Ivica Basic and Ivan Vrbanic

Transcription

1 Ivica Basic and Ivan Vrbanic OVERVIEW AND COMPARISON OF INTERNATIONAL PRACTICES CONCERNING THE REQUIREMENTS ON SINGLE FAILURE CRITERION WITH EMPHASIZE ON NEW WATER-COOLED REACTOR DESIGNS I. BASIC APoSS Zabok, Croatia I.VRBANIC APoSS Zabok, Croatia Abstract The Single Failure Criterion (SFC) ensures reliable performance of safety systems in nuclear power plants in response to design basis initiating events. The SFC, basically, requires that the system must be capable of performing its task in the presence of any single failure. The paper provides an overview of the regulatory design requirements for new reactors addressing the SFC at international level. It considers the SCF in relation to in-service testing, maintenance, repair, inspection and monitoring of systems, structures and components important to safety, as well as to severe challenges not included in the design envelope. A comparison is provided of the current SFC requirements and guidelines published by the IAEA, WENRA, EUR and nuclear regulators in several selected countries. Also, paper addresses some specific issues concerning the application of SFC such as the allowable equipment outage times and exemptions to SFC requirements. Based on the comparative evaluation, the conclusions are provided concerning the need for the harmonization at the international level. 1. INTRODUCTION The Single Failure Criterion (SFC) ensures reliable performance of safety systems in nuclear power plants in response to design basis initiating events. The SFC, basically, requires that the system must be capable of performing its task in the presence of any single failure. When applied to plant s response to a postulated design-basis initiating event, the SFC usually represents a requirement that particular safety system performs its safety functions as designed under the conditions which can include: All failures caused by a single failure; All identifiable but non-detectable failures, including those in the non-tested components; All failures and spurious system actions that cause (or are caused by) the postulated event. In practice, the SFC exists in two major contexts: (1) system design requirements, largely associated with the general design criteria which require designing safety-related systems to perform safety functions to mitigate design-basis initiating events, assuming a single failure (and calling for the principles of redundancy, independency, separation, and those associated), and, (2) guidance on design-basis-accident (DBA) analysis, directed towards demonstrating adequate design safety margins based upon defined acceptance criteria. 2. OVERVIEW OF INTERNATIONAL REQUIREMENTS CONCERNING SFC The IAEA, in the major document related to the design of the nuclear power plants, SSR-2/1, [1], provides under section 5 (General Plant Design) the requirement concerning the single failure criterion (Requirement 25): The single failure criterion shall be applied to each safety group incorporated in the plant design Spurious action shall be considered to be one mode of failure when applying the single failure criterion17 to a safety group or safety system. 1

2 IAEA-CN The design shall take due account of the failure of a passive component, unless it has been justified in the single failure analysis with a high level of confidence that a failure of that component is very unlikely and that its function would remain unaffected by the postulated initiating event. It is, furthermore, explained: A single failure is a failure that results in the loss of capability of a system or component to perform its intended safety function(s) and any consequential failure(s) that result from it. The single failure criterion is a criterion (or requirement) applied to a system such that it must be capable of performing its task in the presence of any single failure. Generally, based on the SSR-2/1, IAEA requires the application of the single failure criterion (SFC) for all safety systems, which is further covered by the IAEA NS-G guidelines, e.g. NS-G-1.9, Design of the Reactor Coolant System and Associated Systems in Nuclear Power Plants, [2] or NS-G-1.10 Design of Reactor Containment System for Nuclear Power Plants, [3]. For example, NS-G-1.9 states: In order to achieve a well balanced design, appropriate consideration should be given to the redundancy and diversity of systems and components. For safety systems, this consideration should be based on a deterministic approach such as the application of the single failure criterion, supplemented by a risk informed approach. Generally, in applicable IAEA NS-G guides it is discussed that the all evaluations performed for design basis accidents should be made using an adequately conservative approach. In a conservative approach, the combination of assumptions, computer codes and methods chosen for evaluating the consequences of a postulated initiating event should