Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nuclear Safety Standards Committee 41st Meeting, 21 – 23 June, 2016

Published byCollin Bennett Modified over 7 years ago

Similar presentations

Presentation on theme: "Nuclear Safety Standards Committee 41st Meeting, 21 – 23 June, 2016"— Presentation transcript:

1 Nuclear Safety Standards Committee 41st Meeting, 21 – 23 June, 2016
Agenda item Title Name, Section - Division

2 Contents IAEA Safety Standards on NPP Design. Evolution
Defense in Depth Design Basis and Plant States Implementation and Assessment of Defense in Depth Practical Elimination of large/early releases Vienna Declaration

3 1993 1996 1996 1995 2000 2016 2012 1998

4 Fundamental Safety Principles
Safety Objective To protect people and the environment from harmful effects of ionizing radiation Responsibility for Safety Role of Government Leadership and Management for Safety Justification of Facilities and Activities Optimization of Protection Limitation of Risks to Individuals Protection of Present and Future Generations Protective Actions to Reduce Existing Or Unregulated Radiation Risks Prevention of Accidents Emergency Preparedness and Response 10 Safety Principles

5 Safety Principle 8: Prevention of Accidents
All practical efforts must be made to prevent and mitigate nuclear or radiation accidents The primary means of preventing and mitigating the consequences of accidents is “defence in depth” Defence in depth is implemented primarily through the combination of a number of consecutive and independent levels of protection When properly implemented, defence in depth ensures that no single technical, human or organizational failure could lead to harmful effects, and that the combinations of failures that could give rise to significant harmful effects are of very low probability. The independent effectiveness of the different levels of defence is a necessary element of defence in depth.

6 Defence in depth is provided by an appropriate combination of:
Safety Principle 8: Prevention of Accidents Defence in depth is provided by an appropriate combination of: An effective management system, strong commitment to safety and strong safety culture Adequate site selection and the incorporation of good design and engineering features providing safety margins, diversity and redundancy mainly by the use of: Design, technology and materials of high quality and reliability Control, limiting and protection systems and surveillance features Appropriate combination of inherent and engineered safety features Comprehensive operational and accident management procedures and practices

7 Design Requirements for NPPs
To be implemented by the designer to fulfill the fundamental safety functions with the appropriate level of defense in depth To be used by the reviewer of the design (e.g. by the Regulatory Authority) to assess the safety of the design Safety objectives and safety principles Functional conditions required for safety Guidance on how to fulfil the requirements Requirements for Design of NPPs (SSR 2/1)

8 Main differences between NS-R-1 (2000) and SSR 2/1 (2012)
Consistency with the new Fundamental Safety Principles Feed back from MS and Review Services New structure of Safety Structure of SSs Reduction of Requirements: Overarching and subordinated requirements Stability, minimization of impact on Safety Guides, Traceability of changes Consistency with other Requirements for: Operation, Management Systems, Safety Assessment (GRS Part 4 ), Radiation Protection Technical Changes Reinforcement of the design against accidents more severe than DBA Design Extension Conditions Practical elimination of large or early releases Inclusion of considerations for security. Reinforced protection against external hazards (e.g. aircraft crash) Less detailed requirements for safety assessment (after publication of GRS Part 4 in 2008)

9 NS-R-1 (2000) General Design Basis
General concept that describes the capabilities and specifications of the plant that are relevant to establish the safety level. The General Design Basis includes: 1) Categories of plant states and acceptance criteria Normal Operation, Anticipated Operational Occurrences, Design Basis Accidents, Severe Accidents 2) Internal Events Equipment failures, fire, missiles, pipe whip, ... 3) External Events Natural and Human Induced External Events 4) Design Rules and Design Limits Specification of the design rules and codes used for the design of SSCs. Standards and practices used.

10 NS-R-1 General Design Basis
5) Operational States The plant is required to operate safely in Normal Operation and to reach safe operation or shutdown following Anticipated Operational Occurrences (AOOs) without progressing into accidents. Specification of the range of the process parameters. Definition of the operational limits and conditions 6) Design Basis Accidents (DBAs) Conservative set of bounding accidents determined with pessimistic assumptions on the evolution of the sequence and for which SSC important to safety are designed. Use of automatic safety systems only. Established conservative acceptance criteria. 7) Severe Accidents (SAs) Definition: Accident condition more severe than a DBA with significant core degradation Identification of sequences (which may arise owing to multiple failures of safety systems) that may lead to SAs accidents. Selection of few sequences, using deterministic and probabilistic methods and engineering judgement, to be considered in the design. Definition of design measures and procedures to deal with the selected sequences Measures to cope with SAs less stringent than those used to cope with DBAs

11 Revision of SSR 2/1 after the Fukushima Daiichi accident
Overview of Main Changes Reinforcement of DiD and the independence of DiD provisions, in particular those for severe accidents Stressing the need for margins to avoid cliff edge effects. More margins for items that ultimately prevent large or early releases Interconnection of units without sharing safety systems /DEC features Reinforced capabilities for heat transfer to the UHS. Implementation of features (design, procedures, etc.) to enable the use (e.g. hook-up) of non permanent equipment Reinforced capabilities for power supply in DECs. Additional measures for spent fuel pool instrumentation, cooling and maintaining inventory.

