BASIC PROFESSIONAL TRAINING COURSE Module V Safety classification of structures, systems and components Version 1.0, May 2015 This material was prepared by the IAEA and co-funded by the European Union. 

INTRODUCTION TO SAFETY CLASSIFICATION Learning objectives After completing this chapter, the trainee will be able to: Define the purpose of the safety classification. List important general safety requirements for plant design. Explain which items are important to safety. Define terms items important to safety and the safety system. List typical plant specific safety functions. List and explain the purpose of defence-in-depth levels.

The purpose of safety classification Design of NPPs - safety classification of structures, systems and components (SSCs); Identification and categorization of the safety functions; Identification and classification of the SSC items; Establish relationships between safety class and requirements for design and manufacturing commensurate to their safety significance. The purpose of safety classification in a nuclear power plant is to identify and categorize the safety functions and to identify and classify the related SSC items on the basis of their safety significance.   This will ensure that the appropriate engineering design rules are determined for each safety class, so that SSCs are designed, manufactured, constructed, installed, commissioned, quality assured, maintained, tested and inspected to standards appropriate to their safety significance. This Module describes the present requirements agreed by consensus for the classification of SSCs which have a role in the nuclear safety of the plant. It describes a systematic approach to identify and categorize the functions to be considered in the classification process, identify the SSCs which have a role in performing those functions, and a classification of the SSCs in a manner commensurate with their importance for the function and category. Finally it describes how design requirements, such as design codes and standards are set up for each safety class and couple examples of the SSC classification in the existing designs. The functions to be categorized are those required to accomplish the main safety functions for the different plant states and primarily those credited in the safety analysis.

General safety requirements for the plant design To control the reactivity of the reactor; The capability to safely shut down the reactor and to maintain it in the safe shutdown condition; To remove heat from the core; To remove residual heat from the core; To remove residual heat from the spent fuel storage; To confine radioactive material and control operational discharges; To assure that any releases are within prescribed limits; To ensure protection of the workers against radiations. It is important that the power plant has structures, systems and components (SSCs) capable of performing safety functions. This will enable the design to meet the general safety requirements.

Safety classification of the plant equipment Safety Requirements SSR 2/1 sets the safety classification of plant equipment (Fig. 1.1). In this context “items” are different structures, systems or components.

Definitions Accident conditions Design Basis Accident Deviations from normal operation that are less frequent and more severe than anticipated operational occurrences, and which include design basis accidents and design extension conditions. An accident causing accident conditions for which a facility is designed in accordance with established design criteria and conservative methodology, and for which releases of radioactive material are kept within acceptable limits.

Definitions (cont.) Design extension conditions Postulated accident conditions that are not considered for design basis accidents, but that are considered in the design process of the facility in accordance with best estimate methodology, and for which releases of radioactive material are kept within acceptable limits. Design extension conditions include conditions in events without significant fuel degradation and conditions with core melting. Are being used to define the design basis for safety features and for the design of all other items important to safety that are necessary for preventing such conditions from arising, or, if they do arise, for controlling them and mitigating their consequences.

Definitions (cont.) Item important to safety Safety system An item that is part of a safety group and/or whose malfunction or failure could lead to radiation exposure of the site personnel or public. System required to ensure the safe shutdown of the reactor or the residual heat removal from the core, or to limit the consequences of anticipated operational occurrences and design basis accidents. Safety systems are designed to mitigate the radiological consequences of the Design Basis Accidents within the prescribed limits.

Definitions (cont.) Safety Features for DEC Item designed to perform a safety function in design extension conditions.

SAFETY CLASSIFICATION Learning objectives After completing this chapter, the trainee will be able to: Explain when and how the safety classification should be performed. List the main steps in the classification process. Define terms function and design provisions. List examples of design provisions. List and briefly explain the three levels of severity. List the categorization of functions.

SAFETY CLASSIFICATION Learning objectives After completing this chapter, the trainee will be able to: Describe three safety categories. Explain how the adequacy of the safety classification should be verified.

Safety classification An iterative process: To be carried out periodically throughout the design process. To be maintained and supplemented as necessary throughout the lifetime of the plant. Although only SSCs classification is requested, establishing a categorization of the functions first is strongly recommended. In general, the operation of several systems is needed for the accomplishment of a single function. Categorization of functions gives more confidence in the correctness and consistency of the classification. The categorization of functions recommended in the draft Safety Guide DS 367 [2] is based on the three safety categories. On the basis of their classification, SSCs are designed, manufactured, constructed, installed, commissioned, operated, tested, inspected and maintained in accordance with established processes that ensure design specifications and the expected levels of safety performance are achieved.   Safety classification is an iterative process that should be carried out periodically throughout the design process and maintained throughout the lifetime of the plant. Safety classification should be performed during the plant design, system design and equipment design phases. It should be reviewed for any relevant changes during construction, commissioning, operation and subsequent stages of the plant’s lifetime.

