Regulatory Framework and Safety Documents


APPENDIX 13

REGULATORY FRAMEWORK AND SAFETY DOCUMENTS

A13.1 REGULATORY FRAMEWORK

A legal framework has to be established that provides for the regulation of nuclear activities and for the clear assignment of safety responsibilities. Legislative institutions should produce laws which assign the prime responsibility for safety to the operating organization and establish a regulatory body responsible for a system of licensing, for the regulatory control of nuclear activities and for enforcing the relevant regulations. It is also very useful, although not done everywhere, for the legislative power of a country to define in general terms the safety level which nuclear installations should achieve, in order to give the industrial organizations and the regulatory body general guidance in their activities. For example, the classes of nuclear installations and the orders of magnitude of the amount and the probability of the maximum accident release or consequences should be established at the top of the people’s representation structure, with a balanced view of the risks and benefits to society.

The prime responsibility for the safety of the installation rests with the operating organization. It is responsible for establishing its safety criteria (which should be approved by the regulatory body) and for the compliance of the design, construction, and operation of the installation with them and with relevant safety standards. Procedures and arrangements for the safe control of the installation under all conditions should also be established, together with the maintenance of a competent and fully trained staff and the control of fissile and radioactive materials utilized or generated.

It is the responsibility of the regulatory body to set the detailed safety objectives and standards and to monitor and enforce them. Effective independence of the regulatory body from organizations that promote nuclear activities should be in place in order to ensure the absence of undue pressures from competing interests.

An important function of the regulatory body is to communicate to the public any information concerning safety and in particular its regulatory decisions and opinions. In many cases, the regulatory body is supported by a dedicated technical support organization (TSO) which performs technical analyses and studies. These are used in reviews and in other activities by the regulatory body. The personnel of the two organizations may range from several tens of people to a few thousand people, according to the size of the nuclear program and the activities entrusted to the body itself. Usually the regulatory body has access to confirmatory research, which gives it direct access to the supporting technical information necessary for a well-founded regulatory activity. A review of existing regulatory frameworks for various countries is included in OECD (1991).


A13.2 SAFETY DOCUMENTS

The principal documents concerning plant safety vary according to the specific requirements of each country; however, some conceptual generalizations, accepted everywhere, can be made. The following documentation will be briefly discussed:

• The safety report (SR).
• The probabilistic safety evaluation (PRA or PSA).
• The environmental impact assessment (EIA).
• The external emergency plan (EEP).
• The operation manual, including the emergency procedures (EP).
• The operation organization document.
• The preoperational test program.
• The technical specifications (TS) for operation.
• The periodic safety reviews.

Other documents result from inspection activities on plant construction and operation.

A13.2.1 THE SAFETY REPORT

The SR is the principal document for the demonstration that the design and the construction of a nuclear plant on a specific site are such that it can be operated without undue risk to the workers and the public. Here the assumption is made that the SR contains the treatment of both the aspects relevant to the site and those concerning the plant (description and analysis). It must be noted, however, that in various regulatory systems the two issues are dealt with in separate documents. It is easy to understand that this subdivision shortens the time for site selection and for preparatory work on it; however, the acceptability of a site also depends on the characteristics of the plant to be installed on it. The problem is easily solved for proven plants. In other cases, various parts of the information on the plant safety characteristics must be presented in advance and inserted in the part of the SR devoted to the site. In case of separation and of advance presentation of the part of the report relevant to the site, it will in any case be necessary to link the approval of the site to compliance with some reasonably assumed plant characteristics.

The SR is a ‘living’ document which evolves and changes with time. The principal factors of this change are the progression of the detailed design, the design modifications decided during the construction and the operation of the plant, and the needs for adjustments due to the progress of safety knowledge. It has also to be noted that, for the demonstration of the plant safety, more detailed information concerning both design and analyses than is usually included in the SR is also necessary. The corresponding documents are termed ‘support documents’ (following the IAEA (1979) nomenclature). In some regulatory systems (e.g., in the Italian one) these supporting documents take the form of detailed design reports which have to be submitted, for approval, to the national control body.

