Making sense of nuclear safety: Insights from the Overall ......operation Anticipated operational...

Making sense of nuclear safety:Insights from the Overall SafetyConcept studySuomalaisen ydintekniikan päivät (SYP)October 2, 2016Prof. Juhani HyvärinenLUT, Nuclear Engineering

Why ”overall safety”?

Safety requirements and safety justification of nuclearpower plants has become very complicated:

Tendency Consequence

Increasing number of Defence-in-Depth -levels

Level independence compromised

Dissimilar postulated event and hazards Inconsistent treatment

Multiple kinds of “safety”: nuclear safety,nuclear security, nuclear materials safeguards

Both conflicting and synergistic requirements

Gap widens between legacy plant safetyfeatures and future plant regulations

Equipment upgrading impractical if notimpossible

Safety requirements developed for largeLWRs only

Licensability of alternate technologies (smallreactors, fast reactors) uncertain

Organised thinking in terms of an overall safety concepthelps address such problems!ORSAC at SYP2016 3

ORSAC – Overall Safety Conceptframework development

”Small study” initiated by the national nuclear safetyresearch program SAFIR-2018 (volume 26 k€)

− topical seminar in December 4, 2015− study launched in April 2016− draft report produced in May-August 2016− discussion seminar in September 2, 2016− final report under SAFIR review

Carried out by a team at LUT Nuclear EngineeringSeminars well attended by best Finnish experts

ORSAC at SYP2016 4

SF pool

Fresh fuel

Overall safety concept needs to cover … thewhole picture [December 2015 seminar]

ORSAC at SYP2016 5

Safety SafeguardsSecurity

Society

Sustainability

CoreSF interim

Nuclear Waste Management

Initial ORSAC scope

Natural starting point: defence-in-depth

Surprisingly elusive a notion− e.g. the U.S.NRC NUREG/KM-0009, Historical

Review and Observations of Defense-in-Depth, April2016, contains 200+ pages of different definitionsfrom the 1950s till present

− IAEA TECDOC-1791, Considerations on theapplication of the IAEA safety requirements for thedesign of nuclear power plants, 2016, gets by with 70pages

ORSAC study builds mainly on the functional defence-in-depth but also uses the structural view

ORSAC at SYP2016 6

Defence levels in the 1970’s

ORSAC at SYP2016 7

Operational states Accidentconditions

Normaloperation

Anticipatedoperationaloccurrences

Designbasis

accidents

Non-safetysystemsN+0

Safety systems 1

Safety systems 2

Defence lines according to YVL 1.0 1982and VNP 395/1991

ORSAC at SYP2016 8

Operational states Accidentconditions

Core meltaccidents

Normaloperation


Designbasis

accidents

Non-safety systems Safety systems

At the time SAM systems were envisioned to consist mainly of filtered containmentventing, so complete independence from other safety systems was easy to achieve.

IndependentSAM systems

Modern IAEA view [SSR-2/1 Rev. 1, 2016]:Plant states and event categories

ORSAC at SYP2016 9

STUK definition of Plant states and eventcategories (before introduction of DECs)

ORSAC at SYP2016 10

(Operational states) (Accident conditions)

Normaloperation


Postulatedaccidents

Class1

Class2

Core meltaccidentST

UK

befo

reDE

Cs

DECs

STUK definition of Plant states and eventcategories [YVL B.1 Justification memo]

ORSAC at SYP2016 11


Normaloperation


Postulatedaccidents

Designextensionconditions

A (CCF)

Design extensionconditionsB (Multi-F),

C (Rare event)

Class1

Class2

Core meltaccident

STU

Kw

ithDE

Cs

STUK definition of Plant states and eventcategories [YVL B.1 Justification memo]

ORSAC at SYP2016 12

Operational states Accident conditions

Normaloperation


Design basisaccidents

Design extension conditionsWithout

significant fueldegradation

With coremelting


Normaloperation


Postulatedaccidents

Designextensionconditions

A (CCF)


C (Rare event)

Class1

Class2

Core meltaccident

IAEA

STU

K

Frequency limits for event categories [YVLB.1 Justification memo; YVL A.7]

ORSAC at YTN 4.11.2016 13


Normaloperation


Postulatedaccidents

DEC A(CCF)

DECsB (Multi-F),

C (Rareevent)

Class1

Class2

Core meltaccident

Emergencyprep’ness

100/a 10-2/a 10-3/a 10-4/a 5×10-7/aThe probabilistic safety goals from YVL A.7 are CDF < 10-5/a and LERF < 5×10-7/a;these are compound frequencies. Frequency limits for DECs are indicative.Independent of their exact value, the DECs overlap the Postulated accident – Coremelt – Emergency preparedness region.DEC C lower limit is 10-7/a has been required informally, but not codified (yet?).

10-5/a 1×10-7/a

ORSAC at SYP2016

Dose limits and event frequencies in theFinnish system – 1991 (three-level DID)

14

AOO

DBA

Severe AOO and DBA limits dateback to 1970’s.DCS 395/1991introduced an explicitsevere accident limit.

