ML20069B159

From kanterella
Jump to navigation Jump to search
Enclosure 6 - Shine Safety Analysis Approach - Public Version
ML20069B159
Person / Time
Site: SHINE Medical Technologies, 99902034
Issue date: 02/24/2020
From:
SHINE Medical Technologies
To:
Office of Nuclear Reactor Regulation
Shared Package
ML20069B152 List:
References
2020-SMT-0020
Download: ML20069B159 (35)
v  d  e


Text

ENCLOSURE 6 SHINE MEDICAL TECHNOLOGIES, LLC MEETING SLIDES FOR THE MARCH 4 AND 5, 2020 PUBLIC MEETING BETWEEN SHINE MEDICAL TECHNOLOGIES, LLC AND THE NRC SHINE SAFETY ANALYSIS APPROACH PUBLIC VERSION 34 pages follow

2. SHINE Safety Analysis Approach This chapter summarizes the approach to performing the safety analysis for the SHINE Medical Isotope Production Facility (the SHINE facility).

2.1. Overview of the Safety Analysis Approach Applied to the SHINE Facility The SHINE facility is comprised of eight irradiation units (IUs) and their auxiliary systems, collectively known as the irradiation facility (IF), and one production facility, known as the radioisotope production facility (RPF). The guidance that SHINE uses for performing the safety analysis for the IF and the RPF is outlined in Part 1 of the Final Interim Staff Guidance (ISG) Augmenting NUREG-1537.

Part 1 of the Final ISG Augmenting NUREG-1537 provides the format and content guidance for Chapter 13 of the SHINE Final Safety Analysis Report (FSAR).

SHINE has decided to apply a risk-based methodology similar to the guidance described in NUREG-1520, Revision 2 in the development of the detailed accident analysis. The resulting SHINE-specific methodology is described in this chapter.

This methodology is applied by SHINE to both the IF and the RPF for consistency of the safety analysis for the entire SHINE facility, with the exception of the nuclear criticality safety program which only applies to the RPF.

FSAR Chapter 13 is the SHINE licensing basis accident analysis meeting the requirements identified in 10 CFR 50.34(b)(4). This report provides the supporting basis document for the SHINE Safety Analysis (SSA). The SSA is of appropriate detail for the complexity of the facility processes and identifies:

  • Radiological hazards related to possessing or processing licensed material at its facility;
  • Chemical hazards of licensed material and hazardous chemicals produced from licensed material;
  • Facility hazards, including chemical hazards, that could affect the safety of licensed materials and thus present an increased radiological risk;
  • Potential accident sequences caused by process deviations or other events internal to the facility and credible external events, including natural phenomena;
  • The consequence and the likelihood of occurrence of each potential accident sequence identified and the methods used to determine the consequences and likelihoods; and
  • Each specific administrative control relied upon for safety; and each safety-related structure, system or component (SSC), the characteristics of its safety function, and the assumptions and conditions or programmatic administrative controls necessary to demonstrate adequate safety of the facility.

1lPage

The SSA is a systematic analysis of facility processes used to identify facility hazards associated with the processing and possession of licensed materials. The SSA has been performed for the purpose of identifying all relevant hazards, potential accident sequences and consequences, equipment and specific human actions credited for safety, and programmatic administrative controls necessary to ensure the availability and reliability of safety-related SSCs. This analysis takes into consideration the facility structure, equipment, activities, personnel, processes, and administrative controls in an integrated manner to identify and analyze hazards. The analysis is developed based on the following information:

  • a description of the structures, equipment, and process activities at the facility;
  • an identification and systematic evaluation of hazards at the facility;
  • a comprehensive identification of potential accident/event sequences that would result in unacceptable consequences, and the expected likelihoods of those sequences;
  • an assessment of radiological and chemical consequences for postulated accident sequences to demonstrate compliance with acceptable limits;
  • an identification and description of safety-related controls (i.e., structures, systems, equipment, components or specific actions) that are relied on to limit or prevent potential accidents or mitigate their consequences; and
  • an identification of programmatic administrative controls that ensure the availability and reliability of identified safety systems.

The results of the SSA consist of postulated accident sequences for inclusion in Chapter 13 of the SHINE FSAR, in accordance with the guidance in Part 1 of the Final ISG Augmenting NUREG-1537. This includes a description of the accident sequences, potential consequences, controls credited to prevent or mitigate the accident sequence, and a summary of calculated dose consequences. Accident sequences that are not considered credible or have insignificant consequences were not included in FSAR Chapter 13 but are still documented in the SSA for completeness.

The purpose of the SSA is to demonstrate adequate safety for the SHINE facility.

The following subsections describe the steps in the SSA methodology.

2lPage

2.2. Hazard Identification & Evaluation The first phase of the SSA methodology is to identify and evaluate process hazards and potential deviations and failures that could result in a radiological or chemical consequence of concern. This is performed using the Hazard and Operability Analysis (HAZOP) and Failure Modes and Effects Analysis (FMEA) hazard evaluation methods. Hazard evaluation methods are conducted using the guidance provided in Guidelines for Hazard Evaluation Procedures, Center for Chemical Process Safety, Third Edition (John Wiley & Sons, Inc.).

2.2.1. Hazard Identification The hazard identification is performed by identifying, for each process, radiological or chemical hazards that have the potential for causing harm to the public, facility staff, or the environment. This includes physical process hazards that could result in adverse effects on radiological or chemical materials. The types of hazards that are identified for the SHINE facility are listed in Table 2.2-1.

The types of hazards are identified through a systematic hazard evaluation method for each process as discussed in Section 2.3. Hazards related to process conditions are also identified as part of the hazard evaluation review, including modes of the subcritical assembly operation, target solution preparation and handling, isotope extraction and purification, and waste handling and packaging.

The process locations where hazardous regulated material, including fissile material, are located have been considered and included. Chemical types, inventories, physical forms, and facility locations are also identified.

Identification and evaluation of hazards related to external events and internal fire and flooding hazards is also conducted during the process hazards analysis as described in Section 2.3.1 Table 2.2-1 Hazard Types Hazard Type Hazards Radiological Fission products (in solution, aerosol, and off-gas),

decay products, activation products, tritium, neutron, gamma Fissile Uranium oxide, uranium metal, uranyl sulfate (target solution), uranyl peroxide, uranium salts Chemical - Toxic Uranium, SF6 gas, SF6 decomposition products, fission & decay products Chemical - Flammable/Explosive Hydrogen gas, oxygen gas, uranium metal Chemical - Reactivity Sulfuric acid, nitric acid, NaOH Chemical - Oxidizer Oxygen gas, hydrogen peroxide Chemical - Incompatibility Acids & bases 3lPage

Hazard Type Hazards Chemical - Asphyxiant Nitrogen gas, SF6 gas, clean agent for fire protection Deflagration/Detonation Hydrogen gas, oxygen gas High voltage Accelerator high voltage power supply (HVPS)

High pressure Compressed gas cylinders (nitrogen & oxygen), SF6 gas High temperature Accelerator ion beam, process heaters, hydrogen recombiners Low temperature Liquid nitrogen Kinetic energy Ventilation and process system blowers & fans Potential energy Pressurized gas cylinders (oxygen, nitrogen), SF6 pressure vessel Internal fire Initiators (electrical equipment, maintenance),

combustible materials, hydrogen gas Internal flooding Process equipment, fire protection, cooling water systems External events Seismic, tornado, tornado generated missiles, severe weather, flooding (possible maximum precipitation),

external fire, aircraft impact, industrial &

transportation events (toxic gas, explosion) 4lPage

2.2.2. Hazard Evaluations Hazard evaluations are performed for those process systems described in Section 4.1. The methods applied for hazard evaluations are in accordance with the guidance provided in Guidelines for Hazard Evaluation Procedures (Reference 17).

