Office for Nuclear Regulation
An agency of HSE

Technical Assessment Guide

Integrity of Metal Components and Structures

T/AST/016 - Issue 3

Issue date:
13/08/08
Review date:
13/08/12
Open Government Status:
Fully Open
Approved By:
Dr A J Cadman

Contents

Comments on this guide, and suggestions for future revisions, should be made and recorded in accordance with Office for Nuclear Regulation’s (ONR) standard procedures. Comments made from outside ONR should be sent via ndenquiries@hse.gov.uk

1  Purpose and scope

1.1  This Technical Assessment Guide (TAG) discusses ONR's approach to the assessment of the integrity of metal components and structures that are significant for nuclear safety. The assessment envisioned here is that of the structural integrity aspects of licensees' safety submissions. This TAG uses the term “Licensee” and in most cases this will be the correct term. However, in this TAG the term “Licensee” should be taken to include any organisation that is responsible for a safety case formally submitted to ONR for assessment. The TAG makes frequent reference to the Safety Assessment Principles, 2006 Edition [1] (SAPs). The SAPs encompass application to existing and new (proposed) nuclear facilities (SAPs Foreword). In general, this TAG provides guidance on application of the SAPs without distinction between ‘old’ and ‘new’ facilities. The main distinction is in terms of the overall conclusion of the assessment and ALARP, rather than the technical content of the assessment.

1.2  The SAPs are intended to cover nuclear facilities in general, not just nuclear reactor power plants. This Technical Assessment Guide is intended to cover all nuclear facilities dealt with by ONR. However illustrative and example text often refers to reactor plant.

1.3  This TAG contains general guidance to advise and inform NII Inspectors in the exercise of their professional regulatory judgement. This is not a tick-list or check-sheet set of instructions. It is not a training manual for new Inspectors. New Inspectors will need to use this TAG in combination with their existing experience and discussion with peers in ONR to understand aspects of the ONR assessment process in this technical area. In places, this TAG uses words such as ‘adequate’ and ‘appropriate’, these may be taken as flags identifying where Inspectors can especially expect to exercise their judgement. This document is not written as a guide to Licensees on how to develop their safety cases.

1.4  The outcome of an assessment is predominantly a consequence of the Inspector's professional regulatory judgement, within the framework of ONR's assessment process. Assessment outcomes are not pre-ordained by this TAG.

1.5  Assessment of the structural integrity aspects of a safety case is not done in isolation. Other TAGs may be relevant in particular cases; this is dealt with in the Introduction below (see Section 4.1).

1.6  Paragraph 92(c) of the SAPs states a safety case needs to provide a demonstration that the nuclear facility will or does conform to good nuclear engineering practice and sound safety principles. Paragraph 92(c) of the SAPs emphasises design based on deterministic engineering, defence in depth and adequate safety margins. This TAG provides the NII Inspector with guidance within this framework. Experience of actual component reliability is a relevant consideration. However, theoretical analyses to yield predictions of component reliability are unlikely to provide a significant contribution to a safety case. In particular, in terms of failure due to the presence of crack-like defects, probabilistic fracture mechanics is not expected to play a significant role in a structural integrity safety case.

2  Relationship to licence and other relevant legislation

2.1  The primary Licence Conditions under which assessment of the integrity of metal components and structures is carried out are:

LC 15 (periodic review),
LC 17 (quality assurance),
LC 19 (construction or installation of new plant),
LC 20(4) (modification to design of plant under construction),
LC 22(4) (modification or experiment on existing plant),
LC 23 (adequate safety case and operating rules),
LC 24 (operating instructions),
LC 25 (operational records),
LC 26 (control and supervision of operations),
LC 27 (safety mechanisms, devices and circuits),
LC 28 (examination, inspection, maintenance and testing), and
LC 34 (leakage).

2.2  Other Licence Conditions relevant to structural integrity assessment are:

LC 6 (documents, records, authorities and certificates),
LC 10 (training),
LC 12 (duly authorised and other suitably qualified and experienced persons),
LC 13 (nuclear safety committee),
LC 14 (safety documentation),
LC 29 (duty to carry out tests, inspections and examinations),
LC 35 (decommissioning).

3  Relationship to SAPs, WENRA Reference Levels and IAEA Safety Standards

SAPs

3.1  The SAPs (2006 Edition) directly addressed by this Technical Assessment Guide are:

EMC.1 to EMC.34 in the section of the 2006 SAPs entitled “Integrity of Metal Components and Structures”, Paragraphs 238 to 279;

EAD.1 to EAD.5 in the section of the 2006 SAPs entitled “Ageing and
Degradation”, Paragraphs 194 to 202 (as related to metal components and
structures).

3.2  Where assessment is for structural integrity of a component or structure which forms part of a containment, Principles ECV.1 to ECV.10 should also be considered (paragraphs 418 to 438). Where the component or structure forms part of a core support structure, Principles ERC.1 to ERC.4 should also be considered.

3.3  There are a number of other SAPs Principles and Paragraphs that are relevant to the assessment of the integrity of metal components and structures. The list below provides guidance on these other SAPs and Paragraphs (in the listing order of the 2006 Edition of the SAPs). When only Principles are mentioned, it should be assumed the associated Paragraphs are also relevant. Individual Paragraphs are listed where they are particularly important or are not associated with a listed Principle:

SC.1 to SC.7 (Safety Case Processes) (most assessment of integrity of metal components and structures is anticipated to be based on the content of a safety case)

ECS.1 to ECS.5 (Safety Classification and Standards)

EDR.1 to EDR.3 (Design for Reliability - Failure to Safety)

ERL.1 and ERL.2 (Form of Claims), and Paragraphs 177 to 179

EMT.1 to EMT.8 (Maintenance, Inspection and Testing)

ELO.1 (Layout - Access)

EHA.1 to EHA.17 (External and Internal Hazards)

EPS.1 to EPS.5 (Pressure Systems)

FA.2, FA.5 to FA.9 (Fault Analysis) and Paragraph 536 (in particular 536(c))

Numerical Targets 7, 8 and 9 (Numerical Targets and Legal Limits)

Note that the 2006 Edition of the SAPs refer to the application by the Licensee of a Quality Management System (QMS), Paragraphs 50-51.