provide reasonable confidence that there is sufficient margin bounding all possible conditions. The assumption of a single failure in a safety system should be part of the conservative approach, as indicated in SSR-2/1 (5.26, DBA definition). On the other hand, care should be taken when introducing adequate conservatism, since: For the same event, an approach considered conservative for designing one specific system could be non-conservative for another; Making assumptions that are too conservative could lead to the imposition of constraints on components that could make them unreliable. In the past, the IAEA had a document Safety Series 50-P-1, Application of the Single Failure Criteria, [4]. This document is outdated and there is no new IAEA document specifically superseding it. In its section 2 it deals with the purpose of the SFC with respect to the safety of a nuclear power plant. It also shows where the criterion has its limitations. The third section explains the difference between active and passive types of failure and the consequences of the failure characteristics for the application of the criterion. Specifically referring to the Design Code [5], it states (in its section 7 dealing with exemptions to SFC) that non-compliance with the SFC may be justified for: very rare PIEs, very improbable consequences of PIEs, or withdrawal from service for limited periods of certain components for purposes of maintenance, repair or periodic testing. It is said that This statement is in line with the relation between the frequency limit for a plant damage state, the frequency of an initiating event and the reliability of all the systems that are provided for dealing with this initiating event (safety group). The limited periods from the last bullet are often referred to as allowable outage times (AOTs). This bullet, therefore, relates the exemptions from SCF to the application of AOTs. However, in the new major document related to the safety aspects of design of the nuclear power plants, SSR-2/1, [1] (which has replaced the Design Core [5]), justifiable exemptions to the SFC are not explicitly addressed anymore. Screening concerning the application of the SFC was performed, additionally to the IAEA s requirements, of the Western European Nuclear Regulators Association (WENRA) safety reference levels, [6], European Utility Requirements (EUR), [7], and of regulatory requirements in selected countries. The comparative discussion of the requirements and positions is given in [8] and [9]. Matrix in Figure 1 attempts to present a concise comparative summary of positions and requirements.

3 Ivica Basic and Ivan Vrbanic Requirements or Regulatory Position SFC applied to: What systems have to meet SFC? Is SFC applied during planned maintenance or repair with AOT? IAEA Safety system General approach: systems which prevent radioactive releases in WENRA Safety system EUR Assembly of equipment (combination of systems and components that perform a specific function) U.S. NRC Safety system environment. Because of different designs, system names and description it can be related to: Reactor Protection System Engineering Safety Feature Actuation System Core Decay Heat Removal System Emergency Core Cooling System Containment decay heat removal system Containment Isolation System MCR Habitability System Emergency AC/DC power Safety System Support System (Component Cooling Water, etc.) Not explicitly discussed in regulations. The allowable periods of safety systems inoperability and the cumulative effects of these periods should be assessed in order to ensure that any increase in risk is kept to acceptable levels. Finish (STUK) Safety system Not explicitly discussed in regulations. The PSA shall be used to determine the surveillance test intervals and allowed outage times of systems and components important to safety. Actually, it is similar with above. YVL B.1 discusses the two failure criteria, (N+1) and (N+2). Some systems need to satisfy criteria (N+1) and some (N+2) UK Safety system See IAEA, WENRA, EUR, U.S. NRC above. Japan Structures, systems and components (SSCs) Korean Safety system Russian Safety features (safety systems elements) China Safety system Canadian Safety group/safety system A request for an exception during testing and maintenance should be supported by a satisfactory reliability argument covering the allowable outage time Is SFC applied to passive components? General approach is that the fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming Passive Equipment functions properly) nor (2) a single failure of a Passive Equipment (assuming Active Equipment functions properly) results in a loss of capability of the system to perform its Safety Functions. Exemption for passive components exists if justification of high standard and quality design and maintenance is possible. Is SFC applied in addition to assuming failure of a non-tested component? Not explicitly discussed in