The following methods are applied for the SHINE hazard evaluations:

  • Hazard and Operability Analysis (HAZOP)
  • Failure Modes and Effects Analysis (FMEA)

The HAZOP method was selected for most of the main process systems. The HAZOP methodology is the hazard evaluation technique best suited for batch or continuous processes. The HAZOP method is focused on process deviations or upsets, potential causes such as component failures or maloperation, possible consequences, and potential controls that may be applied for prevention or mitigation.

The FMEA method was applied to several other SHINE supporting systems: the neutron driver assembly system (NDAS); the tritium purification system (TPS); the radiological ventilation zone 1, 2, and 3 systems; and the nitrogen purge system (N2PS). The FMEA method is best suited for complex mechanical or electrical systems such as these. The FMEA method is focused on the failure or maloperation of system components, potential causes of component failure, possible consequences of component or system failure, and potential controls that may be applied for prevention or mitigation.

Both methods provide an assessment of potential failures, causes, and consequences that provide a basis for the development of possible accident sequences in the process hazards analysis. The hazard evaluation methods are carried out by a team of technical staff that provide the expertise for the evaluated process, and other disciplines needed for a comprehensive evaluation.

Hazard evaluation meetings are conducted in dedicated team review meetings for a systematic review of each process of interest. The hazard evaluation lead prepares for the meetings by performing a review of available process information (e.g., design criteria documents, process flow diagrams, piping & instrumentation diagrams) and develops a set of review drawings for distribution to the team members. The process systems are divided into functional sections for the evaluation that form the basis of the review.

The evaluation meetings are started by the hazard analysis lead with an overview of the methodology (i.e., HAZOP or FMEA) to be applied and the purpose and goals of the evaluation. The cognizant design engineer then provides a detailed overview of the process design and operation. This overview provides the team with an orientation and allows questions and answers to be discussed such that the team understands the process under review. The team then begins a section-by-section review of the process.

5lPage

The hazard evaluation identifies causes and potential consequences for process upsets, maloperations, or component failures. At this stage of the safety analysis process, there is no quantitative characterization of the risk (i.e., likelihood or consequence severity). The purpose of the hazard evaluation is to identify potential yet credible failure-cause-consequence relationships for further analysis. The engineering judgement of the team is relied on to qualitatively identify if a postulated failure-cause-consequence is credible and should be retained for additional analysis.

The output of the hazard evaluations are those failure-cause-consequences that have the potential for causing harm to the public, facility staff, or the environment; the possible engineered or administrative controls that may be applied for prevention or mitigation; and any additional recommendations for the design team to consider for process safety improvements or analysis. The results of the hazard evaluations are used to inform the process hazard analysis and accident sequence development described in Section 2.3. The hazard evaluations are documented in separate SHINE technical reports.

2.2.3. Hazard Evaluation Team Qualifications This section describes the makeup of the hazard evaluation teams and their qualifications to perform a thorough and appropriately conservative safety evaluation.

The hazard evaluations were performed by a team with expertise in engineering, criticality safety, fire, chemistry, radiation protection, and safety analysis. The team included personnel with experience and knowledge specific to each process or system that was being evaluated. The team was comprised of individuals who have experience, individually or collectively, in:

  • Nuclear criticality safety
  • Radiological safety
  • Fire safety
  • Chemical process safety
  • Safety analysis methodology The team leader is trained and knowledgeable in the methodologies chosen for the hazards and accidents evaluations. The team leader is responsible for the overall direction of the hazard and process evaluations. In addition, the team leader has an adequate understanding of the process operations and hazards evaluated; however, the leader need not be the responsible cognizant engineer or process expert.

A SHINE manager is responsible for providing overall administrative and technical direction for the hazard evaluations.

6lPage

2.3. Process Hazard Analysis & Accident Sequence Development This section provides a description of the methodology used for the process hazards analysis (PHA) and accident sequence development.

The PHA uses the results of the hazard evaluations described in Section 2.2 to develop accident sequences in accordance with the accident sequence categories described in Section 2.3.2. This approach combines the types of accident sequences derived from the guidance in Part 1 of the Final ISG Augmenting NUREG-1537 with the hazard evaluations performed for the SHINE facility.

Accident sequence development uses the risk index methodology discussed in Section 2.3.3. Potential accident sequences are defined based on the failures, process deviations, or external events as identified in the hazard evaluations for the SHINE facility. An initiating event is defined for each scenario that may include equipment failures, human errors, external events, or combinations of these elements. Potential consequences are also identified for each accident sequence as one or more of the following:

  • Radiological dose to the public or worker
  • Chemical dose to the public or worker
  • Criticality event
  • No consequence of concern Accident sequences that may result in a consequence of concern are first evaluated with no engineered or administrative controls applied, referred to as an uncontrolled accident sequence. A total risk index number is determined based on an estimate for the likelihood of occurrence and severity of consequences. For accident sequences with unacceptable risk indices, as defined in Section 2.3.3, engineered and administrative controls are applied that reduce the likelihood of occurrence and/or the severity of the consequences such that an acceptable risk level is reached. The final accident sequence is referred to as a controlled accident sequence. The credited engineered and administrative controls are identified as safety-related controls.

2.3.1. Overview of the PHA The PHA is divided into three sections:

  • IF accident sequences
  • RPF accident sequences
  • External event induced accident sequences The approach focuses the development of accident sequences that are specific to the two major facilities within the SHINE production facility, the IF and the RPF.

External event induced accident sequences are treated on a site-wide basis.

External events include natural phenomenon such as seismic events, tornado, severe weather, and flooding; industrial and transportation accidents such as 7lPage

aircraft impact, explosions, toxic chemical releases, and external fires. The external events PHA also includes fires and flooding from causes internal to the IF and the RPF. The accident types associated with external events are listed in Table 2.3-3.

Initiating events that are considered include:

  • Events that are external to the process being analyzed such as internal fires and internal flooding;
  • Deviations from normal process operations (credible abnormal events);
  • Failures of process components;
  • Human errors that result in process upsets or failures.

The evaluation for the IF and RPF is primarily concerned with credible abnormal events, failure of process components, and human errors (Bullets 3 through 5 above). The evaluation for external events is applied on a site-wide basis and includes Bullets 1 and 2 above.

Accident sequences are evaluated through the PHA process to assess risk and the need for safety-related controls. The PHA identifies the type of accident, possible initiating events, likelihood of occurrence, potential consequences, and risk rankings. The PHA also identifies the safety-related engineered and administrative controls that provide risk reduction through preventative and/or mitigative functions.

