 19.1-21. The staff examined the basis for the probable maximum flood frequency of 2.0x10^-3 per year. This assumption is consistent with ASME/ANS RA-Sa-2009, which states that probable maximum flood annual frequencies are typically in the range of 0.01 to 0.001 per year. Therefore, it is reasonable to use 2.0x10^-3 to represent the probable maximum flood frequency at a representative site.

Another key assumption is that for 90 percent of external flood events, operators are assumed to stop refueling and crane operations and perform a controlled shutdown before external flood-induced impacts affect equipment. For the other 10 percent of external flood events, a LOOP is assumed to occur. The applicant also performed a sensitivity analysis assuming that 20 percent of external flood events cause a LOOP. Consistent with ASME/ANS RA-Sa-2009, this assumption is based on insights that most large external floods occur only after significant warning time or over a long enough duration to allow the plant operating staff to take appropriate steps to secure the plant and its safety-related SSCs, and it is appropriate to take credit for warning time and compensatory actions as the plant's planning and procedures allow. As stated in COL Item 19.1-7, the COL applicant is expected to evaluate this assumption for the site-specific hazard. COL Item 19.1-8 states that the COL applicant is expected to evaluate this assumption and determine whether the PRA results and insights remain valid for the COL stage.

The staff reviewed FSAR Table 19.1-53, "External Flooding Susceptibility during Low Power and Shutdown Plant Operating States," to determine whether the RBC, following a loss of ac power due to external flooding, has the capability to maintain a hoisted load until power is restored. The staff determined, based on information in FSAR Section 9.1.5, that the applicant sufficiently described the design and operation of the RBC during module transport to conclude that the performance of the RBC is adequate for loss of ac power due to external flooding.
The staff examined the potential failure of flooding mitigation features (e.g., watertight doors, curbs). FSAR Section 19.1.5.4.1, "Description of External Flooding Risk Evaluation," states that flooding mitigation features, including operator actions, are not credited in the external flooding analysis, and no flooding penetrations were identified as risk significant. The staff finds the applicant's approach acceptable.

Based on the above, the staff finds that the applicant's external flooding PRA for at-power and LPSD operations is acceptable for the SDAA because it is technically acceptable for this application and consistent with the guidance in DC/COL-ISG-028 and SRP Section 19.0.

19.1.4.8.5 High-Winds Analysis

The applicant's high-wind risk evaluation, described in FSAR Section 19.1.5.5, "High-Wind Risk Evaluation," applies the methodology in Part 7 of ASME/ANS RA-Sa-2009 for the design stage, consistent with DC/COL-ISG-028. The high-winds PRA includes a hazard analysis, fragility evaluation, and plant response evaluation. The high-winds PRA includes the identification of operator actions, quantification, and results. The applicant performed a self-assessment of the PRA against the guidance in ASME/ANS RA-Sa-2009 as endorsed by RG 1.200 and DC/COL-ISG-028.

The applicant developed its tornado hazard characterization with methods and data in NUREG/CR-4461, Revision 2, "Tornado Climatology of the Contiguous United States," issued February 2007, and based the tornado hazard frequency on data for the central region of the United States. The staff finds the characterization acceptable for a representative site because it is consistent with SRP Section 19.0 and uses data for the central region of the country, which has the highest occurrence rate of tornadoes and the highest tornado intensities.

The applicant developed its hurricane and terrestrial high-wind hazard characterization with data in INL/EXT-21-64151, "Analysis of Loss-of-Offsite Power Events, 2020 Update," issued November 2021. The staff finds the characterization acceptable for a representative site because it is consistent with SRP Section 19.0 and uses data collected from the currently operating nuclear plants to represent the average frequency for hurricane and terrestrial high-wind hazards.

The applicant assumed that a high-winds event results in only a LOOP event with safety system actuation on low ac voltage. FSAR Table 19.1-21 presents the key assumptions made in the high-winds analysis. The staff finds that the key assumptions have been appropriately identified.

FSAR Table 19.1-44, "Significant Cutsets (Hurricanes, Full Power, Single Module)," and Table 19.1-45, "Significant Cutsets (Tornadoes, Full Power, Single Module)," present the results of the applicant's analysis of risk from high winds during power operation. The staff finds these results to be reasonable and reflective of the US460 design where all important accident mitigation features are housed within the robust seismic Category I RXB structure and are therefore protected from the effects of high winds.

The staff reviewed FSAR Table 19.1-54, "High Wind Susceptibility during Low Power and Shutdown Plant Operating States," to determine whether the RBC, following a loss of ac power due to high winds, has the capability to maintain a hoisted load until power is restored. The staff determined, based on information in FSAR Section 9.1.5, that the applicant sufficiently described the design and operation of the RBC during module transport to conclude that the performance of the RBC is adequate for loss of ac power due to high winds.
Based on the above, the staff finds that the applicant's high-winds PRA for at-power and LPSD operations is acceptable for the SDAA because it is technically adequate and consistent with the guidance in DC/COL-ISG-028 and SRP Section 19.0.

Evaluation of Multi-Module Risk

The focus of the staff's review of multi-module risk was to confirm that the unique multi-module configuration of the NuScale design does not contain vulnerabilities that pose a level of risk significantly greater than that associated with accidents involving multiple units at a U.S. nuclear power plant site. The staff used guidance in SRP Section 19.0, which directs the staff to verify that the applicant has (1) used a systematic process to identify accident sequences, including significant human errors, that lead to multi-module core damages or large releases and (2) selected alternative features, operational strategies, and design options to prevent these sequences from occurring and demonstrated that these accident sequences are not significant contributors to risk.

The applicant addressed the risk associated with the impact of external events on multiple modules qualitatively. Seismic, internal fire, internal flooding, external flooding, and high-wind events are addressed. The applicant discussed upset conditions in multiple modules that may be caused by these events, as well as the independence of module-specific design features that protect the reactor core under such conditions.

19.1.4.9.1 Multi-Module Internal Events

The staff reviewed the information in FSAR Section 19.1.7, "Multiple-Module Risk Evaluation," and audited supporting material. For internal events, the applicant identified coupling mechanisms that could cause initiating or failure events in two or more modules. The approach involved establishing potential initiating events, equipment failure modes, and human errors from the single-module PRA that could occur in two or more modules. The coupling mechanisms were then characterized numerically with multi-module adjustment factors and multi-module performance-shaping factors that are established based on engineering judgment and applied directly to initiating event frequencies and basic event failure probabilities in the single-module PRA model. FSAR Table 19.1-57 documents multi-module adjustment factors and multi-module performance-shaping factors for basic events.

The parametrically adjusted single-module model, when quantified, provides an estimate of the frequency of core damage in two or more modules that is approximately 20 percent of the single-module full power CDF. Each individual module is supported by independent module-specific safety-related systems designed to ensure that the module is safely shut down during upset conditions. These systems do not require operator action for initiation. Each NPM includes a CVCS. The EDAS-MS plant subsystem consists of separate and independent dc electrical power supply systems, one for each NPM. A dedicated CES supports each NPM.

The staff finds that the applicant's approach to quantifying multi-module risk is reasonable, as it is thorough in scope and uses a systematic approach. Although the approach relies heavily on assumptions based on engineering judgment (e.g., multi-module adjustment factors and multi-module performance-shaping factors), and the results of the multi-module risk evaluation contain large uncertainty, the staff finds that the applicant's approach is acceptable for the SDA stage. The staff also finds that the applicant described design features and operational strategies to prevent the accident sequences from occurring or to reduce their likelihood.
Support systems that are not safety-related that can cause internal initiating events are made up of multiple trains, which limits the likelihood of system failure. The staff considers the applicant's multi-module evaluation of internal events adequate since the applicant considered potential system interactions with other reactor modules and documented key assumptions in the FSAR to be confirmed in the COL applicant's assessment. The staff also found the applicant's multi-module evaluation for internal events to be technically adequate and consistent with the guidance in SRP Section 19.0.

19.1.4.9.2 Multi-Module Internal Fire and Flood

For internal fire, the staff's evaluation included the review of the information in FSAR Chapter 9, Appendix 9A, "Fire Hazards Analysis," which includes the fire hazards analysis and a description of the fire safe-shutdown path. The staff evaluated potential single fire areas that contain equipment in redundant safety divisions relied on for safe shutdown for multiple modules or that contain safe-shutdown equipment from a single safety division for multiple modules. By reviewing the description of equipment locations in the fire hazards analysis in FSAR Chapter 9, Appendix 9A, the staff confirmed that the MCR is the only single fire area that contains multiple divisions of equipment that are required for safe shutdown of multiple modules. The staff finds that the equipment required for safe shutdown is designed to be fail-safe, with the exception of the potential creation of hot short conditions in which equipment is energized and actuated spuriously. Fire protection equipment is provided in the MCR and all other fire areas to arrest and limit the growth of any fire. In addition, operators can manually remove electric power from circuits, which places safety-related equipment in its fail-safe position. The staff finds that the applicant has taken reasonable steps in the design of the facility to limit the extent to which fire can induce unmitigated accident conditions in multiple modules and to allow the safety systems to perform their safety functions during a fire.

An internal flooding event can create the demand for more than one module to shut down, but given that the DHRS, ECCS, and CIVs transition to the safe state given a loss of dc and ac power, there are no multi-module dependencies in the design that result in an elevated conditional probability of core damage or large release given core damage in the first module. The staff finds that the safety system components inside the containment and inside the reactor pool are not vulnerable to damage from flooding and that the containment isolation system is designed to fail in a safe state (i.e., isolate containment) if associated electrical components are flooded. As stated in FSAR Section 3.4.1, "Internal Flood Protection for Onsite Equipment Failures," mitigation of flooding is accomplished by watertight or water-resistant doors, elevating equipment above the flood level, enclosing or qualifying equipment for submersion, or other similar type of flood protection. In addition, and like most multiunit facilities operating in the United States, separate features for preventing and mitigating core damage are provided in each module and, other than the reactor pool, are not shared among modules.
The following COL information items will confirm that the FSAR deterministic internal flooding assumptions are met:

COL Item 3.4-1: An applicant that references the NuScale Power Plant US460 standard design will confirm the final location of structures, systems, and components subject to flood protection. The final routing of piping, and site-specific tanks or water source tanks are placed in locations that will not cause unanalyzed flooding to the Reactor Building or Control Building.

COL Item 3.4-2: An applicant that references the NuScale Power Plant US460 standard design will develop the on-site program addressing the key points of flood mitigation consistent with the methodology described in Section 3.4.1. The key points to this program include the procedures for mitigating internal flooding events; development of the equipment list of structures, systems, and components subject to flood protection in each plant zone; and analysis providing assurance that the program reliably mitigates flooding to the identified structures, systems, and components consistent with the flood levels identified in Table 3.4-1.

COL Item 3.4-3: An applicant that references the NuScale Power Plant US460 standard design will develop an inspection and maintenance program to ensure that each water-tight door, penetration seal, or other degradable measure remains capable of performing its intended function.

Based on the design and location of safety system components, the design of the containment isolation system, and the inclusion of COL items to confirm the internal flooding barriers assumed in the FSAR internal flooding analysis, the staff finds that the applicant's qualitative evaluation of multi-module internal fire and flood hazards is reasonable. The applicant found no potential system interactions with other reactor modules and documented key assumptions in the FSAR to be confirmed in the COL applicant's assessment. The staff also finds the applicant's multi-module evaluation for internal fire and flood hazards to be technically adequate and consistent with the guidance in SRP Section 19.0 for this SDAA.

19.1.4.9.3 Multi-Module External Events

An external flood can affect all modules, and its effect is similar to that of a station blackout following a loss of power. The staff finds that safety systems for prevention and mitigation of a core damage accident are module specific (except the UHS), do not rely on electric power, are fail-safe on loss of power, and are protected from external flooding by their location inside the RXB, which is a robust structure protected from external flooding in accordance with General Design Criterion 2, "Design Bases for Protection Against Natural Phenomena."

