defence in depth Flashcards
Defence-in-Depth:
Concept: Applied throughout the ____ and ____ of the plant
design process
operation
Defence-in-Depth:
Concept: Provide a series of levels of defence aimed at:
* preventing accidents, and
* ensuring appropriate protection in the event that prevention fails.
Defence-in-Depth:
Concept: allows:
✓allows failure to be detected and
compensated for or corrected
Defence-in-Depth:
Concept: considers
considers organizational and human
performance
The levels of defence-in-depth shall be ____ to the extent practicable and subject to
_____.
independent
overlapping provision
Assumptions Inherent in the perspective
Defence in Depth Safety Philosophy and
Approach, assumes the following:
✓Nuclear station design will have some flaws
✓Equipment will occasionally fail and
✓Operating personnel will occasionally make
mistakes
Definition of Risk
✓Chance of injury, damage or loss
✓The frequency of an undesired event
multiplied by its consequences
ultimate goal
Reactor Safety
✓The key is to ensure sufficient DiD that:
flaws,
failures and mistakes can be accommodated
without increasing the risk or consequences
of an accident.
- Allows failure to be______and _____for or _____
detected
compensated
corrected
Defence-in-Depth: Considers:
organizational and human performance
3 things that are bound to have flaws/errors
equipment will occasionally fail, operating personnel will occasionally make mistakes, nuclear station design has flaws
- Undesired events at nuclear stations could lead to the following consequences
✓Severe Core Damage
✓Large Off-Site Release
✓Public Fatalities (immediate and delayed)
- Potential consequences are
given and _____, thus
frequencies must be_____
severe
very low
Very low frequencies require
____ defence in depth
very deep
Reduces Risk
Nuclear Power Plant Risk ▪ The frequency of an undesired event
multiplied by its consequences
to minimize potential threat
a number of principles have been developed and
incorporated into the design and operation of nuclear generating stations
golden rule of reactor safety
control cool contain
discussed in elements of design
provision of multiple redundant nuclear safety provisions to protect workers, public and environment from radiological hazards of nuclear power plant operations
Cool - Heatsinks-
primary, backup, emergency
Cool - Heatsinks-primary
normal means of cooling the fuel at
power or shutdown
Cool - Heatsinks- back-up
a designated alternate to maintain
normal fuel cooling in case of certain failures in the
primary heatsink when shutdown
Cool - Heatsinks-emergency
cools the fuel to ensure fission
products are contained in the event of an accident (LOCA,
LOFW, earthquake etc.)
Three Mile Island – TMI
(PWR)
- Stuck valve.
- Operators were not trained.
- Lessons learned not captured.
Three Mile Island – TMI
(PWR): 1. Was the accident a loss of:
* Control ?
* Cool ?
* Contain ?
All the above
Three Mile Island – TMI
(PWR): 2. Was the accident caused primarily by:
* Equipment performance (design, equipment failure) ?
* Human Performance (people, process) ?
Human performance was the primary cause.
Three Mile Island – TMI
(PWR): 3. What do you notice about the attitudes, values, beliefs
of the staff at TMI ?
Operators were not trained and were out in an analyzed state of the
reactor.
Chernobyl – RBMK
- Lowering power to a state that cannot be controlled
- Design flaw
- Rush to do a test, ignoring safety
Chernobyl – RBMK: 1. Was the accident a loss of:
* Control ?
* Cool ?
* Contain ?
The Chernobyl event was primarily a loss of reactor power control
Chernobyl – RBMK: 2. What is the primary cause of the accident?
* Equipment performance (design, equipment failure) ?
* Human Performance (people, process) ?
This accident is a combination of both equipment and human performance
Chernobyl – RBMK: 3. What do you notice about the attitudes, values, beliefs of
the staff at TMI?
Chernobyl staff were over-confident, had little respect for procedures,
and had an inadequate understanding of the potential of the reactor.
Fukushima
BWR
- Earthquake
- Resulting Tsunami
triggered events
Fukushima
BWR: 1. Was the accident a loss of:
✓Control ?
✓Cool ?
✓Contain ?
The Fukushima event was a loss of cooling caused by a total loss of AC power.
Fukushima
BWR: 2. Was the accident caused primarily by:
✓Equipment performance (design, equipment failure) ?