Internal fire events are evaluated on a fire area basis. Each fire area, as defined in the SHINE Fire Hazards Analysis (FHA), was evaluated for the potential initiating fire causes and consequences. The FHA describes the hazards located in each fire area, and the fire protection features (e.g., fire barriers, detection, and suppression) that are located in each fire area. The accident sequences identify the potential to damage structures, systems, and components that could result in the release of radiological materials or hazardous chemicals. Engineered and administrative controls are also identified for prevention and/or mitigation of fire-initiated accident sequences.

Accident sequences that are evaluated are provided in the tables in Appendices A, B, and C of this report.

2.3.2. Categories of Accident Sequences This subsection provides a general description of the categories of accident sequences used in the PHA. The subsection is divided into accidents originating in the IF, the RPF, and external events common to both. The types of accident sequences are derived from the guidance in Part 1 of the Final ISG Augmenting NUREG-1537. Additional accident sequences that are specific to the SHINE facility are derived from the PHA.

The following sections describe accident sequences as identified by the PHA or derived from Part 1 of the Final ISG Augmenting NUREG-1537.

8lPage

Accident Sequences in the IF The accident sequences identified in the IF are categorized by accident type as discussed in Section 13a2.1 in Part 1 of the Final ISG Augmenting NUREG-1537.

A summary of the categories of accidents analyzed for the IF is presented in Table 2.3-1.

There are several hypothetical accident sequences developed for each accident type. The initiating events and potential consequences are derived from the hazard evaluations performed for each relevant process system as described in the FSAR.

The accident sequences are examined in detail in the PHA for the IF, and are provided in Appendix A.

Table 2.3-1 Categories of Accident Sequences in the Irradiation Facility Accident Description Category Insertion of Excess Failures that cause the reactivity of the target solution vessel (TSV) to Reactivity unexpectedly increase during target solution filling (Mode 1), during irradiation (Mode 2), or during post-irradiation but prior to target solution dump to the TSV dump tank (transition to Mode 3). These events could potentially lead to exceeding power density limits in the target solution and being outside of analyzed conditions.

Reduction in Failures in the cooling systems that can result in changes in the target solution Cooling including increased temperature, increased concentration, adverse chemical effects, thermal stress of components, or the potential for bulk boiling of the solution.

Mishandling or Failures in the target solution vessel, the TSV dump tank and connected Malfunction of systems that can result in target solution migrating into locations not designed Target Solution for target solution resulting in leakage, contamination, or unintended criticality.

Loss of Normal Failures that result in a complete or partial loss of normal electrical power. This Electrical Power may include a loss of offsite power, or other failures of the normal electrical power system.

Mishandling or Failures that result in the release of radioactive fission product gases from the Malfunction of primary system boundary. For the SHINE facility, this is primarily releasing of Equipment radioactive gases from the TSV off-gas system (TOGS) or TSV.

Large Undamped Failures or transients that could result in large undamped power oscillations.

Power Oscillations Detonation and Failures that result in a hydrogen deflagration or detonation within the primary Deflagration in the system boundary. This may occur in the TOGS, the TSV headspace, or the Primary System TSV dump tank.

Boundary 9lPage

Accident Description Category Unintended Failures or process upsets that can result in exothermic reactions that could Exothermic challenge the primary system boundary integrity.

Reaction other than Detonation Facility System Failures in support systems or other shared systems that could result in an Interactions adverse impact on the primary system boundary Facility Specific Accident sequences that are specific to the SHINE facility design. These Events include accident sequences that originate in the NDAS or the supporting TPS.

Accident Sequences in the RPF The accident sequences identified in the RPF are categorized by accident type as discussed in Section 13b.1.2 and 13b.3 of the Final ISG Augmenting NUREG-1537. A summary of the categories of accidents analyzed for the SHINE radioisotope production facility is presented in Table 2.3-2.

There are several hypothetical accident sequences developed for each accident type. The initiating events and potential consequences are derived from the hazard evaluations performed for each relevant process system as described in the FSAR.

The accident sequences are examined in detail in the PHA for the RPF, and are provided in Appendix B.

Table 2.3-2 Categories of Accident Sequences in the Radioisotope Production Facility Accident Description Category Inadvertent Failures such as spills or leaks, changes in configuration or geometry, Criticality misdirection or misalignments, chemistry changes, or other issues or initiating events that results in a criticality event.

Mishandling or Failures, such as spills, misalignments, or misloads that result in the release of Malfunction of radioactive fission products to RPF hot cells, vaults, or pipe trenches, or Equipment increased direct radiation doses.

Accidents with Failures, such as spills or leaks, that can result in fatalities or long-lasting Hazardous health effects to workers or the public.

Chemicals 10 l P a g e

External Events The external events identified in the SHINE facility are categorized by accident type as discussed in Section 13a2.1.6 and 13b.1.2 of the Final ISG Augmenting NUREG-1537. A summary of the types of external events for the SHINE facility is presented in Table 2.3-3.

There are several hypothetical accident sequences developed for each external event type. The initiating events and potential consequences are derived from the hazard evaluations performed for each relevant process system as described in the FSAR. The external events include internal events that affect both the IF and RPF together and are not particular to either the IF or RPF.

The accident sequences are examined in detail in the PHA for the IF and RPF, and are provided in Appendix C.

Table 2.3-3 External Events in the Radioisotope Production Facility and Irradiation Facility Accident Type Description Seismic Event A design basis earthquake event occurs and damages plant equipment or structures, resulting in various failures, and possible releases.

Tornado and High Tornados or high winds damage structures or create a hazardous Wind environment. This includes the effects of tornado generated missiles.

External Flooding Maximum precipitation events damage structures or create a hazardous environment.

External Fires External fires from various sources such as wildfires, lightning, or natural gas lines, damage structures or create a hazardous environment.

Transportation Transportation accidents such as aircraft impact into the buildings, toxic gas Accidents releases, or explosions, damage structures or create a hazardous environment.

Internal Fires Failures of equipment or release of flammable materials resulting in fire in the plant and subsequent damage or destruction of important equipment or confinement barriers.

Internal Flooding Rupture of piping or inadvertent actuation of fire suppression resulting in undesired flooding of areas of the plant.

Internal Chemical Spill or release of hazardous chemical or material resulting in undesired Release reactions or interactions, or a dangerous environment.

Compressed Gas Component or piping failure resulting in a hazardous atmosphere or energetic Release release hazard.

11 l P a g e

2.3.3. Risk Matrix Development This section provides a description of the methodology used for the risk matrix development for assessing accident sequences defined in Section 2.3.

The risk matrix approach provides a method of determining the risk of various accident sequences based on a quantitative estimate of the likelihood of occurrence and the severity of the consequences. The likelihood of occurrence and the consequence severity for each uncontrolled accident sequence is estimated and corresponding categories are assigned. The risk matrix then identifies those credible accidents which have the potential to exceed the acceptable risk index values, and therefore require engineered and/or administrative controls for prevention or mitigation. The risk index values are then reassessed after application of engineered or administrative controls that result in an acceptable risk outcome. This results in a controlled accident sequence that meets the acceptable level of risk as outlined in Table 2.3-6.

The likelihood category definitions used in the risk matrix for the SHINE facility are presented in Table 2.3-4. There are three likelihood categories that are referred to as Highly Unlikely, Unlikely, and Not Unlikely, and correspond to a likelihood index number of 1, 2, and 3, respectively.