A high-wind event can affect all modules, and its effect is similar to that of a reactor trip and an extended loss of power. The staff finds that the features for preventing and mitigating core damage as described for an external flood also apply to a high-wind event.

A seismic event can cause damage in multiple modules because of its sitewide impact. While the PRA-based SMA discussed in FSAR Section 19.1.5, "Safety Insights from the External Events Probabilistic Risk Assessment for Operations at Power," addresses the effects of seismic events on a single module, potential initiating events, performance of safety systems, and accident sequences could be the same in multiple modules.
The results of the fragility analysis, which the staff evaluated in SER Section 19.1.4.8.1.2, indicate that the controlling failure modes for SSCs relied on to prevent core damage and release in one or more modules (i.e., the reactor trip system, ECCS, DHRS, CIVs, RSVs, and the RXB structure) have HCLPF capacities above 1.67 times the SSE of 0.5g, consistent with the SRM to SECY-93-087.

Because the UHS is shared among all modules, the staff evaluated the risk associated with a failure of the RXB structure. If such a failure results in a loss of the UHS, then both core and containment cooling would be lost, potentially leading to core melt and containment failure in multiple modules. However, as stated above, the HCLPF values for the pool walls and floor, as listed in FSAR Table 19.1-32, exceed the sequence level HCLPF value described in the SRM to SECY-93-087. The staff finds that design features included in the evaluation of a multi-module accident following a seismic event are adequate because the seismic margin provided by these design features meets the Commission's guidance for new reactors as described in SECY-93-087.

19.1.4.9.4 Multi-Module Shutdown Events

For LPSD operations, the staff evaluated the applicant's qualitative analysis (nonmechanistic) of the potential for accidents involving multiple modules during module movement for purposes of refueling. For this review, the staff also considered its review of the RBC design documented in SER Section 9.1.5 and the likelihood of a module drop accident during refueling documented in SER Section 19.1.4.6.3. FSAR Section 19.1.7.4, "Insights Regarding Low Power and Shutdown for Multi-Module Operation," discusses how a module dropped during refueling transport might impact other modules.

Based on the applicant's response to an audit question (ML24346A312) consistent with FSAR Section 19.1.7.4, if a dropped module strikes an operating module, piping, including pressurizer spray piping and DHRS piping, at the front of the NPM has the potential to be impacted. As indicated by FSAR Figure 6.2-2b, "Containment Vessel Assembly," the CFDS piping is located at the back of the CNV head, the CVCS injection and discharge piping is located on the side, and the pressurizer spray piping is located on the front. The safety-related CVCS CIVs are located on top of the CNV and under the NuScale NPM top support structure (TSS). As shown in FSAR Figure 9.1.5-3, "Reactor Building Crane Lower Block Assembly Connection to the Top Support Structure," the TSS is composed of diagonal lifting braces and lifting lugs and provides structural support for piping and valves. The lower block assembly is located at the bottom of the main hoist and interfaces with the TSS; the lower block assembly provides the connection method for the RBC to lift and carry an NPM from the operating bay to the refueling bay. The location of the CIVs under the TSS protects them from postulated dropped NPM impacts. The lower block assembly, as part of the RBC, is classified as B1 in FSAR Table 9.1.5-2, "Classifications of Structures, Systems, and Components." The TSS is also classified as B1 in FSAR Table 17.4-1.

Following postulated breaks in both CVCS discharge and injection lines from a dropped module, it is expected there would be a reactor trip due to low pressurizer level or low pressurizer pressure. As stipulated in TS Table 3.3.1-1, low pressurizer level would result in containment isolation. The redundant safety-related CIVs on the CVCS injection and discharge lines are classified as A1 in FSAR Table 17.4-1 and FSAR Table 6.2-7, "Classification of Structures, Systems, and Components."
If the CIVs close but both trains of DHRS are unavailable, as discussed in FSAR Section 19.1.4, "Safety Insights from the Internal Events Probabilistic Risk Assessment for Operations at Power," then heatup of primary coolant and pressurization of the RPV occur to the point of RSV demand. If one RSV successfully opens, the RCS depressurizes and the ECCS is demanded. Successful ECCS actuation removes heat through containment into the reactor pool by passive convection and conduction to cool the module to a safe, stable configuration. If the RSVs fail to open, ECCS functioning remains a success path.

The staff considers the applicant's qualitative evaluation of multi-module shutdown events adequate since the applicant considered potential system interactions with other reactor modules and documented key assumptions in the FSAR to be confirmed in the COL applicant's assessment. The staff finds that the applicant's evaluation of multi-module shutdown events is also technically adequate and consistent with the guidance in SRP Section 19.0.

Combined License Information Items

SER Table 19.1-5 lists COL information item numbers and descriptions related to the PRA. The staff finds the COL information items to be reasonable.

Table 19.1-5 NuScale COL Information Items for FSAR Section 19.1

| Item No. | Description | FSAR Section |
|---|---|---|
| 19.1-1 | An applicant that references the NuScale Power Plant US460 standard design will identify and describe the use of the probabilistic risk assessment in support of licensee programs being implemented during the COL application phase. | 19.1.1.2.1 |
| 19.1-2 | An applicant that references the NuScale Power Plant US460 standard design will identify and describe specific risk-informed applications being implemented during the COL application phase. | 19.1.1.2.2 |
| 19.1-3 | An applicant that references the NuScale Power Plant US460 standard design will specify and describe the use of the probabilistic risk assessment in support of licensee programs during the construction phase (from issuance of the COL up to initial fuel loading). | 19.1.1.3.1 |
| 19.1-4 | An applicant that references the NuScale Power Plant US460 standard design will specify and describe risk-informed applications during the construction phase (from issuance of the COL up to initial fuel loading). | 19.1.1.3.2 |
| 19.1-5 | An applicant that references the NuScale Power Plant US460 standard design will specify and describe the use of the probabilistic risk assessment in support of licensee programs during the operational phase (from initial fuel loading through commercial operation). | 19.1.1.4.1 |
| 19.1-6 | An applicant that references the NuScale Power Plant US460 standard design will specify and describe risk-informed applications during the operational phase (from initial fuel loading through commercial operation). | 19.1.1.4.2 |
| 19.1-7 | An applicant that references the NuScale Power Plant US460 standard design will evaluate site-specific external event hazards (e.g., liquefaction, slope failure), screen those for risk-significance, and evaluate the risk associated with external hazards that are not bounded by the standard design. | 19.1.5 |
| 19.1-8 | An applicant that references the NuScale Power Plant US460 standard design will confirm the validity of the key assumptions and data used in the standard design approval application PRA and modify, as necessary, for applicability to the as-built, as-operated PRA. | 19.1.9.1 |

Conclusion

The staff has reviewed the NuScale US460 design-specific PRA and other PRA-related information in FSAR Section 19.1, in accordance with the guidance in SRP Section 19.0. The applicant addressed the full scope of internal and external initiating events for both full-power and LPSD conditions consistent with the level of detail expected in an SDAA PRA. The staff concludes that the application conforms to the guidance in SRP Section 19.0 and that, for the applicable modes and hazards, the US460 standard design PRA conforms to DC/COL-ISG-028. Therefore, the staff finds that the US460 standard design PRA is of sufficient technical adequacy for this SDAA.

The staff has reviewed NuScale's estimate of CDF and LRF, considering all hazards and all modes, and has evaluated the impact of NuScale's sensitivity studies and importance analyses to the PRA results. Based on the staff's evaluation of the integrated risk from all modes and all hazards, the staff concludes that the Commission's CDF and LRF goals have been met with margin.

19.2 Severe Accident Evaluation

Introduction

This section describes the staff evaluation of FSAR Section 19.2, "Severe Accident Evaluation."

Summary of Application

FSAR Section 19.2 provides a description and analysis of design features for the prevention and mitigation of severe accidents. Specifically, FSAR Section 19.2.2, "Severe Accident Prevention," discusses the design's capability to prevent specific severe accidents and addresses prevention of severe accidents resulting from ATWS, fire protection issues, station blackout, and an interfacing system LOCA. FSAR Section 19.2.3, "Severe Accident Mitigation," discusses the design's capability to mitigate severe accidents if they occur and addresses the following severe accident issues:

• external RPV cooling
• hydrogen combustion
• high-pressure melt ejection (HPME)
• in-vessel steam explosion
• severe accident-induced SGTF
• equipment survivability

FSAR Section 19.2.4, "Containment Performance Capability," Section 19.2.5, "Accident Management," and Section 19.2.6, "Consideration of Potential Design Improvements Under 10 CFR 50.34(f)," discuss additional severe accident topics.

ITAAC: There are no ITAAC associated with this area of review. SER Section 6.2.5 describes ITAAC associated with the PAR.
Technical Specifications: There are no generic TS associated with this area of review. SER Section 6.2.5 describes TS associated with the PAR.

Technical Reports: There are no technical reports associated with this area of review.

Regulatory Basis

The relevant requirements for the severe accident evaluation of an SDA for an LWR appear in 10 CFR 52.137(a)(12) and 10 CFR 52.137(a)(23) as described below:

• 10 CFR 52.137(a)(12) requires an analysis and description of the equipment and systems for combustible gas control as required by 10 CFR 50.44, "Combustible gas control for nuclear power reactors."
• 10 CFR 52.137(a)(23) requires a description and analysis of design features for the prevention and mitigation of severe accidents, e.g., challenges to containment integrity caused by core-concrete interaction, steam explosion, high-pressure core melt ejection, hydrogen combustion, and containment bypass.

The guidance in SRP Section 19.0 lists the acceptance criteria adequate to meet the requirements for severe accident evaluation in 10 CFR 52.47, which are analogous to the above requirements, as well as review interfaces with other SRP sections, such as SRP Section 6.2.5.

The following documents provide the acceptance criteria for the staff to confirm that the above requirements have been adequately addressed:

• SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light Water Reactor (ALWR) Designs," dated April 2, 1993 (ML003708021) and the associated SRM, dated July 21, 1993 (ML003708056)
• SECY-94-084, "Policy and Technical Issues Associated with the Regulatory Treatment of Non-Safety Systems in Passive Plant Designs," dated March 28, 1994 (ML003708068), and the associated SRM, dated June 30, 1994 (ML003708098)
• SECY-19-0047, "Containment Performance Goals for the NuScale Small Modular Reactor Design," dated May 8, 2019 (ML19106A392), with the staff's design-specific implementation for NuScale of the containment performance goals in SECY-93-087, as follows:
  ◦ The conditional probability of containment failure by steam explosion in the reactor vessel causing failure of the containment upper head plus the conditional containment bypass probability is less than 0.1.
  ◦ For core damage accidents for which demonstration of in-vessel retention is inconclusive (i.e., sequences that do not involve containment bypass or steam explosion in the reactor vessel that could potentially lead to containment failure), the radioactive material release to the environment is less than that of a large release as defined by NuScale.

Technical Evaluation

The staff reviewed the relevant information on the severe accident evaluation in the FSAR. During the review, the staff issued requests for additional information and participated in a regulatory audit to examine supporting technical documents. This section summarizes the results of the staff review that are important to the overall conclusion on the NuScale severe accident evaluation and its conformance to the applicable regulatory requirements.

Severe Accident Prevention

The staff evaluated conformance to SECY-93-087 and the associated SRM for ATWS and fire protection in SER Sections 15.8 and 9.5.1, respectively. The staff evaluated conformance to SECY-94-084 and the associated SRM for station blackout in SER Section 8.4.

