Most reactors in operation nowadays are light water reactors (LWR). The licensing and safety basis for them has been mainly deterministic. This approach has been in use since the beginning of commercial nuclear power in the 1950s. The purpose of this chapter is to discuss what this deterministic basis is and how it has been used, with emphasis on the US and German experience. This emphasis is because the first Brazilian reactor is of Westinghouse design, while the second one is of KWU (Kraftwerk Union)/Siemens/Areva design. Both designs are pressurized water reactors (PWR).
This chapter starts with the discussion of safety criteria, consideration of the defense in depth approach and deterministic criteria (safety margins), and the discussion of design basis accidents, including plant safety systems for meeting safety design criteria (IAEA, 2009a), Ahn et al (2010).
The approaches used thus far for safety analyses of LWRs have been essentially deterministic, where engineering judgment and conservatism have been used to address uncertainties. An example of this approach is the consideration of design basis accidents (such as large loss of coolant accidents, LOCA). They have been defined by arbitrarily combining initiating events with single failures (for example, loss of an injection pump), Kim et al (2010).
The inception of risk-informed decision making was in the 1970s, with the publication of the Reactor Safety Study NRC (1975), although it was initially named probabilistic risk assessment in the US. Since then, many improvements have been achieved but risk criteria have not as yet been established.
The risk-informed approach has been adopted by the US Nuclear Regulatory Commission (NRC) as an aid in the licensing and safety basis of US nuclear power plants. This means that the formal licensing process is to be approached by deterministic and probabilistic methods. The risk-informed approach may represent the formal presentation of a level 3 probabilistic safety assessment (PSA), so that plant risk curves are available. However, regulators do not as yet have risk criteria for this purpose, so that PSAs are recommended but their results are not compared to any criteria. Instead, there is a criterion concerning level 1 PSAs (in this case, the reactor core degradation frequency is estimated), and this is the central feature of risk-informed decision making nowadays, NRC (2002).
The risk-informed approach will be discussed in the light of the experience of US plants. Approaches in other countries will also be presented and the experience gained will be commented on, Kadak & Matsuo (2007).
2. Basic definitions
Safety analysis is the study, examination and description of a nuclear installation's expected behavior throughout its life, under normal and transient conditions, and also under postulated events, in order to determine: a) the safety margins provided in normal operation and in transient regimes; b) the adequacy of items to prevent the consequences of accidents that may occur.
Safety assessment is the systematic and independent evaluation carried out by the regulator on the submitted safety analysis. It is used to support and subsidize the licensing decision on the plant acceptability, once the risk associated with its operation is known.
Inspection is the core activity performed by the regulator to verify compliance with regulatory requirements, whether general or expressed in the terms of licenses and permits, and to enforce them through coercive actions.
Regulatory inspection is the examination, observation, measuring, testing and verification of documentation executed by the regulator during any stage of the licensing process, to ensure compliance of materials, components, systems, structures, operational activities, processes, procedures and qualification of personnel with requirements pre-established or determined by the regulatory body.
Figure 1 displays the general Brazilian licensing process, where the definitions discussed herein play an important role.
The Preliminary Safety Analysis Report (PSAR) is one of the reports of the application for a building permit. It aims at demonstrating that the applicant is qualified to manage the construction application by providing design-related technical information to the regulator.
The Final Safety Analysis Report (FSAR) presents the final analysis and evaluation of plant design, as constructed, and the behavior of items in order to assess the risk to health and safety of the population as a whole, resulting from the installation and considering the information provided since the presentation of the PSAR.
A discussion on PSA meaning will be presented in Section 7 in the context of risk-informed decision making.
3. Defense in depth
The basic philosophy of nuclear power plant design has been described as defense in depth expressed in terms of three safety levels (NRC). These levels cover a variety of considerations that often intertwine, so that the allocation of certain aspects of the project to one level or another is somewhat arbitrary. However, these levels are useful to indicate the various stages in the safety design of a nuclear power plant. NRC defines each safety level through ordinances or rules. The basic purpose of reactor safety is to maintain the integrity of multiple barriers against the release of fission products. This integrity is supported by a defense in depth approach on three safety levels: a) prevention; b) protection; c) mitigation.
However, it has been more convenient to subdivide the second safety level (protection) into three new levels. Therefore, the implementation of the defense in depth concept is made through five levels whose objectives and essential means are displayed in Table 1, IAEA (1996). The role of each safety level can be clearly seen in the table. One desirable effect of the defense in depth concept is that the plant that adopts it tends to be more resilient to failures.
Table 1. Objectives and essential means of the defense in depth approach, IAEA (1996)

| Level | Objective | Essential means |
|---|---|---|
| 1 | Prevention of abnormal operation and/or failures | Conservative design; high quality in construction and operation |
| 2 | Control of abnormal operation and detection of failures (protection) | Control systems |
| 3 | Accident control within design basis (protection) | Engineered safety features |
| 4 | Control of severe plant conditions (protection) | Complementary measures |
| 5 | Mitigation of radiological consequences of significant radioactive releases | Off-site emergency response |
4. Accident analysis
The construction and operation of nuclear power plants requires the submission of a safety analysis report which must contain an analysis of a wide range of conceivable abnormal events. The purpose is to demonstrate that the project provides a means to control these events or otherwise accommodate their consequences without undue risk to health and safety of the public.
Analyzed conditions include: a) small transients that occur with moderate frequency and represent minor hazards; b) unlikely accident situations that can have serious consequences and therefore require different measures to protect the public.
Safety analysis is concerned with the potential effects of every conceivable (or anticipated) transient that may occur as a result of: a) operational malfunctions, e.g., human errors or small instrumentation or other equipment failures, or b) serious mechanical failures of different types.
Transients of moderate frequency can result from operational occurrences (or other), which create an imbalance between heat generation in the fuel and its removal: a) thermal power increase, caused by: a.1) decrease of coolant temperature; or a.2) removal of control material (burnable poisons); b) decrease in cooling efficiency.
As to low frequency events, there can be: a) small pipe ruptures; b) loss of flow accidents (LOFA); and c) design basis accidents (DBA).
Small pipe ruptures are more serious when they occur in an inlet line of the pressure vessel of a PWR primary circuit. The reactor is shut down by the reactor protection system (RPS), but there is loss of water to the containment (vapor flashing also occurs). In general, for breaches of equivalent diameter smaller than 0.5", the chemical and volume control system (CVCS) compensates for the inventory losses of the reactor coolant system (RCS).
Should a loss of off-site and on-site power occur, all pumps eventually stop and the result is a loss of flow accident (LOFA). However, power will in general be available through the emergency diesel generators within about 10 s. Meanwhile, the reactor is shut down upon receiving a loss of flow signal, and steam is removed automatically from the turbine (steam dump). As there is some energy production during steam withdrawal, the recirculation pumps typically remain connected to the main generator bus for about 10 seconds. Recirculation during pump shutdown and some natural circulation of the coolant are usually sufficient to prevent the critical heat flux condition after the reactor trip.
Design basis accidents involve the postulated failure of one or more major systems and an analysis based on conservative assumptions (e.g., pessimistic estimates of fission product releases). It must be shown that the radiological consequences are within preset limits. These accidents serve as a basis for assessing the general acceptability of a particular reactor design. Design basis accidents are classified as follows (Knief, 1993): a) overcooling - increased heat removal on the secondary side; b) subcooling - reduced heat removal on the secondary side; c) overfilling - increased inventory of reactor coolant; d) loss of flow - decreased RCS (reactor coolant system) flow; e) coolant loss - loss of reactor coolant inventory; f) reactivity - reactivity and power distribution anomalies in the reactor core; g) ATWS - anticipated transients without scram; h) spent fuel and waste system - radioactivity release from a spent fuel element or from a subsystem or reactor component; i) external events - natural or man-made events that can affect plant operation and safety systems.
A major break in a steam line results in a cold-water reactivity insertion (overcooling) in multi-loop systems. This event causes liquid flashing on the secondary side of the steam generators. The secondary fluid cools the primary by removing heat from it (overcooling), with important implications for the reactivity balance.
In accidents related to overcooling, or others that require a rapid reduction in temperature in support of depressurization, the pressurized thermal shock (PTS) phenomenon is a concern of great importance. It is a boundary condition of reactor vessel integrity. It may occur during a system transient that first causes severe overcooling of the inner surface of the vessel wall and then results in high repressurization. If there is significant degradation due to radiation embrittlement and if there are defects of critical size in the vessel wall, the vessel may fail. PTS is prevented by operating within temperature-pressure boundary curves, which are periodically revised to reflect the current condition of the vessel, particularly in terms of radiation embrittlement. This approach tends to lead to increasing restrictions on the operating window for plant heating (heatup) and cooling (cooldown) as the plant ages.
The anticipated transient without scram (ATWS) has two general characteristics: a) it starts with a transient whose occurrence is anticipated one or more times in the reactor's life; b) the subsequent reactor trip does not occur (that is, a failure occurs). This failure, especially in the case of a reactivity insertion (control rod withdrawal), is countered by negative reactivity feedbacks that diminish the reactor power level, or at least diminish its growth. Adequate reliability of the control rods and of the reactor protection system is important to prevent such events.
A large rupture or leak in one or more steam generator (SG) tubes of a PWR results in a particular loss of coolant accident (LOCA) scenario because primary coolant passes directly to the secondary side. In addition to being radioactive, the coolant also represents an irretrievable loss of inventory in the containment building. The response to this accident includes isolation of damaged generators and rapid cooling and depressurization, to reduce the coolant loss, where care must be taken to avoid other accidents (e.g., PTS).
A loss of coolant accident (LOCA) occurs in general when there is loss of inventory in the primary system through a rupture of equivalent diameter larger than 0.5" (for ruptures with equivalent diameter smaller than 0.5", the chemical and volume control system (CVCS) compensates for the inventory losses). Three types of LOCA are typically considered: a) small LOCAs: for equivalent rupture diameters between 0.5" and 3"; b) medium LOCAs: for equivalent rupture diameters between 3" and 6"; c) large LOCAs: for equivalent rupture diameters from 6" up to the double-ended or guillotine break of a reactor coolant system (RCS) cold leg, this rupture being considered one of the design basis accidents.
The events that occur within the first 2 min following a design basis LOCA in a PWR are: a) blowdown: in which the reactor coolant is expelled from the reactor vessel; b) refill: when emergency cooling water begins to fill the reactor vessel starting from the bottom of the core; c) reflood: when the water level rises enough to cool the whole reactor core.
In general, the emergency core cooling system (ECCS), one of the engineered safety features, should be designed to meet the following criteria under a postulated design basis LOCA in a PWR: a) the calculated maximum cladding temperature after the accident should not exceed 2200 °F (1204 °C); b) the calculated total cladding oxidation due to the interaction of zircaloy with hot steam should not exceed 17% of the total cladding thickness before oxidation; c) the total amount of H2 generated shall not exceed 1% of the hypothetical amount that would be generated if all the cladding material around the pellets reacted; d) calculated changes in geometry, e.g., in fuel rod diameter and spacing, should be such that the core can still be cooled; e) the calculated core temperature, after successful ECCS start, must be kept appropriately low for the time necessary for the decay of the long half-life fission products in the reactor core. More details on LOCA analysis may be found in Glasstone & Sesonske (1994).
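The break-size classification of the previous paragraphs and the five ECCS acceptance criteria above can be turned into a single deterministic check. The following is an added example, not code from the chapter or from any vendor analysis tool: the class boundaries (0.5", 3", 6") and the limits (2200 °F, 17% oxidation, 1% hydrogen, coolable geometry, long-term cooling) are the ones stated in the text, while the two sample analysis results, the class names and the criterion labels are constructed for illustration.

```python
"""Acceptance check of a postulated PWR LOCA against the ECCS criteria.

Added example: not code from the chapter. Break-size classes and acceptance
limits are the ones the text states; the sample results are constructed.
"""
from dataclasses import dataclass

# Break-size classes by equivalent rupture diameter, in inches (from the text).
# Lower bound inclusive, upper bound exclusive; class names are constructed labels.
LOCA_CLASSES = (
    ("CVCS-compensated leak", 0.0, 0.5),
    ("small LOCA", 0.5, 3.0),
    ("medium LOCA", 3.0, 6.0),
    ("large LOCA", 6.0, float("inf")),
)

# ECCS acceptance limits for a design basis LOCA (from the text).
PCT_LIMIT_F = 2200.0      # a) peak cladding temperature, in °F (1204 °C)
OXIDATION_LIMIT = 0.17    # b) fraction of the pre-accident cladding thickness
H2_LIMIT = 0.01           # c) fraction of the H2 from a hypothetical full cladding reaction


def classify_break(equiv_diameter_in: float) -> str:
    """Map an equivalent break diameter (inches) onto the LOCA classes of the text."""
    if equiv_diameter_in < 0:
        raise ValueError("equivalent diameter must be non-negative")
    for name, lower, upper in LOCA_CLASSES:
        if lower <= equiv_diameter_in < upper:
            return name
    raise AssertionError("unreachable: the classes cover [0, inf)")


def celsius_to_fahrenheit(t_c: float) -> float:
    """The criteria are stated in °F; analysis codes usually report °C."""
    return t_c * 9.0 / 5.0 + 32.0


@dataclass(frozen=True)
class LocaAnalysisResult:
    """Outcome of a thermal-hydraulic LOCA calculation (constructed values below)."""
    equiv_break_diameter_in: float
    peak_clad_temp_c: float          # calculated maximum cladding temperature
    clad_oxidation_fraction: float   # oxidized thickness / initial thickness
    h2_fraction_of_total: float      # H2 generated / H2 if all cladding reacted
    geometry_coolable: bool          # d) core still coolable after deformation
    long_term_cooling_ok: bool       # e) core kept cool long enough after ECCS start


def evaluate_eccs(result: LocaAnalysisResult) -> list:
    """Return the list of violated criteria; an empty list means all five are met."""
    violations = []
    if celsius_to_fahrenheit(result.peak_clad_temp_c) > PCT_LIMIT_F:
        violations.append("a_peak_clad_temperature")
    if result.clad_oxidation_fraction > OXIDATION_LIMIT:
        violations.append("b_clad_oxidation")
    if result.h2_fraction_of_total > H2_LIMIT:
        violations.append("c_hydrogen_generation")
    if not result.geometry_coolable:
        violations.append("d_coolable_geometry")
    if not result.long_term_cooling_ok:
        violations.append("e_long_term_cooling")
    return violations


# Constructed sample results, not taken from any real plant analysis.
PASSING_CASE = LocaAnalysisResult(8.0, 1050.0, 0.08, 0.004, True, True)
FAILING_CASE = LocaAnalysisResult(2.0, 1250.0, 0.20, 0.006, True, True)


def report(result: LocaAnalysisResult) -> str:
    """One-line verdict combining the break class and the criteria check."""
    violated = evaluate_eccs(result)
    verdict = "acceptable" if not violated else "NOT acceptable: " + ", ".join(violated)
    break_class = classify_break(result.equiv_break_diameter_in)
    return f'{break_class} ({result.equiv_break_diameter_in}"): {verdict}'


if __name__ == "__main__":
    for case in (PASSING_CASE, FAILING_CASE):
        print(report(case))
```

Two details matter for a check like this: the unit conversion is done on the analysis value rather than on the limit, so 1204 °C lands just under the 2200 °F limit as the text states, and the criteria are evaluated independently so that every violated limit is listed rather than only the first one found.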
Companies that sell reactors must provide analysis tools through which one can establish that the proposed reactor is designed to meet the criteria for emergency core cooling. These tools are generally complex computer programs that use thermal hydraulic models for calculating fuel and cladding temperatures, and other relevant situations and reactor characteristics. These tools should include means for calculating: a) energy sources; b) hydraulic parameters; c) heat transfer mechanisms of various hypothetical accident stages.
Different calculation programs have been developed and are being refined in order to calculate characteristic parameters, such as: a) coolant flow rates; b) enthalpy; c) coolant, fuel, and cladding temperatures; d) system pressure, under steady state and transient conditions.
Central to the above calculations is the notion of nodalization. Real reactor circuits must be nodalized, that is, a set of nodal volumes and junctions is defined and entered into the calculation programs to perform the desired safety calculations. An example of these nodalization procedures may be found in Borges et al (2001) concerning the Angra 2 power plant.
5. Severe accidents and accident management
Severe accidents are those characterized by at least initial core damage, typically specified as the exceeding of regulatory fuel limits, for example 1200 °C in the fuel cladding, as discussed in Section 4.
The need for considering severe accidents became apparent upon the issuance of the Reactor Safety Study (which will be briefly discussed in Section 7), NRC (1975), where a probability of the order of 1 in 20,000 per reactor-year was estimated for core melt. This value was apparently higher than the one implicitly estimated for the reactors operating at that time (Petrangeli, 2009). This calculated figure meant an expected core melt every 40 years, although the Reactor Safety Study itself estimated that only about one in 100 core melt events could cause severe health consequences (up to 10 casualties). It is noteworthy that the Three Mile Island event reinforced and confirmed the need that had initially arisen for progress in nuclear safety by considering possible events beyond the design basis.
IAEA (2000a) defines a severe accident as a very low probability plant state beyond design basis accident conditions (like those discussed in Section 4), which may arise due to multiple failures of safety systems leading to significant core degradation. These failures may jeopardize the integrity of many or all of the barriers to the release of radioactive material.
IAEA (2000a) also mentions that the consideration of severe accidents shall not be performed as for design basis accidents, that is, by adopting conservative assumptions. Rather, realistic or best estimate assumptions, methods and analytical criteria should be employed.
In this sense, important event sequences that may lead to severe accidents shall be identified using a combination of probabilistic and deterministic methods and engineering judgement. Next, these event sequences are to be reviewed against a set of criteria aimed at determining which severe accidents shall be addressed in safety analysis.
Accident management has arisen to cope with severe accidents. IAEA (2000b) establishes some requirements on severe accident management and accident management in the operation of nuclear power plants. According to this, plant staff shall receive instructions in the management of accidents beyond design basis.
Examples of event sequences for PWRs in this context have been considered in the Reactor Safety Study (NRC, 1975), such as a large-break LOCA with loss of all ac power and a transient-induced accident. The latter is caused by an event that requires reactor trip combined with a station blackout, i.e., the loss of all power, as well as the loss of the capability of the secondary system to remove heat from the primary circuit.
External events might also play an important role in severe accident management since they are an important source of energy for the reactor (Knief, 1992).
IAEA (2009b) discusses severe accident management programs for nuclear power plants. D’Auria & Galassi (2010) discuss important features on scaling in nuclear reactors that might be relevant for severe accident management. As mentioned earlier, as best estimates are to be used in severe accident management rather than conservative estimates, uncertainty analysis plays a dominant role in this field. Na et al (2004) present an approach for the prediction of major transient scenarios for severe accidents in nuclear power plants by using artificial intelligence.
6. Licensing of nuclear power plants
The licensing of nuclear power reactors is a formal activity that constitutes a permanent process of decision making, involving the issuance of licenses, permits, amendments or their cancellations, covering issues involving the safety of nuclear reactors, and the radiological protection of operators, the general population and the environment.
Decision making is performed based on the results of two complementary activities: a) safety assessment; and b) inspection.
The decision should consider whether there is sufficient assurance that the facility operation will not result in undue risk to: a) population, b) operators and c) the environment.
The licensing process of nuclear facilities is regulated by standard CNEN-NE-1.04 (CNEN, 1984), in force since 1984. The issuance of licenses or permits shall be preceded by the applicant request together with information, data, plans and reports, whose content is described in the standard.
6.2. Applicable standards
There are over 40 standards in force in CNEN (Brazilian Nuclear Energy Commission), and 20 apply to nuclear power reactors. In the absence of appropriate standardization, codes and guidelines of the International Atomic Energy Agency (IAEA), are preferably used, where necessary. Table 2 displays the most important nuclear standards concerning nuclear power reactors issued by CNEN. These standards may be found in cnen.gov.br.
6.3. The licensing process
The licensing process requires the issuance by CNEN of the following acts: a) Site Approval (AL); b) Construction License (LC); c) Authorization for Nuclear Material Use (AuMN); d) Authorization for Initial Operation; e) Authorization for Permanent Operation (AOP).
The various reports and programs per act required during the licensing process are presented below.
For site approval: a) Site Report; and b) Preliminary Program of Pre-Operational Monitoring.
Table 2. Main CNEN standards concerning nuclear power reactors

| Standard | Title |
|---|---|
| NE-1.01 | Reactor Operator Licensing |
| NE-1.04 | Licensing of Nuclear Installations |
| NN-1.12 | Qualification of Technical Independent Oversight Bodies in Nuclear Facilities |
| NE-1.14 | Report of Nuclear Plants Operating |
| NN-1.15 | Independent Technical Supervision in Quality Assurance Activities |
| NE-1.16 | Quality Assurance for nuclear-power plants |
| NE-1.17 | Personnel Qualification and Certification for Non-Destructive Testing Items in Nuclear Facilities |
| NE-1.22 | Meteorological Programs in Support of nuclear-power plants |
| NE-1.26 | Safety in Operation of nuclear-power plants |
| NE-2.01 | Physical Protection of Nuclear Operating Units of Area |
| NN-2.03 | Fire Protection in nuclear-power plants |
| NE-3.01 | Basic Guidelines for Radiation Protection |
For the Construction License (LC): a) Preliminary Safety Analysis Report (PSAR); b) Preliminary Plan of Physical Protection (PPPF); c) Quality Assurance Program (QAP); and d) Preliminary Plan for Personnel Training.
The following activities do not depend on a previous license: a) site excavation; b) infrastructure preparation; c) buildings not intended for safety-important items; and d) system components manufacturing.
Obligations during plant construction: a) report of deficiencies in the executive project, construction and pre-operational phase with impact on safety; b) progress report of activities; c) results of the programs of research and development (R & D) designed to solve safety problems; d) reports on equipment storage; e) audit programs on contractors; f) procedure for pre-operational tests, and g) submit to resident construction inspection.
Authorization for Initial Operation (AOI): a) Final Safety Analysis Report (FSAR); b) answers to LC constraints; c) authorization for nuclear material use; d) final plan for physical protection (FPF); e) radiation protection plan; f) fire protection plan; g) commissioning program; h) test procedures; i) Quality Assurance Program (PGQ); j) operating procedures manual; k) local emergency plan (PEL); l) operator team licensed by CNEN; m) civil responsibility insurance against damages; and n) submit to resident inspection.
Authorization for Permanent Operation (AOP): a) initial report of operations; b) commissioning report, and c) responses to AOI requirements.
During Operation: a) periodic reports; b) operational event reports; c) report to CNEN in Emergencies; d) shutdown planning; e) technical specification changing requests; f) technical modification requests; g) operator licenses reassessment; h) safety periodic review (each 10 years); i) response to CNEN requirements; j) submit to periodical inspections; and k) submit to resident inspection.
For safety review and assessment activities, four basic procedures are used: a) comparison with other facility used as a reference; b) verification of requirement, standard, and specification adherence; c) design verification through independent calculations; and d) incorporation of requirements arising from international experience in nuclear technology.
The verification of compliance requirements is made through a detailed examination of normative and support documents, identifying clearly the criteria that support the regulator assessment.
The analysis of the document or activity being evaluated is performed by comparing it with the regulator assessment criteria and/or previous requirements issued, following proper procedures for each type of task, such as: a) operational event; b) modification project; c) technical specification changes; d) Accident Analysis; e) periodical reports; and f) system and component design.
Next, a balance of deficiencies and nonconformities is performed.
The final product of the safety assessment is a technical advice. This document must contain the basis of the judgement and conclude in a clear and concise way on the acceptability of the document or activity under review. If there are deficiencies or nonconformities, requirements for the implementation of corrective actions should be issued.
The objectives of independent calculations are: a) verify the completeness and adequacy of the analysis performed by the designer; and b) provide the regulator technical staff with experience and knowledge about phenomena and modeling techniques associated with the facility operation in normal or accident conditions.
Lessons learned through international operating experience and nuclear accidents are permanent sources of improvement of licensing requirements adopted by CNEN.
Inspection activity takes place throughout all licensing phases, through witnessing, inspections and audits. Inspections may be reactive or routine. Reactive inspections (announced or not) depend on the project phase or on the occurrence of a significant event that requires verification. For reactors in permanent operation, routine checks follow a regular program, which is established on an annual basis.
Regulatory Inspections are formal activities conducted by a team of inspectors which follows a previously prepared checklist, considering: a) inspection requirements (standards, license or permit terms, etc); b) examination of documents that regulate the inspected activity, such as: b.1) quality assurance program; b.2) operation manual; b.3) technical codes or standards; b.4) design specifications; b.5) FSAR applicable sections; b.6) checking of requirements not fulfilled in previous inspections.
During the plant construction and operation phases, CNEN keeps a team of resident inspectors, which performs daily monitoring of the plant and issues periodic audit reports. These reports describe the inspection activities, identify non-compliances and formulate proper requirements for the licensed facility to deploy appropriate corrective actions, when necessary. Figure 2 displays CNEN's inspection approach.
Tasks of power reactor licensing are performed through acts. These acts are related to the different steps during the licensing process: a) pre-licensing; b) site approval; c) construction issuance; d) during construction; e) AOP Issuance; f) operation monitoring. Acts related to pre-licensing involve: a) management contacts; b) verification of project objectives and preliminary schedules; and c) team meetings on licensing, quality systems and safety analysis.
Acts related to site approval involve: a) site report assessment (demographics, seismology, hydrology, meteorology, geography, and external events); b) emergency plan viability; and c) interaction with the environmental licensing (through the Brazilian environmental agency, IBAMA).
Acts related to construction issuance involve: a) PSAR examination and evaluation to check the safety concept acceptability of the plant design (design basis accidents, philosophy, design approach, experimental support, safety research, reference plant, standards adopted in the design and fabrication, program quality assurance and development of major providers, training program for human resources) ; and b) assessment of the pre-operational environmental monitoring program.
Acts during construction: a) assessment of safety deficiencies identified during the executive design, construction, assembly or pre-operational tests, from non-conformities recorded in the context of the Quality Assurance Program, from deviations from the criteria and design basis as stated in the PSAR, or arising from significant damage during construction, assembly or testing; b) FSAR review to check whether the final design specification confirms the safety analysis findings; c) inspection of the implementation of the procedures established in the QAP, of the compliance of the facility as constructed with the licensed design, and of the adequacy of tests of structure and system integrity as well as of functional tests of components and systems; d) monitoring of international experience, with emphasis on the reference installation, to identify any additional measures that need to be required to improve the safety of the facility under construction.
Acts during AOP issuance: a) assessment of compliance with all LC and AOI conditions; b) assessment of compliance with all CNEN safety significant requirements in earlier stages; c) beginning of resident inspection; d) procedure analysis and witness of integrated tests including loading tests; e) initial criticality; f) low power physical tests and other tests; g) initial operation report (ROI) evaluation to determine the adequacy of commissioning program to demonstrate foundations of safety analysis; h) survey of international safety standard and licensing evolution since the last license or permit issued.
Acts related to operation monitoring: a) resident inspection to verify compliance with terms set out in the AOP, particularly in relation to technical specifications; b) safety assessment on requirement and restriction compliance expressed in AOP; c) conduction of periodic inspection and audit program on activities that affect quality and are safety significant; d) assessment of operational safety by examining periodic operation reports, of consolidation of CNEN issued requirements and the examination of significant event reports; e) control and daily record of operational activities; f) assessment of technical change applications to be introduced in the licensed project or technical specifications changes; and g) monitoring of international operating nuclear reactors experience.
6.4. PSAR and FSAR
The minimum content of the PSAR comprises: a) description and safety analysis of the site for the facility; b) facility description and analysis with special attention to design features and operation; c) preliminary design of the facility, with emphasis on: c.1) the main criteria; c.2) the design bases and their relationship with the main criteria, and c.3) information related to building materials, arrangement and approximate dimensions; d) preliminary analysis and evaluation of project performance and installation of items in order to assess the risk to the health and safety of people (safety margins for normal operation and transient conditions and adequacy of the items designed for accident prevention); e) description and justification of the choice of variables, based on the preliminary analysis and assessment, that will be subject to technical specifications, and f) description of the control systems for the release of effluents and radioactive waste.
FSAR must include information that: a) describes the facility; b) provides the basis for the project; c) defines the limits of operation, and d) allows a safety analysis of the installation as a whole.
FSAR should allow for a: a) perfect understanding of the system design; and b) clear display of the relationships between the system design and safety assessments.
FSAR should also contain information relating to plant operation, such as: a) quality assurance; b) program of pre-operational tests and initial operation; c) program for the conduct of operation, including: c.1) maintenance; c.2) periodic tests of items, and d) proposed technical specifications (TS).
Table 3 displays the FSAR contents.
Chapter 17 of the FSAR is the only one written in Portuguese for Brazilian power plants, because all FSAR chapters except this one are prepared by the vendor; the chapter on quality assurance is prepared by the licensee itself.
A Chapter 19 on probabilistic safety assessment (to assess core melt frequency, the so-called Level 1 PSA, as discussed in Section 7) is to be added to the FSAR for Brazilian power plants.
6.5. Licensing of Angra 1 nuclear plant
The licensing of Angra 1 has been governed by CNEN-NE-1.04 and has been based on the American model of the Nuclear Regulatory Commission (NRC).
An operating life of 40 years was used in the design and considered in the safety assessment review for the issuance of the Provisional Authorization of Operation (APO) in 1984, and later in the Authorization for Initial Operation (AOI) in 1987 and the Authorization for Permanent Operation (AOP) in 1994.
In the AOP, the 40-year period was counted from 1984 as its basis, and a review of the authorization to ratify or amend its terms is scheduled every 10 years. This ensures a periodic safety assessment review, keeping the licensing bases of the CNEN-NE-1.26 standard.
Table 3. FSAR contents

| Chapter | Title |
|---|---|
| 01 | Introduction and General Description |
| 03 | Design of Structures, Components, Equipment and Systems |
| 05 | Reactor Coolant System and Connected Systems |
| 06 | Engineered Safety Features |
| 07 | Instrumentation and Control |
| 10 | Steam and Power Conversion System |
| 11 | Radioactive Waste Management |
| 13 | Conduct of Operations |
| 14 | Initial Test Program |
| 17 | Garantia de Qualidade (Quality Assurance) |
| 18 | Human Factors Engineering |
The General Design Criteria adopted are those described in Appendix A of 10 CFR 50, which were the minimum requirements for the Angra 1 main criteria. The deterministic licensing model was characterized by the establishment of a defined spectrum of accidents postulated for the design, whose consequences could not exceed the maximum dose limits at the boundary of the "exclusion area", according to 10 CFR 100.
The exclusion area is defined as the area in which an individual located at any point on its edge for 2 hours immediately after the release of fission products, would not receive a whole body radiation dose greater than 25 rem or a total thyroid radiation dose greater than 300 rem due to iodine exposure (Lamarsh & Baratta, 2000).
The verification of the requirements established pursuant to 10 CFR 50 was driven by regulatory guides that consolidate the positions adopted and accepted by NRC technical assessment teams. The FSAR standard model prescribed by standard NE-1.04 was Regulatory Guide RG 1.70, Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants (1978). NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, is employed by CNEN for safety assessment.
6.6. Licensing of Angra 2 nuclear plant
Just as Angra 1's, Angra 2's licensing is subject to standards CNEN-NN-1.04 and 1.26. There is a direct correspondence between the American and German licensing models. To maintain uniformity between the Angra 1 and Angra 2 licensing, the FSAR contents, as provided in standard CNEN-NE-1.04 (CNEN, 1984), are in accordance with RG-1.70 (NRC, 1978), as amended to incorporate the developments in NUREG-0800 (NRC, 1996).
As will be discussed in Section 6.7, a noteworthy feature of the Angra 2 licensing is the inclusion of human factors.
The German safety criteria document presents the Federal Interior Ministry requirements, which can be understood as minimum criteria with respect to the plant's main design criteria. The guidelines for PWRs contain recommendations for the various design areas, divided into 25 chapters, and, where applicable, take into account technical standards from other bodies, such as ASME.
6.7. Human factors and human reliability
A point worth mentioning is the incorporation into the FSAR of so-called human factors engineering (Chapter 18). NUREG-0711 (NRC, 2004) has been adopted as the reference for the safety evaluations, taking into account the technological differences between the Westinghouse and Siemens/KWU (AREVA) designs.
The human factors engineering approach to be presented in the FSAR is composed of the following topics: a) human factors engineering program management; b) operating experience review; c) functional requirements analysis and function allocation; d) task analysis; e) personnel qualification and quantification; f) human reliability analysis; g) human-system interface design; h) procedures development; i) development of the training programs; and j) human factors verification and validation.
Figure 3 displays the NRC human factors engineering approach that has been adopted by CNEN.
6.8. Licensing in US
The Brazilian nuclear regulation was strongly influenced by the model used in the U.S., particularly with regard to stages of the licensing process. The basic law to regulate nuclear power is the Atomic Energy Act, 1954. In 1974, through the Energy Reorganization Act, an exclusive agency was created to regulate the use of nuclear energy, called the Nuclear Regulatory Commission (NRC).
The Code of Federal Regulations (CFR) is the codification of US federal regulations. It has several titles, and Title 10 refers to energy. Titles are divided into parts, and the NRC's regulations are in Title 10 (Parts 0-199). Appendix A to 10 CFR 50 sets out the general design criteria (GDC) for nuclear power plants, which establish requirements for the design, manufacture, construction, testing and performance of systems and structures, NRC (1999).
There are 45 GDCs, divided into six categories: 1 - Overall Requirements; 2 - Protection by Multiple Fission Product Barriers; 3 - Protection and Reactivity Control Systems; 4 - Fluid Systems; 5 - Reactor Containment; and 6 - Fuel and Radioactivity Control.
Appendix B to 10 CFR Part 50 presents the program requirements for quality assurance. The FSAR contents are established in 10 CFR 50.34 (Contents of Applications; Technical Information). NRC publishes documents called regulatory guides which, although not mandatory (but strongly recommended), describe methods, standards and acceptable ways to meet the requirements of 10 CFR. These documents are broken down into 10 divisions, of which Division 1 concerns power reactors.
RG 1.70 (NRC, 1978) establishes the content and format of the FSAR. The regulatory guides cite codes and industry standards that NRC recognizes as safe engineering practices, e.g., IEEE Std 323 for the qualification of electrical and mechanical equipment, IEEE (2004). Some codes and industry standards are considered mandatory and are explicitly mentioned in paragraphs of 10 CFR Part 50 (e.g., 10 CFR 50.55a, the ASME Boiler and Pressure Vessel Code). See the NRC site (nrc.gov) for details on the CFR.
Industry standards are prepared by institutions which have begun to produce special rules for application in the nuclear area, the main ones being: American Society of Mechanical Engineers (ASME), asme.org; Institute of Electrical and Electronics Engineers (IEEE), ieee.org; American Society for Testing and Materials (ASTM), astm.org; Health Physics Society (HPS), hps.org; American Institute of Chemical Engineers (AIChE), aiche.org; and Institute of Nuclear Materials Management (INMM), inmm.org.
Technical documents referred to as NUREGs are used by NRC in its regulatory action. These reports are diverse in nature and support decision making; they can result from technical studies, records of experience, training programs, etc. NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, is an example: it is used by the NRC technical staff as guidance for the assessment of safety analysis reports. Figure 4 displays the general US licensing procedure.
6.9. Licensing in Germany
The Atomic Energy Act (AtG in German) of 1960 provides the legal basis for the peaceful use of nuclear energy in Germany. Under the German constitution, the states (Länder) are responsible for implementing the AtG on behalf of the federal government. To ensure uniform application of the AtG, the federal government oversees the states. Section 7 of the AtG refers to nuclear installations and their licensing.
The AtG provisions are supplemented by other laws and regulations in the following areas: radiation protection; environmental impact; emissions control; and service water.
The various ordinances cover the following areas: radiological protection; nuclear licensing procedures; financial security; costs under the Atomic Energy Act; nuclear safety authority; and payment for disposal.
The safety requirements are of a general character, leaving room for different technical solutions, but these solutions must achieve the same protection goal. The licensing and supervisory authorities have to examine whether this goal is achieved, using a variety of safety regulations.
The safety regulations include: a) safety criteria for nuclear power plants, approved by the state committee for nuclear energy; b) BMI (former Ministry of the Interior) and BMU (present-day Ministry for the Environment) guides for the qualification of nuclear power plant personnel; c) safety criteria for final storage; d) safety guidelines of the Reactor Safety Commission; e) safety standards of the Nuclear Safety Standards Commission; and f) standards of the German Institute for Standardization.
The licensee applies to the state licensing authority for a license to build and operate the plant, preparing the safety report in accordance with the legal requirements. The state licensing authority examines whether the prerequisites for granting the permit have been met, assisted by an independent inspection organization. At the same time, BMU is involved in the process. BMU is assisted by a radiation protection committee, which, after evaluating the project, presents its recommendations to BMU.
BMU evaluates the recommendations and submits its comments to the licensing authority, which considers them in its decision-making process. The state authorities, the communities near the plant, and other authorities and institutions whose areas of responsibility may be affected (nature protection, fire protection, disaster control, etc.) take part in the examination process.
The licensing authority may request opinions from experts on nuclear safety and radiological protection requirements. However, the experts only give technical support to the authority and have no power of decision in licensing. Public hearings are a further step in licensing; under current legislation, participants may contest the licensing authority's decision and consequently bring an action before an administrative court.
7. Risk-informed decision making
PSA is a methodology that provides a structured analysis process to evaluate the frequency and consequences of accident scenarios in nuclear power plants. NRC first applied PSA in the Reactor Safety Study (NRC, 1975). An important initiative taken by NRC in 1988 was the issuance of Generic Letter GL-88-20, which originated the program known as the IPE (Individual Plant Examination), because the Reactor Safety Study had not considered each plant individually in its risk assessment.
Since that time, NRC has been using risk assessment to direct the issuance of decisions on complex safety-related items such as: a) total loss of power (station blackout); b) anticipated transients without scram (ATWS); c) pressurized thermal shock (PTS) events; and d) the Maintenance Rule.
NRC issued the Probabilistic Safety Assessment Policy Statement (NRC, 1995), which incorporated risk assessment as a tool in the regulatory process. It consists of elements that originated Risk-Informed Decision Making (RIDM) and Performance-Based (PB) regulation.
The following PSA-based RIDM regulatory guides were issued: a) changes to the plant-specific licensing basis, RG 1.174 (NRC, 2002); b) assessment and implementation of technical specification changes, RG 1.177 (NRC, 1998c); c) in-service inspection of piping, RG 1.175 (NRC, 1998a); d) quality assurance, RG 1.176 (NRC, 1998b); and e) an approach for determining the technical adequacy of PSA results for RIDM, RG 1.200 (NRC, 2002).
Many of the current regulations, based on deterministic requirements, cannot be quickly replaced. In January 2001, 10 CFR 50.69 (see nrc.gov), which regulates RIDM, was issued.
'Risk insights' is the term used for the results and decisions that follow from performing probabilistic safety assessments. It is necessary to distinguish three approaches, or treatments, in the decision-making process: a) risk-based (RB); b) risk-informed (RI); and c) performance-based (PB).
The risk-based approach to decision making is one in which only the numerical results of a probabilistic safety assessment are taken into consideration. This creates a strong dependence on the results of the risk assessment, which is problematic because of the uncertainties associated with PSA (such as completeness and the data used). NRC does not endorse the risk-based approach, although it does not rule out the use of probabilistic calculations to demonstrate compliance with some criteria.
The risk-informed approach to the process of regulatory decision-making represents a philosophy according to which the outcomes and decisions arising from risk assessment are considered along with other factors to establish requirements that will best target on issues related to the design and operation that impact safety and health of the public.
The RI approach extends and improves the deterministic treatment because it: a) allows explicit consideration of a wide range of changes for safety; b) provides rationale for prioritizing these changes based on risk, operational experience and/or engineering judgment; c) facilitates the consideration of a broad range of resources to support these changes; d) identifies and describes uncertainty sources in the analysis; and e) leads to proper decision making, providing a mechanism to test the results’ sensitivity to a set of assumptions.
Where appropriate, a risk-informed regulatory approach can be used to reduce unnecessary conservatism in the deterministic treatment, or to identify areas with insufficient conservatism in the deterministic analysis and provide the foundation for additional requirements or regulatory actions.
The RI approach lies between the risk-based approach and the purely deterministic treatment. The details of the regulatory approach to be used will determine where the RI-based decision will fall in this spectrum. The concept of defense in depth remains the principle of regulatory practice. The findings and decisions arising from risk assessment can make the elements of defense in depth clearer due to the PSA quantitative approach.
Rules can be either prescriptive or performance based (PB). Prescriptive requirements specify particular aspects, activities or program elements to be included in the project or process, as a means of achieving the desired goal. A performance-based requirement depends on results (measured or calculated, i.e., performance data) to be found. It provides greater flexibility to the licensee to achieve these results.
RIDM philosophy is the reconciliation of the results of PSA insights with the traditional deterministic analysis. Often, PSA results conflict with deterministic insights (defense in depth and safety margin, for example). It is noteworthy that the use of RIDM by the licensee is voluntary.
As a result of implementing methodologies for the use of risk information, NRC expected the regulatory process to improve in three respects: a) by incorporating PSA into regulatory decisions; b) by conserving the agency's resources; and c) by reducing unnecessary licensing effort.
RIDM follows principles for the implementation and evaluation of changes proposed by the licensee, and to evaluate these changes the regulator adopts a series of assumptions. The proposed changes are expected to meet the set of principles described below. PSA techniques can be used to ensure and demonstrate compliance with these principles, which are displayed in Table 4.
Table 4. RIDM principles

| # | Principle |
|---|---|
| 1 | The change meets the existing law and is explicitly related to the requested exception or rule change |
| 2 | The proposed change is consistent with the philosophy of defense in depth |
| 3 | The proposed change has sufficient margins |
| 4 | When the proposed change results in an increased frequency of core damage and/or risk, this increase should be small and consistent with the regulations laid down in (51FR30028, 4/8/86) |
| 5 | The impact of the proposed change should be monitored using performance measures |
The evaluation of proposals and licensing acceptance guides adopt these same five principles, according to the eight assumptions detailed next.
Assumption # 1: All safety impacts of the proposed change have been assessed in an integrated manner as part of the general risk management approach, in which the licensee uses risk analysis to improve operational and engineering decisions in identifying actions to reduce risk, and not to justify the elimination of licensing requirements perceived as undesirable. For those cases where risk increases are proposed, the benefits should be commensurate with the proposed increase in risk. The approach used to identify changes in requirements must also be used to identify areas where the requirements should be increased or reduced.
Assumption # 2: The content (scope and quality) of the engineering analyses (deterministic and probabilistic) performed to support and justify the proposed changes has been appropriate to the nature and scope of the change and is based on the plant as built and operated, reflecting its operational experience.
Assumption # 3: The plant-specific PSA that supports all licensee proposals has been subject to quality control and an independent evaluation or certification.
Assumption # 4: Consideration of appropriate uncertainties has been provided and decision interpretations supplied, using a monitoring, feedback and corrective actions program to consider significant uncertainties.
Assumption # 5: The use of core damage frequency (CDF) and large early release frequency (LERF) as a basis for PSA acceptance is an acceptable approach to Principle 4.
Assumption # 6: Variations in estimates of CDF and LERF arising from proposed changes to licensing bases will be limited to small increments. Cumulative effects of these changes will be monitored and considered in decision making.
Assumption # 7: Acceptance of the proposal will be evaluated by the licensee in order to ensure that all principles are met.
Assumption # 8: Data, methods and evaluation criteria used to support regulatory decisions should be documented and available for public scrutiny.
Figure 5 displays the NRC approach to RIDM.
Regulatory Guide 1.174 (NRC, 2002) describes the approach accepted by NRC for assessing the nature and impact of changes to the licensing basis by considering engineering aspects and applying risk insights.
Regulatory Guide 1.200 describes the approach accepted by NRC for determining that the PSA quality, in part or in whole, is sufficient to assure its results, so that they can be used in regulatory decision making. Figure 6 illustrates the role of the regulatory guides discussed above.
As regards the role of PSA in decision making, the key is to provide an assessment of the impact of the change on risk. It has been necessary to develop a quantitative criterion to serve as a guideline and meet the NRC principles. These guidelines were created to allow comparison of risk-change evaluations (including internal and external events, full power, low power and shutdown). The criterion uses the core damage frequency obtained from a Level 1 PSA together with the large early release frequency, and is presented in Figure 7.
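As an added example (not part of the original chapter), the screening below applies the RG 1.174 acceptance regions to proposed licensing-basis changes; the chapter leaves the numbers to Figure 7, so the thresholds are the ones published in RG 1.174 (per reactor-year), and the plant baseline and the proposed changes are constructed values. It also carries the cumulative tracking of Assumption 6, which the figure alone does not show.

```python
"""RG 1.174 acceptance-region screening of proposed licensing-basis changes.

Added example, not code from the chapter. Thresholds are the RG 1.174
values (per reactor-year); plant and change values below are constructed.
"""
from dataclasses import dataclass

# RG 1.174 acceptance guidelines. Region I: not normally accepted;
# Region II: "small" increase, allowed only if total CDF/LERF stays under
# the cap; Region III: "very small" increase, accepted regardless of total.
CDF_GUIDE = {"small": 1e-5, "very_small": 1e-6, "total_cap": 1e-4}
LERF_GUIDE = {"small": 1e-6, "very_small": 1e-7, "total_cap": 1e-5}

REGION_ORDER = ("I", "II", "III")  # most to least limiting


@dataclass(frozen=True)
class RiskChange:
    """A proposed licensing-basis change expressed as PSA deltas."""
    name: str
    delta_cdf: float   # change in core damage frequency (per reactor-year)
    delta_lerf: float  # change in large early release frequency


def region(delta: float, baseline: float, guide: dict) -> str:
    """Classify one metric (CDF or LERF) into RG 1.174 Region I, II or III."""
    if delta < guide["very_small"]:        # includes risk-neutral/reducing changes
        return "III"
    if delta < guide["small"] and baseline + delta < guide["total_cap"]:
        return "II"
    return "I"                             # increase too large, or total too high


def screen_change(change: RiskChange, cdf_base: float, lerf_base: float) -> dict:
    """Principle 4: the more limiting of the CDF and LERF regions governs."""
    r_cdf = region(change.delta_cdf, cdf_base, CDF_GUIDE)
    r_lerf = region(change.delta_lerf, lerf_base, LERF_GUIDE)
    worst = min(r_cdf, r_lerf, key=REGION_ORDER.index)
    return {"change": change.name, "cdf_region": r_cdf,
            "lerf_region": r_lerf, "overall": worst, "accepted": worst != "I"}


def screen_cumulative(changes, cdf_base: float, lerf_base: float):
    """Assumption 6: each accepted change moves the baseline, so later
    changes are judged against the accumulated total, not the original."""
    cdf, lerf, results = cdf_base, lerf_base, []
    for ch in changes:
        res = screen_change(ch, cdf, lerf)
        results.append(res)
        if res["accepted"]:
            cdf += ch.delta_cdf
            lerf += ch.delta_lerf
    return results, cdf, lerf


if __name__ == "__main__":
    # Constructed sample: a plant whose baseline CDF is already close to
    # the 1e-4 cap, so cumulative small changes matter.
    proposals = [
        RiskChange("extend allowed outage time, one EDG", 4e-6, 2e-7),
        RiskChange("relax ISI on low-risk piping", 2e-7, 5e-9),
        RiskChange("second outage-time extension", 8e-6, 1e-7),
    ]
    results, cdf, lerf = screen_cumulative(proposals, 9.0e-5, 3e-6)
    for r in results:
        print(r)
    # Judged alone against the original baseline the third change is
    # Region II; cumulatively it pushes total CDF past 1e-4 (Region I).
    print(screen_change(proposals[2], 9.0e-5, 3e-6)["overall"])
    print(f"cumulative CDF={cdf:.3e}, LERF={lerf:.3e}")
```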
Kadak & Matsuo (2007) present a discussion of the US experience with RIDM, where 35 nuclear plants have effectively implemented it. By comparing the INPO and NRC performance indices for these 35 plants with those of another 19 plants that have not implemented RIDM, it is clearly seen that RIDM implementation has significantly improved the performance indices. The performance indicators considered in the analysis were: a) unit capacity factor; b) automatic unplanned shutdowns (per 7,000 hours of criticality); c) safety system performance; d) safety injection system actuation; e) auxiliary feedwater system actuation; f) power system actuation; g) fuel element reliability; h) collective radiation exposure; and i) water chemistry performance.
8. Final considerations
Licensing is characterized by decision making in various fields and disciplines, and its steps can influence the course of the enterprise. The relationship between the licensing agency and the applicants for licenses and permits must be honest, preserving the formalism and the independence of the institutions, which are recognized as having distinct responsibilities. Controversial topics should be discussed openly and the decision-making process formalized in writing (technical advice, inspection reports and minutes of meetings).
The demonstration that the facility presents no undue risk to the public and the environment may require engineering activities, analytical or experimental, that may significantly affect the initial schedules and preliminary costs estimates. Design features significantly innovative or new reactor concepts require extensive research and testing of prototypes at all levels, such as components, systems, and small-scale facilities.
| Country | Position on risk-informed approaches |
|---|---|
| Spain | Recommends PSA use to define changes in requirements |
| France | The methodology Optimisation de la Maintenance par la Fiabilité (OMF, Maintenance Optimization for Reliability) has been developed to apply risk-informed criteria to the optimization of plant maintenance, including in-service inspection |
| Sweden | An update of rules considers risk-informed in-service inspection through qualitative and quantitative approaches |
| Finland | Expects to rationalize in-service inspection by a combination of deterministic and probabilistic methods, under regulator initiative |
| UK | Proposals for the adoption of risk-informed methodologies in nuclear power plant management represent an evolution |
| Switzerland | Expects to produce guidelines for the implementation of a quantitative risk-informed in-service inspection method within a few years |
| Czech Republic | Believes it is too complicated to introduce a risk-informed approach for in-service inspection, yet its interest in the matter is significant |
The physical and mathematical models used in engineering design are validated by experimental data or calculations. Realistic, best-estimate models are preferable to conservative models, but their use requires an adequate treatment of the uncertainties involved, determined from extensively developed databases.
The identification of specialty areas where the technical staff of the regulatory body lacks experience must occur in a timely manner, to allow either that qualification or the necessary arrangements to hire consultants or consulting teams.
The schedule of any nuclear development should provide, prior to the granting of licenses and permits, the time intervals needed for the regulatory body's analysis and evaluation.
The licensing model in Brazil is, in its safety analysis aspects, deterministic in nature: the plant behavior after an assumed initiating event or malfunction is studied with calculation models that describe the physical processes of the reactor systems.
The objective of this type of analysis is to check whether the allowed values of key plant variables are exceeded. Probabilistic safety analysis (PSA), in turn, focuses on the identification of event sequences that can lead to core meltdown and on studies of the reliability of the safety systems. The objective of this analysis is to indicate potential weaknesses in the design of the systems and provide a basis for improving safety.
CNEN has introduced in Standard NE–1.26 (CNEN, 1997) the requirement for risk management, where the operating organization should develop, implement and continuously refine a model for managing the risk associated with various operational configurations. Thus, a probabilistic safety analysis complements the deterministic safety analysis, and it is incorporated into the licensing procedure, because during plant operation, the impact on total risk measured by the model for risk management should be considered. This encompasses decision making involving activities like: a) design modifications and specifications changes or exceptions; b) system configuration management; c) maintenance and testing planning; and d) analysis of operational events.
The responsibility for nuclear safety in all phases of the enterprise belongs to the licensed organization. The licensing activity decides whether the licensee has the technical and organizational competence to fulfill this responsibility.
A very important point in this context concerns the licensing of advanced reactors, such as the AP-1000. The risk-informed approach has brought to light the reconciliation of deterministic and probabilistic methods for safety analysis. Accident scenarios, both within and beyond the design basis, are being approached much more precisely, and many advances in safety philosophy are proving effective in this way.