Table 2.3-4 Likelihood Category Definitions Likelihood Category Likelihood Index (T) Event Frequency Limit Risk Index Limits Less than 10-5 per Highly Unlikely 1 T -5 event, per year Between 10-4 and 10-5 Unlikely 2 -5 < T -4 per event, per year More than 10-4 per Not Unlikely 3 -4 < T event, per year The estimation of the likelihood of occurrence for an uncontrolled accident sequence is described in Section 2.4. The determination of the likelihood of occurrence consists of the initiating event frequency (e.g., seismic event, process component failure, human error) and may be combined with an additional component failure or human error, including any recovery times (i.e., failure duration). In most cases the initiating events are represented by single events or single failures. The frequency of occurrence of an initiating event for an accident sequence is represented by a failure frequency index number (FFIN) as presented in Table 2.4-1.

The consequence category definitions used in the risk matrix for the SHINE facility are presented in Table 2.3-5. Numerical limits for the radiological and chemical exposure effects are included in the definitions for high and intermediate consequence for the public and worker. The low consequence category is implicitly 12 l P a g e

defined as resulting in consequences that are less than intermediate and meet the SHINE Safety Criteria limits in Table 2.5-1.

Table 2.3-5 Consequence Category Definitions Consequence Workers Offsite Public Category RD > 25 rem RD > 100 rem High Consequence 3 30 milligrams sol U intake CD> PAC-3 CD > PAC-2 Intermediate 5 rem < RD 100 rem 0.5 rem< RD 25 rem Consequence 2 PAC-2 < CD< PAC-3 PAC-1 < CD PAC-2 Accidents with lower Accidents with lower Low Consequence radiological and radiological and chemical 1 chemical exposures exposures than those above than those above The consequences of accident sequences are initially estimated based on the type of hazard present (e.g., radiological, chemical, criticality) without consideration of features that could prevent or mitigate the initiating event. The estimation of chemical and radiological consequences is based on the judgement of the hazard evaluation team for the uncontrolled accident sequences. Radiological dose calculations were performed to estimate the radiological consequences for the controlled accident sequences to demonstrate that the low consequence dose limits are met for all credible accident sequences. For chemical exposures, the acceptance criteria are defined by the protective action criteria (PAC) guidelines for chemicals as described in Section 2.5.3.

The risk matrix used for SHINE is presented in Table 2.3-6. The risk matrix combines the likelihood and consequence categories for each unmitigated accident sequence to determine the risk index rating for the sequence. Risk index ratings of 4 or less are determined to be acceptable and to not require preventive or mitigative controls. Risk index ratings greater than 4 will require controls to reduce the consequence category and/or the likelihood category to reduce the overall risk to an acceptable level (4 or less).

13 l P a g e

Table 2.3-6 Risk Matrix Likelihood of Occurrence Severity of Consequences Likelihood Category 1 Likelihood Category 2 Likelihood Category 3 Highly Unlikely Unlikely Not Unlikely (1) (2) (3)

Consequence Category 3 Acceptable Unacceptable Unacceptable High 3 6 9 (3)

Consequence Category 2 Acceptable Acceptable Unacceptable Intermediate 2 4 6 (2)

Consequence Category 1 Acceptable Acceptable Acceptable Low 1 2 3 (1)

The application of the risk matrix for accident sequences that are evaluated are provided in the tables in Appendices A, B, and C.

2.3.4. Process Hazard Analysis Evaluation Tables This section describes the documentation of the PHA and accident sequence development. The following appendices contain tables that document the overall review of the accident sequences that were conducted for the SHINE SSA:

  • Appendix A - Irradiation Facility PHA Accident Sequence Table
  • Appendix B - Radioisotope Processing Facility PHA Accident Sequence Table
  • Appendix C - External Events PHA Accident Sequence Table A description of the information presented in the PHA accident sequence tables is provided in Table 2.3-7.

14 l P a g e

Table 2.3-7 Process Hazard Analysis Accident Sequence Table Description Column Label Description ID Accident scenario ID. Corresponds to FSAR Chapter 13 sections.

Accident Type The accident types are listed in Tables 2.3-1, 2.3-2, and 2.3-3 of this report for internal event accidents in the IF, internal event accidents in the RPF, and external events, respectively.

Scenario A summarized statement of the accident scenario.

Description Cause or This column lists the potential initiating events or causes for the Initiating Event accident scenario. Initiating events may include:

  • External events due to natural phenomenon or man-made causes,
  • Non-process related facility events external to the process being analyzed (internal fires, internal flooding, system interactions), or
  • Process related deviations or failures.

Consequence A summary statement of the potential radiological or chemical consequences that can affect the worker or the public.

FFIN The failure frequency index number for the initiating event as discussed in Section 2.4. Generally, there are no preventive controls applied for this determination except as noted in Section 2.4.

Likelihood The likelihood category as discussed in Section 2.4.

Category -

Uncontrolled Worker The worker consequence category as discussed in Section 2.5.

Consequence Generally, there are no mitigative controls applied for this

- Uncontrolled determination. The assessment of consequence is based on the judgement of the PHA review team.

Public The public consequence category as discussed in Section 2.5.

Consequence Generally, there are no mitigative controls applied for this

- Uncontrolled determination. The assessment of consequence is based on the judgement of the PHA review team.

Worker Risk - Risk index number for the worker for the uncontrolled accident Uncontrolled sequence.

Public Risk - Risk index number for the public for the uncontrolled accident Uncontrolled sequence.

15 l P a g e

Column Label Description Available Engineered (active or passive) and administrative controls credited Controls for prevention or mitigation of the accident sequence. There may be more than one control credited for prevention or mitigation.

Additional defense-in-depth controls may also be listed.

FPIN Failure probability index number for the controls, or combination of controls as discussed in Section 2.4. The controls are assessed for reduction of the consequence or likelihood categories. If multiple independent controls are listed, the FPIN may be a summation of those controls.

Likelihood The likelihood category as discussed in Section 2.4. Preventive Category - controls are applied for this determination.

Controlled Worker The worker consequence category as discussed in Section 2.5.

Consequence Mitigative controls are applied for this determination. The

- Controlled assessment of consequence is based on the judgement of the PHA review team or the dose results from the consequence analyses.

Public The public consequence category as discussed in Section 2.5.

Consequence Mitigative controls are applied for this determination. The

- Controlled assessment of consequence is based on the judgement of the PHA review team of the dose results from the consequence analyses.

Worker Risk - Revised risk index number for the worker for the controlled accident Controlled sequence.

Public Risk - Revised risk index number for the public for the controlled accident Controlled sequence.

Accident This column provides additional notes regarding the determination Scenario the initiating event FFIN, the preventative controls, and the mitigative Notes controls.

16 l P a g e

2.4. Likelihood Evaluation Method Because SHINE is a first of a kind facility, the assignment of a likelihood category for the accident sequences for the SHINE facility relies on engineering judgement of similar systems and components in industrial and nuclear applications. This section describes the general approach to provide a consistent framework for the assessment of initiating event frequency, and any additional failure probabilities of SSCs that would need to exist for the accident sequence to occur.

The determination of the likelihood of occurrence consists of the initiating event frequency (e.g., seismic event, process component failure, human error), which may be combined with an additional component failure or human error, including any recovery times (i.e., failure duration). In most cases the initiating events are represented by single events or single failures.