Regarding interfacing system LOCA prevention, the staff reviewed FSAR Section 9.3.4, "Chemical and Volume Control System," which shows that the CVCS is the only system with connections to the RCS with piping outside containment. The staff finds that the CVCS meets the guidance in SECY-93-087 and the associated SRM because it is designed to handle RCS pressure where practical. The portions of the CVCS that are not designed to handle RCS pressure are the makeup line and components upstream of the makeup pumps. Following the guidance in SECY-93-087 and the associated SRM, these portions include pressure-indicating transmitters on the suction of each of the CVCS makeup pumps that provide a high-pressure alarm in the MCR.

Severe accident prevention also is reflected in the Level 1 PRA evaluated in SER Section 19.1. The low CDF for at-power internal events for the NuScale SDA, as discussed in FSAR Section 19.1, is a result of unique design features. The unique design features include a passive DHRS, a passive ECCS, and an RPV and CNV geometry that provides core cooling when the only functioning equipment is one RSV.

The staff finds that the analysis of design features for the prevention of severe accidents satisfies 10 CFR 52.137(a)(23) and the associated Commission policy in SECY-93-087.

Severe Accident Mitigation

19.2.4.2.1 Scenario Selection for At-Power Accidents

The applicant performed MELCOR simulations as part of its analysis to show that the containment performance goals, as required by regulation and addressed by the Commission policy statements which are summarized in SER Section 19.2.3, are met.
The staff evaluated whether the applicant's MELCOR simulations covered the credible core damage sequences as described in FSAR 19.2.3.2, "Severe Accident Progression."

For the NuScale US460 standard design, a sustained loss of cooling is needed to lead to core damage. A sustained loss of cooling could occur in the NuScale design as a result of a hole in the RPV allowing coolant to escape concurrent with ECCS failure and assuming other mitigating systems are unavailable. One category of a core damage accident scenario includes a break at a higher elevation in the RPV, such as a failed-open RVV with failure of both RRVs to open. In this case, coolant cannot return to the RPV because the break location is at the top of the RPV. Another category of core damage accident scenario includes a break at a lower elevation in the RPV, such as a failed-open RRV. Coolant can reenter the RPV in this case because the break elevation is below the water level in containment produced by discharge of the RPV inventory into the containment. The applicant's MELCOR simulations for these scenarios predict core damage with subsequent recovery of core cooling as the result of coolant in the containment reentering the RPV through the RRVs.

The staff's review of the FSAR found that the applicant's MELCOR simulations covered the credible core damage sequences, which are identified in FSAR Table 19.2-1, "Core Damage Simulations for Severe Accident Evaluation."

19.2.4.2.2 Staff's Independent MELCOR Confirmatory Analysis

The staff independently developed a MELCOR input model using plant design data provided by the applicant. ERI/NRC 2023-04-24, "2023 Update of the NuScale Full-Plant MELCOR Model," issued April 2023, documents the staff's model. The staff applied its model to the following three of six scenarios identified in FSAR Table 19.2-1:

(1) LEC-05T-00: A stuck-open RRV with subsequent opening of the remaining RRV, while both RVVs fail to open. Both trains of the DHRS are unavailable. This scenario is a liquid space break, with maximum CNV pressure early. Clad oxidation ends at 9 hours.
(2) LCC-05T-01: CVCS injection line break inside containment with subsequent opening of the two RVVs and failure of both RRVs to open. This scenario is representative of scenarios with a break at a high elevation in the RPV such that liquid water is discharged through the break. Liquid water cannot return to the RPV because the CVCS piping rupture is in the containment upper plenum. Clad oxidation ends at 17 hours.
(3) TRN-07T-01: A general transient with a stuck-open RSV, complete ECCS failure, and DHRS failure. This is the slowest transient, with clad oxidation ending at 57 hours.

For each scenario, the staff compared its analysis results with the applicant's simulation results and did not identify differences that were likely to affect the applicant's analysis of severe accident mitigation. The comparison confirmed the results of the applicant's simulation of the accident progression, the analysis methodology, and interpretations of its analyses of the reactor, containment, and system response to severe accidents. The staff documented its independent MELCOR confirmatory analysis in RES/FSCB-2024-02, "Confirmatory Calculations for NuScale SDAA Combustible Gas Control in the Containment," issued August 2024.
19.2.4.2.3 External Reactor Vessel Cooling

For severe accidents that do not involve containment bypass, the applicant performed a severe accident analysis to show that a damaged core would be retained within the reactor vessel due to water in the containment cooling the reactor vessel outer surface and preventing a breach of the reactor vessel. If the reactor vessel remains intact, the CNV remains an effective fission product boundary. Furthermore, even if the reactor vessel were to fail, the applicant concluded that the containment would remain intact.

The staff identified phenomenological uncertainties that could affect the conclusion above. Examples of these uncertainties include (1) the potential formation of a metal layer on top of core debris in the reactor vessel lower plenum that would focus a high heat flow on a small area of the reactor vessel lower head, (2) intermetallic reactions that generate heat and could cause a self-propagating attack on the reactor vessel lower head, and (3) the heat transfer modeling for the reactor vessel and containment. Furthermore, should the reactor vessel fail, the CNV also could fail because of similar phenomena. Therefore, these uncertainties prevent the staff from confirming that the CCFP or deterministic containment performance goals are met.

However, NuScale's containment design is significantly different from other new reactors in that the bottom of the NuScale containment is a steel head submerged in a reactor pool, which would prevent releases of radioactive material from submerged portions of the containment from becoming airborne. Severe accident simulations predict that, should the NuScale core overheat, core debris would fall into the reactor vessel lower head. If the accumulated core debris resulted in failure of the reactor vessel lower head, it could then fall into the containment lower head and lead to failure of the containment lower head. Because of this, core debris could fall onto the reactor pool floor. Radioactive material releases from the containment through the failed containment lower head and from core debris on the reactor pool floor would be scrubbed by the reactor pool water, which is 16 meters (53 feet) deep. As a result, NuScale's FSAR states that containment lower head failure would not lead to a large release.

The applicant's conclusion that there would be no large release is supported by the applicant's severe accident analysis for postulated module drop events. This analysis includes a severe accident with the NPM lying on the reactor pool floor and with the containment assumed to be breached as a result of the drop impact. The analysis shows that the scrubbing effect of the water in the reactor pool reduces the offsite radiological dose to only a small fraction of the large release criterion defined by NuScale for the SDA. The analysis conservatively models the effect of reactor pool scrubbing on the radiological release to the environment. In the longer term, the reactor pool would continue to provide an effective barrier against the uncontrolled release of fission products beyond the initial 24-hour period following the onset of damage by preventing the radioactive material from becoming airborne again.

SECY-19-0047 gives the following four criteria for review of NuScale containment performance:

(1) The large release definition used by NuScale is consistent with the objectives of the Safety Goal Policy Statement.
(2) The CDF and the LRF are less than the goals of 1×10⁻⁴ per year and 1×10⁻⁶ per year, respectively. Meeting this criterion ensures that the Safety Goal Policy Statement QHOs for public risk are met.
(3) The conditional probability of containment failure by steam explosion in the reactor vessel causing failure of the containment upper head plus the conditional containment bypass probability is less than 0.1. Meeting this criterion ensures that the CCFP performance goal of 0.1 is met.
(4) For core damage accidents for which demonstration of in-vessel retention is inconclusive (i.e., sequences that do not involve containment bypass or steam explosion in the reactor vessel that could potentially lead to containment failure), the radioactive material release to the environment is less than that of a large release as defined by NuScale.

The following sections of this SER document the staff conclusions that the four review criteria are met:

• Criterion 1: Section 19.1.4.5
• Criterion 2: Section 19.1.4.4.10 (internal events CDF), Section 19.1.4.5.6 (internal events LRF), Section 19.1.4.6.7 (LPSD CDF and LPSD LRF)
• Criterion 3: Section 19.2.4.2.6 (steam explosion) and Section 19.2.4.2.7 (containment bypass)
• Criterion 4: Section 19.2.4.2.3 (external reactor vessel cooling)

Because the review criteria described in SECY-19-0047 are met, the staff concluded that containment failure due to inadequate external vessel cooling would not result in a large release. Therefore, the staff determined that the applicant's analysis of external vessel cooling is acceptable.

19.2.4.2.4 Hydrogen Generation and Control

SER Section 6.2.5 includes the staff's evaluation of hydrogen generation and control in containment. The PAR is a safety-related component whose function and design are evaluated in SER Section 6.2.5. SER Section 19.2.4.2.8 addresses equipment survivability for the PAR.

19.2.4.2.5 High-Pressure Melt Ejection

HPME is RPV failure at high pressure, dispersing core debris throughout the CNV. The applicant concluded that HPME is not a challenge because its MELCOR simulations showed that the RPV depressurizes as a result of the hole in the RPV that leads to core damage. During the audit, the staff reviewed the applicant's MELCOR analysis and HPME conclusion and confirmed the small pressure differential between the RPV and the CNV in the applicant's MELCOR analysis, and that HPME is unlikely to occur.

19.2.4.2.6 Steam Explosion in the Reactor Vessel

In FSAR Section 19.2.3.3.5, "Fuel-Coolant Interaction," the applicant evaluated a potential in-vessel steam explosion in the reactor vessel due to fuel-coolant interaction. The applicant evaluated the likelihood of CNV failure using a probabilistic framework that applied uncertainty distributions to the physical phenomena involved in a fuel-coolant interaction. The applicant concluded that the conditional probability of alpha-mode failure of the CNV (i.e., containment rupture due to a reactor vessel steam explosion) given a core damage event is less than 1.0×10⁻⁵.
The staff performed an independent assessment of the US600 design using the methodology in NUREG/CR-5030, "An Assessment of Steam-Explosion-Induced Containment Failure," issued February 1989, and documented it in RES/FSCB 2018-02, "Independent Assessment of In-Vessel Retention and Steam Explosion for the NuScale Small Modular Reactor," issued September 2018 (ML19196A318). The staff's independent assessment confirmed that a steam explosion in the RPV lower head is unlikely to cause the containment upper head to fail in the US600 design. For this SDAA review, the staff compared the differences in the US460 and US600 designs and the impact of these differences on the results obtained in RES/FSCB 2018-02. The staff confirmed that the results of RES/FSCB 2018-02 remain valid for the US460 design; namely, that a steam explosion in the RPV lower head is unlikely to cause the containment upper head to fail.

19.2.4.2.7 Containment Bypass

In FSAR Section 19.2.3.3.6, "Containment Bypass," the applicant evaluated a potential containment bypass. The applicant stated that core damage sequences that include containment bypass or failure of containment isolation were assumed to result in a large release, as defined in FSAR Section 19.1.4.2.1.4. The applicant made no distinction between early or late releases. The applicant further stated that containment bypass could occur through failure of containment isolation or SGTF concurrent with failure of secondary-side isolation on the failed steam generator.

In FSAR Section 19.1.4.2, the applicant described the modeling of containment isolation. The staff evaluates the modeling of containment isolation in SER Section 19.1.4.4.2.

In FSAR Section 19.2.3.3.6, the applicant evaluated a potential SGTF. The staff's review of the applicant's evaluation of an SGTF focused on whether the applicant's evaluation was thorough and the assumptions were sufficiently conservative or realistic.

In the steam generators, the steam generator bundles are integrated within the RPV and form part of the RPV reactor coolant pressure boundary. In contrast with conventional PWRs, the primary reactor coolant circulates over the outside of the steam generator tubes. Therefore, the tubes operate with the higher primary pressure on the outside of the tubes and lower secondary pressure on the inside of the tubes. The applicant stated that this results in predominantly compressive stresses on the steam generator tubes versus the typical tensile stresses.