12 Changes in SSR-2/1 (Rev.1) New or significantly modified articles
4.13a. The levels of defence in depth shall be independent as far as practicable to avoid a failure of one level reducing the effectiveness of other levels. In particular, safety features for design extension conditions (especially features for mitigating the consequences of accidents involving the melting of fuel) shall be as far as is practicable independent of safety systems. 5.15a. Items important to safety shall be designed and located, with due consideration to other implications for safety, to withstand the effects of hazards or to be protected, according to their importance to safety, against hazards and against common cause failure mechanisms generated by hazards to minimize, consistent with other safety requirements, the likelihood of external events and their possible harmful consequences. 5.15b. For multiple unit plant sites, the design shall take due account of the potential for specific hazards to give rise to impacts on several or even all units on the site simultaneously.

13 Changes in SSR-2/1 (Rev.1) New or significantly modified articles
5.21a. The design of the plant shall provide for an adequate margin to protect items ultimately necessary to prevent large or early radioactive releases in the event of levels of natural hazards exceeding those to be considered for design taking into account the site hazard evaluation. 5.31a. The design shall be such that for design extension conditions, protective measures that are limited in terms of times and areas of application shall be sufficient for the protection of the public, and sufficient time shall be available to take such measures. Req. 33. Safety systems, and safety features for design extension conditions, of units of a multiple unit nuclear power plant Each unit of a multiple unit nuclear power plant shall have its own safety systems and shall have its own safety features for design extension conditions. 5.63. To further enhance safety, means allowing interconnections between units of a multiple unit nuclear power plant shall be considered in the design.

14 Changes in SSR-2/1 (Rev.1) New or significantly modified articles
5.73. The safety analysis shall provide assurance that uncertainties have been given adequate consideration in the design of the plant and especially that adequate margins are available to avoid cliff edge effects and large or early radioactive releases. 6.19a Systems for transferring heat shall have adequate reliability for the plant states in which they have to fulfil the heat transfer function. This may require the use of a different ultimate heat sink or different access to the ultimate heat sink. 6.19b The heat transfer function shall be fulfilled for levels of natural hazards more severe than those to be considered for design taking into account the site hazard evaluation. 6.28a. Design provision shall be made to prevent the loss of the containment structural integrity in all plant states. The use of this provision shall not lead to early or to large radioactive releases. 6.28b. For defence in depth, the design shall include features to enable the safe use of non-permanent equipment for restoring the capability to remove heat from the containment.

15 Changes in SSR-2/1 (Rev.1) New or significantly modified articles
6.40a. The design of the control room shall provide an adequate margin against levels of natural hazards more severe than those to be considered for design taking into account the site hazard evaluation. Requirement 67: Emergency response facilities on the site control centre. The nuclear power plant shall include the necessary emergency response facilities on the site. Their design shall be such that personnel will be able to perform expected tasks for managing an emergency under conditions generated by accidents and hazards. Requirement 68: Design for withstanding the loss of off-site power. The design of a nuclear power plant shall include an emergency power supply capable of supplying the necessary power in anticipated operational occurrences and design basis accidents, in the event of the loss of off-site power. The design shall include an alternate power source to supply the necessary power in design extension conditions.

16 Changes in SSR-2/1 (Rev.1) New or significantly modified articles
6.44a. The alternate power source shall be capable of supplying the necessary power to preserve the integrity of the reactor coolant system and to prevent significant damage to the core and to spent fuel in the event of the loss of off- site power combined with failure of the emergency power supply. 6.44b. Equipment that is necessary to mitigate the consequences of melting of the reactor core shall be capable of being supplied by any of the available power sources. 6.44c. The alternate power source shall be independent of and physically separated from the emergency power supply. The connection time of the alternate power source shall be consistent with the depletion time of the battery. 6.44d. Continuity of power for the monitoring of the key plant parameters, and for the completion of short term actions necessary for safety shall be maintained in the event of a loss of the AC (Alternating Current) power sources. 6.45a. For defence in depth, the design shall include features to enable the safe use of non-permanent equipment to restore the necessary electrical power supply.

17 Changes in SSR-2/1 (Rev.1) New or significantly modified articles
6.68. For reactors using a water pool system for fuel storage, the design shall prevent the uncovering of fuel assemblies in all plant states that are of relevance for the spent fuel pool, so as to practically eliminate the possibility of early or large radioactive releases and to avoid high radiation fields on the site. The design of the plant: (a) shall provide the necessary fuel cooling capabilities; (b) shall provide features to prevent the uncovering of fuel assemblies in the event of a leak or a pipe break; (c) shall provide a capability to restore the water inventory. For defence in depth, the design shall include features to enable the safe use of non-permanent equipment to ensure sufficient water inventory for the long term cooling of spent fuel and for providing shielding against radiation.

18 Changes in SSR-2/1 (Rev.1) New or significantly modified articles
6.68a. The design shall include the following: (a) Means for monitoring and controlling the water temperature for operational states and for accident conditions that are of relevance for the spent fuel pool; (b) Means for monitoring and controlling the water level for operational states and for accident conditions that are of relevance for the spent fuel pool; (c) Means for monitoring and controlling the activity in water and in air for operational states and means for monitoring the activity in water and in air for accident conditions that are of relevance for the spent fuel pool; (d) Means for monitoring and controlling the water chemistry for operational states.

