XA0102762 ~O?J|

INTERNATIONAL ATOMIC ENERGY AGENCY

Topical Issues in Nuclear Safety

Vienna, 3-6 September 2001

IAEA-CN-82 PLEASE BE AWARE THAT ALL OF THE MISSING PAGES IN THIS DOCUMENT WERE ORIGINALLY BLANK NOTE

The International Atomic Energy Agency is organizing an International Conference on Topical Issues in Nuclear Safety, to be held in Vienna, Austria, from 3 to 6 September 2001.

This book contains concise contributed papers submitted on issues falling within the thematic scope of the Conference which were accepted by the Conference Programme Committee for consideration at the Conference. The material compiled in this book has not been edited by the editorial staff of the IAEA. However, certain modifications were made: a unified format was adopted for all papers and corrections were made in the text where required. It is intended that, after the Conference, the contents of this book will be published in the form of a CD ROM as part of the proceedings of the Conference. Authors wishing to make slight modifications or corrections to their paper are encouraged to contact the Conference Secretariat.

The views expressed in the papers are the responsibility of the named authors. These views are not necessarily those of the Governments of Member States. Neither the IAEA nor Member States assume any responsibility for consequences which may arise from the use of information contained in this book. CONTENTS

Topical Issue 1: Risk-informed decision making

Regulatory approach to risk informed decision making in India (IAEA-CN-82/17) S.K. Chande, J. Koley 3 Risk concepts in UK nuclear safety decision-making (IAEA-CN-82/18) P.W.M. Brighton 8 Risk informed decision making for the allowed outage times changes (IAEA-CN-82/25) Z. Kovdcs, P. Cigdnik, P. Hlavdc. 15 The use of the decision theory and probabilistic analysis in the NPP licensing decision process (IAEA-CN-82/28) D. Serbanescu 19 Experiences and future plan for risk-informed decision making in Korea (IAEA-CN-82/29) D.W. Chung, Y.H.Ryu 26 Risk informed decisions and regulations — STUK's policy and current practice (IAEA-CN-82/33) A. Julin, I. Niemeld, R. Virolainen 32 Using probabilistic safety assessment for making decisions on improving the safety of in-service and newly developed nuclear power stations with WWER reactors (IAEA-CN-82/46) Y.V. Shvyryaev 39 Impediments for the application of risk-informed decision making in nuclear safety (IAEA-CN-82/49) L. Hahn 44 A framework of risk-informed seismic safety evaluation of nuclear power plants in (IAEA-CN-82/58) S. Kondo, M. Sakagami, M. Hirano, M. Shiba 48 The use of PSA in the Dukovany NPP as a support tool for risk-informed decision making (IAEA-CN-82/60) A. Veleba 52 Risk-informed decision making during Bohunice NPP safety upgrading (IAEA-CN-82/63) M. Lipdr, E. Muzikovd, J. Kubdnyi 58 Structuring a risk-informed and performance-based process for optimization of regulation for Laguna Verde NPP (IAEA-CN-82/65) A. Rodriguez-Hernandez 65

Topical Issues 2: Influence of external factors on safety

The Brazilian experience in licensing Angra 2, a 'delayed' nuclear power plant (IAEA-CN-82/03) C. Almeida 75 Nuclear and radiation safety in Kazakhstan (IAEA-CN-82/08) A.A. Kim 80 Nuclear installations in Belarus: Implications of political and technical issues (IAEA-CN-82/10) S.I.Zaitsev 86 Deliberations on nuclear safety regulatory system in a changing industrial environment (IAEA-CN-82/32) H.J.Kim 89 Regulatory concern about economic deregulation in (IAEA-CN-82/34) R. Virolainen, P. Koutaniemi 95 A way of Dukovany NPP to privatization and liberalized market (IAEA-CN-82/36) I.Kouklik 98 The nuclear safety regulation in Japan and the response to changes of circumstances surrounding the nuclear electricity generation (IAEA-CN-82/37) K. Hombu, M. Hirota, T. Taniguchi, N. Tanaka, S. Akimoto 103 Assessment of the effectiveness of the Hungarian nuclear safety regulatory authority by international expert teams (IAEA-CN-82/41) L. Voross, F. Lordnd 107 The UK nuclear regulator's view of external influences on safety (IAEA-CN-82/55) J.L. Summers 113 Requalification of the steam supply systems of Units 3 and 4 of the Kozloduy NPP to a new model WWER-440/B-209M (IAEA-CN-82/57) /. Iordanov, S. Sabinov, V. Ourutchev, M. Stoev 119

Topical Issue 3: Safety of fuel cycle facilities

Success in behaviour-based safety at Los Alamos National Laboratory's plutonium facility (IAEA-CN-82/12) R.E. Wieneke, J.J. Balkey, J.F. Kleinsteuber 125 Criticality accident studies and research performed in the Valduc criticality laboratory, (IAEA-CN-82/26) F. Barbry, P. Fouillaud 134 Recent development in safety regulation of nuclear fuel cycle activities (IAEA-CN-82/38) S.Kato 141 Prospects for safe management of spent nuclear fuel of research reactors (IAEA-CN-82/42) N.S. Yanovskaya, T.F. Makarchuk, V.N. Ershov, N.B. Zaitsev 147 Criticality Studies: One of the two pillars of criticality safety at the Belgonucleaire MOX plant (IAEA-CN-82/44) B. Lance, T. Maldague, G. Renard, P. Kockerols 153 Regulation of fuel cycle facilities in the UK (IAEA-CN-82/54) W.W. Ascroft-Hutton 159

Topical Issue 4: Safety of research reactors

Safety of Ghana (GHARR-1) (IAEA-CN-82/05) J.H. Amuasi, C. Schandorf, J. Yeboah 167 Safety of assessment of various operation modes (IAEA-CN-82/06) M. Pesic, I. Plecas, R. Pavlovic 171 Experience in the implementation of quality assurance programme and safety culture assessment of research reactor operation & maintenance (IAEA-CN-82/14) Syarip, K. Suryopratomo 177 Safety enhancement in CIRUS through ageing management and refurbishing (IAEA-CN-82/16) S.K.Sharma 184 Safety status of Russian research reactors (IAEA-CN-82/19) S.I.Morozov 190 Safety challenges encountered during the operating life of the almost 40 year old research reactor BR2 (IAEA-CN-82/27) E. Koonen, F. Joppen, P. Gubel 196 Strengthening operational safety of the 3MW TRIGA MK-II research reactor of Atomic Energy Commission through modification and upgrade of its water system (IAEA-CN-82/35) MM. Haque, M.A. Zulquarnain, MA. Salam 200 French safety authority projects in the field of research and test reactors (IAEA-CN-82/43) P. Saint Raymond, M. Duthe, H. Abou Yehia 207 Safety operation of training reactor VR-1 (IAEA-CN-82/45) K.Matejka 212 Experiences in controlling the upgrading of TRIGA 200 Bandung reactor (IAEA-CN-82/56) K. Huda, Y.W. Wibowo, M.S. Suprawhardana 219 Ageing of research reactors (IAEA-CN-82/61) M. Ciocanescu 225 Emergency planning and preparedness of the Dalat Nuclear Research Institute (IAEA-CN-82/66) B.V.Luong 230 Safety of research reactors - A regulator's perspective (IAEA-CN-82/67) M.S.Rahman 237

Topical Issue 5: Safety of performance indicators

Performance indicators at Embalse NPP: PSA & safety system indicators based on PSA models (IAEA-CN-82/09) D.A. Fornero 245 Development and use of safety indicators at STUK (IAEA-CN-82/20) P. Tiippana 253 Improvement programme of safety performance indicators (SPIs) in Korea S.Y.Lee. 260 Estimations of actual availability (IAEA-CN-82/23) M.Molan, G.Molan 266 Development of safety performance indicators in Japan (IAEA-CN-82/39) H. Ohashi, S. Tamao, J. Tanaka, T. Sawayama 272 Operational safety performance indicator system at the Dukovany Nuclear Power Plant - Experience with indicator aggregation (IAEA-CN-82/59) J.Mandula 279 Safety assessment, safety performance indicators at the PAKS Nuclear Power Plant (IAEA-CN-82/62) C. Baji, G. Vdmos, J. Toth 284 The establishment and implementation of safety culture policy in (IAEA-CN-82/64) A.R. Antariksawan, Suharano, B. Arbie 291 TOPICAL ISSUE 1:

RISK-INFORMED DECISION MAKING XA0102763

IAEA-CN-82/17

REGULATORY APPROACH TO RISK INFORMED DECISION MAKING IN INDIA

CHANDE, S. K., KOLEY, J. Atomic Energy Regulatory Board Niyamak Bhavan Anushakti Nagar Mumbai 400 094, India Fax: 0091-22-5552879 Email: [email protected]

Abstract

Atomic Energy Regulatory Board (AERB), the authority for licensing and monitoring safety in Indian Nuclear Power Plants (NPPs), makes use of insights gained from PSA together with the results of the other deterministic analyses in taking decisions regarding the acceptability of the safety of the NPPs. PSA provides an estimation of risks; it also gives information on a balanced design by revealing interaction between engineered features and weak areas in a design. For regulatory use, PSA needs to be carried out using standardized methodology and state of the art technology. PSA helps regulators in taking faster and consistent decisions. Keeping in mind the limitations associated with PSA study, AERB has decided to adopt risk-informed decision making in regulatory licensing process.

This paper describes the AERB policy regarding PSA and gives overview of the experience in this area.

1. INTRODUCTION

1.1. Licensing process The licensing process of Indian Nuclear Power Plants is based on deterministic regulatory requirements where the intent is to ensure safety with multiple layers of defense in-depth. Design basis accidents are defined and engineered safety features are incorporated into the design to respond to these accidents;. The safety analysis must then prove the adequacy of safety systems to meet their objective and ensure safety of plant, personnel and environment.

1.2. Deterministic analysis The classical and deterministic safety analysis submitted by the utilities to support license applications cover various areas like reactor physics, fuel design and thermal hydraulics to assess the adequacy of engineered safety systems including reactor shutdown system, containment systems, etc. and safety support systems.

As per AERB Safety Guide D5 [1], all accidents can be broadly classified into two categories: (a) Design basis accidents, which are deterministically analysed to define limiting conditions for operations, limiting safety system settings and safety limits. (b) Beyond design basis accidents, which are analysed using best estimate methods and taking credit for realistic response of systems and operators.

The regulator)^ review of license application ensures that design basis accidents are analysed conservatively and engineered features are able to cope with them. Some identified beyond design basis accidents are also analysed to show that they do not result in unacceptable: risks to the public. 1.3. Probabilistic safety analysis (PSA) The PSA study includes analysis of all potential accidents and confirms the effectiveness of the engineered safety provisions. With the help of state of the art technology, reactor safety studies are being done in an integrated way. PSA systematically integrates information on plant design, phenomenology of accidents, operating practices and history, hardware and human reliability, and health and environmental effects in case of radioactive release. It generates a variety of quantitative information on the events and failures associated with various consequences such as core melt and release of radioactivity.

Although the use of best estimate method is always claimed in PSA study, limitations still exist in a number of areas such as, failure database, knowledge of different modes of core damage phenomenon, failure dependencies, human performances, external events and equipment behaviour under accidents. Therefore, a decision-maker has to understand all significant strengths and limitations to make more effective use of all available analyses, including the information obtained from deterministic and probabilistic evaluation.

2. THE PRESENT REGULATORY POLICY REGARDING PSA The present policy of AERB is to integrate the PSA based study results into regulatory decision- making in an evolutionary and progressive manner. AERB encourages utilities to supplement all license applications with PSA studies as a desirable practice. The results of PSA studies in their present form are used only as complementary tool for risk informed regulatory decision-making.

While making the regulatory policy on PSA, AERB has taken cognizance of the present developmental work of PSA in India, present state of the art of the technology and availability of plant specific failure data. The inherent limitations of database and modelling accuracy particularly in respect of human reliability, common cause failure & uncertainty analysis are considered while binding PSA results into risk informed decision-making process.

AERB's current view on PSA is as follows: - (a) PSA results should be increasingly used in regulatory matters. (b) PSA results supported by the present state of the art and plant specific failure data together with generic database can only be used as complementary tool to current regulatory practice. (c) PSA and associated sensitivity studies and importance measures should be used extensively during designing of new NPPs to get a balanced design. (d) PSA based studies with appropriate consideration of uncertainties should be used during regulatory decision in the context of plant modification, back-fitting of new requirements and resolution of safety significant issues.

Benefit of PSA study comes from getting an understanding of safety status in terms of relative importance of contributors to core damage frequency and in making comparative assessment, rather than in deriving bottom-line absolute numbers for risk/core damage frequency, to be checked against formal numerical goals. AERB only desires that plant should meet some targets as a good practice and not as mandatory requirements.

AERB has decided to enforce in a phased manner, submittal of PSA report and reliability study results (Level-1) along with all new license applications. The requirement also calls for utilities to develop plant specific failure database for components, common cause failures and human reliability within a fixed time frame.

Submissions of PSA level-1 study with only internal events have been considered by AERB during licensing of Kaiga Generating Station. For other new projects such as Tarapur 3&4 and Prototype Fast Breeder Reactor, PSA studies have been insisted and are in progress. PSA level-1 studies with external events like fire & flood will be considered for regulatory purpose in near future. On trial basis Level-1 study with external events is under progress for Madras Atomic Power Station and is likely to be completed by year-end.

It is also proposed to use PSA in the areas like configuration management, technical specification optimization v/ith regard to Allowed Outage Times (AOT) and Surveillance Test Intervals (STI) of components, risk based inspections and maintenance. Ageing management of components, accident management plan and improving operator's training with risk inputs from PSA based studies are also being encouraged. A comprehensive review of India's most vintage BWR plant Tarapur 1&2 has been taken up by AERB as a pa.rt of its programme for improving safety status of older plants. Level-1 PSA for this plant is in the last phase of completion. Findings of this study will be used extensively for this review and subsequent design up-gradation.

In risk informed decision-making process, the regulatory decisions are taken mainly based on deterministic regulatory requirements and other regulatory inputs (e.g. Experience feed back, Inspection results, Performance review, etc.), supported with the findings from PSA study results. In Indian scenario this risk informed decision-making process is being adopted initially to build confidence and increase experience on regulatory decisions using PSA results.

Presently only a few PSA studies are carried out and availability of plant specific failure data is also limited. Consequently, adequate confidence to base decisions on these studies is yet to develop. With directions from regulatory body, the utility has agreed to carry out comprehensive PSA studies for all plants with plant specific failure data in a phased manner. This will help in comparative decision- making. With time, the experience of PSA analysts will increase which will improve the quality of PSA. The expertise and knowledge base of regulators will also increase in this process.

In risk informed decision-making, interpretation of findings of deterministic analysis and judgment of regulators and experts govern the decisions. With the availability of quality PSA report and experience in risk informed decision-making, the regulatory decision-making could be transformed to Risk-based one.

3. LEGAL BASIS FOR RISK BASED DECISION MAKING

At present there are no regulatory stipulations regarding PSA. However, it is considered to be a tool to evolve a balanced design to ensure that no single accident sequence is likely to dominate the total risk. Within the present framework, regulatory guidance is given in AERB Safety Guide D10 [2] regarding plant failures and reliability analysis of engineered safety features. Guidance on Containment failure analysis is provided through AERB Safety Guide D21 and D22 [3,4]. Safety Guide G-l [5] prescribes the methodology for the regulatory body to assess the PSA reports submitted by utilities.

Full scale PSA based on standardized PSA methodology is necessary for use in regulatory decision- making process. AERB has proposed a format for submission of any PSA report for regulatory review.

AERB is also in the process of setting up probability safety goals in almost all applications areas of PSA. Before using PSA study results for risk informed regulatory decision-making, they will undergo detailed regulatory review in accordance with checklist prescribed by AERB.

4. PRESENT STATUS AND EXPERIENCE The importance of PSA in design and operation is already recognized and PSA level-1 study has been carried out in three of the Indian PHWRs. In Kakrapar Atomic Power Station (KAPS), level-1 studies are in advance stages of completion. Some of the PSA reports have been submitted to AERB for assessment. Regulatory evaluations of these PSA results are already in progress. Highlights of such PSA studies are given below. 4.1.Narora Atomic Power Project (NAPP) A PSA study of NAPP was carried out during 1989 to perform design evaluation to improve safety and reliability. The failure rate data from the established sources was used. Bayesian techniques have been used to obtain better estimation in view of the availability of limited information based on experience from Rajasthan Atomic Power Station.

Some design modifications carried out as a result of the analysis are: - (a) Reliability improvement in the design of interlocks and D2O condensate lines in Reactor Building (RB) isolation system to effectively isolate RB in an accident condition. (b) Comparative evaluation of alternate designs for secondary shutdown system to obtain optimum configuration. (c) Provision of isolating valves in the interface of moderator circulation system with liquid poison addition systems to reduce the probability of loss of moderator. (d) Addition of a third Diesel Generator in each unit to reduce the unavailability of emergency power supply by a factor of three. This was done since Station Black Out (SBO) related events are major contributors to Core Damage Frequency (CDF).

4.2.Kaiga Generating Station (KGS) During 1996, the PSA Level-1 study of KGS was carried out as a part of design assessment. Even for this study, failure data based upon the operational experience was found inadequate and hence, component failure data from the established sources was used.

It was observed that accident sequences initiated by failures of Class-IV power supply are highly significant due to high frequency of this initiating event (2/yr). The Fire Fighting System (FFS) was found capable of handling the situations following a station black out. However, there is a need for operator action in FFS. Since human error in FFS was found to be a significant contributor to CDF, well-written operating procedures and improved training were suggested.

4.3. Madras Atomic Power Station (MAPS) PSA Level 1 study of an operating plant was first taken up in 1998. The main feature of this PSA study of MAPS Unit-1 is the use of plant specific data. Human cognitive reliability co-relation method (IAEA TECDOC 591) has been used to determine the human error probability. Common cause failure based on plant specific data has been taken into account. Pipe line failures and cable failures have also been considered based on plant specific data.

The accident sequence, involving medium LOCA followed by failure of ECCS has the highest contribution to the CDF. The importance of ECCS is evident from this analysis with respect to availability. The PSA study suggests the following changes in ECCS, which can reduce the CDF significantly: (a) Introduction of high-pressure ECCS to cater to medium LOCA. (b) Provision for redundancy in the design of ECCS, since single component failures directly lead to the total unavailability in some cases.

4.4. Shutdown risk assessment in MAPS Both the operational feed back from NPPs and the PSA studies indicate that the risk associated with shutdown and low power operations can be significant. Keeping this in mind, an overall risk assessment under Shutdown State is done for MAPS. Based on the presently available data, the overall CDF is estimated to be of the order of 10'5/yr during shutdown state, assuming that the reactor will be in that state for 30% of the time.

5. CONCLUSION In AERB's current policy, the insights gained from PSA are considered together with those from other analyses in decision-making regarding the acceptability of the safety of the NPPs. PSA provides an estimation of risks; it also gives information on a balanced design by revealing interaction between engineered features and weak areas in a design. If PSA is carried out using standardized methodology and the state of the art technology, it can help regulators in taking faster and consistent decisions. Keeping in mind the limitations associated with PSA study AERB has adopted risk-informed decision making in regulatory licensing process. This can be improved to risk based decision-making in a phased manner.

References:

[1] ATOMIC ENERGY REGULATORY BOARD, Design Basis Events Safety Guide No.AERB/SG/D-5, (2000). [2] ATOMIC ENERGY REGULATORY BOARD, Safety Critical Systems Safety Guide No.AERB/SG/D-10, Draft (2000). [3] ATOMIC ENERGY REGULATORY BOARD, Containment Systems Design Safety Guide No.AERB/SG/D-21, (2001). [4] ATOMIC ENERGY REGULATORY BOARD, Vapour Suppression System Safety Guide No.AEEJB/SG/D-22, (2000). [5] ATOMIC ENERGY REGULATORY BOARD, Consenting Process for NPPs & Research Reactors: Documents Submission, Regulatory Review and Assessment of Consent Application Safety Guide No.AERB/SG/G-1, Draft (2001). XAO102764 IAEA-CN-82/18

RISK CONCEPTS IN UK NUCLEAR SAFETY DECISION-MAKING

BRIGHTON, P. W. M. Nuclear Installations Inspectorate, Health & Safety Executive Bootle, Merseyside L20 3LZ, UK Fax: +441519513492; Email: [email protected]

Abstract

This paper discusses the concept of risk as understood in the UK, with particular reference to the use of probabilistic safety assessment (PSA) in nuclear safety decision making. The way 'risk' appears in UK fundamental legislation means that the concept cannot be limited to evaluation of numerical probabilities of physical harm. Rather the focus is on doing all that is reasonably practicable to reduce risks: this entails applying relevant good practice and then seeking further safety measures until the money, time and trouble required are grossly disproportionate to the residual risk. PSA is used to inform rather than dictate such decisions.

This approach is reinforced by considering how far any practical PSA can be said to measure risk. The behaviour of complex socio-technical systems such as nuclear power stations does not meet the conditions under which probability theory can be applied in an absolutely objective statistical sense. Risk is not an intrinsic real property of such systems. Rather PSA is a synthesis of data and subjective expert judgements, dependent on the extent of detailed knowledge of the plant. There are many other aspects of engineering judgement involved in safety decisions which cannot be so captured.

1. INTRODUCTION Risk-informed decision-making is not a new concept in UK nuclear safety regulation. Since 1974, the fundamental law implemented in the nuclear licensing regime has been the Health and Safety at Work (HSW) Act. Section 3 of this Act requires operators to ensure that the public is not "exposed to risks to their health and safety ... so far as is reasonably practicable" (SFAIRP). Under the UK legal system it is ultimately for the courts to rule on the interpretation of these terms. The health and safety of workers is also covered in the Act.

This paper starts with a review of how the Health & Safety Executive (HSE), as the main body responsible for enforcing this law, has developed a range of guidance on its interpretation for industrial major hazards generally and for nuclear safety in particular. The paper then describes how PSA has been used in the periodic safety reviews to assess risk for the older UK power reactors. On the basis of this experience, the paper identifies a number of limitations of PSA as the sole measure of 'risk' (see §5). This reinforces the view in the guidance that a broader definition is needed of this concept in the UK context. The implications for radioactive waste management are briefly discussed, before the final conclusions.

2. DEVELOPMENT OF UK GUIDANCE ON NUCLEAR RISK REGULATION Accounts of health and safety legislation in the UK usually start with the ruling of the judge in a case in 1949 concerning the death of a coal miner when a tunnel collapsed. This ruling stated that the term "reasonably practicable" in safety legislation meant that [1]:

a computation must be made in which the quantum of risk is placed in one scale and the sacrifice, whether in money, time or trouble, involved in the measures necessary to avert the risk is placed on the other; and that, if it be shown that there is a gross disproportion between them, the risk being insignificant in relation to the sacrifice, the person upon whom the duty is laid discharges the burden of proving that compliance was not reasonably practicable. This was a long time before the development of PSA! This test remains the cornerstone of UK safety regulation including the nuclear licensing regime.

The proposals in the 1980s to introduce the pressurised water reactor (PWR) to the UK at Sizewell led to a public inquiry under planning legislation. This examined in depth the magnitude of the risks to the public, and how they were to be controlled as far as reasonably practicable by the design process. The inquiry report called for more clarity in what levels of risk were achieved, in applying the safety assessment principles (SAPs) developed several years previously by HM Nuclear Installations Inspectorate (Nil, a part of HSE); also the costs of potential safety improvements should be considered more explicitly in Nil's assessment. These recommendations led to issue of a discussion document on 'tolerability of risk' in 1988, generally referred to as 'TOR'. Following public: consultation, TOR was reissued [2] along with a revised version of the SAPs [3].

TOR [2] sets out a scheme in which there is a certain level of risk that is regarded as intolerable and unjustifiable in any ordinary circumstances. There is a lower level of risk below which risks are so low that the regulator need not ask operators to seek further improvement provided they are satisfied that these low risks will be attained in practice. This is termed the broadly acceptable level. Between these two levels a more detailed consideration of further measures to reduce risk is required using the test of 'reasonable practicability' outlined above. Risks are then said to be as low as reasonably practicable (ALARP). This approach is termed the 'ALARP principle'.

TOR [2] describes in detail the process of evaluating risk quantitatively as part of the design process for a new nuclear power plant. Both individual and societal risk is addressed. TOR includes several important qualifications relevant to risk-informed decision-making:

• judgement is an indispensable feature (para 53); • there is a rule of conservatism, and great attention is paid to the quality of the plant and its management (para 55); • it would be wrong to claim that the risk estimates are in any way preciise (para 114); • above all, the PSA process ensures a systematic examination of the design (para 121); • it would be wrong to take a risk figure of 1 in a million in a literal sense (para 134).

Ref [2] also considered the application of cost-benefit analysis (CBA) to informing judgement against the ALARP principle. CBA involves balancing the cost of a potential improvement against the overall societal detriment of a reactor accident expressed in monetary terms. In principle, the detriment consists of: a) the value of lives lost adjusted for aversion to multiple fatalities; b) the costs of coping with the emergency, the loss of productive land etc; and c) the costs, if they could be estimated, of shock and disruption to social and political life. However, TOR [2] noted that "we are far from having developed and agreed upon the accounting and valuing conventions that could enable us to perform such calculations".

The revised SAPs [3] specify the key steps of PSA. The concept of a tolerable limit is translated into a set of numerical basic safety limits (BSLs) for various risks, such as that of a large release. The lower basic safety objectives (BSOs) mark the point beyond which Nil assessors need not seek further measures to reduce numerical risk. However, the bulk of Ref [3] covers the qualitative engineering principles, applying to external and internal hazards, structural integrity, safety systems, containment, ventilation etc.

3. OTHER DEVELOPMENTS IN UK RISK REGULATION While the Sizewell B decision was being considered, interest in quantitative risk assessment (QRA) for other major industrial hazards was growing. QRA essentially means PSA in this context. Ref [4] presented a comparative study of 16 cases, including Sizewell B, chemical plants, gas pipelines and flood defences, illustrating the developing experience of how QRA can aid safety decisions. Because of the different nature of the hazards and uncertainties in each application, smd the various types of societal detriment, it was extremely difficult to reach conclusions about the relative riskiness of different industries. One could say more confidently that, in the cases where the decision had been to permit the activity, individual risk was below the maximum tolerable level suggested in [2]. Ref [4] identified 41 factors, many. qualitative, which contributed to the decisions. These fell into four categories: the hazard, risks and benefits; the nature of the risk assessment; broader factors important to the operators, government or regulators; and public attitudes to the activity and to the authorities. Ref [4] concluded that these factors neither could, nor should, be ranked or weighted.

In 1999, HSE issued a further discussion document [1], known colloquially as R2P2. The purpose of this was to explain how HSE was applying the risk management philosophy of [2] across the wide range of activities it regulates. R2P2 [1] specifically addresses the social and political factors affecting policy decisions such as the introduction of new regulations. However, given the high level of public interest and concern about nuclear matters, much of this is applicable to operational regulatory decision-making in this field.

R2P2 [1] gives the principles of good regulation as being: targetting of action on the most serious risks or where hazards are poorly controlled; consistency in similar circumstances; proportionality of action to the risks; transparency on how decisions are made and what their implications are; and accountability without unfair retribution when things go wrong. But the meaning of risk cannot be limited to the probability of physical harm. Ethical and social factors have to be taken into consideration. Moreover, there has been a significant court ruling in which 'risk' in the HSW Act has been interpreted as the possibility of danger, or what has usually been termed 'hazard' in the technical literature.

Ref [1] also discusses how the TOR concept can be applied where risk cannot be quantified, the relevance of good engineering practice to meeting the ALARP principle, the role of QRA or PSA, and the need for a precautionary approach to deal with uncertainty. None of this implies a fundamental change to the risk management approach which has been developed by Nil over many years and articulated in Refs [1] and [2]. The rest of this paper illustrates the implications of this approach for the use of PS A.

4. APPLICATION OF PSA TO UK POWER REACTORS PSA was used during the design of the Sizewell B PWR and of the last two advanced gas-cooled reactors (AGRs) at Heysham and Torness. The past decade has seen the progressive application of PSA to the UK Magnox and earlier AGRs. They are now all covered by a detailed and comprehensive analysis for internal plant faults, though there remain areas such as natural hazards and shutdown states where the extent to which PSA can usefully be applied has been an issue. This development has occurred under the aegis of the long term safety reviews for the Magnox reactors [5] and the periodic safety reviews for the AGRs (eg Ref [6]). It represents an application of 'modern standards' in safety analysis, as PSA has become a standard procedure in the nuclear power industry world wide. Qualitative assessment of human factors issues and human reliability analysis have been integral to these PSAs.

The prime function of these has been as an additional view to the deterministic safety case on the adequacy of the overall configuration of the safety systems. The process of detailed fault tree and event tree analysis teases out in a disciplined fashion the interactions between front-line systems and their support services, and the logic of the success criteria from the fault studies in finer detail than earlier safety case documents. It identifies residual weaknesses and helps achieve balance in the safety provisions. This in itself can help apply deterministic criteria more rigorously, eg in assessing against the single failure criterion. Incorporation of failure probabilities is needed for sorting and prioritising the enormous number of event combinations leading to failure, irrespective of any to attempt to quantify overall risk.

The quantitative criteria of the SAPs [3] have in practice proved effective in driving a reasonable number of improvements to plant which might not have been identified otherwise. Major

10 improvements, such as a tertiary source of feed to the boilers, are almost always required by a systematic application of deterministic principles. The PSAs and the human factors assessments have pinpointed many minor improvements, particularly in refinement of procedures and clarification of the role of the operator in fault scenarios [6]. Further details on the application of PSA in the UK are given inRef[7].

5. LIMITATIONS OF PSA AS A MEASURE OF RISK While R2P2 [1] has discussed the complexity of the concept of risk in the political and legal sphere, there is also much coverage of such issues in the technical literature. A special issue of the journal Reliability Engineering and System Safety has revealed a vigorous debate between technical, sociological and psychological viewpoints on risks from technological s)'stems. Okrent [8] put forward the arguments that a rational public policy striving to allocate resources efficiently and equitably for improving health and safety can only be based on quantitative evaluations of risks, detriments, costs and benefits. While much of the attack on this 'technocratic' approach revolves around how to take account of public perceptions of risk, Horlick- Jones [9] has; illustrated how the role of PSA is often questioned by practical engineers. He summarised evidence from the Sizewell B enquiry as follows:

[The design engineers] do not believe that risks can be accumulated into single numbers or that arty given safety investment necessarily reduces collective risk. They look at design parameters and their implications for operator error and accident sequences

This statement would be an apt comment on difficulties Nil has had with the conclusions of some of the gas-cooled reactor PSAs. In some cases, the PSA generated conclusions that seemed to conflict directly with engineering analyses carried out separately, even though against PSA assessment criteria it was adjudged a high-quality effort. The licensees have gone on to develop* alternative versions of their PSAs with widely varying numerical results depending on the way engineering and human factors knowledge and judgement is built in.

To a certain extent these problems can be attributed to the rather abstract formalism of fault tree analysis and the obscurity and complexity of the masses of output generated. There is a concern that application of probabilistic concepts can undermine established good practice. It may lead to cultural barriers, or internal political conflicts, with PSA being seen as the preserve of theorists making impracticable recommendations based on an inadequate understanding of how the plant really works. Improvements in software may enable such difficulties to be overcome by making PSA more accessible to plant engineers. Underlying these tensions, there is a more fundamental controversy. This is about the nature and use of probability theory itself. Throughout its history there has been a debate between those who would restrict application of the concept of probability to phenomena for which objective statistical information can be gathered, and the subjectivists who regard probability as the expression of a degree of belief.

The frequentist or objectivist approach of classical statistics is concerned with the properties of populations. Given a sufficient quantity of data, the characteristics of random samples from a large population can be predicted, within a quantifiable uncertainty. Fundamentally probability theory is about the relations between subsets of a population. Standard probability distributions may be used to describe a population and statistical tests are used to decide the goodness of fit. Such distributions may be purely empirical, eg the distribution of road accident fatalities according to age, or may come from theoretical considerations, such as the Poisson distribution for radioactive decay or the normal distribution in statistical mechanics.

On the other hand, the subjectivists (also sometimes called Bayesians) take a much more expansive view of the potential applications. Subjective probabilities may be based on statistical data if available, but in their absence the subj'ectivist is prepared to treat expert estimates of probability on an equal footing. The same abstract mathematical tools can applied in both views. There is an extensive

11 literature on how people, especially experts, make probability judgements [10]. This has led to procedures designed to detect and allow for biases and to promote a consensus amongst experts to make best use of available knowledge, eg Ref [11]. The fact remains that even with such safeguards the probability estimate may be an apt expression of the scientific community's view, but there is no guarantee that it is close to 'reality'. It is a statement about the beliefs of a population of experts, rather than about the physical world, in which the outcome may already be determined (eg a volcanic eruption).

In a paper frequently cited as the conceptual basis for reactor PSA, Kaplan and Garrick [12] acknowledged the subjectivity of probability describing a state of knowledge rather than any property of the real world; but they cite a view (attributed to ET Jaynes) that [probability] is completely objective in the sense that it is independent of the personality of the user; two beings faced with the same total background of knowledge must assign the same probabilities.

This seems unconvincing. It must be a fundamental epistemological flaw to put opinions, however expert, on the same footing as physical data. It also seems entirely contrary to common experience of human psychology. Practical engineering decisions are made in organisations of many individuals all having different knowledge and experience. Two similar professionals will make different probability judgements (if they think in those terms at all) because even if their knowledge of the problem in hand is the same they will have different experience and they will be influenced by personal and organisational attitudes.

The approach of Ref [12] demonstrates that the enterprise of PSA has to combine the frequentist and the subjectivist philosophies. To use PSA we must allow subjectivism. This viewpoint has also been strongly stated in the context of offshore QRA in Ref [13]. We cannot claim that the results of PSA or QRA for rare major accidents are on an equal footing with frequentist risk statements such as road death statistics. Subjectivism also arises from the very nature of complex socio-technical systems such as nuclear power plants. Each is an individual which does not behave as a random system. Most incidents are linked to organisational weaknesses and past decisions. Watson [14] has warned against regarding the risk as an inherent property of activities or systems which describes their propensity to accidents and which can be measured by PSA. Based on considerations similar to those above, he argues that risk is too complex a matter to be handled by a single all-embracing index: PSA should be seen as a tool for argument, eg between regulator and licensee (or between different departments within a licensee), rather than an objective representation of truth. In short there is no such thing as the 'real risk value'.

6. RADIOACTIVE WASTE The above philosophy is also illustrated by the UK approach to risks from radioactive waste management activities. There, have been a number of concerns regarding the use of PSA in addressing such risks. At a recent inquiry into UK radioactive waste management policy by a select committee of the House of Lords, the question was asked: how can a rational assessment of the risks associated with a long-term nuclear waste store or repository site be made, and how can one be sure that what is an acceptable risk now will remain so in the future? HSE's evidence in response was as follows:

HSE does not advocate relying solely on quantified risk assessment, particularly as this may be misused to justify poor practice when factors relating to good engineering practice in design or construction may be more meaningful. It is our view that probabilistic estimates, particularly with such low numbers, must always be treated with caution as there are inevitably high levels of uncertainties in both the data they are based upon and the calculational models which produce them. Safety cases must therefore be primarily based on other elements such as defence in depth and good engineering practice. Probabilistic or quantified risk assessment should only be one input in the overall case. The normal approach used for nuclear installations of robust engineering design, defence in depth and the use of deterministic conservative assessments of both normal operation and fault behaviour, with

12 probabilistic risk assessments to judge the significance of uncertainties, should be sufficient to ensure public protection both now and in the future.

(The full report of the select committee has been published [15]). This is in line with the approach in TOR [2], in which PSA can only be built on a foundation of high quality plant and management, and with R2P2 [1],, which similarly emphasises authoritative good practice as the expression of a consensus between operators, regulators, technical experts and others on what risk control measures are reasonably practicable.

7. CONCLUSIONS This paper has discussed the concept of risk in the context of UK legislation applicable to all industries, including nuclear. Numerical risk is just one of a large number of faictors that may be relevant to safety decisions, whether by the industry or by the regulator. QRA or PSA can aid and sometimes challenge engineering judgement. It should not be regarded as a scientific model for predicting risk as an objective physical attribute of a nuclear plant. It should not be the sole basis for judgement in safety decision-making. When it is conducted according to consistent and conservative procedures and conventions it can be used to make comparisons with appropriate risk limits and objectives as described in TOR [2].

Thus, UK nuclear regulation continues to be based on judgements on the application of basic nuclear safety principles and on the quality of engineering practice and management control, as well as on the use of PSA to estimate residual risk and assess the balance of design

Acknowledgements

This paper has benefitted from discussions with many colleagues in NSD and HSE over several years. However, the views expressed remain the author's and do not necessarily represent HSE policy.

References [I] HEALTH AND SAFETY EXECUTIVE, Reducing Risks, Protecting People, Discussion Document, HSE, London (1999), to be reissued in revised form in (2001). [2] HEALTH AND SAFETY EXECUTIVE, The Tolerability of Risk from Nuclear Power Stations, HMSO, London 61pp (1992). [3] HEALTH AND SAFETY EXECUTIVE, Safety Assessment Principles for Nuclear Plants, HMSO, London 46pp (1992). World Wide Web: http://www.hse.gov.uk/nsd/saps.htm [4] HEALTH AND SAFETY EXECUTIVE, Quantified Risk Assessment: its Input to Decision Making, HMSO, London 30pp (1989). [5] HEALTH AND SAFETY EXECUTIVE, Report by HM Nuclear Installations Inspectorate on the Results of Magnox Long Term Safety Reviews (LTSRs) and Periodic Safety Reviews, HSE, Bootle unpaginated (2000). World Wide Web: http://www.hse.gov.uk/ns;d/magnox.pdf [6] HEALTH AND SAFETY EXECUTIVE, Hinkley Point 'B' & Hunterston 'B' Nuclear Power Stations: the Findings of Nil's Assessment of Nuclear Electric's and Scottish Nuclear's Periodic Safety Reviews, HSE Books, Sudbury 29pp (1997). [7] PAPE, R.P., BRIGHTON, P. W.M., The contribution of PSA to nuclear safety, The Nucl. Eng. 39(1) 4-6 (1998). [8] OKRENT, D., Risk perception and risk management: on knowledge, resource allocation and equity, Rel. Eng. & Sys. Safety, 5917-25 (1998). [9] HORLICK-JONES, T., Meaning and contextualisation in risk assessment, Rel. Eng. & Sys. Safety, 59 79-89 (1998). [10] THORNE, M.C., WILLIAMS, M.M.R., A review of expert judgment techniques with reference to nuclear safety, Prog. Nucl. En. 27 83-254 (1992). II1] BUDNITZ, R. J., APOSTOLAKIS, G., Use of technical expert panels: applications to probabilistic seismic hazard analysis, Risk Anal.118 463-9 (1998).

13 [12] KAPLAN, S., GARRICK, B.J., On the quantitative definition of risk, Risk Anal. 1 11-27 (1981). [13] AVEN, T., PORN, K., Expressing and interpreting the results of quantitative risk analyses: review and discussion, Rel. Eng. & Sys. Safety 61 3-10 (1998). [14] WATSON, S.R., The meaning of probability in probabilistic safety analysis, Rel. Eng. & Sys. Safety 45 261-9 (1994). [15] HOUSE OF LORDS, Management of Nuclear Waste, 3rd Report of the Select Committee on Science and Technology, HL 41, HMSO, London (1999). World Wide Web: http://www.publications.parliament.uk/pa/ldl99899/ldselect/ldsctech/41/4101.htm

© Crown Copyright, 2001

14 XA0102765 IAEA-CN-82/25

RISK INFORMED DECISION MAKING FOR THE ALLOWED OUTAGE TIMES CHANGES

KOVACS, Z., CIGANIK, P., HLAVAC, P. RELKO Ltd, Engineering and Consulting Services Racianska 75, P.O.Box 95, 830 08 Bratislava, Slovak Republic Tel.: 00421 7 44460138; Fax: 00421 7 44460139, Email: [email protected]

Abstract

The paper describes the methods for risk informed evaluation of the allowed outage times. Applications of the methods are also provided for the safety related equipment of the J.Bohunice V2 NPP.

1. INTRODUCTION Substantial progress in the probabilistic risk analysis encourages greater use of this analysis technique to improve safety decision making. Support of decisions to modify individual plant technical specification (TS) is important activity in this area. The TS of the nuclear power plants operating all over the world were normally determined using traditional engineering analyses and no risk information was taken into consideration. At the present time, if TS changes are required, both the traditional engineering analyses as well as the risk informed approach are taken into consideration in the regulatory decisions.

Since the mid-1980s, the US NRC (US Nuclear Regulatory Commission) has been reviewing and granting improvements to TS based, at least in part, on risk insights. Typically, the improvements involved the extension or relaxation of one or more allowed outage times (AOT) or surveillance test intervals in TS. The AOT evaluations were performed using only the PSA (Probabilistic Safety Assessment) for full power operation. The risk associated with shutting the plant down because of AOT violations was not considered. The incremental conditional core damage probability (ICCDP) of less than 5.0E-7 was considered small for a single AOT change. This value is based upon the hypothetical situation where the subject equipment at a representative plant is; out of service for five hours, causing the core damage frequency (CDF) of the plant, with an assumed baseline CDF of 1.0E- 4/y, to conditionally increase to l.OE-3/y during the five hours period. This basis assumes that the majority of repairs can be made in five hours or less and that this level of risk is acceptable for the operating plants.

Comparison of the full power risk with the shutdown risk provides more precise approach for calculation of the AOTs. The plant should be shut down only in case, if the shutdown risk is smaller than the risk arising from the full power operation with the failed component. During the last years low power and shutdown analysis has come into the focus of nuclear safety considerations. Operational experience and shutdown probabilistic safety analysis have highlighted that the shutdown risk is significant and could contribute more than 50% to a total core damage frequency [3].

Methods comparing the full power and shutdown risk are used to justify the AOT changes for the regulatory authority in Slovak Republic. In addition to the full power PSA, also the shutdown PSA of the plant is required for this purpose. The advantage of the approach is that AOTs can be calculated not only for full power but also for the shutdown operating modes. The paper presents the methods and application for the safety related equipment of the J.Bohunice V2 NPP.

15 2. CALCULATION OF THE ALLOWED OUTAGE TIMES The AOT is the time the component is allowed to be out of service during power operation or shutdown operating mode of the plant. If the component is not restored during this time, the plant in operation must be shut down or the plant in a given shutdown mode has to go to safer shutdown mode. When deciding on the optimum strategy, the risk exposure for the current operating mode and the new operating mode should be compared. Such comparison can be made for all systems involved in the TS using the full power and shutdown PSA model.

2.1. Methods of calculation The risk in continued operation is compared with the shutdown risk. The AOT is calculated using the following formula: P' r'-r0 where, P'^ is the total shutdown risk including the cooling down and start-up of the reactor, for the level 1 PSA it is the core damage probability. r° is the baseline full power risk, r' is the full power risk with component / unavailable.

i P sd = Fsd.tsd/8760 where, tsd- the total time the plant spent in shutdown operating modes (h) FSd- the total shutdown core damage frequency (1/y).

Similar approach is used when the AOT for shutdown operating mode is optimised. The risk in operating mode/ is compared with the risk in operating modej+1.

2.2. Application of the methods The full power, level 1 PSA model and the low power and shutdown PSA model were harmonised and an integrated level 1 PSA model was developed for unit 3 of J. Bohunice V2 NPP. This integrated model is used for calculation of the full power and shutdown risk to determine the AOT [1]. The model developed in the RISK SPECTRUM PSA code was modified. Contribution from the test, planned and unplanned maintenance to system unavailability were removed and house events were installed to model the component or train outage.

The full power risk with and without failure of component i and the shutdown risk are calculated. The risk is given in the form of core damage frequency (CDF). Using the full power part of the integrated PSA model, first the CDF is calculated under the condition that all components are known to be available and no repair and maintenance is performed (r°). Then, the CDF is calculated under the condition that the component/ is failed (r'J.

The shutdown risk depends on the operating modes which must be achieved after manual reactor shutdown with failure of component i. The risk calculation during cooling down considers that component / is in failure state but during the start-up this component is considered to be repaired and available to perform safety function. The total shutdown risk is sum of the cooling down and start-up risk.

If the AOT is calculated for the shutdown operating mode, the full power risk is not taken into consideration. Given failure of component /, the TS directs the plant to go to higher operational mode. If a component fails in operating mode 3, then the plant goes to operating mode 4. If a component fails in operating mode 4, the plant goes to operating mode 5.

For illustration the calculation of AOTs for the high pressure safety injection system is presented below. The valid TS for the high pressure safety injection system is the following:

16 a. all three safety injection pumps are required to be operable. However one pump can be in maintenance or test for a maximum 72 h; b. at least 2 safety injection pumps are required to be operable. However one pump can be in maintenance for a maximum 24 h; c. at least one safety injection pump is required to be operable.

Limiting condition A is valid for operating mode 1,2,3. Limiting condition B is valid for operating mode 4. Limiting condition C is valid for operating mode 6. If the condition A is not met the plant must be shutdown to operating mode 4. If condition B is not met the plant mvist go to operating mode 5. If condition C is not met, it is not allowed for the plant to go to operating mode 4.

The AOT for limiting condition A is calculated using the formula from section 2.1:

r= 5.81E-77(1.06E-4 - 1.01E-4) = 0.1056 y = 739 h

It is assumed that the reactor is 7000 h per year on power operation. Only during this time period the high pressure safety injection pump can fail in operating mode 1. The proposed AOT for limiting condition A is 504 h, e.g. 21 days.

The AOT is proposed in such a way that the calculated value is modified to the value usually used in TS (for example: 8 h, 24 h, 3 days, 5 days, 14 days, 21. days, etc.). The proposed AOT is always the next shorter value to the calculated AOT. If the calculated AOT is longer as 7000 h, it is proposed to allow the unavailability of a train without limitation. The AOT for limiting condition B is calculated similarly like for full power operation:

T= 1.12E-77(2.70E-6- 1.58E-6) = 0.09940y = 175 h

It is assumed that the reactor 1760 h per year is shut down for refuelling. Only during this time period the high pressure safety injection pump can fail in operating mode 4. The proposed AOT for limiting condition B is 168 h, e.g. 7 days.

No calculation was performed for limiting condition C because there is no possibility for the plant to go from operating mode 5 to safer operating mode.

2.3. Risk-informed decision making for AOTs The regulatory guide [2] issued by NRC provides recommendations for utilizing risk information to evaluate changes to AOTs. In implementing risk-informed decision making,, the AOT changes are expected to meet a set of key principles. The principles are the following: 1. the proposed changes meet the current regulations; 2. the proposed changes are consistent with the defense-in-depth philosophy; 3. the proposed changes maintain sufficient safety margins; 4. when the proposed changes result in increase in core damage frequency, the increase should be small and consistent with the intent of the safety goal policy; 5. the impact of the proposed changes should be monitored using performance measurement strategies. The regulatory guide [2] provides guidance in meeting these principles.

3. CONCLUSIONS Using the risk based approach the AOTs were evaluated for all safety systems; of the plant. The main conclusion from the analysis is that the current deterministic AOTs are conservative and should be extended for the majority of the safety systems. The low power and shutdown risk analysis highlighted that the shutdown risk is significant. This risk was found in some cases up to 50% of the total core damage frequency [3]. The risk based extension of AOTs can prevent the plant to enter into the operating modes with increased risk.

17 References

[1] KOVACS, Z. et al.: Optimization of Allowed Outage Times and Test Intervals for Safety Related Components of V2 NPP, RELKO Report 2R0998, Bratislava (1999). [2] An Approach for Plant-specific, Risk Informed Decision Making: Technical Specifications, US NRC Regulatory Guide, DG1065 (1998). [3] A Compendium of Practices on Safety Improvements in Low-Power and Shutdown Operating Modes, Report NEA/CSNI/R(97)17, OECD Nuclear Energy Agency, (1998).

18 XAO102766 IAEA-CN-82/28

THE USE OF THE DECISION THEORY AND PROBABILISTIC ANALYSES IN THE NPP LICENSING DECISION PROCESS

SERBANESCU, D. National Commission for Nuclear Activities Control Bd. Libertatii 14 PO42-4, Bucharest 5, Fax: +4014111436; Email: [email protected]

Abstract

The licensing process is the place were the use of the decision theory and some specialized analyses, like for instance, the probabilistic analyses is increasing. However this use might be highly misleading if the impact of the actual errors and limitations in the analysis are not considered. The decision theory was actually used in this sense during an actual licensing process of the Cernavoda NPP unit 1 in order to support the decisions taken.

1. METHOD The licensing decision process is part of a hierarchical multilevel system, which is called nuclear safety[l, 2]. For this system goals are defined and criteria to be reached. One of the basic problems to be solved during the licensing process is to define with a desirable quantifiable error a conservative decision on the fact whether the safety goals and criteria are met by the nuclear power plant (NPP). Due to the fad: that the error and uncertainties of such a complex system are difficult to be defined, the evaluation of the degree of conservatism of the licensing decisions taken are usually variable in time. The main aspects inducing an apparent decrease of conservatism is in our opinion mostly related to the conservatism of the error evaluation of the differences between the goals to be met and the actual results on safety for various NPP applications and performances.

This degree of conservatism is mostly dependent on the knowledge during the: plant lifetime, which is reflected also in the safety evaluation method, too. Historically many methods were used during the NPP licensing process. Many times the initial design basis method and the initial licensing basis taken for a plant are subject to evolution and feedback from basic science methodology and the plant operation feedback. The Probabilistic Safety Analysis (PSA) is one example of such a method. It was initially very fast promoted because it is a special method: systemic, systematic and structured. It is a method adapted to the dynamic object, called nuclear safety system. However the basic problem for the use of this method in the licensing process was the evaluation of the error supposed by the decision based on its results. For these purposes a whole system was considered and it is not the intent of this paper to insist on it [3]. It is to be noted however that there are two big possible choices in using PSA results and hence the risk tools: one is the risk-informed regulation and the other one is the risk- based regulation.

Some basic early results and evaluation of the author [1, 2, 4] indicated on the fact that the method to be used would emphasize the decision theory tools as they are reflected in the PSA methodology and from this perspective the error and uncertainty evaluation play a basic role in defining the degree of conservatism of the decision.

The use of this approach in the actual licensing process of Cernavoda NPP Unit 1 and the definition of the licensing process for next units was based on this understanding and made; the connection between basic methodology aspects and real life. One very important advantage in this particular case was the possibility to have feedback from the whole process of safety definition: design, commissioning, early operation and also to use various methods in evaluating it. It was considered that the results of risk

19 analysis form part of the decision making process to evaluate safety margins and the areas of review of these results were related to: • define proposed change;' • conduct engineering evaluation; • develop implementation and monitoring strategies; • document evaluation and submit request.

A set of acceptance criteria was developed so that: • meet the regulation requirements; • be consistent with Defense in Depth concept, i.e. check that the following balance exists; • core damage prevention; • containment failure; • consequence mitigation; • maintain sufficient safety margin; • be consistent with safety goal policy; • monitor impact and assure feedback.

The main features of the use of probabilistic and risk analyses: • use them in an integrated (with the deterministic analyses) manner; • use appropriate methods; • perform independent review; • evaluate uncertainties, using feedback tiers; • use Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) to demonstrate consistency with safety goals; or • consider as safety goals quantitative doses on plant personnel and population as prior determined by other methods; • evaluate carefully the variations of CDF and LERF and the sensitivity/uncertainty calculation results; • evaluate the results in an integrated manner; • formalize the whole system of the adopted practice.

2. MAIN RESULTS The licensing decision process for Cernavoda NPP unit 1 was based on some specific features: • CANDU reactors operate with the concept of Plant damage States (PDS) in order to define the CDF and LERF; • the basic CANDU design includes the probabilistic analyses as Reliability Analyses (RA) and Safety Design Matrices (SDM); • the PSA tools were themselves during a period of about 10 years subject of internal national development and review; • the plant safety concept itself had a certain evolution during the period since acquisition and connection to the grid; • feedback from commissioning and early operation events was considered to review and check both the safety design and licensing decision tools, too; • there were some important mismatches between some elements of the initially adopted regulatory environment and the basic plant safety philosophy, which had to be taken into account and adjusted during the process itself.

As illustrated in Fig.l the pilot PSA results for Cernavoda NPP were mainly used as an information supplementary tool, which has in its turn its own evolution. The various versions were independently reviewed by the regulatory body during the decision process. The review had to consider also that the concepts of important contributors grouped on PDS, as Late Core Damage (LCD), Moderator heat Sink (MHS), Early Core Damage (ECD) and Other PDS (OPDS) had to be correlated with the basic

20 FIG. 1 Results of PSA versions for various PDS

0.0012

• PSA_90 • PSA_B_98 El PSA 95

a.

LCD MHS ECD OPDS TOTAL Frequency

FIG. 2 Mais PDS Contributors to the PSA 1998

OPDS CLCD

• MHS DECD • OPDS

MHS'

safety philosophy of the plant. The PSA results review identified the main contributors, but also a band of variation of the CDF themselves.

The decision process practically performed a Benchmark type exercise as part of the independent review process of PSA results. Fig.2 presents as an example the main contributors to the CDF based on the PSA version 1998 (after the implementation of the most of the IPERS mission recommendations for the 1995 version). The initial 1990 version was a initial pilot study, reviewed also by an IPERS mission in 1991. In all these versions there were some common conclusions, as for instance:

21 ® moderator as a heat sink is an important aspect to be reviewed by other methods; © the importance of the interface systems between the nuclear island and the balance of plant is to be reviewed, too; » some initially considered Beyond Design Basis accidents as for instance Loss of Coolant accidents and coincident Loss of offsite power have to be considered as Design Basis Accidents; ® operator model and actions have to be reviewed carefully. The decision process was done on three main steps in relation with the use of the probabilistic analyses results. The first step of the decision process was to use of PSA level 1 results in the regulatory decisions and consisted on:

(1) identification of the most important contributors to the CDF, in all the versions of PSA level 1. For instance all the above mentioned common conclusions indicated that moderator as a heat sink, interface systems, extension of Beyond Design Basis Accidents (BDBA) list and contribution of operator model are important aspects of the plant risk; (2) based on the identified main contributors the regulator decided to require; • extensive calculations in the Safety Reports for these contributors; • some supplementary actions (mainly new tests) during commissioning; (3) the regulator decided to evaluate in more detail the supplementary actions needed.

There were several safety evaluation methods to be considered during the licensing process (Fig. 3): ® basic design and licensing approaches, as defined in the 1980 version (BASSO); » PSA results for versions 1990, 1995 and 1998; • review of the initial RA and SDM, as a basic design probabilistic analyses; • define and use combined methods for specific topics as resulted during the review.

FIG. 3 Safety Margins for Different Evaluations

SAFMG DUNCTY

GLOBAL I CDF (GLOBAL CDF VXCTY SAFMAG = Safety Margin SAFMG UNCTY = Uncertainty CDF = Core Damage Frequency GLOBAL = Global safety margin indicator

BAS80 = Basic design as per 1980 PSA_90 = PSA 1990 version RA-SDM = RA and SDM reviewed PS A_95 = PS A 1995 version Using decision tables [4] the results were normalized and compared for various methods from the point of view (Fig. 3) of the Safety Margins (SAFMG), Uncertainty/error (UNCTY), Core Damage Frequency (CDF) and the use of the Global indicator, which was defined in [1] as a Lagrange function of the hierarchical system evaluated.

22 The results as presented in Fig. 3 indicate on the fact that a more carefully chosen indicator as the global one, could include not only the departure from an acceptance criteria (safety margin, CDF etc.) but also the error of this evaluation.

At this point of the paper it is the moment to mention that in the second step of the decision process the regulator started to evaluate in more detail if the results of the CDF are confirmed by more refined analyses. These analyses were done for some specific contributors, like for instance for the Nuclear Steam Plant (NSP) — Balance of Plant (BOP) interface systems. The versions considered for the decision process were related (as illustrated in Fig. 3) to the: • basic design as per 1980 (BAS80); • results from reliability analyses and safety design matrices in 1995; • results from PSA in 1995; • results from PSA updated in 1998 as per last IPERS recommendations; and • all the combined conclusions as they resulted from the Final Safety Report in 1998-1999.

The criteria used to evaluate all the above mentioned results were based on the; safety margins, as they resulted from the norms, calculations of the CDF and uncertainties and combination of CDF and importance using a Lagrange function as defined in [1].

The evaluations confirmed that all the tools used indicated that such contributors defined in step 1 of the decision process, as for instance BOP-NSP interface systems, are important for the plant risk. It was also confirmed that these contributors must be supplementary analyzed and tested, even if without those supplementary actions the plant safety could be still considered well within the national and international limits.

The results illustrated in Fig. 3 were based on extensive check lists and decision tables, which might be summarized in risk calculations and importance for the contribution of various systems. The evaluation of importance for various systems (process systems: PI, P2, P3, P4) and safety systems (S1,S2, S3) or human factors (HI) for various sequences (grouped in 3 groups, SEQ_GR1, SEQ_GR2, SEQ_GR3) may be done using classic categories like Fussel Vessely (IMPFV) or modified ones using the Lagrange function as defined in [1] and [4]. The differences between them indicate again mainly the fact that the decision should consider the error of the evaluation method itself. A practical illustration of these results is that the ranking done (Fig. 5) using these different tools indicated the better decisions are those which consider the error, too. All these changes in understanding priority and importance for the licensing decisions on various systems are done so that the global balance

FIG. 4 Importances for Systems

ioo%r • P4 • P3 • H1 • P2 • S3 • S2 HS1

IMP FV BP1 IMP LAGR

23 between fences is no, ^ as consisted on, performmg «d-*» ft was

pplementary deterministic calculations; pplementary commissioning tests. FIG. 5 Systems Ranking

35 HP4 M)["~rH «.. . (H• E1P3 --' HO H'"" ' BH1 2s|... R m....• HP2 20f'.,U 1.. • DS3 151''.--S Fl- H S2 DS1 io]-...M pi.. mpi •3 7

FIG. 6 Sequences Ranking

DSEQ3_GR3 USEQ2_GR2 BSEQ1_GR1

SEQ1..3_GR = Groups of sequences RANK FV = Ranking of sequences/systems using Fussel Vessely Importance RANK_LAGR= Ranking of RANK.FV Sequences/systems RANK_LAGR using Lagrange Function

24 All these requirements are actions actually implemented for a real plant. They all were based on the above described regulatory decision process

To summarize, some important licensing decisions were based on these results: • the importance of the moderator, in the basic design considered a process system, is higher and should be reflected in plant hardware and software; • the importance of interface systems is higher than initially expected and it was reviewed supplementary during commissioning both by analyses and supplementary commissioning tests; • some BD3A accidents like LOCA coincident with loss of off-site power have to be considered DBA and they were demonstrated by analysis and design; • review the decisions based on the event review even from the commissioning phases; • perform and document a,review of the regulatory environment.

3. CONCLUSIONS The licensing decision process for Cernavoda NPP unit 1 included the use of the review from the perspective of decision theory and probabilistic analyses, including the methods errors, uncertainties and modelling limitations. The process had also some specific features, but they highlighted in the author's opinion the fact that any licensing decision has to carefully evaluate their conservatism. The paper also includes some results in using specific tools in order to measure these limitations in the decision process. The path for the evaluations of this type for NPP of including the risk analysis in a global decision theory method may be found in other field, as space techniques and aviation [5]. It might be therefore a deeper problem with a larger application. On the other hand it is important to mention that the further development of the method is being performed [6].

References

[1] SERBANESCU, D., A New Approach in the Decision Phases of the PSA Studies, PSA91, Vienna, (1991). [2] SERBANESCU, D., Metode de Corelare a Defectiunilor provocate de Cresterea de Temperatura in Zona Activa a unui Reactor Nuclear si a Sigurantei in Functionare a unei Centrale Nuclearoelectrice, Teza de doctorat, ICEFIZ, Magurele-Bucuresti, (1987). [3] USNRC, Standard Review Plan, Chpt. 19.0 Use of Probabilistic Risk Assessment in Plant Specific, Risk-Informed Decision making, NUREG 08000 [4] SERBANESCU, D., Final Report on the On-the Job Training at AECB Canada for the Use of Probabilistic Analyses in the Licensing Process of CANDU NPP, Vienna, (1992). [5] ROSENBERG, L. H., HAMMER, T., GALLO A., 'Continuous Risk Management at NASA', Applied Software Measurement / Software management Conference, San Jose, California (1999). [6] SERBANESCU, D., et al. 'Nuclear Safety for Nuclear Power Plants', Master Course being held for the specialization on nuclear safety of the students in Bucharest Polytechnic Institute, Bucharest. Faculty of Energy — in publication.

25 XAO102767 IAEA-CN-82/29

EXPERIENCES AND FUTURE PLAN FOR RISK-INFORMED DECISION MAKING IN KOREA

CHUNG, D.W. and RYU, Y. H. Korea Institute of Nuclear Safety P.O.Box 114, Yusung, Taejon, Republic of Korea Fax: 82-42-861-2535; Email: [email protected]

Abstract

A program for establishing regulatory framework on the use of risk information has been under way since 1995, and several trial applications have been done to evaluate the applicability and usefulness of risk-informed approach to nuclear power plant regulation. The program consists of fifteen general and/or specific items of interest and pilot applications will be initiated in 2003. In parallel, research and development program has been continued to support the regulatory implementation. A task force team has been formed and the official channel has also been opened for cooperation between regulatory body and utility-related organizations. Specifically, a couple of trial applications have been done up to now. First, the risk-based inspection (RBI) program has been implemented to improve regulatory inspection framework by utilizing risk information obtained from plant specific PSA and worldwide operating experiences. Next, optimization of technical specifications has been applied for surveillance test intervals (STIs) and allowed outage time (AOT).

1. INTRODUCTION In 1994, Korean government announced the "Policy Statement on Nuclear Safety", which emphasized the "regulations based on risk information". Since then, research programs have been continued to develop the regulatory framework for the use of risk information. In parallel, investigations have been continued by regulatory staff to identify the area of applicability. Several significant regulatory issues have been investigated and methodologies have been developed for almost four years. Among them, there were a couple of remarkable achievements in the area of regulatory review and inspection. Although applied limitedly, they could be regarded as a milestone in regulatory use of risk information in Korea. They are the risk-based inspection program and the optimization of technical specifications using PSA technique and results. Detailed information will be described in the following chapters.

After years of investigations and developments, a preliminary program for establishing regulatory framework on the use of risk information has been launched to enhance both safety and regulatory effectiveness.

2. FRAMEWORK FOR RISK-INFORMED REGULATION The preliminary program for regulatory use of risk information consists of 3 areas and 15 specific items of interest, which is shown in Figure 1. Currently, following activities are ongoing for each item by the end of 2001; the investigation of domestic and worldwide trend, identification of key issues to be resolved for actual application, assessment of impact to current regulation, and development of regulatory guide. A task force team consisting of 15 staff has been organized and holds a progress meeting quarterly.

26 Director, Safety Evaluation Division

Framework Specific Items Resolving Issues 1. Establish and 1. 1ST 1. PSA Standardization Implement Framework 2. ISI 2. PSA Data 2. General! Guide 3. Tech. Spec. 3. Safety Issue 3. Investigate worldwide 4. I&C Resolution Trends 5. Regulatory Inspection 4. Staff Training 6. Quality Assurance 7. Radiation Safety 8. Site & Structure

FIG.l. KINS Preliminary implementation program for regulatory use of risk information

Also, a council was formed covering regulator, nuclear industries and national laboratory to discuss contents and schedule of preliminary implementation program. By the end of 2001, general guidance for regulatory use of risk information will be prepared, and regulatory guides for specific items will be prepared by 2003. Afterwards, pilot application will be initiated and the implementation program for applicable items will be finalized and formally implemented.

3. RISK-BASED INSPECTION PROGRAM

3.1. Summary The risk-based inspection (RBI) can be understood as a regulatory inspection principle that, for the system and components important to safety, regulatory inspections are conducted more intensively and extensively whereas they are relaxed for the others. By doing so, we can utilize the regulatory resources in such manner that both the efficiency in regulation and the improvement of safety can be achieved.

A comprehensive RBI program has been under development since 1995 to improve regulatory inspection system in Korea. Up to now, two system risk-based inspection guides and two full plant risk-based inspection guides were developed and implemented to four operating units with a view to improving plant safety and tailoring the developed guides. The RBI guides have been developed based on plant-specific PSA results and operating experiences, so they can identify important inspection items in the order of risk significance (importance). It is also included the inspection insights and inspection checklists derived from domestic and worldwide experiences in both operations and PSA results.

A significant number of safety-related findings have been identified by KINS inspectors through four times of special risk-based inspections at the sites and most of them have been voluntarily resolved by plant management and staff. In addition, identified findings have been imparted to the other nuclear units with a view to investigating voluntarily and taking proper actions, if necessary. Moreover, in the light of these inspection results, the contents of risk-based inspection guides can be further improved.

27 3.2. Development of Risk-Based Inspection Guide

3.2.1. Selecting Basic Events for Risk-Based Inspection The starting point in the RBI would be the review of the level 1 PSA results. The key accident sequences important to core damage can be identified and the key basic events that contribute significantly to the occurrence of key accident sequence are selected in the order of importance value for each accident sequence. The importance value of selected basic event is then multiplied by the % contribution of the associated accident sequence to CDF, which produces weighted importance value of the basic event. After tedious algebra, the weighted importance value of each basic event from each accident sequence can be obtained. Then, the priority order of basic events can be determined in terms of weighted importance, regardless of the accident sequence to which the basic event belongs. In case that a basic event is selected from more than two accident sequences, its weighted importance value is determined by summation.

3.2.2. Importance Measures in Selecting Basic Events[1] Two types of importance measures are used in selecting key basic events. Fussel-Vesely importance of basic event is used as primary measure and risk achievement worth (RAW) is used as complementary measure to identify the weak point of plant. RAW is known to be meaningful for inspection and maintenance activities.

The basic events whose Fussel-Vesely importance values are greater than 0.01 are selected for each accident sequence. In addition, basic events having RAW greater than 1,000 are also selected irrespective of their Fussel-Vesely importance values. As discussed in 3.2.1, the weighted importance values of selected basic events can be obtained and the priority order can be determined.

The priority order of basic events is determined in descending sequence of weighted importance values. For YGN 3&4[2], 250 basic events were selected initially. The number of basic events is reduced to 149 after calculating and merging the weighted importance values, and then further reduced to 39 important basic events (inspection items) which have either weighted F-V importance of greater than 1.0 or RAW of greater than 100000.

3.2.3. Developing RBI Guidelines It is necessary to understand the nature, consequences and experiences of the basic event of high priority in order to identify the failure causes, modes and effects, which are essential to determine the inspection guidelines. Detailed investigations may be needed depending on the characteristics of the basic event. Although the failure causes of basic events may be different from one another, in general, they can be grouped as follows; 1) performance degradation of hardware components, 2) various types of human error, 3) common cause failures, 4) design and/or manufacturing deficiencies, 5) procedural errors during operation, test and maintenance, 6) support system/component failures, 7) harsh environments, 8) failures of instrumentation and control, and 9) failures of power supply. All the individual failure causes for basic events would fall into one of these groups even if the failure modes and effects may be different from one another.

Above groups of failure causes may be categorized once again into four major categories, which are the common cause failures, the errors on human performance, the design/ engineering problems, and the independent cause of component failures. Normally, the majority of the basic events of high priority fall into the former two categories and, therefore, the RBI guide focuses on the identifications of possible common cause failures and human errors including preventive measures against their

28 occurrences. Detailed guidelines for those inspection items associated with common cause failures and human errors have been developed considering PSA assumptions and worldwide failure experiences. The guidelines for the other inspection items have also been developed and the main contents are related to equipment performances and engineering problems, if exists.

3.3. RBI Results Totally 71 safety-related findings have been identified through four times of special risk- based inspections and most of them have been voluntarily resolved by plant management and staff. Typical safety-related findings for each unit are described briefly in Table I.

Table I. Inspection Findings and Resolving Status (As of October, 1999) Unit # of Inspection Findings Resolving Status Remarks YGN-1 14 findings including the need of temperature 12 Completed 2 Initial AFWS monitoring for discharge line of AFW pumps On Progress Application to prevent multiple pump failures by steam binding phenomena Kori-3 24 findings including the need of capability 20 Completed 4 AFWS to switch alternate AFWS water source in On Progress case main water source (CST) is unavailable YGN-3 25 findings from EOP, AFWS, HPSIS, I&C, 23 Completed 2 Regulatory Full electrical system On Progress! Inspection Plant Kori-4 8 including the need of improving emergency 7 Completed AFWS lighting system of AFW pump room. lOn Progress

4. Risk Informed Approach to optimize Technical Specifications

4.1. Summary One of the important areas in risk-informed activities is the optimization of plant technical specifications, especially the surveillance test interval (STI) and allowed outage time (AOT). With respect to the impact assessment of current testing and maintenance requirements, particularly those of reactor protection system (RPS) and engineered safety features actuation system (ESFAS), the PSA can be used as an acceptable method for assessing the impact of proposed STI and AOT changes. In Korea, the risik-informed analysis has been performed by the utility to optimize AOTs and STIs requirements of major components in RPS/ESPAS. In April 1998, based on this analysis, the utility applied to regulatory authority for proposed changes in STIs and AOTs. After comprehensive review in various aspects, the proposed changes have been conditionally approved in July 1999.

4.2. Analysis of Unavailability with relaxed AOTs and STIs To analyze the impact of extended AOTs and STIs on standby system unavailability, fault tree analysis for each individual function of RPS/ESFAS was performed. Five contributors to the unavailability of standby component are identified as random failure, test duration, maintenance duration, human error and common cause failure.

• The average unavailability of standby component due to random failure during test interval T is given by; Ur = —£[1- exp( -At)]dt * - j* ltdt = - AT T T ° 2 where XT« 0.1. • Component unavailability due to test can be calculated as Ut=t/T, where t is mean duration of test.

29 • Similarly, component unavailability due to maintenance can be calculated as TJ^ • where tm is mean duration of maintenance. • Human errors associated with test and maintenance are modeled in fault tree adopting • THERP (Technique for Human Error Rate Prediction) method. • Common cause failures are modeled using beta-factor and multiple Greek letter (MGL) models. For reactor trip breakers, master relay, logic cabinet, the common cause failure probabilities are calculated using beta-factor model. For analog channel, MGL model is applied.

The reliability database for the analysis has is based on Westinghouse database, WCAP-10271[3], with Bayesian update using failure data from Kori units 3,4. Fault tree has been constructed for each signal of RPS/ESFAS to allow the calculation of the unavailability of individual trip functions. 17 RPS and 11 ESFAS signals were selected as top events. For sensitivity study, existing and proposed STIs and AOTs are listed in Table II for evaluation of fault tree to produce the core damage frequency.

Table II. Existing and Proposed AOTs and STIs.

Item Current Case 1 Case 2 Case 3 Analog Test Interval 1 month 3 months Test Time 2 hours 4 hours 12 hours 8 hours Logic Test Interval Test Time 2 hours 4 hours Master Test Interval Test Time 2 hours 4 hours Slave Test Interval Test Time 2 hours 4 hours

4.3. Risk Analysis Results The risk analysis has been carried out to determine the impact of changes in AOTs and STIs on plant safety quantitatively. The unavailability analysis provides the impact of changes on signal availability, but it is necessary to perform PSA to evaluate the impact of changes on plant safety. The PSA has been performed with NUPRA code to calculate core damage frequency. The CDFs with current AOTs and STIs were calculated for base case, and for each case in Table II, the CDFs were calculated. In addition, such adverse effects as unnecessary plant transients and challenges to the protection systems caused by test were considered. The effect of forced outage caused by test on CDF was evaluated for Kori units 3 and 4. The core damage frequency and reactor trip risk during test for each case were listed in Table III.

As shown in Table III, the increases in CDF for each case are 1.54%, 2.02% and 1.82%, respectively, which are relatively slight and acceptable judging from worldwide trend[41. Therefore, it is concluded that PSA results show justification of relaxing AOTs and STIs in technical specifications as follows: 1) STIs for analog channels in RPS/ESFAS can be extended from 1 month to 3 month, 2) AOTs for analog channel and component test can be extended from 2 hours to 4 hours for both solid state and relay system. Setpoint drift possibility was assessed in case of increasing the surveillance test interval of the analog channel setpoint. The investigations show slight change in instrument drift due to prolonged operation, but it is acceptable.

30 Table III. Sensitivity analysis of core damage frequency. Initiating Event CDF Change in % Base Case Case 1 Case Case 3 2 LOCA, Transient 7.8E-5 1.44 1.58 1.58 ATWS 1.3E-6 0.13 0.47 0.27 RxTrip Risk During Test -0.03 -0.03 -0.03 Slim 7.9E-5 1.54 2.02 1.82

Table IV. Examples of system upgrades and preventive maintenance. Prevent Maintenance Upgraded System Visual Test Voltage Tap adjustment in backup DC power ICT(In Circuit Test) Dual ruse in NCD card 7300 Function Tester ROMP (Repair Separation of Power Source in Operation And Maintenance Program) NSSS 7300 Cabinet Integrated performance test Install Blower to reduce spurious Signal caused by over heat

Several complementary measures related to testing RPS/ESFAS such as system upgrades and maintenance enhancements that have been applied to compensate for the relaxation are listed in Table 4. Although it is hard to quantify the positive effects of these improvements on CDF, it is expected that these measures increase the plant safety as well as plant availability.

5. CONCLUSIONS Risk-based inspection program and optimization of technical specifications have been implemented as trial applications in Korea. Both results show that PSA technique and its results can be used to enhance safety and/or optimize both regulatory activities and plant operations. For regulatory body, it is particularly important to improve both safety and regulatory efficiency using the risk information obtained from both PSA and operating experiences. In this view, KINS is preparing an implementation program for establishing the regulatory framework for the use of risk information in current regulatory activities.

References [1] FULLWOOD, R.R., HALL, R.E., Probabilistic Risk Assessment in the Nuclear Power Industry - Fundamentals and Applications, Pergamon Press, (1988). [2] KAERI, Final Level IPRA Update for YGN 3&4, Vol. I and II, (1993). [3] WCAP-10271, Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System, (1989). [4] USNRC Regulatory Guide 1.174, An Approach for Using Probability Risk Assessment in Risk- Informed Decisions on Plant-Specific Changes to the Licensing Basis, (1998).

31 XAO102768 IAEA-CN-82/33

RISK INFORMED DECISIONS AND REGULATIONS - STUK S POLICY AND CURRENT PRACTICE

JULIN, A., NIEMELA, I., VIROLAINEN, R. Radiation and Nuclear Safety Authority (STUK) Nuclear Reactor Regulation P. O. Box 14 FIN-00881 Helsinki, Finland Fax: +358975988382; Email: [email protected]

Abstract

Consideration of severe accidents beyond the traditional design basis, including full core melt accidents, has become an important ingredient of regulatory process in Finland. Accordingly, plant- specific level-1 and level-2 PSA studies are a regulatory requirement. These studies are being used in a living fashion both at the utilities and STUK. Plant specific living PSA's have been completed for all operating Finnish plants, including internal initiators, fires, flooding, harsh weather conditions seismic events for operation mode and internal events for low power mode. Many specific applications of the Living PSA have already been introduced but some are still waiting for further development such as Risk Informed ISI, 1ST and Tech Specs. Examples of safety issues, for which the PSA insights give an improved basis for decisions, are approvals of plant modifications and resolution of testing, inspection and maintenance strategies. PSA insights are also of value in assessing meaningfulness of requirements which are based on traditional engineering judgement but do not form an essential part of defence-in-depth concept. Examples of such requirements are details of safety classification and many Technical Specification requirements. STUK has recently conducted a pilot study on risk- informed ISI. The aim of the study was to explore how the plant specific PSA's could best be used for assessment of the ISI programmes. This paper discusses the findings obtained during the pilot study on risk-informed ISI of pipings. The study produced essential insights of the applied method. Furthermore, the study gave guidance to extract items for further development. Based on these results and overall experience the general suitability of the method for further applications is evaluated.

1. INTRODUCTION The guidelines for applying Living PSA in Finland are set forth in the Regulatory Guide YVL 2.8 issued by STUK in 1987 and renewed in 1997 [1]. Living PSA is formally integrated in the regulatory process of NPPs already in the early design phase and it is to run through the construction and operation phases all through the plant service time. A condensed picture of the topical content of the Regulatory Guide YVL 2.8 is given in Figure 1.

In 1991 STUK and the licensees made a special agreement for introducing the Living PSA as a common information platforni . The agreement included that the identical, reviewed PSA model is used for resolution of safety issues both by the licensee and STUK. In compliance with the requirements posed in the Regulatory Guide YVL 2.8, the licensee has to use the insights of PSA in support of decisions on safety issues at operating plants such as: • plant changes and backfits; • training of plant personnel; • working up of emergency operation procedures; • applications of Tech Specs; • case by case assessment of risks resulted from component failures; • risk follow-up of Licensee Events; • directing and weighting In- Service Inspections and Testing; • maintenance and surveillance program planning; • new plant designs.

32 Risk Risk Based Informed Safety Regulation Management

UTILIZATION OF LIVING PSA

Use of PSA Use of Level 1 Use of Level 2 for Design PSA during PSA for SAM and Operation Strategies Construction I Design and Long Term Issues Uncertainty Recognition Construction • Main Risk Issue of Critical Issues Contributors Quantification Sequences & • Plant Changes and Phenomena • Identification of Backfitting Design • Compliance with Vulnerabilities Safety Objectives • Balancing of • EOP Improvements Safety Features • Analysis of Tech Specs Evaluation of the • Resolutions in • Maintenance planning Significance of the Phenomena Early Design • In-service Testing Process & • In-service Inspection • Evaluation of Human Factor Advanced Designs • Cost-Benefit Analysis Short Term Issues • Exemption from Tech Specs • Analysis of Safety Evaluation of Margins during Mitigation Incidents Measures On-line monitoring Precursor Studies

FIG. 1. Concept of using Living PSA for Risk Informed Regulation and Safety Management.

33 As concerns a possible new plant unit a concise plant specific PSA is required as a prerequisite for issuing Construction Permit and a complete level 2 PSA is a condition for issuing the Operating License.

2. PLANT MODIFICATIONS AND OPERATIONAL EVENTS

PSA has got an important role in the evaluation of candidate plants modifications [1-5]. Accordingly the licensee must provide STUK with the assessment of safety significance of the candidate modification in conjunction with the related pre-inspection documentation. The assessment has to be submitted to STUK independent of the safety class which the systems to be changed belong to. Up to now a number of plant modifications have been done based on insights from level 1 PSA studies, assigning highest priority to modifications with most risk impact. In the course of past several years the core damage probability of Loviisa plant has been reduced with no less than one order of magnitude thanks to a number of plant changes.

In addition to hardware changes also new Emergency Operation Procedures (EOP) have been written to provide guidance for operators to better manage certain accident sequences which the PSA indicated to be of high importance to risk. New insights from PSA have also been taken into account in the contents of operator training programs.

In the area of operational events PSA is a standard tool to assess the safety significance of component failures and incidents. Accordingly systematic risk follow-up studies are being made at STUK on regular basis [6,7]. Two risk follow-up studies for Olkiluoto nuclear power plant's unit 1 and 2 were completed in 1994. These studies were made according to the operating experiences of these units during years 1986-1991 (OL 1) and 1985-1994 (OL 2). All incidents were gathered from Licensee Event Reports and were analysed with the STUK's living PSA-code and the updated version of plant specific PSA model. Today risk follow-up studies are a common practice at STUK. Since 1995 STUK has performed systematic risk follow up studies on the annual basis for each Finnish NPP unit.

The contribution of component failures and operational disturbances to the estimated annual core damage probability during the studied time period has typically been no more than few per cents in both Olkiluoto units. Instead of the operational events, the infrequent, significant precursors (LOCAs, transients, fires etc.) appeared to provide the main contribution to the total risk. The risk contribution from safety related component failures and other operational events seem to remain small.

The insights received from the risk follow-up studies caused STUK to set forth an internal risk based objective for operational events at Finnish NPPs. The annual share of operational events (component failures, preventive maintenance, exemptions from Tech Specs) should be equal to or less than 5 % in the estimated annual core damage probability. This objective constitutes the strategy by STUK to lessen the number and contribution of operational events at NPPs. The need for analysing the actual initiating events and precursor type of events is assessed on case by case basis in conjunction with e.g. INES rating and potential event investigations.

3. ANALYSIS OF TECHNICAL SPECIFICATIONS Insights from PSA are used to give arguments for relaxing Tech Specs. Once a licensee applies for a temporary exemption to Tech Specs, it has to assess the safety significance of the respective exemption with PSA. However, the granting of exemption of Tech Specs provides that the short exceeding of the allowed outage time contributes only a tiny increment to the core damage probability compared with normal operation. The procedure for relaxing Tech Specs includes the use of traditional and probabilistic reviews as complementary methods to each other.

Furthermore, the relevance of Allowed Outage Times of Technical Specifications has been re- evaluated by PSA. Certain inconsistency with the AOT's in comparison with the respective risk

34 impact has been identified between various safety systems as presented in Table I. Analysis indicated that risk contribution of twofold subsystem failure of sea water system is higher than that of fourfold subsystem failure of auxiliary feedwater system. In addition some asymmetry between various, formally similar failure combinations of subsystems has been identified as well. This implies that risk contribution of e.g. twofold failure combinations AB and AC in the sea water system are not identical. One explanation for the asymmetry is that the trains A and C are more sensitive to common cause initiators such as fire and flooding events than trains A and B because of shortages in physical separation.

Table I. Risk based rating of hypothetical safety systems failures at a BWR plant (CDF=l,7-l(r7a).

System Subsystem RAW CCDP % Annual Risk failures (1 month) (lj-io-5) Sea Water System AB 9,2 1,2-1(T5 68% (712) AC 34,5 4,8-10"5 279 % ABCD 5850 8,3-l(r3 48717% Auxialiary Feed Water System AC 1,4 6,H0"7 4% (327), high pressure ABCD 12,5 1,6-KT5 96%

Risk assessment has also questioned the traditional conclusion that in all faulted states the shutdown would be the safest procedure. In certain faulted states (i.e. a loss of equipment important for decay heat removal) it may be safer to continue operation than to shutdown this plant immediately, if required by the current Tech -Specs. Accordingly a licensee has asked for a change of Tech Specs for certain plant configuration (with specific safety system trains inoperable) on the basis of risk studies.

Results from shutdown mode PSA prompted STUK to change the Technical Specifications for Shutdown State [8]. In 1994 STUK set forth a new requirement to keep the lower air lock of the containment closed during the maintenance of main circulation pumps because: this task contributed to increase the probability of large bottom LOCA of the reactor vessel. Should the large LOCA take place and the lower air lock be open, the water would escape out of the containment preventing any core cooling measures and leading to core damage within short time with open reactor vessel and open containment. The traditional rules did not require keeping the lower air lock closed during the aforementioned maintenance but the complementary PSA based review prompted STUK to set such a requirement.

4. ANALYSIS OF PREVENTIVE MAINTENANCE STUK allows preventive maintenance (PM) during power operation provided that the deterministic criteria are fulfilled (e.g. single failure criterion) and the risk contribution of PM is small. On the other hand the shutdown risks are supposed to be reduced and the reliability of respective components maintained. However, the majority of maintenance is performed during annual overhaul.

It is possible to minimise the risk deriving from on-line PM with the help of PSA. Example case of on- line preventive maintenance optimisation is from Olkiluoto BWR plant, which has four redundant subsystems A, B, C and D in parallel. The capacity of safety systems is 4x50 %. In Olkiluto case it is allowed to take one redundancy out of service at a time. Figure 2 shows the risk contribution of all four subsystems' PM to the core damage frequency for the three different maintenance schedule alternatives.

When Olkiluoto PSA was first completed in 1989, the risk contribution of on-line PM was assessed to be approx. 1,25 % per subsystem, altogether more than 5 %. This was considered to be too much. The first change of the PM schedule reduced the risk contribution significantly as can be seen in Fig. 2. Later on the schedule was further optimised and currently the risk contribution of on-line PM to the mean CDF is less than 1 %.