Because of the lack of data on thermally induced SGTFs for the steam generator design, the applicant evaluated creep rupture based on historical data for conventional steam generator tube flaws and time-history temperature and pressure conditions representative of severe accident sequences as modeled by MELCOR. The applicant calculated the probability of an SGTF using the tube failure/creep rupture model presented in NUREG-1570, "Risk Assessment of Severe Accident-Induced Steam Generator Tube Rupture," issued March 1998 (ML070570094).
Because the formulas used to predict creep rupture are based on internally pressurized tubes and these steam generator tubes are externally pressurized, the applicant concluded that the calculated probability of a thermally induced SGTF is overestimated because creep progresses more vigorously under tension than under compression.

The applicant derived the nominal temperature and stress conditions that the steam generator tubes are exposed to from a representative MELCOR severe accident simulation for scenarios with high pressure on the primary side, low pressure on the secondary side, and no water in the secondary side. The scenarios involve a LOCA with ECCS failure and main steam isolation valves that fail to close. In a letter dated December 11, 2024 (ML24346A336), the applicant stated that this simulation was the same simulation used in the DCA for the US600 design. The applicant further stated that the simulation for the US600 design produced more limiting time-history temperature and steam generator tube stresses and, therefore, produced a higher SGTF probability. Consequently, the applicant used the higher SGTF probability from the US600 analysis in the PRA model for the US460 design.

The applicant accounted for uncertainty by imposing a distribution about the nominal values for temperature, pressure, and the Larson-Miller parameter. The applicant incorporated the probability of an SGTF in the Level 2 PRA and assumed that a core damage event causing a thermally induced SGTF with concurrent failure of the secondary-side isolation valves on the damaged steam generator results in containment bypass and a large release.

The staff finds that NuScale's thermal-hydraulic conditions, absent tube flaws, do not challenge tube integrity.
Creep and rupture graphs from Special Metals Corporation, a supplier of Alloy 690, indicate that, for the predicted temperature and stress levels, the creep rate for an unflawed tube would be less than 1×10⁻⁵ percent per hour and rupture life would be orders of magnitude beyond the 100,000-hour maximum value (Special Metals Corporation, Publication Number SMC-079, "Inconel Alloy 690," issued October 2009). The creep data are from standard tests performed under tension. Given the low rate of creep indicated in the Special Metals data under postulated accident conditions, the staff did not evaluate or credit the applicant's assumption that the tubes would be less susceptible to failure under compression.

In a letter dated December 11, 2024 (ML24346A339), the applicant stated that, for tube flaws, it used an assumed flaw distribution based on foreign object wear by adapting steam generator operating experience and placing ((

}}. The staff finds the applicant's assumption of foreign object wear reasonable because it is based on operating experience, and wear from foreign objects and support structures continues to be the cause of degradation in Alloy 690 steam generator tubes. The staff finds it reasonable to assume that the

((

}}. The staff finds this result conservative because the plant TS will require that flaw depths be limited to much lower depths, on the order of 40 percent through-wall.

As discussed in SER Section 19.2.3, SECY-19-0047 provides the staff's design-specific implementation for NuScale of the containment performance goals in SECY-93-087, including the goal for NuScale that the CCFP by steam explosion in the reactor vessel causing failure of the containment upper head plus the conditional containment bypass probability is less than 0.1. This CCFP goal for NuScale is met when using the mean probability of a thermally induced SGTF. Conservative assumptions in the applicant's PRA provide additional margin to this CCFP goal, including the assumption that tube failure with an unisolated steam generator leads to a large release.

19.2.4.2.8 Equipment Survivability

In FSAR Section 19.2.3.3.8, "Equipment Survivability," the applicant evaluated equipment survivability following a severe accident. The applicant stated that the functions that must be maintained following a severe accident are containment integrity, the capability to control combustible gas, and post-accident monitoring. The applicant further stated that post-accident monitoring is not relied on for mitigating severe accidents but is intended to provide information on severe accident conditions.

The staff evaluated conformance to SECY-93-087 and the associated SRM, which state that, for features provided only for severe accident mitigation, there should be high confidence that the equipment will survive severe accident conditions for the period needed to perform its intended function.

For mitigation of core damage accidents, the NuScale design does not rely on active systems (e.g., containment spray, cavity flooding) or post-accident monitoring. Instead, it relies on passive design features, such as containment geometry and submergence in the reactor pool, to prevent a large release.

To demonstrate reasonable assurance that equipment required to mitigate severe accidents will operate in the severe-accident environment for which they are intended over the time span for which they are needed, severe accident mitigation equipment and its required functions must be identified. The time duration and the environmental conditions of pressure, temperature, humidity, and radiological dose for which this function is required must also be identified. In FSAR Table 19.2-8, "Equipment Survivability List," the applicant identified each component or post-accident monitoring variable, its required function, and the time duration over which each is needed.

In a letter dated December 11, 2024 (ML24346A334), the applicant stated that the most challenging accident sequence with respect to containment temperature and pressure results from ((

}}. The applicant further stated that simulation results confirm that the NPM remains below CNV temperature and pressure limits for all accident sequences considered in the PRA.

To provide insight into the potential challenge to containment for a hydrogen deflagration at 72 hours, the applicant evaluated adiabatic isochoric complete combustion using the MELCOR code and the results of the severe accident simulations specified in FSAR Section 19.2.3.2. The applicant's evaluation did not credit the PAR as a mitigation feature for combustible gas control. The applicant's evaluation showed that the post-deflagration pressure remains below the CNV design pressure. The staff evaluation of hydrogen combustion in containment before 72 hours for severe accidents is in SER Section 6.2.5 and concludes that the containment remains inert and its integrity would be maintained.

For specific equipment not required to be considered in the equipment qualification (EQ) program, alternate means are necessary to ensure survivability. The equipment is qualified to 100 percent humidity.

The applicant described the methodology for ensuring equipment survivability in terms of post-accident radiological dose, which involves comparing the severe accident dose (based on the source term described in FSAR Section 15.10, "Core Damage Event") to the EQ design-basis dose. If the EQ dose is larger, survivability is ensured. If the severe accident dose is larger, qualitative assessments, testing, or additional analyses will be needed to ensure survivability. At the SDAA stage, specific components have not yet been selected. Once the components have been selected, the COL applicant will identify from Table 19.2-8, "Equipment Survivability List," the components and their severe accident doses for cases in which the severe accident dose is greater than the EQ dose, as described in COL Item 19.2-4. As part of the NuScale equipment survivability methodology, for those components whose severe accident dose exceeds the EQ dose, qualitative assessments, testing, or additional analyses will be provided to demonstrate equipment survivability.
The staff reviewed the equipment survivability program against the positions in SECY-90-016 and SECY-93-087 and the associated SRMs and finds that the identification of components required for severe accident mitigation, the function of each component, and the duration required to support the functions that must be maintained (containment integrity, the capability to control combustible gas, and post-accident monitoring) is reasonable. The staff reviewed conditions generated in the CNV following a hydrogen combustion event and finds that the conditions do not exceed either the CNV design temperature or pressure. The staff reviewed the methodology and results for evaluating the radiological dose and finds both reasonable. Containment structural integrity under severe accident radiation challenges is demonstrated by qualifying the containment boundary components to doses associated with core damage accident scenarios or the EQ design-basis accident radiological dose, whichever is greater.

Containment Performance Capability

19.2.4.3.1 Deterministic Containment Performance

The staff reviewed the applicant's MELCOR severe accident analysis, which showed that the containment pressure initially rises because of the inventory loss from the RPV and then decreases due to steam condensation on the containment inside surface. During this phase of the accident, the pressure stays below containment design pressure. Subsequently, the containment pressure rises because of hydrogen generated by cladding oxidation, but the pressure stays below containment design pressure. The staff's independent MELCOR confirmatory analysis confirmed the results of the applicant's analysis. Other challenges to containment performance are discussed in SER Sections 19.2.4.2.3 through 19.2.4.2.8.

19.2.4.3.2 Probabilistic Containment Performance

The staff reviews of CCFP related to steam explosion in the reactor vessel and containment bypass are in SER Sections 19.2.4.2.6 and 19.2.4.2.7, respectively. Using results from these sections, the staff finds the CCFP from steam explosion in the reactor vessel causing failure of the containment upper head plus the CCFP from bypass is less than 0.1 and, therefore, the guidance criterion for containment performance is met.

Accident Management

FSAR Section 19.2.5 includes COL Item 19.2-1 to develop severe accident management guidelines. Including a COL item to develop such guidelines is consistent with past practice and is therefore acceptable.

Consideration of Potential Design Improvements

In FSAR Section 19.2.6, the applicant summarized the method for identifying and evaluating design improvements under 10 CFR 50.34(f).
The applicant stated that it followed the guidance in Nuclear Energy Institute (NEI) 05-01, Revision A, Severe Accident Mitigation Alternatives (SAMA) Analysis Guidance Document, issued November 2005 (ML060530203), to conservatively calculate a maximum benefit associated with eliminating all risk in the design of $110,000 for a six-NPM configuration. The applicant noted that this maximum benefit was bounding for a configuration with a smaller number of NPMs. Key points of the applicant's calculation include the following:

The PRA provides Level 1 and Level 2 information for all modes of operation, including full power, low power, shutdown internal events, internal flood, internal fire, high winds, external flooding, and seismic hazard.

The site characteristics are based on the State-of-the-Art Reactor Consequence Analyses (SOARCA) Project Surry Nuclear Power Station offsite consequence model in NUREG/CR-7110, Volume 2, Revision 1, State-of-the-Art Reactor Consequence Analyses Project, Volume 2: Surry Integrated Analysis, issued August 2013 (ML13240A242), updated with 2022 economic information and 2060 population estimates.

The applicant stated that it evaluated potential design improvements using the guidance in NEI 05-01 and NUREG/BR-0184, Regulatory Analysis Technical Evaluation Handbook, issued January 1997 (ML050190193), and concluded that there are no design improvements determined to be cost-beneficial for severe accident mitigation. During its regulatory audit, the staff reviewed the applicant's calculation of maximum benefit and evaluation of potential design improvements to confirm the applicant's conclusion is reasonable for this SDAA.

Combined License Information Items

Table 19.2-1 NuScale COL Information Items for FSAR Section 19.2

| COL Item No. | Description | FSAR Section |
|---|---|---|
| 19.2-1 | An applicant that references the NuScale Power Plant US460 will develop severe accident management guidelines and other administrative controls to define the response to beyond-design-basis events. | 19.2.5.2 |
| 19.2-2 | An applicant that references the NuScale Power Plant US460 will use the site-specific probabilistic risk assessment to evaluate and identify improvements in the reliability of core and containment heat removal systems as specified by 10 CFR 50.34(f)(1)(i). | 19.2.6.7 |
| 19.2-3 | Not used | |
| 19.2-4 | An applicant that references the NuScale Power Plant US460 will identify from Table 19.2-8 the components and their severe accident doses for cases where the severe accident dose is greater than the environmental qualification dose. | 19.2.3.3.8 |

The staff finds the COL information items to be reasonable.

Conclusion

The staff has reviewed NuScale's FSAR Section 19.2, a description and analysis of design features for the prevention and mitigation of severe accidents, in accordance with the guidance in SRP Section 19.0. The staff reviewed the NuScale design to prevent or mitigate specific severe accidents. The staff used the criterion "less than a large release" to review the safety analysis of external reactor vessel cooling in meeting the containment performance goal, as discussed in SECY-19-0047.
The staff's evaluation of combustible gas control is documented in SER Section 6.2.5. Based on the staff's evaluation in SER Section 6.2.5 and the discussion above, the staff concludes that the applicant conformed to the regulations in 10 CFR 50.44(d) and the guidelines in RG 1.7, Revision 3, Control of Combustible Gas Concentrations in Containment, issued March 2007 (ML070290080), and SECY-90-016 and SECY-93-087 and their associated SRMs.

