ML20241A151
| ML20241A151 | |
| Person / Time | |
|---|---|
| Issue date: | 08/28/2020 |
| From: | Jon Ake, Gascot R, Jose Pires, Jim Xu NRC/RES/DE |
| To: | |
| R. Gascot Lozada | |
| Shared Package | |
| ML20241A149 | List: |
| References | |
| Download: ML20241A151 (167) | |
Text
RESEARCH OVERVIEW ON MOVING TOWARD RIPB APPROACH FOR SEISMIC SAFETY Jim Xu1, José Pires1, Jon Ake1, Ramón L. Gascot2 1S e n i o r Level Advisor, RES/DE 2S t r u c t u r a l Engineer, RES/DE/SGSEB 1
RESEARCH OVERVIEW ON MOVING TOWARD RIPB APPROACH FOR SEISMIC SAFETY Jim Xu1, José Pires1, Jon Ake1, Ramón L. Gascot2 1S e n i o r Level Advisor, RES/DE 2S t r u c t u r a l Engineer, RES/DE/SGSEB 2
Introduction Motivations for developing seismic safety approach based on technology inclusive (TI), risk-informed and performance-based (RIPB) process o The Nuclear Energy Innovation and Modernization Act (NEIMA) - directed NRC to develop a regulatory framework based on TI-RIPB approach to ensure efficient and effective review of advanced reactors.
o Utility-led and Department of Energy (DOE) cost-shared Licensing Modernization Project (LMP) developed a frequency-consequence (F-C) based methodology for selection of licensing-basis events (LBEs);
classification and special treatments of structures, systems, and components (SSCs); and assessment of defense in depth (DID) for advanced non-light water reactors (ANLWRs) o The Commission approved the LMP approach as described in SECY-19-0117 o However, LMP methodology does not provide guidance on plant physical design Research effort to integrate ASCE 43 seismic criteria for SSCs physical design within LMP framework (LMP-ASCE) o American Society of Civil Engineers (ASCE) standard ASCE 43 provides criteria for seismic design (physical design) of SSCs that meet requisite quantitative performance goals (PF) o Performance goals and associated limit states (LS) are established based on categorizations of SSCs o Use seismic probabilistic risk assessment (SPRA) to integrate LMP-ASCE through an iterative process This workshop will discuss proposed LMP-ASCE approach and obtain stakeholders feedback 3
Outline Goals and Overview for Workshop Proposed Seismic TI-RIPB Safety Approach Regulatory Benefits Challenges Plan for Future Research Activities Milestones and Deliverables 4
Goal and Objectives for Workshop The goal is to facilitate research for developing seismic safety approach that utilizes TI-RIPB to enhance safety in a manner that is rational and cost effective Workshop objectives Provide an overview of a proposed seismic safety approach that integrates SPRA and the performance-based design process established by ASCE 43. This approach offers a TI-RIPB pathway for ANLWRs to address seismic safety within the LMP framework Obtain feedback from stakeholders and ANLWR technical community, which will be considered in planning for activities to demonstrate the feasibility and validity of the proposed approach 5
Overview Complexities associated with seismic design and performance require comprehensive treatment Regulatory framework for seismic safety Current approaches to seismic design Technology readiness for implementing TI-RIPB seismic safety for ANLWRs 6
Complexities Associated with Seismic Design and Analysis ICRS Cabinet ISRS Structure GMRS FIRS Foundation Level UHRS Soil Earthquake IHRS: Uniform Hazard Response Spectra (Source) Rock GMRS: Ground Motion Response Spectra FIRS: Foundation Input Response Spectra ISRS: In-Structure Response Spectra ICRS: In-Cabinet Response Spectra 7
Complex Technical Disciplines Involved for Seismic Safety Regulatory Oversights Mechanical, Geophysical Structural electrical, and Seismology/geology geotechnical Risk assessment engineering system engineering engineering Subsurface soil and rock Seismic Fragility Seismic source Structural analysis to characterization properties establish seismic loads Equipment seismic SPRA/SMA to assess Probabilistic site response for structures and qualification by analysis robustness of seismic Ground motion models equipment design analysis Equipment seismic Probabilistic seismic Code-based seismic qualification by testing Beyond design seismic hazard analysis (PSHA) Soil-structure interaction analysis (SSI) design capability Site Seismic hazard/UHRS Seismic induced secondary hazards (liquefaction, slope stability, etc.)
8
Technical Considerations Physical design (of structures/components) requires clearly defined performance expectations (functional designs) to support system/plant level performance Complexities introduce uncertainties Common understanding and close interactions among different technical disciplines are required to address uncertainties, especially epistemic uncertainty Aim to achieve more risk balanced system performance Considerations of non-seismic and operator actions Technology readiness for implementing TI-RIPB seismic safety 9
Regulatory Framework for Seismic Safety Regulatory bases - 10 CFR Part 50, 52, 100, Appendix S to Part 50, and Appendix A to Part 50 General Design Criterion (GDC) 2 Guidance - Regulatory Guide (RG) 1.208, Standard Review Plan (SRP) Sections 2.5, 3.7, 3.8, 3.9, 19 Seismic design to withstand site-specific hazards (safe shutdown earthquake -
SSE) for SSCs Use of SPRA to evaluate adequacy of seismic design 10
Traditional Approach to Seismic Design Aimed at preventing seismic induced core damages and mitigating radioactive material releases for large light water reactors (LWRs)
Seismic design standards for seismic category I/non-seismic category I Deterministic process SPRA to quantify risk for seismic design Proven record for adequate seismic safety for LWRs 11
Traditional Approach to Seismic Design (contd)
May not be effective and efficient for diverse ANLWR designs Designation of seismic category I/non-seismic category I lacks flexibility to accommodate diverse designs (considering safety contributions, e.g., singleton vs. doubleton)
Large disparity in risk profiles from SPRA insights Seismic design does not explicitly consider risk contribution of the SSC to system/plant level performance 12
Technology Readiness for TI-RIPB Implementation Nuclear Energy Innovation and Modernization Act (NEIMA) for ANLWRs RIPB is about integrating functional and physical designs in a more logical and systematic approach to achieve optimal system and plant level performance Utility-led and DOE cost-shared LMP developed an integrated RIPB functional design approach to group LBEs, and SSC classifications based on F-C target o Technology inclusive o Integrated process to SSC categorization considering risk insights and defense-in-depth philosophy o Emphasis on system level performance with adequate margin of safety 13
ASCE Performance-based Engineering Seismic Design 3 ASCE standards provide performance-based engineering seismic design criteria for NPPs:
o ASCE 43 - Seismic Design Criteria for Structures, Systems, and Components in Nuclear Facilities o ASCE 4 - Seismic Analysis of Safety-related Nuclear Structures and Commentary o ASCE 1 - Standard for Geotechnical Analysis, Design, Construction, Inspection and Monitoring of Nuclear Safety-Related Structures Provide seismic design (physical design) to achieve a target performance goal defined as mean annual frequency of unacceptable performance:
= /
0 14
Proposed Seismic TI-RIPB Approach Works within LMP RIPB framework o Licensing basis events o Process for categorizations of SSCs consistent with performance expectations for risk balanced function design o Criteria for meeting risk goals based on F-C target or surrogates ASCE 43 engineering criteria for SSC seismic designs o Produce physical designs of SSCs that meet desired probabilistic performance goals o Performance goals and associated limit states are established based on categorizations of SSCs Use Seismic PRA to integrate LMP-ASCE thru and iterative process 15
16 Regulatory Benefits Risk-balanced design to enhance safety while reducing unnecessary design conservatism Technology inclusive Design flexibility (apply various combinations of PF and LS vs. singe SSE and elastic LS in the current guidance) to achieve a targeted level of safety Preserving proven engineering practice and applicable nuclear codes and standards Integrated approach that explicitly incorporates all important event sequences, includes not only seismic failures but also non-seismic failures and human errors, and also accounts for programmatic considerations to support the defense-in-depth philosophy 17
Regulatory Benefits (contd)
No obvious impediments identified for implementation under both Part 52 and Part 50 licensing process Risk focused design approach potentially leads to better understood and more tailored safety margin and can also lead to cost reductions (reduced demands for low risk SSCs and a more balanced risk profile across the plant), therefore enhancing the commercial viability and competitiveness for ANLWRs Could be used as alternative to the current guidance for seismic design 18
Challenges First-of-a-kind approach for nuclear engineering seismic design in that more than one seismic design category would be available for the design of safety-related SSCs Need realistic case studies to demonstrate feasibility and validity of the approach and applicable processes Establish implementation process to determine how all aspects can be seamlessly integrated and practiced especially the extent to which that quality and level of details of SPRA should be performed to support the integration process and the defense-in-depth considerations 19
Future Research Activities Reach consensus on principal aspects of the proposed alternative approach and identify potential changes and improvements Forge collaborative effort to identify case studies that can yield the most beneficial and effective insights for implementations Develop guidance to ensure a successful pathway for licensing ANLWRs under Part 52 and Part 50 processes, or a new regulatory process 20
Milestones and deliverables Phase 1 activities:
o Developed conceptual RIPB seismic safety approach documented in the phase 1 draft report (completed) o Public workshop o Phase 1 final report (December 2020)
Phase 2 activities (2021 - TBD):
o Develop implementation plan o Identify case studies to demonstrate the proposed approach o Obtain feedback from stakeholders and practitioners o Phase 2 report and guidance (NUREG, RG, etc.)
o Identify and support potential regulatory enhancements 21
Licensing Modernization Project (LMP)
Amir Afzali Licensing and Policy Director Southern Company
Licensing Modernization Project Why: Reduce regulatory uncertainty to enable accelerated commercialization of advanced non-LWR reactors
- Consistent with the Commissions long-standing effort to transition to risk-informed, performance-based regulations
- Key to achieving modern risk-informed regulation as envisioned in the agencys Transformation Initiative.
How: Develop transparent, systematic, risk-informed, performance-based, and predictable methodology What: NEI 18-04 and four supporting reports are intended to:
- Select and evaluate Licensing Basis Events (LBEs)
- Classify Structures, Systems and Components (SSCs) based on their holistic and realistic contribution to risk
- Determine Defense-in-Depth (DiD) adequacy Southern Company 2
An Owner-Operator Perspective Licenses Needed to Build and Operate a Nuclear Power Plant Regulatory Safety Focused License Social Acceptability License Commercial Viability License License = A permit from an essential stakeholder to own or use a nuclear power plant
Reasonable Avoidance of Assurance of Unnecessary Adequate Protection Burden Regulatory License Avoiding Limiting Impacts Realizing Positive Impacts
- High construction and
- Safer plants operation cost
- Public trust
- Lengthy and costly
- International recognition licensing reviews
LBE Evaluation Chart LMP Tabletop Insights RIPB exercises Results of the Tabletop Background confirmed that:
- The LMP process can be effectively executed for a spectrum of different non-LWR concepts
- Design decisions can be optimized through an integrated and realistic analysis of the plants response
- Information obtained through the LMP-based design evaluation can be used for building a strong operational risk management program
Summary
- The LMP methodology, presented in NEI 18-04, is developed based on:
- over 20 years of industry interactions with the NRC staff on risk-informed regulatory approaches, including many public reviews and discussions
- lessons learned from a number of industry tabletop exercises, covering different technologies and designs
- Positive support of NEI 18-04:
- Commission Approval of SECY-19-0117
- Issuance of NRC RG-1233
- Next Steps
- Modernization of supporting regulatory requirements (e.g., seismic design requirements, TSs, Inspections, etc.)
- Modernization of content of application
Innovation is required for viability of any technology
- Questions
- How to innovate in a regulated industry?
- How to avoid regulatory practices becoming a ceiling for introducing new technologies and products?
- Removing barriers to innovative approaches to protecting the public, while still satisfying regulations
- How to manage regulatory uncertainties?
- Adapt vs. Adopt Approach
- How should support for variety of advanced reactor systems be balanced against focusing on one technology and demonstrating success?