Steps in the classification process SSCs to be classified are all SSCs necessary to accomplish the Fundamental Safety functions as defined in SSR2/1 Req. 4. SSCs candidates for classification cannot be all captured if only systems performing the fundamental safety function for the different plant states are considered. The first step in the classification process is a basic understanding of the plant design, its safety analysis and how the main safety functions will be achieved. Using information from safety assessment (the analysis of postulated initiating events), the functions are categorized on the basis of their safety significance. The SSCs belonging to the categorized functions are identified and classified on the basis of their role in achieving the function.   An SSC implemented as a design provision should be classified directly, because the significance of its postulated failure fully defines its safety class without any need for detailed analysis of the category of the associated safety function. All functions and design provisions necessary to achieve the main safety functions for the different plant states, including all modes of normal operation, should be identified.

Pre-requisites to Safety classification Prior starting the safety classification process, following inputs are necessary: Radiological releases limits established by the Regulatory Body for operational conditions and for the different accident conditions; Plant system description; Plant states definition and categorization; Postulated Initiating Events (PIE) considered in the design with their estimated frequency of occurrence.

Pre-requisites to Safety classification (cont.) Accident analysis; Application of the Defence in depth concept (which systems belong to the different levels of defence); PSA level 1 is not a strict pre-requisite for the safety Classification but needed for verification of its correctness.

Generic principle for design of NPP Use of deterministic methodologies. To make risks (consequences versus frequency) acceptable: To decrease the probability of an accident to occur; Functions to make the consequences acceptable with regard to its probability; A combination of preventive and mitigation measures. Categorization of the functions provided by design provisions is not necessary because the safety significance of the SSC can be directly derived from the consequences of its failure.   Next step in the process is to determine the safety classification of all SSCs important to safety. Deterministic methodologies should be applied, complemented where appropriate by probabilistic safety assessment and engineering judgment to achieve an appropriately shaped risk profile, i.e. a plant design for which events with high consequences have a very low predicted frequency of occurrence.   From Fig. we can see that design provisions are primary implemented to decrease the probability of an accident to occur and functions to make the consequences acceptable with regard to its probability. For most of the initiating events, a combination of both preventive and mitigation measures is implemented to decrease its frequency of occurrence and then to make its consequences acceptable first, but also as low as reasonable practicable.

Identification and categorization of functions Functions to be categorized are those requested to accomplish the fundamental safety functions in the different plant states; Functions are derived from the fundamental Safety functions which are required to be accomplished in all plant states; The deterministic safety analysis provides information of functions to be accomplished to mitigate the consequences of the different PIEs. “Function” includes the primary function and any supporting functions that are expected to be performed to ensure the accomplishment of the primary function. The term ‘function’ includes the primary function and any supporting functions that are expected to be performed to ensure the accomplishment of the primary function. The functions to be categorized are those functions required to achieve the main safety functions for the different plant states, including all modes of normal operation.   These functions are primarily those that are included in the safety analysis and should include functions performed at all five levels of defence in depth: Prevention; Detection; Control and mitigation safety functions.

Generic list of Safety functions to be categorized Fundamental Safety Function Functions to be categorized for the different plant states Control of Reactivity R1 - Maintain core criticality control R2 - Shutdown and maintain core sub-criticality R3 - Prevention of uncontrolled positive reactivity insertion into the core R4 - Maintain sufficient sub-criticality of fuel stored outside the RCS but within the site Heat removal H1 - Maintain sufficient RCS water inventory for core cooling H2 - Remove heat from the core to the reactor coolant H3 - Transfer heat from the reactor coolant to the ultimate heat sink H4 - Maintain heat removal from fuel stored outside the reactor coolant system but within the site Confinement of radioactive material C1 - Maintain integrity of the fuel cladding C2 - Maintain integrity of the Reactor Coolant Pressure Boundary C3 – Limitation of release of radioactive materials from the reactor containment C4 – Limitation of release of radioactive waste and airborne radioactive material EXtra X1 –Protection and prevention against effects of hazard X2 - Protect of workers against radiation risks X3 - Limit the consequence of hazard X4 – Plant operation in accident conditions and monitoring of plant parameters X5 - Monitor radiological releases in normal operation X6 - Limits and conditions for normal operation Can be used as a generic list of functions for pressurized water reactor. Can be used for early classification but has to be more developed once the design is more detailed. For classification purpose, those functions need to be defined for the different plant states taking into account that one single function is often accomplished by different systems, as generally requested by the Defense in depth concept.