19 Considerations on the Application
TECDOC 1791: Considerations on the Application of the IAEA Safety Requirements for the Design of Nuclear Power Plants The new Safety Requirements for the Design of NPPs, SSR - 2/1 and its revision after the Fukushima accident introduced some new concepts and terminology, for which there is not always a common understanding in different Member States. The IAEA has developed TECDOC 1791 aimed at facilitating the understanding and providing more explicit information on selected new topics introduced in SSR-2/1. TECDOC 1791 has been reviewed by volunteer members of NUSSC

20 TECDOC 1791: Scope The TECDOC is aimed at facilitating the understanding and provide more explicit information on selected topics introduced in SSR-2/1: Plant States considered in the design (for reactor and SFP), Design Extension Conditions without and with fuel damage. Design basis of plant equipment Defence in Depth (DiD) strategy for new plants. Independence of the levels of DiD and prevention of common cause failures. Reliability of the heat transfer to the ultimate heat sink Design margins and prevention of cliff-edge effects Concept of “practical elimination” of early or large releases Design for external hazards Use of mobile sources of electric power and coolant

21 Design Basis

22 Design Basis Requirement 13: Categories of plant states
Plant states shall be identified and shall be grouped into a limited number of categories according to their frequency of occurrence. Normal operation; Anticipated operational occurrences, which are expected to occur over the operating lifetime of the plant; Design basis accidents; Design extension conditions, including accidents with core melting. Criteria shall be assigned to each plant state, such that frequently occurring plant states shall have no, or only minor, radiological consequences and plant states that could give rise to serious consequences shall have a very low frequency of occurrence. Operational states Accident conditions Normal operation Anticipated operational occurrences Design Basis Accidents Design Extension Conditions

23 Plant States and Design envelope
Earlier Concept Beyond Design Basis (Accident Management) Design Basis Operational States Accident Conditions NO AOO DBAs (safety systems) Severe Accidents (core melting) BDBA SSR-2/1, 2012 Plant Design Envelope Beyond Plant Design Envelope Operational States Accident Conditions Conditions practically eliminated NO AOO DBAs (safety systems) DECs Proposal for development of a Safety Guide “Assessment of Engineering Aspects of Safety of NPPs” on the basis of the TECDOC (including the coverage of some gaps in the SG identified earlier) Safety features for sequences without significant fuel degradation Safety features for accident with core melting

24 Design Basis Requirement 14: Design basis for items important to safety The design of items important to safety shall specify the necessary capability, reliability and functionality for the required plant operational states, for accident conditions and conditions generated  by internal and external hazards, to meet  the specified acceptance criteria for  the lifetime of the plant. The design basis for each item important to safety shall be systematically justified and documented. The documentation shall provide the necessary information for the operating organization to operate the plant safely.

25 Plant Sates & Design Basis of SSCs

26 Design Basis Requirement 19: Design basis accidents
A set of accident conditions that are to be considered in the design shall be derived from postulated initiating events for the purpose of establishing the boundary conditions for the nuclear power plant to withstand, without acceptable limits for radiation protection being exceeded. DBAs are used to define the design basis of the “safety systems” and for other items important to safety that are necessary to control those accidents Safety systems are designed with the application of the “single failure criterion” Key plant parameters shall not exceed specified design limits. No or only minor radiological impacts, both on and off the site, and do not necessitate any off-site intervention measures Design Basis Accidents shall be analysed in a conservative manner.

27 Design Basis Requirement 20: Design extension conditions (DECs)
A set of design extension conditions shall be derived on the basis of engineering judgment, deterministic assessments and probabilistic assessments for the purpose of further improving the safety of the nuclear power plant by enhancing the plant’s capabilities to withstand, without unacceptable radiological consequences, accidents that are either more severe than design basis accidents or that involve additional failures. These design extension conditions shall be used to identify the additional accident scenarios to be addressed in the design and to plan practicable provisions for the prevention of such accidents or mitigation of their consequences The main purpose of DECs is to ensure that accident conditions not considered as DBAs are prevented and/or mitigated as far as reasonably practicable DECs are used to define the design basis for the “safety features” and for the other items important to safety necessary to prevent and to mitigate core damage Safety features for DECs are not required to comply with the “single failure criterion” Design Extension Conditions can be analysed with a best estimate analysis

28 Design Basis Safety features for DEC:
Shall be independent, to the extent practicable, of those used in more frequent accidents; Shall be capable of performing in the environmental conditions related to DEC, including severe accidents, where appropriate; In particular, the containment and its safety features shall be able to withstand extreme scenarios that include, among other things, melting of the reactor core. These scenarios shall be selected using engineering judgement The design shall be such that the possibility of plant states arising that could lead to early or to large releases is ‘practically eliminated’. For DEC, protective measures that are limited in terms of times and areas of application shall be sufficient for the protection of the public, and sufficient time shall be available to take such measures.