- How do we indoctrinate new players to the U.S. nuclear culture and expectations and how do we benefit from their perspectives
- How should be prioritizing the research to generate the necessary technical information to support advanced technology licensing?
- LMP- Licensing Modernization Project
- NEI- Nuclear Energy Institute
- LBE- Licensing Basis Events
- DBE- Design Basis Events
- DBA- Design Basis Accidents
- BDBE- Beyond Design Basis Events
- DiD- Defense-in-Depth
- QHO- Quantitative Health Objective
- PAG- Protection Active Guide
- EAB- Exclusion Area Boundary
- Mwt- Megawatt Thermal
- F-C- Frequency-Consequence
Treatment of External Events in Applying Licensing Modernization Project Methodology Karl Fleming LMP Senior Technical Lead U.S. Nuclear Regulatory Commission Seismic Workshop September, 2020
Meeting Purpose and Objectives
Purpose:
- To provide a brief summary of the LMP methodology
- Highlight the LMP treatment of external hazards
LMP Training Topics
- LMP Methodology includes the following parts:
- Methodology overview
- Selection and evaluation of Licensing Basis Events* (LBEs)
- PRA development and role of PRA standard to establish its technical adequacy
- SSC safety classification and performance requirements
- Evaluation of defense-in-depth (DID) adequacy
Principal Focus of LMP Methodology
- Systematic, reproducible, robust ,and integrated processes for:
o Identification of safety significant LBEs appropriate for each non-LWR design based on a design specific PRA; o Safety classification of SSCs and selection of SSC performance requirements; o Establishing the risk and safety significance of LBEs and SSCs; o Demonstrating enhanced safety margins consistent with Advanced Reactor Policy; o Identification of key sources of uncertainty; o Evaluation of the adequacy of plant capabilities and programs for defense-in-depth including special treatments
- Appropriate balance of deterministic and probabilistic inputs to risk-informed decisions involved in design, operations, programs and licensing.
- Performance-based approach to setting plant and SSC reliability and capability performance targets and monitoring performance against targets.
- SSC capability targets include protection against hazards reflected in the underlying LBEs Seismic RIPB for LMP 4
LMP Methodology Approach
- Foundations laid in MHTGR, PBMR, and NGNP projects and NRC and ACRS staff reviews on key topics
- Technology inclusive risk metrics
- Use of frequency-consequence targets
- Functional containment concept
- Treatment of multi-module plants
- Reliability targets in lieu of single failure criterion
- Technology inclusive approach to defense-in-depth
- LMP enhancements to incorporate developments in RIPB decision making for wide spectrum of advanced non-LWRs 5
Seismic RIPB for LMP
LMP process attributes:
- Risk-Informed and Performance-Based (RIPB)
- Reactor Technology-Inclusive
- Sufficiently complete
- Reproducible
- Capable of identifying reactor specific safety issues
- Compatible with current applicable regulatory requirements Seismic RIPB for LMP 6
How LMP is RIPB?
- LMP is risk-informed by:
- Incorporating key inputs from a design specific PRA
- Incorporating deterministic principles via evaluation of defense-in-depth adequacy
- LMP is performance based by
- Use of a Frequency Consequence (F-C) Target and Cumulative Risk Targets to evaluate the risk significance of licensing basis events and structures, systems, and components (SSCs)
- Selection of performance-based targets for the reliability and capability of SSCs in the prevention and mitigation of accidents
- Use of programs to monitor the performance of the plant and SSCs against the performance targets
- Use of an Integrated Decision-Making Process to implement RIPB decisions that impact the safety case and its objective evaluation Seismic RIPB for LMP 7
Selection and Evaluation of Licensing Basis Events (LBEs)
Licensing Basis Events (LBEs)
- LBEs are defined broadly to include all the events used to support the safety aspects of the design and to meet licensing requirements. They cover a comprehensive spectrum of events from normal operation to rare, off-normal events.
- Categories defined as Normal Operations (NO), Anticipated Operational Occurrences (AOO), Design Basis Events (DBE), Beyond Design Basis Events (BDBE) and Design Basis Accidents (DBA)
- LBE definitions and approach build on those developed in NGNP white papers
- LMP guidance document includes glossary to clarify similarities differences in terminology with regulatory terms Seismic RIPB for LMP 9
LBE Categories Anticipated Operational Occurrences (AOOs). Anticipated event sequences expected to occur one or more times during the life of a nuclear power plant, which may include one or more reactor modules. Event sequences with mean frequencies of 1x10-2/plant-year and greater are classified as AOOs. AOOs take into account the expected response of all SSCs within the plant, regardless of safety classification.
Design Basis Events (DBEs). Infrequent event sequences that are not expected to occur in the life of a nuclear power plant, which may include one or more reactor modules, but are less likely than an AOO. Event sequences with mean frequencies of 1x10-4/plant-year to 1x10-2/plant-year are classified as DBEs. DBEs take into account the expected response of all SSCs within the plant regardless of safety classification. The objective and scope of DBEs to form the design basis of the plant is the same as in the NRC definition.
Beyond Design Basis Events (BDBEs). Rare event sequences that are not expected to occur in the life of a nuclear power plant, which may include one or more reactor modules, but are less likely than a DBE. Event sequences with mean frequencies of 5x10-7/plant-year to 1x10-4/plant -year are classified as BDBEs. BDBEs take into account the expected response of all SSCs within the plant regardless of safety classification.
Design Basis Accidents (DBAs). Postulated accidents that are used to set design criteria and performance objectives for the design and sizing of SSCs that are classified as safety-related. DBAs are derived from DBEs based on the capabilities and reliabilities of safety-related SSCs needed to mitigate and prevent accidents, respectively. DBAs are derived from the DBEs by prescriptively assuming that only SSCs classified as safety-related are available to mitigate postulated accident consequences to within the 10 CFR 50.34 dose limits.
Seismic RIPB for LMP 10
Selection and Evaluation of LBEs
- AOOs, DBEs, and BDBEs are defined in terms of event sequence families from a reactor design-specific PRA
- Individually for risk significance using a Frequency-Consequence (F-C) chart against a F-C Target
- Collectively by comparing the total integrated risk against a set of cumulative risk targets
- DBEs and high consequence BDBEs are evaluated to define Required Safety Functions (RSFs) necessary to meet F-C Target
- Designer selects Safety Related SSCs to perform required safety functions among those available on all DBEs
- DBAs are derived from DBEs by assuming failure of all non-safety related SSCs and evaluated conservatively vs. 10CFR50.34 Seismic RIPB for LMP 11
Frequency-Consequence (F-C)Target
- Purpose is to evaluate risk significance of individual LBEs and SSCs and to help define the RSFs; not a regulatory acceptance criterion
- Addressed staircase issue with previous F-C targets
- F-C Target anchor points based on:
- 10 CFR 20 annual dose limits and iso-risk concept
- Avoidance of offsite protective actions for lower frequency AOOs
- 10 CFR 50.34 dose limits for lower frequency DBEs
- Consequences based on 30day TEDE dose at EAB
- EAB doses selected to assure meeting QHO for prompt fatality individual risk
- LBEs compared to F-C target based on mean, and upper (95%tile) and lower (5%tile) bound estimates of LBE frequency and dose Seismic RIPB for LMP 12
LBE Risk-Significance Criteria Seismic RIPB for LMP 13
LBE Cumulative Risk Targets
- The total frequency of exceeding an offsite boundary dose of 100 mrem shall not exceed 1/plant-year to ensure that the annual exposure limits in 10 CFR 20 are not exceeded.
- The average individual risk of early fatality within the area 1 mile of the EAB shall not exceed 5x10-7/plant-year to ensure that the NRC Safety Goal Quantitative Health Objective (QHO) for early fatality risk is met
- The average individual risk of latent cancer fatalities within the area 10 miles of the EAB shall not exceed 2x10-6/plant-year to ensure that the NRC safety goal QHO for latent cancer fatality risk is met.
Seismic RIPB for LMP 14
Identification of Required Safety Functions (RSFs)
- RSFs are those functions that,
- if not fulfilled would lead to increase in DBE consequences beyond the F-C target;
- or increase the frequency of high consequence BDBEs beyond the F-C target
- Define what functions have to be preserved to deliver the safety case
- Zero and low consequence DBEs play an important role
- SSCs that are available to perform the RSFs may include:
- Inherent or intrinsic reactor features
- Passive SSCs
- Active SSCs
- Combinations of the above
- Advanced reactor designs typically include multiple means of achieving each RSF.
- Functional and SSC level design criteria are derived from the RSFs
- RSFs are reactor technology and design specific and apply to specific Rn sources.
- They are derived from the fundamental safety function (FSF) of controlling the release of radioactive material and address explicitly or implicitly the other FSFs of controlling heat generation and heat removal Seismic RIPB for LMP 15
LBE Summary
- AOOs, DBEs, and BDBEs defined as event sequence families developed in the PRA grouped by similarity of initiating event, challenge to plant safety functions, plant response, and mechanistic source term
- DBAs selected using prescriptive rules after designers have determined the Required Safety Functions (RSFs), identified which SSCs are available on all the DBEs to provide the RSFs, and selected those to be classified as Safety Related (SR) SSCs
- DBAs are derived by modifying each DBE to remove credit for any non-safety related SSC that performs a RSF
- Consequences of DBAs evaluated using deterministic ground rules per 10 CFR 50.34 and not compared to F-C Target Seismic RIPB for LMP 16
SSC Safety Classification And Performance Requirements
SSC Approach Highlights
- Includes active and passive SSCs relying on inherent reactor characteristics
- Proposes criteria for SSC risk significance based on absolute risk metrics (for consideration in next edition of non-LWR PRA Standard);
addresses risk significance issues identified in PRISM pilot of ASME/ANS non-LWR Standard
- Incorporates selected concepts from 10 CFR 50.69 and NEI-00-04 in the context of a forward fit process
- Includes SSC requirements to address single and multi-module event sequences
- Provides guidance for deriving performance based reliability and capability targets including protection against external hazards Seismic RIPB for LMP 18
LMP SSC Safety Categories SSCs Including Radionuclide Barriers Safety-Related (SR) Non-Safety-Related Non-Safety-Related SSCs SSCs with Special SSCs with No Special Treatment (NSRST) Treatment (NST)
SSCs selected for required safety SSCs performing non-safety-Non-SR SSCs performing functions to mitigate DBEs within significant functions Risk-significant functions F-C Target*
SSCs selected for required safety Non-SR SSCs performing functions to prevent high-functions required consequence BDBEs from entering for defense-in-depth DBE region beyond F-C target
- SR SSCs are also relied on during DBAs to meet 10 CFR 50.34 dose limits using Safety- Non-Safety-conservative assumptions Significant SSCs Significant SSCs Seismic RIPB for LMP 19
SSC Risk Significance
- A prevention or mitigation function of the SSC is necessary to meet the design objective of keeping all LBEs within the F-C target.
- The LBE is considered within the F-C target when a point defined by the upper 95%-tile uncertainty of the LBE frequency and dose estimates are within the F-C target.
- The SSC makes a significant contribution to one of the cumulative risk metrics used for evaluating the risk significance of LBEs.
