ML20083L722

Candu Reactors, Their Regulation in Canada, and the Identification of Relevant NRC Safety Issues
ML20083L722
Person / Time
Site: 05200005
Issue date: 04/30/1995
From: Charak I, Kier P
ARGONNE NATIONAL LABORATORY
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
References
CON-FIN-L-2046 ANL-95-5, NUREG-CR-6315, NUDOCS 9505180578


Text

NUREG/CR-6315
ANL-95/5

CANDU Reactors, Their Regulation in Canada, and the Identification of Relevant NRC Safety Issues

I. Charak, P. H. Kier

Argonne National Laboratory

Prepared for U.S. Nuclear Regulatory Commission

AVAILABILITY NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555-0001
2. The Superintendent of Documents, U.S. Government Printing Office, P. O. Box 37082, Washington, DC 20402-9328
3. The National Technical Information Service, Springfield, VA 22161-0002

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC bulletins, circulars, information notices, inspection and investigation notices; licensee event reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the Government Printing Office: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, international agreement reports, grantee reports, and NRC booklets and brochures. Also available are regulatory guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

Documents available from the National Technical Information Service include NUREG-series reports and technical reports prepared by other Federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal articles, and transactions. Federal Register notices, Federal and State legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office of Administration, Distribution and Mail Services Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, Two White Flint North, 11545 Rockville Pike, Rockville, MD 20852-2738, for use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018-3308.

DISCLAIMER NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product, or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

NUREG/CR-6315
ANL-95/5

CANDU Reactors, Their Regulation in Canada, and the Identification of Relevant NRC Safety Issues

Manuscript Completed: June 1993
Date Published: April 1995

Prepared by I. Charak, P. H. Kier

Argonne National Laboratory
9700 S. Cass Avenue
Argonne, IL 60439

Prepared for
Division of Systems Research
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
NRC Job Code L2046

ABSTRACT

Atomic Energy of Canada, Limited (AECL) and its subsidiary in the United States are considering submitting the CANDU 3 design for standard design certification under 10 CFR Part 52.

CANDU reactors are pressurized heavy water power reactors. They have some substantially different safety responses and safety systems than the LWRs that the commercial power reactor licensing regulations of the U.S. Nuclear Regulatory Commission (NRC) have been developed to deal with. In this report, the authors discuss the basic design characteristics of CANDU reactors, specifically of the CANDU 3 where possible, and some safety-related consequences of these characteristics. The authors also discuss the Canadian regulatory provisions, and the CANDU safety systems that have evolved to satisfy the Canadian regulatory requirements as of December 1992.

Finally, the authors identify NRC regulations, mainly in 10 CFR Parts 50 and 100, with issues for CANDU 3 reactor designs. In all, eleven such regulatory issues are identified. They are: (1) the ATWS rule (§50.62); (2) station blackout (§50.63); (3) conformance with Standard Review Plan (SRP); (4) appropriateness of the source term (§50.34(f) & §100.11); (5) applicability of reactor coolant pressure boundary (RCPB) requirements (§50.55a, etc); (6) ECCS acceptance criteria (§50.46(b)); (7) combustible gas control (§50.44, etc); (8) power coefficient of reactivity (GDC 11); (9) seismic design (Part 100); (10) environmental impacts of the fuel cycle (§51.51); and (11) standards (§50.55a).

CONTENTS

ABSTRACT
ACKNOWLEDGEMENTS

1. DESIGN CHARACTERISTICS OF CANDU REACTORS
   1.1 Introduction
   1.2 Design Characteristics
   1.3 Some Safety-Related Consequences of Design Characteristics
2. REGULATION AND LICENSING OF CANDU REACTORS IN CANADA
   2.1 Regulations and Regulatory Instruments
       2.1.1 Atomic Energy Control Regulations
       2.1.2 Regulatory Policy Statements
       2.1.3 Consultative Documents
   2.2 The Licensing Process
       2.2.1 Site Acceptance
       2.2.2 Construction Approval
       2.2.3 Operating License
       2.2.4 License Renewals
   2.3 Emergency Planning
   2.4 CANDU-Specific Regulatory Requirements
3. CANDU SAFETY SYSTEMS
   3.1 Special Safety Systems
       3.1.1 Shutdown Systems
       3.1.2 Emergency Core Cooling System (ECCS)
       3.1.3 Containment System
       3.1.4 Separation and Independence
   3.2 Systems Performing Basic Safety Functions
       3.2.1 Reactor Shutdown Capability
       3.2.2 Residual Heat Removal Systems
       3.2.3 Emergency Core Cooling
       3.2.4 Key Parameters for Monitoring and Control
       3.2.5 Electrical Power Systems
4. CANDU SAFETY ISSUES VIS-A-VIS NRC REGULATIONS
   4.1 Anticipated Transients without Scram (ATWS)
   4.2 Station Blackout
   4.3 Conformance with Standard Review Plan
   4.4 Source Term
   4.5 Reactor Coolant Pressure Boundary
   4.6 ECCS Acceptance Criteria
   4.7 Combustible Gas Control
   4.8 Power Coefficient of Reactivity
   4.9 Seismic Design
   4.10 Environmental Impacts of Uranium Fuel Cycle
   4.11 Canadian Standards
5. REFERENCES
APPENDIX A

TABLES

2-1 Maximum Permissible Doses Imposed by Atomic Energy Control Regulations
2-2 Reference Dose Limits for Postulated Failure Conditions
2-3 Radiation Dose Limits Based on Consultative Document C-6 Used in Licensing the Darlington Station
4-1 Issues in NRC Regulations for CANDU Reactors

FIGURES

1-1 37-Element Fuel Bundle
1-2 CANDU Reactor Assembly
3-1 CANDU Reactor Shutdown Systems
3-2 CANDU 3 Layout Illustrating Physical Separation

ACKNOWLEDGEMENTS

This work was sponsored by the U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, Division of Systems Research. Zoltan Rosztoczy, Anthony J. DiPalo, and Ralph O. Meyer provided guidance and direction for this work. We are also indebted to the personnel of Atomic Energy of Canada Limited (AECL), Ontario Hydro (OH), the Atomic Energy Control Board (AECB), and the Ministry of the Solicitor General of the Province of Ontario for their cooperation and invaluable input to this work. We particularly want to thank the following and their staffs: Massimo Bonechi, Daniel A. Meneley, and Raj Jaitly of AECL; G.M. Frescura of OH; Bernard M. Ewing and Peter H. Wigfull of AECB; and F.B. Ali of the Ministry of the Solicitor General.

CANDU REACTORS, THEIR REGULATION IN CANADA, AND THE IDENTIFICATION OF RELEVANT NRC SAFETY ISSUES

1. DESIGN CHARACTERISTICS OF CANDU REACTORS

1.1 Introduction

CANDU (Canadian Deuterium Uranium) reactors are Canadian-designed pressurized heavy water power reactors (PHWRs) that are operating or under construction in Argentina, India, Korea, Pakistan, and Romania, as well as in Canada. The reactors operating in the Province of Ontario are in multi-unit stations (Pickering, Bruce, and Darlington) and have power ratings that range from 515 MWe to 881 MWe. Elsewhere in Canada and in Argentina, Korea, and Romania, there are single-unit 600 MWe CANDU 6 plants (the CANDU reactors in India and Pakistan were built in the early 1970s and are smaller). The multi-unit stations and single-unit stations employ different containment systems. The multi-unit stations have a single integrated containment system employing negative pressures, dousing water pressure suppression, and a vacuum building. The containment at the single-unit stations includes dousing water pressure suppression systems and filtered air discharge (Morison, et al., 1987).

Atomic Energy of Canada Limited (AECL), the designer of CANDU reactors, and its subsidiary in the United States, are considering submitting a 450-MWe design for standard design certification under 10 CFR Part 52. This design is known as the CANDU 3. The U.S. Nuclear Regulatory Commission's (NRC) regulations for licensing of commercial power reactors are contained primarily in 10 CFR Parts 50 and 100 and were developed for light-water reactors (LWRs) in the United States. These regulations address safety concerns of LWRs and frequently refer to LWRs, boiling water reactors (BWRs), or pressurized water reactors (PWRs). Because of differences in design, CANDU reactors have different safety-related characteristics than LWRs. Therefore, phenomena that are safety concerns for LWRs that should be addressed in regulations may not occur or be safety concerns for CANDU reactors. Similarly, phenomena that are safety concerns for CANDU reactors that should be addressed in regulations may not occur or be safety concerns for LWRs.

One objective of this report is to review the design characteristics of CANDU reactors and their regulation in Canada. Another objective is to identify the Canadian regulatory requirements, policies, and guidance that are specific to CANDU reactors. As only CANDU reactors have been licensed in Canada, it may not be possible to distinguish Canadian regulatory philosophy from CANDU-specific requirements except for requirements that apply to components that are CANDU-specific. The last objective is to identify some NRC (i.e., LWR) issues relevant to CANDU reactors.

This report is organized as follows. The remainder of this section discusses the general design characteristics of CANDU reactors and some safety-related consequences resulting from these characteristics. When the design characteristics differ among models of CANDU reactors, the characteristics of CANDU 3 reactors will be described, if possible. The safety systems used in CANDU reactors evolved in response to the safety requirements imposed by the Canadian regulatory agency, the Atomic Energy Control Board (AECB). As the AECB has had years of experience in dealing with the safety of CANDU reactors and as the CANDU 3 design that may be submitted for standard design certification in the United States will have gone through (or will be going through) a similar process in Canada, the Canadian licensing framework and safety requirements, which will have shaped the CANDU design, are relevant, and are discussed in Section 2. Those Canadian requirements that appear to be specific to the CANDU reactor design are also discussed in Section 2. The safety systems that have evolved to meet the Canadian regulatory requirements are discussed in Section 3. In Section 4, NRC issues relevant to CANDU reactors are identified.

1.2 Design Characteristics

A CANDU reactor is fuelled by natural uranium dioxide (UO2), and cooled and moderated by heavy water. Fuel bundles and heavy water coolant are contained within horizontal pressure tubes. In the CANDU 3, there are 37 zirconium-alloy-clad fuel elements in a fuel bundle, 12 bundles per pressure tube, and 232 pressure tubes in the reactor. Each pressure tube is isolated and insulated from the moderator by a concentric calandria tube. The space between a pressure tube and a calandria tube is filled with a gas (frequently dry CO2). Figure 1-1 illustrates a fuel lattice. A heavy water moderator-reflector is contained within a horizontal, cylindrical vessel, called the calandria. The calandria tubes can be thought of as internal surfaces of the calandria. Because of the separation afforded by the pressure tube concept, the coolant is hot and pressurized, and the moderator is cool and at essentially atmospheric pressure. This arrangement is illustrated in Figure 1-2.

On-power fuelling is used in CANDU reactors to compensate for reduction in reactivity from fuel burnup. Because of the use of natural uranium as the fuel, a CANDU reactor has very little excess reactivity, small reactivity coefficients, and low fuel burnup relative to LWRs. The limited excess reactivity is accommodated by the use of on-power fuelling. Associated with each pressure tube is a fuel channel for fuelling purposes. Approximately 12 fuel bundles per day will be replaced in the CANDU 3. To maintain appropriate power shapes, these bundles would not be from a single fuel channel, but rather from three or four fuel channels. Most CANDU reactors use two fuelling machines: one to insert fresh fuel bundles at one end of the fuel channel; the other to remove spent fuel bundles at the opposite end of the fuel channel. However, the CANDU 3 is being designed for use with only one fuelling machine, and would be fuelled from only one side of the reactor.

The pressure tube design coupled with on-power fuelling permits rapid removal of a defective fuel bundle that is leaking fission product activity into the coolant. Such defective fuel is first detected by a gaseous fission product monitoring system, which analyzes flowing samples of the coolant. Then a delayed neutron monitor can be used to identify those fuel channels that contain the defective fuel bundle, which can then be removed during power operation by the fuelling machine (Kugler, 1980).

Figure 1-1 37-Element Fuel Bundle (Source: Fig. 1.41-1 of Kugler, 1980)

Figure 1-2 CANDU Reactor Assembly (Source: Fig. 1.2.1-1 of Kugler, 1980)

The terminology that has evolved divides equipment and systems used in a CANDU design into two groups: (1) process systems; and (2) special safety systems. Process systems are those systems used in the normal operations of the plant. Examples of process systems important for safety are: the heat transport system that transports heat from the reactor fuel to where it can generate steam for electricity production or be rejected to the environment; and the reactivity regulating system that controls the power level and distribution throughout the core. If there is an event or process malfunction that creates a safety problem beyond the capability of the process systems, then one or more of the special safety systems are called upon to function. In the absence of such conditions, special safety systems are not in use. Special safety systems are: (1) shutdown system 1 (SDS 1); (2) shutdown system 2 (SDS 2); (3) the emergency core cooling system (ECCS); and (4) the containment system.

CANDU reactors are faced with the same general safety requirements as LWRs. There must be the capability: to shut down the reactor; to limit overpressure in the heat transport system; to remove decay heat; and to limit the release of radioactive materials to the environment. Similarly, CANDU reactors have the same types of protective barriers to the release of fission products as LWRs: a ceramic fuel with a high melting point, zirconium alloy clad; a reactor coolant pressure boundary; and a containment system. Therefore, the special safety systems serve the same purposes as safety systems for LWRs: shutdown systems; emergency core cooling systems (ECCSs); and containment systems. The regulatory requirements that these systems must meet in Canada are described in Section 2. The systems that have evolved to meet these requirements and their separation and independence are described in Section 3.

1.3 Some Safety-Related Consequences of Design Characteristics

CANDU reactors have negative fuel temperature coefficients from the Doppler effect and positive coolant void coefficients (a decrease in coolant density results in an increase in reactivity). For small variations about nominal operating conditions, the power coefficient (i.e., the combination of the reactivity coefficients from changes in fuel temperature, coolant density, and moderator density) is slightly negative but close to zero (AECL, 1989). However, for small variations at powers somewhat above nominal operating conditions, the power coefficient may be slightly positive. It has been estimated that because of the onset of exit boiling, the power coefficient for the CANDU 3 would turn positive between 105% and 115% of nominal full power (i.e., go from -0.009 mk/% power increase to a small positive power coefficient).

Because of the positive void coefficient, a loss of coolant accident (LOCA) would cause an increase in reactivity that the shutdown systems are designed to handle. Mitigating the size of the power pulse following such a transient is the fact that reactivity-insertion-transients tend to be slower in CANDU reactors than in other reactors. This is because the prompt neutron lifetime is relatively long (0.9 ms) and because the delayed neutron fraction is enhanced by delayed photoneutrons from the dissociation of the deuteron by gamma rays from the decay of fission products. Also, as noted above, the available excess reactivity is limited, another factor in limiting the consequences of reactivity insertion transients.

A CANDU core is larger than an LWR core generating the same power. This leads to the possibility of unstable xenon power oscillations that could cause some fuel to overheat. The reactor regulating system in CANDU reactors, which is controlled by computers, contains a number of regulating components. These may include: cobalt or stainless steel adjuster rods; liquid zone controllers in which the level of light water can be varied; mechanical zone controllers; cadmium control absorbers, which may be positioned outside of the core, moderator poison; or even booster rods of enriched uranium (Bruce A). When the reactor regulating system includes liquid zone controllers, xenon instability can be controlled by differentially filling or draining individual zone controllers. For simplicity, mechanical zone control units, rather than liquid zone control units, are used as the primary means of regulating the power distribution in the CANDU 3 design (Hedges, 1990).

Separation of the moderator and coolant has several advantages. Reactivity devices, both regulating and shutdown, are located in the low-pressure moderator where they are less subject to damage in the event of a LOCA than are reactivity devices in an LWR. The negative moderator temperature coefficient introduces a positive reactivity following an accidental cooldown in an LWR. In a CANDU reactor, reactivity is not sensitive to rapid cooldown accidents. Also, in the event of a LOCA and loss of the ECCS, the moderator can act as a heat sink to provide further assurance that a coolable core configuration is maintained.

Because of the use of heavy water, tritium is formed from neutron capture by the deuteron, and tritium inventories are larger than in LWRs. Because of the use of natural uranium, fuel burnup and fission product inventories are relatively low compared with LWRs.

2. REGULATION AND LICENSING OF CANDU REACTORS IN CANADA

This section discusses safety aspects of regulation and licensing of CANDU reactor plants in Canada. Most aspects of regulation and licensing are within the jurisdiction of the Atomic Energy Control Board (AECB or Board). The Board, a body with five members, one of whom is appointed President and Chief Executive, was created by the Atomic Energy Control Act of 1946 (Chap. A-19, Revised Statutes of Canada) and was empowered to make regulations governing all aspects of the development and application of atomic energy. In 1954, the Act was amended to transfer responsibility for research and exploitation of atomic energy to a designated minister and to transform the Board into a strictly regulatory agency. Atomic Energy of Canada, Limited (AECL), a government-owned company that had been formed in 1952, carries out the research and exploitation duties and is responsible to the designated minister.

Canada is comprised of 10 provinces and two territories; each province has authority in certain areas relating to nuclear reactors. They have jurisdiction over occupational health and safety matters, except for radiation protection, which is a responsibility of the AECB. Provincial inspectors have the power to inspect all pressure vessels, including the pressure tubes of CANDU reactors. Offsite radiological emergency planning is also a provincial responsibility in Canada. A province may interpret this responsibility broadly. For example, the Province of Ontario has requested and Ontario Hydro has agreed that provincial concurrence is required for any action that could have offsite effects, e.g., venting radioactive gases (Ahearne, 1989). The provincial ministry with jurisdiction over radiological emergency planning in Ontario is the Ministry of the Solicitor General (Ontario, 1986).

Permeating the Canadian regulatory framework is the fundamental principle that the applicant/licensee bears the basic responsibility for safety, with the AECB primarily setting safety objectives and some performance requirements, and auditing the licensee's performance (Atchison, et al., 1983). There are few formal regulatory requirements, and these are of the nature of numerical safety goals and objectives, rather than prescriptive design or operational rules. Safety requirements sufficiently detailed for design purposes are developed during the licensing process through negotiations between the applicant and the AECB.

2.1 Regulations and Regulatory Instruments

The AECB has issued regulations, known as Atomic Energy Control Regulations. These are formally equivalent to NRC's regulations in Title 10 of the Code of Federal Regulations (all references to 10 CFR are to the January 1, 1991 edition). The AECB has also issued "Regulatory Policy Statements" that contain safety requirements for CANDU reactors and "Consultative Documents" that contain regulatory proposals that are published to solicit comments.

2.1.1 Atomic Energy Control Regulations

The AECB promulgated formal regulations, known as Atomic Energy Control Regulations, that were consolidated as of December 31, 1977 (CRC, 1978), and which have been amended several times since. Part II, which pertains to "Nuclear Facilities" and which is only two pages in length, contains broadly stated requirements for a license for a nuclear facility. The only quantitative requirement is that measures be taken to reduce doses to persons from operation of a nuclear facility below certain maximum permissible levels, the latest version of which is given in Table 2-1 (SOR, 1985). These maximum permissible doses are similar to those promulgated by the NRC in 10 CFR Part 20 in §§20.101 and 20.105 prior to the recent comprehensive revision of 10 CFR Part 20 (NRC, 1991).

2.1.2 Regulatory Policy Statements

Regulatory Policy Statements are used to define safety requirements for CANDU reactors. They do not have the force of law, as do the Atomic Energy Control Regulations, but they seem to have more weight than NRC's Regulatory Guides. As stated in prefaces, Regulatory Policy Statements are described as "firm expressions that particular 'requirements' not expressed as Regulations or License Conditions be complied with or that any requirements be met in a particular manner but where the AECB retains the discretion to allow deviations or to consider alternative means of attaining the same objectives where a satisfactory case is made." There are five Regulatory Policy Statements relating to reactor safety, four of which impose requirements on special safety systems (emergency core cooling system, shutdown systems, and containment). These are commonly referred to as: R-7 (AECB, 1991a) relating to containment systems; R-8 (AECB, 1991b) and R-10 (AECB, 1977) relating to shutdown systems; and R-9 (AECB, 1991c) relating to emergency core cooling systems (ECCSs). The fifth, R-77 (AECB, 1987a), addresses overpressure protection for primary heat transport systems. These Regulatory Policy Statements have, in effect, codified basic long-standing Canadian regulatory practice (Hurst and Boyd, 1972).

Table 2-1 Maximum Permissible Doses Imposed by Atomic Energy Control Regulations (a)

| Organ or Tissue | Atomic Energy Worker: Rem per Quarter-year | Atomic Energy Worker: Rem/year | Any Other Person: Rem/year |
|---|---|---|---|
| Whole body, gonads, bone marrow | 3 | 5 | 0.5 |
| Bone, skin, thyroid | 15 | 30 | 3 |
| Any tissue of the hand, forearms, feet, and ankles | 38 | 75 | 7.5 |
| Lungs and other single organs or tissue | 8 | 15 | 1.5 |

(a) In Consultative Document C-83 (AECB, 1986), the AECB is proposing to change the maximum permissible doses to bring them into better conformance with the recommendations of the ICRP.

Source: SOR, 1985

The subject matter of Regulatory Policy Statements is not restricted to nuclear reactor safety, but rather covers the full range of the AECB's jurisdiction. Other subjects include regulatory objectives, requirements, and guidelines for the disposal of radioactive waste (R-104) and policy on monitoring and dose recording for the individual (R-91). Comprehensive listings of Regulatory Policy Statements, Consultative Documents, and other AECB reports and documents are contained in a catalogue (see Appendix A). Some of the major safety requirements contained in these documents will now be described.

Classes of Failures

Traditionally, the events for which the Board has required analysis have been divided into two classes. In both classes, there is a serious process system failure. This is defined in R-10 (AECB, 1977) as any failure of process equipment or procedure which could lead to a significant release of radioactive material from the station in the absence of special safety system action. A significant release is one which would result in individual or population doses in excess of those in Table 2-2 (Table 1 of R-10) for Class 1 failures.

In a Class 1 failure, there is a serious process failure and no impairment of the special safety systems, i.e., one of the shutdown systems operates as designed and both the containment and the ECCS operate as designed. In a Class 2 failure, there is a serious process failure, one shutdown system operates as designed, and either: the containment operates as designed and the ECCS is unavailable; or the ECCS operates as designed and the containment is impaired.

Table 2-2 Reference Dose Limits for Postulated Failure Conditions

| Situation | Meteorology to be Used in Calculations | Maximum Individual Dose Limits | Maximum Total Population Dose Limits (a) |
|---|---|---|---|
| Class 1 Failure | Either worst weather existing at most 10% of time or Pasquill F condition if local data incomplete | 0.5 rem whole body; 3 rem to thyroid (b) | 10[exponent illegible] person-rem; 10[exponent illegible] thyroid-rem |
| Class 2 Failure | Either worst weather existing at most 10% of time or Pasquill F condition if local data incomplete | 25 rem whole body; 250 rem to thyroid (c) | 10[exponent illegible] person-rem; 10[exponent illegible] thyroid-rem |

(a) For purposes of the safety analysis, population dose is integrated from the station boundary out to a distance where the individual dose is 1% of the dose to an individual at the boundary.

(b) For other organs, use 1/10 ICRP occupational value.

(c) For other organs, use 5 times ICRP annual occupational dose.

Source: AECB, 1977.

Unavailability of Special Safety Systems

Regulatory Policy Statements R-7 through R-10 (AECB, 1977, 1991a-c) require that each special safety system (containment, ECCS, each shutdown system) be designed so that it can be demonstrated that its unavailability to meet all its minimum allowable performance standards is less than 10^-3 years per year, or approximately 8 hours per year.

Regulatory documents do not address the frequency of serious process failures. However, it is established Canadian practice that in the aggregate the frequency of serious process failures should not exceed one in every three reactor years (Atchison, et al., 1983). The rationale for this frequency is that a claim by a licensee that the incidence of serious process failures will not exceed this frequency can be validated from a few years of operation of the plant (Laurence, 1965).

Reference Dose Limits

Regulatory Policy Statement R-10 requires that an applicant for an operating license show by analysis, adequately supported by experimental evidence, that the reference doses given in Table 2-2 are not exceeded if a Class 1 failure or a Class 2 failure were to occur. It should be noted that the dose to the maximally exposed offsite individual for Class 1 failures in Table 2-2 is the maximum permissible dose for normal operations to other than atomic radiation workers from the Atomic Energy Control Regulations (see Table 2-1). Also, the population dose limit for Class 1 accidents is the annual population dose limit for normal operations in Canadian licensing practice (Boyd, 1967). Because the Pickering Station is in densely populated metropolitan Toronto, the AECB imposed limits on collective dose. The rationale for using the same dose limits for normal operations and Class 1 failures is that the limiting frequency of serious process failures is so high that they can be regarded as a feature of normal operations, and doses to the public from such failures can be treated as part of the doses from normal operations (Laurence, 1965).

For coincident serious process and special safety system failures (Class 2), the individual dose limits were chosen to be values at the lower limit of possible early somatic damage. The population dose limits were chosen to result in about 10 cases of leukemia or 30 cases of thyroid carcinoma over a number of years. These incidences of leukemia and thyroid carcinoma were considered comparable to the normal incidence in a population of a million (Boyd, 1965). Because the estimated frequency of a Class 2 failure is less than 10/yr, it was felt that these limiting doses would not result in inordinate risk to the public.

Performance Requirements

Regulatory Policy Statements R-7 through R-9 impose certain performance requirements on each special safety system. Each must be capable of limiting dose to the public to reference dose limits for certain specified events involving serious process failures with and without coincident failures of special safety systems. The events are listed in tables in the respective Regulatory Policy Statements and may differ among special safety systems. Each special safety system is required to meet certain performance requirements associated with its function when the specified events occur.

Each shutdown system should be designed such that it is able to render the reactor subcritical and maintain it subcritical, and to ensure that any fuel failure mechanism does not result in a loss of primary heat transport system integrity (AECB, 1991b). The ECCS should ensure, except for failures associated with the initiating event, that for the specified events: fuel in the reactor shall not fail because of inadequate cooling; and all fuel in the reactor and all fuel channels shall be kept in a configuration such that continued removal by the ECCS of the decay heat produced by the fuel can be maintained. Also, the ECCS shall be capable of continuing to supply sufficient cooling flow for as long as required to prevent further damage to the fuel (AECB, 1991c). For the containment system, there are requirements that the specified events not cause loss of structural integrity, damage to the containment structure, or the positive design pressure of each part of the containment envelope being exceeded (AECB, 1991a).

Regulatory Policy Statement R-77 (AECB, 1987a) clarifies the requirement of R-10 that each shutdown system should incorporate two diverse trip parameters for serious process failures requiring shutdown action. The shutdown systems are viewed as part of an integrated shutdown overpressure protection system so that it is necessary to define appropriate service limits for events and failures which lead to overpressure and which occur coincidently with various shutdown system impairments. R-77 specifies service limits associated with the trip of the shutdown systems for the particular event under consideration. These service limits, which are defined in the general requirements section under Section III of the Boiler and Pressure Vessel Code of the American Society of Mechanical Engineers (ASME Code), are dependent on the frequency of the event or failure and whether the shutdown system is the first or second shutdown system to trip.

Environmental Requirements

Each special safety system and its components that may be required to operate, or to continue to operate, in response to the specified events, are required to be designed to meet all necessary performance requirements while being subjected to the most severe environmental conditions that could be present when or before such equipment is required. Qualification is to consist, where practicable, of tests that demonstrate that the equipment can operate under conditions similar to those occurring if the events happened. If such tests are impracticable, then analysis is required to demonstrate that the environmental requirement is met.

The specified events are described in tables in R-7 through R-9. The events include failure of components that are found in CANDU reactors but not in LWRs, such as pressure tubes, calandria tubes, and of fuelling machines.

Separation and Independence

Regulatory Policy Statements R-7 through R-9 require that, to the extent practicable, each special safety system shall be physically and operationally independent from process systems and from other special safety systems. The two shutdown systems should be of diverse designs, and should be able to meet their performance requirements effectively independent of the correct functioning of process systems and other special safety systems. This basic principle of separation and independence of safety systems is attributed to the recognition after a serious accident at the NRX research reactor in 1952 that even well-designed and well-built systems fail (Atchison, et al., 1983).

Seismic Qualification

Each special safety system, and its support systems, are required to be seismically qualified. Each shutdown system and the containment system are required to perform their function following a design basis earthquake (DBE), which is a counterpart to the safe shutdown earthquake in the United States. In addition, there must be a seismically qualified area from which each shutdown system can be manually activated following a DBE. The emergency core cooling system is required to continue fuel cooling following a site design earthquake that occurred after cooling had been re-established following a LOCA. The site design earthquake is a much weaker earthquake than the DBE. The design basis earthquake is not assumed to induce a LOCA in the Canadian safety analysis. Numerous systems, including the primary heat transport system (PHTS), are designed to retain structural integrity following a DBE.

2.1.3 Consultative Documents

Another type of regulatory document is the Consultative Document, which is published by the AECB to solicit comments from the nuclear industry and the public on a regulatory proposal.

In certain cases, after the public comment period, a Consultative Document may have trial use to gain practical experience. Following the period of trial use, a revised document is reissued for further public comment prior to release in final form. The process of accepting a Consultative Document as a Regulatory Policy Statement is deliberate. For example, it took over a decade for the Consultative Documents with requirements for the special safety systems (C-7 through C-9) to be issued as Regulatory Policy Statements R-7 through R-9.

Consultative Document C-6 addresses the content of safety analyses (AECB, 1980). It has been used on a trial basis in the licensing of Ontario Hydro's Darlington Station (Marchildon, 1985) and is expected to be issued as a Regulatory Policy Statement in modified form. Consultative Document C-6 specifies certain events that should be analyzed in a Safety Report and provides the ground rules for the analysis. In contrast to R-10, which divides events into two classes (serious process failures and special safety system failures coincident with serious process failures), C-6 divides events into five classes and requires that the dose to the maximally exposed offsite individual for a period up to at least 30 days after the worst case of the event not exceed certain reference doses. C-6 not only contains a table with events that are required to be analyzed in a safety analysis and their class, but requires the applicant to analyze additional events that a review of the plant design, operational procedures, and potential external influences identify, and which may pose a comparable or greater risk to the public than the events specified in the table. Although C-6 does not specify the basis for the division of events into classes, as C-6 was applied for the Darlington licensing process the expected frequency of the event was the basis for the specification of classes (Ontario Hydro, 1988). Table 2-3 shows the licensing criteria used for Darlington.

Consultative Document C-6 is being used in the Standard Plant Design Approval (SPDA) process (the SPDA is the Canadian counterpart to NRC's Standard Design Certification) that the CANDU 3 design is currently undergoing. AECL, the applicant in the SPDA process, responded to the use of C-6 by developing what it calls the Systematic Plant Review and Analysis Process (SPRAP) for identifying potential events in a systematic way. The SPRAP has the following steps (Jaitly, 1991):

(1) Systems containing radionuclides are identified;
(2) Using computer aided design techniques and flow sheets, systems interfacing with those containing radionuclides are identified;
(3) Systems that are adjacent to those containing radionuclides are identified;
(4) Consequences of failures of individual components or combinations of components of systems containing radionuclides are examined;
(5) Consequences of failures of systems interfacing with or adjacent to each system containing radionuclides are examined;
(6) Failure modes that have similar plant responses are combined into a dominant event;
(7) The plant response to a dominant event is examined by a Probabilistic Safety Analysis;
(8) Consequence analysis requirements are defined from event tree analysis; and
(9) Consequence analyses with containment impairments considered, as appropriate, are performed.

Table 2-3 Radiation Dose Limits Based on Consultative Document C-6 Used in Licensing the Darlington Station

Event Class | Qualitative Event Frequency Criteria | Expected Frequency (a) (per reactor-yr) | Individual Dose Limit, Whole Body (rem) | Individual Dose Limit, Thyroid (rem)
1 | Greater than 50% chance of occurring in the lifetime of a single reactor; or more frequent than twice in the lifetime of a four-unit station. | f > 10 2 | 0.05 | 0.5
2 | About once in the lifetime of an eight-unit station. | 10 2 > f > 10 | 0.5 | 5
3 | Low probability postulated failure. | 10 > f > 10 | 3 | 30
4 | Very low probability postulated accident | 10d > f > 10 | 10 | 100
5 | Extremely low probability postulated failure. | f < 10 | 25 | 250

(a) Expected frequency ranges are not part of Consultative Document C-6 (AECB, 1980); they were used by Ontario Hydro to classify events needing analysis that are not listed in C-6.

Source: Ontario Hydro, 1988, Table 1-3

Consultative Document C-6 would also require that the consequences of certain serious process failures combined with massive containment impairments that could result in very large releases of radioactive material from containment be analyzed. These events would be of interest to fully assess the risk to the public posed by a nuclear station, although they are not design basis events because of their low frequency of occurrence.

A number of the events that C-6 requires be analyzed involve failure of pressure tubes and calandria tubes or involve the on-power fuelling machine, design features that are particular to CANDU reactors, or at least are not applicable to LWRs. For example, Class IV events are next to the most severe class of events. One set of Class IV events involves a fuelling machine backing off the reactor without the fuel channel assembly closure plug being replaced; another set of Class IV events involves failure of a fuelling machine when off reactor and containing a full complement of irradiated fuel.

Two other Consultative Documents are relevant, C-83 and C-98. Consultative Document C-83 (AECB, 1986) contains proposals for general amendments to the Atomic Energy Control Regulations. The proposed amendments for Nuclear Facilities would increase the scope of the AECB's control to include environmentally significant site preparation work, decommissioning, and abandonment. They would also codify the general requirements for a construction license. They would generally add the requirement that an applicant for a license address protection of the environment, so that the AECB could better implement a requirement for an environmental assessment. The scope of the environmental assessment would be limited to the site and the nuclear facility. There is no requirement to consider the environmental effects of the nuclear fuel cycle, such as in 10 CFR §51.51. The proposed amendments for Radiation Protection would make some changes in the maximum permissible doses to bring them into better conformance with recommendations of the International Commission on Radiological Protection.

Consultative Document C-98 (AECB,1987b) is a proposed Regulatory Policy Statement that addresses the reliability of safety-related systems in nuclear reactors. It identifies general requirements for a reliability analysis for such systems.

2.2 The Licensing Process

There are no regulatory documents that specify the steps in the licensing process. However, there are reports that document the process (Boyd, 1966; Joyce, 1979). There are three phases in the traditional licensing process: (1) Site Acceptance; (2) Construction Approval; and (3) Operating License. The trend in licensing in Canada is toward a process similar to standard design certification under 10 CFR Part 52. Since March 1989, the CANDU 3 has been in the process of obtaining a Standard Plant Design Approval (SPDA). The SPDA means ratification of a design such that a combined construction permit and provisional operating license will be issued for plants using the design, without further review except for site specific aspects (Hedges, et al., 1990). The scheduled date for the CANDU 3 to receive the SPDA as of January 1992 was April 1996. From the experience of licensing Gentilly-2 in Quebec and Point Lepreau in New Brunswick, it was learned that a larger proportion of the required licensing documentation could be submitted at an early stage of the licensing process (Marchildon, 1985). The Standard Plant Design Approval process continues this trend.

2.2.1 Site Acceptance

There are two objectives of this phase: (1) to establish the conceptual design; and (2) to determine the feasibility of designing, constructing, and operating on the site a facility that meets the AECB's safety requirements. The applicant is required to submit a Site Evaluation Report with its application for site acceptance. The content of the Site Evaluation Report should address these two objectives. It should contain sufficient information on the conceptual design and operation together with such preliminary safety analysis as may be necessary so that the site's acceptability for the particular design can be judged (Joyce, 1979).

The site acceptance process includes at least one public meeting in the vicinity of the site.

If requested by the applicant, the AECB will give the Site Evaluation Report a preliminary review to identify any major obstacles to site acceptance. Eventually, the applicant will submit the final Site Evaluation Report. The AECB staff reviews this final report and prepares a report that is reviewed by the Board in reaching a decision on site acceptance.

2.2.2 Construction Approval

The primary concern of the AECB during the construction approval phase is to ensure that the design meets the AECB safety requirements. To do this, the design should be sufficiently advanced that events specified in Regulatory Policy Statements can be analyzed. Construction will be authorized only when the design and safety analysis programs have advanced such that the AECB can make a judgment that no further significant design changes will occur (Joyce, 1979). A significant design change appears to be one that would change results in the safety analysis.

The construction approval phase begins with a meeting of the AECB and applicant staff to reach agreement on the procedures for obtaining a construction approval. This meeting sets the ground rules and ensures that the applicant understands the AECB's basic safety requirements.

Based on this understanding, the applicant prepares a set of documents called Nuclear Safety Design Guides. The Nuclear Safety Design Guides are detailed sets of instructions that inform the facility designers of the particular requirements and standards that the safety-related systems must meet.

Draft Nuclear Safety Design Guides are reviewed by the AECB staff for compliance with AECB requirements and to ensure that the entire series of documents is sufficiently comprehensive. Usually, a few iterations are needed before the documents are acceptable. The number of Nuclear Safety Design Guides and the subjects addressed in each vary from station to station. For the Darlington Station, nine were used (Ontario Hydro, 1988); for the CANDU 3, there are 12. There is a Nuclear Safety Design Guide for each special safety system. Other design guides may address subjects including: common mode incidents - seismic design; limiting consequences of postulated pipe ruptures; and environmental qualification of safety-related equipment.

Nuclear Safety Design Guides appear to play a role equivalent to Regulatory Guides in the NRC's regulatory framework. However, in keeping with the Canadian approach that places primary responsibility for safety on the applicant, with the AECB setting safety objectives and performance requirements, and auditing results, requirements and standards that must be met by safety-related systems are not developed by the regulatory agency, but rather by the applicant.

Information from the Nuclear Safety Design Guides provides input to the System Design Requirements, which are used to develop the reference design in which the major parameters of the design are fixed. The process of developing the detailed design is also accomplished during the construction approval phase. The process of detailed design includes the preparation of design specifications, design descriptions, and auditing the design from the perspective of exposure of the operating and maintenance staff to radiation. Concurrently and interacting strongly with the detailed design process, is development of a safety analysis. The safety analysis is a process in which the safety consequences of certain hypothetical events specified by the AECB (e.g., those specified in R-7 through R-9, or in C-6) are analyzed (Joyce, 1979). The applicant must demonstrate the estimated consequences to humans of radiological releases are within the criteria set by the AECB.

2.2.3 Operating License

The AECB's main concerns in the phase leading to granting an operating license are: that the plant as built conforms to the design submitted and approved; and that the plans for operations are satisfactory. If the design was not complete when the construction approval was given, then the Safety Report must be updated so that the AECB can determine that the more detailed design continues to meet safety requirements. Also, Regulatory Policy Statements R-7 through R-9 require that the AECB approve procedures to conform to the operating requirements and testing requirements contained in those regulatory documents.

The operating license phase usually includes submission of a Final Safety Report; completion of a previously approved commissioning program; examination and authorization of senior personnel; approval of Operating Policies and Principles; and preparation of plans and procedures for operations quality assurance and for dealing with radiological emergencies (Atchison, et al., 1983). Positions that require AECB authorization include station manager, shift supervisor, shift operating supervisor, and unit first operator. The station manager is responsible for ensuring that all staff are trained to execute their duties, with emphasis placed on the AECB authorized staff (Ontario Hydro, 1988). Canada does not require licensing of plant operators; instead key staff are examined and authorized by the AECB and the station manager is responsible for the training and performance of supporting plant staff.

The Operating Policies and Principles (OP&P) is a document prepared by the applicant and subject to review by the AECB that specifies the principles and constraints to which the station will be operated. When it is approved, it becomes a condition of the operating license. Ontario Hydro stations have Abnormal Incidents Manuals (AIMS) to help operations personnel take appropriate actions following a process system failure, a special safety system impairment, or a common mode event. It provides an operator with procedures for achieving a safe condition based on a wide sample of postulated accidents (Ontario Hydro, 1988). Operating Policies and Principles and Abnormal Incidents Manuals play the same role as technical specifications and emergency operating procedures (EOPs), respectively, in the United States.

2.2.4 License Renewals

Operating licenses in Canada are for relatively short terms. They are at most for two years, but can be for as short a period as six months. There are several reasons why the licenses have such short terms. The AECB assigns resident station representatives to do monitoring and surveillance of the operations, maintenance, and performance of the reactor plants. These resident station representatives generally have somewhat more authority than NRC inspectors, especially regarding recommendations for changes in license conditions. From the performance of a station, it might be appropriate to drop some license conditions, retain others, and possibly add new conditions. Short license terms are convenient for changing performance-based license conditions in response to resident station representative recommendations. If a unit's performance is good, license renewal is a routine matter.

The types of performance characteristics with which resident station representatives are concerned include exposure to workers and other persons. Ontario Hydro's reports compare measured and projected exposures to target exposures that have taken on regulatory significance.

If target exposures are exceeded, the utility and the AECB would consider there to be a problem that should be corrected. For persons other than atomic radiation workers, the target exposure is 1% of the maximum permissible dose set by the Atomic Energy Control Regulations, or 5 mrem. This 5-mrem target is consistent with the ALARA limits in Appendix I to 10 CFR Part 50.

Licensees are required to update their safety analysis for a plant as specified in the license.

Changes in the safety analysis or the subject of generic letters issued by the AECB may suggest modification of license conditions, and a short license term facilitates getting the requirements of generic letters and the results of updated safety analyses incorporated in license conditions. Also a short license term facilitates getting the results of research programs (e.g., the research into the design of pressure tubes) incorporated in license conditions.

2.3 Emergency Planning

Offsite emergency planning in Canada is a provincial responsibility. There is no federal agency involvement equivalent to that of the Federal Emergency Management Agency (FEMA) in the United States. The AECB has jurisdiction over onsite emergency planning and makes decisions concerning major safety areas; however, it will not issue a license unless safety arrangements are acceptable to provincial authorities. The Province of Ontario, where all but two of Canada's reactors are located, has developed emergency plans that are similar in structure to, but generally less detailed than, the State and local plans in the United States. It has a master plan (Ontario, 1986) and station-dependent supplements such as for the Pickering Station (Ontario, 1990); however, it generally adheres to United States practice for plants that are located in the United States near the Canadian border (e.g., the Fermi 2 Plant in Newport, Mich.).

There are several differences between Ontario's master plan and NRC requirements. For example, the plume exposure emergency planning zone (EPZ) and ingestion EPZ for CANDU plants have radii of 10 km and 50 km, respectively, rather than 10 mi and 50 mi, as in the United States.

Also, there are only three emergency classification levels (called "notification categories") rather than four as in the United States. However, generally, the differences in offsite emergency planning are not based on differences in technology between CANDU reactors and LWRs. For example, the 10 km radius for the plume exposure EPZ was arrived at by assuming a Class 2 Failure resulting in a dose of 25 rem at the plant boundary to the maximally exposed individual (the reference dose limit set by the AECB), assuming that dose rate is reduced with distance according to (distance)", and calculating the distance at which the province's threshold dose for evacuation (1 rem) would not be exceeded (Ontario, 1984).

The Ontario Provincial Working Group #8 has recommended (Ontario, 1988) that there be planning for two types of accidents: the Maximum Planning Accident (MPA) and the Worst Credible Radiation Emission (WCRE). The Maximum Planning Accident would give the maximum 4 4 consequences of any accident whose probability is above a predetermined value (10 to 10 / reactor-year). It would be the highest consequence accident of the kinds that are currently considered in safety analysis. The MPA would then form the basis for the type of emergency planning and preparedness currently being done in Ontario.

The Worst Credible Radiation Emission (WCRE) is defined as the maximum consequences possible from any nuclear disaster within the limits of physical and chemical realities. It would typically involve a triple failure: a serious process failure; a failure of shutdown, or shutdown and ECCS; and a containment failure. Its frequency would then be less than 0.1% of that of the MPA.

Full and detailed emergency planning and preparedness would not be required for the WCRE; rather only planning and preparedness to mitigate early morbidity and mortality in the event of a WCRE would be required. The WCRE defined by Ontario Working Group #8 is not the same accident as the beyond-design-basis accidents described in the AECB's Consultative Document C-6, which involves serious process failures and massive containment failure, but not concurrent failures of the shutdown systems and the ECCS. Concern with the WCRE represents how provinces in Canada may get involved in safety areas that states in the United States do not.

2.4 CANDU-Specific Regulatory Requirements

The CANDU reactor is the only design of power reactor that has been submitted to the AECB for licensing. Therefore it is not possible to separate definitely those safety aspects of the Canadian regulatory framework that represent the AECB's regulatory philosophy from safety requirements that are specific to CANDU reactors. One can, however, examine the safety requirements in the Regulatory Policy Statements and the Consultative Documents and ask whether it is likely that a requirement would be applicable to another type of reactor such as an LWR. From an examination of R-6 through R-10, R-77, and C-6, it appears that all of the general requirements could apply to LWRs. However, some of the events that would require operation of special safety systems by R-6 through R-9 and some of the events that C-6 would require be analyzed involve components or equipment that are specific to CANDU reactors.

3. CANDU SAFETY SYSTEMS

In this section, CANDU safety systems are discussed. These include special safety systems and other safety-related systems.

3.1 Special Safety Systems

The AECB's Regulatory Policy Statements require that there be four special safety systems: two shutdown systems; an emergency core cooling system (ECCS); and a containment system (AECB, 1991a-c). The requirements imposed on these systems were discussed in Section 2.1.2. Special safety systems that evolved to meet the AECB's requirements are now discussed.

3.1.1 Shutdown Systems

The requirement for two shutdown systems originated in the early 1970s because of difficulty in analyzing an anticipated transient without scram (ATWS) accident (Atchison, et al., 1983). It was felt that the analysis of ATWS was too speculative to be relied upon, and that the problem could be circumvented by requiring two diverse shutdown systems, each with high availability.

The two shutdown systems are denoted as SDS1 (Shutdown System 1) and SDS2 (Shutdown System 2). Each shutdown system has sensing circuits that monitor the status of a range of parameters and if these parameters indicate potentially unsafe operation, trip logic initiates a shutdown action. For each type of process failure, there is a primary trip parameter (e.g., high neutron power) and an alternate trip parameter (e.g., high heat transport system pressure). SDS1 employs a number of cadmium-loaded rods. These rods, normally held above the reactor by electro-magnetic clutches, fall under gravity into the moderator when the clutches are deenergized upon receipt of a trip signal (or loss of power). In the CANDU 3 design, there are 24 rods in SDS1. To provide further redundancy, the rods are divided into two groups of 12 rods each. Each of the groups has separate, diverse trip signals and sufficient poison to shut down the reactor.

The second shutdown system, SDS2, uses rapid injection of a liquid poison (gadolinium nitrate dissolved in heavy water) through horizontal injector nozzles into the moderator. The liquid poison is held in tanks. Upon receipt of the trip signal, fast-acting helium pressure valves are opened causing the liquid poison to be injected into the moderator. There are six liquid poison injector nozzles in the CANDU 3 design. In safety analyses, the less effective shutdown system is credited. This is usually SDS1, with two stuck rods. When SDS2 is credited, one of the six injection nozzles is assumed not to function. The shutdown systems SDS1 and SDS2 meet the regulatory requirement that they be of diverse designs and physically and operationally independent from each other (AECB, 1991b). Figure 3-1 is a schematic representation of the two shutdown systems.

3.1.2 Emergency Core Cooling System (ECCS)

The emergency core cooling system (ECCS) is activated if the loss of normal coolant cannot be made up by the normal process systems (a loss of coolant accident or LOCA). It has a high pressure stage and a low pressure stage in the CANDU 3 design. The high pressure stage uses gas pressure to inject light water from water tanks into the headers of the primary heat transport system. Although some of the water injected by the high pressure injection system will pass directly out of the break, the remainder will pass through the core before discharging from the break. The low pressure stage, which is used for the long term, first pumps water from a low pressure storage tank that has collected in the reactor building sump area and returns it to the reactor core via the emergency core cooling heat exchanger.

3.1.3 Containment System

The containment for the CANDU 3 is a large, dry reinforced concrete structure with a steel liner, which is designed to accommodate, within design pressure, the largest pipe breaks in the heat transport system (Hedges, 1990). The containment system includes air coolers to maintain long-term cooling and hydrogen igniters. AECL believes there is sufficient natural circulation within the containment building to provide mixing of hydrogen gas with the building's atmosphere. The containment system has the capability for filtered discharge; however, this has not been credited in the safety analysis being reviewed by the AECB.

The containment system for the CANDU 3 is a departure from the containment systems for other CANDU reactors which used dousing systems for pressure suppression. In a CANDU 6 single unit station, the containment system has a plastic-lined, concrete containment building with a dousing system and operational air coolers, a filtered discharge system, access air locks, and for those system lines which may be open during normal operations, an automatically initiated containment closure system. For multiunit stations, a vacuum building, connected to each unit reactor by a duct, contains the dousing system (Kugler, 1980). Elimination of the dousing system simplifies the containment system by eliminating the required structures, piping, valves, and controls. The ECCS of earlier CANDU designs has a medium pressure stage that supplies dousing tank water. The ECCS of the CANDU 3 does not have this medium pressure stage because the containment dousing system has been eliminated.

3.1.4 Separation and Independence

AECB regulatory policy requires that special safety systems be physically and operationally independent from each other, and as far as practicable, from all process systems. Such separation and independence help ensure that safety functions can be performed if there is a common mode event (e.g., fire or earthquake) that can affect more than one major component of a system or more than one system.

[Figure 3-1: CANDU Reactor Shutdown Systems. Source: Fig. 3-1 of Ontario Hydro, 1988]

In CANDU reactors, systems are separated into two groups. The systems in one group are, to the extent practicable, physically and operationally separate and independent of the systems in the other group. The systems in each group should be capable of performing three basic safety functions: (1) to shut down the reactor; (2) to cool the fuel (residual heat removal and emergency core cooling); and (3) to monitor key plant parameters during and after an accident. In the CANDU 3 design that AECL has proposed, process systems are in Group 1 and special safety systems are in Group 2. All Group 2 systems and specified Group 1 safety-related systems are qualified to the design basis earthquake (DBE). Within Group 2, the special safety systems are totally separated from each other.

The planned station layout for the CANDU 3 reflects the separation required by the two group concept. Buildings containing equipment, systems, and activities associated with normal operations are considered to be part of Group 1. The Group 1 buildings include: the reactor auxiliary building, the Group 1 service building, the turbine building, and the maintenance building. The reactor building contains both Group 1 and Group 2 systems; and the Group 2 service building contains the parts of the Group 2 systems not in the reactor building. Figure 3-2 illustrates this separation.

3.2 Systems Performing Basic Safety Functions

The systems for performing each basic safety function within each group are now described.

3.2.1 Reactor Shutdown Capability

The reactor regulating system in Group 1 can shut down the reactor for normal operations and plant upsets. In the CANDU 3, the regulating system relies on mechanical zone control units, adjusting (power level) rods, and mechanical control absorber rods. The zone control units are used primarily for changing the flux distribution to control xenon oscillations and for adjusting for the effects of fuel loading. In Group 2 are the two shutdown systems: gravity rod insertion (SDS1); and pressurized liquid poison injection into the moderator (SDS2). The two shutdown systems, being separate and independent, are in different subgroups of Group 2 (SDS1 is in Group 2A and SDS2 is in Group 2B, which also includes containment).

3.2.2 Residual Heat Removal Systems

There are two systems for residual heat removal in each group, one for the short term and the other for the long term. CANDU reactors have a system called the Shutdown Cooling System (SDCS) to cool the fuel and the primary heat transport system (PHTS) after the reactor is shut down and to maintain low temperature for an indefinite period. It consists essentially of a pump and a heat exchanger at each end of the reactor connected between the inlet and outlet headers of the heat transport circuits. The SDCS can be used under normal conditions at reduced PHTS pressure or under accident conditions at nominal operating pressure. For normal and upset conditions, the SDCS with use of Group 1 support systems (e.g., electrical systems, service water) provides long term residual heat removal. For accident conditions, the SDCS utilizes Group 2 support systems (in subgroup 2A) to provide long term residual heat removal.

[Figure 3-2: CANDU 3 Layout Illustrating Physical Separation. Source: Hedges, et al, 1990. Legend: Group 1; Group 2; Group 1 and Group 2 systems.]

Short term residual heat removal capability is provided by the feedwater systems (FWSs). For Group 1, this capability is provided by the main and auxiliary feedwater systems; for Group 2, by the subgroup 2A (emergency) feedwater system.

3.2.3 Emergency Core Cooling

For a LOCA, primary emergency core cooling is provided by the emergency core cooling system (ECCS) in subgroup 2A. The ECCS was discussed in Section 3.1.2. The moderator, a Group 1 system because it is used in normal operations, provides a backup heat sink.

3.2.4 Key Parameters for Monitoring and Control

It is necessary to monitor key parameters, and to maintain control during and following an accident. These activities normally take place in the main control room, which is located in the reactor auxiliary building, a Group 1 building. The mechanical and electrical systems there are not qualified to continue to perform if there is a design basis earthquake (DBE). Therefore, CANDU reactors have a secondary control area in the Group 2 service building that is seismically qualified for a DBE. In the CANDU 3 design, this secondary control area has been upgraded to have the same control panels as in the main control room.
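
The two-group separation of Section 3.1.4 and the three basic safety functions of Sections 3.2.1 to 3.2.4 can be checked as a small common-mode failure analysis. The Python sketch below is an added example, not part of the original report or of any AECL or AECB tool; the system list is transcribed from the text above, while the identifiers, the "2" label for systems whose subgroup is not stated, and the assumption that no Group 1 system is DBE-qualified (the report says only that "specified" ones are) are the example's own.

```python
"""Common-mode survivability check for the CANDU 3 two-group layout.

Added illustration: system data is transcribed from Sections 3.1.4-3.2.4
of the report; all identifiers are this example's own.
"""
from dataclasses import dataclass

# The three basic safety functions each group should be able to perform.
FUNCTIONS = ("shutdown", "cool_fuel", "monitor")


@dataclass(frozen=True)
class System:
    name: str
    group: str           # "1", "2" (subgroup not stated), "2A" or "2B"
    function: str        # one of FUNCTIONS
    dbe_qualified: bool  # qualified to the design basis earthquake


# ASSUMPTION: the report says "specified" Group 1 systems are DBE-qualified
# without listing them, so every Group 1 entry is conservatively marked False.
SYSTEMS = [
    System("reactor regulating system", "1", "shutdown", False),
    System("SDS1 gravity rods", "2A", "shutdown", True),
    System("SDS2 liquid poison injection", "2B", "shutdown", True),
    System("SDCS on Group 1 support systems", "1", "cool_fuel", False),
    System("main and auxiliary feedwater", "1", "cool_fuel", False),
    System("SDCS on Group 2A support systems", "2A", "cool_fuel", True),
    System("emergency feedwater", "2A", "cool_fuel", True),
    System("ECCS", "2A", "cool_fuel", True),
    System("main control room", "1", "monitor", False),
    System("secondary control area", "2", "monitor", True),
]


def lose_group(prefix):
    """Common-mode event (e.g. fire) disabling every system whose group label
    starts with `prefix`: "1", "2" (all of Group 2), "2A" or "2B"."""
    return lambda s: not s.group.startswith(prefix)


def design_basis_earthquake(s):
    """After a DBE only DBE-qualified systems are credited."""
    return s.dbe_qualified


def coverage(systems, survives):
    """Map each safety function to the sorted groups still able to perform it."""
    result = {f: set() for f in FUNCTIONS}
    for s in systems:
        if s.function not in result:
            raise ValueError(f"unknown safety function: {s.function!r}")
        if survives(s):
            result[s.function].add(s.group)
    return {f: sorted(groups) for f, groups in result.items()}


def uncovered(systems, survives):
    """Safety functions left with no surviving system after the event."""
    return [f for f, groups in coverage(systems, survives).items() if not groups]


def analyse(systems):
    """Run the common-mode events named in the report against the system list."""
    events = {
        "loss of Group 1": lose_group("1"),
        "loss of Group 2": lose_group("2"),
        "design basis earthquake": design_basis_earthquake,
    }
    return {name: coverage(systems, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for event, cov in analyse(SYSTEMS).items():
        print(event)
        for function, groups in cov.items():
            status = ", ".join(groups) if groups else "NOT COVERED"
            print(f"  {function:10s} provided by group(s): {status}")
```

Removing the secondary control area from the list makes the DBE case report `monitor` as uncovered, which is the gap Section 3.2.4 says that area exists to close.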

3.2.5 Electrical Power Systems

Electrical power systems for CANDU reactors are divided into four classes according to their interruptibility. Uninterruptible DC power supplies and AC power supplies are in Classes I and II, respectively. Short term (minutes) interruptible AC power supplies are in Class III. Long-term interruptible AC power supplies are in Class IV (Kugler, 1980).

Class IV power is supplied from the external grid and/or the station turbine generator. Class III power is derived from diesel generators, as well as from the external grid and/or station turbine generators. There are two levels of diesel generators, standby and emergency, that start automatically when there is a loss of Class IV power. Standby diesel generators are in Group 1; emergency diesel generators are in Group 2. Classes I and II derive their power from Class III systems or from batteries. If loss of the external grid, station turbine generators, and emergency diesel generators were to be considered a station blackout as defined in 10 CFR 50.2, then CANDU reactors would have standby generators and batteries available. Station blackout is discussed in more detail in Section 4.2.

4. CANDU SAFETY ISSUES VIS-A-VIS NRC REGULATIONS

In this section, we discuss several safety-related issues associated with CANDU reactors for which there exist relevant U.S. Nuclear Regulatory Commission regulations. For the purpose of this section, NRC regulations are taken to be those regulations and criteria contained in Title 10 of the Code of Federal Regulations (10 CFR), January 1, 1991 edition.

The listing of issues should not be considered all-inclusive, but rather is a compilation of items that generally have potential safety importance and in some cases have consumed substantial NRC effort in licensing of LWRs over the years. Each of the items is discussed separately below, although not in any order of importance.

4.1 Anticipated Transients without Scram (ATWS)

For more than a decade, the NRC studied reactor transients in which an anticipated operational occurrence (e.g., loss of feedwater flow to the steam generator) is accompanied by a failure of the reactor trip system to shut down (i.e., scram) the reactor. Such an event became known as "anticipated transient without scram" or ATWS. Initial assessments concluded that the reliability of shutdown systems, although seemingly high, was not high enough to limit the probability of an ATWS event to a pre-determined numerical value considered acceptable (NRC, 1978a). Later, however, the NRC deemphasized its reliance on numerical safety goals, and instead used quantitative risk assessment as one input into an engineering evaluation of the ATWS for LWRs (NRC, 1978b).

The ATWS rule (10 CFR 50.62), which is LWR- and design-specific, requires, inter alia, that certain PWRs add a "diverse scram system," by which is meant there must be diversity in the devices necessary to transform a trip-sensor output into the removal of electric power from the control rods used to scram the reactor. The notion of diversity as applied in the rule does not require diversity in the reactivity-control portion of the shutdown system. The ATWS rule evolved over several years and focused exclusively on LWRs designed in the United States. The required modifications are prescriptive; they do not establish performance goals to determine whether the modifications should be accomplished. However, permeating the NRC work is the concern about common-mode failures that could increase the likelihood of an ATWS event.

CANDU reactors are provided with two completely redundant and diverse shutdown systems, as described above in Section 3. The diversity extends even to the poison portion of each system, unlike the common shutdown rods used in most PWRs. In addition, the ongoing safety analyses of the CANDU 3 are following the accident prescriptions of Consultative Document C-6 (AECB, 1980), so that a number of anticipated operational occurrences, such as those considered by the NRC in the ATWS rulemaking process, are within the design bases for the shutdown systems.

Another requirement of the ATWS rule is that the reactor's auxiliary (or emergency) feedwater system be activated by a device that is "diverse" from the reactor trip system. In CANDU 3, the emergency feedwater system is referred to as Group 2 feedwater. This system is incorporated in the Group 2A special safety system block. That block includes one of the shutdown systems (SDS1). The other shutdown system (SDS2) is in the Group 2B block, completely separate from the Group 2A block. Therefore, there is at least one level of "diversity" between the feedwater system actuation and the reactor trip system.

4.2 Station Blackout

Station blackout refers to the complete loss of AC electrical power to the essential and nonessential buses of a nuclear power plant (see 10 CFR 50.2 for a complete definition). The Reactor Safety Study (NRC, 1975) identified a station blackout occurrence as a potentially important contributor to the total risk from LWR accidents. Subsequently, the NRC designated station blackout as Unresolved Safety Issue A-44 (NRC, 1979). The effort leading to resolution of this issue culminated in a report containing technical findings (NRC, 1985), and subsequently in the publication of the final rule (10 CFR 50.63).

The essence of the station blackout rule is either: (1) that the reactor be able to survive a station blackout for a period of time to be determined on a case-by-case basis (termed "coping"); or (2) that an alternative AC power source as defined in 10 CFR §50.2 be available to supplement the normal AC power. If the latter option is selected, the coping analysis of the first option is required only if the alternative AC source is not available for more than 10 minutes.

The CANDU 3 safety analysis undergoing review by the AECB does not include conformance to a station blackout design requirement. The reason for this seems to be that the on-site AC power systems are believed to have higher reliability than is typical for U.S. LWRs, primarily because of the incorporation of two standby power generators (not safety-grade) in addition to the usual two safety-grade emergency generators. AECL cites an overall probability of a station blackout event for the CANDU 3 design, including the reliability of the offsite power grid, as <10⁻⁴/yr.

4.3 Conformance with Standard Review Plan

Section 50.34(g) requires that applicants for LWR operating licenses evaluate their facility designs against the NRC Standard Review Plan (SRP). However, the SRP is LWR-specific (NRC, 1981). There is no SRP specific to the CANDU reactor.

4.4 Source Term

A basic requirement in the analysis of the consequences of reactor accidents is the development of appropriate source terms, which are then used to estimate consequences to the public, and in some cases to plant personnel. For almost three decades, the NRC has provided guidance to license applicants on determining the acceptability of a particular site. That guidance, contained in 10 CFR §100.11, refers to TID-14844 (DiNunno et al., 1962) as a document that "may be used as a point of departure" for this determination. TID-14844 contains a source term that has since been universally adopted in LWR safety analyses in the United States. (The NRC is considering updating the source term to include knowledge about severe LWR accidents and the resulting behavior of the released fission products that has been acquired over the past 30 years [Soffer, et al., 1992]). In addition to the siting application, 10 CFR §50.34, which contains TMI-related requirements, specifically cites the TID-14844 source term in certain requirements (e.g., in evaluating control room habitability under accident conditions).

The CANDU 3 design features that are relevant in the determination of appropriate source terms resulting from a spectrum of accidents are significantly different from those of the PWR used in the TID-14844 assessment. CANDU safety analyses are purported to use appropriate source terms developed on mechanistic rather than deterministic grounds.

4.5 Reactor Coolant Pressure Boundary

The basic concept of the CANDU 3 reactor coolant pressure boundary (RCPB) is unlike that of LWRs currently licensed in the United States. Primarily, the PWR pressure vessel is replaced in a CANDU reactor with hundreds of individual pressure tubes. Each pressure tube is essentially a pipe containing a single fuel channel, fuel bundles, and the high-pressure reactor coolant. The pressure tubes are arrayed inside a low-pressure calandria vessel filled with D2O moderator, with each pressure tube isolated from the moderator by a calandria tube. The pressure tubes are fabricated of a zirconium-niobium alloy. One essential difference between CANDU pressure tubes and PWR pressure vessels is that the former are replaceable, and, indeed, a retubing program is in progress for several Ontario Hydro reactors. Also, the mobile fuelling machine used for on-power removal and replacement of fuel bundles is frequently a part of the RCPB. These basic characteristics raise design issues that are not covered by the ASME Boiler and Pressure Vessel Code, which is mandated by 10 CFR 50.55a. However, such CANDU components as the pressure tube are designed in accordance with Canadian Standards Association standards, which themselves frequently invoke applicable ASME requirements.

Several pressure-tube failures with benign consequences have been reported at the Pickering and Bruce stations (Ontario Hydro, 1988, Hare, 1988). Of these, only two resulted in heavy water leakage outside the confines of the primary cooling system. The first of these occurred at the Pickering station and resulted in heavy water leakage into the containment building. The second caused the failure of the calandria tube, with primary system heavy water entering the calandria tank and mixing with the moderator. The first failure occurred in a Zircaloy-2 tube and the second in a zirconium-niobium alloy tube, similar in material and design to the tubes proposed for the CANDU-3 pressure tubes. Tube cracking has been attributed to delayed hydride cracking in the presence of high tensile stress concentrations in surface flaws resulting in progressive crack growth and ultimately failure. Nevertheless, it is noted that AECB regulations (AECB, 1980, 1991c) require that pressure-tube failures be considered in a safety analysis since such failures would result in a small-break LOCA. Furthermore, the failure of a single pressure tube is not expected to propagate to other fuel channels.

4.6 ECCS Acceptance Criteria

The Canadian requirements for emergency core cooling systems (ECCSs) are contained in Regulatory Document R-9 (AECB, 1991c). There, two classes of accidents are specified for which an ECCS is mandated: the first comprises events for which no fuel failures are allowed; and the second comprises events for which such failures are expected. In the former case, the applicant must show by analysis that fuel failures do not occur. In the latter case, the basic acceptance criterion is that the calculated accident doses must be within the reference dose limits discussed in Section 2.1.2 above. Fuel-failure criteria are not specified by the AECB. On the other hand, the NRC's deterministic rules contained in 10 CFR 50.46(b) specify criteria to be used in judging the efficacy of the ECCS. The safety analyses of CANDU reactors have typically followed a mechanistic approach, that is, simplifying assumptions regarding physical phenomena are made, or empirical models are used, only when an appropriate physical model cannot be developed and/or analyzed. The Canadian analytical models purport to be capable of generating DBA-specific source terms from the mechanistic fuel temperature/failure calculations.

4.7 Combustible Gas Control

Following a LOCA, hydrogen gas may be generated by the chemical reaction of very hot cladding material with heavy water coolant. Canadian regulations require that, in such event, hydrogen deflagration or explosion be prevented by physical means or else shown to be impossible (AECB, 1991a). NRC regulations, contained primarily in 10 CFR §50.34(f)(1)(xii), §50.34(f)(2)(ix), and 50.44, are far more prescriptive than the AECB's regulation. Each approach is consistent with its corresponding approach on ECCS acceptance criteria (see Section 4.6 above), since the hydrogen source term computation is related to the more general issue of whether deterministic models and data should be required when there is a (validated) mechanistic analysis based on specifics of the reactor system available.

4.8 Power Coefficient of Reactivity

General Design Criterion 11 (GDC 11) of Appendix A to 10 CFR Part 50 requires that "in the power operating range the net effect of the prompt inherent feedback characteristics tends to compensate for a rapid increase in reactivity." If the phrase "power operating range" means any power up to and including a trip setting for the shutdown system, then the CANDU 3 might not meet this criterion. It is predicted that at some power above 105% of the normal operating power the CANDU 3 will exhibit a positive power coefficient of reactivity, although CANDU reactors have operated for twenty years or more without any indication of an uncontrollable reactor instability associated with this characteristic. The NRC staff considers GDC 11 to be satisfied if this coefficient is negative and there is a negative Doppler coefficient of reactivity (NRC 1981).

4.9 Seismic Design

The Canadian approach to seismic design, as proposed in the CANDU 3 design, differs in several respects from U.S. requirements. First, 10 CFR Part 100, App. A, defines a safe shutdown earthquake (SSE) and an operating basis earthquake (OBE). (However, a proposed change to 10 CFR Part 100, Appendix A, would eliminate the OBE from consideration in advanced LWR design.) The Canadians define a design basis earthquake (DBE) which is analogous to the SSE. (A footnote to 10 CFR Part 100, App. A recognizes this interchangeable nomenclature.) However, there is no AECB equivalent of the OBE. Rather, a site design earthquake (SDE) is defined; the SDE is an earthquake with a 100-y return period. Its application is discussed below.

Second, because the primary heat transport system is designed to survive a DBE, a DBE-induced LOCA is not considered a design basis event in the Canadian approach. This means that the emergency core cooling system (ECCS) is not designed or qualified to cope with a LOCA simultaneous with a DBE. However, the ECCS and its backup moderator cooling system are designed to maintain their structural integrity following a DBE and remain functional in a SDE which is assumed to occur 24 hours after a LOCA.

The NRC rules that govern this latter situation are 10 CFR 100, App. A and GDC 35. The first requires that the ECCS "remain functional" following the SSE (or DBE). This is interpreted to mean functional in all aspects, e.g., coolant injection, recirculation, and the like. GDC 35 requires that the ECCS function "following any loss of reactor coolant." Taken together, these citations appear to require the ECCS to function following a DBE concurrent with a LOCA.

In addition, it is unclear whether the CANDU spent fuel storage and cooling system is DBE-qualified according to NRC requirements. Although the pool itself is DBE-qualified, the pool cooling system is not. The NRC staff interpretation of GDC 2 in this regard is that either the cooling system should be seismically qualified or the pool makeup water system, including its water source, should be so qualified (NRC, 1981).

Finally, the Canadian rules for containment design (AECB, 1991) and their corresponding implementation in CANDU, require, inter alia, that the containment (1) limit releases of radioactive material following a LOCA and (2) remain functional following a DBE when the containment is credited in the safety analysis following such an event. Since, as noted above, a simultaneous LOCA and DBE is not a design basis event, the containment is not designed for that condition.

NRC requirements for LWR concrete containment design are mainly covered by 10 CFR 50, Appendix A, and General Design Criteria 1, 2, 4, 16, and 50. The NRC staff considers GDC 1 to be met if the containment is designed according to the requirements of the ASME Boiler and Pressure Vessel Code, Section III, Division 2 (ASME 1989). That code enumerates a number of load combinations required to be accommodated by the structure, among which is the loading due to thermal and mechanical forces from a LOCA acting simultaneously with loads generated by the SSE (or DBE).

4.10 Environmental Impacts of Uranium Fuel Cycle

Environmental reports (ERs) filed pursuant to 10 CFR Part 51 as part of a reactor construction permit application are currently required to include data on the environmental impacts of the uranium fuel cycle. The use of Table S-3 (10 CFR §51.51) in the ER for the environmental impacts is mandated for the LWR fuel cycle. Because of the use of natural uranium (no enrichment) and heavy water, the CANDU fuel cycle is different from the LWR fuel cycle that is implicitly defined in Table S-3.

4.11 Canadian Standards

In several key areas of design, the CANDU 3 design utilizes Canadian standards instead of the standards required of applicants by the NRC. In addition to the NRC requirements discussed above in Sections 4.5 and 4.9, standards of the Canadian Standards Association (CSA) are also used as follows:

| Subject | CSA Standard | NRC Requirement |
|---|---|---|
| Safety system I&C | N290 series | IEEE standards cited in 10 CFR 50.55a and endorsed in NRC 1981 |
| QA | N286 series | 10 CFR 50, App. B |
| Inservice inspection | N285.4, N285.5 | ASME B&PV Code, Section XI, cited in 10 CFR 50.55a |

The equivalence of the Canadian and U.S. requirements has not been assessed in this work.

Table 4-1 contains a summary of the issues discussed above.

Table 4-1 Issues in NRC Regulations for CANDU Reactors

| Item | 10 CFR Citation | Relevant CANDU Issues |
|---|---|---|
| Anticipated transient without scram (ATWS) | 50.62 | CANDU reactors have two diverse and redundant shutdown systems. |
| Station blackout | 50.63 | Estimated reliability of CANDU AC power systems exceeds that used to determine need for coping. |
| Conformance with Standard Review Plan (SRP) | 50.34(g) | No SRP exists for PHWRs |
| Source term | 50.34(f), 100.11 | Source term for CANDU reactors developed mechanistically. |
| Reactor coolant pressure boundary (RCPB) | 50.55a, 50.60, 50.61, App. G & H, GDC 14 | Canadian Standards Association standards used for CANDU reactors. |
| ECCS acceptance criteria | 50.46(b) | CANDU criteria not prescriptive. |
| Combustible gas control | §50.44, 50.34(f)(1)(xii), 50.34(f)(2)(ix) | CANDU approach is mechanistic. |
| Power coefficient of reactivity | GDC 11 | CANDU reactors may have slightly positive coefficient under certain operating conditions. |
| Seismic design | Part 100, App. A, GDC 1, GDC 2, GDC 4, GDC 16, GDC 35, GDC 50 | CANDU safety analyses do not require consideration of DBE-induced LOCA. |
| Environmental impacts of fuel cycle | 51.51 | CANDU fuel cycle different from LWR fuel cycle. |
| Reactor design and QA standards | 50.55a, Part 50 App. B | CANDU reactors use Canadian standards. |

5. REFERENCES Aheame, J.F.,1989, A Compari. son Between Regtdation ofNuclear Power in Canada and the United l States, Progress in Nuclear Energy, 22, 215.

ASME,1989, Codefor Concrete Reactor Vessels and Containments, ASME Boiler and Pressure Vessel Code, Section 111, Division 2, American Society of Mechanical Engineers, July 1.

Atchison, J.F., F.C. Boyd, and Z. Domaratzki,1983, Canadian Approach to Nuclear Power Safety, Nuclear Safety, 24, 439, July-Aug. (Also see INFO-1040).

AECL,1989, Unique Aspects of the CANDU 3 Design, Atomic Energy of Canada Limited, June 6.

AECB,1977, Use of Two S7mtdown Systems in Reactors, Atomic Energy Control Board, Regulatory Policy Statement R-10, Ottawa, Ontario, Canada, January 11.

AECB,1980, Requirementsfor the Safety Analysis of CANDU Nuclear Power Plants, Atomic Energy Control Board, Consultative Document C-6, Ottawa, Ontario, Canada, June.

AECB,1986, Proposed General Amendments to the Atomic Energy ControlRegadations, Atomic Energy Control Board, Consultative Document C-83, Ottawa, Ontario, Canada, April 28.

AECB,1987a, Overpressure Protection Requirementsfor Primary Heat Transport Systems in CANDU Power Reactors Fitted with Two Shutdown Systems, Atomic Energy Control Board, Regulatory Policy Statement R-77, Ottawa, Ontario, Canada, October 20.

AECB,1987b, Requirementsfor Reliability Analysis ofSafety-Related Systems in Nuclear Reactors, Atomic Energy Control Board, Consultative Document C-98, Ottawa, Ontario, Canada, April 14.

AECB,199Ia, Requirementsfor Containment Systemsfor CANDUNuclear Power Plants, Atomic Energy Control Board, Regulatory Policy Statement R-7, Ottawa, Ontario, Canada, February 21.

AECB,199lb, Requirementsfor Shutdown Systemsfor CANDU Nuclear Power Plants, Atomic Energy Control Board, Regulatory Policy Statement R-8, Ottawa, Ontario, Canada, February 21.

AECB,1991c, Requirementsfor Emergency Core Cooling Systemsfor CANDUNuclear Power j Plants, Atomic Energy Control Board, Regulatory Policy Statement R-9, Ottawa, Ontario, Canada, February 21.

1 AECB,1991d,Publicariam Catalogue 1991-1992, Atomic Energy Control Board, Ottawa, Ontario, Canada. l Boyd, F.C.,1966, Reactor Licensing in Canada, Presented to the Canadian Nuclear Association, June 1,1966, Atomic Energy Control Board preprint AECB-1014.

32 i

Boyd, F.C.,1967, Containment and Siting Requirements in Canada, presented at the International ,

Atomic Energy Agency Symposium on the Containment and Siting ~at Nuclear Power Plants, Vienna, Apr. 3,1967, Atomic Energy Control Board preprint AECB-1018.

CRC, 1978, Atomic Energy Control Regulations, Consolidated Regulations of Canada, Chapter 365, Statute Revision Commission.

DiNunno, J.J., et al., 1962, Calculation of Distance Factors for Power and Test Reactor Sites, U.S. Atomic Energy Commission Report TID-14844, March 23.

Hare, F. Kenneth, 1988, The Safety of Ontario's Nuclear Power Reactors - A Scientific and Technical Review - Min ec, Report, Ontario Nuclear Safety Review, Toronto, Ontario, February 29.

Hedges, K.R., M. Bonechi, and E.M. Hinchley, 1990, "CANDU 3 Technical Outline," Atomic Energy of Canada, Limited.

Hurst, D.G. and F.C. Boyd, 1972, Reactor Licensing and Safety Requirements, Atomic Energy Control Board Paper AECB-1059, June 11.

Jaitly, R.K., 1991, CANDU 3 Safety and Licensing, AECL CANDU, private communication, November 14.

Joyce, M., 1979, The Licensing Process for Nuclear Power Reactors - Revision 1, Atomic Energy Control Board Paper AECB-1139/REV-1, June 11.

Kugler, G., 1980, Distinctive Safety Aspects of the CANDU-PHW Reactor Design, Atomic Energy of Canada Limited Report AECL-6789, Mississauga, Ontario, January.

Laurence, G.C., 1965, Reactor Siting Criteria and Practice in Canada, presented at the American Nuclear Society National Topical Meeting on Nuclear Power Reactor Siting, Los Angeles, Feb. 18, 1965, Atomic Energy Control Board preprint AECB-1010.

Marchildon, P., 1985, Recent Developments in Canadian Nuclear Power Plant Licensing Practices, presented at the Canadian Nuclear Society Annual Conference, Ottawa, Ontario, June 3, 1985, Atomic Energy Control Board Paper INFO-0178.

Morison, W.G., et al., 1987, Containment Systems Capability, Nuclear Journal of Canada, 1:1, 53-68.

NRC, 1975, Reactor Safety Study, U.S. Nuclear Regulatory Commission Report WASH-1400, October.

NRC, 1978a, Anticipated Transients Without Scram for Light Water Reactors, U.S. Nuclear Regulatory Commission Report NUREG-0460, Vols. 1 and 2, April.

NRC, 1978b, Anticipated Transients Without Scram for Light Water Reactors, U.S. Nuclear Regulatory Commission Report NUREG-0460, Vol. 3, December.

NRC, 1979, Identification of Unresolved Safety Issues Relating to Nuclear Power Plants, U.S. Nuclear Regulatory Commission Report NUREG-0510, January.

NRC, 1981, Standard Review Plan, U.S. Nuclear Regulatory Commission Report NUREG-0800, July (as revised).

NRC, 1985, Evaluation of Station Blackout Accidents at Nuclear Power Plants, U.S. Nuclear Regulatory Commission Report NUREG-1032, May.

NRC, 1991, Standards for Protection Against Radiation, U.S. Nuclear Regulatory Commission, 56 FR 23360, May 21.

Ontario Hydro, 1988, The Safety of Ontario's Nuclear Power Reactors: A Scientific and Technical Review, submission to the Ontario Nuclear Safety Review, Toronto, Ontario, February 29.

Province of Ontario, 1984, Nuclear Emergency Plan: Report of Provincial Working Group #3, April.

Province of Ontario, 1986, Nuclear Emergency Plan: Part I - Provincial Master Plan, Ministry of the Solicitor General, Toronto, Ont., Canada, June.

Province of Ontario, 1988, The Upper Limit for Detailed Nuclear Emergency Planning, Report of Provincial Working Group #8, June 30.

Province of Ontario, 1990, Nuclear Emergency Plan: Part II - Pickering, Ministry of the Solicitor General, Toronto, Ont., Canada, August.

Soffer, L., et al., 1992, Accident Source Terms for Light-Water Nuclear Power Plants, U.S. Nuclear Regulatory Commission, Draft NUREG-1465, June.

SOR, 1985, Canadian Gazette, Summary of Regulations, Part II, 119, 1885, SOR/85-335, April.

APPENDIX A

Table A-1 Other Regulatory Policy Statements Issued by the AECB

| Number | Title | Date |
|---|---|---|
| R-71 | Deep Geological Disposal of Nuclear Fuel Waste: Background Information and Regulatory Requirements Regarding the Concept Assessment Phase | 01/29/85 |
| R-76 | Atomic Energy Control Board Policy and Procedures on Representations and Appearances | 05/17/83 |
| R-90 | Policy on the Decommissioning of Nuclear Facilities | 08/22/88 |
| R-91 | Policy on Monitoring and Dose Recording for the Individual | 03/01/90 |
| R-94 | Default Values | 08/27/87 |
| R-100 | The Determination of Effective Doses from the Intake of Tritiated Water | 08/27/87 |
| R-104 | Regulatory Objectives, Requirements and Guidelines for the Disposal of Radioactive Waste | 06/05/87 |
| R-105 | The Determination of Radiation Doses from the Intake of Tritium Gas | 10/13/88 |

Source: AECB, 1991d


Table A-2 Other Consultative Documents Issued by the AECB

| Number | Title | Date |
|---|---|---|
| C-1 | Long Term Aspects of Uranium Tailings Management | 08/81 |
| C | Atomic Energy Control Regulations: Amendments Concerning Inspectors, Nuclear Facility Licensing, and Procedural Safeguards | 07/10/81 |
| C | Quality Assurance Programs for Nuclear Facilities | 12/20/82 |
| C-36 | A Guide to the Licensing of Uranium and Thorium Mine and Mill Waste Management Systems | 06/02/86 |
| C-47 | Atomic Energy Control Regulations: Amendments Relating to the Limitations of Exposure to Ionizing Radiation | 11/14/83 |
| C 'i0 | The Use of Fault Trees in Licensing Submissions | 05/31/83 |
| C-78 | Limitation of Exposure to Ionizing Radiation - Explanatory Notes Relating to a Proposed Amendment of the Atomic Energy Control Regulations | 11/14/83 |
| C-79 | Review of the Nuclear Liability Act | 03/09/84 |
| C-83 | Proposed General Amendments to the Atomic Energy Control Regulations | 04/28/86 |
| C-85 | The Basis for Exempting the Disposal of Certain Radioactive Materials from Licensing | 05/06/85 |
| C-90 | Policy on the Decommissioning of Nuclear Facilities | 10/15/85 |
| C-92 | Dosimetry Services for Internal and External Radiation Sources | 03/19/86 |
| C-95 | Policy Statement on Maximum Acceptable Levels of Contamination on Equipment and Materials Leaving Uranium Mine Facilities | 10/30/86 |
| C-96 | Input to the AECB Licensing Process from Unions and Worker Representatives | 10-30-86 |
| C-98 | Requirements for Reliability Analysis of Safety-Related Systems in Nuclear Reactors | 04/14/87 |
| C-106 | Technical & Quality Assurance Specifications for Dosimetry Services | 04/17/89 |
| C-110 | Implementation of a Program to Recover The Atomic Energy Control Board's Operating Costs | 03/03/89 |
| C-117 | Requirements for Gamma Radiation Survey Meter Calibration | 11/28/90 |
| C-120 | A Guide for Approval of Cobalt Teletherapy Installation | 12/18/90 |

Source: AECB, 1991d


DISTRIBUTION FOR NUREG/CR-6315; ANL-95/5

Internal

ANL Technical Publications Services
P. H. Kier (5)
I. Charak (5)

External

Dist. Category R1
Manager, U.S. Department of Energy Chicago Field Office
ANL-E Libraries (2)
ANL-W Library
M. W. Hodges, T-10 E37
D. D. Ebert, T-10 G6
T. L. King, T-10 E37
G. H. Marcus, 0-11 D23
L. M. Shotkin, T-10 G6
J. N. Donohew, 0-11 D23
F. Eltawila, T-10 K8
D. C. Scaletti, 0-11 D23
R. O. Meyer (2), T-10 G6
E. D. Throm, 0-11 D23
D. E. Carlson (2), T-10 G6
V. G. Snell, L. N. Rib, R. T. Curtis (3); AECL Technologies, 9210 Corporate Blvd., Suite 410, Rockville, MD 20850
J. L. Judd, R. W. Shumway, C. E. Slater, D. L. Hagrman (4); Lockheed Idaho Technologies Co., P.O. Box 1625, Idaho Falls, ID 83415
A. L. Wright, Oak Ridge National Laboratory, P.O. Box 2009, Oak Ridge, TN 37831
T. J. Heames, D. A. Powers (2); Sandia National Laboratories, P.O. Box 5800, Albuquerque, NM 87185
D. J. Diamond, H. Ludewig (2); Brookhaven National Laboratory, P.O. Box 5000, Upton, Long Island, NY 11973
B. E. Boyack, Los Alamos National Laboratory, MS K551, P.O. Box 1663, Los Alamos, NM 87545

NRC FORM 335, U.S. NUCLEAR REGULATORY COMMISSION

BIBLIOGRAPHIC DATA SHEET

1. REPORT NUMBER: NUREG/CR-6315, ANL-95/5
2. TITLE AND SUBTITLE: CANDU Reactors, Their Regulation in Canada, and the Identification of Relevant NRC Safety Issues
3. DATE REPORT PUBLISHED: April 1995
4. FIN OR GRANT NUMBER: L2046
5. AUTHOR(S): I. Charak, P.H. Kier
6. TYPE OF REPORT: Technical
7. PERIOD COVERED:
8. PERFORMING ORGANIZATION - NAME AND ADDRESS: Argonne National Laboratory, 9700 S. Cass Avenue, Argonne, IL 60439
9. SPONSORING ORGANIZATION - NAME AND ADDRESS: Division of Systems Research, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555
10. SUPPLEMENTARY NOTES:
11. ABSTRACT (200 words or less):

Atomic Energy of Canada, Limited (AECL) and its subsidiary in the United States are considering submitting the CANDU 3 design for standard design certification under 10 CFR Part 52. CANDU reactors are pressurized heavy water power reactors. They have some substantially different safety responses and safety systems than the LWRs that the commercial power reactor licensing regulations of the U.S. Nuclear Regulatory Commission (NRC) have been developed to deal with. In this report, the authors discuss the basic design characteristics of CANDU reactors, specifically of the CANDU 3 where possible, and some safety-related consequences of these characteristics. The authors also discuss the Canadian regulatory provisions, and the CANDU safety systems that have evolved to satisfy the Canadian regulatory requirements as of December 1992. Finally, the authors identify NRC regulations, mainly in 10 CFR Parts 50 and 100, with issues for CANDU 3 reactor designs. In all, eleven such regulatory issues are identified. They are: (1) the ATWS rule (§50.62); (2) station blackout (§50.63); (3) conformance with Standard Review Plan (SRP); (4) appropriateness of the source term (§50.34(f) & §100.11); (5) applicability of reactor coolant pressure boundary (RCPB) requirements (§50.55a, etc); (6) ECCS acceptance criteria (§50.46(b)); (7) combustible gas control (§50.44, etc); (8) power coefficient of reactivity (GDC 11); (9) seismic design (Part 100); (10) environmental impacts of the fuel cycle (§51.51); and (11) (standards §50.55a).

12. KEY WORDS/DESCRIPTORS: CANDU reactor regulation in Canada; CANDU safety issues vis-à-vis NRC regulations
13. AVAILABILITY STATEMENT: Unlimited
14. SECURITY CLASSIFICATION: (This Page) Unclassified; (This Report) Unclassified
15. NUMBER OF PAGES:
16. PRICE:
