
  • Overview And Comparison Of International Practices Concerning The Requirements On Single Failure Criterion With Emphasis On New Water-Cooled Reactor Designs

    Presentation on

    International Conference on Topical Issues in Nuclear Installation Safety:

    Safety Demonstration of Advanced Water Cooled Nuclear Power Plants

    IAEA Headquarters in Vienna, Austria

    6 to 9 June 2017

    Ref No.: CN-251

    Ivica Bašić, Ivan Vrbanić

    APoSS d.o.o.

  • Single Failure Criteria?

    Similar definition throughout the various regulatory frameworks (IAEA, US NRC, WENRA, EUR, national regulation, ...)

    IAEA SSR-2/1 Rev. 1:

    The single failure is a failure that results in the loss of capability of a system or component to perform its intended safety function(s) and any consequential failure(s) that result from it.

    5.39. Spurious action shall be considered to be one mode of failure when applying the concept to a safety group or safety system.

    5.40. The design shall take due account of the failure of a passive component, unless it has been justified in the single failure analysis with a high level of confidence that a failure of that component is very unlikely and that its function would remain unaffected by the postulated initiating event.

  • Single Failure Criteria?

    Different demonstrations of the SFC. Concerns?

    Applicability in Defence in Depth (DiD)

    Definition of the SSC boundary

    Definition of the SSC intended safety function

    Definition of the required SSC capability

    Demonstration of capability with different DSA approaches (conservative, BE, BE + uncertainty, ...)

    Definition of consequential failure

    US NRC SECY-77-439 (1977!) among other things also identified potential problems that have been encountered: additional passive failures (long-term and accelerated wear), valve failures (passive failure of a dropped valve disc), electrical power (and I&C, now very topical due to the wide use of digital I&C), operator error, etc.

  • Levels of Defence in Depth (DiD) for the design of new NPPs

    Columns: Level of defence / Objective / Essential design means / Essential operational means

    Level 1: Prevention of abnormal operation and failures
      Design means: Conservative design and high quality in construction of normal operation systems, including monitoring and control systems
      Operational means: Operational rules and normal operating procedures

    Level 2: Control of abnormal operation and detection of failures
      Design means: Limitation and protection systems and other surveillance features
      Operational means: Abnormal operating procedures / emergency operating procedures

    Level 3a: Control of design basis accidents (postulated single initiating events)
      Design means: Engineered safety features (safety systems)
      Operational means: Emergency operating procedures

    Level 3b: Control of design extension conditions to prevent core melt
      Design means: Safety features for design extension conditions without core melt
      Operational means: Emergency operating procedures

    Level 4: Control of design extension conditions to mitigate the consequences of severe accidents
      Design means: Safety features for design extension conditions with core melt; Technical Support Centre
      Operational means: Complementary emergency operating procedures / severe accident management guidelines

    Level 5: Mitigation of radiological consequences of significant releases of radioactive materials
      Design means: On-site and off-site emergency response facilities
      Operational means: On-site and off-site emergency plans

    Based on INSAG-10; presents the current approach as derived from SSR-2/1 Rev. 1

  • Levels of Defence in Depth (DiD) vs. PDC in various approaches

    Columns: Level of DiD / IE frequency per year / EUR / WENRA / STUK / US NRC / ASME Service Levels

    Level 1, f = 1: EUR: DBC 1, Normal Operation; WENRA: Normal Operation; STUK: DBC 1, Normal Operation; US NRC: Normal Operation; ASME: A

    Level 2, f > 10^-1: EUR: DBC 2, Incidents; WENRA: Anticipated Operational Occurrences; STUK: DBC 2, Anticipated Operational Occurrences; US NRC: Anticipated Operational Occurrences (AOO); ASME: B

    Level 3, 10^-1

  • Safety Demonstration - Deterministic Approach

    Safety Limits and Limiting Conditions for Operation:
      Peak cladding temperature (PCT)
      Departure from nucleate boiling (DNB)
      Negative reactivity coefficient
      Primary and secondary pressures
      Hydrogen production

    Adequate Safety Margins

    Safety Functions:
      Reactor trip
      Decay heat removal
      Subcriticality

    Single Failure Criteria:
      Redundancy
      Diversity
      Reliability

    Human-Machine Interface:
      Procedures
      Training (simulators)

  • Design of SSC

    The conditions generated by external and internal hazards, and the criteria for capability, layout, margins, reliability and availability, provide input to the design basis of the SSCs. Although the figure does not differentiate these conditions and criteria for the different families of equipment, it should be considered that the conditions and criteria depend on the safety classification of the specific plant equipment. For example, SSR-2/1 requires the application of the SFC for the design of safety systems for DBAs, whereas it is not required for the design of safety features for DECs.

  • Traditional Safety Systems Concepts

  • SFC applications for new designs?

  • SFC applications for new passive SSCs?

    (Figure labels: Standard PWR, AP1000, IRWST, PRHR HX, CMT, Accumulator)

  • SFC APPLICATION IN THE CONTEXT OF NEW WATER-COOLED REACTOR DESIGNS

    Regulatory Position

    Questions compared for each regulatory framework: Is the SFC applied to a safety group or to an individual system? What systems have to meet the SFC? Is the SFC applied during planned maintenance? Is the SFC applied during a repair within the AOT? Is the SFC applied to passive components? Is the SFC applied in addition to assuming failure of a non-tested component?

    IAEA (applied to: Safety system)

    Systems that have to meet the SFC: General approach: systems which prevent radioactive releases into the environment. Because of different designs, system names and descriptions, it can be related to: Reactor Protection System, Engineered Safety Feature Actuation System, Core Decay Heat Removal System, Emergency Core Cooling System, Containment Decay Heat Removal System, Containment Isolation System, MCR Habitability System, Emergency AC/DC Power, Safety System Support Systems (Component Cooling Water, etc.)

    Planned maintenance: Not discussed directly in regulations.

    Repair within AOT: The allowable periods of safety system inoperability and the cumulative effects of these periods should be assessed in order to ensure that any increase in risk is kept to acceptable levels.

    Passive components: The general approach is that the fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive equipment functions properly) nor (2) a single failure of any passive equipment (assuming active equipment functions properly) results in a loss of capability of the system to perform its safety functions. An exemption for passive components exists if justification of a high standard and quality of design and maintenance is possible.

    Non-tested component: Not discussed directly in regulations. See the 4th column on the left side. In other words, if the assessment of a potential failure of any single component designed for the function in a stand-by (non-tested) system shows an increase in risk above acceptable levels, such test/maintenance should be excluded.

    WENRA (applied to: Safety system)

    EUR (applied to: Assembly of Equipment, i.e. a combination of systems and components that perform a specific function)

    US NRC (applied to: Safety system)

    Finnish (STUK) (applied to: Safety system)

    Planned maintenance: Not discussed directly in regulations.

    Repair within AOT: The PSA shall be used to determine the surveillance test intervals and allowed outage times of systems and components important to safety. Actually, it is similar to the above.

    Passive components: YVL B.1 actually discusses two failure criteria, (N+1) and (N+2). Some systems need to satisfy criterion (N+1) and some (N+2).

    Non-tested component: YVL B.1 actually discusses the two failure criteria as described in the 4th column on the left side for Finnish (STUK).

    UK (applied to: Safety system): See IAEA, WENRA, EUR, US NRC above.

    Japan (applied to: Structures, Systems and Components (SSCs))

    Korea (applied to: Safety system)

    Russia (applied to: Safety features (safety system elements))

    China (applied to: Safety system)

    Canada (applied to: Safety group / Safety system)

    Testing and maintenance: A request for an exception during testing and maintenance should be supported by a satisfactory reliability argument covering the allowable outage time.

    Actually, similar to the text for IAEA, WENRA, EUR, US NRC above, even though section 7.6.2 of REG-DOC-2.5.2 [54] refers to the old IAEA Safety Series No. 50-P-1 [7], which was withdrawn without an applicable replacement.
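    To make the two points above concrete (the general approach that neither a single active-component failure nor a single non-exempt passive failure, together with its consequential failures, may cause loss of the safety function, and the STUK (N+1)/(N+2) criteria), here is an added Python model. It is example code written for this page, not the presentation's or any regulator's tooling. The three-train safety group, the component names, the consequential-failure map (an emergency diesel failure taking out its own train's pump and valve) and the shared, exemption-justified IRWST are constructed assumptions; in the model any failure mode of a component, including spurious action (SSR-2/1 para. 5.39), is treated the same way, namely as loss of that component.

```python
"""Single-failure check over a redundant safety group (constructed example)."""
from dataclasses import dataclass
from itertools import combinations

COMMON = "*"  # constructed convention: a component every train depends on


@dataclass(frozen=True)
class Component:
    name: str
    train: str            # train id, or COMMON for a shared component
    active: bool          # active (pump, valve, breaker) vs passive (pipe, tank)
    exempt: bool = False  # passive component excluded from the single failure
                          # assumption on a justified basis (SSR-2/1 para. 5.40)


class SafetyGroup:
    def __init__(self, components, required_trains, consequential=None):
        self.components = {c.name: c for c in components}
        self.required_trains = required_trains          # N: trains needed for the function
        self.consequential = consequential or {}        # name -> names that fail with it

    @property
    def trains(self):
        return {c.train for c in self.components.values() if c.train != COMMON}

    def propagate(self, initial):
        """Close a failure set under consequential failures (SSR-2/1 definition)."""
        failed = set(initial)
        frontier = list(initial)
        while frontier:
            for dep in self.consequential.get(frontier.pop(), ()):
                if dep not in failed:
                    failed.add(dep)
                    frontier.append(dep)
        return failed

    def capable_trains(self, failed):
        """Trains still able to perform the function after the given failures."""
        failed = self.propagate(failed)
        if any(self.components[n].train == COMMON for n in failed):
            return set()                               # shared component lost: no train works
        return self.trains - {self.components[n].train for n in failed}

    def postulated_failures(self):
        """Components whose failure must be assumed: every active one, and passive ones
        unless a single-failure exemption has been justified."""
        return sorted(n for n, c in self.components.items() if c.active or not c.exempt)

    def violations(self, failures_to_tolerate=1):
        """Combinations of k postulated failures that leave fewer than N capable trains.
        k=1 is the classic single failure criterion (N+1); k=2 is the (N+2) criterion."""
        return [combo for combo in combinations(self.postulated_failures(), failures_to_tolerate)
                if len(self.capable_trains(combo)) < self.required_trains]

    def meets(self, failures_to_tolerate=1):
        return not self.violations(failures_to_tolerate)


def build_example(irwst_exempt=True):
    """Constructed 3-train ECCS-like group: per train a pump, a MOV and an EDG whose
    failure is consequential for the pump and MOV; one shared passive water source."""
    comps, cons = [], {}
    for t in "ABC":
        comps += [Component(f"pump_{t}", t, active=True),
                  Component(f"mov_{t}", t, active=True),
                  Component(f"edg_{t}", t, active=True)]
        cons[f"edg_{t}"] = {f"pump_{t}", f"mov_{t}"}
    comps.append(Component("irwst", COMMON, active=False, exempt=irwst_exempt))
    return comps, cons


if __name__ == "__main__":
    comps, cons = build_example()
    one_of_three = SafetyGroup(comps, required_trains=1, consequential=cons)
    print("1-of-3 trains, (N+1):", one_of_three.meets(1))
    print("1-of-3 trains, (N+2):", one_of_three.meets(2))
    two_of_three = SafetyGroup(comps, required_trains=2, consequential=cons)
    print("2-of-3 trains, (N+2) violations:", len(two_of_three.violations(2)))
    comps2, cons2 = build_example(irwst_exempt=False)
    print("shared passive not exempt, (N+1) violations:",
          SafetyGroup(comps2, 1, cons2).violations(1))
```

    The same group passes (N+1) and (N+2) when one train suffices, but fails (N+2) as soon as two of the three trains are needed, which is the situation a train taken out for maintenance plus one single failure creates. Dropping the IRWST exemption makes the shared tank the single violation, which is exactly the case para. 5.40 requires either justifying or designing out.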

  • Traditional SFC application

    A number of particular considerations may be summarized via the following two main points regarding traditional SFC application, which are very frequently encountered in the discussions:

    Traditional application of the SFC has, apparently, sometimes led to redundant system components which contribute to adequate and acceptable safety margins but may have only minimal impact on risk, based on conventional risk assessment studies. While maintaining adequate safety margins is a major safety objective, the application of the worst single-failure assumption for all DBAs may, in some cases, result in unnecessary constraints on li