- A significant contribution to each cumulative risk metric limit is satisfied when total frequency of all LBEs with failure of the SSC exceeds 1% of the cumulative risk metric limit. The cumulative risk metrics and limits include:
- The total frequency of exceeding of a site boundary dose of 100 mrem <1/plant-year (10 CFR 20)
- The average individual risk of early fatality within 1 mile of the Exclusion Area Boundary (EAB) < 5x10 -7/ plant-year (QHO)
- The average individual risk of latent cancer fatalities within 10 miles of the EAB shall not exceed 2x10-6/plant-year (QHO)
Seismic RIPB for LMP 20
SSC Category Relationships Risk- Safety-Safety- Significant Significant PRA Modeled Related SSCs SSCs SSCs SSCs All Plant SSCs Seismic RIPB for LMP 21
Derivation of Special Treatment Requirements
- SR SSCs
- Required to be protected against Design Basis External Hazard Levels (DBEHLs)
- Required Functional Design Criteria (RFDC) derived from Required Safety Functions (RSFs); may be used with ARDCs in formulating principal design criteria
- SSC level Safety Related Design Criteria (SRDC) developed from RSFs
- SSC reliability and capability performance targets
- Focus on prevention and mitigation functions identified in LBEs
- Integrated decision making process to derive additional specific special treatment requirements, if any
- Reflects concepts from 10 CFR 50.69 and NEI-00-04 from existing reactors from a forward fit perspective
- Reflects Commissions expectations for risk-informed and performance based regulation from SRM to SECY 98-0144 Seismic RIPB for LMP 22
Quality Assurance for Safety Significant SSCs
- SR SSC QA:
- The QA requirements for SR SSCs are expected to meet the applicable parts of 10 CFR 50 Appendix B. Application of Appendix B QA is focused on the SR classified SSC in the performance of its Required Safety Functions and the QA requirements developed under Appendix B are expected to be performance based. Specifics of the SR applications of the applicable QA program elements are evaluated as part of the Integrated Decision Process.
- NSRST SSC QA:
- The applicable requirements for NSRST SSCs are expected to meet the users commercial quality programs. Application of the NSRST QA program requirements are focused on the SSC in the performance of its safety functions identified in the LBEs responsible for the safety classification and are expected to be performance-based. Specifics of the NSRST aspects of the applicable program elements are also evaluated as part of the Integrated Decision Process in evaluating defense-in-depth adequacy.
Seismic RIPB for LMP 23
PRA Development
- Although not required, early introduction of PRA into design process is encouraged and facilitates risk-informing design decisions
- Scope and level of detail consistent with scope and level of detail of design and site information and fit for purpose in RIPB decisions
- Depending on the stage of the design, PRA event-sequences include those hazards that have state of practice PRA methods and involve single and multiple reactor modules and include risk significant non-reactor sources
- Limitations and uncertainties associated with PRA addressed in the evaluation of defense-in-depth adequacy and deterministic inputs to RIPB decisions
- LMP recognizes iterative nature of design development, PRA development, and RIPB decisions along the way Seismic RIPB for LMP 24
DID Adequacy Framework Seismic RIPB for LMP 25
Role of DID Evaluation for External Events
- All risk-informed and performance based (RIPB) decisions in LMP are implemented via an Integrated Decision Process (IDP) that incorporates defense-in-depth principles
- IDP sets the reliability and capability performance targets for all safety significant (SR and NSRST) SSCs
- These include special treatment requirements including protections against external hazards
- Plant Capability for DID
- Programmatic elements of DID
- RIPB evaluation of DID Seismic RIPB for LMP 26
LMP Treatment of Safety Functiohns Required Required Safety Functional SR SSC Design Functions (RSFs) Design Criteria Criteria (SRDC)
(RFDC)
Frequency-Fundamental Consequence Safety SR SSC SR SSC Special Safety Functions and Cumulative Related Performance Treatment (FSFs)
Risk Targets (SR) SSCs Targets Requirements LBEs from PRA Design Basis Design Basis PRA Safety (AOOs, DBEs, Accidents External Hazard Functions (PSFs) and BDBEs) (DBAs) Levels (DBEHLs)
Other Risk Input to Design and Significant Functions Safety Functions Provided in the Non-SR NSRST SSC NSRST SSC Design with ST Special Performance Content of Application (NSRST) Treatment Targets Other Safety SSCs Requirements Functions for Adequate DID Non-SR Other Safety With No ST Functions SSCs (NST)
LMP TREATMENT OF EXTERNAL HAZARDS
Incorporation of External Events in to LBEs
- PRAs introduced at early stage of design are limited in scope and level of detail commensurate with design development
- A technically adequate at-power internal events PRA may be used for the initial selection of LBEs, selection of SR SSCs and definition of DBAs; alternatively LBE process tasks may be implemented after a more mature stage is reached
- Design Basis External Hazard Levels (DBEHLs) are selected to design the protections against area events, e.g. internal fires and floods, and external hazards, e.g. seismic events, external flooding, high winds and missiles
- When SR SSCs requirements to be protect against the DBEHLs are incorporated with appropriate design margins, the DBAs derived from the internal events PRA are expected to be stable (note that each DBA initiating event may be caused be due to internal or external causes).
- As external hazards and area events are incorporated into the PRA there will be new AOOs, DBEs, and BDBEs and risk insights to incorporate; but no new DBAs
- Application of the LMP methodology is an iterative and flexible process Seismic RIPB for LMP 29
Design Basis External Hazard Levels
- DBEHL Scope
- Seismic Events
- Other external hazards
- Area events such as internal fires and floods
- Options to establish the DBEHLs
- Use existing regulatory guides
- Select hazard levels via probabilistic hazard analysis consistent with 95%tile 10-4/plant-year DBE cut-off
- DBEHLs become part of the reliability and capability targets for the SR SSCs in the performance of their Required Safety Functions
- Not applicable to NSRST but there may be some need to protect against hazards Seismic RIPB for LMP 30
External Events Considerations for SSCs
- When external events are incorporated into the PRA there will be new LBEs initiated by external hazards and possibly (but doubtful) some new risk significant LBEs
- DBEs associated with external hazards should only involve success states for any SR SSCs that are protected against DBEHLs
- There should be no new DBAs but rather new DBEs that map into the original DBAs determined from internal events
- The new LBEs may produce additional risk significant SSCs which may increase the population of NSRST SSCs; this may lead to new capability targets to protect these NSRST SSCs against external hazards.
- Unless the new LBEs lead to new risk significant SSCs, there should be no capability targets to protect NSRST SSCs against external hazards Seismic RIPB for LMP 31
Role of NLWR PRA Standard
- Trial use standard issued in 2013; extensively used in pilot PRAs
- ASME/ANS RA-S-1.4-2020 has been approved by JCNRM and is currently in review by ANSI
- NRC plans to endorse in a regulatory guide in 2021
- Incorporates both absolute and relative risk metrics to establish risk significance and specifically designed to support LMP
- Treatment of external hazards expanded to include:
- Use of bounding site characteristics for Design Certification PRAs
- Treatment of event sequences involving different plant operating states, multiple reactors and non-reactor sources of radionuclides Seismic RIPB for LMP 32
Questions?
Seismic RIPB for LMP 33
BACK-UP SLIDES LBE Considerations for TICAP
- Identification of LBEs
- Sources of Rns within scope of application
- Identification and Justification for RSFs for each source of Rns
- PRA Safety Functions for each
- DBEs and High Consequence BDBEs
- Justification for sufficiency of selected RSFs
- Selection of SR SSCs
- Confirm availability of SR SSCs on all DBEs
- Justification for SR SSC selection
- Definition of DBAs and source terms for Chapter 15
PRA Development Typical PRA Development Interfaces Seismic RIPB for LMP 37
Evaluation of X-energy LBEs Against F-C Target Seismic RIPB for LMP 38
eVinci Functional Event Tree Top Events Initiating Event Reactivity Control Heat Removal Containment End State The IEs The evaluated eVinci The evaluated eVinci The evaluated As the figure of merit identified in the Micro-Reactor design has Micro-Reactor design eVinci Micro- for the evaluated PRA are three strategies for includes two strategies for Reactor design eVinci Micro-Reactor processed reactivity control: heat removal: relies on the CCS risk assessment is a through the for the containment release frequency,
- CDS
- Heat removal via the functional event function. even success states secondary side system tree
- ESS can result in limited
- Conduction through the releases.
- The passive release of core block to the canister hydrogen from the with natural draft heat moderator*
removal from the outside surface of the canister to an air duct system that channels air to the surrounding environment.
Seismic RIPB for LMP 39
Functional Event Tree for eVinci Micro-Reactor Seismic RIPB for LMP 40
eVinci Micro-Reactor Fission Product Source Terms Gap Heat-Up and Cooldown Release Fractions including the Gap Fraction Fraction Peak Temp = 750°C Peak Temp = 850°C Peak Temp = 950°C Min Nom Max Min Nom Max Min Nom Max Duration 2.3 hrs 2.8 hrs 3.5 hrs 4.3 hrs 5.3 hrs 6.4 hrs 6.2 hrs 7.6 hrs 9.3 hrs Species Nobles 1.7E-04 5.0E-04 5.7E-04 6.6E-04 3.1E-03 3.6E-03 4.5E-03 1.8E-02 2.1E-02 2.7E-02 I 1.4E-04 4.0E-04 4.5E-04 5.3E-04 2.4E-03 2.9E-03 3.6E-03 1.4E-02 1.7E-02 2.1E-02 Cs 1.4E-04 4.6E-04 5.3E-04 6.2E-04 3.0E-03 3.5E-03 4.4E-03 1.8E-02 2.1E-02 2.6E-02 Sr 1.7E-06 5.0E-06 5.7E-06 6.6E-06 3.1E-05 3.6E-05 4.5E-05 1.8E-04 2.2E-04 2.7E-04 Mo 4.4E-05 1.3E-04 1.4E-04 1.7E-04 7.6E-04 9.1E-04 1.1E-03 4.5E-03 5.4E-03 6.7E-03 Ba 3.5E-06 1.0E-05 1.1E-05 1.3E-05 6.1E-05 7.3E-05 8.9E-05 3.6E-04 4.3E-04 5.4E-04 La 3.5E-08 1.0E-07 1.1E-07 1.3E-07 6.1E-07 7.3E-07 9.0E-07 3.6E-06 4.3E-06 5.4E-06 Ce 3.5E-08 1.0E-07 1.1E-07 1.3E-07 6.1E-07 7.3E-07 9.0E-07 3.6E-06 4.3E-06 5.4E-06 Sb 8.7E-05 2.5E-04 2.8E-04 3.3E-04 1.5E-03 1.8E-03 2.2E-03 9.0E-03 1.1E-02 1.3E-02 Te 1.4E-04 4.0E-04 4.5E-04 5.3E-04 2.4E-03 2.9E-03 3.6E-03 1.4E-02 1.7E-02 2.1E-02 Ru 8.7E-06 2.5E-05 2.8E-05 3.3E-05 1.5E-04 1.8E-04 2.2E-04 9.1E-04 1.1E-03 1.4E-03 Seismic RIPB for LMP 41
eVinci LBE Evaluation Against F-C Target Seismic RIPB for LMP 42
PRA Standard for Advanced Non-LWR Nuclear Power Plants 12/31/2018
Scope of non-LWR Standard
- Multiple plant operating and shutdown states
- Event sequences developed to include end states with mechanistic source terms and offsite radiological consequences (similar to LWR Level 3 PRA)
- Technology inclusive end states and risk metrics
- Frequencies of event sequences, event sequence families, and release categories
- Mechanistic source terms and radiological doses and health effects
- Options with requirements for user defined end states (e.g sodium boiling)
- Event sequences involving two or more reactors or radionuclide sources
- Requirements for PRAs done at preoperational design stages
- Requirements to address uncertainties in establishing passive system reliability
- JCNRM requirement to maintain consistency with LWR PRA standards where appropriate Seismic RIPB for LMP 44
Technical Elements with Integrated Treatment of Hazards Seismic RIPB for LMP 45
PRAs Using Standard PRA Reactor Type PRA Organization Time Frame PRISM SFR GE-Hitachi, ANL 2017 HTR-PM PB-HTGR Tsingua Univ. ROC 2013-Present TWR SFR Terrapower 2013-Present PBMR PB-HTGR PBMR Ltd. 2006-2010 Xe-100 PB-HTGR X-Energy 2014-Present MCFR MSR Terrapower 2014-Present FHR MSR/PB Kairos 2018-Present MSRE MSR EPRI, Vanderbilt Univ. 2018-Present eVinci Micro-Reactor Westinghouse 2019-Present HTGR Prismatic HTGR JAEA, Japan 2017-Present CFR-600 SFR ANL 2018-Present VTR SFR GE-Power, ANL 2019-Present Seismic RIPB for LMP 46
Lessons Learned from Pilots
- Consensus among pilots that standard was useful in establishing PRA technical adequacy
- Most significant and useful feedback obtained from PRISM, HTR-PM and TWR PRAs
- More clarification needed on intent of some requirements
- Most significant technical issues include:
- Issues with applying LWR PRA approach to risk significance
- Need more guidance on dealing with very small risk levels
- Need to rethink roles of relative and absolute risk importance measures
- Sufficient experience in applying trial use standard to justify development of ANSI version of standard Seismic RIPB for LMP 47
NRC Plan to Endorse non-LWR Standard
- NRC Statement at public meeting:
ASME/ANS RA-S-1.4 provides an acceptable means to establish the scope and technical adequacy of the PRA
- NRC will issue interim staff guidance for near term use of current 2013 trial use version of standard in 2020
- NRC continues to support the development of the next edition of the standard
- NRC plans to issue a RG similar to RG 1.200, but a different RG, to endorse the next edition of the non-LWR standard to be balloted in 2020 Seismic RIPB for LMP 48
PRA Considerations for TICAP
- LMP encourages (does not require) PRA to be introduced early in the conceptual design; scope and design evolve in iterative fashion
- Scope of PRA governed by NRC requirements in Part 50 and 52
- ASME/ANS RA-S-1.4-2020 used perform PRA for applicable scope
- Summarize results of PRA and risk insights in Chapter 19 or equivalent
- Use of PRA to support LMP is regarded as a PRA application and outside the domain of the PRA standard. Covered elsewhere in application, topical reports, or in-house documentation subject to audit
- Grouping and classifying event sequence families into LBEs
- Evaluating risk significance of LBEs against F-C and cumulative risk targets
- Input to identification of RSFs, RFDC, and SRDC
- Input to SSC Safety Classification
- Input to evaluation of DID adequacy Seismic RIPB for LMP 49
Experience in Application of LMP Methodology Seismic RIPB for LMP 50
MHTGR DBEs DBE-1 Loss of offsite power initiating event and SCS forced cooling, successful reactor trip, passive cooling via RCCS, intact HPB and no release involving a single reactor module.
