
Abstract

The Nuclear Reactor Division (DRN) of CEA is in charge of the evaluation of the design options for the future power plant.

The objective of this report is the identification of the safety related concerns (criteria) that must be used to fulfil this task.

Starting from the main levels of Defence in Depth, and taking into account the recommendations for future Nuclear Power Plants, these criteria are obtained using a functional approach ("What for"; "What is to be done"). After the identification of these criteria, the exercise is performed, as an example, for three options among those suggested for the Decay Heat Removal (DHR).

1. INTRODUCTION

The design options for future fission plant (systems, design features, materials) must be evaluated by the Nuclear Reactor Division (DRN) of CEA on the basis of several types of concerns: operation, safety, fuel cycle, economics, etc.

One task of the Innovative Reactor Concept Service (CEA/DRN/DER/SIS) is to contribute to the evaluation of the design options with respect to safety level and licensing. The final goal is the assessment of the coherence between the design choices and the Defence in Depth principles. The first objective of the task is to help formulate the top level interim safety criteria essential to perform this evaluation. This is why, within the frame of this task, it is requested to develop a standard ad-hoc methodology to identify such criteria (safety concerns). All the design safety related objectives already formulated by the safety authorities and/or by the international advisory groups for the future power plants must be taken into account. The need for a systematic integrated approach, useful to select the design options, is justified by the number and complexity of the issues involved.

The main goal of the report is to suggest such a pragmatic approach for the identification of these safety related objectives and consequently for the selection of the criteria needed for the final evaluation.

2. RECALL ON THE SAFETY APPROACH FOR NUCLEAR PLANTS

2.1 Safety objectives and approach

A high safety level is advocated for future power plants.

To fulfil this objective the key recommendation is to design future fission plants implementing the strategy of Defence in Depth (D. in D.). This approach can be summarized as follows:

1. Priority to the prevention efforts to avoid incidents and accidents.

2. Design effort for an easier management of abnormal situations (protection).

3. Design effort to take into account and to mitigate the consequences of major accidents (mitigation).

Moreover, to cope with general requirements for future plants and still within the frame of a correct D. in D. implementation, it is essential to design the safety systems and their architecture in order to achieve:

1. an extended defence with an effort to prevent systematically potential accident initiators and take severe accidents into account; the aim is to tentatively reduce, at the prevention level, their potential consequences,

2. a balanced defence to avoid singularities among the different accident families contributing to the plant degradation,

3. a gradual defence to avoid short sequences and to allow the operator back-up at intermediate accident stages.

The interest of the proposed design options (and so their evaluation) must be judged on the basis of their coherence when compared to all above objectives.

2.2 Technical guide-lines

Following the reference /1/, the technical guidelines (principles) to concretize the above objectives cover the following items:

• General technical principles

• Specific principles: Siting; Design; Manufacturing and construction; Commissioning; Operation; Accident management; Emergency preparedness

The reference /2/ recognizes the previous items as mandatory, and recommends the adoption of some complementary generic principles:

o The concept of plant design should be extended to include the operating and maintenance procedures required for it

o Design should avoid complexity

o Plants should be designed to be "user friendly"

o Design should further reduce dependence on early operator action

o The design of the system provided to ensure confinement of radioactive materials after a postulated accident should take into account the values of pressure and temperature encountered in severe accident analysis

o Accidents that would be large contributors to risk should be designed out or should be reduced in probability and/or consequences

o The plant should be adequately protected by design against sabotage and conventional armed attack

o Design features should reduce the uncertainty in the results of probabilistic safety analysis

o Consideration should be given to passive safety features

As a complement to these international guide-lines, French safety authorities ask explicitly for the reduction of common mode failures /3/. The implementation of functional redundancy capabilities (two or more systems to realize the same safety function) is recommended to fulfil this objective. Those recommendations have been confirmed within the frame of the European Pressurized Reactor (EPR) activities. A common French and German safety authorities report /4/ recognizes the evolutionary approach for the future EPR. The role of the defence in depth is stressed and a significant reduction of radioactive releases due to all conceivable accidents, including core melt accidents, is explicitly requested. Among the suggested technical principles it is interesting to recall the following:

o Quality of design, manufacturing, construction and operation to point out the importance for the inspectability and the testability of equipments

