Nuclear Safety Standards Committee


1 Nuclear Safety Standards Committee, 41st Meeting, June 2016
IAEA Topical Issues Conference in Nuclear Installation Safety
Agenda item: Safety Demonstration of Advanced Water Cooled NPPs
Title: Workshop on Design Extension Conditions
J. Yllera, IAEA Safety Assessment Section, Division of Nuclear Installation Safety
Vienna, 7 June 2017

2 Contents
- Historical perspective on the IAEA Safety Standards and the introduction of the concept of Design Extension Conditions (DEC)
- DEC in SSR 2/1 (Rev.1)
- Elaboration on the concept and use of DEC (IAEA-TECDOC-1791)
- Implementation of DEC in IAEA Safety Guides

3 Plant States and Design Envelope (Earlier Concept)

| Operational States | Design Basis Accident Conditions | Beyond Design Basis (Accident Management) |
| NO, AOO | DBAs (safety systems) | BDBA, Severe Accidents (core melting) |

The need for reinforcing some aspects of the design and expanding the design envelope was progressively recognized after the TMI and Chernobyl accidents and in the light of the available operational experience. Some design improvements and associated regulations related to:
- Station Blackout
- ATWS
- Hydrogen control
- F&B
- Containment venting, etc.
Regulations, acceptance criteria and rules for design and safety analysis different from those applied to DBAs were allowed for these conditions.

4 [Figure: timeline of the IAEA Safety Standards from 1993 to the feedback from the Fukushima accident]

5 NS-R-1 (2000): General Design Basis
6) Design Basis Accidents (DBAs)
- Conservative set of bounding accidents determined with pessimistic assumptions on the evolution of the sequence and for which SSCs important to safety are designed.
- Use of automatic safety systems only.
- Established conservative acceptance criteria.
7) Severe Accidents (SAs)
- Definition: accident condition more severe than a DBA, with significant core degradation.
- Identification of sequences (which may arise owing to multiple failures of safety systems) that may lead to SAs.
- Selection of a few sequences, using deterministic and probabilistic methods and engineering judgement, to be considered in the design.
- Definition of design measures and procedures to deal with the selected sequences.
- Measures to cope with SAs less stringent than those used to cope with DBAs.
Note: The term DEC was already in use in 2000 but was not adopted in NS-R-1.

6 NS-G-1.10 Design of Reactor Containment Systems for NPPs (2004)
6.5. For new plants, possible severe accidents should be considered at the design stage of the containment systems. The consideration of severe accidents should be aimed at practically eliminating the following conditions:
- Severe accident conditions that could damage the containment in an early phase as a result of direct containment heating, steam explosion or hydrogen detonation;
- Severe accident conditions that could damage the containment in a late phase as a result of basemat melt-through or containment overpressurization;
- Severe accident conditions with an open containment, notably in shutdown states;
- Severe accident conditions with containment bypass, such as conditions relating to the rupture of a steam generator tube or an interfacing system LOCA.

7 SSR 2/1: Requirements for Design of NPPs
Hierarchy of the IAEA Safety Standards:
- Safety Fundamentals: safety objectives and safety principles
- Safety Requirements: functional conditions required for safety
- Safety Guides: guidance on how to fulfil the requirements
SSR 2/1 was published in 2012. Rev. 1 is a limited revision to take into account the feedback from the Fukushima Daiichi accident.

8 Importance of the Requirements for the Design of NPPs
The requirements:
- define a common safety approach and terminology and establish the safety level for designs of nuclear power plants;
- reflect the state of the art;
- reflect the views and the licensing practices of the majority of IAEA Member States (a document of large consensus);
- provide the links with the requirements for site evaluation and for operation, taking into consideration the impact of the site on the design and providing for easy and safe operation;
- are used as a reference for establishing licensing regulations in several countries, adopted as national regulation, and used to integrate existing national regulations;
- are the main reference for performing design safety reviews.


