defence in depth Flashcards

Question

Three Mile Island – TMI (PWR):2. Was the accident caused primarily by:* Equipment performance (design, equipment failure) ? * Human Performance (people, process) ?

Answer 1

Human performance was the primary cause.

Answer 2

Operators were not trained and were out in an analyzed state of the reactor.

Answer 3

1. Lowering power to a state that cannot be controlled 2. Design flaw 3. Rush to do a test ignoring safety

Answer 4

The Chernobyl event was primarily a loss of reactor power control

Answer 5

This accident is a combination of both equipment and human performance

Answer 6

chernobyl staff were over-confident, had little respect for procedures, inadequate understanding of the potential of the reactor,

Answer 7

1. Earthquake 2. Resulting Tsunami triggered events

Answer 8

Fukushima event of loss of cooling caused by a total loss of AC power.

Answer 9

This accident caused by a combination of both equipment and human performance failures

Answer 10

Very similar but of cause different challenge from the tsunami

Answer 11

as a nuclear safety concept was established after the Chernobyl accident.

Answer 12

* That assembly of characteristics and attitudes in organizations and individuals which establishes that, as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance.

Answer 13

International Atomic Energy Agency

Answer 14

The International Safety Advisory Group

Answer 15

translate precisely into a set of design rules

Answer 16

ancient military philosophy of providing multiple barriers of defence and is used in the design of nuclear facilities the assessment of designs all aspects of regulation

Answer 17

* No one single event causes accidents or incidents * It is almost always a link of different events * if any of them would have been done differently , the outcome would have been different

Answer 18

with the overall operation of nuclear generating stations

Answer 19

the reliability of systems and equipment.

Answer 20

probability that a device will work adequately for the period intended (system will perform its design function for specifies mission time) under the operating conditions encountered

Answer 21

0 (totally unreliable) 1 (always operates for the time intended)

Answer 22

an operating component in a process system is likely to fail.

Answer 23

is a system that operates when the plant is producing power.

Answer 24

is sitting waiting to operate in the event of specific events

Answer 25

whether a system or component will be available when called upon to operate.

Answer 26

Failure probability = 0.025 x 0.025 = 0.000625/y * Reliability = 1- 0.000325 = 0.999675/y

Answer 27

* Failure probability = 0.025 + 0.025 = 0.050/y (approx.) * Reliability = 1- 0.05 = 0.95/y

Answer 28

is the fraction of time a component or system is available to perform its intended purpose

Answer 29

is the fraction of time a component or system is unavailable when needed

Answer 30

fraction of time that a device is available to work if called upon to do so.

Answer 31

▪ 0 (never available) to 1 (always available) ▪ generally expressed as years per year or hours per year

Answer 32

unavailability.

Answer 33

8 hours during the year (1 year = 8760 hours and 8/8760 is approximately 10-3 ).

Answer 34

unavailability testing

Answer 35

systems failures per yeat

Answer 36

test period in years

Answer 37

repair time in years (if system is required during repairs)

Answer 38

unavailability

Answer 39

Q=(lamda)(T/2 + r)

Answer 40

demonstrate compliance

Answer 41

0.001 year/year: (10^-3 y/y) 0.01 year/year : (10^-2 y/y)

Answer 42

999 times out of 1000 demands (“reliability”)

Answer 43

redundancy independence elimination of common cause effects fail-safe

Answer 44

* failure results in function performed

Answer 45

* environmental qualification * seismic qualification * group 1 and 2 systems * diversity

Answer 46

* channelization ✓safety system trip channels ✓odd and even power * different supplies (e.g. fuel tanks, suction supply, etc.)

Answer 47

✓Redundancy ✓Independence ✓Diversity ✓Periodic testing ✓Fail-safe operation ✓Single-failure criterion ✓Operational Surveillance ✓Preventative maintenance and ✓Predictive maintenance

Answer 48

* more than one way to do a job

Answer 49

✓ If only one component exists to perform a certain function, when it fails, the system fails.