Main Loop Transient with Control Rod Trip failure, successful reactor trip via RSS, forced cooling via SCS, intact HPB DBE-2 and no release involving a single reactor module.
Control Rod Withdrawal, with successful reactor trip, Main Loop forced cooling failure, forced cooling via SCS, intact DBE-3 HPB and no release involving a single reactor module.
Control Rod Withdrawal with successful reactor trip, loss of Main and SCS forced cooling via failures, passive cooling DBE-4 via RCCS, intact HPB and no release involving a single reactor module.
Seismic event with loss of offsite power, successful reactor trip, continued forced cooling via Main Loops or SCS, DBE-5 intact HPB and no release involving all four reactor modules.
Moderate SG leak with successful reactor trip, SG isolation and dump, forced cooling via SCS, intact HPB and no DBE-6 release involving a single reactor module.
Moderate SG leak with successful reactor trip, SG isolation and dump, failure of forced cooling via SCS, intact HPB DBE-7 and no release involving a single reactor module.
Moderate SG leak with moisture monitor failure, successful manual reactor trip, SG isolation and dump, forced cooling DBE-8 via SCS, intact HPB and no release involving a single reactor module.
Moderate SG leak with successful reactor trip and SG isolation, failure of SG dump, forced cooling via SCS, DBE-9 circulating activity release via open primary relief valve to reactor building involving a single reactor module.
Moderate HPB leak with successful reactor trip, continued forced cooling, release of circulating activity and lift-off of DBE-10 plateout to reactor building involving a single reactor module.
Small HPB leak with successful reactor trip, failure of forced cooling via Main and SCS Loops, passive cooling via DBE-11 RCCS, partial release of circulating activity and delayed fuel release to reactor building involving a single reactor Seismic RIPB for LMP module.
51
Comparison of Required Safety Functions Westinghouse LMP Pilot MHTGR Xe-100 PRISM Kairos-FHR MSRE eVinci Radionuclide Core and Reactor Core and Reactor Reactor Core Core and Fuel Salt System Entire Micro Sources Coolant System Coolant System only Reactor Vessel and Drain Tank Reactor Plant Considered
- Retain Rn in Fuel
- Retain Rn in
- Remove Core
- Maintain Fuel
- Maintain
- Containment of Particles Fuel Particles Heat Particle Integrity Confinement of Radioactive
- Control Chemical
- Control
- Reactivity
- Control Core Rns Material Attack Chemical Attack Control Reactivity
- Control Chemical
- Reactivity Control Required
- Control Heat
- Control Heat
- Remove Decay Behavior
- Decay Heat Safety Generation Generation Heat
- Control Nuclear Removal Control Functions
- Control Heat
- Control Heat
- Maintain Vessel Heat Generation Removal Removal Integrity
- Control Heat Removal and Addition Seismic RIPB for LMP 52
MHTGR Selection of Safety Related SSCs for Control Core Heat Removal Safety Function Alternate Design Basis Events SSCs Sets of DBE DBE Classified SSCs DBE 1 DBE 2 DBE 3 DBE 4 DBE 5 DBE 10 DBE 11 as SR?
6/7 8/9
- Reactor
- HTS No No No No No No No No No No
- Reactor
- SCS No Yes Yes No Yes Yes Yes Yes No No
- SCWS
- Reactor
- RV Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
- RCCS
- Reactor
- RV Yes Yes Yes Yes Yes Yes Yes Yes Yes No
Example MHTGR DBAs 1 of 3 DBE Design Basis Events DBA Design Basis Accidents Loss of offsite power initiating event and SCS forced cooling, successful reactor trip, passive cooling via RCCS, Loss of Main and SCS forced cooling, successful reactor trip, intact HPB and no release involving a single reactor passive cooling via RCCS, intact HPB and no release involving a DBE-1 DBA-1 module. (corresponds to PRA sequence family with single reactor module (corresponds to PRA sequence family with frequency of 5x10-5/plant-year or about 1x10-5/reactor- frequency of 5x10-5/plant-year or about 1x10-5/reactor-year) year)
Main Loop Transient with Control Rod Trip failure, Loss of Main and SCS forced cooling with Control Rod Trip successful reactor trip via RSS, forced cooling via SCS, failure, successful reactor trip via RSS, passive cooling, intact intact HPB and no release involving a single reactor DBE-2 DBA-2 HPB and no release involving a single reactor module.
module. (corresponds to PRA sequence family with (corresponds to PRA sequence family with frequency of 7x10-frequency of 7x10-5/plant-year or about 2x10-5/reactor- 5/plant-year or about 2x10-5/reactor-year) year)
Control Rod Withdrawal, with successful reactor trip, Main Loop forced cooling failure, forced cooling via SCS, intact HPB and no release involving a single reactor DBE-3 module. (corresponds to PRA sequence family with frequency of 2x10-3/plant-year or about 5x10-4/reactor- Control Rod Withdrawal, with successful reactor trip, failure of year) forced cooling via Main loops and SCS, passive cooling via RCCS, intact HPB and no release involving a single reactor Control Rod Withdrawal with successful reactor trip, loss module. (corresponds to PRA sequence family with frequency of of Main and SCS forced cooling via failures, passive DBA-3 7x10-5/plant-year or about 2x10-5/reactor-year) cooling via RCCS, intact HPB and no release involving a DBA-4 DBE-4 single reactor module. (corresponds to PRA sequence Seismic RIPB for with family LMP frequency of 7x10-5/plant-year or about 2x10-54
Example MHTGR DBAs 2 of 3 DBE Design Basis Events DBA Design Basis Accidents Seismic event with loss of offsite power, successful reactor trip, Seismic event with loss of offsite power, successful reactor trip, failure of continued forced cooling via Main Loops or SCS, intact HPB and forced cooling via Main Loops or and SCS, passive cooling via RCCS, DBE-5 no release involving all four reactor modules. (corresponds to PRA DBA-5 intact HPB and no release involving all four reactor modules.
sequence family with frequency of 2x10-4/plant-year or 2x10- (corresponds to PRA sequence family with frequency of 6x10-8/plant-year 4/reactor-year) or ~6x10-8/reactor-year)
Moderate SG leak with successful reactor trip and SG isolation, failure of Moderate SG leak with successful reactor trip, SG isolation and SG dump, failure of forced cooling via SCS, passive cooling via RCCS, dump, forced cooling via SCS, intact HPB and no release involving circulating activity and delayed fuel release via primary relief valve to DBE-6 DBA-6 a single reactor module. (corresponds to PRA sequence family with reactor building involving a single reactor module. (corresponds to PRA frequency of 5x10-2/plant-year or about 1x10-2/reactor-year) sequence family with frequency of 2x10-7/plant-year or 5x10-8/reactor-year)
Moderate SG leak with successful reactor trip, SG isolation and dump, failure of forced cooling via SCS, intact HPB and no release DBE-7 involving a single reactor module. (corresponds to PRA sequence family with frequency of 4x10-5/plant-year or 1x10-5/reactor-year)
Moderate SG leak with moisture monitor failure, successful manual Moderate SG leak with successful reactor trip and SG isolation, failure of reactor trip, SG isolation and dump, forced cooling via SCS, intact SG dump, failure of forced cooling via SCS, passive cooling via RCCS, DBA-7 DBE-8 HPB and no release involving a single reactor module. circulating activity and delayed fuel release via primary relief valve to DBA-8 (corresponds to PRA sequence family with frequency of 4x10- reactor building involving a single reactor module.
5/plant-year) DBA-9 (corresponds to PRA sequence family with frequency of <10-8/plant-year Moderate SG leak with successful reactor trip and SG isolation, or <10-8/reactor-year) failure of SG dump, forced cooling via SCS, circulating activity DBE-9 release via open primary relief valve to reactor building involving a single reactor module. (corresponds to PRA sequence family with Seismic RIPBoffor frequency LMP 2x10 -4/plant-year) 55
Example MHTGR DBAs 3 of 3 DBE Design Basis Events DBA Design Basis Accidents Moderate HPB leak with successful reactor trip, failure of Moderate HPB leak with successful reactor trip, continued forced cooling via Main loops and SCS, passive cooling via forced cooling, release of circulating activity and lift-off of RCCS, release of circulating activity, delayed fuel release, DBE-10 plateout to reactor building involving a single reactor module DBA-10 and lift-off of plateout to reactor building involving a single (corresponds to PRA sequence family with frequency of reactor module (corresponds to PRA sequence family with 1x10-2/plant-year or about 3x10-3/reactor-year) frequency of 6x10-8/plant-year or about 1.5x10-8/reactor-year)
Small HPB leak with successful reactor trip, failure of forced Small HPB leak with successful reactor trip, failure of cooling via Main and SCS Loops, passive cooling via forced cooling via Main and SCS, partial release of RCCS, partial release of circulating activity and delayed fuel circulating activity and delayed fuel release to reactor DBE-11 DBA-11 release to reactor building involving a single reactor module building involving a single reactor-module (corresponds to (corresponds to PRA sequence family with frequency of PRA sequence family with frequency of 3x10-4/plant-year or about 8x10-5/reactor-year) <10-8/plant-year or <10-8/reactor-year)
Seismic RIPB for LMP 56
Top Down Process of Allocating Design Criteria to Safety Related SSCs Safety Case Element Definition Reference Starting point for defining the scope of the PRA which Radionuclide (Rn) includes all Rn sources with the potential for producing a ASME/ANS RA-S-1.4-2020 Source risk significant event sequence Reactor design specific SSC functions modeled in a PRA Safety Function PRA that serve to prevent and/or mitigate a release of ASME/ANS RA-S-1.4-2020, (PSF) radioactive material from a specified source or to protect NEI 18-04 one or more barriers to release.
