E-DOCS-#3391646-v2A-The Evolution of System Safety in the ...

nuclearsafety.gc.canuclearsafety.gc.ca

Canadian NuclearSafety Commission

Commission canadiennede sûreté nucléaire

The Evolution of System Safety in the Canadian Nuclear Industry

The Evolution of System Safety in the Canadian Nuclear Industry

System Safety Society, Eastern Canada Chapter, June 18, 2009Philip Webster; Director, Darlington Regulatory Program

System Safety Society, Eastern Canada Chapter, June 18, 2009Philip Webster; Director, Darlington Regulatory Program

System Safety Society, Eastern Canada Chapter, June 18, 2009 - 2

Nuclear safety means protecting CanadiansNuclear safety means protecting Canadians

Canadian Nuclear Safety Commission (CNSC)

– Canada’s nuclear watchdog– Quasi-judicial body– Independent of, but not isolated

from, governmentRegulates the use of nuclear energy and materials to protect the health, safety and securityof persons and the environment; and to respect Canada’s international commitments on the peaceful use of nuclear energy


Nuclear regulation…Nuclear regulation…

CNSC regulates all nuclear facilities and activities in Canada, including:

Nuclear power plants Uranium mines & millsUranium fuel fabrication and processing Nuclear substance processing Industrial and medical applications of nuclear substances, such as nuclear medicine and cancer treatment centersResearch and educational facilities Import/export of nuclear and dual-use substances, equipment and technologyWaste management facilities

…is a federal responsibility


Darlington NGS-ADarlington NGS-A


SummarySummary

• Initially little recognition of need for safety systems

• Need for safety systems to be independent• Increasing complexity of safety systems

– Multiplicity, availability, testability• Contribution of support systems to safety• Increasing analysis• Probabilistic risk assessments• Management systems approach• Modern standards for design, analysis• Licensees vs. Regulator


NRX Reactor - 1952NRX Reactor - 1952

• Reactor started operation at CRNL in 1947• Produced Pu, other isotopes, fuel testing,

research• Maintaining operation was important• Combined control/shutdown rods

– Manual procedures to withdraw them– Errors made during startup– Major power excursion, fuel melting

• Lessons learned:– Indicated need for fast shutdown capacity– Independent of any control system


Reactor Safety Criteria - 1964Reactor Safety Criteria - 1964

• Process equipment– Equipment and systems for normal operation

• Protective devices– Prevent fuel damage from failure in process

equipment• Containment provisions

– Limit or restrict release of radioactivity• Structurally and operationally independent

– Rate of cross-linked faults less than rate of coincident independent faults


Application of Reactor Safety CriteriaApplication of Reactor Safety Criteria

• Frequency of process failures < 1 in 3 years

• Unreliability of protective devices < 0.003• Unreliability of containment < 0.003• Safety systems to be physically and

functionally independent from process systems and each other

• Safety systems must be testable to verify• Exclusion zone


Two shutdown systems - 1977Two shutdown systems - 1977

• Regulatory Document R-10• New reactors to have two shutdown systems

– Independent, diverse– Physically and functionally separate

• All serious process failures can be handled by either one– Failure to shutdown is beyond design basis

• Unavailability of each < 1E-3 per year• Testable, fail-safe• Two diverse trip parameters for each SPF


General Safety Requirements - 1982General Safety Requirements - 1982

• Dose limits: normal operation & accidents• Five dose classes defined

– Individual dose/Sum of probabilities• Safety requirements for siting, design,

safety analysis, construction, commissioning, operation, effluent and waste management, decommissioning.

• ALARA


Grouping and SeparationGrouping and Separation

• Group I– SDS 1– ECCS

• Group II– SDS 2– Containment

• Important process and SSS are triplicated– Permits testing without making unavailable, or

inadvertently triggering– 2oo3 logic

• Two control rooms


Probabilistic Safety AssesmentsProbabilistic Safety Assesments

• Validate for completeness the list of design basis accidents– i.e. those identified for analysis

• Assist confirmation of accident sequence classification

• Identify dominant failure sequences• Demonstrate cumulative frequencies of

accidents are less than targets


PSA - Event Tree ExamplePSA - Event Tree Example

MHS6

Moderator Acts as Heat Sink

FW2L

Main or Aux. Feedwater

System

ECCHMD-M

ECC Initiatedby Operator. HP and MP

Only are Available.