10 SSR 2/1 - Requirement 20: DECs (1/2)
A set of design extension conditions shall be derived on the basis of engineering judgement, deterministic assessments and probabilistic assessments for the purpose of further improving the safety of the nuclear power plant by enhancing the plant's capabilities to withstand, without unacceptable radiological consequences, accidents that are either more severe than design basis accidents or that involve additional failures. These design extension conditions shall be used to identify the additional accident scenarios to be addressed in the design and to plan practicable provisions for the prevention of such accidents or mitigation of their consequences.
- The main purpose of DECs is to ensure that accident conditions not considered as DBAs are prevented and/or mitigated as far as reasonably practicable.
- DECs are used to define the design basis for the safety features and for the other items important to safety that are necessary to prevent and to mitigate core damage.
- Safety features for DECs are not required to comply with the single failure criterion.
- Design extension conditions can be analysed with a best estimate analysis.

11 SSR 2/1 - Requirement 20: DECs (2/2)
Safety features for DEC:
- Shall be independent, to the extent practicable, of those used in more frequent accidents;
- Shall be capable of performing in the environmental conditions related to DEC, including severe accidents, where appropriate;
- In particular, the containment and its safety features shall be able to withstand extreme scenarios that include, among other things, melting of the reactor core. These scenarios shall be selected using engineering judgement.
The design shall be such that the possibility of plant states arising that could lead to early or to large releases is practically eliminated (*). For DEC, protective measures that are limited in terms of times and areas of application shall be sufficient for the protection of the public, and sufficient time shall be available to take such measures.
(*) The possibility of certain conditions occurring is considered to have been practically eliminated if it is physically impossible for the conditions to occur or if the conditions can be considered with a high degree of confidence to be extremely unlikely to arise.

12 TECDOC Objectives / Scope
TECDOC-1791 is aimed at facilitating the understanding of, and providing more explicit information on, selected topics introduced in SSR-2/1 (Rev.0) and its new revision (Rev.1). It addresses the following topics:
- Plant states considered in the design (for the reactor and the SFP); design extension conditions without and with fuel damage
- Design basis of plant equipment
- Defence in Depth (DiD) strategy for new plants
- Independence of the levels of DiD and prevention of common cause failures
- Reliability of the heat transfer to the ultimate heat sink
- Design margins and prevention of cliff-edge effects
- Concept of practical elimination of early or large releases
- Design for external hazards
- Use of mobile sources of electric power and coolant

13 Design Extension Conditions (DECs)
The term was introduced in the EUR to define accident sequences, selected on a deterministic and probabilistic basis, that go beyond the Design Basis Conditions (DBC), including complex sequences and severe accidents, with the intent of improving the safety of the plant by extending the design basis. The term was adopted by the IAEA in SSR 2/1.
DECs are a set of conditions induced by accidents more severe than DBAs, or involving additional multiple failures of safety systems, that the plant has to withstand without unacceptable radiological consequences.
A similar concept was also adopted by WENRA, although the term DEC was initially not explicitly used.

14 Safety features for DEC without significant fuel degradation (1/4)
- Complement the safety systems for DBA in order to reach a CDF goal in specific cases. Not a substitute for unreliable safety systems.
- Intended for rare events/complex sequences; not applicable to all accident sequences.
- Application of less stringent requirements (with the acceptance of the regulatory body): for example, no need for the single failure criterion or automatic actuation, a different safety class, different design rules and codes, use of best estimate analysis, and possibly different acceptance criteria, including radiological criteria.

15 Safety features for DEC without significant fuel degradation (2/4)
DECs are to be derived systematically on the basis of:
- Engineering judgement
- Deterministic evaluations (DSA)
- Probabilistic considerations (PSA)
- Operating experience
DECs are technology dependent. Recommended DECs (except for SBO) are not available in the IAEA Safety Standards. An alternate independent power supply is required for DEC.

16 Safety features for DEC without significant fuel degradation (3/4)
Exemplary listing (some countries also refer to these as deterministically identified DECs); may include:
- anticipated transient without scram (ATWS)
- station blackout (SBO)
- loss of core cooling in the residual heat removal mode
- prolonged loss of fuel pool cooling and of fuel pool inventory
- loss of normal access to the ultimate heat sink

17 Safety features for DEC without significant fuel degradation (3/4, continued)
DECs derived from PSA might include (examples):
- total loss of feed water
- LOCA plus loss of one emergency core cooling system (the high pressure or the low pressure emergency cooling system)
- loss of the component cooling water system or the essential service water system
- uncontrolled boron dilution
- multiple steam generator tube ruptures (for PWRs)
- steam generator tube ruptures induced by main steam line break (for PWRs)
- uncontrolled level drop during mid-loop operation (for PWRs) or during refuelling