Usually, the principal stages of the SR are

• the preliminary SR: to be submitted before the site approval and the plant construction permit; and
• the final SR: to be submitted before fuel loading.


While the preliminary SR describes many plant data at the level of initial solutions and plans, the final SR shows the plant “as built” (in its final form) as a result of the design, validation and modification activities. The content of the SR may, for simplicity, be subdivided into the following five parts:

• Site
• Quality assurance
• Criteria and standards
• Design
• Nuclear safety and radiation protection analysis.

The needs of radiation protection and of containment and mitigation of the effluents must permeate all the content of the SR and therefore are not indicated as separate parts of the SR. It is strongly advised that one or more radiation protection design experts are part of the design organization. In addition to the systems specifically devoted to radiation protection tasks, some design aspects must be the subject of complete evaluation, such as the following: the general and detailed plant layout; the space available for operation, inspection and maintenance tasks; the choice of materials; system specifications and component specifications and location.

Other issues which may be part of the SR or be the subject of separate documents are

• organization for preoperational tests and operation;
• preoperational test program;
• operational limits, operation conditions and procedures;
• emergency plans;
• decommissioning schemes;
• physical protection.

The objectives of the SR information on the site are

• assessment of the feasibility of a safe plant on the site;
• definition of the site parameters necessary to plant design (external events and so on);
• evaluation of the possible impact of the plant operation on the surrounding population and environment.

These three objectives must be pursued keeping in mind both the normal operating conditions and the exceptional and accidental ones. A sample list of the contents of a SR is given in the NRC Regulatory Guide 1.70 Rev. 3 (USNRC, 1978). What has to be underlined is that, in the light of experience, many unfavorable characteristics of a site cannot be corrected by design provisions. In other words, various site exclusion criteria exist (an example is included in Appendix 16).

A principal section of a SR should be devoted to the description of the quality assurance programs of the plant owner and of its contractors during the design, construction, testing, and operation of the plant. The methods for the implementation of the quality assurance functions should also be described.

The section of the SR devoted to criteria and standards is particularly important. All the standards to be adopted for the plant should be listed, which usually can be divided into three levels of generality: the general criteria (general safety and radiation protection objectives and functional system objectives) and generally applicable country laws (health protection limits, fire protection laws, etc.); the guides at the level of system and component (e.g., the NRC Regulatory Guides and the standard review plan) which usually are not compulsory but simply indicate an acceptable way of proceeding; and, finally, the technical standards for components (ASME III Code for Pressure Components, etc.). It is important to note that all the standards (and particularly those concerning components) evolve with time and that, therefore, the specific issue (edition) used has to be indicated. How does one proceed if a standard changes during the design? This problem, typically the result of revisions (every five or ten years) of the safety of operating plants, is usually tackled and solved as follows:

• If the revision is due to formal improvements and no new safety problem is involved as a consequence of the progress in knowledge, then no special analysis or modification is necessary.
• If the revision is intended to solve some new safety problem, then:
  • additional, more precise analyses are performed in order to demonstrate, possibly, that the existing design which followed the old standard is still acceptable in the light of the new knowledge;
  • modifications to operation parameters or rules are introduced, if possible, in order to compensate for the ‘inadequacy’ of the standards adopted for the design;
  • if any other action is inadequate, plant modifications have to be made in order to take account of the new knowledge.

The part of the SR devoted to the description of the design should offer a concise yet complete description of the entire plant. It should allow the reviewers:

• to obtain an overall view of the systems and structures of the plant, as far as their characteristics and integrated functioning are concerned, both in normal and in transient and accident conditions, including the possibility of external, natural and unnatural, events;
• to understand and evaluate the design solutions and the main operational limits adopted to satisfy the reference criteria and the safety and protection standards.

In particular, special problems caused by specific site characteristics should be described and discussed. Similarly, possible plant design aspects should be described which have not yet been satisfactorily solved, together with the possible research and development programs aimed at the identification of a satisfactory solution. A comparison table, moreover, should be supplied showing plant data and corresponding data of other similar recent plants, with the indication of the condition of the other plants (degree of completion and authorization, operational situation, etc.).