A PRA Safety Function that is required to be fulfilled to Required Safety maintain the consequence of one or more DBEs or the NEI 18-04 Function (RSF) frequency of one or more high-consequence BDBEs inside the F-C Target Reactor design-specific sub-functions and functional Required Functional criteria that are necessary and sufficient to meet the NEI 18-04 Design Criteria (RFDC)
RSFs Design criteria for SR SSCs (in performing their RSFs)
Safety-Related Design that are necessary and sufficient to fulfill the RFDCs for NEI 18-04 Criteria (SRDC) those SSCs selected to perform the RSFs Seismic RIPB for LMP 57
MHTGR Required Functional Design Criteria 1 of 4 Required Required Functional Design Criteria Safety Function Retain The reactor fuel shall be designed, fabricated, and operated in such a manner that Radionuclides minor radionuclide releases from the fuel to the primary coolant will not exceed in Fuel acceptable values.
Particles Control The vessel and other components that limit or prevent the ingress of air or water Chemical shall be designed, fabricated, and operated in such a manner that the amount of air Attack or water reacting with the core will not exceed acceptable values.
The intrinsic dimensions and power densities of the reactor core, internals, and Control Heat vessel, and the passive cooling pathways from the core to the environment, shall Generation be designed, fabricated, and operated in such a manner that the fuel temperatures will not exceed acceptable values.
The reactor shall be designed, fabricated, and operated in such a manner that the inherent nuclear feedback characteristics will ensure that the reactor thermal power Control Heat will not exceed acceptable values. Additionally, the reactivity control system(s)
Removal shall be designed, fabricated, and operated in such a manner that during insertion of reactivity, the reactor thermal power will not exceed acceptable values.
Seismic RIPB for LMP 58
MHTGR Required Functional Design Criteria 2 of 4 Required Required Safety Required Functional Design Criteria Safety Function Sub-Functions The vessel and other components that limit or prevent the ingress of air or water shall be designed, fabricated, and operated in such a manner that the amount of air or water reacting with the core will not exceed acceptable values.
Limit Fuel Hydrolysis The steam, feedwater and other cooling systems shall include a reliable means to Control limit the amount of steam and water that can enter the reactor vessel to an Chemical acceptable level.
Attack Limit Fuel Oxidation The primary system/boundary shall be designed and fabricated to a level of quality that is sufficient to ensure high reliability of the primary system/boundary integrity needed to prevent air ingress during normal and off-normal conditions. The plant shall be designed, fabricated, operated, and maintained in a manner that ensures that the primary system boundary design limits are not exceeded.
Seismic RIPB for LMP 59
MHTGR Required Functional Design Criteria 3 of 4 Required Safety Required Safety Required Functional Design Criteria Function Sub-Functions The intrinsic dimensions and power densities of the reactor core, internals, and vessel, and the passive cooling pathways from the core to the environment, shall be designed, fabricated, and operated in such a manner that the fuel temperatures will not exceed acceptable values.
Control with Two independent and diverse sets of movable poison equipment shall be provided in the Movable Poisons design. Either set shall be capable of limiting the heat generation of the reactor to acceptable levels during off-normal conditions.
Shutdown Reactor The equipment needed to sense, command, and execute a trip of the control rods, along with any necessary electrical power, shall be designed, fabricated, and operated in such a manner that reactor core shutdown is assured during off-normal conditions.
Shutdown Reactor The equipment needed to sense, command, and execute a trip of the reserve shutdown Diversely control equipment, along with any necessary electrical power, shall be designed, Control Heat fabricated, operated, and maintained in such a manner that the shutdown of the reactor Generation core is assured during off-normal conditions.
Maintain Geometry The design, fabrication, operation, and maintenance of the control rod guide tubes, the for Insertion of graphite core and reflectors, the core support structure, the core lateral restraint Movable Poisons assemblies, the reactor vessel, and reactor vessel support shall be conducted in such a manner that their integrity is maintained during off normal conditions as well as provide the appropriate geometry that permits the insertion of the control rods into the outer reflector to effect reactor shutdown.
The design, fabrication, and operation of the reserve shutdown control equipment guide tubes, the graphite core and reflectors, the core support structure, the core lateral restraint assemblies, the reactor vessel, and reactor vessel support shall be conducted in such a manner that their integrity is maintained during off-normal conditions, as well as provide the appropriate geometry that permits the insertion of reserve shutdown control material to effect reactor shutdown.
Seismic RIPB for LMP 60
MHTGR Required Functional Design Criteria 4 of 4 Required Safety Required Safety Required Functional Design Criteria Function Sub-Functions The reactor shall be designed, fabricated, and operated in such a manner that the inherent nuclear feedback characteristics will ensure that the reactor thermal power will not exceed acceptable values. Additionally, the reactivity control system(s) shall be designed, fabricated, and operated in such a manner that during insertion of reactivity, the reactor thermal power will not exceed acceptable values.
Transfer Heat to A highly reliable, passive means of removing the heat generated in the reactor core Ultimate Heat Sink and radiated from the reactor vessel wall shall be provided. The system shall remove heat at a rate which limits core and vessel temperatures to acceptable levels during a loss of forced circulation.
Conduct Heat from The reactor core shall be designed and configured in a manner that will ensure Core to Vessel Wall sufficient heat transfer by conduction, radiation, and convection to the reactor vessel wall to maintain fuel temperatures within acceptable limits following a loss of forced Control Heat cooling. The materials which transfer the heat shall be chosen to withstand the Removal elevated temperatures experienced during this passive mode of heat removal. This criterion shall be met with the primary coolant system both pressurized and depressurized.
Radiate Heat from The vessel shall be designed in a manner that will ensure that sufficient heat is Vessel Wall radiated to the surroundings to maintain fuel and vessel temperatures within acceptable limits. This criterion shall be met with the primary coolant system in both a pressurized and depressurized condition.
Maintain Geometry for The design, fabrication, operation, and maintenance of the core support structure, Conduction and graphite core and reflectors, core lateral restraint assembly, reactor vessel, reactor Radiation vessel support, and reactor building shall be in such a manner that their integrity is maintained during off-normal conditions so as to provide a geometry conducive to removal of heat from the reactor core to the ultimate heat sink and maintain fuel temperatures within acceptable limits.
Seismic RIPB for LMP 61
MHTGR Safety Related SSCs Seismic RIPB for LMP 62
MHTGR SR SSC for Core Heat Removal RSF
- Reactor Cavity Cooling System (RCCS)
- Passive reactor cavity cooling system relying on air natural convection to the environment to provide passive core heat removal and protect the vessel and supports
- SRDC for the RCCS
- The RCCS shall have the capability to remove sufficient decay heat from the reactor core to prevent overheating of the outer control rods, the reactor, vessel, and vessel internals.
- The RCCS shall have the capability of removing sufficient decay heat from the reactor core to maintain peak fuel temperatures below 1600°C (2900°F).
- The RCCS shall provide the required decay heat removal capability for the duration of the HTS and SCS shutdown whether the vessel is pressurized (with full primary coolant inventory) or depressurized.
- Offsite radionuclide releases are to be limited as necessary to meet the numerical dose guidelines of the Top-Level Regulatory Criteria.
- In the event of a loss of primary coolant pressure boundary integrity, the RCCS shall be capable of withstanding a 69 kPa (10 psi) differential pressure.
Seismic RIPB for LMP 63
Comparison of LMP and 10 CFR 50.69 SSC Safety Categories Seismic RIPB for LMP 64
Roles of SSC Reliability and Capability in Prevention and Mitigation of Accidents Plant features Defense-in-Plant prevent SSC1 Prevents SSC2 Limits LBE End State Depth Layers Frequency Dose Distrubance Inititating Fuel Damage? Release? [1]
Challenged event?
Disturbance controlled with N/A Layer 1 fd 0 Yes no plant trip fd fdp0 LBE-1 F-C Target Frequency ------ >
p0 Yes 1 No fuel damage or release Layer 2 fdp0 0 fdp0p1 LBE-2 No Fuel damage w/ limited p1 Yes 2 Layer 3 fdp0p1 dlow release fdp0p1p2 LBE-3 No p2 Fuel Damage w/ un-3 Layers 4 and 5 fdp0p1p2 dhigh No mitigated release Consequence ------->
[1] See Figure 2-4 for definition of defense-in-depth layers 0 dlow dhigh SSC LBEs Function SSC Performance Attribute for Special Treatment Plant N/A Prevent initiating event Reliability of plant features preventing initiating event 1 Mitigate initiating event Capability to prevent fuel damage SSC1 2 Prevent fuel damage Reliability of mitigation function 3 Help prevent large release Reliability of mitigation function 2 Mitigate fuel damage Capability to limit release from fuel damage SSC2 3 Prevent unmitigated release Reliability of mitigation function Seismic RIPB for LMP 65
SSC Classification Summary
- LMP retains the NGNP SSC safety categories of SR, NSRST, and NST
- SR and NSRST SSCs classified as safety significant
- NSRST SSCs include other risk significant SSCs and SSCs requiring some special treatment for DID adequacy
- Minimum special treatment is the formulation of reliability and capability targets for safety significant SSCs and a program to monitor performance against targets
- Reliability and capability targets linked to the prevention and mitigation functions of the safety significant SSCs, respectively
- Owners QA applied to NSRST SSCs in the performance of their prevention and mitigation functions responsible for classification as NSRST
- Specifics of special treatment defined via Integrated Decision Process using forward fit 10 CFR 50.69 process Seismic RIPB for LMP 66
SSC Safety Classification Considerations for TICAP
- Scope of SR SSCs expected to be much smaller for non-LWRs
- Level of detail highest for SR SSCs, moderate for NSRST, and nominal industrial for NST
- Assignment of reliability requirements for SR and NSRST SSCs creates need for DRAP
- Assignment of capability requirements for SR and NSRST SCs can be tied selected codes and standards
- Justification for special treatment requirements beyond performance targets and monitoring is provided as part of defense-in-depth evaluation.
Seismic RIPB for LMP 67
Defense In Depth Adequacy Evaluation and Use of an Integrated Decision Making Process (IDP)
NRC Defense in Depth Philosophy
...an approach to designing and operating nuclear facilities that prevents and mitigates accidents that release radiation or hazardous materials. The key is creating multiple independent and redundant layers of defense to compensate for potential human and mechanical failures so that no single layer, no matter how robust, is exclusively relied upon. Defense in depth includes the use of access controls, physical barriers, redundant and diverse key safety functions, and emergency response measures.
Seismic RIPB for LMP 69
DID Adequacy Approach
- Builds on NGNP DID approach also reflected in ANS-53.1
- Evaluation of DID adequacy is both risk-informed and performance-based.
- The layers of defense and attributes of the NRC and IAEA DID frameworks are more visibly represented.
- DID attributes for plant capability and programmatic DID have been enhanced for consistency with the measures defined in the LMP Guidance Document
- This process is used to evaluate each LBE and to identify the DID attributes that have been incorporated into the design to prevent and mitigate accident sequences and to ensure that they reflect adequate SSC reliability and capability.
- Those LBEs with the highest levels of risk significance are given greater attention in the evaluation process.
- The practicality of compensatory actions for DID purposes are considered in the context of the individual LBE risk significance and in a cumulative manner across all LBEs Seismic RIPB for LMP 70
DID Concept from NUREG/KM-0009 Seismic RIPB for LMP 71
LMP DID Adequacy Evaluation -
Specific Objectives
- Establish alignment with accepted definitions of the DID philosophy and describe how multiple layers of defense are deployed to establish DID adequacy
- Describe how the concept of protective strategies of DID are used to define DID attributes that are incorporated into the plant capabilities that support each layer of defense.
- The resolution of the general concept of protective strategies into a set of DID attributes is necessary to support an objective evaluation of DID adequacy.
- Summarize the programmatic attributes of DID to provide adequate assurance that the DID plant capabilities in the design are realized when the plant is constructed and commissioned and are maintained during the plant design life cycle
- Discuss the roles of programmatic DID attributes to compensate for uncertainties, human errors, and hardware failures
- Identify the importance of defenses against common cause failures and need to minimize dependencies among the layers of defense
- Present guidelines for evaluating and establishing a DID adequacy baseline
- Achieve agreement on when DID adequacy is achieved among those responsible for designing, operating, reviewing, and licensing advanced non-LWRs Seismic RIPB for LMP 72
Layers of Defense Adapted from IAEA Seismic RIPB for LMP 73
Role of the Integrated Decision Making Process
- The reactor designer is responsible for ensuring that DID is achieved through the incorporation of DID features and programs in the design phases and in turn, conducting the evaluation that arrives at the decision of whether adequate DID has been achieved
- The reactor designer uses an Integrated Decision Making Process (IDP) to ensure there is an input from multiple functional areas
- Later, the reactor designer or plant operator may confirm DID adequacy through the use of an Integrated Decision Making Process Panel (IDPP) for the reference baseline confirmation Seismic RIPB for LMP 74
Integrated Decision Making Process (IDP)
- Use of an IDP during the design stage should include participants with the following typical functional competencies as appropriate for the state of development and DID topics :
o Safety Analysis o Design Engineering o System Engineering o Risk Management (i.e., PRA) o Operations and Maintenance o Nuclear Licensing
- Participants should receive the complete LMP training Seismic RIPB for LMP 75
DID Adequacy Evaluation Process
- DID baseline evaluation is developed using an Integrated Decision Process (IDP) and updated during each design/licensing phase
- Defense-in-depth is deemed as adequate when:
- Plant capability DID is deemed to be adequate.
- Plant capability DID guidelines are satisfied.
- Review of LBEs is completed with satisfactory results.
- Programmatic DID is deemed to be adequate.
- Performance targets for SSC reliability and capability are established.
- Sources of uncertainty in selection and evaluation of LBE risks are identified.
- Special treatment for all SR and NSRST SSCs is sufficient.
Seismic RIPB for LMP 76
Timing of IDP Evaluations
- Completing the evaluation of the DID adequacy of a design is not a one-time activity
- The Designer is expected to integrate the RIPB-DM process as much as practical into the design process to minimize the potential for revisions late in the design phases due to DID considerations
- IDP DID adequacy evaluations would be expected to occur, as a minimum, in concert with completion of each major phase of design:
o conceptual, o preliminary, o detailed, and o final
- Additionally occur in response to any significant design changes or new risk-significant information at any phase of design or licensing, construction or operations Seismic RIPB for LMP 77
Inputs to the IDP Evaluation
- The LMP and design processes will generate data and evaluations that will be subject to the IDP, including:
o Licensing Basis Event (LBE) event sequences and categorization into event categories -
o A summary of other radiological hazards not modeled in the PRA o Evaluations of LBEs against the F-C curve o Identification of required safety functions o Evaluations of plant risk against cumulative risk targets o Identification of defense-in-depth layers challenged by each LBE o Listing of safety-related (SR) SSCs o Identification of Design Basis Accidents (DBAs) o Safety evaluation of DBAs o Listing of non-safety related SSCs with special treatment (NSRST) o Identification of functional design criteria for SR SSCs o Determinations of special treatment requirements for SR and NSRST SSCs o Listing of Programmatic DID capabilities Seismic RIPB for LMP 78
Plant Capability Defense-In-Depth Attributes The table below provides a listing of the integrated DID attributes and principal evaluation focus of the Plant Capability DID evaluation scope using an IDP [Box 12]
Attribute Evaluation Focus PRA Documentation of Initiating Event Selection and Event Sequence Modeling Initiating Event and Event Sequence Completeness Insights from reactor operating experience, system engineering evaluations, expert judgment Multiple Layers of Defense Extent of Layer Functional Independence Layers of Defense Functional Barriers Physical Barriers Inherent Reactor Features that contribute to performing PRA Safety Functions Functional Reliability Passive and Active SSCs performing PRA Safety Functions Redundant Functional Capabilities Diverse Functional Capabilities SSCs performing prevention functions SSCs performing mitigation functions Prevention and Mitigation Balance No Single Layer / Feature Exclusively Relied Upon Seismic RIPB for LMP 79
DID Adequacy Evaluation (cont.)
o Plant capability DID is deemed to be adequate:
Plant capability DID guidelines in Table 5-2 (next slide) are satisfied Risk margins against F-C target are sufficient Risk margins against Cumulative Risk Targets are met Role of SSCs in the prevention and mitigation at each layer of defense challenged by each LBE is understood Prevention/mitigation balance is provided across layers of defense Classification of SSCs into SR, NSRST, and NST is appropriate Risk significance classification of LBEs and SSCs are appropriate Independence among design features at each layer of defense is sufficient Design margins in plant capabilities are adequate to address uncertainties identified in the PRA Seismic RIPB for LMP 80
DID Adequacy Evaluation (cont.)
Table 5 Guidelines for Establishing the Adequacy of Overall Plant Capability Defense-in-Depth
[Any SSCs necessary to meet this guideline would be regarded as performing a safety function necessary for adequacy of plant capability DID]
Layer Guideline Overall Guidelines Layer[a]
Quantitative Qualitative Quantitative Qualitative
- 1) Prevent off-normal operation and Maintain frequency of plant transients within designed cycles; meet user AOOs requirements for plant reliability and availability[b]
- 2) Control abnormal operation, Maintain frequency of all DBEs < 10-2/ Minimize frequency of challenges to detect failures, and prevent DBEs plant-year safety-related SSCs No single design or operational Meet F-C target
- 3) Control DBEs within the analyzed No single design or operational feature,[c] no Maintain frequency of all BDBEs < 10-4/ for all LBEs and design basis conditions and feature[c] relied upon to meet matter how plant-year cumulative risk prevent BDBEs quantitative objective for all DBEs robust, is metric targets exclusively relied with sufficient[d]
- 4) Control severe plant conditions, upon to satisfy No single barrier[c] or plant feature margins mitigate consequences of BDBEs the five layers of Maintain individual risks from all LBEs < relied upon to limit releases in defense
- 5) Deploy adequate offsite protective QHOs with sufficient[d] margins achieving quantitative objectives for all actions and prevent adverse BDBEs impact on public health and safety Notes:
[a] The plant design and operational features and protective strategies employed to support each layer should be functionally independent
[b] Non-regulatory user requirements for plant reliability and availability and design targets for transient cycles should limit the frequency of initiating events and transients and thereby contribute to the protective strategies for this layer of DID. Quantitative and qualitative targets for these parameters are design specific.
[c] This criterion implies no excessive reliance on programmatic activities or human actions and that at least two independent means are provided to meet this objective.
Seismic
[d] The level RIPB of margins for LMP between the LBE risks and the QHOs provides objective evidence of the plant capabilities for DID. Sufficiency will be decided by the IDP.
81
DID Adequacy Evaluation (cont.)
Table 2 Programmatic DID Attributes The table below provides a listing of the integrated DID attributes and principal evaluation focus on Programmatic DID evaluation scope [Box 17]
Attribute Evaluation Focus Performance targets for SSC reliability and capability Quality / Reliability Design, manufacturing, construction, O&M features, or special treatment sufficient to meet performance targets Compensation for human errors Compensation for mechanical errors Compensation for Uncertainties Compensation for unknowns (performance variability)
Compensation for unknowns (knowledge uncertainty)
Off-Site Response Emergency response capability Seismic RIPB for LMP 82
DID Adequacy Evaluation (cont.)
The table below provides a listing of the integrated decision-making attributes and principal evaluation focus of the IDP in the overall RIPB DID evaluation scope Attribute Evaluation Focus What can go wrong?
Use of Risk Triplet Beyond PRA How likely is it?
What are the consequences?
Plant Simulation and Modeling of LBEs Knowledge Level State of Knowledge Margin to PB Limits Uncertainty Management Magnitude and Sources of Uncertainties Implementation Practicality and Effectiveness Action Refinement Cost/Risk/Benefit Considerations Seismic RIPB for LMP 83
Margins Plant Performance Margins
- Best Estimate o Reflected in the margins between LBE frequencies and consequences and the F-C target o One way to demonstrate enhanced margins consistent with NRC Advanced Reactor Policy; event sequence families below QHOs
- DBA LBE Margins o Compared to 10CFR 50.34 o Compared to 10 CFR 100 SSC-Level Safety Margins
- Margins in design codes selected to provide a robust capability to support the mitigation function of safety significant SSCs;
- Margins in the performance requirements selected to ensure that SSC will perform their prevention functions with adequate reliability.
Seismic RIPB for LMP 84
Evaluating Margins Against F-C Target Seismic RIPB for LMP 85
Considerations in the Evaluation of DID Adequacy (cont.)
- Metrics o LBE Risk Significance F-C Target Cumulative Risk Targets o SSC Risk Significance Impact on F-C Target Impact on Cumulative Risk Targets
- Margins o Plant performance margins (LBEs) o SSC design performance conservatism Seismic RIPB for LMP 86
Considerations in the Evaluation of DID Adequacy (cont.)
- Uncertainties o Completeness o Analyzed Uncertainties o Residual Risks
- Compensatory Action Decisions o Choices o Impact on Risk o Timing o Practicality Seismic RIPB for LMP 87
Uncertainties
- Completeness o PRA completeness for identified hazards o Sources of risk-significant uncertainties o Treatment of radiological and other hazards not included in PRA
- Analyzed o Data Availability o Model Maturity o Performance History
- Residual Risks o EPZ basis o EP response effectiveness o Tech Spec Completeness o AOT basis o Monitoring of Plant Long Term Performance o Etc.
Seismic RIPB for LMP 88
Using an IDP in Defining Compensatory Actions
- The timing, as well as risk-significance, of when the need for additional DID capabilities is identified should influence the decision of what form of compensatory actions are taken
- Programmatic actions alone should not be taken to solve a plant performance vulnerability associated with an event that can lead directly to exceedance of an applicable safety target, goal, or regulation
- The choice of compensatory action includes:
o design changes to mitigate undesirable dose consequences, o reliability improvements in the physical design, o the special treatment applied to risk-significant SSCs, o programmatic controls or processes that improve the likelihood of performance success, or o a combination that provides meaningful improvements in the risk profile for a given risk-significant LBE Seismic RIPB for LMP 89
Using an IDP in Defining Special Treatments
- Special Treatments
- include reliability and capability performance targets and programs to ensure targets are met and maintained
- are defined to address uncertainties about plant performance relative to risk targets
- The IDP is used to evaluate special treatments for SR and NSRST SSCs including the setting of performance targets for SSC reliability, availability, and capability and any other treatments deemed necessary as a result of the DID evaluation.
- Where additional special treatments are deemed beneficial for DID purposes, the IDP will be used to consider additional compensatory actions.
- Additional compensatory actions should provide meaningful benefits to the risk-significant performance of the plant and/or improvements in the management of risk-significant uncertainties.
Seismic RIPB for LMP 90
Compensatory Action Decisions
- Choices o Plant Capability o Programmatic o Mix
- Impact on Risk o Improve Plant Capability LBE Outcome Changes Layers of Defense increase or independence improvements
- Improve Plant Performance Assurance Programmatic actions Reduction of Risk Significant Sources of Uncertainty
- Reduce Residual Uncertainties Siting and Emergency Planning performance External Independent Oversight
- Timing - Life Cycle Considerations
- Practicality o When is enough, enough?