29 Design Extension Conditions (DECs)
IAEA Design Safety Requirements: to derive the set of DECs systematically on the basis of Engineering judgement Deterministic evaluations (DSA) Probabilistic considerations (PSA) Operating experience, particularly LWR technology DECs are technology dependent Recommended DECs (except for SBO) are not available in IAEA Safety Standards

30 DECs without Fuel Degradation (1/2)
Exemplary listing some countries also refer to as deterministically identified, may include anticipated transient without scram (ATWS) station blackout (SBO) loss of core cooling in the residual heat removal mode extended loss of cooling of fuel pool and inventory loss of normal access to the ultimate heat sink

31 DECs without Fuel Degradation (2/2)
DECs derived from PSA might include (examples) total loss of feed water LOCA plus loss of one emergency core cooling system (high pressure or the low pressure emergency cooling system) loss of the component cooling water system or the essential service water system uncontrolled boron dilution multiple steam generator tube ruptures (for PWRs) steam generator tube ruptures induced by main steam line break (for PWRs) uncontrolled level drop during mid-loop operation (for PWRs) or during refueling

32 DECs with Core Melting Necessary to identify a representative group of severe accident conditions to be used for defining the design basis of the mitigating safety features Important: sufficient knowledge on different severe accident phenomena Main objective: cooling and stabilization of the molten fuel and the removal of heat from the containment Present knowledge on physical and chemical phenomena: sound base for design basis

33 Design Basis for SSCs

34 Defence in Depth INSAG-3, published in 1988
The concept of defence in depth was used in nuclear safety for long time. The term was better defined following the Chernobyl accident but the five levels were first described in INSAG-3, published in 1988. Defence in depth 46. Principle: To compensate for potential human and mechanical failures, a defence in depth concept is implemented, centred on several levels of protection including successive barriers preventing the release of radioactive material to the environment. The concept includes protection of the barriers by averting damage to the plant and to the barriers themselves. It includes further measures to protect the public and the environment from harm in case these barriers are not fully effective. (…) Defence in depth helps to establish that the three basic safety functions (controlling the power, cooling the fuel and confining the radioactive material) are preserved, and that radioactive materials do not reach people or the environment.

35 Defence in Depth INSAG-10, published in 1996
INSAG-10 presented a very detailed description of the concept of defence in depth including a table with the objective and the essential means of each level of defence.

36 Defence in Depth INSAG-10, published in 1996
Level 1: Prevention of abnormal operation and failures Measures at Level 1 include a broad range of conservative provisions in design, from siting through to the end of plant life, aimed at confining radioactive material and minimizing deviations from normal operating conditions (including transient conditions and plant shutdown states). The safety provisions at Level 1 are taken through the choice of site, design, manufacturing, construction, commissioning, operating and maintenance requirements such as: the clear definition of normal and abnormal operating conditions; adequate margins in the design of systems and plant components, including robustness and resistance to accident conditions, in particular aimed at minimizing the need to take measures at Level 2 and Level 3; adequate time for operators to respond to events and appropriate human-machine interfaces, including operator aids, to reduce the burden on the operators; careful selection of materials and use of qualified fabrication processes and proven technology together with extensive testing;

37 Defence in Depth INSAG-10, published in 1996
Level 1: Prevention of abnormal operation and failures comprehensive training of appropriately selected operating personnel whose behaviour is consistent with a sound safety culture; adequate operating instructions and reliable monitoring of plant status and operating conditions; recording, evaluation and utilization of operating experience; comprehensive preventive maintenance prioritized in accordance with the safety significance and reliability requirements of systems. Furthermore, Level 1 provides the initial basis for protection against external and internal hazards (e.g. earthquakes, aircraft crashes, blast waves, fire, flooding), even though some additional protection may be required at higher levels of defence. Level 1 is associated with normal operation (prevention of failures) but includes measures related also the design and operation of equipment needed for other plant states

38 Defence in Depth INSAG-12 (INSAG-3 Rev.1), published in 1999
INSAG-12 elaborates the table of INSAG-10 introducing a link between plant states and levels of defence in depth.

39 Defence in Depth Design Safety Requirements of 2000
NS-R-1 adopted the concepts and the terminology of INSAG-10. Recognizes that defence in depth is a main pillar for generating safety requirements for design of NPPs Includes several requirements that explicitly address defence in depth

40 Defence in Depth SSR-2/1, published in 2012/Revised 2016
SSR-2/1 maintained the structure and the approach to defence in depth of NS-R-1 SSR-2/1 introduced the concept of Design Extension Conditions (DECs) without differentiating between DECs without and with core melting SSR-2/1 did not make explicit associations between plant states and levels of defence in depth in any requirement The introduction of DECs implies some modifications to the table of Defence in Depth correlating plant states and levels of defence; Level 4 is reinforced by requirements for the essential means necessary to mitigate the consequences of severe accidents: SSCs for DECs shall be independent to the extent practicable of those used in more frequent accidents, (SSR-2/1 Req (a); DECs are used to define the specifications of the SSCs necessary to mitigate their consequences, (SSR-2/1 Req. 5.28); SSCs are capable of performing their intended functions under environmental conditions prevailing during DECs (SSR-2/1 Req (b)

