Overview and Comparison of International Practices Concerning the Requirements on the Single Failure Criterion, with Emphasis on New Water-Cooled Reactor Designs
Presentation at the International Conference on Topical Issues in Nuclear Installation Safety: Safety Demonstration of Advanced Water Cooled Nuclear Power Plants
IAEA Headquarters, Vienna, Austria, 6 to 9 June 2017
Ref No.: CN-251
Ivica Bašić, Ivan Vrbanić, APoSS d.o.o.
Single Failure Criterion?
Similar definitions are used across the various regulatory frameworks (IAEA, US NRC, WENRA, EUR, national regulations, ...).
IAEA SSR-2/1 Rev. 1: A single failure is a failure that results in the loss of capability of a system or component to perform its intended safety function(s), and any consequential failure(s) that result from it.
5.39. Spurious action shall be considered to be one mode of failure when applying the concept to a safety group or safety system.
5.40. The design shall take due account of the failure of a passive component, unless it has been justified in the single failure analysis with a high level of confidence that a failure of that component is very unlikely and that its function would remain unaffected by the postulated initiating event.
Single Failure Criterion? Different demonstrations of the SFC. Concerns:
- Applicability within Defence in Depth (DiD)
- Definition of the SSC boundary
- Definition of the SSC's intended safety function
- Definition of the required SSC capability
- Demonstration of capability with different DSA approaches (conservative, best estimate, best estimate plus uncertainty, ...)
- Definition of consequential failure
US NRC SECY-77-439 (1977!) identified, among other things, potential problems that had been encountered: additional passive failures (long-term and accelerated wear), valve failures (passive failure of a dropped valve disc), electrical power (and I&C, now very topical because of the amount of digital I&C), operator error, etc.
Levels of Defence in Depth (DiD) for the design of new NPPs (based on INSAG-10, presenting the current approach as derived from SSR-2/1 Rev. 1). For each level: objective / essential design means / essential operational means.
Level 1: Prevention of abnormal operation and failures / Conservative design and high quality in construction of normal operation systems, including monitoring and control systems / Operational rules and normal operating procedures
Level 2: Control of abnormal operation and detection of failures / Limitation and protection systems and other surveillance features / Abnormal operating procedures, emergency operating procedures
Level 3a: Control of design basis accidents (postulated single initiating events) / Engineered safety features (safety systems) / Emergency operating procedures
Level 3b: Control of design extension conditions to prevent core melt / Safety features for design extension conditions without core melt / Emergency operating procedures
Level 4: Control of design extension conditions to mitigate the consequences of severe accidents / Safety features for design extension conditions with core melt; Technical Support Centre / Complementary emergency operating procedures, severe accident management guidelines
Level 5: Mitigation of radiological consequences of significant releases of radioactive materials / On-site and off-site emergency response facilities / On-site and off-site emergency plans
Level of Defence in Depth (DiD) vs plant design conditions in various approaches (columns of the original table: DiD level, initiating event frequency per year, EUR, WENRA, STUK, US NRC, ASME Service Levels).
DiD level and initiating event frequency bands: Level 1: f = 1; Level 2: f > 10^-1; Level 3: 10^-1 < f < 10^-2; Level 4a: 10^-2 < f < 10^-4 and 10^-4 < f < 10^-6; Level 4b: f < 10^-6; Level 5: N/A.
- EUR: DBC 1, Normal Operation; DBC 2, Incidents; DBC 3, Accidents of low frequency; DBC 4, Accidents of very low frequency; Complex Sequences; Severe Accidents
- WENRA: Normal Operation; Anticipated Operational Occurrences; Design Basis Accidents 3.a, Postulated Single Initiating Events; Design Basis Accidents 3.b, Postulated Multiple Initiating Events; DEC A, for which prevention of severe fuel damage in the core or in the spent fuel storage can be achieved; DEC B, with postulated severe fuel damage
- STUK: DBC 1, Normal Operation; DBC 2, Anticipated Operational Occurrences; DBC 3, Class 1 postulated accidents (10^-2 < f < 10^-3); DBC 4, Class 2 postulated accidents (f < 10^-3); DEC A; DEC B; DEC C
- US NRC: Normal Operation; Anticipated Operational Occurrences (AOO); Design Basis Accidents (DBA) (Limiting Faults); Beyond Design Basis Accidents; Severe Accidents
- ASME Service Levels: A, B, C, D
Safety Demonstration - Deterministic Approach
Safety Limits and Limiting Conditions for Operation: peak cladding temperature (PCT); departure from nucleate boiling (DNB); negative reactivity coefficient; primary and secondary pressures; hydrogen production
Adequate Safety Margins
Safety Functions: reactor trip; decay heat removal; subcriticality
Single Failure Criterion: redundancy; diversity; reliability
Human-Machine Interface: procedures; training (simulators)
Design of SSCs. The conditions generated by external and internal hazards, together with criteria for capability, layout, margins, reliability and availability, provide input to the design basis of the SSCs. Although the figure does not differentiate these conditions and criteria for the different families of equipment, it should be considered that the conditions and criteria depend on the safety classification of the specific plant equipment. For example, SSR-2/1 requires the application of the SFC for the design of safety systems for DBAs, while it is not required for the design of safety features for DECs.
Traditional Safety Systems Concepts
SFC applications for new designs?
SFC applications for new passive SSCs?
Figure: Standard PWR vs AP1000 passive safety systems (IRWST, PRHR HX, CMT, Accumulator)
Regulatory Position: SFC application in the context of new water-cooled reactor designs. The original comparison table has six question columns: (1) Is the SFC applied to a safety group or to an individual system? (2) What systems have to meet the SFC? (3) Is the SFC applied during planned maintenance? (4) Is the SFC applied during a repair within the AOT? (5) Is the SFC applied to passive components? (6) Is the SFC applied in addition to assuming failure of a non-tested component?

(1) Entity to which the SFC is applied:
- IAEA: safety system
- WENRA: safety system
- EUR: assembly of safety systems equipment (combination of systems and components that can perform a specific function)
- US NRC: safety system
- Finland (STUK): safety system
- UK: safety system
- Japan: structures, systems and components (SSCs)
- Korea: safety system
- Russia: safety features (safety system elements)
- China: safety system
- Canada: safety group / safety system

(2) Systems that have to meet the SFC. General approach: systems which prevent radioactive releases to the environment. Because of different designs, system names and descriptions vary; they can be related to: Reactor Protection System; Engineered Safety Feature Actuation System; Core Decay Heat Removal System; Emergency Core Cooling System; Containment Decay Heat Removal System; Containment Isolation System; MCR Habitability System; Emergency AC/DC Power; Safety System Support Systems (Component Cooling Water, etc.).

(3) SFC during planned maintenance:
- IAEA, WENRA, EUR, US NRC: not discussed directly in the regulations. The allowable periods of inoperability and the cumulative effects of these periods should be assessed in order to ensure that any increase in risk is kept to acceptable levels.
- Finland (STUK): not discussed directly in the regulations. The PSA shall be used to determine the surveillance test intervals and allowed outage times of systems and components important to safety. In effect this is similar to the position above.
- UK: see IAEA, WENRA, EUR, US NRC above.
- Canada: a request for an exception during testing and maintenance should be supported by a satisfactory reliability argument covering the allowable outage time. This is actually similar to the IAEA, WENRA, EUR and US NRC text, even though section 7.6.2 of REG-DOC-2.5.2 [54] refers to the old IAEA Safety Series No. 50-P-1 [7], which was withdrawn without an applicable replacement.

(4) SFC during a repair within the AOT:
- Finland (STUK): YVL B.1 actually discusses two failure criteria, (N+1) and (N+2).
- UK: see IAEA, WENRA, EUR, US NRC above.

(5) SFC applied to passive components. General approach: fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive equipment functions properly) nor (2) a single failure of a passive component (assuming active equipment functions properly) results in a loss of capability of the system to perform its safety functions. An exemption for passive components exists if a justification of a high standard and quality of design and maintenance is possible.

(6) SFC in addition to an assumed failure of a non-tested component:
- General: not discussed directly in the regulations; see column (4). In other words, if the assessment of a potential failure of any single component designed for the function in a stand-by (non-tested) system shows an increase in risk above acceptable levels, such a test or maintenance activity should be excluded.
- Finland (STUK): YVL B.1 actually discusses the two failure criteria described in column (4). Some systems need to satisfy (N+1) and some (N+2).
Traditional SFC application. A number of particular considerations may be summarized in the following two main points regarding traditional SFC application, which are very frequently encountered in discussions:
- Traditional application of the SFC has, apparently, sometimes led to redundant system components which contribute to adequate and acceptable safety margins but may have only minimal impact on risk, based on conventional risk assessment studies. While maintaining adequate safety margins is a major safety objective, applying the worst single-failure assumption to all DBAs may, in some cases, result in unnecessary constraints on licensees.
- Traditional implementation of the SFC does not consider potentially risk-significant sequences involving multiple (rather than single) failures as part of the DBA analysis. Common-cause failures, some support system failures, multiple independent failures, multiple failures caused by spatial dependencies, and multiple human errors are phenomena that impact system reliability and may not be mitigated by redundant system design alone. Some risk-informed alternatives might consider such failures in DBA analyses if they were more likely than the postulated single-failure events.
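To make the criteria in the comparison table (single active or passive failure, the (N+1)/(N+2) criteria, the effect of a train being out of service within the AOT, the passive-component exemption) and the consequential-failure part of the SSR-2/1 definition concrete, the following Python block is an added worked example written for this page; it is not the presentation's, any regulator's, or any vendor's code. The two-train injection function, its component names, the shared suction header and the per-train power buses are constructed assumptions, not a real plant design.

```python
"""Added worked example: enumerating postulated failures against a redundant safety
function to check the single failure criterion (SFC) and its (N+k) generalisation.

The plant model below is constructed for illustration only."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Component:
    name: str
    kind: str              # "active" (pump, valve) or "passive" (pipe, header, bus)
    train: str             # "A", "B", ... or "shared" for components common to all trains
    supports: tuple = ()   # support components this one needs; their loss is consequential


@dataclass(frozen=True)
class SafetyFunction:
    name: str
    trains: tuple
    required_trains: int   # minimum operable trains for the function to succeed
    components: tuple

    def with_consequential(self, failed):
        """Expand a failure set with consequential failures, as the SSR-2/1 definition
        requires: a component whose support component has failed is lost as well."""
        failed = set(failed)
        grew = True
        while grew:
            grew = False
            for c in self.components:
                if c.name not in failed and any(s in failed for s in c.supports):
                    failed.add(c.name)
                    grew = True
        return failed

    def operable_trains(self, failed):
        """Trains that still work after the given (and consequential) failures."""
        failed = self.with_consequential(failed)
        if any(c.name in failed for c in self.components if c.train == "shared"):
            return set()   # a failed shared component disables every train
        return {t for t in self.trains
                if not any(c.name in failed for c in self.components if c.train == t)}

    def succeeds(self, failed):
        return len(self.operable_trains(failed)) >= self.required_trains

    def n_plus_k_violations(self, k=1, kinds=("active", "passive"),
                            out_of_service=(), exempt=()):
        """Return every combination of k independent postulated failures that defeats
        the function (empty list means the criterion is met).
        k=1 is the classic SFC; k=2 corresponds to the (N+2) criterion of YVL B.1.
        `kinds` restricts the postulated components (active-only or passive-only, the
        two halves of the general approach in the table). Trains in `out_of_service`
        (planned maintenance or repair within the AOT) start failed. `exempt` lists
        passive components whose failure has been justified as very unlikely."""
        baseline = {c.name for c in self.components if c.train in out_of_service}
        candidates = [c.name for c in self.components
                      if c.kind in kinds and c.train not in out_of_service
                      and c.name not in exempt]
        return [combo for combo in combinations(candidates, k)
                if not self.succeeds(baseline | set(combo))]


def build_example_function():
    """Constructed two-train injection function: one train (1-of-2) is enough."""
    comps = (
        Component("pump-A", "active", "A", supports=("bus-A",)),
        Component("mov-A", "active", "A", supports=("bus-A",)),
        Component("pipe-A", "passive", "A"),
        Component("bus-A", "passive", "A"),           # hypothetical per-train power bus
        Component("pump-B", "active", "B", supports=("bus-B",)),
        Component("mov-B", "active", "B", supports=("bus-B",)),
        Component("pipe-B", "passive", "B"),
        Component("bus-B", "passive", "B"),
        Component("suction-header", "passive", "shared"),  # hypothetical common header
    )
    return SafetyFunction("LP injection (constructed)", ("A", "B"), 1, comps)


def sfc_report(fn):
    """Run the checks a reviewer would ask for and return the defeating failure sets."""
    return {
        "single_active": fn.n_plus_k_violations(1, kinds=("active",)),
        "single_passive": fn.n_plus_k_violations(1, kinds=("passive",)),
        "single_passive_header_exempt": fn.n_plus_k_violations(
            1, kinds=("passive",), exempt=("suction-header",)),
        "sfc_train_B_out_of_service": fn.n_plus_k_violations(
            1, out_of_service=("B",), exempt=("suction-header",)),
        "n_plus_2_header_exempt": fn.n_plus_k_violations(2, exempt=("suction-header",)),
    }


if __name__ == "__main__":
    fn = build_example_function()
    # Loss of bus-A consequentially fails pump-A and mov-A; train B carries the function.
    print("operable after bus-A failure:", fn.operable_trains({"bus-A"}))
    for check, violations in sfc_report(fn).items():
        print(f"{check}: {'met' if not violations else violations}")
```

The report shows the pattern the table describes: the function meets the SFC for any single active failure, fails it for the shared passive header unless that header is exempted with a justification of its quality, loses the single-failure tolerance entirely while train B is out of service (every single failure on train A now defeats the function, which is the AOT question), and, being a two-train design, cannot meet (N+2) at all.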
FMEA I&C
Safety Demonstration - Deterministic Approach RG 1.70 FSAR Hierarchy:
Safety Demonstration - Deterministic Approach
Accident: Main Steam Line Break (MSLB)
FSAR: Chapter 15.1.5 and 6.2; 6.3.1 SLB (Core Response); 6.3.2 (CNT Response); 17 (EQ)
Calcnotes: 617-1 NPSH from RWST to CI pump; 617-2 CI pump NPSH from CNT sump; 643-1 CI minimal measured flow; CN-SA-98-029 SLB MER
Review of results and possible deviations from: Limiting Conditions for Operation; Surveillance Requirements; Precautions and Limiting Setpoints (PLS); Preventive Maintenance
Safety Demonstration - Deterministic Approach
MSLB - ANS Condition IV - Limiting Faults - USAR 15.1.5
Necessary protection against a MSLB:
- ECCS actuation (PRZR Press Low, CNT Press High, SL Press Low): set-points, delay, allowable values
- RTS (SI, PRZR press low, OTDT, OPDT, High neutron flux, High neutron flux rate, Low-low SG NR LVL)
- Redundant isolation of the main feedwater lines
- Main steam isolation: set-points, delay, allowable values
Codes and methodology: LOFTRAN; THINC (DNBR criteria)
Tables: 15.0.6-1 Trip points and time delays to trip assumed in accident analyses; 15.0.8-1 Plant systems and equipment available for transient and accident (15.1.5 - ESFAS: AF + SI); 15.0.13-1 Single failures assumed in accident analyses (worst failure: one SI train); 15.1.5-5 Equipment most likely to be used following a MSLB; 6.2-50 Containment Isolation Valves
Application of dynamic accident effects: 3B.3 Incident analysis for the effects of pipe whip, jet spray and missiles on shutdown and ESFAS; 3B.4 Incident analysis for the environmental pipe break effects of pressure, temperature and humidity on electrical and ventilation equipment
Review of results and possible deviations from: Limiting Conditions for Operation; Surveillance Requirements; Precautions and Limiting Set-points (PLS); Preventive Maintenance
Safety Demonstration - Deterministic Approach O&M Programs?
Safety Demonstration - Deterministic Approach
Environmental qualification: potential HELBs outside containment
Environmental qualification: leakages from containment to surrounding rooms
Conclusions. Nuclear industry and regulatory applications of the SFC and/or DiD are not very well harmonized in international practice. Additional effort is advisable in order to establish stricter and harmonized design requirements with regard to both the SFC and DiD, to improve the safety of nuclear installations in the future (e.g. a standard or guideline for SFC demonstration assessment is needed; IAEA GSR Part 4 does not discuss the SFC). Past experience with the application of the SFC, gained over a period stretching over half a century, points to some weaknesses in the rigid application of traditional SFC rules. Those include failing to establish a reliability of the functions important to safety which is commensurate with the frequencies of the challenges to them.
Conclusions. It has been repeated many times that traditional design basis analyses (DBA) are conservative because they assume the failure of a single train. It has rarely been pointed out that the same analyses may be optimistic because they take it for granted that the complementary train will succeed. It seems advisable to reconsider and adjust the SFC approach for application to new water-cooled (or other) reactor designs.
END. Thank you for your attention!