Integrating quantitative defense-in-depth metrics into new reactor designs☆

Nuclear Engineering and Design 330 (2018) 157–165

Contents lists available at ScienceDirect

Nuclear Engineering and Design journal homepage: www.elsevier.com/locate/nucengdes

Cindy Williams⁎, William J. Galyean, Kent B. Welter
NuScale Power, LLC, 1100 NE Circle Blvd., Suite 200, Corvallis, OR 97330, United States

Keywords: Defense-in-depth; Risk-informed; Performance-based; PRA; Reactor design

Abstract

Risk-informed, performance-based (RIPB) methods have progressed to the point where high-level guidance can be used to augment traditional, deterministic, nuclear safety design practices in areas important to nuclear reactor safety. This paper describes an approach for augmenting the traditional defense-in-depth (DID) qualitative approach with quantitative risk information from a plant-specific probabilistic risk assessment (PRA) in a way that is structured, can be applied on a consistent basis, and allows for clear acceptance criteria. Adding performance-based targets that should be achieved is expected to result in safer and more economical plant designs. Evaluations of DID can be conducted throughout the design process as well as in support of design certification and operating license applications to identify where defense protections could be enhanced or relaxed. Consistent with the United States Nuclear Regulatory Commission's policy statement encouraging greater use of PRA to improve safety decision making and regulatory efficiency, this scenario-based DID method can be used to evaluate changes and overall plant design as part of the normal design control process. Although the RIPB method presented in this paper was developed for application to advanced passive light water reactor designs, the metrics could be tailored to other reactor designs. This risk-informed approach to DID helps to ensure that public and worker risk insights are integrated into the design process holistically.

1. Introduction

Nuclear power plants must be designed to generate electricity in a safe, reliable, and economical manner. Design processes for existing light water reactors (LWRs) have relied heavily on deterministic design methods and deterministic analyses to ensure safety and comply with regulatory requirements. Risk evaluations have typically been performed after a significant amount of design work has been completed to ensure compliance with United States (U.S.) Nuclear Regulatory Commission (NRC) safety goals. These risk evaluations support, in part, qualitative and deterministic defense-in-depth (DID) assessments. Defense-in-depth is a design philosophy aimed at ensuring safety is not dependent on any one feature; it employs successive levels of redundant and diverse safety functions in design, construction, and operation to ensure appropriate barriers, controls, and personnel are in place to prevent, contain, and mitigate accidents and exposure to radioactive material. This philosophy has evolved over the history of nuclear power plant design with the overall goal of ensuring adequate safety to the public.

The purpose of this paper is to outline an approach for a more quantitative assessment of the effectiveness of the implementation of the DID design philosophy. Implementing the philosophy of DID includes a broad set of integrated design processes. They address accident prevention, accident mitigation, and risk management. Reactor design DID, as described here, consists of the integration of three strategies:

1. The first strategy employs conservative codes, standards, and analysis methods in the design to ensure margins of safety exist so as to minimize potential impacts of uncertainty. Multiple and successive barriers are employed to prevent, contain, and mitigate exposure to an accidental fission product release.
2. The second strategy involves programs and processes that serve to ensure fission product barrier function is designed with appropriate reliability and maintained throughout the life of the plant.
3. The third strategy requires evaluating the effectiveness of these fission product barriers to maintain their effectiveness and reliability to ensure they continue to perform their design safety functions under abnormal conditions.

While the general design criteria in 10 CFR 50 are the key inputs into the requirements analysis process from a regulatory perspective, alternate or additional requirements may be needed for new and advanced reactors in cases of unique technologies, designs, or site characteristics (U.S. Code of Federal Regulations, 2015a). While there are numerous ways in which to integrate risk-informed, performance-based (RIPB) principles and methods into the design process (e.g., a reliability assurance program), this paper describes the method by which an RIPB approach is being used within existing NRC guidance to augment the traditional DID philosophy for advanced passive LWRs.

Although traditional nuclear power plant design was based on deterministic and conservative analysis techniques, the results did not guarantee a conservative design. Advancements in probabilistic risk assessment (PRA) methods have led to their use in improving plant design and operations. Because PRAs realistically reflect actual plant design, construction, operational practices, and operational experience, they have proven to be a valuable complement to traditional engineering approaches. Use of PRA in regulatory matters to the extent supported by state-of-the-art methods and data has resulted in measurable improvements in nuclear reactor safety by reducing the likelihood and consequences of potential severe accidents. The proposed approach describes a method for augmenting the traditional DID philosophy with risk information from the PRA that is structured, quantifiable, and can be applied on a consistent basis; this approach reduces subjectivity and supports risk-informed decision making. Metrics are proposed to evaluate the adequacy of DID, which can be used to: (1) establish a DID baseline for the plant, and (2) serve as a method for evaluating the adequacy of DID in design changes.

While integration of RIPB principles and methods is most effective early in the design process, when risk insights can be used to support early trade studies and decision making, caution should be taken since early versions of the PRA have larger uncertainties due to the lack of design detail. Evaluations of plant DID can be conducted throughout the design development process as well as in support of design certification and operating license applications. Although the metrics proposed here are intended for use on advanced passive LWR designs, it is expected that they can be tailored to other, technology-specific reactor designs that use similar metrics for evaluating plant risk such as core damage frequency and large release frequency. This risk-informed DID approach allows incorporation of risk insights early, and more broadly, into the design process holistically; it can be used to help ensure the design, construction, and operation of a new reactor design poses no undue risk to the health and safety of the public.

☆ Funding: This material is based upon work supported by the Department of Energy under Award Number DE-NE0000633, an account of work sponsored by an agency of the United States government. Neither the United States government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States government or any agency thereof.
⁎ Corresponding author. E-mail address: [email protected] (C. Williams).

https://doi.org/10.1016/j.nucengdes.2018.01.008
Received 7 September 2017; Received in revised form 29 December 2017; Accepted 2 January 2018
0029-5493/ © 2018 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/BY-NC-ND/4.0/).

2. Defense-in-depth

The concept of DID is a longstanding principle used in the evaluation of nuclear plant licensing. While somewhat different definitions have been used in various regulatory documents, the definitions consistently include the concept that implementation of DID helps assure plant safety by providing barriers to radionuclide release such that safety is not dependent on a single barrier. The current definition of DID in the NRC glossary is:

An approach to designing and operating nuclear facilities that prevents and mitigates accidents that release radiation or hazardous materials. The key is creating multiple independent and redundant layers of defense to compensate for potential human and mechanical failures so that no single layer, no matter how robust, is exclusively relied upon. Defense-in-depth includes the use of access controls, physical barriers, redundant and diverse key safety functions, and emergency response measures.

While it is widely accepted that DID helps to ensure safe LWR operation, at the same time, it is recognized that DID is challenging to measure or quantify because philosophies differ (U.S. Nuclear Regulatory Commission, 2016). Incorporation of risk insights can be formalized in an RIPB approach to DID, and by extension, to plant design; this is consistent with the NRC policy statement on the use of PRA (U.S. Nuclear Regulatory Commission, 1985):

The use of PRA technology should be increased in all regulatory matters to the extent supported by the state of the art in PRA methods and data, and in a manner that complements the NRC’s deterministic approach and supports the NRC’s traditional DID philosophy.

2.1. Defense-in-depth regulatory requirements

Defense-in-depth has been at the core of the NRC's safety philosophy, and remains fundamental to the safety and security expectations of the NRC’s regulatory structure. The following summarizes key regulatory documents with regard to DID and risk-informed decision making in nuclear power licensing:

• 10 CFR 100.1(d), Reactor Site Criteria: states that DID be considered in reactor siting criteria (U.S. Code of Federal Regulations, 2015b).
• Policy Statement on the Regulation of Advanced Reactors: sets the expectation that designs incorporate the DID philosophy by maintaining multiple barriers against radiation release, and by reducing the potential for, and consequences of, severe accidents (U.S. Nuclear Regulatory Commission, 2008).
• Standard Review Plan Section 19.0, Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors: recommends that applicants identify risk-informed safety insights based on systematic evaluations of risk such that the design’s robustness, levels of DID, and tolerance of severe accidents initiated by either internal or external hazards can be evaluated (U.S. Nuclear Regulatory Commission, 2014).
• NUREG-2150, A Proposed Risk Management Regulatory Framework: observes that “there is no guidance on how much DID is sufficient,” and that risk assessment, in combination with other technical analyses, can inform decisions about appropriate DID measures (U.S. Nuclear Regulatory Commission, 2012).
• Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant Specific Changes to the Licensing Basis: provides the framework for current licensing decision making, establishes that DID should be maintained to address uncertainties, and encourages the use of risk analysis to provide insights on the “extent of defense-in-depth” (U.S. Nuclear Regulatory Commission, 2011).

The concept of DID has further been used to account for uncertainties in safety analyses; the extent to which DID is applied can be determined, in part, by the use of risk insights (U.S. Nuclear Regulatory Commission, 2016):

The concept of defense-in-depth has always been and will continue to be a fundamental tenet of regulatory practice in the nuclear field, particularly regarding nuclear facilities. Risk insights can make the elements of defense-in-depth more clear by quantifying them to the extent practicable. Although the uncertainties associated with the importance of some elements of defense may be substantial, the fact that these elements and uncertainties have been quantified can aid in determining how much defense makes regulatory sense. Decisions on the adequacy of or the necessity for elements of defense should reflect risk insights gained through identification of the individual performance of each defense system in relation to overall performance.

2.2. Objectives of defense-in-depth within a risk-informed and performance-based framework

The inclusion of RIPB elements into the philosophy of DID provides

the ability to assess, on a quantitative and consistent basis, the adequacy of DID. By augmenting the traditional, deterministic DID philosophy with RIPB elements, a more complete depiction of plant risk is possible. The following objectives were established for using RIPB methods in a manner that complements the traditional DID philosophy:

• The existing methods for integrating nuclear safety within the plant design using the philosophy of DID remain essentially unchanged.
• Defense-in-depth ensures appropriate barriers, controls, and personnel are provided to prevent, contain, and mitigate events and incidents leading to exposure to radioactive material according to the hazard present, the relevant scenarios, and associated uncertainties.
• Each DID barrier is designed with sufficient safety margin to maintain its functionality for relevant scenarios and account for uncertainties.
• Systems needed to ensure the functionality of a DID barrier are designed to ensure appropriate reliability for relevant scenarios.
• Defense-in-depth barriers are subject to performance monitoring.
• Defense-in-depth ensures the risks resulting from the failure of some or all of the established barriers and controls, including human errors, are maintained acceptably low.

2.3. Basis of the scenario-based defense-in-depth method

The approach to risk-informed evaluation of DID adequacy as described in this paper is based conceptually on NRC Regulatory Guide 1.174 (U.S. Nuclear Regulatory Commission, 2011), the IAEA INSAG-10 report (International Atomic Energy Agency, 1996), and the IAEA INSAG-25 report (International Atomic Energy Agency, May 2011). Regulatory Guide 1.174 provides recommendations for using risk information in support of licensee-initiated licensing basis changes to a nuclear power plant. While it provides an example of a risk-informed process for evaluating DID for design changes in licensed, operating nuclear power plants, it does not address the specific criteria needed for each nuclear power plant activity or design characteristic that may be amenable to risk-informed regulation. It also does not provide specific guidance with respect to risk-informed decision-making in conceptual, preliminary, detailed, or final design phases. Nevertheless, the guidance can be adapted to support the design development process for evaluating the adequacy of DID. Seven factors are identified in Regulatory Guide 1.174 for evaluating the impact of proposed licensing basis changes on DID (U.S. Nuclear Regulatory Commission, 2011). These factors were considered in development of the risk-informed DID approach:

1. A reasonable balance is preserved among prevention of core damage, prevention of containment failure, and consequence mitigation.
2. Over-reliance on programmatic activities as compensatory measures is avoided.
3. System redundancy, independence, and diversity are commensurate with the expected frequency, consequences of challenges to the system, and uncertainties (e.g., no risk outliers exist).
4. Defenses against potential common-cause failures are included in the design.
5. Independence of barriers is maintained.
6. Defenses against human errors are maintained.
7. The intent of the plant’s design criteria is maintained.

In addition, the IAEA INSAG-10 report was relied upon for the concept of an accident-scenario/sequence¹-based DID evaluation framework for risk-informed decision making (International Atomic Energy Agency, 1996). The five levels of DID described in IAEA INSAG-10 have been expanded upon to allow for calculation of a level of DID adequacy. The calculation of DID adequacy can be used to: (1) establish a DID baseline of a power plant design, and (2) serve as a method for evaluating DID adequacy of proposed design changes. This quantitative RIPB DID evaluation is complementary to traditional qualitative or deterministic DID evaluations. The approach is also consistent with the integrated risk-informed decision-making framework described in IAEA INSAG-25 (International Atomic Energy Agency, May 2011). The IAEA INSAG-25 report reinforces a transparent, reproducible, and structured framework of deterministic and probabilistic techniques and findings to help achieve an integrated decision-making process that serves in an optimal fashion to ensure nuclear reactor safety.

2.4. Evaluating the adequacy of defense-in-depth

The method for evaluating the adequacy of DID is based on a multilevel concept where, if one level fails, other levels provide the necessary protection of public safety. The method includes five levels starting with protection against initial plant upsets, through successive levels including means to limit potential consequences. The objective of the first level of protection is the prevention of abnormal operation and system failures. If the first level fails, abnormal operation is controlled or failures are detected by a second level of protection. Should the second level fail, a third level ensures that safety functions are performed by activating specific safety systems and other safety features. Should the third level fail, a fourth level limits accident progression through accident management so as to prevent or mitigate severe accident conditions and external releases of radioactive materials. The last objective is the mitigation of the radiological consequences.

Decision analysis techniques were employed to translate the elements of DID in a systematic and formal manner. As summarized in Table 1, the method starts with a structured matrix based on the five levels of DID: (1) prevention, (2) control of abnormal operations, (3) control of accidents, (4) control of severe plant conditions, and (5) mitigation. Then, each level is broken down into individual attributes; the attributes include both qualitative and quantitative metrics based on traditional DID measures as well as risk insights. The approach depicts the elements that are used to devise, maintain, and improve DID in a structure that weighs choices between complex alternatives. The utility of a decision-making algorithm in the form of a matrix also helps make the process transparent and repeatable.

Although the weighting for each level in Table 1 was chosen to reflect equal importance of each level of DID, small adjustments in weightings may be considered to allow slight differences in levels (for example, based on the premise that prevention is more important than control, or control is more important than mitigation). This is consistent with historical approaches to DID that state the principal defense is through the prevention of accidents through conservative design, followed by a second line of defense that includes protective systems to prevent or minimize damage from failures, and finally a third line that includes installed engineered safety features to mitigate the consequences of postulated accidents (U.S. Nuclear Regulatory Commission, 2016). Similarly, attribute scores were chosen to provide a scale to infer a level of robustness beyond the current subjective approach; the relative strength of individual DID attributes is shown by quantifying them to the extent practicable. While the numbers are somewhat arbitrary, exact values are intended to provide a practical way to distinguish

¹ Scenario and sequence are used interchangeably in this paper and are intended to denote a single core damage pathway through an event tree in a probabilistic risk assessment. This typically comprises an initiating event (i.e., an initial plant upset event) and a series of system level failure events that ultimately lead to some undesired plant condition (e.g., core damage).


Table 1 Summary Defense-in-Depth Matrix (evaluated on an accident sequence/scenario basis).

| Defense-in-Depth Levels and Attributes | High (4) | Medium (3) | Low (1) |
|---|---|---|---|
| Level 1: Prevention of Abnormal Operation and Failures (Weight 20%) | | | |
| Internal event initiating event frequency (per year) | ≤1E−2 | >1E−2 and ≤1 | >1 |
| External hazard initiating event frequency (per year) | ≤1E−4 | >1E−4 and ≤1E−2 | >1E−2 |
| Level 2: Control of Abnormal Operation and Detection of Failures (Weight 20%) | | | |
| Safety system response | Passive | Automatic control | Manual control |
| Nonsafety system response | Automatic | Control room | Local |
| Level 3: Control of Accidents within the Design Basis (Weight 20%) | | | |
| Core damage frequency only considering safety systems (per year) | ≤1E−5 | >1E−5 and ≤1E−3 | >1E−3 |
| Conditional core damage probability | ≤1E−5 | >1E−5 and ≤1E−3 | >1E−3 |
| Level 4: Control of Beyond Design Basis Conditions (Weight 20%) | | | |
| Conditional containment failure probability | ≤0.01 | >0.01 and ≤0.1 | >0.1 |
| Time to beginning of core damage (hours) | ≥8 | <8 and ≥1 | <1 |
| Coping time (hours) | ≥72 | <72 and ≥24 | <24 |
| Containment isolation response | Fail-safe valves | Active valves | Check valves |
| Level 5: Mitigation of the Consequences of Releases (Weight 20%) | | | |
| Large release frequency (per year) | ≤1E−8 | >1E−8 and ≤1E−6 | >1E−6 |
| Secondary confinement | Seismic Cat. 1 | Other | None |

through the role that individual systems play in providing protection against a release and the effect the individual systems act in concert. This sequence-based method considers quantitative metrics from an acceptable PRA²; an acceptable PRA that meets scope, level of detail, and technical adequacy in accordance with endorsed standards can be used to support regulatory decision making (U.S. Nuclear Regulatory Commission, 2011).

between designs with varying degrees of DID. The scoring is simply a way to provide quantitative risk targets that should be achieved, or improvements made in the design; they also help gauge the level of safety of a nuclear power plant design. While this method provides DID measures that can be directly quantified, it is recognized that judgment has been exercised in setting level weighting and attribute scoring. By breaking down the elements of DID, and ranking them through relative importance, the method provides a systematic and structured approach to evaluating the adequacy of DID. Lastly, the scoring of the metrics (i.e., high = 4, medium = 3, and low = 1) is designed on the premise that a single “low” score should not be offset by a single “high” score, but in fact requires a two-for-one offset such that at most only a single attribute might be scored as “low” and still have an overall evaluation of acceptable. The adequacy of DID may be evaluated on a sequence basis for system metrics, by frequency-averaging across all sequences for plant metrics, or both. An overview of the process follows:

• Each level of defense includes attributes that are evaluated individually based on higher-to-lower levels of DID.
• Each attribute is scored independently (all attributes are shown with a default score); note that not all attributes will necessarily be evaluated for a sequence-based evaluation.
• An average score is then calculated for each level, based on the number of applicable attributes.
• The scores for each level are weighted based on the weights shown in the level headings in Table 2 through Table 6.
• The scores are then combined; a total score of greater than 3.0 indicates a higher than nominal level of DID and should, therefore, be judged as adequate.

Each level is described in detail in subsequent sections; they are also graphically depicted in Table 2 through Table 6.

In the scoring used in this method, a score of 3 is loosely associated with design features consistent with the current generation of operating plants in the U.S. Since these plants have already been evaluated by the NRC and found to be safe, the DID for these plants is adequate. However, for advanced designs, the expectation is for improved safety. Therefore, this “level” of DID (i.e., a score of 3) is termed “nominal.” This quantitative DID evaluation method complements traditional qualitative or deterministic DID evaluations and improves on the capability to analyze nuclear power plant designs as integrated systems. The PRA is used to help determine whether more or less DID is needed

2.4.1. Defense-in-depth prevention metrics

The first level of DID is focused on prevention. The level 1 prevention attributes consider deviations from normal operating conditions, including transients and plant shutdowns. Prevention is measured by the frequency of a deviation from normal operation. Deviations or initiating events are perturbations to steady-state operation that could challenge plant control and safety systems whose failure could potentially lead to an accident. An initiating event is defined in terms of the change in plant status that results in a condition requiring an automatic reactor trip (e.g., loss of feedwater, loss of coolant accident), or a manual trip prompted by conditions other than those involved in a normal shutdown. An initiating event may result from human causes, equipment failure from causes internal to the plant (e.g., hardware faults, floods, or fires) or external to the plant (e.g., earthquakes or high winds), or combinations of both.

Table 2 includes the level 1 DID metric for prevention of abnormal operation and failures. The DID values for internal initiating event frequencies range from events that are not expected to occur within the plant lifetime to those that are expected to occur each cycle. Because external hazards such as earthquakes and tornadoes can potentially impact the ability of plant systems to respond to an upset condition, the DID values for external hazard frequencies are lower. The weighting for the level 1 metric is 20 percent; accident prevention is the first priority. Provisions that prevent deviations from normal plant operation are generally more effective and more predictable than measures aimed at control or mitigating consequences. A plant’s performance generally deteriorates when the status of the plant or a component departs from normal conditions. As such, preventing degradation of plant performance will provide the most effective protection to the public and environment.

2 Regulatory Guide 1.200 provides guidance on determining the technical adequacy of a PRA (U.S. Nuclear Regulatory Commission, 2009). This guidance defines a technically acceptable PRA and provides the NRC’s position on industry PRA consensus standards.
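The scoring procedure of Section 2.4 (attribute scores of 4/3/1 against the Table 1 thresholds, a per-level mean over the applicable attributes, equal 20% level weights, and a total above 3.0 judged adequate) carried through in code. This is an added example, not code from the paper or from NuScale; the attribute names, the category labels, the two constructed sequences, and the rule of rejecting a level with no applicable attribute are this example's own assumptions.

```python
"""Worked scoring of the five-level DID matrix of Table 1 (added example).

Attribute scores: high = 4, medium = 3, low = 1.  Each level score is the mean
of its applicable attributes; level scores are combined with the Table 1
weights (20 % each); a total above 3.0 is judged adequate (above "nominal").
"""
from typing import Callable, Dict, Union

HIGH, MEDIUM, LOW = 4, 3, 1


def band(hi: float, med: float, lower_is_better: bool = True) -> Callable[[float], int]:
    """Scorer for a numeric attribute with two thresholds.

    Frequencies and probabilities (lower_is_better): x <= hi -> HIGH,
    hi < x <= med -> MEDIUM, x > med -> LOW.  Times in hours
    (lower_is_better=False): x >= hi -> HIGH, hi > x >= med -> MEDIUM, else LOW.
    """
    def score(x: float) -> int:
        if lower_is_better:
            return HIGH if x <= hi else MEDIUM if x <= med else LOW
        return HIGH if x >= hi else MEDIUM if x >= med else LOW
    return score


def categorical(high: str, medium: str) -> Callable[[str], int]:
    """Scorer for a qualitative attribute; any other value scores LOW."""
    def score(x: str) -> int:
        return HIGH if x == high else MEDIUM if x == medium else LOW
    return score


# Thresholds transcribed from Table 1.  Category labels are this example's own
# shorthand for the table's wording (e.g. "fail_safe" = fail-safe valves).
MATRIX: Dict[int, Dict[str, Callable]] = {
    1: {"internal_ie_freq": band(1e-2, 1.0),            # per year
        "external_ie_freq": band(1e-4, 1e-2)},
    2: {"safety_response": categorical("passive", "automatic"),
        "nonsafety_response": categorical("automatic", "control_room")},
    3: {"cdf_safety_only": band(1e-5, 1e-3),            # focused PRA, per year
        "ccdp": band(1e-5, 1e-3)},
    4: {"ccfp": band(0.01, 0.1),
        "time_to_core_damage_h": band(8, 1, lower_is_better=False),
        "coping_time_h": band(72, 24, lower_is_better=False),
        "containment_isolation": categorical("fail_safe", "active")},
    5: {"lrf": band(1e-8, 1e-6),                        # per year
        "secondary_confinement": categorical("seismic_cat_1", "other")},
}
WEIGHT_PERCENT = {1: 20, 2: 20, 3: 20, 4: 20, 5: 20}   # integer percents keep sums exact
ADEQUATE_ABOVE = 3.0


def score_sequence(observed: Dict[str, Union[float, str]]) -> dict:
    """Score one accident sequence from its observed attribute values.

    Attributes absent from `observed` are treated as not applicable (e.g.
    coping time for a sequence that never loses AC power) and excluded from
    that level's mean.  Every level must keep at least one applicable
    attribute; the paper defines no total otherwise, so we refuse (assumption).
    """
    attribute_scores: Dict[str, int] = {}
    level_scores: Dict[int, float] = {}
    for level, attrs in MATRIX.items():
        scores = []
        for name, scorer in attrs.items():
            if name in observed:
                attribute_scores[name] = scorer(observed[name])
                scores.append(attribute_scores[name])
        if not scores:
            raise ValueError(f"level {level} has no applicable attribute")
        level_scores[level] = sum(scores) / len(scores)
    total = sum(WEIGHT_PERCENT[lv] * s for lv, s in level_scores.items()) / 100
    return {"attributes": attribute_scores, "levels": level_scores,
            "total": round(total, 3), "adequate": total > ADEQUATE_ABOVE}


# Constructed sample sequence for a passive plant (illustrative values only):
# one attribute scores low (no secondary confinement) and is offset by the
# high scores elsewhere, as the two-for-one premise in the text intends.
SAMPLE_SEQUENCE = {
    "internal_ie_freq": 5e-3, "external_ie_freq": 3e-4,
    "safety_response": "passive", "nonsafety_response": "control_room",
    "cdf_safety_only": 2e-6, "ccdp": 4e-4,
    "ccfp": 0.05, "time_to_core_damage_h": 12, "containment_isolation": "fail_safe",
    "lrf": 5e-7, "secondary_confinement": "none",   # coping time not applicable
}

# Constructed sequence scoring medium on every attribute: the total is exactly
# 3.0, the "nominal" level, which the strict "> 3.0" criterion does not accept.
NOMINAL_SEQUENCE = {
    "internal_ie_freq": 0.5, "external_ie_freq": 1e-3,
    "safety_response": "automatic", "nonsafety_response": "control_room",
    "cdf_safety_only": 1e-4, "ccdp": 1e-4,
    "ccfp": 0.05, "time_to_core_damage_h": 4, "coping_time_h": 48,
    "containment_isolation": "active",
    "lrf": 1e-7, "secondary_confinement": "other",
}

if __name__ == "__main__":
    for label, seq in (("sample", SAMPLE_SEQUENCE), ("nominal", NOMINAL_SEQUENCE)):
        r = score_sequence(seq)
        print(label, r["levels"], r["total"], "adequate" if r["adequate"] else "not adequate")
```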


Table 2 Defense-in-depth prevention metric (level 1).

| Prevention of Abnormal Operation and Failures¹: Level 1 Defense-in-Depth Attributes² (Weight 20%) | High | Medium | Low |
|---|---|---|---|
| Internal event initiating event frequency (per year) | ≤1E−2 | >1E−2 and ≤1 | >1 |
| Attribute score | 4 | 3 | 1 |
| External hazard initiating event frequency (per year) | ≤1E−4 | >1E−4 and ≤1E−2 | >1E−2 |
| Attribute score | 4 | 3 | 1 |

¹ The level 1 DID prevention metric focuses on conservatism in the design and quality in construction and operation.
² Not all attributes will necessarily be evaluated for a sequence-based evaluation.

Table 3 Defense-in-depth control metric (level 2).

| Control of Abnormal Operation and Detection of Failures¹: Level 2 Defense-in-Depth Attributes (Weight 20%) | High | Medium | Low |
|---|---|---|---|
| Safety system response² | Passive or fail-safe system | Active system with automatic control | Active system with manual control |
| Attribute score | 4 | 3 | 1 |
| Nonsafety system response² | Automatic | Control room action | Local action |
| Attribute score | 4 | 3 | 1 |

¹ The level 2 DID control metric focuses on control, limiting protection systems, and other surveillance features.
² If more than one system is involved, each system is evaluated separately and the highest rating is used for the attribute.

Table 4 Defense-in-depth control metric (level 3).

| Control of Accidents within the Design Basis¹: Level 3 Defense-in-Depth Attributes (Weight 20%) | High | Medium | Low |
|---|---|---|---|
| Core damage frequency only considering safety systems (i.e., focused PRA) (per year) | ≤1E−5 | >1E−5 and ≤1E−3 | >1E−3 |
| Attribute score | 4 | 3 | 1 |
| Conditional core damage probability | ≤1E−5 | >1E−5 and ≤1E−3 | >1E−3 |
| Attribute score | 4 | 3 | 1 |

¹ The level 3 DID control metric focuses on engineering safety features, accident procedures, limiting protection systems, and other surveillance features.

2.4.2. Defense-in-depth control metrics

The next three levels of defense cover control of the plant following abnormal operation or system failure. The weighting for control levels 2 through 4 is 20 percent each; the weighting for each is similar to the prevention metric and represents the capability of the plant to respond to an abnormal condition and prevent a release.

The level 2 DID metric, control of abnormal operation and detection of failures, considers inherent plant features and systems to control abnormal operations. In response to a deviation from steady-state operation, it considers plant response and the systems designed to detect and bring the plant back to normal operating conditions. The level 2 control attributes consider whether the plant’s response is automatic or requires manual control. The design of the plant and system response focuses on the prevention of conditions that might threaten the ability to remove core heat. Table 3 includes the level 2 control metric. The DID metrics for safety and nonsafety system response to events range from passive systems to those that require local, manual control by plant operators; DID is enhanced through the use of passive and highly reliable, power-independent fail-safe safety systems.

The level 3 DID metric covers control of accidents within the design basis. In spite of the provisions for prevention, accident conditions may occur. Engineered safety features and protection systems are provided to prevent evolution towards severe accidents and confine radioactive materials. The level 3 DID metric focuses on prevention of core damage. The attributes consider the core damage frequency using only safety systems (i.e., focused PRA)—those systems designed on the basis of postulated design-basis accidents (e.g., a loss of coolant accident or main steam line break). It also includes the conditional core damage probability, which fully utilizes all plant capabilities, including available nonsafety-related equipment and the role of operators. If the development from an initiating event to a severe accident condition is slow, it is possible for plant personnel to diagnose the status of the plant and restore systems and safety functions. Table 4 includes the level 3 control metric. The core damage frequency value for high DID covers sequences in which safety systems alone (i.e., focused PRA) are well above the quantitative objective established to meet the Commission’s safety goal (i.e., total core damage frequency of less than 1E−4 per reactor year). The sequence conditional core damage probability values are based on the sequence core damage frequency values from the PRA including credit for nonsafety system response; the sequence conditional core damage probability considers failures of safety and nonsafety plant systems and components following an off-normal event.

The final control level, level 4, focuses on protection of containment. As such, this metric includes consideration of the time to the beginning of core damage. In the event of core damage, the next line of defense is containment and preventing accident progression and the potential for a release. Table 5 includes the level 4 control metric. Similar to the level 3 conditional core damage probability attribute, the level 4 conditional containment failure probability attribute fully utilizes all plant capabilities, including available nonsafety-related equipment and the role of operators. The conditional containment failure probability value for high DID covers sequences in which there is considerable margin to meet the NRC’s Standard Review Plan Chapter 19.0 acceptance criteria for containment failure (i.e., 0.1); the value for low DID covers sequences that do not meet the criteria. The threshold values for the time to core damage consider the possibility of additional resources becoming available to limit core damage progression; medium DID provides time for emergency operating facility staffing, and low DID limits the control of accident progression to the operator recovery actions that would be performed in accordance with the emergency operating procedures. Recovery actions are considered from the time of the initiating event up to the point at which containment failure is imminent. This time can be used to take measures to prevent core degradation and containment failure. For sequences that involve a complete loss of all AC power, coping time is considered (i.e., the time from the onset of a station blackout to the time when AC power needs to be restored to maintain adequate core cooling). The coping time for high DID is based on expectations for passive plants; it is also the time in which outside resources are expected to be available to support FLEX strategies (i.e., portable equipment to support diverse and flexible coping strategies). The coping time for medium DID is based on expectations for restoring AC power; it is also the time in which site access is expected to be restored to support FLEX strategies. The DID metric for high containment isolation is based on highly reliable fail-safe components (e.g., valves that fail closed on a loss of power), while a low valuation is based on a design that relies only on check valves, which historically have not been as reliable for leak-tightness.

Table 5 Defense-in-depth control metric (level 4).

| Control of Severe Plant Conditions, Including Prevention of Accident Progression and Mitigation of the Consequences of Severe Accidents¹: Level 4 Defense-in-Depth Attributes² (Weight 20%) | High | Medium | Low |
|---|---|---|---|
| Conditional containment failure probability | ≤0.01 | >0.01 and ≤0.1 | >0.1 |
| Attribute score | 4 | 3 | 1 |
| Time to beginning of core damage (hours) | ≥8 | <8 and ≥1 | <1 |
| Attribute score | 4 | 3 | 1 |
| Coping time – for loss of all AC power sequences (hours) | ≥72 | <72 and ≥24 | <24 |
| Attribute score | 4 | 3 | 1 |
| Containment isolation response | Fail-safe actuated valves | Active actuated valves | Only check valves |
| Attribute score | 4 | 3 | 1 |

¹ The level 4 DID control metric focuses on complementary measures and accident mitigation.
² Not all attributes will necessarily be evaluated for a sequence-based evaluation (i.e., coping time).

availability of structures to limit a possible release. Table 6 includes the level 5 mitigation metric. The weighting for the level 5 metric is 20 percent. The large release frequency value for high DID covers sequences in which there is considerable margin to meet the quantitative objective established to meet the Commission’s safety goal (i.e., total large release frequency of less than 1E−6 per reactor year); the value for low DID covers sequences that fall short of meeting the safety goal. The DID metrics for secondary confinement range from a Seismic Category 1 structure which would provide some mitigation to no secondary confinement.

2.4.3. Defense-in-depth mitigation metric The level 5 metric includes accident management measures aimed at controlling the course of a severe accident and mitigating its consequences. It considers the frequency of a large release and the

2.5. Results

The evaluation of DID adequacy can be calculated by scoring the prevention, control, and mitigation DID attributes, calculating an average score for each level, applying the appropriate weighting factors, and summing the results for comparison against the 3.0 nominal level of DID adequacy threshold. As shown in Sections 2.5.1, 2.5.2, and 2.5.3, a quantitative evaluation of the adequacy of DID can be applied to the overall plant design as well as to individual sequences. A high level of DID mitigates concerns about uncertainty with regard to the design, construction, maintenance, and operation of a plant design. A high level of DID also provides assurance of the safety of power plant operation. As DID is designed to protect the health and safety of the public and the environment, a higher level of DID indicates a higher level of protection.

2.5.1. Plant-based example

This section includes an example evaluation of an overall plant-based DID metric for a small modular reactor design using the PRA developed to support design certification. This new design is less susceptible to severe accidents due to its integrated design and highly reliable passive safety systems that fail safe on a loss of power and minimize challenges to core integrity. Compared to existing LWR designs, the small modular reactor design also includes additional fission product barriers, such as a Seismic Category I reactor building. Such features reduce the potential for core damage and subsequent radionuclide release.
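As an added worked example (not the paper's own code), the Section 2.5 scoring procedure implemented in Python: the numeric thresholds of Tables 5 and 6, High/Medium/Low judgements mapped to the 4/3/1 attribute scores, per-level averaging that skips attributes that do not apply, and the 20 percent weighting, run over the attribute scores the paper reports for sequences A and B in Sections 2.5.2 and 2.5.3. The function and constant names are assumptions of this example.

```python
"""Added worked example, not code from the paper: the Section 2.5 scoring
procedure (attribute score -> level average -> 20% weights -> compare with 3.0),
using the Table 5 and Table 6 thresholds where the paper gives numeric values
and the High/Medium/Low judgements it reports elsewhere."""
from typing import Optional, Sequence

# High / Medium / Low judgements map to the 4 / 3 / 1 attribute scores of the tables.
CATEGORY_SCORE = {"high": 4, "medium": 3, "low": 1}
# Level 1 prevention, levels 2-4 control, level 5 mitigation: 20 percent each.
LEVEL_WEIGHTS = (0.20, 0.20, 0.20, 0.20, 0.20)
NOMINAL_DID = 3.0  # nominal level of DID adequacy threshold


def score_category(judgement: str) -> int:
    return CATEGORY_SCORE[judgement.lower()]

def score_conditional_containment_failure(p: float) -> int:
    """Table 5: <=0.01 high, >0.01 and <=0.1 medium, >0.1 low."""
    return 4 if p <= 0.01 else 3 if p <= 0.1 else 1

def score_time_to_core_damage(hours: float) -> int:
    """Table 5: >=8 h high, >=1 and <8 h medium, <1 h low."""
    return 4 if hours >= 8 else 3 if hours >= 1 else 1

def score_coping_time(hours: Optional[float]) -> Optional[int]:
    """Table 5: >=72 h high, >=24 and <72 h medium, <24 h low.
    None means the sequence is not a station blackout, so the attribute is not evaluated."""
    if hours is None:
        return None
    return 4 if hours >= 72 else 3 if hours >= 24 else 1

def score_large_release_frequency(per_year: float) -> int:
    """Table 6: <=1E-8 high, >1E-8 and <=1E-6 medium, >1E-6 low."""
    return 4 if per_year <= 1e-8 else 3 if per_year <= 1e-6 else 1

def level_score(attribute_scores: Sequence[Optional[int]]) -> float:
    """Average over the attributes that apply; None marks an attribute not
    evaluated for this sequence (external hazards, coping time)."""
    applicable = [s for s in attribute_scores if s is not None]
    if not applicable:
        raise ValueError("a level needs at least one applicable attribute")
    return sum(applicable) / len(applicable)

def did_score(level_scores: Sequence[float]) -> float:
    """Weighted sum of the five level scores."""
    return sum(w * s for w, s in zip(LEVEL_WEIGHTS, level_scores))

def adequate(score: float) -> bool:
    return score >= NOMINAL_DID


# Sequence A (Section 2.5.2, makeup line LOCA), attribute by attribute.
SEQUENCE_A = [
    level_score([score_category("high"), None]),                      # level 1
    level_score([score_category("high"), score_category("medium")]),  # level 2
    level_score([score_category("high"), score_category("high")]),    # level 3
    level_score([score_conditional_containment_failure(1.0),          # level 4: core
                 score_category("medium"),                            # damage leads
                 score_coping_time(None),                             # to release;
                 score_category("high")]),                            # not an SBO
    level_score([score_large_release_frequency(6e-12), score_category("high")]),
]
# Sequence B (Section 2.5.3, loss of offsite power leading to station blackout).
SEQUENCE_B = [
    level_score([score_category("medium"), None]),
    level_score([score_category("medium"), score_category("low")]),
    level_score([score_category("high"), score_category("medium")]),
    level_score([score_category("low"), score_category("medium"),
                 score_category("low"), score_category("medium")]),
    level_score([score_large_release_frequency(4e-7), score_category("medium")]),
]

if __name__ == "__main__":
    for name, levels in (("sequence A", SEQUENCE_A), ("sequence B", SEQUENCE_B)):
        total = did_score(levels)
        verdict = "at or above" if adequate(total) else "below"
        print(f"{name}: {[round(s, 1) for s in levels]} -> {total:.1f} ({verdict} nominal)")
```

Sequence A reproduces the paper's 3.6 and sequence B its 2.7; level 4 of sequence A is carried as 8/3 rather than the rounded 2.7, which does not change the one-decimal result.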

Table 6 Defense-in-depth mitigation metric (level 5). Mitigation of Radiological Consequences of Significant Releases of Radioactive Materials¹. Level 5 Defense-in-Depth Attributes (Weight 20%)

Level  | Large release frequency (per year) | Score | Secondary confinement (e.g., reactor building) | Score
High   | ≤1E−8              | 4 | Seismic Category I | 4
Medium | >1E−8 and ≤1E−6    | 3 | Other              | 3
Low    | >1E−6              | 1 | None               | 1

¹ The level 5 DID mitigation metric focuses on off-site emergency response.

1. The following shows the plant design scoring for the level 1 prevention DID attributes.
- The frequency of internal initiating events was judged to be medium. The PRA includes a wide range of internal initiating events, from general transients with a frequency of greater than one per module-year to loss of coolant accidents (LOCAs) with frequencies of one in 10,000 years.
- The frequency of external hazards was judged to be medium. This number could go up or down depending on the specific site selected; however, site selection will include consideration of the potential hazards, making a low assessment unlikely. The plant design, however, is below grade, and the reactor building is Seismic Category I, which will provide protection from many external hazards.

Considering both attributes, the overall plant-based level 1 DID metric score is 3.0 [(3 + 3)/2]; the design is found to incorporate a nominal level of defense for prevention of abnormal operation and system failures.

2. The following shows the plant design scoring for the level 2, control of abnormal operation, DID attributes.
- In the plant design, safety system actuation is passive in addition to being automatic. Therefore, safety system response scores high.
- The nonsafety system response to off-normal conditions scores medium; most nonsafety system response can be performed from the control room.

Considering both attributes, the overall plant score for the level 2, control of abnormal operation, DID metric is a 3.5 [(4 + 3)/2]; the design is slightly above the nominal level of DID for level 2.

3. The following shows the plant design scoring for the level 3, control of accidents within the design basis, DID attributes.
- The core damage frequency calculated crediting only safety-related systems is significantly less than 1E−5 per year for internal events. Therefore, safety system core damage frequency scores high.
- The conditional core damage probability calculated from the PRA also results in a high score. This value is calculated using the PRA cutsets and setting the associated initiating event frequencies to certainty (i.e., TRUE).

Considering both level 3 attributes, the overall plant score for the level 3, control of accidents within the design basis, DID metric is a 4.0 [(4 + 4)/2]; the design is higher than the nominal level of DID for level 3.

4. The final DID control metric, level 4, considers control of severe plant conditions, including prevention of accident progression and mitigation of the consequences of a severe accident. The following shows the example plant design scoring for the level 4 attributes.
- The conditional containment failure probability is based on the large release frequency being more than an order of magnitude below the core damage frequency for internal and external hazards. For this particular example, assume the result is medium.
- The time to core damage is determined from thermal hydraulic analysis calculations for design-basis and credible beyond-design-basis scenarios. This particular example assumes the result is medium.
- The station blackout (i.e., loss of all AC power) coping time (i.e., the time between an initial loss of AC power and the time at which core heat removal is lost) scores high, since for this design the station blackout coping time is unlimited.
- The containment isolation response scores high; the design includes redundant containment isolation valves that fail closed on a loss of power.

The overall plant score for the level 4, control of severe plant conditions including prevention of accident progression and mitigation of the consequences of a severe accident, DID metric is 3.5 [(3 + 3 + 4 + 4)/4]; the design is higher than the nominal level of DID for level 4.

5. The final DID metric, level 5, considers mitigation of radiological consequences of significant releases of radioactive material. The following shows the plant design scoring for the level 5 attributes.
- The large release frequency scores high: the plant-level large release frequency is well below 1E−8 per year.
- Because the design includes a Seismic Category I reactor building that would contain or scrub most releases, the secondary confinement attribute scores high.

For this example design, the overall plant score for the level 5, mitigation of radiological consequences of significant releases of radioactive material, is assessed as 4.0 [(4 + 4)/2]; that is, the design is found to incorporate a higher than nominal level of DID. The plant design scored equal to or higher than the nominal level of DID for each of the five levels of DID. Combining all five DID metrics, including weighting, results in an overall plant metric of 3.6 [(3.0 × 20%) + (3.5 × 20%) + (4.0 × 20%) + (3.5 × 20%) + (4.0 × 20%)]; this is significantly higher than the nominal level of DID for an overall plant design. The results show that the level of DID in the small modular reactor design is acceptable in terms of prevention, control, and mitigation of abnormal operation, design-basis events, and severe accidents. This level of DID provides reasonable assurance that the design poses no undue risk to the public health and safety.

2.5.2. Sequence-based example A

This section includes an example evaluation of the adequacy of DID for a specific sequence of the small modular reactor design evaluated in Section 2.5.1. As shown in Table 7, the sequence is initiated by a LOCA in the reactor coolant makeup line for a single reactor module. The LOCA is followed by success of the reactor trip system, success of the decay heat removal system, and success of the emergency core cooling system. However, the sequence leads to core damage and a large release due to a failure to isolate the break, failure of containment isolation, and failure to initiate makeup inventory.

Table 7 Example sequence A. Makeup Line LOCA Sequence

Description | Frequency/Probability
LOCA in the normal, primary coolant inventory makeup line | 3E−4
Common cause failure to close of both isolation valves in makeup line | 5E−5
Excess flow check valve fails to close and isolate LOCA | 1E−1
Operator fails to initiate backup coolant injection | 4E−3
Sequence large release frequency = 6E−12 per module-year.

1. The following shows the makeup line LOCA sequence scoring for the level 1 prevention DID attribute.
- The frequency of the initiating event scores high, since the makeup line LOCA has a frequency much less than 1E−2 per module-year.
- Because the external hazard frequency attribute does not apply for this sequence, the sequence level 1 DID metric is based on a single attribute, with a score of 4.0.

2. The following shows the makeup line LOCA sequence scoring for the level 2, control of abnormal operation, DID attributes.
- Safety system response scores high. The decay heat removal system, containment isolation, and emergency core cooling systems are passive, fail-safe systems.
- Nonsafety system plant response scores medium. Backup coolant injection is available via actions from control room operators.

Considering both level 2 attributes, the sequence level 2 DID metric score is a 3.5 [(4 + 3)/2].

3. The following shows the makeup line LOCA sequence scoring for the level 3, control of accidents within the design basis, DID attributes.
- The core damage frequency for this sequence using only safety systems scores high; most mitigating systems considered are safety-related.
- The conditional core damage probability scores high; core damage requires failures of both containment isolation valves, the excess flow check valve, and mitigation via backup injection.

Considering that both level 3 attributes are high, the sequence level 3 DID metric score is a 4.0.

4. The final DID control metric, level 4, considers control of severe plant conditions, including prevention of accident progression and mitigation of the consequences of a severe accident. The following shows the makeup line LOCA scoring for the level 4 attributes.
- The conditional containment failure probability scores low. Although a large release requires failure of both containment isolation valves and a check valve, the path to core damage involves failure of both isolation valves (i.e., in this case core damage directly leads to a large release, and the conditional containment failure probability is 1.0).
- The time to core damage is judged to be medium based on bounding thermal hydraulic calculations.
- The containment isolation response scores high; the design includes redundant containment isolation valves that fail closed on a loss of power.

The sequence level 4 DID metric is based on three attributes, and the score is a 2.7 [(1 + 3 + 4)/3]; since this is not a station blackout sequence, coping time does not apply.

5. The final DID metric, level 5, considers mitigation of radiological consequences of significant releases of radioactive material. The following shows the makeup line LOCA scoring for the level 5 attributes.
- The large release frequency for this sequence scores high, since it is well below 1E−8 per year.
- Secondary confinement scores high, as the design includes a Seismic Category I reactor building that would contain or scrub most releases.

Considering that both mitigation attributes score high, the level 5 metric score is a 4.0. This sequence scored above the nominal level of DID for four of the five levels of DID. Combining all five DID metrics, including weighting, results in a sequence-based DID score of 3.6 [(4.0 × 20%) + (3.5 × 20%) + (4.0 × 20%) + (2.7 × 20%) + (4.0 × 20%)]. Plant design features result in this sequence providing a higher than adequate level of DID. This is consistent with the extremely low frequency of 6E−12 for this sequence and provides assurance of the safety of the small modular reactor design. This type of sequence-based DID evaluation can be used, in part, for evaluating sequences that might be used in establishing the size of plume exposure emergency planning zones.

2.5.3. Sequence-based example B

This section includes an example evaluation of the adequacy of DID for a sequence in a plant design in which safety systems rely on AC power. As shown in Table 8, the sequence is initiated by a loss of offsite power followed by failure of both emergency diesel generators, which results in a station blackout. The sequence progresses to core damage and a large release following failures of decay heat removal, emergency core cooling, and containment isolation.

Table 8 Example sequence B. Loss of Offsite Power and Station Blackout Sequence

Description | Frequency/Probability
Loss of offsite power | 3E−2
Failure of offsite power recovery | 3E−1
Common cause failure of the emergency diesel generators | 6E−3
Failure to control turbine-driven auxiliary feedwater | 8E−3
Sequence large release frequency = 4E−7 per year.

1. The following shows the loss of offsite power sequence scoring for the level 1 prevention DID attribute.
- The frequency of the initiating event scores medium. Because the external hazard initiating event frequency attribute does not apply for this sequence, the sequence level 1 DID metric is based on a single attribute, with a score of 3.0.

2. The following shows the loss of offsite power sequence scoring for the level 2, control of abnormal operation, DID attributes.
- Safety system response scores medium. Emergency core cooling and containment isolation require AC power.
- Nonsafety system plant response scores low. Any nonsafety mitigating system would require local control.

Considering both level 2 attributes, the sequence level 2 DID metric score is a 2.0 [(3 + 1)/2].

3. The following shows the loss of offsite power sequence scoring for the level 3, control of accidents within the design basis, DID attributes.
- The core damage frequency for this sequence using only safety systems scores high.
- The conditional core damage probability scores medium; core damage requires failures of both emergency generators and auxiliary feedwater.

Considering both level 3 attributes (high and medium), the sequence level 3 DID metric score is a 3.5 [(4 + 3)/2].

4. The final DID control metric, level 4, considers control of severe plant conditions, including prevention of accident progression and mitigation of the consequences of a severe accident. The following shows the loss of offsite power sequence scoring for the level 4 attributes.
- The conditional containment failure probability scores low. In this sequence, the loss of all power leads to a failure of containment isolation.
- The time to core damage is judged to be medium.
- The coping time scores low.
- The containment isolation response scores medium; although this design includes redundant containment isolation valves, power is required for closure.

The sequence level 4 DID metric is based on all four attributes, and the score is a 2.0 [(1 + 3 + 1 + 3)/4].

5. The final DID metric, level 5, considers mitigation of radiological consequences of significant releases of radioactive material. The following shows the loss of offsite power sequence scoring for the level 5 attributes.
- The large release frequency for this sequence scores medium.


- Secondary confinement scores medium, as the design includes a reactor building.

The sequence level 5 mitigation metric score is a 3.0 [(3 + 3)/2]. Combining all five DID metrics, including weighting, results in a sequence-based DID score of 2.7 [(3.0 × 20%) + (2.0 × 20%) + (3.5 × 20%) + (2.0 × 20%) + (3.0 × 20%)]. This sequence scored below the nominal level of DID.

3. Conclusions

Consistent with the NRC’s policy statement encouraging greater use of PRA to improve safety decision making and improve regulatory efficiency, this paper outlines a more robust approach for assessing DID than has traditionally been used (i.e., subjective, qualitative evaluation). This method can be used to evaluate individual accident sequences, design changes, and the overall plant design as part of the normal design control process. This DID evaluation method demonstrates one approach to enhance the use of RIPB methods as an integral part of new reactor design development and establishes quantitative metrics that can be applied on a consistent basis and tailored to a specific design. This performance-based method is intended to complement the traditional DID philosophy employed in design development. As RIPB methods have progressed to the point where the use of PRA can be extended to augment traditional, deterministic nuclear safety design practices, this paper demonstrates a quantitative approach to: (1) establish a DID baseline for a new nuclear power plant design, and (2) serve as a method for evaluating the adequacy of DID for design changes and operational decisions. Evaluations of DID can be conducted throughout the design process as well as in support of design certification and operating license applications. Quantification of DID reduces subjectivity in plant safety assessments, helps to ensure that public and worker risk insights are integrated into the design process holistically, and provides assurance of the safety of new reactor designs.

References

International Atomic Energy Agency, International Nuclear Safety Advisory Group, “Defense in Depth in Nuclear Safety,” INSAG-10, Vienna, Austria, 1996.
International Atomic Energy Agency, International Nuclear Safety Advisory Group, “A Framework for an Integrated Risk Informed Decision Making Process,” INSAG-25, Vienna, Austria, May 2011.
U.S. Code of Federal Regulations, “General Design Criteria for Nuclear Power Plants,” Introduction, Appendix A, Part 50, Title 10, “Energy,” 2015 (10 CFR 50 Appendix A).
U.S. Code of Federal Regulations, “Reactor Site Criteria,” Part 100, Chapter I, Title 10, “Energy,” December 2015 (10 CFR 100).
U.S. Nuclear Regulatory Commission, “Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants,” Policy Statement, Federal Register, Vol. 50, FR 32138, August 8, 1985.
U.S. Nuclear Regulatory Commission, “Policy Statement on the Regulation of Advanced Reactors,” Final Policy Statement, Federal Register, Vol. 73, FR 60612, October 14, 2008.
U.S. Nuclear Regulatory Commission, “An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities,” Regulatory Guide 1.200, Rev. 2, March 2009.
U.S. Nuclear Regulatory Commission, “An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis,” Regulatory Guide 1.174, Rev. 2, May 2011.
U.S. Nuclear Regulatory Commission, “A Proposed Risk Management Regulatory Framework,” NUREG-2150, April 2012.
U.S. Nuclear Regulatory Commission, “Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors,” NUREG-0800, Chapter 19, Section 19.0, Draft Rev. 3, November 2014.
U.S. Nuclear Regulatory Commission, “Historical Review and Observations of Defense-in-Depth,” NUREG/KM-0009, March 2016.