19.3 Regulatory Treatment of Nonsafety Systems for Passive Advanced Light-Water Reactors

Introduction

This section of the SER addresses the regulatory treatment of non-safety-related systems (RTNSS). The scope of an RTNSS program includes those non-safety-related SSCs that satisfy RTNSS criteria. The applicant then proposes regulatory treatment (e.g., inclusion in the design reliability assurance program or in TS) for SSCs that meet any of these criteria based on their reliability and availability missions.

Summary of Application

SDAA Part 2 (FSAR): FSAR Section 19.3.2, Structures, Systems, and Components Identification and Designation within Regulatory Treatment of Nonsafety Systems Program Scope, evaluates each of the RTNSS scoping criteria. Based on the results, no SSCs that are not safety related were included in the scope of the RTNSS program, and thus no non-safety-related SSCs require additional regulatory treatment.

ITAAC: There are no ITAAC associated with this area of review.

Technical Specifications: There are no generic TS associated with this area of review.

Technical Reports: There are no technical reports associated with this review.

Regulatory Basis

The following documents establish the scope, criteria, and process used to determine RTNSS for passive plant designs:

SECY-94-084 and its associated SRM

SECY-95-132, Policy and Technical Issues Associated with the Regulatory Treatment of Non-Safety Systems (RTNSS) in Passive Plant Designs, dated May 22, 1995 (ML003708005), and its associated SRM, dated June 28, 1995 (ML003708019)

The guidance in SRP Section 19.3, Revision 0, Regulatory Treatment of Nonsafety Systems for Passive Advanced Light Water Reactors, issued June 2014 (ML14035A149), lists the acceptance criteria adequate to meet the above guidelines, as well as review interfaces with other SRP sections.

Technical Evaluation

The staff used guidance from SRP Section 19.3 to review the applicant's evaluation of the five RTNSS scoping criteria (Criterion A through E, as identified in the following) described in FSAR Section 19.3.
Criterion A: SSC functions relied on to meet beyond-design-basis deterministic NRC performance requirements such as those stated in 10 CFR 50.62, Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants, for mitigating ATWS and in 10 CFR 50.63, Loss of all alternating current power, for station blackout.

For ATWS, the staff considered the rationale provided by the applicant in support of the ATWS exemption request as discussed in SER Section 7.1.5.4.6. In evaluating the rationale provided for the exemption request, the staff determined that the rationale provided would support an exemption request that would demonstrate that special circumstances would be present in that, first, the NuScale MPS design would meet the underlying purpose of 10 CFR 50.62(c)(1) to reduce the risk associated with ATWS events without the turbine trip design attributes required by 10 CFR 50.62(c)(1), and second, that other material circumstances would be present in the NuScale US460 design relating to enhanced safety features and simpler configuration of instrumentation and controls, which were not considered when 10 CFR 50.62(c)(1) was adopted. The staff considered NuScale's exemption request and determined that the exemption, if shown to be applicable and properly supported in a request for exemption by a COL applicant that references the SDA, would be justified and could be issued to the COL applicant for the reasons provided in NuScale's SDAA, provided there are no changes to the design that are material to the bases for the exemption. Where there are changes to the design material to the bases for the exemption, the COL applicant that references the SDA would be required to provide an adequate basis for the exemption. The staff also reviewed FSAR Chapter 19 risk insights on ATWS and found that the applicant's focused PRA showed no reliance on SSCs that are not safety-related to meet the Commission's ATWS CDF goal of 1×10⁻⁵ per year stated in SECY-83-293, Amendments to 10 CFR Part 50 Related to Anticipated Transients Without Scram (ATWS) Events, issued July 19, 1983.

For station blackout, the staff reviewed the design of the passive safety systems; the station blackout analysis described in FSAR Section 8.4, Station Blackout; and the evaluation of station blackout sequences in the PRA description in FSAR Section 19.1. The staff finds that the passive safety-related systems are designed to start automatically on a loss of power to the station and are capable of adequately cooling the reactor and containment following a station blackout event. The staff finds that the applicant focused its analysis on the two requirements above. The applicant stated that the NRC has not identified any additional beyond-design-basis deterministic requirements within the scope of Criterion A. The staff agrees that no such requirements exist.
Criterion B: SSC functions relied on to ensure long-term safety and to address seismic events.

FSAR Section 19.3.2.2, Regulatory Treatment of Nonsafety Systems B, states core cooling and containment integrity is maintained during the time period beginning 72 hours after a design-basis event and lasting the following 4 days, with only safety-related SSC, consistent with SECY-96-128. The staff reviewed the capability of the passive safety-related systems in the US460 design to remove decay heat following a design-basis event, as described in FSAR Section 5.4.3, Decay Heat Removal System; Section 6.3, Emergency Core Cooling System; and Section 9.2.5, Ultimate Heat Sink. The staff found that the DHRS, ECCS, and UHS are passive systems that do not depend on any SSCs that are not safety-related to perform their safety functions after 72 hours and up to 7 days following an accident. The staff determined that, assuming the reactor remains subcritical, decay heat can be removed passively through the UHS by heatup and boiloff of water in the reactor pool for well beyond 7 days without makeup or heat removal with a system that is not safety-related. The staff's determination is supported by a regulatory audit of selected portions of key NuScale calculations regarding the decay heat load associated with reactor modules and spent fuel, as well as the heat removal capacity of the UHS. The NRC staff identified no concerns during the audit that would impact the determination that the heat removal capacity of the UHS exceeds 7 days following an accident, provided that the core design assumptions described in the calculations are satisfied. See Section 6.3.4.1.7 of this SER for the additional detail of the staff's evaluation of long-term reactivity control.

The staff determined the applicant's condensation and riser hole flow rate assumptions to be reasonable out to 7 days. Therefore, the downcomer concentration is not expected to change significantly from that evaluated at 72 hours as discussed in SER Section 15.0.5. The staff concludes that margin exists between the downcomer and critical boron concentration such that the core remains subcritical out to 7 days. Therefore, the staff finds that the NuScale design meets the policy of SECY-96-128 regarding the capability to sustain all design-basis events with onsite equipment and supplies for 7 days. SER Section 6.3 contains additional evaluation of the subcriticality assessment beyond 72 hours. As noted above, SER Section 15.0.5 gives the staff's evaluation of long-term cooling and reactivity control, including evaluation of the first 72 hours of this event using FSAR Chapter 15 inputs and design assumptions.

The staff reviewed the fragilities of non-safety-related SSCs and safety-related SSCs determined as part of the SMA in FSAR Section 19.1.5 and the accident sequence cutsets that lead to core damage as described in FSAR Chapter 19 (Table 19.1-17, Dominant Core Damage Sequences (Full Power, Internal Events, Single Module); Table 19.1-18, Dominant Core Damage Cutsets (Full Power, Internal Events, Single Module); and Figure 19.1-2, Event Tree for Chemical and Volume Control System Injection Line Pipe Break Outside Containment, through Figure 19.1-12, Event Tree for Loss of Support System). Based on this review, the staff confirms the applicant's assertion that the seismic margin for the design is not dependent on any SSCs that are not safety related.

Criterion C: SSC functions relied on under power-operating and shutdown conditions to meet the Commission goals for CDF of less than 1×10⁻⁴ per year and LRF of less than 1×10⁻⁶ per year and SSCs needed to maintain initiating event frequencies at the comprehensive baseline PRA levels (SECY-94-084, II. Specific Steps in the RTNSS Process for Each Design, 3. Focused PRA).

The staff reviewed the focused PRA sensitivity studies described in FSAR Section 19.1 that quantify the importance of systems that are not safety-related in mitigating events. The focused PRA sensitivity study results for the Level 1 internal events at full power and Level 2 models were below the Commission's goal guidelines for CDF and LRF. The staff confirmed that there are no non-safety-related design features that are needed to reduce the CDF or LRF below the Commission goals and subsequently need to be included in RTNSS. Thus, the staff finds that the results of the focused PRA demonstrate that the Commission's CDF and LRF goals are met with only safety-related SSCs.

The staff also reviewed initiators of transients and accidents to verify that the applicant has correctly identified the non-safety-related SSCs that require evaluation of risk significance based on their contribution to PRA initiating event frequencies. The staff reviewed the implications of potential risk-significant initiating events caused by non-safety-related SSCs. The staff found that the core damage risk profile for the US460 (SDA) design is significantly different from the US600 (DCA) design. In the US600 design, drop of a module during refueling accounted for over 95 percent of total CDF. Consequently, the staff did not identify any SSCs that needed to be included under RTNSS. In contrast, in the US460 design, incomplete ECCS actuation dominates the core damage risk profile. Changes in the US460 design result in increased ECCS demand, which increases the potential for incomplete ECCS actuation thereby resulting in core damage. Loss of non-safety-related ac power for longer than 24 hours results in ECCS actuation.

FSAR Section 19.3.2.3, Regulatory Treatment of Nonsafety Systems C, states the following:

"No nonsafety-related SSC are credited to meet NRC safety goals, to reduce the occurrence of initiating events, or to compensate for the uncertainties regarding passive systems in the PRA and in the modeling of severe accident phenomenology. Therefore, no nonsafety-related SSC meet the RTNSS C criteria."

Based on its review, the staff verified that NuScale addressed the following screening criteria, as stated on page 19.3-10 of SRP Section 19.3, Revision 0:

a. Does the calculation of the initiating event frequency consider the nonsafety-related SSCs?

b. Does the unavailability of the nonsafety-related SSCs significantly affect the calculation of the initiating event frequency?

c. Does the initiating event significantly affect the CDF and LRF? [i.e., contribute to more than 10 percent of the at-power or shutdown internal events CDF as stated in the footnote on page 19.3-10 of SRP Section 19.3, Revision 0]

Based on the staff's review of the event trees submitted in FSAR Chapter 19, the two backup diesel generators (BDGs) are the only SSCs that completely avoid the need for ECCS actuation in the US460 design. The staff's review of the core damage sequences from the NuScale internal events PRA, as reported in FSAR Table 19.1-17, identified that over 25 percent of the internal events CDF caused by losses of offsite power is mitigated by the two BDGs without the need to initiate ECCS. Therefore, successful operation of the BDGs directly impacts the SDAA frequency of station blackout and ECCS actuation for each NPM. The staff also notes that the two BDGs support all six NPMs in the US460 design, compounding the impact of the reliability of the BDGs. However, loss of the BDGs does not cause a LOOP or any other initiating event. The BDGs are used to mitigate LOOPs. Since (1) the BDGs do not prevent the occurrence of an initiating event, (2) the BDGs are not needed for long-term, post-accident plant capabilities, and (3) the BDGs are not needed to support defense-in-depth systems, they are not scoped into the RTNSS program consistent with SRP Section 19.3.

Based on its review of NuScale's letter dated May 24, 2024 (ML24145A106), and the regulatory audit, the staff also noted that the initiating event frequency for LOOP in the internal events PRA includes extratropical straight winds, F0 and F1 tornadoes, and Category 1 and 2 hurricanes. Based on FSAR Table 8.3-2, Classification of Structures, Systems, and Components, all components of the backup power supply system, including the BDG enclosures, are seismic Category III.
Based on NuScale's May 24, 2024, letter, the BDG enclosure is rated for wind speeds in excess of the weather-related events considered in the LOOP initiating event (F0 and F1 tornadoes and Category 1 and 2 hurricanes).

Criterion D: SSC functions needed to meet the containment performance goal, including containment bypass, during severe accidents.

The staff verified that the applicant evaluated non-safety-related SSCs credited in meeting the following NRC containment performance goals for inclusion in the scope of the RTNSS program:

The containment should maintain its role as a reliable, leak-tight barrier by ensuring that containment stresses do not exceed ASME service level C limits for a minimum period of 24 hours following the onset of core damage, and that following this 24-hour period the containment should continue to provide a barrier against the uncontrolled release of fission products.

The CCFP determined from the Level II PRA is less than or equal to 0.1.

The staff reviewed the focused PRA, and specifically the results in FSAR Table 19.1-22 and Table 19.1-31, External Events Considered for Operations at Power, and confirmed that only safety-related passive systems are relied on to meet the containment performance goal. The staff finds that the safety-related mitigating systems are fail-safe on loss of power and do not rely on non-safety-related support systems such as heating, ventilation, and air conditioning and instrument air. The staff reviewed the relevant Level 2 PRA information in FSAR Section 19.1 and found that containment failure resulting from bypass or CIV failure is the only mode of containment failure modeled in the CETs. FSAR Section 19.2 discusses the Level 2 PRA, and SER Section 19.2 documents the staff's review and its results.

Criterion E: SSC functions relied on to prevent significant adverse system interactions between passive safety-related systems and active non-safety-related SSCs.

The staff reviewed the design of the passive safety-related systems and non-safety-related active systems that interface with the passive systems as described in the FSAR. The passive safety-related systems include the ECCS, CNV, DHRS, and UHS.
As discussed in FSAR Section 6.2.2, Containment Heat Removal, and Section 6.2.4.2.2.3, Piping Systems Closed to Containment and not Connected to the Reactor Coolant Pressure Boundary, respectively, operation of both the ECCS and DHRS occurs normally with the containment isolated. Consequently, with the exception of the pressurizer heaters housed inside the reactor vessel, these systems are isolated from all active non-safety-related systems during operation. This isolation provides reasonable assurance that adverse interaction with active non-safety-related systems outside of containment will be precluded.

As stated in FSAR Section 5.4.5.2, System Design, the pressurizer heaters are controlled from the non-safety-related module control system. The MPS provides a safety-related trip function on low pressurizer level that actuates safety-related pressurizer heater circuit breakers to remove power to the heaters before the pressurizer level reaches the top of the pressurizer heaters. This function ensures the integrity of the reactor coolant pressure boundary if the heaters were to be uncovered. Thus, the plant design includes safety-related equipment to prevent an adverse interaction between the non-safety-related pressurizer heaters and the ECCS. This shows that no additional non-safety-related equipment is needed to prevent adverse interaction with the ECCS.

The UHS removes the decay heat from each module, maintaining the core temperature at low levels after a LOCA resulting in the initiation of the ECCS. As discussed in FSAR Section 9.2.5.2.1, General Description, and Table 3.8.4-5, Classification of Structures, Systems, and Components, the UHS pool liner has the function of preventing potential pool inventory leakage from the reactor pool. The reactor pool interfaces with non-safety-related systems for cooling the pool and adding makeup to the pool when needed. As further discussed in FSAR Section 9.2.5.2.1 and Figure 9.1.3-2, Ultimate Heat Sink Water Level and Plant Feature Elevations, penetrations from these systems into the pool are located at a sufficiently high elevation to preclude the inadvertent draining of water from the pool that would adversely impact the ability of the pool to act as a heat sink. The staff finds that the design features of the reactor pool show that non-safety-related systems that interface with the reactor pool do not cause adverse interactions.

During the review of the applicant's PRA, the staff did not identify SSCs that meet RTNSS Criterion E.

Combined License Information Items

Table 19.2-1 NuScale COL Information Items for FSAR Section 19.2

| COL Item No. | Description | FSAR Section |
|---|---|---|
| 19.3-1 | An applicant that references the NuScale Power Plant US460 standard design will identify site-specific Regulatory Treatment of Nonsafety Systems structures, systems, and components and applicable process controls. | 19.3.1 |

The staff finds the COL information item to be reasonable.

Conclusion

The staff evaluated the applicant's assessment of the need for RTNSS using the guidance in SRP Section 19.3. The staff finds the applicant's evaluation of the five RTNSS scoping criteria reasonable and agrees that no non-safety-related SSCs require additional regulatory treatment.
The staff confirmed that (1) non-safety-related SSCs are not relied on to address the beyond-design-basis requirements for an ATWS event or a station blackout event, (2) no non-safety-related SSCs need to be relied on for ensuring long-term safety and addressing seismic events, (3) the Commission goals for CDF and LRF are achieved without reliance on non-safety-related SSCs, (4) the containment performance goal is achieved without reliance on non-safety-related SSCs, and (5) there are no adverse interactions with non-safety-related SSCs that could prevent the performance of passive safety-related SSC functions. Based on the above, the staff confirms that the applicant has adequately addressed the RTNSS criteria in its assessment and finds that no SSCs meet the criteria for requiring additional regulatory treatment. Therefore, the staff concludes that the applicant conformed to the guidelines in SECY-94-084, SECY-95-132, and their associated SRM.

19.4 Strategies and Guidance to Address Mitigation of Beyond-Design-Basis Events

An applicant that references the NuScale Power Plant US460 standard design has the responsibility of addressing mitigation of beyond-design-basis events in accordance with 10 CFR 50.155, Mitigation of beyond-design-basis events.

19.5 Adequacy of Design Features and Functional Capabilities Identified and Described for Withstanding Aircraft Impacts

Introduction

This section describes the staff's evaluation of design features and functional capabilities credited by the applicant to show that the facility can withstand the effects of a large commercial aircraft impact. NuScale FSAR Section 19.5, Adequacy of Design Features and Functional Capabilities Identified and Described for Withstanding Aircraft Impacts, describes these design features, functional capabilities, and the assessment.

The impact of a large commercial aircraft is a beyond-design-basis event. Under 10 CFR 52.137(a)(26) and 10 CFR 50.150, Aircraft impact assessment, applicants for new nuclear power reactors, including applicants for an SDA, are required to perform a design-specific assessment of the effects on the facility of the impact of a large commercial aircraft. Applicants are required to submit a description of the design features and functional capabilities identified by the assessment (key design features) in their application, along with a description of how the identified design features and functional capabilities meet the acceptance criteria in 10 CFR 50.150(a)(1).

The Statements of Consideration for the Aircraft Impact Assessment (AIA) Rule¹ pertaining to new nuclear power reactors states the following:

"The NRC decision on an application subject to 10 CFR 50.150 will be separate from any NRC determination that may be made with respect to the adequacy of the impact assessment which the rule does not require be submitted to the NRC."
As the AIA is not submitted to the NRC for its review, the staff's review described in this section is to determine whether descriptions of the design features and functional capabilities are complete enough so that there is reasonable assurance that the acceptance criteria in 10 CFR 50.150(a)(1) can be met, assuming the design features and functional capabilities perform their intended functions. Applicants subject to 10 CFR 50.150 must make the complete AIA available for an NRC inspection at the applicant's offices or their contractor's offices upon the staff's request, in accordance with 10 CFR 50.70, Inspections; 10 CFR 50.71, Maintenance of records, making of reports; and Section 161, General Provisions, item c, of the Atomic Energy Act of 1954, as amended. The outcome of an NRC inspection is not part of this report.

Summary of Application

FSAR: In FSAR Section 19.5, the applicant stated that an AIA was performed in accordance with the requirements in 10 CFR 50.150(a)(1), using the methodology described in NEI 07-13, Revision 8, Methodology for Performing Aircraft Impact Assessments for New Plant Designs, issued April 2011, as endorsed by the NRC in RG 1.217, Guidance for the Assessment of Beyond-Design-Basis Aircraft Impacts, issued August 2011 (ML092900004), and SRP Section 19.5, Adequacy of Design Features and Functional Capabilities Identified and Described for Withstanding Aircraft Impacts, issued April 2013 (ML12276A112). Based on the results of the assessment, the applicant identified a set of key design features to show that the acceptance criteria in 10 CFR 50.150(a)(1) are satisfied. These key design features are reported in FSAR Section 19.5, along with references to other sections of the FSAR that provide additional details.

¹ "Applicants for new nuclear power reactors" is defined in the Statements of Consideration for the Aircraft Impact Rule (74 FR 28112; June 12, 2009).

ITAAC: There are no ITAAC associated with this area of review.

Technical Specifications: There are no generic TS associated with this area of review.

Technical Reports: There are no technical reports associated with this review.

Regulatory Basis

To perform this review, the NRC staff used the relevant regulations and guidance described below.

Applicable Regulations

In 10 CFR 50.150(a)(1), the NRC requires that applicants perform a design-specific assessment of the effects on the facility of the impact of a large commercial aircraft. Using realistic analyses, the applicant shall identify and incorporate into the design those features and functional capabilities to show that, with reduced use of operator actions, (1) the reactor core remains cooled, or the containment remains intact, and (2) spent fuel cooling or spent fuel pool (SFP) integrity is maintained. The applicant indicated that it meets the 10 CFR 50.150(a)(1) acceptance criteria by including features in the NuScale US460 standard power plant design that can maintain core cooling and keep the containment intact and maintain SFP integrity.

In 10 CFR 50.150(b), the NRC requires that the FSAR include a description of (1) the design features and functional capabilities that the applicant has identified for inclusion in the design to show that the facility can withstand the effects of a large commercial aircraft impact in accordance with 10 CFR 50.150(a)(1) and (2) how those design features and functional capabilities meet the assessment requirements of 10 CFR 50.150(a)(1).
Review Guidance

RG 1.217, Revision 0, provides guidance for applicants to demonstrate compliance with the NRC regulations for the AIA. In particular, this RG endorses the methodologies described in NEI 07-13, Revision 8. SRP Section 19.5 provides guidance for meeting the requirements in 10 CFR 50.150(a)(1) and (b).

Technical Evaluation

The staff reviewed the AIA information in FSAR Section 19.5 and provides the evaluation of how the applicant's assessment was formulated in SER Section 19.5.4.1, and the evaluation of the applicant's key design feature descriptions in SER Sections 19.5.4.2 through 19.5.4.5.

Reasonably Formulated Assessment

The staff reviewed the AIA application in FSAR Section 19.5 to determine whether qualified analysts had performed the AIA. In a letter dated October 31, 2023 (ML23304A524), the applicant stated the following:

"[T]he aircraft impact assessments are performed by qualified and experienced personnel in applying the approved methodology in NEI 07-13 Rev 8. Personnel qualifications meet NuScale Power, LLC Quality Assurance Program Description, MN-122626, Revision 0. The indoctrination, training, and qualification programs are commensurate with scope, complexity, and importance of the activities."

The applicant provided a well-supported basis for the staff to find that NuScale employees and contractors performing the AIA are qualified, consistent with the guidance of SRP Section 19.5, Section III, Item 1 and Item 2.

The applicant stated in FSAR Section 19.5.2, Scope of the Assessment, that the scope of the AIA included the assessment of physical damages resulting from the impact of the aircraft, shock-induced damages resulting from vibration, and fire damages from aviation fuel fire to SSCs necessary to ensure adequate cooling of the fuel in the reactor cores and maintain SFP integrity. The applicant also stated in FSAR Section 19.5.1, Introduction and Background, and Section 19.5.3, Assessment Methodology, that its AIA is based on the guidance of NEI 07-13, Revision 8, with no exceptions.

Based on the applicant's use of this NRC-endorsed guidance document, combined with the use of qualified analysts and the comprehensive scope of the analyses, the staff finds that the applicant has performed a reasonably formulated assessment.