35 1,5 0 %

1,2 5 % u. 0 Id Q O 1,0 0 % P re v io u s 3 C u r r e n t 0,7 5 %

0,5 0 %

0,2 5 %

0,0 0 % B C Subsystem

FIG. 2. Preventive maintenance contribution (%) to core damage frequency.

5. ANALYSIS OF IN-SERVICE INSPECTION/ TESTING STUK is in the process of extending the scope of risk informed regulatory activities to ISI, 1ST and Risk Informed Technical Specifications. A new project dealing with PSA support to regulatory audits has been initiated at STUK in 1998. The aim of the project is to develop a risk-informed method and apply them to consolidate specific regulatory tasks such as ISI, 1ST and Technical Specifications. Use of PSA by STUK has up to now been rather limited for regulating and controlling in-service testing and inspections (ISI/IST).

5.1. Pilot studies on 1ST A pilot study to optimise the MOVs changing program has been performed for Loviisa NPP. Originally, some MOVs were equipped with over-dimensioned actuators, which may damage the valve and result in an external leakage provided that the limit protection function of the valve was unavailable. Because the need for changes for the major portion of the valves was not evident, the risk assessment study was necessary for ranking the valves, which may cause the highest risk contributions. The leading aspect in the study turned out to be the small LOCA induced by the damages in valves, located at the pressure retaining parts of the reactor coolant system, due to over- dimensioned actuators.

The study indicated that the modification of 64 valves from 500 candidates reduced the LOCA contribution by one order of magnitude, which is an insignificant contribution to the total core melt probability. Further the study showed that the importance of MOVs in terms of risk significance deviates in a large range. Accordingly the majority of components was left untouched while a minority of MOVs were modified [9].

Some testing procedures for diesel generators have been modified at Olkiluoto NPP unit 1 and 2 in order to reduce negative impact of tests to the equipment's ageing.

5.2. Pilot study on ISI The pilot applications on ISI of piping both in PWR (Loviisa) and BWR (Olkiluoto) plants have been completed. The pilot study contains the high-pressure injection system and the emergency feed water system at the PWR and the shutdown cooling system and the service water system at the BWR plant. The Finnish licensees contributed to the pilot study by providing qualified systems information data to STUK.

STUK's risk-informed procedure combines both the plant specific PSA information and the traditional insights in support of the system specific detailed ISI program selection. At the starting point all

36 systems important to safety are exposed to the selection procedure irrespective of the ASME class (1, 2, 3 or even non-code piping).

The procedure includes several steps such as selection of systems and identification of the evaluation boundaries and functions, evaluation of the qualitative degradation mechanisms of piping, evaluation of consequences and division of the segments into different categories.

Division of pipe segments into various degradation categories is to be based mainly on qualitative identification of the mechanism to which the pipe segment is exposed (such as erosion corrosion, vibration fatigue, water hammer, thermal fatigue, stress corrosion cracking and others). Recently few probabilistic fracture mechanics methods to estimate the potential pipe break probabilities have been presented. An alternative method is to use expert opinion and pipe failure experience to determine the degradation category of each pipe segment. [10-17].

The division of pipe segments into various consequence categories is based on conditional core damage probability estimated by PSA applications. The pipe segments are: divided into different categories containing high, medium and low risk segments, respectively. Finally the expert panel combines the traditional and probabilistic information. The experts in the patnel represent extensive areas of operational and safety disciplines such as plant design, operation, maintenance, structural and material engineering, probabilistic risk assessment and in-service inspection. The panel itself can be seen both as quality assurance or critical review of the preliminary results and as a support for the decision making for the final categorisation of the pipe segments.

The pilot study on ISI of piping produced essential experience for further RI-ISI applications [18]. Furthermore, the study also gave guidance to further development of the chosen method. The study produced also a new testing strategy for the chosen systems. Based on these results and the overall experiences the general suitability of the method and the PSA application guidelines will be evaluated. It is anticipated that the gain of the pilot application is improvement of safety, more effective use of regulatory resources, and if the optimisation is well accomplished, reduction of unnecessary burden and cost of the licensee.

References

[1] REGULATORY GUIDE YVL. 2.8, Probabilistic Safety Analysis (PSA) in the Licensing and Regulation of Nuclear Power Plants, Finnish Centre for Radiation and Nuclear Safety (STUK), Helsinki (1987). [2] VIROLAINEN, R., NIEMELA, I., Implementation and Introduction of Living PSA in Co- operation with Finnish Utilities and Authorities, PSA'93- International Topical Meeting on PSA, Clearwater Beach; Florida, (1993). [3] OKKONEN, T., NIEMELA, I., SANDBERG, J., VIROLAINEN, R., Development of a parametric containment event tree model for a severe BWR accident. A pilot Study, Proceedings of Probabilistic Safety Assessment and Management"96- ESREL"96 - PSAM-III, Crete (1996). [4] REIMAN, L., Expert Judgment in Analysis of Human and Organizational Behaviour at Nuclear Power Plants, (Doctor Thesis), STUK-A118, Finnish Centre for Radiation and Nuclear Safety, (1994). [5] VAURIO, J., JANKALA, K., Safety Management of a VVER Plant: by Risk Assessment, PSA'96- International Topical Meeting on PSA, Moving toward Risk-Based Regulation, Park City, Utah (1996). [6] JULIN, A., VIROLAINEN, R., PSA Based Event Analysis of Incidents and Failures at TVO BWR, PSA'96- International Topical Meeting on PSA, Moving toward Risk-Based Regulation, Park City, Utah, (1996).

37 [7] TIIPPANA, P., Development of Safety Assessment of Nuclear Power Plants Using Indicators, Diploma thesis (in Finnish), STUK.YTO-TR, Helsinki, 76pp +appendices (1997). [8] SANDBERG J, VIROLAINEN R, NIEMELA I, On the Regulatory Review of the TVOI/II, Low Power and Shutdown Risk Assessment, Proceedings of Probabilistic Safety Assessment and Management^- ESREL/96 - PSAM-III, Crete (1996). [9] MANKAMO, T., JANKALA, K., LUOMA, J., 'Reliability of the motor operated valve actuator', (draft), to be published in Nuclear Technology. [10] US NUCLEAR REGULATORY COMMISSION, 'An Approach for Plant -Specific, Risk- Informed Decision making: In-Service Inspection of Piping', Draft Regulatory Guide DG-1063, (1998). [11] GOSSELIN, S. R., 'EPRTs new in-service inspection program', Nuclear News, (1997). [12] EUROPEAN COMMISSION, report on risk-informed in-service inspection and in-service testing (Draft), Nuclear Regulators Working Group (NRWG), Task Force on Risk-Informed ISI (Revision 10) (1999). [13] SKI Report 97-26, 'Reliability of piping system components, Framework for estimating failure parameters from service data', (1997). [14] JAMALI, K., 'Pipe failures US Commercial Nuclear Power Plants', EPRI TR-100380, Electric Power Research Institute, Palo Alto, California (1992). [15] JAMALI, K., 'Pipe failure Update Study', EPRI TR-100380, Electric Power Research Institute, Palo Alto, California (1993). [16] BERGMAN, M., BRICKSTAD, B., NILSSON, F., 'A procedure for Estimation of Pipe Break Probabilities Due to IGSCC, SAQ kontroll AB, SAQ /FoU-Report 97/06, (1997). [17] HARRIS, D. H., DEDHIA, D. D., 'Theoretical and users manual for PC-PRAISE, A probabilistic fracture mechanics computer code for piping reliability analysis' US NRC, NUREG/CR-5864, (1992). [18] MONONEN, J., NIEMELA, I., VIROLAINEN, R., RANTALA, R., JULIN, A., VALKEAJARVI, O., HINTTALA, J., 'A Pilot Study On Risk Informed In-service Inspection', Proceedings of Probabilistic Safety Assessment and Management 2000- PSAM-V, Osaka, Japan (2000).

38 XA0102769 Ifl£ft-CN-82/46 USING PROBABILISTIC SAFETY ASSESSMENT FOR MAKING DECISIONS ON IMPROVING THE SAFETY OF IN-SERVICE AND NEWLY DEVELOPED NUCLEAR POWER STATIONS WITH WWER REACTORS

SHVYRYAEV, Y.V. Atomenergoprojekt Institute Bakuninskaya Str. 1 Moscow 107005, Russian Federation Fax: 0953159210; Email: [email protected]

Abstract

In this paper the current practice of using a PSA for making the decisions on improving safety of operating and newly designing NPP with WWER reactors is briefly described.

1. INTRODUCTION

At present, more than 30 power-generating nuclear power units with VVER-440 and VVER-1000 reactors are in service in Russia, Ukraine and in Eastern Europe countries. Starting from late 1980s, new designs of nuclear power stations with VVER-1000 reactors have been developed for the second stage of NovoVoronezh NPP, Kudankulam NPP in India, Tyanwan NPP in P.R. China, and the project of completion of Bushehr NPP in Iran.

For developing and making decisions on improving the safety of in-service and newly developed NPPs, methods of probabilistic safety assessment (PSA) are widely used.

In this paper, the results of applying PSA for making decisions on improving safety of in-service and newly developed NPPs with WWER reactors are briefly described.

For in-service NPPs, the results of PSA are used for the following purposes:

- To develop and assess the efficiency of measures on upgrading the NPP; - To develop the routines of carrying out periodic tests on safety systems; - To develop the procedures for control of beyond-the-design basis accidents (BDBA) management.

For new designs of NPPs, PSA is used as a tool for making decisions on determining the main engineering principles and measures that are required to attain a safety level that is qualitatively new compared with that of the in-service NPPs. 2. THE DEVELOPMENT OF MEASURES ON UPGRADING UNIT 3 AT THE NVNPP

Measures on upgrading Unit 3 at the NVNPP were developed using the results of the PSA that was developed within the framework of Project 1.4 of the TACIS-91 Programme and also the NOVISA Project.

The estimated value of core damage frequency as per the Project 1.4 of the TACIS-91 Programme amounted to 1.8 E-3 I/year. The main contributors to this value were accident sequences (AS) associated with the failure to remove heat through the secondary coolant circuit under conditions of initiating events (IE) with transients. Based on these results, recommendations were made on upgrading the heat removal systems through the secondary coolant circuit, including:

39 - An additional emergency system for supplying feed water to the steam generators; - A portable feed water pump driven by a diesel; - A portable diesel-generator.

According to the results of the PSA made within the framework of the NO VIS A Project, the introduction of these measures, will decrease the core damage frequency to 0.97 E-4 I/year. Based on the results of the PSA performed for the NO VIS A Project, the additional upgrading measures were determined to further decrease the core damage:

- To carry out an analysis of processes associated with leaks from the primary coolant system to demonstrate that the temperature of water in the B-8/3 tank does not exceed 75°C, which is the maximum permissible temperature for the pumps of this system. The introduction of this measure will reduce the core damage frequency on 3.0 E-5 I/year. - To have more efficient isolation of leaks from the reactor coolant system, it is recommended to replace manually operated gate valves on the blowdown lines and on the lines for returning the blowdown water of the reactor coolant system (3R-9/1+6 and 3R-11/1-^6), and to introduce an automatic signal for closing them generated when there are leaks from the reactor coolant system. With the introduction of this measure, the core damage frequency will be decreased on 2.0E-5 I/year. - To improve the functional reliability of the spray system, an automatic signal should be introduced for opening the gate valves on the line supplying water to the spray heat exchangers 3T-10/1 and 3T-10/2 - the same as the signal for opening the gate valves 3B-20 and 3B-20A on the recirculation line of the spray pumps to the emergency boron storage tank B-8/3. - To prevent core damage during LOCA because of clogging of the confinement sump with the heat insulation of the reactor coolant pipelines, the design of the sump should be altered. - The implementation of the above-mentioned measures will allow the core damage frequency to be reduced to 3.0 E-5 I/year. - A further decrease in the total core damage frequency, which can be attained by implementing the above-mentioned measures, is associated with coping with the effects due to such dominant contributors as beyond-the-design-basic accidents with large breaks of the reactor coolant pipelines or steam generator headers. Because of this, the scope of activities on assessing and substantiating the safety must include a determination of the frequencies of large breaks of pipelines using probabilistic strength models. In developing these models, a leak before break concept should be taken into account.

To improve the reliability of removing heat through the secondary circuit, the following measures are also suggested:

- To make a provision for automatic actuation of the emergency feed water supply system. - To introduce automatic signals for closing the sectionalizing gate valves of the MSH 3(4)P-123, 3(4)P-624 to isolate the half-sections of the MSH during leaks of steam headers. It is desirable that these gate valves were closed before the gate valves on the connection lines between the MSH and the SG steam lines 3P-10.. .60. - To introduce automatic signals for closing the gate valves on the steam lines of SGs 3P-11.. .61, similar to the signals for gate valves 3P-10...60. - To introduce an automatic signal to close or to prohibit opening of the control valves on the emergency feed water lines when there are leaks of SG steam lines in the non-isolated part.

The above measures on upgrading will be implemented in the Unit 3 at NVNPP during a period from April to September, 2001.

3. DEVELOPING A SAFETY CONCEPT FOR NEW DESIGNS

The design solutions on safety for nuclear power units with WWER reactors of a new generation are aimed at developing an NPP with an enhanced level of safety so that to have the total risk associated

40 with NPP operation as low as reasonably achievable. Here, of course, the requirements of the Russian regulatory documents on safety as well as the recommendations of IAEA, which are now in force, shall be complied with. In particular, the requirements on the target safety performance indices in the NVNPP-2 Project are based on the requirements of Clause 1.2.17 of OPB-88/97. According to these requirements, the frequency of large emergency release shall not exceed 1.0 E-7 per reactor a year. The emergency release is defined as the release of the amount of radioactive products at which evacuation of population may be required beyond the boundaries determined by the existing regulations for sitting NPPs.

The second group of requirements on limiting the risk level are those outlined in Clause 4.2.2 of OPB- 88/97. According to them, the core damage frequency shall not exceed 1.0E-5 per reactor a year. The safety concept for new design of NPP with WWER reactor has been developed to achieve these purposes. The PSA results which have been performed for operating NPP with WWER-1000 (Balakovo NPP) were used for the development of the safety concept for new NPP design.

The results of core damage frequency estimation for unit 4 of Balakovo NPP are presented in Table I. The following insights have been made based on consideration of this results:

1. The estimated value of core damage frequency for unit 4 of Balakovo NF'P 4.26E-5 I/year is not sufficient the requirement of OPB-88/97 and recommendation of INSAG-3 for new NPP design. The main contribution in core damage frequency value give the common cause failures (CCF) of safety system components and operator errors. The NPP with WWER-1000 design is based on using the three-train active safety systems in which similar types of components (diesel-generator, pumps, valve, check valves etc.) are employed in individual trains. The operator actions on safety system control are required for post-accident period. The influence of CCF and operator errors does not allow to decrease the failure probability values of active safety system lower than 10"' - 10"4 on demand. 2. The desiga of NPP with WWER is not good sufficient to be balanced. The contributions from initiating event with transients (96%) exceed the contributions from LOCAs (2.6%). This fact is explained the similar structures of safety systems which need to prevent the core damage at transients and LOCAs while the frequency values of transients are fairly high (in 100 or more times) compared the frequency values of LOCAs.

Based on PSA results of NPP with V-320 the following principles and decision were included in safety concept of new NPP with WWER design:

1. To ensure the deep defence from CCF that is based on using the diversity in safety systems. The mutually redundant systems of passive and active operation principles or systems with diverse design of components are used for performing the main safety functions. • An upgraded emergency protection system with the number of control rods two times more than that used in the V-320 reactor plant and a quick boron injection system to bring the reactor in a subcritical state and maintain it in this state over a wide range of operating parameters (the emergency protection system is capable to maintain the subcritical state up to a temperature below 100°C). • The active and passive systems for emergency heat removal through the secondary coolant circuit. Eloth these systems can remove heat during infinite time, whereas the emergency heat removal system for NPPs with a V-320 reactor can operate only for a limited time (about 30-40 hours), which is determined by the inventory of coolant in its tanks • Active emergency core cooling system (ECCS) and the 1st and 2nd stage: hydro accumulators to maintain the inventory of reactor coolant in the core during leaks from the reactor coolant system. The 2nd stage hydro accumulators together with the 1st stage hydro accumulators provide a redundancy to the active ECCS in terms of the function of maintaining the inventory of coolant in the core during 24 hours after the accident. This time can be used to restore the operability of the active ECCS in case of its failure. The individual trains of active safety systems (the emergency cooldown system and ECCS) can be used to perform functions of normal operation. Here, most of the components of these systems are in

41 the states that are similar to those when the required emergency functions are performed. Using such operating modes of these systems, it is possible to enhance their availability indices and to provide additional protection against common-cause failures. 2. To ensure the deep defence from operator errors that is based on using the passive safety systems which do not require the operator actions for their operation and on using the high level of automatization in active safety systems. 3. To develop the containment system for the mitigation of radioactive releases at severe accidents with core melt. The double containment system with hydrogen removal system and catch for melting core is used in NV NPP-2 design.

The level 1 and 2 PSA were developed for NV NPP-2 design to estimate the effect of new design decision which are described above. The results of CDF estimation are given in Table I. As can be seen from Table I the CDF values for internal initiating groups during power operation amount to 2.58*10-8 I/year for NV NPP-2 and 4.26*10'5 I/year for Balakovo NPP. The total CDF value fromNV NPP-2 taken in account the contribution from shutdown modes amount to 4.8*10*8 I/year.

TABLE I. CONTRIBUTION OF DIFFERENT GROUPS OF INTERNAL INITIATING EVENTS TO CORE DAMAGE FREQUENCY

Initiating event Frequency Contribution of Unit 1 at Contribution of Unit 4 at of IE I/year NVNPP-2 to core damage Balakovo NPP to core frequency damage frequency Absolute, Relative Absolute, Relative I/year % I/year % Leaks from the RCC to the containment 1.1. Small break 3.20E-03 1.26E-09 -2.6 3.40E-07 -0.8 1.2. Intermediate break 1.00E-03 3.64E-10 <1 8.30E-08 -0.2 1.3. Large break 3.20E-04 6.79E-10 -1.4 5.40E-08 -0,1 2. Leaks from the primary to 1.00E-03 1.26E-09 -2.6 1.10E-06 -2.6 secondary circuit 3. Reactor shutdown 1.00E-00 7.38E-09 -15 1.65E-06 -3.9 4. Loss of normal heat l.OOE-01 7.38E-09 -15 6.50E-07 -1.5 removal through the secondary circuit 5. Loss of power supply l.OOE-01 7.91E-09 -16 3.54E-05 -82.9 6. Leak of the steam line in the 1.00E-03 2.67E-11 <1 3.40E-06 -8.0 part isolated from the SG 7. Leak of the steam line in the 4.00E-04 1.29E-10 <1 1.00E-10 -0 part non-isolated from the SG 8. Loss of heat removal from ' 3.50E-05 1.07E-08 -22 the depressurized reactor 9. Loss of power supply with 3.70E-03 1.12E-08 -23 the depressurized reactor AllIEs 4.77E-08 100 4.27E-05 100 he estimated on level 2 PSA results value of large release frequency for NV NPP-2 amount to 0.94*10" 8 I/year. It means that using the new design decisions for NV NPP-2 described above allows to decrease CDF value for NV NPP-2 by factor of about 1700 lower than that for Balakovo NPP and to ensure the requirements of OPB-88/97 and INSAG-3 for new NPP design.

42 4. CONCLUSION

The PSA is very effective method for making and supporting the decisions on safety improving of operating and newly designing NPP. Using the PSA allow to reach the qualitatively new safety level for newly designing NPP and to upgrade the safety of operating NPP.

43 XAO102770 IAEA-CN-82/49

IMPEDIMENTS FOR THE APPLICATION OF RISK-INFORMED DECISION MAKING IN NUCLEAR SAFETY

HAHN,L. Oko-Institut e.V. Elisabethenstrasse 55-57 D-64293 Darmstadt, Fax: 0049-6151-819133; Email: [email protected]

Abstract

A broad application of risk-informed decision making in the regulation of safety of nuclear power plants is hindered by the lack of quantitative risk and safety standards as well as of precise instruments to demonstrate an appropriate safety. An additional severe problem is associated with the difficulty to harmonize deterministic design requirements and probabilistic safety assessment. The problem is strengthened by the vulnerability of PSA for subjective influences and the potential of misuse. Beside this scepticism the nuclear community is encouraged to intensify the efforts to improve the quality standards for probabilistic safety assessments and their quality assurance. A prerequisite for reliable risk-informed decision making processes is also a well-defined and transparent relationship between deterministic and probabilistic safety approaches.

1. INTRODUCTION This paper summarises some main unresolved issues which oppose a broader application of probabilistic evaluations in the routine regulation process. Only technical subjects are investigated; juridical, administrative and political matters are not considered.

Whereas probabilistic safety assessment (PSA) are a necessary and well established part of periodic safety analysis and are conducted for nearly all nuclear power plants in Germany, many controversies exist on probabilistic evaluations within the framework of individual regulation decisions day by day. In order to justify decisions on backfitting measures, corrective actions or maintenance strategies probabilistic arguments seem to be overstrained. According to the authors view of the practice in Germany the methodological reasons for the discussions on risk-informed decision making are the lack of probabilistic acceptance criteria, the insufficient quality of PSA for this purpose and the principal problems of harmonization and compatibility of deterministic and probabilistic safety approaches. This means that the standards as well as the tools to demonstrate an appropriate safety have not yet reached a status which is appropriate for a efficient and reliable risk-informed decision making.

2. LACK OF PROBABILISTIC ACCEPTANCE CRITERIA A main obstacle to the implementation of risk-informed decision making is the fact that quantitative risk acceptance criteria for all categories of regulatory objective do not exist in the most countries. Risk-informed decision making is not possible without general probabilistic safety goals as well as detailed quantitative acceptance criteria on the level of safety function, system and components reliability. The top level safeiy goals, which give answers to the question "How safe is safe enough", have to be defined by the policy and society. Before such a definition did not take place, the elaboration of detailed quantitative acceptance criteria on the safety function, system and component levels by technical expertise would be without normative foundation and therefore meaningless.

In the international context do exist the two INSAG/IAEA-targets of 10-4/a for the core damage frequency (CDF) and 10-5/a for the large early release frequency (LERF); in addition to this the

44 number of 10-5/a is proposed as a quantitative criterion for the classification of sequences in the defense-in-depth levels 3 and 4. Only with these figures an effective risk-infoimed decision making is not possible for several reasons. At first the INSAG/IAEA figures for CDF and LERF are not obligatory in the member States. Secondly they only are strong indicators for immediate actions if PSA's show that the figures are exceeded; in the case that they are not exceeded the absolute PSA- results perform no guidance for regulatory measures. Particularly it cannot derived in such cases that no further actions are needed to fulfill the regulatory requirements. With respect to the criterion for the classification into the defense-in-depth levels 3 and 4 it must be pointed to ithe tendency to exclude some, if not all classical design basis accidents (DBA) from this categorization. The reason is that these events must remain the basis of design due to their enveloping character although their frequencies can be much lower than 10-5/a. Summarizing it can be stated that in the present situation, due to the lack of obligatory overall probabilistic safety goals and of detailed quantitative acceptance criteria, a risk-informed decision making based solely on absolute figures cannot have a reliable foundation.

3. INSUFFICIENT ACCURACY AND QUALITY OF EXISTING PSA Beside the considerable progress in PSA methodology in the last decade, there still remain inherently large uncertainties in PSA results. In addition to the uncertainties induced by the spread of input data, uncertainties due to modelling effects must be considered. Furthermore, in some areas different expert options exists on the appropriate methodological approach, for example in the fields of common-mode failure and human reliability. Other potentially risk-relevant factors such as the influence of organization, management and safety culture are normally not considered in current PSA. These facts lead to the conclusion that even from a methodological point of view the maturity of PSA is not sufficient in order to serve as an adequate basis for risk-informed-decision making processes.

In addition to these facts it must be considered that in practice the PSA for existing plants do vary widely in quality, scope and completeness. Examples of the different scope of PSA application is the treatment of fire, flooding, external hazards and shutdown conditions.

High quality PSA's at least of level 2 (this means that the frequencies of Core Damage and Large Releases are explicitly and comprehensively treated) are a prerequisite for an effective use of probabilistic assessments for decision making processes in nuclear safety regulation. It is acknowledged that sound guideline programs for PSA including guidance for Quality Insurance to guarantee quality and consistency of future PSA's are underway. But for the present situation it must be stated that standards are missing to guarantee that PSA have a sufficient quality and that the results for different plants are comparable.

4. THE RELATION OF DETERMINISTIC SAFETY CONCEPT AND PROBABILISTIC SAFETY ASSESSMENT A fundamental impediment for risk-informed decision making is the fact that existing plants are designed, licensed and constructed on the basis of regulations which are mainly deterministic and were not formulated to be risk-based. The fundamental approach of nuclear safety is the defense-In-depth principle with several levels of protection in connection with multiple, successive barriers to prevent the release of radioactive material in the environmental. The deterministic concept for maintaining at least one barrier in accident situations relies on set of representative design basis accidents and on conservative assumptions. These two elements should compensate unknown phenomena resp. not explicitly treated accidents and introduce large safety margins in the design of the plant. As a result the plant is capable to deal with a large variety of sequences even beyond the design basis. On tiie other hand probabilistic safety assessments of the actual plant status should analyse: all possible sequences and failure combinations individually in a realistic manner. Main challenges on PSA are overall completeness, realistic modelling and accurate quantification of the investigated accident sequences.

45 On these premises probabilistic evaluations are very efficient tools for verifying design deficiencies and identifying plant vulnerabilities. Such probabilistic insights can be used to introduce additional safety measures within the design basis (e.g. if conservative supposed assumptions are not conservative in reality, see the insight that small LOCA's and not large LOCA's put the highest challenge on the safety systems) or beyond the design basis (e.g. if dominant risk distributors are identified, see core melting under high primary system pressure). This complementary approach consisting of a deterministic concept as an overall basis and of additional checks by probabilistic methods is reasonable and in principle suitable to increase the safety. Another use of PSA has the potential to lower the safety level namely if the purpose is to reduce 'unnecessary conservatism' or to remove 'undue burden' associated with current requirements. The decision whether a requirement is unnecessarily conservative or not can only be reliable if the analyst has explicitly in mind the full purpose and the full context of the requirement. This means for example that the analyst must reflect all elements of the background of the conservatism. Without a detailed, complete and transparent analysis of the means of a conservative assumption, a correction of deterministic requirements by probabilistic arguments seems not to be reliable. Changes in deterministic requirements should be justified primarily by deterministic arguments rather than by probabilistic ones.

Because of the fundamental and methodological character of the problems due to the mix of both approaches, deterministic principles such as the defense-in-depth concept must always override probabilistic considerations. Probabilistic safety assessments are an excellent element to supplement deterministic design principles but can never replace them. An vice versa.

5. BENEFITS AND PITFALLS IN USING PSA It is obvious that the existing probabilistic assessments have substantially promoted the knowledge on safety and risks of nuclear power plants. The insight have been generic as well as plant-specific. Important generic insights are related to the phenomena during severe accidents. In connection with the assessment of the consequences of accidents it was necessary to quantify the source term as precisely as possible because the knowledge about the nature, time and amount of radioactive releases are the most important parameters for the determination of the consequences of a nuclear accident. While in early generic risk studies it was assumed that radioactive releases and the potential of catastrophic consequences would be an unrealistic worst-case-scenario (due to steam explosion), recent investigations in the eighties revealed additional phenomena with the potential of early containment failure. Examples are the effects of Direct Containment Heating, the high-pressure core meltdown and the hydrogen problem. With these results, the knowledge about the risks of nuclear reactor accidents was extended dramatically.

Another lesson from generic risk assessments was the result of French studies showing that the risks of shutdown states should not longer be neglected. Conclusions were drawn from the results of these generic risk assessments, for example the implementation of accident management measures, the installation of catalytic hydrogen recombines, or the revision of the instructions for the shutdown states of the plants.

The results of plant-specific probabilistic safety assessments also revealed important insights. In particular, a lot of safety-related weaknesses and vulnerabilities were found in nearly every plant. In many cases, these facts were caused by non-compliance with the deterministic safety requirements. Depending on their probabilistic significance, different kinds of backfitting measures were provided. Perhaps more important than probabilistic numbers is the fact that through the analysis the operator gained a more profound understanding of his plant and that deficiencies were found which were corrected spontaneously.

It can be stated that existing PSA have led to important progress in the knowledge about the risks of nuclear accidents as well as about the safety characteristics of individual plant. In many cases the results of PRA were used for improvements and backfitting measures so that a significant gain in safety was achieved. On the other hand it cannot be ignored that PSA results can be misused as

46 justification to tolerate safety deficiencies or cases of non-compliance with fundamental requirements. There are many cases in which probabilistic numbers are used as an argument to classify corrective measures as not urgent even if fundamental deterministic principles are concerned. Numerous cases are known from the past in which probabilistic arguments were misused in the described sense. This kind of misuse is encouraged by the high degree of subjectivity which can influence the scope and the result of probabilistic assessments. This is another fact beside the insufficient quality described in chapter 3 - that diminishes the value of absolute probabilistic numbers.

6. RECOMMENDATIONS In the preceding chapters several arguments have been put forward against the introduction of risk- informed regulation in the nuclear industry at the present time and for existing nuclear power plants. This does not mean that the benefit of PSA for nuclear safety is disregarded or underestimated by the author. On the contrary, PSA are regarded as an excellent tool to gain deeper insights into the safety and risk characteristics from a generic point of view as well as for individual plant. Particularly for the identification of weakness and vulnerabilities of plant design features, PSA are a modern and highly effective instrument. This is also valid for its application in comparative decisions and for the prioritization of different measures.

Fore these applications, PSA can be used in regulation processes. So far, the further development and a higher degree of standardization are not only desirable but also necessary. Corresponding efforts should be supported as far as possible. It should be an important goal that for each nuclear power plant in the world a comprehensive and high-quality level 2-PSA is performed as soon as possible and that this PSA shoul d be renewed continuously in the sense of living PSA. With this approach, the highest profit of the probabilistic tools can be achieved. On the other hand, it should be avoided to stretch the probabilistic tools in areas where PSA have weakness or to pose question on PSA which cannot be answered by technical experts but only by society and policy. Absolute probabilistic numbers are useless as long as society and policy have not defined what risk is acceptable or not. PSA experts can only analyse and give answers to technical questions. They cannot replace risk acceptance criteria. PSA cannot replace deterministic principles like the defense-in-depth concept; they can only complement them. Probabilistic tools are most useful and effective for enhancing safety. PSA should not be misused to justify deterministic deficiencies; this would limit the profit of probabilis tic tools and their future importance drastically.

47 XAO102771 IAEA-CN-82/58

A FRAMEWORK OF RISK-INFORMED SEISMIC SAFETY EVALUATION OF NUCLEAR POWER PLANTS IN JAPAN

KONDO, S., SAKAGAMI, M.*, HIRANO, M.*, SHIBA, M.* University of Tokyo, Tokyo, Japan *Nuclear Power Engineering Corporation (NUPEC), Tokyo, Japan Fax: +81-3-4512-2799; Email: [email protected]

Abstract

A framework of risk-informed seismic design and safety evaluation of nuclear power plant is under consideration in Japan so as to utilize the progress in the seismic probabilistic safety assessment methodology. Issues resolved to introduce this framework are discussed after the concept, evaluation process and characteristics of the framework are described.

1. INTRODUCTION

Probabilistic safety assessment (PSA) has been applied to improvements in nuclear power plant (NPP) design and maintenance in Japan. Examples are revision of plant maintenance rules, rationalization of in-service testing and inspection (1ST and ISI) of systems and components and evaluation of management measures and procedures against severe accident. Currently it is considered to incorporate risk insight obtained through PSA into safety evaluation of NPPs for external events.

The present paper describes a framework of plant safety evaluation for earthquake based on seismic PSA under consideration. It includes determination of design basis earthquake, acceptable response of structures, systems and components (SSCs) to the design basis earthquake at basic design review stage, and evaluation of seismic risk of detailed design at detail design review stage. After that several technical problems to be solved for applying the framework are summarized.

2. BASIC CONCEPT OF CURRENT SEISMIC DESIGN METHOD

Currently seismic design and safety evaluation of NPP in Japan is performed by the deterministic method. In seismic design SSCs of NPP are categorized into class A and others based on their seismic importance: SSCs which are highly important to safety are categorized into class A and most important facilities of class A such as reactor pressure vessel are categorized as class As. And it is demonstrated that the response of SSCs in class A is within an elastic range against design basis ground motions due to postulated earthquakes around the site. It is also demonstrated that SSCs in class As will not lose their safety function against an extreme ground motion caused by the limiting earthquake. Postulated earthquake is determined based on evidences of past damaging earthquakes and information about active faults which have evidence of dislocation up to recent eras. The limiting earthquake beyond design basis earthquake is determined by taking into account the existence of active faults with lower activity, seismo-tectonic structure and the near field earthquake due to unidentified active faults in the vicinity of the site.

3. NECESSITY OF INTRODUCTION OF PROBABILISTIC METHOD INTO SEISMIC SAFETY EVALUATION

In this procedure there is a possibility that an unreasonably large earthquake of a quite low expected frequency controls the design basis ground motion. It is known that there is a large variability in the design basis ground motion. Experts have relied on their judgment as to the majority opinion in the

48 academic society to prepare so-called conservative set of ground motions and design parameters for both safety design and licensing application and safety evaluation in the licensing review process till now. In this case there is a question how conservative is conservative enough and who should right expert to do such judgment. It is difficult to find appropriate and rational answers to these questions in the current framework.

4. PROPOS ED FRAMEWORK OF SEISMIC DESIGN AND SAFETY EVALUATION

In order to overcome or circumvent these difficulties, we are deliberating a new framework for seismic design and safety evaluation of NPP. A schematic diagram of the proposed framework of seismic design and safety evaluation is shown in Figure 1. In the current framework it is confirmed that important SSCs do not lose their safety function. The proposed framework has two review stages: basic design review stage - evaluation of design basis ground motion and basic design concept of a plant — and detailed design review stage — evaluation of detailed seismic design and seismic risk of a designed plant.

In this framework a plant will be designed such that the plant has seismic safety level enough and rational to meet the safety criteria (safety goal). A concept of 'risk' or 'safety level' is explicitly introduced in each review stage: evaluation of design basis ground motion, basic design and detailed design of a plant.

New key items included in the framework are explained along the figure.

5. SEISMIC SAFETY EVALUATION AT BASIC DESIGN REVIEW STAGE

It is required to demonstrate at basic design review stage that design of SSC of a plant withstand maximum-scale earthquakes predicted for the site in such a way that no failure and no loss of functions of safety related systems occurs. Particularly it is important to evaluate and review on the level of design basis ground motion and the level of a margin for seismic response (stress or strain, etc.) to its permissible limit.

The design basis ground motion is evaluated by taking account of seismic hazard evaluation results. That is, the level of the design basis ground motion is determined with the relation to a necessary safety level (permissible expected risk level), in which succeeding seismic design will be expected to meet a safety goal. Rational design basis ground motion can be established by this procedure. For example, when target CDF is assumed to be 10'5/y, design basis ground motion is determined at an exceedance probability of around 10"Vy in the seismic hazard curve, since the ratio of CDF vs. frequency of design basis ground motion is evaluated around 10"1 to 10"2.

At basic design of a plant, necessary safety margin for seismic response of important SSCs can be determined rationally by referring past experiences and insights obtained from seismic risk (safety) evaluation of existing NPPs.

6. SEISMIC SAFETY EVALUATION AT DETAILED DESIGN REVIEW STAGE

At detailed design review stage, it is necessary to evaluate and review from the following two aspects: confirmation of actual seismic margins of SSCs and risk (safety) evaluation of a designed plant. Concerning the first item, it is necessary to evaluate and review on actual (realized) margins for seismic responses (stress or strain, etc.) of designed important SSCs to their permissible limits according to their seismic importance.

Second, seismic safety evaluation for the designed whole plant is performed by the seismic PSA, which should cover by nature the earthquakes beyond the design basis earthquake, in order to

49 demonstrate that the plant is designed safe sufficient to meet a safety goal. Appropriateness of the seismic design is confirmed with the result of the seismic safety evaluation that core damage frequency, for example, meets the safety criteria.

If a safety goal should not be met, modifications in plant design will be required. In an actual case the PSA result is utilized to pick up seismically induced dominant accident sequences and dominantly contributing factors against seismic events. The result is feed back to detailed seismic design of important SSCs to improve plant safety rationally. The PSA result will be used to pick up important human actions at earthquakes also.

7. SEISMIC SAFETY EVALUATION METHODOLOGY

There have been proposed several kind methodologies for seismic safety evaluation methodology. First recommendation and typical one of methodologies is seismic PSA, which includes seismic hazard evaluation, fragility evaluation for SSCs and system analysis for a plant. Another typical one is seismic margin analysis, which gives a seismic margin of a plant against the design ground motion. The latter method can not give a safety degree directly in comparison with a safety goal, and therefore it does not show quantitatively how enough safe a plant is.

There are some other simplified seismic safety evaluation method, for example, a method in which minimal safety systems necessary for safe shut-down survive at a ground motion larger enough than the design level.

8. TECHNICAL PROBLEMS TO BE SOLVED

This framework will be effectively applied to actual plant seismic design and review with the existing methodologies and database. Methodologies necessary to seismic safety evaluation have been developed and trial evaluations for actual plants have been performed. For example, seismic hazard curves were evaluated with experts' opinion and judgment, and core damage frequency for a standard type BWR was evaluated with components' fragility data of our plants. The result showed that the plant has a large seismic margin.

However, it is desired to continue to develop and improve methodologies and database for more effective application, in order to introduce recent and state-of-the-art progress in science and technology of seismology and relating academic field. Examples of technical problems to be improved are shown below. Evaluation methods for design ground motion — faulting models, evaluation of ground motion from unidentified seismic sources, elicitation of expert opinion and judgment, etc. Seismic design and fragility evaluation — design criteria, new categorization of SSCs, components' fragility database, etc. System analysis method — multiple failure problem, effectiveness of redundancy of safety systems and components against earthquakes, etc.

9. CONCLUSIONS

A framework of risk-informed seismic design and safety evaluation of nuclear plant was proposed, and the concept, procedure and characteristics of the framework were described. This framework can realize rational utilization of resources necessary to secure enough safety. This framework can also give much information on residual risk beyond seismic design base, predicted seismically induced accident scenario and relative plant vulnerabilities, important human actions at earthquakes, etc. Cost-effective countermeasures against earthquakes, if required, can be discussed based on this evaluation method rationally.

50 Along this framework practical procedures will be studied in more detail and methodologies and database necessary to the evaluation will be developed for more practical use in our country.

Investigation for Earthquake data siting i Design basis Seismic hazard ground motion evaluation Ref. level i______. Insight from SPSA of Basic design }-- existing Design (Concept) plants criteria Confirm (Licensing) "~"" safety Basic design function review stage Detail design Seismic safety evaluation «-• (Seismic PSA) (Construction permit) Detailed design Fuel loading review stage

Operation

[Current procedure]

FIG. 1. Schematic diagram of a proposed framework of seismic design and safety evaluation.

51 XAO102772 IAEA-CN-82/60

THE USE OF PSA IN THE DUKOVANY NPP AS A SUPPORT TOOL FOR RISK- INFORMED DECISION MAKING

VELEBA, A. Nuclear Power Plant Dukovany Dukovany, Czech Republic Fax: +429618815152; Email: [email protected]

Abstract

A short overview of the PSA activity at the NPP Dukovany is presented. The information on the scope of studies (level 1, level 2, shutdown analyses, fires), 'living' PSA process, upgrade studies are also included. Several PSA applications that have been used as a support tool for risk-informed decision making are mentioned. The more detailed description is connected with the risk monitor application, risk-based evaluation of technical specifications, modifications of the NPP to decrease a risk, ranking of the NPP reconstruction steps dependently on a risk and PSA application during corrective maintenance.

1. INTRODUCTION The PSA studies for Dukovany NPP are being evaluated by the Nuclear Research Institute Rez (NRI). The first version of the level-1 PSA ('domestic study') for the Dukovany NPP was developed in December 1993. The analyses and results were found to be very useful for the Dukovany NPP personnel and for the Regulatory Authority. The PSA study has had a significant influence on improvements to the Dukovany NPP. An important re-evaluation of the PSA concerning secondary circuit breaks was performed during 1994 and finished in 1995. Previously, no credit had been taken of the number of components (including pipings) affected by secondary side breaks. The main results for influenced initiators showed a large increase in the core damage (CD) frequency (steam line rupture, main steam collector rupture, feedwater lines rupture).

In the following years, the PSA activities were covered under Living PSA Project umbrella. The level- 1 PSA study was extended to include other initiating events such as internal fires (1996), floods and consequences of a high energy pipeline rupture. Similarly, modifications implemented at the plant, which included the design changes, equipment replacement and alternations of the operating procedures, were gradually added to the model. In November 1998 the IPERS IAEA team reviewed the Dukovany level-1 PSA.

The current level-1 PSA model reflects all power plant modifications up to December 2000. The model is valid for NPP Dukovany unit within a full power operation (Fire & Floods risk analyses are included) and reflects new symptom-based emergency operated procedures.

Shutdown and low power unit risk analysis, which is also a part of the Living PSA program, was completed by the NRI in the "end of 1999. Study includes internal initiators, fire & floods, analysis of other sources of radioactive releases (spent fuel storage tank) as far as heavy loads initiators. Results have showed for WER 440/213 type comparable level of unit risk during shutdown and low power states with unit risk within a full power operation.

In the last period the Czech Regulatory Authority - State Office for Nuclear Safety (SUJB) has supported with the help of the Science Applications International Corporation (SAIC), several activities related to the applications of PSA techniques. These activities included the completion of a level-1 PSA ('western study'), the use of PSA results to improve the quality of technical specifications (TS), the development of the Dukovany real-time risk monitoring system, and the development of a

52 level-2 PSA. Initial funding for these activities was provided by SUJB. Subsequent support was provided in the form of grants, from the US Department of Energy. On the basis of a 'domestic study', the level-1 PSA for Dukovany ('western study') was completed in December 1994 by SAIC, in co-operation with NRI. This study was the first level 1 PSA completed for a WWER-440/V 213 type reactor by a western firm. On the basis of the 'western study', the risk monitor SAS (Safety Advisory System), was developed by the SAIC in 1995 and the level-2 PSA was prepared within an American grant (provided to the SUJB) by the SAIC in co-operation with NRI in 1998. The level-2 PSA was updated by NRI in 1999. In 2000 Dukovany NPP implemented an advanced risk monitor 'Safety Monitor™' within an American grant by the SCIENTECH.INC in co-operation with NRI.

2. THE DUKOVANY LIVING PSA PROGRAM A Living PSA program has been established as a framework for all risk assessment related work in nuclear power plant Dukovany. A part of the project is a regular maintenance of PSA models and studies due to: • design and procedures modifications; • new data inputs based on collection; • results of new corresponding analyses, etc. Other part of the project is corresponding with a scope extension of PSA models for other operating states (other than a full power operation) and other sources of radioactive releases as a spent fuel storage tank. A level extension and other more detailed analyses like an HRA and dependency analysis are also included in this part of the PSA project. A Living PSA model, which is developed and maintained under this project, is then a base for any type of PSA applications used in power plant.

Main common goal all of Living PSA program activities is to create on NPP Dukovany such an environment in which PSA models and outputs could be used in real operation as a support decision tools. As a part of the Living PSA Program a specific QA guidelines have been developed to assure consistency of all current activities and to establish a system for exchange of information necessary for PSA models maintenance. For all regular activities also specific schedules have: been defined.

2.0E-04 1.77&04 1'84&04

1.5E-04 0)

1.09E-04 9.93E-05 g, S.1.0E-04

I 5.75E-05 Q § 5.0E-05 O 1.74E-05

0.0E+00 1995 1996 1997 1998 1999 2000 Years

FIG. 1: The results Level-1 PSA for full power operation

53 The highest Dukovany priority is the safe operation. Dukovany's goal is to reach the level of nuclear safety which is recommended for new NPPs. The Dukovany's goal for level of CDF for full power operation is 1E-5 year"1. In the past years millions USD were invested for increasing Dukovany nuclear safety. All planned design modifications at Dukovany were assessed by the level-1 PSA model for the evaluation of the risk reduction. Figure 1. represents increasing of nuclear safety at Dukovany during last years.

In past two years two important changes were realised at Dukovany, These changes were main contributors which caused significant CDF reduction. New symptom-based EOPs were implemented at Dukovany NPP in 1999. The value of CDF was reduced from 9.93E-5 to 5,75E-5 year-i. The emergency feedwater supply pipelines were replaced in 2000 and the value of CDF was reduced from 5,75E-5 to 1.74E-5 year*.

3. ASSESSMENT OF NPP DUKOVANY MODIFICATIONS BY THE PSA MODEL All planned modifications of Dukovany units related to nuclear safety are being evaluated from the aspect of the PSA results, and consequently the priorities of those modifications are being established.

The most comprehensive assessment of modifications by the PSA-1 model was done in 1995. The assessment of the impact of the planned modifications on the risk of reactor core melting reduction was carried out for all modifications which can be assessed by the PSA-1 model: • modifications proposed by specification sheets; • modifications resulting from the PSA project; • modifications required by the operational safety analysis report (OSART); • modifications from the list of IAEA recommendations for V213 model.

The analysed modifications can be divided to the following three groups: 1. modifications with impact on reduction of the total CDF; 2. modifications with impact on reduction of the CDF for some initiating events only; 3. modifications with impact on the reliability of the appropriate system only. The last assessment of modifications by the PSA-1 model was done in 2000. The most important planned modifications, and associated CDF reductions, are presented in Table I.

Table I. Overview of modifications which have the greatest impact on the CDF reduction according to the PSA-1 results No. Modification Title CDF reduction 1. Modification of the MOV's operation on the discharge train of the 18% emergency feedwater pumps 2. Installation of special drainage from the room of MCP to the SG room 17% 3. Installation of new automatics for feedwater collectors. 17% 4. Installation of MOV's drives capable to withstand the impact of 15% environment after piping rupture at the level + 14,7m in the intermediate building 5. Installation of pipe whip restraints, supports, protective shields against 14% water jet etc. at the level +14,7m in the intermediate building 6. Installation of the special nozzle on the super emergency feedwater 13% supply lines, possibility to supply SGs by fire protection water. 7. Installation of I&C equipment capable to withstand the impact of 7,5% environment after piping rupture at the level +14,7m in the intermediate building 1 -7 All planned modifications 56%

54 The planned modifications of Dukovany NPP, which will be realised in the next years, should reduce CDF to value 7.7E-6 yeaH.

4. RISK-BASED EVALUATION OF DUKOVANY TECHNICAL SPECIFICATIONS The existing TS for Dukovany had been developed independently by the former Czechoslovak Atomic Energy Commission. The basis for the existing TS did not incorporate risk based insights.

Based on the results of the level-1 PSA study for Dukovany, the SAIC assessed the adequacy of the current TS for the Dukovany plant in 1995. For each TS requirement related to the systems modelled in PSA, the risk increase associated with the unavailability of the specified equipment was evaluated through requantification of the PSA. The accumulated plant risk associated with the unavailability of specified plant equipment was estimated as the product of specified equipment risk and the specified allowed outage time. For this application, the accumulated risk for plant outages was limited to a constant value referred to as the 'fixed safety limit' for configuration risk. Using such a 'fixed safety limit' a safety-based AOT (AOTSB) was calculated for each TS requirement.

On the basis of risk evaluations, a total of 27 changes to the Dukovany TS were recommended. Six areas were identified where the safety of the plant could be greatly enhanced by tightening the existing requirements. Nineteen areas were identified in which plant availability and maintenance efficiency could be improved by relaxing the existing requirements. Two risk sensitive areas were identified which were not included in the current Dukovany TS. Six risk sensitive areas and two proposed new areas were assessed and partially included in the TS. Some conditions from 19 areas were also taken into account in changing the TS.

Currently the Dukovany TS are revised in order to comply with a new 'Atomic Act'. The assessing of the TS was being done also from the aspect of the actual PSA results in co-operation with NRI. The revised Dukovany TS are reviewed by SUJB now. These TS will come in force in July 2002.

5. RISK MONITORING ACTIVITIES AT DUKOVANY The real-time operational safety monitoring system SAS (Safety Advisory System), that was developed by SAIC, was installed at Dukovany NPP and at SUJB in 1995. This project was financed by the SUJB, the IAEA and the US Department of Energy (DOE). SAS contains covered level-1 PSA (Full Power), that was developed in IRRAS code by SAIC in co-operation with the NRI Rez in December 1994.

During 1995 - 1997, all equipment status changes at each unit occurring during full power operation that could potentially impact unit instantaneous risk or were subject to technical specification requirements were analysed using SAS. The collection, analysis and periodic reports of all operational events were performed by the Dukovany NPP Nuclear Safety Department.

For all cases, where risk significant equipment or equipment stated in technical specifications was removed from service to maintenance, the outage risk was analysed. This risk was calculated as the product of the ACDF (the increase in Instantaneous CDF above the Baseline Risk) and the associated outage interval. The operational risk was calculated by summing the outage risk for each individual event during the associated time period.

The possibility to use the same risk-monitoring tool at both Dukovany NPP and SUJB was beneficial for both sides. During 1995 - 1997, the Dukovany NPP three times requested the SUJB to extend the allowed outage time (AOT) for plant equipment. The risk-based Oats were calculated by SAS and SUJB ratified all three requests.

Because SAS is able to solve only Full Power Level 1 PSA which is modelled in IRRAS code and is not able to operate at plant computer network, the Dukovany NPP decided to implement an advanced

55 monitoring tool. In 2000 the SCIENTECH in co-operation with the NRI Rez implemented Safety Monitor (SM), version 2.0, at Dukovany NPP and at the Czech Republic State Office for Nuclear Safety (SUJB). The US Department of Energy (DOE) financed this project. Since that time, both Czech NPPs (Dukovany and Timeline) have been using the same risk-monitoring tool. Now Dukovany is implementing a new version of SM (version 3.0) and during this year shutdown states will be included into SM.

5.1. Corrective maintenance In order to minimize the operational risk, the Dukovany Nuclear Safety Department made a set of recommendations, which resulted in reducing of operational risk. One example is connected with the Dukovany Technical Specifications.

They are very conservative but there were found allowed combinations of the simultaneous equipment unavailability which resulting in the increase in unit instantaneous CDF. The Dukovany Nuclear Safety Department developed a matrix of the allowed combinations of the simultaneous equipment unavailability and their risk so that the Dukovany maintenance planning section could minimize the operational risk. This tool gives an opportunity to the staff, who is not very familiar with PSA, to easily use PSA results. The use of this matrix contributed reducing annual operational risk of Dukovany NPP.

5.2. Probabilistic safety criteria Implicit in the use of risk monitor is the need to define acceptance criteria to support recommendations for managing operational risk. As of now, no internationally recognized methods exist for defining acceptance criteria for PSA applications. Dukovany NPP uses an acceptance criterion which has been used in US NRC research applications [4] and which sets a fixed limit for accumulated risk during plant outage at a level of 5 x 10-7. Using this criterion, risk monitors convert the calculated CD frequency for each plant configuration into a safety based allowed outage time (AOTSB)-

Various concepts of risk acceptance criteria have been used for different PSA applications in different countries. Dukovany NPP would prefer, if the criterion, which compared risk of remaining at power with risk of reactor shutdown was used in future PSA applications [5].

6. CONCLUSION The full scope PSA study for the Dukovany NPP (several revisions) has been prepared during last ten years, which covers internal events, fires, floods, level 2 and shutdown analyses. The PSA level 1 results served as a starting point for reducing impacts of the most significant sequences. Thus, the design changes replacement of some equipment and preparation of new emergency procedures followed. All planned modifications of Dukovany units related to nuclear safety are being evaluated by the operator from the aspect of the PSA results, and consequently the priorities of those modifications are being established. The Technical Specifications were assessed from the point of risk and PSA Study served as a support for Periodical Safety Review. The living PSA program has been established, which regularly takes into account design and procedures modifications, new specific data inputs based on collection and results of new corresponding analyses. The risk monitor has been using at Dukovany NPP since 1995 for managing operational safety. This year shutdown states will be included into the risk monitor and next year the results of level 2 PSA will be incorporated into the risk monitor. The risk monitor will continue to serve as useful tool to form the basis of technical discussions with the SUJB.

References

[1] DUSEK, J., HLADKY, M., PATRIK, M., VELEBA, A., 'The use of PSA in the Czech Republic as a support tool for safety decision', paper presented on the Technical Committee Meeting on 'Regulatory Review of Level 2 PSA and PSA Applications', Vienna (2000).

56 [2] PATRIK, M., et al., 'Living PSA: Probabilistic Safety Assessment of NPP Dukovany', NRI Rez Technical Report, Rez, Czech Republic, (2001). [3] SEDLAK, J., VELEBA, A., 'Development and implementation of the Safety Monitor at Dukovany NPP', paper presented at IAEA Regional workshop on 'The Role of Risk Monitors in Operational Safety' ,Dukovany, Czech Republic, (2001). [4] US NUCLEAR REGULATORY COMMISSION, Regulatory Guide 1.177, 'Risk-Informed Decision making: Technical Specifications, US NRC, (1998). [5] DERIOT, M. S., 'Methods Concerning Risk-Based Assessment of Technical Specifications', 5th International Conference on Nuclear Engineering, Nice, France, (1997).

57 XAO102773 IAEA-CN-82/63

RISK - INFORMED DECISION MAKING DURING BOHUNICE NPP SAFETY UPGRADING

LIPAR M., MUZIKOVA E., KUBANYIJ. Slovak Nuclear Regulatory Authority Bajkalska 27, P.O. Box 24 SK-820 07, Bratislava 27, Slovakia Fax: +421753421015; Email: [email protected]

Abstract

The paper summarizes some facts of risk-informed regulation developments within UJD regulatory environment. Based on national as well as international operating experience and indications resulted from PSA, Nuclear Regulatory Authority of the Slovak Republic (UJD) since its constituting in 1993 has devoted an effort to use PSA technology to support the regulatory policy in Slovakia. The PSA is considered a complement, not a substitute, to the deterministic approach. Suchlike integrated approach is used in decision making processes and the final decision on scope and priorities is based on it. The paper outlines risk insights used in the decision making process concerning Bohunice NPP safety upgrading and focuses on the role of PSA results in Gradual Reconstruction of Bohunice VI NPP. Besides, two other examples of the PSA results application to the decision making process are provided: the assessment of proposal of modifications to the main power supply diagram (incorporation of generator switches) and the assessment of licensee request for motor generator AOT (Allowable Outage Time) extension. As an example of improving support of Bohunice V-2 risk- informed operations, concept of AOT calculations and Bohunice V-2 Risk Monitor Project are briefly described.

1. INTRODUCTION Since 1990 a comprehensive safety re-assessment of WWER 440 reactors operating at Bohunice NPP has been performed. Among different reasons for safety re-assessment there was lack of information on the design and operational status of WWER plant. Western regulators and operators suspected WWER reactors from inadequate application of recognized safety principles such as defense in depth, application of Single Failure Criterion, identification of Common Causes etc.

In the period of design and operational safety review of WWER 440 reactors from among number of internal and external engineering organizations, the IAEA has played significant role. Number of missions took place at Bohunice NPP. Both Bohunice V-l and Bohunice V-2 plants were subjects of those missions. Result of safety re-assessment of WWER 440 reactors was summarized by the IAEA that finally published two different Issue Books, each for relevant reactor type. Issue Books contain safety issues ranked into categories based on degradation of Defense in Depth. Methodology used for safety re-assessment was based notably on deterministic approach and PSA was limited only to reliability analysis of some safety systems, since there was no PSA technique in use in Slovakia at that time.

First PSA Level 1 study was performed by UK company Electrowatt in co-operation with national engineering companies RELKO and VUJE Trnava in 1994. Bohunice Unit 1 (WWER 440/230) was taken as a reference unit for the study. During the course of the work that was financed by a PHARE programme, two IAEA international peer review service missions (IPERS) reviewed quality of the study. PSA of Bohunice Unit 3 (WWER 440/213 design) was undertaken by national companies RELKO and VUJE. This PSA model was also subject of an IAEA review mission.

58 2. DEVELOPMENTS TOWARDS RISK-INFORMED APPROACH

2.1. Legislative framework In order to promote PSA studies to become obligatory tool for assessment of safety of operating units, UJD has issued a regulatory guide on PSA [1], which is not obligatory for performers and users of PSA analyses, however it provides valuable comprehensive information regarding the framework of Probabilistic Safety Analyses Level 1 and Level 2.

Besides PSA methodology, the guide also determines a set of probabilistic safety criteria (PSCs) to be accomplished. There is a strong support to use PSA methods for prioritization of upgrading measures, analyses of individual contributions to risk reduction and for comparison of interim indicative safety targets, values of them are still under discussion within UJD.

Nevertheless, in accordance with current common practice accepted in most PSAs of proved reactor designs, probabilistic safety criteria have been set at the level of core damage frequency (CDF) and probability of safety system and large early release frequency with the following values: • CDF < 10'4 per reactor year; • reactor protection system failure probability < 10'5; • safety system failure probability < 10"3; • screening criterion for external events <10"7 per reactor year; • large early release frequency <10"6.

However, according to the UJD standpoint, decision is not made based solely on PSA results and conveniently combined deterministic and probabilistic approach is being applied. PSA results are used notably to: • identify weaknesses in the design and operation of NPP; • compare the safety level against recommended safety target; • set priorities among improvement measures with respect to most contributing one to the risk reduction; • assess modification of the design and operating procedures; • assess modification and optimization of technical specifications.

2.2. Reasons for incorporating risk-informed regulatory approach

The main driving force behind the movement towards risk-informed approach is the perception, that use of risk insights can result in both improved safety and a reduction in unnecessary regulatory requirements, thus in improvement of regulatory effectiveness.

Some essential reasons for incorporating risk-informed regulatory approach into decision making concerning safety issues in Slovakia are as follow: effective evaluation of alternative safety upgrading measures, demonstration of improvements in plant safety due to extensive plant modifications, effective improvement of plant safety with limited resources, evaluating and optimizing allowable outage times in risk control.

3. PSA SUPPORT OF SAFETY REGULATION AND PLANT SAFETY MANAGEMENT Since its constituting in 1993 Nuclear Regulatory Authority of the Slovak Republic has devoted an effort to use PSA technology to support the regulatory policy in Slovakia. PSA technology has become a standard tool to further enhance the safety of nuclear installations in Slovakia. Although licensing of nuclear installations in Slovakia is based on deterministic approach, PSA is accepted as a supplementary tool for assessment of safety. Reasons to incorporate risk-informed regulatory approach, allowing an optimization of the safety level while maintaining fundamental deterministic

59 safety requirements, into the policy of UJD have found their practical application notably during assessment of extensive modifications at Bohunice NPP prior their approval.

Major breakthrough towards risk-informed regulation was issuing the Decision-making Act No. 1/94 where UJD presented its commitment to use the results of PSA Level 1 in support of safety decision. The Decision-making Act No. 1/94 referred to the Gradual Reconstruction of Bohunice VI NPP, where for the first time UJD requested operator to perform several analyses based on probabilistic techniques with regard to : the evaluation of impact of proposed modifications to the total plant risk at the level of core damage frequency, identification of major contributors to the risk followed by re- assessing the safety upgrading program, evaluation the possibilities of increasing reliability of emergency and vital power supply system.

3.1. Bohunice V-l Gradual Reconstruction and PSA Application Main Results of Safety Upgrading

The safety of the Bohunice V-l plant has been evaluated extensively by various organizations, including (Czecho-) Slovak and international bodies, against western and international safety standards. These evaluations have resulted in a number of requirements and recommendations for enhancement of the safety of the plant.

The former regulatory body (CSKAE) has extracted from these requirements and recommendations those improvements in safety that had to be implemented in the two stages of the plant reconstruction The first stage, the so-called small reconstruction brought the improvements (81 + 14 short term backfitting measures) necessary to allow the operation of the plant to continue up to 1995.The main results of the small reconstruction, that was completed in 1994 are as follow. • leak before break status for primary pipes; • seismic reinforcement up to level of 8 MSK 64 scale; • reactor protection system improvements, new sensors, new trip signals; • installation of diagnostic systems; • main steam line isolation valves installation; • 6 kV emergency power supply (Category 2) improvement (new DG, train separation); • DC batteries replaced and increased capacity; • confinement leaktightness improvement (reduction factor 100); • fire protection improvement; • emergency operating procedures and surveillance testing procedure implementation; • emergency planning and radiation monitoring improvement. The second stage, the major or the so-called gradual reconstruction required by the UJD and planned for the period of 1996-1999, that was fully accomplished in 2000 has brought further significant safety upgrading allowing the continuation of the plant operation. Some main achievements of the gradual reconstruction should be mentioned as follows: • configuration, capacity, qualification and performance of ECCS to ensure core cooling (two trains of 100% each, HPI & LPI & spray pumps, spray heat exchanger, improved sump design, jet condenser implementation...); • Integrated Reactor Protection System (Reactor Trip System + Engineered Safety Features Actuation System); pressurizer safety valve and pressurizer relief valve qualified for two phase flow; Steam Dump Station to the Atmosphere at each Steam Generator line; independent emergency feedwater trains to SG; new emergency feedwater pumps and tanks; separate redundancies of vital power supply (Category 1); separate redundancies of service water system; reactor power limitation and control system; modification of Post Accident Monitoring System ventilation; new design of Accident Localization System.

60 Essential PSA results:

The scope of PSA studies covers full power mode considering all important initiating events including internal fires and flooding. PSA is usually undertaken for two different plant states: pre-modification and post-modification. Objectives of PSA are to estimate the core damage frequency and to determine dominant contributors to the risk reduction based on proposed modifications. For instance fires were found as the most significant contributor to CDF at Bohunice WWER 440/230 reactors. Number of measures implemented during the course of safety upgrading program in the area of fire safety resulted in reducing of that contributor which is currently almost negligible.

With the primary objective to quantify the benefit of the Gradual Reconstruction from the risk point of view, Level 1 PSA for the full power was performed by RELKO and VUJE, based on PSA model developed for all the design and operational modifications incorporated, thus representing the configuration of the NPP as currently operating.

The calculated core damage frequency value 2.56 x 10"5/reactor year meets the UJD safety goal at the level of CDF as well as on the safety system level, since the results calculated for failure probability of safety systems are less than 10'3.

According to the results of the study, post-reconstruction risk profile consists of the following dominant contributors - the large, medium and small LOCA inside confinement, with their account more than three-fourth of the core damage frequency. These results are heavily influenced by high failure rate to run of HPSI pumps, which are required to compensate losses from reactor coolant system. It is necessary to point out, that, due to the safety system modifications made during Gradual Reconstruction, the importance of these accident groups is greatly reduced, in comparison with pre- gradual reconstruction status.

The reactor transients including loss of off-site power account about 10 percent of core damage frequency. The plant reconstruction decreased their impact on the plant safety, as these categories were more dominant contributors in the former plant PSA studies.

Anticipated transients without scram contribute approximately four percent to core damage frequency. As the external events limited fire and seismic analysis were involved at limited level having contribution to the total risk about 2 percent. Risk associated with shutdown and other low power operation modes have not been evaluated; then extension of the existing PSA by including external hazards in a full range and shutdown mode is required.

Figure 1 shows the gradual improvement of safety:

1.7

Pre-small reconstruction Postsmall reconstruction Postgradual reconstruction (1991) (1993) (2000) FIG. 1. Gradual improvement of safety at Bohunice NPP.

61 Initial (presmall reconstruction NPP state) CDF value was 1.7 x 10'3 / reactor year, after Small Reconstruction state CDF: 8.9 x 10"4/ reactor year; General PSA objectives for Major Reconstruction set by UJD: CDF < 10^/ry, failure probability of safety systems < 10"3 on demand, failure probability of reactor protection system < 10"5 on demand. After Gradual Reconstruction state CDF is 2.56 x 10'5/ reactor year. As one could read from the diagram, the core damage frequency achieved (2.56 x 10'5/ry) meets UJD criteria as well as the INSAG < lO^/ry target adopted by the plant for reconstruction.

3.1.1. Other examples of incorporating PSA results into decision making process concerning Bohunice VI NPP

By means of the PSA technology application, some challenging problems have been solved. Below there are two examples provided with the aim to illustrate how the PSA results have been handled regarding the decision making process.

Assessment of proposal of changes to the main power supply diagram - generator switches

On the basis of requirements specified in the Decision-making Act No. 1/94 and within the basic engineering stage of the major reconstruction, a 15.75 kV generator switch should have been incorporated into the main power supply diagram between the unit generator and the 15. 75 kV house load transformer branch. Besides this, some other ways of increasing reliability of supplying power to emergency distribution sections were proposed: doubling circuit breakers between preferable and emergency switchboards, reconstruction of Madunice hydro power station supposed as another electrical power source, consistent division of emergency and vital power supply of Category I and II into two redundant systems, modifications in alternative, i.e. reserved power supplies of 220/110/ 6 kV. Afterwards, two comparative PSA studies had been developed. The first one had considered all the above proposals without including the generator switches, resulting in CDF of 2.85 x 10"4 reactor year. The second study had considered all the above proposals as well as installation of 15.75 kV generator switches resulting in CDF of 2.57 x 10"4. Based on comparison of these two cases a conclusion was made that due to installing the generator switches CDF would not be decreased noticeably. On the other hand, it was shown that by means of some other measures, particularly by introducing symptom orientated emergency procedures CDF could achieve even lower value. The generator switches have not been installed eventually.

Assessment of licensee request for motor generator AOT extension

Another example concerns prolongation of AOT of motor generator as emergency power supply sources in vital power electrical systems of Category I. Based on probabilistic assessment, using PSA model of the unit after the Gradual Reconstruction, prolongation of the AOT from original value of 8 hours, corresponding to basic risk increasing of 10"3 % up to 120 hours (corresponding to basic risk increasing of 0.14 %) had been proposed by engineering company RELKO. In order to be consistent with UJD standpoint, i.e. in all circumstances to keep up enough safety margins, the AOT of 24 hours (basic risk increasing of 0.028 %, i.e. 5 times lower) was originally considered by UJD. Finally, with regard to current maintenance practice at the Bohunice V-l plant, the AOT of 36 hours has been permitted. Corresponding value of basic risk increasing is between 0.028 % and 0. 084 %, what is the value approximately 2 to 5 times lower than the value of basic risk.

3.2. Improving Support Of Bohunice V-2 Risk-informed Operations UJD recognizes, that important contributors to the overall plant risk are shutdown states. Based on the mentioned above, and on international practice as well, a shutdown PSA is being developed for all operating units in Slovakia. As it was demonstrated by deterministic analysis, some events occurring during shut down states may significantly contribute to CDF reduction. Comparison of results from full power and shutdown PSA studies may provoke discussion on potential technical specifications conflict between requirements for operability of safety systems and exceeding of allowable outage times (AOT) of certain component which is temporarily disabled to perform its safety function.

62 Considering the fact that AOT for safety equipment has been determined deterministically, the question could be raised: what kind of risk is acceptable easier: either the risk level associated with the unit shut down or the risk increase referring to a limited period of time [2]. Risk-informed Concept of AOT Calculations

In 1996 UJD requested Bohunice NPP to provide with justification of the existing Technical Specifications by means of PSA technique. In order to cope with this task Bchunice NPP launched a project on Risk Monitor development.

The AOT is trie time the component or system is allowed to be out of service. If the component or system (hereinafter referred to as component only) is not restored within this time, the plant must be shut down. When a component failure occurs, it can be under repair either during power operation or after shutdown of the plant. To make a decision on the optimal strategy, the risk for these two cases should be compared taking into consideration both the outage risk and the shutdown risk [3]. The concept is based on the setting of a reference risk (either the risk of normal plant operation or the risk of manual plant shutdown with or without a component concerned failed), which can be calculated by means of event tree/fault tree method.

There are, in principle, several methods to calculate and limit the risk [4, 5]. Some of them take and some do not take the shutdown and the follow-up start-up risk into account. The eligible possible methods were reviewed by UJD and discussed with the utility and RELKO. As the model and results of the shutdown PSA of the plant have already been available, the method chosen is based on them. The AOT is calculated by the following formula: (i) (0) AOT < CDP sd / CDF® - CDF (l) where CDP sa is core damage probability for manual shutdown and follow-up start-up of the reactor when component i is unavailable, CDF(0) is core damage frequency under normal power operation, when none of the components concerned is unavailable and CDF(l) is core damage frequency under continued operation, when component i is unavailable. Regarding the assumption made using this (l) method, it concerns limits of shutdown risk CDP sj When component i is unavailable, in AOT calculations continued operation risk and shutdown risk are compared. The shutdown risk comprises risk when shutting down, risk during the shutdown period and risk when increasing power. Assuming that shutting down is covered in an event tree in the shutdown PSA model, only the risk during the shutdown period is to be considered, which results in shorter AOT calculations. This method gives rather more conservative results than a similar one applied in [6], where 'acceptable risk in continued operation' as multiple CDF(0) reference value of risk was used.

As regards UJD standpoint to ALARA concept, in essence, a small risk increase to achieve a large economic gain fits the policy of the authority (provided the risk remains within safety goal limits), in which probabilistic safety criteria or safety goals are typically viewed as interim aspiratory targets. Suchlike approach has also been applied to some extent to gradual major modification/reconstruction process of the older Bohunice WWER 440/230 V-l NPP.

Bohunice V-2 Risk Monitor Project

To place more risk-based information in the hands of regulators and Bohunice WWER 440/213 (V-2 NPP) plant staff, i.e. planners, schedulers and operators and to provide another tool for them, UJD initiated a risk monitor project. The regulators and the plant personnel are beginning using the Equipment Out of Service (EOOS) monitor software to evaluate on-line maintenance schedules to minimize high-risk configurations. Monitoring component outages, changes in AOT, changes in repair and maintenance strategies including surveillance test intervals are furthermore considerations. The software, developed under EPRI's Risk and Reliability (R&R) Workstation program, applied by company SAIC (now Data Systems and Solutions) in cooperation with RELKO and the utility is a dynamic tool that performs real-time calculations of the plant risk.

63 The model and outcome of PSA Level 1 study of the plant (full power mode, considering all important initiating events including internal fires and floods) which was conducted when updating the Safety Analysis Report after ten years of operation [7] within periodic safety evaluation process has been the systematic basis of these efforts.

The information obtained by Risk Monitor usage is of great interest of NPP management as well as of UJD, what is proved by including the value of cumulative CDF into the framework of plant safety performance indicators, which are evaluated against valid performance indicators numerical targets. The goals set for every upcoming year are stricter than the goals for the previous year in order to assure continuous improvement of the nuclear safety.

4. CONCLUSIONS There is a commitment of Slovak regulators and operators to change and the change is in the direction of risk-informed regulation. The transition to risk-informed regulation has been taking place gradually since 1994, when for the first time Probabilistic Safety Analysis Level 1 was used in support to safety decisions. Considerable results were achieved with regard to the Gradual Reconstruction of Bohunice VI NPP, especially with the aim to prioritization of the safety measures implemented and to the evaluation of their impact on the overall plant safety. Major risk contributors have been significantly reduced and the value of CDF achieved meets the INSAG target adopted by the plant for reconstruction.

Other activities conducted at Bohunice plant and supported by UJD representing comprehensive applications of PSA technology to assess operational risk issues are mainly focused on the risk- informed AOT calculations and Risk monitor project. Both last mentioned areas are supposed to be adopted and used also at the other Slovak nuclear power plants.

References

[1] KHATB-RAHBAR, M., KUBANYI, J., HUSARCEK, J., The use of PSA Methodology in Regulatory Activities. Safety Guide BNS 1.4.2/1999, UJD SR Bratislava, (in Slovak) (2000). [2] KUBANYI, J., DUCHAC, A., 'Incorporation of PRA into the Regulatory Decision and Policy Making in Slovakia', Proceedings of the International Topical Meeting on PSA'99, Risk- Informed and Performance-Based Regulation in the New Millennium. Vol. 2, p. 1245-1250, Washington DC, (1999). [3] MANKAMO, T., KIM, I. S., SAMANTA, P. K., 'Risk-based evaluation of allowed outage times (AOTs): Considering risk of shutdown', IAEA-TECDOC-737 Advances in reliability analysis and probabilistic safety assessment for nuclear power reactors, IAEA Vienna, (1994). [4] HIOKI, K., KANI, Y., 'Risk-based evaluation of Technical Specifications for a Decay Heat Removal System of an LMFBR Plant', Technical Committee Meeting on the Use of PSA to evaluate NPP Technical Specifications, IAEA Vienna (1990). [5] SAMANTA, P. K., KIM, I. S., VESELY, W. E., Handbook of Methods for Risk-Based Analyses of Technical Specifications. NUREG/CR-61418, US NRC, (1994). [6] SANDSTEDT, J., Demonstration Case Studies on Living PSA. (NKS/SIK-1 (92)27). SKI Technical Report No. 93:33. SKI, Sweden, (1993). [7] KOVACS, Z., etc., PSA Study of Unit 3 Bohunice NPP after Modification. Report RELKO No. 1R0195, Bratislava, (1995).

64 XAO102774 IAEA-CN-82/65

STRUCTURING A RISK-INFORMED AND PERFORMANCE-BASED PROCESS FOR OPTIMIZATION OF REGULATION FOR LAGUNA VERDE NPP

RODRIGUEZ-HERNANDEZ, A. Comision National de Seguridad Nuclear y Salvaguardias Dr. Barragan 779 Col. Narvarte C.P. 03020 D. F. Fax: (+52) 50953293; Email: [email protected], [email protected]

Abstract

This work describes the plan for a process to incorporate into the regulatory activities the risk information derived from probabilistic risk assessments, as well as information generated, by the periodic evaluation of the Maintenance Rule (MR, 10CFR50.65). The current status of the Laguna Verde NPP (LVNPP) risk analysis, PSA Level 1, allows determining in a reliable way the accident scenarios and the involved systems having significant impact on safety. The determination of system's risk significance allows carrying out a prioritization of safety issues to be evaluated and inspected; for example, operational events, changes to technical specifications, design modifications, inspection priorities, etc. In addition, complementary and basic information are the results generated by the performance monitoring of structures, systems and components (SSCs) under the scope of the MR. The SSCs performance trends are indicatives to focus evaluation and inspection activities on important issues. Then, with the reportability in short periods the performance evaluations of SSCs and the incorporation of a process of risk management, the evaluation and inspection activities will be directed to those risk significant systems showing degraded performance. Therefore, based on systems performance results and risk information, it is feasible to have certain flexibility or a better balance between the regulatory requirements. Inside this process, a consensus is needed with the utility to establish quality attributes for the plant-specific PSA, as well as the rules to be followed in the use of this tool and the kind of information to be reported for MR results.

1. INTRODUCTION The Laguna Verde Nuclear Power Plant (LVNPP) is located in the coasts of the Gulf of Mexico. This nuclear plant has two reactor units of the GE BWR/5 type with Mark II containment. For Unit I a PSA Level 1 [1] has been completed and the PSA Level 2 is in regulatory review phase. This PSA Level 1 will be applicable to the Unit 2 after a comparative analysis to account for design differences between both units. Since 1992 the .Mexican regulatory agency (CNSNS) and the national utility (CFE) initiated some plans to use the PSA to address improvements in the regulatory requirements for operation and maintenance of LVNPP. In this stage, workshops on PSA application and seminars for maintenance optimization were organized. The benefits of this effort were used to solve some specific issues related to requirements surveillance testing and maintenance of equipment. The following sections include an approach to use PSA information and results of safety indicators including results from the maintenance rule program. In 1994 the utility was required to implement the regulation from 10CFR50.65 [2]. In the initial phase, CFE and CNSNS developed in parallel way the selection of SSCs and the corresponding determination of risk significance for each SSC, both set of results were compared. Later on, CFE continued with the selection of criteria for monitoring SSCs performance, such as number of functional failures per year, and unavailability, among others. In a first inspection on MR implementation, with the purpose of observing results for SSCs performance, an agreement was made for reporting the results of the SSCs performance monitoring every three months during an operational cycle for each reactor unit, including shutdown stages. During a following inspection, it was determined that CFE should form a panel of experts for the interpretation and decision making on the results of the MR. Finally, during the second half of the year 2000 the utility was required to comply with the requirements of the 10CFR50.65(a)(4), related to the assessment and management of risk increases.

65 2. RISK INFORMATION In this section the results of the PSA Level I are described, about dominant accident sequences and most safety significant systems for core damage frequency (CDF), and risk impact assessment for inoperability of significant Systems. It is also described briefly the way these results have been focused. Results of PSA Level 2 are not described because this study is in final phase of regulatory review.

2.1. Significant accident sequences and systems Figure 1 shows, in terms of percentages, the contribution of the most important accident sequences to core damage risk. As it can be observed, the most dominant accident sequences are the sequences of loss of offsite power (SBFl/2) followed by sequences of ATWS and DC power. Sequences can also be observed with minimum contribution as losses of coolant, among others. The CDF of the Unit I have a value of 3.5-10"5/year.

•OATVSS

FIG. 1. Contribution of accident sequences to the risk of core damage -Unit 1 [1,3].

Analysing in more details the results of the PSA Level 1, the systems and components having higher importance to avoid risks of core damage can be identified, it is on these systems and components where the attention and resources of the regulatory activities should be focused. The following table [4] shows in order of importance (class) some risk significant systems, joined with risk-based calculations for maximum surveillance test intervals and maximum times allowed for inoperability.

Table I. Summary of risk-based AOT/STIs compared to technical specifications requirements. Surveillance Test Intervals System Allowed Outages Times Class dmax TS Class Tmax TS Diese! Generator DG-1A/1B/1C 1 2 3 1 14 7,31 High Pressure Core Spray 1 2 U 1 S3 31,91 Batteries 2A(B)-125-DC 1 2 2 tars 1 14 7,91 Batteries 250-DC • 1 3 not ia TS 1 20 not is TS Reactor Core Isolation Cooling 1 4 14 2 92 31,91 RHR Suppression Pool Cooling - A/B 2 29 3 3 366 91 Low Pressure Coolant Injection - A/B 3 » 7 3 36S 31,91 Low Pressure Core Spray 3 » 7 3 » 31,91 Low Pressure Coolant Injection - C 3 » 7 3 » 31,91 Class 1: Unacceptable, 2: Important, 3: Non-important. Time in days.

The determination of the risk significant components involves those systems and components modelled in the PSA Level 1 using the typical risk importance measures. For Maintenance Rule

66 purposes, other systems not explicitly modelled in PSA may be classified in terms of risk through an analysis to search for relationship to those systems and initiating events modellled in PSA. Other SSCs are defined as risk significant or non-risk significant considering containment functions and radioactive release prevention.

2.2. Risk assessment of inoperable equipment As an approach for assessing plant risks [4], a review of LV operational experience was carried out for the Unit 1 7th cycle of operation. In this first approach, the review was conducted to identify the unavailability of single systems to observe the risk profile. The results shovm in Figure 2 take into account inoperability of four risk-significant systems. These systems are HPCS, RCIC, Batteries 125 VDC, and RHR. Before plotting the CDF profile, an assessment of the loss of system's function in each case was performed without considering the time of function unavailability. In the risk profile, some instances of high-risk level can be observed, but achieving levels below a risk criterion used in [3,4] for instantaneous risk, 10 times the baseline CDF.

1.8E-04 i

1.0E-04 a o 8.0E-0S

6.0E-05

4.0E-05

2.0E-05

O.CIE+OO

g g time

FIG. 2. Risk profile - Instantaneous risk for single inoperabilities of 4 significant systems.

These risk levels seem to have a well-defined frequency. In order to get more accurate results, a rigorous research for function availability of redundant systems should be done, which could give a lower risk level for each case, or unavailability of other systems giving higher risk levels. In conclusion, as required by the Maintenance Rule [2,5], some activities must be done for management and control of plant configurations before entering into maintenance or surveillance activities programmed for single systems or combinations of them.

3. PLANT PERFORMANCE INFORMATION The information determined to be useful inside the process here described are the derived data from the Maintenance rule program to monitor the maintenance effectiveness, as well as the results of performance indicators. This way, the identified safety indicators are: the results from performance monitoring of systems and components in the MR, and the performance indicators evaluated by the plant.

67 3.1. Maintenance Rule requirements The implementation of the 10CFR50.65 regulation was required to LVNPP. In summary, the MR was applied to safety related systems and to those non-safety related systems described in paragraph 10CFR50.65(b), more systems in technical specifications with possibility to cause changes in the modes of reactor operation (CFE criterion). Then, a process for determining systems' safety significance is applied and, based on safety significance, one or more parameters are assigned to monitor the SSCs performance. Based on the resulting performance and the application of corrective actions, monitoring levels are applied: monitoring (a)(l), strict; or monitoring (a)(2), normal. Also, according to the paragraph 10CFR50.65(a)(4) [5] an assessment and management of risk must be done before putting equipment out of service, identified as risk significant. Finally, an evaluation of all the MR and maintenance activities for the whole cycle (operation + shutdown) must be made, to prepare a report reflecting the evaluation of maintenance effectiveness and corrective actions in deficient areas.

3.2. Maintenance Rule results For the process of maintenance rule implementation, from 223 systems, 128 systems were selected to be under the scope of this regulation. After applying the selection criteria for systems to be under the scope of the monitoring for maintenance rule, the following set of systems was obtained. Some systems appear in different groups.

Table II. Systems of Laguna Verde 1 in the maintenance rule requirements. Total analysed systems: 223 Systems in MR: 128 Safety related 29 Non- safety related 56 In Technical Specifications 64 In Emergency Procedures 11 Systems to mitigate transients 29 Non-safety related whose failure prevents fulfillment of a Safety Related function 12 Non-safety related causing scrams or SR actuation 57

After selecting the maintenance rule systems, the determination of the risk significance for each system was carried out. Using the PSA Level 1 results, the safety significance was determined for some of the 128 systems with the criteria shown in Figure 3 together with the results for LVNPP Unit 1. According to risk significance criteria, the significant systems are those in Categories I, II and III, and the systems contributing to 90% of CDF; and the non-significant systems are those in Category IV. An analysis of the initiating events was performed to include systems not considered in an explicit way in the PSA. Additional considerations were used to assign risk significance categories to the systems not modelled in PSA, neither explicitly nor implicitly. Taking as basis these risk categories, the corresponding criteria (parameters) were assigned for performance monitoring, these are: specific criteria for significant systems, and plant level for criteria for non-significant systems. The specific criteria are unavailability and reliability; and the plant level criteria are: number of scrams per 7000 hours of criticality, unplanned capability loss factor, number of entrances to special reports, and number of entrances to internal reports.

Risk Systems 1 Category I 27 Risk significant SSCs [6]: ent \ Category II 10 SSCs in categories; |2.0 plus SSCs accounting for Category III 39 1uc 90% CDF. Category IV 52

Total: 128 Risk/ * 1.005 Risk Reduction Worth FIG. 3. LVNPP categorization of systems in the MR.

68 Within the agreements in the implementation program, it was accepted to account for only one previous cycle (shutdown + operation) for initial evaluation of systems performance, and for the following period of evaluation, to emit every 3 months a systems performance report. The results of performance monitoring for the systems of both reactor units are shown in the following table [7]. The number of systems in (a)(l) monitoring increases not much from initial evaluation to the last 3-months period report.

Table III. Systems under monitoring (a)(l) - Performance Evaluation! for Units 1 and 2. Level of risk importance Level of risk importance Unit 1 Reports - - Unit 2 Reports I II III IV I II Ill IV Initial 4 1 8 3 Initial 3 2 5 1 1st 3-months 4 1 9 3 1st 3-months 3 2 5 1 2nd 3-months 4 1 11 3 2nd 3-months 3 2 5 1 3rd 3-months 4 1 12 3 3rd 3-months 4 2 5 2 4th 3-months 4 1 12 3 4th 3-months — .. — .. 5th 3-months 4 2 12 4 5th 3-months - — - —

3.2.1. Maintenance Rule considerations It is considered that for satisfactory accomplishment of the Maintenance Rule regulation it is necessary to have an adequate establishment of performance goals and performance criteria for the SSCs to be evaluated through the effectiveness of their maintenance. An adequate performance goals setting can be achieved from plant data and compared to the wide industry experience. In this way, for the maintenance rule implementation, it can give some benefits the execution of an initial evaluation of the maintenance by means of plant data review for determination of the initial status and setting of initial performance criteria, and goals if necessary. Then, in a next performance evaluation, the initial settings can be compared and adjusted. Hence, by means of the analysis of historical data for risk significant systems and their corresponding components, it will be possible to assure an adequate setting of performance criteria and goals for systems with the greatest impact on safety.