CCD-M

PHT Crash Cooldown

Manually Operated

LI

PHT Loops Isolate at

5.52 MPa(g)

HTT

Trip of PHT Pumps on

Low PHT Pressure

PIC1S

Pressure and Inventory Control System Available

RT15

Reactor Shutdown by RRS SDS1/SDS2

LOCA2-4

Multiple Tube Rupture in Any

RCW-HX

# SEQUENCE-NAMES END-STATE-NAMES

1 LOCA2-4-001 OK

2 LOCA2-4-002 PDS9

3 LOCA2-4-003 NDF

4 LOCA2-4-004 NDF

5 LOCA2-4-005 NDF

6 LOCA2-4-006 PDS3

7 LOCA2-4-007 PDS2

8 LOCA2-4-008 PDS3

9 LOCA2-4-009 PDS2

10 LOCA2-4-010 PDS0

LOCA2-4 - 2008/02/25 Page 46


PSA – Fault Tree ExamplePSA – Fault Tree Example

RT15

SDS1_RT15

1KNOWN_2RND_RT15

6.210E-2

M>1ASSEMBLYM 2RAND_RT15

6982

1TEST_1RAND_RT15

6983

2RND_SORS_F_RT15

2KNOWN_1RND_RT15

1RAND_RT15

6980

1RAND_B1_RT15

6981

1RAND_B2_RT15

2KNOWN

6.210E-2

M>1ASSEMBLYM

1.050E-3

M>ASSEMBLY_8M

3RAND_RT15

1TEST_2RAND_RT15

6984

2_RND_NTEST_RT15

6793

TEST_OR_FW

3RND_SORS_F_RT15

6985

B1_1&B2_2_RND_15

6986

B1_2&B2_1_RND_15

6987

B1_3_FL_RND_RT15

6988

B2_3_FL_RND_RT15

SDS2_RT15

2475

GAD_INJ_COMP

6989

POISON_TK_P_RT15

1 SOR IN-COREFOR TEST OR FAILS

TO WITHDRAW FOLLOWINGTEST

2 OR MORE OF6 LIQUID INJECTION

UNITS FAIL TOINJECT WHEN He

HEADER PRESSURIZED

SDS2 FAILUREINSUFFICIENT

POISON INJECTION(RT15)

3 OF 28 SORsNOT DROPPED FROMFULLY OUT POSITION

WHEN SIGNALED(RT15)

REACTOR FAILSTO TRIP AFTERMULTIPLE TUBE

RUPTURE IN RCWHX

3 RANDOM SORMECHANISM OR

SIGNAL FAILURESIN BANK 2 (RT15)

3 RANDOM SORMECHANISM OR

SIGNAL FAILURESIN BANK 1 (RT15)

2 SOR MECHANISMSOR SIGNAL FAILURES

IN BANK 1 & 1IN BANK 2 (RT15)

1 RANDOM SORMECHANISM ORSIG FAILURE INBANK 1 AND 2

IN BANK 2 (RT15)

POISON TANKSNOT PRESSURIZEDWHEN REQUIRED

(RT15)

3 RANDOM SORFAILURES (RT15)





2 KNOWN AND1 RANDOM SORFAILURES (RT15)

2 KNOWN SORFAILURES

1 TEST RELATEDAND 2 RANDOMSOR FAILURES

(RT15)