regulations. See fourth column on the left side. In other words it means that if assessment of potential failure of any single component designed for the function in stand-by (non-tested) system shows the increase in risks above acceptable levels such configuration should not be allowed. YVL B.1 discusses the two failure criteria mentioned in fourth column on the left side for Finish (STUK). See IAEA, WENRA, EUR, US NRC above. Similar position to IAEA, WENRA, EUR, US NRC above even that section of REG- DOC-2.5.2, [14], refers to the old IAEA, Safety Series No. 50-P-1, [4], which was withdrawn without applicable replacement. FIG. 1. Overview of SFC Application Requirements 3. SFC APPLICATION IN THE CONTEXT NEW WATER-COOLED REACTOR DESIGNS Obviously, SFC as a design principle does not have a definitive alternative. However, the experience with application of SFC which was gained over the period of time stretching over half of a century points out to some weaknesses and/or insufficiency in rigid SFC rule which may need to be reconsidered in the context of new water-cooled (or other) reactor designs. A number of particular considerations may be summarized via the following two main points regarding traditional SFC application, which can be very frequently encountered in the discussions: 3

4 IAEA-CN-251 The first point is that traditional application of the SFC has, apparently, sometimes led to redundant system components, which contribute to adequate and acceptable safety margins, but may have only minimal impact on risk, based on conventional risk assessment studies. While maintaining adequate safety margins is a major safety objective, the application of the worst single-failure assumption for all DBAs may, in some cases, result in unnecessary constraints on licensees. The second point is that the traditional implementation of the SFC does not consider potentially risksignificant sequences involving multiple (rather than single) failures as part of the DBA analysis. Common-cause failures, some support system failures, multiple independent failures, and multiple failures caused by spatial dependencies and multiple human errors, are phenomena that impact system reliability, which may not be mitigated by redundant system design alone. Some risk-informed alternatives might consider such failures in DBA analyses if they were more likely than postulated single-failure events. Additionally to those (or, sometimes, coming out from them) there are some other considerations which may become increasingly relevant for the application of SCF to the new water-cooled reactor designs. One consideration is that, apparently, the SFC has not always been uniformly applied to passive failures in fluid systems, and such passive failures may gain an additional level of importance with many of new watercooled reactor designs due to increasing reliance on the passive safety features. Therefore, they may need to be particularly addressed in the new SFC requirements. This would include resolving the question of which passive failures to include in the treatment. For example, the passive failure of a single check valve, pipe, or tank could have significant implications on the DBA analysis. Another consideration is that traditional application of the SFC might have not always led to the design of safety systems having the reliability commensurate with the frequency of important safety challenges. Generally, for more frequent challenges (with same or similar consequences), higher system reliability is desirable to enable safety systems to respond in a manner that results in safe plant shutdown. (As an example from practice, a reference can be made to the discussions in [10]. On the basis of generic safety issue studies, rulemaking, and risk considerations, the U.S. NRC had to supplement the SFC with additional regulations or licensing guidance applicable to selected safety systems. These led to plant modifications and licensee programs in the U.S. to either improve system reliability or demonstrate that the system design was otherwise adequate to cope with the postulated initiating events. Relevant examples include the so-called Station Blackout (SBO) Rule, the Anticipated Transient without Scram (ATWS) Rule, and the guidance to increase availability of PWR auxiliary feedwater systems.) With above in mind, it may be needed to reconsider the traditional, rigid, implementation of the SFC when applying it to new water-cooled (and other) reactor designs. This may include state-of-the-art risk and reliability methods as a basis to adjust the criteria by using quantitative estimates of functional or system reliability as well as quantitative estimates of expected frequency of challenges. As an example, some options for reconsidering the traditional SFC in a way which may be particularly useful for the application to the new water-cooled reactor designs were discussed in the references such as [10] and [11]. Some options, based