Safety Assessment of General Design Aspects of NPPs (Part 2) IAEA Training Course on Safety...
32
Safety Assessment of General Safety Assessment of General Design Aspects of NPPs Design Aspects of NPPs (Part 2) (Part 2) IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making Workshop Workshop Information Information IAEA Workshop IAEA Workshop Lecturer Lesson III 1_2 City , Country XX - XX Month, Year
-
Upload
morgan-hopkins -
Category
Documents
-
view
228 -
download
0
description
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making 3 Review of Single Failure Criteria “.. protection system shall be designed for high functional reliability and inservice testability commensurate with safety functions performed.” “Redundancy and independence designed into protection system shall be sufficient to assure: “1. No single failure results in the loss of protective function..” “2. Removal from service of any component or channel does not result in loss of required minimum redundancy unless acceptable reliability of operation of protection system can be otherwise demonstrated.”
Transcript of Safety Assessment of General Design Aspects of NPPs (Part 2) IAEA Training Course on Safety...
Safety Assessment of General Design Safety Assessment of General Design Aspects of NPPsAspects of NPPs
(Part 2)(Part 2)
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
Workshop InformationWorkshop InformationIAEA WorkshopIAEA Workshop
LecturerLesson III 1_2
City , CountryXX - XX Month, Year
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
2
Items for DiscussionItems for Discussion Review of Single Failure Criterion System Redundancy System Independence System Diversity Concept of Fail-Safe Design System Interactions and Dependencies Conduct of Single Failure Assessments
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
3
Review of Single Failure CriteriaReview of Single Failure Criteria “.. protection system shall be designed for high functional
reliability and inservice testability commensurate with safety functions performed.”
“Redundancy and independence designed into protection system shall be sufficient to assure:
“1. No single failure results in the loss of protective function..”
“2. Removal from service of any component or channel does not result in loss of required minimum redundancy unless acceptable reliability of operation of protection system can be otherwise demonstrated.”
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
4
Review of Single Failure CriteriaReview of Single Failure Criteria
“..protection system shall be designed to permit periodic testing of its functioning when reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.”
Taken from US Title 10 Code of Federal Regulations, Part 50 Appendix A, General Design Criteria 21
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
5
Example of Potential Single FailureExample of Potential Single Failure
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
9
System RedundancySystem Redundancy System redundancy in all critical components is first step
to meet single failure criteria. System redundancy reduces system failure probability thus
improving reliability. To be redundant requires individual trains have sufficient
capacity (Design Margins) to meet functional requirements.
2 redundant trains alone does not meet single failure criteria.
Provisions also needed for: periodic on-line testing, and ability to remove a channel from service.
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
10
System RedundancySystem Redundancy
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
11
System RedundancySystem Redundancy To permit on-line testing and maintenance typically use
minimum of 3 redundant trains or channels. To prevent spurious safety system operation (also potential
safety concern) it is most common to take 2/3 Coincidence in actuation logic.
Current reactor protection systems use either 2/3 or 2/4 coincidence logic.
IEEE Std. 279 (1971), IEEE Std. 379 (1988) provide conservative guidance
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
12
Example of Too Much RedundancyExample of Too Much Redundancy
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
13
System IndependenceSystem Independence
Single Failure Criteria for redundant systems implies redundant trains (or channels) are physically independent of each other.
No common dependencies on power or environmental supports.
Cross-connections are isolated to prevent fault in one train failing redundant train.
IEEE Std. 384 (1984) provides conservative guidance.
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
14
Example of Lack of IndependenceExample of Lack of Independence
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
15
Example of Lack of IndependenceExample of Lack of Independence
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
16
System IndependenceSystem Independence
Independence is achieved by: Routing cabling in physically separated metal conduits
according to electrical design standards, such as IEEE Std. 384 (1984).
Cross-connection using qualified electrical isolation devices
Use of Optical Isolators NOT resistors Fluid system cross connections isolated via check valves.
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
17
System DiversitySystem Diversity
Reliability of redundant, independent safety system becomes limited by potential for common cause failure.
Example: 2/4 train ECCS system will typically have failure probability in 10-4 to 10-5 range.
It is difficult to mathematically justify common cause failure probability being significantly lower than this range.
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
18
Common Cause Failures includeCommon Cause Failures include
Common design error or inadequate Design Margins
Common manufacturing defects
Common testing or system restoration errors
Environmental degradation (dirt, grit, moisture)
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
19
System DiversitySystem Diversity
Potential significance of common cause failure warrants thorough consideration in safety assessments.