3.4  SAPs are identified as appropriate in the Advice to Inspectors below.

WENRA Reference Levels and IAEA Safety Standards

3.5  Part of the specification for the update of the Safety Assessment Principles was to consider the Reactor Safety Reference Levels, Decommissioning Safety Reference Levels and Waste and Spent Fuel Storage Safety Reference Levels published by the Western European Nuclear Regulators’ Association (WENRA) and IAEA Standards, Guidance and Documents. The update of this Technical Assessment Guide also considers the WENRA and IAEA publications for specific applicability. WENRA and IAEA documents are dealt with in Appendices 1 and 2 respectively of this TAG. It is interesting to note that the SAPs are intended for both existing and new facilities whereas the WENRA Reactor Safety Reference Levels are intended for existing reactors. However there is little difference between the general requirements of each. The WENRA and IAEA documents considered in this TAG are for nuclear reactor power plants and so do not have the same broad scope intent of the SAPs and this TAG.

4  Advice to Inspectors

4.1  Introduction

1)  This guide is concerned with the assessment of the structural integrity aspect of Licensees' safety cases. The philosophy for the assessment of structural integrity is set out in paragraphs 238-248 and 254-257 of the SAPs[1]. This guide interprets this philosophy and provides advice on the engineering assessment of the integrity of metal components and structures.

2)  The safety case should identify the structures, systems and components that are important for the safe operation of the installation. The safety case should identify normal operating and potential fault conditions, including the effects of internal and external hazards. The safety case should demonstrate that the integrity of structures, systems and components important for the safe operation of the installation are maintained for a defined period of operation. Ultimately this will be the projected life of the installation, including any period of safe storage, taking due account of potential ageing and degradation mechanisms.

3)  The purpose of ONR assessment is to come to a view whether the design, construction, operation, monitoring, inspection and maintenance are adequate to meet the required level of safety. The Inspector, while concentrating on the specifics of structural integrity needs to be aware of the context of this element of the safety case. In particular, the safety case will usually be dealing with a potential hazard (event with undesirable consequences). The structural integrity part of the safety case is concerned with the likelihood or frequency of occurrence of the event and thence its consequences. This might be in terms of a structural integrity related initiating event; either the direct system failure consequences or as an internal hazard (see 4.4 paragraph 3). Or it could be a structural integrity related failure in a system designed to cope with an initiating event. The Inspector needs to begin by understanding the level of structural integrity claimed or implied by the safety case. In other words how unlikely the structural integrity failure needs to be within the context of the safety case. The less likely the failure needs to be, the more demanding are the requirements on the structural integrity aspect. The combination of the consequences of failure and the probability or likelihood of the failure gives a measure of risk.

4)  The SAPs[1] Targets 8 and 9 give quantitative expression to the concept of an indicative upper limit on risk (the Basic Safety Levels, BSLs) and an upper limit on the broadly acceptable region (the Basic Safety Objectives, BSOs). Very often it is not possible to apply such quantification, and instead assessment will be more in terms of qualitative likelihood (SAPs Paragraphs 248 and 536(c)). Nevertheless, the concept of a band between an indicative upper limit on risk and broadly acceptable risk is still useful; it is the region in which 'As Low as Reasonably Practicable' (ALARP) is relevant. Inability to meet a BSL should only be an issue for existing plant; a new installation should be capable of being designed to meet BSLs.

5)  If it seems a BSL is exceeded, the Inspector should carefully read SAPs Paragraphs 571 and 572. If a BSL is clearly exceeded and there is no prospect of improvement in the long-term, then the issue moves into consideration under the HSE Enforcement Management Model (EMM). The EMM is outside the scope of this Guidance; the Inspector should consult ONR Operational Procedure INS/030 and associated Guidance G/INS/030. If the Inspector reaches a judgement that a BSL is comfortably exceeded and the EMM procedure outcome indicates significant regulatory action (e.g. shutdown), ONR line management will need to be engaged and convinced of any proposed action.

6)  In some situations a small inventory in a single item (e.g. reactor vessel of a small reactor) might mean the release quantities are inherently limited for the failure of a single item. However if the installation consists of a number of similar such items, then a view on the frequency of failure of a single item and the corresponding bounded consequence would have to account for the number of items. Generally, estimates of likelihood and frequency are not precise to within a factor of 2 to 4, so numbers of items in this range are not critical. However if there were 6 to 10 or more items at one installation it would be appropriate to factor this into the consideration of the required reliability of individual items.

7)  Structural integrity relies on a number of technical areas, for example metallurgy and materials property testing, welding engineering, stress analysis, fracture mechanics, examination techniques. An Inspector may be experienced in a number of these areas. However the Inspector should be alert to those aspects of an assessment where they may need to consult with colleagues and Inspectors should avoid giving undue attention to those aspects with which they are most familiar. It is unlikely a structural integrity safety case could be made on one feature alone. At the same time, some structural integrity safety cases can have a rich content and the NII Inspector may reach a conclusion on the acceptability of the case using a different weighting of the features of the safety case to that presented by the Licensee.

8)  ECS.1 and ECS.2 deal with the fundamental aspects of categorisation of Safety Functions (Categories A, B and C) and safety classification of Structures, Systems and components (Classes 1, 2 and 3). Safety Functions of metal components and structures are often related to:

  • maintaining a pressure or containment boundary for operability of the system of which the component or structure is a part,
  • avoiding a failure of a component or structure which could impair the Safety Function of another system (the latter might often be classified as an ‘internal hazard’ issue).

