BASIC PROFESSIONAL TRAINING COURSE
Module V
Safety classification of structures, systems and components
Version 1.0, May 2015
This material was prepared by the IAEA and co-funded by the European Union.

INTRODUCTION TO SAFETY CLASSIFICATION
Learning objectives
After completing this chapter, the trainee will be able to:
1. Define the purpose of the safety classification.
2. List important general safety requirements for plant design.
3. Explain which items are important to safety.
4. Define the terms "item important to safety" and "safety system".
5. List typical plant specific safety functions.
6. List and explain the purpose of defence-in-depth levels.

The purpose of safety classification
• Design of NPPs - safety classification of structures, systems and components (SSCs);
• Identification and categorization of the safety functions;
• Identification and classification of the SSC items;
• Establish relationships between safety class and requirements for design and manufacturing commensurate to their safety significance.

General safety requirements for the plant design
• To control the reactivity of the reactor;
• The capability to safely shut down the reactor and to maintain it in the safe shutdown condition;
• To remove heat from the core;
• To remove residual heat from the spent fuel storage;
• To confine radioactive material and control operational discharges;
• To assure that any releases are within prescribed limits;
• To ensure protection of the workers against radiation.

Safety classification of the plant equipment

Definitions
Accident conditions
Deviations from normal operation that are less frequent and more severe than anticipated operational occurrences, and which include design basis accidents and design extension conditions.
Design Basis Accident
An accident causing accident conditions for which a facility is designed in accordance with established design criteria and conservative methodology, and for which releases of radioactive material are kept within acceptable limits.

Definitions (cont.)
Design extension conditions
Postulated accident conditions that are not considered for design basis accidents, but that are considered in the design process of the facility in accordance with best estimate methodology, and for which releases of radioactive material are kept within acceptable limits.
Design extension conditions include conditions in events without significant fuel degradation and conditions with core melting.
They are used to define the design basis for safety features and for the design of all other items important to safety that are necessary for preventing such conditions from arising, or, if they do arise, for controlling them and mitigating their consequences.

Definitions (cont.)
Item important to safety
An item that is part of a safety group and/or whose malfunction or failure could lead to radiation exposure of the site personnel or public.
Safety system
System required to ensure the safe shutdown of the reactor or the residual heat removal from the core, or to limit the consequences of anticipated operational occurrences and design basis accidents.
Safety systems are designed to mitigate the radiological consequences of the Design Basis Accidents within the prescribed limits.

Definitions (cont.)
Safety Features for DEC
Item designed to perform a safety function in design extension conditions.

SAFETY CLASSIFICATION
Learning objectives
After completing this chapter, the trainee will be able to:
1. Explain when and how the safety classification should be performed.
2. List the main steps in the classification process.
3. Define the terms "function" and "design provisions".
4. List examples of design provisions.
5. List and briefly explain the three levels of severity.
6. List the categorization of functions.
7. Describe three safety categories.
8. Explain how the adequacy of the safety classification should be verified.

Safety classification
An iterative process:
• To be carried out periodically throughout the design process.
• To be maintained and supplemented as necessary throughout the lifetime of the plant.
Although only SSCs classification is requested, establishing a categorization of the functions first is strongly recommended.
In general, the operation of several systems is needed for the accomplishment of a single function.
Categorization of functions gives more confidence in the correctness and consistency of the classification.

Steps in the classification process
SSCs to be classified are all SSCs necessary to accomplish the Fundamental Safety functions as defined in SSR 2/1 Req. 4.
SSC candidates for classification cannot all be captured if only systems performing the fundamental safety function for the different plant states are considered.

Pre-requisites to Safety classification
• Prior to starting the safety classification process, the following inputs are necessary:
− Radiological release limits established by the Regulatory Body for operational conditions and for the different accident conditions;
− Plant system description;
− Plant states definition and categorization;
− Postulated Initiating Events (PIE) considered in the design with their estimated frequency of occurrence.

Pre-requisites to Safety classification (cont.)
• Accident analysis;
• Application of the Defence in depth concept (which systems belong to the different levels of defence);
• PSA level 1 is not a strict pre-requisite for the safety classification but is needed for verification of its correctness.

Generic principle for design of NPP
• Use of deterministic methodologies.
• To make risks (consequences versus frequency) acceptable:
− To decrease the probability of an accident occurring;
− Functions to make the consequences acceptable with regard to its probability;
− A combination of preventive and mitigation measures.

Identification and categorization of functions
• Functions to be categorized are those requested to accomplish the fundamental safety functions in the different plant states;
• Functions are derived from the fundamental Safety functions which are required to be accomplished in all plant states;
• The deterministic safety analysis provides information of functions to be accomplished to mitigate the consequences of the different PIEs.
“Function” includes the primary function and any supporting functions that are expected to be performed to ensure the accomplishment of the primary function.

Generic list of Safety functions to be categorized
Functions to be categorized for the different plant states, grouped by Fundamental Safety Function:

Control of Reactivity
• R1 - Maintain core criticality control
• R2 - Shutdown and maintain core sub-criticality
• R3 - Prevention of uncontrolled positive reactivity insertion into the core
• R4 - Maintain sufficient sub-criticality of fuel stored outside the RCS but within the site

Heat removal
• H1 - Maintain sufficient RCS water inventory for core cooling
• H2 - Remove heat from the core to the reactor coolant
• H3 - Transfer heat from the reactor coolant to the ultimate heat sink
• H4 - Maintain heat removal from fuel stored outside the reactor coolant system but within the site

Confinement of radioactive material
• C1 - Maintain integrity of the fuel cladding
• C2 - Maintain integrity of the Reactor Coolant Pressure Boundary
• C3 - Limitation of release of radioactive materials from the reactor containment
• C4 - Limitation of release of radioactive waste and airborne radioactive material

Extra
• X1 - Protection and prevention against effects of hazard
• X2 - Protection of workers against radiation risks
• X3 - Limit the consequence of hazard
• X4 - Plant operation in accident conditions and monitoring of plant parameters
• X5 - Monitor radiological releases in normal operation
• X6 - Limits and conditions for normal operation

Can be used as a generic list of functions for pressurized water reactor.
Can be used for early classification but has to be more developed once the design is more detailed.
For classification purposes, those functions need to be defined for the different plant states, taking into account that one single function is often accomplished by different systems, as generally requested by the Defense in depth concept.

Identification and categorization of functions
Practically, for each PIE, functions necessary to control or mitigate the consequences are identified and categorized.
The categorization of functions is performed to reflect the safety significance of every function.
• Safety significance is assessed by screening the following factors:
− (1) The consequences of failure to perform the function;
− (2) The frequency of occurrence of the postulated initiating event for which the function will be called upon;
− (3) The significance of the contribution of the function in achieving either a controlled state or a safe state.
3 levels of severity: high, medium and low

Categorization of functions
• Dose limits or acceptance criteria are used to define high, medium and low severity of consequences;
• The severity is either assessed by calculation or derived from the accident deterministic safety analysis.
* Medium or low severity consequences are not expected to occur in the event of non-response of a dedicated function for the mitigation of design extension conditions.

Categorization of functions
Safety category 1:
• Any function that is required to reach the controlled state after an anticipated operational occurrence or a design basis accident and whose failure, when challenged, would result in consequences of ‘high’ severity.

Categorization of functions
Safety category 2:
• Any function that is required to reach a controlled state after an anticipated operational occurrence or a design basis accident and whose failure, when challenged, would result in consequences of ‘medium’ severity; or
• Any function that is required to reach and maintain for a long time a safe state and whose failure, when challenged, would result in consequences of ‘high’ severity; or
• Any function that is designed to provide a backup of a function categorized in safety category 1 and that is required to control design extension conditions without core melt.

Categorization of functions
Safety category 3:
• Any function that is actuated in the event of an anticipated operational occurrence or design basis accident and whose failure, when challenged, would result in consequences of ‘low’ severity; or
• Any function that is required to reach and maintain for a long time a safe state and whose failure, when challenged, would result in consequences of ‘medium’ severity; or
• Any function that is required to mitigate the consequences of design extension conditions, unless already required to be categorized in safety category 2, and whose failure, when challenged, would result in consequences of ‘high’ severity; or
• Any function that is designed to reduce the actuation frequency of the reactor trip or engineered safety features in the event of a deviation from normal operation, including those designed to maintain the main plant parameters within the normal range of operation of the plant; or
• Any function relating to the monitoring needed to provide plant staff and off-site emergency services with a sufficient set of reliable information in the event of an accident (design basis accident or design extension conditions), including monitoring and communication means as part of the emergency response plan (defence in depth level 5), unless already assigned to a higher category.

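The rules for safety categories 1 to 3 above amount to a lookup on the role a function plays and the severity of the consequences if it fails. The Python below is an added example, not part of the IAEA material; the role names, the `categorize` and `ssc_class` helpers, and the choice to keep the most demanding category when several rules apply are assumptions made for illustration.

```python
from enum import Enum


class Severity(Enum):
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


class Role(Enum):
    # Role names are assumptions that paraphrase the wording of the rules.
    AOO_DBA_RESPONSE = "reach controlled state after AOO or DBA"
    SAFE_STATE = "reach and maintain a safe state for a long time"
    BACKUP_OF_CAT1_FOR_DEC = "backup of a category 1 function, DEC without core melt"
    DEC_MITIGATION = "mitigate consequences of design extension conditions"
    REDUCE_ACTUATION_FREQUENCY = "reduce actuation frequency of reactor trip / ESF"
    ACCIDENT_MONITORING = "accident monitoring and emergency communication"


# (role, severity of consequences if the function fails when challenged)
SEVERITY_RULES = {
    (Role.AOO_DBA_RESPONSE, Severity.HIGH): 1,
    (Role.AOO_DBA_RESPONSE, Severity.MEDIUM): 2,
    # The category 3 rule is worded "actuated in the event of" an AOO or DBA.
    (Role.AOO_DBA_RESPONSE, Severity.LOW): 3,
    (Role.SAFE_STATE, Severity.HIGH): 2,
    (Role.SAFE_STATE, Severity.MEDIUM): 3,
    (Role.DEC_MITIGATION, Severity.HIGH): 3,
}

# Roles whose category does not depend on a severity level.
FIXED_RULES = {
    Role.BACKUP_OF_CAT1_FOR_DEC: 2,
    Role.REDUCE_ACTUATION_FREQUENCY: 3,
    Role.ACCIDENT_MONITORING: 3,
}


def categorize(claims):
    """Return the safety category (1 is the highest) or None if no rule applies.

    claims: iterable of (Role, Severity or None), one per way the function
    is credited in the safety analysis.
    """
    hits = []
    for role, severity in claims:
        if role in FIXED_RULES:
            hits.append(FIXED_RULES[role])
        elif (role, severity) in SEVERITY_RULES:
            hits.append(SEVERITY_RULES[(role, severity)])
    # "Unless already assigned to a higher category": keep the most demanding.
    return min(hits) if hits else None


def ssc_class(function_categories):
    """Safety class of an SSC from the categories of the functions it performs.

    Using the most demanding category is an assumption of this example.
    """
    cats = [c for c in function_categories if c is not None]
    return min(cats) if cats else None


if __name__ == "__main__":
    # Constructed sample claims, not taken from any plant design.
    f_a = [(Role.AOO_DBA_RESPONSE, Severity.MEDIUM)]
    f_b = [(Role.DEC_MITIGATION, Severity.HIGH), (Role.ACCIDENT_MONITORING, None)]
    print(categorize(f_a), categorize(f_b))
    print(ssc_class([categorize(f_a), categorize(f_b)]))
```

Combinations that the rules do not assign, such as a design extension condition function with ‘medium’ severity, return `None` rather than a guessed category.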
Example of categorization - PIE: Core melt accident
Fundamental Safety Function: Confinement of radioactive material
Generic function: C3 - Limitation of release of radioactive materials from the reactor containment
Sub functions, with safety category and main SSCs:
• C3.1 - Heat removal from the containment; category 3; Containment cooling system or Containment venting system + associated supporting SSCs
• C3.2 - Minimizing radiological releases
− C3.2.1 - Containment spray; category 3; Containment spray system + associated supporting SSCs
− C3.2.2 - Containment Isolation; category 3; Containment and its isolation system + associated supporting SSCs
− C3.2.3 - Prevention of unfiltered leakage; category 3; Filtered ventilation systems in auxiliary buildings + associated supporting SSCs
• C3.3 - Containment integrity
− C3.3.1 - Molten core stability; category 3; Core catcher and corium cooling system + associated supporting SSCs
− C3.3.2 - Combustible gases management; category 3; H2 recombiners + associated supporting SSCs
− C3.3.3 - Prevention of direct containment heating; category 3; Fast Primary Circuit depressurization system, Containment venting system + associated supporting SSCs
− C3.3.4 - Containment Depressurization; category 3; Containment venting system + associated supporting SSCs

Classification of Structures, Systems and associated Components
Once the safety categorization of the functions is completed, the SSCs performing functions should be assigned to a safety class.
Systems are expected to be assigned to a safety class corresponding to the safety category defined for the function performed.

Classification of Structures, Systems and associated Components (cont.)
In a single system, individual components may have different safety classes depending on:
(a) The safety role performed by the component;
(b) The consequences of its failure to perform the safety function;
(c) The frequency with which the item will be called upon to perform a safety function;
(d) The time following a postulated initiating event at which, or the period for which, the item will be called upon to perform a safety function.
For individual components containing radioactive materials, the consequences of their failure are identified with regard to the activity released and to the capability of the system to perform its intended function. The safety class should be determined on the basis of the highest consequence. Nevertheless, the safety class cannot be lower than class 3.

Design provisions
The safety of the plant is also dependent on the reliability of different equipment which, unlike systems, is not called upon in an event.
That equipment, designated as “Design provision”, is necessary to prevent accidents, to limit propagation of the effects of hazards, and to protect workers and the public from radiation risks.

Design provisions (cont.)
• Design features that are designed to such a quality that their failure could be practically eliminated:
− The shells of reactor pressure vessels or steam generators.
• Features that are designed to reduce the frequency of accident:
− Piping of high quality whose failure would result in a design basis accident.
• Passive design features that are designed to protect workers and the public from harmful effects of radiation in normal operation:
− Shielding, civil structures and piping.
• Passive design features that are designed to protect components important to safety from being damaged by internal or external hazards:
− Concrete walls, anti-whipping devices.

Classification of the design provisions
An SSC implemented as a design provision can be classified directly by assessing the level of severity of its failure.
• Safety class 1
− Any SSC whose failure would lead to consequences of ‘high’ severity;
• Safety class 2
− Any SSC whose failure would lead to consequences of ‘medium’ severity;
• Safety class 3
− Any SSC whose failure would lead to consequences of ‘low’ severity.

Verification of the safety classification
• Comparison of the classification established according to the deterministic approach (e.g. application of the IAEA SSG-30) with insights from probabilistic safety assessment;
• Expectation:
− Consistency between the deterministic and probabilistic approaches provides confidence that the safety classification is correct;
− If there are differences, further assessment should be carried out in order to understand the reasons for these and a final safety class should be assigned;
• Iterative process to ensure the completeness of the classification.

Selection of engineering design rules for SSCs
• Three characteristics of the engineering design rules:
− Capability;
− Dependability;
− Robustness.
A complete set of engineering design rules should be specified to ensure that the safety classified SSCs will be designed, manufactured, constructed, installed, commissioned, operated, tested, inspected and maintained to appropriate and well proven quality standards.
Engineering requirements give confidence that reliability of every SSC is commensurate to their individual safety significance.

Selection of engineering design rules for SSCs
To achieve the expected reliability:
• At the system level, design requirements to be applied may include specific requirements, such as single failure criteria, independence of redundancies, diversity and testability.
• For individual structures and components, design requirements to be applied may include specific requirements such as environmental and seismic qualification, and manufacturing quality assurance procedures. They are typically expressed by specifying the codes or standards that apply.
• Appropriate codes and standards (for pressure retaining equipment: ASME, RCC-M, etc., for I&C: IEC or IEEE, etc.) and clear links between safety classes and code acceptance criteria
• Regulatory limits and acceptance criteria

Environmental qualification of SSCs
• Humidity;
• Temperature and pressure;
• Vibration;
• Chemical effects and radiation;
• Operating time;
• Ageing;
• Submergence;
• Electromagnetic interference;
• Radio frequency;
• Interference and voltage surges.

Questions
1. When in the lifetime of the power plant should the safety classification be performed?
2. Which are the main steps in the classification process?
3. What does the term “function” include?
4. Why do design provisions have to be considered for classification?
5. Which are the examples of design provisions?
6. Which are the three levels of severity?
7. How are the functions categorized?
8. How should the adequacy of the safety classification be verified?
9. Which are the three important characteristics in the selection of engineering design rules for the SSCs?

IAEA safety standards
• Specific Safety Requirements SSR-2/1; Safety of Nuclear Power Plants: Design
• Safety Guide SSG-30; Safety Classification of Structures, Systems and Components in Nuclear Power Plants
• General Safety Requirements GSR Part 4; Safety for Facilities and Activities
• Specific Safety Guide SSG-2; Deterministic Safety Analysis for Nuclear Power Plants

The views expressed in this document do not necessarily reflect the views of the European Commission.