✓Human Performance (people, process) ?
This accident was caused by a combination of both equipment and human
performance failures.
Fukushima
BWR: 3. What were the significant values?
✓Organizational values contributed to the severity of the event?
✓What is different from the Chernobyl event?
Very similar, but of course a different challenge from the tsunami.
safety culture
as a nuclear safety concept was
established after the Chernobyl accident.
Safety Culture - INSAG-4
- That assembly of characteristics and attitudes in
organizations and individuals which establishes that, as an
overriding priority, nuclear plant safety issues receive the
attention warranted by their significance.
IAEA -
International Atomic Energy Agency
INSAG -
The International Safety Advisory Group
defence in depth DOES NOT
translate precisely into a set of design rules
defence in depth is based on
the ancient military philosophy of providing multiple barriers of defence, and is used in:
- the design of nuclear facilities
- the assessment of designs
- all aspects of regulation
multiple barriers to undesirable consequences (slides 21,22)
- No one single event causes accidents or incidents
- It is almost always a link of different events
- if any of them would have been done differently , the outcome would
have been different
- Reliability is concerned with the overall operation of nuclear generating stations
overall station reliability is a function of
the reliability of
systems and equipment.
Reliability R(t) definition
probability that a device will work adequately for the period intended (the system will perform its design function for a specified mission time) under the operating conditions encountered
reliability is a probability with a numerical value ranging from
0 (totally unreliable)
1 (always operates for the time intended)
A pump judged to have a reliability of 0.99 for its first year of operation (based on historical data for this type of pump) means that for 1000 hours of operation the pump will be unavailable for no more than __ hours
10
Reliability is
concerned with
whether
an operating
component in a
process system is likely
to fail.
process system
is a system that operates
when the plant is producing power.
poised system
is sitting waiting to
operate in the event of specific events
poised systems, the
concern is
whether a
system or component
will be available when
called upon to
operate.
- Assume Valve reliability is 0.975/y
- What is the system reliability of two valves in parallel if
only valve is needed (i.e. one valve is redundant)?
Failure probability = 0.025 x 0.025 = 0.000625/y
* Reliability = 1- 0.000325 = 0.999675/y
- Assume Valve reliability is 0.975/y
- What is the system reliability of two valves in series (i.e.
neither valve is redundant)?
- Failure probability = 0.025 + 0.025 = 0.050/y (approx.)
- Reliability = 1- 0.05 = 0.95/y
- Availability, A,
is the fraction of time a
component or system is available to
perform its intended purpose
- Unavailability, Q,
is the fraction of time a
component or system is unavailable when
needed
RELATION OF A AND Q
Q + A = 1
The concept of availability is applied to
____ systems
POISED
Availability is related to reliability but is
defined as the
fraction of time that a device
is available to work if called upon to do so.
✓Availability has a value from
▪ 0 (never available) to 1 (always available)
▪ generally expressed as years per year or hours per
year
✓The value, which is more frequently
encountered, however, is ____
unavailability.
For example, if a poised system has an
unavailability target of 10^-3 years/year, this means
that it will be unavailable for no more than ____
8
hours during the year
(1 year = 8760 hours and 8/8760 is approximately 10^-3).
______ of poised system is measured by ____ periodically
unavailability
testing
lambda
system failures per year
T
test period in years
r
repair time in years (if the system is required during repairs)
Q
unavailability
Q equation
Q = (lambda)(T/2 + r)
safety systems are tested often enough to _____ ______ with design and licensing availability requirements
demonstrate compliance
Typical
Unavailability
Targets
Special Safety Systems:___
Standby Safety Support:___
0.001 year/year: (10^-3 y/y)
0.01 year/year : (10^-2 y/y)
For Special Safety Systems, another way of
saying this is that a SSS is expected to
respond sufficiently to a process failure ___ times out of ___ demands
999
times out of 1000 demands (“reliability”)
Design Methods for Improving System
Reliability/Availability
redundancy
independence
elimination of common cause effects
fail-safe
fail-safe
- failure results in
function performed
Elimination of common cause effects
- environmental qualification
- seismic qualification
- group 1 and 2 systems
- diversity
independence
- channelization
✓safety system trip channels
✓odd and even power - different supplies (e.g. fuel tanks, suction supply, etc.)