3.2.2. Risk assessment and management Regarding the requirements of the MR for the assessment of overall impaict on plant key safety functions before taking equipment out of service, the plant needs to establish an adequate process. This process refers to methods and tools to perform the required safety evaluations, with the use of appropriate criteria to evaluate the safety level for each configuration, considering qualitative or quantitative elements. The assessment of plant configurations during operations at power is focused on safety functions of the systems modelled in the PSA. Using a Risk Monitor based on EOOS [8], the assessment is done under risk terms for annual core damage frequency against specific criteria for risk impact. For assessing and managing risk during shutdown periods, CFE has adopted a methodology based on defense-in-depth philosophy, keeping as many requirements as possible for key safety functions. In the case of the risk monitor, specific risk thresholds will be established to take appropriate actions, according to each risk level present.

3.3. Performance indicators The performance indicators evaluated by the CFE are based on indicators defined by the World Association of Nuclear Operators (WANO). However, the industry guide NEI 99-02 [9] define the indicators: number of unplanned scrams per 7000 critical hours, scrams with loss of normal heat removal, unplanned power changes per 7000 critical hours, safety system unavailability, safety system functional failure, specific activity of the reactor cooling system, reactor cooling system leakage, emergency preparedness, occupational and public radiation safety, and physical security, These indicators may be required to LVNPP because some are generated in the results of the Maintenance Rule program.

69 4. PROCESS FOR OPTIMIZING REGULATORY REQUIREMENTS In this section the necessary minimum elements are described for improvements in the regulation when incorporating risk information and information of plant operation performance. It is considered that when incorporating plant performance information into the regulation, the regulation becomes outcomes oriented. In a similar sense, when incorporating risk information, the regulation is interpreted as regulation oriented to design and operation, which should be modified, should the need arise, to improve safety if plant performance indicates this way it.

4.1. Elements for the process of regulation optimization The necessary elements in this approach are: identification of parts of the regulation where it is feasible to apply information of risk and plant performance; results of specific risk analysis; results of safety indicators; inspection results; and policy defined and agreed with the licensee for the implementation of this process, as the reportability of necessary periodic information. The following Figure 4 shows the approach for the process of regulation improvement.

The initial scope of this proposed process is focused toward areas of the nuclear safety involving prevention of initiating events, timely response of mitigating systems, and integrity of barriers. In an extensive process other safety indicators can be included, involving other areas as emergency preparedness, radiological protection and physical protection.

Plant operation data

SSCs performance: Risk Inspection safety indicators information results A A

Regulatory requirements ». J Maintenance Rule \ r requirements I Balance of ..—^.j regulatory 1 requirements

r Inspection and Regulatory evaluation decisions and actions

FIG. 4. Process for the optimization of regulatory requirements.

Requirements of the regulation. Inside each aspect of the regulation, several areas exist where the application of risk information is feasible. However, other areas exist where it is not possible to incorporate risk information; and the improvement in the regulatory process should be through other means. Therefore, case-by-case, or area-by-area, those parts of the regulation should be identified where it is possible to use risk information. It is considered that the use of the safety indicators is more extensive and it is only necessary to take this information and use it.

70 Risk analysis. The risk analyses already developed for LVNPP are the PSA levels 1 and 2. The PSA Level 1 was reviewed in very detail, and it is in a updating stage in terms of plant configuration, and incorporation of plant specific data. The results from PSA Level 2 will be considered after concluding the regulatory review.

Safety indicators. It is considered that the indicators of the MR and the performance indicators contained in the guide NEI 99-02 have a very precise meaning in terms of safety, since the systems associated to these indicators have certain attributes of safety, so that it is valid to call them safety indicators if appropriate action thresholds are introduced.

Inspection results. In connection with the inspection results, it is important to implant a process of categorization of inspection findings based on risk to determine the impact level on safety. This way, the derived requirements, operational restrictions or other enforcement will be consistent with safety significance importance and, at the same time a feedback into the inspection pi ans is possible with risk categorization of the inspection findings.

Establishment of policy. Inside the necessary policy, it is in process the revision of a draft guide [10], getting some guidelines from reference [11], this draft will be agreed with this licensee for the use of the risk information, taking into account the concepts of the defense in depth philosophy. This is, deterministic considerations on nuclear safety. That draft guide will contain guidance about specific acceptance risk criteria, among another safety thresholds. Inside the agreements with the licensee, it is necessary to establish requirements of periodic reportability for safety indicators.

5. DISCUSSION AND CONCLUSIONS The safety indicators here presented need to be compared as follows: to compare the performance criteria used in the Maintenance Rule against the performance indicators evaluated by the plant, to avoid duplicity of results, and incorporate indicators from the guide NEI 99-02. Likewise, as in the MR thresholds established for the monitoring of SSCs performance, it is necessary to define action thresholds for the performance indicators. The results of the monitoring of maintenance effectiveness follow a established procedure of documentation and reportability. It is necessary to establish an agreement of reportability for results of the performance indicators not reported by MR. It is important to clarify that there are other areas of the regulation that are out of this proposed process, in which it is possible to introduce improvements. These areas of improvement can be treated through a wider improvement program of oversight like the Reactor Oversight Process [12], which includes additional topics of safety with another type of indicators. An important part in this process is the wide participation of the licensee for the identification and timely solution of the problems reflected in trends performance, showing deficiencies or degradation in important areas for safety. Inside the action plans for prevention and correction of deficiencies it is convenient for licensee to make use, among other considerations, of risk information. The implementation of the proposed process can support decision-makings for better-oriented evaluation and inspection activities, in order to verify adequate accomplishment with regulation.

6. REFERENCES [1] CFE, Laguna Verde NPP. Probabilistic Safety Assessment Level 1 Revision 2.04. Mexico (1999). [2] USNRC, Code of Federal Regulations, 10CFR50.65 'Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants'. [3] CNSNS 'Risk importance measures results for the Laguna Verde PSA Rev. 2.04 and Evaluation of Risk-Criteria for PSA applications', Mexico. (1999). [4] CNSNS 'Development of a Strategy for the optimization of Maintenance and surveillance Testing for Laguna Verde NPP Equipment', IAEA - Coordinated Research Program, contract MEX9294, project concluded. (1999). To be published in an IAEA TECDOC. [5] USNRC, Federal Register, 10 CFR part 50, Final Rule. Volume 64, Number 137, (1999).

71 [6] NUCLEAR ENERGY INSTITUTE, U.S., NUMARC 93-01 Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants' (1996). [7] CFE, Laguna Verde, Maintenance Rule results: Initial and periodic evaluation of SSCs performance. Documented reports, Laguna Verde -1&2, (1998-2001). [8] SCIENCE APPLICATIONS INTERNATIONAL CORPORATION, Electric Power Research Institute. Computer code Equipment Out Of Service (EOOS Monitor). USA. [9] NUCLEAR ENERGY INSTITUTE. NEI 99-02 Rev. 0 'Regulatory Assessment Performance Indicator Guideline', USA, (2000). [10] CNSNS, (Draft) Guide: 'Guidance to use risk information for changes to the license bases', Mexico, (2000). [11] USNRC Regulatory Guide 1.174: 'An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis' (1998). [ 12] USNRC, Revised Reactor Oversight Program.

72 TOPICAL ISSUE 2:

INFLUENCE OF EXTERNAL FACTORS ON SAFETY XAO102775 IAEA-CN-82/03

THE BRAZILIAN EXPERIENCE IN LICENSING ANGRA 2, A 'DELAYED' NUCLEAR POWER PLANT

ALMEIDA, C. National Commission for Nuclear Energy Rua General Severiano - 90 Rio de Janeiro 22294-900 - RJ, Fax: +55215462493; Email: [email protected]

Abstract

The Brazilian nuclear power programme comprises two nuclear power plant in operation from different supplier countries. Furthermore, the second plant, Angra 2, had its construction started in 1976 and only recently in 2000 has achieved full power operation. This paper presents the experience of the Brazilian Regulatory Body in licensing this utility with all the complication arising from the different technologies, and safety philosophy, and the changes in safety standards, owners, suppliers, contractors and operators during the 25 years of construction. The paper presents first a history of the construction and commissioning of Angra 2, and then highlights some of the problems encountered in the licensing process. Some of the difficulties faced by CNEN due to several reorganizations and loss of personnel are also discussed.

1. INTRODUCTION Brazil has embarked in a nuclear power programme in the 1970s by constructing a 600 MWe two loop PWR of American technology. Although the Angra 1 plant was supplied by Westinghouse on a 'turn- key' basis, a full licensing process was developed, based on the Brazilian regulations which were established by the Brazilian National Commission for Nuclear Energy (CNEN) at the time of the project, and which was based on the existing US NRC regulations. This licensing process involved a site approval, a construction license based on the evaluation of a Preliminary Safety Analysis Report (PSAR), a authorization for initial operations (AOI) based on the evaluation of a Final safety Analysis Report (FSAR) and a authorization for permanent operations (AOP) based on the results of a detailed commissioning programme. The plant went in operation in 1981.

Through this licensing process, the plant operator, FURNAS, has developed! nuclear power project capability and CNEN, with the assistance of the IAEA and the US NRC has developed its licensing capability.

In 1975, Brazil, signed a large scope technical cooperation agreement with Germany, which involved the transfer of technology for the entire fuel cycle, including the construction eind operation of nuclear power plants. This agreement led to the beginning of the construction in 1976 of the second Brazilian nuclear power plant, Angra 2, a 1300 MWe PWR at the same site of the first plant. The plant was expected to be operational in 1983, and a third plant, of the same design was supposed do be built at the same location with one year shift in the time schedule.

The main supplier of Angra 2 was initially the German company KWU. The architect engineer was a Brazilian company called NUCLEN, a subsidiary of the large company Nuclebras, which was created to implement the Brazilian-German agreement. NUCLEN had also participation of KWU, specially in the technical directorate. Initially, the construction site was to be managed by FURNAS, but later on a construction company called NUCON was created under the Nuclebras umbrella. FURNAS remained as the plant operator almost to the completion of construction when the nuclear area of FURNAS was merged with NUCLEN to form a completely new company called ELETRONUCLEAR, in charge of design, construction and operation of the Brazilian nuclear power plants. Half way through this

75 changing process, KWU became a part of Simens AG, and the role of Simens was substantially diminished with the creation of ELETRONUCLEAR.

The construction progress was very irregular (see Fig. 1). Lots of work was performed in the initial years of 1976 to 1980 and even the main components were manufactured early in 1978. However, significant delays occurred in this period due to the difficulties in the foundation work which used a pile-foundation solution. Then, during the whole 1980s and beginning of 1990s, financial problems and a lower then expected growth in the electric demand led to a slow down in the construction, although the work has never been completely stopped. In 1995 a government decision to conclude the construction led to a re-organization of the companies and a reasonable stable work rate which lead to loading of the core on March 30, 2000, first criticality on July 14, 2000, first grid connection on July 21, 2000 and 100% power on"24 November, 2000.

100.00%

77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00

FIG. 1. Construction Progress of Angra 2.

2. THE LICENSING OF ANGRA 2 Angra 2 licensing process was initially proposed to be conducted in several partial licenses, according with the German practice adopted for the Convoy plants. However, after the initial difficulties with the licensing documentation, and due to the requirement of the Brazilian regulation a full FSAR was prepared, according to the format of the American Regulatory Guide 1.70 - Standard Format and Contents for FSAR of Nuclear Power Plants.

The review and assessment carried out by CNEN during the licensing process can be separated in three different periods. At the beginning CNEN had a full licensing capability developed through the recent experience of Angra 1 and the large training programme established for the Brazilian-German agreement, called PRONCLEAR. This initial phase lead to several licensing issues being identified, due to the fact that in general CNEN had more experience than Nuclebras in the licensing of a plant. The typical example of these issues was the problem related to the seismic design of the pile foundation, which lead to additional regulatory requirements and costly construction backfitting.

The second phase corresponds to the de-mobilization of the nuclear programme, and consequent loss of qualified personnel at CNEN, due to attrition, retirement and movement to other areas. Since the whole design and construction of Angra 2 was also slowed down at this time, no real impact on the schedule was noticed due to licensing problems.

76 The third phase corresponds to the resumption of full speed in the construction of Angra 2, and consequent flood of licensing documentation at a time when CNEN had partially lost its competence, and was involved with several other projects such as the operational problems of Angra 1, the construction of the other fuel cycle facilities, the certification of three operating research reactors, and the development of a prototype land-based submarine reactor. Of course, CNEN had difficulties to cope with the increased work load due to Angra 2, and needed additional assistance to adapt to the new safety philosophy of the German design.

3. EVALUATING THE FINAL SAFETY ANALYSIS REPORT (FSAR) The FSAR of Angra 2 was written according to the US NRC Regulatory Guide 1.70. and CNEN intended to make extensive use of the Standard Review Plan (NUREG 800?) of the US NRC in its evaluation of the document. However, differences in safety approaches between Americans and Germans made the task difficult. Moreover, the USA had not licensed a single nuclear power plant in the last 20 years, and its regulations, although very up-to-date in relation to operational issues, lag behind in relation to new design and construction issues. Typical areas of conflict were the new concept of Probabilistic Safety Assessment (PSA), the new areas related to Human Factor Engineering, severe accident considerations and the topic of verification and validation of computer software. These required several 'ad hoc' decisions, which combined the German experience with formal American requirements, taking into account new guidance provided by the IAEA recommendations. Some of these issues are still under discussion and a final decision will be included in the terms and condition of the Authorization for Permanent Operation (AOP), still been prepared.

An example of such decision is related to the area of PSA. CNEN has accepted for the Authorization for Initial Operation (AOI) the presentation of a comparative study of Angra 2 with a modern German plant for which a PSA is available, together with an identification of differences and their impact on the overall risk. However, CNEN will require a plant specific PSA to be developed for Angra 2 in the near future, as well as the application of the PSA study to operational and licensing decisions.

Another example of differences between American and German approach is related to operational technical specification. CNEN has required that a set of Technical Specification be developed for Angra 2 using the same model used in American plants and also in Angra 1. Since German plants usually do not develop such documentation, this has cause a major difficulties, because the task is much complex due to the design differences, specially the different degree of redundancy (2x 100% in USA, 4 x 50% in Germany) and the presence of a limitation system in Angra 2.

A third example of difficulty relates to the considerations of human factors. CNEN has required a presentation of a Chapter 18 in the FSAR evaluating the man-machine interfaces and other human factor considerations. ELETRONUCLEAR had no guidance on how to prepare such documentation for a German plant. After several months of discussion the scope of the chapter was agreed upon between CNEN and ELETRONUCLEAR, but this study is still underway at the present.

4. REGULATORY INSPECTION AND EVALUATION OF THE COMMISSIONING PROGRAMME The German approach to plant commissioning activities differ substantially from the American one. Siemens used to be responsible for all commissioning programme up to 100%, and then transfer the plant to the utility operational responsibility. The procedures adopted in Angra 1, and included in the Brazilian regulations establish that from the time of loading the core on, the responsibility for the plant is transferred to the operating organization. This cause lots of conflicts between German specialists and Brazilian operator. Moreover, on a component or system basis, the 'ownership' and testing status was difficult to be established, leading to CNEN identifying numerous inspection deficiencies, some times even in a non-appropriate way.

The inspection of commissioning test was very difficult for two reasons: first, the German test procedures lack the detailed step-by-step instructions used in USA and to which Brazilian operators

77 and inspectors were used and second, German specialists were used to interrupt test due to difficulties, make adjustments in some components, proceed with the test and review the implications later on, while Brazilian practices required that an interrupted test be re-evaluated before proceeding, and in most case would require a re-star from beginning of the test.

Evaluation of commissioning'test results was also difficult due to the style of German test procedures, which lack specific test acceptance criteria. The development of these criteria was a major effort undertaken by ELETRONUCLEAR during the test phase, which substantially delayed some tests. However, this has made easy for the test results review by both ELETRONUCLEAR and CNEN, with excellent results.

5. CHANGES IN NUCLEAR SAFETY STANDARDS The long delay in the construction of Angra 2 led to the necessity of the adaptation to evolving nuclear safety standards. CNEN licensing regulation itself was modernized with the issuance of CNEN-NE- 1.04 Licensing of Nuclear Installations, in 1984.

Also in the field of Quality Assurance, the IAEA Codes and Guides used in the licensing of Angra 1 and initially for Angra 2, were replaced by specific Brazilian regulation CNEN-NE- 1.16 Quality Assurance for Nuclear Power Plants, which brings the figure of the Independent Technical Supervisory Organization (OSTI) which justified the creation of a Brazilian Institute for Nuclear Quality (IBQN).

In the area of plant operations, the new regulation CNEN-NE- 1.26 Safety in Nuclear Power Plant Operations established most of the requirements for operational control which are now required for the AOP. These include a requirement for managing the overall plant risk which makes the need for a plant specific PSA mandatory.

6. CHANGES AT THE UTILITY SIDE There were several reorganizations of the nuclear power industry during the period, as mentioned above, which culminated with the creation of ELETRONUCLEAR as design, construction and operating company under the umbrella of Eletrobras, the large holding company for the electricity sector in Brazil.

The merge of the nuclear area of FURNAS, a largely hydroelectric utility, with NUCLEN, a relatively smaller engineering company has required a big effort and caused several interface problems, specially because part of FURNAS staff was used to the American style of plant operation and engineering procedures. Also in the area of Quality Assurance, the philosophy of the two organizations were quite different.

However, this merge had also a positive factor, in the fact that now the operation staff of FURNAS had available a large engineering support, not only for Angra 2 operation but also for Angra 1.

7. DIFFICULTIES AND SOLUTIONS AT CNEN The main difficulties at CNEN related to the loss of personnel and consequently of assessment capability. Although some limited replacement hiring was made in the period, the new staff lack the experience of Angra 1 and the possibility of training abroad was very limited under the existing financial limitations.

To overcome these difficulties, CNEN used extensively the assistance of the IAEA, through the request of experts, and an existing cooperation agreement with the Gesellschaft fuer Reaktorsicherheit (GRS) of Germany. More than 30 experts missions were carried out during the licensing process, and specially in the crucial period of 1999/2000 ,13 experts assisted CNEN staff.

78 Additional assistance was obtained in the nuclear research institutes operated by CNEN and, in some instances, in the Brazilian universities.

8. CONCLUSIONS Brazil's international obligations with respect to the Convention on Nuclear Safety require the existence of a regulatory body and a formal licensing procedures for the operation of nuclear power plants. CNEN has being designated as the competent regulatory body, and has made all efforts to discharge its functions accordingly. The assistance from the IAEA and the regulatory bodies of the supplying countries has been shown to be an essential component to develop and keep CNEN competence on nuclear safety matters. Due to the size of the Brazilian programme, it is expected that some of this cooperation and assistance may be necessary still some time in the future.

In spite of all the difficulties,' CNEN has been able to establish itself as a competent regulatory body, with a capable staff and an adequate control over the nuclear power plants in operation in Brazil.

79 XAO102776 IAEA-CN-82/08

NUCLEAR AND RADIATION SAFETY IN KAZAKHSTAN

KIM, A. A. Atomic Energy Committee of the Republic of Kazakhstan Lisa Chaikina str. 4,480020 Almaty, Kazakhstan Fax+ 73272633356; email: [email protected]

Abstract

Major factors, by which the radiation situation in Kazakhstan is formed, are: enterprises of nuclear fuel cycle, including uranium mining and milling activity and geological exploration of uranium; nuclear power plant and research reactors; residues of atmospheric and underground nuclear explosions, which were conducted for military and peaceful purposes at the different test sites; mining and milling of commercial minerals accompanied by radioactive substances; using of radioactive sources in industry, medicine, agriculture and scientific research.

Since 1991, after getting of sovereignty there was started creation of own legislative basis of the country for the field of atomic energy use. It includes laws, regulation and standards for nuclear and radiation safety of nuclear installations, personnel, involved in the activity with using of atomic energy, population and environment. Applicable system of state regulation in this area, including the central regulatory body in the field of atomic energy use and various ministries, agencies and committees, was created. As a result of these reforms, regulatory activities were improved in the country.

This paper presents the current matters of nuclear and radiation safety in Kazakhstan and some difficulties, which Kazakhstan encountered during the transition to an independent state.

1. INTRODUCTION The Republic of Kazakhstan, one of the new independent countries of the former Soviet Union, is located immediately to the south of Russian Federation and west of China. It encompasses over 2.7 million sq. km of land area and has a population of over 14 million. Before disintegration of Soviet Union Kazakhstan had no own legislative base in the field of atomic energy use and had no state bodies, called to execute the control at observance of security measures by atomic energy use. Since 1991, after getting of the sovereignty, Kazakhstan started developing of its own legislative and regulative system in this area, hi accordance with the Decrees of President appropriate structures in Kazakhstan were created. They are: Atomic Energy Agency, as a main Supervising governmental body, National Nuclear Centre combining all nuclear related scientific institutes, and National Corporation of Atomic Energy and Industry Enterprises KATEP. On 14 February 1994 Kazakhstan joined the International Atomic Energy Agency.

The general purpose of activity in the field of atomic energy use in Kazakhstan is safely and effective ensuring safety of the present and future generations and environment protection from radioactive contamination both by normal and extraordinary situation. According to this tasks the Republic of Kazakhstan needs the effective system for the assurance and guarantees for protection of population and environment against the possible negative influence of atomic energy usage.

The present situation in the field of nuclear and radiation safety on the territory of the Republic of Kazakhstan is formed currently by the following main factors. • Activity of the enterprises of uranium mining and milling industry, including geological exploration of uranium: As is known, the Kazakhstan takes one of the first places in the world on quantity of prospected uranium stocks (about 50 % of uranium stocks of former USSR). A long time (more than 40 years) development more than 20 deposits was conducted [1]. The enterprises

80 of this industry branch are located practically on all territory of Kazakhstan. Ulba metallurgical plant in the East of the country produces nuclear fuel for NPP. • Power and research reactors: In Kazakhstan there are 5 nuclear installations, including one nuclear power plant BN-350 in Aktau-city, and four research nuclear reactors of the National Nuclear Centre. One of them is located in Almaty, and three of them are located in Kurchatov- city (on the former Semipalatinsk Test Site). The decommissioning procedure of the NPP BN-350 reactor has started pursuant to the Governmental Decree of 22 April 1999. All research reactors operated so far. • Nuclear explosions: As a result of conduction of nuclear explosions (about 500 atmospheric and underground explosions for military and peaceful purposes) on Semipalatinsk Test Site and other sites were formed the waste of low activity on a surface and average activity in cavities of explosions as a kind of melt mountain mass [2,3]. The volumes of the waste are evaluated as 12.3 million tonnes with activity of surface contamination of 11.6 thousand Ci and underground contamination 12.87 million Ci. • Activity of the enterprises of mining and milling of commercial minerals; containing radioactive elements: Number of Kazakhstan deposits of polimetals, phosphors rare earth contains uranium, which at a production of ores is extracted together with main ores and, as a rule, is not divided and can be accumulated in concentrates, and more often leaves in tailing. On some coal deposits top of a part coal are also accompanied uranium. This coal will not be realised as a fuel, and is subject to radioactive waste management. During the study of the territory with oil deposits were find the areas with soil and industry equipment contaminated by natural radionuclides Ra-226 and Th-232. • Use of radioisotopes in medicine, industry and scientific research. In. Kazakhstan in many branches of medicine, industry and scientific research use a kind of radiation sources. Every year about 100 thousand of sources with total activity up to 25,000 Ci are using. Annually 10 thousand of sources more set out for storage. The radionuclides types of sources are from H-3 to Am-241.

The solution of problems of nuclear and radiation safety of the population and waste safety is possible only at availability of the necessary legislative base and with system of the state; regulation of radiation safety.

2. LEGISLATIVE BASE Before disintegration of the Soviet Union Kazakhstan had no own legislative base in the field of atomic energy use and had no state bodies, called to execute the control at observance of security measures by atomic energy use. The documents, regulating safety of activity in given area, were the Norms of Radiation Safety NRB 76 / 87, Basic Sanitary rules OSP- 72/ 87 and various departmental documents. State Committee on Safely Atomic Energy Use Supervision of USSR (Gosatomnadzor) executed the control in this field.

After getting of the sovereignty in 1991 to the Republic of Kazakhstan were begun and carried out till the present time work on the creation of legislative base in the field of atomic energy use and radioactive waste management based on main principles of International Basic Safety Standards [4]. Thus experience in the field of the nuclear right of a number of advanced countries, such as Germany, Finland Russia, Ukraine was used [5].

At the present time in Kazakhstan there is the following legislation base in this field: In 1997, April 14 the Law on Atomic Energy Use [6] was adopted. The Act defines nuclear energy concepts, sets out a structure for the peaceful use of nuclear energy, the protection of public health and environment, the non-proliferation of nuclear weapons and nuclear and radiation safety. It authorizes the Government to designate those State Bodies, which regulate nuclear and radiation safety and the licensing of various types of nuclear activity. That is the basic Law in the nuclear legislation of the country. In 1998, April 23 the second Law of the nuclear legislation of Kazakhstan was adopted. It is Law on Radiation Safety of Population [7]. This Law aims to protect the population from adverse

81 effects of lionizing radiation. It deals with the right of individuals in the context of such safety, the duties of users of lionizing radiation sources and the responsibilities of State bodies.

Others Laws of the Republic of Kazakhstan in this field are: • on Sanitary-epidemiological Wellbeing of the Population; • on Protection of the Environment; • on Subsoil and Subsoil Usage; • on Licensing; • on Social Protection of Citizens, affected by the nuclear tests at Semipalatinsk Test Site.

Others legislative acts in this field are: • the Decrees of the President, Decrees of Parliament and Government; • decrees about bodies of state management, regulation and inspections; • system of the rules and norms of nuclear and radiation safety; • system of state standards and rules; • system of the documentation of ministerial regulation.

In addition 100 regulation documents more, including acts of Soviet Union and developed in Kazakhstan, as well as Norms of Radiation Safety NRB-99 [8], developed and accepted in Russian Federation in 1999 used now, and Regulation for the Safe Transport of Radioactive Materials, which was elaborated on the base of IAEA Transport Regulation, 1996 Edition No. TS-R-1, and adopted in 1 March 1999 [9].

Republic of Kazakhstan have signed and joined such international treaties and conventions as Treaty on the Non-Proliferation of Nuclear Weapons, Convention on Nuclear Safety, Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management. Thus, Republic of Kazakhstan took obligation to execute the International requirements of safe atomic energy use.

3. SYSTEM OF STATE NUCLEAR AND RADIATION SAFETY REGULATION President, Parliament and Government of Kazakhstan, realizing the high national responsibility in discharging the functions took a decision to create a system of State nuclear and radiation safety regulation. Various State bodies are responsible for the following functions. In accordance with the nuclear legislation of the country Atomic Energy Agency (since 1999 Kazakhstan Atomic Energy Committee (KAEC)) is defined as a Central regulatory body in the field of supervision for nuclear and radiation safety. According to the provision on KAEC adopted by Governmental Decree of 23 September 2000, it is responsible for: • Realization of State Policy in the field of safely atomic energy use. • State control of nuclear, radioactive and special non-nuclear materials, dual-use goods. Providing Regime of Non Proliferation Nuclear Weapons, nuclear and radiation Safety during the using of atomic energy. • Export and import control of nuclear materials, technologies, equipment, special non-nuclear materials, dual-use goods and equipment, radioactive sources and isotope goods. • Preparation of Annual reports connected with safety status of entities using atomic energy. • Development of acts, regulations, standards, rules in the field of atomic energy use. • Licensing all types of activities in the field of atomic energy use. • Consideration and concordance of papers bottomed safety of nuclear installation during the all stages their life cycle. • State account and control of nuclear materials and supervision for providing of physical protection during their storage, transport and use. • Providing and Coordination of co-operation of Kazakhstan Institutions with IAEA and other International organizations in the field of atomic energy use. • Emergency preparedness.

82 • Coordination and organization of research and scientific activity in the country and participation in the international co-operation in the field of atomic energy use. • Preparation of proposals for upgrading and improvement of legislation of the Republic of Kazakhstan in the field of atomic energy use. • Other functions.

The Agency on Health of the Republic of Kazakhstan with its sanitary-epidemiology stations provides medical services necessary for the protection of the public and employees at risk. It is responsible in context of its competence for regulating and inspecting the manufacture, use, storage, transport of nuclear materials and radioactive sources. It also carries out the account all radioactive sources and gives the sanction to work with sources, renders the medical help to personal, which works with nuclear materials. The Ministry of Natural Resources and Environmental Protection is responsible for protection of the environment against radioactive contamination. It co-ordinates the work on investigation of the radiation situation in Kazakhstan and executes the State ecological examination of the projects. Others Ministries and Departments of the Republic of Kazakhstan with their responsibility are: Ministry of Energy and Mineral Resources is responsible for the co-ordination of all types of activity in the field of atomic energy use. The Ministry of Internal Affairs verifies the fire safety and physical protection standards of all facilities which use atomic energy or in which radioactive waste is managed. The Agency on Emergency Situations is responsible for monitoring compliance with measures on the prevention of emergency situations and sets out measures to protect the public against radiation exposure in the event of such situation. The Department of Safety of Industry and Mines, within this Committee, is responsible for the regulating of industrial equipment. All those State Bodies representative the first level of the system of regulation.

The second level is formed by the various national institutions carried out the direct radiation control and measurements. The institutes of the National Nuclear Centre of the Republic of Kazakhstan (Ministry of Energy and Mineral Resources) are controlling the radiation situation at the all territories of nuclear test sites and carried out the measurements of concentrations of radionuclides in soil and water here. State enterprise 'Hydromet' with its network (Ministry of Natural resources and Environmental Protection) carried out control of global fall of the radioactive substances at the territory of the country. Joint Stock Company 'Volkovgeology' (Kazatomprom, Ministry of Energy and Mineral Resources) executes the radiation monitoring at the objects of uranium mining and milling. The control of external irradiation dose and levels of radionuclides in soil, water, food and other products is also carried out by laboratories under the Ministry of Agriculture and different scientific laboratories and various research institutes of appropriate profile.

4. SOME SPECIFIC POINTS OF SAFETY During the transition from the former Soviet Union to an independent state Kazakhstan encounteres some specific difficulties in safely area, which were not before. For example, the spent fuel from NPP, which before was transferred to Russia for storage, now must be storaged in Kazakhstan, because the legislation of Russian Federation forbid to storage the radioactive waste of other countries. Another problem were connected with the necesarity of regulation of personnel of nuclesx facilities activity and assurance of its radiation potection.

Solution of those tasks needs to create the special institutions for design, construction and built of the nuclear entities. It is necessary to develop and implementation of licensing procedure for those kinds of activity, special requirements for personal involved in this activity. Assistance from international organizations such as IAEA, NEA OECD, regulatory bodies of USA, UK, Sweden under different technical co-operation project is very important and topical. Kazakhstan participates in more than ten TC projects during every year. That may be a big project such as Interregional Model project on upgrading of radiation an waste safety infrastructure, in which involved many governmental and research institutions, or local projects for separate organizations connected with the local specific task. We will consider some of those projects.

83 According to the conception of the decommissioning of the NPP BN-350 reactor, the creation of facilities for long-term storage is necessary [10]. For this purpose, we are now setting up a project to build new containers for the disposal facilities. This project provides for the construction of 8 containers with a volume of 200 m3 each. Those containers will be connected with the operating system for the drain gully water. Waste that was collected before will be solidified with concrete and transferred for storage to the BN-350 disposal facility. Storage equipment will be in special canyons covered by stainless steel. Into each canyon there will be a signalling apparatus for the control of the solution level. This project provides a special complex of the measures on technical condition control of equipment during all period of operation.

In connection with the reactor BN-350 spent fuel management the dry storage method has been chosen. The choice of dry disposal is based on the conception used in Argonne National Laboratory (USA) during more than 30 years for storage of radioactive materials of experimental breeder reactor II (EBR-II). This method uses a silo in-ground configuration. The choice is based on detailed options study using the following criteria: • minimize proliferation and safeguards risks; • minimize technical risk; • minimize environmental and safety risk; • minimize political risk; • minimize cost.

Currently the storage siting is carried out. The project will be realized during next 6-7 years. National company KATEP-AE was defined as a main management company on the decommissioning of reactor BN-350.

During all steps of this project Kazakhstan received the assistance from Nuclear regulatory commission of USA. Those were exchange of experience between the Kazakhstan's and international experts during the workshops, seminars and work meetings, technical and financial support.

One of the main encountered difficulties is the necessity of development and implementation of new regulation documents. Assistance of international organizations in this area is very important and useful. So, a good experience Atomic Energy Committee of Kazakhstan received during the participation in the IAEA TC Project KAZ/9/006 'NPP Sitting'. Few regulatory documents on qualification, selection, training and authorization of personnel involved in activities connected with the use of atomic energy were elaborated under support of Division of Nuclear Power (Department of Nuclear Energy of the IAEA) in duration of last two years and now their are used in Kazakhstan. This work is very important for the present and future activity of all entities involved in the field of atomic energy use. Requirements of those documents are mandatory for all entities, involved in this activity. Big variety of Kazakhstan nuclear facilities and considerable amount of personnel involved in nuclear activities in a combination with limited resources dictate outstanding need in an implementation of thought-out, balanced and systematic approach to the development and upgrade of Kazakhstan nuclear training and qualification infrastructure. These considerations were the basis for planning and implementation of the IAEA and Kazakhstan joint activities.

One of the important points of safety is personal dosimetry. During the former Soviet Union this service was provided by the sanitary-epidemiology departments of Ministry of Health. Film dosimeters were used usually. Unfortunately, the power of this service was limited, and it had no possibilities of quality upgrading in this area. Now in Kazakhstan was created the radiation laboratory under support of IAEA Interregional Model project on upgrading of radiation and waste safety infrastructure in East and West Asia, in which Kazakhstan participated from 1996 to 2000. This laboratory uses the modern equipment. TLD-system HARSHAW-6600 is used for providing of personal dosimetry service. Laboratory staff had training in Germany on the base of the Bicron Company, which is one of the leaders in this area in the world. Now laboratory has about three thousand dosimeters, and this service covers about 50 private and state (local and foreign) companies, which conducted the activity in the different area of using of atomic energy.

84 5. CONCLUSION At the present time in Kazakhstan: In the field of Nuclear legislation the Laws on the Atomic Energy Use and on Radiation Safety of Population are elaborated with using of international experience in this area and adopted by Parliament of the Republic of Kazakhstan. National Regulation for the Safe Transport of Radioactive Materials was elaborated on the base of IAEA Transport Regulation, 1996 Edition No. TS-R-1, and adopted in 1999. Some regulation documents of the former Soviet Union, and Norms of Radiation Safely NRB- 99, developed and accepted in Russian Federation in 1999, are used also. The State system, which includes the number of Ministries, Agencies and Committees of Kazakhstan, for the supervision and regulation in the field of nuclear and radiation safely, was created. Atomic Energy Committee controlled all types of nuclear activity by means of licensing. Some specific difficulties in safely area and the way of their solution were discribed also. As shows the experience of international co-operation the paricipation in the different projects of multi-aspect nature is very important and useful.

References

[1] KIM A. A. Environmental restoration plans and activities in Kazakstan. Planning for environmental restoration of uranium mining and milling sites in Central and Eastern Europe. (Proc. Workshop Felix, 1996) IAEA-TECDOC-982, (1997) p. 117-127.

[2] INTERNATIONAL ATOMIC ENERGY AGENCY, Radiological conditions at the Semipalatinsk Test Site, Kazakhstan: Preliminary assesment and recommendation for futher study. Radiological Assesment report series, IAEA, Vienna (1998).

[3] KIM A. A. Resudes from nuclear testing at the Test Site Azgir. Materials of International Symposium on Restoration of Environments with Radioactive Resudes. Arlington, Virginia (1999) p. 5-13.

[4] INTERNATIONAL ATOMIC ENERGY AGENCY, International Basic Safety Standards for Protection Against Ionizing Radiation and for Safety of Radiation Sources. IAEA, Vienna, (1996).

[5] KIM. A. A. Infrastructure on radiation and waste safety in the Republic of Kazakhstan. Materials of Regional Seminar on Aproches and Practices in Strengthening Radiation Protection and Waste Management nfrastructure in Countries of Eastern Europe and the Foirmer USSR. Bratislava (1998) p. 21-22

[6] Law of the Republic of Kazakhstan on Atomic Energy Use, Almaty (1997).

[7] Law of the Republic of Kazakhstan on Radiation Safety of Population, Almaty (1998).

[8] Norms of Radiation Safety, NRB-99, Moscow (1999).

[9] Regulation for the Safe Transport of Radioactive Materials, Almaty (1999).

[10] KM A. A., KRECHETOV S. Radioactive waste management on the atomic energy enterprises of the Republic of Kazakhstan. Proceedings of International Symposium on Technologies for the Management of Radioactive Waste from Nuclear Power Plants and Back End Nuclear Fuel Cycle Activities. Taejon (1999).

85 XAO102777 IAEA-CN-82/10

NUCLEAR INSTALLATIONS IN BELARUS: IMPLICATIONS OF POLITICAL AND TECHNICAL ISSUES

ZAITSEV, S. I. Committee for Supervision of Industrial and Nuclear Safety (Promatomnadzor) Minsk, Republic of Belarus Fax: +375 17 2786083; Email: safeatom@infonet,by

Abstract

The report deals with some aspects of past and present supervisory activities at nuclear installations in Belarus. It briefly describes an existing supervisory system for nuclear installations in the Republic of Belarus, its legislative basis and functions of the supervisory body. Consideration is given to further development and improvement of the supervision in such fields as revision and elaboration of normative documents on nuclear safety, training of inspectors, co-operation with other governmental bodies while examining the nuclear option in the Republic of Belarus.

1. INTRODUCTION Belarus had research nuclear facilities already under the former USSR. The Minsk Nuclear Steam Plant (ASP) was put under construction. Before 1991 USSR supervisory bodies located in the Russian Federation supervised nuclear installations in Belarus. After Belarus gained independence, the Russian side officially notified that all the nuclear installations in its territory to be transferred under Belarus' supervision. A deficit of fuel and energy resources, increase in energy prices made one examine the nuclear option in Belarus. Under these circumstances Belarus' supervisory bodies were faced with an absolutely new task of supervising existing nuclear installations and those to be commissioned. By that time the Committee of Supervision of Industrial and Nuclear Safety (Promatomnadzor) with Nuclear and Radiation Safety Inspection being its part was established through Resolution of the Council of Ministers No. 195 of 21.05.1991.

2. REVIEW OF REGULATORY SUPERVISION SYSTEM Regulatory supervision measures are applied to nuclear materials and facilities including those under IAEA Safeguards. Such facilities encompass sub-critical assemblies, critical stands, storage of fresh and irradiated fuel, vehicles transporting nuclear material. The regulatory supervision begins with design, then comes construction, commissioning, operation and decommissioning.

3. LEGISLATIVE BASIS OF SUPERVISION The legislative basis of regulatory supervision of nuclear installations is: • Resolution of the Council of Ministers No. 195 of 21.05.1995 that entrusts Promatomnadzor with supervisory functions; • Resolution of the Council of Ministers No. 373 of 08.06.1993 that designates Promatomnadzor a national competent authority for nuclear and radiation safety; • Standing Order of State Supervision of Occupational Safety in Industries and Atomic Power Engineering in the Republic of Belarus (approved by Resolution of the Council of Ministers No. 572 of 13.10.1995 as amended by Resolution of the Council of Ministers No. 73 of 18.01.1999); • Standing Order of the Committee for Supervision of Industrial and Nuclear Safety under the Ministry of Emergencies of the Republic of Belarus; • Convention on Early Notification of a Nuclear Accident; • Convention on Assistance in the Case of a Nuclear Accident or Radiological Emergency; • Convention on Physical Protection of Nuclear Material; • Convention on Nuclear Safety;

86 • Non-Proliferation Treaty; • Safeguards Agreement; • other treaties and agreements and normative documents in the field of nuclear safety.

4. PROMATOMNADZOR FUNCTIONS IN REGULATORY SUPERVISION OF NUCLEAR INSTITUTIONS Pursuant to the tasks entrusted by the Government, the Promatomnadzor: • participates in elaboration of state programs for nuclear and radiation safety; • issues licenses for practices involving sources of ionizing radiation and operation of nuclear installations; • performs expert evaluation of design documentation and installations under supervision; • inspects installations under supervision; • examines the staff of installations in normative requirements for nuclear and radiation safety; • keeps the state accounting of nuclear materials and sources of ionizing radiation; • takes measures for physical protection of nuclear material; • co-operates with international organizations and competent authorities of other countries on issues of nuclear and radiation safety; • performs other functions as laid down in the normative documents.

5. NUCLEAR INSTALLATIONS IN BELARUS: IMPLICATIONS OF POLITICAL AND TECHNICAL ISSUES After being operated in Belarus since the early 60s', a research nuclear reactor exhausted its technological opportunities by the mid-80s'. It needed reconstructing in order to increase the capacity. The Chernobyl disaster speeded up a decision to decommission the outdated reactor. The USSR State Supervision of Atomic Energy supervised the working-out of a decommissioning project and initial stage of decommissioning. After 1991 Promatomnadzor became responsible for supervising the decommissioning activities. The fuel elements of the reactor were brought to Russia for reprocessing before 1991. Promatomnadzor inspected critical stands, storehouses of fresh and irradiated nuclear fuel in 1991-1992. As a result of the inspections, the operation of critical stands was ceased, since safety requirements were not met; nuclear material was unloaded and put into storage. A safety, control and physical protection system was upgraded in the pool-type storehouse for irradiated fuel. A new storehouse for fresh fuel meeting safety and physical protection requirements was engineered. At present a neutron generator-driven sub-critical assembly is under operation. In prospect it is possible to reconstruct and commission critical stands. A deficit of indigenous fuel and energy resources, an increase in prices for energy and environmental protection result in the need to find an escape from the energy and ecological crisis. A possible way out is to opt for the nuclear energy. The Republic of Belarus possesses some experience in designing and operating nuclear power plants, the research reactor, critical stands, as well as practical experience of constructing the Minsk NSP halted owing to the Chernobyl disaster. Since 1992 there have been some activities conducted in Belarus to study whether it is feasible to set up aNPP. However the Government of the Republic of Belarus eventually made a decision to put off the construction of aNPP for 10 years. A return to the task of developing atomic power engineering in the republic occurs in an utterly different geopolitical situation with independence being its principal feature. The nuclear technology and its application as a source of energy are inseparably bound up with issues of national and international politics. It is due to not only the need to sign international agreements, treaties and conventions, but to the need to resolve administrative and legal issues, those of NPP siting, safety assessment, training of personnel and experts, improvement of supervision of nuclear installations and many others.

At the 44th session of the IAEA General Conference one touched the issue of constructing a NPP in Belarus. The Agency supported the decision of the Government of the Republic of Belarus to put off the construction of a NPP for 10 years and agreed to render assistance in implementing envisaged scientific and research developments.

87 World experience shows that safe development of atomic power engineering depends not only on scientific and technical issues, but also on legal regulation of atomic energy utilization and technical supervision at nuclear installations. In order to lay legal foundations for peaceful uses of atomic energy, the Law 'On Uses of Atomic Energy and Radiation Protection' is being worked out in the Republic of Belarus with Promatomnadzor experts taking an active part in it.

As experience of nuclear countries shows, public opinion is the major factor influencing decision- making in this field. In the first instance it makes one understand the need for planned and consistent public awareness raising and educational work aimed at those civic strata and organizations that shape the public attitude towards NPPs. It is of special importance in the Republic of Belarus, where the problem of developing atomic power engineering is inseparably associated with the consequences of the Chernobyl disaster. The public attitude towards a possible NPP for a significant fraction of the population is formed in the light of the disaster, which fosters conceptions that it impossible to ensure safe operation of a NPP, that a NPP is not environmentally friendly, that it is highly probable that the accident will recur etc. In this respect it is crucial to shape the public opinion. In this case the supervisory body plays a great role. It is to convince the public of its competence and reliability. The public should look upon the supervisory body as a safety guarantor, since pursuant to IAEA recommendations the supervisory body should be responsible for efficient supervision in regard to all problems related to safety and environmental protection in siting, designing, constructing, commissioning, operating and decommissioning a NPP. To accomplish all the tasks successfully the supervisory body should be set up or improved well in advance before the decision on a NPP is taken.

The novelty and complicity of nuclear technology in energy production, need for large investment for its introduction require not only domestic scientific potential and local opportunities utilized to the fullest extent possible, but also experience of nuclear countries benefited from, international organizations counted on, international agreements signed.

All which is said above can be regarded as true not only for Belarus but for other republics of the former Soviet union which gained independence and for some states of the Western Europe.

6. CONCLUSIONS Population of a country as well as of neighbouring countries must have confidence in reliability and competence of the national regulatory body for nuclear safety. Therefore, whatever experience has been accumulated in a country in operation of nuclear installations, supervision and regulation of nuclear safety, the regulatory body should be in a constant process of improvement of its activities. This can be achieved by perfection of legislative, regulatory and technical documents on nuclear safety which have been prepared on the basis of the IAEA documents and documents worked out by states with developed nuclear technologies, by expansion of cooperation on the basis of bilateral agreements with regulatory bodies of other states, training of regulatory staff and operator personnel at the IAEA-sponsored courses, by improvement of the regulatory body infrastructure and methods of public relations.

The IAEA as concentrator of scientific and technological ideas, achievements and specialists in the nuclear safety field, can be regarded as guarantor of stable growth of reliability and competence of national nuclear safety regulatory bodies.

Hence, strengthening cooperation with IAEA and supervisory bodies of other countries is a major step forward to enhancing and improving the supervision of nuclear installations in Belarus.

88 XAO102778 IAEA-CN-82/32

DELIBERATIONS ON NUCLEAR SAFETY REGULATORY SYSTEM IN A CHANGING INDUSTRIAL ENVIRONMENT

KIM, H. J. Korea Institute of Nuclear Safety P.O.Box 114, Yusong, Taejon, Korea Fax: +82428612535; Email: [email protected]

Abstract

Nuclear safety concern, which may accompany such external environmental factors as privatization and restructuring of the electric power industry, is emerging as an international issue. In order to cope with the concern about nuclear safety, it is important to feedback valuable experiences of advanced countries which ever restructured their electric power industries earlier and further to reflect the current safety issues, which are raised internationally, fully into the nuclear safety regulatory system.

This paper is to review the safety issues that might take place in the process of increasing competition in the nuclear power industry, and further to present a basic direction and effective measures for ensuring nuclear safety in response thereto from the viewpoint of safety regulation. It includes a political direction for regulatory body's efforts to rationalize and enforce efficiently its regulation. It proposes to ensure that regulatory specialty and regulatory cost are stably secured. Also, this paper proposes for maintaining a sound nuclear safety regulatory system to monitor thoroughly the safety management activities of the industry, which might be neglected as a result of focusing on reduction of the cost for producing electric power.

1. INTRODUCTION Recently, as part of the policy to enhance the national competitive power, privatization and restructuring of the electric power industry including the nuclear power industry have been actively pursued by many countries in the world in order to increase competition in the electric power Industry. Accordingly, atomic energy enterprises are devoting themselves to increasing competition through merge and acquisition of any prospective enterprise or business sector, continuous reduction in their operation budget through downsizing of their organization and human resources, and reduction of their investment in safety improvement of nuclear installations. In addition, the regulatory body is pressed and required to rationalize and enforce efficiently its regulation.

On the other hand, such activities to increase competition in the nuclear power industry are bringing about a concern that they might get to be a primary factor to neglect the safety of nuclear power plants. In 1998, the International Nuclear Regulators Association (INRA) even issued a statement in connection with ensuring nuclear safety for the purpose of responding to recent external factors. It identified safety-related issues that should be considered in coping with recent trends of restructuring and privatizing the nuclear power industry and deregulation of electricity market. In April 1999, the First Review Meeting on the Convention on Nuclear Safety organized by the International Atomic Energy Agency (IAEA) addressed trends in several countries with regard to factors and circumstances affecting nuclear safety external to the nuclear safety program, including deregulation of electricity markets and increased competition. It pointed out that securing safety is a fundamental prerequisite for the utilization of nuclear energy and the best efforts for enhancing nuclear safety must be made, no matter how its environment and circumstances would be changed. Meanwhile, regulatory bodies of some countries endeavour to devise an institutional scheme for ensuring operational safety of nuclear power plants, to strengthen the independence of the regulatory body, and enhance the efficiency thereof.

89 Restructuring of the nuclear power industry for increasing competition is not limited to some countries but a worldwide trend. Recently, the Korean government has also established a plan to introduce a competition concept to the electric power industry, in which the Korea Electric Power Corporation (KEPCO) has a monopoly, for the purpose of increasing competition in the electric power industry and further enhancing the efficiency of supplying electric power. It is in pursuit of dividing the power generation sector of the KEPCO into 6 power generation enterprises and further privatizing them by stages on a short-term basis. It is also promoting its long-term program to open the power distribution sector and the power transmission section. As for the nuclear power sector of the KEPCO, the Korean government intends to reorganize and operate it separately as an independent company affiliated to the KEPCO in consideration of its characteristics in the power generation pattern and its safety-related matter. Therefore, the earlier experiences of advanced countries in restructuring their electric power industry can provide valuable lessons to countries attempting to restructure their electric power industries so that they may minimize any trial and error in ensuring nuclear safety.

This paper is to review the safety issues that might take place in the process of increasing competition in the nuclear power industry, and further to present a basic direction and effective measures for ensuring nuclear safety in response thereto from the viewpoint of safety regulation.

2. SAFETY CONCERN AND DIRECTION TO ENSURING SAFETY

The nuclear safety issues that might be raised in the process of a changing industrial environment including restructuring of the electric power industry can be derived from the earlier experiences of advanced countries therein and safety concern as raised internationally. It can be known that the activities for increasing competition in electric power industry are focusing on the efforts to reduce the cost for producing electric power in parallel with the structural transformation such as merge and acquisition of any prospective enterprise and business sector. In order to reduce the cost for producing electric power, the electric power industry raises questions on the adequacy of safety regulation, and requests to reduce the regulatory cost and curtail the burden for the enterprise to share the regulatory cost. Moreover, a concern is raised that the safety improvements and maintenance of nuclear installations might be neglected and the number of reactor operators might be reduced resulting in any poor training performance for them. Another concern is also raised that deposit of the back-end cost for decommissioning of nuclear power plants and disposing of radioactive wastes might be neglected.

In order to cope with such concerns about nuclear safety, it is important to feedback valuable experiences of advanced countries which ever restructured their electric power industries earlier and to reflect the current safety issues which is raised internationally, fully into the nuclear safety regulatory system. There will be many approaches in coping with the safety issues, but the most important matter from the viewpoint of safety regulation is to maintain a steadfast system to ensure nuclear safety. To accomplish it, special attention needs to be given to rationalize and enforce efficiently safety regulation, and further to build up a system to verify thoroughly the operational safety of nuclear power plants. To support it, the regulatory specialists and cost has to be secured stably. The following describes key measures to be implemented so that the objectives for ensuring safety in a changing industrial environment could be accomplished.

3. MEASURES FOR ENSURING SAFETY

3.1. Rationalization and efficient enforcement of safety regulation

3.1.1. Establishment of sound nuclear legislative system Any government shall seek to activate the utilization of atomic energy and ensure safety in connection therewith in terms of a national policy, the national policy shall get to be a norm in the form of any law, and thereby its rationality and purpose can be established in the relation between the government

90 and people. Then, stability and predictability of the policy is ensured, and further its substance and doctrine can get to have justness and continuity.

In order to cope with the changing environmental condition of the nuclear power industry, the government is required to establish a new relation to rationality and purpose of nuclear safety regulation. The government shall establish rationality of safety regulation and enforcement by providing the legislative frameworks to distinguish the lawful purpose of the safety control from that of utilization of the atomic energy, and further providing a clear and sound legal status to the safety regulatory activities. Also, the regulatory body shall have to set up reasonable safety standards for the efficient safety control incidental to the extended utilization of nuclear power and radioactive isotopes, and ensure the legal status thereof. Furthermore the regulatory body shall build up the legislative and regulatory system which is so simplified and clarified that it is easy to interpret, apply and access for seeking people's understanding thereof.

3.1.2. Systematic establishment of technical requirements The regulatory body shall have to build up a comprehensive set of technical requirements for nuclear safety regulation by combining such regulatory requirements as developed to meet various demands for regulation, and further establish the legal status thereof. It shall have to set up the safety goal and principles common to nuclear installations, provide the safety standards by nuclear installations on the basis of the prescribed safety goal and principles, and thereby build up the comprehensive set of technical standards. Also, to support this, an appropriate legal status shall be vested in the detailed standards and guidelines developed by any nuclear safety specialized institution or any industry so that they could be utilized in relevant regulatory activities, following approval thereof by the regulatory body. Such detailed standards and guidelines shall be examined by any competent committee as one of the procedures for enacting them so that objectivity and fairness of their provisions could be ensured. Through these procedures, the nuclear operator and/or the regulatory body shall be provided with clear, distinct and objective standards so that the transparency, clearness and reliability of safety regulation is ensured.

3.1.3. Implementation of risk-informed performance-based regulation The prescriptive regulation, which has been typically adopted to date, is to have the regulatory body set up specific and detailed requirements for individual elements functioning in every stages of the design, construction and operation of nuclear installations, and further to force any nuclear operator to comply with them. That is to say, it focuses on whether the nuclear operator complies with the stipulated procedures and standards, and in case it does not comply, any applicable sanction is imposed against it. Such prescriptive regulation is, therefore, likely to be a desirable system in the initial stage of developing the nuclear power industry when its magnitude is small. However, as its magnitude has got to be enormous and accordingly the demand for regulation and related data has got to be increased immensely, it may be inefficient for the regulatory body to regulate the entire areas of nuclear installations directly. Furthermore, such prescriptive regulation may cause the nuclear operator to conduct its safety control passively, and inhibit it from exerting its efforts to ensure nuclear safety creatively and voluntarily.

On the other hand, the performance-based regulation is to have the regulatory body set up any measurable performance goal and indexes for ensuring nuclear safety and further entrust the nuclear operator with the means and the method for accomplishing such performance goal and indexes under its self-regulation. In other words, the prescriptive regulation focuses on whether the nuclear operator complies with the specific procedures, while the performance-based regulation focuses on whether the nuclear operator accomplishes the performance targets as a basis to make any regulatory decisions. Therefore, the performance-based regulation can induce the nuclear operator to conduct its creative and voluntary safety control, and further have the regulatory body regulate discriminately depending upon the extent of accomplishing the performance targets. As such, the performance-based regulation enables the regulatory body to enforce its regulation efficiently.

91 Meanwhile, the deterministic safety assessment method based on the defence-in-depth principle was adopted in the initial stage of developing nuclear power plants when the capability to assess the overall safety of nuclear power plants was not fully available, and has been used since then. The defence-in- depth principle is based on formation of a multi-barrier concept for the prevention and mitigation of any accident. It is implemented with transitional steps of frequency reduction of any initiating accidents, redundancy and diversity of primary safety functions, multi-physical barriers, and emergency preparedness. The deterministic safety assessment method focuses on complementing the uncertainty of how any accident would evolve in nuclear power plants and further ensuring a sufficient safety margin based on experiences and engineering practices. The deterministic method based on the defence-in-depth principle enables the performance and structural integrity of respective systems, structures and components(SSCs) of nuclear power plants to be assessed depending upon respective safety functions thereof. However it can neither quantify respective effects on the overall safety of nuclear power plants nor figure out any overall safety degree of nuclear power plants. Moreover, some non-safety grade SSCs which are classified by the deterministic method based on the defence-in-depth principle are found to have a significant effect on the risk of nuclear power plants. Therefore, it is important in view of safety that the SSCs are classified depending upon their respective effects on the overall risk of nuclear power plants, and further conduct the safety control which is appropriate thereto. Specifically, it is to seek efficient regulation by providing sufficient regulatory resources to any SSCs that are important to safety, while reducing regulatory resources for any SSCs that are less important to safety. Especially, as the capability to assess the overall safety of nuclear power plants has been recently available through the development of the probabilistic safety assessment method, a method for ensuring safety from the viewpoint of risk comes into the limelight in accomplishing the ultimate safety target, 'adequate protection of the public from any unexpected risk.

The regulation methods, which have been recently promoted, are to reflect the industry's opinion to require for rationalization and efficient enforcement of safety regulation and further seek to have the regulatory body enforce regulation efficiently by allotting the regulatory resources appropriately. Therefore, the risk-informed performance-based regulation shall have to be positively implemented to complement the inefficiency of the existing safety assessment and regulatory system, along with the conventional deterministic method based on the defence-in-depth principle. Also, the overall safety degree of nuclear installations shall have to be figured out by using the probabilistic safety assessment method, and the nuclear operator shall have to be induced to conduct the safety control under its self- regulation by setting up the performance target of nuclear installations.

3.2. Thorough verification of operational safety

3.2.1. Comprehensive safety assessment of operational safety In the initial stage of developing nuclear power plants, it was believed that the operational safety of nuclear power plants could be ensured by carrying out routine and special safety reviews including inspection and maintenance. However, experience has shown that they are generally not comprehensive and do not always consider improvements in safety standards and operating practices, the cumulative effects of plant aging, operating experience, and technical developments.

Thus, it is recognized that there is a need to assess the safety of nuclear power plants comprehensively and systematically, and determine necessary and worthwhile changes that should be made in order to maintain a high level of safety and to improve the safety of older plants to a level comparable with that of modern plants. Many countries, which have commercial nuclear power plants, assess the safety thereof comprehensively and systematically on a periodic term basis along with their routine efforts for ensuring safety. Also, they apply the results of such safety assessments as one of the procedural requirements for approving life extension or renewing an operating license of a nuclear power plant, so that they may cope with the difficulty in selecting any new site for nuclear power plants, and seek to reduce the investment cost in nuclear installations, and maximize the use of the available power generation resource. Meanwhile, the IAEA encourages the periodic safety assessment system to be introduced in order to prevent a nuclear power plant from being deteriorated in its safety level and

92 further ensure a high level of safety. The Convention on Nuclear Safety also requires to carry out the comprehensive and systematic safety assessments throughout the lifetime of nuclear power plants, and reflect operating experience and new safety information in the assessments.

Therefore, an institutional scheme shall be established for improving people's reliability on. nuclear safety by assessing the overall safety level of nuclear power plants and then ensuring a high level of operational safety.

3.2.2. Activation of field-centered safety regulation Most countries, which have nuclear power plants, organize and operate a branch office of the regulatory body at the site of the nuclear power plant or any place in the vicinity of the nuclear power plant, for the purpose of checking the operating status of the nuclear power plant from time to time and supervising the safety control activities of the nuclear operator. This is to cope with any safety issues taking place in the site rapidly and enforce regulation by using regulatory resources efficiently. This is also to build up an effective cooperation and communication channels with local governments and local residents.

What is to be emphasized first of all is to verify the safety of the nuclear power plant in operation by monitoring thoroughly the safety control activities of the nuclear operator which might be neglected at any moment while focusing on reduction of the cost for producing electric power. Therefore, the regulatory body shall seek efficient safety regulation and further enhance people's reliability on nuclear safety by building up the field-centered safety verification system.

3.3. Stable securing of safety control cost

3.3.1. Stable securing of safety regulation cost The nuclear safety regulation cost is funded with the national tax or the cost to be shared by the nuclear operator under the principle to oblige any party that brought about the cause for any matter to share the cost thereof. The cost share system is prevalently used in many countries and it is a generalized system to secure the regulation cost. Accordingly the nuclear operator is obliged to share almost all the nuclear safety regulation cost. However, there is a concern that the nuclear operator would demand reduction of its share in the regulation cost as part of its efforts for reducing the cost of electric power production to increase competition. Therefore, the legal and institutional system on the magnitude of the regulation cost and the cost share procedure shall be definitely provided in order to secure the regulation cost more stably and ensure the fairness of enforcing regulation. Also a proper legal status shall be also vested in such system in terms of ensuring the independence of nuclear safety regulation. Thereby, the government shall have to eliminate any controversy on the fairness of the nuclear operator's share in the regulation cost and further enhance the transparency and stability of the regulation cost,,

3.3.2. Stable securing of funds for nuclear safety research The regulatory specialty and competence shall be necessarily ensured through enhancement of regulatory technologies so as to enforce safety regulation in a sound and objective manner, in response to diversification and quantitative expansion of matters subject to nuclear safety regulation. For this, funds for the nuclear safety research shall be provided stably, and regulatory specialists shall be educated and trained systematically. Therefore, the government shall establish a steadfast institutional scheme to ensuire the specialty and competence of nuclear safety regulation by securing nuclear safety research funds and regulatory specialists stably.

3.3.3. Strengthening of back-end cost deposit system Since decommissioning of nuclear power plants and disposal of radioactive wastes shall be subject to continuous safety control due to characteristics thereof, it is required to strengthen the back-end cost deposit system to enable the cost to be deposited consistently and further such deposit to be confirmed. In most cases, the operator of nuclear power plants is required to deposit the cost for decommissioning

93 of nuclear power plants and disposal of radioactive wastes. But if the operator does not have its operation fund sufficiently, if is liable to neglect to deposit the cost. Therefore, the continuous safety control shall be ensured by enabling the back-end cost to be deposited consistently.

4. CONCLUSION There is a concern about nuclear safety that might be neglected in the process of increasing competition in the electric power industry. Such concern is not an issue facing any one country but an international issue emerging in many countries in the world. In order to cope with the concern about nuclear safety, the government will have to feedback valuable experiences of advanced countries which ever restructured their electric power industries earlier and further to reflect the current safety issues which are raised internationally, fully into the nuclear safety regulatory system. Such measures as presented in this paper do not provide a complete solution to all problems raised under the recent environmental change, but it is required to seek a direction to improving the nuclear safety regulatory system, if any, by reviewing the existing system from the viewpoint of safety regulation.

What is most important first of all in doing so is that the regulatory body itself should exert its utmost efforts for rationalization and efficient enforcement of regulation, and further be able to get the reliability on safety regulation from people and nuclear operators by pursuing the transparent regulatory activities. On the other hand, the regulatory body shall be able to provide a firm belief about the safety of nuclear power plants in operation by monitoring the safety control activities of the nuclear operator that might be neglected at any moment while focusing on reduction of the cost for producing electric power.

94 XAO102779

IAEA-CN-82/34

REGULATORY CONCERN ABOUT ECONOMIC DEREGULATION IN FINLAND

VIROLAINEN, R., KOUTANIEMI, P. Radiation and Nuclear Safety Authority (STUK) Nuclear Reactor Regulation P. O. Box 14, FIN-00881 Helsinki, Finland Fax: +358975988382; Email: [email protected]

Abstract

The deregulation of the electricity market may cause an increased pressure; to reduce the costs of electricity generation. This makes a new challenge to the regulatory body to assess the impact of these changes on the safety of nuclear power plants. Accordingly, it is important to identify the risks to the nuclear power industry resulting from the economic deregulation.

This paper is to discuss the current situation in Finland with regard to the economic deregulation of the electricity market and the experiences so far. A common view today is that the number of electricity generating pov/er companies will be reduced in Europe because of tough competition in the electricity market. It is expected that only the biggest companies can stand the consequences of tough competition in electricity prices and the consequential pressure to reduce costs. In order to review the impact of deregulation of the electricity market some relevant points have been discussed in this paper such as change of ownership of power companies due to the economic pressure, the need to cut costs of the companies by reducing the number of their activities and increasing the efficiency in the remaining activities and /or outsourcing of activities. The need to pursue reduction or delay of planned investments in safety upgrades are discussed as well.

1. INTRODUCTION In Finland, the deregulation of the electricity market evolved stepwise since 1995 based on a new act on Electrical Power Markets and in 1998 a free competition came into force. Today about 20 % of the electric power in the Nordic countries is traded through a common exchange (the Nordic Power Pool).

The deregulation of the electricity market is assumed to cause increased pressure to reduce the costs of electricity generation also in nuclear power plants. This makes a new challenge to the regulatory body in order to assess the impact of these changes on the safety of nuclear power plants. Accordingly, it is important to identify the risks to the nuclear power industry resulting from the economic deregulation.

To provide a survey of the current situation in Finland with regard to the economic deregulation of the electricity market and of the experiences so far, it is of value to discuss some key elements of the topic. A common view today is that the number of electricity generating power companies will be reduced in Europe because of tough competition in the electricity market. It is expected that only the biggest companies can stand the consequences of tough competition in electricity prices and the consequential pressure to reduce costs. Hence the first relevant point is the possible change of ownership of power companies due to the economic pressure. The need to cut costs may also mean that the company has to reduce the number of its activities and to increase the efficiency in the remaining ones, which means outsourcing of the other activities. This may cause the nuclear power companies to pursue reduction or delay of planned investments in safety upgrades and, if possible, also exemption of some design basis requirements.

To assess the situation in Finland as to the deregulation of the electricity market, each aforementioned item will be briefly discussed below and illustrated by examples from the point of view of the Finnish regulatory practice.

95 2. IMPACT OF CHANGE OF OWNERSHIP OF POWER COMPANIES During the past five years, many changes have taken place in the ownership of utilities, including some changes in the ownership of the nuclear power plants in Finland and Sweden. An example of such a development is the merger of the Finnish companies Neste (oil and gas business) and Imatran Voima Oy (electricity production). Due to the merger, their combined engineering branch, Fortum Engineering (3000 employees), is now exposed to divestment. There was some concern on how the expert personnel on nuclear safety could be sustained in the unstable situation. However, the personnel supporting the nuclear safety activities has been assured with a special agreement which stated that the possible divestment of the Fortum Engineering will not reduce the nuclear safety expertise in the Fortum company.

In the current situation STUK has not identified any loss of the present nuclear safety expertise or other drawbacks in nuclear safety such that could be traced back to the deregulation of electricity market. Nor is there any pressure on the regulatory body to change their policies or practices.

3. REDUCTION OF COSTS AND OUTSOURCING OF ACTIVITIES IMPORTANT TO SAFETY In Finland, however, the nuclear power has been competitive in comparison with any other means of producing electricity. However, as a consequence of the deregulation of electricity market, the average income from the power production has decreased. Variation in power price has been high, and the price is strongly influenced by the availability of hydropower in the Nordic region.

Regardless of pressure on the price due to the deregulation of the electricity market, the Finnish licensees have kept the investments level as high as during past several years and maintained the number of staff and qualifications at the current level. The utilities have also stated that the future funding for research will be kept at the same level as before. Therefore, the further improvements in economics are sought mainly from improved maintenance strategy.

For improving cost-efficiency of the safety management, the risk informed approach seems to provide a sound platform. The in-house living PSAs are a regulatory requirement for all plant units. PSA models have been thoroughly assessed also by the regulatory staff, and the regulatory body (STUK) has at its disposal the tools for independent conduct of calculations with the same approved models worked up by the licensees. Several risk informed activities are being elaborated by STUK and licensees such as risk informed in-service inspection/ testing/ technical specifications which could be effective in improving safety and at the same time to limit the burden and cost to the licensees.

Other means to improve plant economics are, for example, the optimised preventive maintenance activities and risk informed classification of components.

An opposite approach that has been discussed above is to increase outsourcing of activities for example such as engineering services, maintenance, computer service or training of operating staff. Safety challenges in doing so are how to maintain the control of the outsourced functions from the safety point of view, how to keep the necessary in-house competence in order to assess outsourced work done by contractors and how to identify the prime functions of the operating organisations which could not be outsourced without serious safety implications. Examples of successful in-house activities are the aforementioned Olkiluoto and Loviisa PSAs. In Finland, PSAs are performed by licensees not by consultants which is not a usual practice internationally. The PSAs have prompted the licensees to conduct large safety improvement programmes which have provided sizeable reduction of risks in the Finnish plants.

4. PLANT MODIFICATION AND BACKFITTING PROGRAMMES The pressure from the deregulation of electricity market on the electricity price may cause mutually opposite pursuits to the licensee. On one hand it may make the licensee to lower costs, for example, in

96 delaying or giving up plant modifications already planned and, on the other hand, it requires measures to ensure competitive operation in the long term. This requires investments in equipment modernisation, possibly power uprate and development programmes aimed for improved maintenance.

No symptoms of undue efforts to save costs at the Olkiluoto or Loviisa plant units have been identified since the deregulation of electricity market came into force in Finland in 1998. TVO company has performed modernisation projects associated with power uprate and Fortum company has performed the power uprate project as well and is planning to undertake a modernisation project during the years to come. Up to now the licensees investments to the plant improvements have not been reduced but the investments are steadily going on at the same level as before the year 1998. Fortum has just recently tackled new plant modifications for reducing containment bypass frequency, improving the seal cooling system of main cooling pump and building up a new long term cooling system.

At the moment the impact 'of the deregulation of electricity market is a minor one in Finland. However, STUK has set up a development project in order to ensure that the inspection programme is sustained at an. appropriate level to assure the safe operation of nuclear power plants. Accordingly, the project will review how, if at all, the effects of deregulation of the electricity market in Finland and in other countries have appeared in the inspection programme of the nuclear power plants. A relevant indicator system may help reveal negative effects and trends, at least in the long term. The currently used indicators that are most relevant to monitor changes related to the deregulation of electricity market are annual investment rate to plant modernisation, ratio between corrective and preventive maintenance tasks and number of human errors in maintenance tasks describing work quality.

5. CONCLUSION In Finland, the deregulation of the electricity market evolved stepwise since 1995 based on a new act on Electrical Power Markets and in 1998 a free competition came into force. Hence the period to review the impact of deregulation is short.

Irrespective of the short period, many changes have taken place in the ownership of utilities, including some changes in the ownership of the nuclear power plants. An example is the merger of the Finnish companies Neste (oil and gas business) and Imatran Voima Oy (electricity production), which exposed their combined engineering branch, Fortum Engineering (3000 employees) to divestment.

Regardless of pressure on the price due to the deregulation of the electricity market, the Finnish licensees have maintained the number of staff and qualifications at the current level and kept the investments level as high as during past several years. Accordingly the large safety improvement programmes prompted by PSA ten years ago have been continued as designed. On the other hand, the risk informed approach seems to provide a sound platform to provide some cost savings for safety management. Hence several risk informed activities are being elaborated by STUK and licensees such as risk informed in-service inspection/ testing/ technical specifications whicli could be effective in improving safety and at the same time to limit the burden and cost to the licensees.

At the moment STUK has not identified any loss of the present nuclear safety expertise or other drawbacks in nuclear safety derived from the deregulation of electricity nuirket. Nor is there any pressure on the regulatory body to change their policies or practices.

97 XA0102780

IAEA-CN-82/36

A WAY OF DUKOVANY NPP TO PRIVATIZATION AND LIBERALIZED MARKET

KOUKLIK, I. Dukovany NPP CZ-67550 Dukovany, Czech Republic Email: [email protected]

Abstract

Presentation describes current situation in Dukovany NPP with two main coming future phenomenon — privatization of CEZ company and preparation for liberalized electricity market. Considerations about level of safety, investment costs and competitiveness of Dukovany Nuclear Power Plant in liberalization process is described together comparison of some safety features of world NPPs. Results of this comparison are used for consideration and evaluation of some require modifications effectiveness.

1. INTRODUCTION Dukovany NPP operates four Units with WWER 440/V213 reactors, which are representatives of the latest model in row of WWER 440 MW reactors. This year the oldest Dukovany's Unit has been in operation for sixteen years.

2. SAFETY MANAGEMENT The period of last twelve years is a period of continuous changes with all kind of nature and these changes have been more and more dynamic and turbulent. For the time being Dukovany has been influenced by two significant impacts — privatization of CEZ company and preparation for liberalized electricity market.

What does it mean in practice? Enormous pressure is on the production costs reduction. At the same time there is a contra effort of competitive companies from Western Europe to rise our price by declaring not accepted design differences and given pressure on costly investments. How one can control safety in such environment? First of all let us have a look at a chart which encloses the field for safety.

Economically reasonable investments in safety

Recommendation Area for optimisation for Dukovany NPP

Legislative Requirement 1 (the minimal level)

Length of Operation FIG. 1. Field for safety.

98 The minimal level of safety is prescribed by requirements of state legislative — by Laws and Decrees. The maximal level depends on how much I can invest into safety and particularly this aspect follows the electricity price on the market and owner demands to get profit. The role of management is to maintain costs somewhere between both limits, not to drop under minimal requirements and not to exceed economical costs.

However, there is necessity to think also about future. The manoeuvre area is; narrowing. We have to try to predict gradually increasing requirements, this going up staircase, and to influence them. At the same time we are obliged to invest only into the most significant and fundamental matters in order not to exceed the upper limit.

3. ECONOMICAL CONDITIONS What is the nature of the pressure from our competitors to get us up economical limits ? It is performed in different ways.- See the following chart with the complete compilation of our price — you can see how many per cent we spend for operation and what 'administrative' costs for decommissioning, insurance and the end of fuel cycle are like.

Which one of the competitive electricity producers has got these costs included into his price — recultivation of coal mines and ash hills, insurance of liquidation of ecological catastrophes from oil ship accidents, etc.?

nuclear account Nuclear fuel storage allotment fund 8% 18%

CEZ overhead cost 18%

other cost and general expenses 11% decommissioning fund 6%

Nuclear fuel storage maintenance fund 11% 3% services ~" depreciation 3»/0 personnel 16% 6%

FIG. 2. Cost structure at Dukovany NPP.

Inherent costs (including depreciation) are 66 %, other costs, which are not usually present in other power industries are 17 %.

99 4. MODERNIZATION PROGRAM This is not all. You can feel *also another pressure on our NPP, this is a specific pressure to increase costs — it sounds obligatory modernization. After the fall of the iron curtain there was an option to sell our cheaper electricity to West. However, this was not a good time for nuclear industry in this part of Europe because there was a recession of nuclear and Western countries stopped building new NPPs. Now a new competitor appeared in the Middle Europe and with him a new opportunity how to exert their excessive capacity. The direction was clear — either to shut down cheap sources or to increase their price and even get some profit from that. And in such a way we undergo the process of 'Safety Issues' implementation, safety evaluation by EU, transfer of knowledge by PHARE program etc. Suggested improvements were technically correct in prevailing cases, but you can always find something to be improved in any technical equipment. Following this process, in past recent years we invested 300 ml. USD. Our costs increased by several percentages. The safety was also increased. You can see our results in CDF improvement in the following figure.

Probability of Core Damage Frequency [1/year] Trend of PSA-1 results at Dukovany NPP

CDF [1/year] 2.00E-04 1.77E-04 1.84E-04 1.80E-04 1.60E-04]— 1,40E-' 1.20E-04 1.09E-04 9.93E-05 1.00E-04J— 8,00E-05|— 5.75E-05 6,00E-0i 4.00E-05]— 1.74E-05 2,00E-0i O.00E+0O 1995 1996 1997 1998 1999 2000 2010

FIG. 3. Probability of Core Damage Frequency [I /year].

For the time being we reached the level of CDF as I x 10"5, which is the recommended level for new reactors by IAEA. We are planning to implement even two more sets of modifications, by which we can reach a level of CDF as 7.75 x 10"6 during operation mode.

Note: The validity of the PSA model results was checked and tested by an IPERS mission (IAEA) with eight international experts in team for the time period of two weeks. I am giving this information because some people might look at the PSA results suspiciously.

5. WWER 440 DESIGN COMPARISON Let me declare, that these results prove a very good quality of the basic WWER 440 design. Please, look with me at the following table where I compared some safety related parameters, relations and components of WWER V213 reactors with German (Convoi) and American (Westinghouse) reactors.

100 Table I. units WWER 440 Sizewell - B: KWU - 1300 V-213 (Westinghouse) (Convoi) Reactor thermal capacity MWT 1375 3411 3765 Pressure in primary loops MPa 12.4 15.5 15.8 Volume of water in primary m3 237 309 411 circuit (PC) Volume of water in secondary m3 288 250 231 circuit (SC) Flow square of DBA m2 0.386 0.769 0.883 (2x100%) 3 Ratio of volume of PC / m / GWT 172 91 109 reactor thermal capacity

3 Ratio of volume of SC / m / GWT 209 73 61 reactor thermal capacity High pressure injection pumps - number - 3 4 4 - pump discharge pressure MPa 13.2 11.8 11.1 - flow rate (0.7 MPa) Kg/s 37.5 110.0 51.0 Low pressure ECCP pumps: - number - 3 2 4 - pump discharge pressure MPa 0.7 1.7 1.2 -flowrate (0.3 MPa) Kg/s 111.0 260.0 470.0 Hydro-accumulator tanks: - number - 4 4 8 - pressure MPa 6.0 4.5 2.6 - water volume m3 40.0 40.4 34.0 - gas volume (Nitrogen) m3 30.0 17.0 11.0

You can see three times better ratios for available volume secondary water (related to thermal power), 2 x higher volume of primary coolant (related to thermal power) and 2 x lower square for water release during Design Basic Accident for WWER-440 reactors.

Why is it like that? There are a number of WWER 440 / V213 type advantages against some Western PWR of the same age. Just for instance the following is a list of them. • horizontal steam generators — bigger volume of water for cooling after a scram; • bigger volume of water in the secondary circuit; • better stability of water level in the steam generators during transients (slower regulation); • tube plates of the steam generator are placed in a space with lower concentration of salts so it is not affected by corrosion so much (SG) — better leak-tightness of SG's tubes — the second barrier for release of radioactivity; • bigger pressuriser — this means relatively more water in the primary circuit (to thermal capacity) and by this fact, better stability of pressure in the primary circuit during transients; • relatively low neutron flux flow in the reactor core —lower exertion of the reactor vessel and internals and more time for power control; • absence of Xe oscillations, reactor power is stabile thanks to a negative power coefficient; • lower content of Co 59 in the reactor vessel material — lower contamination of equipment by Co 60 after activation by n-flux — lower personnel doses; • six times redundancy of inherent logic of safety systems; • three separated boron water tanks for boron injection systems and three separated boron water tanks for emergency LP core cooling systems (not only one shared tank for all safety systems); • the possibility of emergency connection of DGs to other Units (switching manually) (modification); • main control room staff has university degree (graduated), special state exams and psychological examination regularly every two years, they are able to solve unconditional situations; • additional emergency SG feedwater system (in total: three sources for feedwater);

101 • lower temperature specific volume exertion of the reactor core; • main isolation valves in the reactor coolant loops - the possibility of isolation some kinds of leakages; • fire brigade is located at the Dukovany NPP site.

So that, there is time to ask a question. We have nearly amended weaknesses of our reactors and we have reached a level of design safety about 1CT5 - 10"6. How about Western NPP operators? I do not want to say, that Western reactors are not safe, in any case. I want to highlight that we are in many features, safer.

6. PRIVATIZATION AND SAFETY LEVEL The answer is quite obvious, nobody wants increase its costs by extensive investments, when the safety is high enough. Our safety level is also high enough. I believe that a new owner, which will buy the CEZ, Dukovany NPP, will help us to stop these exaggerative pressures on useless investments and on the other hand will provide us with enough sources that we can maintain the correct level of safety as it was shown in my first figure.

Example of this investment could be our I&C modernisation project. It will cost several hundreds millions of USD. Core damage frequency after implementation of the new I&C systems will stay at the same level. Reliability of current systems is stable (we carry out comprehensive reliability study of I&C systems annually) and it allows us to reach very good operational and safety results. Nevertheless I&C systems replacement appeared in several IAEA 'Safety issues' and so our regulator requires them.

It stands for to have also a considerable level of understanding for nuclear power plants needs, because the price on the liberalized market can be hardly influenced. The benefit is higher by this part for which the costs can be reduced.

USD Electricity Price T benefit 1 costs 1 benefit 2 ; i

costs 2 -

FIG. 4. Cost-benefit.

7. CONCLUSION And, we are back at the first chart — sources should be at least so high that we are able to fulfill requirements of the state legislative and that we better estimate the higher level of safety. However, it is very difficult to assess such a level, because the NPP has got a big inertia and the degradation comes gradually and very often furtively. This is just an area for company management forethought and their long-term strategy. Nuclear power plant is not a story about a colossal gain in a short period, it is about a good gain for very long period.

102 XAO102781 IAEA-CN-82/37

THE NUCLEAR SAFETY REGULATION IN JAPAN AND THE RESPONSE TO CHANGES OF CIRCUMSTANCES SURROUNDING THE NUCLEAR ELECTRICITY GENERATION

HOMBU, K., HIROTA, M., TANIGUCHI, T., TANAKA, N., AKIMOTO, S. Nuclear Power Licensing Division, ANIS Ministry of Economy, Trade and Industry 1-3 Kasumigaseki Chiyoda-ku, Tokyo 100-8986, Japan Fax: +81335808535; Email: [email protected]

Abstract

The influences of external factors on nuclear safety are discussed in this paper, based on the views on the circumstances of nuclear electricity generation. The following external factors, which might have some potential impacts on nuclear safety, are selected for discussion. (1) The deregulation in the electricity generation industry, (2) The modification of approval/certification system in the regulation of electricity generation, (3) The influences to social atmosphere due to the occurrence of a series of troubles (4) The government reform and the structural adjustment of industry and (5) Others. Our further discussion seems to focus on the following 2 issues, (a) Whether the nuclear power and the other electrical sources should compete with each other for short term economical cost, or whether factors of cost stability and competitiveness as well as longer term energy supply security and global environmental issues ranging over several decades should be considered, (b) How to realize the appropriate regulation from the perspective of public acceptance and confidence, when a series of troubles occur, without imposing unnecessary burdens on industry and without jeopardizing safety. These issues may be common among many countries and can be discussed widely.

1. INTRODUCTION The Japanese energy policy is established on the basis of a medium and long term perspective. 51 plants of light water reactors are being operated, 4 plants are under construction and a plan of constructing more 13 nuclear power plants until 2010 is being discussed. This policy is based on the following views on the circumstances of the nuclear electricity generation in Japan. a. The role of the nuclear energy source. The use of non-fossil energy is inevitable in the energy supply structure composed of various energy sources in Japan and the nuclear electricity generation is a realistic option, considering the small and uncertain potential of the new and renewal energy sources and longer term energy security environment protection. b. The economic viability of nuclear energy. The nuclear energy can be economically competitive (5.9yen/kWh) with other electricity sources on certain conditions (40 years operation and 80% availability factor). c. The safety level of Japanese nuclear power plants. The safety performance of Japanese nuclear power plants is regarded as being ranked among the highest levels in the world, considering the small frequency of troubles and unplanned shutdowns and the low radiation exposure of the employees. d. The public and social acceptance of nuclear energy. The public is becoming less conscious of the need of nuclear power and the anxiety about nuclear safety is increasing. e. The issue for the nuclear industry. The shrinkage of nuclear market results in the degradation of quantity/quality of engineers and of the company alliances.

103 2. THE EXTERNAL FACTORS SURROUNDING THE NUCLEAR ELECTRICITY GENERATION In view of situations mentioned above, some examples of those circumstance changes, which might have some impact on nuclear safety, are described in the following.

2.1. Deregulation in the electricity generation industry. For the purpose of promoting competition and efficiency, the amendments of the Electricity Utilities Industry Law were enacted on March 21, 2000. The key amendment is the partial liberalization of electricity retail sale. • It is admitted that the electricity be supplied directly to large consumers(Above 2MW and 20kv) by a supplier other than the exclusively operated electrical companies. • The transparent and fair rules shall be established on the use of electricity transmission line of the electricity companies. The impacts to nuclear electricity generation are not apparent at this moment. However, various kinds of symptoms and observations are emerging, which are discussed hereafter.

2.2. The modification of approval/certification system in the electricity generation regulation In the regulation of the electricity generation industry, fundamentally the same approval/certification system has been applied to both the conventional field and the nuclear field with one exception of the reactor establishment license being required only in nuclear field. As a result of the recent re- examination on the roles of a regulator and the industry, the approval/certification system in the conventional electricity industry has been modified. And a new system has been established, which can utilize the capability of private sectors by promoting competition and innovation, in order that safety for consumers can be maintained and enhanced, through more rationalized regulation and efficiency. The amendment was issued on July 1, 2000.

