Harmonized EUR Revision E Requirements Corresponding to Currently Available Technical Solutions
Total Page:16
File Type:pdf, Size:1020Kb
C. TOTH et al.
[1] HARMONIZED EUR REVISION E REQUIREMENTS CORRESPONDING TO CURRENTLY AVAILABLE TECHNICAL SOLUTIONS
Csilla Toth (Member of the EUR Steering Committee) Technical Director MVM Paks II. Ltd. Paks, Hungary Email: [email protected]
Abstract
The revision E of “European Utility Requirements” (EUR) is under publication. Chapter 2.1 “Safety Requirements” has undergone major changes, which induced minor corrections in other chapters. The review consists of comprehensive analysis of IAEA Safety Standards for Design: namely IAEA SSR 2/1 Rev 1, GSR 4 Rev 1, IAEA SSG 2 Deterministic Safety Analysis and IAEA Specific Safety Guide SSG-30. Additionally, WENRA Report on Safety of new NPP design (March 2013) was considered. Among many improvements the defense in depth and the practical elimination concepts have been worked out including the design principles to prevent rare and severe external hazards. The list of external hazards has been extended, strict requirements for strengthening plant autonomy have been formulated. To include the lessons learned from Fukushima Daichii accident was particularly emphasized. New ideas concerning the safety classification have been implemented both for standardization and for extending the compatibility to a broad variety of mobile equipment. The terminology has been updated also in accordance with the IAEA Glossary and the TECDOC-1791 about SSR-2/1. The authors hope that the current revision will contribute to build new power plants withstanding most of the foreseen challenges and to reach the reduced limits of environmental impact. 1. INTRODUCTION The nuclear safety requirements in the European Utility Requirements for LWR Nuclear Power Plants (EUR) Document should be in accordance with the European regulators licensing position and be a guide to the Designer/Vendor to understand these requirements. The common European regulatory requirements and guides are defined through WENRA and IAEA. This must be reflected in the EUR Document in order to make clear the safety level pursued in Europe. The nuclear safety requirements in the EUR Document must also be well-structured, and preferably make up a harmonized set of requirements, in order to facilitate assessments and biddings, of a new Nuclear Power Plant (NPP) in Europe. The present EUR Document (Revision D) suffers from some shortcomings in this regard. The nuclear safety requirements were refined at three inherent levels of the EUR Document: Safety fundamentals, Safety requirements and Design of systems, structures and components. The safety fundamentals highlight the EUR nuclear safety ambition and declare that this is in concordance with the safety principles and objectives stated by IAEA and WENRA. The safety requirements are essential in defining the safety level that should be reached by the new NPP. Requirements for design of systems, structures and components are claimed as contributing to the achievement of the safety requirements, i.e. requirements on design- and engineering principles, necessary to demonstrate that the safety level above is reached throughout the lifetime of the new NPP. The paper illustrates the work done for improving the EUR Document. First, the revision method is presented. Then the changes regarding the fundamental level of safety are shown. After that the improvements induced by the Fukushima Daichii accident are described briefly. The following main part presents the revised concept of safety classification. And finally, the description about physical protection relevant modifications and the interconnection between chapters can be found.
1 IAEA-CN-251
2. REVISION METHOD Since the European regulatory documents have gone through improvements and new approaches have been defined, it was essential to start the work with a comprehensive examination of the relevant currently available publications. EUR Rev. E was intended to be up to date, therefore new versions of IAEA documents at their early draft stages were also considered with the objective of collecting ideas. The following regulatory requirements and guides were considered during the preparation of EUR Rev. E: IAEA SF1 [1], IAEA GSR Part 4 Rev.1 [2] , IAEA SSR 2/1 Rev.1 [3], IAEA SSG 2 Rev.1 (DS491, Step 8a) [4], IAEA SSG 30 [5], IAEA-TECDOC1791 [6], IAEA-TECDOC626 [7], WENRA Booklet (March 2013) [8] , WENRA Revised Reactor Safety Reference Levels (with Fukushima Lessons Learned) [9] . The origin of the new EUR version was EUR Rev. D [10], however the comparison of IAEA SSR 2/1 [11] and EUR Rev. C [12] was also taken into account. The Rev. E also reflects the legislative directives of EURATOM [14-15]. The elaboration of EUR rev. E was performed by the Topical Working