IAEA Safety Standards Series Requirements document NS-R-1 (see Appendix 2 ref A2.2 here), defines three fundamental safety functions in its section 4.6 and in its Annex, defines 19 more specific safety functions for reactors. For integrity of metal components and structures, IAEA NS-R-1 Annex safety functions 11 (maintain integrity of pressure boundary) and 19 (prevent failure which would cause impairment of a safety function) are particularly relevant.

9)  The safety categorisation of structures and components is dependent on the loss of safety function and radiological consequences of their failure or leakage, and on the failure frequency requirements placed on them in the safety analysis. Safety Function categorisation and safety classification of structures, systems and components is discussed above in relation to ECS.1 and ECS.2. The standards of design, manufacture, installation and testing, in-service maintenance, inspection and testing, and operation will vary accordingly. For example, the catastrophic failure of a Reactor Pressure Vessel (RPV) of a large power plant would almost certainly lead to unacceptable radiological consequences, and hence the highest standards are required at each stage of the life of such a vessel. A claim that primary cooling circuit pipework will not suffer guillotine type failures might also fall into this category. On the other hand, the radiological consequences of initial leakage from certain chemical plant containment may be less significant, provided there is confidence in the double containment to allow detection of and recovery from the situation. In this latter case appropriate industrial, national or international standards may be sufficient. This shading of requirement is fundamental to the philosophy of the assessment of structural integrity. SAPs Paragraphs 243-253 are the basis for assessment of the situations demanding the highest integrity, SAPs Paragraphs 254-257 summarise the approach for less demanding situations.

10)  The highest demands are placed on the structural integrity safety case (SAPs Paragraphs 243-253) when the Licensee claims the likelihood of gross failure is so low it may be discounted, but if failure did occur the consequences would be extreme. Assessment of this type of safety case is dealt with in section 4.3 below. Some UK Licensees have referred to this type of structural integrity safety case as an ‘Incredibility of Failure’ (IOF) safety case [14]. This terminology is used in the UK, see the Technical Advisory Group on Structural Integrity (TAGSI) review of this type of safety case [2]. In Europe, the term ‘Break Preclusion’ has been used (Basissicherheitskonzept)[16] for essentially the same sort of claim. Not all structural integrity safety cases need to claim the discounting of gross failure; cases that can be made with less demand on structural integrity, do not carry the same burden of requirements.

11)  An Inspector assessing the structural integrity aspects of a safety case should be aware of ONR's general expectations for Licensees' safety cases and how they are to be produced. From experience of structural integrity assessment and depending on the safety case the following TAGs may be relevant:

12)  The Inspector may also need to consider some of the ONR Compliance Procedures in terms of the potential outcome of their assessment, e.g.:

4.2  Structural Integrity philosophy

1)  The general lack of adequate reliability data for structural components leads to assessment being based primarily on established deterministic engineering practice. Even when there is some confidence in assessing reliability based on existing data and a probabilistic safety case is possible, it is unlikely to be acceptable without substantial support from theoretical analyses and engineering judgement. As a result, although the radiological consequences of failure of structural components may be significant, inclusion in a PSA might be indicative or nominal and rudimentary compared with other aspects of the PSA.

2)  Principle EMC.1 of the SAPs[1] refers to those situations where the component or structure is required to have the highest reliability, i.e. where gross failure is discounted. For a nuclear reactor, a reactor pressure vessel is an example (primarily because of Safety Function 11 in IAEA NS-R-1 Annex, see 4.1-8 above). Another example might be a pressurised accumulator inside containment which is normally isolated from the primary circuit but whose gross failure would pose an unprotected/unmitigated hazard to the Safety Functions of other systems and components (Safety Function 19 in IAEA NS-R-1 Annex). For such components there are two particularly important aspects to be addressed:

  • the structure should be as defect free as possible;
  • it should be demonstrated to be defect tolerant.

In particular, the critical / limiting crack sizes need to be larger than the defect size that can be reliably detected and characterised by the applied examination techniques (how much larger will depend on the overall case and is an important aspect for judgement by the Inspector). This wording is of course in terms of crack-like defects but can be generalised to other forms of degradation (see SAPs Paragraph 240 for the definition of the term ‘defect’ as used here). And in principle, a component could fail due to overload without any contribution from degradation in the fabric of the component. Note the SAPs do not encourage the use of the type of structural integrity safety case that discounts gross failure, see SAPs Paragraph 250; the SAPs simply accommodate the likely necessity to assess this sort of safety case in some circumstances.

3)  EMC.2 calls for the assessment to include a comprehensive examination of relevant scientific and technical issues and to take account of available precedent.

4)  In order to achieve these fundamental requirements, several related but independent arguments should be used, based on the following (see EMC.3 - many of the following contribute to the defect tolerance of components and structures or the management of aspects that affect defect tolerance):

  1. the use of sound design concepts and proven design features;
  2. a detailed design loading specification covering normal operation, plant transients, faults, internal and external hazards;
  3. consideration of potential in-service degradation mechanisms;
  4. analysis of the potential failure modes for all conditions arising from design specification loadings;
  5. use of proven materials;
  6. application of high standards of manufacture, including manufacturing inspection and examination;
  7. high standards of quality assurance throughout all stages of design, procurement, manufacture, installation and operation;
  8. pre-service and in-service examination to detect and characterise defects at a stage before they could develop to cause gross failure;
  9. defined limits of operation to ensure the facility is operated within the limits of the safety case. Where appropriate, limits of operation should be supported by protection systems, for instance overpressure protection;
  10. in-service monitoring of facility operational parameters;
  11. in-service materials monitoring schemes;
  12. a process for review of facility operation to ensure the facility is operated and materials performance is within the assumptions of the safety case;
  13. a process for review of and response to deviations;
  14. a process for review of experience from other facilities, developments in design and analysis methodologies and the understanding of degradation mechanisms for applicability to the component or structure in question;
  15. a process for control of in-service repairs or modifications to similar codes, specifications and standards as for original manufacture, taking account of developments since manufacture.

