defence in depth - Canteach
defence in depth - Canteach
defence in depth - Canteach
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
OBJECTIVES<br />
Module 3<br />
DEFENCE IN DEPTH<br />
After complet<strong>in</strong>g this module you will be able to:<br />
CRO 3.1 Def<strong>in</strong>e the Defence <strong>in</strong> Depth operat<strong>in</strong>g philosophy, and state the<br />
three basic assumptions <strong>in</strong>herent <strong>in</strong> this philosophy.<br />
CRO 3.2 The Defence <strong>in</strong> Depth model ofnuclear safety features many<br />
overlapp<strong>in</strong>g barriers protect<strong>in</strong>g workers, the public and the<br />
environment from large releases offission products. Expla<strong>in</strong> how<br />
each ofthe follow<strong>in</strong>g physical or adm<strong>in</strong>istrative barriers impacts on<br />
nuclear safety, and give three elements ofthe application ofthis<br />
barrier <strong>in</strong> a NPP:<br />
22107.3 - Defence In Depth<br />
NOTES AND REFERENCES<br />
22107.J - Defence In Deplh<br />
NOTES AND REFERENCES<br />
CRO 3.3 Give and expla<strong>in</strong> the three aspects of a Defence <strong>in</strong> Depth approach to<br />
Page J3 manag<strong>in</strong>g reactor accidents.<br />
Page J4 CRO 3.4 Expla<strong>in</strong> how Defence <strong>in</strong> Depth is ma<strong>in</strong>ta<strong>in</strong>ed when a safety related<br />
system is impaired or removed from service for ma<strong>in</strong>tenance.<br />
Page 14 CRO 3.5 Expla<strong>in</strong> how the Defence <strong>in</strong> Depth philosophy applies to the<br />
diagnosis ofabnormal <strong>in</strong>cidents.<br />
Page IS 3.6 Expla<strong>in</strong> how an 88 ensures Defence <strong>in</strong> Depth is ma<strong>in</strong>ta<strong>in</strong>ed when an<br />
automated control system is placed on manual control.<br />
Page 15 CRO 3.7 Describe the five physical barriers between radioactive fission<br />
products and the public.<br />
Page 16 CRO 3.8 Describe the effect oflarge scale fuel failures on the physical barriers<br />
to environmental releases, and the impact on the protection ofthe<br />
public and environment.<br />
Page 17 CRO 3.9 Dist<strong>in</strong>guish between, and give two examples ofeach:<br />
a) Process Systems<br />
b) Safety Support Systems<br />
c) Special Safety Systems<br />
d) Standby Safety Support Systems<br />
Page 18 CRO 3.10 Dist<strong>in</strong>guish between, and give two examples ofeach:<br />
a) Active Systems<br />
b) Poised Systems<br />
Page 19 eRO 3.11 Def<strong>in</strong>e marg<strong>in</strong> ofsafety and marg<strong>in</strong> to trip and give two examples of<br />
each. Expla<strong>in</strong> the important relationship that must exist between a<br />
marg<strong>in</strong> ofsafety and a marg<strong>in</strong> to trip <strong>in</strong> order for adequate trip<br />
coverage to exist.<br />
Page 2
22 107.3 - Defence In Depth<br />
NOTES AND REFERENCES<br />
Defence In Depth Model Of Nuclear Safety<br />
Page 4<br />
Described below and illustrated <strong>in</strong> Figure 3.1 is a Defence <strong>in</strong> Depth model<br />
consist<strong>in</strong>g of 12 layers of <strong>defence</strong>, or barriers, aga<strong>in</strong>st nuclear accidents. Most of<br />
these barriers are addressed <strong>in</strong> greater detail <strong>in</strong> other modules ofthis course.<br />
These barriers are not <strong>in</strong>dependent ofone another--a failure ofone can sometimes<br />
affect the <strong>in</strong>tegrity of others. This model provides a convenient method of<br />
conceptualiz<strong>in</strong>g the many physical and adm<strong>in</strong>istrative barriers to proJect workers,<br />
the public and the environment from radiological hazards associated with NPP<br />
operation.