Identification and categorization of functions Practically, for each PIE, functions necessary to control or mitigate the consequences are identified and categorized. The categorization of functions is performed to reflect the safety significance of every function. Safety significance is assessed by screening the following factors: (1) The consequences of failure to perform the function; (2) The frequency of occurrence of the postulated initiating event for which the function will be called upon; (3) The significance of the contribution of the function in achieving either a controlled state or a safe state. 3 levels of severity: high, medium and low

Categorization of functions Dose limits or acceptance criteria are used to define High, medium and low severity of consequences; The severity is either assessed by calculation or derived from the accident deterministic safety analysis. Table 2.1: Relationship between Safety Function Type and Safety Categories. * Medium or low severity consequences are not expected to occur in the event of non-response of a dedicated function for the mitigation of design extension conditions.

Categorization of functions Safety category 1: Any function that is required to reach the controlled state after an anticipated operational occurrence or a design basis accident and whose failure, when challenged, would result in consequences of ‘high’ severity.

Categorization of functions Safety category 2: Any function that is required to reach a controlled state after an anticipated operational occurrence or a design basis accident and whose failure, when challenged, would result in consequences of ‘medium’ severity; or Any function that is required to reach and maintain for a long time a safe state and whose failure, when challenged, would result in consequences of ‘high’ severity; or Any function that is designed to provide a backup of a function categorized in safety category 1 and that is required to control design extension conditions without core melt.

Categorization of functions Safety category 3: Any function that is actuated in the event of an anticipated operational occurrence or design basis accident and whose failure, when challenged, would result in consequences of ‘low’ severity; or Any function that is required to reach and maintain for a long time a safe state and whose failure, when challenged, would result in consequences of ‘medium’ severity; or

Categorization of functions Safety category 3: Any function that is required to mitigate the consequences of design extension conditions, unless already required to be categorized in safety category 2, and whose failure, when challenged, would result in consequences of ‘high’ severity; or Any function that is designed to reduce the actuation frequency of the reactor trip or engineered safety features in the event of a deviation from normal operation, including those designed to maintain the main plant parameters within the normal range of operation of the plant; or

Categorization of functions Safety category 3: Any function relating to the monitoring needed to provide plant staff and off-site emergency services with a sufficient set of reliable information in the event of an accident (design basis accident or design extension conditions), including monitoring and communication means as part of the emergency response plan (defence in depth level 5), unless already assigned to a higher category.

Example of categorization - PIE: Core melt accident Fundamental Safety Function Generic function Sub Function   category Main SSCs Confinement of radioactive material C3 – Limitation of release of radioactive materials from the reactor containment C3.1 - Heat removal from the containment 3 Containment cooling system or Containment venting system + associated supporting SSCs C3.2 - Minimizing radiological releases C3.2.1 – Containment spray  Containment spray system + associated supporting SSCs C3.2.2 – Containment Isolation Containment and its isolation system + associated supporting SSCs C3.2.3 - Prevention of unfiltered leakage Filtered ventilation systems in auxiliary buildings + associated supporting SSCs C3.3 Containment integrity C3.3.1 - molten core stability Core catcher and corium cooling system + associated supporting SSCs C3.3.2 - Combustible gases management H2 recombiners + associated supporting SSCs C3.3.3 - Prevention of direct containment heating Fast Primary Circuit depressurization system Containment venting system + associated supporting SSCs C3.3.4 - Containment Depressurization Containment venting system + associated supporting SSCs

Classification of Structures, Systems and associated Components Once the safety categorization of the functions is completed, the SSCs performing functions should be assigned to a safety class. Systems are expected to be assigned to a safety corresponding to the safety category defined for the function performed. After the safety categorization of functions is completed, the SSCs performing these functions should be assigned to a safety class All the SSCs required to perform a function that is safety categorized should be identified and classified according to their safety significance.   Three safety classes are used consistent with the three categories recommended in Table 2.1. The initial classification should take into account two factors: The consequences of failure to perform the safety function; The time following a postulated initiating event at which, or the period for which, the item will be called upon to perform a safety function.

Classification of Structures, Systems and associated Components (cont In a single system, individuals components may have different safety classes depending on: (a) The safety role performed by the component (b) The consequences of its failure to perform the safety function; (c) The frequency with which the item will be called upon to perform a safety function (d) The time following a postulated initiating event at which, or the period for which, the item will be called upon to perform a safety function. For individual components containing radioactive materials the consequences of their failure are identified with regards to the activity released and to the capability of the system to perform its intended function. The safety class should be determined on the basis of the highest consequence. Nevertheless the safety class cannot be lower than class 3.