o Reduction of frequency of initiating events to reduce the frequency of occurrence of accidents (including core melt accidents)

o Improved plant transient behaviour to avoid unnecessary safety systems actions

o Redundancy and diversity to be consistent with the general objective of reducing the probabilities of occurrence of accidents

o Active and passive systems in order to identify the advantages and the disadvantages of passive systems

o Integrity of primary circuit as well as the integrity of the other safety related high energy components and piping within the containment systems to reduce the potential containment loads

o Man-machine interface to take advantage of the human abilities, while minimizing the possibilities for human errors and making the plant less sensitive to these errors

o Qualification of computerized systems to obtain the necessary high reliability for instrumentation and control systems

The use of probabilistic safety assessment is suggested to support the design options, a well balanced safety concept and the evaluation of expected deviations from present French and German safety practices.

The reference /4/ also recommends that accident situations which would lead to large early releases have to be "practically eliminated" (when they cannot be considered as physically impossible, design provisions have to be taken to design them out): reactivity accidents, high pressure core melt situations, global Hydrogen detonation. Low pressure core melt accidents have to be "dealt with", so that the associated conceivable releases would necessitate only very limited protective measures in area and in time. The objective of significant reduction of the radioactive releases implies a substantial improvement of the containment function. To do this, among others, the residual heat must be removed from the containment without venting device. For this function, a last-resort heat removal system must be installed; this system should be preferably passive with respect to its primary circuit inside the containment.

2.3 Defence in Depth (D. in D.) implementation

As stated above, the design effort must be coherent with the D. in D. approach through the implementation of three generic goals: prevention, protection and mitigation. These goals can be expanded to obtain five levels of D. in D.:

Prevention

• 1st level: conservative design, quality assurance, safety culture

Protection

• 2nd level: control of abnormal operations and detection of failures

• 3rd level: protection and safeguard systems

Mitigation

• 4th level: major accident management including confinement protection

• 5th level: off-site emergency response (consequences mitigation)

NOTE: It is essential to note that through the fourth and fifth levels, the Defence in Depth approach requires an ultimate demonstration of the plant safety, taking into account, as a matter of routine, the plant degradation (severe accident). The reasons for this last requirement can be interpreted as follows:


a. to cover the possible lack of exhaustiveness of the selected deterministic sequences,

b. to demonstrate the potential of the concept for mitigating severe accidents,

c. to demonstrate the avoidance, by design, of any cliff edge effect.

(The cliff edge is a discontinuity in the relationship between the frequencies and the consequences that defines the risk : Risk = frequency x consequences).

3. SAFETY CONCERNS

Section 2.2 presents some generic recommendations and the technical guide-lines that must be taken into account for future nuclear plants. Starting from the Defence in Depth levels (see section 2.3), all these indications are integrated and developed following a functional analysis approach. This approach, currently used for value analysis, details generic specifications (what for) and suggests more and more detailed technical solutions (what is to be done).

The methodology allows to identify:

• the generic criteria for the evaluation of the main plant design options,

• the specific safety concerns (or specific criteria) for the evaluation of the safety function related systems, subsystems or components.

The first steps are presented in Table 1 (left hand). After the generic criteria (level 1 (O)) applicable to the future reactors, the identified safety concerns (or design safety related objectives - level 2 (•)) are still generic and must be applied to all safety related design options. A further step is also presented in Table 1 (left hand). As a trial measure, the methodology is applied to the decay heat removal, identifying the design specifications (safety function related objectives - level 3 (*)) proper to the corresponding systems, subsystems or components.

4. OPTIONS FOR THE DECAY HEAT REMOVAL

4.1 Options

Several options for the decay heat removal coolant have been proposed for the implementation on future NPP. Three among them are chosen to present and discuss the suggested methodology.

OPTION

Passive Decay Heat Removal system implemented on the primary circuit of the AP600 concept.

Studies have been performed at the CEA to implement similar system on a 900 MW PWR (see diagram).

Passive/active Decay Heat Removal system.

Heat exchangers installed within the primary vessel

Studies have been performed at the CEA to design the system for a 900 MW PWR (see diagram; /5/ for the performances).

Passive Decay Heat Removal system implemented on the secondary circuit of the SIR concept

Studies have been performed at the CEA to implement similar system on a 900 MW PWR (see diagram; /5/ for the performances).