5)  For an overview of a practical example of the elements of a safety case that discounts gross failure and assessed by ONR, see refs 14 and 15.

6)  For components that are not of major safety significance, the above list of requirements is also relevant, though the stringency of their application should reflect the lower safety categorisation of the item (SAPs paragraphs 254-257). Principles covering those various requirements are presented below.

4.3  Highest Reliability Components and Structures - Discounting Gross Failure

1)  In some cases a Licensee may argue a safety case where the likelihood of gross structural failure is claimed to be so low that it may be discounted but if failure did occur the consequences would be unacceptable. Licensees invoke such lines of argument where the consequences are unacceptable or where it would be difficult to demonstrate that consequences are acceptable. One reason for unacceptable consequences is often that there is no means of mitigating the effects of the structural failure. In the UK this is often referred to as there being no ‘line of protection’. ONR does not seek or encourage this basis for a safety case in any particular circumstance but will assess such cases on their merits.

2)  A case that claims gross failure is so remote it may be discounted, carries a high burden of ‘proof’ (arguments and evidence). Such a case cannot be made by simple assertion of the robustness of a component or structure. So declaring a component or structure to have this status is not to be seen as an easy option simply to avoid considering the consequences of failure, i.e. as a time-saver in the hazard / consequences area. Discounting gross failure should only be invoked if the consequences of failure are unacceptable, or it is not possible to demonstrate the consequences are acceptable. SAPs paragraphs 243 to 248 discuss such safety cases. The content of the SAPs will not be repeated here. However the following are emphasised:

“….. a claim that gross failure of a pressure vessel may be discounted cannot be plausibly associated with a failure rate much better than 1x10-7 to 1x10-8 per vessel year….”

“claims for pipework weld failure rates for gross failure… much better than 1x10-8 to 1x10-9 per weld year should not be considered plausible.”

These are indicative failure frequencies. A safety case that discounts gross failure cannot be a ‘formal proof’ of such reliability levels. See section 4.14 for a review of reliability statements based on operational experience.

3)  The aim in assessing a structural integrity safety case that discounts gross failure is not to check for ‘perfection’ in every individual aspect. Rather the main aim of the assessment of a safety case that discounts gross failure is to check that a claim of very high reliability/quality is met for all aspects and that there is sufficient defence-in-depth in the array of structural integrity measures and arguments. The aim is that an individual aspect which is short of ‘perfection’ cannot by itself precipitate gross failure. It is the extent of structural integrity reliability/quality and defence-in-depth that distinguishes a case that discounts gross failure from structural integrity safety cases that claim to substantiate a lower level of reliability.

4)  A safety case that discounts gross failure will attract commensurate ONR assessment interest. Usually, structural integrity cases that discount gross failure will imply a level of reliability higher than is demonstrable by actuarial statistics (see SAPs paragraphs 248 and 536(c)). In such cases, the limit is the impracticality of demonstrating SAPs Targets 8 and 9 are satisfied – not that it is known these Targets are exceeded. In judging a case that discounts gross failure, the NII Inspector should bear in mind HSE policy that a new facility should at least meet the BSLs and there is a level of broadly acceptable risk. The limit on tolerability of risk in this case is effectively the minimum set of conditions to apply which make a claim of discounting gross failure plausible. This means ALARP is relevant to ways of improving the case beyond this minimum set of conditions. ALARP is not relevant to arguing acceptance of a case that does not meet the judged minimum set of conditions for a claim that discounts gross failure. The foregoing implies some cases that discount gross failure could be more robust than others. That is there is not one standard or set of requirements for discounting gross failure, but in any given circumstance a minimum set of conditions would be judged to be required.

5)  In terms of limits on risk for cases that discount gross failure, the SAPs Target 9 (Total risk of 100 or more fatalities) [1] is the most relevant. However, the NII Inspector should be aware that the potential consequences of a gross structural integrity failure could exceed the Target 9 levels. Depending on inventory and accident sequence, release quantities of order up to 100 times those implied in Target 9 could be relevant. Given the linear relationship between consequence (dose, release) and frequency in SAPs Targets in general, consequences 100 times greater than those in Target 9 imply a requirement for frequency of occurrence to be 100 times lower. There is also the question of whether a single class of accident should contribute more than a fraction of total risk (see footnote to SAPs Target 8 and consider it for Target 9). The NII Inspector may find it useful to approach assessment of a safety case that discounts gross failure from this perspective. For existing plant, a less attractive possibility would be to assess the structural integrity safety case by comparison with the overall perceived risk from the installation. However this approach is the least favoured.

6)  As background to the assessment of structural integrity safety cases that discount gross failure, the Inspector may wish to consider the TAGS response to an ONR question on the matter [2].

4.4  Safety function and safety categorisation

1)  The safety functional requirements of components and structures should be identified from the safety schedule, see SAPs paragraphs 346 and 526, and the appropriate safety categorisation determined in accordance with Principles ECS.1, ECS.2 and associated paragraphs. In general the safety functional requirement of components and structures will depend on the potential radiological consequences of their failure, and on the requirement to meet the functional requirement for the proposed life of the facility. From this, the appropriate standards of design, manufacture, installation and testing, in-service maintenance, inspection and testing, and operation of components and structures can be derived. The Inspector should therefore verify the potential radiological consequences of structural failure at an early stage in the assessment process to enable the depth and breadth of the assessment to be established. It is also important to identify the potential failure modes of the component. The failure modes should be ranked in terms of their importance in terms of consequences.

2)  ECS.2 requires that structures, systems and components should be categorised based on the consequences of failure and of the failure frequency requirements of the safety case. ECS.3 then suggests appropriate safety case requirements, and thus assessment requirements.

3)  The safety case for metal components and structures should be examined in the context of the overall safety case for the plant taking due account of interactions with other safety features. There may be protective devices that can mitigate the effect of failure to a greater or lesser degree. It may be that the direct effect of structural failure is trivial but the indirect consequences may be failure of safety related plant, instrumentation, or operator dose uptake, i.e. the failed part acts as an internal hazard to a principal safety feature.

