Etienne COURTIN


APPLICATION OF

THE CONCEPT OF DEFENCE IN DEPTH

TO THE EPR REACTOR DESIGN

E.COURTIN

AREVANP

Paris, France

Email:

Abstract

The application of defence in depth has been improved in Generation 3 NPPs in two main directions: the improvement of core melt prevention for complex sequences and the consideration of core melt situations in the design. This is illustrated here by the EPR design.

The plant safety is primarily based on a robust list of design basis conditions (DBC), defined by considering single initiating internal events that challenge the main safety functions. In Generation 3 NPPs these accidents shall include events initiated in the spent fuel pool and also events initiated during any plant shutdown mode.

Design Extension Conditions without significant fuel degradation (DEC-A) are meant to prove the core melt prevention capability of the plant in complex sequences. The first step is to build the list of relevant sequences in close link with the probabilistic core melt targets.

DEC conditions with significant fuel degradation (i.e. core melt, DEC-B) are deterministically postulated in the design. The list of EPR core melt design situations results from the identification of the specific physical phenomena expected to occur during core melt, and dedicated systems are designed to address them. The significant fuel degradation situations that cannot be reasonably controlled are demonstrated to be practically eliminated.

This article will explain how the EPR model implements the concept of defence in depth, relying on a very strong main line of defence for DBC, complemented by independent features designed to prevent fuel degradation or limit its consequences.

1. INTRODUCTION

The concept of defence in depth is a cornerstone of Nuclear Power Plant safety. This concept is not new in NPP design, though its application to Generation 3 NPPs leads to extending the understanding of how each level of defence should be implemented in order to meet the stringent safety objectives that are now applicable to new reactors.

The paper develops the application of the defence in depth concept to the EPR reactor design; it mainly focuses on the methods applied regarding internal events (excluding hazards) in the 3rd and 4th levels of defence in order to achieve the European safety objectives (as set in ref. [1] and [2]). Note that, even though the objectives are the same in all EPR projects, the methodology described hereafter reflects the up-to-date process and may differ in ongoing projects.

2. Principles

2.1. Safety objectives

As a Generation 3 nuclear reactor, the EPR model aims at having only a limited detrimental impact on the population and the environment, even in case of a postulated core melt situation. The various safety objectives considered in the EPR design for the different kinds of design conditions are those in force in Western Europe. Some of these objectives are recalled below, as they are stated in ref. [2].

[…]

O2. Accidents without core melt

ensuring that accidents without core melt induce no off-site radiological impact or only minor radiological impact (in particular, no necessity of iodine prophylaxis, sheltering nor evacuation).

reducing, as far as reasonably achievable,

  • the core damage frequency taking into account all types of credible hazards and failures and credible combinations of events;

—[…]

O3. Accidents with core melt

reducing potential radioactive releases to the environment from accidents with core melt, also in the long term, by following the qualitative criteria below:

  • accidents with core melt which would lead to early or large releases have to be practically eliminated;
  • for accidents with core melt that have not been practically eliminated, design provisions have to be taken so that only limited protective measures in area and time are needed for the public (no permanent relocation, no need for emergency evacuation outside the immediate vicinity of the plant, limited sheltering, no long term restrictions in food consumption) and that sufficient time is available to implement these measures.

Compared to former designs, clear emphasis is placed on two main additional objectives: first, to prevent core melt with a high confidence and, second, to be able to manage core melt situations in a way that guarantees limited radiological consequences. These two aspects are further developed in the paper.

2.2. The defence in depth principle

The defence in depth principle was defined in ref. [4] and the definition of the defence in depth levels, as applicable to the EPR design, is refined in ref. [3]. There are some differences between the IAEA and WENRA definitions of the levels, mainly regarding whether complex sequences without core melt should be considered in level 3 (WENRA) or level 4 (IAEA). However, regardless of these differences, there are major convergences in the international safety approach based on the defence in depth principle, which can be summed up in the following way.

—The main bases of nuclear safety are a robust design and strict plant operation and maintenance; they ensure that normal operation can be carried out without any threat to nuclear safety (level 1 of defence in depth). This aspect is not further developed in the paper.

—Minor deviations from normal operation are corrected, in particular by limitation systems, without any radiological consequences either (level 2 of defence in depth). This aspect is not further developed in the paper.

—Safety systems are designed to cope with single initiating events leading to accident conditions (level 3 of defence in depth).

—Multiple failures may affect safety systems, leading to complex accident conditions in which core melt should be prevented (level 3b of defence in depth in the WENRA definition, level 4 in the IAEA definition).

—Regardless of the reliability of the means implemented to prevent core melt, situations with significant fuel degradation should be postulated and dedicated means implemented to limit the radiological consequences (level 4 of defence in depth).

—Independence should be provided between the features credited in each line of defence, as far as reasonably practicable.

The next parts of the paper describe how these principles are implemented in the EPR design in order to reach the safety objectives mentioned in §2.1.

3. Design basis conditions

The aim of this part is not to describe in detail how design basis conditions are defined and addressed, as this issue is not a major step forward in the design of new plants compared to Generation 2 NPPs, even though many improvements have been brought to both the prevention and the mitigation of accidents. In the EPR design, "Design Basis Conditions" stand for both Anticipated Operational Occurrences (AOO) and Design Basis Accidents (DBA).

3.1. Purpose of Design Basis Conditions (DBC)

Design basis conditions are used to design the safety systems that compensate for disturbances in the control of the reactor's main safety functions. For this purpose, envelope accident sequences are postulated on the basis of single initiating events that directly affect the control of the main plant parameters. Those accidents should be analysed with conservative methods and assumptions in order to bring safety margins into the design and to be able to cope with most real accident situations, which may be slightly different from or more complex than the postulated ones.

3.2. Improvements in EPR design

The main improvements provided in the EPR design regarding the DBC are:

—the consideration of shutdown modes as possible initial conditions for accident initiation;

—the consideration of accident situations occurring in the fuel storage pool.

Power operation is the most usual operational mode of the plant and accident analyses address it first. However, operating experience over the years has shown that shutdown modes also lead to specific threats, in particular when the RCS or the containment is open. In the EPR, each plant mode is analysed in order to identify the specific risks, and the corresponding accident sequences are included in the DBC list. The same conservative analysis rules apply to the DBC initiated in shutdown modes.

The spent fuel pool has the potential to generate radiological releases. Therefore the DBC analysis should not be limited to the reactor itself and should include the risks specific to the pool and also to the fuel handling operations. In the EPR safety demonstration, accident sequences related to the spent fuel pool are included in the DBC list and conservative analysis rules are also applied. The transient families are mostly associated with the reduction of the heat removal capability or an uncontrolled decrease of the pool level.

4. Design extension conditions: core melt prevention (DEC-A)

4.1. Purpose of DEC-A analysis

According to WENRA objective O2 (see §2.1), it has to be demonstrated that the overall core damage frequency (CDF) is reduced as far as reasonably achievable, and WENRA requires this demonstration to be primarily deterministic. From a design point of view, this means that the core damage frequency that can be associated with each Postulated Initiating Event (PIE) should be made low enough by deterministic provisions. Based on former experience, the order of magnitude of an indicative core melt frequency target for a given PIE should be less than 1E-7/reactor.year in order to meet the generally approved target value of 1E-5/r.y for the overall core melt frequency estimated in the Level 1 Probabilistic Safety Assessment (PSA).

As the reliability of most active and passive safety systems credited in the DBC analysis is limited, such a CDF target cannot be reached for the most frequent PIEs by crediting the safety systems alone. Therefore the aim of the DEC-A analysis is to prove that, for any PIE, core melt can be prevented even in complex sequences where a complete failure of a DBC safety system is assumed. Such a demonstration relies on diversified features that are able to control the safety functions when a failure of the safety systems is assumed. In that case, the combined reliability of the safety systems and the diversified systems makes it possible to meet the probabilistic target.

At the design stage, detailed PSA results are not yet available; therefore this evaluation is performed with a decoupled approach. The principle is displayed in Fig. 1.

4.2. List of DEC-A

DEC-A analyses are required when there is a need to provide diversified means to control the fundamental safety functions during complex sequences and the efficiency of these means cannot be proved by engineering judgment alone. Two types of complex sequences are considered in the design:

—frequent DBC combined with a common cause failure (CCF) affecting a safety system (including its support systems);

—a common cause failure affecting a safety system used in normal operation (e.g. support systems).

Note that, at the basic design stage, the combination of independent initiating events or the simultaneous failure of systems without a plausible common cause is not considered in the design, because the associated frequencies are assumed to be low enough to reject such sequences into the residual risk. This assumption has to be confirmed later by the Level 1 Internal Event PSA.

The diversity analysis consists of listing all the features credited in frequent DBC (including those used in normal operation, if any) and either postulating a complete failure of the feature by common cause or justifying that such a common cause failure is not plausible (for instance because of intrinsic diversity). It is then analysed whether diverse means should be implemented for this feature; there are several possible cases:

—within the DEC-A analysis rules and criteria, the resulting complex sequence remains acceptable regarding the core melt prevention objective without any additional means;

—the existing DBC features not affected by the common cause failure are able to compensate for the failure, provided that they are sufficiently diversified from the feature that was postulated to fail; then no specific DEC-A feature is required;

—a specific reliable DEC-A feature diversified from the safety system that was postulated to fail is required to meet the safety objective.

Finally, the list of DEC-A is built by defining bounding sequences that make it possible to prove the efficiency of each identified diversified means in the most challenging plausible complex sequence.
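The decoupled screening of §4.1 and the diversity analysis of §4.2 can be written down as a small procedure. The following Python script is an added example; it is not part of the paper and does not use EPR design data. It assumes that the core damage frequency of a complex sequence is bounded by the PIE frequency times the probability of the postulated CCF times the failure probability of the diverse means that remain, and that a feature of the same CCF group is lost together with the failed one. The feature names, CCF groups, initiating event frequencies and probabilities are constructed for illustration; only the 1E-7/r.y per-PIE and 1E-5/r.y overall targets come from the text.

```python
"""Added example (not from the paper): decoupled DEC-A screening of frequent
DBCs combined with a common-cause failure (CCF). All names and numbers are
constructed for illustration, not EPR design data."""
from dataclasses import dataclass, field
import math

PIE_CDF_TARGET = 1e-7      # /r.y per PIE, indicative target quoted in the paper
OVERALL_CDF_TARGET = 1e-5  # /r.y overall Level 1 PSA target quoted in the paper

# Assumption: a postulated CCF fails every feature of its group completely, and
# the per-demand probability of that CCF is a constructed figure.
CCF_PROBABILITY = {
    "EFW": 1e-3,       # hypothetical emergency feedwater trains (DBC)
    "SIS": 1e-3,       # hypothetical safety injection trains (DBC)
    "CCWS": 1e-3,      # hypothetical component cooling trains (DBC)
    "DIV_FEED": 1e-3,  # hypothetical diversified feedwater (DEC-A feature)
    "DIV_COOL": 1e-3,  # hypothetical diversified cooling (DEC-A feature)
}

@dataclass(frozen=True)
class Feature:
    name: str
    function: str   # safety function the feature controls
    ccf_group: str  # features of one group are lost together by common cause

@dataclass
class Pie:
    name: str
    frequency: float               # initiating event frequency, /r.y (constructed)
    required_functions: frozenset  # functions still needed under DEC-A analysis rules
    dbc_features: list
    dec_a_features: list = field(default_factory=list)

def screen_ccf(pie, group):
    """Combine the PIE with a complete CCF of `group`; return (case, CDF contribution)."""
    seq_freq = pie.frequency * CCF_PROBABILITY[group]
    lost = {f.function for f in pie.dbc_features if f.ccf_group == group}
    lost &= pie.required_functions
    if not lost:
        # Case 1: under DEC-A rules the lost features are not needed; no extra means.
        return "acceptable_without_additional_means", 0.0
    surviving = [f for f in pie.dbc_features if f.ccf_group != group]
    dec_a = [f for f in pie.dec_a_features if f.ccf_group != group]
    case, cdf = "compensated_by_diversified_dbc_features", 0.0  # Case 2 unless changed
    for fn in sorted(lost):
        dbc_backup = [f for f in surviving if f.function == fn]
        dec_backup = [f for f in dec_a if f.function == fn]
        backup = dbc_backup or dec_backup
        if not backup:
            # No diverse means covers the function: the whole sequence ends in core melt.
            return "dec_a_feature_required", seq_freq
        if not dbc_backup:
            case = "specific_dec_a_feature_credited"  # Case 3
        # Core melt through this function needs every diverse backup to fail as well.
        cdf += seq_freq * math.prod(CCF_PROBABILITY[f.ccf_group] for f in backup)
    return case, cdf  # summing over lost functions gives a bounding estimate

def assess_pie(pie):
    """Screen each CCF group credited in the PIE; return (results, total CDF, target met)."""
    groups = sorted({f.ccf_group for f in pie.dbc_features})
    results = {g: screen_ccf(pie, g) for g in groups}
    total = sum(cdf for _, cdf in results.values())
    return results, total, total <= PIE_CDF_TARGET

def assess_plant(pies):
    """Add up the per-PIE bounding CDF and compare with the overall target."""
    total = sum(assess_pie(p)[1] for p in pies)
    return total, total <= OVERALL_CDF_TARGET

# Constructed sample PIEs (frequent DBCs), deliberately simplified.
EFW = Feature("EFW train", "heat_removal", "EFW")
SIS = Feature("SIS train", "inventory_control", "SIS")
CCWS = Feature("CCWS train", "cooling_chain", "CCWS")
DIV_FEED = Feature("diversified feedwater", "heat_removal", "DIV_FEED")
DIV_COOL = Feature("diversified cooling", "cooling_chain", "DIV_COOL")

LOSS_OF_FEEDWATER = Pie("loss of main feedwater", 0.05,
                        frozenset({"heat_removal"}), [EFW, SIS], [DIV_FEED])
# Same initiator twice: first without any diversified cooling, then with one.
LOSS_OF_OFFSITE_POWER = Pie("loss of offsite power", 0.02,
                            frozenset({"cooling_chain"}), [CCWS])
LOSS_OF_OFFSITE_POWER_FIXED = Pie("loss of offsite power", 0.02,
                                  frozenset({"cooling_chain"}), [CCWS], [DIV_COOL])
SAMPLE_PIES = [LOSS_OF_FEEDWATER, LOSS_OF_OFFSITE_POWER]

if __name__ == "__main__":
    for pie in SAMPLE_PIES + [LOSS_OF_OFFSITE_POWER_FIXED]:
        results, total, ok = assess_pie(pie)
        print(f"{pie.name}: CDF {total:.1e}/r.y, per-PIE target met: {ok}")
        for group, (case, cdf) in results.items():
            print(f"  CCF on {group}: {case} ({cdf:.1e}/r.y)")
    print("plant total:", assess_plant(SAMPLE_PIES))
```

Running the script shows the three outcomes of the diversity analysis on the constructed data: the CCF on the safety injection group falls in the first case because inventory control is not required under DEC-A rules for that PIE, the CCF on the feedwater group is covered by the diversified feedwater (third case, 5E-8/r.y), and the CCF on the cooling chain has no diverse backup and is flagged as requiring a DEC-A feature until the diversified cooling is declared, after which the per-PIE target is met. The per-function sum is a bounding estimate, in line with the decoupled approach of §4.1; a Level 1 PSA would later replace it.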

4.3. Systems credited in DEC-A: independence between levels of defence in depth

The demonstration of DEC-A level independence would be straightforward if there were a whole set of diversified systems fully independent from the safety systems and able to fully manage any DEC-A sequence. However, the demonstration is more complex, as safety systems can still be credited in a DEC-A analysis because the simultaneous and complete failure of all the components contributing to the DBC line of defence is not plausible. In fact, each DEC-A sequence is characterized by an assumed CCF, and any feature not affected by this CCF is considered to be still available. The analysis is then performed based on both these features and, if necessary, additional DEC-A features that are not affected by the CCF either, thanks to adequate diversity.

Finally, the adequate independence of the DEC-A line is proved sequence by sequence: it consists of proving that, whatever plausible failure combination is assumed in the DBC line, there are still sufficient means available in both the DBC and DEC-A lines to prevent core melt.

5. Design extension conditions: core melt management (DEC-B)

5.1. Purpose and scope of DEC-B analysis

According to the WENRA definition of the 4th level of defence in depth applicable in Western Europe (ref. [3]), core melt has to be postulated regardless of the effort made to prevent it in the previous levels of defence in depth. The consequence is that dedicated DEC-B features have to be designed in order to limit the consequences of the accident and fulfil the associated safety objectives (see §2.1). The purpose of the DEC-B analysis is to prove the appropriate design of the DEC-B features.

This design is based on the identification of the main physical challenges to the containment integrity expected to occur during a core melt. A limited number of scenarios are defined in order to characterize each of these challenges, and the specific DEC-B features are sized to cope with them.

5.2. Systems credited in DEC-B: independence between levels of defence in depth

In principle, only specific features dedicated to DEC-B are credited in the DEC-B analysis. No credit can be taken from any system used in normal operation or any safety system (DBC), except some SSCs like the containment itself. This rule provides assurance of the independence of the 4th level of defence from the lower levels.

Some features may be credited in both the DEC-A and DEC-B analyses, provided that this does not jeopardize the safety objectives. In practice, this means that, when a DEC-B feature is also used in DEC-A, it should be proved that the possible core melt sequence resulting from this DEC-A sequence combined with the failure of the feature, which may lead to unacceptable consequences, has a probability low enough to be rejected into the residual risk.

6. Practical elimination: a complement to the defence in depth concept

6.1. Purpose of practical elimination

According to the defence in depth concept, dedicated DEC-B features are implemented in order to limit the consequences of fuel melt. If this last level of defence is correctly implemented, in addition to the prevention means implemented in the previous levels of defence, then it can be considered that the safety objectives are satisfactorily met and it is not necessary to proceed to any further demonstration (in particular, there is no requirement to postulate the loss of DEC-B features). Mitigation of fuel melt events mainly relies on the capability to perform the containment function efficiently and, conversely, it is impossible to fulfil the safety objectives in conditions where the control of this function is jeopardized, in particular if the integrity of the containment building is affected.

The aim of the practical elimination concept is to prove that severe accident situations where the containment function would be significantly jeopardized, leading to large or early releases, can "be considered with a high level of confidence to be extremely unlikely to arise" (ref. [5]). Note that a mere overshoot of the DEC-B criteria is not necessarily considered to be a large or early release. Essentially, a situation to be practically eliminated is associated with a significant failure of the containment resulting from an energetic phenomenon that would damage the containment building in a sudden and irreversible way. There are other kinds of containment failures that could also lead to large or early releases, but they are either progressive or can be repaired. For these situations it can be considered that additional mitigating measures can be implemented (mostly based on mobile means), and so they are not considered in the practical elimination process.

The practical elimination process therefore first consists of identifying the severe accident situations that can be associated with energetic phenomena liable to challenge the containment integrity. Such phenomena may occur after the fuel melt (such as hydrogen detonation) or before the fuel melt (prompt criticality during heterogeneous dilution). In addition, situations where the implementation of a containment function is not reasonably practicable are also identified and included in the practical elimination process, as fuel melt occurring in these specific conditions may obviously lead to large releases (core melt in the spent fuel pool, or core melt in the reactor while the containment is open).

6.2. Demonstration of practical elimination

Once the situations that have to be practically eliminated are listed, it is necessary to identify the plausible accident sequences that may lead to these specific fuel melt situations. The demonstration of practical elimination is based on the implementation of several independent lines of defence that prevent the energetic phenomena from occurring. The demonstration is performed on a case by case basis, depending on the situation that has to be eliminated and the associated credible sequences. In any case, the reliability of the features implemented to achieve this demonstration should make it possible to prove with a high confidence that the resulting core melt situation has a very low frequency.

7. Conclusion

The EPR reactor fulfils stringent safety objectives aimed at preventing core melt and inducing no impact on the population and the environment in case of accident conditions. In addition, although the core melt frequency is very low, and in accordance with the defence in depth principles, dedicated systems are implemented in order to manage those core melt situations that may occur and to guarantee very limited radiological consequences. Finally, a very few situations can be conceived where the radiological consequences would not be limited in case of core melt, because of a significant failure of the containment due to very energetic phenomena; these situations are proved to be practically eliminated.