4.3. Qualitative evaluation of the heat removal

The different options are evaluated using the safety concerns identified and listed in Table 1. The appreciation is expressed in terms of favourable, unfavourable or unaffected. The preliminary evaluation results are tentatively (and not completely) summarized in Table 1 (right hand). This makes it possible to identify the pros and cons of each option. Those results are essential to identify, motivate and prioritize the R & D efforts that support the system design activities.

The details of these results are not commented here. The main objective of the report is to present the methodology. The design objectives presented on table 1 are open for discussion to improve their coherence versus the claimed goals. The system qualitative evaluations are also preliminary and must be discussed in detail.

5. CONCLUSIONS

The discussion of the recommendations already available for future nuclear plants provides clear guidelines directly applicable for the design. The Defence in Depth approach remains the reference. Its correct implementation requires taking care of all the levels (prevention, protection, mitigation) and providing an extended, gradual and well balanced defence.

The development of these levels following a functional approach (what for ↔ what is to be done) makes it possible to identify a series of technical generic design objectives for future nuclear plants. The development can be pursued to define the objectives/criteria needed for the evaluation of the systems, subsystems or components related to a safety function. The report provides a first proposal for the methodology and identifies, as an example, the evaluation criteria useful for a comparative qualitative evaluation among different design options for Decay Heat Removal. A similar approach can easily be applied for the evaluation of the design options in charge of the other important safety functions, e.g. Reactivity Control and Fission Products Containment.

It is important to point out that the results of this approach are essential to identify, motivate and prioritize the R & D efforts that support the system design activities.

TABLE 1

FUTURE PWR

DECAY HEAT REMOVAL (DHR) FUNCTION - COMPARATIVE EVALUATION AMONG DIFFERENT DHR SYSTEMS

Implementation of a PRHR system, or a RRP system, or a SCS system for the Decay Heat Removal of a future standard PWR.

Identification of the favourable, unfavourable or indifferent contributions linked to the implementation of each system.

SYSTEMS PRHR RRP SCS Comments

1st level: PREVENTION

conservative design, quality assurance, safety culture

o Elaborate a simplified design
  • Elaborate a simplified neutronic design
  • Elaborate a simplified thermohydraulic design
    * Simplify the vessel internals
    * Simplify the thermohydraulic for the normal DHR
    * Simplify the thermohydraulic for the safeguard DHR
    * Separate the normal operating DHR function from the safeguard DHR
    * Increase the range covered by normal DHR systems (forced conv., natural conv.)
    * Reduce the number of components per system
    * Standardize the components among normal operating DHR and safeguard DHR
  • Elaborate a simplified thermomechanic design
    * Simplify the vessel internals
    * Reduce the number of systems connected to the primary circuit
    * Reduce the impact of transients
    * Minimise the thermomechanical loads (pressure versus geometry, ΔP)
    * Reduce the number of components per system

Comments: RRP - Increased complexity within the vessel. PRHR implemented as an extension of the P.C.

o Satisfy the design rules
  • Elaborate a design consistent with all the plausible situations
  • Take into account the Passive Single Failure criterion for the short term
  • Qualify the materials (mechanical, electrical, etc.)
    * Qualify the materials for the planned function (performances)
    * Qualify the materials versus the requested reliability
    * Qualify the materials versus the requested availability
    * Qualify the materials for the expected environmental conditions
  • Plan the possibility for representative tests
  • Standardize the components among systems (improve the feedback experience)

o Simplify the reactor operations and the maintenance procedures for normal conditions (human factor for operation and shut down)
  • Improve the quality of the information (operational data)
  • Implement adequate control on systems behaviour and status
  • Improve the man-machine interface
  • Simplify and automatize the procedures for the operation
  • Simplify and automatize the procedures for the inspection
  • Simplify and automatize the procedures for the maintenance and preventive repair

Comments: RRP - Difficulties for IHX instrumentation? Systems easy to operate. RRP - Difficulties for IHX inspection. RRP - Difficulties for IHX maintenance and repair.