4.5  Design - the use of sound design concepts and proven design features

1)  In order to demonstrate that structures meet their safety functional requirements it is necessary to establish that sound design concepts, rules, standards, methodologies and proven design features have been used, and that the design is robust. Guidance on the requirements for structural design is provided in ECS.3, ECS.4, paragraphs 157 to 159, paragraphs 160-161, paragraph 177 and EAD.2. The requirements depend on the safety categorisation of the structure.

2)  All operational loadings and credible fault loadings should be identified and their magnitudes specified (EMC.7, EMC.11). Load combinations should be defined.  SAPs EHA.1, EHA.3 to EHA.5 and EHA.7 cover external and internal hazard loads. Load definitions should be conservative, and remain appropriate for the proposed future operation of the structure. This is of particular importance when reviewing proposals for extending operation or for a change of use of structures or components.

3)  For pressure boundary and other load bearing structures, the use of appropriate British Standards, or International Standards might well be acceptable as a minimum. However where codes are perceived not to reflect modern requirements or practices, it may be worthwhile and practicable to invoke additional stress analysis and analysis of fabrication processes, inspections or materials. Most design codes express limits in term of stress. However, for non-pressure boundary structures e.g. core support structures, functional limits on displacement may be important.

4)  For new designs of components and structures, or for major modifications to existing plant, the number and location of welds should be carefully reviewed, since it may be possible to eliminate welds, to position them in areas of lower stress and lower irradiation, and ensure that they are readily inspectable (EMC.5, EMC.6, EMC.8, EMC.9).

5)  The design should be supported by stress analyses, and if necessary model tests, to validate the methods used, to demonstrate that adequate margins against failure are maintained throughout the plant life (EMC.32). As appropriate, prototype testing of unusual design features such as secondary retention devices should form part of the structural integrity safety case. Consideration should be given to the uncertainties associated with environmental effects when reliance is placed on testing with simulated conditions. Analyses and tests need to be done under a quality process that will provide a basis for relying on the results. The adequacy of margins needs to be considered in the light of the perceived accuracy, reliability and conservatism of analysis and test results.

6)  The design concept should incorporate appropriate protection systems and monitoring systems to enable the component or structure to be maintained within its safe operating envelope for the duration of the life of the installation. For pressure boundary components, these would typically include overpressure protection systems, thermocouples for monitoring temperatures, safety relief valves, leak detection systems, loss of coolant feed trip systems. For other load bearing structures the emphasis would probably be more on monitoring systems. Adequate arrangements need to be in place for maintenance, inspection, and testing of the monitoring systems to ensure that the safety functional requirements continue to be met.

7)  The design should take due account of degradation processes, including corrosion, erosion, creep, fatigue and ageing, and for the effects of the chemical and physical environment. The potential for interaction effects should also be considered, e.g. creep/fatigue, stress corrosion cracking, intergranular stress corrosion cracking. Due allowance should be made for uncertainties in the initial state of components and the rate of degradation. Of particular importance are degradation mechanisms in components and structures that may be difficult or impractical to inspect in service. In this case it is anticipated that conservative estimates would be included in the design and appropriate surveillance schemes specified. Monitoring and surveillance should be appropriate for the rate of progress of anticipated degradation mechanisms as well as giving some speculative coverage for unexpected degradation processes.

8)  The design of some structures might not be based on any recognised published design code. In this case the Inspector should examine the justification provided by the licensee to establish that it is based on sound scientific understanding, and that the design methods are supported by suitable experimental verification and validation. As required by ERL.1 and paragraphs 177(a) (b) and (d), the safety case should include a comprehensive examination of all the relevant scientific and technical issues. Designs should be supported by appropriate research and development and any novel features adequately tested before coming into service, and subsequently monitored during service, SAPs paragraph 239.

9)  For existing plant it is recognised that the original design codes and standards may have changed, and other factors such as additional loads, degradation mechanisms, or advances in analysis methods may enhance, or erode, some of the explicit and implicit safety margins in codes. It may be necessary to check for significant changes in codes through time (e.g. manufacturing examinations before or after post weld heat treatment). It should be established that the original design codes and standards remain appropriate, or be demonstrated that any shortcomings are not significant in terms of the overall safety case. This aspect can give rise to difficulties for pressure vessels and pipework systems, particularly in the case of fault loads or unforeseen degradation mechanisms that were not addressed at the design stage. The assessment of the effects of internal and external hazards, for example those arising from dropped loads or earthquakes, may not have been addressed at the design stage for existing plants and needs to be carefully considered.

10)  Safety submissions for existing plant should contain a comparison with current standards and any significant deviation from modern design practice justified. Failure to meet modern standards should be identified by the licensee, and the implications addressed with the aim of showing that reasonably practicable improvements have been made, or will be addressed.

4.6  Load analysis - the analysis of all conditions within the design basis

1)  The safety case should include an analysis of the potential failure modes for all conditions arising from design basis loads.

2)  The objective of the analysis is to demonstrate that the structures are capable of withstanding normal operating and fault loads for the projected life of the installation taking due account of potential degradation mechanisms. There should be a margin between the operating and fault envelope and the conservative failure limit over the full intended lifetime with due allowance for uncertainty. Failure modes should be progressive, with the possibility of disruptive failure without warning being remote (EDR.1, EMC.7, EMC.11).

3)  For infrequent events the Inspector may need to consider whether there is scope for alleviation of the most rigorous requirements for pessimism in the structural integrity analysis. In such cases the safety case should provide a suitable justification for any relaxation. In terms of stress analyses, it may be reasonable to use stress limits that increase as the likelihood of the loading decreases. That is lower stress limits would apply to normal operating conditions, and higher stress limits to infrequent fault loading conditions. For fracture mechanics analyses it may be appropriate for normal operating and frequent fault conditions to base margins on initiation fracture toughness. However for infrequent fault conditions, it may be appropriate to base margins for results of fracture mechanics analyses on a level of fracture toughness enhanced by limited stable tearing. If such assessments are used, they can usefully be supported by a sensitivity study showing margins based on initiation fracture toughness. Values of toughness enhanced by limited stable tearing must be supported by valid material toughness test data up to at least the extent of tearing invoked in the safety case (EMC.34, paragraph 278).