Additional redundancy is NOT way to address common cause failure.
Component diversity is acceptable way to address common cause failure.
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
20
Diversity Can Be Achieved ByDiversity Can Be Achieved By
Use of different physical operating principles (e.g. : steam and electric driven pumps)
Use of different component manufacturers to eliminate common manufacturing defects.
Use of different technicians to test, maintain, or restore operating equipment.
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
21
Concept of Fail-Safe Design Concept of Fail-Safe Design
“Fail-safe” concept originated with military concerns over accidental launch of missiles or detonation of weapons.
Fail-safe concept requires systematic identification of safe outcome of system failure (e.g. no missile launch!).
Central issue of Fail-safe concept typically identification of de-energized state of systems and components.
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
22
Application of Fail Safe Concept to Application of Fail Safe Concept to NPPsNPPs Control Rod Clutches, electrical breakers should be
designed to TRIP on loss of control power. Relay logic should TRIP on loss of power. Reactor protection system should be designed to TRIP on
loss of power supply. ECCS recirculation valves should typically fail as-is. Pneumatic Valves should be assessed which is safest state
for loss of air pressure. Solenoid operated valves should be assessed which is safest
state for loss of power.
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
23
Systems Dependencies & Systems Systems Dependencies & Systems InteractionsInteractions
Most NPP designs have redundant protection systems supported by redundant support systems (e.g. AC/DC Power, cooling water, HVAC, etc.)
Failure of one train of these individual support systems can lead to very complicated transient events involving sudden loss of ½ of all systems.
World operating experience has shown these events can be very severe.
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
24
Systems Dependencies & Systems Systems Dependencies & Systems InteractionsInteractions
Systems Interactions caused by single failures (steam line rupture in a compartment, inadvertent automatic fire suppression operation) can cause significant components to fail simultaneously.
Faults initiated by failed support systems and system interaction events should be considered in Single Failure Assessments.
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
25
Conduct of Single Failure AssessmentConduct of Single Failure Assessment Excellent guidance on performing single failure
assessments can be found in: IAEA 50-SP-1, IEEE Std. 352 (1987).
Single Failure Assessment is deterministic in nature and documented as FMEA.
Probability only considered in dispositioning of “incredible faults”.
Purpose: document Single Failure Criteria compliance for safety systems credited in Accident Analysis.
Inputs are comparable to those needed for PSA (frequently FMEA conducted in parallel with PSA)
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
26
Conduct of Single Failure AssessmentConduct of Single Failure Assessment Documentation required: All Electrical Schematics, Piping & Instrument Drawings,
Isometrics (fluid systems only). Equivalent Schematics for all Support Systems. All Electrical/Mechanical Specifications. System descriptions. Operating Manuals and Operating Procedures. Test/Maintenance Procedures. Operating History Reports for similar equipment at other
NPPs.
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
27
Conduct of Single Failure AssessmentConduct of Single Failure Assessment
Systematic identification of PIEs or Postulated Initiating Events.
Identification of systems credited (timing, operation mode) in Accident Analysis.
Collapse credited systems, support systems into single list of credited functions.
Support system FMEA used to identify any systems interaction transients requiring further accident analysis as new PIEs.
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
28
Conduct of Single Failure AssessmentConduct of Single Failure Assessment
Single Failure Assessments are LARGE Independent review by Regulatory Body or other external
organizations necessitates systematic, auditable documentation.
Typical Format is via: Failure Modes and Effects Analysis Table
Content of FMEA Table found in 50-SP-1 or IEEE Std. 352 (1987).
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
29
Documentation of Single Failure Documentation of Single Failure AssessmentAssessment
Specific component identification - Component function - Failure mode - Effect of the failure on the system - Methods available to detect/correct the
failure - Any relevant further comments -
– FMEA Table systematically documents:
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
30
Example of Actual FMEAExample of Actual FMEA
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
31
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
32
Comments from Personal ExperienceComments from Personal Experience
Single Failure assessments and PSA complement each other as tools to investigate safety.
Both tools have identified design weaknesses Single Failure assessment provides a more legal proof of
regulatory compliance to Regulatory Body than does a PSA –because no faults are hidden from consideration.
Support System FMEAs frequently used as critical input to PSA for identifying Special Initiators.
