Making sense of nuclear safety: Insights from the Overall Safety Concept study
Suomalaisen ydintekniikan päivät (SYP), October 2, 2016
Prof. Juhani Hyvärinen, LUT, Nuclear Engineering
Why overall safety?
Safety requirements and safety justification of nuclear power plants have become very complicated:

Tendency -> Consequence
- Increasing number of Defence-in-Depth levels -> Level independence compromised
- Dissimilar postulated events and hazards -> Inconsistent treatment
- Multiple kinds of safety (nuclear safety, nuclear security, nuclear materials safeguards) -> Both conflicting and synergistic requirements
- Gap widens between legacy plant safety features and future plant regulations -> Equipment upgrading impractical if not impossible
- Safety requirements developed for large LWRs only -> Licensability of alternate technologies (small reactors, fast reactors) uncertain

Organised thinking in terms of an overall safety concept helps address such problems!
ORSAC at SYP2016
ORSAC: Overall Safety Concept framework development
- Small study initiated by the national nuclear safety research program SAFIR-2018 (volume 26 k)
- Topical seminar on December 4, 2015
- Study launched in April 2016
- Draft report produced in May-August 2016
- Discussion seminar on September 2, 2016
- Final report under SAFIR review
- Carried out by a team at LUT Nuclear Engineering
- Seminars well attended by the best Finnish experts
Overall safety concept needs to cover the whole picture [December 2015 seminar]
[Figure: scope diagram. Outer context: Society, Sustainability. Initial ORSAC scope: Safety, Security, Safeguards. Material stages covered: Core, Fresh fuel, SF pool, SF interim, Nuclear Waste Management.]
Natural starting point: defence-in-depth
- A surprisingly elusive notion: e.g. the U.S. NRC NUREG/KM-0009, Historical Review and Observations of Defense-in-Depth, April 2016, contains 200+ pages of different definitions from the 1950s till the present; IAEA TECDOC-1791, Considerations on the application of the IAEA safety requirements for the design of nuclear power plants, 2016, gets by with 70 pages
- The ORSAC study builds mainly on the functional defence-in-depth but also uses the structural view
Defence levels in the 1970s
Plant states: Operational states (Normal operation; Anticipated operational occurrences); Accident conditions (Design basis accidents)
Defence levels: Non-safety systems (N+0); Safety systems 1; Safety systems 2
Defence lines according to YVL 1.0 (1982) and VNP 395/1991
Plant states: Operational states (Normal operation; Anticipated operational occurrences); Accident conditions (Design basis accidents; Core melt accidents)
Defence lines: Non-safety systems; Safety systems; Independent SAM systems
At the time SAM systems were envisioned to consist mainly of filtered containment venting, so complete independence from other safety systems was easy to achieve.
Modern IAEA view [SSR-2/1 Rev. 1, 2016]: Plant states and event categories
[Figure: IAEA plant states and event categories diagram.]
STUK definition of plant states and event categories (before introduction of DECs)
STUK before DECs:
- (Operational states) Normal operation; Anticipated operational occurrences
- (Accident conditions) Postulated accidents, Class 1 and Class 2; DECs; Core melt accident
STUK definition of plant states and event categories [YVL B.1 Justification memo]
STUK with DECs:
- (Operational states) Normal operation; Anticipated operational occurrences
- (Accident conditions) Postulated accidents, Class 1 and Class 2; Design extension conditions A (CCF); Design extension conditions B (Multi-F), C (Rare event); Core melt accident
STUK definition of plant states and event categories [YVL B.1 Justification memo], compared with IAEA
IAEA:
- Operational states: Normal operation; Anticipated operational occurrences
- Accident conditions: Design basis accidents; Design extension conditions, without significant fuel degradation and with core melting
STUK:
- (Operational states) Normal operation; Anticipated operational occurrences
- (Accident conditions) Postulated accidents, Class 1 and Class 2; Design extension conditions A (CCF); Design extension conditions B (Multi-F), C (Rare event); Core melt accident
Frequency limits for event categories [YVL B.1 Justification memo; YVL A.7]
Event categories, from operational states to accident conditions: Normal operation; Anticipated operational occurrences; Postulated accidents Class 1; Postulated accidents Class 2; DEC A (CCF); DECs B (Multi-F), C (Rare event); Core melt accident; Emergency preparedness
Frequency boundaries: 10^0 /a, 10^-2 /a, 10^-3 /a, 10^-4 /a, 10^-5 /a, 5×10^-7 /a, 1×10^-7 /a
The probabilistic safety goals from YVL A.7 are CDF < 10^-5 /a and LERF < 5×10^-7 /a; these are compound frequencies. Frequency limits for DECs are indicative. Independent of their exact value, the DECs overlap the Postulated accident, Core melt and Emergency preparedness region. A DEC C lower limit of 10^-7 /a has been required informally, but not codified (yet?).
ORSAC at YTN 4.11.2016
Dose limits and event frequencies in the Finnish system, 1991 (three-level DID)
[Figure: dose limit versus event frequency; categories AOO, DBA, Severe.]
AOO and DBA limits date back to the 1970s. DCS 395/1991 introduced an explicit severe accident limit.
Dose limits and event frequencies in the Finnish system after ~1998
[Figure: dose limit versus event frequency; categories AOO, DBA Class 1, DBA Class 2, Severe.]