3. Utility Safety Culture. The follow<strong>in</strong>g elements ofa well-managed nuclear<br />
safety program, all ofwhich have an obvious, positive impact on nuclear<br />
safety, demonstrate a Utility's commitment to foster<strong>in</strong>g a good safety<br />
culture:<br />
a) clear policy commitment--eg, that safety takes precedence over<br />
production<br />
b) adequate fund<strong>in</strong>g ofthe nuclear safety program<br />
c) dedicated organizational unites) (eg, Division, Department) to manage<br />
nuclear safety<br />
d) well-def<strong>in</strong>ed nuclear safety roles and responsibilities<br />
e) practis<strong>in</strong>g self-regulation<br />
f) nuclear safety performance monitor<strong>in</strong>g and report<strong>in</strong>g versus established<br />
measures<br />
g) Nuclear Review Committee to oversee Corporate nuclear safety<br />
h) Regulatory relations<br />
i) motivation by Management leadership and example<br />
j) conservative decision mak<strong>in</strong>g<br />
k) employee commitment--eg, to personnel error reduction work practices<br />
22107.3 - Defence In Depth<br />
NOTES AND REFERENCES<br />
Obj. 3.2 c)<br />
Page 7
22107,3 - Defence In Deplh<br />
NOTES AND REFERENCES<br />
Obj. 3.2 tl) 4. Quality Assurance Program. The quality ofplant components and<br />
systems, management functions and work practices is assured by the<br />
follow<strong>in</strong>g elements ofa Utility's QA program:<br />
a) quality pr<strong>in</strong>ciples<br />
b) legislation, codes and CSA standards for design, procurement,<br />
construction, commission<strong>in</strong>g and operation ofNPP equipment and<br />
systems<br />
c) life cycle QA program for plant<br />
d) quality audits and corrective action follow-up<br />
Obj. 3.2 e) 5. Environmental Protection Program. Compliance with public dose limits is<br />
demonstrated, and environmental impact ofNPP operation is m<strong>in</strong>imized by<br />
the follow<strong>in</strong>g program elements:<br />
Page 8<br />
a) Derived emission limits on radioactive contam<strong>in</strong>ants <strong>in</strong> liquid and<br />
airborne effluents<br />
b) Environmental monitor<strong>in</strong>g sites<br />
c) Water, vegetation, precipitation, fish and milk sampl<strong>in</strong>g program<br />
d) Active Liquid Waste Management System and authorized pump-outs<br />
e) Airborne effluent sampl<strong>in</strong>g via Stack Monitors<br />
f) Liquid effluent sampl<strong>in</strong>g (Service Water and Condenser Circulat<strong>in</strong>g<br />
Water)<br />
g) MISA program<br />
h) Spills report<strong>in</strong>g<br />
i) Radioactive waste management and volume reductionyrogram<br />
j) Intermediate term storage ofirradiated fuel--IFB, dry storage modules<br />
k) Long-term radioactive waste disposal project
2211I7.3 - Defence In Depth<br />
NOTES AND REFERENCES<br />
c) identitY <strong>in</strong>cipient equipment failures, so that corrective action can be<br />
taken before catastrophic failures occur, and<br />
d) properly execute emergency response procedures to mitigate and<br />
accommodate accident consequences.<br />
The follow<strong>in</strong>g are elements ofthe NPP stafftra<strong>in</strong><strong>in</strong>g & qualification program:<br />
a) work group tra<strong>in</strong><strong>in</strong>g & qualification programs--Operators,<br />
MechanicaVControVCivil Ma<strong>in</strong>ta<strong>in</strong>ers, Chemical Technicians, Technical<br />
Support staff,<br />
b) <strong>in</strong>itial tra<strong>in</strong><strong>in</strong>g, progression tra<strong>in</strong><strong>in</strong>g, cont<strong>in</strong>u<strong>in</strong>g tra<strong>in</strong><strong>in</strong>g<br />
c) classroom, simulator, laboratory, shop, and on-the-job tra<strong>in</strong><strong>in</strong>g, as<br />
required<br />
d) conventional and radiation safety tra<strong>in</strong><strong>in</strong>g<br />
e) authorization tra<strong>in</strong><strong>in</strong>g for key positions<br />
f) emergency response tra<strong>in</strong><strong>in</strong>g<br />
