ML20241A151
| ML20241A151 | |
| Person / Time | |
|---|---|
| Issue date: | 08/28/2020 |
| From: | Jon Ake, Gascot R, Jose Pires, Jim Xu NRC/RES/DE |
| To: | |
| R. Gascot Lozada | |
| Shared Package | |
| ML20241A149 | List: |
RESEARCH OVERVIEW ON MOVING TOWARD RIPB APPROACH FOR SEISMIC SAFETY
Jim Xu (1), José Pires (1), Jon Ake (1), Ramón L. Gascot (2)
(1) Senior Level Advisor, RES/DE
(2) Structural Engineer, RES/DE/SGSEB
Introduction
- Motivations for developing a seismic safety approach based on a technology-inclusive (TI), risk-informed and performance-based (RIPB) process
  o The Nuclear Energy Innovation and Modernization Act (NEIMA) directed NRC to develop a regulatory framework based on the TI-RIPB approach to ensure efficient and effective review of advanced reactors.
  o The utility-led and Department of Energy (DOE) cost-shared Licensing Modernization Project (LMP) developed a frequency-consequence (F-C) based methodology for selection of licensing-basis events (LBEs); classification and special treatments of structures, systems, and components (SSCs); and assessment of defense in depth (DID) for advanced non-light water reactors (ANLWRs)
  o The Commission approved the LMP approach as described in SECY-19-0117
  o However, the LMP methodology does not provide guidance on plant physical design
- Research effort to integrate ASCE 43 seismic criteria for SSCs physical design within the LMP framework (LMP-ASCE)
  o American Society of Civil Engineers (ASCE) standard ASCE 43 provides criteria for seismic design (physical design) of SSCs that meet requisite quantitative performance goals (PF)
  o Performance goals and associated limit states (LS) are established based on categorizations of SSCs
  o Use seismic probabilistic risk assessment (SPRA) to integrate LMP-ASCE through an iterative process
- This workshop will discuss the proposed LMP-ASCE approach and obtain stakeholder feedback
Outline
- Goals and Overview for Workshop
- Proposed Seismic TI-RIPB Safety Approach
- Regulatory Benefits
- Challenges
- Plan for Future Research Activities
- Milestones and Deliverables
Goal and Objectives for Workshop
- The goal is to facilitate research for developing a seismic safety approach that utilizes TI-RIPB to enhance safety in a manner that is rational and cost effective
- Workshop objectives
  o Provide an overview of a proposed seismic safety approach that integrates SPRA and the performance-based design process established by ASCE 43. This approach offers a TI-RIPB pathway for ANLWRs to address seismic safety within the LMP framework
  o Obtain feedback from stakeholders and the ANLWR technical community, which will be considered in planning for activities to demonstrate the feasibility and validity of the proposed approach
Overview
- Complexities associated with seismic design and performance require comprehensive treatment
- Regulatory framework for seismic safety
- Current approaches to seismic design
- Technology readiness for implementing TI-RIPB seismic safety for ANLWRs
Complexities Associated with Seismic Design and Analysis
[Figure: path of seismic input from the earthquake (source) through rock and soil to the foundation level, structure, and cabinet, with the response spectrum used at each stage: UHRS, GMRS, FIRS, ISRS, ICRS]
- UHRS: Uniform Hazard Response Spectra
- GMRS: Ground Motion Response Spectra
- FIRS: Foundation Input Response Spectra
- ISRS: In-Structure Response Spectra
- ICRS: In-Cabinet Response Spectra
Complex Technical Disciplines Involved for Seismic Safety Regulatory Oversights
- Seismology/geology
  o Seismic source characterization
  o Ground motion models
  o Probabilistic seismic hazard analysis (PSHA)
  o Site seismic hazard/UHRS
- Geophysical geotechnical engineering
  o Subsurface soil and rock properties
  o Probabilistic site response analysis
  o Soil-structure interaction analysis (SSI)
  o Seismic induced secondary hazards (liquefaction, slope stability, etc.)
- Structural engineering
  o Structural analysis to establish seismic loads for structures and equipment
  o Code-based seismic design
- Mechanical, electrical, and system engineering
  o Equipment seismic qualification by analysis
  o Equipment seismic qualification by testing
- Risk assessment
  o Seismic fragility
  o SPRA/SMA to assess robustness of seismic design
  o Beyond design seismic capability
Technical Considerations
- Physical design (of structures/components) requires clearly defined performance expectations (functional designs) to support system/plant level performance
- Complexities introduce uncertainties
- Common understanding and close interactions among different technical disciplines are required to address uncertainties, especially epistemic uncertainty
- Aim to achieve more risk balanced system performance
- Considerations of non-seismic and operator actions
- Technology readiness for implementing TI-RIPB seismic safety
Regulatory Framework for Seismic Safety
- Regulatory bases - 10 CFR Part 50, 52, 100, Appendix S to Part 50, and Appendix A to Part 50 General Design Criterion (GDC) 2
- Guidance - Regulatory Guide (RG) 1.208, Standard Review Plan (SRP) Sections 2.5, 3.7, 3.8, 3.9, 19
- Seismic design to withstand site-specific hazards (safe shutdown earthquake - SSE) for SSCs
- Use of SPRA to evaluate adequacy of seismic design
Traditional Approach to Seismic Design
- Aimed at preventing seismic induced core damages and mitigating radioactive material releases for large light water reactors (LWRs)
- Seismic design standards for seismic category I/non-seismic category I
- Deterministic process
- SPRA to quantify risk for seismic design
- Proven record for adequate seismic safety for LWRs
Traditional Approach to Seismic Design (cont'd)
- May not be effective and efficient for diverse ANLWR designs
- Designation of seismic category I/non-seismic category I lacks flexibility to accommodate diverse designs (considering safety contributions, e.g., singleton vs. doubleton)
- Large disparity in risk profiles from SPRA insights
- Seismic design does not explicitly consider risk contribution of the SSC to system/plant level performance
Technology Readiness for TI-RIPB Implementation
- Nuclear Energy Innovation and Modernization Act (NEIMA) for ANLWRs
- RIPB is about integrating functional and physical designs in a more logical and systematic approach to achieve optimal system and plant level performance
- Utility-led and DOE cost-shared LMP developed an integrated RIPB functional design approach to group LBEs, and SSC classifications based on F-C target
  o Technology inclusive
  o Integrated process to SSC categorization considering risk insights and defense-in-depth philosophy
  o Emphasis on system level performance with adequate margin of safety
ASCE Performance-based Engineering Seismic Design
- 3 ASCE standards provide performance-based engineering seismic design criteria for NPPs:
  o ASCE 43 - Seismic Design Criteria for Structures, Systems, and Components in Nuclear Facilities
  o ASCE 4 - Seismic Analysis of Safety-related Nuclear Structures and Commentary
  o ASCE 1 - Standard for Geotechnical Analysis, Design, Construction, Inspection and Monitoring of Nuclear Safety-Related Structures
- Provide seismic design (physical design) to achieve a target performance goal defined as mean annual frequency of unacceptable performance:
=
0
/
Proposed Seismic TI-RIPB Approach
- Works within LMP RIPB framework
  o Licensing basis events
  o Process for categorizations of SSCs consistent with performance expectations for risk balanced function design
  o Criteria for meeting risk goals based on F-C target or surrogates
- ASCE 43 engineering criteria for SSC seismic designs
  o Produce physical designs of SSCs that meet desired probabilistic performance goals
  o Performance goals and associated limit states are established based on categorizations of SSCs
- Use Seismic PRA to integrate LMP-ASCE through an iterative process
Regulatory Benefits
- Risk-balanced design to enhance safety while reducing unnecessary design conservatism
- Technology inclusive
- Design flexibility (apply various combinations of PF and LS vs. single SSE and elastic LS in the current guidance) to achieve a targeted level of safety
- Preserving proven engineering practice and applicable nuclear codes and standards
- Integrated approach that explicitly incorporates all important event sequences, includes not only seismic failures but also non-seismic failures and human errors, and also accounts for programmatic considerations to support the defense-in-depth philosophy
Regulatory Benefits (cont'd)
- No obvious impediments identified for implementation under both Part 52 and Part 50 licensing process
- Risk focused design approach potentially leads to better understood and more tailored safety margin and can also lead to cost reductions (reduced demands for low risk SSCs and a more balanced risk profile across the plant), therefore enhancing the commercial viability and competitiveness for ANLWRs
- Could be used as alternative to the current guidance for seismic design
Challenges
- First-of-a-kind approach for nuclear engineering seismic design in that more than one seismic design category would be available for the design of safety-related SSCs
- Need realistic case studies to demonstrate feasibility and validity of the approach and applicable processes
- Establish an implementation process to determine how all aspects can be seamlessly integrated and practiced, especially the quality and level of detail at which SPRA should be performed to support the integration process and the defense-in-depth considerations
Future Research Activities
- Reach consensus on principal aspects of the proposed alternative approach and identify potential changes and improvements
- Forge collaborative effort to identify case studies that can yield the most beneficial and effective insights for implementations
- Develop guidance to ensure a successful pathway for licensing ANLWRs under Part 52 and Part 50 processes, or a new regulatory process
Milestones and Deliverables
- Phase 1 activities:
  o Developed conceptual RIPB seismic safety approach documented in the phase 1 draft report (completed)
  o Public workshop
  o Phase 1 final report (December 2020)
- Phase 2 activities (2021 - TBD):
  o Develop implementation plan
  o Identify case studies to demonstrate the proposed approach
  o Obtain feedback from stakeholders and practitioners
  o Phase 2 report and guidance (NUREG, RG, etc.)
  o Identify and support potential regulatory enhancements
Licensing Modernization Project (LMP)
Amir Afzali, Licensing and Policy Director, Southern Company
Licensing Modernization Project
Why:
- Reduce regulatory uncertainty to enable accelerated commercialization of advanced non-LWR reactors
- Consistent with the Commission's long-standing effort to transition to risk-informed, performance-based regulations
- Key to achieving modern risk-informed regulation as envisioned in the agency's Transformation Initiative.
How:
- Develop transparent, systematic, risk-informed, performance-based, and predictable methodology
What: NEI 18-04 and four supporting reports are intended to:
- Select and evaluate Licensing Basis Events (LBEs)
- Classify Structures, Systems and Components (SSCs) based on their holistic and realistic contribution to risk
- Determine Defense-in-Depth (DiD) adequacy
An Owner-Operator Perspective: Licenses Needed to Build and Operate a Nuclear Power Plant
License = A permit from an essential stakeholder to own or use a nuclear power plant
- Commercial Viability License
- Social Acceptability License
- Regulatory Safety Focused License
Regulatory License
- Reasonable Assurance of Adequate Protection
- Avoidance of Unnecessary Burden
- Realizing Positive Impacts
  - Safer plants
  - Public trust
  - International recognition
- Avoiding Limiting Impacts
  - High construction and operation cost
  - Lengthy and costly licensing reviews
LBE Evaluation Chart
RIPB Background
LMP Tabletop Insights
Results of the tabletop exercises confirmed that:
- The LMP process can be effectively executed for a spectrum of different non-LWR concepts
- Design decisions can be optimized through an integrated and realistic analysis of the plant's response
- Information obtained through the LMP-based design evaluation can be used for building a strong operational risk management program
Summary
- The LMP methodology, presented in NEI 18-04, is developed based on:
  - over 20 years of industry interactions with the NRC staff on risk-informed regulatory approaches, including many public reviews and discussions
  - lessons learned from a number of industry tabletop exercises, covering different technologies and designs
- Positive support of NEI 18-04:
  - Commission approval of SECY-19-0117
  - Issuance of NRC RG 1.233
Next Steps
- Modernization of supporting regulatory requirements (e.g., seismic design requirements, TSs, inspections, etc.)
- Modernization of content of application
Innovation is required for viability of any technology
Questions
- How to innovate in a regulated industry?
- How to avoid regulatory practices becoming a ceiling for introducing new technologies and products?
- Removing barriers to innovative approaches to protecting the public, while still satisfying regulations
- How to manage regulatory uncertainties?
- Adapt vs. Adopt Approach
- How should support for a variety of advanced reactor systems be balanced against focusing on one technology and demonstrating success?
- How do we indoctrinate new players to the U.S. nuclear culture and expectations, and how do we benefit from their perspectives?
- How should we be prioritizing the research to generate the necessary technical information to support advanced technology licensing?
Acronyms
- LMP - Licensing Modernization Project
- NEI - Nuclear Energy Institute
- LBE - Licensing Basis Events
- DBE - Design Basis Events
- DBA - Design Basis Accidents
- BDBE - Beyond Design Basis Events
- DiD - Defense-in-Depth
- QHO - Quantitative Health Objective
- EPA - Environmental Protection Agency
- PAG - Protective Action Guide
- EAB - Exclusion Area Boundary
- MWt - Megawatt Thermal
- F-C - Frequency-Consequence
Treatment of External Events in Applying Licensing Modernization Project Methodology
Karl Fleming, LMP Senior Technical Lead
U.S. Nuclear Regulatory Commission Seismic Workshop, September, 2020
Seismic RIPB for LMP
Meeting Purpose and Objectives
Purpose:
- To provide a brief summary of the LMP methodology
- Highlight the LMP treatment of external hazards
- Role of Non-LWR PRA Standard in LMP implementation
LMP Training Topics
LMP Methodology includes the following parts:
- Methodology overview
- Selection and evaluation of Licensing Basis Events* (LBEs)
- PRA development and role of PRA standard to establish its technical adequacy
- SSC safety classification and performance requirements
- Evaluation of defense-in-depth (DID) adequacy
* LMP special terms are defined in glossary in back of NEI 18-04
Principal Focus of LMP Methodology
- Systematic, reproducible, robust, and integrated processes for:
  o Identification of safety significant LBEs appropriate for each non-LWR design based on a design specific PRA;
  o Safety classification of SSCs and selection of SSC performance requirements;
  o Establishing the risk and safety significance of LBEs and SSCs;
  o Demonstrating enhanced safety margins consistent with Advanced Reactor Policy;
  o Identification of key sources of uncertainty;
  o Evaluation of the adequacy of plant capabilities and programs for defense-in-depth including special treatments
- Appropriate balance of deterministic and probabilistic inputs to risk-informed decisions involved in design, operations, programs and licensing.
- Performance-based approach to setting plant and SSC reliability and capability performance targets and monitoring performance against targets.
- SSC performance targets linked to balancing prevention and mitigation functions identified in LBEs.
- SSC capability targets include protection against hazards reflected in the underlying LBEs
LMP Methodology Approach
- Foundations laid in MHTGR, PBMR, and NGNP projects and NRC and ACRS staff reviews on key topics
  - Technology inclusive risk metrics
  - Use of frequency-consequence targets
  - Functional containment concept
  - Treatment of multi-module plants
  - Reliability targets in lieu of single failure criterion
  - Technology inclusive approach to defense-in-depth
- LMP enhancements to incorporate developments in RIPB decision making for wide spectrum of advanced non-LWRs
LMP process attributes:
- Risk-Informed and Performance-Based (RIPB)
- Reactor Technology-Inclusive
- Sufficiently complete
- Reproducible
- Capable of identifying reactor specific safety issues
- Compatible with current applicable regulatory requirements
How LMP is RIPB?
LMP is risk-informed by:
- Incorporating key inputs from a design specific PRA
- Incorporating deterministic principles via evaluation of defense-in-depth adequacy
LMP is performance based by:
- Use of a Frequency Consequence (F-C) Target and Cumulative Risk Targets to evaluate the risk significance of licensing basis events and structures, systems, and components (SSCs)
- Selection of performance-based targets for the reliability and capability of SSCs in the prevention and mitigation of accidents
- Use of programs to monitor the performance of the plant and SSCs against the performance targets
- Use of an Integrated Decision-Making Process to implement RIPB decisions that impact the safety case and its objective evaluation
Selection and Evaluation of Licensing Basis Events (LBEs)
Licensing Basis Events (LBEs)
- LBEs are defined broadly to include all the events used to support the safety aspects of the design and to meet licensing requirements. They cover a comprehensive spectrum of events from normal operation to rare, off-normal events.
- Categories defined as Normal Operations (NO), Anticipated Operational Occurrences (AOO), Design Basis Events (DBE), Beyond Design Basis Events (BDBE) and Design Basis Accidents (DBA)
- LBE definitions and approach build on those developed in NGNP white papers
- LMP guidance document includes glossary to clarify similarities and differences in terminology with regulatory terms
LBE Categories
- Anticipated Operational Occurrences (AOOs). Anticipated event sequences expected to occur one or more times during the life of a nuclear power plant, which may include one or more reactor modules. Event sequences with mean frequencies of 1x10^-2/plant-year and greater are classified as AOOs. AOOs take into account the expected response of all SSCs within the plant, regardless of safety classification.
- Design Basis Events (DBEs). Infrequent event sequences that are not expected to occur in the life of a nuclear power plant, which may include one or more reactor modules, but are less likely than an AOO. Event sequences with mean frequencies of 1x10^-4/plant-year to 1x10^-2/plant-year are classified as DBEs. DBEs take into account the expected response of all SSCs within the plant regardless of safety classification. The objective and scope of DBEs to form the design basis of the plant is the same as in the NRC definition.
- Beyond Design Basis Events (BDBEs). Rare event sequences that are not expected to occur in the life of a nuclear power plant, which may include one or more reactor modules, but are less likely than a DBE. Event sequences with mean frequencies of 5x10^-7/plant-year to 1x10^-4/plant-year are classified as BDBEs. BDBEs take into account the expected response of all SSCs within the plant regardless of safety classification.
- Design Basis Accidents (DBAs). Postulated accidents that are used to set design criteria and performance objectives for the design and sizing of SSCs that are classified as safety-related. DBAs are derived from DBEs based on the capabilities and reliabilities of safety-related SSCs needed to mitigate and prevent accidents, respectively. DBAs are derived from the DBEs by prescriptively assuming that only SSCs classified as safety-related are available to mitigate postulated accident consequences to within the 10 CFR 50.34 dose limits.
Selection and Evaluation of LBEs
- AOOs, DBEs, and BDBEs are defined in terms of event sequence families from a reactor design-specific PRA
- AOOs, DBEs, and BDBEs are evaluated:
  - Individually for risk significance using a Frequency-Consequence (F-C) chart against a F-C Target
  - Collectively by comparing the total integrated risk against a set of cumulative risk targets
- DBEs and high consequence BDBEs are evaluated to define Required Safety Functions (RSFs) necessary to meet F-C Target
- Designer selects Safety Related SSCs to perform required safety functions among those available on all DBEs
- DBAs are derived from DBEs by assuming failure of all non-safety related SSCs and evaluated conservatively vs. 10 CFR 50.34
Frequency-Consequence (F-C) Target
- Purpose is to evaluate risk significance of individual LBEs and SSCs and to help define the RSFs; not a regulatory acceptance criterion
- Derived from the NGNP F-C Target and frequency bins for AOOs, DBEs, and BDBEs
  - Addressed staircase issue with previous F-C targets
- F-C Target anchor points based on:
  - 10 CFR 20 annual dose limits and iso-risk concept
  - Avoidance of offsite protective actions for lower frequency AOOs
  - 10 CFR 50.34 dose limits for lower frequency DBEs
  - Consequences based on 30-day TEDE dose at EAB
  - EAB doses selected to assure meeting QHO for prompt fatality individual risk
- LBEs compared to F-C target based on mean, and upper (95%tile) and lower (5%tile) bound estimates of LBE frequency and dose
LBE Risk-Significance Criteria
LBE Cumulative Risk Targets
- The total frequency of exceeding an offsite boundary dose of 100 mrem shall not exceed 1/plant-year to ensure that the annual exposure limits in 10 CFR 20 are not exceeded.
- The average individual risk of early fatality within the area 1 mile of the EAB shall not exceed 5x10^-7/plant-year to ensure that the NRC Safety Goal Quantitative Health Objective (QHO) for early fatality risk is met.
- The average individual risk of latent cancer fatalities within the area 10 miles of the EAB shall not exceed 2x10^-6/plant-year to ensure that the NRC safety goal QHO for latent cancer fatality risk is met.
Identification of Required Safety Functions (RSFs)
- RSFs are those functions that, if not fulfilled, would lead to increase in DBE consequences beyond the F-C target; or increase the frequency of high consequence BDBEs beyond the F-C target
- Define what functions have to be preserved to deliver the safety case
- Zero and low consequence DBEs play an important role
- SSCs that are available to perform the RSFs may include:
  - Inherent or intrinsic reactor features
  - Passive SSCs
  - Active SSCs
  - Combinations of the above
- Advanced reactor designs typically include multiple means of achieving each RSF.
- Functional and SSC level design criteria are derived from the RSFs
- RSFs are reactor technology and design specific and apply to specific Rn sources.
- They are derived from the fundamental safety function (FSF) of controlling the release of radioactive material and address explicitly or implicitly the other FSFs of controlling heat generation and heat removal
LBE Summary
- AOOs, DBEs, and BDBEs defined as event sequence families developed in the PRA grouped by similarity of initiating event, challenge to plant safety functions, plant response, and mechanistic source term
- DBAs selected using prescriptive rules after designers have determined the Required Safety Functions (RSFs), identified which SSCs are available on all the DBEs to provide the RSFs, and selected those to be classified as Safety Related (SR) SSCs
- DBAs are derived by modifying each DBE to remove credit for any non-safety related SSC that performs a RSF
- DBAs correspond to event sequences modeled in the PRA, some of which have extremely low frequencies
- Consequences of DBAs evaluated using deterministic ground rules per 10 CFR 50.34 and not compared to F-C Target
SSC Safety Classification And Performance Requirements
SSC Approach Highlights
- Includes active and passive SSCs relying on inherent reactor characteristics
- Retains three SSC safety classification categories in NGNP SSC white paper
- Proposes criteria for SSC risk significance based on absolute risk metrics (for consideration in next edition of non-LWR PRA Standard); addresses risk significance issues identified in PRISM pilot of ASME/ANS non-LWR Standard
- Incorporates selected concepts from 10 CFR 50.69 and NEI-00-04 in the context of a forward fit process
- Includes SSC requirements to address single and multi-module event sequences
- Provides guidance for deriving performance based reliability and capability targets including protection against external hazards
LMP SSC Safety Categories
SSCs Including Radionuclide Barriers
- Safety-Significant SSCs
  - Safety-Related (SR) SSCs
    - SSCs selected for required safety functions to mitigate DBEs within F-C Target*
    - SSCs selected for required safety functions to prevent high-consequence BDBEs from entering DBE region beyond F-C target
  - Non-Safety-Related SSCs with Special Treatment (NSRST)
    - Non-SR SSCs performing risk-significant functions
    - Non-SR SSCs performing functions required for defense-in-depth
- Non-Safety-Significant SSCs
  - Non-Safety-Related SSCs with No Special Treatment (NST)
    - SSCs performing non-safety-significant functions
* SR SSCs are also relied on during DBAs to meet 10 CFR 50.34 dose limits using conservative assumptions
SSC Risk Significance
- A prevention or mitigation function of the SSC is necessary to meet the design objective of keeping all LBEs within the F-C target.
  - The LBE is considered within the F-C target when a point defined by the upper 95%-tile uncertainty of the LBE frequency and dose estimates is within the F-C target.
- The SSC makes a significant contribution to one of the cumulative risk metrics used for evaluating the risk significance of LBEs.
  - A significant contribution to each cumulative risk metric limit is satisfied when total frequency of all LBEs with failure of the SSC exceeds 1% of the cumulative risk metric limit. The cumulative risk metrics and limits include:
    - The total frequency of exceeding a site boundary dose of 100 mrem < 1/plant-year (10 CFR 20)
    - The average individual risk of early fatality within 1 mile of the Exclusion Area Boundary (EAB) < 5x10^-7/plant-year (QHO)
    - The average individual risk of latent cancer fatalities within 10 miles of the EAB shall not exceed 2x10^-6/plant-year (QHO)
SSC Category Relationships
[Figure: relationship among All Plant SSCs, PRA Modeled SSCs, Safety-Significant SSCs, Risk-Significant SSCs, and Safety-Related SSCs]
Derivation of Special Treatment Requirements
SR SSCs
- Required to be protected against Design Basis External Hazard Levels (DBEHLs)
- Required Functional Design Criteria (RFDC) derived from Required Safety Functions (RSFs); may be used with ARDCs in formulating principal design criteria
- SSC level Safety Related Design Criteria (SRDC) developed from RSFs
SR and NSRST SSCs (all Safety Significant SSCs)
- SSC reliability and capability performance targets
- Focus on prevention and mitigation functions identified in LBEs
- Integrated decision making process to derive additional specific special treatment requirements, if any
- Reflects concepts from 10 CFR 50.69 and NEI-00-04 from existing reactors from a forward fit perspective
- Reflects Commission's expectations for risk-informed and performance based regulation from SRM to SECY 98-0144
Quality Assurance for Safety Significant SSCs
SR SSC QA:
The QA requirements for SR SSCs are expected to meet the applicable parts of 10 CFR 50 Appendix B. Application of Appendix B QA is focused on the SR classified SSC in the performance of its Required Safety Functions and the QA requirements developed under Appendix B are expected to be performance based. Specifics of the SR applications of the applicable QA program elements are evaluated as part of the Integrated Decision Process.
NSRST SSC QA:
The applicable requirements for NSRST SSCs are expected to meet the user's commercial quality programs. Application of the NSRST QA program requirements is focused on the SSC in the performance of its safety functions identified in the LBEs responsible for the safety classification and is expected to be performance-based. Specifics of the NSRST aspects of the applicable program elements are also evaluated as part of the Integrated Decision Process in evaluating defense-in-depth adequacy.
PRA Development
- Although not required, early introduction of PRA into design process is encouraged and facilitates risk-informing design decisions
- Scope and level of detail consistent with scope and level of detail of design and site information and fit for purpose in RIPB decisions
- Depending on the stage of the design, PRA event-sequences include those hazards that have state of practice PRA methods and involve single and multiple reactor modules and include risk significant non-reactor sources
- ASME/ANS non-LWR PRA standard specifically designed to support LMP PRA applications
- Limitations and uncertainties associated with PRA addressed in the evaluation of defense-in-depth adequacy and deterministic inputs to RIPB decisions
- LMP recognizes iterative nature of design development, PRA development, and RIPB decisions along the way
DID Adequacy Framework
Role of DID Evaluation for External Events
- All risk-informed and performance based (RIPB) decisions in LMP are implemented via an Integrated Decision Process (IDP) that incorporates defense-in-depth principles
- IDP sets the reliability and capability performance targets for all safety significant (SR and NSRST) SSCs
  - These include special treatment requirements including protections against external hazards
- IDP uses a set of attributes defined in NEI 18-04 to evaluate:
  - Plant Capability for DID
  - Programmatic elements of DID
  - RIPB evaluation of DID
LMP Treatment of Safety Functions
[Figure: diagram relating the following elements]
- Safety functions: Fundamental Safety Functions (FSFs); PRA Safety Functions (PSFs); Required Safety Functions (RSFs); Other Risk Significant Safety Functions; Other Safety Functions for Adequate DID; Other Safety Functions; Functions Provided in the Design
- SSC classes: Safety Related (SR) SSCs; Non-SR with ST (NSRST) SSCs; Non-SR With No ST SSCs (NST)
- Design inputs: Required Functional Design Criteria (RFDC); SR SSC Design Criteria (SRDC); SR SSC Performance Targets; SR SSC Special Treatment Requirements; NSRST SSC Performance Targets; NSRST SSC Special Treatment Requirements; Design Basis External Hazard Levels (DBEHLs); Input to Design and Content of Application
- Events and targets: LBEs from PRA (AOOs, DBEs, and BDBEs); Design Basis Accidents (DBAs); Frequency-Consequence and Cumulative Risk Targets
LMP TREATMENT OF EXTERNAL HAZARDS
Incorporation of External Events into LBEs
- PRAs introduced at early stage of design are limited in scope and level of detail commensurate with design development
- A technically adequate at-power internal events PRA may be used for the initial selection of LBEs, selection of SR SSCs and definition of DBAs; alternatively LBE process tasks may be implemented after a more mature stage is reached
- Design Basis External Hazard Levels (DBEHLs) are selected to design the protections against area events, e.g. internal fires and floods, and external hazards, e.g. seismic events, external flooding, high winds and missiles
- When SR SSC requirements to be protected against the DBEHLs are incorporated with appropriate design margins, the DBAs derived from the internal events PRA are expected to be stable (note that each DBA initiating event may be due to internal or external causes).
- As external hazards and area events are incorporated into the PRA there will be new AOOs, DBEs, and BDBEs and risk insights to incorporate; but no new DBAs
- Application of the LMP methodology is an iterative and flexible process
Design Basis External Hazard Levels
DBEHL Scope
- Seismic Events
- Other external hazards
- Area events such as internal fires and floods
Options to establish the DBEHLs
- Use existing regulatory guides
- Select hazard levels via probabilistic hazard analysis consistent with 95th percentile 10^-4/plant-year DBE cut-off
DBEHLs become part of the reliability and capability targets for the SR SSCs in the performance of their Required Safety Functions
Not applicable to NSRST but there may be some need to protect against hazards
External Events Considerations for SSCs
When external events are incorporated into the PRA there will be new LBEs initiated by external hazards and possibly (but doubtful) some new risk significant LBEs
DBEs associated with external hazards should only involve success states for any SR SSCs that are protected against DBEHLs
Any new LBEs with failure of SR SSCs should be BDBEs or event sequences less likely than BDBEs
There should be no new DBAs but rather new DBEs that map into the original DBAs determined from internal events
The new LBEs may produce additional risk significant SSCs which may increase the population of NSRST SSCs; this may lead to new capability targets to protect these NSRST SSCs against external hazards.
Unless the new LBEs lead to new risk significant SSCs, there should be no capability targets to protect NSRST SSCs against external hazards
Role of NLWR PRA Standard
Trial use standard issued in 2013; extensively used in pilot PRAs
ASME/ANS RA-S-1.4-2020 has been approved by JCNRM and is currently in review by ANSI
NRC plans to endorse in a regulatory guide in 2021
Incorporates input from the Next Edition of the LWR PRA standard
Incorporates both absolute and relative risk metrics to establish risk significance and specifically designed to support LMP
Treatment of external hazards expanded to include:
- Use of bounding site characteristics for Design Certification PRAs
- Treatment of event sequences involving different plant operating states, multiple reactors and non-reactor sources of radionuclides
Questions?
BACK-UP SLIDES
LBE Considerations for TICAP
Identification of LBEs
- Sources of Rns within scope of application
- AOOs, DBEs, and BDBEs
Identification and Justification for RSFs for each source of Rns
- PRA Safety Functions for each DBE and High Consequence BDBE
- Justification for sufficiency of selected RSFs
Selection of SR SSCs
- Confirm availability of SR SSCs on all DBEs
- Justification for SR SSC selection
Definition of DBAs and source terms for Chapter 15
Available Precedents: See MHTGR LBE selection Topical Report
PRA Development
Typical PRA Development Interfaces
Evaluation of X-energy LBEs Against F-C Target
eVinci Functional Event Tree Top Events
Initiating Event, Reactivity Control, Heat Removal, Containment, End State
The IEs identified in the PRA are processed through the functional event tree
The evaluated eVinci Micro-Reactor design has three strategies for reactivity control:
- CDS
- ESS
- The passive release of hydrogen from the moderator*
The evaluated eVinci Micro-Reactor design includes two strategies for heat removal:
- Heat removal via the secondary side system
- Conduction through the core block to the canister with natural draft heat removal from the outside surface of the canister to an air duct system that channels air to the surrounding environment.
The evaluated eVinci Micro-Reactor design relies on the CCS for the containment function.
As the figure of merit for the evaluated eVinci Micro-Reactor risk assessment is a release frequency, even success states can result in limited releases.
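The branch logic of a functional event tree with these top events, as an added Python example that is not part of the presentation or of the eVinci PRA. It assumes a function is lost only when every strategy listed above fails and that failures are independent; all probabilities and the initiating event frequency are constructed values.

```python
from itertools import product

# Strategies credited for each top event, as listed on the slide.
# Every probability below is constructed for illustration; none comes from
# the eVinci PRA.
TOP_EVENTS = {
    "Reactivity Control": {
        "CDS": 1e-3,
        "ESS": 1e-3,
        "Passive hydrogen release from moderator": 1e-2,
    },
    "Heat Removal": {
        "Secondary side system": 1e-2,
        "Conduction and natural draft air cooling": 1e-4,
    },
    "Containment": {"CCS": 1e-3},
}


def function_failure_probability(strategies):
    """A safety function is lost only if every credited strategy fails.

    Assumes the strategies fail independently (no common cause failures).
    """
    p_fail = 1.0
    for p in strategies.values():
        p_fail *= p
    return p_fail


def quantify(ie_frequency, top_events=TOP_EVENTS):
    """Walk every branch of the functional event tree for one initiating event.

    Returns a dict that maps the tuple of failed functions (the end state)
    to the sequence frequency per plant-year.
    """
    names = list(top_events)
    p_fail = {n: function_failure_probability(top_events[n]) for n in names}
    end_states = {}
    for outcome in product((True, False), repeat=len(names)):
        freq = ie_frequency
        for name, success in zip(names, outcome):
            freq *= (1.0 - p_fail[name]) if success else p_fail[name]
        failed = tuple(n for n, ok in zip(names, outcome) if not ok)
        end_states[failed] = freq
    return end_states


def frequency_with_function_failed(end_states, function):
    """Sum the frequency of every sequence in which `function` is lost."""
    return sum(f for failed, f in end_states.items() if function in failed)


if __name__ == "__main__":
    IE_FREQUENCY = 1e-2  # constructed initiating event frequency, per plant-year
    states = quantify(IE_FREQUENCY)
    for failed, freq in sorted(states.items(), key=lambda kv: -kv[1]):
        label = "all functions successful" if not failed else "failed: " + ", ".join(failed)
        print(f"{freq:10.3e}  {label}")
```

The branch frequencies always sum back to the initiating event frequency, which is a quick consistency check on any event tree quantification.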
Functional Event Tree for eVinci Micro-Reactor
eVinci Micro-Reactor Fission Product Source Terms
Columns after Gap Fraction: Heat-Up and Cooldown Release Fractions including the Gap Fraction, by peak temperature
| Species | Gap Fraction | 750°C Min | 750°C Nom | 750°C Max | 850°C Min | 850°C Nom | 850°C Max | 950°C Min | 950°C Nom | 950°C Max |
|---|---|---|---|---|---|---|---|---|---|---|
| Duration | | 2.3 hrs | 2.8 hrs | 3.5 hrs | 4.3 hrs | 5.3 hrs | 6.4 hrs | 6.2 hrs | 7.6 hrs | 9.3 hrs |
| Nobles | 1.7E-04 | 5.0E-04 | 5.7E-04 | 6.6E-04 | 3.1E-03 | 3.6E-03 | 4.5E-03 | 1.8E-02 | 2.1E-02 | 2.7E-02 |
| I | 1.4E-04 | 4.0E-04 | 4.5E-04 | 5.3E-04 | 2.4E-03 | 2.9E-03 | 3.6E-03 | 1.4E-02 | 1.7E-02 | 2.1E-02 |
| Cs | 1.4E-04 | 4.6E-04 | 5.3E-04 | 6.2E-04 | 3.0E-03 | 3.5E-03 | 4.4E-03 | 1.8E-02 | 2.1E-02 | 2.6E-02 |
| Sr | 1.7E-06 | 5.0E-06 | 5.7E-06 | 6.6E-06 | 3.1E-05 | 3.6E-05 | 4.5E-05 | 1.8E-04 | 2.2E-04 | 2.7E-04 |
| Mo | 4.4E-05 | 1.3E-04 | 1.4E-04 | 1.7E-04 | 7.6E-04 | 9.1E-04 | 1.1E-03 | 4.5E-03 | 5.4E-03 | 6.7E-03 |
| Ba | 3.5E-06 | 1.0E-05 | 1.1E-05 | 1.3E-05 | 6.1E-05 | 7.3E-05 | 8.9E-05 | 3.6E-04 | 4.3E-04 | 5.4E-04 |
| La | 3.5E-08 | 1.0E-07 | 1.1E-07 | 1.3E-07 | 6.1E-07 | 7.3E-07 | 9.0E-07 | 3.6E-06 | 4.3E-06 | 5.4E-06 |
| Ce | 3.5E-08 | 1.0E-07 | 1.1E-07 | 1.3E-07 | 6.1E-07 | 7.3E-07 | 9.0E-07 | 3.6E-06 | 4.3E-06 | 5.4E-06 |
| Sb | 8.7E-05 | 2.5E-04 | 2.8E-04 | 3.3E-04 | 1.5E-03 | 1.8E-03 | 2.2E-03 | 9.0E-03 | 1.1E-02 | 1.3E-02 |
| Te | 1.4E-04 | 4.0E-04 | 4.5E-04 | 5.3E-04 | 2.4E-03 | 2.9E-03 | 3.6E-03 | 1.4E-02 | 1.7E-02 | 2.1E-02 |
| Ru | 8.7E-06 | 2.5E-05 | 2.8E-05 | 3.3E-05 | 1.5E-04 | 1.8E-04 | 2.2E-04 | 9.1E-04 | 1.1E-03 | 1.4E-03 |
eVinci LBE Evaluation Against F-C Target
PRA Standard for Advanced Non-LWR Nuclear Power Plants 12/31/2018
Scope of non-LWR Standard
Multiple plant operating and shutdown states
Event sequences developed to include end states with mechanistic source terms and offsite radiological consequences (similar to LWR Level 3 PRA)
Technology inclusive end states and risk metrics
- Frequencies of event sequences, event sequence families, and release categories
- Mechanistic source terms and radiological doses and health effects
- Options with requirements for user defined end states (e.g., sodium boiling)
Event sequences involving two or more reactors or radionuclide sources
Requirements for PRAs done at preoperational design stages
Requirements to address uncertainties in establishing passive system reliability
JCNRM requirement to maintain consistency with LWR PRA standards where appropriate
Technical Elements with Integrated Treatment of Hazards
PRAs Using Standard
| PRA | Reactor Type | PRA Organization | Time Frame |
|---|---|---|---|
| PRISM | SFR | GE-Hitachi, ANL | 2017 |
| HTR-PM | PB-HTGR | Tsinghua Univ. ROC | 2013-Present |
| TWR | SFR | Terrapower | 2013-Present |
| PBMR | PB-HTGR | PBMR Ltd. | 2006-2010 |
| Xe-100 | PB-HTGR | X-Energy | 2014-Present |
| MCFR | MSR | Terrapower | 2014-Present |
| FHR | MSR/PB | Kairos | 2018-Present |
| MSRE | MSR | EPRI, Vanderbilt Univ. | 2018-Present |
| eVinci | Micro-Reactor | Westinghouse | 2019-Present |
| HTGR | Prismatic HTGR | JAEA, Japan | 2017-Present |
| CFR-600 | SFR | ANL | 2018-Present |
| VTR | SFR | GE-Power, ANL | 2019-Present |
Lessons Learned from Pilots
Consensus among pilots that standard was useful in establishing PRA technical adequacy
Most significant and useful feedback obtained from PRISM, HTR-PM and TWR PRAs
More clarification needed on intent of some requirements
Most significant technical issues include:
- Issues with applying LWR PRA approach to risk significance
- Need more guidance on dealing with very small risk levels
- Need to rethink roles of relative and absolute risk importance measures
Sufficient experience in applying trial use standard to justify development of ANSI version of standard
NRC Plan to Endorse non-LWR Standard
NRC Statement at public meeting:
- ASME/ANS RA-S-1.4 provides an acceptable means to establish the scope and technical adequacy of the PRA
- NRC will issue interim staff guidance for near term use of current 2013 trial use version of standard in 2020
- NRC continues to support the development of the next edition of the standard
- NRC plans to issue a RG similar to RG 1.200, but a different RG, to endorse the next edition of the non-LWR standard to be balloted in 2020
PRA Considerations for TICAP
LMP encourages (does not require) PRA to be introduced early in the conceptual design; scope and design evolve in iterative fashion
Scope of PRA governed by NRC requirements in Part 50 and 52
ASME/ANS RA-S-1.4-2020 used to perform PRA for applicable scope
Summarize results of PRA and risk insights in Chapter 19 or equivalent
Use of PRA to support LMP is regarded as a PRA application and outside the domain of the PRA standard. Covered elsewhere in application, topical reports, or in-house documentation subject to audit:
- Grouping and classifying event sequence families into LBEs
- Evaluating risk significance of LBEs against F-C and cumulative risk targets
- Input to identification of RSFs, RFDC, and SRDC
- Input to SSC Safety Classification
- Input to evaluation of DID adequacy
Experience in Application of LMP Methodology
MHTGR DBEs
DBE-1 Loss of offsite power initiating event and SCS forced cooling, successful reactor trip, passive cooling via RCCS, intact HPB and no release involving a single reactor module.
DBE-2 Main Loop Transient with Control Rod Trip failure, successful reactor trip via RSS, forced cooling via SCS, intact HPB and no release involving a single reactor module.
DBE-3 Control Rod Withdrawal, with successful reactor trip, Main Loop forced cooling failure, forced cooling via SCS, intact HPB and no release involving a single reactor module.
DBE-4 Control Rod Withdrawal with successful reactor trip, loss of Main and SCS forced cooling via failures, passive cooling via RCCS, intact HPB and no release involving a single reactor module.
DBE-5 Seismic event with loss of offsite power, successful reactor trip, continued forced cooling via Main Loops or SCS, intact HPB and no release involving all four reactor modules.
DBE-6 Moderate SG leak with successful reactor trip, SG isolation and dump, forced cooling via SCS, intact HPB and no release involving a single reactor module.
DBE-7 Moderate SG leak with successful reactor trip, SG isolation and dump, failure of forced cooling via SCS, intact HPB and no release involving a single reactor module.
DBE-8 Moderate SG leak with moisture monitor failure, successful manual reactor trip, SG isolation and dump, forced cooling via SCS, intact HPB and no release involving a single reactor module.
DBE-9 Moderate SG leak with successful reactor trip and SG isolation, failure of SG dump, forced cooling via SCS, circulating activity release via open primary relief valve to reactor building involving a single reactor module.
DBE-10 Moderate HPB leak with successful reactor trip, continued forced cooling, release of circulating activity and lift-off of plateout to reactor building involving a single reactor module.
DBE-11 Small HPB leak with successful reactor trip, failure of forced cooling via Main and SCS Loops, passive cooling via RCCS, partial release of circulating activity and delayed fuel release to reactor building involving a single reactor module.
Comparison of Required Safety Functions
| LMP Pilot | Radionuclide Sources Considered |
|---|---|
| MHTGR | Core and Reactor Coolant System |
| Xe-100 | Core and Reactor Coolant System |
| PRISM | Reactor Core only |
| Kairos-FHR | Core and Reactor Vessel |
| MSRE | Fuel Salt System and Drain Tank |
| Westinghouse eVinci | Entire Micro Reactor Plant |
Required Safety Functions
- Retain Rn in Fuel Particles
- Control Chemical Attack
- Control Heat Generation
- Control Heat Removal
- Retain Rn in Fuel Particles
- Control Chemical Attack
- Control Heat Generation
- Control Heat Removal
- Remove Core Heat
- Reactivity Control
- Maintain Fuel Particle Integrity
- Control Core Reactivity
- Remove Decay Heat
- Maintain Vessel Integrity
- Maintain Confinement of Rns
- Control Chemical Behavior
- Control Nuclear Heat Generation
- Control Heat Removal and Addition
- Containment of Radioactive Material
- Reactivity Control
- Decay Heat Removal Control
MHTGR Selection of Safety Related SSCs for Control Core Heat Removal Safety Function
| Alternate Sets of SSCs | DBE 1 | DBE 2 | DBE 3 | DBE 4 | DBE 5 | DBE 6/7 | DBE 8/9 | DBE 10 | DBE 11 | SSCs Classified as SR? |
|---|---|---|---|---|---|---|---|---|---|---|
| Reactor, HTS, ECA | No | No | No | No | No | No | No | No | No | No |
| Reactor, SCS, SCWS | No | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
| Reactor, RV, RCCS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Reactor, RV, RB | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
Example MHTGR DBAs 1 of 3
DBE = Design Basis Events; DBA = Design Basis Accidents
DBE-1 Loss of offsite power initiating event and SCS forced cooling, successful reactor trip, passive cooling via RCCS, intact HPB and no release involving a single reactor module. (corresponds to PRA sequence family with frequency of 5x10^-5/plant-year or about 1x10^-5/reactor-year)
DBA-1 Loss of Main and SCS forced cooling, successful reactor trip, passive cooling via RCCS, intact HPB and no release involving a single reactor module (corresponds to PRA sequence family with frequency of 5x10^-5/plant-year or about 1x10^-5/reactor-year)
DBE-2 Main Loop Transient with Control Rod Trip failure, successful reactor trip via RSS, forced cooling via SCS, intact HPB and no release involving a single reactor module. (corresponds to PRA sequence family with frequency of 7x10^-5/plant-year or about 2x10^-5/reactor-year)
DBA-2 Loss of Main and SCS forced cooling with Control Rod Trip failure, successful reactor trip via RSS, passive cooling, intact HPB and no release involving a single reactor module. (corresponds to PRA sequence family with frequency of 7x10^-5/plant-year or about 2x10^-5/reactor-year)
DBE-3 Control Rod Withdrawal, with successful reactor trip, Main Loop forced cooling failure, forced cooling via SCS, intact HPB and no release involving a single reactor module. (corresponds to PRA sequence family with frequency of 2x10^-3/plant-year or about 5x10^-4/reactor-year)
DBA-3 DBA-4 Control Rod Withdrawal, with successful reactor trip, failure of forced cooling via Main loops and SCS, passive cooling via RCCS, intact HPB and no release involving a single reactor module. (corresponds to PRA sequence family with frequency of 7x10^-5/plant-year or about 2x10^-5/reactor-year)
DBE-4 Control Rod Withdrawal with successful reactor trip, loss of Main and SCS forced cooling via failures, passive cooling via RCCS, intact HPB and no release involving a single reactor module. (corresponds to PRA sequence family with frequency of 7x10^-5/plant-year or about 2x10^-5/)
Example MHTGR DBAs 2 of 3
DBE = Design Basis Events; DBA = Design Basis Accidents
DBE-5 Seismic event with loss of offsite power, successful reactor trip, continued forced cooling via Main Loops or SCS, intact HPB and no release involving all four reactor modules. (corresponds to PRA sequence family with frequency of 2x10^-4/plant-year or 2x10^-4/reactor-year)
DBA-5 Seismic event with loss of offsite power, successful reactor trip, failure of forced cooling via Main Loops and SCS, passive cooling via RCCS, intact HPB and no release involving all four reactor modules. (corresponds to PRA sequence family with frequency of 6x10^-8/plant-year or ~6x10^-8/reactor-year)
DBE-6 Moderate SG leak with successful reactor trip, SG isolation and dump, forced cooling via SCS, intact HPB and no release involving a single reactor module. (corresponds to PRA sequence family with frequency of 5x10^-2/plant-year or about 1x10^-2/reactor-year)
DBA-6 Moderate SG leak with successful reactor trip and SG isolation, failure of SG dump, failure of forced cooling via SCS, passive cooling via RCCS, circulating activity and delayed fuel release via primary relief valve to reactor building involving a single reactor module. (corresponds to PRA sequence family with frequency of 2x10^-7/plant-year or 5x10^-8/reactor-year)
DBE-7 Moderate SG leak with successful reactor trip, SG isolation and dump, failure of forced cooling via SCS, intact HPB and no release involving a single reactor module. (corresponds to PRA sequence family with frequency of 4x10^-5/plant-year or 1x10^-5/reactor-year)
DBA-7 DBA-8 DBA-9 Moderate SG leak with successful reactor trip and SG isolation, failure of SG dump, failure of forced cooling via SCS, passive cooling via RCCS, circulating activity and delayed fuel release via primary relief valve to reactor building involving a single reactor module. (corresponds to PRA sequence family with frequency of <10^-8/plant-year or <10^-8/reactor-year)
DBE-8 Moderate SG leak with moisture monitor failure, successful manual reactor trip, SG isolation and dump, forced cooling via SCS, intact HPB and no release involving a single reactor module. (corresponds to PRA sequence family with frequency of 4x10^-5/plant-year)
DBE-9 Moderate SG leak with successful reactor trip and SG isolation, failure of SG dump, forced cooling via SCS, circulating activity release via open primary relief valve to reactor building involving a single reactor module. (corresponds to PRA sequence family with frequency of 2x10^-4/plant-year)
Example MHTGR DBAs 3 of 3
DBE = Design Basis Events; DBA = Design Basis Accidents
DBE-10 Moderate HPB leak with successful reactor trip, continued forced cooling, release of circulating activity and lift-off of plateout to reactor building involving a single reactor module (corresponds to PRA sequence family with frequency of 1x10^-2/plant-year or about 3x10^-3/reactor-year)
DBA-10 Moderate HPB leak with successful reactor trip, failure of forced cooling via Main loops and SCS, passive cooling via RCCS, release of circulating activity, delayed fuel release, and lift-off of plateout to reactor building involving a single reactor module (corresponds to PRA sequence family with frequency of 6x10^-8/plant-year or about 1.5x10^-8/reactor-year)
DBE-11 Small HPB leak with successful reactor trip, failure of forced cooling via Main and SCS Loops, passive cooling via RCCS, partial release of circulating activity and delayed fuel release to reactor building involving a single reactor module (corresponds to PRA sequence family with frequency of 3x10^-4/plant-year or about 8x10^-5/reactor-year)
DBA-11 Small HPB leak with successful reactor trip, failure of forced cooling via Main and SCS, partial release of circulating activity and delayed fuel release to reactor building involving a single reactor module (corresponds to PRA sequence family with frequency of <10^-8/plant-year or <10^-8/reactor-year)
Top Down Process of Allocating Design Criteria to Safety Related SSCs
| Safety Case Element | Definition | Reference |
|---|---|---|
| Radionuclide (Rn) Source | Starting point for defining the scope of the PRA which includes all Rn sources with the potential for producing a risk significant event sequence | ASME/ANS RA-S-1.4-2020 |
| PRA Safety Function (PSF) | Reactor design specific SSC functions modeled in a PRA that serve to prevent and/or mitigate a release of radioactive material from a specified source or to protect one or more barriers to release. | ASME/ANS RA-S-1.4-2020, NEI 18-04 |
| Required Safety Function (RSF) | A PRA Safety Function that is required to be fulfilled to maintain the consequence of one or more DBEs or the frequency of one or more high-consequence BDBEs inside the F-C Target | NEI 18-04 |
| Required Functional Design Criteria (RFDC) | Reactor design-specific sub-functions and functional criteria that are necessary and sufficient to meet the RSFs | NEI 18-04 |
| Safety-Related Design Criteria (SRDC) | Design criteria for SR SSCs (in performing their RSFs) that are necessary and sufficient to fulfill the RFDCs for those SSCs selected to perform the RSFs | NEI 18-04 |
MHTGR Required Functional Design Criteria 1 of 4
Required Safety Function: Required Functional Design Criteria
Retain Radionuclides in Fuel Particles: The reactor fuel shall be designed, fabricated, and operated in such a manner that minor radionuclide releases from the fuel to the primary coolant will not exceed acceptable values.
Control Chemical Attack: The vessel and other components that limit or prevent the ingress of air or water shall be designed, fabricated, and operated in such a manner that the amount of air or water reacting with the core will not exceed acceptable values.
Control Heat Generation: The intrinsic dimensions and power densities of the reactor core, internals, and vessel, and the passive cooling pathways from the core to the environment, shall be designed, fabricated, and operated in such a manner that the fuel temperatures will not exceed acceptable values.
Control Heat Removal: The reactor shall be designed, fabricated, and operated in such a manner that the inherent nuclear feedback characteristics will ensure that the reactor thermal power will not exceed acceptable values. Additionally, the reactivity control system(s) shall be designed, fabricated, and operated in such a manner that during insertion of reactivity, the reactor thermal power will not exceed acceptable values.
MHTGR Required Functional Design Criteria 2 of 4
Required Safety Function / Required Safety Sub-Functions: Required Functional Design Criteria
Control Chemical Attack: The vessel and other components that limit or prevent the ingress of air or water shall be designed, fabricated, and operated in such a manner that the amount of air or water reacting with the core will not exceed acceptable values.
- Limit Fuel Hydrolysis: The steam, feedwater and other cooling systems shall include a reliable means to limit the amount of steam and water that can enter the reactor vessel to an acceptable level.
- Limit Fuel Oxidation: The primary system/boundary shall be designed and fabricated to a level of quality that is sufficient to ensure high reliability of the primary system/boundary integrity needed to prevent air ingress during normal and off-normal conditions. The plant shall be designed, fabricated, operated, and maintained in a manner that ensures that the primary system boundary design limits are not exceeded.
MHTGR Required Functional Design Criteria 3 of 4
Required Safety Function / Required Safety Sub-Functions: Required Functional Design Criteria
Control Heat Generation: The intrinsic dimensions and power densities of the reactor core, internals, and vessel, and the passive cooling pathways from the core to the environment, shall be designed, fabricated, and operated in such a manner that the fuel temperatures will not exceed acceptable values.
- Control with Movable Poisons: Two independent and diverse sets of movable poison equipment shall be provided in the design. Either set shall be capable of limiting the heat generation of the reactor to acceptable levels during off-normal conditions.
- Shutdown Reactor: The equipment needed to sense, command, and execute a trip of the control rods, along with any necessary electrical power, shall be designed, fabricated, and operated in such a manner that reactor core shutdown is assured during off-normal conditions.
- Shutdown Reactor Diversely: The equipment needed to sense, command, and execute a trip of the reserve shutdown control equipment, along with any necessary electrical power, shall be designed, fabricated, operated, and maintained in such a manner that the shutdown of the reactor core is assured during off-normal conditions.
- Maintain Geometry for Insertion of Movable Poisons: The design, fabrication, operation, and maintenance of the control rod guide tubes, the graphite core and reflectors, the core support structure, the core lateral restraint assemblies, the reactor vessel, and reactor vessel support shall be conducted in such a manner that their integrity is maintained during off-normal conditions as well as provide the appropriate geometry that permits the insertion of the control rods into the outer reflector to effect reactor shutdown. The design, fabrication, and operation of the reserve shutdown control equipment guide tubes, the graphite core and reflectors, the core support structure, the core lateral restraint assemblies, the reactor vessel, and reactor vessel support shall be conducted in such a manner that their integrity is maintained during off-normal conditions, as well as provide the appropriate geometry that permits the insertion of reserve shutdown control material to effect reactor shutdown.
MHTGR Required Functional Design Criteria 4 of 4
Required Safety Function / Required Safety Sub-Functions: Required Functional Design Criteria
Control Heat Removal: The reactor shall be designed, fabricated, and operated in such a manner that the inherent nuclear feedback characteristics will ensure that the reactor thermal power will not exceed acceptable values. Additionally, the reactivity control system(s) shall be designed, fabricated, and operated in such a manner that during insertion of reactivity, the reactor thermal power will not exceed acceptable values.
- Transfer Heat to Ultimate Heat Sink: A highly reliable, passive means of removing the heat generated in the reactor core and radiated from the reactor vessel wall shall be provided. The system shall remove heat at a rate which limits core and vessel temperatures to acceptable levels during a loss of forced circulation.
- Conduct Heat from Core to Vessel Wall: The reactor core shall be designed and configured in a manner that will ensure sufficient heat transfer by conduction, radiation, and convection to the reactor vessel wall to maintain fuel temperatures within acceptable limits following a loss of forced cooling. The materials which transfer the heat shall be chosen to withstand the elevated temperatures experienced during this passive mode of heat removal. This criterion shall be met with the primary coolant system both pressurized and depressurized.
- Radiate Heat from Vessel Wall: The vessel shall be designed in a manner that will ensure that sufficient heat is radiated to the surroundings to maintain fuel and vessel temperatures within acceptable limits. This criterion shall be met with the primary coolant system in both a pressurized and depressurized condition.
- Maintain Geometry for Conduction and Radiation: The design, fabrication, operation, and maintenance of the core support structure, graphite core and reflectors, core lateral restraint assembly, reactor vessel, reactor vessel support, and reactor building shall be in such a manner that their integrity is maintained during off-normal conditions so as to provide a geometry conducive to removal of heat from the reactor core to the ultimate heat sink and maintain fuel temperatures within acceptable limits.
MHTGR Safety Related SSCs
MHTGR SR SSC for Core Heat Removal RSF
Reactor Cavity Cooling System (RCCS)
Passive reactor cavity cooling system relying on air natural convection to the environment to provide passive core heat removal and protect the vessel and supports
SRDC for the RCCS
The RCCS shall have the capability to remove sufficient decay heat from the reactor core to prevent overheating of the outer control rods, the reactor, vessel, and vessel internals.
The RCCS shall have the capability of removing sufficient decay heat from the reactor core to maintain peak fuel temperatures below 1600°C (2900°F).
The RCCS shall provide the required decay heat removal capability for the duration of the HTS and SCS shutdown whether the vessel is pressurized (with full primary coolant inventory) or depressurized.
Offsite radionuclide releases are to be limited as necessary to meet the numerical dose guidelines of the Top-Level Regulatory Criteria.
In the event of a loss of primary coolant pressure boundary integrity, the RCCS shall be capable of withstanding a 69 kPa (10 psi) differential pressure.
Comparison of LMP and 10 CFR 50.69 SSC Safety Categories
Roles of SSC Reliability and Capability in Prevention and Mitigation of Accidents
[Figure: event tree with F-C plot. Event tree headings: Plant Disturbance; Plant features prevent initiating event?; SSC1 Prevents Fuel Damage?; SSC2 Limits Release?; LBE; End State; Frequency; Dose; Defense-in-Depth Layers Challenged [1]. End states: disturbance controlled with no plant trip; (1) no fuel damage or release; (2) fuel damage w/ limited release; (3) fuel damage w/ un-mitigated release. Frequency labels: fd, fdp0, fdp0p1, fdp0p1p2; dose labels: 0, dlow, dhigh. F-C plot axes: Frequency, Consequence, showing LBE-1, LBE-2 and LBE-3 against the F-C Target. SSC Performance Attribute for Special Treatment: reliability of plant features preventing initiating event; capability to prevent fuel damage; reliability of mitigation function; capability to limit release from fuel damage. Functions listed for Plant, SSC1 and SSC2: prevent initiating event; mitigate initiating event; prevent fuel damage; help prevent large release; mitigate fuel damage; prevent unmitigated release.]
[1] See Figure 2-4 for definition of defense-in-depth layers
SSC Classification Summary
LMP retains the NGNP SSC safety categories of SR, NSRST, and NST
SR and NSRST SSCs classified as safety significant
Absolute risk metrics used to determine SSC and LBE risk significance
NSRST SSCs include other risk significant SSCs and SSCs requiring some special treatment for DID adequacy
Minimum special treatment is the formulation of reliability and capability targets for safety significant SSCs and a program to monitor performance against targets
Reliability and capability targets linked to the prevention and mitigation functions of the safety significant SSCs, respectively
Appendix B QA focused on performance of SR SSCs in the performance of the RSFs
Owners QA applied to NSRST SSCs in the performance of their prevention and mitigation functions responsible for classification as NSRST
Specifics of special treatment defined via Integrated Decision Process using forward fit 10 CFR 50.69 process
SSC Safety Classification Considerations for TICAP
Scope of SR SSCs expected to be much smaller for non-LWRs
Level of detail highest for SR SSCs, moderate for NSRST, and nominal industrial for NST
Assignment of reliability requirements for SR and NSRST SSCs creates need for DRAP
Assignment of capability requirements for SR and NSRST SSCs can be tied to selected codes and standards
Justification for special treatment requirements beyond performance targets and monitoring is provided as part of defense-in-depth evaluation.
Defense In Depth Adequacy Evaluation and Use of an Integrated Decision Making Process (IDP)
NRC Defense in Depth Philosophy
...an approach to designing and operating nuclear facilities that prevents and mitigates accidents that release radiation or hazardous materials. The key is creating multiple independent and redundant layers of defense to compensate for potential human and mechanical failures so that no single layer, no matter how robust, is exclusively relied upon. Defense in depth includes the use of access controls, physical barriers, redundant and diverse key safety functions, and emergency response measures.
DID Adequacy Approach
Builds on NGNP DID approach also reflected in ANS-53.1
Evaluation of DID adequacy is both risk-informed and performance-based.
The layers of defense and attributes of the NRC and IAEA DID frameworks are more visibly represented.
DID attributes for plant capability and programmatic DID have been enhanced for consistency with the measures defined in the LMP Guidance Document
This process is used to evaluate each LBE and to identify the DID attributes that have been incorporated into the design to prevent and mitigate accident sequences and to ensure that they reflect adequate SSC reliability and capability.
Those LBEs with the highest levels of risk significance are given greater attention in the evaluation process.
The practicality of compensatory actions for DID purposes is considered in the context of the individual LBE risk significance and in a cumulative manner across all LBEs
DID Concept from NUREG/KM-0009
LMP DID Adequacy Evaluation - Specific Objectives
- Establish alignment with accepted definitions of the DID philosophy and describe how multiple layers of defense are deployed to establish DID adequacy
- Describe how the concept of protective strategies of DID is used to define DID attributes that are incorporated into the plant capabilities that support each layer of defense.
  o The resolution of the general concept of protective strategies into a set of DID attributes is necessary to support an objective evaluation of DID adequacy.
- Summarize the programmatic attributes of DID to provide adequate assurance that the DID plant capabilities in the design are realized when the plant is constructed and commissioned and are maintained during the plant design life cycle
- Discuss the roles of programmatic DID attributes to compensate for uncertainties, human errors, and hardware failures
- Identify the importance of defenses against common cause failures and the need to minimize dependencies among the layers of defense
- Present guidelines for evaluating and establishing a DID adequacy baseline
- Achieve agreement on when DID adequacy is achieved among those responsible for designing, operating, reviewing, and licensing advanced non-LWRs
Layers of Defense Adapted from IAEA
Role of the Integrated Decision Making Process
- The reactor designer is responsible for ensuring that DID is achieved through the incorporation of DID features and programs in the design phases and, in turn, for conducting the evaluation that arrives at the decision of whether adequate DID has been achieved
- The reactor designer uses an Integrated Decision Making Process (IDP) to ensure there is input from multiple functional areas
- Later, the reactor designer or plant operator may confirm DID adequacy through the use of an Integrated Decision Making Process Panel (IDPP) for the reference baseline confirmation
Integrated Decision Making Process (IDP)
Use of an IDP during the design stage should include participants with the following typical functional competencies as appropriate for the state of development and DID topics:
o Safety Analysis
o Design Engineering
o System Engineering
o Risk Management (i.e., PRA)
o Operations and Maintenance
o Nuclear Licensing
Participants should receive the complete LMP training
DID Adequacy Evaluation Process
- DID baseline evaluation is developed using an Integrated Decision Process (IDP) and updated during each design/licensing phase
- Defense-in-depth is deemed as adequate when:
  o Plant capability DID is deemed to be adequate.
    - Plant capability DID guidelines are satisfied.
    - Review of LBEs is completed with satisfactory results.
  o Programmatic DID is deemed to be adequate.
    - Performance targets for SSC reliability and capability are established.
    - Sources of uncertainty in selection and evaluation of LBE risks are identified.
    - Special treatment for all SR and NSRST SSCs is sufficient.
Timing of IDP Evaluations
- Completing the evaluation of the DID adequacy of a design is not a one-time activity
- The Designer is expected to integrate the RIPB-DM process as much as practical into the design process to minimize the potential for revisions late in the design phases due to DID considerations
- IDP DID adequacy evaluations would be expected to occur, as a minimum, in concert with completion of each major phase of design:
  o conceptual,
  o preliminary,
  o detailed, and
  o final
- Additionally occur in response to any significant design changes or new risk-significant information at any phase of design or licensing, construction or operations
Inputs to the IDP Evaluation
The LMP and design processes will generate data and evaluations that will be subject to the IDP, including:
o Licensing Basis Event (LBE) event sequences and categorization into event categories
o A summary of other radiological hazards not modeled in the PRA
o Evaluations of LBEs against the F-C curve
o Identification of required safety functions
o Evaluations of plant risk against cumulative risk targets
o Identification of defense-in-depth layers challenged by each LBE
o Listing of safety-related (SR) SSCs
o Identification of Design Basis Accidents (DBAs)
o Safety evaluation of DBAs
o Listing of non-safety related SSCs with special treatment (NSRST)
o Identification of functional design criteria for SR SSCs
o Determinations of special treatment requirements for SR and NSRST SSCs
o Listing of Programmatic DID capabilities
Plant Capability Defense-In-Depth Attributes
The table below provides a listing of the integrated DID attributes and principal evaluation focus of the Plant Capability DID evaluation scope using an IDP [Box 12]

| Attribute | Evaluation Focus |
|---|---|
| Initiating Event and Event Sequence Completeness | PRA Documentation of Initiating Event Selection and Event Sequence Modeling |
| | Insights from reactor operating experience, system engineering evaluations, expert judgment |
| Layers of Defense | Multiple Layers of Defense |
| | Extent of Layer Functional Independence |
| | Functional Barriers |
| | Physical Barriers |
| Functional Reliability | Inherent Reactor Features that contribute to performing PRA Safety Functions |
| | Passive and Active SSCs performing PRA Safety Functions |
| | Redundant Functional Capabilities |
| | Diverse Functional Capabilities |
| Prevention and Mitigation Balance | SSCs performing prevention functions |
| | SSCs performing mitigation functions |
| | No Single Layer / Feature Exclusively Relied Upon |

DID Adequacy Evaluation (cont.)
o Plant capability DID is deemed to be adequate:
  - Plant capability DID guidelines in Table 5-2 (next slide) are satisfied
  - Risk margins against F-C target are sufficient
  - Risk margins against Cumulative Risk Targets are met
  - Role of SSCs in the prevention and mitigation at each layer of defense challenged by each LBE is understood
  - Prevention/mitigation balance is provided across layers of defense
  - Classification of SSCs into SR, NSRST, and NST is appropriate
  - Risk significance classification of LBEs and SSCs is appropriate
  - Independence among design features at each layer of defense is sufficient
  - Design margins in plant capabilities are adequate to address uncertainties identified in the PRA
DID Adequacy Evaluation (cont.)
Layer[a] guidelines:
- 1) Prevent off-normal operation and AOOs
  o Layer guideline: Maintain frequency of plant transients within designed cycles; meet user requirements for plant reliability and availability[b]
- 2) Control abnormal operation, detect failures, and prevent DBEs
  o Quantitative: Maintain frequency of all DBEs < 10^-2/plant-year
  o Qualitative: Minimize frequency of challenges to safety-related SSCs
- 3) Control DBEs within the analyzed design basis conditions and prevent BDBEs
  o Quantitative: Maintain frequency of all BDBEs < 10^-4/plant-year
  o Qualitative: No single design or operational feature[c] relied upon to meet quantitative objective for all DBEs
- 4) Control severe plant conditions, mitigate consequences of BDBEs
  o Quantitative: Maintain individual risks from all LBEs < QHOs with sufficient[d] margins
  o Qualitative: No single barrier[c] or plant feature relied upon to limit releases in achieving quantitative objectives for all BDBEs
- 5) Deploy adequate offsite protective actions and prevent adverse impact on public health and safety
Overall guidelines:
  o Quantitative: Meet F-C target for all LBEs and cumulative risk metric targets with sufficient[d] margins
  o Qualitative: No single design or operational feature,[c] no matter how robust, is exclusively relied upon to satisfy the five layers of defense
Notes:
[a] The plant design and operational features and protective strategies employed to support each layer should be functionally independent
[b] Non-regulatory user requirements for plant reliability and availability and design targets for transient cycles should limit the frequency of initiating events and transients and thereby contribute to the protective strategies for this layer of DID. Quantitative and qualitative targets for these parameters are design specific.
[c] This criterion implies no excessive reliance on programmatic activities or human actions and that at least two independent means are provided to meet this objective.
[d] The level of margins between the LBE risks and the QHOs provides objective evidence of the plant capabilities for DID. Sufficiency will be decided by the IDP.
Table 5 Guidelines for Establishing the Adequacy of Overall Plant Capability Defense-in-Depth
[Any SSCs necessary to meet this guideline would be regarded as performing a safety function necessary for adequacy of plant capability DID]
DID Adequacy Evaluation (cont.)
The table below provides a listing of the integrated DID attributes and principal evaluation focus on Programmatic DID evaluation scope [Box 17]

| Attribute | Evaluation Focus |
|---|---|
| Quality / Reliability | Performance targets for SSC reliability and capability |
| | Design, manufacturing, construction, O&M features, or special treatment sufficient to meet performance targets |
| Compensation for Uncertainties | Compensation for human errors |
| | Compensation for mechanical errors |
| | Compensation for unknowns (performance variability) |
| | Compensation for unknowns (knowledge uncertainty) |
| Off-Site Response | Emergency response capability |

Table 2 Programmatic DID Attributes
DID Adequacy Evaluation (cont.)
The table below provides a listing of the integrated decision-making attributes and principal evaluation focus of the IDP in the overall RIPB DID evaluation scope

| Attribute | Evaluation Focus |
|---|---|
| Use of Risk Triplet Beyond PRA | What can go wrong? |
| | How likely is it? |
| | What are the consequences? |
| Knowledge Level | Plant Simulation and Modeling of LBEs |
| | State of Knowledge |
| | Margin to PB Limits |
| Uncertainty Management | Magnitude and Sources of Uncertainties |
| Action Refinement | Implementation Practicality and Effectiveness |
| | Cost/Risk/Benefit Considerations |

Margins
Plant Performance Margins
- Best Estimate
  o Reflected in the margins between LBE frequencies and consequences and the F-C target
  o One way to demonstrate enhanced margins consistent with NRC Advanced Reactor Policy; event sequence families below QHOs
- With Uncertainty Bands
  o AOOs that overlap DBE region
  o BDBEs that overlap DBE region
- DBA LBE Margins
  o Compared to 10 CFR 50.34
  o Compared to 10 CFR 100
SSC-Level Safety Margins
- Margins in design codes selected to provide a robust capability to support the mitigation function of safety significant SSCs;
- Margins in the performance requirements selected to ensure that SSCs will perform their prevention functions with adequate reliability.
Evaluating Margins Against F-C Target
Considerations in the Evaluation of DID Adequacy (cont.)
- Metrics
  o LBE Risk Significance
    - F-C Target
    - Cumulative Risk Targets
  o SSC Risk Significance
    - Impact on F-C Target
    - Impact on Cumulative Risk Targets
- Margins
  o Plant performance margins (LBEs)
  o SSC design performance conservatism
Considerations in the Evaluation of DID Adequacy (cont.)
- Uncertainties
  o Completeness
  o Analyzed Uncertainties
  o Residual Risks
- Compensatory Action Decisions
  o Choices
  o Impact on Risk
  o Timing
  o Practicality
Uncertainties
- Completeness
  o PRA completeness for identified hazards
  o Sources of risk-significant uncertainties
  o Treatment of radiological and other hazards not included in PRA
- Analyzed
  o Data Availability
  o Model Maturity
  o Performance History
- Residual Risks
  o EPZ basis
  o EP response effectiveness
  o Tech Spec Completeness
  o AOT basis
  o Monitoring of Plant Long Term Performance
  o Etc.
Using an IDP in Defining Compensatory Actions
- The timing, as well as risk-significance, of when the need for additional DID capabilities is identified should influence the decision of what form of compensatory actions are taken
- Programmatic actions alone should not be taken to solve a plant performance vulnerability associated with an event that can lead directly to exceedance of an applicable safety target, goal, or regulation
- The choice of compensatory action includes:
  o design changes to mitigate undesirable dose consequences,
  o reliability improvements in the physical design,
  o the special treatment applied to risk-significant SSCs,
  o programmatic controls or processes that improve the likelihood of performance success, or
  o a combination that provides meaningful improvements in the risk profile for a given risk-significant LBE
Using an IDP in Defining Special Treatments
- Special Treatments, which include reliability and capability performance targets and programs to ensure targets are met and maintained, are defined to address uncertainties about plant performance relative to risk targets
- The IDP is used to evaluate special treatments for SR and NSRST SSCs including the setting of performance targets for SSC reliability, availability, and capability and any other treatments deemed necessary as a result of the DID evaluation.
- Examples of special treatment are provided in Table 4-1 of NEI-18-04; examples in LMP SSC Report
- Where additional special treatments are deemed beneficial for DID purposes, the IDP will be used to consider additional compensatory actions.
- Additional compensatory actions should provide meaningful benefits to the risk-significant performance of the plant and/or improvements in the management of risk-significant uncertainties.
Compensatory Action Decisions
- Choices
  o Plant Capability
  o Programmatic
  o Mix
- Impact on Risk
  o Improve Plant Capability
    - LBE Outcome Changes
    - Layers of Defense increase or independence improvements
  o Improve Plant Performance Assurance
    - Programmatic actions
    - Reduction of Risk Significant Sources of Uncertainty
  o Reduce Residual Uncertainties
    - Siting and Emergency Planning performance
    - External Independent Oversight
- Timing - Life Cycle Considerations
- Practicality
  o When is enough, enough?
DID Adequacy Established/Documented Using an IDP
- The RIPB evaluation of DID adequacy continues until the recurring evaluation of plant and programmatic DID associated with design and PRA update cycles no longer identifies risk-significant vulnerabilities where potential compensatory actions may be needed
- This determination is made using an IDP and documented initially in a preliminary DID integrated baseline evaluation report which is subsequently revised as the iterations through the design cycles and design evaluation evolve
- At this point, a DID baseline can be finalized to support the final design and operations of the plant
Baseline Establishment
- The DID Adequacy baseline information is expected to become part of the license application (See DG 1353)
- The level of detail in the application is expected to be a summary of results similar in purpose to the PRA summary information in Chapter 19
- The details of the evaluation should be maintained under a process control procedure and documents retained for the life of the plant
Transitioning from Design Phase DID to Operations
- Once the design phase DID adequacy baseline is completed, changes in operations may be effectively evaluated using a standing panel
- The panel would operate similar to the PORC or equivalent
- Panel members should collectively provide, as a minimum, the technical expertise outlined in the DID section of NEI 18-04
- Qualifications, records of deliberations and closure of recommendations should be consistent with the owner's Operations QAP
- The change control procedures could be incorporated with the plant 50.59 change control process or similar licensing basis change control procedures
LMP Methodology Summary
LMP methodology is a RIPB approach to:
- Selecting and evaluating LBEs
- Safety classification of SSCs
- Developing performance targets for SSC reliability and capability
- Incorporating defense-in-depth principles to RIPB decisions
- Confirming adequacy of defense-in-depth
LMP goal is to contribute to consistency in preparation of successful license applications for advanced non-LWRs
The TICAP discussion on how the LMP impacts content of applications has just begun:
- Aspects to include in license application
- Aspects to retain internally for NRC audit
Key LMP References
- Nuclear Energy Institute, NEI 18-04, Modernization of Technical Requirements for Licensing of Advanced Non-Light Water Reactors, Risk-Informed Performance-Based Technology Inclusive Guidance for Non-Light Water Reactor Licensing Basis Development, Report Revision 1, August 2019.
- U.S. Nuclear Regulatory Commission, Draft Regulatory Guide - DG 1353, Guidance for a Technology-inclusive, Risk-informed, and Performance-based Approach to Inform the Content of Applications for Licenses, Certifications, and Approvals for Non-light-water Reactors, April 2019.
- Idaho National Laboratory, Modernization of Technical Requirements for Licensing of Advanced Non-Light Water Reactors - Selection and Evaluation of Licensing Basis Events, Rev 0, August 2019.
- Idaho National Laboratory, Modernization of Technical Requirements for Licensing of Advanced Non-Light Water Reactors - Probabilistic Risk Assessment Approach, Rev 0, August 2019.
- Idaho National Laboratory, Modernization of Technical Requirements for Licensing of Advanced Non-Light Water Reactors - Safety Classification and Performance Criteria for Structures, Systems and Components, Rev 0, August 2019.
- Idaho National Laboratory, Modernization of Technical Requirements for Licensing of Advanced Non-Light Water Reactors - Risk-Informed and Performance-Based Evaluation of Defense-in-Depth Adequacy, Rev 0, August 2019.
The Key Consideration
SRP Chapter 15.0 statement:
If the risk of an event is defined as the product of the event's frequency of occurrence and its consequences, then the design of the plant should be such that all the AOOs and postulated accidents produce about the same level of risk (i.e., the risk is approximately constant across the spectrum of AOOs and postulated accidents). This is reflected in the general design criteria (GDC), which generally prohibit relatively frequent events (AOOs) from resulting in serious consequences, but allow the relatively rare events (postulated accidents) to produce more severe consequences.
Conclusion:
To meet this requirement LBE Selection has to be RIPB
Options: Ad hoc RIPB Approach vs. Systematic RIPB Process
Use of HAZOPs at Early Phase of Design Development
[Flowchart; box labels:]
- Identify/Characterize Radionuclide Sources
- Define Radionuclide Barriers and Supporting Structures
- Define Reactor Specific Safety Functions Protecting Each Barrier
- Identify SSCs and Operator Actions Supporting Each Safety Function
- Identify Failure Modes of Each Barrier and SSCs Providing Safety Functions
- Identify Challenges to Preventing Barrier and SSC failure modes
- Exhaustive Enumeration of Reactor Specific Initiating Events
- Building Blocks for: Reactor Design Iteration; Design-Specific PRA Model Development
- Select Risk Metrics for Risk-Informed Performance-Based Decisions
- Event Sequence Development, Success Criteria, Fault Tree Analysis and End States
- Mechanistic Source Term Development, Physical and Phenomenological Consequence Analysis
- Process Hazard Analysis (PHA) (e.g., HAZOP, FMEA)
- PHA Evaluation of Processes for Each Source
- Boundary Conditions for PHA Evaluation of Source Processes
- PHA Functions Identified to Control Process Deviations
- PHA SSCs Identified to Prevent Deviation Causes
- PHA Identification of Causes of Deviations
- PHA Evaluation of Consequences of Deviations
- Early Phase Engineering Design Baseline
Integration of LMP Process Tasks
- Tasks are iterative; not sequential
- Tasks can begin early in the conceptual design process and mature with the design evolution
- Discovery mode or confirmatory mode
- Event sequence families from a PRA used as key input to selecting LBEs
- SSC classification and evaluation are integrated with the LBE selection and evaluation tasks
- Defense-in-depth evaluation is integrated with the LBE selection and evaluation and is an integral part of the SSC classification and performance requirement determination
- Tasks include deterministic and probabilistic elements and involve RIPB decisions to support the design and formulate and evaluate the safety case.
[Flowchart; task boxes recoverable from the figure:]
- 1. Establish initial design capabilities
- 2. Establish F-C Target Based on TLSTs
- 4. Define scope of PRA for current design phase
- 5. Perform PRA
- 7. Evaluate LBE risks vs. F-C Target
- 8. Evaluate plant risks vs Cumulative Risk Targets
- 11. Perform safety analysis of DBAs
- 12. Confirm Plant Capability DID adequacy
- 13. Identify NSRST SSCs
- 14. Define and evaluate FDC for SR SSCs
- 15. Evaluate uncertainties and margins
- 17. Confirm Programmatic DID adequacy
- 18. DID adequacy established; Document/Update DID Baseline evaluation
Other figure labels: Risk Significant SSCs; Other SSCs needed for DID Adequacy; Iterate as required
Acronyms: F-C Frequency Consequence; DID Defense-in-Depth; FDC Functional Design Criteria; LBE Licensing Basis Events; NSRST Non-Safety Related with ST; SSC Structure, System, Component; ST Special Treatment; SR Safety Related; TLSTs Top Level Safety Targets
MHTGR Phased Development of PRA
X-Energy HTGR Slow Depressurization Event Tree
Major Components of eVinci Micro-Reactor
Figure labels: Emergency Shutdown Core Reflectors & Shielding Control Drum Drive Heat Pipes Primary Heat Exchanger Canister
Uses of PRA in LMP Methodology
- Supporting and evaluating the design options and trade studies
- Identifying the spectrum of LBEs to be considered
- Evaluating the risk significance of LBEs against F-C Target
- Performing an integrated risk assessment of plants that may be comprised of two or more reactor modules and associated non-core sources of radioactive material
- Safety classification of SSCs
- Development of performance targets for the reliability and capability of SSCs in the prevention and mitigation of accidents
- Determining integrated plant performance margins compared to risk targets
- Exposing and evaluating sources of uncertainty in the identification of LBEs and in the estimation of their frequencies and consequences, and providing key input to the evaluation of the adequacy of DID
- Providing risk and performance-based insights into the evaluation of the design DID adequacy
- Supporting other risk-informed and performance-based (RIPB) decisions
PRA Standard Background
- In 2006 ASME BNCS directed the CNRM to initiate PRA standards for advanced LWRs and non-LWRs
- PRA applications envisioned for non-LWR standard included:
  o Incorporation of risk insights into design
  o Selection of licensing basis events
  o SSC safety classification
  o Evaluation of defense-in-depth adequacy
- Technology inclusive approach adopted to address all known advanced non-LWR concepts using integrated treatment of hazards
- Coordination of non-LWR and ALWR WGs for consistency in treatment of preoperational PRAs
- Draft standard issued for review and comment in 2008
- Standard issued by JCNRM for trial use in 2013 (ASME/ANS RA-S-1.4-2013)
- Trial Use Standard used in many pilot applications
- Balloting for ANSI version of standard expected in 2020
LMP SSC Safety Classification Approach
Example Risk Margins for MHTGR

| LBE Category | Limiting LBE[a] Name | Mean Freq./plant-yr. | Mean Dose (Rem) | F-C Target Freq. at LBE Dose/plant-yr.[b] | Mean Frequency Margin[c] | F-C Target Dose at LBE Freq. (Rem)[d] | Dose Margin[e] |
|---|---|---|---|---|---|---|---|
| AOO | AOO-5 | 4.00E-02 | 2.50E-04 | 4.00E+02 | 1.00E+04 | 1.00E+00 | 4.00E+03 |
| DBE | DBE-10 | 1.00E-02 | 2.00E-03 | 6.00E+01 | 6.00E+03 | 1.00E+00 | 5.00E+02 |
| BDBE | BDBE-2 | 3.00E-06 | 4.00E-03 | 2.50E+01 | 8.30E+06 | 2.50E+02 | 6.00E+04 |

Notes:
[a] The Limiting LBE is the LBE with the highest risk significance in the LBE category
[b] Frequency value measured at the LBE mean Dose level from the F-C target, see [2]
[c] Ratio of the frequency in note [b] to the LBE mean frequency, mean frequency margin
[d] Dose value measured at the LBE mean frequency from the F-C target, see [4]
[e] Ratio of the Dose in note [d] to the LBE mean dose, Mean Dose Margin

| LBE Category | Limiting LBE[a] Name | 95th Percentile Freq./plant-yr. | 95th Percentile Dose (Rem) | F-C Target Freq. at LBE Dose/plant-yr.[b] | 95th Percentile Frequency Margin[c] | F-C Target Dose at LBE Freq. (Rem)[d] | 95th Percentile Dose Margin[e] |
|---|---|---|---|---|---|---|---|
| AOO | AOO-5 | 8.00E-02 | 1.10E-03 | 9.00E+01 | 1.13E+03 | 1.00E+00 | 9.09E+02 |
| DBE | DBE-10 | 2.00E-02 | 6.00E-03 | 2.00E+01 | 1.00E+03 | 1.00E+00 | 1.67E+02 |
| BDBE | BDBE-2 | 1.00E-05 | 1.50E-02 | 8.00E+00 | 8.00E+05 | 1.00E+02 | 6.67E+03 |

Notes:
[a] Limiting LBE is LBE with highest risk significance in LBE Category
[b] Frequency value measured at the LBE 95th percentile Dose level from the F-C target, see [6]
[c] Ratio of the frequency in note [b] to the LBE 95th percentile frequency, 95th percentile Frequency Margin
[d] Dose value measured at the LBE 95th percentile frequency from the F-C target, see [8]
[e] Ratio of the Dose in note [d] to the LBE 95th percentile dose, 95th percentile Dose Margin
RIPB Seismic Safety Approach (Integration of ASCE 43 Design Criteria with the LMP Framework)
September 2-3, 2020 NRC Headquarters Rockville, Maryland
Contributors
- Nilesh Chokshi
- Robert Budnitz
- MK Ravindra
- Bis Dasgupta
- John Stamatakos
- Osvaldo Pensado (project manager)
Nuclear Regulatory Commission
- Jim Xu
- Jon Ake
- Ramon Gascot-Lozada (project manager)
Disclaimer
This project was performed by the Southwest Research Institute for the Office of Nuclear Regulatory Research of the U.S. Nuclear Regulatory Commission (NRC).
Reported results are preliminary, and part of an ongoing research program.
The expressed views do not necessarily reflect the views or regulatory position of the U.S. Nuclear Regulatory Commission.
Outline of the Overall Presentation
- Part 1 - Proposed Risk-Informed and Performance-Based (RIPB) Approach
- Part 2 - Demonstration of Feasibility through Simple Examples
- Part 3 - Questions and Challenges Related to Implementation
- Part 4 - Phase 2 Activities and Scope
The four presentations are intended to elicit feedback from the participants and draw some insights to be summarized in the final session. These insights will be considered as we finalize the Phase 1 report and develop plans for Phase 2
RIPB Approaches to Safety of Nuclear Facilities (Integration of LMP Framework and ASCE 43 Performance-Based Design Approach)
Part 1 - Proposed Approach
Outline of Part 1 Presentation
- Discussion of objectives
- Discussion of draft Phase 1 report outline
- Brief review of key assumptions and principles of ASCE 43 and 4
- Brief overview of LMP approach
- Discussion of process for integrating seismic design in the RIPB framework
- Overarching considerations in implementing the LMP/ASCE 43 Integration process
- Technical considerations
- Summary
Objectives of Phase 1 Project
Propose an approach that:
- Aligns with the LMP concepts with its emphasis on using event sequences to understand safety importance of individual SSCs
- Develops strategies linking ASCE seismic performance goals to LMP risk-informed SSC categorization
- Evaluates the adequacy of ASCE criteria in meeting target performance goals
Identify potential activities for the next phase
The Phase 1 draft report describes the proposed LMP/ASCE 43 Integration approach and potential activities for the next phase.
Phase 1 Draft Report Outline
- Chapter 1 - Introduction
- Chapter 2 - Regulatory Framework: This chapter discusses the pertinent NRC regulations and seismic design guidance
- Chapter 3 - Incorporating the Enhanced RIPB Concepts in the Seismic Design Process: This chapter proposes a stepwise, iterative process to align seismic design with the RIPB framework (referred to as the LMP/ASCE 43 Integration Approach). The considerations involved in implementing this process are described in detail. The process considers design issues for both advanced reactor designs and existing (or similar) large light water reactors along with Part 52 and Part 50 licensing considerations
- Chapter 4 - Approaches to Evaluate the Feasibility of a Seven-Step Seismic Design Process: This chapter describes three different approaches to demonstrate several aspects of the LMP/ASCE 43 Integration Approach. A detailed approach using existing seismic PRAs will be considered for implementation in the next phase
- Chapter 5 - Summary, Conclusions, and Next Steps: Includes identification of potential activities for the next phase
The draft report may be updated considering the feedback from this workshop.
Brief Review of ASCE 43
- Seismic design criteria for structures, systems, and components in nuclear facilities
- The acceptable performance level (the target performance goal) for an individual SSC is achieved by selecting the return period of the DBE ground motion in terms of the Seismic Design Category (SDC)
- The Limit State (LS) defines the required performance in terms of the limiting acceptable design condition of the SSC and is adjusted based on the safety function and risk significance of the component
This approach allows the designer to control conservatisms and safety margins in accordance with the risk significance of SSCs, permitting more balanced design
ASCE 43 - Concept of Seismic Design Categories (SDC) and Design Basis Earthquakes (DBEs)
ANS 2.26 provides guidance to assign categories - SDC 5 is considered applicable to NPPs.
The categories were developed for DOE facilities but are more broadly applicable

| Seismic Design Category | 2 | 3 | 4 | 5 |
|---|---|---|---|---|
| Target performance goal, PF, per year | 4 x 10^-4 | 1 x 10^-4 | 4 x 10^-5 | 1 x 10^-5 |

DBE response spectrum (DRS) or acceleration time series: DRS = SF x UHRS_Hp, Hp = PF
SF = Scale factor at each spectral frequency
SF accounts for slope characteristics of a hazard curve
ASCE 43 - Limit States

| Limit State | Structural Deformation Limits |
|---|---|
| A | Large permanent distortion, short of collapse; significant damage |
| B | Moderate permanent distortion; generally repairable damage |
| C | Limited permanent distortion; minimal damage |
| D | Essentially elastic behavior; negligible damage |

Limit state D is currently used for safety-related SSCs in NRC-regulated nuclear power plants
Overview of RIPB Approach
[Flowchart: LMP-RIPB Process for Seismic Design; box labels:]
- Individual SSC Design (ASCE 43): Establish Performance Target; Assign Design Limits/Functional Requirements
- Seismically Induced Initiating Events
- Seismic Event Sequence Quantification
- Seismic System Model Event Trees and Fault Trees
- SSC Seismic Fragilities Curves
- Individual Event Sequences: 1. Frequency; 2. Dose Consequence
- Verify Risk Criteria: 1. F-C curve Target; 2. Integrated Risk
- Licensing Basis Events (LBEs)
- Refine SSC Design/System, If Needed
- Performance-based Design Response Spectrum (DRS)
- Seismic Hazard Curve
- PSHA Seismic Hazard Curve and Uniform Hazard Response Spectra
- Plant Configuration and Operations
- Seismic Design codes and Standards
- Integrated Decision-Making
- Final Categorization of SSCs for Seismic Design
- Risk Importance Analysis
- Probabilistic Risk Assessment
- Design of SSCs
- LMP Safety Classification
- Defense-in-Depth Adequacy
- Results
- Site and Facility Information
- Fragility
Process for Integrating Seismic Design in the RIPB Framework LMP/ASCE 43 Integration Approach (Chapter 3)
Guiding Principles
- Integrate within the broader RIPB framework, which concentrates on the contribution of each SSC in the relevant event sequences
- Build on existing RIPB approaches in structural/seismic engineering (for example, ASCE 1, 4, 43)
- Recognize that the design process remains the familiar deterministic process
- Utilize existing codes and standards to the maximum extent feasible;
- Useable with any regulatory framework (e.g., Part 52 and Part 50); and
- Identify and suggest updates to the regulatory framework and guidance, as necessary
- Ensure that the approach is technology inclusive
Overview of the Process
- In using the ASCE 43 SDCs and LSs graded approach, it is clear that the performance goals for different SSCs cannot be derived from the F-C plot
- There are many SSCs in various event sequences, and hence there is no unique solution to achieving the overall safety goal
- Therefore, one potential approach is to use predetermined SSC categories and Limit States and rely on the PRA to demonstrate how close the resulting F-C pairs are to the target and how the design meets the cumulative risk metrics
- Process can lead to identification of additional Licensing Basis Events (LBEs) and the recategorization of SSCs
- The risk target can be achieved by re-designating the safety classification, selectively hardening/relaxing the design, introducing redundancy, improving random failure rates, improving human-error probabilities, or some combination of these
Seven Step Process
Seven Steps (1)
Step 1 - Initial Selection of the ASCE 43 SDC and LS categories
- Establish an initial categorization of SSCs based on an internal event PRA and available design information
Step 2 - Seismic Design
- This step is not intended as a rigorous re-design of the entire plant, but as a design assessment of the components that are candidates for alternative SDC and LS designations, so that more realistic fragilities can be estimated in the next step
Step 3 - Fragility Determination
- Details of designs dictate to a large extent the realistic and component-specific fragilities. It is unlikely that complete realistic fragilities will be available or developed at the initial design stage. Generic fragilities currently used in the design of NPPs are based on LS-D. It is not necessary to use the most accurate fragilities for choosing alternate SDCs and LSs. It is possible to estimate a range of potential changes in the fragilities and obtain robust insights on the feasibility of alternatives.
Seven Steps (2)
Step 4 - Perform Seismic PRA
- Perform a SPRA using the fragilities developed in Step 3 and the SPRA models developed in accordance with the applicable codes and guidance
Step 5 - Check the proposed classification against the risk criteria (Integrated Decision-Making)
- The results of the initial PRA are evaluated to determine whether the individual event sequence risks fall within the F-C curve, whether the integrated risk criteria and the defense-in-depth criteria are met, and which risk-significant LBEs fall within the acceptable margin on the F-C curves
Step 6 - Iteration
- Based on the Step 5 results, this step determines whether the categorizations achieved in Steps 2 through 5 should be iterated to meet the desired safety and cost goals, and the applicable regulatory requirements
Step 7 - Final SSC Classification
- The final SSC categorization is established to be the basis for the detailed and final seismic design and licensing of a certified design
Seismic Design of SSCs
- The SDC/LS category for each SSC requiring a seismic design is determined based on the outcome of the LMP/ASCE 43 Integration approach
- The design response spectra for each SDC are derived from PSHA results using ASCE 43
- Seismic response analysis is performed using ASCE-4 methods - similar to current requirements
- Design of SSCs follows engineering approaches in appropriate codes and standards
- Design of building elements is performed to meet ACI-349 and 359 and AISC N690 codes
- Design of mechanical equipment, piping systems, cable tray systems and HVAC systems will follow ASME codes - no change from current practice
- Seismic design and qualification of electrical components will follow current IEEE standards
- Design alternatives (e.g., base isolation) and sophistication (e.g., non-linear analysis) can be pursued as appropriate
- In summary, for the most part, there are no changes to current design practice, except that there may be more SDC/LS categories for consideration, requiring additional response analyses
SPRA of Final Designs
- Under current Part 52, final SPRAs are performed at the following three completeness stages reflecting status of the design and available information at each stage:
  1. For the certified design application;
  2. For the combined license application considering site-specific hazard, site, and other information; and
  3. Before the fuel loading, considering as-designed, as-built, and other operating conditions
- Plant and site-specific fragility analyses and SPRAs will follow the accepted methodologies specified in either the LWR PRA standard or the non-LWR PRA standard
- Results of these SPRAs will serve as final checks against applicable risk criteria and other integrated decision-making considerations, such as defense-in-depth aspects
Overarching Considerations for Implementing the LMP/ASCE-43 Integration
- Stability and flexibility of design
- Stability during licensing process
- Operational stability over the lifetime
- Ability to deal with new knowledge and emerging issues
- Compliance with regulations with the goal to optimize safety and cost benefits
- Strategies for radiological sources other than reactors (e.g., spent fuel pool, radwaste structures, etc.)
Technical Considerations Related to the Selection of SDC and LS Categories
- Minimum requirement
- Level of detail at the design stage. Completeness of a PRA and adequate technical detail
- Considerations related to SPRA for this specific application
- Part 52 process
- Selection of OBE
- Shutdown and restart criteria after an earthquake
- Complexity of design process
Seismic Hazard Curves for Selected Sites
[Figure: seismic hazard curves for selected sites]
Minimum Requirement (DRS for Various SDC Categories)
[Figure: two panels, "Rock Site" and "Deep Soil Site"]
Reductions in Ground Motion Levels for Various SDC Categories
| Site | Ratio of PGA Values: SSDRS4/SSDRS5 | Ratio of PGA Values: SSDRS3/SSDRS5 | Ratio of Spectral Accelerations at 5 Hz: SSDRS4/SSDRS5 | Ratio of Spectral Accelerations at 5 Hz: SSDRS3/SSDRS5 |
|---|---|---|---|---|
| A | 0.49 | 0.29 | 0.50 | 0.30 |
| B | 0.48 | 0.30 | 0.50 | 0.30 |
| C | 0.67 | 0.49 | 0.65 | 0.46 |
| D | 0.56 | 0.37 | 0.57 | 0.37 |
| E | 0.57 | 0.39 | 0.60 | 0.42 |
| F | 0.50 | 0.30 | 0.45 | 0.26 |
| G | 0.52 | 0.32 | 0.51 | 0.31 |
| H | 0.55 | 0.38 | 0.58 | 0.40 |
| I | 0.58 | 0.40 | 0.60 | 0.42 |
Ratios of PGA and 5 Hz SA for Various SDC Categories
Reductions in Seismic Demands for Alternate Limit States
Ratio of reduction of forces for different limit states compared to LSD:
| Reinforced concrete shear walls, in-plane | LSA/LSD | LSB/LSD | LSC/LSD |
|---|---|---|---|
| Shear controlled walls, aspect ratio: height/length < 2.0 | 0.50 | 0.57 | 0.67 |
Reductions in Seismic Demand for a Shear Wall due to Inelastic Energy Absorption Factor
CSDRS5 Ground Motion
[Figure: SSDRS5 for All Sites]
CSDRS4 Ground Motion
[Figure: SSDRS4 for All Sites]
Insights
- Our analysis shows that relaxation of the SDC requirement (i.e., SDC-5 to SDC-4) provides substantial benefits and is generally more easily implemented than relaxation of the LS requirement
  - Implementation involves regulatory and managerial considerations, in addition to changes in some technical design guidance
  - Could result in multiple design ground motions for a site and a facility
- Relaxation of the LS requirement (i.e., LS-D to LS-C) is feasible and could be a more viable option in certain situations:
  - Implementation is sometimes more complex and would require more iterations
  - Would require update of some guidance in the long term, for example, guidance related to post-earthquake restart actions
- Need to complete Phase 2 studies to demonstrate feasibility and validity of the proposed LMP/ASCE 43 Integration approach
Summary
- No inherent technical impediments to the proposed LMP/ASCE-43 Integration approach
- Although current seismic regulations and guidance do have some aspects that are Light Water Reactor (LWR) oriented, these aspects will not impede application of the proposed process
- Biggest benefit is the flexibility (not available in the current process), which could also affect aspects other than design (e.g., initial layout to optimize seismic categorization, ease in construction, operational and maintenance efficiencies, ease or difficulty in performing a robust SPRA)
- Process can be used for both Part 52 and Part 50 applications (any future licensing processes should also be accommodated)
- Process is technology inclusive, can accommodate different risk criteria, and preserves design stability and predictability
- The Phase 1 report will provide a technical basis to develop a regulatory guide to establish acceptable conditions for implementing the process