41 TECDOC: DiD approach of SSR 2/1
TECDOC: DiD approach of SSR 2/1. Elaboration on the original table form INSAG-10 Level of defence Approach 1 Objective Essential design means Essential operational means Approach 2 Level 1 Prevention of abnormal operation and failures Conservative design and high quality in construction of normal operation systems, including monitoring and control systems Operational rules and normal operating procedures Level 2 Control of abnormal operation and detection of failures Limitation and protection systems and other surveillance features Abnormal operating procedures/emergency operating procedures 3a Level 3 3b Control of design basis accidents (postulated single initiating events) Engineered safety features (safety systems) Emergency operating procedures Control of design extension conditions to prevent core melting Safety features for design extension conditions without core melting 4a Level 4 4b Control of design extension conditions to mitigate the consequences of severe accidents Safety features for design extension conditions with core melting. Technical Support Centre Complementary emergency operating procedures/ severe accident management guidelines Level 5 Mitigation of radiological consequences of significant releases of radioactive materials On-site and off-site emergency response facilities On-site and off-site emergency plans

42 Defence in Depth ↔ Plant States
Approach 1, i.e. the association of DECs without core melting to level 3, has the advantage that each level has clear objectives regarding the progression of the accident and the protection of the barriers , i.e. level 3 to prevent damage to the reactor core and level 4 to mitigate severe accidents for preventing off site contamination Approach 2, i.e. the grouping of DECs without core melting and with core melting in level 4, facilitates however the differentiation between the set of rules for design and safety assessment to be applied for DECs from those for DBA

43 Independence of DiD Levels Prevention of common cause failures
SSR 2/1: Requirement 24 indicates that “The design of equipment shall take due account of the potential for common cause failures of items important to safety, to determine how the concepts of diversity, redundancy, physical separation and functional independence have to be applied to achieve the necessary reliability. New 4.13a: “The SSC’s at different levels of defence in depth shall be independent as far as practicable to avoid a failure of one level reducing the effectiveness of other levels. In particular, safety features for design extension conditions (especially features for mitigating the consequences of accidents involving the melting of fuel) shall be as far as is practicable independent of safety systems”.

44 Independence of DiD Levels Prevention of common cause failures (CCFs)
The effectiveness of the levels of DiD is reduced by sharing SSCs between DiD levels. In some cases the sharing leads to the bypass of a level, e.g. ATWS or SBO. Each level needs to achieve its own and necessary level of reliability. CCFs (in a broad sense dependent failures) jeopardize the reliability within provisions at a given level of DiD if redundancy exists and the independence between levels of DiD. Diversity is effective against some root causes of common cause failures High reliability requires that vulnerabilities for CCF should be eliminated to a reasonable extent.

45 Independence of DiD Levels Prevention of common cause failures
TECDOC 1791 DiD Levels are not fully independent: Necessary sharing of SSCs (control room, containment, control rods), the operators and the impact of hazards, among other factors. “independence of the levels of DiD” needs be understood as the “degree of independence”, which should be the highest possible. The TECDOC addresses the factors that affect the independence of levels of defence and measures to prevent common cause failures. Main factors are sharing SSCs between DiD levels and exposure to hazards The TECDOC provides general and specific proposals for effective “independence” of levels of DiD The TECDOC addresses specifically: Independence of DiD in relation to I&C systems. The independence of power supply (AC&DC) between provisions for DBA and provisions for DEC without significant fuel degradation and in particular between provisions for DBA and provisions for DEC with core melting

46 Independence of DiD levels
General recommendations: The successive means required for a given PIE should be identified; Safety features specifically designed to mitigate the consequences of core melt accidents should be independent from those designed to prevent such accidents; The ability of SSCs to perform their functions should not be affected by the initiating event and its consequences for which they are designed to respond; Safety features, designed to back up SSCs implementing safety functions, should be independent from SSCs postulated as failed in the sequence; Independence between SSCs or safety features should be achieved through the identification of all dependencies and the elimination of the most significant. The safety analysis should demonstrate that the safety features intended to respond first are not jeopardized by the initiating event;

47 Existing Dependencies within or between DiD levels
Functional Dependencies (Support systems) affecting redundant trains Common system interfaces Systems and components with multiple functions, e.g. for different DiD levels Failures/conditions induced by a PIE on plant SSCs. Operation errors Common cause failures (CCFs): Failure/conditions caused by external hazards Errors in design, manufacturing and construction Errors or inadequate practices during maintenance, surveillance or inspection Environmental or external factors resulting in conditions exceeding the margins of the design Measures to adequately prevent CCFs depend on the causes and coupling mechanisms Root Cause Adequate Defensive Measures? Common Mode Failure Coupling mechanism or triggering condition Proven design and construction Adequate QA practices Physical separation, Redundancy, Diversity (functional and technical) Regular maintenance and Inspection Adequate procedures Automatic announcement of failures, etc.

48 Independence of DiD Levels Prevention of common cause failures
Independence between levels of defence does not replace independence between redundancies implemented within one level, and both of them should be considered for the evaluation of the overall effectiveness of the defence in depth concept. Strengthening one level or the architecture cannot be an excuse to the decrease the reliability of the individual levels. Ideal design where each SSC would be allocated to a single level is unrealistic and could lead to useless complexity, How far independence between levels should be implemented is not totally clear and might explain weaknesses in its application.