Answer 50

✓ This problem can be reduced by installing additional components, so that if one fails, there is another to do the job. ✓ In other words, higher reliability can be attained by providing a backup (or redundant) component.

Answer 51

to ensure reliable operation, not to allow more convenient maintenance.

Answer 52

components or capacity in excess of 100% of system requirements, such that failures of excess components or capacity do not disable the system function. ✓ e.g. two 100% capacity pumps placed in parallel

Answer 53

independent protected

Answer 54

will lower the reliability of the system.

Answer 55

▪ SST and UST ▪ Digital Computer o DCCX AND DCCY

Answer 56

▪ The computer control system in each shuttle contains more than one computer. ▪ Redundancy is provided by running the same software control program on more than one computer. If one computer fails, another is immediately available to assume control.

Answer 57

“Redundant” means having a second source of power or piece of equipment that acts as a backup in case the first fails to operate properly.

Answer 58

No single failure can result in unacceptable consequences

Answer 59

of carrying out its mission in spite of the failure of any single component within the system or in an associated system which supports its operation

Answer 60

▪ Redundancy, Diversity, Separation, Fail-Safe Design and Safety Margin (ALARA) ▪ Example, Emergency Core Cooling System. o Its electrical power system can be performed by an “Electrical isolation” achieved “by the use of separation distance, isolation devices, shielding and wiring techniques, or combinations thereof.”

Answer 61

single failure.

Answer 62

▪ all failures caused by that single failure ▪ all identifiable but non-detectable failures, including those in the nontested components ▪ all failures and spurious system actions that cause (or are caused by) the PIE

Answer 63

* A concurrent failure of two or more structures, systems or components due to a single specific event or cause, such as natural phenomena design deficiency, manufacturing flaws, operation and maintenance errors, and human-induced destructive events.

Answer 64

✓Independence ✓Odd/Even equipment ✓Diversity ✓Separation ✓Channelization

Answer 65

odd or even

Answer 66

independent channelization

Answer 67

even source, and half by an odd source, so that the effect of one power supply failure is limited to either odd or even equipment

Answer 68

✓This eliminates some power failures as a common mode failure for odd and even equipment. ✓If the odd and even equipment provides at least 100% redundancy, then system failure is prevented for these power failures (e.g. SDC pumps)

Answer 69

* physical separation of systems or components so that a fault in one system will not affect the others.

Answer 70

having no shared components or common services (functional separation), and by physical separation.

Answer 71

In CANDU use of two independent shutdown systems SDS1 and SDS2 ➢ Two systems are independent if the failure of one, or the failure of any system or structure necessary to support it, cannot cause the other to fail. ➢ SDS1 failure of power it works as rods ➢ SDS2 actuation of helium gas injection of poison

Answer 72

SDS 1 and 2 have no shared components or services, such as electrical power, and components are physically separated North and South of the reactor

Answer 73

is variety in design, manufacture, operation and maintenance of redundant components or systems for the purpose of reducing unavailability due to common cause effects, such as design or manufacturing flaws, unforeseen failure modes, and Operating and Maintenance (O&M) errors.

Answer 74

ensure that there is more than one way of doing a job.

Answer 75

✓The presence of two or more redundant systems or components to perform an identified function, where the different systems or components have different attributes

Answer 76

Common Cause Failure

Answer 77

✓Using the space shuttle, diversity is provided by running entirely different software control programs on different computers to achieve the same purpose. ✓The software is even created by a different design team. This ensures that a bug in one piece of software is not duplicated in the other so that one mistake cannot disable more than one computer (common cause failures)

Answer 78

* In CANDU use of two diverse shutdown systems SDS1 and SDS2 ✓ SDS1 achieves emergency shutdown by dropping shutoff rods into core under gravity, whereas SDS2 injects liquid absorber under pressure. ✓ SDS1 and SDS2 components, and SGs and EPGs are from different manufacturers * Balance of Plant Systems ✓ Four Classes of Power ✓ Digital Computers DCCX and DCCY