4)  The complexity of the analysis will be dependent on the safety categorisation of the component or structure. For the highest category this might include finite element stress analysis and where failure by crack growth is concerned, a fracture mechanics assessment in accordance with recognised procedures such as R5[3], R6[4] or BS 7910[5]. It is important that the Inspector ensures that analysis codes and procedures are adequately verified and validated for the particular application as required by EMC.32, EMC.34 and paragraph 276. For lower category structures compliance with appropriate national and international standards may be sufficient.

5)  The purpose of the analysis should be to demonstrate that the structure is tolerant to any actual or postulated degradation or defects that may remain after manufacture or that may develop during service. In the case of crack-like defects, the submission should show that there is an adequate margin between the size of defects capable of being detected by the examination techniques used and the critical defect size. Clearly, the size of an 'adequate margin' should be judged on a case-by-case basis depending on the overall safety case for the particular structure or component.

6)  The Inspector should establish that data used in analysis is demonstrably conservative, and that appropriate studies are carried out to establish the sensitivity to the analysis parameters. This aspect is especially important where fitness for purpose analyses based on R5, R6, BS 7910 etc., are concerned.

7)  This TAG does not recommend minimum acceptable reserve factors (e.g. for R6 analysis results), since the values of margins are dependent on the conservatisms in the input data. A low margin is not likely to be acceptable without substantial justification. Sensitivity studies to establish the effects of variations in the assessment parameters assist the engineering judgement of the safety case. Generally, safety cases for components where the dominant failure mechanism is due to crack-like defects should not rely entirely on a fracture mechanics analysis. This is only one element of the case that could include consideration of conservative design, the use of known materials, original manufacturing quality and testing, metallurgical investigations and examinations demonstrating negligible or at least acceptable defect growth, and analysis to demonstrate defect tolerance at the end of life.

8)  The adequacy of margins against failure limits, examination capabilities, and integrity analysis should be considered in the context of the overall safety case rather than individual elements of the case. The Inspector should apply engineering judgement to the various factors in reaching a conclusion on the adequacy of any particular case. The Inspector should also take due note of assessment precedents in the application of significant engineering judgement for the evaluation of the adequacy of safety arguments for high integrity components and structures.

9)  SAPs EMC.12, paragraph 263 and EMC.23 require that the operating regime ensures that metal pressure boundaries exhibit ductile behaviour when significantly stressed. In addition to this, the ONR statement [6] on operation of reactor pressure vessels made of ferritic steel provides a formal view on the need for vessels to be operated on the upper shelf of fracture toughness. This states that ferritic steel RPVs must, for normal steady-state operation, operate on the upper shelf. For other operating conditions an RPV should be on the upper shelf wherever possible. The Inspector should look for evidence the Licensee has considered all reasonably practicable measures to maximise the margin between onset of upper shelf and normal steady state operation. There are various ways of defining the onset of upper shelf conditions from a given set of materials data. The Inspector should be aware this is a complex area. If the Inspector is not a specialist in this area they should seek advise from colleagues within ONR for this aspect of the assessment.

10)  Metal pressure boundary components should be operated on the upper shelf of fracture toughness as far as possible under all potential operating and fault conditions. Situations where this target might be relaxed include expected, practically unavoidable but short duration loads (e.g. certain phases of start-up and shut-down) or low frequency fault conditions. Such situations need to be carefully justified by the safety case. Where upper shelf conditions cannot be achieved it is important that all uncertainties are considered and that adequate margins on toughness are shown. For existing structures it may be possible to alleviate concerns about low temperature operation by introducing limiting temperatures for operation. For start-up and shut-down situations, pressure-temperature limit diagrams are likely to be required. For new plant, and where practicable for existing plant, there is a preference for safety relief devices with set points under the control of the protection system, to provide automated compliance with the pressure-temperature limit diagram.

11)  Proof pressure test arguments might be used to show that defects which could have survived the proof test would not grow in service such that they could threaten structural integrity at the end of life under the most onerous loading condition. Such arguments may need to be viewed with some caution since the original margins may be eroded by service conditions and time-dependent degradation mechanisms. The possibility also exists that ductile tearing may have occurred during the proof test. In addition, it should be emphasised that design and assessment codes such as R6 are failure avoidance analysis techniques and are not primarily intended as methods for failure prediction. The primary (and historical) purpose of pressure testing was to confirm the adequacy of material strength, wall thicknesses and mechanical closure arrangements. At present it is not accepted that adequate validation has been completed to enable ONR to have high confidence in proof test analyses for avoidance of fracture.

12)  Modern standards require consideration of fault loading conditions that may not have been addressed at the design stage for existing structures. In particular the effects on the integrity of the structure of internal and external hazards need to be addressed, EHA.1 to EHA.17 and associated Paragraphs. Some further guidance may be found in T/AST/013, on external hazards, and T/AST/014 on internal hazards. Failure of structures may also give rise to hazards such as missiles, steam or hot gas release, collisions, pipewhip, etc., which could potentially compromise other safety related structures and equipment. The safety case should demonstrate that appropriate consideration has been given to the effects of hazards on safety related structures, and of the secondary effects of structural failure.

13)  The hazards posed by earthquakes can present some difficulties particularly for existing structures. Earthquake loading can be included in the design specification for new plant and analysed in the design substantiation. Existing structures may have been designed and constructed prior to seismic qualification being required, or may have been qualified to a less rigorous standard than that required for new structures.

