Making sense of nuclear safety: Insights from the Overall Safety Concept study
Suomalaisen ydintekniikan päivät (SYP), October 2, 2016
Prof. Juhani Hyvärinen, LUT, Nuclear Engineering
Why ”overall safety”?
Safety requirements and safety justification of nuclear power plants have become very complicated:
Tendency and its consequence:
− Increasing number of Defence-in-Depth levels: level independence compromised
− Dissimilar postulated events and hazards: inconsistent treatment
− Multiple kinds of "safety" (nuclear safety, nuclear security, nuclear materials safeguards): both conflicting and synergistic requirements
− Gap widens between legacy plant safety features and future plant regulations: equipment upgrading impractical if not impossible
− Safety requirements developed for large LWRs only: licensability of alternate technologies (small reactors, fast reactors) uncertain
Organised thinking in terms of an overall safety concept helps address such problems!
ORSAC at SYP2016
ORSAC – Overall Safety Concept framework development
"Small study" initiated by the national nuclear safety research program SAFIR-2018 (volume 26 k€)
− topical seminar on December 4, 2015
− study launched in April 2016
− draft report produced in May-August 2016
− discussion seminar on September 2, 2016
− final report under SAFIR review
Carried out by a team at LUT Nuclear Engineering
Seminars well attended by the best Finnish experts
Overall safety concept needs to cover … the whole picture [December 2015 seminar]
[Figure: diagram with the labels Safety, Security, Safeguards, Society and Sustainability; fuel-cycle stages Fresh fuel, Core, SF pool, SF interim and Nuclear Waste Management; the initial ORSAC scope is marked within it.]
Initial ORSAC scope
Natural starting point: defence-in-depth
A surprisingly elusive notion:
− e.g. the U.S. NRC NUREG/KM-0009, Historical Review and Observations of Defense-in-Depth, April 2016, contains 200+ pages of different definitions from the 1950s till present
− IAEA TECDOC-1791, Considerations on the application of the IAEA safety requirements for the design of nuclear power plants, 2016, gets by with 70 pages
The ORSAC study builds mainly on the functional defence-in-depth but also uses the structural view
Defence levels in the 1970’s
[Figure: Operational states (Normal operation, Anticipated operational occurrences) and Accident conditions (Design basis accidents) mapped against the defence lines Non-safety systems (N+0), Safety systems 1 and Safety systems 2.]
Defence lines according to YVL 1.0 1982 and VNP 395/1991
[Figure: Operational states (Normal operation, Anticipated operational occurrences) and Accident conditions (Design basis accidents, Core melt accidents) mapped against the defence lines Non-safety systems, Safety systems and Independent SAM systems.]
At the time SAM systems were envisioned to consist mainly of filtered containment venting, so complete independence from other safety systems was easy to achieve.
Modern IAEA view [SSR-2/1 Rev. 1, 2016]: Plant states and event categories
STUK definition of Plant states and event categories (before introduction of DECs)
[Figure, STUK before DECs: (Operational states) Normal operation, Anticipated operational occurrences; (Accident conditions) Postulated accidents Class 1 and Class 2, Core melt accident.]
STUK definition of Plant states and event categories [YVL B.1 Justification memo]
[Figure, STUK with DECs: (Operational states) Normal operation, Anticipated operational occurrences; (Accident conditions) Postulated accidents Class 1 and Class 2, Design extension conditions A (CCF), Design extension conditions B (Multi-F) and C (Rare event), Core melt accident.]
STUK definition of Plant states and event categories [YVL B.1 Justification memo]
[Figure comparing the IAEA and STUK categories. IAEA: Operational states (Normal operation, Anticipated operational occurrences) and Accident conditions (Design basis accidents, Design extension conditions without significant fuel degradation, Design extension conditions with core melting). STUK: (Operational states) Normal operation, Anticipated operational occurrences; (Accident conditions) Postulated accidents Class 1 and Class 2, Design extension conditions A (CCF), Design extension conditions B (Multi-F) and C (Rare event), Core melt accident.]
Frequency limits for event categories [YVL B.1 Justification memo; YVL A.7]
ORSAC at YTN 4.11.2016
[Figure: event categories (Normal operation, Anticipated operational occurrences, Postulated accidents Class 1 and Class 2, DEC A (CCF), DECs B (Multi-F) and C (Rare event), Core melt accident, Emergency preparedness) placed on a frequency axis with marks at 10^0/a, 10^-2/a, 10^-3/a, 10^-4/a, 10^-5/a, 5×10^-7/a and 1×10^-7/a.]
The probabilistic safety goals from YVL A.7 are CDF < 10^-5/a and LERF < 5×10^-7/a; these are compound frequencies. Frequency limits for DECs are indicative. Independent of their exact value, the DECs overlap the Postulated accident, Core melt and Emergency preparedness region. A DEC C lower limit of 10^-7/a has been required informally, but not codified (yet?).
Dose limits and event frequencies in the Finnish system – 1991 (three-level DID)
[Figure: dose limits versus event frequency for the categories AOO, DBA and Severe.]
AOO and DBA limits date back to the 1970's. DCS 395/1991 introduced an explicit severe accident limit.