High reliability and availability can be
achieved by attention to a number of reliability
principles during design and operation of
a station. They are:
✓Redundancy
✓Independence
✓Diversity
✓Periodic testing
✓Fail-safe operation
✓Single-failure criterion
✓Operational Surveillance
✓Preventative maintenance and
✓Predictive maintenance
redundancy
- more than one way
to do a job
Redundancy:
✓ If only one component exists to perform a certain function, when it fails, the system fails.
Redundancy: how to improve
✓ This problem can be reduced by installing additional components, so that if one fails, there is another to do the
job.
✓ In other words, higher reliability can be attained by providing a backup (or redundant) component.
Redundancy is provided primarily to
ensure reliable operation, not to
allow more convenient maintenance.
in Nuclear Plant Design - Redundancy is the provision of
components or capacity in excess of 100% of system
requirements, such that failures of excess components or capacity do not disable the system function.
✓ e.g. two 100% capacity pumps placed in parallel
✓ Redundant equipment must be _____ and ____ from external common cause failures.
independent
protected
t or f Redundancy does not by itself protect against system failures
t
Result of Taking redundant equipment out of service for maintenance
will lower the reliability of the system.
✓ Balance of Plant Systems
▪ SST and UST
▪ Digital Computer
o DCCX AND DCCY
✓ Space shuttle program
▪ The computer control system in each shuttle contains more than one computer.
▪ Redundancy is provided by running the same software control program on more than one
computer. If one computer fails, another is immediately available to assume control.
“Redundant” means
“Redundant” means having a second source of power or piece of
equipment that acts as a backup in case the first fails to operate properly.
Single failures are an aspect of the defence-in-depth design
mentality
No single failure can result in unacceptable consequences
✓Single Failure Criterion is a requirement that a system which is designed to carry out
a defined safety function must be capable
of carrying out its mission in spite of the
failure of any single component within the system or in an associated system which
supports its operation
✓Prevention of Consequences for Single failures
▪ Redundancy, Diversity, Separation, Fail-Safe Design and Safety Margin (ALARA)
▪ Example, Emergency Core Cooling System.
o Its electrical power system can be performed by an “Electrical isolation”
achieved “by the use of separation distance, isolation devices, shielding and
wiring techniques, or combinations thereof.”
All safety groups shall function in the presence of a______
single failure.
The single-failure criterion requires that each safety group can perform all
safety functions required for a PIE in the presence of any single component
failure, as well as:
▪ all failures caused by that single failure
▪ all identifiable but non-detectable failures, including those in the nontested components
▪ all failures and spurious system actions that cause (or are caused by) the
PIE
Common
Mode/Cause
Failures
- A concurrent failure of two or more structures, systems or components due to a single specific event or cause, such as natural phenomena, design deficiency, manufacturing flaws, operation and maintenance errors, and human-induced destructive events.
- Design Methods to Counter Common
Mode/Cause
Failures
✓Independence
✓Odd/Even equipment
✓Diversity
✓Separation
✓Channelization
Electrical power supplies are designated as
odd or
even
✓odd and even supplies are____
which is an example of ___
independent
channelization
Typically, half the equipment providing a function
is supplied by an __
even source, and half by an odd
source, so that the effect of one power supply
failure is limited to either odd or even equipment
Odd and
Even
Equipment
✓This eliminates some power failures as a
common mode failure for odd and even
equipment.
✓If the odd and even equipment provides at
least 100% redundancy, then system failure is
prevented for these power failures (e.g. SDC
pumps)
Reliability principles - Independence
- physical separation of systems or components so that a fault
in one system will not affect the others.
how is independence achieved
having no shared components or
common services (functional separation), and by physical separation.
reliability principles - Independence- in CANDU
In CANDU use of two independent shutdown systems SDS1
and SDS2
➢ Two systems are independent if the failure of one, or the failure of
any system or structure necessary to support it, cannot cause the
other to fail.
➢ SDS1: on failure of power it still works, since it uses rods
➢ SDS2: actuation by helium gas injection of poison
SDS1 and SDS2 - Independence
SDS 1 and 2 have no shared
components or services, such as
electrical power, and components
are physically separated North and
South of the reactor
reliability principles - Diversity
is variety in design, manufacture, operation and maintenance of redundant
components or systems for the purpose of reducing unavailability due to common
cause effects, such as design or manufacturing flaws, unforeseen failure modes,
and Operating and Maintenance (O&M) errors.