on considerations in [10], are briefly discussed below. One option for reconsidering the application of SFC is in risk-informing the selection of single- and multiple-failure accident sequences for DBA analysis based upon their frequencies. This could eliminate some single-failure accident sequences from the design basis, while it also could lead to the addition of some multiple-failure sequences. It would require that the reliability of certain components or structures excluded from the DBA analysis would be additionally monitored to assure their continued high reliability or integrity (e.g., reactor coolant pressure boundary). This one can be referred to as sequence-based approach to SFC reconsideration. Another option is in risk-informing the application of the SFC to systems in a manner that is commensurate with their safety significance. This one can be referred to as system-based approach. It would rely on the principles of risk-informed safety categorization of SSC which are already well developed (e.g. 10 CFR 50.69, [12]). For example, for non-safety significant systems which were traditionally safety-classified the requirements of the current SFC may be relaxed. Additional performance monitoring of safety significant systems would be required. Yet another option would be to generalize the SFC by varying the redundancy requirement according to the initiating event category, and providing guidance on diversity. This can be supplemented by allocating

5 Ivica Basic and Ivan Vrbanic system or function reliability on the basis of top-level risk guidelines and targets. This is, also, well established practice in some IAEA member states. The licensee would establish targets for lower-level (train-level) reliability satisfying the functional reliability targets upon which the SSC treatment, including performance monitoring, would be established. The above outlined options include a range of concepts that might be used to pursue risk-informed and performance-based changes to the SFC application to new reactor designs. Other options could be constructed, involving different combinations of the basic concepts. To put into perspective the need for adjusting the traditional SFC approach when applied to the new reactor designs (or, at least, advisability of it), the following points may be included into a consideration: New water cooled reactor designs (at least those into the review of which the authors of this paper were involved) have considerably lower quantitative risk measures (e.g. CDF) and very much different risk profile as compared to the operating plants. This may only amplify the issues discussed above. New water-cooled reactor designs have largely increased reliance on passive safety features, which calls for clarification of position toward the treatment of passive failures in fluid systems. Examples may include the following: Some (actually, many of) new designs rely on single large passive components or structures, e.g. large single tanks or large single heat exchangers relying on natural circulation. How should those be treated in the SFC analysis, in the context of CDF for internal initiating events at the order of magnitude of 1E-07 /y? Some designs rely on check valves (non-return valves) having to open or close at rather low delta pressure (e.g. dictated by gravity force). How should those be treated in the context of SFC (e.g. active or passive failures)? In the case of some designs Safety Analysis Report claims for physical impossibility of certain initiators, such as large LOCAs (opening the questions how large LOCA is to be defined; but, further discussion on this matter is omitted, for the sake of the example) due to the limit on the diameter of the pipes connecting to the reactor vessel. This leaves (if the argument is accepted) the residual risk of the reactor vessel failure. In the case of the operating plants the core damage risk contribution of the reactor vessel failure is at the order of 1% or lower. (Typically, it is claimed that CDF contribution of such initiator is below 1E-07 /y on account of vessel in-service inspections and similar arguments.) However, with considerably reduced CDF (internal initiators) for the new designs this contribution easily becomes 10% or, even, considerably higher. How is the reactor vessel failure to be treated in the SFC evaluation in such a context? Other examples may include failure modes such as filter or screen plugging or clogging. Those have been seen as considerable contributors to core damage risk in some Safety Analyses Reports for the new designs. How are those to be treated in the SFC analysis? With high reliance on passive safety features, the most of the risk coming from active failures is associated with common cause failures. Some of the new designs have been seen to be modified based on the preliminary PSA results due to high contributions of CCF of certain valves. How are CCFs to be treated (or: should they be addressed) in the SFC analysis of a new design with internal initiating evens CDF of 1E-07 /y? Obviously, with high reliance on passive safety features, the structural reliability of the corresponding SSCs becomes correspondingly important. Examples may include seismic fragility (or extreme wind fragility or aircraft crash fragility, or others). How should those be related to the SFC, putting altogether in the context if internal events CDF of 1E-07? Current SFC philosophy is focused on demonstrating the safety margins (e.g. peak cladding temperature or containment pressure) following the design basis initiator accompanied by the worst single failure. Considering that external events such as earthquakes may become dominating risk contributors for inherently safe new designs, should the approaches or concepts such as seismic margins or, more generally, structural load margins, be somehow related to the SFC? With design-specific internal events CDF considerably lowered, the role of the spatial impacts induced by internal hazards (similarly to external) becomes increasingly important. The same questions apply as above. 5

6 IAEA-CN-251 Although most of the new designs with increased role of the passive features are free of the short-term need for human actions, certain human actions may be needed in the longer time frame. Should those be considered in the SFC in the new (low) risk context? How the SFC evaluation should be related to the concept of practical elimination of sequences with large radioactivity releases, promoted in the IAEA documents [1] and [13]? These and other points of consideration may make it advisable to consider adjusting the traditional SFC approaches for applications to the new reactor designs, using some of the options discussed above. 4. CONCLUDING REMARKS One important conclusion which can be made is that nuclear industry and regulation applications either to single failure criterion or defense-in-depth are not very well harmonized in the international practice. Additional effort is advisable to be made in order to establish more strict and harmonized design requirements with regard to either SFC or DiD to improve safety of nuclear installations in future. Past experience with application of SFC which was gained over the period of time stretching over half of a century points out to some weaknesses in rigid application of traditional SFC rules. Those include failing to establish reliability of the functions important to safety which would be commensurate with frequencies of challenges to them. It has been many times repeated that traditional design basis analyses (DBA) are conservative because they assume failure of single train. It has been rarely pointed out that the same analyses may be optimistic because they assume that complementary train will succeed for granted. It seems to be advisable to reconsider and adjust the SFC approach for application to the new watercooled (or other) reactor designs. The options for that have been discussed and identified in the references. REFERENCES [1] IAEA Safety Standard Series, SSR-2/1, Safety of Nuclear power Plants: Design, Rev.1, IAEA, Vienna, 2016 [2] IAEA Safety Standards Series, NS-G-1.9, Design of the Reactor Coolant System and Associated Systems in Nuclear Power Plants, IAEA, Vienna, 2004 [3] IAEA Safety Standards Series, NS-G-1.10, Design of Reactor Containment Systems for Nuclear Power Plants, IAEA, Vienna, 2004 [4] IAEA Safety Series No. 50-P-1, Application of the Single Failure Criterion, 1990 [5] IAEA Safety Series No. 50-C-D, Code on the Safety of Nuclear Power Plants: Design, Rev. 1, 1988 [6] Western European Nuclear Regulators Association Safety Reference Levels for Existing Reactors, WENRA, [7] European Utility Requirements for LWR Nuclear Power Plants, Revision D, October 2012 [8] Bašić, I. Vrbanić, Assessing Regulatory Requirements and Guidelines for the Single Failure Criterion (Research Project R557.1), ENCO FR-(15)-12, June 2015 [9] Bašić, I. Vrbanić, International Context Regarding Application of Single Failure Criterion (SCF) for New Reactors, Proceedings of the 10th International Conference of the Croatian Nuclear Society, Zadar, Croatia, 5-8 June 2016 [10] U.S. NRC SECY , Risk-Informed And Performance-Based Alternatives To The Single-Failure Criterion, U.S. NRC, 2005 [11] NUREG-1860, Feasibility Study for a Risk-Informed and Performance-Based Regulatory Structure for Future Plant Licensing, U.S. NRC, 2007 [12] US NRC 10CFR50, [36 FR 3256, Feb. 20, 1971, as amended at 36 FR 12733, July 7, 1971; 41 FR 6258, Feb. 12, 1976; 43 FR 50163, Oct. 27, 1978; 51 FR 12505, Apr. 11, 1986; 52 FR 41294, Oct. 27, 1987; 64 FR 72002, Dec. 23, 1999; 72 FR 49505, Aug. 28, 2007] [13] IAEA TECDOC-1791, Considerations on the Application of the IAEA Safety Requirements for the Design of Nuclear Power Plants, IAEA, 2016 [14] REGDOC-2.5.2, Design of Reactor Facilities: Nuclear Power Plants, CNSC, May 2014