g) special duty qualification--eg, crane operator, Media Briefer <strong>in</strong><br />
Emergency Operations Center, conf<strong>in</strong>ed space gas Tester, magnetic<br />
particle QC <strong>in</strong>spector, ...<br />
Obj. 3.2 h) 8. Good Operat<strong>in</strong>g and Ma<strong>in</strong>tenance Practices. The <strong>in</strong>tegrity ofthe<br />
analyzed state is preserved, the plant material condition ma<strong>in</strong>ta<strong>in</strong>ed <strong>in</strong> good<br />
repair, and the risk ofunnecessary upset is m<strong>in</strong>imized through such practices<br />
as the follow<strong>in</strong>g:<br />
Page 10<br />
a) the exercise ofdue diligence<br />
b) procedural compliance<br />
c) good housekeep<strong>in</strong>g<br />
d) configuration management and change control<br />
e) pre- and post-ma<strong>in</strong>tenance test<strong>in</strong>g<br />
f) foreign material exclusion<br />
g) personnel error reduction programs-self-check<strong>in</strong>g, <strong>in</strong>dependent<br />
verification
12. The Five Physical Barriers. In order for radioactive fission products to<br />
reach the public, they must first escape from the ceramic fuel pellets, then<br />
penetrate the fuel sheath, the heat transport boundary, the Conta<strong>in</strong>ment<br />
boundary, and the exclusion zone. The <strong>in</strong>tegrity ofthese barriers is<br />
ma<strong>in</strong>ta<strong>in</strong>ed us<strong>in</strong>g the follow<strong>in</strong>g strategies:<br />
a) ensur<strong>in</strong>g that reactor power is controlled, and fuel cool<strong>in</strong>g ma<strong>in</strong>ta<strong>in</strong>ed<br />
b) similar strategies as those to ma<strong>in</strong>ta<strong>in</strong> reliable safety related systems,<br />
listed above<br />
c) HT boundary <strong>in</strong>spections--feeders, pressure tubes, boiler tubes<br />
d) Conta<strong>in</strong>ment boundary leak rate tests<br />
Additional Examples Of The Defence In Depth Philosophy:<br />
The balance ofthis module is devoted to discuss<strong>in</strong>g additional examples ofthe<br />
Defence <strong>in</strong> Depth philosophy <strong>in</strong> NPP operations.<br />
Defence In Depth Approach To Reactor Accidents<br />
A Defence <strong>in</strong> Depth approach to reactor accidents <strong>in</strong>cludes the follow<strong>in</strong>g three<br />
aspects:<br />
22107.3 - Defence In Depth<br />
NOTES AND REFERENCES<br />
Obj. 3.2 I)<br />
1. Accident prevention. Accidents are prevented to the extent possible us<strong>in</strong>g Obj. 3.3<br />
the strategies ofthe above Defence <strong>in</strong> Depth model. Accidents are<br />
prevented by high quality design, construction, operation and regulatory<br />
control ofthe plant, consistent with the safety analysis. Systems are tested,<br />
<strong>in</strong>spected, operated and ma<strong>in</strong>ta<strong>in</strong>ed accord<strong>in</strong>g to approved procedures, by<br />
tra<strong>in</strong>ed and skilled personnel, with an appropriate level ofsupervision. When<br />
faults are detected, they are corrected, orifrepairs cannot be made, the plant<br />
is placed <strong>in</strong> a safe state. Automatic system responses, and use ofapproved<br />
procedures prevent process upsets from escalat<strong>in</strong>g <strong>in</strong>to accidents.<br />
2. Accident mitigation. We cannot rely on accident prevention alone. Even<br />
with high quality design, operation and ma<strong>in</strong>tenance, accidents are still<br />
possible, and so we require high quality strategies for accident mitigation and<br />
management. In accident mitigation, the overall strategy is to shut down the<br />
reactor, ma<strong>in</strong>ta<strong>in</strong> fuel cool<strong>in</strong>g, and conta<strong>in</strong> radioactivity. These functions are<br />
accomplished by qualified staff us<strong>in</strong>g accident mitigation (Abnormal<br />
Incidents) procedures, with the aid ofsafety systems designed especially for<br />
accident mitigation. The availability ofpoised systems to perform their<br />
mitigat<strong>in</strong>g functions is ensured by periodic test<strong>in</strong>g.<br />