2.3. The changes of social atmosphere due to occurrence of troubles The social atmosphere has been changing due to the occurrence of a series of the following significant troubles in the nuclear field. These troubles have influenced the perception and psychological attitude of the public on nuclear safety, aggravating the public anxiety to nuclear safety and eroding the recognition of the needs of nuclear power: • criticality accident at the uranium processing plant; • falsification of MOX fuel data at BNFL Sellafield site; • leakage of reactor coolant from the regeneration heat exchanger at Tsuruga NPP 2.

2.4. The government reform and the structural adjustment of industry The comprehensive re-organization in the Japanese government and the structural adjustment in the industry are proceeding in Japan.

2.5. Others The technical innovation might be included as factors having effects on safety.

3. THE DEVELOPMENT OF REGULATORY RESPONSES TO THE CHANGES The regulatory responses to the above mentioned changes can be considered to develop in the following direction.

3.1. Deregulation in the electricity generation industry. In Japan, the impacts of deregulation in the electricity generation industry on the nuclear field can not be visibly perceived as yet. However, there are already some observations and further discussions are developing. The following observations are presented on various occasions: a. Influence on safety of operating plants;

104 It is widely concerned that a reduction of operation/maintenance expenditure, which will be caused by intensified competition, might influence the safety level of an operating nuclear power plant. However, the operation/maintenance cost does not constitute large share in the total cost of nuclear electricity generation as compared with the capital cost. It produces more benefits for electrical companies if a nuclear power plant can be operated with high availability factor in place of a conventional power plant, because the nuclear fuel and operating cost is smaller than conventional cost. This guarantees the necessary investment in operation/maintenance. Some industry people view thaj the deregulation will have little impact on nuclear power plant safety. b. The impact of the competitive market on the nuclear business The nuclear is a stable electrical source owing to stable fuel and operating cost. However, the electricity by nuclear has to be sold continuously as a base load supply and has a risk of the price being beaten down. As long as the nuclear electricity generation cost is competitive, the nuclear can sustain its position in the market as a major electrical source, but when it loses competitiveness, it has to stand on a special disadvantageous position. Furthermore, as it is difficult to assess exactly the backend-cost, some of policy response measures are necessary. c. Competitiveness of nuclear power with other electricity sources It is inappropriate to compare the nuclear power with the other electrical sources like a micro-gas- turbine which appears on the short term competitive market, purely from the view point of short term economical competitiveness. The nuclear power should be evaluated from a long term perspective including supply security and environmental impact. The electricity generation industry should abolish the total cost principle in determining electricity fee and an equal footing of competition should be provided between IPP and electrical companies. We should further consider, whether the nuclear power and the other electrical sources should compete with each other purely for economical cost, and whether consideration on the long term cost stability and environmental considerations should be included. This issue may be common among many countries and can be discussed widely.

3.2. The modification of approval/certification system in electricity generation regulation. As a result of re-examination, the approval/certification system in the regulation of electricity generation, most approval and certification systems in conventional electricity sources were transformed from regulatory approval to document submission, or from regulatory inspection to self- inspection by utility companies. However, in nuclear industry, only the welding inspection was transformed for conservative reason from regulatory inspection to self-inspection.

Conventional Nuclear Detail design (A) (B) (no change) Welding inspection (C) (C) Commissioning test (C) (D) (no change) Annual periodic test during outage (Q (D) (no change)

Note: (A) Change from regulatory approval system to document submittal system (B) Regulatory approval system (C) Change from regulatory Inspection to self-certification (D) Regulatory inspection

Here, the issues are, whether the same regulatory system should be applied to both the nuclear and the conventional, or whether the special considerations should be given to the nuclear for conservative reasons. This discussion has a historical background and this should be discussed internally in Japan.

3.3. The changes of social atmosphere due to occurrence of troubles Following the troubles which gave impacts to the society, a series of technical measures were provided and at the same time the regulatory countermeasures were taken as follows: • criticality accident at the uranium processing plant;

105 • allegation system for safety violation; • nuclear security inspection to ensure observance of the safety preservation rule; • description of operator obligation in a law to train employees; • falsification of MOX fuel data at BNFL Sellafield site; • addition of regulatory periodic inspection at nuclear fuel manufactures; • inspection of a third party agency on importing fuel elements; • official submission of quality assurance program at inspection application; • leakage of reactor coolant from the regeneration heat exchanger at Tsuruga NPP 2; • enlargement of inspection scope.

These regulatory measures were determined from a regulatory view point after intensive discussion. They are meant to express a message of a regulatory authority to the public to recover their confidence. But some of the added measures have the possibility of becoming unnecessary regulatory burdens to the operators. Although the number of troubles can be decreased, the complete elimination is impossible. If the regulations are intensified each time a trouble occurs, the huge amount of regulations will accumulate and become a big regulatory burden.

We should further discuss how to cut off this vicious circle to realize the appropriate level of regulation without imposing unnecessary burdens on the industry and without jeopardizing the necessary level of safety. The risk-informed considerations might help to us. This issue may be common among many other countries and can be discussed widely.

3.4. The government reform and the structural adjustment of industry In the Japanese government, the re-organization started on Jan. 6, 2001, and the public information act will be enacted on April, 2001. Since the brake of bubble economy, the industry has been undergoing drastic restructuring to meet challenges of the innovation in IT lead technological and management area and global market competition. They are aiming at openness, accountability, and transparency as well as effectiveness, efficiency and agility, in the same way as being currently discussed globally among many countries facing the same kind of challenges.

3.5. Others The development of ABWR is a good example of success in having achieved both safety enhancement and cost reduction. The powerful promotion of technical innovation is one of the effective means to ensure safety and to realize cost down at the same time.

4. CONCLUSION The following findings are to be discussed in our country, as well as among many other countries. a. Whether the nuclear power and the other electrical sources should compete with each other for short term economical cost, or whether considerations on cost stability and competitiveness as well as longer term energy supply security and global environmental issues ranging over several decades should be included in the competition. b. How to realize the appropriate level of regulation from the perspective of public acceptance and confidence, when a series of troubles occur, without imposing unnecessary burdens on industry.

106 XAO102782 IAEA-CN-82/41

ASSESSMENT OF THE EFFECTIVENESS OF THE HUNGARIAN NUCLEAR SAFETY REGULATORY AUTHORITY BY INTERNATIONAL EXPERT TEAMS

VOROSS, L., LORAND, F. Hungarian Atomic Energy Authority Nuclear Safety Directorate (HAEA NSD), H-1539 Budapest 114. Pf.: 676, Hungary Fax: (36-1) 355-1591; Email: [email protected]

Abstract

On the bases of the role nuclear regulatory authorities (NRA) have to fulfil and the new challenges affecting them, in the paper an overview is made on how the Hungarian NRA has evaluated and utilised the results of different international efforts in the enhancement of its effectiveness and efficiency.

The reviews have been conducted by different groups of experts organised by highly recognised international organisations (e.g. IAEA, EC) and highly competent foreign regulatory bodies. The different reviews of activities and working conditions of the HAEA NSD have resulted in a generally positive picture however, revealed also weaknesses as well. They recognised the developments made in the recent years and also appreciated the overall favourable level of nuclear safety in Hungary, identified 'good practices' and made recommendations and suggestions for Ihe most important and most efficient ways of the future improvements. These are cited or referenced in the paper. At the end, some recommendations have been formed based on the experiences gained from the review missions and from our self-assessment.

1. INTRODUCTION It is an evidence, but today also widely recognised by the public that nuclear safety is sin issue which can not and should not be managed in national framework exclusively. It is resulted by effects of hypothetical severe nuclear accidents which may spread through national borders, but not less by spreading psychological reactions and feelings of the human being in our globalised, covered by media and more and more open world.

Nowadays, the official trustees of the nuclear safety are the nuclear regulatory authorities of different countries working within the framework of their national legal system. The international responsibility for nuclear safety is realised via international co-operation. This co-operation has a number of different levels, but beside the state level, and even prevailed by its intensity the most crucial part is performed by the co-operation among the operators of nuclear facilities and regulators with their partner organisations and international associations.

The role of the nuclear safety authorities is rising in guaranteeing the safety of nuclear facilities. This role has been on the increase for the past ten years and may be justified by several factors. First could be mentioned the market liberalisation in Western countries, which has forced the atomic energy industry to compete as well by extending to the sphere of energy production. The second significant event is the privatisation, posing safety challenges both in terms of ownership change and attempting to achieve maximum profits. The third factor is the disintegration of the Soviet Union, coupled with radical economic and political changes in the successor states and in Eastern-Central European countries, which latter make efforts to join the European Union. Finally, (beside the nuclear power plant operators) the nuclear safety authorities are challenged by the recent success of antinuclear movements, the phase out — for political reasons — of nuclear power plants in some Western European countries (Sweden, the Netherlands), the moratorium of further nuclear power plant construction (Belgium, Spain, , Germany), and declared antinuclear Western European countries

107 (Austria, Portugal, Ireland, Denmark, Luxembourg, Greece) since the slightest failure or incident is magnified in the media, sometimes even producing hysterical reactions, when their task is not only the enforcement of the justified safety requirements of the public, but simultaneously also to ease the fears having no reasons. (The situation is hardly alleviated by the lifetime extension movement initiated and spreading in the USA or the unbroken nuclear power plant construction program of Far Eastern countries.)

Changes affecting authorities are detailed in a 1998 study of OECD-NEA (Nuclear Energy Agency) [1], the statements and recommendations of which form a basis for the activities of the NEA Committee of Nuclear Regulatory Activities (CNRA), in which the Hungarian nuclear safety regulatory body also takes an active part.

As the role of the nuclear regulatory authorities (NRA) grows, there is an increasing demand for NRA's quality improvement. Effectiveness ('to do the right job') and efficiency ('to do the job right') are both scrutinised and emphasised. International assessment comprises an examination of the safety levels of nuclear power plants operating in the country concerned together with the quality of NRA's actions as there is a close interrelation between the two.

In most countries in the world, the operating organisation is primarily responsible for safety by law. Opinions differ, however, whether the NRA should take over some of this responsibility and how the added value to safety provided by the authority can be measured. The opinion is spreading that if the nuclear regulations of a country are strict enough and the authority is sufficiently independent, competent, and strong enough to be able to enforce its (sufficiently strict) requirements, the safety level of nuclear facilities supervised by the NRA shall be adequate. Authority independence and resources shall be provided by national governments, undertaken as an international obligation by the Vienna Convention on Nuclear Safety. (Hungary was one of the first countries to sign the Convention.) Therefore the quality of NRA's activities is determined and nuclear power plant safety is guaranteed jointly by the respective nuclear regulation system and the actual operation level of the NRA.

Adequate safety, however, is also difficult to define: all operating power plants have an operating licence issued by the national authority, therefore they are deemed to be safe enough. Nevertheless, not all nuclear power plants are identically safe and safety level of some units is considered internationally as unacceptable. These units, however, are in operation as licensed by the respective national authorities and the countries mentioned could even not managed without them in the short term. In these countries the authorities concerned are not in the position to make requirements substantially stricter as this would involve the need of shutdown of these units which are indispensable in short term. Therefore authority activity standards are strongly affected by the country conditions, primarily economic and political ones.

2. FORMS OF CO-OPERATION OF NUCLEAR SAFETY AUTHORITIES Nuclear safety authorities are utilising several means to ensure and demonstrate the required and continuously enhanced level of their work.

The authorities have realised that in line with application of different quality assurance/management systems only with quick and effective utilisation of the experiences accumulated internationally, with co-operation they can expect success, therefore they have established several international forums.

From among these forums the following is a listing of those only with participation of the representative of the Hungarian safety authority:

(a) OECD-NEA, CNRA (Committee on Nuclear Regulatory Activities); (b) CONCERT group - a group established by the European Commission (EC) comprising the nuclear safety authorities of all Western and Eastern European countries;

108 (c) Nuclear Regulatory Working Group (NRWG) — a working group pertaining to the EC, involved in special issues; (d) European Nuclear Installation Safety Group (ENIS-G) — also established by the EC recently and involving authority representatives as well as a representative from the nuclear industry of each participant country, and with task to prepare applicant countries to accession to European Union (EU); (e) Network of Regulators, of Countries with Small Nuclear Programmes (NERS, comprising ., Belgium, Brazil, the Czech Republic, Republic of South Africa, Finland, the Netherlands, Hungary, Switzerland, Slovakia, ), its main objective is to provide 'cross- assistance' to authorities if there is a lack of professional expertise somewhere to solve a problem suddenly Eippearing; (f) Forum of WWER-Regulators (Bulgaria, the Czech Republic, Finland, Hungary, Russia, Armenia, Slovakia, the Ukraine) operating working groups as well, and having the objective to discuss common phenomena related to VVER reactors and to promote solution methods.

Such extensive international co-operation is justified by the fact that authority work differs by countries, there is no unified international system of requirements for nuclear safety. Therefore 'best international practices' are deemed to be observed, which are constantly developing and improving as experiences are utilised. Participation in such forums is essential for the international appreciation of national authorities, shown by the fact that major international organisations such as the International Atomic Energy Agency (IAEA), NEA, and the EC send representatives to each of these forurns. One of the important factors of authority appreciation is international recognition and acknowledgement.

Another not less important authority assessment tool is represented by international missions, sent by particular organisations at request or without being requested but received cordially for substantial reasons of interest. These missions include ones in frame of assistance programs (e.g. in Hungary the RAMG project of several years, completed in two phases with participation of the Finnish, Belgian, and Spanish regulators in the framework of the EC PHARE program), self-initiated evaluations by the Western European Regulators' Association (WENRA), and reviews performed by various organisations and expert groups commissioned by the EC. In accordance with the expanding international practice the IAEA sent a mission at our own request. In the form of its regular service in May of 2000 an International Regulatory Review Team (IRRT) carried out the review of the Hungarian nuclear safety regulatory body, the HAEA NSD.

3. REVIEW RESULTS OF THE HUNGARIAN AUTHORITY The Nuclear Safety Directorate of the Hungarian Atomic Energy Authority (HAEA NSD) has undergone several international review processes in recent years. The direct or indirect objective of all of these was to assess the degree of maturity of the Hungarian nuclear authority from the viewpoint of Western countries to guarantee EU accession even with a nuclear power plant of Soviet design. The reviews included areas of both nuclear legislation and authority quality, i.e. its effectiveness and efficiency. The latter was assessed on the basis of licensing, inspection, and enforcement practices.

The first major review was performed in May 1998, when a delegation of respected Western European professors visited Hungary on behalf of the EC. The group was headed by J. P. Contzen, personal advisor of the foreign affairs commissioner of the EC and former director of the Ispra research centre. The direct objective of the visit was to assess the effectiveness of EU assistance programme, but much broader demand for information was perceivable. The group visited each of the countries eligible for accession in the middle term and in the longer run, providing a separate evaluation of each of them in their report. Hungary was deemed to be the most mature for accession.

The most comprehensive inspection was performed in the framework of the IRRT mission.

109 The IRRT mission was requested officially from IAEA in 1999. Preparations took about a year: in the meantime, internal subproject leaders were appointed, reference materials were prepared, and we ourselves also made preparations in the form of presentations as well as by collecting further information materials and organising professional visit programs. The preparatory meeting, held on December 2/3 with an IAEA representative attending, finalised the program and the professional materials list.

The ERRT mission itself was carried out between May 22 and June 2, 2000. It was a full scope mission, only transport of radioactive materials was excluded; furthermore, in the decentralised Hungarian regulatory system comprising a number of public authorities it was limited to the activities of HAEA NSD only. The international group of eight members headed by Mr. J. Misak (IAEA) consisted of American, Belgian, British, Finnish, French, German, and Slovakian experts examining ten different professional areas. The draft report of the group was prepared by the end of the second week, evaluating authority performance in detail: it defined the elements considered to be 'good practices' and recommended to others as well, and provided recommendations and suggestions to improve the authority work.

The short one-page summary of the report states that HAEA is a highly competent organisation with the technical and regulatory capabilities required to complete the responsibilities assigned to it. HAEA has made several initiatives recently in order to improve its efficiency, including the development of an extensive guideline system, the self-evaluation of the organisation and working methods of HAEA NSD, and the improvement of emergency preparedness roles and qualification of the staff. The group also noted the new organisational structure and rules of operation as a result of self-evaluation.

The mission considers the following areas to improve authority work most efficiently: (a) legal framework and overall independence of the regulatory authority (role of the government member supervising the authority, as well as their independence from energy promoters; ownership of nuclear facilities and waste disposal sites; limitation of the timeframe for authority decisions); (b) effectiveness, competence, and staffing conditions of the nuclear authority (incompatibility of authority and ownership roles within HAEA; co-ordination between authorities; internal quality assurance; financial and staffing conditions of the authority); (c) preparation and completion of inspections by site supervisors (training program for supervisors; integrated, planned, and recorded inspections); (d) decommissioning, radiation protection, and waste management of nuclear facilities (waste optimisation evaluation^ implementation of the ALARA principle; co-ordination with partner authorities; training on guidelines; integration of radiation protection inspection into authority activities); (e) authority management of accident prevention (information to general public, training, national level practice initiatives).

At the same time, the report [2] provided best authority practices to be followed, as listed below: (a) establishment of the Nuclear Financial Fund; (b) requirement for regular review of legal framework; (c) self-assessment performed by HAEA NSD (organisational improvements, emergency preparedness); (d) licensing activities of HAEA NSD being modern, efficient, and well organised; (e) establishment of flexible and effective co-operation with technical support organisations; (f) publication of annual HAEA NSD event analysis report on the Internet; (g) development of diverse computerised codes — different from those applied in industry — to perform authority evaluation of design bases accidents (DBAs) and beyond DBAs; (h) tendency towards an open and transparent authority activity as a result of HAEA NSD policies, and reflected in regulations and guidelines.

Although it is inevitable for the report to contain also subjective elements and some misinterpretations and misunderstanding due to the relatively short time provided for review, we do agree with most of

110 the statements. An action plan has been developed to implement proposals; the follow up mission to assess the measures taken is planned to take place in about one and a half years.

Another important evaluation of the Hungarian NRA is included in the second WENRA report published in October 2000.

A first assessment report by WENRA was published previously, in March 1999, the summary of which contains the following about the Hungary and the Hungarian NRA: "Legislation and other regulations are up-to-date, and compare favourably with the principles applied in Western countries. HAEA is also sufficiently independent from the organisations promoting nuclear energy." [3].

In the second report, WENRA again examined the seven applicant countries to EU operating at least one nuclear power plant unit, namely Bulgaria, the Czech Republic, Hungaiy, Lithuania, Romania, Slovakia and Slovenia. The NRA and the nuclear power plants operated have been evaluated in separate chapters for each country. (The Annex presents the general safety characteristics of RBMK and VVER type units.) Hungary was evaluated by experts from the Finnish and Belgian authorities, who had acquired in-depth knowledge about us in the course of the RAMG project of several years mentioned above. However, the report was approved by all WENRA members (heads of the Belgian, Finnish, French, German, Italian, Spanish, Swedish, Swiss, and British nuclear authority).

The report makes highly favourable statements about the Hungarian authority; however, it includes critical remarks as well: "The Hungarian approach t<3 licensing, regulating and controlling nuclear facilities has developed strongly in the last ten years. A proper licensing process is in place. Legislation and regulations are up- to-date, and the Hungarian regulatory practices are comparable with those: of Western European countries. Issues that need to be considered by the Hungarian Government are the following: • the fact that the Minister of Energy Affairs is also the HAEC President creates an apparent conflict of interest, even though the formal mandate of HAEC President precludes this,; • the number of different authorities with direct responsibilities in the regulation of nuclear facilities increases the risk that important issues may be overlooked, and decreases the efficiency of the regulatory work. The NSD needs to continue its efforts to develop the inspection approach towards process oriented comprehensive team inspections." [4]

With a view to the fact that antinuclear EU Member States consider WENRA to be biased towards nuclear energy, they demand independent and impartial reviews in order to assess the nuclear safety levels of applicant countries. For this purpose, the EC concluded an agreement with a consortium headed by the Austrian company ENCONET, which has produced a report recently. It is to be finalised after the ENIS-G meeting of January 19, 2001.

A new and important initiative has been made very recently under the umbrella of the Atomic Questions Group of the EU which established an ad hoc Working Party on Nuclear Safety (WPNS) with the aim to reach independent conclusions on the candidate countries' current situation and perspectives with regard to a 'high level of nuclear safety'. The WPNS investigates both regulatory framework and nuclear facilities. The report will be based mainly on the statements of the WENRA- report, but it will be updated with additional information provided by the respective countries.

Presently it is still not known what role will be assigned to those reports issued on the nuclear safety assessment of the countries awaiting EU accession; however, the above may support our opinion that there is no need to be afraid of the results as regards Hungary.

4. SUMMARY AND RECOMMENDATIONS Changes in the world, particularly in the Eastern and Central European region in the course of the past ten years have resulted in an increasing role of nuclear regulatory authorities in guaranteeing reactor

111 safety. NRAs should meet this expectation by improving their quality. Nuclear legislation and authority quality have been reviewed by several international groups with particular regard to countries applying for EU membership. Evaluations for Hungary have all produced positive results. This is promising from the viewpoint of Hungary, but it does not mean that authority effectiveness and efficiency development may be interrupted. As it is a permanent task to improve the safety of nuclear power plants, so is the continuous modernisation of the regulatory system, which is to be performed using feedback from international assessments, from the domestic and international experiences. Besides authority efforts, however, the Government also has tasks to perform having responsibility in the fields of legislation and providing resources for the authorities, which are specified in the Vienna Convention on Nuclear Safety and are precedent to the NRA being able to fulfil its mission according to the increased requirements and being challenged by changing environment of the electricity production.

As for a long time, the international co-operation has given support for the HAEA NSD, while the international experiences and 'good practice' serve as a mirror and in certain sense also as a scale, and the same time they facilitate our further development. Our practice — partly referred to the above — proves, that the IAEA and its services, programmes within the framework of the regional technical co- operation constitute a substantial component in this process.

Based on our experiences we recommend to the NRAs: (a) to use widely international missions for assessment of their regulatory effectiveness and efficiency; (b) to develop and operate internal quality assurance/management system; (c) to contribute to development of a set of indicators to be used for monitoring quality of authority activities; (d) to contribute to investigate added value of nuclear safety provided by NRAs; (e) to feed back experiences to the IAEA gained from IRRT missions to improve its efficiency.

References

[1] NUCLEAR ENERGY AGENCY, ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT, Future Nuclear Regulatory Challenges, A Report by the NEA Committee on Nuclear Regulatory Activities, 47 pp (1998).

[2] Report of the INTERNATIONAL REGULATORY REVIEW TEAM (IRRT) to HUNGARY, Budapest 21 May - 2 June 2000, International Atomic Energy Agency TC Project RER/9/052 IAEA-RU-9195 (can be downloaded from address: ftp://ftp.haea.gov.hu/public/irrt.pdf) (2000).

[3] WESTERN EUROPEAN NUCLEAR REGULATORS' ASSOCOATION, Report on nuclear safety in EU applicant countries, p. 13 (1999).

[4] WESTERN EUROPEAN NUCLEAR REGULATORS' ASSOCOATION, Nuclear safety in EU candidate countries p. 52. (can be downloaded from address: http://www.stuk.fi/english/nppO (2000).

112 XAO102783 IAEA-CN-82/55

THE UK NUCLEAR REGULATOR'S VIEW OF EXTERNAL INFLUENCES ON SAFETY1

SUMMERS, J. L. Health and Safety Executive St. Peter's House Stanley Precinct Bootle Merseyside L20 3LZ UK Fax: +441519514163; Email: [email protected]

Abstract

Over the past forty or so years, significant changes have taken place in the UK nuclear industry and the pace of change is continually increasing. As a consequence, the Nuclear Installations Inspectorate (Nil), the UK's nuclear regulator, has also had to change. This paper describes some of the challenges to safety that have arisen in recent years and how Nil's style of regulation has had to adapt to ensure that safety is maintained and improved. Nil's approach has been to: be proactive in its relations with Government and market regulators; adopt new competencies to equip it for the challenges it faces; strive to improve its efficiency and effectiveness; and develop new approaches to regulating changes in licensees' organisations and ways of working. Importantly, Nil seeks to amticipate change rather than react to it.

1. THE DRIVERS FOR CHANGE The nuclear industry in the UK is fifty years old, and the Nil was formed over forty years ago in response to the Windscale Pile fire. We have seen many changes to the nuclear industry and our style of regulation has had to adapt to ensure a continuing improvement in safety.

The first nuclear power reactors, at Calder Hall and Chapelcross were mainly for the production of plutonium for the military programme but they were also built as power stations and are still in operation. The Calder Hall design became the basis for the UK's first generation 'Magnox' reactor programme. At first, there were several nuclear design and construction companies, which were consortia of major British engineering companies. The power stations were owned and operated by two large integrated and government owned electricity utilities, who had large scientific and engineering resources to oversee design, construction and operation and were supported by the United Kingdom Atomic Energy Authority (UKAEA), a Government owned agency for research and support to the nuclear industry.

The privatisation of the electricity utilities and the formation of separate, though still Government owned, nuclear generating companies took place in 1989. In 1996 the more modern of the nuclear power stations, the Advanced Gas-cooled Reactors (AGRs) and the PWR at Sizewell B were privatised. The older, Magnox, reactors remained in the public sector and were later incorporated into British Nuclear1 Fuels (BNFL) in preparation for its eventual partial privatisation. Other parts of the nuclear industry have also seen changes: UKAEA has been broken up, with the core of its scientific expertise privatised; the Ro.syth and Devonport Royal Naval Dockyards have been licensed as government owned commercially operated submarine refuelling facilities and eventually privatised. And the management of the atomic weapons manufacturing installations at Aldermaston and Burghfield has been contractorised and brought under Nil's licensing regime.

1The views expressed in this paper are those of the author and do not necessarily reflect the views of the Nuclear Installations Inspectorate.

113 We have seen the expansion and subsequent decline of nuclear safety research, which has left Great Britain with a number of ageing nuclear research sites. A wide variety of research facilities, including fast breeder reactors and fuel cycle facilities are now being decommissioned. Additionally, some of the first Magnox power reactors are now being decommissioned and BNFL has indicated closure dates for the rest. Radioactive waste, which has been accumulating for many years, now needs to be treated and stored in a passively safe state pending ultimate disposal.

Some would say that the nuclear generation industry is now a mature, production industry, rather than one seeking technical advance and development. But no new power stations have been ordered for 15 years; the expertise is decreasing; and the vast technical resource, which underpinned the nuclear programme, has reduced dramatically. Staff and expertise has been lost and the Universities, which provided the engineers and scientists, have ceased to provide undergraduate courses and the range of postgraduate courses has been drastically reduced.

Significant initiatives, by Government to further deregulate the UK energy industries and by the nuclear generating industry itself in response to pressures from competing fuels, are leading nuclear generators everywhere to seek cost reduction and rationalisation. This is not particular to the nuclear industry as restructuring, mergers, demergers, deskilling and downsizing are part of modern life.

Whether or not the nuclear power will be seen in the 21st century as providing a significant contribution to global economic growth and to reductions in global warming, only time will tell. But there can be no future for nuclear power if it cannot be shown to be safe and the management of nuclear waste shown to be exemplary.

2. IMPACT ON THE SAFETY REGULATION OF THE INDUSTRY Nuclear operators have to fend for themselves in the electricity market. The changes to the market are increasing the commercial pressures. A fully private company has to satisfy its shareholders and protect its share price. The prospect of take-overs is real and continuous and this has a substantial short term component. Arguably, the nuclear power companies have changed in ten years from being stable, well resourced and monolithic public servants which had the luxury of being able to take a predominantly long-term view, into lean participants in a changing, competitive market where a short term view is also necessary in order to ensure survival. This may be good for commerce, but we have to consider the implications for safety.

The challenge for the regulator is to create the environment where it is recognised that good management improves both commercial and safety performance; it should not set them up as separate and opposing objectives. The safety regulator has to change too, and adapt to challenges to almost every sphere of its activities. From mirroring its licensees as stable and conservative, with a natural reluctance to accept change, it has to become more proactive and predictive, seeking to understand and anticipate developments. And it has, where possible, to seek to influence the drivers behind change.

In turn, economic competition is causing nuclear generating companies to question more closely the safety regulators' actions and seek the lifting of, what they perceive to be, 'unnecessary' regulatory burdens. In addition, as safety regulators increase their scrutiny in certain areas (such as organisational structures), operators may feel that regulatory burdens are increasing. Thus, Nil, in responding to the competitive environment, is examining its effectiveness and taking measures to improve efficiency.

We recognise that the role of the safety regulator is to assure the safety of activities, it is not to put unnecessary impediments in the way of legitimate business practices. So there is a further challenge to regulators: to continue to ensure the proportionality of their regulatory responses. Thus it must recognise and permit new practices that improve or, at least, are not detrimental to safety. And it must resist practices that are likely to be detrimental. It could be said that these changes and challenges have always been with us; but the issue today is one of increased pressure, increased speed of change and the flux of many changes occurring at the same time. New responses are therefore needed.

114 3. CHALLENGES TO SAFETY FROM RESTRUCTURING Examples of challenges and the corresponding responses from regulators are categorised below in groups, for simplicity of description. But in reality, the issues cannot be compartmentalised, they interact and their influence is indivisible.

3.1. Pressures on Licensees

Nil's concern is that Licensees' focus may have moved from the long term to the short; and from safety to economics. As management focus is diverted to commercial issues, and particularly at times of financial stress, there can be a response of restructuring and re-appointing at Executive level. Ontario Hydro's difficulties warn us to watch for the possibility of executive management becoming decoupled from technical safety issues or for there to be a loss of capability to properly understand such issues. Nil looks carefully at licensees' Executive level restructuring and at the experience record of new Executives.

3.2. Pressures on Licensees' staff and their culture The concentration of the company on economic performance, the effect of downsizing and the use of contractors can, amongst other things, lead to overwork, uncertainty, deteriorating communications and unclear accountabilities.. The age profile and the tendency to lose the older staff during down sizing through early retirement can result in a disproportionate amount of expertise and skills being lost. These can increase stress and hence challenge the effective delivery of safety. Our Inspectors look for symptoms of stress and safety culture degradation.

3.3. Licensees' utilisation of their plants The most obvious response to financial pressures on power station owners is to seek reductions in plant operating margins (which can include safety margins), in order to uprate plant output. Reducing maintenance, engineering changes to plants to uprate and changes to the maintenance philosophy can also be carried out. But licensees find that there may be a corresponding decrease in reliability and availability if these initiatives are handled wrongly and there has to be a careful analysis of the benefits and commercial risks. There is a synergy with safety risks and commercial risks and between engineering and organisational change. Change needs to be carefully thought out, carefully planned and other precursors put in place if they are to be successful in commercial as well as safety terms. In some cases plant owners have sought to take what appears at first to be a counterintuitive course of action by seeking better reliability by reducing the amount of plant changes, while taking the secondary benefit of reducing engineering and technical effort. This latter course of action can also lead to licensees developing a reluctance to back fit safety improvements and to carry out plant ageing mitigation, as they realise the benefits to be gained from reduced engineering work.

Nil has always had licence conditions to give it regulatory control over operations, maintenance arrangements, engineering change, and periodic (plant ageing) reviews. A new licence condition, Licence Condition 36 (LC36), giving Nil regulatory powers to address organisational change is discussed later in this paper.

3.4. Licensees' organisational change The UK nuclear industry has seen: divestment, mergers, change of ownership and privatisation. Such issues typically demand a relicensing response and the number of licences that Nil has processed over recent years has increased. A take-over by a foreign owner is an obvious possiibility to be considered, and UK licensees have diversified into foreign markets, a development that could lead to a loss by senior managers of focus on domestic activities.

Less substantial management and organisational changes are occurring with increasing frequency, particularly: demanning; contractorisation; multiskilling; and shift pattern changes. LC36 gives Nil regulatory powers to deal with them. They produce a flux of changes which may interact with one

115 another with effects that are hard to predict, and LC36 requires licensees to have a systems approach which incorporates reviews of interactions between individual changes.

3.5. Infrastructure Issues The same pressures and developments affecting nuclear power plant owners are affecting industry generally, indeed nuclear power plants have tended to lag the rest of industry and this gives an opportunity to anticipate possible developments in the nuclear industry. The consequence of downsizing and contractorisation has been reductions in expertise and skills amongst contractors and suppliers, and this is exacerbated by the lack of orders for nuclear power plants in the UK for 15 years so that many suppliers can no longer support specialist equipment or expertise. Design knowledge and capability has similarly declined and the decline has spread back to the Universities. Nuclear science and technology teaching is in decline, yet the industry will be around for many decades to come. The current age profile in the industry and the safety regulator is such that, without a reversal, there could be a significant knowledge gap in 10-20 years from now and Nil is in dialogue with Government in proposing action on this.

Licensees are becoming more reluctant to continue funding nuclear research, which in addition to being a concern to the regulator, which needs to assure itself that licensees will be capable of adequately responding to problems, itself contributes to the overall decline in expertise. Prior to privatisation Nil sought, and was given, powers to compel licensees to fund or carry out necessary nuclear safety research. This power has been valuable in preventing an unacceptable reduction, but the pressure for reduction continues.

3.6. Societal and Political Issues The onset of privatisation and market deregulation in the UK was Government inspired. The regulator was drawn into the public debate about the impact on safety. This was a stimulus to Nil to address the matter proactively and Nil's thesis was that the proposed changes in the industry could be managed effectively, so that safety levels are maintained, if licensees and the regulator recognised the implications of the changes and think ahead. There was a need for strong responses from the regulator coupled with the Government being responsive to the needs of safety in formulating their proposals. Nil was very proactive in advising Government on this.

When privatising utilities in Great Britain, Government has established market regulators to ensure proper competition as the market is 'imperfect'. This is because there are monopoly aspects associated with the sharing of parts of the infrastructures, such as the electricity grid or the gas delivery pipelines. In addition, market regulators are charged with driving prices down for the consumer. Nil has considered it necessary to hold dialogue with the market regulator for electricity to ensure that safety factors are considered when market regulatory activity takes place. For example, UK power stations are not in general designed to be load following and the New Electricity Trading Arrangements (NETA) about (at the time of writing) to be put into affect will in effect penalise nuclear generators for this lack of flexibility, increasing price pressures. NETA has the potential to shift the focus of executive management and operating staff further towards commercial activities.

In the Britain there is political will to improve the openness and transparency of public bodies, a situation which did not exist until relatively recently. Nil has responded by publishing more information about its decision making and explaining significant decisions in public documents.

Most of the UK's existing nuclear units will be shut down in the next 20 years. In the meantime, the Kyoto global warming targets may be tightened, and even the existing target will be threatened by closure of the old nuclear units. It is prudent to anticipate the challenges to the regulator if new build is proposed, and Nil keeps a watching brief on this.

116 3.7. Direct pressure on regulators The pressures on nuclear licensees are prompting them in turn to a more challenging relationship with the regulator. Operators are demanding more evidence of consistency and proportionality in Nil's regulation. This is quite appropriate, and our view is that the public expects that the nuclear industry, because of its unusual hazard potential, will continue to be strongly and transparently regulated. As part of licensees' challenging stance, there are more claims that Nil is interfering with licensees' business initiatives. This is especially true of the recent initiatives Nil has taken to regulate: organisational change (see below); maintenance of licensee's competence; and the use of contractors. Nil is countering these claims by holding workshops and other dialogues with various levels of licensees' staff to explain the basis of our activities.

The reduction in the availability of external expertise, mentioned above, has effects on the regulator and its ability to get an independent view in certain technical areas. This puts pressure on building up in-house expertise and Nil is actively seeking to recruit new staff to build up its expertise and counteract the effects of retirement of experienced staff.

3.8. Financial sind economic issues In the past, Nil generally restricted its oversight of commercial matters to assuring, at the time of licensing, that utilities had a stable source of income to operate the plants safely and to decommission their plants after retirement and safely manage the waste.

During privatisation of the nuclear generating industry, Nil sought assurances from Government, and made its own independent assessment (using external financial advice) on the: financial capability of the companies. Government also set up a segregated fund to manage the financing of decommissioning liabilities, consulting Nil closely. We continue to watch the privatised licensees, in particular, through for example the share price, for financial stress as this could be a precursor to pressure on the resources available for the discharge of safety duties. Nil also monitors the licensee's segregated decommissioning fund to satisfy itself that it is being administered prudently.

4. REGULATORS RESPONSES TO CHALLENGES A number of examples have been given in this paper of specific responses by Nil to safety and regulatory challenges. In addition to these there has been a systemic response:

4.1. Licensees' management of change (LC36) Central to Nil's strategy of dealing with the kinds of changes arising recently is to ensure that it is done safely. An important aspect of Nil's approach to the regulation of the restructuring of the nuclear power industry for privatisation, was to gain confidence that the licensees were approaching the change in a systematic and controlled manner. This was necessary not only to ensure that the final outcome ensured adequate safety standards but also that in moving toward the end point the safety of the operating stations was not adversely affected.

However, in 1998 it was becoming clear that licensees' management of change was of such importance that it required regulatory oversight and that a consistent and proportionate approach was needed. There was also uncertainty as to whether Nil had sufficient regulatory powers to control and, if necessary halt, changes which may affect safety. In June 1999, Nil felt it necessary to attach a new licence condition (LC 36) to all nuclear site licences, which came fully into force on 1 April 2000. Under LC 36, the licensee must make and implement arrangements to control changes to its organisational structure and resources which may affect safety. These arrangements must, where appropriate, allow for Nil to agree to changes before they are implemented. LC36 also gives Nil the power to halt changes in the interest of safety.

Nil expects operators to apply their arrangements to organisational structures and resources, including staffing levels. Also covered should be changes at the corporate centre and the influences of other

117 organisations upon whom the licensee relies on to deliver nuclear safety. Central to the arrangements a licensee must make under this condition is the requirement that it must establish a process by which the requisite size and structure of its organisation is determined and substantiate this baseline, for without such a baseline it is hard to see how change can be effectively managed. At the time of writing, all licensees have established their arrangements and most have been approved by Nil: of the changes processed since April 2000, most are satisfactory. The next step is for Nil to carry out targeted inspections.

4.2. Nil's capability Although LC36 is the keystone of Nil's response to changes, it needs to have competencies beyond those regarded as traditional, for example extending into understanding organisations, finance, commercial law. Additionally, Nil needs to ensure the retention of its existing capabilities. The pressures, noted above, of loss of experience of older staff, reductions in numbers of contractor companies, reductions in research, possible new build etc. can be expected to impinge on Nil's own capability. Nil has initiated a recruiting drive and this will enable older staffs expertise to be shared before they leave.

4.3. Nil's regulatory effectiveness Nil has also had to become more effective and efficient, and is seeking continuous improvements through its adoption of the European Quality Foundation Business Excellence Model and has reorganised itself to a more licensee-focussed structure. It has gained Investors In People award, sponsored by UK Government's Department of Trade and Industry as part of a commitment to training, staff development and the effective use of its staff. International exchanges are a vital part of sharing and developing experience.

We are also seeking improvement through the review of our regulatory standards and processes (for example the Safety Assessment Principles — SAPs and Licence Conditions) and have developed and shared with stakeholders, guidance for Nil's Inspectors dealing with some of the issues described in this paper (examples are: LC36, contractorisation, licensees' competencies, management of safety).

5. CONCLUSION Nil has adapted to the many changes that have occurred in over forty years. It continues to monitor developments and seeks to focus on the drivers for change in order to be anticipatory. Nil seeks to improve its effectiveness in regulating in a changing world.

118 XAO102784 IAEA-CN-82/57

REQUALIFTCATION OF THE STEAM SUPPLY SYSTEMS OF UNITS 3 AND 4 OF THE KOZLODUY NPP TO A NEW MODEL WWER-440/B-209M

IORDANOV, I., SABINOV, S., OURUTCHEV, V., STOEV, M. Kozloduy Nuclear Power Plant pic. BG-3321 Kozloduy, Bulgaria Fax: +3599732591; Email: [email protected]

Abstract

In order to achieve significant advance in operational safety level, the prcject characteristics, the possibility of safety systems upgrading and operational conditions of Units 1 to 4 of the Kozloduy NPP were an object of very serious and in-depth analysis in the years 1990-2000. This systematic evaluation was initiated under the broad international concern resulted from the conclusions of IAEA missions held during 1990-1991 to assess the safety of the units. As a result of the efforts of the plant staff and many international 'experts the operational conditions, design safety and plant management were dramatically improved which resulted in bringing the plant to a new safety level. This review also developed such that the design safety features of Units 3 and 4 are significantly different from those units of the so-called V-230 group. The principle difference and advantages of Units 3 and 4 design were clarified and confirmed. A review process of the changed status of Units 3 and 4 safety was conducted in 1999-2000 with the help of IAEA experts and the experts of RISKAUDIT and WENRA. The process led to the conclusion that the significance of advantages of the safety level need to be encapsulated within a new safety case and the corresponding set of steps was combined as a "Project for upgrading the Nuclear Steam Supply System of Units 3 and 4 of Kozloduy NPP to model WWER-440/B-209M". The completion of the activities under this project is expected in 2002 following the major implementation phase during 2001/2002 units' outages.

1. THE BASIC IDEAS OF PROJECT PR-B-209M

Earlier review of the design safety features of Units 3 and 4 confirmed that they are significantly different from those units of the so-called V-230 group. In contrast to the units of B-230 type, a three trains structure of safety systems is used. The capacity of emergency core cooling systems is defined by the condition to avoid significant fuel rods damage in case of main pipeline rupture in primary circuit. Many other technical solutions are implemented in the project in order to achieve higher safety level. These are the emergency control room, separated control systems for the active safety systems etc.

These good design solutions were significantly developed and expanded in sequentially implemented programs - "Short term safety improvement program" (1991-1997), "Complex program for units' upgrading" (since 1998 up to 2000), "Program for preparation and conducting of OSART mission in 1999". The implementation of these programs created the base for essential changes in the views for safety level of these units.

The aim of the new project PR-B-209M is to implement the necessary technical measures, analyses and design documentation changes for units' design basis change and to demonstrate the correspondence of new project to the contemporary safety requirements for the necessary internationally accepted level. The project consists of set of technical measures to address the remaining safety issues with regard to the solutions already internationally accepted and a special design review study for comparison and justification of the changed design status, taking into account contemporary design safety requirements.

119 The project was launched in 2000 on the basis and as a continuation of the Complex Program for modernization of the units thus assuring the consistency of the approach for continuous upgrading of the units safety.

The provision of core cooling with all initiating events that are related with primary circuit rupture is included in the safety analysis review of new project B-209M. The demonstration of not exceeding the limits for radiation impact on the environment in case of such events is also included. The acceptance criteria and conditions for the correspondent analysis are reasoned in each particular case in correspondence with the recommendations of IAEA and WENRA experts.

Guillotine brake of primary pipeline with diameter 209 mm is accepted as a base for demonstration of the capacity of core cooling systems, their single failure tolerance with conservative initial conditions and for system modelling. This is in correspondence with the approach accepted by IAEA.

The specific aims regarding the decisive aspects of unit safety are presented in next paragraphs: • Reliable fuel cooling (in order not to reach conditions for fuel rod damage) has to be demonstrated for all postulated initiating events, related to brake of primary circuit pipelines with diameter 200 mm. This suppose using of deterministic approach (conservative initial conditions, considering single failure, acceptance criteria as for design base accident), including the radiological consequences. The accepted initial and limiting conditions have to be reasoned in the analyses. The conditions for preserving the fuel rod integrity are defined in the applicable documents as follows: - temperature of fuel cladding — not higher than 1200°C; — local depth of fuel cladding oxidation — not more than 18% of initial wall thickness; - percentage of reacted zirconium — not more than 1% of its quantity in the core. • The initiating event with main circulation pipeline break (diameter 500 mm) is analysed using realistic approach regarding the initial conditions and availability of normal operation systems and safety systems. It has to be demonstrated for this initiating event that non-permissible change of fuel rod geometry in the core (melting, plastic deformation) is not reached. • The problem with providing of fuel cooling for initiating events with LOCA is related directly with the requirement for guaranteed integrity of the last barrier - the construction of containment, and with satisfying the defined criteria for acceptable radiation impact of the accidents that are presented below. • An approach using supplementary emergency feedwater system is implemented for Units 3 and 4 regarding the initiating events without loss of coolant. As a result the program measures lead to minimizing the probability of core damage. The basic sequences defining this probability are determined using the methods of probabilistic safety analysis and minimizing their impact is in the base of providing a general core damage frequency less than 10"4. • Preserving of concrete hermetic compartment integrity has to be demonstrated for all initiating events and with dynamic loads during the accident. A filtered pressure relief system will be implemented for pressure limitation. This solution is equivalent with the solution for pressure limitation used in B-213 project (bubble condenser). • The leak of steam generator compartments has to be limited gradually by the project to not more than 100% volume/24 hours for the conditions of tightness test that is performed each year. At the same time, the maximum permissible untightness of the compartment is defined using the given below limits for radiation impact in case of accident. • Satisfying of criterion for beyond design accident in accordance with BNSA requirements has to be demonstrated for all initiating events related to a rupture of real primary circuit pipeline with DN 200 mm. The criterion for initiating event with a rupture of pipeline DN 500 mm is not exceeding the limits for radiological impact for beyond design accidents. • The accepted limits for the maximum forecast individual dose of population are defined as follows: — For design base accidents - effective dose of 50 mSv during the first year after the accident and absorbed dose of 150 mGy for the thyroid of a person on the border of preventive measures area;

120 — For beyond the design base accidents - effective dose of 5 mSv during the first year after the accident aind absorbed dose of 50 mGy for the thyroid gland of a person on the border and out of the area for protective measures of 'Kozloduy' NPP. • It is foreseen an implementation of a set of measures for filter modernization of the design ventilation systems in order to minimize the radiation impact on the environment during normal operation. • The approach of the updated revision of program PRG'97A is used. It includes focusing on activities in the preventive measures' area - analysis of the real condition in order to define the strength margin, identifying the potential mechanisms for degradation and initiating of corrective measures if necessary. A number of strength and safety analyses are planed for that purpose. The necessary measures for providing the main pipelines reliability during seismic event are implemented too. • A progress of the measures for early leak detection is planned using three qualified systems based on different principles. At time being one qualified and three not qualified systems on different principles are used. A progress in metal control as an organization, technology etc. is planned too. • The approach of the updated revision of program PRG'97A is used. It includes continuation of risk analysis and completion of the necessary measures for equipment qualification, seismic strengthening of the constructions considering the updated seismic assessment, additional measures for fire safety etc. • An implementation of a number of measures and development of a complete strategy for severe accidents' management are included in the project. These are reactor level measurement, forced filter ventilation of the compartment, installation of hydrogen recombination system etc. • An upgrading of the design base of project B-230 units to project B-209M is achieved as a result of the different measures' implementation and satisfying the specific aims. In order to prove the bringing of original design base to the improved level, a technical document for implementation of the pack of project measures has to be issued for each unit separately.

2. SCOPE OF THE PROJECT

In general, 62 technical measures are included in the project. They are distributed in the accepted 13 groups' system considering the measures' impact on the aspects of safety provision in NPP. They are developed on the base of NPP operational experience considering the specific requirements for satisfying the aims that are defined above.

The most of measures (35) will be implemented by the end of 2001. Another 25 measures have to be completed in 2002. The last three measures, partial implementation of which is provided during units' outage, will be completed in 2003.

The total costs of project implementation are evaluated as above $66 000 000 and the funding is provided completely by NPP investment program. All opportunities for additional foreign funding (using PHARE program, for instance) shall be used on occasion.

3. THE PROCESS OF REQUALIFICATION

Based on the above presented approach in the beginning of the year 2001 the formal process of transferring KNPP units 3 and 4 to a new model was initiated jointly by KNPP and leading Russian design and scientific organization including the Main Designer. The process itself comprises of three stages: • Development of a methodology for evaluation of the new units safety case and for review of the upgraded plant from the point of view of existence of effective protective leers. Agreement on this methodology by Safety Authorities; • Performance of the evaluation according the agreed methodology and preparation of justification for the acceptance of the new safety case and consequently, of the new model. Presentation of this justification to the Safety Authority;

121 • Preparation of specification of the set of design documents representing the new model and introducing the changes into plant documentation.

A technical specification and work plan to perform the necessary steps were approved together with a schedule that foresees all work for justification to be done till the end of 2001.

4. CONCLUSION The successful finalization of the project "Project for upgrading the Nuclear Steam Supply System of Units 3 and 4 of Kozloduy NPP to model WWER-440/B-209M", together with the already implemented modernization of Bohunice NPP Units 1 and 2 shall be considered as a great success of the concentrated efforts of the international community, IAEA and the corresponding countries toward improvement of safety in nuclear installations built on earlier standards and shall be used as a guiding example for other eastern countries.

122 TOPICAL ISSUE 3:

SAFETY OF FUEL CYCLE FACILITIES XAO102785 IAEA-CN-82/12

SUCCESS IN BEHAVIOUR-BASED SAFETY AT LOS ALAMOS NATIONAL LABORATORY'S PLUTONIUM FACILITY

WIENEKE, R. E., BALKEY, J. J., KLEINSTEUBER, J. F. Los Alamos National Laboratory NMT Division, P.O. Box 1663, MS E501 Los Alamos, New Mexico USA 87545 email: [email protected]

Abstract

Los Alamos National Laboratory's (LANL's) Plutonium Facility is responsible for a wide variety of actinide processing operations in support of the United States Department of Energy's (DOE's) stockpile stewardship of the nation's nuclear arsenal. Both engineered and administrative controls are used to mitigate hazards inherent in these activities. Nuclear facilities have engineered safety systems that are extensively evaluated and documented, and are monitored regularly for operability and performance. Personnel undergo comprehensive training, including annual recertification of their operations. They must thoroughly understand the hazards involved in their work and the controls that are in place to mitigate those hazards. A series of hazard-control plans and work instructions are used to define and authorize the work that is done.

Primary hazards associated with chemicals and radioactive materials are well controlled with minimal risk to the workforce and public. The majority of injuries are physical or ergonomic in nature. In an effort to increase safety awareness and to decrease accidents and incidents, a program focusing on the identification and elimination of unsafe behaviours was initiated. Workers are trained on how to conduct safety observations and given guidance on specific behaviours to note. Observations are structured to have minimal impact upon workload and are shared by the entire work force. This program has effectively decreased a low accident rate and will make long-term sustainability possible.

1. LOS ALAMOS NATIONAL LABORATORY Los Alamos is one of the United States' national laboratories owned by the DOE and operated by the University of California. The Laboratory is one of the original nuclear weapons complex laboratories dating back to Project Y of the Manhattan Engineering District during World War II [1]. Consequently, research with radioactive materials has been conducted at Los Alamos for over half a century and remains one of the primary responsibilities of this institution. The capabilities of the Plutonium Facility are essential in accomplishing one of the Laboratory's core missions of Stockpile Stewardship of the Nation's nuclear arsenal.

The Laboratory occupies about 111 square kilometres in north central New Mexico about 40 kilometres northwest of Santa Fe, the state capital. It is located at an elevation of approximately 2,200 meters above sea level on the Pajarito plateau on the east flank of the Jemez Mountains.

2. NUCLEAR MATERIALS TECHNOLOGY DIVISION The Nuclear Materials Technology Division (NMT) is one of the Laboratory's organizational units and is responsible for the operation of the Plutonium Facility. The Plutonium Facility is a concrete- reinforced structure designed in accordance with DOE general design criteria for plutonium processing and handling facilities and was completed in 1978. It has a floor area of 14.000 square meters consisting of a service floor and an operations floor that is divided into two independent halves and organized into four operating areas numbered 100 to 400. The 100 and 200 areas contain plutonium research and development laboratories, reactor-fuels laboratories, plutonium-238 heat-source fabrication operations, analytical chemistry, and personnel decontamination areas. The 300 and 400

125 areas contain actinide processes (both wet chemistry and pyrochemistry), metallurgical operations, parts machining, waste operations, and non-destructive assay laboratories. Diverse activities and a rapidly changing project base present a challenge to waste operations.

3. NUCLEARFACILITYSAFETYPHILOSOPHY Engineered barriers provide the most effective protection from radioactive and hazardous materials. The barriers in the Plutonium Facility have been incorporated through architectural and structural design and employ differential pressure zones, High-Efficiency Particulate Air (HEPA) filtration, glove boxes and radiation shielding in the design of the facility. Administrative procedures augment these passive safety features with the identification of radiological control areas, routine monitoring programs, use of personnel protective clothing and detailed work instructions. Extensive safety analysis reports document these controls and evaluate 'design basis accidents' to ensure that stipulated release limits, under accident conditions, are not exceeded. Safety-significant structures, systems and components critical to the proper operation of engineered safety systems are identified. Surveillance and test criteria are established to verify their operability. All operations conducted within the facility must be performed within the established 'safety envelope.'

Personnel integrity and competence are key to the success of any endeavour, and safety is no exception. Individual training plans are established based upon job assignments. Personnel must be knowledgeable of the hazards and risks that they face, and training is designed to reinforce their understanding. Technicians participate in the evaluation of their operations to identify and quantify hazards inherent in work activities. Mitigating factors (both engineered and administrative) are considered that reduce risk to acceptable levels. These hazards analyses are documented and provide the basis for the development of work instructions that are used to perform the work. Personnel are trained and qualified on these hazards analysis and work instructions. In addition to classroom training, new personnel are mentored by experienced operators before being allowed to work independently. Risky operations always require at least two people to perform.

This safety methodology has resulted in low accident/incident rates. Serious accidents involving chemicals and radioactive materials are rare. Physical injuries (cuts, scrapes, strains, sprains, etc.) and repetitive motion injuries dominate job-incurred injuries. In order to achieve and sustain lower accident/incident rates, it became apparent that a new approach to safety must be employed that would change the traditional perception of safety and would result in a fundamental shift in behaviour and attitudes toward safety.

4. TRACKING OF ACCIDENT AND INCIDENTS Two independent systems are used to track accidents and incidents at LANL. One addresses radiological incidents such as unplanned exposures to penetrating radiation, contamination with radioactive materials and internal uptake of radioisotopes. The other records chemical exposures and physical injuries incurred on the job. A database is used to record information pertaining to the injury and document factual information on the incident, root-cause analysis, and track corrective actions. No-blame inquiries are held as soon as possible after the incident in order to capture the accurate information needed to perform a thorough investigation and to take action to prevent accident recurrence. This information is also advertised Laboratory-wide and sometimes DOE-wide as lessons- learned for facilities that conduct similar operations. If the incident is serious enough, it triggers a higher level of notification arid response as outlined in DOE order 232.1, Occurrence Reporting and Processing of Operations Information [2]. We will concentrate on accident response within the Laboratory and NMT Division in this paper.

The collection and reporting of industrial accident data is conducted in accordance with the Occupational Safety and Health Act (OSHA) [3]. Accident rate definitions are calculated on the basis of a one-year running average and are expressed by a normalized factor of lost workday cases per 200,000 working hours (100 person-years). Accidents are defined as job incurred or aggravated injuries requiring more than first aid to treat. These accident rates have been declining in an irregular

126 manner and appear to be approaching an asymptotic limit. It is this artificial limit that based-based safety is intended to address.

5. BEHAVIOUR BASED PHILOSOPHY The application of principals relative to one's daily experience is beneficial hi order to realize a more complete understanding of the concept behind based-based safety. The idea of consequences controlling behaviour, generally regarded as the foundation concept, is the key. In day-to-day activities, the majority of behaviours rely on applying previous experience of consequences (both negative and positive) as the reinforcing factor. A simple example: a burn received from touching a hot stove uses a negative consequence as a predictor of future behaviour. Conversely, the use of protective measures preventing the negative consequence of a burn reinforces the behaviour from a positive aspect. The imitation or modelling of behaviour provides additional consequences acquired from something other than trial and error experience. The approval demonstrated by parents as their infant smiles communicates a positive consequence and repeatedly reinforces repetition of the behaviour.

It is the work of B.F. Skinner [4], generally regarded as the founder of based-based science merged with W. Edwards Deming's Total Quality Management (TQM) [5] that provides the basis for successful implementation of based-based safety. Scientific sampling of statistical data provides a measurement of the quality of safety and when coupled with positive, reinforcing consequences encourages the desired safe behaviours.

The based-based safety process is designed to engage the workforce in the implementation and utilization of their own safety initiative. The process, being employee-driven, is based on the simple act of having workers observe other workers and provide feedback to safe and at-risk behaviours. Observations typically take 10 to 15 minutes. Observations are strictly conducted under the conditions that no names are used and no blame is placed. A prospective observer takes 2 days of training on how to perform observations: • the observer uses a Critical Behaviour Inventory® and a data sheet looking for safe and at-risk behaviours; • following an observation, the observer gives feedback to the worker and allows the worker to comment on the feedback; • observation data are entered into a database for analysis and problem solving.

This process iis founded on the premise that for every accident there are hundreds or sometimes thousands of at-risk behaviours. When at-risk behaviours are reduced, the likelihood of injuries is reduced also. A successful approach must not, in any manner, imply that the workers are the problem. In fact, the two-way feedback promotes the idea that the workers are indeed the solution. Workers typically perform at-risk behaviours because barriers to safe work often force workers in conflicting directions. The following barriers are categorized into groups and offer some examples: • Hazard Recognition and Response The worker has inadequate skills or knowledge and does not know or is unaware that the situation represents risk. The worker may be adequately trained and experienced but lias become used to the risk. • Business Systems The at-risk situation is the result of an organizational system that was unreliable. When a system is inefficient, employees will avoid using it or they may find ways around the system. • Rewards/Recognition The at-risk behaviour is encouraged (or conversely the safe behaviour discouraged) as a result of misguided reward and recognition practices or by the absence of accountability for following safe practices. Misguided rewards and recognition may be formal but based on production and not on safety, or informal through peer pressure leading to the omission of certain safety-critical steps. • Facilities and Equipment

127 The task is performed at risk in that it is difficult or impossible to do it safely because of equipment or workstation design, lack of adequate maintenance, or unavailable tools or equipment needed to do the work safely. • Disagreement on Safe Practices The at-risk behaviour stems from an absence of agreement on the safe way to perform a job. • Personal Factors The at-risk behaviour results from personal characteristics of the worker that result in him/her deliberately taking risks or refusing to work safely as a result of factors such as fatigue, medication, stress, or illness. • Culture The at-risk behaviour is a long-established practice; 'we've always done it that way.' • Personal Choice The worker has adequate skill, knowledge, and resources but chooses to work at risk to save time, effort, or something similar.

In order to remove these barriers we must understand which ones are causing at-risk behaviours. The way this is accomplished is through observing and talking with employees. The feedback loop provides individual employees a method of hazard recognition and reporting that remains anonymous, with a built-in matrix to elevate safety issues for resolution as necessary. As the data and feedback are received in large numbers from the employees, the barriers to safe work are defined and addressed.

6. PROGRAMME STRUCTURE The NMT based-based safety initiative began by forming an identity separate from existing Laboratory institutional safety programs. Employees were asked to participate in a contest to find a name. Ultimately the name chosen was ATOMICS. This acronym stands for Allowing Timely Observations Measures Increased Commitment to Safety.

The roles and responsibilities were established and clearly defined. These included definitions of roles for the management sponsor (the champion of the process initiative), the facilitator, the steering team, the observers, and the employees. Brief examples are listed below. Management sponsor: • assists committee members and obtains necessary resources; • has regular contact with facilitator and steering committee,; • serves as liaison between management and the committee that includes representing management's point of view to the committee and bringing committee concerns and views to other managers; • supports the confidential nature of the observation process. Facilitator: • serves as liaison with management, which includes meeting with management sponsor and/or NMT Facility management team at least monthly for progress and status reviews; • serves as liaison with outside groups, which includes providing information about the NMT based-based safety process to other Laboratory organizations and outside institutions; • acts as facilitator/chair of committee meetings. Steering Committee: • attends training as necessary to implement this process in NMT division; • completes individual or subcommittee assignments to fulfill committee objectives; • recruits and trains observers; • maintains observation skills. Mentor observers to ensure quality observations; • uses observation data for problem solving. Observers: • explain and emphasize 'no names, no blame,' and keep observations confidential; • know and understand the observation data sheet and definitions; • give immediate and positive feedback to the person or persons being observed;

128 • attempt to understand why at-risk behaviour occurred; • support the NMT based-based safety process and the Based-based Accident Prevention Process (BAPP®) by words and actions; • follow all postings applicable to the area while performing observations; • stop work when necessary, using LANL guidelines. (See LIR 401-10-010, Stop Work and Restart [6]-) If work is stopped: Immediately stop the observation so that anonymity is not confused or compromised. Employees • give the based-based safety process a chance to work; • maintain familiarity with the process; • cooperate with observers; • provide the steering committee feedback on process effectiveness; • review feedback charts; • discuss safety concerns with the steering committee members or other observers.

7. PROGRAMME PLANNING AND IMPLEMENTATION NMT Division contracted Behavioural Science Technology, Inc. (BST®) [71 to guide our efforts to improve our safety record and decrease the accidents and incidents that consistently kept the Division on an unacceptable plateau. The BST® consultants initially made an extensive assessment of site safety perceptions by making numerous visits to the Laboratory, performing informational training and surveying the existing culture. The results of the evaluation are measured on a series of scales defining the degree to which personnel judge the adequacy of site safety. The consultant then uses an implementation design team to communicate and educate the Division and develop a strategy based on previous data and experience. Participants in the implementation of the process were selected from the workforce based upon specific guidance criteria. The consultant trained the steering team in the details of the technology, and behaviours critical to safety were mapped out. The inventory that was derived from past accidents and incidents defines the Critical Behaviours Inventory (CBI®) and forms the basic pool of observational data to be collected. Input and comments from employees were solicited through a series of ownership presentations given to all groups in the Division. The steering committee developed and subsequently trained the workforce in based-based observation techniques to collect the data for tracking and identifying the barriers to safety improvement. The steering committee also underwent traiining in interpretation and action planning using the collected daia.

8. PROGRAMME EVALUATION Indicators of the success of the ATOMICS process are showing steady improvement. The level of demonstrated management support for employee participation in observation training, observation data collection, and anonymity has been clearly defined and communicated by memorandum to the Division. The group leaders, in turn, lend support for the implementation by setting a positive example and by providing financial resources. Allowing time for the participants to support based-based safety is actively encouraged, and regular progress reports are expected and used by managers. This level of commitment is crucial to the long-term success of the based-based safety process in the Division.

Employee efforts during a pilot implementation at another NMT facility (before the ATOMICS process) yielded invaluable experience and lessons learned that were incorporated into the ATOMICS implementation. A major obstacle identified in the pilot was the lack of defined and demonstrated management commitment; the importance of midlevel manager support was severely underestimated. To overcome this barrier it was critical that participation in observations (both observed and observer roles) be viewed as part of the employee's daily tasks. The ideas of doing observations that were 'not part of the job' and were separate from 'real work' were addressed. It was imperative that programmatic work assignments include the time necessary to participate iin this process and that personnel be evaluated for their contribution.

129 By October of 2000, the ATOMICS Steering Team had conducted three observer-training classes, and field observations were in full swing. By March of 2001, fourteen observer training classes had been conducted, and the number of trained observers reached 200. This is indicative of the level of worker and management commitment, considering that the observer training is a full two-day class. The resistance to observations has been sporadic as the process enters its second year in existence. The fears voiced during initial ownership meetings that this would be a 'flavour-of-the-month safety initiative' are becoming remote as participation increases. The direct support of management continues to demonstrate a high level of interest and promotes the success of the process. Over 65 have participated in additional manager/team leader classes that cover data interpretation and use. The data collected since October have continually improved in quality and indicate repeatedly increased employee recognition of at-risk behaviours. Because the comments are requested from the employee being observed, not only has the awareness increased, the employees are agreeing to the risk assessment and are frequently self-correcting.

Another major success of the'ATOMICS program at this stage is the fact that 200 employee observers have made based-based observations of over 1,250 individuals who were given positive feedback on the safe behaviours demonstrated. At this writing, roughly 2,600 individuals have clearly made the choice to participate in an informal one-on-one discussion of safety as it relates to their work.

The NMT Division Total Recordable Injury Rate (TRI) began at 4.25 for 1,457,238 man-hours worked in March of 2000 and has dropped to a TRI of 2.60 in February of 2001 for 1,309,580 man-hours worked. In one year's time the TRI has shown a significant 1.65 reduction. This downward trend includes an approximate 10 percent drop in man-hours worked. In the same period, the Lost Workday Cases (LWC) rate has dropped from 3.57 to 0.76. The introduction of the ATOMICS based-based safety process to the Division was implemented by conducting 16 separate ownership meetings to the individual working groups.

To date, approximately 900 field observations have been completed, and statistics confirm the importance of workplace ergonomics to the overall safety in NMT. The documented percentage of safe behaviours associated with the ergonomic factors and performance of tasks at these workstations indicate evidence of worker unfamiliarity with possible cause and effects of injuries that plague industry as well as NMT operations. The feedback loop includes informing the observed individual of whom to contact to provide an ergonomic evaluation. A meaningful reduction of at-risk behaviours affecting the overall safety record of the Division is anticipated as a result of consulting with safety professionals on ergonomic issues. Ergonomic issues make up the majority of the NMT Division lost workdays (see Figure 1) and are one of the current observation focus areas for observations. From January 2001 to April 2001, the percent of safe observed behaviours for ergonomics has shown a promising increase (see Figure 2). Observation data averages of approximately 100 observations per month indicate a percent safe increase from 83% in January to 93% in April. The awareness level of safe ergonomic behaviours and the encouragement of peer feedback to enlist the Health and Safety team for professional ergonomic evaluation of employee workstations demonstrate superior employee involvement and teamwork.

Radiation safety and housekeeping issues are additional areas that make up the current focus of observations. These categories are showing an upward trend in the percent of safe behaviours observed. Radiological Incident Report rates (RIRs) for both TA-55 and CMR from January 2000 to March 2001 are trending downward. These statistics, normalized to the OSHA rate of 200,000 hours have dropped from 30 to 14 at TA-55 and from 22 to 12 at CMR. Rates of contamination at exits for both facilities, again normalized to OSHA rates, are showing marked decreases, TA-55 from 8.2 to 4.2 and CMR from 6.0 to 2.5. Housekeeping issues are for the most part an enabled behaviour (one that the employee has direct control over) and ATOMICS statistics are encouraging because they indicate an increase in safe observed behaviours.

130 INJURY CLASSIFICATION 03/01/2000-02/28/2001

6% (ZP/ B Illness, Rep Trauma I! Strain I ^io I D Laceration WjjS||| J D Puncture • Bite/Sting

24% B Contusion FIG. 1. NMT injuries by category. Ergonomic Safety 2001

Percent Safe

January February March April

FIG. 2. Trend in observations of safe behaviour.

The NMT Division goal of 200 observations per month projects 2,400 total observations for the 2001 calendar year and should take minimal additional effort on the part of the workforce. Because an observation typically takes fifteen minutes from start to finish, this is more than a reachable goal should each observer perform a single observation in a calendar month.

For the calendar year 2001 all of the categories on the CBI® combined indicate an increase in the safe behaviours from 90% to 95% in four months (see Figure 3). As the observations increase in frequency, the percent of safe behaviours observed will increase as well. Comment reports from observational data are shared with the management team in order to remedy at-risk behaviours that are non-enabled (behaviours the employee has no control over). Starting in January, these reports have been distributed to each NMT group leader. Additional criteria for identifying group responsibility of non-enabled barriers to safe work are now added to the data sheets on a volunteer basis. This enables the individual work group opportunities to correct issues identified during observations.

131 All CBI Categories for 2001 140 120-K 100 80 60 40 20 SfS January February March April

• Total % Safe l# Observations FIG. 3. Trend of combined CBI categories.

9. FUTURE DIRECTION The next steps in the program are to continue coaching trained observers, to improve the skills needed to perform observations and feedback, and to begin applying behavioural principles to incident and accident investigation in the Division. It would be presumptuous to attribute the downward trends in TRI and LWC statistics solely to the ATOMICS efforts though. The bigger picture would credit the level of NMT Division employee involvement in a worker based safety effort that defines and supports a common, measurable goal. NMT employees are beginning to distinguish the difference between factors that are within their control from those they have little or no control over. The obvious benefit is a worker's increased perception of personal responsibility and control of behaviours essential to safety.

The ATOMICS program is successfully under way and already showing promising results at the Plutonium Facility, thanks to the enthusiasm of the workforce implementing the program. Management is aggressively addressing identified safety issues in order to ensure a safe working environment for everyone. Safety indicators are showing the potential of penetrating the current limit and attaining even lower accident/incident rates for the Division. It is NMT Division's intent to attain: • The Vision of ATOMICS NMT Division is the Los Alamos National Laboratory and U.S. Department of Energy's model of excellence in the application of safety performance. • The ATOMICS Mission NMT Division will continuously improve the health and safety of the workforce by reducing at- risk behaviours through ongoing based-based observations.

In order to realize this vision it must be communicated and shared throughout the Division and valued without compromise. It must be recognized by all levels within the organization and not subject to misinterpretation. As the observations increase; the accidents and injuries will decrease proportionately in both severity and frequency. It is anticipated that longer periods will pass without injuries. A powerful motivator is worker responsibility for the safety of co-workers as well as themselves. NMT Division will continue to embrace based-based safety as the standard and espouse the philosophy that there is no acceptable level of injury in operations at the Plutonium Facility.

References

[1] RHODES, R., Making of the Atomic Bomb Touchstone Books, New York, (1995) 870 pp. [2] 'Occurrence Reporting and Processing of Operations Information,' United States Department of Energy, DOE Order 232.1A (1997).

132 [3] Occupational Safety and Health Act, Public Law 91-596, 91st Congress, S.2193 (1970). [4] SKINNER, B. F., About Behaviorism, Random House, New York, (1976) 291 pp. [5] DEMING, W. E., Out of the Crisis, MIT Press, Cambridge, Massachusetts, (2000) 505 pp. [6] 'Stop Work and Restart, Los Alamos National Laboratory,' Laboratory Implementation Requirements LIR-401 -10-010 (2000). [7] Behavioural Science Technology, Inc., 417 Bryant Circle, Ojai, California, 93023, www.bstsolutions.com, 1-800-548-5781.

133 XAO102786 IAEA-CN-82/26

CRITICALITY ACCIDENT STUDIES AND RESEARCH PERFORMED IN THE VALDUC CRITICALITY LABORATORY, FRANCE

BARBRY, F., FOUILLAUD, P. Service de Recherche en Surete et Criticite Institut de Protection et de Surete Nucleaire (I.P.S.N.) Departement de Prevention et D'etude des Accidents CEA Valduc - 21120 Is-sur-Tille, FRANCE Fax: +33380235222; Email: [email protected]

Abstract

In 1967, the IPSN (Institut de Protection et de Surete Nucleaire - Nuclear Protection and Safety Institute) started studies and research in France on criticality accidents, with the objective of improving knowledge and modelling of accidents in order to limit consequences to the public, the environment and installations.

The criticality accident is accompanied by an intense emission of neutronic and gamma radiation and releases of radioactive products in the form of gas and aerosols, generating irradiation and contamination risks. The main objectives of the studies carried out, particularly using the CRAC installation and the SILENE reactor at Valduc (France) were to model the physics of criticality accidents, to estimate the risks of irradiation and radioactive releases, to elaborate an accident detection system and to provide information for intervention plans.

This document summarizes the state of knowledge in the various fields mentioned above. The results of experiments carried out in the Valduc criticality laboratory are used internationally as reference data for the qualification of calculation codes and the assessment of the consequences of a criticality accident. The SILENE installation, that reproduces the various conditions encountered during a criticality accident, is also a unique international research tool for studies and training on those matters.

1. PURPOSES OF CRITICALITY ACCIDENT STUDIES The study of criticality accidents that could occur in installations aims to the following objectives: evaluating exposure risks for operators, identifying possible means of detection, studying the long term behaviour of the critical configuration, evaluating the consequences of radioactive releases on the public and the environment and providing information that could help to prepare intervention plans and crisis management.

Up to the present day, about sixty accidents occurred throughout the world, two thirds of them in research installations and one third in fuel cycle installations, causing the death of about twenty operators [1, 2].

Criticality accident study programs were started in France in 1967 in order to improve knowledge about accidents. IPSN initiated experiments reproducing the criticality accident by divergence of a fissile solution of uranyl nitrate on the CRAC and SILENE installations.

2. GENERAL PHENOMENOLOGY OF A CRITICALITY ACCIDENT The criticality accident is the result of an uncontrolled chain fission reaction being started when the quantities of nuclear materials (uranium or plutonium) present accidentally exceed a given limit called the 'critical mass'.

134 As soon as the critical state is exceeded, the chain reaction increases exponentially within a time period that depends on the overall reactivity of the system. The result is a fast increase in the number of fissions that occur within the fissile medium. This phenomenon results in a release of energy mainly in the form of heat, accompanied by the intense emission of neutronic and gamma radiation and the release of fission gases. The increase in the temperature of the fissile medium usually causes the appearance of neutronic feedback mechanisms that will reduce the reactivity present until the: system becomes sub-critical, even if only temporarily. The result is usually the appearance of a power peak. After this first peak, radiolysis gas or steam bubbles migrate to the surface such that the resulting antireactivity effect disappears and the power excursion restarts. This process by which bubbles are formed and then released outside the system causes the oscillating phenomenon usually observed during a criticality accident [Fig. 1].

FIG. 1. Typical criticality accident in a fissile solution

Therefore globally, the behaviour of a criticality excursion is defined by the following main parameters: • the physicochemical nature of the critical fissile medium; • the initial neutronic source, depending on whether it is uranium or plutonium; • the reactivity inserted in the system and the neutronic feedback mechanisms resulting from temperature increase, void effects (radiolysis gas and steam bubbles), and heat exchanges with the environement.

As confirmed by experiments performed in the SILENE reactor, the combination of the previous phenomena with the initial accident conditions can lead to three types of behaviour [Fig. 2]: 1. the critical system becomes permanently sub-critical by modifying the configuration (mixing, splashing or dispersion of material, modification of the geometry, etc.); 2. the system is made temporarily sub-critical by the increase in the temperature of the fissile material, and in this case the critical reaction will restart after a variable time interval that depends on heat exchanges with the environment;

135 3. following a large initial reactivity, the system reaches temperatures at which the medium boils and the variation in power then depends on whether the medium is under or over moderated. The behaviour of the critical system during the post-accident phase depends also on whether or not the system is confined.

10 sec, 103 sec. TiKE

2 " CfiSt

1 Bin, 10 H»H. ieo fflin. ti»e

t

A floiilBg plafeISjJ a; 1 1 i » ' >^a. ^ -— K>O«psnas. «fi s; ft. j I 1 t ! t ( — .ijih 1 Mift. 10 fS!fB, 1W mta. TIME

FIG. 2. Post-accident phases of a criticality accident

This description applies to typical situations but it is in no way exhaustive since every criticality accident can have unique circumstances, as is clearly demonstrated by looking at accidents that have actually occurred throughout the world and particularly the most recent accident in Tokai-Mura in which a tank cooling device modified the events during the post-accident phase.

136 3. ACQUIRED KNOWLEDGE ABOUT CRITICALITY ACCIDENTS PARTICULARITY ABOUT AQUEOUS MEDIA USING THE CRAC AND SILENE FACILITIES About 70 experiments were performed on the CRAC {Consequences Radiologiques d'un Accident de Criticite - Radiological Consequences of a Criticality Accident) installation in the Valduc Criticality Laboratory between 1967 and 1972, reproducing criticality accidents in an uranyl nitrate fissile medium [3, 4]. The studies carried out were continued on the SILENE reactor starting in 1974 and more than 2000 divergences have been carried out so far [5, 6].

Parameters varied within the following ranges in these experiments representative of accident situations: uranium concentration between 20 and 340 g/1, potential reactivity p less than 10 $ in a homogeneous system, the dollar $ being the value of the reactivity corresponding to the 'prompt' critical reactivity (also called P).

3.1.Results and practical information about accident physics The results and acquired information can be summarized as follows: First power peak and associated effects • power period Te varying from 0.9 ms to 4 minutes, • maximum power ranging from 1012 to 3x1019 fissions.s"1. The maximum values of the total energy of the first power peak were observed for the largest volumes (3xlO17 fissions for a volume of 230 liters). For fast transients (p » P), the maximum first peak power E is varying with the reciprocal period co as a function of a1'8. Some of the observations wer.e : • the appearance of a pressure wave for fast kinetics (Te < 10 ms), also causing noise ; • splashing of the solution under the fast transients if there is no lid on the vessel; • a blue light due to the CERENKOV effect concomitant with the power peaks. Energy recovered under the thermal form The fraction of energy that is actually retrieved in thermal form during the C1EIAC and SILENE tests corresponds to 1.4xlOn fissions.cal"1 (about 180 MeV) retrieved in the form of heat. For power excursions subsequent to high reactivity (several $), it was observed that the boiling of the solution was reached for an energy corresponding to about l.lxlO16 fissions per liter. These data are valid for a power excursion lasting for a few minutes and for a system without any forced cooling. Formation ofradiolysis gases Many experiments have shown a rate of formation ofradiolysis gases corresponding to l.lxlO"13 cmVfissions. Furthermore, the threshold at which these gases appear has been estimated at 1.5xl015 fissions per liter of solution [7].

3.2. Modelling of accident physics An analysis of past criticality accidents illustrates the wide variety of situations encountered : media, configurations, causes and observed effects (power, energy, duration, etc.). The results show that the energy can vary from a few 1015 fissions to 4 x 1019 fissions for fuel cycle installations, and the power during the first peak can be as high as 1020 fissions.s"1 for a very short time. The duration can simply be a 'flash' of a few milliseconds, or it can continue for tens of hours.

The diversity of these effects is directly related to parameters that affect the accident phenomenology. This is why different accident models were developed, making a distinction between four main environment categories (liquid, powder, metal, fuel rods in water). The following diagram illustrates the common architecture of these calculation programs.

137 ACCIDENTAL INSERTION OFREACTIVITY

> t

REACTIVITY BALANCE

FEEDBACK MECHANISMS Doppler effect >f TEMPERATURE Spectrum effect POINT EFFECTS KINETIC Expansion effect (Density, leaks, etc.) EQUATIONS VOID EFFECT (radiolysis gas, steam, etc.)

>

POWER ENERGY TEMPERATURE

Accident calculation programs developed jointly with the UKAEA (CRITEX for aqueous media, POWDER for powders, CHATEAU for immersed fuel rods) can be used to estimate the variation of the power, energy and temperature of the medium during the early times of the accident [8].

3.3. Exposure risks associated with a criticality accident: CRAC and SILENE results The contribution of neutrons and gamma rays to the total dose is very variable depending on the nature of the fissile material (metal, powder, liquid, etc.), the dimensions and compositions of the system, and its environment. As the distance from the source increases, the energy of the radiation field degrades and its intensity decreases approximately inversely as a function of the square of the distance over the first few meters. For longer distances, radiation propagation laws are more complex due to effects related to the ground and the atmosphere.

Dosimetry results obtained on the CRAC and SILENE installations [9] must be considered as being representative of the dose to which personnel could be exposed during a criticality accident in a uranyl nitrate solution. The number of fissions and the emitted dose are not proportional to each other for sources with very different configurations, since leakage radiation depends on the source characteristics. It is found that the dose/fission ratio is maximum for small sources with low concentrations.

The maximum value of the observed total dose during tests on the CRAC and SILENE installations is 5.8 x 102 Gy at lm from the centerline of the source, for 1018 fissions for a 30 cm diameter cylinder with a concentration of 80 g/1.

For information, doses emitted during the first peak on the SILENE reactor for 1017 fissions at 1 m from the core (40 liters of uranyl nitrate solution) are as follows: • Neutrons : Dose (KERMA tissus) « 20 Gy=* Equivalent dose» 300 Sv • Gamma: Dose «25Gy=> Equivalent dose«25 Sv.

Measured doses demonstrate that the risk of exposure is one of the major risks in a criticality accident and the resulting doses can be fatal for personnel working in the immediate vicinity of the equipment concerned.

138 3.4. Detection of criticality accidents The purpose of a criticality accident detection system is to trigger an alarm as quickly as possible in order to trigger immediate evacuation of personnel at the beginning of a criticality accidental excursion and thus limit exposure risks.

In 1976, the CEA designed the E.D.A.C system {Ensemble de Detection et d'Alarme de Criticite) making use of information derived from the CRAC and SILENE experiments., based on a monitoring unit connected to at least three criticality detectors [10]. The criticality alarm is only triggered if at least two detectors send an alert signal to the monitoring unit. The detection system is based on measuring the total dose due to neutronic and gamma radiation by means of tw o scintillators, sensitive to these two types of radiation.

Tests carried out in the SILENE reactor demonstrated that the system can be used to detect all types of accidents, in other words power excursions with fast kinetics and with slow kinetics. The EDAC accident detection system can also record and monitor the evolution of the accident by means of criticality detectors, particularly through a remote console placed outside the evacuation area. Its contribution may be essential for management of the post-accident situation and intervention.

3.5. Estimate of releases of radioactive products during a criticality accident in solution The SILENE installation was used for an experimental program to determine: the rates of release of fission products (FP) emitted during a criticality accident in an aqueous fissile medium, the experimental conditions varying up to and including boiling of the solution to facilitate the release of fission products [11]. The main information derived from the SILENE fission products program is as follows: • the release ratios of rare gases (Xe and Kr) are almost 100% for gases with half-lives of more than one minute. They vary between 10% and 50% for half-lives varying from a few seconds to a minute, and are of the order of 10% for very short half-lives; • the maximum release ratios observed for iodine for acidity close to 2N, were very much less than 1% for a boiling solution, but about 10% for a low solution acidity and a high initial content by load of iodine in the solution; • the maximum emission ratios for other volatile fission products are estimated at 20% for bromine and 1% for ruthenium. For information, the maximum quantities of fission products released from the solution for 1018 fissions are 3 x 1014 Bq for rare gases and aerosols and about 1.8 x 1012 Bq for iodine.

3.6. Experiments and exercises carried out on the SILENE reactor for action management: The SILENE reactor is used to provide evaluation data necessary for intervention management following a criticality accident. The following themes are considered: estimate of the possible dose to a work team during the post-accident phase [9]; dosimetry of the criticality accident; SILENE is an international reference source and has already been used for the purposes of international exercises under the auspices of the AIEA and the CCE [12]; radiation instrumentation test during the post-accident phase; fast checking of exposed personnel and dose estimate (sodium activity and dosimeter measurements, for example) for an appropriate therapeutic treatment.

4. CONCLUSIONS The criticality accident studies carried out have improved knowledge in several fields : jphysics, detection, dosimetry and the release of radionuclides. These results must contribute to a better assessment of the risks of irradiation and contamination associated with a criticality accident and the application of action measures and provisions for crisis management. They emphasize the need to define well intervention plans and to be capable to stop the accident process.

139 More generally, operating experience with real accidents that have occurred throughout the world confirms that the energy released during a criticality accident is generally limited, but there are severe risks of irradiation for personnel working close to the equipment concerned and lethal doses are possible. The unfortunate Tokai-Mura accident also demonstrates that the scale of the consequences in terms of the media and acceptability of the nuclear risk may be completely different.

The SILENE reactor is a unique international research installation that can be used for training teams and to maintain the skills necessary for management of action to be taken following a criticality accident.