The frequency of occurrence of an initiating event for an accident sequence is represented by a FFIN, as presented in Table 2.4-1.

The bases for determining the FFIN for an accident sequence include evidence and type of control. As SHINE does not have an operational history, an assessment based on type of control is the main bases applied for determining the frequency category.

To determine the FFIN selected for an accident sequence initiator based on the type of control, several factors are considered including:

  • Administrative (i.e., human error)
  • Type of component failure (i.e., active versus passive)
  • Degree of redundancy (i.e., single component, redundant component)
  • Design margin (e.g., design pressure versus nominal pressure)
  • Other factors including degree of enhancement for administrative controls (e.g., independent verification and step sign-off).

If the accident sequence is postulated to occur only if another condition or failure is present, then an additional probability of component failure or condition is included in the evaluation. The FPIN represents this as a failure on demand, or as a probability that the condition exists. This can be evaluated as a simple probability of failure on demand or approximated as the product of a failure rate and a recovery time, defined in this analysis as a duration index number (DIN). The quantitative characterization of the FPIN and DIN are listed in Tables 2.4-2 and 2.4-3, respectively.

17 l P a g e

Table 2.4-1 Failure Frequency Index Numbers Failure Frequency Index Based on Evidence Based on Type of Control Comments Number (FFIN)

External event with If initiating event, no controls

-6 N/A freq. < 10-6/yr needed.

For passive safe-by-design components or systems; failure is considered highly unlikely for robust passive engineered controls:

1. Whose dimensions fall within established single parameter limits or that can be shown by calculation to be subcritical including the use of Initiating event with the approved subcritical margin,

-5 N/A freq. < 10-5/yr

2. That have no credible failure mechanisms that could disrupt the credited design characteristics, and
3. Whose design characteristics are controlled so that the only potential means to effect a change that might result in a failure to function would be to implement a design change.
1. Exceptionally robust passive engineered control No failures in 30 (PEC), Rarely can be justified by evidence.

years for hundreds of

-4 2. Two independent active Further, most types of single control similar controls in engineered control (AECs), have been observed to fail.

industry.

PECs, or enhanced specific administrative control (SAC)

No failures in 30 A single control with years for tens of

-3 redundant parts, each a None similar controls in PEC or AEC industry.

No failure of this type

-2 in the facility in 30 A single PEC None years.

A few failures may 1. A single AEC

-1 occur during facility 2. Enhanced SAC None lifetime. 3. Redundant SAC Failure occur every 1 0 A single SAC None to 3 years.

Several occurrences Frequent event, inadequate Not for controls, just initialing 1

per year. control events.

Occurs every week or Very frequent event, Not for controls, just initialing 2

more often. inadequate control events.

18 l P a g e

Table 2.4-2 Failure Probability Index Numbers Failure Probability Probability of Failure on Based on Type of Control Comments Index Number (FPIN) Demand If initiating event, no

-6 10-6 control needed.

1. Passive engineered control (PEC) with high design margin. Can rarely be justified by
2. Inherently safe process. evidence. Most types of

-4 or -5 10 10-5

3. Two redundant controls single controls have been more robust than a simple observed to fail.

AEC, PEC, or enhanced SAC.

1. Single PEC

-3 or -4 10 10-4 2. Single AEC with high None availability

1. Single AEC
2. Enhanced SAC

-2 or -3 10 10-3 None

3. SAC for routine planned operations A SAC that must be performed in

-1 or -2 10 10-2 None response to a rare unplanned demand.

Table 2.4-3 Duration Index Numbers Duration Index Number Average Failure Duration in Years Comments (DIN) Duration 1 > 3 years 10 0 1 year 1 Formal monitoring to

-1 1 month 0.1 justify indices < -1

-2 A few days 0.01

-3 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> 10-3

-4 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> 10-4

-5 5 minutes 10-5 As an example, the introduction of a base chemical into uranyl sulfate target solution could result in uranium precipitation and a potential criticality. This may be represented as a failure frequency of the base solution into a sump tank due to leakage or maloperation (FFIN) while there is uranium solution present in the sump tank due to a previous process upset or failure (FPIN). Since both conditions are required for the potential accident sequence to occur and either condition could occur first, the likelihood is evaluated as the combination of an FFIN and an FPIN.

19 l P a g e

In this example, the FPIN may be evaluated as the product of an event frequency (i.e., FFIN for uranium solution release to sump tank) and the duration (i.e., DIN for detection and remediation of uranium solution in the sump). Many of these types of accident sequences are considered highly unlikely because of the number of failures that need to occur. This methodology provides the basis to identify controls that are required to support a determination of highly unlikely.

2.4.1. Definitions of Unlikely, Highly Unlikely, and Credible SHINE uses the following definitions of Credible, Unlikely, and Highly Unlikely.

1) Credible - Events that do not meet any of the following conditions are considered credible:
a. An external event for which the frequency of occurrence can conservatively be estimated as less than once in a million years.
b. A process deviation that consists of a sequence of many unlikely events or errors for which there is no reason or motive. In determining that there is no reason for such errors, a wide range of possible motives, short of intent to cause harm, must be considered.
c. A convincing argument exists that, given physical laws, process deviations are not possible, or are extremely unlikely. The validity of the argument is not dependent on any feature of the design or materials controlled by the Technical Specifications or safety-related SSCs or activities.

Events that meet any of the above sets of qualities is therefore not credible. A determination of not credible must be convincing without the application of any designated controls.

2) Unlikely - Event frequency between 10-4 and 10-5 per event, per year.
3) Highly Unlikely - Event frequency less than or equal to 10-5 per event, per year 20 l P a g e

2.5. Consequence Analysis Methods Consequence analysis is performed for radiological and chemical hazards as applicable for each accident sequence as described in the following subsections.

The consequence analysis provides the basis for determining the severity of accident sequence consequences and the corresponding consequence category.

2.5.1. SHINE Safety Criteria The SHINE facility has adopted a set of criteria which defines the radiological and chemical dose consequences to demonstrate that individuals are protected against undue risks from exposure to radiological and chemical materials. The SHINE Safety Criteria are listed in Table 2.5-1.

The SHINE safety analysis methodology defines acceptable risk for an accident sequence if the risk index values are estimated to be 4 as shown in the risk matrix, Table 2.3-6. The SHINE safety criteria radiological dose limits, criteria a &

b, are used in the consequence category definitions to define low consequence.

The safety criteria for chemical dose limits, criteria c & d, for low consequence are discussed in Section 2.5.3.

Table 2.5-1 SHINE Safety Criteria SHINE Safety Criteria a1, 2 An acute worker dose of 5 rem or greater total effective dose equivalent (TEDE) b1, 3 An acute dose of 0.5 rem or greater TEDE to any individual located outside the owner controlled area C An intake of 30 mg or greater of uranium in soluble form by any individual located outside the owner controlled area d1, 4 An acute chemical exposure to an individual from licensed material or hazardous chemicals produced from licensed material that could lead to irreversible or other serious, long-lasting health effects to the worker or could cause mild transient health effects to any individual located outside the owner controlled area e Criticality in the RPF: under normal and credible abnormal conditions, all nuclear processes in the RPF shall remain subcritical, including use of an approved margin of subcriticality for safety f Loss of capability to reach safe shutdown conditions 1 Acute refers to a single radiation dose or chemical exposure event.