Page 13
Active Systems<br />
0 PHT 0 Electrical 0 SDS1<br />
power<br />
0 Mod. 0 Process 0 SDS2<br />
Aux. water<br />
0 Instrument 0 ECI<br />
air<br />
0 Backup 0 Contai<br />
heat s<strong>in</strong>ks nment<br />
0 Secondary<br />
control<br />
area<br />
0 Annulus<br />
gas<br />
0 PHT<br />
0 Moderator<br />
0 Steam Gen.lBoiler<br />
Emergency Cool<strong>in</strong>g<br />
0 Standby generators<br />
0 Conta<strong>in</strong>ment vent<strong>in</strong>g<br />
0 Setback and slepback<br />
0 Emergency water<br />
o Emergency power<br />
o Secondary control areas<br />
o Backup heat s<strong>in</strong>ks<br />
Table 3.1: Examples ofactive and passive safety related systems<br />
Marg<strong>in</strong>s and Trip Coverage<br />
Safety systems are designed to control, cool, and conta<strong>in</strong> over a wide range of<br />
analyzed transients. The safety systems and equipment are operated <strong>in</strong> a<br />
conservative manner and are not cont<strong>in</strong>uously on the verge oftripp<strong>in</strong>g or break<strong>in</strong>g<br />
down. The difference between the operat<strong>in</strong>g level ofa parameter and the value<br />
where someth<strong>in</strong>g unsafe occurs, such as exceed<strong>in</strong>g a design limit, is called the<br />
marg<strong>in</strong> ofsafety for that parameter. For example, assume the reactor operates at<br />
100"10 full power. Iffuel element center-l<strong>in</strong>e melt<strong>in</strong>g will not occur below 130"10<br />
full power, then the marg<strong>in</strong> ofsafety aga<strong>in</strong>st center-l<strong>in</strong>e melt<strong>in</strong>g is 30%.<br />
Marg<strong>in</strong> to trip also becomes a factor <strong>in</strong> operational safety. To illustrate, assume<br />
the reactor operates at 100% full power. Ifthe shutdown system trip set po<strong>in</strong>t is<br />
at 110% full power, the marg<strong>in</strong> to trip is 10"10. Marg<strong>in</strong> to trip is a measure oehow<br />
much a parameter must vary before a protective trip is actuated, or simply the<br />
difference between the operat<strong>in</strong>g po<strong>in</strong>t and trip set po<strong>in</strong>t ofa given parameter.<br />
Both concepts ofmarg<strong>in</strong> ofsafety and marg<strong>in</strong> to trip are illustrated <strong>in</strong> Figure 3.3.<br />
22107.3 - Defence III Depth<br />
NOTES AND REFERENCES<br />
Obj. 3.11<br />
Page 19
221(17.3 - Defence In Depth<br />
NOTES AND REFERENCES<br />
Page 20<br />
Operat<strong>in</strong>g<br />
Parameter<br />
Value<br />
Uneate Umit<br />
Tr p Set Po<strong>in</strong>t<br />
Marg<strong>in</strong> to Trp<br />
t- L-_Operal<strong>in</strong>g Pl:><strong>in</strong>t<br />
MalQ <strong>in</strong> to Safety<br />
Figure 3.3: Marg<strong>in</strong> To Trip and Marg<strong>in</strong> ofSafety<br />
In choos<strong>in</strong>g the safety system trip set po<strong>in</strong>ts for marg<strong>in</strong> to trip, an analytical<br />
approach is used to detenn<strong>in</strong>e the most limit<strong>in</strong>g set ofcircumstances <strong>in</strong> the design<br />
basis set. Error allowances are assigned to the trip set po<strong>in</strong>ts to allow for<br />
operational uncerta<strong>in</strong>ties. Allowances may <strong>in</strong>clude such th<strong>in</strong>gs as simulation and<br />
<strong>in</strong>strumentation errors, precision ofcalibration, and uncerta<strong>in</strong>ty <strong>in</strong> the parameter<br />
measurement.<br />
The smaller the marg<strong>in</strong> to trip is, the more likely spurious trips will occur. A<br />
protective system that unnecessarily trips the reactor is undesirable. In practice,<br />
the reactor may be derated to provide an adequate marg<strong>in</strong> to trip ifthis marg<strong>in</strong> is<br />
too small. For adequate trip coverage to provide safe operation, the marg<strong>in</strong> to trip<br />
must always be less than the marg<strong>in</strong> ofsafety, so that the protective trip occurs<br />
before the unsafe condition.