In general terms, the objective of safety analysis (SA) is to demonstrate that the plant design and its operating procedures (together with well-trained personnel) ensure a high level of protection of the population and workers in case of malfunctions, human errors or assumed external events. Therefore, the contents of the SA are a set of dynamic studies of the most significant transients and accidents, giving an evaluation of their consequences on the plant and on the outside environment. The SA must offer a clear picture of the integrated behavior of the plant in fault conditions. The integrity and the behavior of the barriers between the radioactive substances and the environment are the main concern of the plant response evaluation. The information supplied by the SA, together with the information contained in the balance of the SR, should be sufficient to convince reviewers that the plant design is acceptable from a safety and radiation protection point of view, at the authorization stage to which the SR applies. The SA is usually structured as follows:

• The initiating events (which in general derive from the general design criteria), usually subdivided into a certain number (often four) of operating conditions.
• The acceptance criteria and the design methods, usually contained in the general criteria and in the system and component guides.
• The analyses and the conclusions.

On the basis of past experiences (see Appendix 17), it is recommended that particular attention is given to the length in (real) time for which the transients and accidents are calculated. These parameters can be established tentatively beforehand, but they can be defined only after calculation, as the results can indicate the presence of situations which may confuse the operators. Moreover, in the evaluations, it should be ensured that sufficient time exists to allow for the correct intervention of the operators, up to the attainment of perfectly stabilized plant conditions.

A13.2.2 THE PROBABILISTIC SAFETY ASSESSMENT

The PSA is now a companion of the SR for every new plant. In fact, after some initial doubts, it is now recognized as a valid knowledge and evaluation tool for a plant and also as valid help in the design and operation of it (see Chapter 11: Safety Analysis). It is understood, then, that the PSA must be developed in parallel with the design, initially making many working assumptions on the features of the plant as it will be at the end. IAEA requirements demand that a summary of the plant PSA is included in the SR. The PSA, used in this way, can be limited to level 1 or 2, that is, at the first core damage or at the releases from the containment, respectively. A complete risk analysis (PRA), performed, for example, to verify the compliance of the plant with preselected risk objectives, must also include level 3, that is, the probabilistic evaluation of the accident consequences. Further discussion on PSA strong and weak points can be found in Section 18.6, together with some ideas for overcoming the difficulties which a probabilistic analysis cannot, by its nature, resolve.

A13.2.3 THE ENVIRONMENTAL IMPACT ASSESSMENT

The EIA is now compulsory nearly everywhere. It follows official channels that are usually different from those of the safety evaluation and health protection. Many issues, however, of the two processes coincide and it is useful if the two analyses proceed in parallel. The EIA commences with the initial strategic planning of the works. During the development of the two processes (nuclear safety and environmental impact) information exchange should take place between the authorities responsible, for example, by a mutual participation of observers in the commission meetings and in working groups.

A13.2.4 THE EXTERNAL EMERGENCY PLAN

Before fuel loading, an EEP must be operative as a part of the Defense in Depth (see Chapter 9: Defense in Depth). To this end, usually, a dedicated issue of the safety evaluation is prepared, containing the technical basis for the EEP.