Answer 79

A system or component is called fail-safe if after failing it leaves the remainder of the system in a safer state. ✓Failure does not contribute to system unavailability. ✓Failures are not eliminated, but the failures are safe:

Answer 80

✓It must be depressed by the engineer to allow the locomotive to move. ✓If the engineer falls over dead, his foot will come off the brake and the locomotive will come to a halt

Answer 81

* SDS1; Power failure releases the rods into the core ✓ Rods are energized during operation

Answer 82

Cables routed in different cable trays * Separate rooms for odd and even Class III switchgear * Separate control areas. (MCR, SCAs - secondary control areas)

Answer 83

is not readily apparent and can only be determined by testing.

Answer 84

more frequent testing.

Answer 85

unavailability is considered to be half the time since the system was last tested (plus however long it takes to make the repairs).

Answer 86

▪ Wear and tear on the system and components caused by testing, ▪ Unavailability due to removing components from service for the duration of the test ▪ The risk (by human error) of leaving the system in a degraded state after a test, and ▪ The danger of activating the system during the testing process.

Answer 87

Process of continual monitoring and trending of process parameters and equipment with the intent of spotting potential problems before they become real problems ✓Thus, corrective action can be taken before a major problem occurs

Answer 88

✓An example is vibration monitoring of rotating equipment. If unusual vibrations are detected, the equipment can be stopped and repaired before the vibration causes serious damage.

Answer 89

a means of estimating when failures are likely to occur.

Answer 90

reduce the number of unscheduled outages and consequent loss of production.

Answer 91

the reliability statistics indicate that the equipment is likely to fail shortly and probably inconveniently (remember Murphy’s Law).

Answer 92

predictive maintenance

Answer 93

* Based on equipment condition. * Maintenance or replacement is only done when diagnostic test results (such as vibration monitoring) indicate equipment degradation.

Answer 94

* Multiple fission product barriers * Multiple radioactivity barriers

Answer 95

prevent or impede the release of radioactivity from the fuel to the public

Answer 96

1. The uranium fuel is molded into ceramic fuel pellets which have a high melting point and lock in most of the fission products 2. The fuel sheath which is made of high integrity welded metal (zircaloy) and contains the ceramic fuel 3. The heat transport system which is constructed of high strength pressure tubes, piping and vessels and contains the fuel bundles 4. The containment system which provides a relatively leak tight envelope maintained slightly below atmospheric pressure (Except CANDU-6). This partial vacuum encourages air to leak in instead of out thereby helping to prevent release of radioactivity that escapes from the heat transport system, and 5. The exclusion zone of at least one kilometre radius around the reactor that ensures any radioactive releases from the station are well diluted by the time they reach the boundary

Answer 97

are those systems performing a continuous function in the normal operation of the plant.

Answer 98

✓For example, the primary heat transport system is a process system that is continuously active in the removal of heat from the fuel ✓The reactor regulating system is a process system that is continuously active in the normal control of reactor power.

Answer 99

✓heat is produced and electricity generated ✓while maintaining control, cooling and containing.

Answer 100

operate only to compensate for the failure of process systems

Answer 101

✓by providing additional cooling to the fuel (emergency coolant injection system), and ✓by containing radioactivity, which has escaped from the fuel (containment system).

Answer 102

be available to perform their intended function.

Answer 103

does not allow reliance on equipment and systems to prevent accidents.

Answer 104

knowledgeable about system conditions, alert for any evidence that systems or equipment may be on the verge of failure, and act promptly to prevent or minimize the consequences of such failures.

Answer 105

✓To achieve a high level of competence, the qualification criteria for each job family are clearly defined. ✓Considerable effort goes into performancebased training of staff to meet those criteria and maintain their qualification.