Seismic RIPB for LMP 91
DID Adequacy Established/Documented Using an IDP
- The RIPB evaluation of DID adequacy continues until the recurring evaluation of plant and programmatic DID associated with design and PRA update cycles no longer identifies risk-significant vulnerabilities where potential compensatory actions may be needed
- This determination is made using an IDP and documented initially in a preliminary DID integrated baseline evaluation report which is subsequently revised as the iterations through the design cycles and design evaluation evolve
- At this point, a DID baseline can be finalized to support the final design and operations of the plant Seismic RIPB for LMP 92
Baseline Establishment
- The DID Adequacy baseline information is expected to become part of the license application (See DG 1353)
- The level of detail in the application is expected to be a summary of results similar in purpose to the PRA summary information in Chapter 19
- The details of the evaluation should be maintained under a process control procedure and documents retained for the life of the plant Seismic RIPB for LMP 93
Transitioning from Design Phase DID to Operations
- Once the design phase DID adequacy baseline is completed, changes in operations may be effectively evaluated using a standing panel
- The panel would operate similar to the PORC or equivalent
- Panel members should collectively provide, as a minimum, the technical expertise outline in the DID section of NEI 18-04
- Qualifications, records of deliberations and closure of recommendations should be consistent with the owners Operations QAP
- The change control procedures could be incorporated with the plant 50.59 change control process or similar licensing basis change control procedures Seismic RIPB for LMP 94
LMP Methodology Summary
- LMP methodology is a RIPB approach to:
- Selecting and evaluating LBEs
- Safety classification of SSCs
- Developing performance targets for SSC reliability and capability
- Incorporating defense-in-depth principles to RIPB decisions
- Confirming adequacy of defense-in-depth
- LMP goal is to contribute to consistency in preparation of successful license applications for advanced non-LWRs
- The TICAP discussion on how the LMP impacts content of applications has just begun:
- Aspects to include in license application
- Aspects to retain internally for NRC audit Seismic RIPB for LMP 95
Key LMP References
- Nuclear Energy Institute, NEI 18-04, Modernization of Technical Requirements for Licensing of Advanced Non-Light Water Reactors, Risk-Informed Performance-Based Technology Inclusive Guidance for Non-Light Water Reactor Licensing Basis Development, Report Revision 1, August 2019
- U.S. Nuclear Regulatory Commission, Draft Regulatory Guide - DG 1353, Guidance for a Technology-inclusive, Risk-informed, and Performance-based Approach to Inform the Content of Applications for Licenses, Certifications, and Approvals for Non-light-water Reactors, April 2019
- Idaho National Laboratory, Modernization of Technical Requirements for Licensing of Advanced Non-Light Water Reactors, - Selection and Evaluation of Licensing Basis Events, Rev 0, August 2019.
- Idaho National Laboratory, Modernization of Technical Requirements for Licensing of Advanced Non-Light Water Reactors, Probabilistic Risk Assessment Approach Rev 0, August 2019.
- Idaho National Laboratory, Modernization of Technical Requirements for Licensing of Advanced Non-Light Water Reactors, Safety Classification and Performance Criteria for Structures, Systems and Components, Rev 0, August 2019.
- Idaho National Laboratory, Modernization of Technical Requirements for Licensing of Advanced Non-Light Water Reactors, - Risk-Informed and Performance-Based Evaluation of Defense-in-Depth Adequacy, Rev 0, August 2019.
Seismic RIPB for LMP 96
The Key Consideration
- SRP Chapter 15.0 statement:
If the risk of an event is defined as the product of the events frequency of occurrence and its consequences, then the design of the plant should be such that all the AOOs and postulated accidents produce about the same level of risk (i.e., the risk is approximately constant across the spectrum of AOOs and postulated accidents). This is reflected in the general design criteria (GDC), which generally prohibit relatively frequent events (AOOs) from resulting in serious consequences, but allow the relatively rare events (postulated accidents) to produce more severe consequences.
Conclusion:
To meet this requirement LBE Selection has to be RIPB
PHA Evaluation of Processes for Each Source Identify/Characterize Radionuclide Sources Boundary Conditions for PHA Evaluation of Source Processes Define Radionuclide Barriers and Supporting Structures PHA Functions Identified to Control Process Deviations Define Reactor Specific Use of HAZOPs Safety Functions Protecting Each Barrier PHA SSCs Identified to Early Phase at Early Phase Identify SSCs and Prevent Deviation Causes Operator Actions Engineering Supporting Each Safety Design Baseline Function of Design PHA Identification of Causes of Deviations Identify Failure Modes of Each Barrier and SSCs Providing Safety Functions Development Process Hazard Analysis (PHA)
PHA Evaluation of Consequences of Deviations Identify Challenges to Preventing Barrier and (e.g., HAZOP, FMEA) SSC failure modes Exhaustive Enumeration of Reactor Specific Initiating Events PHA Evaluation of Consequences of Event Sequence Building Blocks for:
Deviations Development, Success - Reactor Design Iteration Criteria, Fault Tree -Design-Specific PRA Model Analysis and End States Development Mechanistic Source Term Select Risk Metrics for Development, Physical Risk-Informed and Phenomenological Performance-Based Seismic RIPB for LMP Consequence Analysis Decisions 98
- 1. Establish initial 10. Select SR Iterate as Integration of LMP design SSCs and required capabilities define DBAs A
A Process Tasks
- 2. Establish F-C
- 11. Perform safety Target Based analysis of DBAs on TLSTs
- Tasks are iterative; not sequential A
- Tasks can begin early in the conceptual
- 3. Define
- 12. Confirm Plant SSC safety Capability DID functions for adequacy design process and mature with the design PRA modeling evolution Risk Significant SSCs
- 4. Define scope
- Discovery mode or confirmatory mode
as key input to selecting LBEs 14. Define and
- SSC classification and evaluation are
- 5. Perform PRA evaluate FDC for Color Key SR SSCs integrated with the LBE selection and A Deterministic evaluation tasks 6. Identify and categorize
- Defense-in-depth evaluation is integrated DBE, or BDBE margins with the LBE selection and evaluation and is Probabilistic A
- 16. Specify an integral part of the SSC classification
- 7. Evaluate LBE ST requirements risks vs. F-C for SR and NSRST Target and performance requirement determination SSCs Risk-Informed A
- Tasks include deterministic and probabilistic A
- 8. Evaluate 17. Confirm plant risks vs elements and involve RIPB decisions to Programmatic Acronymns Cumulative Risk DID adequacy Targets F-C Frequency Consequence support the design and formulate and DID FDC LBE Defense-in-Depth Functional Design Criteria Licensing Basis Events evaluate the safety case. 9. Identify DID layers challenged
- 18. DID adequacy established; Document/
NSRST Non-Safety Related with ST SSC Structure, System, Component Seismic RIPB for LMP 99 Update DID Baseline ST Special Treatment by each LBE evaluation SR Safety Related TLSTs Top Level Safety Targets
MHTGR Phased Development of PRA Seismic RIPB for LMP 100
X-Energy HTGR Slow Depressurization Event Tree Seismic RIPB for LMP 101
Major Components of eVinci Micro-Reactor Control Heat Pipes Reflectors &
Emergency Drum Drive Core Shielding Primary Heat Shutdown Exchanger Canister Seismic RIPB for LMP 102
Uses of PRA in LMP Methodology
- Supporting and evaluating the design options and trade studies
- Identifying the spectrum of LBEs to be considered
- Evaluating the risk significance of LBEs against F-C Target
- Performing an integrated risk assessment of plants that may be comprised of two or more reactor modules and associated non-core sources of radioactive material
- Safety classification of SSCs
- Development of performance targets for the reliability and capability of SSCs in the prevention and mitigation of accidents
- Determining integrated plant performance margins compared to risk targets
- Exposing and evaluating sources of uncertainty in the identification of LBEs and in the estimation of their frequencies and consequences, and providing key input to the evaluation of the adequacy of DID
- Providing risk and performance-based insights into the evaluation of the design DID adequacy
PRA Standard Background
- PRA applications envisioned for non-LWR standard included:
- Incorporation of risk insights into design
- Selection of licensing basis events
- SSC safety classification
- Evaluation of defense-in-depth adequacy
- Technology inclusive approach adopted to address all known advanced non-LWR concepts using integrated treatment of hazards
- Coordination of non-LWR and ALWR WGs for consistency in treatment of preoperational PRAs
- Draft standard issued for review and comment in 2008
- Standard issued by JCNRM for trial use in 2013 (ASME/ANS RA-S-1.4-2013)
- Trial Use Standard used in many pilot applications
- Balloting for ANSI version of standard expected in 2020 Seismic RIPB for LMP 104
LMP SSC Safety Classification Approach Seismic RIPB for LMP 105
Example Risk Margins for MHTGR Limiting LBE[a] F-C Target LBE Freq. at LBE Mean Dose at LBE Mean Freq. Mean Dose Dose Category Name Dose/plant- Frequency Freq. (Rem)
/plant-yr. (Rem) Margin[e]
yr. [b] Margin[c] [d]
AOO AOO-5 4.00E-02 2.50E-04 4.00E+02 1.00E+04 1.00E+00 4.00E+03 DBE DBE-10 1.00E-02 2.00E-03 6.00E+01 6.00E+03 1.00E+00 5.00E+02 BDBE BDBE-2 3.00E-06 4.00E-03 2.50E+01 8.30E+06 2.50E+02 6.00E+04 Notes:
[a] The Limiting LBE is the LBE with the highest risk significance in the LBE category
[b] Frequency value measured at the LBE mean Dose level from the F-C target, See [2] in Error! Reference source not found.
[c] Ratio of the frequency in note [b] to the LBE mean frequency, mean frequency margin
[d] Dose value measured at the LBE mean frequency from the F-C target, See [4] in Error! Reference source not found.
[e] Ratio of the Dose in Note [d] to the LBE mean dose, Mean Dose Margin Limiting LBE[a] F-C Target 95th 95th 95th 95th LBE Freq. at LBE LBE Percentile Percentile Percentile Dose at LBE Percentile Category Dose/plant-Name Freq./plant- Dose Frequency Freq.(Rem)[d] Dose yr.[b]
yr. (Rem) Margin[c] Margin[e]
AOO AOO-5 8.00E-02 1.10E-03 9.00E+01 1.13E+03 1.00E+00 9.09E+02 DBE DBE-10 2.00E-02 6.00E-03 2.00E+01 1.00E+03 1.00E+00 1.67E+02 BDBE BDBE-2 1.00E-05 1.50E-02 8.00E+00 8.00E+05 1.00E+02 6.67E+03 Notes:
[a] Limiting LBE is LBE with highest risk significance in LBE Category
[b] Frequency value measured at the LBE 95th percentile Dose level from the F-C target, See [6] in Error!
Reference source not found.
[c] Ratio of the frequency in note [2] to the LBE 95th percentile frequency, 95th percentile Frequency Margin
[d] Dose value measured at the LBE 95th percentile frequency from the F-C target, See [8] in Error! Reference source not found.
[e] Ratio of the Dose in note [d] to the LBE 95th percentile dose, 95th percentile Dose Margin Seismic RIPB for LMP 106
RIPB Seismic Safety Approach (Integration of ASCE 43 Design Criteria with the LMP Framework)
September 2-3, 2020 NRC Headquarters Rockville, Maryland September 2-3, 2020 1
Contributors Nilesh Chokshi Nuclear Regulatory Commission Robert Budnitz - Jim Xu
- Jose Pires MK Ravindra
- Jon Ake Bis Dasgupta
- Ramon Gascot-Lozada (project John Stamatakos manager)
Osvaldo Pensado (project manager) 2
Disclaimer This project was performed by the Southwest Research Institute for the Office of Nuclear Regulatory Research of the U.S. Nuclear Regulatory Commission (NRC).
Reported results are preliminary, and part of an ongoing research program.
The expressed views do not necessarily reflect the views or regulatory position of the U.S. Nuclear Regulatory Commission.