Groups (TWG) who prepared the drafts of the chapters. The Technical Coordination Group (TCG) was assigned to perform a technical review of a draft chapter. The overlapping and synchronization between the TWG topics was also discussed by the TCG. The Administration Group (AG) focused on the content of the draft chapters in terms of quality, clarity and expressiveness. In addition, AG was in charge of validating the main technical evolutions of the chapter and the technical topics for which a consensus has been found during the TCG review. The Steering Committee was the highest level of the management team who served as a final approver. Regarding the formulation of the requirements the following criteria were applied. First, the requirements have to be generally and functionally phrased. Second, the requirements of IAEA and WENRA have to retain their original wording as widely as possible for traceability reasons. Third, the EUR terminology is preferred. However, where contradictions occurred among the requirement sources, the IAEA terminology was used. And fourth, the number of the requirements has to be similar to the number of requirements in EUR Rev. D. Elimination of requirement redundancies and the merging of requirements were allowed, while restructuring the requirements for better readability was highly encouraged. 3. CHANGES IN BASIC SAFETY CONCEPT 1.1.1. Levels of defence in depth and design approaches
Defence in depth (DiD) concept in EUR Rev. E corresponds to DiD concept Approach 1 in IAEA-TECDOC-1791 see in Sec. 4.2.3.1 of Ref. [6]. The main problem to be solved was that the off-site emergency response needs to be assigned to level 5, however, actually 6 levels could be identified due to the analysis results of the investigation of postulated initiating events (PIE). More precisely single failures, multiple failures or complex sequences (without core melt) and core melt accidents form three different categories due to their nature, but they need to be assigned to DiD levels 3 and 4. In addition, there is a fundamental difference between the design approaches of systems coping with Design Basic Conditions (DBC) and systems coping with Design Extension Condition (DEC), in which Engineering design rules 1 (EDR 1) and Engineering design rules 2 (EDR 2) shall be applied according to EUR Rev. E, respectively. Design approaches EDR 1 and EDR 2 are superimposed to the DiD concept. Furthermore, WENRA prescribed O1, O2 and O3 radiological safety objectives [8], of which O2 refers to accidents without core melt. Taking into account the nature of initiating event categories, the engineering design rules and the C. TOTH et al.
radiological safety objectives, in EUR Rev. E DiD level 3 is split into sublevels 3a and 3b, and level 4 is kept for core melt accidents. Sublevel 3a. DBC-3 and DBC-4 events belong to this level, EDR 1 is applied (Safety systems are credited), and O2 objective needs to be fulfilled. Sublevel 3b. DEC-1 events (without core melt) belong to this level, which are named Complex Sequences. EDR 2 is applied (Safety features for DEC) and O2 objective needs to be fulfilled. Level 4. DEC-2 events (core melt is supposed) belong to this level, which are named Severe Accidents. EDR 2 is applied (Safety features for DEC) and O3 objective needs to be fulfilled. With such an approach the 5 levels of defence are kept, sublevel 3b is assigned to DEC, and the WENRA approach about radiological consequences is integrated. Nevertheless, the failure of a safety system at level 2 leads to sublevel 3b, so no level is bypassed as written in [8]. Design concepts of redundancy, diversity, independency and separation are emphasized in the requirements. EDR 1 and EDR 2 differ from each other in many points, for example in the application of single failure criterion, analysis method (conservative or best estimate) etc. However, there are no requirements regarding the safety demonstration of independence between systems and system components (SSC) credited at different DiD levels, because they cannot be consistently formulated together with the IAEA requirements and such an aim seems to be economically not feasible. 1.1.2. Introducing the term “practical elimination”