Dose limits and event frequencies in theFinnish system after ~1998

ORSAC at SYP2016 15

AOO

DBA, Class2

Severe

DBA, Class1

DBA category was split intwo. TVO, to justify a 16 %thermal power uprate,upgraded the plant, movinglimiting AOO events to theDBA frequency range.

Dose limits and event frequencies in theFinnish system after ~2008

ORSAC at SYP2016 16

AOO

DBA, Class2

Severe

DBA, Class1

DEC A,B,C DECs were imported withOlkiluoto 3. Unlike theoriginal Franco-Germansafety design, STUK madeDECs parallel to DBA andSAM.

Dose limits and event frequencies in theFinnish system after 2013

ORSAC at SYP2016 17

AOO

DBA, Class2

Severe

DBA, Class1

DEC A,B,C

In the risk equationRisk ~ F×D2

the consequence weightingpower 2 is extremely high.

The drastic reduction of SAMshort-term dose limit is aresult of WENRAharmonisation.

Overall concept idea: main safety functionsoverlaid on defence lines

ORSAC at SYP2016 18


Normaloperation



Design extension conditions

Withoutsignificant fuel

degradation

With coremelting

Subcriticality

Heat removal

Containment

System 1 System 2 N/A

Primary containment structureClosed systems

“Normal” means “Emergency” means “SAM”

Main safety functions depend on supportingsafety functions such as power supply andHVAC

ORSAC at SYP2016 19


Normaloperation



Design extension conditions

Withoutsignificant fuel

degradation

With coremelting

Subcriticality

Heat removal

Containment

Power supply

HVAC

System 1 System 2 N/A

Primary containment structureClosed systems

“Normal” means “Emergency” means “SAM”

Grid connections EDGs “DEC” diesel generators

Natural and explicitpresentation of

redundancy,diversity, andseparation;

independence

External hazard integration option

ORSAC at SYP2016 20

(Operational states) (Accident conditions)NO AOO DBA DEC A DEC B, C

Class 1 Class 2

Core melt100/a 10-2/a 10-3/a 10-4/a 5×10-7/a

External conditions less frequent than ~10-5/a are to be treated asinitiating events under DEC C.

10-5/a

10-1/a

10-2/a

10-3/a10-4/a10-5/a10-6/a10-7/a

Barrier interpretation of Defence-in-Depth:against fission product release (in theory)

ORSAC at SYP2016 21

Fuelmatrix

Fuelcladding

Reactorsystem

Containmentstructure

Plantfence

Security zones [YVL A.11 §324]

ORSAC at SYP2016 22

Fuelcladding

Reactorsystem


Plantfence

Vitalarea

Protectedarea

Restrictedarea

Plantarea

Fissile

Vitalsystems

Threat of release

Threat of intrusion

Security parallels [YVL B.1 Justificationmemo; YVL A.11]

ORSAC at SYP2016 23

Level 0 Level 1 Level 2 Level 3

0.1 mSv/s 0.1 mSv 1 mSv 5 mSv 20 mSv


Normaloperation


Postulatedaccidents DEC A

(CCF)


C (Rare event)

Class1

Class2

Core meltaccident

100/a 10-2/a 10-3/a 10-4/a 5×10-7/a10-5/a

N+1N+2N+1N+1(owner

req.)

N+0

N+1

The security threat levels indicate the principle, not actual levels.

Safety, security, safeguards integration

ORSAC at SYP2016 24

Vitalarea

Protectedarea

Restrictedarea

Plantarea

Fissile(fresh)


PlantfenceFissile

(core)

Fissile (spent)

IAEA

Material balance area

Organisation of organisations – new build

ORSAC at SYP2016 25

FunctionalLevel

1Construction

2Ownership

3Technicaloversight

4Administration

By law By opinion

Organisation Constructingconsortia

(CFS, RAOS)

Projectowners(TVO,

Fennovoima)

TechnicalRegulator

(STUK)

TEM /Govern-

ment

Parliament

Support /Stakeholder

Expert services by TSOs, universities

Local populationGeneral public

Intervenors

O&M contractors

Inspection Organisations(independent)

IOs,accredited

Conclusions and future avenues

ORSAC has successfully produced an Overall SafetyConcept that can

− make sense of Defence-in-Depth and factualindependence of defence lines

− naturally and logically integrate initiating events andvarious hazards, up to security and safeguardshazards

The concept is transparent – all assumptions are madevisible – and forces the user to maintain an overall view insight at all times

ORSAC at SYP2016 26

Conclusions and future avenues

Many paths for future development:− practical application to an operating plant− extension to equipment qualification and justification− deepening the security and safeguards treatment− deeper treatment of safety margins at individual levels− deeper analysis of nuclear community as an

organisation-of-organisations− extension to fresh and spent fuel storages and waste

disposal− application to an SMR or GEN4 concept

ORSAC at SYP2016 27

Thank you!

[email protected]

28

Making sense of nuclear safety: Insights from the Overall ......operation Anticipated operational...

Documents

Transcript of Making sense of nuclear safety: Insights from the Overall ......operation Anticipated operational...