Answer 106

not just competent staff but also processes and procedures for the staff to carry out in a systematic fashion.

Answer 107

✓For example, a routine testing program for safety systems helps meet the availability targets

Answer 108

An operational surveillance preventive maintenance program

Answer 109

✓Elaborate work control processes

Answer 110

are thoroughly investigated and solutions applied

Answer 111

✓The design of an NPP shall incorporate defence in depth. The levels of defence in depth shall be independent to the extent practicable. ✓Defence in depth shall be achieved at the design phase through the application of design provisions specific to the five levels of defence.

Answer 112

shall include conservative design and high-quality construction to provide confidence that plant failures and deviations from normal operations are minimized and accidents are prevented. This shall entail careful attention to selection of appropriate design codes and materials, design procedures, equipment qualification, control of component fabrication and plant construction, and use of operational experience

Answer 113

shall be achieved by controlling plant behaviour during and following a postulated initiating event (PIE) using both inherent and engineered design features to minimize or exclude uncontrolled transients to the extent possible

Answer 114

- shall include the provision of inherent safety features, fail-safe design, engineered design features, and procedures that minimize the consequences of DBAs. These provisions shall be capable of leading the plant first to a controlled state, and then to a safe shutdown state, and maintaining at least one barrier for the confinement of radioactive material. Automatic activation of the engineered design features shall minimize the need for operator actions in the early phase of a DBA.

Answer 115

- shall be achieved by providing equipment and procedures to manage accidents and mitigate their consequences as far as practicable. Most importantly, adequate protection shall be provided for the confinement function by way of a robust containment design. This includes the use of complementary design features to prevent accident progression and to mitigate the consequences of DECs. The confinement function shall be further protected by severe accident management procedures

Answer 116

The design shall provide adequately equipped emergency support facilities, and plans for onsite and offsite emergency response

Answer 117

1. Normal operation (NO) 2. Anticipated Operational Occurrences (AOO) 3. Design Basis Accidents (DBA) 4. Design Extension Conditions (DEC) 5. Events more severe than DEC

Answer 118

1. To prevent deviations from normal operation, and to prevent failures of structures, systems and components important to safety * Conservative design * High-quality construction (e.g., appropriate design codes and materials, design procedures, equipment qualification, control of component fabrication and plant construction, operational experience) (NO)

Answer 119

2. To detect and intercept deviations from normal operation, to prevent anticipated operational occurrences from escalating to accident conditions and to return the plant to a state of normal operation. * Inherent and engineered design features to minimize or exclude uncontrolled transients to the extent possible (AAOs)

Answer 120

3. To minimize the consequences of accidents, and prevent escalation to beyond-design-basis accidents * Inherent safety features * Fail-safe design * Engineered design features, and procedures that minimize consequences of DBAs (DBA)

Answer 121

4. To ensure that radioactive releases caused by severe accidents or design-extension conditions are kept as low as practicable. * Equipment and procedures to manage accidents and mitigate their consequences as far as practicable * Robust containment design * Complementary design features to prevent accident progression and to mitigate the consequences of design-extension conditions * Severe accident management procedures (DEC)

Answer 122

To mitigate the radiological consequences of potential releases of radioactive materials that may result from accident conditions. * Emergency support facilities * Onsite and offsite emergency response plan (Beyond DEC)

Answer 123

* 5 levels of Defence in Depth ✓Independent to the extent practicable * Plant States which correspond (roughly) to levels * Plant equipment for use at each level (not a perfect match) * Safety assessment demonstrates that design meets safety objectives

Answer 124

* REGDOC-2.5.2, Design of Reactor Facilities, Nuclear Power Plants * REGDOC-2.4.1, Deterministic Safety Analysis * REGDOC-2.4.2, Probabilistic Safety Analysis (PSA) for Nuclear Power Plants * CSA Standard N290.16, Requirements for beyond design basis accidents

Answer 125

✓Normal Operation - 1 ✓Anticipated Operational Occurrences 1 > f > 10^-2 ✓Design Basis Accidents 10^-2 > f > 10^-5 ✓Design Extension Conditions 10^-5 > f > Practically Eliminated

Answer 126

practically eliminated.

