Safety Assessment of General Design Aspects of NPPs (Part 2)
IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
Safety Assessment of General Design Aspects of NPPs (Part 2)
Lecturer
Lesson III 1_2
Workshop Information: IAEA Workshop, City, Country, XX - XX Month, Year

Items for Discussion
- Review of Single Failure Criterion
- System Redundancy
- System Independence
- System Diversity
- Concept of Fail-Safe Design
- System Interactions and Dependencies
- Conduct of Single Failure Assessments

Review of Single Failure Criterion
- “... protection system shall be designed for high functional reliability and inservice testability commensurate with safety functions performed.”
- “Redundancy and independence designed into protection system shall be sufficient to assure:
  - 1. No single failure results in the loss of protective function ...
  - 2. Removal from service of any component or channel does not result in loss of required minimum redundancy unless acceptable reliability of operation of protection system can be otherwise demonstrated.”

Review of Single Failure Criterion
- “... protection system shall be designed to permit periodic testing of its functioning when reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.”
- Taken from US Title 10 Code of Federal Regulations, Part 50 Appendix A, General Design Criterion 21

Example of Potential Single Failure (figure)

System Redundancy
- System redundancy in all critical components is the first step to meeting the single failure criterion.
- Redundancy reduces system failure probability and thus improves reliability.
- To be redundant, each individual train must have sufficient capacity (design margin) to meet the functional requirements on its own.
- Two redundant trains alone do not meet the single failure criterion.
- Provisions are also needed for periodic on-line testing and for the ability to remove a channel from service.

System Redundancy (figure)

System Redundancy
- To permit on-line testing and maintenance, a minimum of 3 redundant trains or channels is typically used.
- To prevent spurious safety system operation (itself a potential safety concern), 2/3 coincidence in the actuation logic is most common.
- Current reactor protection systems use either 2/3 or 2/4 coincidence logic.
- IEEE Std. 279 (1971) and IEEE Std. 379 (1988) provide conservative guidance.

Example of Too Much Redundancy (figure)

System Independence
- The single failure criterion for redundant systems implies that redundant trains (or channels) are physically independent of each other.
- No common dependencies on power or environmental supports.
- Cross-connections are isolated so that a fault in one train cannot fail the redundant train.
- IEEE Std. 384 (1984) provides conservative guidance.

Example of Lack of Independence (figure)

Example of Lack of Independence (figure)

System Independence
- Independence is achieved by:
  - Routing cabling in physically separated metal conduits according to electrical design standards such as IEEE Std. 384 (1984).
  - Cross-connecting only through qualified electrical isolation devices.
  - Using optical isolators, NOT resistors.
  - Isolating fluid system cross-connections with check valves.

System Diversity
- The reliability of a redundant, independent safety system becomes limited by the potential for common cause failure.
- Example: a 2/4 train ECCS will typically have a failure probability in the 10^-4 to 10^-5 range.
- It is difficult to mathematically justify a common cause failure probability significantly lower than this range.
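The redundancy, coincidence-logic and common-cause points of the preceding slides, worked through as an added example (this is not code from the IAEA course): a k-of-n calculation for the fail-on-demand and spurious sides of 1/2, 2/2, 2/3 and 2/4 logic; a deterministic single-failure check of a channel line-up, including a channel removed from service; and a beta-factor common-cause model showing why adding trains cannot push the failure probability below the common-cause floor, while diverse trains can. The per-channel probabilities q and s, the beta factor, and the "trip" channel state (a channel under test placed in the tripped condition rather than bypassed) are assumptions made for illustration, not plant data.

```python
"""Worked numbers for the redundancy, coincidence-logic and common-cause slides.

Added example, not from the IAEA course material. The per-channel
probabilities q and s and the beta factor used below are illustrative
assumptions, not plant data.
"""
from math import comb


def k_of_n_fail_on_demand(k: int, n: int, q: float) -> float:
    """P(fewer than k of n channels respond to a real demand) when each
    channel fails independently with probability q: at least n-k+1 failures."""
    return sum(comb(n, j) * q ** j * (1 - q) ** (n - j) for j in range(n - k + 1, n + 1))


def k_of_n_spurious(k: int, n: int, s: float) -> float:
    """P(at least k of n channels trip with no demand) when each does so
    independently with probability s: the spurious-actuation side of k/n."""
    return sum(comb(n, j) * s ** j * (1 - s) ** (n - j) for j in range(k, n + 1))


def actuates_on_demand(k: int, channels) -> bool:
    """Evaluate k/n coincidence on a real demand. 'healthy' channels vote
    trip; a channel placed in 'trip' for testing always votes trip; 'failed'
    (stuck) and 'bypassed' channels cast no vote."""
    return sum(c in ("healthy", "trip") for c in channels) >= k


def meets_single_failure(k: int, channels) -> bool:
    """Deterministic check of the criterion on the logic level: actuation must
    survive any one remaining healthy channel failing stuck, in the channel
    line-up as it stands (including a channel removed for testing)."""
    for i, c in enumerate(channels):
        if c == "healthy":
            trial = list(channels)
            trial[i] = "failed"
            if not actuates_on_demand(k, trial):
                return False
    return True


def ccf_floor(k: int, n: int, q: float, beta: float) -> float:
    """Beta-factor model: a fraction beta of each channel's failure probability
    is a common cause that fails every channel at once. Only (1-beta)*q is
    reduced by the k/n voting, so the result cannot go below beta*q however
    many trains n has."""
    ccf = beta * q
    return ccf + (1 - ccf) * k_of_n_fail_on_demand(k, n, (1 - beta) * q)


def diverse_pairs_fail(q: float, beta: float) -> float:
    """1-of-4 pumps built as two diverse pairs (e.g. steam- and electric-driven).
    Each pair shares a common cause within itself only; the function fails
    only if both pairs fail. Assumes no common cause across the two types."""
    return ccf_floor(1, 2, q, beta) ** 2


if __name__ == "__main__":
    q, s, beta = 0.01, 0.001, 0.05      # assumed per-channel values
    print("logic   fail-on-demand   spurious")
    for k, n in ((1, 2), (2, 2), (2, 3), (2, 4)):
        print(f"{k}/{n}     {k_of_n_fail_on_demand(k, n, q):.2e}        {k_of_n_spurious(k, n, s):.2e}")
    lineups = {
        "2/2 all healthy":          (2, ["healthy"] * 2),
        "2/3 all healthy":          (2, ["healthy"] * 3),
        "2/3 one channel bypassed": (2, ["healthy", "healthy", "bypassed"]),
        "2/3 one channel in trip":  (2, ["healthy", "healthy", "trip"]),
        "2/4 one channel bypassed": (2, ["healthy"] * 3 + ["bypassed"]),
    }
    for label, (k, ch) in lineups.items():
        print(f"{label:26s} meets single failure: {meets_single_failure(k, ch)}")
    for n in (3, 4, 6):
        print(f"2/{n} with beta={beta}: {ccf_floor(2, n, q, beta):.3e}  (floor beta*q = {beta * q:.1e})")
    print(f"1/4 same type: {ccf_floor(1, 4, q, beta):.3e}   two diverse pairs: {diverse_pairs_fail(q, beta):.3e}")
```

Run it to print the table. The logic-level check reproduces the second GDC 21 clause: 2/3 with one channel simply bypassed no longer tolerates a single failure, whereas placing the channel under test in trip (leaving 1/2 of the remaining channels) does, at the cost of the higher spurious-actuation probability the 1/2 row shows; 2/4 tolerates a bypassed channel directly. The beta-factor rows show the 2/4 and 2/6 results converging on beta*q, and 1/4 split into two diverse pairs gets below that floor only because the model assumes no common cause shared across the two types.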
Common Cause Failures include
- Common design error or inadequate design margins
- Common manufacturing defects
- Common testing or system restoration errors
- Environmental degradation (dirt, grit, moisture)

System Diversity
- The potential significance of common cause failure warrants thorough consideration in safety assessments.
- Additional redundancy is NOT the way to address common cause failure.
- Component diversity is an acceptable way to address common cause failure.

Diversity Can Be Achieved By
- Use of different physical operating principles (e.g. steam- and electric-driven pumps).
- Use of different component manufacturers to eliminate common manufacturing defects.
- Use of different technicians to test, maintain, or restore operating equipment.

Concept of Fail-Safe Design
- The “fail-safe” concept originated with military concerns over accidental launch of missiles or detonation of weapons.
- The fail-safe concept requires systematic identification of the safe outcome of a system failure (e.g. no missile launch!).
- The central issue of the fail-safe concept is typically the identification of the de-energized state of systems and components.

Application of Fail-Safe Concept to NPPs
- Control rod clutches and electrical breakers should be designed to TRIP on loss of control power.
- Relay logic should TRIP on loss of power.
- The reactor protection system should be designed to TRIP on loss of power supply.
- ECCS recirculation valves should typically fail as-is.
- Pneumatic valves should be assessed to determine which state is safest on loss of air pressure.
- Solenoid operated valves should be assessed to determine which state is safest on loss of power.

Systems Dependencies & Systems Interactions
- Most NPP designs have redundant protection systems supported by redundant support systems (e.g. AC/DC power, cooling water, HVAC, etc.).
- Failure of one train of any one of these support systems can lead to a very complicated transient involving the sudden loss of ½ of all systems.
- World operating experience has shown that these events can be very severe.

Systems Dependencies & Systems Interactions
- System interactions caused by single failures (steam line rupture in a compartment, inadvertent automatic fire suppression operation) can cause significant components to fail simultaneously.
- Faults initiated by failed support systems and system interaction events should be considered in single failure assessments.

Conduct of Single Failure Assessment
- Excellent guidance on performing single failure assessments can be found in IAEA 50-SP-1 and IEEE Std. 352 (1987).
- A single failure assessment is deterministic in nature and is documented as an FMEA.
- Probability is only considered in dispositioning “incredible faults”.
- Purpose: to document single failure criterion compliance for the safety systems credited in the accident analysis.
- Inputs are comparable to those needed for PSA (frequently the FMEA is conducted in parallel with the PSA).

Conduct of Single Failure Assessment
- Documentation required:
  - All electrical schematics, piping & instrument drawings, isometrics (fluid systems only).
  - Equivalent schematics for all support systems.
  - All electrical/mechanical specifications.
  - System descriptions.
  - Operating manuals and operating procedures.
  - Test/maintenance procedures.
  - Operating history reports for similar equipment at other NPPs.

Conduct of Single Failure Assessment
- Systematic identification of PIEs (Postulated Initiating Events).
- Identification of the systems credited (timing, operation mode) in the accident analysis.
- Collapse credited systems and support systems into a single list of credited functions.
- Support system FMEA used to identify any systems interaction transients requiring further accident
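The deterministic single-failure FMEA of the last three slides, together with the support-system dependency and fail-safe points before them, as an added example (not the IAEA course's own tool): a dependency model of a two-train plant in which every item is postulated to fail in turn, losses are propagated through the support systems, and each credited function is checked against its minimum number of trains. Reactor protection trains are modelled as de-energize-to-trip, so loss of their DC supply is the credited state rather than a loss; compartment hazards (steam line rupture, inadvertent fire suppression) are modelled as items that everything in the room depends on. The plant layout, item names and the one planted independence defect (pump B's room cooler fed from train A) are assumptions constructed for the example.

```python
"""Single-failure FMEA over a plant dependency model.

Added example for the single-failure-assessment and systems-interaction
slides. It is not the IAEA course's own tool; the plant below is constructed
for illustration and deliberately contains one independence defect.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Item:
    deps: FrozenSet[str]            # supports this item needs to perform its function
    loss_of_support: str = "fails"  # "safe": the de-energized state is the credited state


def item(*deps: str, loss_of_support: str = "fails") -> Item:
    return Item(frozenset(deps), loss_of_support)


# Constructed two-train plant (assumption, not a real design).
PLANT: Dict[str, Item] = {
    "DC-A": item(), "DC-B": item(),
    "AC-A": item("DC-A"), "AC-B": item("DC-B"),      # bus breakers need DC control power
    "SW-A": item("AC-A"), "SW-B": item("AC-B"),      # service water pumps
    "HVAC-A": item("AC-A"), "HVAC-B": item("AC-B"),  # pump room coolers
    "ROOM-A": item(), "ROOM-B": item(),              # compartment hazards (steam line break, fire suppression)
    # de-energize-to-trip: loss of DC puts the train in its credited state
    "RPS-A": item("DC-A", loss_of_support="safe"),
    "RPS-B": item("DC-B", loss_of_support="safe"),
    "ECCS-PUMP-A": item("AC-A", "SW-A", "HVAC-A", "ROOM-A"),
    # independence defect planted for the example: pump B's room cooler is on train A
    "ECCS-PUMP-B": item("AC-B", "SW-B", "HVAC-A", "ROOM-B"),
    "ECCS-MOV-A": item("AC-A", "ROOM-A"), "ECCS-MOV-B": item("AC-B", "ROOM-B"),
}

# Credited functions: minimum trains required, and the items each train needs.
FUNCTIONS: Dict[str, Tuple[int, List[Tuple[str, ...]]]] = {
    "reactor trip": (1, [("RPS-A",), ("RPS-B",)]),
    "ECCS injection": (1, [("ECCS-PUMP-A", "ECCS-MOV-A"), ("ECCS-PUMP-B", "ECCS-MOV-B")]),
}


def lost_items(plant: Dict[str, Item], failed: str) -> set:
    """Transitive set of items that lose function when `failed` fails.
    An item whose de-energized state is the safe one survives loss of a
    support; it is only lost when it fails itself."""
    lost = {failed}
    changed = True
    while changed:
        changed = False
        for name, it in plant.items():
            if name not in lost and it.deps & lost and it.loss_of_support != "safe":
                lost.add(name)
                changed = True
    return lost


def defeated_functions(plant: Dict[str, Item], functions, lost: set) -> List[str]:
    """Credited functions left with fewer available trains than required."""
    out = []
    for fn, (required, trains) in functions.items():
        available = sum(all(i not in lost for i in train) for train in trains)
        if available < required:
            out.append(fn)
    return out


def fmea(plant: Dict[str, Item], functions):
    """One row per postulated single failure: (item, consequential losses, defeated functions)."""
    rows = []
    for name in plant:
        lost = lost_items(plant, name)
        rows.append((name, sorted(lost - {name}), defeated_functions(plant, functions, lost)))
    return rows


def non_compliant(plant: Dict[str, Item], functions) -> Dict[str, List[str]]:
    """Single failures that defeat a credited function: the criterion is not met."""
    return {name: fns for name, _, fns in fmea(plant, functions) if fns}


def with_fix(plant: Dict[str, Item]) -> Dict[str, Item]:
    """Same plant with pump B's room cooler moved to its own train."""
    fixed = dict(plant)
    fixed["ECCS-PUMP-B"] = item("AC-B", "SW-B", "HVAC-B", "ROOM-B")
    return fixed


if __name__ == "__main__":
    for name, losses, fns in fmea(PLANT, FUNCTIONS):
        flag = "  <-- DEFEATS " + ", ".join(fns) if fns else ""
        print(f"{name:12s} also loses {len(losses):2d}: {', '.join(losses)}{flag}")
    print("after fix:", non_compliant(with_fix(PLANT), FUNCTIONS))
```

Running it prints one FMEA row per postulated failure. The support-train rows show the "half the plant" pattern the slides describe: a DC-A failure takes the whole A side of AC power, service water, room cooling and ECCS with it, and because of the planted cross-train dependency it also takes ECCS pump B, so three different single failures (DC-A, AC-A, HVAC-A) defeat ECCS injection, while no single failure defeats reactor trip because the trains trip on loss of power. Re-running on the corrected model returns an empty non-compliance list, which is the compliance record the assessment is meant to produce.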