References

[I] A Review of Criticality Accidents, 2000 revision, Los Alamos National Laboratory report LA 13638, Los Alamos, NM, (2000). [2] Sixth International Conference on Nuclear Criticality Safety (Proceedings) ICNC'99, Versailles (1995). [3] BARBRY, F., CRAC - Essais de synthese des resultats experimentaux Commissariat a l'Energie Atomique, personal communication, DSN-SEESNC nr. 117, (1973). [4] LECORCHE, P., R.L. Seale. Review of the Experiments Performed to Determine the Radiological Consequences of a Criticality Accident. Oak Ridge, TN., Y-CDC-12, (1973). [5] BARBRY, F., A Review of the Silene Criticality Experiments, Proceedings of the Topical Meeting on Physics and Methods in Criticality Safety, Nashville TN (1993). [6] BARBRY, F., 'Fuel solution Criticality Accident studies with the SILENE reactor: Phenomenology, consequences and simulated intervention' International Seminar on Criticality studies programs and needs. ICNC'83, Dijon (1983). [7] BARBRY, F., ROZAIN, JP., Formation of radiolysis gas and the appearance of a pressure increase during a criticality excursion in a fissile solution, Trans. Am. Nucl. Soc, (1989). [8] MATHER, J., BICKLEY, A.M., PRESCOTT, A., BARBRY, F., FOUILLAUD, P., ROZAIN, J.P., Validation of the CRITEX Code, ICNC91, Oxford (1991) [9] BARBRY, F., Exposure Risks and Possibilities of Intervention and Diagnosis in Criticality Accidents, Conference on Nuclear Criticality Safety, ICNC'91, Oxford (1991). [10] HUVER, M., PRIGENT, R., Detection of criticality accidents: the EDAC II system, International Conference on Nuclear Safety, ICNC'91, Oxford (1991) [II] BARBRY, F., FOUILLAUD, P., Revue des experiences menees sur le reacteur SILENE pour 1'evaluation du terme source en cas d'accident de criticite en solution, personal communication, IPSN - DPEA -SRSC nr. 99-04. [12] MEDIONI, R., DELAFIELD, HJ., An International Intercomparison of Criticality Accident Dosimetry Systems at the SILENE Reactor, 1993. Report HPS/TR/H/1(95) (1995).

140 XAO102787 IAEA-CN-82/38

RECENT DEVELOPMENT IN SAFETY REGULATION OF NUCLEAR FUEL CYCLE ACTIVITIES

KATO, S. Nuclear Fuel Cycle Regulation Division Ministry of Economy, Trade and Industry 1-3-1 Kasumigaseki, Chiyoda-ku Tokyo 100-8986, Japan Fax: +81335808484; Email: [email protected]

Abstract

Through the effort of deliberation and legislation over five years, Japanese government structure was reformed this January, with the aim of realizing simple, efficient and transparent administration. Under the reform, the Agency for Nuclear and Industrial Safety (ANIS) was founded in the Ministry of Economy, Trade and Industry (METI) to be responsible for safety regulation of energy-related nuclear activities, including nuclear fuel cycle activities, and industrial activities, including explosives, high- pressure gasses and mining.

As one of the lessons learned from the JCO criticality accident of September 1999, it was pointed out that government's inspection function was not enough for fuel fabrication facilities. Accordingly, new statutory regulatory activities were introduced, namely, inspection of observance of safety rules and procedures for all kinds of nuclear operators and periodic inspection of fuel fabrication facilities. In addition, in order to cope with insufficient safety education and training of workers in nuclear facilities, licensees of nuclear facilities are required by law to specify safety education and training for their workers.

ANIS is committed to enforce these new regulatory activities effectively and efficiently. In addition, it is going to be prepared for, in its capacity of safety regulatory authority, future development of Japanese fuel cycle activities, including commissioning of JNFL Rokkasho reprocessing plant and possible application for licenses for JNFL MOX fabrication plant and for spent fuel interim storage facilities.

1. 1. ORGANIZATIONAL RESTRUCTURING OF NUCLEAR SAFETY REGULATION

1.1. Government Restructuring As of January 6th this year, Japanese government was restructured, and its twenty-two ministries and agencies were reorganized into twelve. The concept and objective of the restructuring was to reform fat and rigid government structure and to realize simple, efficient and transparent administration. The reform was the fruit of the deliberation and legislation over five years. An advisory body to the Prime Minister was established in 1996 to discuss concept of the reform and to specify new structure of the government. The body made a report at the end of 1997. Relevant laws and regulations were formulated and modified to realize the reform by the end of 1999, and after preparatory period the reform took effect at the beginning of this year.

In the restructuring, Science and Technology Agency (STA), formerly responsible for safety regulation of fuel cycle activities, was merged with Ministry of Education to become Ministry of Education and Science and Technology (MEST), and the METI was reborn as Ministry of Economy, Trade and Industry (METI). With respect to nuclear energy, METI deals with energy uses aspect, and MEST with its scientific and technological side. Responsibility of nuclear safety regulation was reallocated between METI and MEST according to this demarcation. Accordingly, safety regulation of

141 refinery business, fuel fabrication business, spent fuel interim storage business, reprocessing business, nuclear waste management business, and relevant transportation of nuclear materials, which STA was in charge, is now undertaken by METI. (See Fig.l)

Before Reorganization Current Status (January, 2001) MITI METI Safety Regulation of: Safety Regulation of: Refinery Business Refinery Business Commercial Nuclear Power Plant Fuel Fabrication Business Spent Fuel Interim Storage Business Spent Fuel Interim Storage Business Reprocessing Business Waste Management Business Commercial Nuclear Power Plant Power Reactors of R&D Stage Transportation of relevant Nuclear Materials

STA MEST Safety Regulation of: Safety Regulation of: Refinery Business Research Reactors Fuel Fabrication Business Use of Nuclear Materials Reprocessing Business Transportation of relevant Nuclear Waste Management Business Materials Research Reactors Use, Storage and Transportation of Power Reactors of R&D Stage Radioisotopes Use of Nuclear Materials Transportation of Nuclear Materials - Use, Storage and Transportation of Radioisotopes

FIG. 1. Reallocation of safety regulatory responsibility.

1.2. Agency for Nuclear and Industrial Safety (ANIS) The Agency for Nuclear and Industrial safety (ANIS) was established in the METI, to be intent on safety regulation of whole spectrum of energy-related nuclear facilities, from power reactor to fuel cycle facilities and waste management. ANIS is also independent from the promotional function of nuclear energy, which is undertaken by the Agency for Natural Resources and Energy.

There is 260 staff in the ANIS, of which about 70 was transferred from STA. Of the 260 staff, about 100 inspectors are stationed near nuclear facilities for effective implementation of inspection activities. In order to upgrade technical expertise of the ANIS staff, it employs various experts who had substantial experiences in design, construction and maintenance of nuclear facilities.

As an advisory organ to ANIS, Nuclear and Industrial Safety Subcommittee was established under the Advisory Committee for Natural Resources and Energy, consisting of experts from various fields, including nuclear engineering, laws and economics and other social sciences, industrial safety, mass media, corporate governance, and nuclear industry. The Council is expected to issue its first report, 'Consolidation of Basis for Nuclear Safety', at the end of June. The report will overview status quo of basis of nuclear safety in terms of institutional system, knowledge basis, human resources, research and training facilities, and financial resources, and discuss how to strengthen these basis.

1.3. Nuclear Safety Commission (NSC) The most important function of NSC is to review safety examination undertaken by regulatory body in licensing of nuclear facilities to see whether the examination is adequate. It had been incorporated as a part of the governmental restructuring program to reinforce NSC, by increasing its secretariat, and

142 further its independence of regulatory bodies, especially from STA. Namely, it had been planned that in January 2001 the secretariat of NSC would be enlarged and transferred from Nuclear Safety Bureau of STA to newly-born Cabinet Office, which is to have strong function of government-wide planning and inter-ministry coordination.

However, the JCO criticality accident accelerated this part of reorganization program. It was pointed out that complementary safety regulation by regulatory body and NSC has to function more effectively and that NSC has to play more active role in supervising and guiding safety regulatory administration. In April 1999, the secretariat was transferred to the Prime Minister's Secretariat, and its staff was increased from 20 to 92, of which 41 have a stronger technical background.

Eventually, as of January this year, the secretariat, Office of Nuclear Safety Commission, has staff of one hundred. (See Fig.2)

Before April, 2000 January, 2001

NSC NSC NSC

Prime Minister's Office Prime Minister's Office Cabinet Office

Office of Nuclear Safety Office for Nuclear Office for Nuclear Policy Research, Safety Commission. Safety Commission Nuclear Safety Bureau, Prime Minister's Science and Technology Secretariat Cabinet Office Agency (STA) • Secretary-General • Director-General for NSC • Deputy Director-General for NSC \ • 59 staff(51 + 8) • 51 staff (20+ 31) • 41 technical counselors • 20 staff • 41 technical counselors

Total 92 Total 100

• Further Independence • Strengthening of Function

FIG. 2. Reinforcement of Nuclear Safety Commission (NSC).

2. NUCLEAR SAFETY REGULATION AFTER THE JCO ACCIDENT The JCO criticality accident was the worst one in Japanese history of development and utilization of nuclear energy. Two workers directly dealing with the Uranium solution died of acute, excess radiation exposure. The investigation committee of NSC found that the direct cause of the accident was infringement of rules and procedures for nuclear criticality safety by the workers dealing with the solution. However,

143 the committee also pointed out several underlying factors leading to the accident. First, safety management system of the JCO was incomplete, and safety culture was not rooted in the company. Second, nuclear safety edueation and training was not sufficiently given to the workers. Third, government's inspection function was not enough for fuel fabrication facilities.

2.1. Reinforcement of safety regulation In responding to lessons learned from the accident, the amendment to the Law on the Regulation of Nuclear Source Material, Nuclear Fuel Material and Reactors was proposed by the Cabinet, and enacted by the Parliament in December 1999, to reinforce nuclear safety regulations. The amendment got effective on July 1, 2000.

The reinforced regulations include, among other, a) periodic inspection of fuel fabrication plant; b) inspection of state of observance of safety rules and procedures; c) stationed nuclear safety inspectors; and d) effective safety education and training.

a) Periodic inspection of fuel fabrication plant METI shall carry out periodic inspection of fuel fabrication plant once a year to ensure that safety and performance of the plant is maintained. The inspection was carried out for all the six fuel fabrication plants (including two enrichment plants) through November to December last year and their safety and performance was satisfactory.

b) Inspection of state of observance of safety rules and procedures METI and MEST shall carry out inspection of the state of observance of the safety rules and procedures in nuclear facilities under their regulatory responsibility four times a year. The safety rules and procedures are to be set out by licensees and approved by the government, and provide for, among other, operators' in-house organizational structure and responsibility for nuclear safety, operational rules and procedures for equipment of safety significance, and education and training of workers about nuclear safety. Three rounds of the inspection were carried out for eight fuel cycle facilities by the end of March, and no infringement of the safety rules and procedures were found.

c) Stationed nuclear safety inspectors METI and MEST shall station 100 nuclear safety inspectors at major nuclear facilities, for effective implementation of the inspection.

d) Effective safety education and training Nuclear operators shall provide their employees with substantial safety education and training, and specify program development and content of safety education and training in their safety rules and procedures.

2.2. Administrative punishment of the JCO It was found that JCO committed a severe infringement against the Law on the Regulation of Nuclear Source Material, Nuclear Fuel Material and Reactors, and STA revoked, after a public hearing from the company, its license for fuel fabrication business on March 28, 2000. It was the most serious administrative action in such a case. Thereafter, JCO transferred uranium material for LWR fuel (low- enriched uranium hexafluorfde and uranium dioxide powder) to other fuel manufacturers. JCO is intent on preserving its used facilities and radioactive waste safely. For the sole purpose, JCO is granted permission of uses of nuclear materials, under the supervision by MEST.

2.3. Safety review guide for fuel fabrication of enriched uranium NSC pointed out, as a lesson from the JCO accident, that a separate safety review guide was absent for fuel fabrication facility dealing with uranium of more than 5% enrichment. NSC established safety review guide for fuel fabrication business dealing with enriched uranium of 5-20% last September. The review guide requires, among other, that criticality accident be taken into consideration with respect to siting of the facility, that criticality control of uranium solution be, as a principle,

144 accomplished geometrically for any concentration. It also requires that the facility is equipped with criticality alarm, and when necessary, with counter measures to criticality accident.

3. AGENDA FOR ANIS'S FUEL CYCLE REGULATORY ACTIVITIES ANIS is committed to enforce the reinforced regulation effectively and efficiently. In addition, it is going to be prepared for, in its capacity of safety regulatory authority, future development of Japanese fuel cycle activities, including commissioning of JNFL Rokkasho reprocessing plant and possible application for licenses for JNFL MOX fabrication plant and for spent fuel interim storage facilities.

In carrying out its regulatory function with respect to fuel cycle facilities, ANIS is going to pay attention to the latest technology and relevant knowledge and regulatory experience, both in Japan and abroad. It will also ensure coherence with regulation of power reactors, where sophistication of regulatory approach is preceding, as well as be aware of technical difference between fuel cycle facilities and power reactors.

The preparation in view of future development is ongoing with expert advice from the Nuclear Fuel Cycle Safety Subcommittee of the Nuclear and Industrial Safety Subcommittee.

3.1. JNFL Rokkasho reprocessing plant Construction work of the reprocessing facility, whose start of operation is expected in July 2005, is in progress; 63% of the construction has been completed at the end of this March,, The spent fuel storage pool has already got passed pre-service inspection in December 1999, and it began to receive spent fuel from power reactors after the JNFL's Safety Agreements with Aomori Prefecture and Rokkasho- mura and adjacent localities were concluded November last year.

Water test has begun in head-end process building in April. This means that the plant is getting into commissioning stage. Accordingly, pre-service inspection by regulatory authority is going to shift its weight more on performance and technical specification of the plant than on construction and manufacturing of building and equipment. ANIS is also to confirm, during the course of commissioning stage, whether JNFL's program for active test is adequate in terms of safety. It would be important that these regul'atory activities are undertaken so that JNFL be closely acquainted with the plant, and JNFL's technical expertise are fully developed, in terms of c[uality and quantity of operators and other technical staff, for the operation of the plant.

3.2. JNFL MOX fuel fabrication plant JNFL expressed its intent November last year that it will enter into MOX fuel fabrication business, responding to request from Japanese electric utilities. The company has a plan to construct and operate a MOX fuel fabrication plant for Japanese customers with the capacity of 130ton/year, and it plans to begin MOX fuel production three to four years after the operation of reprocessing plant.

NSC has begun discussion this January to establish a safety review guide for MOX fuel fabrication plant. ANIS, closely following the deliberations on the safety review guide, is going to prepare specific technical criteria and other technical material required for the safety examination of possible application for license.

3.3. Interim Storage of Spent Fuel It is foreseen that about 7,700 tons of away-from-reactor spent fuel interim storage capacity is required in Japan by 2010. The Law on the Regulation of Nuclear Source Material, Nuclear Fuel Material and Reactors has already been amended to incorporate the regulation of interim storage business, and technical specification has also been established for detailed design and construction method.

NSC has begun discussion this January to establish a safety review guide for spent fuel interim storage facility. ANIS, closely following the deliberations on the safety review guide, is going to prepare

145 specific technical criteria and other technical material required for the safety examination of possible application for license.

3.4. JNC Reprocessing Plant in Tokai-mura After the three and a half years of shut-down due to the fire and explosion accident in its low-level radioactive waste treatment facility, Japan Nuclear Cycle Development Institute resumed operation of its reprocessing plant in November last year, having gotten consent from Governor of Ibaraki-ken and Mayor of Tokai-mura.

The plant will have reprocessed 32 tons of spent fuel since its resumption by the end of June, and total amount of reprocessed fuel since its operation in 1977 will be about 1000 tons.

During the shutdown period, JNC reviewed safety of the reprocessing plant, and completed improvements to the plant, taking into account relevant knowledge and experiences and lessons learned from the fire and explosion accident and from the JCO criticality accident. Both STA and NSC concluded last spring that the review and the improvement of safety measures were appropriate. The plant also got passed its thirteenth periodic inspection at the end of July. The consent of the Governor and Mayor was granted after careful consideration of the resumption from safety and other viewpoints in the Governor's advisory body.

During the course of the consideration, it was concerned that the design of the plant was out-of-date and its equipment might suffer from aging. Although the sound state of the plant had been confirmed through the periodic inspection, in order to cope with the concern, JNC has been committed to periodically review safety of the reprocessing plant, and the ANIS is to confirm whether the review is adequate. The viewpoint and method for the safety review is being developed.

4. CONCLUSION JCO criticality accident led to reinforcement of safety regulation more for safety management in operational stage of nuclear facilities rather than for design and construction stage. On the other hand, new safety regulatory structure for whole spectrum of energy-related nuclear facilities is in place.

In these circumstances, safety regulation of fuel cycle activities has to seek more effectiveness and efficiency, as well as fully prepared for future development in fuel cycle activities. The foreseen development include commissioning of JNFL Rokkasho reprocessing plant and possible application for license for JNFL MOX fabrication plant and for spent fuel interim storage facilities.

In these efforts, ANIS is going to pay attention to the latest technology and relevant knowledge and regulatory experiences, both in Japan and abroad. It will also ensure coherence with regulation of power reactors, where sophistication of regulatory approach is preceding, as well as be aware of technical difference between fuel cycle facilities and power reactors.

146 XA0102788

IAEA-CN-82/42

PROSPECTS FOR SAFE MANAGEMENT OF SPENT NUCLEAR FUEL OF RESEARCH REACTORS

YANOVSKAYA, N. S., MAKARCHUK, T. F., ERSHOV, V. N., ZAITSEV, N. B. Ministry for Atomic Energy of the Russian Federation Interbranch Coordination Center 'Nuclide' StPetersburg, Russian Federation email: [email protected]

ARKHANGELSKY, N. V. Ministry for Atomic Energy of the Russian Federation Department of Atomic Energy Moscow, Russian Federation

Abstract

At present, in Russia the problem of management with spent nuclear fuel (SNF) of research reactors (RR) is an integral part of the general problem of SNF management.

Most of research reactors were put into operation long ago (30 or more years ago), when the issue of SNF management did not receive the attention it deserved. So from several reactors SFA v/ere not taken out during the whole period of operation. Clearly it has created a lot of problems related to the storage of SNF at RR sites

1. INTRODUCTION Total amount of Russian nuclear research installations is great. These installations comprise of research reactors (operated at a stationary output level and of pulse type) and critical assemblies. The issue of SNF management is of importance only for research reactors, which operate at a stationary output level. The data on amount of reactors and operators is presented in Table I.

All types of research reactors may be classified into several groups: the largest group consists of WWER type reactors; IRT type reactors; powerful research reactors employed in materials technology: SM-2, MIR, MR, IVV-2M; experimental reactors AM, BR-5, BOEL-60, VK-50, AST.

Furthermore, in Russia there were developed the reactors with non-stationary neutron-flux density (pulse reactors and critical assemblies). Neutron-flux fluence in these facilities is very insignificant, and in this case it is much easier to resolve the SNF management problem. Experience leads us to consider SNF from these facilities as fresh, which can be used in other research installations or NPP reactors.

Table I. Research reactors with stationary neutron-flux density.

. .. .. Reactor Licensed „ . ^ _.. Reactor Regular fuel NXT [nstitutioi , . ,. , , . ,„, attainment State , °. designation )utput, Mw , type type _ _ _ _ _ 6 7 8 Shut down in UO +A1 1 J^T VVER-2 3 1954 2 t 1983 1 itllK UA1 alloy Kurcha- Out of U+Mg tov Pres:sure- 2 Institute' RFT 20 1952 service in trihe UO?+Mg 1962 UO2+A1

147 Criticality Reactor Licensed Reactor Regular fuel N [nstitutioi attainment State designation mtput, MW type type date 1 2 3 4 5 6 7 8 Shut down in Pressure- UO +A1 3 MR 40 1963 2 1993 tube in pool UA1 alloy Out of UO2+AI 4 IRT 8 1957 service in Pool UA1 alloy 1979. UO +A1 5 IR-8 8 1981 In operation Pool 2 UA1 alloy 6 Gamma 0,125 1982 In operation Tank Uranium alloy 7 Argus' 0,05 1981 In operation Homogeno UO2SO4 us UO +A1 8 OR 0,3 1989 In operation Tank 2 UA1 alloy J Out of Homogeno 9 'Romashka' 0,04 1964 service in UC2 1966. us Out of Pressure- 10 'Topaz - 2' 0,1 1973 service in tube uo2 1986. SM-2 11 100 1961 In operation Tank (SM - 3), uo2 Pressure- 12 MIR-M1 100 1966 In operation UO +A1 tube in pool 2 UO 13 BOR-60 60 1969 In operation Fast 2 SSCRF PuO2 RIAR RBT-6, 6 1975 SFAof 14 RBT- 10 1983 In operation Pool SM-2 10/1,2 10 1984 solution Decommissi 15 ARBUS 12 1963 Tank UAI3+AI oned 16 VK-50 170 1965 hi operation Tank UO2 17 AM 10 1954 In operation Pressure- UO2+Mg tube SSCRF tULJW 18 TPPIJ BR-10 8 1959 In operation Fast UN lr JrH Decommissi Thermo 21 'Topaz' 0,3 1970 UO pellets oned emission 2 22 SB IVV-2M 15 1966 In operation Pool UO +A1 RDIPE 2 23 NIIP IRV-M1 2 1974 Pool Ual branch 24 RF WER-C 15 1964 In operation Pool U dioxide NIFHI 25 PIYF WER-M 18 1959 In operation Pool UO2+A1 UA1 26 MEPI IRT 2-2,5 1967 In operation Pool UO2+A1 Shut down 27 RDIPE IR-50 0,05 1961 for Pool UO +A1 reconstructio 2 n in 1993 RINF 28 within IRT-T 6 1967 In operation Pool UO2+A1 TPU

148 2. ACCUMULATED VOLUME, NOMENCLATURE AND CHARACTERISTICS OF SNF IN STORAGE FACILITIES OF SCIENTIFIC AND RESEARCH INSTITUTES AND CENTERS Total amount of SNF in storage facilities, accumulated in form of various spent fuel assembly (SFA) types, is about 17 tons of uranium. Storage of SNF immediately after discharge from core is carried out in at-reactor cooling pools. After the removal of residual energy release SFAs are transferred for long-term storage to a separately located centralized storage facility on the territory of an institute, then a part of SFAs included in the nomenclature of the reprocessing plant are transported to PO 'Mayak'. The centralized SNF stores at sites of scientific centers are filled almost by 100%, which hampers the operation of reactors in service. The storage period of many types of SNF in water pools approaches a maximum allowable period.

At present, the rate of SNF accumulation in facilities has been considerably reduced due to the decrease of number of research reactors caused by decommissioning as well as the reduction of operation time. For the most part of reactor installations and water-filled SNF stores the service life is being expired, they require reconstruction; conditions of further SNF storage are to be revised. A serious problem is the storage of damaged fuel. There is a need to develop criteria for identification of some part of damaged fuel as the fuel, which can be reprocessed.

A peculiarity of research reactors in terms of SNF management is a great diversity of used fuel elements and fuel assemblies. They differ in geometric dimensions, type of composition, cladding and enrichment factors. On the other hand, an amount of SFAs (and correspondingly, total amount of uranium therein) of many types is not large, which hampers the development and implementation of a cost-efficient technology of transportation and treatment of these fuel assemblies.

To a first approximation, all SNF from research reactors can be subdivided into the following groups: • fuel elements and assemblies based on diverse fuel compositions UA1X-A1, UO2-A1 in aluminium alloy claddings (reactors of MIR-M1, Arbus, WWER-C, IVV-2M, WWER-M, WWER-C IRT-M, MR, IR-8 types); • fuel elements and assemblies based on UO2 ceramic alloy in claddings made from different stainless steel (reactors of BOR-60, BR, Topaz types); • fuel elements and assemblies based on UO2 ceramic alloy in zirconium alloy claddings (VK-50 type reactor); • fuel elements and assemblies based on diverse fuel composition - uranium dioxide in copper- beryllium matrix in stainless steel cladding (reactors of SM, RBT-6, RBT-10/1,2 type); • small amounts of experimental fuel elements and assemblies tested in research reactors (fuel - uranium carbides, nitrides, beryllides, uranium based alloys, homogenous reactor fuel; claddings - various steels and alloys).

3. TRANSPORTATION AND TECHNOLOGICAL SCHEME OF MANAGEMENT OF SNF OF RESEARCH REACTORS The nomenclature of fuel assemblies to be reprocessed is quite large. These are assemblies of V/WER, MIR (or MR), IRT, IVV-2M type on the basis of uranium-aluminum alloy or uranium dioxide in aluminum matrix in various modifications. Assemblies of IRT-1000 type with EK-10 and S-36 type based on uranium dioxide in magnesium matrix. Furthermore, the nomenclature also includes fuel assemblies of SM-2, AST, BOR-60 and VK-50 type reactors at GNC RF NIIAR.

In the past only the fuel on the basis of aluminum was genuinely reprocessed. SNF from reactors of SM-2, BOR-60 types, many other kinds of fuel (carbides, nitrides, silicides, etc.) have never been reprocessed in PO 'Mayak'. The nomenclature of the PO 'Mayak' reprocessing plant includes about 50% of accumulated SFAs, containing around 2.8 tons of metal uranium. For transportation of SNF to PO 'Mayak' the existing fleet of TUK-19, TUK-32 and TUK-6 cask is used (Table II.). SNF is transferred in a special train, which consists of 1-2 wagons. This amount of transportation facilities is obviously insufficient to prevent a long-term delay in transferring the accumulated RR

149 SNF. Moreover, the shipment of SNF for reprocessing by small batches is economically unprofitable as the expenditures on services of the RF Ministry of Transport run as much as 1/3 of total expenses on management of RR SNF.

Currently, the storage facility at PO 'Mayak', which is intended for RR SNF, is essentially full with a rather small reserve capacity for SFA from SM-2 reactor of SSC RF RIAR. Between 2001 and 2006 the treatment of RR SNF at PO 'Mayak' will be limited by the necessity to employ the existing machinery for reprocessing SNF from nuclear submarines. Hence the centralized stores of scientific centers cannot be discharged through the shipment of SNF for reprocessing to PO 'Mayak'.

Table II. Transportation facilities for SNF from research reactors.

Type of Service life TTTK wagon- ?roductior of wagon- Material 1 UJY TUK No Amount capability, container and year container, of TUK weight, t cask years Kg 1 2 4 5 7 8 9 10 Wagon- 1978- 1 container TK- 1985 15 30 SS 2660 92,0 6 with TUK-6 2 wagons with Wagon TK-5 16 4-6 2 with TUK - 1990 casks 20 ss depending 4,75 19 casks 1 wagon with 4 on fuel type casks Wagon- container TK- 1 wagon with 3 12,3 3 1994 25 • SS 40,0 VG-18with casks 8,5 TUK-32

4. PROSPECTS FOR SAFE MANAGEMENT OF SNF OF RESEARCH REACTORS One of the options providing the required time for tackling the problem of management of SNF of research reactors and the flexibility for harmonization with future possibilities, is the implementation of the technology of long-term cask storage of SNF. The use of this technology allows us to provide, should the need arise, the future non-expensive conversion to any final stage of fuel cycle.

In a feasibility study of the establishment of a storage facility it is anticipated to assess a possibility of using metal and concrete TUK MBK-VMF casks, which fleet has been created to carry out the program of decommissioning of nuclear submarines which must end in 2005-2006, as well as the newly created fleet of dual-purpose casks based on cast iron with spheroid graphite (TUK-19-Ch) for RRSNF.

To tackle these problems Minatom of Russia has developed a 'Plan of actions for implementation of the concept of transportation and technological scheme of management of SNF of research reactors. This 'Plan of actions' suggests to classify by convention all RR SNF into three categories:

1. RR SNF traditionally reprocessed at PO 'Mayak'. For this category of SNF there exists a transportation and technological arrangement equipped with transportation facilities and casks, as well as a treatment technology. The following set of actions is targeted for this SNF type: • to perform materials technological and radiochemical studies of the state of RR SNF in the process of long-term storage; • to perform activities to justify the prolongation of service life of Centralized SNF stores and set them into correspondence with the requirements of normative documentation in force;

150 • to compact SNF in Centralized stores for allocation of all accumulated RR SNF; • to develop practical measures for recycling dual-purpose casks based on a metal and concrete cask of TUK MBK-VMF type for RR SNF; • to create additionally a fleet of dual-purpose casks on a basis of special cast iron (TUK-19- Ch); • to cany out a feasibility study of creation of facilities for 'dry' cask storage of RR SNF on the basis of TUK MBK-VMF and/or TUK-19-Ch with provision of physical protection and anti-crisis monitoring means on the site of SSC RF RIAR and/or PO 'Mayak' with consideration for potential schedule of shipment of RR SNF for reprocessing.

2. Significant actual amounts ofRR SNF which is non-reprocessible at the present. The development of a technology for its treatment may be justified on economic grounds, however, it is time consuming. These types of RR SNF with high enrichment in 235U stand out above 12 tons (~70% of total amount of SNF). The most important type of such SNF are fuel elements and assemblies on a basis of the ceramic alloy of uranium dioxide with a cladding of different stainless steels. They are used in reactors such as BOR, BR, 'Topaz'. To resolve the issue of management of this type of RR SNF there is a need to perform the following set of actions: • a feasibility study of a possible treatment of RR SNF at PO 'Mayak' and/or GNC RF NIIAR; • on the basis of the feasibility study to develop a technology of RR SNF treatment. As this will take place it is necessary to study the potentialities of development of a general-purpose reprocessing technology; • a feasibility study of the development of facilities for 'dry' cask storage of RR SNF on the basis of TUK MBK-VMF and/or TUK-19-Ch with provision of physical protection and anti- crisis monitoring means on the site of SSC RF RIAR and/or PO 'Mayak' with consideration for the findings of the feasibility study of facilities for 'dry' cask storage of reprocessible RR SNF.

3. Insignificant amounts ofRR SNF, which cannot be reprocessed at PO 'Mayak'. The utility of the development of its reprocessing in the near future is not apparent taking into account technical and economical parameters. Generally it is a small quantity of rare types of fuel elements and assemblies irradiated in experimental reactor channels. Main directions of activities: • a comprehensive study of the state of RR SNF and the existing 'wet' and 'dry' stores, a determination of an exact list of SFAs not to be reprocessed; • a technical and economic comparison of options of arrangement of the long-term 'dry' storage of this type ofRR SNF at a site of SSC RF RIAR and/or PO 'Mayak'.

5. CONCLUSIONS To resolve the problem of safe management ofRR SNF it is first and foremost necessary to classify all SNF into the fuel which can be reprocessed at PO 'Mayak' not experiencing iroubles, and that which reprocessing is not advisable primarily due to economic reasons. A next step will be the development of the schedule of the shipment of SNF out of storage facilities located on the premises of operators of research reactors taking into* account the potentialities of an organizational, technical and financing scheme.

Under the circumstances when we have to avoid the dependence of RR SNF discharge from storage facilities and reprocessing on limited reprocessing capacities of PO 'Mayak', there is a need to perform a feasibility study of the development of cask storage pads on the premises of research centers, PO Mayak' and/or GNC RF NIIAR.

In 'Plan of actions' the primary actions are said to be those aimed at the establishment of such SNF storage facility which will enable to unload the old facilities that stood in need of upgrading as well as at-reactor and separately located facilities of non-reprocessible spent fuel of research reactors. To

151 switch to the 'dry' mode of storing RR SNF it is necessary to accomplish a set of actions aimed at forecasting the state of SFAs under 'dry' storage for 100 years and longer.

References

[1] Federal Purpose-Oriented Program 'Nuclear and Radiation Safety in Russian Federation in 2000- 2006', decree of government of Russian Federation, No. 149 (2000). [2] VATULIN A, STETSKY Y., DOBRIKOVA L, ARKHANGELSK^ N., 'A Feasibility Study of Using the new Rod Type Fuel Assembly Design for LEU Conversion of the IR-8 Research Reactor' 22nd International Meeting on RERTR, Budapest (1999).

152 XAO102789 IAEA-CN-82/44

CRITICALITY STUDIES: ONE OF THE TWO PILLARS OF CRITICALITY SAFETY AT THE BELGONUCLEAIRE MOX PLANT

LANCE, B., MALDAGUE, T., EVRARD, G., RENARD, A., KOCKEROLS, P. Belgonucleaire s.a., 4 Avenue Ariane, 1200 Bruxelles, Belgium Fax: +3227740614; Email: [email protected]

Abstract

The present paper focuses on the criticality studies performed by the Engineering division of Belgonucleaire. These are one of the two pillars of the criticality prevention implemented for the Belgonucleaire MOX producing plant.

1. INTRODUCTION Belgonucleaire operates a mixed plutonium/uranium oxide (MOX) fuel producing plant located in Dessel, Belgium. Since 1986, the plant is working at an annual capacity of 35-40 tons of MOX, using a MIMAS fabrication process. A diagram of the fabrication process is given in Figure 1. MOX is manufactured by mixture of plutonium oxide and depleted or natural uranium oxide powders. The whole production line is installed in dry glove boxes.

Stage Main Steps

Reception

I Pu isotopic homogeneization | Primary blending Micronization Powder Forced Sieving preparation crushing Secondar1y blending dosing Incorporation of additive(s) milling

Pelletizing Sintering Pellet Centeriess grinding fabrication Q inspections & sorting

Pellet column preparation Rod fdling Rod End plug TIG welding fabrication Pressurization Q inspections Packaging

Assembly Assembling by FBFC Int Dessel fabrication

FIG. 1. MIMAS production process at Belgonucleaire

153 Due to the important throughput of fissile material, criticality prevention is one of the major concerns for the safe operation of the plant. In that sense, it must address all the steps shown in the Figure 1. Criticality safety is relying on two pillars which are the criticality studies (the theory) and the reliable operational practice. As the human factor is the most difficult aspect to manage, a quality assurance system has been developed for both the definition of the specifications and the operational practice. The interested reader is referred to Ref. [1] for the latter aspect. The present paper focuses on the criticality studies, the first pillar of criticality safety.

2. GENERAL METHODS The evaluation of the configurations of fissile material is based on criticality calculations, performed by the Engineering division of Belgonucleaire for the main part. The authorized amount of fissile material in parts of the production line is based on safe mass (1-Dimension) calculations. For more complex configurations, and for storage structures, safe geometry (3-Dimensions) calculations are performed.

The safe mass is determined from the computation of reflected spheres. Pessimistic assumptions are taken for the plutonium content, the isotopic composition and the density and humidity of the material. The applied uncertainties take into consideration the double batching of fissile material (50%), calculation errors and heterogeneity effects (15%) and an extra arbitrary margin according to the licence prescriptions of the plant (10%).

For the safe geometry calculations, besides the pessimistic assumptions on the fissile material, the characteristics of the infrastructure (absorbing and reflecting materials) are also taken in a conservative way in the model. The calculations are generally performed by means of Monte Carlo codes which provide the effective neutron multiplication factor keff with its standard deviation a.

The criterion keff + 3a < 0.95 must be satisfied in both normal and accidental conditions. This is compliant with the 'double contingency principle': no single error, regardless of its occurrence probability, may lead to criticality. Variable density of water is always considered to pursue the moderation optimum.

Computations for new configurations or for modified installations are always initiated by a calibration calculation: the previous configuration or a similar installation is modelled in order to verify the coherence between present calculations and the older ones.

The validation of the computer chain and its application to the MOX plant was audited by the independent inspectorate Association Vincotte Nucleaire (AVN).

3. COMPUTING TOOLS To achieve the calculations, several codes are used in routine.

The 1-D problems (safe mass determination) are calculated with the transport code (deterministic) ANISN [2], coupled with the cross sections library (16 energy groups) developed by Hansen & Roach [3].

For the 3-D problems (safe geometry problems), Monte Carlo calculations are performed with the code KENOVa [4]. The cross sections for non fissile materials (CH2, Cd, Pb) are here again taken from the H&R 16 groups library. For the fissile material, the cross sections are prepared through a calculation performed by the multi-purpose code WIMS-8a [5]. This modular code uses its own library WIMS'97 (69 or 172 energy groups) based on JEF2.2. For instance, for a storage of rods, the typical route is a pin cell calculation terminated by a smearing of the fuel, cladding and moderator (air between rods with a certain amount of water). Then a condensation is performed in order to obtain the

154 WIMS'97 (69 or 172 groups)

WIMS Specific computation scheme according to the problem + cross section condensation to 16 groups

CACTUS

Hansen & Roach (16 groups) Interface Program

ANISN KENOVa DANTSYS ONEDANT TWODANT THREEDANT

FIG. 2. Structure of the computing tools used for the criticality studies at Belgonucleaire.

Figure 2 shows the computing tools used in Belgonucleaire for the criticality studies performed for plants of the fuel cycle. It is worth noting that - 1-D problems may also be performed following the WIMS-KENOVa, or H&R-KENOVa, or WIMS-ONEDANT, or H&R-ONEDANT route, - 3-D problems may be performed either with the WIMS-THREEDANT chain or using KENOVa with H&R cross sections. This affords cross checks made by the same or by other engineers, increasing the confidence in the calculated results.

DANTSYS [6] is a package of deterministic transport Sn computer codes allowing to describe a wide range of geometries. Only the three most employed codes of the package DANTSYS are listed in Fig. 2., namely ONEDANT, TWODANT and THREEDANT, respectively for 1,2 and 3-D problems. ONEDANT employs the same calculation method as ANISN but is quicker. In that sense, the separation between ANISN and ONEDANT, appearing in the Figure 2, is mainly due to historical reasons and because ONEDANT is included in a much larger package. Two dimensional Sn transport calculation is also implemented in the WIMS package as the TWOTRAN module. THREEDANT is the most interesting tool for describing X-Y-Z geometries. Other options such as hexagonal pitch exist.

When the geometry of the problem may be simplified in a conservative way, the CACTUS module of WIMS reveals to be very efficient and flexible. This is a 2D transport calculation, using the 'characteristics method' [7]. It affords to describe very general and complex geometries. In reactor physics, for instance, CACTUS is used to calculate PWR, BWR and WWER fuel assemblies.

155 The computer codes and their use are validated against various experiments : critical experiments from open literature [8]; proprietary programmes and international programmes with the Belgian VENUS reactor : VENUS PRP experimental programme (> 200 experiments), VIP experiments (VIP-PWR, VIP-BWR, VIPEX, VIPO) in which the reactor is loaded with high Pu content MOX rods; international programmes in progress: REBUS (validation of burn up credit through experiments carried out with spent fuel) and KEOPS (sub-critical measurement of the keff on powders and pellets). Moreover, Belgonucleaire is taking part in various international benchmarks coordinated by the OECD.

4. TYPICAL EXAMPLES The criticality studies are performed in order to get various parameters, for instance: the minimum mass and/or minimum volume (1-D problems) of a fissile material leading to criticality, from which the safe mass and/or safe volume can be deduced. For such problems, the

density of the moderator in the mixture is calculated by dmod - (l - (dox JDOX)) Dmod ,

where Dmod and Dox are respectively the theoretical densities (no mixture) of the moderator and fissile oxide and where dOx is varied from zero to Dox in order to get parameterised curves as shown in the Figure 3 ; the sub-criticality level of a storage. In Figure 4, for example, the keff level in accidental conditions is obtained in two steps: first the individual boxes are gradually flooded with water, the space between the boxes staying dry. Then the water content in the ambient air filling this space is modified in order to catch the maximum interaction between the boxes ; the maximum amount of fissile material (rods in a storage room, powder boxes, cans) ; geometry reactivity effects. Figure 5 shows an example of a studied configuration for cans in a glove box; the material reactivity effect, indicating whether a neutron absorbing material must be included in the conception of a storage structure ; the reactivity effect of the reflector, accounting for the presence of operators near the fissile material; etc.

10000

1000-r

0L a 100

0.01 0.1 1000 Ratio H/Pu

156 (a Dry ambient air :::ftj)>:: Ambient air with :•:•:•:: cal : •: •::: •::: van

Q70 (b j 1 1

/ • \ : \ i i \ i t y

i i i i i i i i

J ! L •"--•-^_ L 1 1 1 i 1 1 1 i --> Q45 1 I

0 2 4 6 8 10 12 14 16 0 Q05 Q1 Q15 Q2 Q25 Q3 Q36 Q4 Q45 Q5 Wterlael inthestcra^bo

FIG. 4. ividual storage bo between

Hiiiiiiiiiiiiiiiipiiiiiiiii v.v.v.v. 12 8 on

-4— -> Variable ::

:|;!;| water (30 :j:j:j:;:j: X.vXvl

157 FIG. 5. Model for reactivity effect evaluation due to the geometry of cans in a glove box The fissile materials frequently considered at Belgonucleaire are PuO2, PUO2-UO2 (MOX) and Pu. These may be mixed with other compounds containing mostly O, H and C. The reference isotopic Pu (239/240/241/242) vector is usually taken as 70/18/10/2 but other possibilities can be studied. The physical form of the fissile material may be solid (rod, pellet), liquid (samples for chemical analysis), powders (master and secondary blends) and scraps. The powder density may be varied from 2 to 5 g/cm3 and contains as much as 5 w/o water.

5. CONCLUSIONS For the criticality prevention of its MOX plant, Belgonucleaire considers the two aspects, 'good reliable operational practices' [1], and the 'technical specifications' as two pillars of criticality safety. The technical specifications are defined on the basis of the criticality studies performed by the Engineering Division for the most part. Various codes and libraries are therefore used in routine and, due to the great flexibility o'f the computing tools, additional cross checks are performed by other computing routes. The same tools are also used for other criticality purposes: spent fuel storage pool, shipping casks, etc.

Besides these studies, mainly focused towards the criticality level, kinetic aspects should be considered in the near future.

References

[1] KOCKEROLS, P., 'Criticality prevention in a MOX fuel plant', WONUC, Moscow, Erchevo (2000). [2] ENGLE, W. W., A Users Manual For ANISN - A One Dimensional Discrete Ordinates Transport Code With Anisotropic Scattering, K-1693, Oak Ridge, Tennessee (1973). [3] HANSEN, G. E. and ROACH W. H., Six And Sixteen Group Cross Sections For Fast And Intermediate Critical Assemblies, LAMS-2543 (1961). [4] PETRIE, L. M. and LANDER, N. F., KENO-Va: An Improved Monte Carlo Criticality Program With Supergrouping Computing Telecommunication Division At ORNL (1990). [5] WIMS8a, The ANSWERS Software Package, a General Purpose Neutronics Code, AEA Technology (1999). [6] ALCOUFFE, R. E., BAKER, R. S., BRINKLEY, F. W., MARR, D. R., O'DELL, R. D., WALTERS, W. F., DANTSYS: A Diffusion Accelerated Neutral Particle Transport Code System, LA-12969 (1995). [7] HALSALL, M. J., "A Users Guide to the WIMS-E Module WCACTUS", AEEW-R 1710 (1983). [8] INTERNATIONAL HANDBOOK OF EVALUATED CRITICALITY SAFETY BENCHMARK EXPERIMENTS, NEA/NSC/DOC(95)03 (2000).

158 XAO102790

IAEA-CN-82/54

REGULATION OF FUEL CYCLE FACILITIES IN THE UK

ASCROFT-HUTTON, W. W. Health and Safety Executive, Nuclear Safety Directorate St Peter's House, Balliol Road, Bootle L20 3LZ Fax: +441519514017; Email: [email protected] Abstract

The UK has facilities for the production of uranium hexaflouride, its enrichment, conversion into fuel and for the subsequent reprocessing of irradiated fuel and closure of the fuel cycle. All of these facilities must be licensed under UK legislation. HM Nuclear Installations Inspectorate has delegated powers to issue the licence and to attach any conditions it considers necessary in the interests of safety. The fuel cycle facilities in the UK have been licensed since 1971.

This paper describes briefly the UK nuclear regulatory framework and tide fuel cycle facilities involved. It considers the regulatory practices adopted together with similarities and differences between regulation of fuel cycle facilities and power reactors. The safety issues associated with the fuel cycle are discussed and Nil's regulatory strategy for these facilities is set out.

1. INTRODUCTION The UK has facilities for dealing with all aspects of the nuclear fuel cycle from receipt of ore concentrate to recycling of reprocessed irradiated fuel. These facilities have been licensed nuclear installations since 1971 when British Nuclear Fuels Limited (BNFL) was created and separated from the United Kingdom Atomic Energy Authority (UKAEA). This paper discusses regulation of those plants. It does not consider fuel cycle facilities operated by other licensees including UKAEA. However the regulatory processes described in this paper are equally applicable; to them.

While there are many similarities in the processes and requirements for regulating fuel cycle facilities and power reactors there are a number of significant differences. These differences arise from the physical and chemical states of materials being handled, their environment and mobility and the processes being carried out. The differences can lead to the need to adopt: a different regulatory practice in order to meet a common regulatory principle.

One of the major areas of difference is waste management and decommissioning. These result in a number of specific safety issues which are discussed. As well as dealing with immediate issues there is also a requirement to have in place a strategy for ensuring a progressive and systematic reduction in the hazard.

2. UK REGULATORY STRUCTURE FOR FUEL CYCLE FACILITIES HM Nuclear Installations Inspectorate (Nil) was created as a result of the inquiry into the Windscale fire in 1957. Following a review of health and safety legislation in the early 1970's Nil became part of the newly created Health and Safety Executive (HSE) in 1975. At the same time HSE took over the issue of nuclear site licenses from the Secretary of State. Nuclear site licenses are now issued by the Chief Inspector of Nuclear Installations on behalf of HSE.

There is a standard license which is common to any type of nuclear installation. It has 36 conditions attached to it. The conditions are not prescriptive in telling a licensee what to do. Rather, they are goal setting and require the licensee to 'make and implement adequate arrangements' for the control of various parts of its operations. It is for each licensee to determine what is appropriate and adequate for

159 its operations. Obviously Nil has available appropriate sanctions if it considers a licensee's arrangements inadequate. The license conditions cover all aspects of operations from design through construction commissioning and operation into decommissioning. They cover 'hard issues' such as modifications and maintenance and 'soft' issues such as training and instructions. One condition which was added in mid 1999 and came into full effect in April 2000 covers the control of organisational change.

3. FUEL CYCLE FACILITIES OPERATED BY BNFL AND URENCO This paper relates to the fuel cycle facilities operated by BNFL and Urenco (Capenhurst) Ltd. The facilities are:-

BNFL Capenhurst

This is the site of the UK's original gaseous diffusion plant. The plant is shut down and the site is undergoing decommissioning.

Urenco Capenhurst

This site was created in 1993 by separating it from the original larger BNFL Capenhurst site. It contains centrifuge enrichment facilities. Some of the earlier centrifuge cascades are being decommissioned.

BNFL Springfields

This site has a number of processes, namely production of uranium hexafluoride, production of uranium metal magnox fuel, production of uranium dioxide powder and advanced gas cooled reactor oxide fuel and residue recovery. There are also older facilities on the site which have been decommissioned or are undergoing decommissioning.

BNFL Drigg

This site is the national low level waste repository. It also contains stores of plutonium contaminated material which are being recovered and repackaged to modern standards.

BNFL Sellafield

This is the largest and most complex of the fuel cycle facilities. It receives, stores and reprocesses irradiated magnox and oxide fuels. Associated with the reprocessing plants are facilities for conditioning and storage of high level liquid wastes prior to their vitrification.

The site also has associated intermediate level waste conditioning and storage facilities. Being the original site of the UK's atomic programme Sellafield also has a number of legacy facilities which contain various materials from the early years of the programme. There is, as a consequence, a large programme of post operational clean out and decommissioning.

4. REGULATORY PRACTICES A site inspection plan is developed by Nil's inspectors for each of the sites. These plans cover the programme for inspection for compliance with site license conditions and other legislation. They also identify those areas which will be subjected to themed inspections. Themed inspections may look at the same topic across a site or between sites. They enable Nil's inspectors to benchmark performance identifying good practices and areas for improvement. In this way generic lessons can be quickly learned and measures taken to broadcast them widely. The plans also contain elements for project assessment management and reactive work.

160 Project assessment management covers the work required by Nil's inspectors to manage the assessment of licensees' proposals to modify existing plant or construct new ones. This involves reviewing a licensee's proposal, determining which are to be subject to full assessment, managing that work and preparation of the appropriate legal documentation. Every licensing decision we make is supported by a report which sets out what has been done and why it is appropriate to grant permission.

Reactive work is work which has not been foreseen. It can arise from events or incidents or from findings of inspections. Being unforeseen it is not possible to say precisely what the work is or when it will arise. However, experience has shown that an allocation of about 15% of time to reactive work is necessary.

Compliance inspection is arranged so that all of the license conditions are inspected over a three year period. This may not seem onerous but it must be recognized that fuel cycle facility sites are large and multifunctional. A compliance inspection begins by taking the licensee's arrangements for managing a particular activity. After familiarization with these the inspector selects the precise activity to be inspected. When inspecting he is seeking to determine if the arrangements ensure the work is adequately controlled, that they are clear and unambiguous, that they are understood and that they are being followed. After the inspection the inspector records his findings.

Themed inspections can and do vary widely. At one end of the spectrum is the Team Inspection carried out at Sellafield in September 1999. Here the theme was control and supervision of operations. The reason for the inspection was an apparent increase in the number of events where control and supervision was seen as a root cause. This inspection lasted 2 weeks and involved a team of 13 inspectors with a wide range of backgrounds. Being site wide it was able to highlight examples of good practices and areas for improvement. A mark of BNFL's response to its findings can be seen in the number and magnitude of the changes which have taken place or are taking place. These included: • a revised safety policy statement issued by BNFL; • clearer lines of accountability; • more consistent working methods across the site; • more visibility of senior management at plant level.

BNFL is not programmed to complete its response until October 2002.

A lesser themed inspection, but one with a significant impact, was into the control of sealed radioactive sources. One Nil inspector was investigating a reported loss of a source. Her findings led her to suspect that control might not be adequate across the site. She conducted a themed inspection with another colleague over two days. They found sufficient failings to justify the issue of an Improvement Notice. An Improvement Notice is an enforcement device available to all HSE inspectors and requires specified improvements to be made within a given time period. Adequate progress had not been made within the time allowed, including an extension to the original period. The inspector therefore initiated criminal proceedings against BNFL. The case was proven and BNFL was found guilty and fined.

Nil mobilizes its reactive effort in accordance with HSE's four elements of policy on enforcement, namely targeted, consistent, proportionate and transparent. This means that Nil chooses the events it wishes to investigate and those which it decides to stand back from and requires the licensee to submit an investigation report for review. In such cases Nil takes into account the original event and the thoroughness of the licensee's investigation in determining what regulatory action, if any, is to be taken.

At the other end of the spectrum is a rapid response in which a team of inspectors is sent to site immediately. Where an event has actually terminated and the plant is safe Nil will usually assemble the team to attend site on the next working day.

161 5. SIMILIARITIES IN REGULATION OF FUEL CYCLE FACILITIES AND POWER REACTORS The obvious areas of similarity lie in compliance inspection and the use of themed inspections. Similar standards are required for licensees' arrangements and compliance with them. There were some differences which previously arose from the way the two industries developed which have now been resolved. Two particular examples are the setting up of structured review meetings and the method of regulating plant outages.

In the first case stand back review meetings were not held at the fuel cycle facilities. Instead more local reviews of plant safety performance took place. This was found to be too plant focused and the overview was not always clear. Now there are review meetings with the senior management of each of the operating businesses. These provide the opportunity to more formally measure progress on clearance of safety issues. The site inspector always takes part in these meetings and in the prior briefing of Nil management.

Outages in fuel facilities may be different in that a complete plant close down, as occurs with a reactor, may not necessarily take place. However the principles of good regulation still apply. The first principle is to operate to the licensee's outage planning timetable. If Nil, as the regulator, is expecting a licensee to carry out particular safety related improvements then the licensee needs to know in good time. The principle also applies to plant inspections which may need the provision of specialist equipment with a long lead time. Having agreed the safety related work programmes and the performance criteria well in advance of the outage Nil then plans its own outage inspection strategy.

During the outage any inspection results can be treated on a 'by exception' basis as the performance criteria will have been previously agreed. This frees the time of Nil and licensee staff during the normally busy outage period so they can concentrate on key safety issues. The process also speeds the administration of issuing the regulatory Consent to permit plant restart.

6. DIFFERENCES IN APPROACH The differences between fuel cycle facilities and power reactors which have safety implications are: • fuel cycle facilities are usually multi plant sites with integrated dependencies on one another; • fuel cycle facilities have numerous plants which cannot be shutdown in the same way as a reactor; • radioactivity is in a more mobile but less energetic state; • contamination and ventilation issues are more critical in fuel cycle facilities; • fuel cycle facilities utilize aggressive chemicals; • the legacy issues associated with the nuclear programme.

These differences lead to a modified regulatory approach. For example there is greater focus on control of operations in view of the greater reliance on administrative controls as opposed to engineered safety features in reactors. There is also more emphasis on criticality control in view of the greater mobility of fissile species. A third area, again due to mobility of species, is radiological protection of staff. Rigorous control of the potential for contaminating personnel is mandatory.

7. SAFETY ISSUES One of the key safety issues in fuel cycle facilities is the maintenance of safety in legacy plants. Many of these plants are old and of uncertain condition and/or content. Post operational clean out is necessary before the plants can be decommissioned. The issue is one of how to ensure adequate progress is being made when there is apparently little effective incentive on a licensee to proceed. Fortunately UK law gives Nil powers to require progress to be made. Failure to comply would be a criminal offence.

Other safety issues Nil is currently addressing are: • ensuring that there are sufficient suitably qualified and experienced staff;

162 • emergency arrangements; how do you account for everyone on a large site? • measurement and improvement of safety culture; • production of more user (operator) friendly safety cases.

8. REGULATORY STRATEGY It is important to have short, mid and long term strategies for regulating fuel cycle facilities. The short term strategy involves ensuring the continued safety of the plants concerned. The mid term strategy is to encourage the licensee to put in place its programme for the progressive and systematic reduction of the hazard from legacy wastes. This will involve the recovery of the material, conditioning it and storing it in a safe, passive and monitorable state.

Nil's long term strategy is to effectively regulate the licensee's programmes. To this end Nil has issued specifications under the site licence in order to formalise the process. End dates have been set and programmes to achieve this are now awaited.

9. CONCLUSIONS Nil recognises that there are differences in the approach to the regulation of fuel cycle facilities and power reactors. However this is achieved within the standard licensing system within the UK. Nil has developed and is applying a strategy for both ensuring the continuing safety of the facilities and reducing the hazard from legacy materials.

10. ACKNOWLEDGEMENT The author is only one member of the team which regulates nuclear fuel cycle; facilities. He has been supported by a strong team of inspectors. The paper is, however, the view of the author and therefore it does not necessarily represent HSE's or Nil's formal view.

163 TOPICAL ISSUE 4:

SAFETY OF RESEARCH REACTORS XAO102791 IAEA-CN-82/05

SAFETY OF GHANA RESEARCH REACTOR (GHARRI)

AMUASI, J. H.*, SCHANDORF, C.+, YEBOAH, J.+ * Ghana Atomic Energy Commission, P. O. Box LG80, Legon-Accra, Ghana + Radiation Protection Board, Ghana Atomic Energy Commission, P. O. Box LG80, Legon-Accra, Ghana Fax: +23321400807; Email: [email protected]

Abstract

The Ghana Research Reactor, GHARR-1 is a low power research rector with maximum thermal power lever of 30kW. The Reactor is inherently safe that uses highly enriched uranium (HEU) as fuel, light water as moderator and beryllium as a reflector. The construction, commissioning and operation of this reactor have been subjected to the system of authorization and inspection developed by the Regulatory Authority, the Radiation Protection Board (RPB) with the assistance of International Atomic Energy Agency. The Reactor has been regulated by the preparation of an Interim Safety Analysis Report (SAR) based upon International Atomic Energy Agency Standards. International Safety Assessment peer review and safe inspections have confirmed a high level of operational safety of the reactor since it started operating in 1994.

Since its operation there has been no significant reported incident/accidents. Several studies have validated the inherent safety of the reactor. The reactor has been used for neutron activation analysis of various samples, research and teaching. About 1000 samples are analysed annually. The final Safety Analysis Report (SAR) was submitted after five years of extensive research on the operational reactor to the Regulatory Authority for review in June 2000.

1. INTRODUCTION The Ghana Research Reactor-1 GHARR-1 is a commercial version of the Prototype Miniature Neutron Source Reactor (P-MNSR) designed and manufactured by China Institute of Atomic Energy (CIAE), Beijing. It is a reactor with a nominal power of 30kW. It is a safe nuclear facility which employed high enriched uranium fuel, light water as moderator, coolant and shield and beryllium as reflector. The reactor is cooled by natural convention. It is designed for use in universities, hospitals and research institutes mainly for neutron activation analysis, production of short-lived radioisotopes and education. It is operated at a thermal neutron flux up to lxlOI2n/cm2.s. The full description and technical details can be found in following publications [1,2].

The reactor is inherently safe with a very strong capability for power self-regulation, These characteristics have been confirmed through various transient experiments [3, 4]. The total cold excess reactivity is 4.0mk and is controlled through one control rod of work 6-8mk which ensures a shut- down margin of about 3mk. This is sufficient to maintain the reactor in safe mode during shut-down. A scram is provided such that the reactor will not exceed 120% of nominal power and the temperature difference between the core outlet and inlet must not exceed 120% of the nominal limit. The reactor can be shut-down by inserting cadmium rabbits into the core using pneumatic transfer system or manually.

The inherent safety of the reactor is based upon: 1. its strong negative reactivity coefficient; 2. its core coolability by natural convention; 3. its built-in excess reactivity, which, for clean and cold core is limited to 4nik.

167 2. REGULATORY FRAMEWORK FOR LICENSING AND INSPECTION OF THE REACTOR In Ghana, the Radiation Protection Board is the sole regulatory authority for the purposes of nuclear and radiation safety. It was established by Provisional National Defence Council Law 308 of 1993 by amending the Ghana Atomic Energy Act 204 of 1963. The Radiation Protection Regulations LI 1559 of 1993 prescribed the mandate and responsibilities of the Board as a licensing Authority for the radiation Protection and Waste Safety [5, 6, 7].

Pursuant to the regulatory requirements to obtain a license before operating the reactor, the National Nuclear Research Institute applied for following licenses: (i) constructional license by submitting three chapters of the Safety Analysis report, namely Safety Principles and General Design Criteria, Site Characteristics and Building and Structures. After review of the application a constructional license was issued on 1st March 1994 (GHARR-1-94- 01); (ii) source loading license, GHARR-1 -95-04; (iii) criticality tests license GHARR-1-95-05; (iv) high power test license GHARR-1-95-06; (v) operator's license and Senior operators licenses, GHARR-1-95-01-3; (vi) provisional operational license GHARR-1-95-07.

These stages of the licensing procedures were reviewed by the Board's Technical Committee and upon the advice of this committee all the appropriate licenses were issued by the Board. All these licenses were issued with the proviso that the completed SAR and written procedures be submitted by 31st March 1995. The interim Safety Analysis Report was submitted on 28 April 1995 to the RPB after internal review by the Reactor Safety Committee and Radiation Safety Committee of the National Nuclear research Institute (NNRI). The SAR was written in accordance with IAEA guidelines [8, 9, 10]. The NNRI submitted in addition to the SAR, the following supporting documents 'On-site and zero power experiments for start-up of Ghana Research Reactor, GAEC-NNRI-RT-22', 'Steady State Operational Characteristics of Ghana Research Reactor-1, GAEC-NNRI-RT-23' and 'Dynamic Feedback Characteristics of Ghana Research Reasctor-1, GAEC-NNRI-RT-24'.

The provisional operational license was based upon the terms and conditions as specified in the Operating Limits and Conditions (OLC) as contained in chapter 17 of the Safety Analysis Report and Nuclear and Radiation and Waste Safety regulations applicable in Ghana [11].

The essential elements of the Operational Limits and Conditions (OLC) can be summarized as follows: 1. power limit: < 87kW; 2. temperature at the inlet of the core: < 30°C at 30kW; 3. water level of the reactor vessel: < 460cm; 4. safety system settings for max power: 63kW; 5. minimum water level: 465cm; and 6. maximum difference of temperature through the core: 21 °C.

3. INTERNATIONAL CO-OPERATION TO ENSURE SAFE OPERATION OF RESEARCH REACTOR-1, GHARR-1 Ghana Atomic Energy Commission requested International Atomic Energy agency through the Technical Assistance Project GHA/1/010 in 1994 for the provision and installation of a 30kW research reactor.

Under this project IAEA provided all equipment to make the reactor critical. Several experts were provided during the installation, preparation and review of the Interim Safety Analysis Report [11] and licensing of GHARR-1.

168 Under the Agency Supply Agreement INFCIRC/468 of 1994 an Integrated Safety Assessment of Research Reactor (INSARR) mission was undertaken by two experts in February 1997. They reviewed the regulatory, radiation protection, nuclear safety aspects and the operations of the reactor [12].

The conclusions and recommendations of this mission enabled the Regulatoiy Authority (Radiation Protection Board) and the licensee (National Nuclear Research Institute) with the assistance of the IAEA to enhance the regulatory oversight and operational safety of the GHARR-1. International Atomic Energy Agency has also provided support for several research contracts to be implemented toward enhanced utilization of the research reactor on the following topics: 1. Calculations for the Core configuration of the Miniature Neutron source Reactor, Research Contract No. 5734/R2/RB. 2. Steady State Operational Characteristics of Ghana Research Reactor-1, IAEA Research Contract No. 8789/RB. 3. Nuclear Core Design Analysis of Ghana Research Reactor-1, GAEC-NNRI-RT-40 (1995), 4. On-site Critical and Zero Power Experiments for Start-up of Ghana Research Reactor-1, GAEC- NNRI-RT-22 (1995).

The recommendations of the INSARR Mission in 1997 and RPB; and the results of the IAEA co- ordinated research contracts have been used to complete the final Safety Analysis Report. The SAR was submitted to RPB for review in June 2000. The Research and Technical committee of RPB is currently reviewing the Final Safety Analysis Report (SAR). [13]

Since the reactor was commissioned in 1995 there has been five safeguards inspection missions to Ghana in 1996,1997,1998 ,1999 and 2000.

4. QUALIFICATION AND TRAINING OF PERSONNEL The required qualification and training of the operating staff is well established in the SAR and OLC. The training and retraining programme are in general adequate and the licensed operators are examined every two years to renew their licenses. The operators were trained by the supplier. The operators were certified by RPB after passing a written test and oral examination.

Operating staff of reactor undergoes periodic training workshop/seminars organized by IAEA on Research Reactor topics relevant to their jobs. Operating personnel also receive training on the job on procedures for safe operation of the reactor, conduct of routine experiments, handling and storage of all radioactive materials, emergency and security procedures.

5. UTILIZATION OF THE RESEARCH REACTOR Section 11.1 of the SAR provides description of the experimental facilities of the GHARR-1, in particular rabbit. A and B systems. Currently the utilization programme of the reactor includes: 1. Neutron Activation Analysis (NAA); 2. education and training of University students and foreign students; and 3. collaborative research with researchers in the sub-region.

Production of radioisotopes is under development. Yearly annual reports for the operation of the reactor indicate the extent of utilization. [14]

6. CONCLUSION The successful implementation of the Miniature Neutron Source Reactor (MNSR), GHARR-1 is a clear demonstration of what can be achieved through a collaborative commitment from the Government of Ghana and International Atomic Energy Agency.

The basic radiation protection, nuclear safety and regulatory infrastructure have been well established for the safe operation of the 30kW research reactor.

169 The operational staff through the Technical and Scientific assistance received from IAEA have undertaken extensive and comprehensive research on the commercial MNSR supplied by China. The final Safety Analysis Report contains current data especially chapter 16 'Safety Analysis' on transient analysis of fresh core replacement and over-addition of JJe plates accidents and estimation of neutron and gamma-dose rates for loss-of-coolant accident (LOCA).

The Operational Limits and Conditions (OLC) have been revised as suggested by the INSARR Mission in 1997. The expertise gained by Ghana is being used by IAEA to assist other member states implementing similar research reactor projects.

References

[I] YAEHEN, Y., Reactor Complex, CIAE, Technical Report Code MNSR-OC-2, (1992). [2] YIZHENG, L., ZHON, Z. W., XLANFA, G. Z. Testing Protocol zero Power Testing of the Ghana Equipment, CIAE Tech Report, Code MNSR-OL-7, (1993). [3] AKAHO E. H. K., et al 'Nuclear Safety Related Calculation for Ghana Research Reactor-1', Core Proceedings of the 5th Asian Symposium on research reactors, Vol. 2 Taejon, (1996). [4] AKAHO E. H. K.; AMM-SAMPONG S; MAAKUU B. T.; DODOO-AMOO D. N. A., 'Dynamic Feedback Characteristics of the Ghana Research Reactor-1', GHARR-1, GAEC-NNRI- RT-24 (1995). [5] Atomic Energy Act, 1963, Act 204, (Government of Ghana Printing Department, Accra, Ghana) (1963). [6] Act Energy Amendment Law, PNDC Law 308, (Ghana Publishing Corporation, Accra, Ghana) (1993). [7] Radiation Protection Instrument, LI 1559, (Ghana Publishing Corporation, Accra, Ghana) (1993). [8] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment of Research Reactors and Preparation of the Safety Analysis Report. Safety series No. 35-G1 IAEA, Vienna, (1993). [9] INTERNATIONAL ATOMIC ENERGY AGENCY, Code on the Safety of Nuclear Reactors: Design. Safety Series No. 35-S1 IAEA, Vienna, (1992). [10] INTERNATIONAL ATOMIC ENERGY AGENCY, Code on the Safety of Nuclear Reactors: Operation. Safety Series No. 35-S2 IAEA, Vienna, (1992). [II] Interim Safety Analysis Report for Ghana Research Reactor-1. E. H. K. AKAHO, S. ANIM- SAMPONG, D. N. A. DODOO-AMOO, B. T. MAAKUU, G. EMI-REYNOLDS, E. K. OSAE, H. O. BOADU AND S. AKOTO-BAMFORD, GAEC-NNRI-RT-26 (1995). [12] Integrated Safety Assessment of Reactor (INSARR) Mission to Ghana Report, NSNI/INSARR/1997-2 (1997) [13] Final Safety Analysis Report for Ghana Research Reactor-1, E. H. K. AKAHO, S. ANIM- SAMPONG, D. N. A. DODOO-AMOO, B. T. MAAKUU, G. EMI-REYNOLDS, E. K. OSAE, H. O. BOADU AND S. AKOTO-BAMFORD, GAEC-NNRI-RT-90. (2000) [14] Annual Reports of Ghana Research Reactor-1 (GHARR-1) (1996, 1997, 1998).

170 XAO102792 IAEA-CN-82/06

SAFETY ASSESSMENT OF VARIOUS OPERATION MODES

PESIC, M., PLECAS, I., PAVLOYTC, R. The 'Vinca' Institute of Nuclear Sciences P.O. Box 522,11001 Belgrade, Yugoslavia Fax./Tel. ++381-11-444.74.57; Email: [email protected]

Abstract

Various operation modes of RB heavy water critical assembly are realised during last 42 years. These modes were consequence of wide flexibility of the core lattices and usage of three types of fuel elements: natural U rods, LEU and HEU slugs. More than 600 different cores are changed up to now, setting, sometimes, special requirements to the control, safety and dosimetry systems. These cores with different dominant neutron spectra includes the simplest thermal cores, various coupled fast- thermal and thermal-to-fast neutron converters inside or outside the reactor tank. Power excursion accident, in which six personnel were heavy irradiated, occurred at the reactor only six months after the first start-up. From that time, safety assessment of the reactor operation with different cores became a regular practice. It requires updates often to the safety analysis report(s), regulation and operation rules and assessment of radiation protection practice and in-situ monitoring, due to the fact that the RB reactor is designed without biological shielding with staff offices and laboratories surrounding the reactor hall. This paper summarises general experiences of nuclear safety and radiation protection analyses, underlining few basic results for some of unusual modes of the RB reactor operation.

1. INTRODUCTION The 'RB' reactor [1] is an unshielded critical assembly designed in 1958 to operate using heavy water and natural (metal) uranium fuel rods. In 1962, 2% enriched metal uranium of Soviet origin became available and the first safety analysis report was written. A study of the RB reactor as possible source of fast neutrons began in 1976, when the 80% enriched UO2 (dispersed in Al matrix) fuel was bought too in the former Soviet Union. At the beginning of the research, the simplest fast neutron fields were designed: the external neutron converter - ENC (1976) and the experimental fuel channel - EFC (1982). Simultaneously, more sophisticated computer codes were developed in the Nuclear Engineering Laboratory and new methods in measurements were applied. As a result of the experiences gained in determination of characteristics of these initial fast neutron fields, new and more complex fast neutron fields were designed latter: the internal neutron converter - INC (1983 and 1998), and the coupled fast- thermal core - HERBE (1990). Simultaneously, operational and regulation rules and safety analysis reports were updated.

2. RB REACTOR SPECIAL CORES - SHORT OVERVIEW hi most of the experiments, RB critical assembly operates as a pure heavy water reactor at power levels from 10 mW to 50 W. The initial core (in 1958) was loaded with natural (metal) uranium fuel. Power excursion accident, in which six personnel were heavy irradiated (one died), occurred at the reactor only six month after the first start-up. From that time, safety assessment of the reactor operation with different cores became a regular practice - the first Final Safety Analysis Report and Regulation Rules were written in 1962 when reactor control, safety and dosimetry systems were modernised to allow operation with 2% enriched metal U. Further mayor refurbishment of the control equipment was done in 1982 (new start-up channels) and in 1987 when new neutron control and gamma dosimetry logarithmic channels were added in the control panel. Regulation and operation rules were updated accordingly.

171 Among many different thermal cores, special attention is required by core no 5/1973, designed in 1973 for irradiation purpose by fast neutrons outside of the reactor tank. Such an RB reactor core, with central heavy water reflector and fuel distribution along the core peripheral, was used for the IAEA Project: International Inter-comparison of Neutron Accidental Dosimeters. The reactor control system was modified to allow operation at power level of a few kW. The experiment went without problems, but recent analyses shown that reactor operated at approximately 2.5 time higher power than declared by operating staff. It was consequence of fact that power was not calibrated for the new core configuration and safety analyses and operation rules were not carried in full details.

When 80% enriched uranium fuel became available, initial studies of design of fast neutron fields behind or inside reactor tank started. Various 'experimental cores' were designed up to now. Some of these cores, that required special safety, operation and radiation attention, are described shortly and their basic characteristics are given in Table I.

The ENC [2] transforms thermal neutron leakage flux from the RB tank into a fast, near to fission spectrum, neutron flux. It is designed as an aluminium box placed beside the reactor core and filled with segments of 80% enriched uranium dioxide fuel (total 4.3 kg 235U). The output of the ENC is covered by a thin Cd plate to eliminate thermal neutrons in output spectrum. A special RB core is designed to optimise the maximum ENC flux output in function of the reactor power. The large experimental space and possibility of downshifting of fast neutron spectrum at the ENC output using screens of different materials are the principal advantages of the ENC. The shortcoming of the ENC is low intensity of the fast neutron flux.

The EFC [3] was constructed of ten 80% enriched UO2 fuel segments of the RB reactor, placed in a standard fuel channel of the RB core, but without moderator around fuel segments. The segments are modified in such way that an inner aluminium part of the hollow fuel segments is removed. The intensity of the fast neutron flux inside the EFC was upgraded on account smaller available experimental space and softer neutron spectrum than in the ENC. New RB core was designed in aim to increase epithermal neutron flux around the EFC that was placed in position of the central axis of the RB reactor core, surrounded with radial thermal core zone filled with highly enriched fuel elements without moderator inside fuel channels.

The INC [4] is thermal-to-fast neutron converter designed inside the RB tank. The fast zone (without moderator) of INC-1 was designed as an 80% enriched fuel elements annulus surrounded with blanket made of two layers of the natural uranium fuel elements in separate aluminium tanks. A central air hole is designed for irradiation purpose. Three different versions of the INC are developed (INC-1, INC-2 and INC-3). The INC thermal zone is the RB thermal core of 2% and 80% enriched fuel elements placed in square lattice pitch of 12 cm surrounded with heavy water reflector. The recent INC-3 is designed with 80% enriched uranium fuel annulus and thin Cd layer in fast zone offering large space for irradiation by fast neutrons.

The HERBE [5] is coupled fast-thermal neutron core designed in the RB reactor for fast neutron flux intensity increasing in a vertical experimental channel placed in the centre of the fast core. Characteristics of the HERBE are determined by computer codes and in the experiments for verification. The fast core of the HERBE system is loaded with the natural uranium fuel elements. It is surrounded by the neutron filter and the neutron converter annular zones. The neutron filter contains a thin cadmium layer and the natural uranium fuel elements. Increase of fast neutron flux is realised by the neutron converter, filled with the 80% enriched UO2 fuel elements Thermal core is composed of the 80% enriched UO2 in the 12 cm square lattice cell, moderated and reflected by heavy water. A vertical channel (7.2 cm inner diameter) is placed in the centre of the system. New safety analysis report for the HERBE system was written in 1991 including appropriate changes in operation and regulation rules.

172 Table I. Characteristics of the Neutron Fields at the RB Reactor

Name of the Field Experimental space Neutron flux [cirfV] at 1 W Equivalent dose rate Neutron Field location /Dominant neutron [mSv/h] atl W at RB reactor at reactor spectrum THERMAL FAST neutron gamma (< 0.465 eV) (> 0.8 MeV) EC = Experimental RB core & HC:D=17mm, L = 2m Horizontal (HC) or reflector VC:D.= llcm,L = 2.3m 1 107 5.3 105 1630 Vertical (VC) Channel . / thermal ES = Experimental Space platform & few cubic meters around the RB reactor RBhall / thermal 1.8 105 2.5 102 7.7 3.5 ENC = RB External north RB 1 mx 1 mx 1.5m Neutron Converter platform / fission 0 4.5 104 80 1 ENC_FE = ENC with Fe north RB 1 mx 1 mx 1.5 m (8 cm) screen platform / softened fission + 1/E5* 0 2.5 104 35 0 MFC = Modified RB RBcore D = 2.3 cm, L = 1.2 m Fuel Channel no. 58. / softened fission + 1/Ea 2.6 106 2.7 106 5500 350 INC-1 = Internal Thermal-to- RB core D = 20cm,L=1.25m Fast Neutron Converter, ver.l no. 59. / softened fission + 1/Ea 2.3 105 1.4 106 2800 700 INC-2 = Internal Thermal-to- RBcore D = 30cm,L=1.26m Fast Neutron Converter, ver.2 no. 60. / softened fission + 1/E" 2.3 105 1.5 106 3000 700 HERBE = Coupled Fast- RB core D = 3.8 cm, L = 95 cm Thcrrnal System no. 78. / intermediate 9.2 102 9.5 105 3150 210 INC-3 = Internal Thermal-to- RBcore D = 30cm, L=155cm Fast Neutron Converter, ver.3 no. 86. / intermediate 3.7 103 1.7 106 3450 200

Remarks: 1. D = diameter, L = length; 2. Maximum values of the neutron flux and equivalent neutron and gamma-ray dose rate are 5shown 3. CONTROL AND SAFETY ASSESMENT RB reactor started operation in April 1958 without any written Safety Analysis Report or Operation Rules. First safety analysis was done after the accident that occurred in October 1958. After that accident, reactor control, safety and dosimetry systems were modernised for the IAEA ' Vinca Dosimetry Experiment' carried out in 1960 to examine irradiation consequences of the accident. The first Final Safety Analysis Report and Operation Rules are written in 1961/62 when reactor started operation using 2% enriched metal uranium fuel elements. These reports and rules are reviewed by the Nuclear Safety Committee, an independent expert body of the Vinca Institute, formed in that period for the first time. According to the results of review, the Nuclear Safety Committee proposed to the Director General to issue permission for regular operation of the reactor.

Modifications, mentioned above, converted the RB critical assembly to a flexible experimental reactor with 1 W nominal power. It operates usually from 10 mW to 50 W, and, on special occasions and shortly, at 'very high power' up to 10 kW. The RB reactor operated safely using 2% enriched and natural metal U fuel in 1962-1976 period. Over 300 different reactor cores were examined. The reactor reached criticality almost 3000 times. New 80% enriched UO2 fuel, with almost the same mass (7.67 g per segment) of U- 235 nuclide as in 2% enriched metal U fuel, and the same geometry shape as the 2% enriched fuel, was bought in 1976. The safety analysis report for operation of the RB thermal cores with HEU was updated in 1977/1978 when new start-up channels are built-in as well.

Development of all versions of fast neutron fields at the RB reactor was reviewed and approved by the Nuclear Safety Committee. General demands, set during design of these fast neutron fields at the RB reactor, were: (a) modifications of the RB reactor core should not be large; (b) only existing nuclear fuel can be used; (c) the whole coupling: RB reactor-fast neutron field should be strong in such a way that it acts as a common thermal reactor (large prompt neutron time) so that the existing reactor control system can operate normally; and (d) the coupling should be designed in such a way that the system can be shut down quickly and safely with safety rods in thermal core.

All demands that were set during design of the fast neutron fields at the RB reactor were achieved. The safety analyses showed that the RB reactor operation with designed fast neutron fields is safe, without any need for significant modification of control or safety systems. The existing safety rods system has enough reactivity that can be inserted in a very short interval so any power excursion can be stopped. Response times of the reactor control instrumentation are so that all control of the designed couplings is within normal operation modes of the RB reactor. According to the results of these analyses, the safety system of the RB reactor can quickly and safely shutdown the reactor during the most probable accident or in case of accident in which highest reactivity is inserted. Neither the system components nor the reactor stuff should be exposed to high doses (up to 25 mGy) during these postulated serious accidents. In order to increase sensitivity of the safety system to the most dangerous possible accident (flooding of the fast zone of the INCs and HERBE by heavy water from thermal core), two moderator leak sensors were placed in the outermost tank of the fast core and independently connected to the existing RB reactor safety system.

Special safety and dosimetry analyses are carried out for the RB cores that operate with ENC (acts as an external neutron source in the reactor) and for the cores with INCs (large voids inside reactor tank allowing huge leakage of dominantly fast neutrons). Operation modes of these cores set additional requirements and increased attention of the reactor staff. Radiation protection analyses and measurements of dose rates during operation of these reactor cores have shown that topography of dose rates around reactor hall is within foreseen limits and that no further requirements should be set to the reactor power level or control operation modes or rules.

Presently, RB reactor operates with the core designed as the third version of the INC, INC-3 [6]. This special core is used for irradiation purposes, development of modern radiation protection, reactor control and safety systems, and for verification of new computer codes used for reactor design and safety studies developed at NET Laboratory in the Vinca Institute. Another field of the RB reactor recent extensive

174 application is increasing interest for compilation and systematisation of evaluated benchmark experiments in critical safety. Three separate evaluations of the more than 20 carefully selected, well documented and reviewed RB reactor experiments, are included into the International Criticality Safety Benchmark Evaluation Project (ICSBEP) Handbook, managed by the OECD/NEA [7] and issued as CD ROM edition or Web presentation, each year.

Control and dosimetry monitoring equipment of the RB reactor was partially modernised in 1978 (start-up channels) and 1986-1988, when 3 neutron logarithmic 'power' channels and 3 gamma dosimetry channels with ionisation chambers were installed. Safety analysis report and operation rules are updated in 1991, after a period of testing of the equipment. Unfortunately, due to lack of funds., these last 6 channels were not connected into the reactor safety system. So, the RB reactor still operates using old electronic tube equipment connected to the safety and (manual and automatic) power control systems. Lack of spare parts (electronic tubes, some of them are old more then 50 years) is main ageing problem in maintaining of this equipment, ready now for a museum.

Ageing of reactor equipment becomes a serious shortage in reactor reliable control. Examining data on the reactor safety trips compiled from 1962 it can be seen that during the total of about 1800 days of operation of the RB reactor, the total of near 600 safety trips are recorded. Among them near 10% are due to operator failure and about 20% are due to power failure. The rest (about 70%) is due to failure in equipment. In the last 10 years, the average value of 16.1 trips/year from all causes can be derived. Among them, 3.1 trips/year are due to equipment failure, 3.2 trips/year are due to electricity power failure and 1.2 trips/year is attributed to operator various errors.

4. CONCLUSIONS Safety and radiation protection analyses have shown that the RB reactor can operate safely with all different types of developed neutron fields without any significant modification of the existing control and safety systems. There were no needs for additional safety rods acting upon the fast core zones. Only for safety precautions, two new sensors of the moderator level (the 'flooding accident') were placed in the outer tank of fast zone of the INCs and HERBE and independently connected to the existing safety system. Some cores (with ENC or INC) require special attention of the reactor staff and carefol modes of operation. Modernisation of control, safety and dosimetry equipment of the RB reactor still remains primary demand. This demand is set to the Ministry of Sciences and Technology of Republic Serbia as new project, expecting also support of various international communities, specially the IAEA, within technical assistance.

References

[1] POPOVIC, D., 'The Bare Critical Assembly of Natural Uranium and Heavy Water', Peaceful Uses of Atomic Energy (Proc. 2nd UN Inter. Conf. Geneva 1958), Vol. 12, paper no. 15/P/491, UN Publication, Geneva 392-394 (1958). [2] STRUGAR, P., SOTIC, O., NINKOVIC, M., PESIC, M., ALTIPARJV1AKOV, D., Conversion of the RB Reactor Neutrons by High - Enriched Uranium Fuel and Lithium Deuteride, Kernenergie 24 3 101-104(1981). [3] PESIC, M., MARKOVIC, H., SOKCIC, M., MIRIC, I., PROK1C, M., STRUGAR, P., Experimental Fuel Channel for Samples Irradiation at the RB Reactor, Kernenergie 27 11-12 461-464(1984). [4] PESIC, M., Coupled Fast - Thermal System at the RB Nuclear Reactor, Kernenergie 30 4 142-149 (1987). [5] PESIC, M., ZAVALJEVSKI, N., MILOSEVIC, M., STEFANOVIC, D., POPOVIC, D.5 NIKOLIC, D., MARJNKOVIC, P., AVDIC, S., A Study on Criticality of Coupled Fast- Thermal Core HERBE at RB Reactor, Annals of Nuclear Energy 18 7 413-420 (1991).

175 [6] MILOSEVIC, M., PESIC, M., DASIC, N., LJUBENOV V., 'Determination of Neutron Flux Distribution Across the RB Reactor with Large Central Air Hole' YUNSC'98 (The 2nd Yugoslav Nuclear Society International Conference, Belgrade 1998) (ANTIC, D., Ed.) Vinca Institute, Belgrade 365-370 (1998). [7] PESIC M., 'RB Reactor: Natural Uranium Rods in Heavy Water' (LEU-MET-THERM- 001, Vol. IV), 'RB Reactor: Lattices of 2%-Enriched Uranium Elements in Heavy Water' (LEU-MET-THERM-002, Vol. IV) and 'RB Reactor: Lattices of 80%-Enriched Uranium Elements in Heavy Water' (HEU-COMP-THERM-017, Vol. H), International Handbook of Evaluated Criticality Safety Benchmark Experiments ICSBEP Vol. I-VII, OECD NEA/NSC/DOC(95) Paris (2000).

176 XA0102793 IAEACN-82/14

EXPERIENCE IN THE IMPLEMENTATION OF QUALITY ASSURANCE PROGRAM AND SAFETY CULTURE ASSESSMENT OF RESEARCH REACTOR OPERATION & MAINTENANCE

SYARIP Reactor Division of R&D Center for Advanced Technology Jl. Babarsari POB 1008 Yogyakarta 55010, Indonesia Fax: +62274561824; Email: [email protected]

SURYOPRATOMO, K. Nuclear Engineering Department, University of Gadjah Mada Jl. GrafikaNo.2 Yogyakarta 55281, Indonesia Fax: +62274902210

Abstract

The implementation of quality assurance program and safety culture for research reactor operation are of importance to assure its safety status. It comprises an assessment of the quality of both technical and organizational aspects involved in safety. The method for the assessment is based on judging the quality of fulfillment of a number of essential issues for safety i.e. through audit, interview and/or discussions with personnel and management in plant. However, special consideration should be given to the data processing regarding the fuzzy nature of the data i.e. in answering the questionnaire. To accommodate this situation, the SCAP a computer program based on fuzzy logic for assessing plant safety status has been developed. As a case study, the experience in the assessment of Kartini research reactor safety status shows that it is strongly related to the implementation of quality assurance program in reactor operation and awareness of reactor operation staffs to safety culture practice. It is also shown that the application of the fuzzy rule in assessing reactor safety status gives a more realistic result than the traditional approach.

1. INTRODUCTION Indonesia has three research reactors: 100 kW (Kartini reactor) in Yogyakarta, 2000 kW reactor in Bandung, and 30000 kW multipurpose reactor in Serpong near Jakarta. All three reactors are in operation. A good safety performance of the three research reactor's operation is of central importance, therefore the reactor safety status should always be improved.

