SAFETY ASSESSMENT IN SYSTEMS DESIGN

lucine

Presentation Transcript


  1. SAFETY ASSESSMENT IN SYSTEMS DESIGN

  2. SUMMARY
  • Definition of “system”
  • Before assessing a system
  • Assessment method
  • System functional requirements/criteria
  • Place of the system in the defense in depth
  • Safety classification
  • System redundancy
  • Electrical supply
  • Equipment qualification
  • Protection against hazards
  • Other requirements
  • Conclusion

  3. Definition of “system”
  A nuclear power plant comprises structures, systems and components.
  “A system comprises several components, assembled in such a way as to perform a specific (active) function.”
  “Examples of components are wires, transistors, integrated circuits, motors, relays, solenoids, pipes, fittings, pumps, tanks and valves.”
  “Structures are the passive elements: buildings, vessels, shielding...”

  4. Before assessing a system
  • Gathering all the information needed to understand the way the system works
    • (Preliminary) Safety Analysis Report
    • Technical specifications
    • Diagrams
  • Regulatory framework
    • Requirements
    • Codes and standards
  • Past assessments
    • On the same or similar systems
    • Consistency between different reactors or operators

  5. Assessment method
  • Safety demonstration of system design relies on deterministic studies
    • Postulated events or situations
  • Completed by Probabilistic Safety Analyses
    • Confirmation of the design in terms of redundancy, diversity…
  • And experience feedback

  6. Systems functional requirements/criteria
  The definition and design of the plant systems depend on the safety goals of the plant and on the criteria for the postulated accidents/situations.
  [Figure: consequences versus frequency; frequency axis graduated 10^-6, 10^-2, 1]

  7. Systems functional requirements/criteria
  The functional requirements and criteria of a safety system are determined by the conditions (normal operation, incidents/accidents, multiple failures, severe accidents) in which the system is necessary.
  • Exhaustive identification of the conditions in which the system is necessary, to ensure completeness of the functional requirements
  • Determination of the functional design criteria (pump minimum flow rate, tank water volume, boron concentration…)
  • Definition of the safety class of the system
  Check consistency between the requirements on a “main system” and its “support systems” (ex: its cooling or venting systems).

  8. Systems functional requirements/criteria
  • Postulated events/situations in the deterministic safety analysis:
    • Design basis accidents (DBA): single initiating events (ex: pipe break…)
    • Multiple failure situations (DEC) (ex: total loss of external and internal electrical sources)
      • Not initially studied for old plants → now included in “beyond design accidents”
      • Considered for new reactors (ex: EPR) as “design extension accidents”
    • Severe accidents = accidents with core melt
      • Not postulated for old plants, even though some dedicated features are now defined
      • Considered from the design stage for new reactors (ex: EPR)
  Analysis of the corresponding risk

  9. Systems functional requirements/criteria
  Example: EPR (GEN III). Different systems are required in different situations to ensure the safety functions.
  [Figure: radiological consequences versus frequency (axis graduated 10^-6, 10^-2, 1) showing the regions: normal operation and incidents, with limits for radioactive releases in normal operation; accidents without core melt (single events, multiple failures), risk acceptable; accidents with core melt, risk limited in time and space, no sheltering nor evacuation; residual risk; risk unacceptable]

  10. Systems functional requirements/criteria
  • Exhaustive identification of the conditions in which the system is necessary, to ensure completeness of the functional requirements
  • EPR Safety injection system (SIS/RHRS)
    • Normal operation (RHRS mode)
    • DBA
      • Most of the DBA in RHRS mode
      • LOCA
      • SGTR
      • SLB
    • DEC
      • SB-LOCA without LHSI
      • SB-LOCA without MHSI
      • Total loss of SG feedwater (feed and bleed)

  11. Systems functional requirements/criteria
  • Exhaustive identification of the conditions in which the system is necessary, to ensure completeness of the functional requirements
  • EPR Extra Boration System
    • Normal operation (primary pressure test)
    • Most of the DBA
    • DEC: ATWS, homogeneous dilution
  • EPR Containment heat removal system
    • DEC:
      • SB-LOCA without LHSI
      • LUHS
    • Severe Accident

  12. Systems functional requirements/criteria
  • Exhaustive identification of the functional design criteria
    • Ex 1: SIS required maximum flow rate: determined for the large LOCA
    • Ex 2: Water volume in the IRWST: shall lead to a sufficient water level in the containment sumps to cover the strainers (regarding NPSH and the vortex phenomenon)
  The functional criteria used for the system design are determined for the most penalizing accident which requires the system.

  13. Systems functional requirements/criteria
  • Exhaustive identification of the functional design criteria
  • EPR Safety injection system (SIS/RHRS)
    • To evacuate residual heat (normal operation)
    • To evacuate residual heat (in RHRS mode and SIS mode)
    • To inject water to restore the primary inventory (LOCA, SGTR)
    • To inject borated water (SLB)
  • EPR Extra Boration System
    • To inject borated water to reach the controlled state (DBA - SLB)
    • To inject borated water to reach the safe shutdown state (DBA)
    • To inject borated water to trip the reactor (ATWS)
    • To inject borated water to avoid re-criticality (homogeneous dilution)
  • EPR Containment heat removal system
    • To remove primary circuit residual heat (DEC)
    • To remove heat from the containment (SA)
    • To spray water to decrease containment pressure (SA)

  14. Place of the system in the defense in depth
  Levels of Defence in Depth (objective: means):
  • N1 Prevention of abnormal operation and failure: conservative design, high quality in construction and operation, “normal systems” reliability…
  • N2 Control of abnormal operation and failure: control, limiting and protection systems and other surveillance features
  • N3 Control of accidents (single events or multiple failures) to limit radiological releases and prevent escalation to core melt: engineered safety features (safety systems…) and accident procedures
  • N4 Control of accidents with core melt to limit off-site releases; practical elimination of situations that could lead to early or large releases of radioactive materials: engineered safety features to mitigate core melt (« severe accidents systems »…), management of core melt accidents
  • N5 Mitigation of radiological consequences of significant releases of radioactive materials: off-site emergency response, intervention levels

  15. Place of the system in the defense in depth
  The levels of defense must be as reliable and as independent as possible.
  Independence between all levels of defense-in-depth: “Enhancing the effectiveness of the independence between all levels of defense-in-depth, in particular through diversity provisions (in addition to the strengthening of each of these levels separately) to provide, as far as reasonably achievable, an overall reinforcement of defence-in-depth.”

  16. Place of the system in the defense in depth
  For each failure envisaged, several levels of defense are provided. Systems at each level perform the safety functions: S1-2 at levels N1 and N2, S3 at level N3, S4 at level N4.
  • N1 Prevention of abnormal operation and failure
  • N2 Control of abnormal operation and failure
  • N3 Control of accidents (single events or multiple failures) to limit radiological releases and prevent escalation to core melt
  • N4 Control of accidents with core melt to limit off-site releases; practical elimination of situations that could lead to early or large releases of radioactive materials
  • N5 Mitigation of radiological consequences of significant releases of radioactive materials

  17. Place of the system in the defense in depth
  • Example: EPR ELECTRICAL DISTRIBUTION
  [Figure: EPR electrical distribution, with equipment grouped by defense-in-depth level 1-2, level 3 and level 4]

  18. Safety classification
  • Objectives of the classification of SSC
    • The safety classification of the Structures, Systems and Components aims at ranking them according to their safety significance
    • They shall then be designed, manufactured and operated with a quality and reliability commensurate with their safety class.
  • Safety classification applies to:
    • Mechanical equipment
    • Electrical and I&C equipment
    • Civil engineering structures

  19. Safety classification
  • Principles for the safety classification
    • The safety significance of a SSC is established by consideration of its role in the fulfillment of the 3 objectives:
      • integrity of the Reactor Coolant Pressure Boundary
      • ability to shut down the reactor and maintain it in a safe state
      • ability to prevent accidents or to limit their radiological consequences
    • The method for classifying the safety significance of a SSC is based on deterministic methods, according to the following factors:
      • the safety functions to be performed by the item;
      • the consequences of failure of the item to perform its function;
      • the time following a PIE at which, or the period throughout which, it will be called upon to operate;
      • the level of defense in depth to which it belongs.
    • The PSA are used afterwards to refine the classification and to identify possible new PIEs.

  20. Safety classification
  • Functional classification of SSC (Example on EPR)
    • To take into account the time following a PIE at which a mitigation function is used, 2 states are defined.
    • Controlled state (DBA only): state when the fast transient is finished and the plant is stabilized:
      • Core sub-critical
      • Core power removed
      • The activity is tolerable
    • Safe state:
      • Core sub-critical
      • Activity within the limits of the corresponding PCC or RRC-A
      • Core power removed in a sustainable way

  21. Safety classification • Functional classification of SSC (Example on EPR)

  22. Safety classification • Functional classification of SSC (Example on EPR)

  23. Safety classification
  • Functional classification of SSC (Example on EPR)
  Requirements are commensurate with their safety class. Example: functional classes for EPR FA3.
  Notes to the table:
  • Active failure; passive failure after 24 h
  • Redundancy required
  • Redundancy or diversity required
  (4) Qualification to accidental ambient conditions, if any
  (5) The design shall permit the performance of periodic tests

  24. Safety classification
  • Mechanical classification
    • It takes into account:
      • The functional safety role
      • The retention of active fluid
    • To define requirements on design, manufacturing and surveillance
  • Example
    • M1: primary circuit including its isolation
    • M2: circuits liable to contain active primary fluid in accidental situations: secondary circuit, Emergency Core Cooling System, containment penetration and isolation
    • M3: other mechanical classified safety functions
      • e.g. F1 functions not liable to contain active primary fluid in accidental situations: Emergency Boration System, Emergency Feedwater System, Component Cooling Water System, Essential Service Water System

  25. Safety classification
  • Seismic classification (Example EPR)
  • Requirements
    • The requirement for SC1 SSCs is integrity and operability during or after a design earthquake, according to their safety function
    • Seismic class SC2 concerns non-safety-related equipment liable to damage SC1 systems in the event of an earthquake (or dedicated to protecting them). The requirement for SC2 equipment is stability or integrity after a design earthquake
  • SSC classification
    • All F1 classified systems and equipment are assigned to the seismic class SC1, as well as M1 mechanical components.
    • F2 systems and equipment are seismically classified on a case-by-case basis, as well as M2 and M3 mechanical components (example: F2 systems used in situations which may be caused by an earthquake are assigned SC1 (fire protection, SBO diesels)).

  27. Systems redundancy: Single failure criterion
  In view of their importance, systems actuated during design basis incidents/accidents (F1 for EPR) must have a very high level of reliability.
  Deterministic approach in this respect (“approximate but easy”): the single failure criterion = design criterion
  Safety assessment in System Design

  28. Systems redundancy: Single failure criterion
  In conservative analyses, the single failure criterion should be applied when determining the availability of systems and components. This criterion stipulates that the safety systems should be able to perform their specified functions when any single failure occurs. A failure should be assumed in the system or component that would have the largest negative effect on the calculated safety parameter.
  Single failure: A failure which results in the loss of capability of a system or component to perform its intended safety function(s), and any consequential failure(s) which result from it.
  Single failure criterion: A criterion (or requirement) applied to a system such that it must be capable of performing its task in the presence of any single failure.

  29. Systems redundancy: Single failure criterion
  The failures taken into consideration are:
  • Mechanical systems:
    • Active failure (pumps, valves…): failure to operate or inadvertent operation
    • Passive failure (pipes, heat exchangers, simple check valves…): leak or mechanical failure preventing normal flow of the fluid
  • Electrical systems: failure of any component when the system is actuated
  [Diagram: redundant trains, each rated 100 % Q]

  30. Systems redundancy: Single failure criterion
  Passive failure: “In the single failure analysis, it may not be necessary to assume the failure of a passive component designed, manufactured, inspected and maintained in service to an extremely high quality, provided that it remains unaffected by the PIE. However, when it is assumed that a passive component does not fail, such an analytical approach shall be justified, with account taken of the loads and environmental conditions, as well as the total period of time after the initiating event for which functioning of the component is necessary.”

  31. Systems redundancy: Single failure criterion • EPR SIS/RHRS

  32. Systems redundancy: Single failure criterion • EPR SIS/RHRS

  33. Systems redundancy: System affected by the event • EPR SIS/RHRS

  34. Systems redundancy
  • ECCS on 1450 MW French NPPs
  [Diagram: PTR tank, accumulators Accu1 to Accu4, low-pressure and medium-pressure injection trains A and B feeding hot legs HL1/HL2 and cold legs CL1 to CL4, containment sumps]
  • Single failure: 1 train 100% available
  • Preventive maintenance: no train available

  35. Systems redundancy: Preventive maintenance • EPR SIS/RHRS

  36. Systems redundancy: System affected by the event • EPR SIS/RHRS

  37. Systems redundancy
  EPR requirements for the ECCS: 4 trains 100%
  • 1 train is considered unavailable due to the single failure criterion
  • 1 train may be affected by the accident (primary break) or a hazard
  • 1 train may be unavailable for preventive maintenance in power states
  • A 4th train is necessary to mitigate the accident
  Same requirement for other systems required in incidents/accidents:
  • Support systems: Electrical Power Supply System, Component Cooling Water System, Essential Service Water System, some ventilation systems
  • Some safety systems are not 4 trains 100% due to specific justifications (Emergency Feedwater System: 4 trains 50% but with connections..)
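
The deterministic train-counting argument of slides 28 and 34 to 37 can be written down as a small check. This is an added example, not part of the presentation and not an EPR design document: the train lists are constructed, and the single failure is placed on whichever remaining train is most penalising, after the trains lost to preventive maintenance or to the accident itself have been removed. Inter-train connections (the EFWS justification mentioned above) are deliberately not credited, which is exactly why a 4 x 50 % layout does not pass the bare criterion.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Train:
    name: str
    capacity_pct: int  # share of the required safety function one train delivers


def single_failure_check(trains, unavailable=(), required_pct=100):
    """Apply the single failure criterion to the trains that are left.

    `unavailable` names trains already lost for other reasons: preventive
    maintenance, or damage by the accident/hazard that created the demand.
    The single failure is then assumed on the remaining train whose loss has
    the largest negative effect, and the rest must still deliver `required_pct`.
    Returns (ok, name_of_failed_train, remaining_capacity_pct).
    """
    remaining = [t for t in trains if t.name not in set(unavailable)]
    if not remaining:
        return False, None, 0
    worst_name, worst_cap = None, None
    for failed in remaining:
        cap = sum(t.capacity_pct for t in remaining if t != failed)
        if worst_cap is None or cap < worst_cap:
            worst_name, worst_cap = failed.name, cap
    return worst_cap >= required_pct, worst_name, worst_cap


def failing_combinations(trains, n_unavailable, required_pct=100):
    """Enumerate every way `n_unavailable` trains can be out (maintenance,
    accident-affected) and return the combinations that violate the criterion."""
    names = [t.name for t in trains]
    failing = []
    for combo in combinations(names, n_unavailable):
        ok, _, _ = single_failure_check(trains, combo, required_pct)
        if not ok:
            failing.append(combo)
    return failing


# Constructed train layouts mirroring the slides (not project design data).
ECCS_EPR = [Train(f"SIS train {d}", 100) for d in (1, 2, 3, 4)]   # 4 x 100 %
ECCS_2x100 = [Train("train A", 100), Train("train B", 100)]      # 2 x 100 % (slide 34)
EFWS_EPR = [Train(f"EFWS train {d}", 50) for d in (1, 2, 3, 4)]  # 4 x 50 %, no connection credit

if __name__ == "__main__":
    # EPR ECCS: train 1 in maintenance, train 2 hit by the break, single failure on train 3
    print(single_failure_check(ECCS_EPR, ["SIS train 1", "SIS train 2"]))  # (True, 'SIS train 3', 100)
    # 2 x 100 %: single failure alone is fine, but maintenance leaves nothing for it
    print(single_failure_check(ECCS_2x100))                                 # (True, 'train A', 100)
    print(single_failure_check(ECCS_2x100, ["train A"]))                    # (False, 'train B', 0)
    # 4 x 50 %: tolerates one train out plus the single failure, not two
    print(failing_combinations(EFWS_EPR, 1))                                # []
    print(len(failing_combinations(EFWS_EPR, 2)))                           # 6
```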

  38. Systems redundancy: Single failure criterion • EPR Extra boration system

  39. Systems redundancy: Single failure criterion • AP1000 Passive Residual Heat Removal System

  41. Electrical supply (example EPR)
  [Diagram: main line 400 kV and auxiliary line 400 kV from the grid, turbine generator with line breaker and coupling breaker, transformers TS1/TA/TS2, switchboards LGA to LGD, LGF to LGI and LHA to LHD, four diesel generators (10 kV), SBO diesels (690 V) on LJA and LJD, grouped in DIVISION 1 to DIVISION 4]

  43. Equipment qualification • The purpose of qualification is to demonstrate that the equipment can fulfill its required function during accident conditions

  45. Protection against hazards
  Hazards are taken into account in the safety demonstration.
  External hazards:
  • Earthquake
  • Risks induced by the industrial environment (ex: explosions, plane crash…)
  • External flooding
  • Extreme climatic/meteorological events
  Internal hazards:
  • Fire
  • Explosions
  • Internal flooding
  • Pipe ruptures (and their effects)
  • Projectiles
  • …

  46. Protection against hazards
  Different types of protection measures, depending on the hazards:
  • Physical protection of the building or rooms housing the safety equipment (ex: external flooding: platform at a level above the design basis flood…)
  • Design and qualification of equipment (ex: resistance to earthquake, extreme temperatures…)
  • Specific devices (ex: heaters or cooling devices in case of extreme temperatures…)
  • Redundancy of safety systems to ensure the safety functions
  • Physical or geographical separation (to avoid common cause failure of redundant systems)
  • …

  47. Protection against hazards
  Different types of protection measures, depending on the hazards
  Example: diesels & fuel tanks housed in reinforced concrete buildings (EPR)
  • Diesels & fuel tanks housed in reinforced concrete buildings
    • Earthquake-resistant design
    • Doors designed to resist external explosions & floods
  • 2 separate buildings located on each side of the reactor building
    • Deterministically impossible for both of them to be damaged by an external impact hazard (explosion, airplane crash…)
  • Four main 100% redundant diesels
  • Two additional diversified station blackout diesel generators (SBO)

  48. Protection against hazards Example: location of the 4 trains of the safety system ECCS in separated divisions (EPR)

  49. Protection against hazards