Answer 127

practical elimination hence no frequency cut-off is defined. ✓Severe scenario than DEC

Answer 128

, Deterministic Safety Analysis for Nuclear Power Plants * Section 7 describes the requirements for each plant state * IAEA Document

Answer 129

REGDOC-2.4.1, Deterministic Safety Analysis

Answer 130

* Design and analysis rules for NO, AOO, DBA are well established ✓Provide high confidence that events up to DBA will not require offsite

Answer 131

“reasonable confidence” that equipment will function as intended in the accident environment, e.g. ✓best-estimate safety analysis, not conservative ✓survivability assessment, not full EQ ✓reasonable estimates of operator action times, not “30 minute rule” ✓no application of Single Failure Criterion

Answer 132

implementation of the defence-in-depth framework ✓results in a strong safety case

Answer 133

CNSC’s regulations and regulatory documents, and in national and international standard

Answer 134

✓ Design and operate nuclear power plants (NPPs) in a manner that will protect individuals, society and the environment from harm. ✓ This objective relies on the establishment and maintenance of effective defences against radiological hazards in NPPs.

Answer 135

✓ Provide all reasonably practicable measures to prevent accidents in the NPP, and mitigate the consequences of accidents if they do occur. ✓ This takes into account all possible accidents considered in the design, including those of very low probability. Any radiological consequences will be below prescribed limits, and the likelihood of accidents with serious radiological consequences will be extremely low

Answer 136

posed by NPP operation Individual members of the public shall be provided a level of protection from the consequences of NPP operation, such that there is no significant additional risk to the life and health of individuals. ✓ Societal risks to life and health from NPP operation shall be comparable to or less than the risks of generating electricity by viable competing technologies, and shall not significantly add to other societal risks.

Answer 137

are practically eliminated. ✓ For plant states that are not practically eliminated, only protective measures that are of limited scope in terms of area and time shall be necessary for protection of the public, and sufficient time shall be made available to implement these measures

Answer 138

* The sum of frequencies of all event sequences that can lead to significant core degradation shall be less than 10^-5 per reactor year.

Answer 139

* The sum of frequencies of all event sequences that can lead to a release to the environment of more than 10^15 becquerels of iodine-131 shall be less than 10^-5 per reactor year. * A greater release may require temporary evacuation of the local population.

Answer 140

The sum of frequencies of all event sequences that can lead to a release to the environment of more than 10^14 becquerels of cesium-137 shall be less than 10^-6 per reactor year. A greater release may require long term relocation of the local population.

Answer 141

* Defence in depth * Large inventory of water * Many hours of passive cooling * In-ground spent fuel pools

Answer 142

✓Seismically qualified ✓Diverse means of adding water

Answer 143

✓Extended recovery time

Answer 144

✓Primary/secondary coolant ✓Moderator coolant

Answer 145

✓Reliable safety system ✓Independence of process, control and safety systems ✓Multiple barriers

Answer 146

ALL ACCIDENTS PREVENTABLE organizational safety culture in place design enhancements from lessons learned

Answer 147

✓Nuclear safety issues ✓Raised many questions ✓provided opportunities * Fukushima accident ✓External event can act as a common mode initiator ✓Failure of the safety provisions in several levels of DiD

Answer 148

* DiD remains valid * OFI * Implementation of DiD needs further work * external hazards; * Additional guidance * harmonisation; * Improvements focus * preventing accidents is key but consider mitigation

Answer 149

✓ Canadian nuclear power plants are safe ✓ Risk posed to the health and safety of Canadians or to the environment is small. ✓ Recommended improvements will further reduce the risk to as low as reasonably practicable.