✓Diversity is an attempt to
ensure that there is more than one way of doing a job.
how to reduce the possibility of common-cause failure.
✓The presence of two or more redundant systems or components to perform an
identified function, where the different systems or components have different
attributes
- Diversity avoids
Common Cause Failure
how does diversity avoid Common Cause Failure
✓Using the space shuttle, diversity is provided by running entirely different software
control programs on different computers to achieve the same purpose.
✓The software is even created by a different design team. This ensures that a bug in
one piece of software is not duplicated in the other so that one mistake cannot
disable more than one computer (common cause failures)
Reliability principles - Diversity in CANDU
- In CANDU use of two diverse shutdown systems SDS1 and SDS2
✓ SDS1 achieves emergency shutdown by dropping shutoff rods into core under gravity, whereas SDS2 injects
liquid absorber under pressure.
✓ SDS1 and SDS2 components, and SGs and EPGs, are from different manufacturers
- Balance of Plant Systems
✓ Four Classes of Power
✓ Digital Computers DCCX and DCCY
Reliability principles - Fail-Safe Operation
A system or component is called fail-safe if after failing it
leaves the remainder of the system in a safer state.
✓Failure does not contribute to system unavailability.
✓Failures are not eliminated, but the failures are
safe:
Reliability principles - Fail-Safe Operation: examples
Train locomotives are equipped with a deadman brake
✓It must be depressed by the engineer to allow the
locomotive to move.
✓If the engineer falls over dead, his foot will come off
the brake and the locomotive will come to a halt
Reliability principles - Fail-Safe Operation: examples CANDU
- SDS1; Power failure releases the rods into the core
✓ Rods are energized during operation
Reliability principles- Separation
Cables routed in different cable trays
* Separate rooms for odd and even Class III switchgear
* Separate control areas. (MCR, SCAs - secondary control areas)
Failure of a poised system,
is not readily
apparent and can only be determined by testing.
Unavailability can be kept low by ________
more frequent testing.
Since it is not possible to determine at what point the failure
occurred,______
unavailability is considered to be half the time since the
system was last tested (plus however long it takes to make the
repairs).
Reliability principles – Periodic Testing: The frequency of testing must, however, be balanced against:
▪ Wear and tear on the system and components caused by
testing,
▪ Unavailability due to removing components from service for
the duration of the test
▪ The risk (by human error) of leaving the system in a degraded
state after a test, and
▪ The danger of activating the system during the testing process.
Reliability principles – Operational Surveillance
Process of continual monitoring and trending of process parameters
and equipment with the intent of spotting potential problems before
they become real problems
✓Thus, corrective action can be taken before a major problem occurs
Operational surveillance- Example
✓An example is vibration monitoring of rotating equipment. If unusual
vibrations are detected, the equipment can be stopped and repaired
before the vibration causes serious damage.
Reliability data on different types of equipment offers_______
a means of estimating
when failures are likely to occur.
By planning replacement or maintenance before any appreciable
deterioration occurs that can contribute to the predicted failure, it is possible
to
reduce the number of unscheduled outages and consequent loss of
production.
appearance of throwing away good equipment, but____
the reliability statistics indicate that the equipment is likely to fail shortly and
probably inconveniently (remember Murphy’s Law).
- The best form of preventive maintenance is
predictive
maintenance
Predictive Maintenance
- Based on equipment condition.
- Maintenance or replacement is only done when diagnostic test results
(such as vibration monitoring) indicate equipment degradation.
Multiple Physical Barriers
- Multiple fission product barriers
- Multiple radioactivity barriers
- The multiple barrier approach that
has been built into station design:
✓is intended to ___
prevent or impede
the release of radioactivity from
the fuel to the public
There are _____ passive radioactivity
barriers continuously available
five
five passive radioactivity
barriers continuously available
- The uranium fuel is molded into ceramic fuel pellets which have a high melting point and lock in most of the fission products
- The fuel sheath, which is made of high integrity welded metal (zircaloy) and contains the ceramic fuel
- The heat transport system, which is constructed of high strength pressure tubes, piping and vessels and contains the fuel bundles
- The containment system, which provides a relatively leak tight envelope maintained slightly below atmospheric pressure (except CANDU-6). This partial vacuum encourages air to leak in instead of out, thereby helping to prevent release of radioactivity that escapes from the heat transport system, and
- The exclusion zone of at least one kilometre radius around the reactor, which ensures any radioactive releases from the station are well diluted by the time they reach the boundary
Process systems
are those systems
performing a continuous function in the
normal operation of the plant.