The term “practically eliminated” was mentioned for the first time in INSAG12 [12] in 1999. For new NPPs there is a limit on economic, societal and environmental risks that is acceptable concerning severe accidents and releases. Sequences that are to be practically eliminated are the ones that are leading to early or large releases. In EUR Rev. E the latter limit is interpreted as the sequences that exceed the Criteria for Limited Impact (CLI). The identification of accident sequences should be based on deterministic analysis supported by engineering judgement, and on probabilistic assessment. The practical elimination of an accident sequence can be based on either the physical impossibility of the sequence to occur, or on a demonstration about that the sequence is extremely unlikely to arise with a high degree of confidence. In both instances any claims should be well substantiated and justified. In EUR Rev. E the requirements of practical elimination of sequences leading to early or large releases are included. The requirements are fully compliant on a principal level with both IAEA SSR 2/1 [3] and WENRA Position 5 [8]. The application of practical elimination is an enhancement of the strength of DiD level 4, as it implies that more justification is required for sequences that were previously considered beyond design (cf. Sec. 4.3.). 1.1.3. Description of acceptable deterministic safety analysis methods
Deterministic safety analysis methodologies have been harmonized with IAEA SSG2 Rev. 1 guide [4]. There are two main aspects of changes. One is the introduction of three graded methodology options for DBC 24, while the other is the rules of best estimate analysis in DEC. In DBC 24 the conditions of “best estimate computer codes with conservative and/or realistic input data” coupled with uncertainty analysis is the most preferred method, however, conservative approaches both in input data and in the codes themselves could be applied. This concept shows discrepancy with SSR 2/1 Rev. 1 Req. 5.26 [3], which asks for
3 IAEA-CN-251
conservative approach. EUR position, similarly to the one in SSG2 Rev. 1 [4], is that inserting as much information as possible into the analysis induces less difficulty than the conservative manner. In WENRA report [8] best estimate methodologies are favourable for DEC, however with less stringent rules than in DiD level 3a, but the robustness needs to be shown. This opinion is integrated into EUR Rev. E, requiring best estimate analysis together with sensitivity analysis. Such approach in DEC 1 aims at preventing core melt at adequate level of confidence and at assuring that “there is adequate margin with regard to cliff edge effects”, while in DEC 2 the robustness of the analysis is emphasized by applying best estimate approach in full range of the analysis (hypothesis, input data, initial and boundary conditions, code algorithms etc.). A new definition of best estimate analysis has also been introduced for clear understanding. Nevertheless, requirements dealing with break preclusion and leak before break have been also introduced both in the scope of deterministic safety analysis and in the scope of design approaches. 1.1.4. Improvements in the terminology
The definitions are of crucial importance in a regulatory document which comprehends a whole design of new NPPs. Changing the meaning of requirements induces changes in definitions in most cases. Terminology has undergone a major revision based on IAEA and WENRA used terms. Important modifications were that the term accident conditions has been extended to DEC, and operational states has been extended from normal operation to anticipated operational occurrences. New definitions have been formulated concerning the topics of hazards, security, power supply, SSCs, DiD, loss ultimate heat sink, EDR and safety classification. 4. CHANGES RELATED TO THE TOPIC OF FUKUSHIMA LESSONS LEARNED 1.1. Strengthening plant autonomy
Implementing the Fukushima lessons learnt autonomy requirements were strengthened significantly. 1.4.1. Non-permanent equipment No on-site non-permanent equipment shall be credited (irrespectively whether it is light or heavy) during the first 72 hours following the accident initiation (it was requested only for light mobile equipment and for DBC in EUR Rev. D). Use of light non-permanent equipment after 24 hours in case of complex sequences can be an exception when safety classified. Off- site non-permanent equipment can be credited after 7 days only (in EUR Rev. D the limit was 72 hours). Notion of “non-permanent” is a refinement of the earlier used “mobile” equipment recognising that some equipment on the location of its operation requires certain action enabling of its functioning and this is not considered as mobile, which is assumed to be transported to its functional place in certain designs. Also, precise definition of “light” and “heavy” non-permanent equipment is added. 1.4.2. Ultimate heat sink and electric power supply Loss of the ultimate heat sink is one of the main outcomes of Fukushima Lessons Learned. It is important to take into consideration that the loss of the ultimate heat sink may not have only been caused by unavailability of water intake but also by the failure of the system that transfers the heat to the sink. The heat removal capability of UHS should include not only the heat generated by the radioactive decay, but also the heat from system, structure C. TOTH et al.