Design provisions The safety of the plant is also dependent on the reliability of different equipment which, unlike to systems, is not called upon an event. That equipment designated as “Design provision” is necessary to prevent accidents, to limit propagation of the effects of hazards, to protect workers and the public of radiation risks.

Design provisions (cont.) Design features that are designed to such a quality that their failure could be practically eliminated: The shells of reactor pressure vessels or steam generators. Features that are designed to reduce the frequency of accident: Piping of high quality whose failure would result in a design basis accident. Passive design features that are designed to protect workers and the public from harmful effects of radiation in normal operation: Shielding, civil structures and piping. Passive design features that are designed to protect components important to safety from being damaged by internal or external hazards: Concrete walls, anti whipping devices.

Classification of the design provisions SSC implemented as a design provision can be classified directly by assessing the level of severity of its failure. Safety class 1 Any SSC whose failure would lead to consequences of ‘high’ severity; Safety class 2 Any SSC whose failure would lead to consequences of ‘medium’ severity; Safety class 3 Any SSC whose failure would lead to consequences of ‘low’ severity.  

Verification of the safety classification Comparison of the classification established according to a the deterministic approach (e.g. application of the IAEA SSG-30) with insights from probabilistic safety assessment; Expectation: Consistency between the deterministic and probabilistic approaches provides confidence that the safety classification is correct; If there are differences further assessment should be carried out in order to understand the reasons for these and a final safety class should be assigned; Iterative process to ensure the completeness of the classification. The adequacy of the safety classification should be verified using deterministic safety analysis, which should be complemented by insights from probabilistic safety assessment and/or supported by engineering judgement. The contribution of the SSC to reduction in the overall plant risk is an important factor in the assignment of its safety class. Consistency between the deterministic and probabilistic approaches provides confidence that the safety classification is correct. Generally it is expected that probabilistic criteria for safety classification will match those derived deterministically. If there are differences, further assessment should be performed in order to understand the reasons for this and a final class should be assigned, supported by an appropriate justification.   The process of verification of the safety classification should be iterative, keeping in step with and informing the evolving design.

Selection of engineering design rules for SSCs Three characteristics of the engineering design rules: Capability; Dependability; Robustness. A complete set of engineering design rules should be specified to ensure that the safety classified SSCs will be designed, manufactured, constructed, installed, commissioned, operated, tested, inspected and maintained to appropriate and well proven quality standards. Engineering requirements give confidence that reliability of every SSC is commensurate to their individual safety significance. Engineering design rules are related to the following three characteristics: Capability is the ability of an SSC to perform its designated safety function as required, with account taken of uncertainties; Dependability is the ability of an SSC to perform the required plant specific safety function with a sufficiently low failure rate consistent with the safety analysis; Robustness is the ability of an SSC to ensure that no operational loads or loads caused by postulated initiating events adversely affect the ability of the safety functional group to perform a designated safety function.

Selection of engineering design rules for SSCs To achieve the expected reliability: At the system level, design requirements to be applied may include specific requirements, such as single failure criteria, independence of redundancies, diversity and testability. For individual structures and components, design requirements to be applied may include specific requirements such as environmental and seismic qualification, and manufacturing quality assurance procedures. They are typically expressed by specifying the codes or standards that apply. Appropriate codes and standards(for pressure retaining equipment: ASME, RCC-M, etc., for I&C IEC or IEEE, etc.) and clear links between safety classes and code acceptance criteria Regulatory limits and acceptance criteria

Environmental qualification of SSCs Humidity; Temperature and pressure; Vibration; Chemical effects and radiation; Operating time; Ageing; Submergence; Electromagnetic interference; Radio frequency; Interference and voltage surges. The environmental qualification of SSCs should be determined in accordance with the conditions associated with normal operation and for postulated initiating events in which the SSCs may be called on to operate. Environmental qualification should include consideration of: Humidity; Temperature; Pressure; Vibration; Chemical effects; Radiation; Operating time; Ageing; Submergence; Electromagnetic interference; RF fields; Interference and voltage surges.

Questions When in the life time of the power plant should be the safety classification performed? Which are the main steps in the classification process? What includes the term “function”? Why design provisions have to be considered for classification? Which are the examples of design provisions? Which are three levels of severity? How are the functions categorized? How should be the adequacy of the safety classification verified? Which are the three important characteristics in the selection of engineering design rules for the SSCs?

IAEA safety standards Specific Safety requirements SSR-2/1; Safety of Nuclear Power Plants –Design Safety Guide SSG-30; Safety Classification of Structures, Systems and Components in Nuclear Power Plants General safety requirements GSR Part 4; Safety for Facilities and Activities Specific safety guide SSG-2; Deterministic Safety Analysis for Nuclear Power Plants The views expressed in this document do not necessarily reflect the views of the European Commission.