Process systems EXAMPLE
✓For example, the primary heat transport
system is a process system that is continuously
active in the removal of heat from the fuel
✓The reactor regulating system is a process
system that is continuously active in the
normal control of reactor power.
- Reliable process systems ensure that:
✓heat is produced and electricity generated
✓while maintaining control, cooling and
containing.
Safety systems are poised systems that
operate only to compensate for the failure of
process systems
Reliable
Safety
Systems
They can do this by shutting down the reactor to
regain control (shutdown systems),
✓by providing additional cooling to the fuel (emergency
coolant injection system), and
✓by containing radioactivity, which has escaped from
the fuel (containment system).
Reliable
Safety
Systems: Reliability in this context means that in the
rare event these systems are called upon to
act, they will
be available to perform their
intended function.
The safety systems are designed to operate
automatically and the five passive barriers
are always in place, but the DiD concept
does not allow reliance on equipment and
systems to prevent accidents.
✓It is important that operating and maintenance
staff are
knowledgeable about system
conditions, alert for any evidence that systems
or equipment may be on the verge of failure,
and act promptly to prevent or minimize the
consequences of such failures.
Competent
Operating and
Maintenance
Staff
✓To achieve a high level of competence, the
qualification criteria for each job family are
clearly defined.
✓Considerable effort goes into performance-based training of staff to meet those criteria and
maintain their qualification.
Adequate detection and correction of failures requires
not just competent staff but also processes and
procedures for the staff to carry out in a systematic
fashion.
Detect and
Correct
Failures Example
✓For example, a routine testing program for safety
systems helps meet the availability targets
✓_______________program in conjunction
with a planned _____________
helps to ensure that equipment and systems are
monitored, inspected and repaired before they fail.
An operational surveillance
preventive maintenance program
_____________ exist, allowing the
quick reporting, prioritizing and repair of
deficiencies.
✓Elaborate work control processes
✓Failures, when they do occur, are __________ through a
rigorous change approval process.
are thoroughly
investigated and solutions applied
- Section 6.1 Application of defence in depth
✓The design of an NPP shall incorporate defence in depth. The
levels of defence in depth shall be independent to the extent
practicable.
✓Defence in depth shall be achieved at the design phase through
the application of design provisions specific to the five levels of
defence.
REGDOC 2.5.2; How many levels of defence
5
REGDOC 2.5.2- Level 1
shall include conservative design and high-quality construction to provide confidence that plant failures and
deviations from normal operations are minimized and accidents are prevented. This shall entail careful attention to selection of
appropriate design codes and materials, design procedures, equipment qualification, control of component fabrication and
plant construction, and use of operational experience
REGDOC 2.5.2- Level 2
shall be achieved by controlling plant behaviour during and following a postulated initiating event (PIE) using both
inherent and engineered design features to minimize or exclude uncontrolled transients to the extent possible
REGDOC 2.5.2- Level 3
- shall include the provision of inherent safety features, fail-safe design, engineered design features, and
procedures that minimize the consequences of DBAs. These provisions shall be capable of leading the plant first to a controlled
state, and then to a safe shutdown state, and maintaining at least one barrier for the confinement of radioactive material.
Automatic activation of the engineered design features shall minimize the need for operator actions in the early phase of a
DBA.