o Integrate the principles of the defence in depth: balanced, gradual and extended defence
  • Take care of the balanced character of the implemented defence
    * Implement a homogeneous number of Lines of Defence (LOD) for each operating condition (OC: PIE applied to an initial plant status)
  • Take care of the gradual character of the implemented defence
    * Implement functional redundancies: independent LOD
  • Take care of the extensive character of the implemented defence
    * For each operating condition, implement a number of Lines of Defence (LOD) coherent with the probabilistic objectives

Comments: All the systems can be considered as independent LOD.

o Minimize the personnel exposure during normal operation
  • Minimize the contact dose
    * Reduce the corrosion phenomena and the radioactive products transport
    * Limit the length of circuits which carry activated fluid
    * Reduce the portions of circuits that carry primary coolant
  • Minimize the maintenance times for normal conditions
    * Improve the accessibility
    * Foresee equipments and robots

Comments: PRHR, RRP - Increased surfaces of the second barrier. Negligible versus the SG? PRHR implemented as an extension of the P.C. RRP - Difficulties for IHX accessibility.

o Minimize radioactive waste during normal operation
  • Simplify the chemistry of the primary circuit
  • Reduce the self-generation of radioactive waste
  • Reduce the corrosion phenomenon
  • Ensure the good materials behaviour under irradiation

Comments: PRHR, RRP - Increased surfaces of the second barrier.

o Minimize the frequency for the Postulated Initiating Events (PIE - abnormal situations; during normal operation and shut down):
  • Control rod withdrawal
  • Uncontrolled boron dilution
  • LOFA - Sequences initiated by loss of primary coolant flow
  • Loss of charge / turbine trip
  • Loss of normal feedwater
  • Loss of external electrical power supply
  • LOCA - Sequences initiated by a leakage of primary coolant
    * Reduce the number of chipping on primary loops
    * Minimise the length of the loops which carry primary fluid
    * Minimise the fluids internal energy (primary pressure)
    * Reduce the corrosion phenomenon
  • Sequences initiated by loss of secondary coolant or heat sink
    * Minimise the length of the loops which carry secondary fluid
    * Minimise the fluids internal energy (secondary pressure)
    * Reduce the corrosion phenomenon
  • Steam Generator tubes rupture
    * Minimise the fluids internal energy (ΔP primary/secondary pressure)
    * Reduce the corrosion phenomenon

Comments: PRHR, RRP - Increased surfaces of the second barrier. RRP - IHX tubes equivalent to the SG ones, nevertheless the external loads (pressure outside)


o Minimize the potential for Common Modes (Initiators)
  • Separate and diversify the systems
  • Diversify the components
  • Keep the single loops segregated
  • Minimize the potential for flooding
  • Put out of water the components important for safety
  • Minimize the potential for fires
  • Implement incombustible materials
  • Qualify the material for the earthquake

Comments: The earthquake response must be carefully analysed.

o Minimize the inherent potential consequences for the PIE (oper. and shut down):
  • Control rod withdrawal
  • Uncontrolled boron dilution
  • LOFA - Sequences initiated by loss of primary coolant flow
    * Foresee an adequate pump inertia
    * Foresee the natural convection behaviour
  • Loss of charge / turbine trip
    * Foresee the natural convection behaviour
  • Loss of normal feedwater
    * Foresee the natural convection behaviour
  • Loss of external electrical power supply
    * Foresee the natural convection behaviour
  • LOCA - Sequences initiated by a leakage of primary coolant
    * Minimise the primary depressurisation effects (on the three barriers)
    * Ensure the DHR with reduced primary water inventory
  • Sequences initiated by loss of secondary coolant or heat sink
    * Minimise the secondary depressurisation effects (on the three barriers)
  • Steam Generator tubes rupture

o Avoid by design (prevent) the sequences that can lead to unacceptable consequences and early releases. Reject the risk for the cliff edge effect
  • Avoid by design the reactivity excursions
  • Avoid by design the core melting under high primary pressure conditions
    * Participate efficiently to the primary circuit depressurisation
  • Avoid by design the core melting concomitant to the loss of the containment (bypass)
  • Foresee an ultimate passive DHR system within the containment
  • Set up within the containment all the loops that carry primary coolant
  • Foresee the isolation of all intermediate loops at the containment level
  • Avoid by design the risks for the steam explosions
  • Avoid by design the risks for the Hydrogen detonation