3
Outline of the Overall Presentation Part 1 - Proposed Risk-Informed and Performance-Based (RIPB) Approach Part 2 - Demonstration of Feasibility through Simple Examples Part 3 - Questions and Challenges Related to Implementation Part 4 - Phase 2 Activities and Scope The four presentations are intended to elicit feedback from the participants and draw some insights to be summarized in the final session. These insights will be considered as we finalize the Phase 1 report and developed plans for Phase 2 4
RIPB Approaches to Safety of Nuclear Facilities (Integration of LMP Framework and ASCE 43 Performance-Based Design Approach)
Part 1 - Proposed Approach 5
Outline of Part -1 Presentation Discussion of objectives Discussion of draft Phase 1 report outline Brief review of key assumptions and principles of ASCE 43 and 4 Brief overview of LMP approach Discussion of process for integrating seismic design in the RIPB framework Overarching considerations in implementing the LMP/ASCE 43 Integration process Technical considerations Summary 6
Objectives of Phase 1 Project Propose an approach that:
- Aligns with the LMP concepts with its emphasis on using event sequences to understand safety importance of individual SSCs
- Develops strategies linking ASCE seismic performance goals to LMP risk-informed SSC categorization
- Evaluates the adequacy of ASCE criteria in meeting target performance goals Identify potential activities for the next phase The Phase 1 draft report describes the proposed LMP/ASCE 43 Integration approach and potential activities for the next phase.
7
Phase 1 Draft Report Outline Chapter 1 - Introduction Chapter 2 - Regulatory Framework: This chapter discusses the pertinent NRC regulations and seismic design guidance Chapter 3 - Incorporating the Enhanced RIPB Concepts in the Seismic Design Process:
This chapter proposes a stepwise, iterative process to align seismic design with the RIPB framework (referred to as the LMP/ASCE 43 Integration Approach). The considerations involved in implementing this process are described in detail. The process considers design issues for both advanced reactor designs and existing (or similar) large light water reactors along with Part 52 and Part 50 licensing considerations 8
Phase 1 Draft Report Outline Chapter 4 - Approaches to Evaluate the Feasibility of a Seven-Step Seismic Design Process: This chapter describes three different approaches to demonstrate several aspects of the LMP/ASCE 43 Integration Approach. A detailed approach using existing seismic PRAs will be considered for implementation in the next phase Chapter 5 - Summary, Conclusions, and Next Steps: Includes identification of potential activities for the next phase The draft report may be updated considering the feedback from this workshop.
9
Brief Review of ASCE 43 Seismic design criteria for structures, systems, and components in nuclear facilities The acceptable performance level (the target performance goal) for an individual SSC is achieved by selecting the return period of the DBE ground motion in terms of the Seismic Design Category (SDC)
The Limit State (LS) defines the required performance in terms of the limiting acceptable design condition of the SSC and is adjusted based on the safety function and risk significance of the component This approach allows the designer to control conservatisms and safety margins in accordance with the risk significance of SSCs permitting more balanced design 10
ASCE 43 - Concept of Seismic Design Categories (SDC) and Design Basis Earthquakes (DBEs)
ANS 2.26 provides guidance to assign categories - SDC 5 is considered applicable to NPPs.
The categories were developed for DOE facilities but are more broadly applicable Seismic Design Category 2 3 4 5 Target performance goal, PF , 4 x 104 1 x 104 4 x 105 1 x 105 per year DBE response spectrum DRS = SF x UHRSHp (DRS) or acceleration time Hp = PF series SF = Scale factor at each spectral frequency SF accounts for slope characteristics of a hazard curve 11
ASCE 43 - Limit States Limit State Structural Deformation Limits A Large permanent distortion, short of collapse Significant damage B Moderate permanent distortion Generally repairable damage C Limited permanent distortion Minimal damage D Essentially elastic behavior Negligible damage Limit state D is currently used for safety-related SSCs in NRC-regulated nuclear power plants 12
Site and PSHA Seismic Hazard Curve and Plant Configuration Seismic Design Facility Uniform Hazard Response Spectra and Operations codes and Standards Information Design of SSCs Performance-based Individual SSC Design (ASCE 43)
Design Response -Establish Performance Target Spectrum (DRS) -Select SDC and LS
-Assign Design Limits/Functional Requirements Probabilistic Risk Assessment Seismically Induced Initiating Overview of RIPB Events Seismic System Model Approach Event Trees and Fault Trees Seismic Hazard Curve Fragility SSC Seismic LMP-RIPB Fragilities Curves Process for Seismic Event Sequence Seismic Quantification Design Individual Event Sequences:
- 1. Frequency
- 2. Dose Consequence Integrated Decision-Making Verify Risk Criteria
- 1. F-C curve Target
- 2. Integrated Risk Refine SSC Design/ System, Defense-in-Depth Adequacy If Needed Licensing Basis Events (LBEs)
Risk Importance Analysis Results Final Categorization of SSCs for Seismic Design LMP Safety Classification 13
Process for Integrating Seismic Design in the RIPB Framework LMP/ASCE 43 Integration Approach (Chapter 3) 14
Guiding Principles Integrate within the broader RIPB framework, which concentrates on the contribution of each SSC in the relevant event sequences Build on existing RIPB approaches in structural/seismic engineering (for example, ASCE 1, 4, 43)
Recognize that the design process remains the familiar deterministic process Utilize existing codes and standards to the maximum extent feasible; Useable with any regulatory framework (e.g., Part 52 and Part 50); and Identify and suggest updates to the regulatory framework and guidance, as necessary Ensure that the approach is technology inclusive 15
Overview of the Process In using the ASCE 43 SDCs and LSs graded approach, its clear that the performance goals for different SSCs cannot be derived from the F-C plot There are many SSCs in various event sequences, and hence there is no unique solution to achieving the overall safety goal Therefore, one potential approach is to use predetermined SSC categories and Limit States and rely on the PRA to demonstrate how close the resulting F-C pairs are to the target and how the design meets the cumulative risk metrics Process can lead to identification of additional Licensing Basis Events (LBEs) and the recategorization of SSCs The risk target can be achieved by re-designating the safety classification, selectively hardening/relaxing the design, introducing redundancy, improving random failure rates, improving human-error probabilities, or some combination of these 16
Seven Step Process 17
Seven Steps (1)
Step 1 -Initial Selection of the ASCE 43 SDC and LS categories.
- Establish an initial categorization of SSCs based on an internal event PRA and available design information Step 2 - Seismic Design
- Step not intended as rigorous re-design of the entire plant, but as a design assessment of the components that are candidates for alternative SDC and LS designations, so that more realistic fragilities can be estimated in the next step Step 3 - Fragility Determination
- Details of designs dictate to a large extent the realistic and component-specific fragilities. It is unlikely complete realistic fragilities will be available or developed at the initial design stage. Generic fragilities currently used in the design of NPPs are based on LS-D. It is not necessary to use the most accurate fragilities for choosing alternate SDCs and LSs. It is possible to estimate a range of potential changes in the fragilities and obtain robust insights on feasibility of alternatives.
18
Seven Steps (2)
Step 4 - Perform Seismic PRA
- Perform a SPRA using the fragilities developed in step 3 and the SPRA models developed in accordance with the applicable codes and guidance Step 5 - Check the proposed classification against the risk criteria (Integrated Decision-Making)
- The results of the initial PRA are evaluated to determine whether the individual event sequence risks fall within the F-C curve, whether the integrated risk criteria and the defense-in-depth criteria are met, and which risk significant LBEs fall within the acceptable margin on the FC curves Step 6 - Iteration
- Based on the Step 5 results, this step determines whether the final categorizations achieved on Steps 2 through 5 should be iterated to meet the desired safety and cost goals, and the applicable regulatory requirements Step 7 - Final SSC Classification
- The final SSC categorization is established to be the basis for the detailed and final seismic design and licensing of a certified design 19
Seismic Design of SSCs The SDC/LS category for each SSC requiring a seismic design is determined based on the outcome of the LMP/ASCE 43 Integration approach The design response spectra for each SDC are derived from PSHA results using ASCE 43 Seismic response analysis is performed using ASCE-4 methods - similar to current requirements Design of SSCs follows engineering approaches in appropriate codes and standards Design of building elements is performed to meet ACI-349 and 359 and AISC N690 codes Design of mechanical equipment, piping systems, cable tray systems and HVAC systems will follow ASME codes - no change from current practice Seismic design and qualification of electrical components will follow current IEEE standards Design alternatives (e.g., base isolation) and sophistication (e.g., non-linear analysis) can be pursued as appropriate In summary, for most part, there are no changes to current design practice except there may be more SDC/LS categories for consideration requiring additional response analyses 20
SPRA of Final Designs Under current Part 52, final SPRAs are performed at the following three completeness stages reflecting status of the design and available information at each stage:
- 1. For the certified design application;
- 2. For the combined license application considering site-specific hazard, site, and other information; and
- 3. Before the fuel loading, considering as-designed, as-built, and other operating conditions Plant and site-specific fragility analyses and SPRAs will follow the accepted methodologies specified in either the LWR PRA standard or the non-LWR PRA standard Results of these SPRAs will serve as final checks against applicable risk criteria and other integrated decision-making considerations, such as defense-in-depth aspects 21
Overarching Considerations for Implementing the LPM/ASCE-43 Integration Stability and flexibility of design Stability during licensing process Operational stability over the lifetime Ability to deal with new knowledge and emerging issues Compliance with regulations with the goal to optimize safety and cost benefits Strategies for radiological sources other than reactors (e.g., spent fuel pool, radwaste structures, etc.)
22
Technical Considerations Related to the Selection of SDC and LS Categories Minimum requirement Level of detail at the design stage. Completeness of a PRA and adequate technical detail Considerations related to SPRA for this specific application Part 52 process Selection of OBE Shutdown and restart criteria after an earthquake Complexity of design process 23
Seismic Hazard Curves for Selected Sites 24
Rock Site Minimum Requirement (DRS for Various SDC Categories)
Deep Soil Site 25
Reductions in Ground Motion Levels for Various SDC Categories Ratio of Spectral Ratio of PGA Values Site Accelerations at 5 Hz.
SSDRS4 SSDRS3 SSDRS4 SSDRS3
/SSDRS5 /SSDRS5 /SSDRS5 /SSDRS5 A 0.49 0.29 0.50 0.30 B 0.48 0.30 0.50 0.30 C 0.67 0.49 0.65 0.46 D 0.56 0.37 0.57 0.37 E 0.57 0.39 0.60 0.42 F 0.50 0.30 0.45 0.26 G 0.52 0.32 0.51 0.31 H 0.55 0.38 0.58 0.40 I 0.58 0.40 0.60 0.42 Ratios of PGA and 5 Hz SA for Various SDC Categories 26
Reductions in Seismic Demands for Alternate Limit States Reinforced concrete shear Ratio of reduction of forces for different walls, in-plane limit states compared to LSD Shear controlled walls LSA/LSD LSB/LSD LSC/LSD Aspect Ratio:
height/length < 2.0 0.50 0.57 0.67 Reductions in Seismic Demand for a Shear Wall due to Inelastic Energy Absorption Factor 27
CSDRS5 Ground Motion SSDRS5 for All Sites 28
CSDRS4 Ground Motion SSDRS4 for All Sites 29
Insights Our analysis shows that relaxation of the SDC requirement (i.e., SDC-5 to SDC-4) provides substantial benefits and is generally more easily implemented than relaxation of the LS requirement
- Implementation involves regulatory and managerial considerations, in addition to changes in some technical design guidance
- Could result in multiple design ground motions for a site and a facility Relaxation of the LS requirement (i.e., LS-D to LS-C) is feasible and could be a more viable option in certain situations:
- Implementation is sometimes more complex and would require more iterations
- Would require update of some guidance in the long-term. For example, related to post-earthquake restart actions Need to complete Phase 2 studies to demonstrate feasibility and validity of the proposed LMP/ASCE 43 Integration approach
Summary No inherent technical impediments to the proposed LMP/ASCE-43 Integration approach Although current seismic regulations and guidance do have some aspects that are Light Water Reactor (LWR) oriented, these aspects will not impede application of the proposed process Biggest benefit is the flexibility (not available in the current process), which could also affect aspects other than design (e.g., initial layout to optimize seismic categorization, ease in construction, operational and maintenance efficiencies, ease or difficulty in performing a robust SPRA)
Process can be used for both Part 52 and Part 50 applications (any future licensing processes should also be accommodated)
Process is technology inclusive, can accommodate different risk criteria, and preserves design stability and predictability The Phase 1 report will provide a technical basis to develop a regulatory guide to establish acceptable conditions for implementing the process 31