REGDOC 2.5.2- Level 4
- shall be achieved by providing equipment and procedures to manage accidents and mitigate their consequences
as far as practicable. Most importantly, adequate protection shall be provided for the confinement function by way of a robust
containment design. This includes the use of complementary design features to prevent accident progression and to mitigate
the consequences of DECs. The confinement function shall be further protected by severe accident management procedures
REGDOC 2.5.2- Level 5
The design shall provide adequately equipped emergency support facilities, and plans for onsite and offsite
emergency response
Canadian Approach -Defence in Depth
DiD levels match (approximately) to plant states:
- Normal operation (NO)
- Anticipated Operational Occurrences (AOO)
- Design Basis Accidents (DBA)
- Design Extension Conditions (DEC)
- Events more severe than DEC
slide 63
Defence-in-Depth Framework; Level 1 and implementation
- To prevent deviations from normal operation, and to prevent
failures of structures, systems and components important to
safety
- Conservative design
- High-quality construction (e.g., appropriate design codes and materials,
design procedures, equipment qualification, control of component
fabrication and plant construction, operational experience) (NO)
Defence-in-Depth Framework; Level 2 and implementation
- To detect and intercept deviations from normal operation, to
prevent anticipated operational occurrences from escalating
to accident conditions and to return the plant to a state of
normal operation.
- Inherent and engineered design features to minimize or exclude
uncontrolled transients to the extent possible
(AOOs)
Defence-in-Depth Framework; Level 3 and implementation
- To minimize the consequences of accidents, and prevent
escalation to beyond-design-basis accidents
- Inherent safety features
- Fail-safe design
- Engineered design features, and procedures that minimize consequences
of DBAs (DBA)
Defence-in-Depth Framework; Level 4 and implementation
- To ensure that radioactive releases caused by severe
accidents or design-extension conditions are kept as low as
practicable.
- Equipment and procedures to manage accidents and mitigate their consequences as far as practicable
- Robust containment design
- Complementary design features to prevent accident progression and to mitigate the consequences of design-extension conditions
- Severe accident management procedures (DEC)
Defence-in-Depth Framework; Level 5 and implementation
To mitigate the radiological consequences of potential
releases of radioactive materials that may result from
accident conditions.
- Emergency support facilities
* Onsite and offsite emergency response plan (Beyond DEC)
Canada (CNSC) follows IAEA SSR-2/1 requirements for design
- 5 levels of Defence in Depth
✓Independent to the extent practicable
- Plant States which correspond (roughly) to levels
- Plant equipment for use at each level (not a perfect match)
- Safety assessment demonstrates that design meets safety objectives
Relevant Canadian / regulatory documents
- REGDOC-2.5.2, Design of Reactor Facilities, Nuclear Power Plants
- REGDOC-2.4.1, Deterministic Safety Analysis
- REGDOC-2.4.2, Probabilistic Safety Analysis (PSA) for Nuclear Power Plants
- CSA Standard N290.16, Requirements for beyond design basis accidents
Plant States Considered in the Design:
* Canada (CNSC) follows SSR-2/1 for plant states considered in design
✓Normal Operation - 1
✓Anticipated Operational Occurrences 1 > f > 10^-2
✓Design Basis Accidents 10^-2 > f > 10^-5
✓Design Extension Conditions 10^-5 > f > Practically Eliminated
Events leading to a large radioactive release or an early radioactive
release must be ___
practically eliminated.
- Frequency is not only consideration for____
practical elimination hence no
frequency cut-off is defined.
✓Scenarios more severe than DEC
- The approach to safety analysis is compatible with SSG-2 Rev 1, Deterministic Safety Analysis for Nuclear Power Plants
* Section 7 describes the requirements for each plant state
* IAEA Document
Safety Analysis:* CNSC uses REGDOC-2.4.1, Deterministic Safety Analysis
Design Considerations in DiD
Design and Analysis Rules
- Design and analysis rules for NO, AOO, DBA are well established
✓Provide high confidence that events up to DBA will not require offsite
- Design rules for Design Extension Conditions (DEC) allow more judgement and
the objective is __
“reasonable confidence” that equipment will function as
intended in the accident environment, e.g.
✓best-estimate safety analysis, not conservative
✓survivability assessment, not full EQ
✓reasonable estimates of operator action times, not “30 minute rule”
✓no application of Single Failure Criterion
Safety objectives and safety goals are met through
implementation of the
defence-in-depth framework
✓results in a strong safety case
- Elements of the defence-in-depth framework are found in the CNSC’s
regulations and regulatory documents, and in national and international
standards
- General nuclear safety objective:
✓ Design and operate nuclear power plants (NPPs) in a manner that will protect individuals, society and the
environment from harm.
✓ This objective relies on the establishment and maintenance of effective defences against radiological hazards in NPPs.
- Technical safety objective
✓ Provide all reasonably practicable measures to prevent accidents in the NPP, and mitigate the consequences of
accidents if they do occur.