Answer 150

✓ Strengthening defence in depth ▪ external events and beyond design basis accidents ▪ design and safety analysis ▪ severe accident management ✓ Enhancing emergency preparedness ▪ onsite and offsite emergency response ✓ 5 Levels of DiD ✓ adequate ✓ opportunity for improvement ✓ Improving regulatory framework and processes ▪ Regulatory framework ▪ Industry and operator oversight procedures ✓ International collaboration ▪ CANDU countries ▪ Other NPP regulators

Answer 151

* Level 3: Protecting spent fuel pools ✓ Makeup water capability and instrumentation

Answer 152

Level 4: Preventing and mitigating severe accidents ✓ Protecting fuel ✓ Makeup water capability to steam generators / primary heat transport system / emergency core coolant / dousing spray ✓ Preventing severe core damage ✓ Makeup water capability to moderator system and calandria vessel/vault ✓ Protecting containment ✓ Passive recombiners and containment venting ✓ Severe accident management guidelines validation/exercise

Answer 153

* Level 5: Protecting the public ▪ Containment filtered venting ▪ Integrated emergency plans and full-scale emergency exercises

Answer 154

✓ site-specific magnitudes of external events * high winds, seismic, tsunami /storm surges, flooding ✓ station blackout event on spent fuel bundles inside fueling machine ✓ Multi -unit events

Answer 155

✓ Emergency mitigating equipment ▪ mobile equipment ✓ Water makeup connections to ▪ steam generators ▪ heat transport system ✓ Provision for main steam safety valves after station blackout ✓ Upgrades of power systems ▪ load shedding to extend battery availability ▪ power supply for key instrumentation ✓ Protection against flooding (barriers, water - tight doors, sealing penetrations

Answer 156

✓ modelling for multi-unit plant events ✓ Reassessment of control room habitability during emergencies ✓ Instrumentation qualification for severe accident

Answer 157

✓ Water makeup connections to ▪ calandria vessel ▪ calandria vault ▪ relief capability of calandria/vault ▪ Instrumentation upgrades

Answer 158

* Analyses and reassessments ✓ Enhancement of filtered containment venting system ✓ Severe accident management guidelines (SAMGs) ✓ Instrumentation for SA conditions monitoring (qualify existing or new) ✓ Control facilities’ habitability during SA ✓ Improved modelling of SAs for multi-unit plants

Answer 159

* Design improvements ✓ Filtered containment venting ✓ Passive autocatalytic recombiners (PARS)

Answer 160

✓Structural integrity check for temperatures

Answer 161

* Design improvements ✓Instrumentation for pool parameters ✓Piping and connections for extra heat sinks ✓Procedure in event of loss of heat sinks (pool water)

Answer 162

✓ Incorporating SA management into emergency plans

Answer 163

✓ Implementation of backup power to emergency facilities and telecommunications equipment ✓ Formalized mutual aid agreement for external support ▪ Regional Emergency Response Support Centre

Answer 164

✓ Installation of automated real-time boundary radiation monitoring ✓ Development of source term estimation capability

Answer 165

✓ national-level oversight process for offsite nuclear emergency programs ✓ Review planning basis of offsite arrangements * developing capability for predicting offsite effects – needs for sheltering and evacuation * simple instructions to public in case of nuclear emergency ✓ Monitor performance of full scale emergency drills involving multi -levels Federal/provincial/municipal

Answer 166

Amendments to REGDOCS ✓Class I Nuclear Facilities Regulations ✓Radiation Protection Regulations * Developing new regulatory documents ✓Design of reactor facilities ✓Periodic safety review process ✓accident management and nuclear emergency preparedness * Implementing new licence conditions ✓accident management ✓public information program

Answer 167

* IAEA Safety Standards and Guides ✓Re-evaluated and improved * Canada (CANDU Reactors) ✓Alignment based on IAEA Safety Standards and Guides ✓Well informed by the Defence in Depth concept * Improvement and retrofits to the CANDU design