14)  The position is especially challenging for existing structures whose failure would give rise to unacceptable radiological consequences, i.e. those components and structures requiring highest integrity (claim that gross failure is so unlikely it may be discounted - section 4.3). FA.5 (referenced in EHA.4) and paragraph 514(c) of the SAPs call for demonstration that a structure is capable of withstanding hazards with a predicted frequency of being exceeded of less than 1 in 10000 years, including earthquakes. The safety case should also show there is no disproportionate increase in risk for an appropriate range of events that are more severe than the design basis event, EHA.7.

15)  This implies that components and structures where the claim is gross failure can be discounted, need to be shown to be capable of withstanding the loads associated with events whose frequency of occurrence does not exceed 1 in 10000 years (at least a robust case for ‘no cliff-edge’ effect), unless it can be shown that the frequency of an event is demonstrably below once in 10 million years, EHA.1 with Paragraph 212.

16)  The safety cases for many existing structures include consideration of known or postulated degradation mechanisms or defects. The Inspector should ensure that due account has been taken of these in the seismic analysis of the structure and that appropriate acceptance criteria have been specified. Acceptance criteria based on meeting the requirements of codes and standards are not likely to be acceptable for degraded or defective structures. It is important to ensure that the seismic safety case is compatible with the overall safety case for the installation. In many instances for existing plant it may be necessary to rely on ALARP arguments to enable a judgement to be made on the acceptability of seismic loading safety cases.

4.7  Materials - the use of proven materials

1)  It is important to verify that safety significant components and structures are constructed from materials with well-established materials properties and behaviour, EMC.13. The potential degradation mechanisms that could occur should be established at the design stage and appropriate materials chosen. Material properties used in analyses should be demonstrably conservative e.g. lower bounds of either generic databases or specific data that represent the component manufacturing and fabrication conditions. In general the steels specified in the design of pressure boundary components and other structures have a well-established history of usage. However if any unforeseen behaviour change or degradation mechanism is identified the licensee should review and if necessary update the relevant safety case.

2)  The material composition, manufacturing process, operational history, pressure, temperature, irradiation, creep, fatigue, and corrosion mechanisms may result in degradation in the material properties assumed at the design stage. Appropriate provision should be made for the measurement of relevant properties of fully representative materials (EAD.3 and EMT.6) across the full range of environmental conditions expected throughout the identified lifetime of the plant.

3)  Difficulties may arise as a plant ages where particular loadings or degradation mechanisms may not have been identified at the design stage, or the understanding of the degradation mechanism changes. In these cases it is important that the Licensee's safety case considers the likely material performance given the modified understanding, and establishes the implications for the performance of the structure. This may involve additional examinations, material sampling and testing, metallographic examination, testing of archive material, and simulation of material behaviour in order to improve confidence in the future performance of the structure. Evidence from similar plant experience elsewhere may be relevant. It may be necessary to monitor the component or structure to verify that the material is not deviating from the anticipated behaviour. The adequacy of data derived from surveillance samples should be examined, as appropriate, to gain assurance that the data accurately represents the component damage state, recognising the inherent scatter in determination of most materials properties. The Inspector should examine the safety case for these aspects and look for commitments for examination and monitoring covering expected and unexpected phenomena (sometimes referred to respectively as 'safety case' based and 'speculative' examinations or monitoring).

4.8  Manufacture, inspection and testing

The application of high standards of manufacture, including in-process inspection, and construction, for the materials and processes used:

1)  The material specification, manufacturing processes and inspections should be suitable and should be aimed at ensuring that the component or structure is free from significant defects, and that the structure is tolerant of any remaining defects (ECS.3 with paragraph 157 and EMC.5, EMC.6). Components and structures should be designed and fabricated to facilitate examination during manufacture and during service (e.g. the selection of forged rather than cast components, to aid the transmission of ultrasound) (EMC.8, EMC.9).

2)  To meet high standards of structural integrity it is necessary to establish that:

(a)  the manufacturing processes and inspections are carried out in accordance with approved procedures, e.g. using an approved weld procedure and welders qualified for that procedure, weld repair procedures, inspection procedures, and

(b)  that appropriate third party inspection of manufacture and examination is specified to ensure that a high standard of workmanship has been achieved (EMC.14, EMC.17 and EMC.19). Examinations of high integrity components should be redundant, diverse and qualified (qualification is the process previously referred to in the UK as validation). Pre-service inspections should be carried out at a late stage in the period prior to operation, when the plant is in a state essentially as will apply in normal operation.

3)  The specification of a proof test before service provides some assurance that the as-built component or structure has been constructed to an adequate standard (Paragraph 266). That is the material strength and section thicknesses are adequate. The reassurance may only be of limited value for existing plant where degradation mechanisms may have eroded any margins derived from the original proof tests and tests do not represent all loading conditions. Further proof tests in service are not usually feasible given the radiological consequences if failure occurred during such a test. It may also introduce additional damage to the plant in the form of stable tearing at pre-existing crack-like defects that may undermine the proof test argument.

4)  When dealing with existing plant it may not be possible to verify to the same extent as new plant that adequate standards of manufacture have been achieved. However, it should be possible to identify the manufacturer and to confirm that the manufacturer is, or was, a recognised company in the field. It may also be possible for the Licensee to examine the manufacturing records still available, and reach some conclusions on the quality of manufacture. This could reveal strengths as well as weaknesses.

5)  Care is required in accepting commonality arguments based on manufacture, operational experience or examination of similar components. Broadly, commonality arguments are strongest where highly correlated, common cause process deviations or degradation mechanisms dominate and weakest where process deviations and degradation mechanisms have a large random element.

6)  It is likely that the incidence of structurally significant defects will be higher than average at welds, especially those with complex combinations of material and geometry, where welding and/or access for examination or environmental conditions are difficult, and for welds for which there is no diversity of examination procedure. Where a safety case requires specific assurance on the likelihood of structurally significant defects at particular locations, it can only be supported by direct examination using a technique qualified for the defect type, size and orientation of concern.