49 Safety Reports Series No. 46
In 2005, IAEA published a report in Safety Report Series (No. 46) ‘Assessment of Defence in Depth for Nuclear Power Plants’ Described a screening method for assessing the defence in depth capabilities of an existing plant, including both its design features and the operational measures taken to ensure safety 2005

50 Fundamental and derived safety functions -
Conditions for ensuring integrity of barriers

51 Objective tree (IAEA SR No. 46) New DiD approach (not final)
Elaboration on the original table from INSAG-10 How to ensure completeness of mechanisms? Provisions?

52 Objective Trees Objective trees developed to provide a comprehensive list of the possible options for provisions (not necessarily all of them need to be implemented in parallel). For each safety principle and corresponding level(s) , challenges and mechanisms that affect corresponding safety functions were provided The provisions offered in the objective trees were mainly derived from the IAEA and INSAG safety principles, the IAEA Safety Standards and on the basis of an additional engineering judgment

53 SR-46 Methodology and update needs
SR-46 is a systematic way for screening of comprehensiveness of defence in depth. The screening approach, which uses graphical way of objective trees, offers a tool for determining the strengths and weaknesses of defence in depth at a specific plant. The top down approach has been used for the development of objective trees, i.e. from stating the objectives and relevant safety functions for each level of defence, through the challenges to performance of these safety functions composed of various mechanisms affecting the performance, up to the provisions which may be implemented to prevent challenges to safety functions to take place. The approach did not include any quantification of the extent of defence in depth at a plant nor a prioritization of the provisions of defence.

54 SR-46 Methodology and update needs
It was originally intended only for screening, i.e. for identification of both the strengths and weaknesses for which provision should be considered. There were no strict criteria on what is considered a sufficient level of implementation of individual provisions. The level of detail and completeness of evaluation are at the discretion of the user of the screening approach. Among the IAEA Conference president’s conclusions, further development of the tools based on the methodology described in the Safety Report was recommended as a means for ensuring that defence in depth safety provisions are comprehensive enough. There is a need to align SR-46 with the new Safety requirements for Design (SSR 2/1) and Operation (SSR 2/1), for instance considering new plant states (DEC) and definition of the levels The approach does yield quantitative results within one level or measures of dependencies between levels. However, this is essential for the assessment of DiD

55 IAEA International Conference on Topical Issues in Nuclear Installation Safety: Defence in Depth — Advances and Challenges for Nuclear Installation Safety held in Vienna, October 2013

56 President’s Conclusions and Recommendations
Among the president’s conclusions there was a confirmation of importance and value of DiD for both existing and new plants. In the conclusions a number of ideas were presented with the objective of further strengthening DiD, such us: Strengthening of DiD in accordance with the most recent safety objectives reflected in new IAEA Safety Standards (in particular attention paid to level 4 of defence and to independence of levels) and its maintenance by periodic safety reviews over the entire life of the plants Further development of guidance documents and tools for assessment of required new features of defence in depth Special attention to be paid to potential effects of extreme external hazards jeopardizing simultaneously several levels of defence Providing additional guidance on effects of hazards and combination of hazards, of human factor and reliability of I&C systems on defence in depth Taking into account operational experience feedback and results of research and development in implementation of defence in depth

57 Revision of Safety Guide on Format and Content of SAR for NPPs.
The revised safety guide has been submitted to NUSSC “1.4. The most significant changes made in this Safety Guide are those corresponding to the new Safety Requirements established in SSR-2/1 (Rev. 1) [3], in particular the ones regarding design extension conditions, the strengthening of the independence and effectiveness of the different levels of defence-in-depth, the robustness against extreme external hazards, and the practical elimination of event sequences that would lead to an early radioactive release or a large radioactive release”

58 Revision of Safety Guide on Format and Content of SAR.
Defence in depth This subsection should describe the approach adopted to incorporate the defence in depth concept into the design of the plant. It should be demonstrated that the defence in depth concept has been considered in all stages of the lifetime of the nuclear power plant, for all plant states and for all safety related activities in accordance with SSR- 2/1 (Rev.1), §2.12-§2.18 [3]. It should be demonstrated that there are physical barriers to the release of radioactivity and systems to protect integrity of the barriers and measures are taken to ensure robustness of provisions at each level of defence in depth. It should also be demonstrated that measures are taken for adequate independence of levels. Particular emphasis should be placed on robustness and independence of safety systems and safety features provided for design extension conditions with core melting.