The assessment of plant (reactor) safety status relating to the implementation of quality assurance program as well as it safety culture status is usually assessed through auditing pertinent documentation and interviews and/or discussions with personnel and management in the plant. The approach for safety assessment described in IAEA-Safety Series [1, 2] make uses of a questionnaire composed of questions which require 'Yes' or 'No' answers. Such a procedure ignores the fact thai; the expert answering the question usually has knowledge which goes far beyond a mere binary answer. Therefore, a computer program was developed for data analysis based on the theory of fuzzy sets. Data collected through discussions and. interviews are presented in the form of ratings or scores given by the investigator based on his personal judgment to every item being questioned. The rating numbers range from 1 to 7 and represent linguistic variable of goodness of the status of the item.

The paper describes how the analysis method was developed, and then by using it, a sample analysis was done for the assessment of safety status of the Kartini research reactor.

177 2. METHODOLOGY

2.1.SCAP description SCAP is an abbreviation of Snfety Culture Assessment Program. It is a computer program used for doing an assessment on safety status of a plant. In principle, the method used in SCAP is based on ASCOT guidelines[2, 3]. SCAP includes every aspect considered in ASCOT missions, with two additional technical aspects i.e. plant design and plant maintenance and one non-technical aspect (i.e. LP&S - Low Power and Shutdown conditions).The reason to make these additions is that the status of a plant basically depends on both the quality of design and maintenance. A good plant design is nothing without proper maintenance, and so is the contrary. Hence, good plant condition can only be fulfilled by good design and good maintenance.

LP&S conditions deserve special consideration as humans activities are so involved in these conditions. It was noted that approximately 60% of the loss of shutdown cooling and loss of electrical power events involved test, calibration, maintenance, repair, or installation errors [4]. And less than 20% of the events were found to be related to operations. The majority of errors involved personnel other than control room operators. These facts indicate the need for special consideration of LP&S conditions.

In summary, all of the aspects being included in SCAP can be listed as follows: (a) organization corporate; • government; • regulatory agency; • research and design organizations; (b) plant overview; • plant visit; • documentation review; (c) plant; • design; • maintenance; • experience feedback; • personnel; • management; • working environment; • LP&S conditions.

2.2. Data collection The assessment normally begin with discussions at government/regulatory office, and then to a visit to the corporate headquarters. At last, the majority of time is spent at the plant. At the plant, the assessment begins with an initial overview, as certain manifestations of safety culture are readily apparent on a walk- through of the plant and documentation review. But whatever impression derived from an initial walk may only be a positive indication of effective safety culture. Hence, the main conclusion on safety culture would be established through discussions and interviews with personnel.

The concentration during discussions and interviews is put on the individual and collective attitudes and knowledge rather than technical content of systems. All except for the two additional aspects i.e. plant design and plant maintenance.

2.3. Data rating/score

Data collected through discussions and interviews are presented in the form of ratings or scores given by the investigator based on his personal judgment to every item being questioned. The rating numbers range from 1 to 7 and represent linguistic variable of goodness of the status of the item as follows:

178 Rating/score Linguistic meaning 1 very very bad 2 very bad 3 bad 4 average 5 good 6 very good 7 excellent

2.4. Data processing As rating data are fuzzy in nature, the data will be processed accordingly by using fuzzy mathematical operation. Here lies the main difference between ASCOT approach and SCAP approach in data processing.

Each of the item in SCAP is given a weight of relative importance. And the overall status of a plant is computed as the weighted average value of all the rating data. The computation is in principle similar to ordinary way one compute an average value. But the arithmetical operation must first be adjusted with fuzzy logical thinking. This can be done by applying Zadeh's extension principle. Zadeh's extension principle is a general method for extending functions over the integers to function over fuzzy sets based over the integers.

The results is the following definition (over the universe {1,2,3,4,5,6,7} of the rating) for fuzzy addition, fuzzy multiplication and fuzzy division: Let A = {a(i)/i | K=i<=7} then A+B = {min(a(i),b(j))/[i+j] \ l<=i,j<=7} A*B = {min(a(i),b(j))/[i*j] I K=iJ<=7} A/B = {min(a(i),b(j))/[i/j] | K=ij<=7} This definition computationally means that to compute the degree of membership of, say, 9 we have to examine all of the possible ways that two integers i and j in the universe {1,2,3,4,5,6,7} can sum to 9 and examine the degrees of membership of these pairs. If x is the degree of membership of 9 in A+B, then x would be calculated as follows:

x = max{min(a(2),b(W> min(a(3),b(6))> mn(a(4)tb(5)), min(a(5),b(4)), min (a(6),b(3)), min(a(7),b(2))} Each of the minimum operation computes one of the degree of membership of [i+j]—9 in the set A+B as is described in the above definition. And the maximum operation is taken as {x,y,x,z} = {x,y,z} (in ordinary set theory) and {.2/x, J/y, .4/x, .8/z} = {.4/x, J/y, .8/z) (in fuzzy set theory) Similar procedure applies also to the other two operations.

The result of A+B operation is a fuzzy subset over the set of integers from 1 to [7+7]=14, A*B is a fuzzy subset over the integers from 1 to [7*7]=49, and A/B is an approximate fuzzy subset over the integers from 1 to [7/l]==7. Notice that A/B is an said to be an approximate fuzzy subset: as, in theory, A/B should be a fuzzy subset over the set of real. However in most applications, it is usually approximated for simplification purpose. In SCAP, this set over the real is reduced to one over the integers by deleting any element not over an integer base. The last step in processing data is to find an appropriate natural language expression for the weighted average fuzzy set. In SCAP this is done by 'matching' this weighted average fuzzy set with the previously defined fuzzy sets for each rating/score that range from very-very- bad (rating number 1) to excellent (rating number 7) and take the closest one. In mathematical terms, this can be done by so called 'Best Fit' method, and is calculated as follows: Let Fs = {fs(i)/i | i is an element of the universe}

179 = defined fuzzy sets, where index s refers to each of the rating/score; this means that F3 is a fuzzy set for rating of 'Bad', F5 is a fuzzy set for rating of 'Good', F6 is a fuzzy set for rating of 'Very good' and so on. R = {r(i)/i I i is an element of the universe} = weighted average fuzzy set.

The best fit of Fs to R is measured by distance between Fi,F2,... ,F7 and R

7 2" distance{Fs,R) = ZWO-KO)

And then take Fs which gives the shortest distance as the final decision, whether the plant status is good (F5), average (F4), bad (F3), and so on.

A fuzzy sets editor is provided to enable the user to redefine the default fuzzy sets defined in SCAP. Questionnaires editors are designed for program enhancement as Questionnaires content may need further modifications to adjust with the new/changing facts in the future. And a rating/score editor is the part of SCAP in which users enter rating/score value while they are doing their assessment in a plant.

3. RESULTS AND DISCUSSIONS At the present time, all research reactors and nuclear installations are owned and operated by the government, i.e. the National Nuclear Energy Agency (Batan) as a 'Promotion Body'. According to the new Act No. 10/1997 on Basic Provision of Nuclear Energy , the responsibility to promote the application of nuclear energy is vested to 'Promotion Body', and the responsibility to regulate and control is vested to 'Regulatory Body' (Bapeten). The safety organization for research reactors (nuclear facilities) operation in Indonesia is shown in Figure 1. Nuclear Energy National Nuclear Control Board Energy Agency

Bureau for Law and Research External reactors and Organization Control other nuclear facilities

Facility Level Reactor safety committee H & S Div.

Reactor Internal Internal safety (Operation) Control practice •\ Division

Internal safety audit -*• Functional -• Coordination

FIG. 1. Safety organization for research reactors operation in Indonesia

180 From the reactor site, the assessment begins with an initial overview as certain manifestations of safety culture are readily apparent on a walk-through of the plant and documentation review. Questionnaires are grouped in files as follows : • main program: SCAP.EXE • questionmiires files: • fuzzy sets file : Default MAP.

Q-1100.001 : (Government) Q-1107.001 (Plant maintenance) Q-l 101.001 : (Regulatory agency) Q-l 108.001 (Plant experience feedback) Q-l 102.001 : (Corporate) Q-l 109.001 (Plant personnel) Q-l 103.001 : (Supporting organization) Q-l 110.001 (Plant management) Q-1104.001 : (Plant visit) Q-1111.001 (Plant working environment) Q-1105.001 : (Documentation review) Q-1112.001 (Plant LP&S conditions) Q-l 106.001 : (Plant design)

SCAP is designed for people working in a group. Hence, a facility is provided in it for combining all data files prior to processing.

3.1. Interrelationship scheme

From look at the list of aspects included in SCAP, it is obvious that there exists some kind of interrelationship among them. Especially between plant design and maintenance, personnel and working environment, and management and corporate. As a consequence of this fact, the following scheme is applied in determining the final decision of the plant safety status. Final Decision

OR

OR 1 PLANT 1 (SUPPORTING^ LOW POWEW (^RGANIZATIOt) SHUTDOWN i PLANT 1 If PLANT ^ DESIGN j J AQAINTENANCJMAINTENANCEE

f EXPERIENC I FEEDBACK

( PLANT )1 { PLANT PLANT ^ ( CORPORATE ^ (PERSONNELtPERSONNELj) I WORKING lAGEMENTj ^ ATTITUDE J ENVIRONM.EN1 e

3.2. Sample output The sample output of SCAP 'assessment results using collected data from the Kartini research reactor is shown in Table I. The overall plant status in this result is average. This result might be confusing for those who have no acquaintance with fuzzy logic but traditional two-value logic as ordinary average value computation would lead someone to 'good' decision because almost all of the data give 'good' scores. However odd it may be, but this is truly the most logical result. This can be explained as follows: as safety status of a plant depends on quality of both plant design and plant maintenance, plant status is bad whenever one of these two aspect is bad or average. This result is also in accordance with the analysis result by similar method [5]. Therefore, a good plant design is of no use if plant maintenance is bad, and

181 so is the contrary. Consequently, no matter how good other aspects are, they are nothing without good maintenance.

Table I. Safety status of Kartini research reactor according to SCAP output Assessment result with respect to Aspect

Overall Plant Status average

#data Status

Overview 22 good Plant Design 92 good Plant Maintenance 21 average Plant Experience Feedback 64 good Plant Management 112 good Plant Personnel 65 good Plant Working Environment 79 good Plant Low Power & Shutdown 153 good Government 20 good Corporate 19 good Regulatory Agency 38 good Supporting Organization 33 good

Whereas, from the observation and experience in the implementation of the quality assurance program and safety culture practice of Kartini research reactor operation and maintenance, it was found that by the traditional method (ordinary average value of binary answer on questionnaires/ audit results), the safety status of Kartini reactor is rated as 'good'. The experience in implementation of safety culture practice of the Kartini reactor operation and maintenance was also shown that the changes in culture or adjustments to culture proceed very slowly. The main obstacle is the need to explain the notion 'safety culture', it had to be understandable and recognizable by everyone, and need a continuous process in promoting the safety culture.

4. CONCLUSIONS The method presented has proved useful in assessing the safety culture of the research reactor, and as a sample assessment the safety culture status of Kartini research reactor is rated as 'average', while by using the traditional approach it is rated as 'good'. The experience in the assessment of Kartini research reactor safety status shows that it is strongly related to the implementation of quality assurance program in reactor operation and awareness of reactor operation staffs to safety culture practice. It is also shown that the application of fuzzy rule in assessing the reactor safety status give more realistic results than the traditional approach.

ACKNOWLEDGEMENTS

The author would like to thank to Prof. U. Hauptmanns in Anlagentechnik und Anlagensicherheit, Fakultat fur Maschinenbau, Otto-von-Guericke Universitat Magdeburg, Germany, for his guidance in finishing this research. As well as to all Kartini research reactor staff for their cooperation.

References

[1] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Series No. 75 INSAG 4, Safety Culture, IAEA, Vienna, (1991). [2] INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA-TECDOC-860, ASCOT Guidelines, Guidelines for organizational self-assessment of safety culture and for reviews by the Assessment of Safety Culture in Organizations Team. IAEA, Vienna, (1996). [3] SURYOPRATOMO, K., SCAP: Safety Culture Assessment Program using Fuzzy Logic, Media Teknik, University of Gadjah Mada, Yogyakarta (1995). [4] NUREG/CR/1093, 'Human Factor in Low Power & Shutdown Conditions', (1993)

182 [5] SYARIP, HAUPTMANNS, U., Application of Fuzzy Set Theory for Safety Culture and Safety Management Assessment of Kartini Research Reactor, Proceedings of International Symposium on Research Reactor Utilization, Safety and Management, IAEA-SM-360, Lisbon, (1999). [6] HAUPTMANNS, U., Computer-Aided Valuation of Safety Management, Journal of Process Safety and Environmental Protection, T98025, Institution of Chemical Engineers (IChemE), (1998). [7] INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA-TECDOC-821, Experience With Strengthening Safety Culture in Nuclear Power Plants : Report of a Technical Committee Meeting held in Vienna, IAEA, Vienna. (1995). [8] BECQUAERT, A., The Nuclear Power Plants of DOEL Our Approach to Safety Culture, in Proceediiag of Symposium of Advances in the Operational Safety of Nuclear Power Plant, IAEA, Vienna, p 108-121 (1995). [9] BOOTH, R. T., The Promotion and Measurement of a Positive Safety Culture, in : Neville Stanton (Editor), Human Factor in Nuclear Safety, Taylor & Francis Ltd., 1 Gunpowder Square, London EC4A 3DE, p 313-343, (1996).

183 XAO102794 IAEA-CN-82/16

SAFETY ENHANCEMENT IN CIRUS THROUGH AGEING MANAGEMENT AND REFURBISHING

SHARMA, S. K. Bhabha Atomic Research Centre Trombay, Mumbai-400 085, India; Fax: +91225505311; Email: [email protected]

Abstract

Ageing assessment of systems, structures and components of the 40 MWt research reactor Cirus located at the Bhabha Atomic Research Centre, Trombay was carried out after the reactor had completed over 30 years of operation. Refurbishing requirements were identified based on these studies and an extended outage of the reactor was commenced towards end 1997 for implementing the required actions. This opportunity was also utilized for undertaking studies and making necessary improvements for enhancing reactor safety. These included assessment of physical condition and seismic evaluation of major structures, theoretical estimations and laboratory measurements of stored energy in the graphite reflector, actions to ensure integrity of sub-soil piping and correction of leaks in helium piping by remote repairs. Some of the important activities for enhancing reactor safety during ageing assessment and refurbishing of Cirus are discussed in this paper.

1. INTRODUCTION CIRUS, a 40 MWt research reactor located at the Bhabha Atomic Research Centre, Trombay went into operation in 1960 and has been extensively used for basic and applied research, radioisotope production and manpower training. Cirus is a vertical tank type heavy water reactor utilizing natural uranium as fuel, heavy water as moderator, helium as cover gas, graphite as reflector, light water as primary coolant and sea water as secondary coolant. A vertical cross-section of the reactor block is shown in Fig. 1.

With a long period of service spanning over three decades, some of the reactor components started showing signs of ageing during the nineties resulting in excessive maintenance efforts and reduced reactor availability. Detailed ageing studies were therefore carried out to examine the condition of systems, structures and in-core and out-of-core components of the reactor towards assessing their condition and identifying refurbishing requirements. An extended outage of the reactor was then started towards end of 1997 for implementing the required refurbishing actions. Apart from carrying out necessary repairs and component replacements, this opportunity was also utilized for making several improvements to enhance reactor safety.

184 REVOLVING FLOOR REMOVABLE BIOLOGICAL SHIELDS

UPPER HEADER ROOM / BIOLOGICAL CONCRETE SHIELD

—810LOGICAL WEB STEEL. THERMAL SHIELD •

ALUMINIUM THERMAL SHIE — STEEL THERMAL SHIELD

SELF SEHVE FACILITY THERMAL COLUMN'

•BEAM TUBE

REACTOR VESSEL"

•GRAPHITE REFLECTOR

ALUMINIUM THERMAL- . • /—* ^— CAST IRON THERMAL SHIELD -y*.-».- .• '.7. VI SHIELD

STEEL THERMAL SH1ELD" SUPPORTING STEEL STRUCTURE

CIRUS VERTICAL CROSS SECTION

FIGURE-1

2. PRIMARY COOLANT SYSTEM COMPONENTS The primary coolant in Cirus is maintained in a closed recirculating loop and the system is comprised of main coolant recirculation pumps, tubular heat exchangers and associated piping and valves. On stoppage of the main coolant pumps, the reactor is automatically shut-down and shut-down core cooling is provided by gravity flow of water from a sphere shaped tank, called Ball Tank, with core outlet flow received in a tank located below ground. Water from the underground tank is pumped back to the Ball tank by pumps provided with diesel power. The general arrangement of Cirus primary coolant system is shown in Fig. 2.

185 EMERGENCY WATER RESERVOIR CSALL TANK !

%—NORMAL SHUT-DOWN CORE \ COOLING FLOW INLET LINE \ / 7 CHECK VALVES

-LINE FOR PUMP'.NG 4 WATER TO COR! t FROM a.S.OUMPJ. i PUMPS f-> P-V.T.AMK {\ |W!TH \_J \) jCLASSS-r" ^ POWER JPR1MARY COOLANT ^-RJNG SUPPLY j jPUMPS (5 NO*.)-! HEADER

j NORMAL •*\ SHUT-OOWN REVERSE i COOLING COOLSNG FLOW FLOW INLET OUTLET LINE LINE FUEL ROOS PRIMARY COOLANT ± H.EX«.(SNo UNDERGROUND DUMP TANK

—— COOLANT FLOW PATH WITH PRIMARY COOLANT PUMPS OPERATING. SHUT-OOWN COOLING FLOW PATH.

SIMPLIFIED FLOW DIAGRAM OF PRIMARY COOLING WATER SYSTEM OF CiRUS

FIGURE-2

2.1. Sub-soil piping Large sections of primary coolant system piping are laid sub-soil, 4-5 metres below the grade. An assessment of corrosion status of the inside surfaces of piping was done by metallurgical examination of a small piece of pipe removed from the hot leg of the system which is subjected to most severe service conditions. The surface was in good condition with no localized attacks. Uniform corrosion was measured to be about 0.035 mpy compared to design corrosion allowance of 0.1 mpy. This is attributed to stringent control maintained on coolant chemistry over the years. Excavation was carried out to expose all sub-soil pipes for thorough inspection. Water proofing on the pipes was found intact but had deteriorated due to long service period of nearly 4 decades. The outer surface of 500 mm and 250 mm diameter pipes was in good condition. Pipes of 200 mm or less diameter were seen to have pitted near welds joining pipe sections and were replaced. Old tar-felt based protective coating on all pipelines was replaced by cold-applied rubber modified bitumen coating. Elastomer gaskets on couplings joining pipe sections were replaced and were formed by in-situ vulcanisation of elastomer rings.

2.2. Shut-down core cooling flow monitoring Shut down cooling flow rate through the core was monitored by an orifice installed at the inlet to the core. A review indicated that in case of any flow diversion between the orifice and the core inlet, this

186 could lead to erroneous and non-conservative indication of shut-down core coolant flow. A coolant flow monitoring system based on elbow taps was therefore provided at the core outlet also.

2.3. Failed fuel detection system The failed fuel detection system is comprised of a gaseous fission product stripping system arranged in a matrix form. A small flow of water from the outlet of each coolant channel was led to strippers where gaseous fission products were stripped by compressed air. Beta activity in the stripped gases was monitored with thin metal diaphragms separating moist air and activity monitoring instruments. Maintenance of this system required excessive effort and significant man-rem consumption on account of frequent failure of the thin metal diaphragms and leakages in copper tubes bringing water samples to the strippers. In view of this, the system was replaced by a gamma monitoring system wherein coolant outlet sample flow from channels is led to chambers with gamma monitors installed near these chambers and arranged in a matrix form. This change was made based on satisfactory experience with a similar system installed in the 100 MWt Dhruva reactor.

2.4. Physical separation of equipment The two pumps provided for pumping water from the underground tank to the: Ball tank were located in the same room. These were relocated in different areas to guard against possible incapacitation of both pumps on account of common cause failures. A dedicated diesel generator was also provided to supply power to these pumps in the event of a station black-out.

3. COVER GAS SYSTEM PIPING

3.1. Leak correction of pipe joints in inaccessible location The tank shaped reactor vessel of Cirus is made of aluminium with tubes fitted between top and bottom tube sheets to serve as lattice positions. Vertical aluminium pipes are attached to the top and bottom tube sheets which are connected to the stainless steel piping of the cover gas and moderator system respectively by flanged joints with elastomer gaskets. The flanged joints connected to cover gas piping located above the reactor vessel are in an inaccessible region, about 5 metres below the working platform at the top of the reactor. These joints developed leaks after a service period of over 30 years. Leak rates were observed to be higher when the reactor was shut-down indicating that joints had become loose due to thermal cycling and permanent set in the gasket material. Experiments carried out in the shop showed that leaks from flanges of similar design with very old and deteriorated gaskets installed between the flanges could be corrected by tightening. Special split sealing clamps were developed for remote installation around the flanges. The job involved lowering of the clamps from the operating platform to the elevation where the flanges are located through 100 mm diameter lattice tubes, moving them sideways to flange locations and placing the clamps around the flanges. All these operations had to be done remotely using a set of strings for manoeuvring the clamps into position, like in a puppet show. A full scale mock-up was therefore erected where qualification of tools, procedures and personnel was carried out. The clamps were then remotely installed around the flanged joints and tightened to correct leaks.

3.2. Leak correction of pipe joints in inaccessible location The tank shaped reactor vessel of Cirus is made of aluminium with tubes fitted between top and bottom tube sheets to serve as lattice positions. Vertical aluminium pipes are attached to the top and bottom tube sheets which are connected to the stainless steel piping of the cover gas and moderator system respectively by flanged joints with elastomer gaskets. The flanged joints connected to cover gas piping located above the reactor vessel are in an inaccessible region, about 5 metres below the working platform at top of reactor. These joints developed leaks after a service period of over 30 years. Leak rates were observed to be higher when reactor was shut-down indicating that joints had become loose due to thermal cycling and permanent set in the gasket material. Experiments carried out in the shop showed that leaks from flanges of similar design with very old and deteriorated gaskets installed between the flanges could be corrected by tightening. Special split sealing clamps were

187 developed for remote installation around the flanges. The job involved lowering of the clamps from the operating platform to the elevation where the flanges are located through 100 mm diameter lattice tubes, moving them sideways to flange locations and placing the clamps around the flanges. All these operations had to be done remotely using a set of strings for manoeuvring the clamps into position, like in a puppet show. A full scale mock-up was therefore erected where qualification of tools, procedures and personnel was carried out. The clamps were then remotely installed around the flanged joints and tightened to correct leaks.

3.3. Replacement of degraded piping For some of the piping in the helium system, inter-granular stress corrosion cracking was observed which was attributed to ingress of trichloroethylene into the system on a couple of occasions. Trichloroethylene was used as cooling medium for freezer dryers in cover gas purification system for removal of heavy water vapours. The corroded piping sections were replaced and direct cycle refrigeration equipment were installed for freezer dryers to avoid use of trichloroethylene.

4. ZIRCALOY TEST-SECTION OF PRESSURISED WATER LOOP A pressurised water loop is installed in Cirus wherein light water coolant is recirculated at a pressure and temperature corresponding to those in the primary heat transport system of Indian pressurised heavy water based nuclear power plants. The loop is used for irradiation testing of fuels and structural materials and its in-pile test section is made of zircaloy material. Hydrogen generated through corrosion reaction of zircaloy with high temperature coolant and by radiolytic decomposition of coolant can be picked up by the test section. Excessive hydrogen pick-up can lead to hydriding and consequent embrittlement of the material. An assessment of hydrogen pick-up by the zircaloy test section during its operating period of over 25 years was made based on hydrogen pick-up models developed for nuclear power plants. The test section was also subjected to ultrasonic testing for detection of any flaws. These checks confirmed that hydrogen pick-up in the material is not unduly high and there are no unacceptable flaws in the test-section. Plans are on hand to develop tools for in- situ scraping of the inside of the test section to obtain sliver samples for determining actual hydrogen pick-up in the material by laboratory analysis.

5. STORED ENERGY IN GRAPHITE REFLECTOR The reactor vessel of Cirus is surrounded by two graphite reflector rings. For some period prior to the shut down of the reactor for refurbishing, the reactor had been operated at power levels of 20 MW. Due to the low power operation and consequent reduction of concurrent annealing, there was apprehension of wigner energy accumulation in the reflector. A theoretical model of the reactor and reflector was developed for thermal analysis based on measurement of graphite temperatures at various elevations during reactor operation at varying power levels and with normal and reduced ventilation air flows. A graphite sample block was removed from the reflector and stored energy at its various axial locations was measured by differential scanning calorimetry in the Post Irradiation Examination laboratories of BARC. Results of laboratory measurements and thermal analysis showed that wigner energy stored in the reflector was not significant. In view of these observations, the reactor was operated for a short period at a power level of around 37 MW. A sample block from the reflector was then removed and its analysis showed significant reduction of stored energy even with this short high power operation. These observations confirmed that stored energy in the graphite reflector did not pose any safety hazard and there was no requirement of carrying out any in-situ annealing of the reflector using external equipment.

6. ASSESSMENT OF STRUCTURES

6.1. Ageing assessment of concrete structures For providing gravity assisted shut down core cooling, about 4 megalitres of demineralised water is stored in a 22 M diameter sphere shaped concrete tank known as the Ball tank, which is supported on a

188 conical shaped structure and is located at a higher elevation than the reactor core. The tank bottom is cupola shaped and a 3.3 M diameter, 16 M high vertical inspection shaft is located at its centre extending above the maximum water level in the tank. This tank and the 130 M high reactor building ventilation air exhaust stack are the two major concrete structures that were built over 50 years ago and have been subjected to wind loads and weathering in the coastal saline environment. The concrete of these structures was subjected to detailed examination which included rebound hammer test, ultrasonic pulse velocity checks and laboratory assessment of core samples. Concrete of the structures was found to be in sound condition and capable of providing many more years of service.

6.2. Seismic Evaluation The Ball tank, the stack, the steel reactor containment building and a few other structures were also subjected to seismic evaluation. This was done since the area where the reactor is located has been recently placed, in a higher seismic zone category. Except for the shaft-cupola joint of the Ball tank, the structures were found to be meeting the present day seismic criteria, possiibly due to the fact that excessive safety margins were used in their designs at the time of their construction in the fifties. The area joining the central inspection shaft of the Ball tank and its bottom cupola was found to be overstressed under postulated seismic conditions of maximum intensity. Thiis is due to inadequate reinforcement design of the slender cantilever-like vertical shaft when subjected to maximum envisaged ground acceleration under its own weight coupled with sloshing loads from the large mass of water stored in the tank. Plans have been prepared for strengthening the shaft-cupola joint area by installing a number of steel gussets all around and providing metal liner with epoxy sealing for leak tightness. Work for implementing these corrective actions is on hand.

7. OTHER SAFETY RELATED ACTIONS Taking advantage of the refurbishing outage, fire safety improvements were made by incorporating a fire detection system and providing fire barriers and fire retardant coatings on electrical cables. The alkali scrubber and silver-coated copper-mesh filter based iodine removal system in emergency ventilation exhaust was replaced by state-of-art activated charcoal-HEPA filter based system having higher iodine removal efficiency. Continued reliability of reactor shut-down devices was ensured by checking and confirming that drop profiles of shut-off rods and opening timing of dump valves were as per design intent. The Safety Analysis Report of the reactor was also revised to reflect all changes made during refurbishing.

8. CONCLUSIONS Systematic ageing assessment and performance reviews of Cirus systems after the reactor had seen over 30 years of operation provided valuable information for identifying refurbishing requirements. This was supplemented by further inspections carried out after shut-down of the reactor and unloading irradiated fuel from the core. These assessments, reviews and inspections also helped in formulating an action plan for safety enhancement of the reactor. Ageing assessment and seismic evaluation of major structures, assessment of stored energy in the graphite reflector and assessment of hydrogen pick-up by the zircaloy test-section of pressurised water loop are a few examples that provided a good understanding of the safety status of these structures and components. Activities like repair actions for ensuring integrity of sub-soil piping, leak correction in helium pipe joints through remote repairs, physical separation of safety related equipment and fire safety improvements have enhanced reactor safety considerably.

After completion of the refurbishing outage, the reactor can be expected to provide service for several years in a safe and reliable manner. The ageing assessment and refurbishing work is also considered cost-effective since this could be done at a small fraction of the cost of building a new reactor of similar capabilities.

189 XAO102795

IAEA-CN-82/19

SAFETY STATUS OF RUSSIAN RESEARCH REACTORS

MOROZOV, S. I. Division for Safety Assessment and Licensing of Research Reactors, Federal Nuclear and Radiation Safety Authority of Russia (GOSATOMNADZOR) Taganskaya Street 34, RU-109147 Moscow, Russian Federation Fax: +70959124041; Email: [email protected]

Abstract

Gosatomnadzor of Russia is conducting the safety regulation and inspection activity related to nuclear and radiation safety at nuclear research facilities, including research reactors, critical assemblies and sub-critical assemblies. It implies implementing three major activities: 1) establishing the laws and safety standards in the field of research reactors nuclear and radiation safety; 2) research reactors licensing; and 3) inspections (or license conditions tracking and inspection).

The database on nuclear research facilities has recently been updated based on the actual status of all facilities. It turned out that many facilities have been shutdown, whether temporary or permanently, waiting for the final decision on their decommissioning. Compared to previous years the situation has been inevitably changing. Now we have 99 nuclear research facilities in total under Gosatomnadzor of Russia supervision (compared to 113 in previous years). Table I. explaining their distribution by types and operating organizations is presented.

The licensing and conduct of inspection processes are briefly outlined with emphasis being made on specific issues related to major incidents happened in 2000, spent fuel management, occupational exposure, effluents and emissions, emergency preparedness and physical protection. Finally, a summary of problems at current Russian research facilities is outlined.

1. INTRODUCTION This paper has been written on the basis of the annual report on nuclear and radiation safety status of nuclear facilities in Russia submitted to the Russian Federation Government by the Federal Nuclear and Radiation Safety Authority of Russia (Gosatomnadzor of Russia) in 2001 [1]. According to this report Gosatomnadzor of Russia is conducting the safety regulation and inspection activity related to nuclear and radiation safety also at nuclear research facilities, including research reactors (RR), critical assemblies (CA) and sub-critical assemblies (SCA).

The safety regulation process is based on three major aspects as shown below: SAFETY REGULATION APPROACH |

Legislative - Standards LICENSING INSPECTIONS Basis

Only two items, licensing and inspections, are addressed in this paper to show the current status of safety of Russian nuclear research facilities. hi the beginning of 2001 the database on nuclear research facilities has been updated based on the actual status of all facilities* [2]. It turned out that many facilities have been shutdown whether temporary or permanently waiting for the final decision on their decommissioning. Compared to

190 previous years the situation has been inevitably changing due to reasons explained below. Now we have 99 nuclear research facilities under Gosatomnadzor of Russia supervision (compared to 113 in previous years). They are distributed by the current status as presented in Table I.

Table I. Status of Russian research facilities Type Operational Extended Decom. Construction or TOTAL Shutdown Reconstruction RR 25 4 6 2 37 CA 26 16 3 1 46 SCA 7 6 2 1 16 TOTAL 58 26 11 4 99

In 1994 Gosatomnadzor of Russia made its first attempt to establish a nuclear research reactor safety classification based on the level of hazard a facility may represent as follows: Group 1: nominal power up to 100 MWt for which there is a potential for severe accidents in all INES scale; Group 2: nominal power up to 20 MWt, devoted to a nuclear core physiics study, training, and isotope production with a moderate nuclear and radiation risk; Group 3: nominal power up to 1 MWt where it may not be necessary to organize a forced cool- down of the reactor core in an emergency situation and with a small risk.

In Table II. a list of operating organizations and research facilities divided into above-said groups is presented.

Table II. Operating organizations of research facilities Number of RR by Safety Groups OPERATING ORGANIZATION 12 3 Total RR RR RR CA SCA 1 Russian Scientific Center 'Kurchatov Institute' - - 7 18 1 26 2 State Scientific Center'Physics and Power 2 1 2 11 - 16 Engineering Institute', Obninsk 3 State Scientific Center'Scientific and Research 7 - 1 2 - 10 Institute of Nuclear Reactors', Dimitrovgrad 4 State Enterprise'Scientific, Research and Design - - 1 - 3 4 Institute of Power Techniques', Moscow 5 State Subsidiary Enterprise 'Sverdlovsk filial of - 1 1 Scientific, Research and Design Institute of Power Techniques', Zarechni 6 State Enterprise'Scientific and Research Institute of 5 5 Devices', Lytkarino 7 Open Stock Company''Machine Building Plant', 7 7 Electrostal 8 Design Bureau of Machinery, Nizhni Novgorod 4 4 9 State Scientific Center' Institute of Theoretical and - - 1 1 - 2 Experimental Physics', Moscow 10 All-Union Scientific and Research Institute of 1 1 Chemical Technology', Moscow 11 Design Bureau'Gidropress', Podolsk .... 2 2 12 S.Petersburg Institute of Nuclear Physics after B.P. 1 1 - 1 3 Konstantinov, Gatohina

13 Tomsk Scientific and Research Institute of Nuclear 1 1 Physics, Tomsk 14 Moscow State Engineering and Physics Institute - 1 - - 5 6 (Technical University), Moscow

191 15 Moscow Power Engineering Institute (Technical University), Moscow 16 Institute of Machinery, S.Petersburg 17 Filial of State Scientific Center 'Scientific and Research Institute of Chemical Physics', Obninsk 18 Central Scientific and Research Institute after A.N. 1 2 1 Krylov, S.Petersburg 19 Joint Institute of Nuclear Research, Dubna 1 2 20 Joint Stock Company 'Belgorodgeology', Belgorod 1 21 Joint Stock Company 'Norilsk Mining and 1 1 Metallurgy Kombinat after A.P. Zavenyagina', Norilsk 10 20 45 16 99 TOTAL

2. LICENSING The second big chunk of Gosatomnadzor of Russia regulatory activity is a licensing process for nuclear research facilities. A unified scheme of licensing had been established when the Federal Law on Atomic Energy Use was passed by the Russian Duma in 1995. It is pretty similar to licensing processes established in most countries as schematically presented by the following figure:

Licensing Process Head, Gosatomnadzor LICENSE of Russia

SED

License preparation Drafts: - Decision RR Department - License REVIEW •*- -Conditions

« 8 1 I If approved Other Departments EXPERTISE INSPECTION concerted

In 2000 Gosatomnadzor of Russia issued 19 licenses for different activities related to nuclear research facilities.

3. INSPECTIONS

3.1. Self assessment One of the important issues in this area is to control a self-assessment to be conducted by the operating organizations and be annually presented to Gosatomnadzor of Russia for its review and making decision as a feedback. To effectively control this process a special Order by Gosatomnadzor of Russia has been issued and appropriate requirements are put into the license conditions.

3.2.Major incidents at Russian nuclear research facilities in 2000. It should be noted that there were no nuclear and radiation incidents at the research facilities which would result in exceeding the limits of safe operation. During 2000 there were 47 (47 in 1999)

192 incidents related to the scram of the Emergency Control System (Emergency Control Rods). This number can be classified into the following categories: operator's error - 8 malfunction of control or instrumentation systems - 12 due to unstable power supply from the external grid -17 malfunction of the electric equipment- 7 heat rejection equipment malfunction - 1 malfunction of experimental devices- 2.

The analysis of all incidents happened at research facilities in 2000 has shown that the majority of events was related to: • aging of I&C equipment; • aging of Electric Systems equipment; • instability of the External Electric Power Supply; and • human/operator's error.

All these reasons represent the main problems at the research facilities. The need for reconstruction to fix the above problems is obvious but would require substantial investments. The other problem, that is becoming a serious one, is a human factor/operator's errors that can be characterized by the following reasons leading to the constant reduction in the number of adequately qualified operating staff: • lack of prestige; • decreasing of financial support; • staff aging/retirement.

3.3. Spent fuel and waste management From all amount of spent fuel, the following nuclear research reactor sites have the major quantity: • 'Kurchatov Institute' (Moscow); • PhEI (Obninsk); • NIIAR (Dmitrovgrad); • RDIPE Subsidiary (Sverdlovsk); • SPINPh (St. Petersburg suburb, Gatchina); and • NIFHI (Obninsk).

Table III summarizes the status of Spent Fuel storage facilities at different resesirch reactor sites.

Table III. Status of some research reactor sites spent fuel storage facilities Occupancy, % Site and Reactor Name 19JJ9 2000 'Kurchatov Institute', Moscow: - MR 60 60 -IR-8 36 36 PhEI, Obninsk: - AM-1 60 60 -BR-10 22 22 RDIPE Subsidiary (Sverdlovsk): - WWR-2M n 80 NIIAR, Dimitrovgrad: - CM-3 94 94 - MIR.M1 85 97 -RBT-10/l,RBT-10/2 68 67 - BOR-60 97 95 - VK-50 71 56 SPINPh (St. Petersburg suburb, Gatchina): - WR-M 37 37

NIFHI (Obninsk): - VVR-ts 53 59

193 The major problems of the spent fuel and radwaste storage facilities are the following: • the problem of SF transfer from some reactors to a specialized enterprise for its conditioning and disposal has not been resolved yet; • a large amount of radioactive equipment having big dimensions is collected at the sites; • the technology of some SF reprocessing, as well as for non-standard equipment has not been developed up to now; • liquid RadWastes are not solidified (due to lack of resources) and are stored in temporary storage facilities.

From the above table it can be easily seen that some storage facilities are close to be completely filled with Spent Fuel Assemblies.

3.4. Effluents and emissions The amount of releases (airborne and waterborne) in 2000 was less than in previous years when summed releases never exceeded the established control levels [3].

3.5. Occupational radiation exposure The radiation dose rate to the personnel is basically determined by the modes of the reactor operation at nominal power, by the experiments needs, by preventive maintenance and repair of equipment and devices whether irradiated or located in radiation zones.

The current practice at Russian Research Reactors shows that in working rooms of constant presence the radiation dose rate is in between 0,2 to 0,02 urem, that is well below the permissible one (0,8 urem). The average radiation exposure at the facilities was 0,3 rem/a, whereas the regulatory limit is 2 rem.

3.6. Emergency preparedness All sites have developed appropriate instructions of personnel behaviour during an emergency. There are two plans: On-Site Emergency Plan and Off-Site Emergency Plan. Both plans are connected with each other in some instances. A personnel training to emergency situations is conducted on the regular basis as required by the regulatory body. One problem still exists: lack of contemporary means of communication (including mobile phones).

3.7. Physical protection This one of the important issues was successfully decided with the help of the IAEA and US Department of Energy assistance at some selected sites. For other sites the problem of a modern hardware needed for physical protection still exists.

4. SUMMARY OF PROBLEMS General: most of research reactors are 25-30 years old and physically obsolete. Most important problems could be summarized as follows: • justification of the reactor equipment (structures, elements, cladding, etc.) operability and reliability for the next period of operation; • replacement of I&C equipment to a contemporary one; • spent fuel transportation from the sites; • concept of Research Reactors Decommissioning; • concept of Research Reactors RadWaste Disposal (out of the site).

194 References

[1] GOSATOMNADZOR of Russia, Annual Report on Federal Authority Activities in Nuclear and Radiation Safety, Moscow, (2001). [2] Russian Federation Research Reactors Data Base, GOSATOMNADZOR INTERNAL MEMORANDUM [3] Major Sanitary Rules when dealing with Radioactive Substances and other Sources of Ionizing Radiation, OCP-72/87, Moscow, (1987).

195 XAO102796 1AEA-CN-82/27

SAFETY CHALLENGES ENCOUNTERED DURING THE OPERATING LIFE OF THE ALMOST 40 YEAR OLD RESEARCH REACTOR BR2

KOONEN, E., JOPPEN, F., GUBEL, P. BR2 department SCK-CEN, Boeretang 200 B-2400 Mol, Belgium Fax: + 32 14 320513; Email; [email protected]

Abstract

The BR2 reactor is one of the major MTR-type research reactors in the world. Its operation started in the early 1960's. Two major refurbishment operations have been carried out since then. Several safety reassessments were carried out over the years in order to keep the safety level in line with modern standards and to enhance operational safety.

This paper gives an overview of the safety challenges encountered over the years and how those were met.

1. INTRODUCTION The BR2 reactor is a 100 MWth research reactor operated by the Belgian Nuclear Research Centre SCK-CEN. It is one of the major MTR-type reactors in the world and the major infrastructure of SCK- CEN. First operation with an experimental loading started in early 1963. Since then the reactor has been intensively used for fuel and materials testing for various reactor projects in national and international framework and for the production of radioisotopes for the major companies active in this field. The reactor has undergone two major refurbishments, various safety reassessments and lately an INSARR mission by IAEA. This paper gives an overview of the major safety challenges that were encountered during the life of the reactor.

2. THE EARLY YEARS: The design of the reactor was undertaken in the late 1950's by a mixed Belgian-American team according to specifications established by SCK-CEN and safety criteria existing at that time in the USA. The construction took less then five years and was mainly executed by Belgian industry. The first license to operate was issued January 1961 by the province of Antwerp as an amendment to the license for the whole research centre which was valid for 30 years (until 1986).

The BR2 operating organisation was constituted by young people, highly enthusiastic about the promises of nuclear energy; some of them had undergone a training abroad (in the US and the UK). Sufficient budget was available, as the country wanted to acquire its own know-how in reactor technology. Only state-of-the-art equipment was used and many industrial companies started activities in the nuclear field.

Initially the safety concerns were mainly directed to the nuclear part of the installation. The classical part of the installation was. considered to be a well-known field and intervened in the safety considerations mainly through their interaction with the nuclear part. The safety studies explored the operational limits such as admissible reactivity step and ramp, hot spot factors and maximum admissible heat flux, thermal-hydraulic perturbations and an envelope accident scenario (known as 'maximum credible accident'). An important point was the introduction of a periodic measurement of the leak-rate of the containment building.

196 Later on safety assessments concentrated on the more and more sophisticated experimental devices developed for BR2, such as rigs and loops containing Na or NaK, gas loops, pressurised water capsules, 3He screens. This led to a revision of the maximum credible accident.

3. THE FIRST REFURBISHMENT During the 1970's, some problems due to material degradation were discovered. First the primary heat exchangers had to be replaced due to accelerated corrosion. Then the 3He poisoning of the beryllium matrix was discovered by time dependant reactivity variations after an extended shutdown needed to replace the heat exchangers.

A detailed inspection of the beryllium matrix showed that non-negligible swelling of the matrix had occurred. As a consequence a periodic inspection programme of the matrix was established and discussions with the regulatory body started as to which fluence the matrix could be safely operated. The admissible shutdown periods in function of the 3He poisoning were also established.

Finally at the end of 1978 it was decided to replace the beryllium matrix and to proceed with a general overhaul of the installation. A detailed inspection programme revealed failures on some equipment due to ageing, like corrosion of some bolts of the primary circuit inside the reactor pool. A visual and ultrasonic inspection of the aluminium vessel was also executed and gave satisfactory results.

A maximum allowable fast fluence was established for the beryllium matrix, which consequently became the life-limiting component of the installation. A first surveillance programme based on surveillance specimens was launched for the beryllium.

4. THE MAJOR ACCIDENTS AND THEIR CONSEQUENCES The 1979 TMI-II accident clearly put the focus on the importance of LOCA evaluations and more generally to the detailed safety assessment of all classical parts of a nuclear installation. The WASH- 1400 (the so-called Rasmusson report) introduced the probabilistic approach to safety. For BR2 this triggered the request by the regulatory body for further safety evaluations: assessment of the possibility for common mode and common cause failures; evaluation of the consequences of a rupture of the aluminium vessel; enhancement of the reliability of the automatic isolation valves of the containment building in case of accidents; assessment of liberation of an important amount of gas in the reactor ves sel and installation of the means to evacuate it (directly triggered by TMI-2).

In 1986 a general safety reassessment of SCK-CEN as a whole was due in order to obtain a new license. For BR2 in particular an overall safety reassessment was conducted. A new royal decree concerning the authorisation for operation without time limitation was issued. A major change was that a quinquennial safety review was requested from now on (a procedure similar to the decennial safety reviews imposed on power reactors). In particular the requirements for leak-tightness and isolation of the containment building were specified in much more detail.

Sometime later the local authorised inspection agency, which was in charge of many regulatory tasks, was absorbed by the authorised inspection agency responsible for the power reactors such that the independence concerning the review of the safety of the installation was guaranteed.

5. THE NEW CHALLENGES IN A CHANGED ENVIRONMENT After Chernobyl the global mission of SCK-CEN was reviewed and a general streamlining of the activities around safety issues resulted. In particular the activities of BR2 were now more focused on reactor safety rather than on the development of new reactor concepts.

197 Due to a general restructuring plan a global early retirement programme was established. Many experienced people left the reactor and many young inexperienced people had to be hired. In order to satisfy the request of the license concerning minimum experience for particular jobs, an important training and retraining programme had to be established.

In general operational safety became a major concern. Therefore a global system to plan, organise, authorise, follow-up and control all operations was set up. This system very much includes all characteristics of a formal QA system but due to the fact that it was historically established in a bottom-top approach, lacks the more formal aspects of such a system.

Serious budgetary constraints led to the further development of commercial activities and to a further reduction of personnel, down to the limit allowed by the safety authorities.

The Safety audits by the regulatory body became more formalised and discussions took place up to which point the requirements for nuclear power stations are applicable to BR2. In particular this question was debated when a new PWR-type loop for BR2 was reviewed by the Safety Committee (the authorised inspection agency sits on this committee).

Assessments concerning possible accidents initiated by external events (fire, earthquakes, aeroplane crashes) were conducted.

A standardised method for analysis of incidents was established as well as a data-base on past significant events, their consequences, their direct and root causes and lessons to be learned was put into operation.

More and more ageing problems had to be tackled: electrical power supplies and distribution, instrumentation. When looking for spare parts, it was also experienced that quite some companies previously active in the nuclear field had either abandoned these activities or had ceased to exist.

Many efforts have been devoted to the back-end of the fuel cycle, to the reduction of waste production (in particular effluents), the evacuation and disposal of solid and liquid waste. Since the late 1980's financial provisions have to be constituted for the future treatment and final disposal of all waste produced during the operation of BR2.

6. THE SECOND REFURBISHMENT In 1995 the beryllium matrix reached its established fluence limit. After the managing board had established that the BR2 reactor was an essential tool to accomplish the mission of SCK-CEN, it was decided to proceed with an extensive refurbishment of the installations.

To ensure that all important aspects would be addressed in the refurbishment programme, a comprehensive evaluation process was started in 1991 in close collaboration with the authorised inspection agency and the regulatory authorities. The key issues were risks assessments to verify that the safety goals would be met and to define backfitting or upgrading actions, and ageing evaluations and inspections to assess the remaining life of particular equipment and to define the necessary mitigation actions. The safety goals themselves were checked against modern standards. From these studies and inspections resulted the refurbishment action plan. The prioritisation of all possible refurbishment actions was the result of a PSA level 1+ assessment whose prime objective was to estimate the potential significance, the potential consequences and the consequent acceptability of accident sequences.

The actual refurbishment action plan comprised upgradings and modernisations, inspections, extensive maintenance and safety and reliability studies required by the licensing authorities. The main aspects are briefly discussed hereafter: replacement of the beryllium matrix. For economic reasons, it was decided to use the beryllium matrix of the mock-up BR02 reactor;

198 life extension of the reactor aluminium vessel - the prospects for life extension were evaluated well in advance against the following life limiting phenomena: fracture toughness, low cycle fatigue amd corrosion. During the refurbishment shutdown an exhaustive visual, ultrasonic and eddy current inspection was carried out. As a result of all these efforts, the aluminium vessel was requalified for the planned 15 years life extension. a surveillance programme based on preirradiated representative aluminium samples has been initiated; the major process instrumentation was renewed taking account of redundancy, diversity and testability; ergonomics: following the results of an extensive ergonomic study, the reactor control main desk was replaced, several valves were automated and an emergency control panel was placed in the process control room; reliability of the primary circuit isolation valves and the containment building isolation valve was enhanced by re-engineering of the control and actuation systems. This included the introduction of redundancies and an additional emergency control panel; a new fire protection system was put into service after an extensive study. It includes components for both active protection (early detection) and passive protection (prevention of fire spreading); a seismic analysis was performed at the request of the licensing authorities. The analysis showed that most of the installation — including the reactor and the containment building can withstand the reference earthquake. A few structural reinforcements were required.

7. THE PRESENT SITUATION An INSARR audit was recently conducted at the request of the Belgian State. The general conclusion was that BR2 satisfies most of the present international standards concerning the safety of research reactors. The major recommendations from the INSARR team were to formalise the existing QA programme according to the IAEA recommendations in this field and to extend the competence of the Internal Safety Committee.

Presently a quinquennial safety reassessment is underway as foreseen in the license. In particular comprehensive requirements for availability of particular instrumentation and equipment ate being established.

One can conclude that, up to the present day, the BR2 reactor was able to respond to the various safety challenges resulting from an ever-changing environment. This will also be possible in the future provided that the necessary resources are allocated to this objective.

199 XAO102797 IAEA-CN-82/35

STRENGTHENING OPERATIONAL SAFETY OF THE 3MW TRIGA MK-II RESEARCH REACTOR OF BANGLADESH ATOMIC ENERGY COMMISSION THROUGH MODIFICATION AND UPGRADE OF ITS WATER SYSTEM

HAQUE, M. M., ZULQUARNAIN, M. A., SALAM, M. A. Reactor Operation and Maintenance Unit Atomic Energy Research Establishment Savar, Dhaka, Bangladesh Fax: +88028613051; Email: [email protected]/[email protected]

Abstract

The 3 MW TRIGA MK-II Research Reactor of Bangladesh Atomic Energy Commission (BAEC) attained its first criticality on 14 September 1986. Since then it has been operated at different power levels for manpower training, various R and D activities and isotope production. However, operation of the reactor had to be suspended temporarily for a number of times because of different types of problems mainly in the water systems of the reactor. The first problem was encountered in January 1990. It was a leakage problem in the suction line of the emergency core cooling system (ECCS). Then in September 1990 a welding joint of the exi-check valve located at the discharge side of one of the two primary pumps failed. As a result primary water started to leak out of the system at a slow rate. These problems were solved locally. However in July 1997 the 32,000 liter capacity N-16 decay tank (made of Type 6061-T6 aluminium alloy) got damaged due to corrosion. As the tank was found not to be repairable, it was decided to replace it by a new one. It was also strongly felt that the water system of the reactor was needed to be upgraded such that operational safety of the reactor is strengthened. Keeping this in mind a contract was signed on 14 Jan 2000 with the original reactor supplier to supply and install a new decay tank by replacing the old one. Under the contract provisions were also kept to upgrade the cooling system. The upgrading program mainly includes replacement of the fouled tube and shell type heat exchanger by a new plate type one, modification of the layout of the cooling pipes, installation of isolation valves, modification of the old ECCS, etc. It is expected that after completion of all these works by May 2001, operational safety of the BAEC TRIGA research reactor will be strengthened significantly.

1. INTRODUCTION The BAEC TRIGA reactor achieved its first criticality on 14 September 1986 and was completely commissioned for full power operation on 1st October the same year. It is a zirconium hydride moderated and light water cooled pulsing type reactor having a steady state thermal power of 3 MW and pulsing power of 852 MW when pulsed with an insertion of 2.00 dollar (1.4% Ak/k) of reactivity.

The Reactor Operation and Maintenance Unit (ROMU) has the overall responsibility to operate and maintain the facility. The facility is used primarily for conducting training, research and production of radioisotopes. Regulatory obligations under the Nuclear Safety and Radiation Control Act, 1993 are undertaken by the BAEC and implemented through its Nuclear Safety and Radiation Control (NSRC) Division.

So far the reactor has been operated for a total of about 3261 hours amounting to a cumulative thermal energy production of about 5513 MWh. This includes operation in natural convection cooling mode as well as in forced convection cooling mode. The facility was operated at full power for about 768 hours since its commissioning.

200 2. WATER SYSTEMS OF THE REACTOR The BAEC TRIG A reactor has a number of water systems. These are (1) Primary water system, (2) Secondary water system, (3) Emergency core cooling system (ECCS) and (4) On line purification system. Design of the BAEC TRIGA reactor is, in many ways, different from many other TRIGA reactors operating elsewhere. Most of the unique design features are related to the primaty water system. These include, among others, the use of two modes of cooling, namely natural convection at low power level (up to 500 kW) and forced convection for operation at higher power level. In the later mode, coolant flow is maintained by simultaneous operation of two pumps, each supplying 50% of the total flow of 794 m3/h (3500 GPM). Brief descriptions of the water systems are given below.

2.1. Primary Water System The primary water system consists of the reactor pool liner, N-16 decay tank, primary pumps [two primary pumps 37 kW (50 hp) each], heat exchanger (tube side), several manual and motor operated valves (exi-check valve, butterfly valve, etc.), aluminium pipes, etc. The primary water system, is filled with demineralized water. Total water inventory of the system is about 60,000 liters.

2.2. Secondary Water System The secondary water system has two cooling towers [each with a 15 kW (20) hp fans], heat exchanger (shell side), pumps [two pumps 30kW (40 hp) each], strainers, valves, MS pipes, etc. The system uses ordinary tap water.

2.3. Emergency Core Cooling System (ECCS) The ECCS has a small battery (12V) operated pump having a capacity of 3.78 liter/m (1 GPM). It takes water from the N-16 decay tank and pumps it to the core through the lower plenum shroud of it (core).

A schematic diagram of the water systems of the reactor is shown in Fig. 1.

FIG-1: 3 MW TRIGA REACTOR WATER SYSTEM

2.4. On line purification system The on-line purification system takes water from the reactor pool through a water surface skimmer at a rate of about 38 liters/m (10 GPM) and passes it through a cartridge filter and a mixed bed type demineralizer column such that primary system water quality could be maintained at levels set forth in the Operational Limits and Conditions (OLCs) of the reactor.

201 3. INCIDENTS AROUND THE WATER SYSTEM OF THE REACTOR Several incidents have been encountered so far around the water systems of the reactor. The incidents are briefly described below in a chronological order.

3.1.Incident-l (Jan 1990) A leakage in the ECCS line was detected in January 1990. An in-house team investigated the incident. It was found that the leak had developed in a segment of the pipe connecting the decay tank and the ECCS pump. The possible reasons for failure were identified as follows: a. direct contact of the aluminium pipe laid in a shallow trench and the dampness of the decay tank room might have caused some corrosion of the pipe, and b. pipe joints were subject to undesirable stress.

The damaged segment of the pipe was replaced by a PVC pipe. The pipe was relayed by cutting a trench so as to avoid physical contact with the floor. A valve was installed at the outlet of the decay tank to facilitate isolation of the ECCS pump and pipeline during maintenance work.

3.2.Incident-2 (Sept 1990) A fault at the weld-joint in the form of a crack having a circumferential length of about 25cm (lOin) in the exi-check valve of the primary cooling system was detected on 4 September 1990. Upon investigation by an in-house team in collaboration with Bangladesh University of Engineering and Technology (BUET) and the Bangladesh Chemical Industries Corporation, it was pointed out that vibration induced stress in the primary pipes was one of the reasons for this failure. Design defects such as pipe supports, couplings spacers and hubs; misalignment of pump and motor, defective motor bearings, static imbalance of pump impeller, faulty pipe layout and pump foundation and undesirable throttling of discharge valves of the pumps were identified as some of the possible reasons leading to the fault.

The exi-check valve was duly repaired and reinstalled. Pipe supports and pump foundations were modified so as to reduce stress and vibration. Impeller and shaft of one of the primary pumps were also balanced statically to reduce vibration. Pipe layout could not be changed as high quality aluminium welding work could not be undertaken locally.

3.3.Incident-3 (July 1997) A leakage was detected in the decay tank of the primary cooling system of the reactor in July 1997. The problem was thoroughly investigated and studied by several expert groups consisting of members from within BAEC and outside organizations. The decay tank leakage incident which is considered to be the single most significant incident around the reactor water system is described in the following section.

4. DECAY TANK LEAKAGE PROBLEM On 14 July 1997, water was found to be leaking out of the 32000 liter capacity decay tank of the primary water system of the reactor while carrying out the routine inspection of the facility. About 45,000 liters of de-mineralized water with an activity concentration of about 28 Bq/liter (mainly due to the presence of 58Co) leaked out from the primary water system. The water was collected and stored in several polyethylene containers.

A number of independent investigations and assessments on the cause of leakage and possible remedies were carried out. The tank was isolated, removed and its corroded areas were tested by NDT techniques. Extensive corrosion and pitting were found in a particular area where rain water seeped in

202 : Ammgcii>;ntflf DtosyTan

Fig-2bt

203 during the monsoon and accumulated for a long period, perhaps over a number of seasons. Corrosion and pitting were also observed on the inner walls/baffles of the decay tank.

The primary cooling loop of the reactor that got opened as a result of removal of the decay tank was closed temporarily by installing a stainless steel pipe linkage. Reactor operation was then resumed on July 27 1998 with the approval of the regulatory authority at limited power (250kW) and under specific conditions.

As per the recommendations of the expert committees, BAEC then decided to replace the damaged decay tank by a new one with improved support system. At the same time it was decided to upgrade the cooling system of the reactor by incorporating some additional valves, replacing a T' joint with a modified 'Y' joint, renovating defective pipe supports, etc. It was also decided to replace the fouled tube and shell type heat exchanger by a new plate type one. Accordingly a contract was signed on 14 January 2000 with the original reactor supplier for replacement of the decay tank and cooling system upgrade. Government of Bangladesh approved a project in this regard and granted necessary funds to support the modification and upgrade work. Improvements that are going to be achieved through the implementation of the above mentioned project are as follows:

4.1. Decay tank support The old decay tank (nominal dimensions: length 9m (30ft), diameter 2m (7ft) had been placed on a concrete saddle. The water that had seeped into the saddle formed a corrosive mixture with concrete ingredients. The corrosive mixture then attacked the tank and rendered severe damage to it. Now the new tank has been designed and fabricated with aluminium supports at four locations. These supports have been welded such that they have become an integral part of the tank. As a result, the tank body will never be in contact with the concrete. It is to be noted that in order to facilitate the installation of the new tank, the concrete saddle of the old tank has been completely demolished and removed. Fig. 2 shows the arrangements of the old and the new supports of the tank.

4.2. Modification of the decay tank room The decay tank room is an under ground room having a dimension of about 1 lm x 3m (36ft x lift). The top of the decay tank room is covered with two layers of heavy concrete blocks each having a thickness of 50cm (20in). The clear space (head-room) between the top of the decay tank and the bottom of the concrete block was only 7.5cm (5in). Under the present modification work this head- room has been increased to 62.5cm (25in). This would facilitate easy inspection of the decay tank.

The decay tank room and the primary pump room (which has the same elevation as the decay tank room) were separated by a 1.2m (4ft) thick wall made of heavy concrete (density: 2.75g/cc) blocks. This wall did not have any door. As a result, operators could not enter into the decay tank room for inspection work. Under the present modification work, this wall will have an inspection door. This will be locked following the recommendation set forth in the OLCs of the Safety Analysis Report (SAR).

A CI sheet covered room will be made over the decay tank room such that rainwater does not fall directly on the shielding top cover of the decay tank room. Earlier there was no room like that.

4.3. Valves There is a motor operated butterfly valve at the reactor tank exit line [30cm (12in) schedule 40 aluminium pipe]. This valve has neoprene rubber seal. Most probably the seal was damaged by high gamma radiation emitted from the N-16 present in the coolant water. As a result, the valve failed to work properly during the decay tank leakage incident. Under the present modification work, the damaged seal of this valve will be replaced by a new one. In addition, a manually operated knife gate valve will be installed at the entrance of the decay tank. This will help to prevent loss of reactor tank water in the event of any leakage at the downstream (after the decay tank). Also two isolation valves

204 will be installed across the new plate type heat exchanger. This will facilitate maintenance of the heat exchanger.

4.4. Modification of the piping layout The primary water system has two 50% pumps. The discharge sides of these two pumps are connected together by a 'T' joint. Head on collision of the water flows from the two pumps was believed to be one of the causes of higher vibration level in the primary piping. So, under the present upgrading program, this T' will be replaced by a modified 'Y' joint with a view to achieve reduced vibration level.

4.5. Heat exchanger The designed capacity of the old tube and shell type heat exchanger was very close to 3 MW (which is the designed power of the reactor). With the passage of time the outer surface of the heat exchanger tubes were fouled with scales. This reduced the heat transfer capacity of the heat exchanger. As a result, the reactor could not be operated at full power. Several attempts were made to clean the heat exchanger using chemical cleaning process. But these were not successful. So, as per the recommendation of local as well as foreign experts, it was decided to replace the heat exchanger by a new plate type one. The plate type heat exchanger will have capacity of about 4 MW. Therefore, full power operation of the reactor will not be hampered. It is also understood that plate type heat exchangers are easy to clean. Therefore, if there is scaling on the plates of the; heat exchanger, it will be dismantled and cleaned mechanically.

4.6. Emergency Core Cooling System (ECCS) After the incident of 1990, a segment of the piping of the ECCS was replaced: by a PVC pipe. IAEA INSARR mission conducted at the facility in 1995 recommended to replace the PVC pipe by a metallic pipe. During the present modification/upgrading work, the PVC pipe will be replaced by a SS pipe. The safety and the reliability of the ECCS will thus be enhanced considerably. Regarding the other recommendations of INSARR Mission, BAEC has decided to implement them at the earliest possible convenient. A time bound action plan in this regard has recently been communicated to the Agency.

5. STATUS OF IMPLEMENTATION OF THE MODIFICATION WORKS The decay tank replacement and cooling system upgrading project is now going on in full swing. The decay tank room has already been modified. New decay tank, heat exchanger, valves, piping, etc. are expected to arrive at the reactor site within the third week of March 2001. Installation of the new components are expected to be completed by the end of May 2001.

6. CONCLUSIONS The BAEC TRIGA research reactor has been operated as per standard rules and procedures as laid down in the Safety Analysis Report (SAR). Moreover, special care was taken for routine check and surveillance for preventive and corrective maintenance of systems and equipment to ensure safety. Nevertheless the reactor operation was interrupted time and again by initial faulty design and wrong installation especially of the primary water system of the reactor. The project that is being implemented presently at the facility is expected to eliminate all the identified deficiencies of the water systems. A new safety analysis report (SAR) has also been prepared incorporating all the modifications that are being carried out now. While preparing the SAR, formal: of IAEA safety series 35-G1 was followed. It is expected that after successful completion of project mentioned above, the operational safety of the reactor water systems will be strengthened and as a result, it will be possible to operate the reactor at 3 MW power level without interruption for carrying out all R&D and isotope production activities through out the useful life of the reactor.

205 References

[1] AHMED, K., ZULQUARNAIN, M. A., BAEC, 'Operation, Modification and Ageing Management of the 3 MW TRIGA Research Reactor of Bangladesh Atomic Energy Commission (BAEC)', Paper presented in the IAEA/BARC seminar on Ageing Management of Research Reactor, Mumbai, (2000).

[2] ZULQUARNAIN, M. A., BAEC, 'Status of IRSRR in Bangladesh', Paper presented at the IAEA TCM on Implementation of the Incident Reporting System for Research Reactor (IRSRR), Vienna, (1999).

[3] ZULQUARNAIN, M. A., et. al., BAEC, 'Rectification Work on the Primary Cooling System of the 3 MW TRIGA Mk-II Research Reactor of Bangladesh Atomic Energy Commission', Published in the proceedings of the 5th Asian Symposium on Research Reactors (Volume-1), Taejon, (1995).

[4] KARIM, C. S., et. al., BAEC, 'Interim Report on Leakage of Coolant from the Decay Tank of TRIGA Mark-II Research Reactor at AERE, Savar', Personal communication, Dhaka, (1997).

[5] 'INSARR report to the government of Bangladesh', NENS/INSARR/1995, (1995).

206 XAO102798 IAEA-CN-82/43

FRENCH SAFETY AUTHORITY PROJECTS IN THE FIELD OIF RESEARCH AND TEST REACTORS

SAINT RAYMOND, P.+, DUTHE, M.+, ABOU YEHIA, H.* +French Safety Authority 99 Rue de Grenelle, F-75353 Paris 07 SP, France Fax: +33143194780; Email: [email protected] "institute of Protection and Nuclear Safety

Abstract

This paper gives an outline of some actions initiated by the French safety authority in the field of research and test reactors. An important action concerns the definition of the authorisation cri teria for the implementation of experiments in these reactors. In particular, it is necessary to define clearly in which conditions an experiment may be authorised internally by the operating organisation or needs a formal approved by the safety authority. The practice related to the systematic; safety reassessment of old facilities and the regulatory provisions associated with the decommissioning are presented after a discussion on the ageing issues.

1. OPERATION The inspection and regulation of research and test reactors is a difficult task, as each constitutes a special case with a different design and purpose. The activities carried out in them can, however, be divided into two broad categories: experimental work, which can change in nature and for which the licensee may not have long-term plans, and activities related to operation which tend to vary little over time.

1.1. Inspection and monitoring of experimental work Research and test reactors are essentially facilities for carrying out experimental irradiation, basic research works in various fields, training and production of artificial radioactive elements, mainly for medical uses.

As these activities can vary greatly, their description in the safety documentation of the facility is, with a few notable exceptions, extremely brief. Therefore, before any implementation or modification of an experiment, the licensee shall initiate a process of internal assessment of the safety of the planned operation which, in certain cases, necessitates the submission of an application file to the DSIN1. Experiments of minor extent and with minor safety implication can be the subject of internal authorisation by the operating organisation, following established procedures.

It is the licensee's responsibility to determine which experiments need a formal DSIN approval. When it is not called in, the DSIN can request inspections to check the content of the design, operation and safety files of the experiment and, where appropriate, request the licensee to rectify any situations it considers to be abnormal.

This system, which allows the licensee the flexibility necessary for carrying out its experimental work has operated satisfactorily up to now. However, the DSIN considers it indispensable to obtain a clearer picture of forthcoming experiment programmes so as to ensure that no experiments liable to

1 Direction de la surete des installations nucleaires, the French nuclear regulator, also lcnown as Nuclear Safety Authority.

207 compromise nuclear safety are carried out without its approval. The DSIN has therefore requested the CEA2 to supply a schedule of the main experiments to be carried out in its research and test reactors. The DSIN also considers it necessary to more clearly establish, in consultation with the licensees, the technical criteria for determining the authorisation channel required for conducting an experiment. These criteria are related to the potential risks of the experiment and can, for instance, relate to the pressure in the experimental device, the presence of sodium or NaK, the potential consequences of equipment faults, etc.

Actions have been initiated in 1999, in addition to that described below, in order to make progress in these areas.

1.2. Redefinition of the authorised operating envelope and its management When experiments are not being carried out, research and test reactors are the subject of monitoring by the Safety Authority that is similar to that in other licensed nuclear facilities. Accordingly, if any reactor is built or substantially modified, the safety analysis is made and is used by the DSIN to define an operating envelope for the licensee.

Complying with this operating envelope is, of course, essential, but the degree of safety of a facility also depends greatly on the manner in which maintenance operations are carried out and modifications are made, particularly as regards safety-related equipment. In addition, keeping a facility in the operating envelope depends on the ability of the monitoring, regulation and protection systems to properly fulfil its functions. Such systems do not, however, make equal contributions to reactor safety, and the licensee's response, should any fail, must therefore be adapted to the case, and be formally covered in documents that are known to, if not approved by, the DSIN.

At the present time, the boundary of the authorised operating envelope of the facilities, in other words, the limit between the operations that the licensee is allowed to carry out at will and those for which explicit approval by the Safety Authority is necessary, is not fully defined.

The DSIN's short-term goal is therefore to identify any lack of precision before beginning process of redefinition, to draw clear distinctions between operations that are to be the subject of Safety Authority agreement and those which the licensee can carry out at its own initiative. Some of the latter include operations which relate to the normal operating envelope and others which, without necessitating Safety Authority agreement, need to be the subject of internal appraisal by the licensee, in accordance with pre-determined procedures.

The DSIN will evaluate the application of the procedures on the basis of a number of actual cases. After this evaluation process, if it appears that the internal organisation of the licensee is satisfactory, and provided it has demonstrated its ability to correctly assume its responsibilities concerning nuclear safety, the DSIN may decide to broaden the authorised operating envelopes of the reactors. This process, which results in delegating a larger number of minor authorisations to the licensee, will allow the Safety Authority more time to oversee activities with important safety implications.

The first stage of this process began a number of years ago, when the DSIN required the licensees to comply with the requirements of the Directive of 10 August 1984 concerning the quality of design, construction and operation of licensed nuclear facilities. This gave the licensee the opportunity to draw up lists of items important for safety and quality-related activities, and to set in place suitable organisational structures.

The main task remaining therefore consists in examining the validity and the consistency of the data supplied, in verifying that it addresses the issues mentioned earlier, in requesting any additional information needed and in ensuring that the licensees update the facility safety documentation in order

' Commissariat a Veriergie atomique, the French atomic energy commission.

208 to take into account these aspects, before moving on to the phase consisting of broadening the operating envelope.

1.3. Harmonization of surveillance tests The third issue under study by the DSIN for the immediate future is harmonisation of the research and test reactor safety documents and, more specifically, those relating to surveillance tests and inspections. For a given type of equipment, the maintenance and verification rules can differ greatly between one installation and the others. The DSIN's goal is therefore to determine, for each major safety issue and in consultation with the licensees, appropriate inspection and scheduling and to draw up, for surveillance tests, good practice guidelines which licensees and safety organisations can refer to.

The consideration given to these issues reflects the Safety Authority's desire to more effectively exercise its control over activities that it considers to be important to safety, while allowing the licensees more freedom to act in other areas of operation. Success with this process requires the border between the two areas to be properly defined beforehand and for the supervisory structures of the licensees to have demonstrated their ability to satisfactorily adapt to the changes in working methods resulting from this new division of the tasks.

2. AGEING AND SAFETY REASSESSMENT

2.1. Ageing of the installations The structures of research reactors, particularly pool-type reactors, are generally subjected to low temperature and pressure constraints. However, some internal structures in these reactors may be subjected to large neutron flux which causes them to become brittle. Generally speaking, these structures are replaceable and they can be disassembled under water with relative ease from the coping of the pool without danger of irradiation.

Since the components and structures of research reactors can be replaced, it does not necessarily mean that they become less safe as they age. In most cases, the decision to close an old installation is generally due to its design principles being obsolete, the lack of experimental programs or economic considerations.

The safety reassessment of old research and test reactors provide an opportunity to examine their overall safety and to look at the behaviour of the equipment and the elements which are important for safety in more detail on the basis of past incidents and lessons learned from operating experience.

2.2. Safety reassessment of old research and test reactors In France, nuclear reactors which have been operating for more than 10 years, undergo a systematic safety reassessment at the request of the nuclear regulator DSIN. For such reassessment, the applicant has to provide updated safety documents for the installation (safety analysis report, general operating rules, on-site emergency response plan) which take into account the modifications concerning the site conditions due to human activities or to improvements in knowledge (regarding earthquake for instance). A new chapter shall be added to the safety analysis report presenting operational experience feedback and lessons learned from incidents which have occurred since the reactor first started up. At the request of the DSIN, these documents are then assessed by the Institute for Protection and Nuclear Safety (IPSN) which reports before the advisory committee in charge of nuclear reactors. Following this assessment, the group sends its advice and recommendations to the DSIN.

Concerning the scope of the assessment, each barrier and the associated systems are re-examined in the light of operating experience. This includes incident analysis covering failures prevention, monitoring, and corrective actions by safety systems or operators.

209 The appropriateness of the general operating rules, including the technical specifications, is also reviewed. In addition the review covers: the organizational structure for quality in operation, data and information in relation to operating personnel (particularly mobility and training); doses received by personnel, reports on radioactive effluent releases, and management of solid radioactive waste; questions raised by inspections carried out by the safety authority.

Finally, the results from technical analysis performed in the framework of the safety reassessments are the basis for the safety authority decisions concerning the confirmation of previous operating licenses for the installations.

3. DECOMMISSIONING

3.1. Decommissioning of research and test reactors: safety requirements As with all major nuclear installations, a number of clean-up and disassembly operations are carried out at the end of the service lives of research and test reactors, so that their closure can be pronounced and dismantling work begun. All these operations lead to the facilities being removed from the list of licensed nuclear installations. They may subsequently be completely dismantled or transformed into new facilities.

The safety principles to be applied during decommissioning of a licensed nuclear installation are not different from those that were in force during the previous stages of its service life. Licensees continue to be responsible for the safety of their facilities. They have to take all the administrative and technical steps required in order to prevent excessive exposure of workers to radiation, keep the amount of radioactive products or effluents released into the environment to a minimum and prevent accidents, where necessary reducing the impact on neighbouring facilities, local inhabitants and the surrounding area.

Licensees have to give a clear indication of the final status of the facility and describe the work that will be carried out to achieve it. The technical solutions that can be envisaged can be very wide ranging, from immediate, complete dismantling of the facility to deferred dismantling, with facilities being kept in place until all fissile material and fluids, or even some radioactive compounds, have been removed. As a general rule, the Nuclear Safety Authority prefers 'rapid' dismantling.

Arrangements must also be taken for dealing with the waste generated at all stages, including during the dismantling phase. This waste, which can be high or intermediate level, very low level or conventional is the subject of special administrative procedures.

The Safety Authority is not responsible for determining the dismantling strategy or schedule or the technical measures to be taken. However, it does endeavour to ensure that nuclear safety is optimised throughout the dismantling procedure. It prompts the licensee to think more carefully about its dismantling strategy. It encourages it to see clean-up operations through to the end, even though the operating teams are still in place and it makes sure that any operations that are subsequently entrusted to subcontractors are carried out in an organised manner to sufficiently high standards. Lastly, the Safety Authority requires that a rigorous approach be adopted to waste management, particularly during the dismantling stage when large amounts of waste are generated.

3.2. Regulatory provisions associated with decommissioning The implementation of these principles was made law by a new article introduced in 1990 into the decree of 11 December 1963, the cornerstone of the action taken by the DSIN.

As stated in these legal texts, nuclear installations should be decommissioned in stages : termination of activities, final shutdown and dismantling. The DSIN approves the termination of activity when

210 required, since this is not a recognised regulatory step, and grants licensing decrees for the other two stages at the end of a procedure involving various experts (Institute for Protection and Nuclear Safety, Advisory committees, etc.) and possibly a public inquiry. Furthermore, if previous safety analyses prove to be insufficient as the time draws near for delicate operations to be carried out, the Safety Authority can choose to give its agreement on a case-by-case basis. Finally, licensed nuclear installations that are transformed into interim storage facilities for their own equipment (which is the case with deferred dismantling of power reactors) require a new construction licence decree, which is more often combined with the partial dismantling licence decree.

These hold points make it possible to have firm control over high-risk operations while leaving the players sufficient leeway to make allowance during subsequent stages for the lessons learned or difficulties encountered. The licensee is therefore free to devise its own strategy and study in more depth the clean-up operations to be carried out as the project progresses, assess the risks encountered during the work, draw up new radioactive inventories, identify nuclear waste zones etc. The Safety Authority can then carry out its expert appraisal of the most important issues and improve its recommendations. When the facilities are small, as are many research and test reactors, these stages can be simplified. The Safety Authority makes sure that the licensee carries out an internal analysis of the operations it plans to carry out at each stage of the work.

4. CONCLUSION The French safety authority has initiated actions for ensuring a better definition of the authorisation criteria relating to the implementation of experiments in research and test reactors. This will optimise the safety evaluation work in order to focus the efforts on issues with important safety implications.

The safety reassessment of old research and test reactors is a good exercise for checking their overall safety level and taking into account updated safety criteria. This action will continue to be performed in the next years for different installations.

Finally the safety principles established for decommissioning of nuclear installations and for waste management are applied at the present time for research and test reactors; no major difficulties are encountered in this case.

211 XAO102799 IAEA-CN-82/45

SAFETY OPERATION OF TRAINING REACTOR VR-1

MATE JKA, K. Czech Technical University Faculty of Nuclear Sciences and Physical Engineering Department of Nuclear Reactors Prague, Czech Republic Fax: +42026880764; Email: [email protected]

Abstract

There are three nuclear research reactors in Czech republic in operation now: light water reactor LVR-15, maximum reactor power 10 MWt> owner and operator Nuclear Research Institute Rez; light water zero power reactor LR-0, maximum reactor power 5 kW,, owner and operator Nuclear Research Institute Rez and training reactor VR-1 Sparrow, maximum reactor power 5 kWt, owner and operator Faculty of Nuclear Sciences and Physical Engineering, CTU in Prague.

The training reactor VR-1 Vrabec 'Sparrow', operated at the Faculty of Nuclear Sciences and Physical Engineering, Czech Technical University in Prague, was started up on December 3, 1990. Particularly, it is designed for training the students of Czech universities, preparing the experts for the Czech nuclear programme, as well as for certain research work, and for information programmes in the sphere of using the nuclear energy (public relations).

1. SHORT DESCRIPTION OF THE REACTOR The VR-1 training reactor (Fig. 1) is a pool-type light-water reactor based on enriched uranium with maximum thermal power lkWth and short time period up to 5kWth. The moderator of neutrons is light demineralized water (H2O) that is also used as a reflector, a biological shielding, and a coolant. Heat is removed from the core with natural convection. The reactor core contains 14 to 18 fuel assemblies IRT-3M, depending on the geometric arrangement and kind of experiments to be performed in the reactor. The core is accommodated in a cylindrical stainless steel vessel pool, which is filled with water. UR-70 control rods serve the reactor control and safe shutdown.

The reactor has the shape of an octahedral body, manufactured from special heavy concrete containing cast iron which possesses outstanding shielding properties. Two vessels, of virtually identical design, are accommodated in the shielding. One is designed for the core, the other is a handling vessel. They are interconnected by a gate. Thus the experimental devices, the irradiated materials and the nuclear fuel can be transported under the water level from each to another. This contributes appreciably to the radiation safety during the reactor operation. The reactor is fitted with a water circuit, including a standby tank and a demineralization station for preparing high-purity water and maintaining this high purity.

During the first six years of operation, the fuel of the IRT-2M type with the enrichment 36%, imported from the former USSR, was used in the VR-1 reactor. The operation of the VR-1 reactor with the fuel of IRT-3M type started in April 1997. This fuel is imported from Russia, its 235U enrichment is 36%. The fuel is delivered in three modifications, as eight-tube, six-tube, and four-tube fuel. The fuel layer is in the form of a dispersion of Al and UO2,235U enriched to 36% with the thickness of 0.6 mm which is covered with a layer of pure aluminium with the thickness of 0.4 mm on both sides. The total thickness of the tube wall is 1.4 mm. About 352 g of 235U is in the eight-tube assembly, about 309 g of 235U is in the six-tube assembly, and about 235 g of 235U is in the four-tube assembly. The maximal burn-up of the IRT-3M assemblies guaranteed by the fuel producer is 40%. Due to the small power of the VR-1 reactor, its fuel stays to be physically fresh, i.e. there is no measurable burn-up. Particularly, in the VR-1 reactor less than 0.1 g of 235U burns up during 1 year.

212 The digital reactor control equipment consists of the control and safety system, signalling system, connecting system and neutron source control. The control and safety system consists of a ni:imber of functional units, the most important of them comprising: 4 measuring channels for power measurement and automated .control, 4 independent safety channels which prevent the reactor power from exceeding a maximum permissible value, communication channels co-ordinating the performance of the entire system, a peripheral channel ensuring communication between the system and the operator. Each of the systems is based on a microcomputer fitted with special software.

The experimental equipment of the reactor includes two horizontal channels: at radial channel 250 mm in diameter (the diameter can be reduced to 90 mm), and a tangential channel 100 mm in diameter. Moreover, the reactor is fitted with a set of vertical channels which, according to their diameter (12, 24 and 56 mm), can be inserted into various positions in the core. The horizontal channels as well as the vertical channels are designed for the irradiation of samples and examination of neutron fields. The rabbit (pneumatic post), which is particularly well suited to activation analysis was installed in the reactor last year.

In December 2000 the VR-1 reactor had been in operation for 10 years. An international conference named 'Training Reactor Use and Operation' which was organised by reactor staff was held on this occasion. More than 80 experts from the Czech Republic and IAEA, Austria, Germany, Slovakia and the Russian Federation evaluated ten years of VR-1 operation and outlined future development of the VR-1 reactor in the frameworks of Czech Universities and Czech Nuclear Engineering.

2. PRESENT USE AND PLAN FOR THE TRAINING REACTOR VR 1 UP TO THE NEXT 10 YEARS The VR-1 reactor is operated particularly for the training of university students and nuclear power plant staff, R&D, as well as information services for non-military nuclear energy. Training on the VR- 1 reactor provides students with experience in reactor and neutron physics, dosimetry, nuclear safety, and nuclear installation operation. Students from technical universities and from natural sciences universities come to the reactor for training. Every year approximately 200 university students are introduced to the reactor (lectures, experiments, experimental and diploma works, etc.). About 12 different faculties from Czech universities use the reactor. International co-operation with European universities in Germany, Hungary, Austria, Slovakia, Holland and UK is frequent. Currently, students can try out more than 20 experimental exercises. Further training courses have been included to provide special training for selected specialists from Czech Nuclear Power Plants.

Scientific research respects reactor parameters and requirements of the so-called clean reactor core (free from a major effect of the fission products). Research on VR-1 is mainly aimed at the preparation and testing of new educational methodologies, investigation of reactor lattice parameters, reactor dynamics study, research in the control equipment field, neutron detector calibration, etc.

Important parts of the reactor operation are information services and promotional activities in the nuclear power field. Many visitors, mainly high school students, come to the reactor. The reactor staff prepares an attractive program including reactor operation. Every year more than 1500 high, school students come to visit the reactor, as do many foreigner visitors.

The plan for the training reactor VR-1 for the next 10 years covers both impulses and demands from reactor users and conclusions from the conference. The plan covers essential activities (less important activities describes the annual plan for each year) in five fields: educatiion activities, research activities, public relation activities, international cooperation, and human resources, innovation and new equipment.

Educational activities: • keeping the current state in the field number of user schools, number of students and number of offered experimental exercises,

213 • improving existing experimental exercises and establishing new according requests users from universities and nuclear engineering companies, for example: - study of neutron noise and it's application; - study of thermal effects; - study of digital control systems; - study of transmutation technologies ADTT, - study of neutron detectors.

Research activities: • seeking research activities which can use advantages 'clean' Core without temperature, pressure, burn-up feedback etc.; • continuing in study of the digital control nuclear research reactors; • continuing development of the VR-1 reactor's control equipment; • continuing co-operation with Nuclear power plant research institute in Trnava, Slovakia the field of testing detectors for Temelin NPP; • studying of transmutation technologies ADTT.

Public relation activities: • keeping current state in the field number of user schools and number visitors; • developing new demonstration experiments for Secondary/High School students.

International co-operation: • continuing close co-operation with Universities in Germany, Austria, Hungary, Slovakia etc.; • participation in reduce enrichment of research and test reactors RERTR Program with co- operation with Nuclear Research Institute in Rez; • participation in European Nuclear Education Network ENEN, Work package 10 — regional class WPlOa for Austrian, Czech, Hungarian, Slovak and Slovenian students; • co-operation with Technical University Dresden (Germany) on the organising Inspector Training of Criticality Tester for IAEA and NEA inspectors; • continue co-operation in OECD Halden Reactor Project; • additional courses for IAEA.

Human resources, innovation and new equipment: • keeping highly educated and qualified operational staff and teachers participating in teaching and training; • developing of the VR-1 reactor's control equipment based on latest technologies and according to international recommendations and standards; • replace Russian IRT-3M fuel with 36% enrichment with low enriched fuel (below 20%) probably from Russia within the framework of the RERTR programme; • establish system for automation of collection and evaluation of experimental data; • developing new and upgrade recent equipment according to requests of users and latest technologies.

