Joint ICTP-IAEA Essential Knowledge Workshop on Deterministic Safety Analysis and Engineering Aspects Important to Safety Trieste, 12-23 October 2015 Assessment of Internal Hazards Javier Yllera Department of Nuclear Safety and Security Division of Nuclear Installation Safety IAEA International Atomic Energy Agency
OUTLINE 1. Definitions of Internal and External Hazards 2. Importance of Internal Hazards 3. Applicable IAEA Safety STANDARDS 4. General approach for design and assessment 5. Examples of Application (Pipe break-flooding) 6. Discussion IAEA
Internal & External Hazards IAEA Definitions • No definition in the IAEA Safety Glossary for internal or external hazards. • Definition for external event: • Events unconnected with the operation of a facility or the conduct of an activity that could have an effect on the safety of the facility or activity. Typical examples of external events for nuclear facilities include earthquakes, tornadoes, tsunamis and aircraft crashes . • An internal fire ( a fire inside the plant) could be considered as an external event. The terminology is not clear • SSR 2/1 includes design requirements against internal and external hazards IAEA 3
Internal & External Hazards IAEA Definitions • The hazard describes the circumstances that may lead to an event, e.g. the presence of combustible material may lead to a fire. • The hazard may or not exist • The event may occur or not occur • In this context hazards and events are used often as synonymous in IAEA SSs and other IAEA publications Internal/external Hazard Event (seismicity) (earthquake, tsunami) Internal/External Hazards or Events • IAEA
Internal Hazards • Internal hazards originate from sources located on the site of the nuclear power plant, both inside and outside of plant buildings. Sources may or not be part of the process equipment. • Examples of internal hazards include: • Internal fires • Pipe whip • Internal floods • Turbine missiles • Drop of heavy loads • On-site explosions IAEA 5
External Hazards • External hazards originate from sources located outside of the site of the nuclear power plant. • Examples of external hazards include: • Seismic hazards • High winds and wind-induced missiles • External floods • Other severe weather phenomena (e.g., tornados) • Off-site transportation accidents • Off-site explosions • Releases of toxic chemicals from off-site storage facilities • External fires (e.g. fires affecting the site and originating from nearby forest fires) • Effects of volcanism (lava flows, ashes, etc. ) IAEA 6
Importance of Internal and External Hazards • Internal and external hazards have the potential to induce an initiating event and to cause damage to several or many plant equipment or affect plant operation (and even outside emergency response) • The Internal or the External Hazard is not an initiating event • The design should be such that: • the frequency of the hazards is minimized (when possible) • Plant operators and sufficient equipment to operate the plant and bring it to a safe and durable state is not affected by the hazards. Internal/external Postulated IE Hazard Event (loss of offsite power) (seismicity) + damages (earthquake, tsunami) Internal/External Hazards or Events IAEA 7
IAEA SAFETY STANDARDS / Requirements • Requirement 17: All foreseeable internal hazards and external hazards, including the potential for human induced events directly or indirectly to affect the safety of the nuclear power plant, shall be identified and their effects shall be evaluated. Hazards shall be considered for the determination of postulated initiating events and generated loadings for use in the design of relevant items important to safety for the plant. IAEA
IAEA SAFETY STANDARDS / Requirements • Item 17: The design shall take due account of internal hazards such as fire, explosion, flooding, missile generation, collapse of structures and falling objects, pipe whip, jet impact, and release of fluid from failed systems or from other installations on the site. Appropriate features for prevention and mitigation shall be provided to ensure that safety is not compromised IAEA
IAEA SAFETY STANDARDS / Guidelines IAEA Guidelines are intended to supplement Requirement documents by providing guidance on how to fulfil the ‘shall’ requirements IAEA
GENERAL APPROACH • Defence in Depth Approach: Implementation of consecutive layers of protection • Prevention on the internal hazard from occurring. Reducing frequency and magnitude • Early detection and suppression of the internal hazard. • Limiting the impact and propagation of the hazard on the plant. Avoiding secondary hazards. • Mitigation of the consequences on the plant. Safe shutdown of the plant after the internal hazard IAEA