12107.3 - Defence In Depth<br />
NOTES AND REFERENCES<br />
• Use ofapproved procedures ensures adequate review for legal, technical and<br />
operat<strong>in</strong>g constra<strong>in</strong>ts, for system <strong>in</strong>teractions and for deterioration ofphysical<br />
barriers to the release of radioactivity.<br />
Page 22<br />
• Review and approval ofabnormal <strong>in</strong>cidents procedures ensures that the upset<br />
unit is placed <strong>in</strong> a safe state.<br />
• A Defence <strong>in</strong> Depth approach to event diagnosis is provided by the SS<br />
<strong>in</strong>dependently verity<strong>in</strong>g the CRO diagnosis, and by the CSP moriitor<strong>in</strong>g and<br />
restoration procedure, which should return the unit to a safe state even ifthe<br />
diagnosis was wrong, or the event-based procedure fails to cater to the specific<br />
operat<strong>in</strong>g conditions encountered.<br />
• When an automated system is placed on manual control, the same constra<strong>in</strong>ts<br />
designed <strong>in</strong>to the automated system apply. An operator may be dedicated to<br />
controll<strong>in</strong>g a parameter, to simulate the undistracted operation ofthe<br />
automatic controller.<br />
• Tra<strong>in</strong><strong>in</strong>g and qualification equip personnel to recognize situations where levels<br />
of<strong>defence</strong> may bejeopardized or impaired.<br />
• The five physical barriers between fission products and the public are:<br />
a) Ceramic fuel,<br />
b) Fuel Sheath<br />
c) Heat Transport System<br />
d) Conta<strong>in</strong>ment Boundary<br />
e) Exclusion Zone<br />
• When large scale fuel failures occur, at least two ofthe five physical barriers<br />
are breached--the Ceramic fuel, and the fuel sheath. In the case ofa LOCA,<br />
the third barrier, the primary heat transport system boundary is also breached.<br />
In the unlikely event ofa LOCA with co<strong>in</strong>cident loss ofconta<strong>in</strong>ment (dual<br />
failure), the only barrier rema<strong>in</strong><strong>in</strong>g is the exclusion area.<br />
• Defence <strong>in</strong> Depth is provided for the control/cool/conta<strong>in</strong> funCtions ofsafety<br />
related process systems via the follow<strong>in</strong>g back-ups: standby safety support<br />
systems, special safety systems, and Emergency water and power systems.
• The primary stratagem for prevent<strong>in</strong>g operat<strong>in</strong>g parameters from reach<strong>in</strong>g<br />
unsafe values, is to choose an operat<strong>in</strong>g po<strong>in</strong>t which provides a conservative<br />
marg<strong>in</strong> ofsafety. Defelice ill Depth is provided by an automatic protective<br />
trip. The trip set po<strong>in</strong>t is chosen such that the trip marg<strong>in</strong> is less than the safety<br />
marg<strong>in</strong>, so that the trip occurs before the unsafe condition is reached,<br />
allowances for uncerta<strong>in</strong>ties <strong>in</strong> measured and calculated values hav<strong>in</strong>g been<br />
taken <strong>in</strong>to account.<br />
• Defence <strong>in</strong> Depth is enhanced for reactor trips <strong>in</strong> that primary and back-up<br />
trips exist with<strong>in</strong> each SDS for most analyzed system failures.<br />
22107.3 - Defence In Depth<br />
NOTES AND REFERENCES<br />
Page 23
22107.3 - Defelice III Depth<br />
NOTES AND REFERENCES<br />
Page 24<br />
ASSIGNMENT<br />
1. Carefully prepare detailed answers for the Module 3 learn<strong>in</strong>g objectives.<br />
2. List 6 standby safety support systems and describe the purpose ofeach system<br />
with respect to nuclear safety.<br />
3. As directed by your Instructor, review the follow<strong>in</strong>g reactor <strong>in</strong>cidents:<br />
a) Picker<strong>in</strong>g Unit 2 flux tilt <strong>in</strong>cident of 1990<br />
b) TMI accident of 1979<br />
c) Chernobyl Accident of 1986<br />
d) Salem marsh grass <strong>in</strong>cident of 1994<br />
For each <strong>in</strong>cident,<br />
a) IdentifY the <strong>in</strong>itiat<strong>in</strong>g event,<br />
b) IdentifY which ofthe 12 layers ofthe Dejence <strong>in</strong> Depth model were<br />
violated.<br />
c) State which, <strong>in</strong> your op<strong>in</strong>ion, was the greater problem--equipment<br />
failures or <strong>in</strong>appropriate human activity. Give your rationale.