A13.2.5 THE OPERATION MANUAL, INCLUDING THE EMERGENCY PROCEDURES

The operation manual, which includes the EP and the internal emergency plan, must be available before any operation with nuclear fuel. It is important that the EP includes, in order to prevent severe accidents, the procedures based on the analysis of the plant states (symptom oriented) as well as the more traditional ones based on the analysis of specific accident sequences (event oriented). In the symptom-based approach, operator actions result from the monitoring of plant symptoms rather than from the identification of the details of the event taking place. For example, the operator responds to the symptom of loss of primary water inventory as opposed to the specific event of a loss of coolant accident. The need for this kind of procedure was indicated by the Three Mile Island accident, where the operators were confronted with a confusing situation (see Appendix 17) and were not able to identify in time the precise event taking place. Subsequently, it was confirmed that it was possible to develop emergency procedures on the basis of the damaging symptoms of the event rather than of the origin of the event and its consequences. The two concepts partly overlap, but by following the symptom-based approach it is not necessary to lose precious time in identifying, by a process of selection and elimination, the event origin and features. In general, some critical safety functions are identified (attainment of subcriticality, availability of coolant in the core, availability of an efficient containment function) and the operator action is to identify which critical safety function is not available to the desired degree and to try, with the support of the emergency symptom-based procedures, to restore the function itself. The difference between event-based procedures and symptom-based procedures lies in the possibility of quickly diagnosing the plant accident situation.
If this diagnosis can be made, then the event-based procedures are followed. If it cannot, then the symptom-based procedures are used. It is apparent from the preceding sentences that both sets of procedures are intended to be used in any nuclear plant. The process of developing modern procedures is still ongoing at many plants and it takes a remarkable effort. Some plants decide to have a dedicated procedure development group of experts. Other plants carry out procedure development with other work groups, such as operations staff or operational experience feedback staff, as a part-time responsibility. In any case, a plant procedures group ensures an efficient and effective method for development, distribution and revision of plant procedures, resulting in lower cost and more uniform quality. Close cooperation between the procedures group and the technical departments of a plant is essential. Symptom-based procedures require the NPP to complete a significant amount of site-specific thermal-hydraulic analyses of bounding scenarios. These analyses ensure that a generic set of operator actions for the loss of each critical safety function is sufficient to mitigate the most severe challenge to that critical safety function. Owners groups may share the same package of procedures, but the EPs and the supporting thermal-hydraulic analyses are plant specific.

In recent years it has been determined that a potential for external release of radioactive products exists not only while the plant is operating at power but also when it is in a low power or shutdown condition. EPs, therefore, have been expanded in order to cover situations where the reactor cooling system may be depressurized and the vessel head removed. Due to the specific requirements of certain plant configurations that may exist during shutdown, together with the reduced level of automatic protection, many of these procedures are specific to these plant conditions and initiating events and thus are very event specific. It has also been recognized that the operator needs additional guidance for those conditions beyond the design basis accidents where core damage exists or is imminent. Hence the evolution of severe accident management guidelines (SAMGs). Due to the wide variety of conditions that may exist, these guidelines have been written in a symptom-based format. Symptom-based, event-based, and integrated (a combination of the two) approaches to emergency operating procedures exist.

Verification and validation of procedures are two very important elements in the procedures development work. Verification is defined as the process of determining if a procedure is administratively and technically correct. Validation is the process of evaluating procedures to ensure that they are usable and will function as intended. These two processes should be performed using a graded approach, that is, devoting more effort where the consequences of some inadequacy are more serious. For administrative procedures such as record keeping, verification and validation can be accomplished through a tabletop review. For emergency operating procedures, verification may include checking the technical information against design documents, while validation might include the use of mock-ups of the plant and a full-scope control room simulator, as well as direct use of the plant. Checklists are available for verification and validation (IAEA, 1998). It is highly recommended that the plant designer participates in the procedure preparation and review phases.

A13.2.6 OPERATION ORGANIZATION DOCUMENT

The operation organization document describes the functions, responsibilities, and mutual relationships of the plant personnel. The adequacy of its contents directly affects the adequacy of the human element to which the plant is entrusted. Great weight should be placed on this document, as its content gives a measure of the attention given to the human factors of safety. The operation organization document should include training and personal/professional development issues.

A13.2.7 THE PREOPERATIONAL TEST PROGRAM

The initial test program concerns a particularly delicate phase in the plant life, in which possible design or construction deficiencies usually come to light. The test program comprises two phases: nonnuclear (before fuel loading) and nuclear. The tests are often termed “preoperational” and “nuclear,” respectively. In the preoperational tests, components and systems are tested. Integrated tests of several interacting systems are performed too. In this way, the functional consistency of the systems with the design is verified, as well as the absence of vibrations, normal operation in general and the normal expansion and contraction of systems while they heat up and cool down, etc. It is very desirable that operating personnel directly take part in the preoperational tests, together with the representatives of the contractors, in order to get used to the plant components.