GENERAL APPROACH Prevention of Hazards • Very few hazards may be eliminated • Physically impossible or by very high quality of design, e.g. no load drop if there is no lifting equipment / 2A pipe break for pipes designed as ‘Leak before break’. • Frequency can be reduced however by appropriate design and operation provisions. • e.g. Occurrences of a load drop can be minimized by lifting the heavy loads with cranes of a high reliability • Occurrences of fires can be minimized by reducing the fire load in a room, controlling the use of transient fuels, etc. • Regular inspection of piping and vessels. IAEA
GENERAL APPROACH Early detection and suppression of the internal hazard. • When possible early detection and suppression reduces the likelihood of an internal hazards of a sufficient magnitude to cause damage, or limits the extension of the damage • Examples: • Fire detection and extinguishing • Flood detection and isolation • Detection and suppression can be automatic or manual • Direct automatic detection (fire detectors, flood detectors) • Indirect detection: • Automatic: system alarms, equipment malfunctioning originated by the hazards • Manual detection: human presence, plant walkdown • Automatic suppression: Fire extinguishing systems, flood isolation, etc. triggered by automatic detection • Manual suppression: remote or local human intervention IAEA
GENERAL APPROACH Limiting the impact and propagation of the hazard on the plant. • Limiting the impact: Adequate plant layout . Adequate protection features for the equipment • Prevention of PIEs to the extent possible. • AOOs should be prevented, but is not always possible. • Internal/external hazards should not or very rarely lead to accidents. • Prevention of damage to safety significant equipment (protection, qualification). • Physical separation of safety divisions by barriers with adequate resistance to the hazards to the extent possible. • Confinement of the effects of the fire to limited areas of the plant • Prevention of secondary hazards, e.g. pipe break leading to flooding can cause also pipe whip damages, water impingement, etc. Load drop can cause pipe break and flooding, etc. IAEA
GENERAL APPROACH Mitigation of the hazard consequences. Plant safe shutdown • After the internal hazard is controlled, sufficient plant equipment should remain operable for the safe and durable shutdown of the plant. • External hazards (e.g. earthquakes) can challenge equipment of different safety divisions, but the design of the equipment (e.g. design of seismic equipment category I) can prevent its failure. A safety system can remain fully functional • For internal hazards, e.g. internal fire, the failure of one division may be unavoidable, e.g. fire originated in the room of division I. Hence, single failure criterion may not be longer met. Random failures need to be taken into account in the safe shutdown analysis. • Safe shutdown analysis identifies the set of systems and minimal number of division that cannot be affected by the hazard for accomplishing the fundamental safety function and shutdown the plant safely. IAEA
GENERAL APPROACH • PIE generated by internal hazards • An internal/external hazard should not lead to an initiating event for which the plant is not designed • Identification of PIEs must be thorough and consider potential effects of internal/external hazards. • Analysis of plant response to PIEs is mainly made by modeling the plant response running qualified codes, demonstrating compliance with acceptance criteria (with conservatism), • The operation of the systems credited in the PIE analysis shall not be jeopardized by the secondary consequences of the internal hazard • Systems and components to be protected from the effects of the internal hazard are those required for its mitigation of the PIEs that can be originated, i.e. the systems required to operate the plant to a safe and durable state . IAEA
GENERAL APPROACH Is the plant safe enough ? • It is often not possible or impractical to prevent that an internal/external hazards doesn’t lead to an AOO. The operator may even trigger it. • Hazards initiating an accident condition should be prevented to the extent possible by design. If not, the frequency of occurrence shall be consistent with the severity of the consequences according to the principle ‘ the higher the consequences the lower the probability’’ (e.g. prevention of equipment failure should be ALARP) • Shutting down and bringing the reactor to the normal cold shutdown after any hazard shall be possible (e.g. in case of a fire, flood, heavy load drop) IAEA
Recommend
More recommend