3. PERSONNEL PREPARATION FOR OPERATION OF VR-1 TRAINING REACTOR Qualified (licensed) person for operation research reactors in Czech republic - Selected personnel are: shift supervisor, reactor operator or senior reactor operator, head (leader) of group for physical start of operation (basic critical experiment) and check-up (superintended) physicist. Typical shifts constitution on Training Reactor VR-1 Basic (standard) shift: (shift supervisor /I/ - licensed, reactor operator III - licensed, maintenance and radiation protection personnel III)

214 Extended shift: A/ for extensive or large experiments (shift supervisor III, reactor operator III, maintenance /]./, leader of experiment III, research workers) B/ for training or practical personnel preparation (shift supervisor III, reactor operator III, maintenance and radiation protection personnel III, Teacher 121, students 14 and more/) C/ for basic critical experiment (shift supervisor III, reactor operator III, maintenance and radiation protection personnel 111, check-up physicist III - licensed or head of 'starting group' III - licensed). The system of text books for operating personnel preparation in Czech republic contains: • selected articles from theory of reactors; • experimental methodologies for training; • research and experimental reactor; • technical description of Czech research reactors — (reactor LVR-15, reactor LR-0, reactor VR-1); • safety and operation of research reactors; • database of examining questions. System was prepared by SONS (State Office for Nuclear Safety) in co-operation with Faculty of Nuclear Sciences and Physical Engineering Czech Technical University in Prague and Nuclear Research Institute in Rez

Some aspects of practical training on Czech research reactors: Training on own reactor (or simulator), operation manipulation, operational limits and conditions, fire heizard training, technical reporting, communication, emergency plan and team work

4. NUCLEAR SAFETY AND RADIATION PROTECTION

Nuclear safety is the condition and the ability of the nuclear installation (here, the VR-1 reactor) and its personnel to prevent both uncontrolled development of fission chain reaction and unacceptable release of radioactive substances, or ionising radiation into the environment and also, to limit the consequences of such an incident.

The assurance of the corresponding level of nuclear safety is in the centre of attention at the VR-1 reactor workplace. This reflects all aspects that come from the above given definition. Particularly, it is possible to say: • The VR-1 training reactor was designed and produced in order to match fully all requirements for research nuclear equipment. Special attention was paid also to the both fact that the keeper of the equipment is the university and that students from various schools in the Czech Republic as well as foreign students will be at the workplace. Thus, regarding the technical aspect, the equipment corresponds to the requirements that come from the IAEA recommendations (e.g. number and independence of the measuring channels, number and functions of the control rods, the neutron source, the arrangement of the core, the used fuel, the handling methods, the necessary comfort of the operators, etc.). The equipment that is important from the point of view of the nuclear safety (the reactor vessels, the control rods, and the control system) is under check and quality assurance. If some systems are step-by-step innovated, there is an effort to increase their ability to fulfil the assumed tasks as well as the nuclear safety level. • Thanks to the sophisticated organisation of the VR-1 reactor operation, the whole equipment is permanently held in a very good state. It follows both from its thorough maintenance and from the regular operating inspections. • The reactor operators have the important role to ensure nuclear safety. Therefore, the prerequisites are made for them so that their numerical (e.g. according to the type of realised work) as well as psychological (health, as well) state corresponds the strict requirements and they start the shift-work in good mental as well as physical condition.

215 • The special attention is also paid to the operators' abilities. Before the state examination, which is the condition to obtain the authorisation for chosen activities at the VR-1 reactor, all employees must pass the corresponding exacting preparation. It includes the necessary theoretical knowledge as well as the ability to operate and attend the whole equipment properly. For this, they have all necessary papers and provisions at their disposal. Always after the determined period, the operators pass so called periodical preparation that is completed with the state examination again.

However, the VR-1 reactor has several important aspects that relate to its nuclear safety directly. At least two aspects are mentioned: • With its structure, the used fuel is slightly sub-moderated from the physical point of view. It means that in the case of the non-sufficient heat removal that is released as a result of the 235U nucleus fission, the water boiling among the individual fuel tubes would occur and thus, the moderating ability would drop substantially. The reactor would have the clear tendency to stop spontaneously. This property is so-called a negative cavity reactivity coefficient and it can be demonstrated experimentally at the VR-1 reactor with the simulation of the nucleate boiling by using compressed air. • Thanks to the small power of the VR-1 reactor, practically, no fission products are concentrated in its fuel. The fuel that is designed for the power research reactors stays to be physically fresh for whole the time of the VR-1 reactor operation. The consumption of 235U is less than O.lg per year. Thus, it means that even in the case of so-called hypothetical over-project accident related to the possibility of melting the part of the VR-1 reactor fuel, a significant exposure to danger of its neighbourhood does not occur. The quantity of the fission products that could escape outside of the reactor workplace during this very less probable event is so small that any additional provisions to minimize the consequences of that accident are not necessary.

The VR-1 workplace is under permanent dosimetric checks. Both the stationary dosimetric system with the gamma sensors, the neutron detectors, the radioactive aerosol measurement, the portable devices and the equipment for the personal dosimetry (monitoring the people) by using various types of dosimeters are used.

Radiation protection also includes the handling of the waste (solid, liquid, and gas) that can occur at the reactor workplace and in which radioactive materials could be included. This is realised in spite of the fact, that due to the character of the VR-1 reactor operation and the reached power, the quantity of the radioactive waste is practically null.

The neighbourhood of the VR-1 reactor is monitored, as well. So far, no influence of the VR-1 operation on the outside environment has been found. Neither has any accident occurred at the VR-1 workplace with radiation consequences. The yearly value of the gamma and neutron dose equivalent is significantly less than 0.5 mSv. Regarding the students and the visitors, this value is under the sensitivity threshold of the used personal dosimeters.

5. EMERGENCY PREPAREDNESS

Emergency preparedness is an ability to recognise a development of a radiation incident and, on its occurrence, to fulfil measures determined in emergency plans.

On the basis of the thoroughly performed emergency analyses (the accidents with both radiation and non-radiation consequences. were analysed), the emergency plan to protect the VR-1 reactor employees has been elaborated. The consequences of the initialisation events, that come from the IAEA prepared and recommended list, have been evaluated. It is, for example, power supply loss, various possibilities of releasing the positive reactivity (e.g. the criticality during the fuel replacement, control rod failure, loss of the check during the start-up), loss of the coolant, erroneous handling, and special inside (fire, explosion, flooding of the workplace) and outside (flooding, fire, traffic disaster) events. The results of the analyses show that with observing the basic principles and procedures, the

216 reactor operation can be accepted in its locality in the thickly settled city agglomeration and it is usable for the purpose for which it was built.

The emergency plan of the VR-1 reactor has the following structure: • determining the intervention level; • specification and analysis of the assumed emergency conditions; • detection method of the assumed emergency conditions; • emergency instructions for the individual emergency conditions; • medical part; • estimation of the consequences. The individual parts of the emergency plan (response to the chosen emergency conditions or their combinations) are trained regularly with the VR-1 reactor workplace.

6. CONCLUSION

The experiences with the VR-1 operation are excellent for the last 10 years. There was no accident regarding nuclear safety or radiation protection during the whole period of the use. Operation of the reactor is widely included in many study branches and it significantly contributes to the education of our students and also public wide in terms of conditions and acceptability of the use of nuclear energy.

References

[1] MATEJKA, K., SKLENKA, L'., KROPIK, M., KOLROS, A., 'Educational programme on the training reactor VR-1' (IAEA-SM-360/17), Lisbon, (1999).

[2] SKLENKA, L\, MATEJKA, K., KROPIK, M., KOLROS, A., 'Safety aspects on the training reactor VR-1 operation' (IAEA-SM-360/21), Lisbon, (1999).

[3] Training Reactor Use and Operation, Proc. Int. Conf. Prague, (2000).

217 X//s////*'//>'//*'/////// /// /'////// r~/ /./. _* // 1 - reactor vessel 2 - handling vessel 3 - rod storage for storing the control rods 4 - tangential (inserted) channel 5 - irradiation equipment 2 (carrying basket) 6 - drives of the carrying basket 7 - reactor shielding I B >-* CD

0 1/1 CO CD XAO102800 IAEA-CN-82/56

EXPERIENCES IN CONTROLLING THE UPGRADING OF TRIGA 2000 BANDUNG REACTOR

HUDA, K., WIBOWO, Y. W., SUPRAWHARDANA, M. S. Directorate for Licensing of Nuclear Installation, Nuclear Energy Control Board (BAPETEN), Jl. M.H. Thamrin 55 Jakarta 10350, Indonesia Fax: +62212301253; Email: [email protected]

Abstract

Triga 2000 Bandung Reactor was established in 1961 for research, education and isotope production purposes. The reactor reached its first criticality in October 1964 and operated at nominal power of 250 kW until 1971. In 1971 the reactor was upgraded to the power level of 1000 kW. In order to raise the capacity of isotope production, the reactor has been upgraded again to the power level of 2000 kW. During the modification of the reactor, the Center for Research and Development of Nuclear Techniques (CRDNT) as the management of the reactor faced many problems, either technical or non- technical ones. This caused the upgrading activities take a long time. At this time, the reactor upgrading has almost finished, and the nuclear commissioning is going on. Several aspects and problems associated with the upgrading process have been reviewed and the results are discussed in the present paper.

1. INTRODUCTION Triga 2000 Bandung Reactor is one of the Triga type reactors, which is located in Bandung and operated by the Center for Research and Development of Nuclear Techniques (CRDNT) under direction of National Nuclear Energy Agency (BATAN) Indonesia. The reactor went critical for the first time on October 16, 1964 and operated at nominal power of 250 kW [1]. The reactor was eventually upgraded to 1000 kW in 1971. However, in the periods of 1980 - 1990 the reactor was merely operated at the power level of 500 - 700 kW due to the descending of its cooling capacity [2]. The reactor was operated for the purpose of research, training for university students and radioisotope production.

In order to increase its capability in radioisotope productions for local consumption and potential export, the reactor has been decided to be power-upgraded to 2000 kW to serve as a back up to the 30 MW Reactor SJerba Guna G.A. Siwabessy in Serpong. A contract agreement for the project between BATAN as the operator and U.S. General Atomics as the supplier was signed cm October 27, 1995 [3]. The project started in April 1996 and most of the project activities have been completed. The reactor reached its first criticality, after being upgraded, on May 13, 2000. The reactor is currently still in the nuclear commissioning stage.

In executing the upgrading activities, CRDNT-BATAN has faced many problems, either technical or non-technical ones. This caused the upgrading activities to take a long time, longer than was expected. Its schedule has been changed many times and every time the upgrading approval had to be renewed as well. At this time, the reactor is under the commissioning stage, and almost all tests have been completed. Some topics and associated problems raised during the upgrading execution are reviewed and the results are presented in this paper.

219 2. REACTOR UPGRADING

2.1. Dismantling of components The reactor upgrading was started by removing the fuel elements from bulk shielding on 29 April 1996. During this activity, it was found that there was water in the thermalizing column. It was considered that the water in the thermalizing column could only come from the gap between the aluminium tank and its supporting concrete biological shielding. This necessitated the aluminium tank to be inspected to check whether corrosion or cracking had occurred on the tank.

Visual and ultrasonic inspections were conducted afterwards. Visual inspections showed that there were colour changes at many places on the tank surface. Ultrasonic inspections conducted over 3260 points demonstrated that the tank tends to thin from the outside surface. The tank thickness was measured to be about 4 mm averaged, instead of 6 mm as the initial thickness [4].

The upgrading team of CRDNT cut two pieces of 16 cm X 16 cm wide from the tank as samples, to check the condition of its outside surface, under supervision of an expert from General Atomics. It was found that there was A1O2 powder produced on the samples, which clearly verified that the corrosion had occurred on the outside surface of the tank.

CRDNT decided to put a new aluminium tank on the old one. Consequently, all structures of the core should be first removed from the tank, and beam ports, thermal column and thermalizing column has to be cut. Some problems rose associated with removing the core structures and cutting many components in the tank, such as [4]: • radiation exposure was found to be very high on the Lazy Susan (rotary specimen rack). It was measured to be about 1000 - 2000 rad/h; • corrosion had occurred on the reflector with high radiation exposure (14 rad/h); • water leakage was found on the connection between the beam ports and the reactor core. The above-mentioned problems were gradually surmounted by providing a special shielding, replacing the reflector with a new one, etc. Due to such problems some procedures for conducting the upgrading were inevitably revised accordingly.

2.2. Fabrication of the new tank CRDNT proposed to the Regulatory Body (BAPETEN) to use ASME Standard-Section VIII as a basis for fabricating the new reactor tank. BAPETEN approved the proposal, and CRDNT started establishing procedures and technical guides for the reactor tank fabrication and instalment based on the standard.

CRDNT fabricated the tank from 6061-T6 type aluminium plates of 6.35mm thick. The plates were welded and formed as 5 circular shells including a bottom part of the tank. The welding of the shells was performed using Metal Inert Gas (MIG) and Tungsten Inert Gas (TIG) methods. The welding works were carried out by PT. Gaya Logam (subcontractor), and the welding inspections were subcontracted to B4T (consultant).

Based on the ASME Standard - Section VIII Division 1 Part UW 11, B4T inspected the welding results using the radiography method. The inspection results indicated that there were some defects on the welded shell such as crack (1 point), incomplete penetration (small order), lack of fusion (small order) and tungsten inclusion (« 90%). B4T recommended that, according to the ASME Standard, all defects must be repaired. However, CRDNT argued against the recommendation of B4T.

CRDNT was supported by BAT AN - Aluminium Technology Group (BATG) to do assessments on the results of the aluminium welding. The assessments were done from various points of view, such as: Welding Technology, Material Science and Metallurgical Physics, QA and QC, Mechanics, Electrochemistry and Corrosion, and Safety Standard. Assessment results showed, that the welded shells can be used with the lifetime of about 19 years with following conditions:

220 • all defects such as crack, incomplete penetration and lack of fusion must be repaired; « but, tungsten inclusion does not require any repair; and » the tank is only used as a liner, not as a pressure vessel.

Based on the consideration that the aluminium tank will be used merely as a liner instead of a pressure vessel, CRDNT argued to use the tank after all defects, except the tungsten inclusion, have been repaired, and proposed to refer to different standard (other than the ASME Standard - Section VIII). CRDNT has chosen the assessment results to be a new standard for the tank fabrication.

From above explanation, several notes can be raised up here as follows: • CRDNT has applied an unsuitable standard for designing the new tank; • the welders lack of technical experience and capability in welding aluminium metal; and • the welding procedures provided by CRDNT were not appropriately followed.

2.3. Installation of the new task As previously mentioned, extensive corrosion had occurred on the old reactor tank. Therefore, a new aluminium tank has to be put inside the old tank as a liner. Fabrication of the new tank has been done by welding aluminium plates and forming them as circular shells, as described in previous sub-section. The tank installation was conducted by combining and welding the shells directly in the old tank. The gap between the old tank and the new one was filled by cement grout to assure the rigidity of the new tank. The upper part of the tank was extended outside the concrete shielding by 1 m in order to increase the water inventory. The modified reactor after installation of the new aluminium tank is shown in Figure 1. At the first time, the extra 1-meter tank extension was unshielded, so that the radiation exposure due to Nitrogen-16 around the reactor deck and in the control room was noticeably high. The increase of the radiation levsl due to the power increase has been predicted by the SAR [5]. The additional permanent shielding has to be considered for the top of the reactor to reduce radiation levels in the control room and other locations.

REACTOR VESSEL (ALUMINIUM TANK}

.REACTOR CORE

BORAL 6553

THERMAL COLUMN DOOR ON TRACK GRAPHITE (HEAVY CONCRETE)

STANDARD CONCRETE

POLYETHYLENE • GRAPHITE THERMAL COLUMN LEAD 8534 A8 dimensions in mm FIG. 1 Vertical Section of Triga Mark 2000 Bandung

221 2.4. Core ModlflcatiOB In order to increase the capability of power generation and also heat transfer, the reactor core has been modified by changing the core configuration from annular to hexagonal. The fuel element design and construction were not modified but new conditions of operation with higher core average temperatures, and higher specific power and bum-up require new limits of operation with reduced safety margin. The modified core configuration can be seen in Figure 2. The annular to hexagonal type change was meant to allow the better distribution of heat load over the whole flow channels in the core. Above the core, a chimney of 1 m high has been installed to gain a better thermal hydraulic performance of the core.

Neutron source f Control \ / Etement

FIG. 2 Modified Core Configuration

The maximum thermal neutron flux density was designed to be 4.8x!0u n/(cm2.s) in the ring A [5] In the equilibrium state, the reactor core is loaded by 100 fuel elements to meet the required flux density. One additional control element has been incorporated to the core to anticipate the higher core reactivity excess due to the higher capacity of fuel loading (see Table L). The shutdown margin with one stuck rod is -1.272 $ [3].

Table I. Data comparison of TRIGA 2000 Bandung before and after modification No. Parameter / System Before Modification After Modification 1. Reactor Power 1000 kW 2000 kW 2. Reactor Core Annular Hexagonal 3. Number of fuel dement 74 100 4. Number of Control Rod 4 5 5. Debit of Primary Cooling System 350gpm(22 l/s) 950gpm(60i/s) 6. Debit of Secondary Cooling System 750 gpm (47.3 l/s) 1200 gpm (75 l/s) Number of Blower of Secondary Cooling 7. 3 2, LBT-350 type System 8. Heat Exchanger type Shell and Tube Plate 9. Tank height 6.5 m 7.8 m 10. Chimney - height = 1 m 11. ECCS - Debit = 8 gpm (0.5 Us) 12. Emergency Ventilation System - Active carbon filter Connected with primary cooling Separated from primary cooHng Dif&ser 13. system svstem 14. Number of DifFuser Nozzle 1 2 Connected with primary cooling Separated from primary cooling IS. Water Purification System system system Ring A, E-8, E-15, E-23 and G- 16. Position of Irradiation Facility RffigA,F-10andG-ll 11

222 2.5. Cooling system The cooling of the Triga 2000 reactor core is provided by natural convection flow of demineralized water in the reactor pool. The heat accumulated in the reactor pool is then removed by the active primary and secondary cooling systems. The modified primary cooling circuit consists of a 6-inch pipe loop of stainless steel, two centrifugal pumps of 960 gpm and a plate-type heat exchanger of 2.4 MW capacity. The secondary system is built of carbon steel pipe and includes two pumps of 1200 gpm and two cooling towers [5]. The majority of the secondary system is located outside of the reactor building adjacent to the reactor hall. The maximum temperature in one instrumented fuel rod measured at position B-2 in the core during the commissioning stage was 618°C [6].

3. A BRIEF OVERVIEW OF THE SAFETY EVALUATION PROCEDURE

3.1. General Procedure Before conducting a project for reactor modification or reactor upgrading, the: operating organization shall submit trie project proposal to be approved by the regulatory body (Nuclear Energy Control Board, BAPETEN). The proposal should cover an initial safety analysis that determines whether the proposed changes are within the regulatory constrains for the operation of the reactor, such as approved operational limits and conditions.

A more detailed or comprehensive safety assessment may be required, depending on the results of the initial safety evaluation, which is performed by BAPETEN, together with proposals and justifications for the necessary changes in safety documentation (Safety Analysis Report, SAR), operational limits and conditions, procedures, etc.

3.2. Safety evaluation for Bandung reactor In 1995, CRDNT - BATAN proposed a reactor modification, including the initial safety assessment to BAPETEN (at that time: Atomic Energy Control Bureau, AECB - BATAN). BAPETEN carried out an initial safety evaluation based on the documents of the initial safety assessment. The initial safety evaluation results showed that the proposed changes on the reactor were categorized to be outside the approved safety requirements. BAPETEN then recommended CRDNT to submit a more detailed safety analysis report, new operational limits and conditions, quality assurance program (QA Program) and procedures for the modifications.

A Preliminary Safety Analysis Report (PSAR) has been proposed by CRDNT and has been revised many times according to the recommendations given by BAPETEN staffs through their safety evaluations. To conduct the safety evaluation, BAPETEN has established a safety evaluating team, which is coordinated by Directorate for Licensing of Nuclear Installation. BAPETEN performed inspections and QA audits to assure that the safety requirements were met during the upgrading activities. BAPETEN has also several times invited CRDNT staffs to discuss many problems associated with the upgrading progress. The discussions covered both technical and administrative problems.

As a safety evaluation standard, BAPETEN applied Indonesian Governmental Regulation and the nuclear safety provisions, which are established by BAPETEN or BATAN, such as: • Governmental Regulation No. 64/2000, 'Licensing of Nuclear Energy Utilization'; • Chairman Decree of BAPETEN, No. 05/1999, ' Provision for Design Safety of Research Reactor'; • Chairman Decree of BAPETEN, No. 06/1999, ' Construction and Operation of Nuclear Reactor'; etc. • due to the lack of a national standard, BAPETEN adopted the IAEA safety standard, ASME, etc.

223 3.3. IAEA INSARR Recommendations Although, IAEA INSARR recommendations are not mandatory for the operating organization to follow, BAPETEN believes that the recommendations are in light of the safety improvement. Therefore, BAPETEN strengthened, that INSARR recommendations have to be followed by CRDNT, and those become mandatory actions.

4. SUMMARY The modification of the Triga 2000 Bandung Reactor has been done to meet the need of high capacity of radioisotope production as a back up to the RSG-GA Siwabessy Serpong. The reactor is currently under nuclear commissioning stage. The reactor conditions before and after modification can be seen from the data comparison summarized in Table I.

Many problems were faced during the reactor modification. Most of the problems came from the lack of as-built documents of the old reactor components and systems. Such problems have become serious when the upgrading team started dismantling some active components such as reactor core, reflector, Lazy Susan, etc. The lack of experience and technical skill of the upgrading team, especially those responsible for welding and installation the reactor tank is also one of the problems. The welders did not appropriately follow the procedure provided by the upgrading team for tank welding, so that the quality requirements as stated in the standard (ASME VIII) could not be met. The lack of guides related to the planning and procurement of the upgrading that should be provided by Nuclear Energy Control Board (BAPETEN) was also another problem. While most of the problems have been surmounted, the above experiences have to be learnt by all participants in conducting the reactor- upgrading project. Those have to be lessons for the regulatory body, as well.

References

[1] INTERNATIONAL ATOMIC ENERGY AGENCY, Directory of Nuclear Research Reactors, Vienna p. 216 (1985). [2] HUDA, K. and PANDI, L.Y., Dismantling, Installing and Testing of Reactor Components of Bandung Triga Mark II, personal communication, (1999). [3] INTERNATIONAL ATOMIC ENERGY AGENCY, Report of Expert Mission to the Bandung Triga Mark II Research Reactor, (2000). [4] CRDNT-BATAN, Report of Cold Commissioning for Reactor of Triga Mark 2000, Bandung (1984). [5] CRDNT-BATAN, Preliminary Safety Analysis Report for Reactor of Triga Mark II 2000 kW, Bandung (2000). [6] CRDNT-BATAN, Report of Recent Status of Triga 2000 Reactor, presented at BATAN- BAPETEN meeting held at BAPETEN (2001).

224 XA0102801 IAEA-CN-82/61

AGEING OF RESEARCH REACTORS

CIOCANESCU, M. Institute for Nuclear Research, Pitesti, P.O. Box 78, RO-0300 Arges, Romania Fax: +4048262449; email: [email protected]

Abstract

Historically, many of Research Institutions were centred on a research reactor facility as main technological asset and major source of neutrons for research. Important achievements were made in time in this research institutions for development of nuclear materials technology and nuclear safety for nuclear energy.

At present, ageing of nuclear research facilities among these research reactors; and ageing of staff are considerable factors of reduction of competence in research centres. The safe way of mitigation of this trend deal with ageing management by so called, for power reactors, Plant Life Management and new investments in staff as investments in research, or in future resources of competence. A programmatic approach of ageing of research reactors in correlation with their actual and future utilisation, will be used as a basis for safety evaluation and future spending.

1. 'DESCRIPTIVE' THE PRESENT STATUS OF RESEARCH REACTORS AGEING Ageing Feedback to research, design, redesign technology of materials and processes operation new limits, new regulations is a continuous process. Continuous Reliable Founding of Research Reactor Operation till Decommissioning is one of safety issue for which nor operating organisation either regulatory authority is directly responsible. The government, in this situation, bear the responsibility for direct financing or to establish legal mechanism to ensure Continuous Reliable Founding of Research. Operating organization and regulatory authority have the role to sustain the request for funds and to support for efficient utilization in the general interest of society for nuclear safety. Dealing with priorities or funds allotment there is only one priority — nuclear safety.

Prevention of ageing of research reactor is usually performed too late when phenomena or indication of ageing occur, this is based on large number of information of old reactors in operation. A programmatic prevention activity of ageing can be developed at any age of the research reactor in operation, starting with a matrix of ageing mechanism ranked on probability to occur the most sensitive elements of systems to ageing, including all active and passive safety systems and those which may drastically limits the availability and life of research reactor. This will result in criteria for ageing assessment and in predictive actions to manage the ageing of facility.

Descriptive approach of ageing of research reactors systems and structures is one of factors limiting systematic approach of issue.

Most of ageing related activities are post-factum descriptive causes of failures, in operating research reactors, are events, sometimes being difficult to split in to natural (ageing) or human errors causes. Without attempting to establish a clarification in the most cases reported, relative to ageing deal with corrosion, stress corrosion without identification of root causes and a unique solution replacement of component by a new one following the initial design to avoid large impact in commissioning and licensing of new part.

225 Recognised ageing factors and mechanism in the systematic presentation, may be: physical ageing phenomena on components and systems; evolution of safety standards and criteria; evolution of design criteria and ' good engineering practice'; evolution of technology — new products/ obsolete materials; evolution of risk by the authorities and the public; need to upgrading and improvement of documents; increased demands to reduce waste production.

Physical effects manifest the impact of ageing in research reactors: reliable degradation resulting from high failure rates of ageing components; obsolesce of equipment resulting in unavailability of replacement or parts and maintenance on serviceable components; radiation damage effects causing embrittlement of materials; radioactivity buildings resulting in high exposure rates which hamper operation and maintenance; loss of integrity of piping, pool, tanks, confinement and structures for corrosion, stress cracking, wear; loss of motivation of staff in categories of researcher, operating personnel, maintenance personnel.

Staff ageing itself is one of safety issue affected by the following factors: mobility — incentive, motivation, cost training and licensing; health — increased health risk with age; retirement — increasing the mean age of staff without new employment.

2. CURRENT RESEARCH REACTORS AGEING PROBLEMS During the lifetime of the reactor aggressive environment and operating conditions caused degradation of some components below their initial specifications.

Continuous decision process concerning safety of facility deal with: Reasons for upgrading and refurbishment to cope with ageing effects and meet new safety standards; Reasons for shutdown and decommissioning, both ways on the basis of: legal background and procedures; reactor actual and foreseen utilization; financial support for the next 10 years; lessons learned from similar facilities. Legal background and procedures for research reactors should be completed and reinforced by the regulatory authority in developing countries. Documents on nuclear safety reactors developed by the IAEA starting with Safety Standards, safety guides, safety practice until technical documentation series cover entirely the safety requirements, operation, maintenance, core conversion, ageing, decommissioning, being used as reference for safety evaluation of a facility.

Actual and foreseen reactor utilization may be found in one of the activities as a combination of education, research, technology development and services. Reactors, which sustain programs for future nuclear technology development and are sustained by their Government, are likely to be refurbished and develop programs for ageing mitigation. On the other hand the underused reactors without financial support are exposed to permanent shutdown and decommissioning, still requiring a program for decommissioning and a large amount of money.

There are numerous facilities which belong to the same family of design, age and utilization, but without similar financial resources there is the case judgement on the future of this facility.

226 Problems which may occur in the operation of one of their facilities may occur to another facility, following the probability rules. Learning from the experience of similar facilities may help to solve some problems before the event happens.

Most of research reactors of one family (one recognized designer/supplier) have many design similarities which appear like technical solutions. Some of these technical solutions were rapidly accepted by other designers without having in mind specific conditions, correlations and technological limitation at that time, producing equipment and systems which are less resistant to ageing. Common causes of ageing of a family of reactors can be found in the original design.

3. AGEING EVALUATION PROGRAM (AEP) The review of ageing and safety upgrading is generally focused on hardware and component degradation and/or obsolesce. There is also the need to review the loss of safety knowledge that occurs with the loss of staff due to retirements or organizational changes.

The objective of AEP is to determine the life expectancy (residual work life) of a reactor by performing suitable investigation measures, taking into account special design features of the facility post-operation period and operation experience. It should also be determined to what extent modification, refurbishment or replacement measures have to be taken in the near future to guarantee the safe operation of the facility according to the present state-of-the-art of science and technology. The ageing evaluation program is being focused on the systems and components of the reactor.

The plan can be subdivided into several phases. The first phase includes inventory of all structures, systems and safety equipment (further named components in this section), analysis and evaluation of operating documents and results of regular inspections, special unusual occurrences/events, analysis evaluation of comparable events at the nuclear facility, identification, compilation on life limitation effects and ageing effects. The second phase concerns the determination of critical components with respect to susceptibility to malfunctions. The third phase concerns the determination of critical groups of components for comparison with other facilities for damaging mechanisms (radiation, corrosion wear, fatigue) and selection of components for subsequent investigations. The fourth phase concerns the elaboration and execution of inspection program analysis for safety of components and safety evaluation of inspection results.

Ageing Evaluation Program should take into consideration: the inherent safety of original design using passive principles and systems which are less susceptible to ageing than those designs based on active countermeasures/action; the built-in capacity of the facility to cope with ageing, such as supplementary thickness of the wall for corrosion, larger diameter of pipes for future power increase, extra heat transfer capacity, built-in heat exchanger and cooling tower, electrical power supply to accommodate new electrical equipment and additional requirements of new experiments.

Due to the evolution of regulations and safety standards old design facilities do not meet all present requirements; this is why they are considered aged. During the preparation of the Ageing Evaluation Program a judgment is necessary to evaluate the significance of non-compliance with the last standard requirements. The result of this judgment should be considered along as the expected remaining life of the reactor in terms of cost benefit.

Another important section of Ageing Evaluation Program concerns life extension of research reactors: this is a nuclear activity which will be performed according to new standards of design, construction, testing and operation based on the review of safety analysis, accompanied by new licensing of modifications and personnel.

The Ageing Evaluation Program is based on several sources of data and information derived from the operation of the reactor, periodic inspection and maintenance, event analysis and reporting, quality assurance relevant audits and inspection in the non-conformance reporting.

227 Other important sources of information are: the studies and works done in nuclear power plants to prevent ageing of safety systems where similarities are reasonably judged; the incident reporting system for research reactors (IRSRR) established by IAEA is a very useful tool where event analyses are in connection with ageing consequences.

The last chapter of the Ageing Evaluation Program concerns the actions and measures for ageing mitigation. In this area a major difference from nuclear power plant is noticeable. In a power plant most of non-conformities in equipment and systems are identified during inspection and are replaced by routine procedures. In research reactors the non-conformity is less discovered during inspections but and more likely during normal operation activities when abnormalities occur. The basic safety requirements are the same for power plant and for research reactors even in the inspection area of activities, but the techniques, methods and approach of inspection in these two situations are different due to reduced capability and means in the case of research reactors.

Since a power plant should ensure a high availability many components are exchanged without any indication on unavailability, the research reactors, due to the general lack of financial means, such components are not replaced. Thus these components are used until their life ends, calling randomly for replacement, with negative effects in availability and safety. In such cases only the provisions of fail-safe concept of the initial design operate.

3.1. The present status of relationship between ageing of research reactors and their nuclear safety The present status of representation of ageing of research reactor is at the level of qualitative description of physical conditions concerning mainly the presentation of different aspects of ageing of various facilities frequently oriented to the availability of the facility to satisfy new technical and experimental requirements.

There is not a systematic approach of relation between the ageing process of the facility and trends in its nuclear safety. The ways in which ageing diminishes effectiveness of defence in depth by mechanisms of barriers ageing, equipment and safety system and which is the gap between initial designed performances of safety system and recent requirements derived from the last ICRP Recommendations lacks a thorough understanding.

The mitigation mechanism of ageing is at the level of description, replacement of equipment, repair of some systems based on the initial design or sometimes using new engineering solutions without sound safety analysis.

3.2. Priority for future work on safety of ageing reactors Development of safety criteria for evaluation of safety of installations older than 20, 30, 40 years against which the lifetime of the facility may be justified. Lifetime assessment techniques, programs in order to evaluate the probability of an event in the remaining life to permanent shutdown should be developed.

In the 50 years of research reactor operation a large amount of data concerning material behaviour under irradiation was accumulated in comparison with the data available 30-40 years ago in the early design of nuclear facility.

Synthesis of these data in an international effort may lead to realistic evaluation of ageing of safety components under specific conditions of operation, to assess the structural integrity and remaining life of such a safety component.

Maintaining an adequate number of skilled and motivated staff for the safe operation of research reactors has been a great concern for operating organization of aged facilities:

228 a) through international cooperation based on the above-mentioned sources, in the attempt to a systematic approach of research reactors ageing, the Agency may draw some general guidelines; b) Ageing Evaluation Program issued by each research facility, based on general guidelines, will contribute to the realistic understanding of situation and decision for new expenses (funds) which may be allotted.

3.3. Needs for strengthening international cooperation including recommendations for IAEA future activities Ageing of nuclear research reactors generally became an issue of concern, but only ageing of safety equipment should be addressed by different approaches to generate models for safety evaluation of few types of worldwide recognized designs for research reactors.

4. CONCLUSIONS A programmatic approach of ageing of research reactors in correlation with their actual and future utilization, will be used as a basis for safety evaluation and future spending.

229 XA0102802 IAEA-CN-82/66

EMERGENCY PLANNING AND PREPAREDNESS OF THE DALAT NUCLEAR RESEARCH INSTITUTE

LUONG, B. V. Dalat Nuclear Research Institute 01 Nguyen Tu Luc, Dalat, Fax: +8463821107; Email: [email protected]

Abstract

The effectiveness of measures taken in case of accident or emergency to protect the site personnel, the general public and the environment will depend heavily on the adequacy of the emergency plan prepared in advance. For this reason, An emergency plan of the operating organization shall cover all activities planned to be carried out in the event of an emergency, allow for determining the level of the emergency and corresponding level of response according to the severity of the accident condition, and be based on the accidents analysed in the SAR as well as those additionally postulated for emergency planning purposes. The purpose of this paper is to present the practice of the emergency planning and preparedness in the Dalat Nuclear Research Institute (DNRI) for responding to accidents/incidents that may occur at the DNRI. The DNRI emergency plan and emergency procedures developed by the DNRI will be discussed. The information in the DNRI emergency plan such as the emergency organization, classification and identification of emergencies; intervention measures; the co-ordination with off-site organizations; and emergency training and drills will be described in detail. The emergency procedures in the form of documents and instructions for responding to accidents/incidents such as accidents in the reactor, accidents out of the reactor but with significant radioactive contamination, and fire and explosion accidents will be mentioned briefly. As analysed in the Safety Analysis Report for the DNRI, only the in-site actions are presented in the paper and no off-site emergency measures are required.

1. INTRODUCTION The safety precautions, taken in the siting, design, construction and operation of the reactor, will greatly reduce the risk of an accident or emergency that may occur at the reactor facility. However, the effectiveness of measures taken in case of accident or emergency to protect the site personnel, the general public and the environment will depend heavily on the adequacy of the emergency plan prepared in advance. An emergency plan of the operating organization shall cover all activities planned to be carried out in the event of emergency, allow for determining the level of the emergency and corresponding level of response according to the severity of the accident condition, and be based on the accidents analysed in the SAR as well as those additionally postulated for emergency planning purposes. The emergency plan shall be implemented by emergency procedures in the form of documents and instructions that detail the implementation actions and methods required to achieve the objectives of the emergency plan. The extent of detailed obligatory instructions in these procedures should be commensurate with the postulated scenario.

The intent of this paper is to present the practice of emergency planning and preparedness in the DNRI. The DNRI emergency plan, established by DNRI for the event of a nuclear accident/incident that may be occur at the DNRR facility, describes the arrangements in order to respond to any accident/incident in the shortest possible time, to minimize injuries to persons, loss of life and /or damage to property, and restore DNRI to normal operation in a timely and orderly manner. The information in the DNRI emergency plan such as the emergency organization, classification and identification of emergencies; intervention measures; the co-ordination with off-site organizations; and emergency training and drills will be discussed in detail in the following sections. The emergency procedures in the form of documents and instructions will be presented briefly.

230 2. DNRI EMERGENCY PLAN The DNRI emergency plan relates to the following nuclear facilities: 1) Dalat Nuclear Research Reactor; 2) Radioactive Liquid Waste Treatment Station; 3) Radioactive Waste Disposal Building; 4) Laboratories (Laboratories of the Radioisotope Production Dept., Laboratories of the Nuclear Physics Dept., Laboratories of the Centre for Analytical techniques and Environment, Laboratories of the Radiation Protection Dept., Laboratories of the Nuclear Electronics Dept., etc); and 5) Cobalt-60 Radiator.

The DNRI emergency plan provides information of the following: (a) the emergency organization, including authority and responsibility; (b) classification and identification of emergencies; (c) intervention measures; (d) the co-ordination with off-site organizations; (e) documents and equipment available to deal with an emergency; (f) radiological protective measures; (g) emergency training and drills.

2.1. Emergency Organization In addition to their daily responsibilities, designated members of an ad-hoc committee within DNRI have specific responsibilities in the emergency response organization. This ad-hoc committee consists of the following members: 1) the DNRI Director, chairperson of the committee; 2) the Deputy Director, vice-chairperson, who can be delegated the responsibility of the chairperson when needed; 3) the Reactor Manager, who will be responsible for directing the measures to cope with accidents/incidents which occur in the reactor; 4) the Head of Radiation Protection Department, who, in co-ordination with the heads of other related departments or services of DNRI, will be responsible for directing the measures to cope with a radiological accident in case it occurs in laboratories of these departments or services; 5) the Head of Administration Department, who will be responsible for providing communication and transportation means to be used in the emergency situation, assuring the security of the site, and organizing the co-ordination of the on-site services and external aid from off-site organizations.

2.2. Classification of emergency at DNRI The types of emergency situations that may arise at DNRR facility can be classified into three groups based on the nature and extent of the emergency as follows: (i) accidents/incidents in the reactor; (ii) accidents/incidents out of the reactor but with the locally significant contamination of radioactive substances; (iii) ordinary accidents/incidents with potential consequences affecting nuclear or radiological safety.

The emergency situations of type (i), which might occur in the reactor during both its operation and shutdown, could be reactivity accident; loss of reactor pool water accident; amd total loss of electric power supply. The emergency situations of type (ii) with high radioactive contamination could be the significant leakage of radioactive liquid substances or wastes from the containers; the release of radioactive material from unsealed radioactive sources and dispersion of radioactive material to the environment; and accidental missing of sealed radioactive sources. The ordinary accidents/incidents (type iii) such as fire, explosion, the stack collapses due to a break of its holding ropes could potentially lead to radiological or nuclear risks.

231 2.3. Emergency Identification

2.3.1. For accidents/incidents in the reactor: For DNRR, a reactivity accident could be as result of inadvertent withdrawal of control rods when the reactor is at low or full power, mishandling of fuel (e.g. insertion of a fuel assembly into the core when it is near critical), and unauthorized loading (or unloading) irradiation samples with a positive reactivity larger than specified limits by the pneumatic transfer systems. The reactivity accident could lead to loss of control of chain reaction in the reactor, especially, including inability to shut down the reactor and/or to maintain it in a shutdown state for long time; fuel failure; and release of fission products from the fuel into the environment.

Loss of reactor pool water accident could result from a break of the beam ports, the thermal column or the pool wall. When the reactor pool water level lowers a depth of 0.6m from the pool surface, the reactor will be shutdown by a scram signal on low water level. The total loss of pool water might occur at DNRR. In this case, however, the core will be cooled by air convection and it is not melted because of reactor power below 1MW. The loss of reactor pool water accident could lead to insufficiency of heat removal from the reactor while at full power or in a shutdown state and loss of integrity of any barrier to release of the radioactive fission products.

Total loss of electric power supply is the case when the city network electricity is cut off and the reserved sources such as UPS and/or diesel generators fail to function properly. In this case, the reactor will be surely shutdown due to drop of control rods into the core under gravity and safely maintained at its sub-critical state. However, information on the all reactor parameters after reactor shutdown is unavailable in the reactor control room. This event is considered as an emergency case at DNRR.

Usually, the information available in the reactor control room allows the operating shift personnel (especially, the shift supervisor and/or the reactor operator) to be clearly aware of the principal process parameters of the reactor. However, it requires supplementation with radiological monitoring and visual observation within the reactor hall. Besides, rapid gathering of the environmental monitoring data is required to determine the release level of radionuclides into the on-site and off-site environment.

2.3.2. For accidents/incidents out of the reactor but with locally significant contamination of radioactive substances: The information to be acquired is the activity of liquid radioactive material contained in the broken container, or the radioactivity of release from the unsealed radioactive source, or the activity of the sealed radioactive source that is missing.

2.3.3. For ordinary accidents/incidents: It is required to rapidly acquire information of the event in allowing for assessment of its immediate effects and later potential hazards to the reactor.

2.4. Intervention measures Soon after the emergency situation has been identified and assessed, the first actions must be promptly taken to cope with unfavourable evolution of the event. In case of an emergency in the reactor, it is the responsibility of the reactor operating shift personnel for achieving this goal under direct command of the Reactor Manager, hi case of emergency occurring in a laboratory at the reactor site, the head of the department administering this laboratory is responsible to organize locally the intervention in co- ordination with the Head of Radiation Protection Dept.

To cope with anticipated emergencies, the intervention measures prepared in advance will be applied. These measures are established in the form of emergency procedures based on the results of emergency studies and on the experiences gained from emergency drills.

232 In case of accident, the protective measures imposed on the on-site personnel may include sheltering, evacuation, intake of iodine tablets, or body decontamination, etc. Even in case of the most severe accident in the reactor, the general public and the off-site environment are affected minimally, just under the specified limits. Therefore, no restrictions or additional measures are imposed on the off-site population in any case.

When the accident is over, recovery operations must be conducted in order to return the facility to the safe situation and to recover the accident consequences. The emergency situation will be considered terminated only when the safe situation of the facility is fully re-established. The chairperson of the ad-hoc committee is responsible to declare the emergency termination.

2.5. Co-ordination with off-site organizations In case of emergency, the DNRI is responsible to co-ordinate the actions with the following organizations: Lam-Dong Provincial People's Council; Lam-Dong Provincial Police Department; Dalat City's Fire Service; Lam-Dong Provincial Hospital; Lam-Dong Meteorological Service; Dalat City's Electricity Service; Dalat City's Water Supply Company; and Vietnam Atomic Energy Commission (VAEC).

When an emergency is considered as serious, and/or when the off-site assistance of the above- mentioned organizations is needed, or it is necessary to evacuate the personnel from the facility site, the ad-hoc committee shall notify VAEC and the local authorities with accurate information.

2.6. Emergency documents and equipment The ad-hoc committee shall ensure the availability and readiness of equipment and documents to be used for its intervention direction. The emergency equipment available or ready to operate consists of: personal dosimeters and other radiation survey instruments; UPS and diesel generators; system of emergency communication; emergency vehicle; decontamination tools and substances; protective clothing and equipment; first-aid medicaments. These emergency equipment are subjected to periodic verification in respect to their quantity, availability and performance.

The documents needed in an emergency situation are kept at the headquarters of the ad-hoc committee and consist of the following: 1) a copy of Ref. [1] 'Planned Actions in Emergency Cases'; 2) drawings of the facility buildings and structures with guidelines of the emergency exits; 3) a scheme of the fire prevention and fighting system of the facility; 4) list and scheme of positions where intervention equipment is located; 5) a call list of in-site and off-site persons needed in case of emergency communication; and 6) lists of the above-mentioned emergency equipment with their storage locations and the persons responsible to store and operate them.

2.7. Radiological protection measures In case an emergency occurs, the health physicists are required to quickly carry out the measurements and to determine the degree and kind of radioactive contamination at each location in order to report to the ad-hoc committee.

233 The Health Physics Group shall provide the personnel with adequate protective equipment and with detailed manuals or instructions of use. The Group shall precisely specify the time duration and the measures that the personnel must take in emergency intervention and recovery in order not to be exposed to the radiation over the dose limits. However, as in special circumstances, it may be allowable to the personnel, taking part in preventing the emergency, to receive an individual effective dose as much as 2 to 5 times the annual dose limit.

The contaminated locations must be localized and bared with warning signs, and effective measures to prevent contamination from spreading should be implemented. After the emergency recovery, the facility personnel are permitted to return to their workplace only if the radiation dose, the surface contamination and the air contamination are back to normal levels.

2.8. Emergency training and drills All facility personnel are required to study this emergency plan. Every year, the DNRI authorities organize the re-training (or training) course for the facility personnel accompanying with the drills on the anticipated accidents that might occur at the site.

3. EMERGENCY PROCEDURES

3.1. Accidents in the reactor At the moment an accident occurs in the reactor, if the reactor is in operation and its protection system does not actuate an automatic scram, it must be manually shut down.

3.1.1. Reactivity accident If the accident occurs during core handling, the safety rods must be released by pressing any of the two scram buttons located on the reactor platform, and, simultaneously, the core handling must be stopped. The shift supervisor shall report the accident situation to the Reactor Manager, who, in turn, reports to the ad-hoc committee. The committee may declare the warning of an emergency situation within the site. The ventilation of the reactor hall (P-3 and V-2 systems) will be shut down.

Except the operating shift personnel and personnel participating in accident intervention and recovery, all must be evacuated from the reactor building under guidance of the health physicists. At the air- lock, the health physicist on duty will check those persons leaving the reactor hall for contamination, collect their personal dosimeters for quick determination of the radiation dose received, and provide instructions of decontamination for those having been considerably contaminated. Any significantly contaminated individuals must be rushed to hospital.

Based on the radiological situation in the reactor hall and on the latest acquired information, the Reactor Manager and the Head of the Radiation Protection Dept. will work out the particular plan for accident recovery, for discovery of damaged fuel assemblies and dealing with them (if any), as well as for investigation of the accident causes.

3.1.2. Loss of reactor pool water The shift supervisor shall report the accident situation to the Reactor Manager, who, in turn, to the ad- hoc committee. The committee may declare the warning of an emergency situation within the site. The ventilation of the reactor hall (P-3 and V-2 systems) will be shut down. The primary and secondary pumps, if on work, will be halted. The health physicist will carry out monitoring of radioactive airborne and gases in the reactor hall and the primary loop equipment room. If the radioactive airborne or gases are detected, he should guide irrelevant persons to leave the reactor hall through the air-lock.

Based on the rate of water loss from the reactor pool, the shift supervisor will decide to add demineralized water to the pool, and, in case there is a threat to the core of exposure to air, will

234 command the mechanic to add tab water directly into the pool. The Reactor Manager and the Head of the Radiation Protection Dept. will work out the plan for accident recovery, including: (a) determination of contaminated locations and contamination level; (b) determination of radioactive airborne and gaseous activity; (c) collection of water from the floor into the sump; (d) pumping of waste water from the sump to the processing station at Bldg. No.2; (e) decontamination of the reactor hall floor; (f) decontamination of the personnel after recovery work.

3.1.3. Total loss of electric power supply The instrumentation and control operator on duty accompanied by the health physicist shall check for the full insertion of control rods into the core by using a portable battery-powered lamp. The shutdown state of the reactor can also be evaluated by the Cherenkov light intensity in the core or by the gamma dose rate around the reactor.

Having assured the reactor shut down, the operating shift continues to cope with the accident. If any control rod is not released, the mechanic will make it drop. The electrician and/or the diesel operator will check the UPS and/or diesel generators and make necessary repairs in order to re-establish the emergency power supply as soon as possible.

When the electric power supply from the city network returns normal, the shift supervisor will allow to re-start the reactor after assuring that all the abnormal phenomena have been fixed.

3.2. Accidents out of the reactor but with significant radioactive contamination In any case of release of radioactive substances to the floor or into the air, the central ventilation system must be shut down, except for local ventilation of the radioisotope production hot cells.

The health physicist on duty shall determine the dose rate or contamination level, and assign the time duration and individual protective measures for personnel of the acting group 1.0 take part in accident intervention and recovery. The shift supervisor or the group head will direct the actions of the group personnel in preventing the accident development and in carrying out the decontamination followed.

3.3. Fire and explosion accidents When the reactor is on operation, it must be manually scrammed if the fire/explosion occurs on the reactor technological equipment or there is potential to affect reactor safety. Electric supply to the area where the fire/explosion occurs must be cut off.

The fire fighting; measures shall be carried out, in the first place, to prevent the fire from spreading. If the pressure of city water is not sufficient, fire pumps should be started. In case needed, either a member of the ad-hoc committee or the shift supervisor or the laboratory head or the security guard should urgently call the city's fire fighting service.

In case of large fire, it is necessary to evacuate the site personnel. In case of fire/explosion leading to an accident in (or out of) the reactor, the actions are to be taken as described in 3.1 (or 3.2).

4. CONCLUSION Historically, any abnormal occurrence at the reactor site is referred to as an emergency case. Also, the discussions above presented are mostly applied to the nuclear power plant or the research reactor of high power based on the initial emergency plan supplied by the Soviet designer. That is the name of [1] which covers the actions to be carried out during the planned abnormal occurrences rather than emergencies. As analysed in the Safety Analysis Report for the DNRI [2], the accident conditions and accidents are very unlikely to occur at the DNRR facility, and even with the maximum hypothetical accident, the radiation doses to the general public are still below limits specified for the normal

235 exposure. Therefore, only the in-site actions are presented in this paper and no off-site emergency measures are required.

References

[1] Planned Actions in Emergency Cases - DNRI, Dalat, (in Vietnamese) (1996). [2] Safety Analysis Report for the Dalat Nuclear Research Reactor, Dalat, (2000).

236 XAO102803

IAEA-CN-82/67

SAFETY OF RESEARCH REACTORS-A REGULATOR'S PERSPECTIVE

RAHMAN, M. S. Pakistan Nuclear Regulatory Authority P.O. Box No. 1912 Islamabad, PAKISTAN Fax: +92519204112; Email: [email protected] Abstract

Due to historical reasons research reactors have received less regulatory attention in the world than nuclear power plants. This has given rise to several safety issues which, if not addressed immediately, may result in an undesirable situation. However, in Pakistan, research reactors and power reactors have received due attention from the regulatory authority. The Pakistan Research Reactor-1 has been under regulatory surveillance since 1965, the year of its commissioning. The second reactor has also undergone all the safety reviews and checks mandated by the licensing procediares. A brief description of the regulatory framework, the several safety reviews carried out have been briefly described in this paper. Significant activities of the regulatory authority have also been described in verifying the safety of research reactors in Pakistan along with the future activities. The views of the Pakistani regulatory authority on the specific issues identified by the IAEA have been presented along with specific recommendations to the IAEA. We are of the opinion that there are more Member States operating nuclear research reactors than nuclear power plants. Therefore, there should be more emphasis on the research reactor safety, which somehow has not been the case. In several recommendations made to the IAEA on the specific safety issues the emphasis has been, in general, to have a similar documentation and approach for maintaining and verifying operational safety at research reactors as is currently available for nuclear power reactors and may be planned for nuclear fuel cycle facilities.

1. INTRODUCTION The pro-environment movements of the seventies and the accidents at Three Mile Island and Chernobyl compelled the nuclear industry, national governments and international agencies to focus their attention on nuclear power plant safety. As a consequence the research reactors received less attention than they deserved. Similarly, the nuclear fuel cycle facilities also got less attention. However, after the Tokaimura incident these facilities are now getting more attention. The nuclear industry and the IAEA should not wait for an accident in a research reactor to redefine its priorities and then look into the safety of research reactors along with the fuel cycle faciliities.

In Pakistan the regulatory authority (RA), DNSRP has always accorded due importance to research reactor safety. Although it had a relatively large task of licensing of the first PWR but the research reactors had been under active regulatory surveillance all the time.

2. STATUS OF RESEARCH REACTOR SAFETY IN PAKISTAN Pakistan has two research reactors located at the Pakistan Institute of Nuclear Science and Technology (PINSTECH) at Nilore Islamabad. The first reactor, PARR-1 was commissioned in 1965. It is a swimming pool type reactor. Originally its power was 5 MW and it used highly enriched uranium (HEU) fuel. In 1990, the HEU fuel was replaced by Low Enriched Uranium (LEU) fuel and the reactor power was raised to 9 MW. In 1985, the instrumentation and control of the reactor including its control panel were replaced due to obsolescence. In the year 2000, a formal operating license allowing the licensee to operate PARR-1 at 10 MW was issued. The second research reactor is a miniature neutron source reactor (MNSR) of 27 KW. Operation License to PARR-2 was issued in 1993. PARR-2 is mainly used for operator training and neutron activation analysis and has no significant operational safety problems.

237 On the other hand, in PARR-1 the issue of obsolescence of equipment and structures was faced. In the mid eighties, the licensee initiated a program for replacement of old equipment with those that provided increased operational flexibility, reliability and testability. As the philosophy of I&C was not changed, therefore a revision of FSAR was not required by DNSRP. The design of the new equipment was compared with the specifications of the previous ones. DNSRP approved the new system and also witnessed the installation and commissioning of the replaced equipment. The replacement of obsolete equipment was completed in the end of 1985.

However, the licensee continued to face problems due to ageing structures such as leakage from the reactor pool and inclusion of«debris from the pool construction material in the primary coolant. These were causing operational and safety problems. The licensee also had to convert from HEU to LEU fuel according to international requirements. Accordingly, the licensee decided to convert HEU to LEU fuel and to install a stainless steel liner in the reactor coolant circuit including the pool and hold up tank. In addition, extensive repair work was carried out on the reactor containment building. An emergency core cooling system was also installed. In view of the extensive upgrading, the licensee was asked to submit a revised FSAR.

The licensee prepared a revised FSAR and presented a case for allowing operation at a maximum power of 9 MW. DNSRP reviewed the FSAR and witnessed the installation of the liner, other safety related equipment and fabrication of LEU fuel in China. In addition, DNSRP had several control (hold) points in the commissioning process such as approach to criticality and during ascension of power in steps. DNSRP allowed progression from one stage to the next only when it was satisfied. After completion of the commissioning the licensee was permitted to operate PARR-1 at a maximum power of 9 MW. Recently, the licensee applied for permission to raise the power to 10 MW. A revised FSAR was submitted by the licensee, which was reviewed and approved by DNSRP. A formal operation license was issued to the licensee to operate PARR-1 at a maximum power of 10 MW. As a result of the above, the licensee has been able to significantly improve the safety level of PARR-1.

A regulatory framework and oversight has existed for research reactors since PARR-1 was commissioned in 1965. The nuclear regulatory authority has been evolving since then and various regulatory bodies of the time have maintained a regulatory surveillance and have licensed the supervisors and operators responsible to manipulate the controls of research reactors. With the passage of time this frame work and oversight has become more formal and documented. Procedures for the licensing of research reactors and operating personnel have been in place and rigorously followed and enforced. DNSRP as part of its surveillance program conducts regulatory inspections at specified intervals and also when an unusual event occurs. Both the research reactors are in use and there is apparently no immediate need for preparing procedures defining safety precautions and preservation measures to be taken during long shutdowns. However, DNSRP would be asking the licensee to start work on such procedures to cater for a remote possibility.

3. SPECIFIC SAFETY ISSUES In the ensuing sections comments are presented on safety issues identified by IAEA.

3.1. Systematic (periodic) reassessment of safety A single safety review, no matter how thorough, cannot detect all the safety deficiencies. Moreover, with time additional safety deficiencies tend to creep in. This happens in spite of the fact that during the operational phase all modifications in technical specifications and plant hardware are reviewed and approved by the regulatory authority. A comprehensive safety review has its own advantages; for example, in such reviews the plant is analysed as a whole and not as a single modification.

In case of PARR-1, as already described above, there have been several systematic assessments, though not at regular intervals. In the future we intend to have regular periodic safety reviews for research reactors with an interval on the order of 10 to 15 years. Necessary steps for rulemaking in this regard are being taken. Since PARR-1 has been recently reviewed, PARR-2 will be subjected to a

238 periodic review in the near future. Later, DNSRP will specify the documents to be submitted along with the time frame, their format and contents, etc. and in parallel it will try to develop a standard review plan for reviewing these documents.

3.2. Obsolescence of equipment and lack of maintenance RA should refrain from defining the obsolescence acceptable to it. Instead it should verify that the plant safety systems are available as required by technical specifications (TS). In case a channel/train or system is not available due to unavailability of equipment due to obsolescence, the licensee should be asked to invoke the limiting condition (LCO) of operation and complete repairs in the stipulated time or go in the specified mode of operation. The licensee should be guided in such cases by the requirements of TS, maintenance policy, etc. and should weigh his losses due to shutdowns. Consequently, the forces of economics may require implementation of a replacement program in the early phases of obsolescence. RA may allow the licensee to have a continuous upgrading program. In addition, it may include a comprehensive safety review of all the upgrades in the periodic safety reviews.

3.3. Loss of expertise and corporate memory A reasonable turn over of manpower is good but if it affects the plant functioning then preventive measures should be taken. If incentives, including financial, are provided, experts can be retained and new experts can be attracted. Regarding loss of corporate memory, it can be stated that written record is the corporate memory. All the events significant or insignificant should be reported reviewed and documented. When there are changes in corporate management there should be over lapping periods and extensive exchange of information during the handing over and taking over. A two man approach may also be followed in which the main person keeps another person informed of the salient events in his work so that he can act as a back up in his absence. New owner should retain the old operating team for a while. This can provide some sort of continuity and preserve the corporate memory.

3.4. Lack of quality assurance programs Generally activities affecting safety in all research reactors should be subject to a quality assurance program. However, an ANS standard on QA programs for research reactors does not require a QA program for research reactors below 10 MW power. Such relaxation should be withdrawn. All activities affecting safety including those of siting, design, construction, operation and decommissioning should be controlled by a QA program for research reactors of all power levels and types. The QA program should however be commensurate with the power (flux) level of the reactor. Reference documents for preparing such QA programs are available in plenty for nuclear power plants but are scarce for research reactors.

3.5. Lack of clear utilization programs and consequent lack of financial support The nuclear industry as a whole should look in to this issue. The number of research reactors should be decreased and several universities and organization may share a research reactor. Neighbouring countries can share a reactor and its expenses. To enhance reactor utilization, programs can be started for training and retraining of operators and regulators. While attempts should be made to reduce the operating costs, a fraction of these can be borne by the governments. Licence fee and other regulatory expenses may also be reduced commensurate with the utilization of the reactor. Licensees may seek Agency's support in drawing up new utilization programs.

3.6.Financing of safety measures (safety assessment, safety upgrading, dismantling and decommissioning) All safety measures and regulatory activities cost money. This burden is necessary to ensure the public that the reactors are being operated safely. These costs are a very small percentage of the total cost. As the licensee has to bear these costs he should be informed of the regulatory requirements at an early stage of planning. Cost of safety measures should be included in the financial feasibility calculations with a reasonable margin for future regulatory requirements. The RA should also carefully evaluate

239 the cost and benefit of a regulatory requirement before imposing it and try to reduce paper work. However, there are certain activities for which the burden is to be borne by the licensee alone; for instance; decommissioning costs. A mechanism for ensuring sufficient funds at the end of life or whenever decommissioning is expected should be in place before operation license is granted. The regulator should frequently verify this capability. For cutting costs, national or international contractors may be hired for jobs that are rarely performed.

3.7. Ownership of shutdown reactors Research reactors should not be in the shutdown mode for long periods. If a long shut down is anticipated, proper safety precautions and preservative measures should be taken according to written procedures. In case of even longer duration of shutdown, consideration should be given to de-fuelling and blanketing of safety significant equipment in an inert atmosphere. Adequate monitoring of parameters such as chemistry and reactivity should be continued. Critical parameters such as water level in the pool should be alarmed. Physical protection of the facility should be ensured. While transferring the ownership of the reactor it should be noted that the operation license is non- transferable. The RA should satisfy itself that the new owner meets its criteria and then allow transfer of the operation license.

3.8. Safety assessment of different modes of utilization including experiments The RA should not assess different modes of utilization including experiments. Rather, it should place limits on power, flux, differential temperature across the core, clad temperature, radioactivity in the coolant, etc. The licensee should assess experiments and reactor utilization according to written policy/procedures preferably with the advice of an in-house committee. The RA may verify in its periodic surveillance that the applicable procedures are being followed.

3.9. Emergency preparedness It has been a general experience that in research reactors the level of emergency preparedness is more than what is required. This has resulted due to use of criteria and safety assessment tools developed for nuclear power plants. As a result, the licensee has to implement emergency preparedness measures generally prescribed for power or large research reactors. If a rational approach is adopted in this area the cost of operation can be reduced. In turn it will also decrease the regulatory cost. More emphasis should be placed, in the future, on the on-site measures rather on off-site measures.

3.10. Training and qualification of operators and regulators Training of operators should be arranged when obsolete equipment and structures are repaired or replaced, new utilization plans are drawn, new experiments are planned, new fuel is used, new regulatory requirements are introduced, ownership is changed with an accompanied change in operation policy, long shutdowns are terminated, etc. The training should be such that an operation engineer can also work in maintenance and engineering. This can help in reducing costs and keep personnel gainfully employed. There should be several stages in licensing so that the interest of the operators is maintained. Compulsory periodic retraining should be a part of licensing requirements. The operators should be trained on event and symptom (or a combination of the two) emergency procedures.

The training and qualification of regulators is equally important. It should be noted that there are several industry standards and IAEA documents available for training and qualification of operators but guidelines for the training and qualifications of regulators are rarely available.

Training of regulators and operators should be such that rigidity of approach (trained incapacity) is avoided. It prepares them to adjust to changing circumstances while still achieving their goals of verifying safety.

240 3.11. Safety implications bf new fuels The safety implications of new fuels should be very carefully considered before allowing their use in the core. While converting from HEU to LEU we did not encounter any difficulty in the thermal hydraulic behaviour of the fuel but the new fuel had a feature that required careful handling during fuelling. The operators had to be trained in this aspect before first fuelling of the core. We also paid attention to the QA of the fuel during fabrication and our inspectors witnessed the qualification tests. The IAEA may collect performance-related data on different type of fuels fabricated by various vendors and make it available to Member States. This will be helpful to both RA and licensee.

3.12. Lack of regulatory framework It can be generally said that there is a lack of industrial standards for research reactors. For example compare the regulatory guides issued by USNRC under its Division 1 with those issued under Division 2. An. examination of the list of regulatory documents issued by other leading RA or a review of the catalogue of ANS standards will give a similar picture. As a consequence the standards written primarily for nuclear power plants are being used for research reactors as well. Similarly, computer codes written for nuclear power plants along with very conservative assumptions are being used in safety assessments of research reactors. This has resulted in over conservative results requiring unwarranted safety measures causing difficulties for the RA and the licensee. On the basis of NUSS documents, the Agency may prepare a version applicable to research reactors. Similarly, other documents and programmes initiated for power reactors may be amended and applied to research reactors as well. For example; PROSPER, INES, IRS, OSART, etc. may be extended to research reactors. The definition of nuclear installation should also include research reactors.

3.13. Insufficient independent peer reviews for research reactors It is felt that there should be more international and national peer reviews, as is the practice in nuclear power plants. The licensee should invite more INSARR missions through IAEA or through any other similar forum. The research reactor operators may form such associations or under the sister organization framework share their experience of research reactor operation. The research reactor suppliers can also form an organization similar to COG (CANDU Operator Group) and collect and disseminate safety and operational experience on the reactors supplied by them. If such peer reviews are conducted, then RA may adjust their surveillance programs to reduce the regulatory burden of the licensee.

3.14. Lack of an International Convention on Research Reactor Safety The idea of including research reactors in the present convention or having another safety convention is a good one and should be considered by the stakeholders in the Memlber States namely; the governments, FLA. and the licensees.

4. RECOMMENDATIONS TO IAEA In view of the aibove, the following recommendations are made to the IAEA: revise NUSS documents'and prepare a research reactor version of these; establish a list of documents required to be prepared by the licensee for submission to the regulatory authority and specify their format and contents and prepare a document on the lines of the US Standard Review Plan (NUREG 0800) for use by the RA; collect data on the performance of various types fuels supplied by various vendors being used in the current research reactors and publish it annually; act as a catalyst to establish organizations for research reactors similar to WANO and COG; assist Member States to form regional groups of countries for increasing reactor utilization and financial support to research reactor owners; include research reactors in the definition of nuclear installations so that IAEA programs such as IRS, PROSPER, INES, OSART, IRRT, etc cover research reactors also; offer more INSARR missions to Member States; prepare technical report series documents for QA of research reactors;

241 commission studies for extension of life of operating research reactors; establish various task groups to discuss and prepare TECDOCs on each specific safety issue.

5. CONCLUSIONS It is concluded that in Pakistan and other Member States the research reactors are operating safely. However, the nuclear industry is going through a transition and the stake holders in the safety of research reactors will have to act in unison and take concerted initiatives now to address these multi- dimensional problems as outlined in the above paragraphs. In this regard, a proactive approach should be preferred over a reactive approach. The dividends accrued from this approach will surpass the financial and other inputs that will have to be made in this context. The respective governments of the Member States, the regulators and operators of research reactors and the IAEA should liberally provide these inputs, share their experience and mutually help each other in attaining the goal of safer research reactors.

242 TOPICAL ISSUE 5:

SAFETY PERFORMANCE INDICATORS XA0102804 IAEA-CN-82/09

PERFORMANCE INDICATORS AT EMBALSE NPP: PSA & SAFETY SYSTEM INDICATORS BASED ON PSA MODELS

FORNERO, D. A. Nucleoeletrica Argentina S.A. Los Cercis 243 - B 5856 Embalse - Cordoba, Argentina Fax: +543514244577; Email: [email protected]/[email protected]

Abstract Several indicators have been implemented at Embalse NPP. The objective was selecting some representative parameters to evaluate the performance of both the plant and the personnel activities, important for safety. A first set of indicators was defined in accordance with plant technical staff criteria. A complementary set of them was later added based on WANO guidance.

This report presents the set of indicators used at Embalse NPP, centering the description to those related to safety systems performance indicators (SSPI). Some considerations are done about the calculation methods, the need for aligning and updating their values following Embalse Probabilistic Safety Assessment (PSA) development and some pros and cons of using the PSA model for getting systems indicators.

Owing to the fact that PSA ownership by utilities is also a subject of the meeting, some characteristics of the organization of the PSA Project are described at the beginning of the report. At Embalse NPP a Level 1 PSA has been developed under the responsibility of the own plant and with an important contribution from IAEA. PSA was developed at the site, conducting this to a Study strongly interactive with the station staff.

1. PSA AT EMBALSE NPP

1.1. Characteristics — plant ownership Embalse NPP is a PHWR 650 MWe station, CANDU design (CANadian Deuterium Uranium) that started commercial operation in 1984.

Particular probabilistic studies had been developed for the plant since the beginning of the operation, such as relatively simplified fault trees and the analysis of some event sequences for a limited group of initiating events, with a probabilistic approach.

A comprehensive and systematic Level 1 PSA began to be developed at Embalse on the ends of 1997. Developing a formal PSA at Embalse had been an objective defined some yeairs before. However, its beginning was delayed because it was a priority to develop first the same study for Atucha I, that is the other NPP in operation in Argentina. It is also a PHWR station (Siemens-KWU) and its design is older than Embalse's. So, in the early 1990s it was thought convenient to develop detailed PSA studies for it first. After a Level 1 PSA for internal events were completed for Atucha, PSA started at Embalse in a systematic way.

A very important characteristic of this PSA is that the own station was responsible of the Project from the beginning and the Study was developed essentially at the plant.

The experience showed that this is a very important issue to reflect the actual Operation of the plant. The day to day information supplied for operators, maintenance and technical support personnel to PSA group, would be impossible to be found in the same way in the best formal documentation that

245 someone can have available in any place. Despite the fact that PSA was mainly developed at the plant, an heterogeneous group of people participated in the Project conducting to have at its disposal a varied kind of previous experiences. So it is worth to be mentioned that among the participants in the Project there were plant specialists in different fields and also people with experience in Atucha PSA, from both the own plant and the Nuclear Safety Head Office, specialists from the Atomic Energy National Commission and from the Regulatory Body. Also, technical visits from the designer (AECL) and from IAEA experts were carried out in order to support PSA team. In this way, IAEA provided two 'one- week' type expert missions.

Foreign specialists from Romanian and Cuban PSA groups, with previous experience in their respective PSA projects, develop different activities for Embalse PSA during relatively large periods. This was an important contribution to the Project and also allowed them to get a good knowledge on an operating plant. IAEA support was fundamental in this point.

Although PSA general applications is not the main objective of this paper, it is anyway considered important to mention that PSA results are starting to be used in different fields. As examples they can be indicated the following cases: a) PSA Human Reliability analyst work in conjunction with people who develop Emergency Operating Procedures (EOP) in order to optimize then and make compatible aspects that sometimes can go in an opposite way, as the following: • The 'needs' of PSA analysts of assuring that human actions (HA) included in the event sequences are contemplated in EOPs. • The need of Operation groups that the information included in EOPs is not complicated enough due to the adding of excessive information. b) Plant modifications are evaluated with PSA model, but at the present only at a system level impact. Impact at a whole model level will be done in the near future. c) Plant configuration analysis are expected to be done. At present, system configurations are included in some way through safety systems performance indicators. These indicators had been developed up to now using simplified systems fault trees but were gradually replaced by detailed fault trees developed for PSA Project.

Performance Indicators at Embalse NPP are described next in a general way. Particular attention is paid to Safety Systems Performance Indicators and their relationship with PSA models.

2. SAFETY INDICATORS AT EMBALSE NPP Next group of indicators had been defined in a given moment at Embalse NPP in order to analyse some important issues related to plant operation performance:

Fuel Burning Annual Unavailability of Emergency Core Cooling System Fuel Failure Rate in the last 12 months Annual Unavailability of AC Power Stand-by Diesel Generators Number of Work Orders accumulated and 'Ages' Annual Unavailability of Containment Dousing System Number of Modifications to Prev. Mainten. Annual Unavailability of Containment Isolation Valves program Number of Modifications to Routine Tests Annual Unavailab. of Reactor Shutdown System 1 (shutoff procedures rods) Number of Work Orders related to design changes Annual Unavailability of Reactor Shutdown System # 2 with pending documentation updating (Liquid poison injection) Accomplishment of Preventive Maintenance Accomplishment of the Equipment Rotation program program Accomplishment of the Routine Tests program Number of Work Orders accumulated requiring plant in (in order to report if any one is pending) shutdown state for its execution Number of Audits / Surveillance Number of Corrective Actions Training Hours: Executed vs. Programmed Absenteeism (Personnel Availability)

246 This set of indicators implemented at Embalse NPP was completed with those defined by WANO, i.e.:

Fuel reliability - Steady State Reactor Coolant Safety Systems Performance (for HPECI, ABF and EACP). Activity Thermal Performance , Generation Data (Unit Capability, Unplanned Automatic Scrams) Radiation Protection (Collective Radiation Exposure, Chemical (S/G Blowdown Sodium, Chloride & Sulfate Volume of Solid Radioactive Waste) Concentration, etc.) Personnel Safety (Industrial Safety Accident Rate)

2.1. Safety systems indicators

2.1.1. Background At Embalse NPP there are four 'Special Safety Systems' defined: the two reactor shutdown systems, the emergency core cooling system and the containment safety functions. During the plant commissioning stage, the designer left the concept of calculating the so-called 'Annual Actual Past Unavailability' for these systems in order to verify that each individual value was kept lower than 10"3 year/year.

Some relevant: aspects of the calculation methodology for these values were the following: • If a system had kept at least one redundancy path available during one year, the Actual Past Unavailability for the system was assumed as 0 (zero), because it was considered that system never had lost its minimal capability to operate properly in case of being demanded. • If the system was completely unavailable for any reason, for a given period (for instance 8 hours) the system unavailability was defined as the number of hours unavailable divided the total number of hours that the system was required in the year (for instance 8000 hs.). Using as an example the values indicated in brackets, Actual Past Unavailability would be 10"3.

In case that one redundant train of a system had been available during all the period, this method did not allow to distinguish — because it was indistinct for the indicator result — if other redundant paths were 100 % available or it had experienced any problems instead. This has been considered at Embalse NPP as a rigid methodology with the shortcoming of potential masking of important failures and unavailabilities.

2.1.2. WANO Safety Systems Performance Indicators WANO Guideline establishes that Safety Performance Indicators are calculated for three systems (HPECI, EACP, ABF). According to the definition the way to obtain them is; dividing the hours that any component of the system is unavailable by total time in the period considered. Redundancies are simply taken into account dividing the result by the number of trains. This tms the advantage: that the value is easy to be calculated and understood but the disadvantage that they do not give a good representation of systems characteristics, mainly from the point of view of the redundancies.

2.1.3. Safety Systems Performance Indicators (SSPI) defined at Embalse NPP In order to solve the disadvantages of not taking into account the redundancies in a proper way, a different way to develop these indicators was implemented at Embalse. This method is a hybrid one and it mixes probabilistic approaches with actual past facts. Although this is not strictly correct from the point of view of the methodology, it has the important advantage that every cause of unavailability of the different components is reflected in the result. These indicators, generically called 'X System Unavailability during the year Y' are obtained, in the following way: • Taking a simplified but normal fault tree of the system, a basic system unreliability (Qs) is calculated taking into account the normal parameters considered in a fault tree, i.e. system configuration, failure rates, tests frequencies, etc. If no problem occurred in the system during the considered year, it is defined that the system annual past unavailability is Qs (not '()'). This intends to indicate that system configuration was kept during the whole year and the probability

247 of not being available, in case it had been demanded, was the calculated through the 'normal' fault tree. • When any component was effectively unavailable for any reason during a given period Ti of the year, value '1' is assigned to its unavailability and a new degraded system unreliability value, Qdi, is calculated for this system configuration. This is repeated the necessary number of times, according to the actual unavailabilities observed. • In order to obtain the annual unavailability Qy of the system the contributions are weighted with the time period Ti that every configuration actually occurred: Qy = SUM over i {Qdi * Ti / 1 year} + Qs * Tr / 1 year where Tr is the remaining time in the year (1 year - the sum over i of all Ti.)

This approach has the double advantage of: • reflecting any kind of component unavailability in the system; • being essentially conservative: components that actually underwent any unavailability are properly included, while the rest of components, with non observed unavailability during the time period, are nevertheless affected by their normal failure probability.

The present system availability can be measured both in absolute, through this definition of Qy, and in relative by the ratio (Qy-Qs)/ Qs, which provides a figure of the system degradation in a proportional way. No arbitrary target or reference value is necessary in this approach.

What could be objected, namely the validity of the simple fault tree model, is a point treated later on.

Analysing the trend of Qy and the causes of contributions to systems unavailability, actions are taken endeavouring to minimize these contributions. These indicators were extended also to other systems different from the 'four special safety systems'.

2.1.4. Data collection for obtaining safety systems performance indicators The data required to obtain the safety systems performance indicators are mainly, the failures recorded in a given period and the unavailabilities due to maintenance. Sources of information are:

a) Test procedures records In order to get such kind of data, operations test procedures records are daily checked by technical support people. Failures detected for a given system are classified in five types depending on whether they lead to: 1) system becomes completely unavailable, 2) a decreasing in the efficacy of the system, 3) a redundancy is lost, 4) no implication in system availability (except due to the related maintenance) because failure is incipient and 5) evolution to the safe way but affecting normal operation of the plant. When a failure detected in a test is one of the type included in any one of the first three groups, affecting a component availability, the weight of the component in the system is analysed through the corresponding fault tree. Time with the failure present is assumed as half the time between the last successful test and the test that revealed the failure.

b) Work orders If any doubt is kept about whether a given failure is a catastrophic one or not for a component, work orders open to repair the failure are analysed to pick up more data. If information found there is not clear enough, plant maintenance specialists are consulted. For instance, if an important oil leakage is detected during a test for a stand-by pump, mechanical specialists of the plant are consulted before classifying the failure. They give their judgement about whether or not the pump would be available to work for 24 hours in case of an actual demand (24 hs is the reference components mission time for PSA and safety systems performance analysis).

c) Operation logs Shift supervisor and operator logs are consulted on a daily basis in order to get information about equipment status, maintenance activities and times in which equipment become unavailable and

248 re-established after a given maintenance. Maintenance times are counted to obtain safety systems performance indicators if they lead to a decreasing in system reliability.

2.2.PSA models and Safety Systems Indicators Fault trees developed for Embalse NPP PSA are more detailed than the original and simplified models used for obtaining the indicators. However, some cares have to be taken before replacing the 'old' fault trees by the 'new' ones; mainly when the intention is to compare trends.

Among the PSA results it is frequently observed that two issues appear as important as large contributors to systems unavailabilities: • Common Cause Failures (CCF) • Human Actions (HA) PSA detailed models showed that CCF are important contributors in fault trees results. This is frequent in systems with similar redundant trains. So, if CCF are included in the calculation of the indicators they can largely override and mask contributions to the final unavailability due to particular components. As an example it can be mentioned that at Embalse NPP, for the safety function 'Primary System Loops Isolation after LOCA' the failure probability of the heading appear mul QS = 32 E-3 factor 3 when CCF between redundant valves is included.

Another point to be carefully analysed is the corresponding to Human Actions (HAs). Although the four special safety systems are essentially automatic, HAs associated to some safety related system performance can have an important impact on the results. Under a certain point of view, it may be necessary to consider the indicators without them in order to avoid to loss quantitatively the specific contribution due to individual components.

2.2.1. Indicator 'Increase of Unavailability (F^)' Simplified fault trees were used to get the indicators up to 1998. More detailed fault trees began to be used since that date and in some systems boundaries were changed. That is why sometimes is not possible to compare the results of different years because the base to calculate are different.

In order to compare trends it was thought useful to define a factor called Increase of Unavailability (FIND)- This factor represents the increase of the annual unavailability of the system referred to the basic value taken as reference (Qs). F^ = (Qy - Qs) / Qs.

2.2.2. Examples Two examples based on hypothetical configurations postulated are presented to show: a) the calculation steps to get the annual unavailability for a system in a year, taking into consideration a couple of contributions due to a failure and a maintenance. b) values of system unavailability as well as the factor Fno for different years resulting from calculate them with the old simplified models, the new models without HA. and CCF and the new models with HA and CCF. Q Example a) This example shows contributions of 5.7 E3 components unavailabilities in the whole system

unavailability for a given system during a year. It is 3 calculated assuming that two degraded system 4.6 E" configurations were presented during the year: 1) One MV fails during a monthly test and 2) One pump under a large maintenance. 3.0 E-3

2000 Year

249 1. Contribution of the configuration 1 (CC1) Degraded condition: One MV fails during a monthly test Degraded System Unavailability 4 * 10'2 . Obtained from the modified fault tree without the MV (assigning T to MV unavailability) Failure duration: 15 days (dormant failure during 15 days assumed) CC1 = 4 * 10"2 * 15 days / 365 days 1.6* 1(T3

2. Contribution of the configuration 2 (CC2) Degraded condition: One pump in a large maintenance. Degraded System Unavailability 8 * 10'2 . Obtained from the modified fault tree without the Pump, (assigning 7' to Pump unavailability) Failure duration: 5 days CC1 = 8 * 10'2 * 5 days / 365 days 1.1 * 1(T3

B. Contribution of the basic system unavailability (CCB) Condition: Normal configuration of the system Basic system unavailability (Qs): 3.2 * 10"3 . Assumed in this example and obtained from the 'normal' fault tree that includes all the components. Duration of this configuration: 345 days (whole year less time any component unavailable). CCB = 3.2* 10-3 * 345 days/365 days 3 * 10-3

3 Annual System Unavailability Qy = CC1 + CC2 + CCB = 5.7 * 10 Increase of Unavailability Factor: = (Qyear-Qs)/Qs = 0.78

Example b) This example shows the differences in unavailability and increase of unavailability factor results by obtaining them from different basic fault trees for ECCS and assuming hypothetical failures. 1: Obtained from 'old' simplified fault trees that consider High, Medium and Low Pressure stages (HP, MP, LP) of the system but not including Human Actions (HA) nor Common Cause Failures (CCF). 2: Obtained from detailed fault trees from PSA for HP and MP stages taking away CCF. This fault tree without LP stage was chosen because it does not include HA that mask the rest of the contributions. 3: Obtained from detailed fault trees from PSA including all the stages and HA and CCF.

FIG. 1. COMPARISON BETWEEN SYSTEM ANNUAL UNAVAILABILITIES OBTAINED BY DIFFERENT WAYS

1.6E-02 1.4E-02 1.2E-02 1 .OE-02 8.0E-03 6.0E-03 -H 4.0E-03 2.0E-03 0.0E+00

YEAR

250 It can be seen that Qy from 1 and 2 are quite different. This occurs due to the fact that the system boundaries taken as reference are different. For case 1 the HP, MP and LP stages have been taken while for case 2 LP was not considered. However as can be seen in Figure 2 the proportional factor FIND from 1 and 2 are quite similar. This shows the advantage of this factor in order to compare trends.

For year 96 FIND 1 and 2 are well different because of a failure was assumed in a LP Stage and it cannot be distinguished using model 2 because LP is not included in the fault tree selected as reference.

For case 3 even FIND are well different and that is due to the fact that HA and CCF have been included in the basic fault tree. So when a failure or a maintenance occur their contribution are usually masked for the large contribution of HA and CCF being the indicator less sensible to the degraded configurations that took place during the year.

FIG. 2. COMPARISON BETWEEN FIND FACTORS OBTAINED BY DIFFERENT WAYS

1.80 1.60 1.40 1.20 1.00 0.80 0.60 0.40 0.20 0.00 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 DFIND1 1.56 0.75 0.63 0.00 0.19 1.00 0.00 0.44 0.59 0.19 0FIND2 1.42 0.75 0.58 0.00 0.17 0.25 0.00 0.42 0.58 0.17 IFIND3 0.52 0.23 0.21 0.00 0.07 0.33 0.00 0.17 0.20 0.07 YEAR

3. CONCLUSIONS A set of indicators have been developed at Embalse NPP in order to evaluate plant and personnel performance. For safety systems, indicators measure system past availability. A method was developed to calculate them and it has the advantage that allows to distinguish differences in the performance of a system, although when in a strict way it was available the whole time. This method takes into account the loss of redundancies and the impact of the components unavailabilities in the system from a probabilistic point of view.

Originally this method was developed using simplified fault trees. Afterwards a comprehensive Level 1 PSA, with the main characteristic of being strongly interactive with plant operational staff, has been carried out in last years. As a product of such a PSA Study new and more complex fault trees have been obtained. Detailed fault trees developed in the framework of Level 1 PSA are in principle fully applicable to continue getting safety performance indicators in a similar way.

251 In order to compare trends a- proportional factor was defined and it indicates that the relationship of system annual unavailability in relation to basic value are kept similar using simplified or detailed fault trees. However, it is not the same if CCF and HA are included in the models to get the Safety Systems Indicators, because their high relative weights usually mask particular component unavailabilities contributions.

252 XAG102805 IAEA-CN-82/20

DEVELOPMENT AND USE OF SAFETY INDICATORS AT STUK

TIIPPANA, P. Radiation and Nuclear Safety Authority, STUK P.O.Box 14, FIN-00881 Helsinki, Finland Fax: +358 9 7598 8382; Email: [email protected]

Abstract

This paper gives an outline of the development and use of STUK's indicator system at the department of Nuclear Reactor Regulation (YTO) in the Radiation and Nuclear Safety Authority, STUK. Indicators used at YTO are measures related to the safety of nuclear installations and regulatory activities. Indicators are numbers, ratios, percentages and amounts of interested matters that are found suitable for regulatory purposes, that is assessment and trending of the safety of nuclear installations and regulatory activities.

STUK's indicator system is divided into two main areas; safety of nuclear facilities and regulatory activities. Safety of nuclear facilities is divided into 3 areas based on the concept of defence in depth; safety and quality culture, operational events and physical barriers. Regulatory activities are also divided into 3 areas; working processes, resource management and regeneration and ability to work. These areas are measured using several indicators. At the moment some of these indicators are included in YTO's management system to measure whether internally set goals ;are achieved or not.

1. GENERAL The Radiation and Nuclear Safety Authority, STUK, is the nuclear regulatory body in Finland. STUK's regulatory activities comprise all safety review and all safety related inspections at the Finnish NPP's, as well as drafting of safety regulations and issuing of regulatory guides. Indicators are used as a complementary tool in the nuclear safety regulation in addition to inspections and safety reviews as well as a tool for management of YTO's own activities.