and components which are required to remain operable such as spent fuel pool. This capability should be ensured for 7 days without off-site support in all plant states (it was required for 72 hours in EUR Rev. D). Similarly, plant independency from the off-site electrical power supply needs to be assured for 7 days (instead of 72 hours in EUR Rev. D). It is also required, that raw water reserves shall ensure for 30 days autonomy in case the UHS is provided by water reservoirs. Moreover, these autonomy objectives are also valid for the conditions following the occurrence of a rare and severe external hazard (RSEH) whereas it was not specifically required in Rev D (cf. Sec. 4.2.). 1.1.5. Extension of the scope of the external hazards to be considered
Although, the avoidance of the “cliff edge effect” was a definite design objective in the EUR Rev. D when the possible design basis hazards were considered too little help was provided to the designer about how it should be taken into account. In order to implement the lessons learnt from Fukushima Daiichi accident in this aspect two levels of severity were defined for the relevant external hazards: the design basis external hazard (DBEH) and the rare and severe external hazard (RSEH). Specific requirements were formulated then in the EUR Rev. E about how to take this into account in the Design in terms of meeting autonomy objectives, provision of environmental categorization, safety analysis rules, acceptance criteria, to name just a few. Moreover, as an addition to the EUR Standard Design DBEH values and RSEH magnitudes were also defined for a “typical” European site. The determination of this RSEH set of values is based on statistical analysis of the country specific values provided by the member states. See some examples below: Seismic design level value for RSEH (peak horizontal ground acceleration) is 1.5*DBEH, where PGADBEH = 0.25 g; Tornado value for DBEH is 65 m/s, for RSEH it is 84 m/s; Cooling (sea)water temperature for DBEH: - 0.5˚C to + 30˚C, for RSEH: - 0.5˚C to + 32˚C. Specific attention was also paid to the hazard analysis of multiple unit sites. It is now required to take into account that external hazards would probably affect several or even all units on the site simultaneously. 1.1.6. Spent fuel pool cooling
The Fukushima Daiichi accident highlighted the need of robust design of spent fuel pools (SFP) also. This implies that single initiating events, multiple failure events, and internal hazards as well as external hazards should be properly addressed. In particular, the structural integrity of the spent fuel pool needs to be ensured with adequate margin in case of external hazards. Several improvements have been carried out concerning the SFP cooling taking the international recommendations into account. It is prescribed, that during the identification of Complex sequences failures of SFP systems and system components need to be considered. As the spent fuel could be a potential contributor to early and large releases, the safety level of SFP design increased from two points of view. On the one hand, the uncovering of fuel assemblies needs to be practically eliminated. On the other hand, failure of containment integrity following the failure of fuel in spent fuel pool also needs to be practically eliminated.
5 IAEA-CN-251
5. RENEWED SAFETY CLASSIFICATION The aim of the revision of the Safety Classification section of Chapter 2.1 EUR Rev. D was to give a comprehensive and systematic approach to safety classification and environmental categorization of SSCs, which is also harmonized with the IAEA Specific Safety Guide No. SSG30 [5], and reflects related Fukushima lessons learnt. In addition, it specifies basic engineering rules proportionate to the safety classification of SSCs. It is supposed that the Designer will apply the recommended methodology otherwise it shall demonstrate the equivalency of its safety classification system. The formerly used safety function categorization was redefined using the introduction of four factors for safety significance analysis. As a consequence of this new approach direct link between safety function categories and safety classes of the SSCs performing them could be established (three safety classes are defined whereas there were only two in EUR Rev. D). The timescale within which the safety function is required to perform is shown in the Fig. 1. below. Introducing a new threshold value - 7 days after which non-categorized functions can be credited - strengthens the robustness of the plant design and meets more demanding autonomy objectives as well (cf. Sec. 4.1.).
FIG. 1. Timescale of safety functions (a) Cat.2 functions can be credited if it is demonstrated that the consequences of their failure are of “medium severity”; (b) Cat.3 functions can be credited if it is demonstrated that the consequences of their failure are of “medium severity”; (c) Cat.2 if the function is designed to provide a backup of a Cat.1 function; Cat.3 if the function is designed to provide a backup of a Cat.2 function.
Notion of design provisions was also introduced which simplifies the safety classification of those SSCs which are designed for use in normal operation and on the reliability of which plant safety is highly dependent. For the safety classification of design provisions categorization of their function is not required, safety class can be determined on the basis of the consequences of their failure. According to the new revision the safety classification, which is based primarily on deterministic methods can be refined further by in depth functional analysis based on engineering judgement and also probabilistic methods for verification. It is worth to note, that probabilistic safety analysis (PSA) has been updated based on IAEA SSG 3 and 4. Important value is added in subsection of the environmental categorization. The recommended approach gives flexibility to the Designer to define those hazards which are relevant to the given site and elaborate specific environmental categorization for each significant hazard. Also, the recommended approach facilitates integrated application of C. TOTH et al.