Design Features for Core Cooling

FSAR Section 19.5.5.2, Core Cooling, identifies and describes the NPMs, RCS, CNV, DHRS, ECCS, and UHS as key design features for ensuring containment remains intact and core cooling is maintained following the impact of a large commercial aircraft.
FSAR Section 19.5.5.2 also identifies and describes CIVs, including the main steam isolation valves and feedwater isolation valves, as key design features for core cooling. FSAR Section 19.5 states that the AIA results show that, because of the location of these credited design features inside the RXB, they are not susceptible to physical, fire, and shock damage. During its review, the staff ensured the FSAR appropriately identified and described key design features required for core cooling as required by 10 CFR 50.150(b). The staff used its evaluation documented in other sections of this report to confirm that these features are also suitable for maintaining core cooling following impact by a large commercial aircraft. The staff notes that these systems have been specifically designed to perform core cooling functions during normal power operation and following design-basis events initiated during power operation; therefore, this equipment is expected to be appropriately designed with sufficient capability to meet the core cooling requirements of 10 CFR 50.150. The staff also confirmed that all these design features are automatic or can be initiated and operated from the control room or an alternate location, and require little, if any, further operator intervention to maintain the core cooling function.

FSAR Section 19.5.5.2 identifies and describes the CRDS as a key design feature for ensuring that the reactor is scrammed. FSAR Section 19.5.5.2 states that the abilities to scram the reactors, isolate containment, and actuate the DHRS from the MCR, as described in FSAR Chapter 7, Instrumentation and Controls, are key design features for ensuring the reactor is tripped, containment is isolated, and the DHRS is actuated before aircraft impact. The staff finds this acceptable because no physical, fire, or shock damage is expected to impact the CRDS because of its design and location within the RXB.

The staff reviewed the FSAR for required operator actions and plant parameters that are available to the operators to monitor and ensure that the identified design features are performing as expected following the impact of a large commercial aircraft. FSAR Section 19.5.5.5, Plant Monitoring and Control, states that, upon notification of the aircraft threat, operators trip the individual NPMs and initiate containment isolation and the DHRS. FSAR Section 19.5.5.2 adds that the ECCS automatically initiates without requiring manual operator action. Additionally, FSAR Section 19.5.5.5 states that monitoring functions are expected to remain available following the aircraft impact; however, if monitoring after aircraft impact is determined to be unavailable, mitigating strategies for the loss of large area beyond-design-basis event are invoked. The staff finds this approach acceptable because, although plant monitoring is expected to be available following the impact of a large commercial aircraft, if it is lost and operators cannot determine that the identified core cooling design features are performing as expected, operators will transition to the strategies required by 10 CFR 50.155(b)(2).
Based on the staff's review of FSAR Section 19.5 and the applicant's use of the NRC-endorsed guidance document NEI 07-13, Revision 8, the staff finds that the applicant performed a reasonably formulated analysis within the AIA to identify key design features necessary for core cooling. In addition, the staff finds the applicant's description of the key design features for maintaining core cooling to be adequate and acceptable, and therefore meeting the requirements of 10 CFR 50.150(b).

Key Design Features That Protect Core Cooling Design Features

All six NuScale NPMs, the UHS, and the SFP are located inside the RXB. The below-grade portions of the RXB are assumed to be non-susceptible to a direct aircraft impact, and no credit is given to any adjacent buildings or structures as intervening structures. The AIA assesses the effects of core cooling equipment damage footprints, taking into account key design features. Core cooling equipment that is within the damage footprints is assumed to lose the ability to perform its function. The remaining core cooling equipment is then evaluated to determine whether adequate cooling of fuel can be maintained in the reactors and SFP. The key design features and functional capabilities that protect the core cooling design features are described below. They include fire barriers and fire protection features, plant arrangement and plant structural design features, and the ability to survive shock-induced vibrations.

19.5.4.3.1 Fire Barriers and Fire Protection Features

The staff reviewed FSAR Section 9.5.1, Fire Protection Program, and verified that the NuScale US460 standard design specifies the use of 3-hour, 5 pounds per square inch differential (psid) rated barriers, including walls, floors, and ceilings, for separating fire areas, and all fire barrier penetrations are protected with 3-hour rated penetration seals, doors, or dampers. This key design feature prevents fire spread between fire areas and limits the fire and shock-induced damages in the RXB. Therefore, based on the robust fire barrier design in conjunction with the installed fire protection features such as fire detection and suppression systems in the RXB, the staff determines that the NuScale US460 standard design's fire barriers and fire protection features should provide adequate protection of core cooling equipment from the impact of a large commercial aircraft and minimize the effects of internal fire spread. Based on its review, the staff finds the applicant's description of the design of the RXB fire barriers as a key design feature for protecting core cooling equipment from postulated aircraft impacts to be acceptable because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

19.5.4.3.2 Reactor Building

The staff reviewed the FSAR to ensure that the applicant had performed a reasonably formulated assessment of the capability of the RXB to protect core cooling equipment.

19.5.4.3.2.1 Design of the Reactor Building

Design of the Reactor Building

FSAR Section 19.5.4.1, Physical Damage, identifies and describes the design of the RXB, as described in Appendix 3B.2, Reactor Building, as a key design feature for the RXB external walls to resist physical damage from postulated aircraft strikes. To verify the accuracy of the description, the staff reviewed general arrangement drawings in FSAR Figure 1.2-1, Conceptual Site Layout; Figure 1.2-3, Cutaway Illustration of 6 Module Configuration; and Figure 1.2-8, Reactor Building 25-0 Elevation, through Figure 1.2-17, Reactor Building North-South Section View (plan and section views); Section 3.8.4.1.1, Reactor Building, and Appendix 3B.2.
The staff reviewed the descriptions and figures in FSAR Section 3.8.4.1.1 and Appendix 3B.2 and notes that the RXB consists of reinforced concrete basemat, slabs, and walls and steel-plate composite (SC) walls, and that a seismic Category I portion of the RXB structure is deeply embedded in soil and supported on a single basemat foundation. The RXB has thick, reinforced concrete floor slabs. The RXB roof is a composite section consisting of a concrete slab and steel girders. The RXB also has SC walls in east-west and north-south directions.

The staff also reviewed FSAR Section 19.5.1 and the applicant's letter dated March 29, 2024 (ML24089A212 public; ML24089A213 nonpublic), and notes that the applicant's design-specific aircraft assessment includes an analytical evaluation and experimental verification for the RXB external SC walls subjected to the aircraft impact loading in accordance with the guidelines in NEI 07-13, Revision 8, Section 2.4.1(4), without exceptions. The staff further reviewed FSAR Section 19.5.4.1 and finds that the applicant's design-specific aircraft assessment demonstrates that the RXB external SC walls have been evaluated and shown to resist physical damage from all postulated aircraft strikes, and there is no perforation of the RXB outer wall. SER Section 19.5.4.3.3 documents the staff's evaluation of shock damage.

Based on its review, the staff finds acceptable the applicant's description of the design of the RXB as a key design feature for ensuring that the RXB external walls can resist physical damage from postulated aircraft strikes, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

Steel-Plate Composite Wall to Reinforced Concrete Slab Connections

FSAR Section 19.5.4.1 identifies and describes the reinforcing of the SC wall to reinforced concrete slab connections at the 146-foot 6-inch elevation and the 187-foot 6-inch elevation in the RXB as a key design feature for strengthening the wall-to-slab connection. The staff reviewed the slab reinforcement detail and the SC wall to reinforced concrete slab connection detail in Figure 1, Slab Reinforcement Detail, and Figure 2, Section View, shown in the applicant's letter dated March 29, 2024 (ML24089A212 public; ML24089A213 nonpublic), and the connection detail between roof and SC wall in Figure 1, Connection Between Roof and SC Wall, shown in the same letter. In addition, the staff reviewed FSAR Section 19.5.4.1 and notes that additional concrete slab reinforcing is provided as required and welded to the SC face plates to strengthen the reinforcing concrete slab to SC wall connection at the 146-foot 6-inch elevation and the 187-foot 6-inch elevation during an aircraft impact strike, and reinforcement within the slab at the 146-foot 6-inch elevation prevents structural perforations that could allow physical damage and fire into portions of the RXB where safety-related equipment is housed. Based on its review, the staff finds acceptable the applicant's description of the reinforcing of the SC wall to reinforced concrete slab connection at the 146-foot 6-inch elevation and the 187-foot 6-inch elevation in the RXB as a key design feature for strengthening the wall-to-slab connection, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).
Local Detailing with Tie Rods in SC Wall to SC Wall Connection Region

FSAR Section 19.5.4.1 identifies and describes local detailing with tie rods spaced horizontally and vertically in the SC wall to SC wall connection region as required at postulated aircraft strike locations as a key design feature for strengthening the SC wall to SC wall connection region. The staff reviewed the details of wall-to-wall connection and the details of wall-to-wall intersections in Figure 1, Details of Wall-to-Wall Connection, and Figure 2, Details of Wall-to-Wall Intersection, shown in the applicant's letter dated March 29, 2024 (ML24089A212 public; ML24089A213 nonpublic). In addition, the staff reviewed FSAR Section 19.5.4.1 and notes that the wall-to-wall connections that require tie rods are located at four intersections: RX-1 and RX-B, RX-1 and RX-D, RX-6 and RX-B, and RX-6 and RX-D. These tie rods, which connect the front and back steel plates, are spaced horizontally and vertically in the SC wall to SC wall connection region of the RXB to strengthen the SC wall to SC wall connection region during an aircraft impact strike. Based on its review, the staff finds the applicant's description of local detailing with tie rods spaced horizontally and vertically in the SC wall to SC wall connection region as required at postulated aircraft strike locations to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

Structural Steel Beam Seat Connections at Roof

FSAR Section 19.5.4.1 identifies and describes structural beam seat connections that connect the roof beams to the SC walls on column lines RX-B and RX-D on 187-foot elevation in the RXB as a key design feature for preventing the structural steel beams from falling from the roof. The staff reviewed details of structural beam seat connections in Figure 1, Connection Between Roof and SC Wall, shown in the applicant's letter dated March 29, 2024 (ML24089A212 public; ML24089A213 nonpublic). In addition, the staff reviewed FSAR Section 19.5.4.1 and notes that these beam seats are constructed with steel brackets and are required to support the structural steel beams during and after an aircraft impact and to prevent the structural steel beams from falling from the roof. Based on its review, the staff finds the applicant's description of structural steel beam seat connections that connect the roof beams to the SC walls on column lines RX-B and RX-D on 187-foot elevation to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

Local Reinforcement in the Vicinity of the Reactor Building Equipment Door in the SC Wall

FSAR Section 19.5.4.1 identifies and describes the local reinforcement in the vicinity of the RXB equipment door in the SC wall as a key design feature for strengthening the SC wall locally around the RXB equipment door. The staff reviewed FSAR Section 19.5.4.1. The staff also reviewed the location and construction details of the RXB equipment door in FSAR Figure 1.2-13, Reactor Building 100-0" Elevation, and Figure 19.5-1, General Arrangement Reactor Building Equipment Door. The staff notes that the RXB equipment door is located on the west end of the 100-foot elevation of the RXB between column grids RX-B and RX-C along column grid RX-1, and local reinforcement in the vicinity of the RXB equipment door in the SC wall is required to support the RXB equipment door.
In addition, the applicant stated that the RXB external walls have been assessed and shown to resist physical damage from all postulated aircraft strikes. Based on its review, the staff finds the applicant's description of local reinforcement in the vicinity of the RXB equipment door in the SC wall to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

Crane Rail Support Corbels

FSAR Section 19.5.4.1 identifies and describes the size of the crane rail support corbels as a key design feature for providing secondary protection for supporting crane girder dislodgement. The staff reviewed FSAR Section 19.5.4.1 and FSAR Figure 1.2-17. The staff notes that the crane rail support corbels are designed to provide secondary protection for supporting the crane girder dislodgement. Based on its review, the staff finds the applicant's description of the size of the crane support corbels that provides secondary protection for supporting crane girder dislodgement to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

Connection of the 48 inch and 60 inch SC Walls

FSAR Section 19.5.4.1 identifies and describes the connection of the 48 inch and 60 inch SC walls on column lines RX-B and RX-D as key design features for strengthening the SC wall to SC wall connection region. The staff reviewed FSAR Section 19.5.4.1 and FSAR Figure 1.2-17. The staff notes that the connection of the 48 inch and 60 inch SC walls on column lines RX-B and RX-D is strengthened using shear tie plates, the reinforced knuckle, and the continuation of internal face plate along with studs. Based on its review, the staff finds the applicant's description of the connection of the 48 inch and 60 inch SC walls on column lines RX-B and RX-D to be acceptable, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

19.5.4.3.2.2 Design of the Reactor Building Equipment Door

FSAR Section 19.5.4.1 identifies and describes the design of the RXB equipment door as a key design feature for protecting core cooling equipment from impacts through the radwaste building trolley bay. The staff reviewed the descriptions in FSAR Section 19.5.4.1 and location and construction details of the RXB equipment door in FSAR Figure 1.2-13, Reactor Building 100-0" Elevation, and Figure 19.5-1, General Arrangement Reactor Building Equipment Door, as well as in the applicant's letter dated March 29, 2024 (ML24089A212 public; ML24089A213 nonpublic).
The staff notes that the RXB equipment door is located on the west end of the 100-foot elevation of the RXB between column grids RX-B and RX-C along column grid RX-1. It consists of two doors, and the outer door (impact door) is designed to serve as a barrier for aircraft impact and other design-basis conditions and to be wider on each side of blast door framing to support bearing on the SC walls. The applicant stated that the RXB external walls have been assessed and shown to resist physical damage from all postulated aircraft strikes.

