Version 1.0, May 2015 SHORT COURSE


BASIC PROFESSIONAL TRAINING COURSE
Module V: Safety classification of structures, systems and components
Version 1.0, May 2015, SHORT COURSE
This material was prepared by the IAEA and co-funded by the European Union.

INTRODUCTION TO SAFETY CLASSIFICATION
Learning objectives
After completing this chapter, the trainee will be able to:
- Define the purpose of the safety classification.
- List important general safety requirements for plant design.
- Explain which items are important to safety.
- Define the terms "item important to safety" and "safety system".
- List typical plant specific safety functions.
- List and explain the purpose of defence-in-depth levels.

The purpose of safety classification
- Design of NPPs: safety classification of structures, systems and components (SSCs)
- Identification and categorization of the safety functions
- Identification and classification of the SSC items
- Establish relationships between safety class and requirements for design and manufacturing commensurate with their safety significance

The purpose of safety classification in a nuclear power plant is to identify and categorize the safety functions and to identify and classify the related SSC items on the basis of their safety significance. This will ensure that the appropriate engineering design rules are determined for each safety class, so that SSCs are designed, manufactured, constructed, installed, commissioned, quality assured, maintained, tested and inspected to standards appropriate to their safety significance.

This Module describes the present requirements agreed by consensus for the classification of SSCs which have a role in the nuclear safety of the plant. It describes a systematic approach to identify and categorize the functions to be considered in the classification process, to identify the SSCs which have a role in performing those functions, and to classify the SSCs in a manner commensurate with their importance for the function and category. Finally, it describes how design requirements, such as design codes and standards, are set up for each safety class, and gives a couple of examples of SSC classification in existing designs. The functions to be categorized are those required to accomplish the main safety functions for the different plant states, primarily those credited in the safety analysis.

General safety requirements for the plant design
- To control the reactivity of the reactor
- The capability to safely shut down the reactor and to maintain it in the safe shutdown condition
- To remove heat from the core
- To remove residual heat from the core
- To remove residual heat from the spent fuel storage
- To confine radioactive material and control operational discharges
- To assure that any releases are within prescribed limits
- To ensure protection of the workers against radiation

It is important for the power plant to have structures, systems and components (SSCs) capable of performing safety functions. This will enable the design to meet the general safety requirements.

Safety classification of the plant equipment

Definitions
- Accident conditions: Deviations from normal operation that are less frequent and more severe than anticipated operational occurrences, and which include design basis accidents and design extension conditions.
- Design basis accident: An accident causing accident conditions for which a facility is designed in accordance with established design criteria and conservative methodology, and for which releases of radioactive material are kept within acceptable limits.

Definitions (cont.)
- Design extension conditions: Postulated accident conditions that are not considered for design basis accidents, but that are considered in the design process of the facility in accordance with best estimate methodology, and for which releases of radioactive material are kept within acceptable limits. Design extension conditions include conditions in events without significant fuel degradation and conditions with core melting. They are used to define the design basis for safety features and for the design of all other items important to safety that are necessary for preventing such conditions from arising or, if they do arise, for controlling them and mitigating their consequences.

Definitions (cont.)
- Item important to safety: An item that is part of a safety group and/or whose malfunction or failure could lead to radiation exposure of the site personnel or public.
- Safety system: System required to ensure the safe shutdown of the reactor or the residual heat removal from the core, or to limit the consequences of anticipated operational occurrences and design basis accidents. Safety systems are designed to mitigate the radiological consequences of the design basis accidents within the prescribed limits.

Definitions (cont.)
- Safety features for DEC: Item designed to perform a safety function in design extension conditions.

SAFETY CLASSIFICATION
Learning objectives
After completing this chapter, the trainee will be able to:
- Explain when and how the safety classification should be performed.
- List the main steps in the classification process.
- Define the terms "function" and "design provision".
- List examples of design provisions.
- List and briefly explain the three levels of severity.
- List the categorization of functions.

SAFETY CLASSIFICATION
Learning objectives (cont.)
After completing this chapter, the trainee will be able to:
- Describe three safety categories.
- Explain how the adequacy of the safety classification should be verified.

Safety classification
- An iterative process:
  - To be carried out periodically throughout the design process
  - To be maintained and supplemented as necessary throughout the lifetime of the plant
- Although only SSC classification is requested, establishing a categorization of the functions first is strongly recommended:
  - In general, the operation of several systems is needed for the accomplishment of a single function
  - Categorization of functions gives more confidence in the correctness and consistency of the classification

The categorization of functions recommended in the draft Safety Guide DS 367 [2] is based on the three safety categories. On the basis of their classification, SSCs are designed, manufactured, constructed, installed, commissioned, operated, tested, inspected and maintained in accordance with established processes that ensure design specifications and the expected levels of safety performance are achieved.

Safety classification is an iterative process that should be carried out periodically throughout the design process and maintained throughout the lifetime of the plant. Safety classification should be performed during the plant design, system design and equipment design phases. It should be reviewed for any relevant changes during construction, commissioning, operation and subsequent stages of the plant's lifetime.

Steps in the classification process
- SSCs to be classified are all SSCs necessary to accomplish the fundamental safety functions as defined in SSR2/1 Req. 4.
- Not all SSC candidates for classification can be captured if only the systems performing the fundamental safety functions for the different plant states are considered.

The first step in the classification process is a basic understanding of the plant design, its safety analysis and how the main safety functions will be achieved. Using information from safety assessment (the analysis of postulated initiating events), the functions are categorized on the basis of their safety significance. The SSCs belonging to the categorized functions are identified and classified on the basis of their role in achieving the function.

An SSC implemented as a design provision should be classified directly, because the significance of its postulated failure fully defines its safety class without any need for detailed analysis of the category of the associated safety function. All functions and design provisions necessary to achieve the main safety functions for the different plant states, including all modes of normal operation, should be identified.

Pre-requisites to safety classification
Prior to starting the safety classification process, the following inputs are necessary:
- Radiological release limits established by the Regulatory Body for operational conditions and for the different accident conditions
- Plant system description
- Plant states definition and categorization
- Postulated Initiating Events (PIE) considered in the design with their estimated frequency of occurrence

Pre-requisites to safety classification (cont.)
- Accident analysis
- Application of the defence in depth concept (which systems belong to the different levels of defence)
- PSA level 1 is not a strict pre-requisite for the safety classification but is needed for verification of its correctness

Generic principle for design of NPP
- Use of deterministic methodologies
- To make risks (consequences versus frequency) acceptable:
  - To decrease the probability of an accident to occur
  - Functions to make the consequences acceptable with regard to its probability
- A combination of preventive and mitigation measures

Categorization of the functions provided by design provisions is not necessary because the safety significance of the SSC can be directly derived from the consequences of its failure.

The next step in the process is to determine the safety classification of all SSCs important to safety. Deterministic methodologies should be applied, complemented where appropriate by probabilistic safety assessment and engineering judgment, to achieve an appropriately shaped risk profile, i.e. a plant design for which events with high consequences have a very low predicted frequency of occurrence.

From Fig. we can see that design provisions are primarily implemented to decrease the probability of an accident occurring, and functions to make the consequences acceptable with regard to its probability. For most of the initiating events, a combination of both preventive and mitigation measures is implemented to decrease its frequency of occurrence and then to make its consequences acceptable first, but also as low as reasonably practicable.

Identification and categorization of functions
- Functions to be categorized are those requested to accomplish the fundamental safety functions in the different plant states.
- Functions are derived from the fundamental safety functions which are required to be accomplished in all plant states.
- The deterministic safety analysis provides information on the functions to be accomplished to mitigate the consequences of the different PIEs.
- "Function" includes the primary function and any supporting functions that are expected to be performed to ensure the accomplishment of the primary function.

Generic list of safety functions to be categorized
(Fundamental safety function, followed by the functions to be categorized for the different plant states)

Control of reactivity
- R1 - Maintain core criticality control
- R2 - Shutdown and maintain core sub-criticality
- R3 - Prevention of uncontrolled positive reactivity insertion into the core
- R4 - Maintain sufficient sub-criticality of fuel stored outside the RCS but within the site

Heat removal
- H1 - Maintain sufficient RCS water inventory for core cooling
- H2 - Remove heat from the core to the reactor coolant
- H3 - Transfer heat from the reactor coolant to the ultimate heat sink
- H4 - Maintain heat removal from fuel stored outside the reactor coolant system but within the site

Confinement of radioactive material
- C1 - Maintain integrity of the fuel cladding
- C2 - Maintain integrity of the Reactor Coolant Pressure Boundary
- C3 - Limitation of release of radioactive materials from the reactor containment
- C4 - Limitation of release of radioactive waste and airborne radioactive material

Extra
- X1 - Protection and prevention against effects of hazard
- X2 - Protection of workers against radiation risks
- X3 - Limit the consequence of hazard
- X4 - Plant operation in accident conditions and monitoring of plant parameters
- X5 - Monitor radiological releases in normal operation
- X6 - Limits and conditions for normal operation

Notes:
- Can be used as a generic list of functions for a pressurized water reactor.
- Can be used for early classification but has to be developed further once the design is more detailed.

For classification purposes, those functions need to be defined for the different plant states, taking into account that one single function is often accomplished by different systems, as generally requested by the defence in depth concept.

Identification and categorization of functions (cont.)
- Practically, for each PIE, the functions necessary to control or mitigate the consequences are identified and categorized.
- The categorization of functions is performed to reflect the safety significance of every function.
- Safety significance is assessed by screening the following factors:
  (1) The consequences of failure to perform the function;
  (2) The frequency of occurrence of the postulated initiating event for which the function will be called upon;
  (3) The significance of the contribution of the function in achieving either a controlled state or a safe state.
- 3 levels of severity: high, medium and low

Categorization of functions
- Dose limits or acceptance criteria are used to define high, medium and low severity of consequences.
- The severity is either assessed by calculation or derived from the accident deterministic safety analysis.

* Medium or low severity consequences are not expected to occur in the event of non-response of a dedicated function for the mitigation of design extension conditions.

Categorization of functions (cont.)

Safety category 1:
- Any function required to reach the controlled state after an anticipated operational occurrence or a design basis accident and whose failure, when challenged, would result in consequences of 'high' severity.

Safety category 2:
- Any function required to reach the controlled state after an anticipated operational occurrence or a design basis accident and whose failure, when challenged, would result in consequences of 'medium' severity; or
- Any function required to reach and maintain for a long time a safe state and whose failure, when challenged, would result in consequences of 'high' severity; or
- Any function designed to provide a backup of a function categorized in safety category 1 and required to control design extension conditions without core melt.

Safety category 3:
- Any function actuated in the event of an anticipated operational occurrence or design basis accident and whose failure, when challenged, would result in consequences of 'low' severity; or
- Any function required to reach and maintain for a long time a safe state and whose failure, when challenged, would result in consequences of 'medium' severity; or
- Any function required to mitigate the consequences of design extension conditions, unless already required to be categorized in safety category 2, and whose failure, when challenged, would result in consequences of 'high' severity; or
- Any function designed to reduce the actuation frequency of the reactor trip or engineered safety features in the event of a deviation from normal operation, including those designed to maintain the main plant parameters within the normal range of operation of the plant; or
- Any function relating to the monitoring needed to provide plant staff and off-site emergency services with a sufficient set of reliable information in the event of an accident (design basis accident or design extension conditions), including monitoring and communication means as part of the emergency response plan (defence in depth level 5), unless already assigned to a higher category.

Example of categorization - PIE: Core melt accident
(Columns of the original table: Fundamental safety function / Generic function / Sub-function / Category / Main SSCs)

Fundamental safety function: Confinement of radioactive material
Generic function: C3 - Limitation of release of radioactive materials from the reactor containment

- C3.1 - Heat removal from the containment (category 3): Containment cooling system or containment venting system + associated supporting SSCs
- C3.2 - Minimizing radiological releases
  - C3.2.1 - Containment spray: Containment spray system + associated supporting SSCs
  - C3.2.2 - Containment isolation: Containment and its isolation system + associated supporting SSCs
  - C3.2.3 - Prevention of unfiltered leakage: Filtered ventilation systems in auxiliary buildings + associated supporting SSCs
- C3.3 - Containment integrity
  - C3.3.1 - Molten core stability: Core catcher and corium cooling system + associated supporting SSCs
  - C3.3.2 - Combustible gases management: H2 recombiners + associated supporting SSCs
  - C3.3.3 - Prevention of direct containment heating: Fast primary circuit depressurization system; containment venting system + associated supporting SSCs
  - C3.3.4 - Containment depressurization: Containment venting system + associated supporting SSCs

Classification of structures, systems and associated components
- Once the safety categorization of the functions is completed, the SSCs performing functions should be assigned to a safety class.
- Systems are expected to be assigned to a safety class corresponding to the safety category defined for the function performed.

Classification of structures, systems and associated components (cont.)
In a single system, individual components may have different safety classes depending on:
  (a) The safety role performed by the component;
  (b) The consequences of its failure to perform the safety function;
  (c) The frequency with which the item will be called upon to perform a safety function;
  (d) The time following a postulated initiating event at which, or the period for which, the item will be called upon to perform a safety function.

For individual components containing radioactive materials, the consequences of their failure are identified with regard to the activity released and to the capability of the system to perform its intended function. Nevertheless, class 3 at least is recommended.

Design provisions
- The safety of the plant is also dependent on the reliability of different equipment which, unlike systems, is not called upon in an event.
- That equipment, designated as a "design provision", is necessary to prevent accidents, to limit propagation of the effects of hazards, and to protect workers and the public from radiation risks.

Design provisions (cont.)
- Design features that are designed to such a quality that their failure could be practically eliminated: the shells of reactor pressure vessels or steam generators
- Features that are designed to reduce the frequency of accident: piping of high quality whose failure would result in a design basis accident
- Passive design features that are designed to protect workers and the public from harmful effects of radiation in normal operation: shielding, civil structures and piping
- Passive design features that are designed to protect components important to safety from being damaged by internal or external hazards: concrete walls, anti-whipping devices

Classification of the design provisions
An SSC implemented as a design provision can be classified directly by assessing the level of severity of its failure.
- Safety class 1: Any SSC whose failure would lead to consequences of 'high' severity
- Safety class 2: Any SSC whose failure would lead to consequences of 'medium' severity
- Safety class 3: Any SSC whose failure would lead to consequences of 'low' severity
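The categorization and classification rules above (safety categories 1 to 3, system classes following function categories, design provisions classified directly by severity), written out as an added Python example that is not part of the IAEA course material. The PIE names, severity assignments and SSC names in the sample data are constructed, and taking the most stringent category when a function or SSC is credited more than once is an assumption of the example, in line with the text's "unless already assigned to a higher category".

```python
from enum import Enum

class Severity(Enum):
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"

class Role(Enum):
    CONTROLLED_STATE = "reach the controlled state after an AOO or DBA"
    SAFE_STATE = "reach and maintain a safe state for a long time"
    DEC_BACKUP = "back up a category 1 function in DEC without core melt"
    DEC_MITIGATION = "mitigate the consequences of DEC"
    REDUCE_ACTUATION = "reduce actuation frequency of reactor trip / ESF"
    MONITORING = "accident monitoring and emergency communication"

# Rules that depend on the severity of failing to perform the function.
SEVERITY_RULES = {
    (Role.CONTROLLED_STATE, Severity.HIGH): 1,
    (Role.CONTROLLED_STATE, Severity.MEDIUM): 2,
    (Role.CONTROLLED_STATE, Severity.LOW): 3,
    (Role.SAFE_STATE, Severity.HIGH): 2,
    (Role.SAFE_STATE, Severity.MEDIUM): 3,
    (Role.DEC_MITIGATION, Severity.HIGH): 3,
}
# Rules the text states without a severity condition.
FIXED_RULES = {Role.DEC_BACKUP: 2, Role.REDUCE_ACTUATION: 3, Role.MONITORING: 3}

def categorize_credit(role, severity=None):
    """Category (1-3) for one credit of a function, or None if no rule applies."""
    if role in FIXED_RULES:
        return FIXED_RULES[role]
    if severity is None:
        raise ValueError(f"severity is required for role {role.name}")
    return SEVERITY_RULES.get((role, severity))

def categorize_function(credits):
    """Most stringent category over all (pie, role, severity) credits (assumption)."""
    found = [categorize_credit(role, sev) for _pie, role, sev in credits]
    found = [c for c in found if c is not None]
    return min(found) if found else None

def classify_design_provision(severity):
    """Design provisions are classified directly from the severity of their failure."""
    return {Severity.HIGH: 1, Severity.MEDIUM: 2, Severity.LOW: 3}[severity]

def classify_sscs(function_credits, ssc_functions, design_provisions):
    """Return {ssc: safety class}; None means no categorized function applies."""
    categories = {f: categorize_function(c) for f, c in function_credits.items()}
    classes = {}
    for ssc, functions in ssc_functions.items():
        cats = [categories[f] for f in functions if categories[f] is not None]
        classes[ssc] = min(cats) if cats else None
    for ssc, severity in design_provisions.items():
        direct = classify_design_provision(severity)
        classes[ssc] = min(direct, classes.get(ssc) or direct)
    return classes

# Constructed sample input: PIEs, severities and SSC names are illustrative only.
SAMPLE_CREDITS = {
    "R2": [("loss of offsite power", Role.CONTROLLED_STATE, Severity.HIGH)],
    "H3": [("small-break LOCA", Role.SAFE_STATE, Severity.HIGH),
           ("loss of main feedwater", Role.CONTROLLED_STATE, Severity.LOW)],
    "C3.1": [("core melt accident", Role.DEC_MITIGATION, Severity.HIGH)],
    "X4": [("any accident", Role.MONITORING, None)],
}
SAMPLE_SSC_FUNCTIONS = {
    "reactor trip system": ["R2"],
    "residual heat removal system": ["H3"],
    "containment cooling system": ["C3.1"],
    "shared cooling water train": ["H3", "C3.1"],
}
SAMPLE_DESIGN_PROVISIONS = {
    "reactor pressure vessel shell": Severity.HIGH,
    "shielding wall": Severity.LOW,
}

if __name__ == "__main__":
    result = classify_sscs(SAMPLE_CREDITS, SAMPLE_SSC_FUNCTIONS,
                           SAMPLE_DESIGN_PROVISIONS)
    for ssc, safety_class in result.items():
        print(f"{ssc}: safety class {safety_class}")
```

A combination that returns None (for example a safe-state function with 'low' severity) is one the listed rules do not categorize, which is a prompt for review rather than a class.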

Verification of the safety classification
- Comparison of the classification established according to the deterministic approach (e.g. application of the IAEA SSG-30) with insights from probabilistic safety assessment
- Expectation: consistency between the deterministic and probabilistic approaches provides confidence that the safety classification is correct
- If there are differences, further assessment should be carried out in order to understand the reasons for these, and a final safety class should be assigned
- Iterative process to ensure the completeness of the classification

Selection of engineering design rules for SSCs
Three characteristics of the engineering design rules:
- Capability
- Dependability
- Robustness

A complete set of engineering design rules should be specified to ensure that the safety classified SSCs will be designed, manufactured, constructed, installed, commissioned, operated, tested, inspected and maintained to appropriate and well proven quality standards. Engineering requirements give confidence that the reliability of every SSC is commensurate with its individual safety significance.

Selection of engineering design rules for SSCs (cont.)
To achieve the expected reliability:
- At the system level, design requirements to be applied may include specific requirements such as single failure criteria, independence of redundancies, diversity and testability.
- For individual structures and components, design requirements to be applied may include specific requirements such as environmental and seismic qualification, and manufacturing quality assurance procedures. They are typically expressed by specifying the codes or standards that apply.
- Appropriate codes and standards (for pressure retaining equipment: ASME, RCC-M, etc.; for I&C: IEC or IEEE, etc.) and clear links between safety classes and code acceptance criteria
- Regulatory limits and acceptance criteria

IAEA safety standards
- Specific Safety Requirements SSR-2/1; Safety of Nuclear Power Plants: Design
- Safety Guide SSG-30; Safety Classification of Structures, Systems and Components in Nuclear Power Plants
- General Safety Requirements GSR Part 4; Safety for Facilities and Activities
- Specific Safety Guide SSG-2; Deterministic Safety Analysis for Nuclear Power Plants

The views expressed in this document do not necessarily reflect the views of the European Commission.