safety classification and environmental categorization. Environmental condition resistance levels were introduced enabling the Designer to take into account the role of SSCs during and after a hazard and events leading to DBC2-4 and DEC. Differentiated engineering rules apply to SSCs credited for DBC2-4, complex sequences and design basis hazards, to SSCs credited for severe accidents and RSEH. Also, distinction is suggested when applicable requirements are defined for SSCs that must remain functionally operable, must not operate spuriously and for those which must retain its pressure boundary function and/or leaktightness. 6. OTHER SPECIFIC TEXT IMPROVEMENTS 1.1. Physical protection
The Security requirements in EUR Rev. E are mostly summarized in two chapters regarding general considerations, including intentional aircraft crash issues and plant layout arrangements issues, respectively. The new and updated requirements are primarily based on the recommendations of IAEA-NSS-13 (INFCIRC Rev. 5) [13] and WENRA Report on Safety of new NPP design, Position 7: Intentional crash of commercial airplane [8]. Although the requirements on the security of NPPs are primarily in the responsibility scope of national regulators (definition of Design basis thread) and provided by Security forces of States (Secret services), EUR Rev. E provides some requirements on categorization of Nuclear material (Category I, II and III) and Nuclear facilities and on the distribution of Nuclear facilities into Limited access area, Protected Area, Inner area and Vital areas according to the categories of nuclear material or attractiveness of sabotaging nuclear facilities. The physical protection of the plant relays on three fundamental functions (detection, delay, response). Each function uses DiD principle and applies a graded approach. The other currently important issue EUR Rev. E dealt with extensively is the intentional crash of commercial airplane. 1.1.7. Interconnection between chapters
There are many connection points and overlapping topics between chapters which cannot be perfectly separated. Nuclear safety aspects are important in every stage of the design so necessary to demonstrate it in several chapters. Chapters impacted by the requirements of chapter 2.1 were chapter 2.2 (fuel requirements from SSR 2/1), chapter 2.4 (specific hazards requirements), chapter 2.7 (components specific requirements from SSR 2/1), chapter 2.8 (SFP, emergency power supply) and so on. Also the formal and linguistic properties of the document needed to be in accordance with each other. While the TCG carried out the synchronisation of the technical issues, the AG done the latter. A section called Design of Specific Systems was established to present safety requirements for specific systems very important in terms of nuclear safety. This way, safety requirements for these systems can be found together in one place making the requirement system more transparent and design works less difficult. These sections contain many citations pointing to other chapters, where the other requirement concerning the given system is described. The section prescribes requirement for a wide variety of systems from the reactor core and safety systems through I&C systems to electrical and radioactive waste treatment systems. Furthermore this section together with the other connecting chapters have been revised to be fully in line with ENSTO-E Grid Code and IEC Standards such as 61513, 60880, 62138, 61226.
7 IAEA-CN-251
7. CONCLUSION EUR Rev. D has undergone a major revision, and a new version of EUR requirements named EUR Revision E is under publication. The new version is intended to be up to date, therefore new versions of IAEA documents at their early draft stages were also considered. To include the lessons learned from Fukushima Daichii accident was particularly emphasized. The latter induced major changes in plant autonomy. Nevertheless, the Safety Classification concept was deeply investigated and harmonized with IAEA-SSG-30. The Defence in Depth concept has also been revised according to IAEA-TECDOC-1791 and the WENRA report [8], where the nature of events, designing rules and radiological consequences have been taken into consideration. The grandiose work was planned carefully aiming both at considering the opinion of each participant and at improving the content of Revision D without the loss of any safety related aspect. The state of the art nuclear technologies were taken into account during the formulation of the requirement but keeping in mind the feasibility from the economic point of view. Revision E is expected to be a valuable standard for new NPP designers with the highest possible level of nuclear safety.
REFERENCES
[1] IAEA, Fundamental Safety Principles, SF-1, Vienna, 2006. [2] IAEA, Safety Assessment for Facilities and Activities, GSR Part 4 (Rev. 1), IAEA, Vienna, 2016. [3] IAEA, Safety of Nuclear Power Plants: Design, SSR 2/1 Rev. 1, Vienna, 2016. [4] IAEA, Deterministic Safety Analysis for Nuclear Power Plants, SSG 2 Rev.1 (Step 8a),Vienna, under preparation [5] IAEA, Safety Classification of Structures, Systems and Components in NPP, SSG-30, Vienna, 2014. [6] IAEA, Considerations on the Application of the IAEA Safety Requirements for the Design of NPP, IAEA-TECDOC- 1791, Vienna, 2016. [7] IAEA, Safety related terms for advanced nuclear plants, IAEA-TECDOC-626, Vienna, 1991. [8] WENRA RHWG, Safety of new NPP designs, Report, 2013. [9] WENRA, Safety Reference Levels for Existing Reactors, (updated in relations to lessons learned from TEPCO FUKUSHIMA DAI-ICHI accident), 2014 [10] EUR, European Utility Requirements for LWR NPP, Rev. D, 2012. [11] EUR, European Utility Requirements for LWR NPP, Rev. C, 2007. [12] IAEA, Basic Safety Principles for Nuclear Power Plants 75-INSAG-3 Rev. 1, INSAG-12, Vienna, 1999. [13] IAEA, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities, NSS No. 13, (INFCIRC/225/Revision 5), Vienna, 2011. [14] EURATOM, Council Directive 2014/87/Euratom, 2014. [15] EURATOM, Council Directive 2013/59/Euratom, 2013.