The staff reviewed information on expected frequency and duration of the RXB equipment door in the open position to ensure consistency and applicability of the AIA methodologies prescribed in NEI 07-13 related to assumptions and treatment of openings in structures of concern. FSAR Section 19.5.4.1 states that procedural controls minimize the amount of time the RXB equipment door is open to ensure a low likelihood of exposure to an aircraft impact. The applicant's letter dated March 29, 2024 (ML24089A212 public; ML24089A213 nonpublic), clarifies that the RXB equipment door ((

}}. The staff finds that procedural controls to minimize the amount of time the RXB equipment door will be open, with the clarification provided in the applicant's same letter, are acceptable for ensuring a low likelihood of exposure to an aircraft impact and acceptable for application of the methodologies provided in NEI 07-13.

Based on its review, the staff finds acceptable the applicant's description of the design of the RXB equipment door as a key design feature for protecting core cooling equipment from impacts through the radwaste building trolley bay and the controls to limit the duration the RXB equipment door will remain open because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

19.5.4.3.2.3 Design of the Reactor Building Penetrations and Piping Protections

FSAR Section 19.5.4.1 identifies and describes the design of the RXB penetration and piping protections as key design features for preventing physical damage and fire from damaging equipment necessary to fulfill requirements of 10 CFR 50.150(a)(1)(i) and 10 CFR 50.150(a)(1)(ii). The staff reviewed FSAR Section 19.5.4.1, Figure 1.2-14, Reactor Building 126-0" Elevation, and Figure 1.2-17, and the reinforcing details in Figure 1, Conceptual Reinforcement Layout for the RC Shroud, as shown in the applicant's letter dated March 29, 2024 (ML24089A212 public; ML24089A213 nonpublic). The staff notes that the RXB penetration and piping protections are located at exterior wall penetrations above grade, primarily where main steam and feedwater pipes exit the RXB, and they are constructed of reinforced concrete to protect the RXB penetration and piping. Based on its review, the staff finds acceptable the applicant's description of the design of the RXB penetration and piping protections as a key design feature for preventing physical damage and fire from entering the RXB, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).
19.5.4.3.2.4 Design of the Reactor Building Crane

FSAR Section 19.5.4.1 identifies and describes the design of the RBC, as described in FSAR Section 9.1.5, as a key design feature for ensuring that impact loads on the exterior wall of the RXB do not result in the crane falling into the reactor pool area and damaging the NPM or damaging the RXB structure containing the UHS. The staff reviewed FSAR Section 9.1.5 and Figure 9.1.5-1, Reactor Building Crane Safe Load Path, through Figure 9.1.5-3 and notes that the RBC is a bridge that rides on rails anchored to the RXB. The RBC is designed in accordance with the requirements of ASME NOG-1 for Type I cranes as specified in FSAR Table 9.1.5-1, Heavy Load Handling Equipment Design Data, so a credible failure of a single component does not result in the loss of capability to stop and hold a critical load. The staff also notes the RXB safe load path marked in FSAR Figure 9.1.5-1. In addition, FSAR Section 9.1.5.3, Safety Evaluation, states that the design of the RBC main hoist and the seismic analysis ensure that SSCs are able to withstand the SSE and not drop the load, and the cranes are designed with a system of interlocks that prevents movement in heavy load exclusion zones to prevent impacts. Further, FSAR Section 19.5.4.1 states that the design of the RBC ensures that impact loads from an aircraft impact on the exterior wall of the RXB do not result in the crane falling into the reactor pool area and either damaging the NPMs or damaging the RXB structure containing the UHS. The applicant accounted for the RBC in an approach similar to that used for damage to the polar crane, as specified in Section 3.3.1, Damage Rule Sets for Containment Structures, of NEI 07-13, Revision 8. The staff also reviewed the applicant's letter dated March 29, 2024 (ML24089A212 public; ML24089A213 nonpublic), and finds that the SFP liner is not a key design feature because the SFP is completely below grade, so an aircraft impact cannot strike the pool or the pool liner. Based on its review, the staff finds acceptable the applicant's description of the design of the RBC as a key design feature for preventing damage of the NPMs or the RXB structure containing the UHS, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

19.5.4.3.2.5 Shock Damage

The impact of a commercial aircraft on the RXB structure causes a short-duration, high-acceleration, high-frequency vibration. Shock damage distances are measured from the center of the initial impact along a structural pathway to affected equipment. The applicant stated that there is no SSC susceptible to shock (sensitive electronics or active components) on the NPMs that interrupt or prevent successful core cooling once the reactor is tripped, the DHRS is actuated, and containment is isolated. Since 3-hour, 5-psid fire barriers, including walls, floors, fire dampers, doors, equipment access door, and penetration seals, are provided in the RXB, shock damage is limited to the areas adjacent to the impact location. The applicant has determined that affected equipment at the 55-foot, 70-foot, 85-foot, 100-foot, 126-foot, and 146-foot 6-inch elevations is not required to maintain core cooling or spent fuel cooling. Since the SFP is below grade, shock effects do not affect the SFP structure nor its ability to retain the pool water inventory. Based on the applicant's use of the NRC-endorsed guidance document NEI 07-13, Revision 8, and the assessment scope that includes shock vibration, the staff finds that the applicant has performed a reasonably formulated shock analysis within the AIA.

Design Features for Maintaining an Intact Containment

The CNTS is an integral part of the NPM and provides primary containment for the RCS.
The CNTS includes the CNV, CNV supports, CIVs, passive containment isolation barriers, and containment instruments. As discussed above, the various key design features of the RXB preclude physical, fire, or shock damages to the equipment required to maintain core cooling in the NPMs in an aircraft impact event. Therefore, the NRC staff determines that the containment remains fully intact.

Spent Fuel Pool Integrity

Design and Location of the Fuel-Handling Equipment and Reactor Building Crane

FSAR Section 19.5.5.3, Spent Fuel Pool Integrity, identifies and describes how the design and location of the fuel-handling equipment (FHE) and RBC, as described in FSAR Section 9.1.4, Fuel Handling Equipment, and Section 9.1.5, and shown in FSAR Figure 9.1.4-1, Refueling Floor Layout, and Figure 9.1.5-1, are key design features for ensuring that the hoists remain intact and cannot fall into the SFP. The staff reviewed FSAR Section 9.1.4 and Figure 9.1.4-1 and notes that the FHE consists of the fuel-handling machine, new fuel jib crane, and new fuel elevator. The applicant stated in FSAR Section 9.1.4.2.2, Major Component Description, that (1) the seismic restraints prevent the fuel-handling machine bridge from overturning or coming off its rails during a seismic event, (2) the new fuel jib crane is mounted to the refueling floor and has a hoist that moves across a jib beam that rotates around the stationary base of the crane, and (3) the new fuel elevator has fixed rails that are mounted to the side of the SFP that carry a removal basket vertically, and vertical travel limit controls ensure adequate shielding of spent fuel assemblies.

The staff also reviewed FSAR Section 9.1.5 and Figures 9.1.5-1 through 9.1.5-3 and notes that the RBC consists of a bridge, trolley, main hoist, and two auxiliary hoists, and the RBC bridge is supported by runway rails anchored to the RXB. FSAR Section 9.1.5.2.2 states that the RBC trolley is supported by the bridge and travels across the width of the pool on the bridge rails, and the trolley supports and transfers the lifted load to the bridge by the main hoist. The RBC is designed in accordance with the requirements of ASME NOG-1 for Type I cranes, as specified in FSAR Table 9.1.5-1, and the RXB safe load path is marked in FSAR Figure 9.1.5-1. In addition, FSAR Section 9.1.5.3 states that the design of the RBC main hoist and the seismic analysis ensure that SSCs are able to withstand the SSE and not drop the load, and the cranes are designed with a system of interlocks that prevents movement in heavy load exclusion zones to prevent impacts. Further, FSAR Section 19.5.4.1 states that the trolleys cannot be dislodged to fall into the reactor pool. Based on its review, the staff finds acceptable the design and location of the FHE and RBC as key design features for ensuring that the hoists remain intact and cannot fall into the SFP, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).
Design of the Reactor Building Crane

SER Section 19.5.4.3.2.4 documents the staff's safety evaluation of the design of the RBC as a key design feature. The staff finds that the RBC safe load path is marked in FSAR Figure 9.1.5-1, so that the load cannot be handled in the SFP.

Location of the Spent Fuel Pool

FSAR Section 19.5.5.3 identifies and describes the location of the SFP, as described in FSAR Section 9.1.2, New and Spent Fuel Storage, and shown in FSAR Figure 1.2-8 through Figure 1.2-15, Reactor Building 146-6 Elevation, as a key design feature for maintaining SFP integrity from a direct aircraft impact. The staff reviewed FSAR Sections 3.8.4, Other Seismic Category I Structures, 3.8.5, 9.1.2, Appendix 3B.2, and Figures 1.2-8 through 1.2-15, and notes that the walls, floor, and foundation of the SFP are constructed of thick, reinforced concrete with a stainless steel liner. Because the SFP is located below grade, there is no loss of water level, and an aircraft impact cannot strike the pool or the pool liner. On this basis, the staff finds that the integrity of the SFP is maintained. Based on its review, the staff finds acceptable the location of the SFP as a key design feature for maintaining SFP integrity from a direct aircraft impact, because the applicant adequately described the design features and functional capabilities in accordance with 10 CFR 50.150(b).

Combined License Information Items

There are no COL information items.

Conclusion

The staff determined that the applicant has performed an AIA that is reasonably formulated to identify design features and functional capabilities that show, with reduced use of operator action, that the acceptance criteria in 10 CFR 52.137(a)(26) and 10 CFR 50.150(a)(1) are met. In addition, the applicant adequately described the key design features and functional capabilities identified and credited to meet the requirements of 10 CFR 50.150, including descriptions of how the key design features satisfy the acceptance criteria in 10 CFR 50.150(a)(1). This includes describing how the facility can withstand the effects of a large commercial aircraft impact such that the reactor core remains cooled, containment remains intact, and SFP integrity is maintained. Therefore, the staff finds that the applicant meets the applicable requirements of 10 CFR 50.150(b).