2 The worker exposure event is assumed to last for 10 minutes, during the evacuation of the facility.

3 The public exposure event is generally assumed to last for 30 days, while mitigation efforts may be on-going. An exception is for accident scenarios involving the tritium purification system, which assumes a 10 day exposure event.

4 Licensed material and hazardous chemicals produced from licensed material are materials containing uranium (irradiated or unirradiated), fission products, or activation products.

21 l P a g e

Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3) 2.5.2. Radiological Consequence Analysis The radiological dose consequence analysis is based on the five-factor formula as described in NUREG/CR-6410, Nuclear Fuel Cycle Facility Accident Analysis Handbook, March 1998. A set of radiological dose cases are defined to represent and bound the potential release conditions for postulated accident scenarios that are determined during the PHA.

The approach begins with the determination of the materials at risk (MAR) for the process locations and conditions. The physical state of the materials at risk (e.g.,

liquid, gas, aerosol), the thermodynamic conditions that may exist for each scenario (e.g., temperature, pressure, humidity), the type of release stressors (e.g., mechanical, fire, deflagration), and any release path factor considerations (i.e., confinement) are identified. The method then models the transport of the major isotopic contributors (i.e., noble gases, halogens, non-volatiles, tritium) from the source confinement location, into the facility buildings for worker dose determination, and then into the environment for dispersal to the site boundary.

The methodology is described in more detail below.

Material at Risk The MAR used for the target solution scenarios is calculated using the Monte Carlo N-Particle 5 (MCNP5 v1.60) and the Oak Ridge Isotope Generator (ORIGEN-S, as included in the SCALE 6.1.3 package) codes using bounding assumptions for the target solution irradiation.

  • Corresponding fission power: 137.5 kW (license limit +10%)
  • Irradiation time per cycle: 30 days
  • Total time between irradiations: [ ]PROP/ECI
  • Extraction between irradiations: none
  • Length of target solution recovery: [ ]PROP/ECI Target solution is held for a period of [ ]PROP/ECI after cessation of irradiation before transfer to the RPF. The target solution MAR is then partitioned into various source terms that are characterized by extraction of isotopes from the target solution, removal of product solutions, and extraction and evolution of gaseous and liquid waste solutions. Zeolite beds in the TOGS are credited with iodine removal prior to transfer of target solution for spill scenarios outside of the IU cell. These source terms correspond to the specific accident scenarios developed during the PHA.

The MAR for the accident scenarios involving the release of tritium are determined based on the inventory expected to be contained in the system that is assumed to fail. For example, the maximum expected tritium inventory in a neutron driver is the MAR for a neutron driver rupture. For tritium the source term is equal to the MAR since all tritium is assumed to escape from the process equipment as a gas.

22 l P a g e

Radionuclide Transport Model This model is based on a series of coupled equations for the rate of change of the mass of a radionuclide in various facility locations. The methodology effectively combines the airborne release fraction (ARF) and the leak path factor (LPF) into a single parameter that replaces ARF x LPF in the five-factor formula as defined in NUREG/CR-6410, Nuclear Fuel Cycle Facility Accident Analysis Handbook, March 1998. The three locations for which radionuclides are considered are

1. Location of initial release,
2. Downstream facility rooms or spaces, and
3. The environment.

The model tracks the activity of the radioisotopes in these locations by determining the scenario-specific MAR inventory in the location of initial release, the leakage rates from location to location, and the removal rate due to physical processes.

The source term release rates are defined for the location of initial release using the MAR described above. The source term is assumed to be instantaneously released into the initial location. All noble gases are released to the gas space. For tritium release scenarios, all tritium is also released to the gas space. Iodine is partitioned between gas and liquid depending on solution pH and temperature. The remainder of radionuclides are dissolved in solution in liquid or solid form and are potential sources for aerosol transport. Aerosol generation is considered due to bubble burst, spray leak, or spill, and is available for gas flow. The rate of bubble formation includes the effects from solution radiolysis.

Leakage rates are determined based on the physical paths (junctions) that connect two locations. Time dependent equations to describe the pressure and temperature in the locations are modeled. Pressure driven flows are calculated through specified leakage paths and include both forward flow and counter-current flow as applicable. Where pressure differences are negligible, flows induced by differences in gas densities are considered.

Removal rates are modeled for sedimentation, condensation, adsorption, radioactive decay, and engineered system removal. The sedimentation rate applies to aerosol states for applicable radionuclides. Condensation applies to the removal of aerosols and those radionuclides that have both vapor and liquid states.

Adsorption models the removal of iodine through adsorption onto surfaces in the source volumes. Radioactive decay is applied to consider the effects of decay removal and buildup.

Removal rates by physical processes may include filters or carbon beds depending on the scenario. A decontamination factor (DF) is applied to account for these mechanisms. Separate DF values are defined for any flow path for noble gases, iodine, and aerosols.

The cumulative leakage for the duration of the event is used to determine the public dose. The cumulative leakage at 10 minutes is used to determine the worker dose received during evacuation from the facility. The cumulative leakage rates 23 l P a g e

represent the product of the leak path factors and the airborne release fractions for each category of radioisotope.

Radiological Dose Consequence The TEDE is calculated for the public and the facility worker based on the results of the radionuclide transport accident scenario for each accident scenario type.

The methodology uses external (i.e., submersion) and internal (i.e., inhalation) radiation sources to calculate;

  • The dose equivalent (HT) and the effective dose equivalent (HE) for external sources and,
  • The committed dose equivalent (HT,50) and the committed effective dose equivalent (HE,50) for internal sources.

The TEDE and the total dose equivalent (TDE) are measures of the total body and organ doses, respectively, received from external and internal radiation sources.

External doses are calculated for submersion in contaminated air for both the public and worker with appropriate dose conversion factors (DCF) for submersion for each radionuclide. Inhalation doses are calculated based on a respirable fraction, DCF for inhalation for each radionuclide, and breathing rate. Worker dose is calculated based on a facility evacuation time of 10 minutes. The public dose is calculated over the duration of the event at the site boundary and for the nearest resident.

The PAVAN computer code is used to calculate the short-term atmospheric dispersion (/Q) factors for an effluent release to the public. The /Q values are calculated at the nearest point along the site boundary and at the nearest resident location. The most limiting of the 50th percentile /Q is used for both receptor locations. A 50th percentile /Q value is considered acceptable since the source terms present in the SHINE facility are considerably smaller than those found in a nuclear reactor. A ground release is assumed as it is conservative compared to an elevated stack release.

Table 2.5-2 lists the major parameters used in the dose consequence assessment.