18 Safety features for DEC without significant fuel degradation (4/4)
Features to mitigate DECs without significant fuel degradation:
- Systems specifically designed for DEC (independent and, if possible, diverse)
- Available safety systems that are capable of mitigating the DEC, using the criteria applicable for safety systems (is it necessary to use the term DEC in this case?)
- Available safety systems evaluated with the less stringent requirements applicable for DEC
- Equipment for operational states qualified to operate for specific DECs
- Accident management measures using available plant equipment not designed for DEC (is this a DEC or a beyond design basis accident?)

19 DECs with Core Melting
- SSR 2/1 requires designing for core damage sequences.
- It is necessary to identify a representative group of severe accident conditions to be used for defining the design basis of the safety features for DECs.
- Core melt scenarios are the bounding cases for severe accidents with core damage.
- Main objective: practical elimination of early or large releases, i.e. preventing the loss of containment integrity; cooling and stabilization of the molten fuel are also necessary.
- Safety features for DEC with core melting are required to be independent, to the extent practicable, from the SSCs designed for preventing core damage.
- Adequate margins are required to protect the items ultimately necessary to prevent an early radioactive release or a large radioactive release in the event of levels of natural hazards exceeding those considered for design.

20 TECDOC: DiD approach of SSR 2/1. Elaboration on the original table from INSAG-10

| Level of defence (Approach 1) | Objective | Essential design means | Essential operational means | Level of defence (Approach 2) |
|---|---|---|---|---|
| Level 1 | Prevention of abnormal operation and failures | Conservative design and high quality in construction of normal operation systems, including monitoring and control systems | Operational rules and normal operating procedures | Level 1 |
| Level 2 | Control of abnormal operation and detection of failures | Limitation and protection systems and other surveillance features | Abnormal operating procedures/emergency operating procedures | Level 2 |
| Level 3a | Control of design basis accidents (postulated single initiating events) | Engineered safety features (safety systems) | Emergency operating procedures | Level 3 |
| Level 3b | Control of design extension conditions to prevent core melting | Safety features for design extension conditions without core melting | Emergency operating procedures | Level 4a |
| Level 4 | Control of design extension conditions to mitigate the consequences of severe accidents | Safety features for design extension conditions with core melting. Technical Support Centre | Complementary emergency operating procedures/severe accident management guidelines | Level 4b |
| Level 5 | Mitigation of radiological consequences of significant releases of radioactive materials | On-site and off-site emergency response facilities | On-site and off-site emergency plans | Level 5 |

Approach 1 splits level 3 into 3a (DBA) and 3b (DEC without core melting); Approach 2 keeps DEC without core melting at level 4 and splits level 4 into 4a and 4b instead.

21 Use of Non-Permanent Equipment
After the Fukushima accident, the revision of SSR 2/1 requires design provisions to enable the connection of some types of non-permanent equipment in a smooth and safe manner (for situations exceeding the design envelope). For new plants, the features for connecting and using non-permanent equipment should not be necessary for DBA and DEC.

22 Implementation of DEC in IAEA Safety Guides
Recommendations for the design and safety assessment of safety features for DEC are being, or will be, provided in a number of Safety Guides:
- NS-G-1.9 Design of the Reactor Coolant System and Associated Systems in NPPs (under revision)
- NS-G-1.10 Design of Reactor Containment Systems for NPPs (under revision)
- NS-G-1.4 Design of Fuel Handling and Storage Systems for NPPs (under revision)
- SSG-34 Design of Electrical Power Systems for NPPs
- SSG-39 Design of Instrumentation and Control Systems for NPPs
- SSG-2 Deterministic Safety Analysis for NPPs (under revision)
- SSG-3 Development and Application of Level 1 PSA for NPPs (to be revised)
- SSG-4 Development and Application of Level 2 PSA for NPPs (to be revised)
- DS508 Application of Safety Principles and of General Requirements for Design of NPPs (being proposed)

23 Thank you for your kind attention!