The DBA category was split in two. TVO, to justify a 16 % thermal power uprate, upgraded the plant, moving limiting AOO events to the DBA frequency range.
Dose limits and event frequencies in the Finnish system after ~2008
[Figure: dose limit versus event frequency; categories AOO, DBA Class 1, DBA Class 2, DEC A, B, C, Severe.]
DECs were imported with Olkiluoto 3. Unlike the original Franco-German safety design, STUK made DECs parallel to DBA and SAM.
Dose limits and event frequencies in the Finnish system after 2013
[Figure: dose limit versus event frequency; categories AOO, DBA Class 1, DBA Class 2, DEC A, B, C, Severe.]
The drastic reduction of the SAM short-term dose limit is a result of WENRA harmonisation.
In the risk equation Risk ~ F·D^2, the consequence weighting power 2 is extremely high.
Overall concept idea: main safety functions overlaid on defence lines
Plant states (columns): Operational states (Normal operation; Anticipated operational occurrences); Accident conditions (Design basis accidents; Design extension conditions without significant fuel degradation; Design extension conditions with core melting)
Main safety functions (rows):
- Subcriticality: System 1; System 2; N/A (with core melting)
- Heat removal: Normal means; Emergency means; SAM
- Containment: Closed systems; Primary containment structure
Main safety functions depend on supporting safety functions such as power supply and HVAC
Natural and explicit presentation of redundancy, diversity, and separation; independence
Plant states (columns): Operational states (Normal operation; Anticipated operational occurrences); Accident conditions (Design basis accidents; Design extension conditions without significant fuel degradation; Design extension conditions with core melting)
Main safety functions (rows):
- Subcriticality: System 1; System 2; N/A (with core melting)
- Heat removal: Normal means; Emergency means; SAM
- Containment: Closed systems; Primary containment structure
Supporting safety functions (rows):
- Power supply: Grid connections; EDGs; DEC diesel generators
- HVAC
External hazard integration option
External hazard frequency scale: 10^-1 /a, 10^-2 /a, 10^-3 /a, 10^-4 /a, 10^-5 /a, 10^-6 /a, 10^-7 /a
Event categories: (Operational states) NO; AOO; (Accident conditions) DBA Class 1; DBA Class 2; DEC A; DEC B, C; Core melt
Event category frequency boundaries: 10^0 /a, 10^-2 /a, 10^-3 /a, 10^-4 /a, 10^-5 /a, 5×10^-7 /a
External conditions less frequent than ~10^-5 /a are to be treated as initiating events under DEC C.
Barrier interpretation of Defence-in-Depth: against fission product release (in theory)
Barriers, from inside out: Fuel matrix; Fuel cladding; Reactor system; Containment structure; Plant fence
Security zones [YVL A.11, 324]
Zones, from inside out: Vital area; Protected area; Plant area; Restricted area
Vital systems and fissile material sit in the innermost zone.
Threat of intrusion runs inward through the zones; threat of release runs outward through the barriers: Fuel cladding; Reactor system; Containment structure; Plant fence
Security parallels [YVL B.1 Justification memo; YVL A.11]
The security threat levels indicate the principle, not actual levels.
Security threat levels: Level 0; Level 1; Level 2; Level 3
Dose limits: 0.1 mSv/s; 0.1 mSv; 1 mSv; 5 mSv; 20 mSv
Event categories with redundancy requirement:
- (Operational states) Normal operation, N+1 (owner req.); Anticipated operational occurrences, N+1
- (Accident conditions) Postulated accidents Class 1; Class 2, N+2; DEC A (CCF), N+1; Design extension conditions B (Multi-F), C (Rare event), N+0; Core melt accident, N+1
Frequency boundaries: 10^0 /a, 10^-2 /a, 10^-3 /a, 10^-4 /a, 10^-5 /a, 5×10^-7 /a
Safety, security, safeguards integration
Security zones: Vital area; Protected area; Plant area; Restricted area
Safety barriers: Containment structure; Plant fence
Safeguards (IAEA): Fissile material, fresh; Fissile material, core; Fissile material, spent; Material balance area
Organisation of organisations: new build
Functional levels and organisations:
- Level 1, Construction: Constructing consortia (CFS, RAOS)
- Level 2, Ownership: Project owners (TVO, Fennovoima)
- Level 3, Technical oversight: Technical Regulator (STUK)
- Level 4, Administration: TEM / Government; Parliament
(Influence exercised by law and by opinion.)
Support / Stakeholder: Expert services by TSOs, universities; Inspection Organisations (independent); O&M contractors; IOs, accredited; Intervenors; Local population; General public
Conclusions and future avenues
ORSAC has successfully produced an Overall Safety Concept that can
- make sense of Defence-in-Depth and the factual independence of defence lines
- naturally and logically integrate initiating events and various hazards, up to security and safeguards hazards
The concept is transparent: all assumptions are made visible, and it forces the user to keep an overall view in sight at all times.
Conclusions and future avenues
Many paths for future development:
- practical application to an operating plant
- extension to equipment qualification and justification
- deepening the security and safeguards treatment
- deeper treatment of safety margins at individual levels
- deeper analysis of the nuclear community as an organisation-of-organisations
- extension to fresh and spent fuel storages and waste disposal
- application to an SMR or GEN4 concept
Thank you!
juhani.hyvarinen@lut.fi