It is not usually considered necessary that the preoperational test program is explicitly approved by the safety control body, but its contents, time schedule, and results are, however, communicated to it in a timely manner. On the other hand, the nuclear test program must have prior approval, because it must fully demonstrate the safety characteristics of the plant and because, while it is being carried out, the risk of accidents involving radioactive products starts. However, not all conceivable tests can be performed, as some of them would be detrimental to systems and components and therefore dangerous in view of the subsequent life of the plant (e.g., the capability of a safety injection system to introduce cold water at full flow in an operating plant will never be tested, because the water injected would cause an unacceptable thermal transient on structures and components). In these cases, partial yet demonstrative tests are performed. As far as the contents of a test program are concerned, specific documents should be consulted (Petrangeli, 1985). Here it is sufficient to say that it is very important that the procedure of any single test includes a clear specification of the acceptance limits of the test, in order to avoid long and costly discussions between the organization responsible for the tests and the safety control body during the performance of the tests themselves. The test period, in fact, is a particularly delicate phase in the life of the plant, both for the intrinsic difficulties of the tuning of the plant and for the huge organization necessary for all the tests and the measures to be performed. The nature of the “final exam” also leads to high psychological tension. Therefore, any unnecessary disturbance or delay must be avoided. It is often convenient to specify three levels of acceptability of each test:

• acceptance;
• acceptance after review by the designer without test program stoppage;
• nonacceptance.

As far as possible, the tests should comply with normal operating procedures. The tests are a good opportunity to test the procedures, too, and to amend them if necessary. On the basis of practical experience, at least nine months are necessary for the preoperational tests and at least three months for the nuclear tests. Causes of delay, sometimes trivial, may always intervene, thus extending the time required. Often a great deal of time is lost because of defective pipe support anchorages, pipe vibrations, and fluid leakages from systems and from buildings.

A13.2.8 THE TECHNICAL SPECIFICATIONS FOR OPERATION

The objective of the TS is to define conditions and limits for the operation of the plant, compatible with its safety, and to define the specifications and the programs for periodic surveillance of the various parts of the plant. The operational limits concern plant parameters such as pressures, temperatures, and the minimum availability of systems and components for the various operating modes (full power, cold shutdown, and so on). Particularly important is an initial part of the TS devoted to definitions. An example of a particularly delicate definition is the one concerning the word “operable”: one of the most common within the TS! The TS text, with the aid of the initial definitions, must be clear and unmistakable. In fact, the TS are the first support of the plant operators for fundamental decisions, such as the continuation of operation at power in the presence of irregular plant situations. Frequently, little time for discussion and interpretation is available when decisions of this kind have to be taken. The probabilistic plant analysis offers a rational basis for decisions concerning the TS, both for the choice of operating limits and for the intervals between tests and inspections of parts of the plant (periodic surveillance). The TS must be available before fuel loading.

A13.2.9 THE PERIODIC SAFETY REVIEWS

Operating personnel must pay continuous attention to plant safety and conduct periodic reviews in order to improve the plant and its operating procedures as a result of research and of operating experience of similar plants. An operating licence usually requires revision every 10 years. As already mentioned in Section A13.2.1 in connection with criteria and standards, the case may occur that new knowledge or new standards generate doubts about the consistency of the criteria and about the adequacy of the plant or its procedures. In that section it was noted that the situation has to be primarily assessed to see if the discrepancy is formal or substantial in nature. Even in the latter case, various degrees of action are available, such as a more refined analysis, modifications to limits and operating procedures and, finally, plant improvements.

REFERENCES

IAEA, 1979. Information to be Submitted in Support of Licensing Applications for Nuclear Power Plants. IAEA Safety Series 50-SG-G2, Vienna.
IAEA, 1998. Good Practices with Respect to the Development and Use of Nuclear Power Plant Procedures. TECDOC 1058, IAEA, Vienna.
OECD, 1991. Licensing Systems and Inspection of Nuclear Installations. OECD Nuclear Energy Agency, Paris.
Petrangeli, G., 1985. Licensing Procedures: Parts I–III. CEE Training Seminar on PWR Safety, Cairo, Nov.–Dec.
USNRC, 1978. Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants: LWR Edition. Regulatory Guide 1.70, Rev. 3, November.