24 l P a g e

Table 2.5-2 Major Parameters Used in the Dose Consequence Assessment Parameter Assumed Value Breathing rate (m /s) 3 3.5E-4 Worker exposure time (sec) 600 IF free volume (m3) 13,380 RPF free volume (m3) 17,907 50% /Q at the site boundary (s/m3) 3.88E-4 50% /Q at the nearest residence (s/m3) 5.43E-5 Damage ratio 1.0 Public dose conversion factors ICRP-72, FGR-12 Worker dose conversion factors ICRP-68, FGR-11, FGR-12 2.5.3. Hazardous Chemical Consequence Assessment SHINE has evaluated the potential hazards of chemicals at the site. The analysis has been performed for hazardous toxic chemicals within the facility, and not just those produced from licensed materials, since the listed chemicals may or may not be produced from or associated with licensed materials depending on which point in the process or system is being considered. The analysis is therefore bounding for all hazardous chemicals produced from licensed materials. Engineered or administrative controls have been developed only for those systems or processes where the hazardous chemical is produced from or otherwise associated with licensed materials. Consequence or chemical dose modeling are evaluated using dispersion models and/or computer codes that conform to the methodologies in NUREG/CR-6410, Nuclear Fuel Cycle Facility Accident Analysis Handbook, March 1998.

The hazardous chemical consequence assessment is performed to demonstrate that potential consequences are within acceptable limits. This assessment determines if the release of hazardous chemicals from the SHINE facility could lead to exceeding Protective Action Criteria (PAC) categories as identified in Table 2.3-5. The inventory of chemicals used at the SHINE facility is compiled by storage location, quantity, and type of storage container.

A consequence analysis for the public and nearest residence is performed using the ALOHA (Areal Locations of Hazardous Atmospheres), Version 5.4.7, computer code. The chemical MAR is assumed to be the largest quantity of material that can be present for a single release event. In most cases, this is limited by the capacity of a single storage container (i.e., a single container spill).

To model the chemical exposure to the facility workers, the evaporation rates or directly released material from the ALOHA calculations are used to determine the amount of each chemical released into the facility atmosphere. The evaporation rate is determined by setting the assumed wind speed to the minimum value allowed in ALOHA, which simulates the indoor air movement. The puddle area used for evaporation is modeled by using the room dimensions that the chemical 25 l P a g e

is stored in. The resulting concentration of a chemical release within the facility is calculated as a homogenous mixture within the RPF volume.

To model the chemical exposure to the members of the public, the evaporation rates from the chemical puddle are calculated in the same way as above for the worker dose. The evaporated chemical is then dispersed using a 4.2 m/s wind speed, which is based on meteorological data from the Southern Wisconsin Regional Airport. The chemical dose for the site boundary and the nearest resident is determined.

26 l P a g e

2.6. Nuclear Criticality Safety Evaluation Process Criticality safety evaluations are performed using a combination of What-if Checklist and Event Tree analysis to screen and determine the credible criticality events and determine appropriate controls in order to meet the double contingency principle.

Each system is evaluated using the What-if Checklist approach to identify the set of process upsets relevant to each of the typical criticality safety parameters.

Following process upset identification, a credibility determination is performed using the definitions of credible and not credible as described in Section 2.4.1 of this report. For events determined to be not credible, no further evaluation is needed.

For process upsets determined to be credible, the upset is evaluated to determine if it can be considered Safe-by-Design. A process upset is safe-by-design if the process or system: (1) remains subcritical due to the presence of robust passive engineered controls whose dimensions fall within established single parameter limits or that can be shown by calculation to be subcritical including the use of the approved subcritical margin, (2) has no credible failure mechanisms (e.g.,

corrosion, bulging, leakage) that could disrupt the credited design characteristics, and (3) design characteristics are controlled so that the only potential means to effect a change that might result in a failure to function would be to implement a design change. Bounding process conditions are considered during the calculations to determine subcriticality. Design characteristics that are credited in the safe-by-design determination are specified as passive engineered controls.

For process upsets considered safe-by-design, the double contingency principle is met by definition.

Credible process upsets not determined to be safe-by-design are further evaluated using event tree analysis to identify the independent, unlikely, and concurrent changes in process conditions that must occur before a criticality accident is possible. As needed, controls are selected using the preferred control hierarchy to preclude or reduce the likelihood of the identified changes in process conditions in order to reduce the overall likelihood of a criticality accident to highly unlikely.

27 l P a g e

2.7. Safety-Related Controls As defined in the SHINE facility quality assurance program description (QAPD) safety-related items are those physical SSCs whose intended functions are to prevent accidents that could cause undue risk to the health and safety of workers and the public; and to control or mitigate the consequences of such accidents.

Undue risk is defined by the SHINE Safety Criteria in Section 2.5.1. Safety-related SSCs shall implement the full measure of the requirements of the SHINE QAPD.

As defined in the SSA, types of safety-related controls that are credited for prevention and/or mitigation of accident sequences are as follows:

  • engineered controls (active or passive) are identified as safety-related SSCs and,
  • specific administrative controls.

Programmatic administrative controls are implemented to assure that safety-related controls can perform their intended functions.

Defense-in-depth (DID) controls may also be identified that are not credited in accident sequences but provide additional margin for risk reduction.

Safety-related SSCs in the RPF also include those SSCs that assure criticality events are highly unlikely and acute chemical exposures to an individual from licensed materials or hazardous chemicals produced from licensed materials could not lead to irreversible or other serious, long-lasting health effects to a worker or cause mild transient health effects to any individual located outside the owner controlled area.

The results of the SSA consist of postulated accident sequences for inclusion in Chapter 13 of the SHINE FSAR. Information is included for each accident sequence that is consistent with the guidance in Part 1 of the Final ISG Augmenting NUREG-1537. This information includes a description of the accident sequence, potential consequences, controls credited to prevent or mitigate the accident sequence, and a summary of calculated dose consequences.

2.7.1. Identification of Safety-Related Controls The accident sequences that are documented, as described in Table 2.3-7, identify the controls that are credited for prevention and/or mitigation of accident sequences. A descriptive list of the safety-related controls is compiled in the SSA report. Table 2.7-1 describes the information that is provided in the SSA report.

28 l P a g e

Table 2.7-1 Safety-Related Control Table Description Description Control ID Unique identifier that identifies the associated system and type of control (i.e., AEC, PEC, SAC). The types of controls are defined as follows:

1. AEC - Active engineered control A physical device that uses active sensors, electrical components, or moving parts to maintain safe process conditions without any required human actions.
2. PEC - Passive engineered control A device that uses only fixed design features to maintain safe process conditions without any required human action.
3. SAC - Specific administrative control Either a simple administrative control or an enhanced administrative control. relied on to prevent or mitigate a specific accident sequence or to maintain subcriticality and established in formal plant procedures. Where, a) Simple administrative control - A procedurally required or prohibited human action to maintain safe process conditions.

b) Enhanced administrative control - A procedurally required or prohibited human action, combined with a physical device that alerts the operator that the action is needed to maintain safe process conditions or that otherwise adds substantial assurance of the required human performance.

Description A description of the control including its safety function (preventive, mitigative, or other support function). Other information provided in the description depends upon the type of control and may include operating conditions or modes, any automatic actions performed by the control, or any human actions initiated by the control.

Specific administrative controls will also describe the particular action or set of actions that is credited.

Safety Identification of any applicable safety parameter and associated Parameter and limits.

Limits Reliability Identification of the programmatic administrative controls applied to Management ensure that the credited control can perform its intended safety Measures function. For example, design controls, type and frequency of surveillance, or preventative maintenance may be applicable.