1.1 Goal of the indicator system The indicator sj^stem has been intended for an information system which different functional sectors within YTO can utilise in their daily work. The indicator system is appliceible for assessing and especially detecting changes in the safety level of NPPs as well as assessing success of the strategy plan and for focusing safety review and inspection programme at YTO. Goals of the indicator system are to illustrate levels and trends of nuclear safety in a quantitative manner, to identify weaknesses at nuclear power plants, to focus and optimise the use of YTO's resources and to evaluate and develop YTO's review and inspection activities.

1.2 Development project Development of a set of safety related indicators has included several steps, such, as: determination of monitoring areas taking account existing data sources; nomination of candidate indicators for each interest area; data collection, data validation and test calculations; development of an information system for indicators; reporting.

Objectives and areas to be monitored were defined during the winter of 1995-1996. Initial data collection, data analysis and test calculations were performed during the summer of 1996. A decision to adopt the indicator system as a managerial tool was made in 1997. This decision was extremely important for the utilisation of the system. Some new projects were also initiated in 1997 to develop

253 additional indicators for certain areas. These are discussed later in the text. Between 1998-2001 the system has changed; some new indicators has been included into the system and some have been dropped out based on the information obtained from test calculations. The system has been introduced to the personnel of YTO and each indicator has a responsible person, the user, which is essential for the utilisation of the system. At the moment, adoption of Balanced Score Card system is under planning and discussion at STUK and this may change the use and role of indicators at STUK in the near future.

1.3 Experience from the development project Development of the indicator system has given experience and ideas. Some of them are listed below: Documents published by the IAEA and other international organisations have been a useful tool to get familiarised with the concept of an indicator system as well as to organise the development project. The limited number of existing data sources restricts the possibilities for determination of specific indicators. This should be noted at an early stage. In practice, the areas to be monitored may be examined on a theoretical basis, whereas the specific indicators should not be nominated before getting familiarised with the data sources. The acceptability and usefulness of the indicator system within the regulatory body can be improved by asking for needs and opinions of the staff. Furthermore, participation of the staff in the data collection and analysis should improve the commitment throughout the organisation. Interpretation of the results (figures) should be carried out carefully. The focus of the analysis should lie on the trends and reasons for changes instead of numbers. One should be careful when using indicators for comparison between nuclear power plants.

2. DESCRIPTION OF THE PRESENT INDICATOR SYSTEM The indicator system is divided in two principal groups, that are the safety of a nuclear facility and the regulatory activities. Indicators describing the safety of nuclear facilities can also be utilised to assess effectiveness of STUK, from regulator's point of view 'outcome' of activities. These indicators are so called indirect indicators because these reflect mostly the achievements of the operating organisations, but STUK can also make some contribution on them. Consideration of the area of 'NPP safety' is based on the adoption of the concept of 'Defence in Depth'. The areas (or layers) under consideration are Safety and Quality culture, Operational events and Physical barriers. Indicators concerning regulatory activities are applicable for assessing work processes, resource management and personnel viewpoints. So far these are used to follow fulfilment of QA requirements.

The principal groups A, 'Safety of nuclear facilities' and B, 'Regulatory activities' of the indicator system are divided into sub-groups and further into indicator areas as presented in Table I.

Table I. Structure of the indicator system and indicator areas. A. Safety of nuclear facilities B. Regulatory activities Al Safety and quality culture Bl Working processes Al. 1 Failures and their repairs B1.1 Fulfilment of outcome targets Al .2 Number of TTKE deviations B1.2 Timely decision making A1.3 Availability of safety systems B1.3 Maintenance of regulations Al .4 Radiation doses B1.4 Implementation of inspection program Al .5 Radioactive releases B1.5 Steering of contracted safety research Al .6 Documentation B1.6 Actions in abnormal situations Al .7 Investments on plant safety A2 Operational events B2 Resource management A2.1 Number of events B2.1 Resources for regulatory control of nuclear safety A2.2 Significance of events B2.2 Distribution of work load A2.3 Causes of events

254 A2.4 Number of fire alarms A3 Structural integrity B3 Regeneration and ability to work: A3.1 Integrity of nuclear fuel B3.1 Maintenance of YTV Quality Manual A3.2 Integrity of primary circuit B3.2 Execution of development projects A3.3 Integrity of containment B3.3 Execution of training program B3.4 Work satisfaction B3.5 Compliance with values

The review period of the indicators related to the safety of nuclear facilities is a calendar year, but in some cases also the operating cycle. Indicators related to the regulatory activities are determined every calendar year. The data collection has been performed separately for each indicator based on licensee reports and data available within the regulatory body.

3. EXAMPLES OF RESULTS AND USE OF INDICATORS Numerical values for the majority of all indicators have already been calculated for a period of several years. The figures (or trends) clearly demonstrate the usefulness of quantitative indicators, not only for nuclear safety regulation but also for illustrating the quality of the regulator's work. YTO has recently paid attention to improve the quality of its own activities within the nuclear safety regulation. For several areas of activities, a positive development can be observed by use of indicators. However, according to the figures continued inadequate performance has been seen in some areas, and there is an obvious need for improvement. As mentioned earlier a sub-set of indicators are also being used for setting goals and measuring YTO's own performance on annual basis. Examples of those goals and respective results are shown in the in the following section. These indicators are calculated and reported to the management at the end of each year. Changes in indicator values are analysed generally. Based on indicator values further activities have been started.

In practise indicators of the safety of nuclear installations are mainly used as a background material for the discussions between regulatory and licensee management, safety assessment and inspections. Indicators describing regulatory activities are mainly used internally to follow-up the fulfilment of QA requirements and planning.

3.1. Outcome of the regulatory work YTO's internal goals are presented inside quotation marks before the figures.

"The number of technical and human originated "Collective radiation doses do not exceed 5.78 CCFs does not increase remarkably." man Sv / 4 NPP units. Annual doses for each individual do not exceed 20 mSv, considering the average value for 5 years period." \ 1

«•

10-

»• 6- i

«• 2- T11 I 0 3^ 95-96 J R 96-99 9940 H !K-97 97-96 not 4 6 7 11 10

FIG. 1. Annual numbers of human originated FIG. 2. Annual collective doses recorded at CCFs at a two-unit Olkiluoto site. Olkiluoto two-unit site.

255 "NPPs are operated in compliance with Tech. "The dose of the most exposed person living near Specs." the NPP is below 0.005 mSv/year." Note that this is the performance goal. Limit in the license is 0.1 mSv/year.

FIG. 3. The indicator value is the number of FIG. 4. Annual doses (uSv/a) based on the recorded deviations at Loviisa NPP. releases from the Olkiluoto NPP, and calculations with a conservative dose model.

"Core damage risk contribution from actually "Fuel integrity, integrity of primary circuit and occurred events does not exceed 5%." integrity of containment fulfil requirements, and no significant negative changes are seen."

14,00

12,00

10,00

8,00 6,00- - I 4.00 2.00 1 0,00 1 1995 1996 1997 4199n8 1999 2000 • LO1 2.78 2.66 1,54 5.09 2,30 7,30 DLO2 5.83 217 3,80 1.87 6.90 12.10

FIG. 5. As-occurred risk contribution at Loviisa FIG. 6. The proportion of isolation valves at NPP, presented as a percentage of the average Olkiluoto NPP, which passed the first leakage annual core damage risk, which is estimated in testOutput of the regulatory work the PSA study (see more explanation later in the text).

256 3.2. Output of the regulatory work

"All inspections included in STUK's annual "Decisions on reviewed items at STUK are made inspection programme are performed and within 3 months." reported."

0,60-

0,50-

0,40- 0,30- 1 0,20- 1 0,10- • l 1933119S 199 19S 19E 199 19E 2000 • afle 1 kk 0.54 O.S 0.5 0,5 US 0,4 0.5 0.59 D1-3kk 0,29 0.2 0.2 0.3 i).: 0.2 0.2 0,27 • yli3kk 0.17 0.1 0.1 0.1 0.1 0.2 0.2 0.14

FIG. 7. The proportion of planned inspections FIG. 8. The proportion of different review times made in a given year and the proportion of concerning Loviisa NPP inspections performed on time (Olkiluoto NPP)

"Regulatory guides are updated according to the "R&D funded by STUK support effectively annual plan." regulatory activities. Research programs are reported by the contractor according to the contract. Research reports are analysed and commented during one month by STUK experts."

FIG. 9. The proportion of updates, as compared FIG. 10. The proportion of comments issued on with the plans. time

4. FUTURE ACTIVITIES At the moment indicators are available to STUK's personnel in the Intranet. Still there are tasks that should be done in order to form a well functioning indicator system. For example, requirements on the licensee reporting should be assessed against the information needed for calculation of indicators. For example, the information needed for some indicators is not regularly submitted to STUK at the moment. Updating of the relevant Guide YVL 1.5 is ongoing. In addition annual internal reporting practice for all indicators should be developed and started.

257 5. DEVELOPMENT OF SPECIFIC SAFETY RELATED INDICATORS

5.1. PSA-based indicators A few PSA-based indicators have been set up in order to identify the safety significance and to follow up and monitor the risk development of specific events in NPP operation as follows: 1. exemptions from the Technical Specifications; 2. failures of devices covered by the Technical Specifications; 3. preventive maintenance and other disconnection of devices covered by the Technical Specifications; 4. operating events.

Each indicator is given as the annual sum of core damage frequency contributions from respective type of events, divided by the average annual core damage frequency from the PSA study. Each sum contains all respective events that reduce the reliability of some safety function, and thus cause a temporary risk increase above the basic risk level. Basic risk level prevails when no deviations from faultless plant condition are known to exist. One should recognise that the basic risk level already contains the risk contribution from majority of the aforementioned events that reduce the safety systems reliability. At a plant performing properly, a low indicator value demonstrates that the risk contributors which can be measured have a minor impact to the total risk. The majority of risk comes from infrequent significant initiators such as LOCAs, Loss of offsite power etc. Figure 5 of this paper presents a sum of all four indicators (exemptions from Tech. Specs., failures, maintenance, other events). The associated plant configurations necessary for PSA based indicators are calculated using plant specific living PSA-programs.

While developing the risk based indicators, one should be aware of the limitations of PSA such as completeness problem, modelling uncertainty, shortages in human error analysis and CCF analysis etc., which result in uncertainty into the PSA figures. These uncertainties however are found rather insignificant as concerns the use of indicators. The main problem within the PSA based indicators is that some issues are difficult or even impossible to model with the current PSA-model. Hence it is required that a sophisticated Living PSA system including extensive and detailed system models, with a well established data collection and processing system to provide plant specific data, and an efficient, user friendly PSA code are available. If these conditions are met, the determination of PSA based indicators is quite straightforward.

5.2. Indicators based on plant specific fault data statistic Based on the study at STUK useful indicators can also be extracted from fault data records, such as indicators for the common cause failures and the quality of maintenance. The idea was to examine the usability of fault data records in calculation and screening of different types of failures. The analysis of common cause failures was based on a method jointly developed by STUK and VTT (STUK's main contractor for nuclear safety research). These indicators have been developed and defined only for Olkiluoto nuclear power plant. The indicators are simply the numbers of different failure types. The screening of the plant specific fault data covered years 1995-1996 (about 2800 cases). Failures at Loviisa NPP are currently being analysed in a new project contracted to VTT. Common cause failures were divided into two categories — to human or technical failures. These were further divided to critical or non-critical failure classes according to their influence on system or devices. When screening failures also individual human errors and multiple technical failures were identified. These indicators describe the work quality of maintenance that could be essential safety issue under deregulated energy markets and subsequently growing use of subcontractors.

5.3. Safety culture indicators Evaluation of the current level of safety culture by quantitative means has proven to be a complex task. However, instead of direct measurement of safety culture STUK has tried a somewhat different approach. It was considered that the evaluation of safety culture could be carried out by identification of features of safety culture by measuring the values of safety critical organisations (culture of the

258 organisation) because they reflect also safety culture. A project to develop such a methodology was started at the beginning of 1999 in co-operation with VTT. Pilot project was focused on STUK's organisation and the goal was to develop a tool to assess safety culture that STUK could also use to assess utilities. At the moment, the method is under discussion in Finland and the next phase is to apply it to maintenance groups at NPPs. Based on the study STUK has also included internal value indicators (based on self assessment results) into the indicator system but the data collection has just started and so fxending is not possible at this stage.

6. CONCLUSIONS The experience STUK has got on the use of indicators has clearly demonstrated the usefulness of quantitative indicators, not only for the nuclear safety regulation but also for illustrating the quality of the regulator's work. However, development of an indicator system has not been an easy task and it will take a long time and a lot of effort to implement a functional indicator system. So far present indicators have been successfully used for background material for the discussions between regulatory and licensee management, safety assessment and inspections and public information. Based on the results it can be said that the use of indicators at STUK will get more emphasis in the future. However, based on STUK's experience, indicators should only be used as a supporting tool for regulatory body in its regulatory work and in any case the interpretation of the results of indicators has to be done very carefully and not jump in to conclusions without a proper analysis. It is very essential to know what is the data behind the indicator and what it really measures. This is even more important if indicators are used for comparison for example between NPPs.

259 XAO102806 IAEA-CN-82/21

IMPROVEMENT PROGRAMME OF SAFETY PERFORMANCE INDICATORS (SPIs) IN KOREA

LEE, S. Y. Korea Institute of Nuclear Safety P.O. Box. 114, Yu-Sung Taejon, Republic of Korea Fax: +82-42-863-3381, Email: [email protected]

Abstract

KINS has developed and used Safety Performance Indicators (SPIs), which are count based and composed of 10 indicators in 8 areas, to monitor the trend of performance of NPPs in Korea since 1997. However, the limited usage of SPIs and the increasing worldwide interest on SPIs became the motivation of the SPI improvement programme in Korea. Korea is planning to establish plant performance evaluation programme through analysis of SPI and result of inspection. The SPI improvement programme is a part of the plant performance evaluation programme and includes study on performance evaluation areas, indicator categories, selection and development of indicators, redefinition of indicators and introduction of graphical display system.

The selected performance evaluation areas are general performance, reactor safety and radiation safety. Each area will have categories as sub-areas and total six categories are selected. One or two indicators for each category are determined or will be developed to make a set of Safety Performance Indicators. Also graphic display system will be introduced to extend the usage of SPIs.

1. INTRODUCTION Performance indicators for the quantitative assessment of NPP's operational performance have developed and used by many operating organizations, regulatory bodies, and international organizations as their own purposes. The performance indicators can be used to monitor and to gain perspective on performance and progress of a nuclear power plant. The Pis also provide an indication of the possible need to adjust priorities and resources to achieve improved performance.

The importance and usefulness of performance indicators were recognized also in Korea and SPIs for Korean nuclear power plants were developed through a government-funded project in 1997 by KINS with the cooperation of the Korea Electric Power Corporation (KEPCO). The SPIs, currently used after one-year trial application and modification, are composed of 8 indicators for PWR plants. The SPIs for CANDU reactors are searched separately because CANDU reactors have different characteristics with PWRs and relatively less operating experience than PWRs in Korea.

Korean is planning and studying the establishment of plant performance evaluation programme. This programme will evaluate each operating NPPs in Korea using the analysis of SPIs and inspection results. However, current SPIs are all traditional count-based indicators and no performance goals were set. Also the increasing chances of comparing safety performance among plants or countries and the demand to utilize SPIs for regulatory purpose initiated the introduction of new concept, for example risk concept, into the safety performance indicators and graphic display system. The possibility of regulation policy change to performance-based regulation and increasing demand of public communication tool is also a motivation of the SPI improvement programme. Currently, the international trends are also seeking the possibilities of expanding the usage of SPIs. For example, the OECD/NEA just started Working Group for developing IPIS (International Performance Indicator System) and US NRC developed and started 'New regulatory oversight programme' (NUREG-1649).

260 Overall improvement programme and results up to now are presented and allso the result of current SPIs are illustrated in Figure 1.

Unit Capability Factor j Unplanned Outage Rate I

90 91 92 93 94 95 96 97 98 99 90 91 92 93 94 95 96 97 9i! 99

Unplanned Scrams for Critical Period | Safety System Actuation 1.0 1 0.5 11

, III. 1 to .llll 11.III. I l90 l91 92 93 94 95 96 97 9f. 99 Year

Primary System Boundary Integrity | Fuel Reliability \

90 91 92 93 94 95 96 97 98 99

Radiation Collective Dose j Low Level Solid Radioactive Waste I il Hull 90 91 92 93 94 95 96 97 98 99 90 91 92 93 94 95 96 97 98 99

FIG. 1. Average trend of each indicator

261 2. FRAME WORK OF SPI IMPROVEMENT PROGRAMME

2.1. Safety performance evaluation area and categories First of all, the areas to be evaluated to measure the safety performance of a plant are determined. The performance evaluation areas are selected based on the final goal of nuclear safety that is to protect public and environment from radiological hazards. Those areas are general performance area, reactor safety area and radiation safety area. The general performance area is not directly related to the safety but can show overall performance which depends on the operation and maintenance.

The reactor safety area can be sub-divided into three categories, integrity of multiple barriers, initiating events and mitigation system. The safety of nuclear plant could be assured when the multiple barriers maintain their integrity. These barriers include fuel, primary coolant, containment and emergency preparedness. Indicators to measure the integrity of each barrier are selected.

Safety performance can also be measured by the occurrence of reportable events and availability of mitigation system. Korean reporting criteria prescribes many reportable events and unplanned reactor scram is one of the important reportable events. Safety Injection system and emergency diesel generator are major accident mitigation systems.

Radiation safety, both on site and off site, is an important area to measure the safety performance of a nuclear power plant.

In summary, the areas and categories for SPIs are as follows; • general performance area; • operation; • maintenance; • reactor safety area; • initiating events; • multiple barrier; • mitigation system; • radiation safety area; • on site radiation safety • off site radiation safety.

2.2. Selection of SPIs Characteristics of SPIs are considered before the selection of appropriate indicators within each performance evaluation area. The characteristics of improved SPIs should be; based on current SPIs; able to cover safety related areas; balanced among indicators; balanced reactor types in Korea; comparable with other countries or plants; based on available and controllable data; and possible to communicate with public.

Based on the above characteristics of SPIs and areas and categories for SPIs, most of the current SPIs are adopted and additional SPIs to be developed are determined. Those SPIs adopted from current SPIs are reviewed and some of the SPIs need to be redefined following the new concept of improved SPIs.

Besides the selected SPIs additional SPI candidates are proposed and are under review. Those are unplanned power reduction indicator and number of reportable events in initiator area etc.

262 2.3. Definition of selected SPIs

2.3.1. General performance area In this area, there are two categories and one indicator for each category. Unit Capability Factor and Unit Outage Rate were selected as indicators to measure operational and maintenance sub-area under general performance area.

• Operation Indicator (UCF): Unit Capability Factor UCF = actual electricity generation/design capacity • Maintenance Indicator (UOR): Unit Outage Rate UOR = unplanned outage time/ (unplanned outage time + reactor operating time).

2.3.2. Reactor safety area • Initiating event Unplanned Reactor Scram is selected as an indicator representing the Initiating events because the unplanned reactor scram is the major event in frequency of report among reportable events. Indicator (USR): Unplanned Reactor Scram USR = No. Of unplanned reactor scram for 7000 critical hours Unplanned power reduction and number of reported events are candid indicators in this area.

• Multiple barriers All the physical and non-physical barriers are selected in the category of multiple barriers. These are Fuel, Primary Coolant, Containment and Emergency Preparedness. Fuel Indicator (FR): Fuel Reliability FR = 1-131 equivalent activity in primary coolant (same as WANO's) Primary Coolant Indicator (PCL): Primary coolant leakage PCL = Primary Coolant Leak Rate Containment Indicator (CL): under development Containment leakage-during test is a candid indicator. Emergency Preparedness Indicator (EP): under development Number of findings in the inspection of emergency response facility could be an indicator.

• Mitigation System Safety Injection System availability and the availability of Emergency Diesel Generator are selected as indicators for mitigating system. PSA result will be incorporated in these indicators. Safety Injection Indicator (SIA): SI system Availability SLA = Availability of SI system Emergency DG Indicator (DGA): DG availability DGA = Availability of EDG.

2.3.3. Radiation Safety Area Radiation Safety area has two indicators which are on site radiation safety and off site radiation safety. On-site Radiation Safety Indicator (RCD): Radiation Collective Dose RCD := Radiation collective dose including sub-contractors Off-site Radiation Safety Indicator (ORE): under development ORE := off-site radiological effects ODCM could be used for this indicator.

263 Safety Performance Category Indicator Remark Evaluation Area General Operation - Unit Capability Factor Maintenance - Unplanned Outage Rate Initiator - Unplanned Reactor Scram Multiple Barrier - Fuel Reliability - Primary Coolant Leakage - Containment Leakage UD* Reactor Safety - Emergency Preparedness UD*

Mitigation System - SI availability - DG availability

Radiation Safety On site radiation safety - Radiation Collective Dose UD* Off site radiation safety - Public Dose/Environmental Radiation * UD: under development

Table I. SPI summary

2.4. Performance classification and graphical display The PI improvement programme includes graphical display of SPIs of each plant. All the safety performance will be classified as four levels which are satisfactory, acceptable, attention and unacceptable. The threshold of each level will be determined by using PSA results and statistical method based on database. This graphical display system will make SPIs more easier to evaluate plant safety performance for users and public. Proto-type graphical display form was suggested and under development by computer engineers and web designers.

3. CONCLUSION AND FUTURE WORK The increasing interest on SPI and changing regulatory environment was the motivation of the SPI improvement programme. The improved SPIs will be based on current SPIs but the concept of whole system will be quite different. Current SPIs were developed on count-base and lack of completeness and comparability limited the utilization of them. They could only give average performance trend and no thresholds for acceptable performance level were established. The improved SPIs will have more completeness and comparability by more comprehensive study and introducing PSA. With the improved SPIs and other regulatory measures the acceptability of safety performance of all NPPs in Korea and appropriate regulatory response could be determined. In addition, the SPIs with graphic display system will serve as a public information tool for easier understanding of safety performance ofNPPs.

Once the draft of the improved SPIs and graphical display system is completed, trial use on pilot plant is planned. Any deficiency or unpractical findings will be corrected and modified for actual use. Also additional SPIs will be added if required during trial use or actual use of the new SPIs.

We understand the SPIs are not stand only tools to evaluate safety performance of a plant and may have adverse effects for example operator bias when abused. User manual describing not only the purpose and definition of each SPI but also limitations and adequate usage of SPIs will be prepared.

264 References

[1] INTERNATIONAL ATOMIC ENERGY AGENCY, Operational safety performance indicators for nuclear power plants (IAEA-TECDOC-1141), IAEA, Vienna (2000). [2] NUCLEAR ENERGY INSTITUTE, Regulatory Assessment Performance Indicator Guideline (NEI 99-02), (1999). [3] INTERNATIONAL ATOMIC ENERGY AGENCY/NUCLEAR ENERGY AGENCY OF THE ORGANIZATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT, Safety Performance Indicators (Proc. Specialist Meeting on Safety Performance Indicators, Madrid, 2000), IAEA/NEA/Ciemat/CSN (2000). [4] LEE, S., Performance Indicators of Korean Nuclear Power Plants (KINS/AR-729), Taejon (2000).

265 XAO102807 IAEA-CN-82/23

ESTIMATIONS OF ACTUAL AVAILABILITY

MOLAN, M.*, MOLAN, G.+ *Institute for occupational health, Korytkova 7, SI-1000 Ljubljana, Slovenia Fax: +38612317787; Email: [email protected] +HERMES SoftLab research group, Litijska 51, SI-1000 Ljubljana, Slovenia Fax: +38615865270; Email: [email protected]

Abstract

Adaptation of working environment (social, organizational, physical and physical) should assure higher level of workers availability and consequently higher level of workers performance. A special theoretical model for description of connections between environmental factors, human availability and performance was developed and validated. The central part of the model is evaluations of human actual availability in the real working situation or fitness for duties self-estimation. The model was tested in different working environments. On the numerous of 2000 workers standardized values and critical limits for Availability questionnaire were defined. Standardized method was used in identification of the most important impact of environmental factors. Identified problems were eliminated by investments in the organization in modification of selection and training procedures in humanization of working environment. For workers with behavioural and health problems individual consultancy was offered. Described method is a tool for identification of impacts, hi combination with behavioural analyses and mathematical analyses of connections offers possibilities to keep adequate level of human availability and fitness for duty in each real working situation. Model should be a tool for achieving adequate level of nuclear safety by keeping the adequate level of workers availability and fitness for duty. For each individual worker possibility for estimation of level of actual fitness for duty is possible. Effects of prolonged work and additional tasks should be evaluated. Evaluations of health status effects and ageing are possible on the individual level.

Key words: AH model, human actual availability, questionnaire of actual availability, humanization, workload, estimation

1. INTRODUCTION A high proportion of the same health problems and availability of workers in some categories of workers excited a lot of research activities with the same goal: reduction of workload and elimination of causes initiating the health problems. These reductions should be enforced whenever possible and they should assure adequate levels of human availability. All activities are oriented toward the reduction of workload to the level, which will assure less human related problems, and stable performance of the facility.

A system's performance is shaped by the level of human actual availability [1]. Achieving the adequate stable level of system's performance is the essential goal of the facility's management. Trials to reduce workloads to the level, which should assure higher availability, are so called ihumanisation measures'. Humanisation measures are determined by the state of knowledge in the area of occupational health and ergonomics. There are particular researches focused to one or to a few workloads. Suggestions as the result of these researches are specialised, focused to some particular improvements at the working environment [2]. It is difficult to eliminate all the problems at the working place and to reduce workloads to the level with minimal negative impact on workers performance and health.

Determination of connections of workers' health with performance, availability and environment are the most important goals of all expert models developed in the area of human factors. Expert models have been developed for decision making in hospital treatment in surgery, in cardiology, in neurology

266 and in internal medicine. There are no useful and friendly expert system's for decision making in the occupational health. There are no expert models for prediction of human fitness for duty and performance based on input human availability data. The general model connecting all factors from the working environment connected in the workload with the data of actual availability, health and performance evaluated through the cost benefits of humanisation changes have been defined and presented in [3].

Particular model connected data from the working environment with the data about actual availability and health was presented in [4]. Separate model connecting particular factor from the workload with availability and health or performance should be also developed. All developed models will be integrated in unique general AH (availability - humanisation) model.

2. THE OBJECTIVES In this paper the central part of the AH model is presented. The central part of the model is the method for estimation of actual availability. This is actual availability identification tool.

3. METHODS Actual availability is estimated with questionnaire of actual availability QAA. QAA is the tool for estimation of actual availability in the real situation. QAA is composed from 47 items with five-point scale.

Excellent well-being Extremely bad condition

1_ 2 3 4 5 FIG. 1 The interval of estimation

Items of the QAA are composed in seven scales. According to cluster analyses, items of QAA are grouped in the following areas of well-being: • level of physical fatigue; • level of physical fatigue; • general well-being; • motivation; • mood; • stress; • vigilance.

3.1. Procedure Results of QAA implementation were connected with the results from the 'left side' • work identification components of AH model. The data about workload were collected in field measurements of working condition (E data), in analyses of working places (O data and T data), and in pre-employment medical and psychological estimation (M data).

Majority of M data were collected in psychological evaluations of workers in the year 2000. Number of analysed workers was 37. Colleted M data described potential capacity of workers. In previous researcher general connections between potential capacity and actual availability were determined [6]. In procedure presented in this paper, measure of influence of M data on A data were defined and analysed. Sub model (WA sub model) connecting W data and A data as a part of AH model is analysed.

3.2. Sample Data were collected for workers in NPP Krsko. This group of workers support preventive maintenance activities outage and major modifications. These workers were selected for special activities in the

267 areas of high doses of ionising radiation. These are specially safety demanding activities due to the high doses, high temperature, and limited time.

3.3. Model

work load components : N E... Ecology | T... Technology | '' components' ©...Organisation j •^humanjafonnanoe '; costs M... Man (human part) / \ human fitness (health) ''.

i.humanisation s cost benefit ': \

•i H

( 2. multiplication") ?' CJL X, / (_ 1. Poisson reliability functions ) rTTpolynorn"^

FIG. 2 Availability Humanisation modeV - AH model Formal definition of AH model components and connections are based on following propositions.

Proposition 1 : Fe: £-» E, Ft: 7-» T, Fo : 0 ->• O, and Fm : "7X-> M are Poisson reliability functions.

Proposition2: W = EuTuOuMandEnTnOnM = 0

Proposition 3 : ^: W -> A, ?,: A -> P, and fe: A —> F are continuous functions.

Proposition 4 : c: C -» H and the function i is a continuous function and bijection.

Let it be M, selected item of human capacity data. Mj ={nij;i, m^, ..., xa.\tf} are measured values for one selected human capacity and

A = {{au,..., aij7},..., { a37,i,..., a37,7}} are all measured values for human availability data. For each selected human capacity parameter, measurements are approximated with function

X2 + ...+ a7 X7= m where are Xi = physical fatigue, X2 = physical fatigue, X3 = general fatigue, X4 = motivation, X5 = vigilance, X6 = mood, X7 = stress. This connection between M and A (see Figure 2) is modelled with || ||2 norm (least square method).

268 4. RESULTS AH model has been used in studies in different working environments. Average levels of perceived well-being as the indicator of actual availability are shaped by impacts of workloads factors. Major impacts are modelled and analysed. Mathematical model and logical analyses of results give us measures of influence of particular workload parameter.

4.1. Analyses of impact of education - E (1 law - 4 medium)

E = 0,28 Xj + 0,06 X2 - 0,03 X3 - 0,12 X,- 0,07 Xs + 0,10 Xe + 0,91 X7

Education shapes perceived level of actual availability. The most important is impact on perceived stress. On general perceived level stress of all workers is very low. It is in the interval of now influence on the performance. The level of perceived stress of more educated workers is in the interval of stress, which assures higher performance. Perceived stress of all workers is below the level of moderate perceived stress. More educated workers are also more motivated for work. They work very hard. Education is not very influential factor because the variability in the level of education is very small.

4.2. Analyses of impact of perception - S (time in seconds)

S - 17,8 Xi + 2,98 X2 +5,44 X3 - 0,49 X, +0,60 X5 - 4,48 X6 + 4,66 X7

Perceptual abilities shape perceived level of physical fatigue. Workers with lower level of perceptual abilities are more fatigue. On average perceived level of physical fatigue iis very low. Perceptual abilities of workers are very high. Perception abilities have been one of the selection criteria for this group of workers. Each decrease in the level of perception means higher fatigue even in the interval of adequate welfare.

4.3. Analyses of impacts of reaction capacities - R (time in seconds)

R = 14,8 X! - 3,07 X2 + 3,13 X3 + 9,06 Xt - 0,83 X» + 4,29 Xs - 1,55 Xs

There is a strong influence of reaction abilities on physical fatigue. Workers with lower level of reaction capacities feel themselves more exhausted and more physically fatigued. All abilities have influence on physical fatigue, hi the reality perception abilities are more important than reaction abilities.

4.4. Analyses of impact of anxiety - A (1 low - 5 high)

A = 3,00 X! + 12,45 X2 + 3,08 X3 +2,66 X, -1,70 X5 - 9,81 X« + 5,93 X7

According to our results level of anxiety determine perceived level of physical fatigue. More anxiety workers feel more physically fatigue. The impact is logical. Workers with higher level of anxiety are less stable and with lower level of stress resistance. Average level of perceived physical fatigue is in the interval of good welfare; comparing with other parameters of well-being it is higher. Sensations of physical fatigue are consequences of working environment components.

4.5. Analyses of impact of age - A (age in years)

A= 3,39 X! + 0,10 X2 + 19,09 X3- 3,65 X4 - 5,00 X5 - 3,04 X« - 3,92 X7

There is a strong negative impact of age on general well-being. Older workers felt more fatigue they are exhausted and less motivated. They perceive also more symptoms of physical fatigue. Strong

269 influence of age on general well-being determines actual availability and consequently performance. Analyses workers are young but even among them age influence is evident.

QAA as a part of the AH model and a tool for identification of the level of actual availability has been used in different working environment. QAA as a tool was standardised on the numerous of 2500 workers. Limits of the average levels on all seven scales were determined in the standardisation.

5. DISCUSSION QAA is a useful tool for evaluation of human actual availability in working situations. It should be used whenever we have to estimate level of workers availability. When we have to estimate availability of elder workers or availability of workers for special activities and tasks we need precise tool. Usually only limited number of workers is available. On the other side also in some industries workers are older. The majority of elder workers need more individual approach. On individual level availability for special activities should be estimated. There is also great difference among individuals of the same age.

Actual availabilities estimations reflect workers perception of their capacity, health, knowledge, age, education, and motivation. In reality workers' performance depends only on workers' actual availability. If workers percept themselves as available, they will perform the task. If workers percept themselves as unavailable and unfit, they will not be able to perform the task. They will fill themselves to exhaust, to fatigue, and to depressed to finish the job. In estimations of actual availability, human potential capacity elements are integrated in the unique new value — perceived actual availability. The impacts of human capacity elements differ in different environments and in different working groups. General AH model describes connections between particular elements of AHmodel. Particular sub models define and analyse measure of influence between neighbour components of AH model. The mathematical model is a tool for description of particular connections and for definition for measure of influence. WA sub model determine the most important work loads components.

Whenever we have to analyse or estimate human availability or effects of external factors on the human actual availability we have to have standardized procedure and validated tool. For this purpose we have developed AH model and as a central part of it QAA.

The AH model is a possible suggestion and help for implementing humanisation measures at the working environment. It offers a clear description of connections between the work load's components, human actual availability, human performance and human health to the cost benefits. The centre of the model is a self-estimated level of actual availability. This is approved by our previous research work.

Workloads are important as far as they influence the human availability. It is not necessary to wait for work impacts on human health. We have to react earlier immediately when we get information that workload affects human availability. The decrease of human related mistakes and stable system performance is management's interest.

Implementation and use of the AH model is based on the following issues: • Workers are able to perceive workload's influence on their actual availability. Perceived self estimated level of human availability is shaped by the work components' influence. • Human performance depends on the level of human availability. Connections have been modelled and determined. • People are able to perceive unfitness and fatigue before they have health problems. • Collected data in the field studies offer precise component's data for use in the model and for its validation. Developed AH model together with QAA tool is a possibility to estimate as exact as possible impacts of different work loads components. Use of QAA data offers possibilities for work organization in

270 different situations. On the bases of input human capacity data, prediction of levels of human actual availability should be possible.

Use of AH model offers possibility of keeping desired level of radiation and nuclear safety due to the human factors. By AH model human influence on final level of performed task is precise defined. Higher level of nuclear and radiation safety should be assured by adequate maintenance teams, which are selected with use of AH model. This is another option of the AH model implementation.

References

[1] SKOF, M., MOLAN, G., Human availability and system's performance in systems of high technologies. In Organization and information systems 2 (Z. Kaltneker, Ed.) (Moderna organizacija, Kranj), (1992), 237-248. [2] COSTA, G., A seven-point program to reduce stress in air traffic controllers in Italy. In Conditions of work digest (M. B. Jankanish Ed.) (International labour office, Geneva), (1992), 172-183. [3] MOLAN M, MOLAN G., Development of the model for work humanization, In From experience to innovation IEA' 97. In Proceedings of the 13th Triennial congress of the International ergonomic association. Vol. 1, (Seppala, Pentiet, Ed) Organizational design and management: (Tampere 1997), Helsinki: Finish Institute of occupational health, (1997), 510-512 [4] MOLAN G., MOLAN M., Development of the expert model for health follow up, In Human Factors in Organizational Design and Management - VI (P. Vink, Ed.), Elsevier Science B.V., (1998), 549-554. [5] FELLER, W., An introduction to probability theory and its applications. (J. Wiley, New York), (1968) [6] SKOF, M., MOLAN, G., Human potential capacity, real capacity, and performance: models and connections. In Use of probabilistic safety assessment for operational safety by IAEA (IAEA, Vienna), (1991), 766-770.

271 XA0102808 IAEA-CN-82/39

DEVELOPMENT OF SAFETY PERFORMANCE INDICATORS IN JAPAN

OHASHI, H., TAMAO, S., TANAKA, J., SAWAYAMA, T. Nuclear Power Engineering Corporation, Safety Information Research Center FujitaKanko BLDG. 8F, 17-1, 3-Chome Toranomon, Minato-Ku, Tokyo 105-0001, Japan Fax:+81(3)343 5-3410; Email:[email protected],[email protected],[email protected],[email protected]

Abstract

For the purpose of safety regulations of operating nuclear power stations in Japan, the regulatory authorities utilize two types of regulations. One is the direct regulation such as periodical inspection to inspect the function and performance of equipment important to safety and the other is the audit type regulation such as preservation inspection to audit the compliance with the safety preservation rules.

As performance indicators are expected to be effective tool to evaluate the activities by audit type regulations, NUPEC are studying a comprehensive set of operational performance indicators to meet the effective evaluation method for the safety preservation activities in the audit type regulations under the frame of current safety regulation system.

The study includes the establishment of the comprehensive operational performance indicators applicable in Japan, the effective application of performance indicators to the current Japanese regulation, the clarification of the applicable scope of utilization, the possibility of applying the performance indicators. This report describes the present status of our performance indictor studies. After the completion of these studies the regulatory authorities will evaluate if and how the new set of comprehensive performance indicators could be introduced to Japanese regulatory scheme.

1. STUDY PROCEDURE The study is carried out in three years from 1999 fiscal year to 2001 fiscal year. Fig. 1 shows the time schedule.

Time schedule Investigation items for the set of overall performance 1999FY 2000FY 2001FY (1) Investigation and reflection of domestic and foreign (2) Classification and system atizatio n of the performances contro 1 in Japan (3) Development of the overall performance indicator (4) Extraction of the performance indicators for each (Except for the emergency measures and safety during p e r io d) (5) Extraction of the performance indicators for the measures and safety during shutdown (6) Investigation of the evaluation method and (7) Trial evaluation (including PSA evaluation except for p e r io d) (8) Evaluation of the applicability effectiveness to regulations, and identify the problems to be (9) Extraction of the performance indicators for each reacto trial (10) Trial evaluation applying PSA evaluation for (11) Developmentofthe o ve rail per form a nee in die a tor set applicable in Japan (12) Extraction of the subjects to be investigated for indicator application in audit type safety regulation FIG. l.Time schedule.

272 2. JAPANESE SAFETY REGULATIONS AND SAFETY ADMINISTRATION SYSTEM The safety regulations of the operating nuclear power plants in Japan are mainly regulated by nuclear material safeguards rules, safety preservation rules, and periodical inspection.

Periodical inspection is the inspection of the equipment and the verification of the function during plant shutdown. While, safety administration measures such as the recording and reporting, the qualification of chief engineer of reactors and persons responsible for operation are ruled by the safety preservation rules. The nuclear safety inspectors of our regulatory authority are performing 'preservation inspections' to inspect the status of observing the safety preservation rules and 'comprehensive investigations of safety preservation management'. Additionally, the regulators review the periodic inspections by the utilities in parallel with regulatory periodic inspection and the periodic safety review.

Fig. 2 shows the safety regulations and control measures in operating stage and the relation with the set of comprehensive operational performance indicators.

Relating laws The Law for the Regulations Electricity Industrial Special Law of Nuclear Source Material, Utilities Safety and for Nuclear and Nuclear Fuel Material and Disaster Industry Law Health Law regulations Reactors Measures

Nuclea± r safety inspector Items not regulated by laws and regulations but reportable to the Administration Nuclear Safety Government measures to material preservation ensure the safeguards rule Periodic plant rule / safety review performance Periodic check Recording Stationing of the qualified and reactor engineer and the reporting responsible engineer for operation Items performed by Nuclear the Government to material control plant safeguards performance Plant rule Comprehensive performance Comprehensive performance indicator framework investigation of (See Fig. 3) safety preservation management

FIG. 2. The safety regulations and control measures in operating stage and the relation with the set of comprehensive operational performance indicators.

3. DEVELOPMENT OF THE COMPREHENSIVE PERFORMANCE INDICATOR FRAMEWORK In order to apply the performance indicators, we tried to develop and classify the regulatory items based on the requirements of 'Administration Measures to Ensure Plant Performance' into various stepwise performances.

In the next step, we had investigated the applicability of performance indicators to the following specific characters that were selected to be possessed as safety performance indicators. Specific characters of performance indicators are Quantification, Objectivity of measurement, Objectivity of evaluation, Representatively, Accuracy/Verifiable ness, Feasibility of corrective action , Predictability, Easy data acquisition, Easy handling.

The studies include the performance indicator based on the risk information, in addition to the performance indicators based on the current deterministic safety regulations. 'Nuclear Material

273 Safeguards' is excluded from the investigation scope, since it is not open to the pubic. Development of indicators to evaluate 'Emergency Measures' and 'Safety during Shutdown' are being performed. Fig. 3 and Fig. 4 show the preliminary result of the basic comprehensive performance indicator framework and numbers of performance indicators in Japan. The results indicate that there are only few safety administration items, ( performance ), which are applicable or partially applicable as performance indicators and most of them are dependent on preservation inspections performed by nuclear safety inspectors, periodic test, comprehensive investigation of safety preservation management, or audit of periodic safety reviews etc.

Public and Employee Safety

Organization Preservation of Safety Safety during Radiation Emergencyj and Functions Shutdown Controls Management Measures Controls I 1 1 Occurrence Mitigation Boundary Employee Public of facilities integrity Exposure Exposure abnormal and/or accident Organization Occurrence of Mitigation Preparation Response and abnormal facilities Control to to Management and/or accident Emergency Emergency

FIG. 3. The preliminary basic comprehensive performance indicator.

Purpose Public and Employee Safety Organization Performance, and Emergency major Preservation of Safety Functions Safety during Shutdown Radiation Controls Measures classification Management Controls Number of 47 150 20 36 performances Organizati on Occurrence and Occurrence Preparation Performance, of abnormal Mitigation Boundary Management of abnormal Mitigation Employee Public Response to intermediate Control to and/or facilities integrity and/or facilities Exposure Exposure Emergency classification Controls Emergency accident during accident Shutdown Number of 24 115 1 performances Number of performances after groupings (minor classification) Number of performances feasible for performance indicator applicability

s eor y eor y min i eor y min i eor y It min i I S II min i ? 8 18 fe-S P Number of II performance a indicators 28 1 1 Preliminary Proposed Performance Indicators 1 I ° I ' I ' I ' I">1 1 1 0 0 1 0 1

FIG. 4. The classification of performance and the numbers of relating performance indicators (ex. PWR).

4. INVESTIGATION OF THE PERFORMANCE EVALUATION METHODS WITH PERFORMANCE INDICATORS AND THE JUDGMENT BASIS Regarding the performances to be applied for the evaluation methods with performance indicators, we investigated the evaluation methods and the judgment basis more appropriate for Japanese present regulation system, including the feasibility study for representative PWR to apply the quantitative threshold value method and trend evaluation method etc.

274 4.1. Basic concept using performance indicators to regulations As the effective measures to apply performance indicators to the frame of current safety control regulation system, it could be considered to use the performance indicators as supplemental indicators in the inspection of the utilities on the safety administration activities such as preservation inspection to audit the compliance with the safety preservation rules.

Supplemental indicators make clear the points of audits and expect to enhance accountabilities. The following could be considered to be applicable as supplemental indicators. a. Evaluation with trend Determine if the administrating status are of the better or worse trend and to make clear the important points to be audited. b. Evaluation comparing with the other plants (or plant mean values) Identify the performance which are better or worse compared with the other similar plants to make clear the important points to be audited. c. Evaluation of safety margin for quantified limiting value Evaluate the safety margin for quantified limits and performances to make clear the significant points to be audited.

4.2. Investigation of the evaluation method of proposed performance indicators and judgment criteria After examining fundamental attributes, such as requirements and problems in case of applying the above evaluation method to 'Performance indicators based on the deterministic theory' and 'Performance indicator applying the risk information', extracted performance indicator candidates were evaluated and classified into appropriate type from the standpoint of the performance evaluation methods. The evaluation method and the possibility of target value set-up were examined concretely for the typical performance indicator of each type. Then performance indicator candidates were roughly narrowed down from these examination results, and narrowed performance indicators were checked their applicability of their examination results in detail.

The following are the classification of the type from the standpoint of the performance evaluation methods. The numbers of initial extracted performance indicators and narrowed down preliminary proposed perfoirmance indicators are shown in parentheses. Type-A: Existing limitation values are available. (44 to 6) Type-B: Quantitative reference indicator does not exist, but evaluation is feasible by referring the trend or comparison with others. (9 to 3) Type-C: Quantitative reference indicator dose not exist, and objectivity is not sufficient. (2 to 2) Type-D: Deviation from the limitation. (7 to 0) Type-E: Risk information applying items where present PSA is applicable(l 1 to 11) Type-F: Risk information applying items but the evaluation is not feasible because of no evaluation model at present, etc.(8 to 0).

Fig. 5 shows the comprehensive performance indicator framework filled with the preliminary proposed perfoirmance indicators based on the performed studies.

275 Public and Employee Safety

Organization Preservation of and Safety Management Functions Controls

1 Occurrence of Abnormal Mitigation facilities Boundary and/or Accident Integrity

Attendance Number of Number of Unavailability ||Unavailability Margin of Rate of Reportable Deviations Reactor Accumulator Iodine-131 Education Events from Limits Auxiliary Injection Concentration and Training Component System for limits Cooling Sea Occurrence Unavailability Water Rate of Pressurizer Unavailability Margin of System Initiating Relief Containment — RCS Leak Events Valve Spray System Rate for Limits Unavailability Unavailability High Head Margin of Pressurizer Injection Unavailability Containment Notation: Safety Valve System Emergency Leak Rate for Single Line: Power Limits Deterministic Theory Source Application Items Unavailability System Unavailability Double Frame: Reactor Low Head Risk Information Auxiliary Injection Application Items Component Cooling Water System Unavailability System Auxiliary Feed Water System

Preparation Safety during Radiation Control to Shutdown Controls Emergency

J_ Organization Occurrence Mitigation and of facilities Employee Public Management A bnormal Exposure Exposure during and/or (Study in Shutdown Accident future)

Detection Occurrence Margin of Margin for Attendance Numbers of Numbers of Dose Monitoring Rate of Abnormality Trouble Equivalent Area outside Training to during during Evaluation Boundary Emergency Shutdown Shutdown Value for Limits Limits

FIG. 5.The comprehensive performance indicator framework filled with the preliminary proposed performance indicators (ex PWR).

Evaluation Example on Indicator 'Margin of Dose Equivalent Evaluation Value for Limits' We performed trial evaluation for the performance indicators of some model plants using the operation results to determine the adequacy of evaluation method and judgment criteria as practical safety control regulations.

276 4.3. Evaluation on judgment criteria Considerations: • regulatory quantitative limits (50 mSv) have been set; • qualitative target 'ALARA' has been set; • employee dose equivalent are largely depend on the periodical inspection procedure.

Data: • Interior plants mean value data, based on past results, are available. (For resent 10 years 1-2 mSv/year, limits 50 mSv) In this evaluation, it is possible to set the results of the interior plants mean value as the base considering margin for limitation value. Regarding the subject measured values, plants mean or site mean value versus interior plants mean value, and employee maximum dose equivalent are considerable. The former is appropriate for the performance relative evaluation between plants and the latter is appropriate for evaluation on margin to regulatory limits. Both values are evaluated here.

4.4. Trial evaluation using performance indicators Fig.6. shows the progress of mean dose equivalent of each site and all of them are largely below the target value 5 mSv. The results of this evaluation suggest the potential to over the target values is extremely low, and the regulations is not sufficient enough.

99

FIG. 6. Trial evaluation on indicator 'Margin on dose equipment evaluation value for limits'.

277 Fig.7. shows the dose equivalent distribution for the individuals in most resent year (1999) results. The results indicate that the maximum value for plant A is over 20 mSv, although no employee over target value 25mSv, and margin for target value is small. This suggests that the performance indicators evaluation method and target value on the individuals dose equivalent are appropriate for the interior plant results.

FIG. 7. Trial evaluation on indicator 'Margin on dose equipment evaluation value for limits' (dose equivalent distribution for individuals).

5. CONCLUSION Comprehensive performance framework and performance indicators suitable for Japanese safety regulation were extracted through this study. Candidates for performance indicator and proposal of framework were settled investigating the evaluation method and judgment criteria.

Applicability of performance indicator to all operating plant will be discussed this fiscal year referring of NRC and IAEA. After the completion of fundamental evaluation, the regulatory authorities will evaluate if and how the new set of comprehensive performance indicators could be introduced to Japanese regulatory scheme.

278 XA0102809 IAEA-CN-82/59

OPERATIONAL SAFETY PERFORMANCE INDICATOR SYSTEM AT THE DUKOVANY NUCLEAR POWER PLANT — EXPERIENCE WITH INDICATOR AGGREGATION

MANDULA, J. Dukovany NPP CZ-67550 Dukovany, Czech Republic Fax: +420618815152; Email: [email protected]

Abstract

The operational safety performance indicators serve as an important tool of performance monitoring and management at the Dukovany NPP. A software-supported system has been developed, which has included: data collection, central data storage, graphic output production and periodical report generation. Analyses of performance indicator trends together with evaluation in respect of annually updated target values and acceptance criteria is used for operational safety reviews forming an integral part of continual self-assessment process.

This contribution has been focused on experience obtained during development of the operational safety assessment model using indicator aggregation. It summarises problems that had to be paid specific attention in the development process. Thanks to their solution, the model has become a synoptic monitor and a useful tool for operational safety assessment.

1. NEW SYSTEM DEVELOPMENT Based on our own experience with use of performance indicators since the beginning of Dukovany NPP operation and according to the latest IAEA recommendations [1], we have revised the existing performance indicator system and developed a safety performance indicator system. From the bulk of indicators hitherto used by the individual departments of the plant, we have selected all indicators concerning safety and meeting given criteria. These indicators have been included in a new centralized system. To maintain compatibility with international performance indicator systems, all WANO performance indicators and some IAEA-PRIS performance indicators have been included as well.

This effort has resulted in a group of 184 specific indicators. Each of these indicators has been assigned the following attributes: definition, targets and criteria, frequency of data collection, data provider and responsible system engineer. In the first step, the indicators were divided in four main areas indicating: (1) safe, reliable operation; (2) barrier reliability and tightness; (3) environmental effect; (4) activities of state regulatory body.

In the scope of IAEA Coordinated Research Project, the Dukovany NPP has been revising the system and a software support. The choice and the basic hierarchy of the operational safety performance indicators has been revised so that it was in accordance with three attributes of safe operation: smooth operation, low risk and positive safety attitude. Also the lower levels of the indicator hierarchy (overall and strategic indicators) reflect the recommendations provided in [1]. Specific indicators are tested according to recommended selection criteria.

An important part of the centralized system of operational safety performance indicators is a computer network application providing for data inputting and storage. It is a 32-bit Windows application cooperating with an SQL Oracle server. The main characteristics of the application include: • openness of the system for setting a group of specific indicators; • possibility to create any hierarchic structure of the indicators and display the structure on the screen;

279 • distributed system of data collection (individual data providers can input 'their' indicator values directly from their computer); • automatic requesting of missing data; • possibility to monitor indicator values and show their trends; • easy generation of charts and tables; • user defined report templates and generation of a desired report according to selection criteria; • indicator evaluation by comparing the actual values with target and limit ones; • evaluation of overall and strategic indicators by aggregating the lower-level indicators; • using colour codes for displaying indicators of all levels; • a support system makes possible to define more hierarchic structures of indicators with possibility to repeat specific indicators within one or more structures. It makes possible to create combinations of safety, operational and economical indicators.

2. EXPRIENCE WITH ASSESSMENT OF OVERALL SAFETY USING INDICATOR AGGREGATION In the document [1], a method has been proposed how to create the hierarchy of operational safety performance indicators, so that it involved all significant safety areas and aspects. The document also provides examples of indicator evaluation and colour coding by gradual aggregation of the indicators from the specific ones to overall safety assessment. Although the aggregated values above a performance indicator set had been used before (e.g. composite index above WANO indicators) the recommendations in [1] have been very progressive due to their comprehensiveness.

Application of IAEA recommendation at a particular plant, development of a specific indicator hierarchy and aggregation method, where specific conditions of the plant and national environment were considered, requires a profound system analysis. Basically, a simplified quantitative model of safety has to be developed that uses available measurable parameters. The analysis should include selection of the most suitable indicators for each area (according to given criteria), establishment of indicator evaluation criteria and limits and selection of a mathematical method of aggregation. A profound comprehensive analysis of the existing plant performance indicator system is certainly beneficial for the system, because it may help to better understand the role of the individual indicators and their limitations following from their nature and the extent of simplification.

When devising methods of indicator aggregation, the following pitfalls deserving special attention have been identified:

2.1. Setting the goal, planned and limit indicator values (further referred to as criteria) The indicator evaluation criteria influence the whole aggregation process. It is therefore necessary to pay the closest attention to this step, so that the criteria are in accordance with plant operation, with plant strategic goals as well as with international standards. At the Dukovany NPP these criteria are set up for a year period, and at key indicators, they are updated annually.

2.2. Terminology The names of criteria and zones the indicator value can be related to are very important for common users to understand the system and correctly interpret its outputs. At Dukovany NPP, the baseline is represented by an acceptance criterion, which is called 'Limit' (it may be identical with a specified legislative limit). This criterion divides the area of possible indicator values into an acceptable and unacceptable range. The acceptable range is further divided by two other criteria. The first one called 'Annual plan' determines areas of expected and unexpected values. These areas are called 'Operating zone' and 'Warning zone'. To evaluate extremely good results, the criterion 'Strategic goal' is used, which should represent rather a long-term target than a required value for a near future. Figure 1 shows the terminology used at the Dukovany NPP.

280 Excellent zone Strategic Goal Operating zone Annual Plan Warning zone

Unacceptable zone Limit

FIG. 1. Criteria terminology.

2.3. Creation of derived material (for periods shorter than one year) When evaluating indicators for a shorter period, two basic characters of indicators have to be considered — cumulative and rate ones. A cumulative indicator is an absolute value of a monitored parameter that can be determined by summing parameter values over a period of time. For the time period, the indicator value does not decrease. Such indicators may be number of events, radiation doses received, volume of radioactive waste released etc. Rate indicators are ratio quantities that express the monitored condition independently of the moment of calculation. They cannot be summed, but indicator values can be averaged. Such indicators may be specific activity of reactor coolant, industrial safety accident rate, number of events related to a constant period or indicators expressed in per cent. Rate indicators can be compared directly to the one-year criteria at any time. For the cumulative indicator, a derived criterion has to be calculated from the one-year value at the moment of indicator evaluation. At Dukovany plant, linear interpolation is used. The actual indicator value is then compared to the derived criterion.

2.4. Conversion of indicators of different nature and units For the indicators to be aggregated, they must be converted to a comparable rating. At the Dukovany NPP, the following methods have been chosen: • Based on exceeding the individual criteria, the indicators are assigned points 1, 2, 3 or 4. In other words, the indicators falling in the Unacceptable zone are rated 1, indicators in the Warning zone are rated 2, indicators in the Standard zone are rated 3, while 4 is reserved for the indicators occurring in the Excellent zone. The colour coding corresponds to Figure 1. (1 - red, 2 - yellow, 3 - white, 4 - green). • Should the significance of the unacceptable zone be emphasised, it may be rated 0 instead of 1, so the rating scale then transforms into 0-2-3-4. This increases the 'weight' of the unacceptable indicator values in calculation of the aggregated indicator. • For a more detailed indicator evaluation, the zone between the Limit and Goal is divided into 100 points; the Limit value is rated 0 points while the Goal value is rated 100. The points 1-99 are assigned by linear interpolation (the difference between the goal and limit indicator value is divided by 100). The value of the Standard criteria (the border between the warning and standard zone) can be defined by system user. However this method provides higher resolution of aggregated indicators, it requires additional modifications of the aggregation methods.

281 2.5. Assessment of indicator significance in a particular group In addition to selection of specific indicators for a group, it is very difficult to compare the indicator significance. Based on this rating, weight factors are determined, which are used for weighted-average calculations of aggregated indicators.

2.6. Aggregation methods for higher-level indicator evaluation To calculate aggregated values of higher-level indicators, the Dukovany NPP uses the following methods: • simple average of the point rating — standard approach; • weighted average considering the significance of individual indicators in the group (see item 5); • average emphasizing unacceptable values (see item 4, second bullet); • selection of minimum colour codes — discriminating approach, where the unfavourable indicator values are not disguised. This method eliminates masking effect of aggregation.

2.7. Considering trends by indicator evaluation Trends represent very important information component of each indicator. It is therefore desirable to include significant trends also in the aggregated values. Inclusion of trends into the aggregation is optional. The number of periods can be selected, which the trend is evaluated for. If a significant trend is present, the indicator receives ±1/2 point. In the colour coding, the trend is depicted by ascending or descending hatches.

2.8. Examples In the Figure 2 there is as an example a cut out of a screen copy from the software supporting the safety performance indicator system at the Dukovany NPP. Aggregated values of strategic and overall indicators for the smooth operation attribute are displayed using colour codes described above. Besides the status for 2000 there is also status for three previous years. It makes a rough view of an indicator trend.

•Legend— 3 Rok. Rok: Rok Bf Unacceptable area , . 3 1.937 1998 1999 J7 Warning area Rok.2000 |T" Standard area T~ Fancy-free value d IS Undefine-value -

Operational Safety

Smootn cpcotion

Course oi cperatran System status

Events Production losses Failure rate Material status

FIG. 2. Aggregation of strategic and overall indicators..

282 Details of trends and values of specific indicators are easily visible by rolling out the PI structure, see Figure 3.

SUucUire:jP'ovoznf bezpecnost "] Rok -Rok Rok M Unacceptable area te Propitious trend »eriott JYearly 3. 199? 1998 1999 B Unpropitious bent It*2000 F Standard aiea f Fancy-free vabe Interval: Year j "033 &[ E Extra area S Undefine value [7 Snow value* of indicators

Update j Method | Ps.nl ol cre-ai. j

"|Piovozni bezpecnost J Provozni bezpecnost • Kultuia bezpecnosti \'\ alita provozu Prflbeh provozu ' Postoj k bezpecnosti Udalostl ' Snaha o zlepseni Number of power reductions through EP-3 actuation | Kvalita piovozu Unit: pocet | Plflbeh piovozu Extra area: < 2 ludalosti Standard area: 2-3,5 Warring area: 3,5 - 5 ; Neplanovana automa i Unacceptable area: > 5 ? No. of exUaordinary e' t indicator values I »No. of exhaordinarji a t Annual note I \ Numbei of events INE ; Number of events INE

Number of underpress Pocet automatickeho:

•JRizik'D provozu % Riziko poiuchy iPozadovana aktivace E f Neopiavnene pozj Number of spuri ^fe Spurious signall

FIG. 3. Details of specific indicators.

3. CONCLUSION The model structure of plant indicators and their evaluation by aggregation of lower levels provides plant management very useful tool for effective use of the information from operational safety performance indicators. Selection of aggregation methods enables the user to optimise the view of a given indicator group or confront conclusions following from different point of views, so that, for example, negative trend of some indicators are not masked by positive trend of the others.

Simplicity and clarity of the aggregated values can tempt to making definite conclusions from this monitor. It may also lead to deliberate manipulation with the methods to obtain a desired result. It has to be emphasized, that should the indicators become a reliable tool of operational safety assessment, it could not be an object of manipulation. They must be treated unbiased, and the aggregated values, in spite of the system complexity, must be regarded only as a piece of a mosaic the complete safety assessment consists of.

Reference

[1] INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA-TECDOC-1141, Operational Safety Performance Indicators forNPPs, IAEA, Vienna, (2000).

283 XA0102810 IAEA-CN-82/62

SAFETY ASSESSMENT, SAFETY PERFORMANCE INDICATORS AT THE PAKS NUCLEAR POWER PLANT

BAJI, C, VAMOS, G., TOTH, J. Paks NPP, P. O. Box 71, H-7031 Paks, Hungary Fax: +3675506733; Email: [email protected]

Abstract

The Paks Nuclear Power Plant has been using different methods of safety assessment (event analysis, self-assessment, probabilistic safety analysis) including performance indicators characterizing both operational and safety performance since the early years of operation of the plant. Regarding the safety performance the indicators include safety system performance, number of scrams, release of radioactive materials, number of safety significant events, industrial safety indicator etc.

The Paks NPP also reports a set often indicators to WANO Performance Indicator Programme which, among others, include safety related indicators as well. However a more systematic approach to structuring and trending safety indicators is needed so that they can contribute to the enhancement of the operational safety. A more comprehensive set of indicators and a systematic evaluation process was introduced in 1996. The performance indicators framework proposed by the IAEA was adapted to Paks in this year to further improve the process. Safety culture assessment and indicators characterizing safety culture is part of the assessment process.

1. INTRODUCTION According to the Nuclear Safety Code of Hungary "The safety is such a feature of a nuclear power plant which —using technical and administrative measures — excludes the possibility of presenting risk to the human life, the health and the life conditions of the present and the future generation and the environment above the internationally accepted risk levels" or as the IAEA document (Design for Safety of Nuclear Power Plants) states in a more simple way "The safety is the protection of all persons from undue radiological hazards". However, the problem is that the safety cannot be measured. A high level of safety is the result of the interaction of a good design, operational safety and human performance. From this it can be seen that there are different aspects of safety. One is that may be called as design safety or engineering safety that depends on how the plant is designed. It depends upon how the design basic principles were applied during the design and construction, e.g. how many redundancies are built into the systems, whether the system components fulfill the single failure criteria etc. Another aspect is the operational safety that depends on how professionally the plant is operated and maintained. A significant component of this is the human performance. The design safety of the plant can be assessed based on deterministic and probabilistic evaluations which is included into the Safety Analysis Report. It is more difficult to evaluate or measure how well the plant is operated. This question depends on many factors the most of which cannot be measured, they can only be estimated.

2. SAFETY ASSESSMENT There are different methods to evaluate the operational safety of the plant. One is the event analysis with root cause analysis. This method can be considered as a so called 'mitigative' one because it is based on events that already occurred and the operational safety is analysed based on the past 'negative' experience. For these events detailed investigation is performed and corrective actions are defined in order to eliminate the root causes. A more proactive way is the analysis of low level events or near-misses because in this case corrective measures can be defined without real significant events. But the analysis of low level events needs the allocation of more human resources. At the Paks NPP

284 only a small part of the low level events are investigated in details. Another part of those events are only recorded and trended. For the first part corrective actions are defined, for the other part corrective actions are taken only if negative trend can be observed. Other methods of the: assessment are the self- assessment, quality assurance, probabilistic safety assessment, regulatory inspection etc.

In the last 10 years the term 'safety culture' has been given significant attention. According to the IAEA definitions the safety culture is that assembly of characteristics and attitudes in organisations and individuals which establishes that, as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance. The assessment of safety culture of the operating organisation of a nuclear power plant can provide nearly a full picture of the operational safety. The safety culture can be assessed either separately or using indicators which characterize safety culture as a subset of indicators in the overall system. At the Paks Nuclear Power Plant both ways are applied as it is described in this paper. The most complex way of the assessment of operational safety is the use of a complete set of indicators. A comprehensive set of indicators will definitely include elements of all the different methods mentioned above.

3. SAFETY PERFORMANCE INDICATORS

3.1. Background information Indicators have been used at the Paks NPP from the early years of operation. The first set consisted of six indicators such as load factor, forced outage rate, unplanned automatic scrams, thermal performance, collective radiation exposure and ESF actuation. These indicators were selected based on international practice and were merely used for comparison and trending without any feedback. The introduction of WANO indicator system in the early 90's was a big step. The WANO system was a more systematic set of indicators but still far from being a full set to evaluate the operational safety in complex. In 1996 a system of 28 main (as a total 55) indicators was defined which set was quite comprehensive and covered a wide scope of activities that have relationship to safety. Those main areas are the following: • fire safety; • significant event; • technical specification; • quality; • safety system reliability, • training; • environmental impact (radioactive wastes and releases); • risk (core damage frequency).

3.2. The use of indicators So far the indicators have been analysed in detail yearly. A report on the indicators is prepared and reported to the Operations Review Committee for assessment at the annual meeting. In case of

Industrial safety accident rate

• Paks

1992. 1993. 1994. 1995. 1996. 1997. 1998. 1999. 2000.

285 negative trend corrective actions are defined to improve the area for which the indicator provides indication. In the system that had existed until 2000 the assessment was performed based on qualitative considerations using trends or international comparison. Two examples of the indicator trend will be given in this paragraph. The most recent negative trend have been observed in the industrial safety indicator (as an example) as it can be seen on the following diagram. The causes of the 1999 high value were carefully analysed, international benchmarking with other nuclear power plants and national benchmarking with other industrial enterprises in Hungary were conducted in 2000. Based on the results of the major causes of the incidents some corrective actions were implemented in 2000 and more corrective actions have been defined to be implemented in 2001. There was a slight improvement in 2000 but more significant improvement is needed in order to reach an acceptable value of this indicator.

The other example is to present an indicator with a positive trend that is the fuel reliability indicator. The trend graph with world-wide comparison is presented on the diagram below. This is an indicator which have been improved by two orders of magnitude in the last few years. This indicates the high reliability of the implemented fuel and the good water chemistry of the primary systems.

Fuel reliability

nRaks

1992. 1993. 1994. 1995. 1996. 1997. 1998. 1999. 2000.

Most of the rest of the indicators are either slowly and gradually improving or the variation of the indicator remains within an acceptable range. As it can be seen from the above the basis for international comparison is the WANO indicator system. The plant reports data to WANO quarterly and WANO issues assessment report twice per year. The results of the safety indicators analysis is also published in a yearly coloured brochure with other results of the yearly evaluation of safety. Some of the indicators which may be interesting for the public are displayed on a large board at the entrance to the plant. The safety indicators are also available on the Intranet system.

3.3. Recent initiatives In the second half of 2000 the safety indicator system was reviewed. It was identified during the self- assessment in the Periodic Safety Review (PSR) process that the system needs to be revised and modified in accordance with the international practice. As a basis for the review the IAEA proposed framework was used. The Paks NPP did not participate in the IAEA pilot study but was very carefully following the activities in the project. After the IAEA issued TECDOC-1141 (Operational safety performance) indicators, the results were analysed and the Paks safety indicator system was modified. The major changes made to the existing system included the following: • the framework with the 3 safety attributes (Plant operates smoothly, Operational safety and Attitude towards safety) were adopted and the existing indicators were categorized according to the attributes; • new indicators were defined in order to make the system complete and to cover all the areas of safety related activities; • the frequency of the assessment of the indicators was set to quarterly (previously some of the indicators were evaluated only annually).

286 Now this new system is in the implementation phase. The structure is given in the attached figures. The first flow-chart shows the overall framework and the full system is shown on the other three flow- charts attached to this paper. The indicators shown in italics are those which are newly defined, the rest are those which existed in the previous performance indicator set at Paks.

3.4. Safety Culture Assessment Though the safety performance indicators include a number of indicators that characterize the safety culture and one attribute of the newly implemented system (attitude towards safety) is practically a subset of safety culture indicators, the safety culture at Paks have been given high importance and has been analysed within an individual project in the last 5-7 years.

3.4.1. Enhancement of Safety Culture at the Paks NPP In 1993 the plant management initiated a programme for the improvement of safety culture. Based on that decision EM IAEA Model Project titled 'Strengthening Training for Operational Safety' at Paks NPP was launched in 1994. This project as one of the three major elements also contained enhancement of safety culture. The first main actions to improve Safety Culture a clear plant Safety Policy was issued and distributed, an IAEA Safety Culture Workshop was organized at Paks, examples of good safety culture practices were developed and safety culture survey was carried out among the employees. The last item is the one which established the basis for the regular assessment and monitoring of the safety culture level at Paks. The first safety culture assessment carried out for Paks NPP employees in 1994 was repeated in 1999 and also performed for the plant management in 2000.

3.4.2. Safety Culture assessments at Paks Safety Culture Indicator is a function of many variables. Important contributing factors are the clear safety policies and management expectations with priority of nuclear safety, sound procedures and adherence to procedures, implementation of self-assessment and reviews and staff training and education. The list of questions provided in the INSAG-4 document with some addition and modification were used as the basis for the survey. As part of the above described safety culture improvement project an initial evaluation of the safety culture level was performed in 1994. The objectives of the survey were definition of the basic safety culture level at the: Paks NPP, assessment of the attitude of the plant personnel towards nuclear safety and identification of good practices and corrective actions.

In 1999 a repeated assessment was performed using the same approach with the same questions. Contrary to the 1994 survey - which was carried out by the experts of the plant - in 1999 a professional organisation the Department of Ergonomics and Psychology of the Budapest University of Technical and EconomicaJ Sciences was contracted for performing the survey and analysing the results. In 2000 the assessment among members of the management had the goal to underline the changes carried out since the first evaluation and to point out the differences not only between professional organisations but also between employees and managers and between different levels of management.

3.4.3. Method of the assessments The survey for employees in 1999 was based on the 1994 evaluation, but the questions were slightly modified in order to assess both components of safety culture properly. They covered Operations, Maintenance, Radiation and Engineering disciplines. At least 30 representatives were randomly selected from each discipline for the survey. Taking into account mainly the ASCOT guidelines method the 80 questions covered the following components: organisation, team, individual, technology. The interviews with a limited number of people were specified as 'semi-controlled' in order to collect both specific information and individual opinion.

The management assessment covered all the technical organisations of the plant with a few representatives from Human and Economics Divisions. So it was performed with the participation of 77 managers of different levels and plant shift supervisors. All of them filled in the questionnaire and

287 22 of them participated in the interviews, making additional comments, recommendations and pointing out areas where improvements are necessary. The questions and structure of the interview were similar to the 'employee survey' in order to make possible the comparison of the results.

3.4.4. Analysis of the results The information provided in the questionnaires were analysed with a systematic input data checking by statistical hypothesis analysis. A numerical value was calculated for the groups of questions and eventually a single indicator was processed for the different plant attributes and an overall indicator for the whole plant. The comparison of the safety culture levels are given in the following table.

1994 (%) 1999 (%) 2000 (%) Safety culture level 61 77 76

In 1994 the main deficiencies were communication, training, attention to human factor. In 1999 the main contributing factor to increasing of the measured safety culture value was the increased attention to safety and also high positive expectations from the new management. Deficiencies indicated were: complicated documentation, frequent organisational structure changes, the problem with the external contractors. In 2000 the management the survey pointed out some positive aspects of the safety culture level but there remained areas which need improvement such as global company—level vision, a stable plant organisation and clearly regulated working processes.

4. SUMMARY The performance indicators should be a tool for the management to assess the operational safety performance and to indicate areas where improvement is needed. For this purpose an indicator system is needed that covers all the areas of safety related activities. For this reason the system of safety indicators has been revised at the Paks NPP and the IAEA framework has been adopted. The safety indicators are used at Paks as one of the tools for safety assessment in parallel with other methods such as event analysis, root cause analysis, self assessment etc. A special attention is paid to the safety culture and it is analysed in parallel with the safety indicators implementing periodic assessment of the safety culture using statistical survey among the employees of the power plant.

References [1] INTERNATIONAL ATOMIC ENERGY AGENCY, International Nuclear Safety Advisory Group: 75-INSAG-3, IAEA, Vienna, (1988). [2] INTERNATIONAL ATOMIC ENERGY AGENCY, International Nuclear Safety Advisory Group: 75-INSAG-4, IAEA, Vienna, (1991). [3] Reports on Comprehensive Assessment of Safety Culture Level Performed at Paks NPP. Technical University of Budapest, Faculty of Ergonomics and Psychology, Budapest. (1999, 2000). [4] TOTH, J., Safety Culture Review at the Paks NPP. Presented on IAEA workshop, Karachi (1999). [5] HADNAGY, L., TOTH, J., Assessment of Human Performance and Safety Culture at the Paks Nuclear Power Plant, Specialist Meeting on Safety Performance Indicators Madrid, (2000). [6] INTERNATIONAL ATOMIC ENERGY AGENCY, Operational safety performance indicators for nuclear power plants, IAEA-TECDOC-1141, Vienna (2000).

288 PLANT OPERATES SMOOTHLY A

STATE OF SSC OPERATIONAL (STRUCTURES, SYSTEMS, EVENTS PERFORMANCE COMPONENTS) "

Forced power Corrective work Other significant reductions and Material condition State of the barriers Reportable events orders issued outages 1 3 1

Plant capability Number of — Chemistry index Fuel • Number of — Number of factor corrective work reliability events to be significant orders for safety Equipment reported events —— Unplanned systems loading cycles — Reactor Coolant immediately to investigated capability loss accounting System leakage regulatory body internally factor • Ratio of corrective work orders Ratio of tubes _ Containment - Number of - Number of other • Ratio of generation executed to work plugged in Steam leakage events reported event reports loss due to orders requested Generators re gularly to required by unplanned outage regulatory body regulatory body extension Number of pending work • Number of forced orders power reductions and outages due to internal causes • Ratio of preventive orders vs. preventive and corrective work orders

• Ratio of unsuccessful internal technical safety inspections

OPERATIONAL SAFETY

SAFETY SYSTEMS AND PREPAREDNESS FJSK MANAGEMENT EQUIPMENT ,

Plant comfiguration Safety systems Operational staff Emegency Initiating events Core damage risk performance ~ risk ,

— Number of — Number of times — Ratio of failed — Findings during - Number of events — Number of — Core damage reactor scramc a safety system licensing exams emergency drills leading to limited initiating events frequency is unavailable operational (operational) — Number of ECCS - Operator errors L-^— Ratio of people conditions • Conditional core 2 actuations ^— Safety systems during accident receiving training defined by damage ' Core damage scenarios on the on the Emergency technical performance probability probability during -Number of simulator Plan tn thf> specification caused by 3 shut-down Emergency Electric initiating events — Ratio of failures 3 Power Supply dicoveredby — Core damage Systems actuations serveiDance and fmquency caused testing by fee —Number of reactor A protection tevet ? actuations

STRATEGIC INDICATOR

SPECIFIC INDICATOR

289 ATTITUDE TOWARDS SAFETY C

- Number of - Number of • Number of — Industrial safety - Ratio of • Number of — Ratio of event temporary technical workers receiving accident rate independent internal repeated events corrective actions modifications of specification doses above 6 audits performed backlogs violations - Number of operating mSv/month vs. planned audits - Ratio of external 2 (investigation limit) industrial events reviewed — Ratio of internal - Number of events accidents caused • Ratio of audits corrective - Number of due to human Collective disability independent - Average lag time actions backlogs error exeeding 3 days internal safety of event exemptions from radiation 3 inspections investigation the technical exposure — Average lag time performed closing specification - Ratio of events in - Number of false of performing of vs.planned which plant • Number of fire alarms event corrective inspections - Number of personnel did not controlled area Ratio of event actons findings in follow the rooms placed in " Number of real investigation 4 configuration procedure higher fire events - Number of backlogs — Average lag time management contamination deviations of performing of category — Material damage recorded in the internal audits caused by fire reports of the correcfrve actons Liquid independent radioactive internal audits releases vs. allowed limit - Number of deviations - Gaseous recorded in the radioactive reports of the emissions vs. independent allowed limit safety inspections

- Volume of low- and medium-level radioactive waste

I Volume of high- level radioactive waste

290 XAO102811 IAEA-CN-82/64

THE ESTABLISHMENT AND IMPLEMENTATION OF SAFETY CULTURE POLICY IN INDONESIA

ANTARIKSAWAN, A. R., SUHARNO, ARBIE, B. Nuclear Safely Technology Development Center National Nuclear Energy Agency of Indonesia Jl. KH. Abdul Rohim, Kiningan Barat Jakarta 12710 Indonesia Fax: +622115251110; Email: [email protected]

Abstract

This paper describes the progress in the establishment and implementation of safety culture in Indonesia, especially in BAT AN with special attention is given to the development of safety culture indicators. The spirit of safety culture implementation is marked firstly by declaration of Policy Statement by the Head of BAT AN. In order to monitor the implementation of safety culture, six indicators is established. Based on those indicators, it is seemed that at present the progress of implementation of safety culture is quite good enough.

1. INTRODUCTION Until 1998 when the monetary crisis began, Indonesia had a rate of electrical energy demand of more than 15% per year. For a developing country like Indonesia, this condition poses serious problems in the long run. E>espite of some fossil energy resources, which is far from abundant, it is necessary to exercise our option for diversification by including nuclear energy as an integral part of the Indonesian Long Term National Development Plan. In order to give strong justification to nuclear power plant (NPP) introduction, a comprehensive and in-depth Feasibility Study had been undertaken since 1991, and completed in 4.5 years. The main result of this study is among others Primary Energy Supply Scenario. The optimization showed that first NPP operation is feasible in the year 2004 [1].

A new Indonesian Nuclear Energy Act (Act No. 10/1997) has been legislated to replace the old atomic energy act (Act No. 31/1964). The most important key point of Act No. 10/97 is that the regulating and promoting functions of nuclear technology utilization are separated. The regulating function is performed by a regulatory body (so-called BAPETEN), and the promoting function is undertaken by executing body (mainly presented by BAT AN). The separation of these two functions is expected will strengthen the nuclear activities.

Updating previous study, a comprehensive assessment of different energy sources for electricity generation in Indonesia supported by IAEA will be performed in year 2001 and 2002, using MAED code for demand analysis, MARKAL code for supply analysis and B-GLAD code for externalities evaluation.

As a consequence of the economic crisis, the promotion of nuclear technology utilization is emphasized toward the nuclear technique application (in the agriculture and food industries, for example) rather than the introduction of NPP. Beside, effort to achieve a more high level of safety of existing nuclear facilities, which almost all are used for research and development activities, is intensively performed. By doing so, it is expected that people could be assured of our commitment to the nuclear safety, and of our capability to handle nuclear materials. One way to achieve the high level of safety is by establishment and implementation of safety culture policy in all of our nuclear activities. This paper will describe the progress in the establishment and implementation of safety culture in Indonesia, especially in BAT AN. The special attention is given to the development of safety culture indicators.

291 2. ESTABLISHMENT OF SAFETY CULTURE POLICY In INSAG-3 [2] it was stated that Safety Culture "refers to personal dedication and accountability of all individuals engaged in any activity which has bearing on the safety of nuclear power plants. The starting point for the necessary full attention to safety matters is with the senior management of all organizations concerned. Policies are established and implemented which ensure correct practices, with the recognition that their importance lies not just in the practices themselves but also in the environment of safety conscious which they create".

According to the above recommendation and following to the spirit and commitment BAT AN to the safety of nuclear facilities, in 1998 the Head of BATAN declared officially a Policy Statement for safety of nuclear facilities. It is stated that "in whole organization of BATAN, safety have to be first priority in carrying out all activities, as an overriding priority, and should be considered organizational and individual". It is further stated that the implementation of policy statement should be based on the principals as follows: independence, clarity, openness, efficiency, and reliability. On the other hand, on June 2000 the Chairman of BAPETEN declared also major policies for the assurance of nuclear safety through the settlement of nuclear regulatory goals and principles to protect the workers, public and the environment. The purpose of this policy statement is to provide the framework for regulatory authority to manage the control of nuclear energy utilization.

For strengthening the implementation of the safety culture policy, Indonesia joins the Nuclear Safety Culture Project, which is began in 1997, and is organized among FNCA (Forum for Nuclear Cooperation in Asia) countries. In this context, Indonesia had actively participated in the three workshops, which are already conducted. Other activities in this project include among others developing joint commitment to safety culture, providing a forum for exchange of information, and cooperation between participants.

3. SAFETY CULTURE ACTIVITY INDICATORS According to the Safety Culture Workshop organized by FNCA in Sydney in January 1998, six safety culture indicators were established as indicators for monitoring safety culture implementation. Those indicators are the following: 1. meeting between management and employees; 2. system for analyses of incident; 3. training activities related to improving safety culture; 4. meeting or activities with regulatory, contractors and facilities user; 5. survey, behavioural studies etc. carried out to determine employee attitudes; 6. resources allocated to promote safety culture activities.

After two years of the establishment of those indicators, monitoring and assessment in various activities in BATAN was conducted by a group which is in charge of the development of safety culture. The assessment was initially emphasized on the activities related to the operation of research reactor. It seemed that in general safety culture is well understood and become a part of their activities. The followings describe the assessment results for each indicator [3],

3.1. Meeting between management and employees It is obvious from technical and managerial point of view that the good communication between management and technical personnel is a necessary condition to obtain a best result of activity. Especially, in the nuclear activities where the safety becomes a major concern, daily activities must be monitored.

An example implementation of this safety culture indicator could be seen in the reactor research operation organization where the meeting between management and employees are conducted in daily, weekly and monthly basis and on request meeting. In such meeting several things are reported and discussed. The safety issues are generally put in the first priority to be discussed and solved. As a topic to be discussed in daily meeting are among others: daily condition of plant, availability of supporting

292 equipment, the readiness of the operator (in any shift hours), the check list result of the system and component, the log book and procedures. On the other hand, in the weekly meeting, the meeting concerns on the plant problem and the action performed, the planning of utilization of irradiation facilities, and the maintenance problems. During the monthly meeting, the topics which are discussed are the receiving dose of the worker and planning to improve the safety.

3.2. System for Analysis of Incident to Determine Human Factor and Lesson Learned to Improve Safety Culture. A well structured system for analysis of an incident was not implemented yet. However, as a meeting between management and employees could be conducted on daily, weekly and monthly basis, the incident which happens in the reactor could be promptly reported, discussed, and solved. On the other hand, there is a general guidance to the personnel (operators) how they must act and report if any incident occur.

When an incident was occurred and detected by operator, the immediate action to overcome that incident must be taken to bring the reactor in safe condition. Then, based on the report of the operator, the safety technical group or the safety technical committee study, analyses and tiy find the root cause. The results of the assessment are reported to the management level. The management level has responsible to give a final decision.

3.3. Training activities related to improving safety culture Realizing that the quality of human resources is an important factor to assure the safety of the installation, several training activities are regularly conducted. For example: practical training or exercise on fire fighting, exposure radiation scenario, and other formal training (class training) for operators. In all of training session, the importance of safety culture is generally reminded.

3.4. Meeting or activities with regulatory, contractors and facilities user The creation of an independent regulatory body is expected could strengthen the nuclear safety performance, especially through consistent implementation of safety culture. In order to achieve that goal, the meeting between two organization BATAN and BAPETEN are intensively organized. The meeting involves either the top level management or technical employees in both organization. On the other hand, BATAN and BAPETEN are actively organize meeting with industries and public to inform among other the nuclear safety enforcement. Especially, for industries which use a radioactive materials, the introduction of safety culture is given.

3.5. Survey, behavioural studies etc. carried out to determine employee attitudes In order to know the attention and attitude of employee on safety culture, a survey was performed using a questioner that is distributed to the employee. The result shows that awareness of the employee is good enough. In other part, a survey by conducting a dialog was also conducted. The result shows the same thing as questioner.

3.6. Resources allocated to promote safety culture activities In BATAN, the Center for Nuclear Safety Technology Development (CNSTD) is responsible for socializing, promoting, monitoring and evaluating the safety culture implementation. The activities are performed by a safety culture group which is set up under the Division of Safety Evaluation. On the other hand, in each nuclear facility, a division of work safety is available.

The promotion of safety culture is also carried out by conducting annual seminar where the representative of all facilities attend and report the safety culture implementation progress. Beside, the first publication of Nuclear Safety and Safety Culture Bulletin is issued.

293 4. CONCLUSIONS The establishment and implementation of safety culture in Indonesia has been described. First, a Policy Statement for safety of nuclear facilities from the top level management has been declared officially. To monitor the implementation of safety culture, six indicators is established. Based on those indicators, it is seemed that at present the progress of implementation of safety culture is on the right path. References

[1] ANTARIKSAWAN, A.R., SUBKI, I., 'Indonesian Requirements and Safety Objectives For Future Nuclear Power Plants,' Paper presented at IAEA - TCM on Approaches to Safety of Future Nuclear Power Plants in Different Countries, Vienna, (1995). [2] INTERNATIONAL ATOMIC ENERGY AGENCY, 'Basic Safety Principles for Nuclear Power Plants', 75-INSAG-3, (1988). [3] SUHARNO, Progress on The Six Safety Culture Indicators Indonesia, presented at Nuclear Safety Culture Workshop, Shanghai, (2000).

294