✓ This takes into account all possible accidents considered in the design, including those of very low probability. Any
radiological consequences will be below prescribed limits, and the likelihood of accidents with serious radiological
consequences will be extremely low
Qualitative Safety Objectives for New Nuclear Power Plants* A limit is placed on the societal risks posed by NPP operation
✓ Individual members of the public shall be provided a level of protection from the consequences of NPP operation, such that there is no significant additional risk to the life and health of individuals.
✓ Societal risks to life and health from NPP operation shall be comparable to or less than the risks of generating electricity by
viable competing technologies, and shall not significantly add to other societal risks.
Qualitative Safety Objectives for New Nuclear Power Plants* plant states that could lead to significant radioactive releases are practically eliminated.
✓ For plant states that are not practically eliminated, only protective measures that are of limited scope in terms of area and
time shall be necessary for protection of the public, and sufficient time shall be made available to implement these measures
Quantitative Safety Goals for New Nuclear
Power Plants (1);Core damage frequency
- The sum of frequencies of all event sequences that can lead to significant core degradation shall be less than
10^-5 per reactor year.
Quantitative Safety Goals for New Nuclear
Power Plants (1);Small release frequency
- The sum of frequencies of all event sequences that can lead to a release to the environment of more than
10^15 becquerels of iodine-131 shall be less than 10^-5 per reactor year.
- A greater release may require temporary evacuation of the local population.
Quantitative Safety Goals for New Nuclear
Power Plants (1); Large release frequency
The sum of frequencies of all event sequences that can lead to a release to the environment of more than
10^14 becquerels of cesium-137 shall be less than 10^-6 per reactor year. A greater release may require long
term relocation of the local population.
Canadian Nuclear Power Plants
- Defence in depth
- Large inventory of water
- Many hours of passive cooling
- In-ground spent fuel pools
In-ground spent fuel pools
✓ Seismically qualified
✓ Diverse means of adding water
Many hours of passive cooling
✓ Extended recovery time
Large inventory of water
✓ Primary/secondary coolant
✓ Moderator coolant
Defence in depth
✓ Reliable safety system
✓ Independence of process, control and safety systems
✓ Multiple barriers
CANDU Design Overview Based on the CANDU-6 Design: Emergency water supply (simplified)
CANDU Design Overview: Passive Heat Removal
Fukushima BWR: Lessons Learned
✓ All accidents preventable
✓ Organizational safety culture in place
✓ Design enhancements from lessons learned
Lessons Learned and Design Enhancements (DiD): The 2011 Nuclear Power Plant Accident in Fukushima
✓ Nuclear safety issues
✓ Raised many questions
✓ Provided opportunities
* Fukushima accident
✓ External event can act as a common mode initiator
✓ Failure of the safety provisions in several levels of DiD
Review of DiD in CANDUs - Post Fukushima
- DiD remains valid
- OFI (opportunity for improvement)
▪ Implementation of DiD needs further work: external hazards
▪ Additional guidance: harmonisation
▪ Improvements focus: preventing accidents is key but consider mitigation
Post-Fukushima Enhancements to Defence in Depth (1): general conclusion
✓ Canadian nuclear power plants are safe
✓ Risk posed to the health and safety of Canadians or to the environment is small.
✓ Recommended improvements will further reduce the risk to as low as reasonably practicable.