Dose limits and event frequencies in the Finnish system after ~1998
[Figure: dose limits versus event frequency for the categories AOO, DBA Class 1, DBA Class 2 and Severe.]
The DBA category was split in two. TVO, to justify a 16 % thermal power uprate, upgraded the plant, moving limiting AOO events to the DBA frequency range.
Dose limits and event frequencies in the Finnish system after ~2008
[Figure: dose limits versus event frequency for the categories AOO, DBA Class 1, DBA Class 2, DEC A, B, C and Severe.]
DECs were imported with Olkiluoto 3. Unlike the original Franco-German safety design, STUK made DECs parallel to DBA and SAM.
Dose limits and event frequencies in the Finnish system after 2013
[Figure: dose limits versus event frequency for the categories AOO, DBA Class 1, DBA Class 2, DEC A, B, C and Severe.]
In the risk equation Risk ~ F×D², the consequence weighting power 2 is extremely high.
The drastic reduction of the SAM short-term dose limit is a result of WENRA harmonisation.
Overall concept idea: main safety functions overlaid on defence lines
[Figure: plant states (Operational states: Normal operation, Anticipated operational occurrences; Accident conditions: Design basis accidents, Design extension conditions without significant fuel degradation, Design extension conditions with core melting) with the main safety functions Subcriticality, Heat removal and Containment overlaid as rows. Cells carry the labels System 1, System 2, N/A, Primary containment structure, Closed systems, "Normal" means, "Emergency" means and "SAM" means.]
Main safety functions depend on supporting safety functions such as power supply and HVAC
[Figure: the same plant-state columns (Normal operation, Anticipated operational occurrences, Design basis accidents, Design extension conditions without significant fuel degradation, with core melting) with the rows Subcriticality, Heat removal, Containment, Power supply and HVAC. Cells carry the labels System 1, System 2, N/A, Primary containment structure, Closed systems, "Normal" means, "Emergency" means, "SAM" means, Grid connections, EDGs and "DEC" diesel generators.]
Natural and explicit presentation of redundancy, diversity, and separation; independence
External hazard integration option
[Figure: event categories NO, AOO, DBA (Class 1, Class 2), DEC A, DEC B, C and Core melt on a frequency axis with marks at 10^0/a, 10^-2/a, 10^-3/a, 10^-4/a, 10^-5/a and 5×10^-7/a, with an external-hazard frequency scale from 10^-1/a down to 10^-7/a alongside.]
External conditions less frequent than ~10^-5/a are to be treated as initiating events under DEC C.
Barrier interpretation of Defence-in-Depth: against fission product release (in theory)
[Figure: nested barriers Fuel matrix, Fuel cladding, Reactor system, Containment structure and Plant fence.]
Security zones [YVL A.11 §324]
[Figure: the barriers Fuel cladding, Reactor system, Containment structure and Plant fence overlaid with the security zones Vital area, Protected area, Restricted area and Plant area; Fissile material and Vital systems at the centre; arrows labelled Threat of release and Threat of intrusion.]
Security parallels [YVL B.1 Justification memo; YVL A.11]
[Figure: event categories (Normal operation, Anticipated operational occurrences, Postulated accidents Class 1 and Class 2, DEC A (CCF), Design extension conditions B (Multi-F) and C (Rare event), Core melt accident) on a frequency axis with marks at 10^0/a, 10^-2/a, 10^-3/a, 10^-4/a, 10^-5/a and 5×10^-7/a; dose limits 0.1 mSv/s, 0.1 mSv, 1 mSv, 5 mSv and 20 mSv; redundancy labels N+0, N+1, N+2 and N+1 (owner req.); security threat levels Level 0 to Level 3 shown in parallel.]
The security threat levels indicate the principle, not actual levels.
Safety, security, safeguards integration
[Figure: the security zones Vital area, Protected area, Restricted area and Plant area with the barriers Containment structure and Plant fence; fissile material shown as fresh, core and spent; the IAEA Material balance area overlaid.]
Organisation of organisations – new build
[Figure: table with functional levels 1 Construction, 2 Ownership, 3 Technical oversight and 4 Administration; columns By law and By opinion; rows Organisation and Support / Stakeholder. Organisations listed: Constructing consortia (CFS, RAOS), Project owners (TVO, Fennovoima), Technical Regulator (STUK), TEM / Government, Parliament. Support and stakeholder entries: Expert services by TSOs, universities; Local population, General public; Intervenors; O&M contractors; Inspection Organisations (independent), IOs, accredited.]
Conclusions and future avenues
ORSAC has successfully produced an Overall Safety Concept that can
− make sense of Defence-in-Depth and the factual independence of defence lines
− naturally and logically integrate initiating events and various hazards, up to security and safeguards hazards
The concept is transparent, all assumptions are made visible, and it forces the user to keep an overall view in sight at all times
Conclusions and future avenues
Many paths for future development:
− practical application to an operating plant
− extension to equipment qualification and justification
− deepening the security and safeguards treatment
− deeper treatment of safety margins at individual levels
− deeper analysis of the nuclear community as an organisation-of-organisations
− extension to fresh and spent fuel storages and waste disposal
− application to an SMR or GEN4 concept