59 SSR 2/1:Practical Elimination of Large or Early Releases
The design for safety of a nuclear power plant applies the safety principle that practical measures must be taken to mitigate the consequences for human life and health and for the environment of nuclear or radiation accidents (Principle 8 of the Fundamental Safety Principles [1]). Plant event sequences that could result in high radiation doses or in a large radioactive release have to be ‘practically eliminated’ and plant event sequences with a significant frequency of occurrence have to have no, or only minor, potential radiological consequences. An essential objective is that the necessity for off-site protective actions to mitigate radiological consequences be limited or even eliminated in technical terms, although such measures might still be required by the responsible authorities. Similar statements formulated in several requirements Footnote “the possibility of certain conditions occurring is considered to have been practically eliminated if it is physically impossible for the conditions to occur or if the conditions can be considered with a high degree of confidence to be extremely unlikely to arise”

60 Concept of Practical Elimination
The term was already introduced in INSAG 12 (1990) and in the IAEA Safety Standards ( NS-G-1.10 on Containment) in 2004. The “certain conditions” to be addressed referred to hypothetical accident sequences that could lead to early or large radioactive releases due to containment failure than can not be mitigated with implementation of reasonable technical means. The concept of practical elimination should not be misinterpreted or misused. It should be considered as part of a general approach to safety and, its appropriate application, as an enhancement of the defence in depth. Practical elimination describes how, in practice, the design of a nuclear power plant deals with rare phenomena or sequences with the potential to cause unacceptable consequences. These phenomena or sequences are in fact rare because of all the safety provisions made in the multiple levels of defence in depth

61 Approach to the Demonstration of Practical Elimination
The hypothetical accident conditions that require a specific demonstration of their “practical elimination” include at least following categories: Events that could lead to prompt reactor core damage and consequent early containment failure Failure of a large component in the reactor coolant system Uncontrolled reactivity accidents Very energetic phenomena in severe accident conditions for which technical solutions for maintaining containment integrity cannot be ensured. Core meltdown at high pressure (Direct Containment Heating) Steam explosion Hydrogen explosion Containment boundary melt-through Containment failure due to fast overpressurization Non confined severe fuel damage Severe accident with containment by pass. Significant fuel failure in a storage pool

62 Approach to the Demonstration of Practical Elimination
Identification of conditions to be practically eliminated Identification of design and other safety provisions for them Demonstration: When feasible based on physical impossibility (e.g. insufficient hydrogen/oxygen concentration, intrinsic reactivity coefficients, etc.) Justification need to rely on design features and operational means to prevent the conditions Combined use DSA & PSA (not limited to Boolean models) with consideration of uncertainties. Demonstration cannot be achieved alone by showing the compliance with a probabilistic value. This should not be considered as a justification for not implementing reasonable design or operational measures The arguments and methods for justification are highly case specific. Demonstrations can be very challenging

63 Practically Eliminated
DECs NO AOO DBAs (safety systems) Operational States Accident Conditions Plant Design Envelope Beyond Plant Design Envelope Safety features for sequences without significant fuel degradation Safety features for accident with core melting Practically Eliminated Large or Early Releases Large Component Failure Fast Reactivity Excursion HPME MCCI Operational Criteria Acceptance Criteria H2 detonation Cont'ment Bypass Acceptance Criteria Acceptance Criteria Consequences limited in time and area

64 Vienna Declaration (1/2)
……have adopted the following principles to guide them, as appropriate, in the implementation of the objective of the CNS to prevent accidents with radiological consequences and mitigate such consequences should they occur: New nuclear power plants are to be designed, sited, and constructed, consistent with the objective of preventing accidents in the commissioning and operation and, should an accident occur, mitigating possible releases of radionuclides causing long-term off site contamination and avoiding early radioactive releases or radioactive releases large enough to require long-term protective measures and actions.

65 Vienna Declaration (2/2)
……have adopted the following principles to guide them, as appropriate, in the implementation of the objective of the CNS to prevent accidents with radiological consequences and mitigate such consequences should they occur: Comprehensive and systematic safety assessments are to be carried out periodically and regularly for existing installations throughout their lifetime in order to identify safety improvements that are oriented to meet the above objective. Reasonably practicable or achievable safety improvements are to be implemented in a timely manner.

66 Conclusions The new Safety Requirements for NPP design and their revision after the Fukushima Daiichi Accident have introduced important changes that affect the safety approach of the design. Some of the terms had led to different interpretations on MSs IAEA has tried to clarify some aspects of the requirements (TECDOC 1791) and revising the safety guides for design The lessons learned from the Fukushima Daiichi accident called for strengthening DiD, but enhanced methods are necessary to assess DiD (assessment of each level and of independence between levels). IAEA is planning to revise SR-46 and work on methods for the assessment of DiD (deterministic and probabilistic) IAEA is planning to develop a new safety guide on the Safety Approach in NPP design which would address cross cutting issues that don’t belong exclusively to individual plant systems (assessment of DiD, practical elimination of large/early releases, etc.)

67 Thank you for your kind attention! J.Yllera@iaea.org

Download ppt "Nuclear Safety Standards Committee 41st Meeting, 21 – 23 June, 2016"

Similar presentations

Integra Consult A/S Safety Assessment. Integra Consult A/S SAFETY ASSESSMENT Objective Objective –Demonstrate that an acceptable level of safety will.

Integra Consult A/S Safety Assessment. Integra Consult A/S SAFETY ASSESSMENT Objective Objective –Demonstrate that an acceptable level of safety will.
Presented by: Muhammad Ayub Pakistan Nuclear Regulatory Authority Safety Enhancement at Nuclear Power Plants in Pakistan Prospects of Nuclear Energy in.