Post-Fukushima Enhancements to Defence in Depth (1): general recommendations
✓ Strengthening defence in depth
▪ external events and beyond design basis accidents
▪ design and safety analysis
▪ severe accident management
✓ Enhancing emergency preparedness
▪ onsite and offsite emergency response
✓ 5 Levels of DiD
▪ adequate
▪ opportunity for improvement
✓ Improving regulatory framework and processes
▪ Regulatory framework
▪ Industry and operator oversight procedures
✓ International collaboration
▪ CANDU countries
▪ Other NPP regulators
Post-Fukushima Enhancements to Defence in Depth (3): Level 3
- Level 3: Protecting spent fuel pools
✓ Makeup water capability and instrumentation
Post-Fukushima Enhancements to Defence in Depth (3): Level 4
- Level 4: Preventing and mitigating severe accidents
✓ Protecting fuel
▪ Makeup water capability to steam generators / primary heat transport system / emergency core coolant / dousing spray
✓ Preventing severe core damage
▪ Makeup water capability to moderator system and calandria vessel/vault
✓ Protecting containment
▪ Passive recombiners and containment venting
▪ Severe accident management guidelines validation/exercise
Post-Fukushima Enhancements to Defence in Depth (3): Level 5
- Level 5: Protecting the public
▪ Containment filtered venting
▪ Integrated emergency plans and full-scale emergency exercises
Reactor Defence in Depth Protect Fuel (1): * Analyses and reassessments
✓ Site-specific magnitudes of external events
▪ high winds, seismic, tsunami / storm surges, flooding
✓ Station blackout event on spent fuel bundles inside fueling machine
✓ Multi-unit events
Reactor Defence in Depth Protect Fuel (1): * Design improvements
✓ Emergency mitigating equipment
▪ mobile equipment
✓ Water makeup connections to
▪ steam generators
▪ heat transport system
✓ Provision for main steam safety valves after station blackout
✓ Upgrades of power systems
▪ load shedding to extend battery availability
▪ power supply for key instrumentation
✓ Protection against flooding (barriers, water-tight doors, sealing penetrations)
Reactor Defence-in-Depth Prevent Severe Core Damage: * Analyses and reassessments
✓ Modelling for multi-unit plant events
✓ Reassessment of control room habitability during emergencies
✓ Instrumentation qualification for severe accident
Reactor Defence-in-Depth Prevent Severe Core Damage: * Design improvements
✓ Water makeup connections to
▪ calandria vessel
▪ calandria vault
▪ relief capability of calandria/vault
✓ Instrumentation upgrades
Reactor Defence in Depth Protect Containment: * Analyses and reassessments
✓ Enhancement of filtered containment venting system
✓ Severe accident management guidelines (SAMGs)
✓ Instrumentation for SA conditions monitoring (qualify existing or new)
✓ Control facilities' habitability during SA
✓ Improved modelling of SAs for multi-unit plants
Reactor Defence in Depth Protect Containment: * Design improvements
✓ Filtered containment venting
✓ Passive autocatalytic recombiners (PARS)
Reactor Defence in Depth Protect Spent Fuel Pools: * Analyses and reassessments
✓ Structural integrity check for temperatures
Reactor Defence in Depth Protect Spent Fuel Pools: * Design improvements
✓ Instrumentation for pool parameters
✓ Piping and connections for extra heat sinks
✓ Procedure in event of loss of heat sinks (pool water)
Enhancing Emergency Preparedness (Onsite) Implemented Safety Enhancements: * Onsite emergency preparedness
✓ Incorporating SA management into emergency plans
Enhancing Emergency Preparedness (Onsite) Implemented Safety Enhancements: * Backup power and telecommunications
✓ Implementation of backup power to emergency facilities and telecommunications equipment
✓ Formalized mutual aid agreement for external support
▪ Regional Emergency Response Support Centre
Enhancing Emergency Preparedness (Onsite) Implemented Safety Enhancements: * Station boundary monitoring and dose modelling
✓ Installation of automated real-time boundary radiation monitoring
✓ Development of source term estimation capability
Enhancing Emergency Preparedness (Offsite): * Integration of Federal and Provincial Nuclear Emergency Plans
✓ National-level oversight process for offsite nuclear emergency programs
✓ Review planning basis of offsite arrangements
▪ developing capability for predicting offsite effects: needs for sheltering and evacuation
▪ simple instructions to public in case of nuclear emergency
✓ Monitor performance of full-scale emergency drills involving multi-levels: federal/provincial/municipal
Improvements to Regulatory Framework and Processes
* Amendments to REGDOCS
✓ Class I Nuclear Facilities Regulations
✓ Radiation Protection Regulations
* Developing new regulatory documents
✓ Design of reactor facilities
✓ Periodic safety review process
✓ Accident management and nuclear emergency preparedness
* Implementing new licence conditions
✓ Accident management
✓ Public information program
DiD Worldwide and In Canada Post Fukushima
- IAEA Safety Standards and Guides
✓ Re-evaluated and improved
- Canada (CANDU Reactors)
✓ Alignment based on IAEA Safety Standards and Guides
✓ Well informed by the Defence in Depth concept
- Improvement and retrofits to the CANDU design