1 TEST RELATEDSOR FAILURE AND

1 RANDOM SORFAILURE (RT15)

1 RANDOM SORFAILURE (RT15)

1 RANDOM SORMECHANISM ORSIGNAL FAILUREIN BANK 2 (RT15)

1 RANDOM SORMECHANISM ORSIGNAL FAILUREIN BANK 1 (RT15)

1 KNOWN AND2 RANDOM SORFAILURES (RT15)

ADDITIONAL SORFAILURE REQUIRING

SHUTDOWN

1 KNOWN SORFAILURE

1 KNOWN SORFAILURE


Defence-in-Depth NS-R-1 - 2000Defence-in-Depth NS-R-1 - 2000

1. Prevent deviations from normal operation & system failures

2. Intercept deviations to prevent AOOs escalating to accidents

3. Provide engineered safety features to control, cool and contain accidents

4. Mitigate consequences of severe accidents to prevent off-site release

5. Mitigate off-site radiological consequences


Implementation of D-i-DImplementation of D-i-D

1. Conservative design, documented procedures, well-trained operators

2. Inherently safe response and reliable control systems

3. Safety systems to give high confidence that credible accidents are controlled

4. Mitigation of core damage and containment of radioactivity to minimise releases

5. Emergency measures to protect public in the event of a significant release


Management Systems - 2005Management Systems - 2005

• CSA-N286-05– ‘Management System Requirements for

Nuclear Power Plants’• Replaces N286.0 to .7 (1986-2000)

– Quality Assurance for Nuclear Power Plants• Same management requirements apply to

each phase of plant life (siting to abandon)• Activities for one phase may occur during

another phase


Refurbishments – Late-2000sRefurbishments – Late-2000s

• Pickering A, Bruce A, Point Lepreau• Integrated Safety Review performed

– Comparison of plant, programs, etc against modern safety goals, meets current standards and regulatory requirements for safe and secure long-term operation.

• Pickering B decision imminent• Darlington, Bruce B, Gentilly-2 likely soon


New NPP Build - 2009New NPP Build - 2009

• Environmental Assessment needed– Before any licensing– Covers full life cycle of station

• Site Evaluation: RD-310• Modern Design: RD-337

– Applies to new reactors– Will apply in phased manner to existing

• Safety Analysis: RD-310


Safety Areas and Program AreasSafety Areas and Program Areas

• Comprehensive assessment of performance of all processes, programs, systems, etc relevant to safety

• Developed from IAEA• Darlington overall ‘Fully Satisfactory’• Annual NPP Performance Report

– http://www.nuclearsafety.gc.ca/eng/readingroom/reports/powerindustry/2008/index.cfm


DarlingtonCompliance and Safety Performance in 2008DarlingtonCompliance and Safety Performance in 2008

Safety Area RatingOperating Performance FSPerformance Assurance SADesign and Analysis SAEquipment Fitness for Service SAEmergency Preparedness FSEnvironmental Protection SARadiation Protection FSSafeguards FS


DarlingtonCompliance and Safety Performance in 2008DarlingtonCompliance and Safety Performance in 2008Safety Area Performance

Program Rating Operating Performance FS

Organization and Plant Management FS Operations FS Occupational Health and Safety (non-radiological) FS

Performance Assurance SA Quality Management SA Human Factors FS Training, Examination and Certification SA

Design and Analysis SA Safety Analysis SA Safety Issues SA Design SA

Equipment Fitness for Service SA Maintenance FS Structural Integrity FS Reliability SA Equipment Qualification BE

Emergency Preparedness FS Environmental Protection SA Radiation Protection FS Security Prescribed

Safeguards FS


SummarySummary

• Moved from equipment to humans to management systems

• Full life-cycle considered for new NPPs• Five levels of Defence-in-Depth• Safety principles of separation,

independence, redundancy, diversity• Prevention of process system failures is

fundamental

Canadian Nuclear Safety Commission

Canadian Nuclear Safety Commission

nuclearsafety.gc.canuclearsafety.gc.ca

Canadian NuclearSafety Commission

Commission canadiennede sûreté nucléaire

Canada


Barriers to Fission Produce ReleaseBarriers to Fission Produce Release

• Fuel matrix• Welded sheath cladding• Primary circuit pressure boundary• Containment• Exclusion zone, evacuation

E-DOCS-#3391646-v2A-The Evolution of System Safety in the ...

Documents

Transcript of E-DOCS-#3391646-v2A-The Evolution of System Safety in the ...