Presented by: Muhammad Ayub Pakistan Nuclear Regulatory Authority Safety Enhancement at Nuclear Power Plants in Pakistan Prospects of Nuclear Energy in.
RISK INFORMED APPROACHES FOR PLANT LIFE MANAGEMENT: REGULATORY AND INDUSTRY PERSPECTIVES Björn Wahlström.

RISK INFORMED APPROACHES FOR PLANT LIFE MANAGEMENT: REGULATORY AND INDUSTRY PERSPECTIVES Björn Wahlström.
1 MANUFACTURING AND PRODUCTION OF BIOLOGICAL PRODUCTS (ERT 455) HAZARD ANALYSIS AND CRITICAL CONTROL POINT (HACCP) SYSTEM Munira Mohamed Nazari School.

1 MANUFACTURING AND PRODUCTION OF BIOLOGICAL PRODUCTS (ERT 455) HAZARD ANALYSIS AND CRITICAL CONTROL POINT (HACCP) SYSTEM Munira Mohamed Nazari School.
MODULE “PROJECT MANAGEMENT AND CONTROL” EMERGENCY PLANNING SAFE DECOMMISSIONING OF NUCLEAR POWER PLANTS Project BG/04/B/F/PP-166005, Programme “Leonardo.

MODULE “PROJECT MANAGEMENT AND CONTROL” EMERGENCY PLANNING SAFE DECOMMISSIONING OF NUCLEAR POWER PLANTS Project BG/04/B/F/PP , Programme “Leonardo.
Lindy Hughes Fleet Fire Protection Program Engineer Southern Nuclear Operating Company June 4, 2013 Fire Protection.

Lindy Hughes Fleet Fire Protection Program Engineer Southern Nuclear Operating Company June 4, 2013 Fire Protection.
School for drafting regulations Nuclear Safety Decommissioning Vienna, 2-7 December 2012 Tea Bilic Zabric.

School for drafting regulations Nuclear Safety Decommissioning Vienna, 2-7 December 2012 Tea Bilic Zabric.
Framatome ANP IP-EUROTRANS Meeting WP 1.5 Progress in safety approach development TEE, March 17 2006 Sophie EHSTER.

Framatome ANP IP-EUROTRANS Meeting WP 1.5 Progress in safety approach development TEE, March Sophie EHSTER.
May 22nd & 23rd 2007 Stockholm EUROTRANS: WP 1.5 Task 1.5.4 Containment Assessment IP-EUROTRANS DOMAIN 1 Design WP 1.5 Safety Assessment of the Transmutation.

May 22nd & 23rd 2007 Stockholm EUROTRANS: WP 1.5 Task Containment Assessment IP-EUROTRANS DOMAIN 1 Design WP 1.5 Safety Assessment of the Transmutation.
AREVA NP EUROTRANS WP1.5 Technical Meeting Task 1.5.1 – Safety approach Madrid, November 13-14 2007 Sophie EHSTER.

AREVA NP EUROTRANS WP1.5 Technical Meeting Task – Safety approach Madrid, November Sophie EHSTER.
Main Requirements on Different Stages of the Licensing Process for New Nuclear Facilities Module 4.7 Commissioning Geoff Vaughan University of Central.

Main Requirements on Different Stages of the Licensing Process for New Nuclear Facilities Module 4.7 Commissioning Geoff Vaughan University of Central.
PART IX: EMERGENCY EXPOSURE SITUATIONS Module IX.1: Generic requirements for emergency exposure situations Lesson IX.1-2: General Requirements Lecture.

PART IX: EMERGENCY EXPOSURE SITUATIONS Module IX.1: Generic requirements for emergency exposure situations Lesson IX.1-2: General Requirements Lecture.
Protection Against Occupational Exposure

Protection Against Occupational Exposure
Codex Guidelines for the Application of HACCP

Codex Guidelines for the Application of HACCP
Definition, Role and Documentation of the Safety Case: Quick Review

Definition, Role and Documentation of the Safety Case: Quick Review
Outcome of the EU Nuclear Safety Stress Tests Andrej Stritar Chairman, ENSREG.

Outcome of the EU Nuclear Safety Stress Tests Andrej Stritar Chairman, ENSREG.
IAEA - Department of Nuclear Safety & Security

IAEA - Department of Nuclear Safety & Security
08 October 2015 M. Ammar Mehdi Introduction to Human Resource Management & SSG-16 Actions 4 th Steering Committee on Competence of Human.

08 October 2015 M. Ammar Mehdi Introduction to Human Resource Management & SSG-16 Actions 4 th Steering Committee on Competence of Human.
Energy Forum 2011, Changing the Energy Paradigm and Outlook for South-Eastern EU Energy Forum 2011 Nuclear Safety Regulation in Romania Recent Developments.

Energy Forum 2011, Changing the Energy Paradigm and Outlook for South-Eastern EU Energy Forum 2011 Nuclear Safety Regulation in Romania Recent Developments.
IAEA International Atomic Energy Agency. IAEA Outline Learning Objectives Introduction IRRS review of regulations and guides Relevant safety standards.

IAEA International Atomic Energy Agency. IAEA Outline Learning Objectives Introduction IRRS review of regulations and guides Relevant safety standards.

Similar presentations

Ads by Google