29 l P a g e

2.8. Integration into the Final Safety Analysis Report & Technical Specifications The guidance that SHINE uses for performing the SSA presented in this report is outlined in Part 1 of the Final ISG Augmenting NUREG-1537. Part 1 of the Final ISG Augmenting NUREG-1537 provides the format and content that is included in Chapter 13 of the SHINE FSAR. This section describes how the results of the SSA are incorporated into the SHINE FSAR and the Technical Specifications.

2.8.1. Incorporation into the FSAR Chapter 13 Accident Analysis FSAR Chapter 13 is the SHINE licensing basis accident analysis. The accident analysis is divided into two Chapters, 13a2 and 13b, that cover the IF and the RPF, respectively.

Tables 2.8-1, 2.8-2, and 2.8-3 list the FSAR accident sequences and corresponding FSAR sections for each section for accidents with radiological consequences.

Irradiation Facility Within FSAR Section 13a2, the subsections labeled as 13a2.1.x provides a general description of the postulated accident sequences in the IF. This includes the following information:

  • Identification of Causes, Initial Conditions, and Assumptions;
  • General Scenario Description; and
  • Accident Consequences.

The discussions in these subsections outline the accident sequences as identified in the SSA. The SSA may describe several postulated accident sequences in each of the categories identified in Table 2.8-1. Similar accident sequences within the SSA may be combined in the FSAR descriptions as single accident sequence.

The subsections labeled as 13a2.2.x provide a more detailed discussion of accident sequences that may result in radiological consequences. The information provided in these subsections includes:

  • Initial Conditions
  • Initiating Event
  • Sequence of Events (including safety controls)
  • Damage to Equipment
  • Radiation Source Terms
  • Radiological Consequences 30 l P a g e

This discussion provides a detailed description of the accident sequence from the initiating event through the radiological source terms and consequences. The controls that are credited for preventing the accident sequence from progressing, or controls that mitigate the consequences of the accident sequence are also identified. The radiological consequences are mapped to the consequence analysis as discussed in Section 2.5.

Table 2.8-1 FSAR Accident Analysis for the Irradiation Facility FSAR Accident Description Sections 13a2.1.1 IF Maximum Hypothetical Accident 13a2.2.1 13a2.1.2 Insertion of excess reactivity 13a2.2.2 13a2.1.3 Reduction in cooling 13a2.2.3 13a2.1.4 Mishandling or malfunction of target solution 13a2.2.4 13a2.1.5 Loss of off-site power 13a2.2.5 13a2.1.6 External events 13a2.2.6 13a2.1.7 Mishandling or malfunction of equipment 13a2.2.7 13a2.1.8 Large undamped power oscillations 13a2.2.8 13a2.1.9 Detonation and deflagration in the primary 13a2.2.9 system boundary 13a2.1.10 Unintended exothermic chemical reactions 13a2.2.10 other than detonation 13a2.1.11 System interaction events 13a2.2.11 13a2.1.12 Facility-specific events 13a2.2.12 Radioisotope Production Facility Within FSAR Chapter 13b, the subsections labeled as 13b.1.2.x provide a general description of the postulated accident sequences in the RPF. This includes a high level description of each of the postulated accident sequences from the SSA. The SSA may have several postulated accident sequences in each of the categories identified in Tables 2.8-2. Similar accident sequences may be combined in the FSAR descriptions as single accident sequence.

The subsections labeled as 13b.2.x provide a more detailed discussion of accident sequences that may result in radiological consequences. Similar to the accident sequences in the IF, the information for the RPF includes;

  • Initial Conditions 31 l P a g e
  • Initiating Event
  • Sequence of Events (including safety controls)
  • Damage to Equipment
  • Transport of Radioactive Material
  • Radiological Consequences This discussion provides a detailed description of the accident sequence from the initiating event, and includes a sequence of events, the extent of equipment damage from the event, transport of radioactive material and radiological consequences. The controls that are credited for preventing the accident sequence from progressing, or controls that mitigate the consequences of the accident sequence are also identified. The radiological consequences are mapped to the consequence analysis as discussed in Section 2.5.

Table 2.8-2 FSAR Accident Analysis for the Radioisotope Production Facility FSAR Accident Description Section 13b.1.2.1 Maximum hypothetical accident in the RPF 13b.2.1 13b.2.2 Loss of electrical power 13b.1.2.2 External events 13b.2.3 13b.1.2.3 RPF critical equipment malfunction 13b.2.4 13b.1.2.4 RPF inadvertent nuclear criticality 13b.2.5 13b.1.2.5 RPF fire 13b.2.6 13b.1.2.6 Analyses of accidents with hazardous 13b.3 chemicals The external events that are identified in Table 2.8-3 are included in the IF and RPF accident analysis discussions as applicable.

32 l P a g e

Table 2.8-3 FSAR Accident Sequences for External Events FSAR Accident Description Section 13a2.1.6 Seismic Events 13a2.2.6 13a2.1.6 Severe Weather 13a2.2.6 13a2.1.6 External Flooding 13a2.2.6 13a2.1.6 External Fire 13a2.2.6 13a2.1.6 Transportation Accidents 13a2.2.6 13b.1.2.5 Internal Fire 13b.2.6 13a2.2.11 Internal Flooding 13b2.3 13a2.2.11 Chemical/Gas Release 13b2.3 2.8.2. Incorporation of Controls into the Technical Specifications The SSA identifies a set of AECs, PECs, SACs as discussed in Section 2.7. The SSA-identified engineered controls (i.e., SSCs) that are required to be operable under certain conditions to meet the assumptions underlying the SSA are included within Section 3.0 of the Technical Specifications, Limiting Conditions for Operation and Surveillance Requirements. The Technical Specification Basis discussion for each LCO identifies the safety function performed by the SSC and the irradiation unit modes or other conditions during which the SSC is required to be operable. The SSA does not identify the design details of the SSCs, which are provided by other SHINE design documentation.

Section 4.0 of the Technical Specification, Design Features, includes design features that are identified in the SSA. These are aspects of the facility design and other physical conditions (e.g., distance to the site boundary, building free volume) that are inputs or assumptions in the radiological dose calculations that support the SSA dose consequence analysis.

The SSA also identifies the programmatic administrative controls that are required to be implemented to ensure that safety-related SSCs will be capable of performing their design functions. Section 5.0 of the Technical Specifications, Administrative Controls, includes the programmatic administrative controls identified in the SSA (e.g., maintenance of safety-related SSCs, fire protection program) and requires that those programs are established, implemented, and maintained. Section 5.0 additionally requires the development and use of procedures (Section 5.4) that implement the specific administrative controls identified in the SSA.

33 l P a g e

Section 5.0 also includes discussion of the configuration management program (Section 5.5.4), which provides oversight and control of design information, safety information, and records of modifications that might impact the ability of safety-related SSCs to perform their functions. The configuration management program Section 5.5.4 also lists controls not otherwise included in Sections 3.0, 4.0, or 5.0 that will be maintained under the configuration management program and will not be modified as described in the Technical Specifications without prior NRC approval. The configuration management program is applied to all safety-related SSCs.

Sections 3.0, 4.0 and 5.0 of the Technical Specifications additionally include information not derived from the SSA but was included to meet the requirements of ANSI/ANS 15.1-2007, The Development of Technical Specifications for Research Reactors.

34 l P a g e

Retrieved from "https://kanterella.com/w/index.php?title=ML20069B159&oldid=2936346"