7)  Part of the examination of the quality of manufacture should include a review of manufacturing concessions for deviations from the original specification.

8)  When considering modifications to existing plant, new components should be designed, manufactured, inspected and tested in accordance with modern standards and practice where appropriate. Any proposal which lowers the existing standard should not be accepted. This requires some judgement since we are dealing with what is reasonably practicable, and consistent with the overall system integrity. The Inspector should refer to the Technical Assessment Guide on ALARP, T/AST/005.

4.9  Quality Assurance

1)  There should be high standards of quality assurance throughout all stages of design, procurement, manufacture, construction, installation, commissioning, operation and decommissioning. Quality Assurance Arrangements are also required for production of the safety case.

2)  The Licensee should use, and require its contractors to use, formal QA procedures to specify the quality and organisational arrangements for each stage of design, manufacture, construction, installation, commissioning, operation and decommissioning. The QA Programme / Management arrangements should be sufficient to support the claims of the safety case. The QA Programme / Management arrangements should comply with recognised standards and where appropriate should include provision for the appointment of an Independent Third Party Inspection Agent. The aim should be to provide confidence that the safety case requirements have been met by control and surveillance of the design, manufacture, operation and maintenance activities.

3)  From experience of where issues can arise, the Inspector may wish to check the Licensee-contractor interface and other organisation-to-organisation interfaces of the QA arrangements. The Licensee’s supply chain arrangements for products should include technical awareness and not just be a procurement and financial process. The Licensee should have a process for checking (perhaps on a sampling basis) the veracity of ‘certificates’ for products, especially where the products might be considered ‘commodity’ items and have been through a chain of suppliers before ultimate delivery.

4)  The QA arrangements should include a procedure for dealing with non-conformances so that departures from design, specification of materials, manufacturing processes, dimensional tolerances, defects etc., can be identified and appropriate consideration given to the safety significance of such departures. When appropriate, this procedure may result in concessions allowed by the design authority against the original design intent or requirement. It should be demonstrated and recorded that the component or structure is capable of meeting its safety functional requirements, if necessary by remedial work (EMC.19). The range of technical disciplines involved in reaching judgements on non-conformities and concessions should be appropriate to the issues involved. To provide confidence in the quality of the design, manufacture, examination and testing, the Inspector should consider examining the system for dealing with non-conformances on a sample basis. A review of the case history or lifetime records (the terms vary among Licensees) may be appropriate during manufacture of new components and structures, during periodic reviews or discovery of unexpected defects in existing components and structures. The aim is to verify that any concessions granted do not invalidate the safety case requirements or assumptions.

5)  The Inspector may need to examine the case history to verify that it contains adequate records of the specification of detailed weld design, and standards of weld procedures, welder qualification, and weld examination procedures. Examination of the construction case histories can provide confidence in the original manufacturing quality. This is of particular importance in terms of the original weld inspection procedures and results. Nevertheless, original construction records do not always show the full picture, (e.g. weld repairs may not have been recorded accurately or examination records may be incomplete) and the Inspector may need to examine whether the Licensee has considered other options, such as a re-examination if reasonably practicable.

6)  For complex, multi-disciplinary safety cases the Inspector may wish to consider communication of information between disciplines and the handling of issues generated during the production of the safety case; (MS.2, MS.4, EHF.8 and paragraphs 48, 50-60, 68, 89 and 387, as they relate to production of safety cases and the link between safety case assumptions / claims and actual plant condition / operation).

4.10  Inspection - pre-service and in-service examination and in-service monitoring

1)  Examination immediately prior to and during service and in-service monitoring have three objectives:

  1. help confirm the plant is in the configuration assumed in the safety case;
  2. help confirm any predicted degradation or ageing effect is developing within the rate allowed for in the safety case:
  3. help confirm there are no manufacturing shortfalls or in-service degradation processes other than those dealt with in the safety case.

In general, inspection requirements should be identified in the safety case and be incorporated into the Maintenance Schedule if appropriate.

2)  Inspection provides an important element in establishing the integrity of components and structures that are required to have the highest reliability (gross failure so unlikely it can be discounted). In particular it should be demonstrated that components and structures are examined to appropriate standards (ECS.3), are as defect free as possible, with critical crack sizes being larger than the capability of the examination technique, and that the existence of defects can be established by examination throughout the operational life (EMC.5, EMC.6).

3)  In-service examinations should be carried out where they are reasonably practicable to enable the present condition of the structure to be confirmed, and to verify that the component or structure is behaving as the safety case assumes. In-service examination provides a means of assuring that components and structures remain at all times fit for purpose (EMC.27, EMC.28). It is noted that particular difficulties have arisen in the past in interpreting re-examination results where modifications have been made to the examination procedures following the original examinations.

4)  For high integrity structures and components the examination procedures should be redundant and diverse, e.g. radiography, ultrasonics, and aided surface examinations (such as liquid penetrant or magnetic particle); and possibly redundant and diverse within one method e.g. ultrasonics (EMC.29, EMC.30 and paragraph 272). Where appropriate, repeat examinations should be carried out by different examination teams. The adequacy of examination procedures and personnel should be qualified. The interpretation of examination results and the assessment of their structural integrity significance should be carried out by suitably qualified and experienced personnel. For crack-like defects, the defect sizes and orientation used in integrity analyses should be pessimistic, and include the contribution associated with the uncertainties in defect location and sizing for the particular examination technique. The level of pessimism in the integrity analysis will be dependent on the overall safety case and the consequences of failure.

5)  The extent and periodicity of the examination proposals should be commensurate with the operational duty and safety functional requirement (EMT.6 and paragraph 190). Where defects, degradation or deviations from design intent are found in existing components and structures any proposed remedial action or technical justification should be assessed via the Licensee's plant modification procedure, including Independent Nuclear Safety Assessment. Planning the extent of in-service examination based on previous operating experience (see section 4.14) may be reasonable, but is not a guarantee of locating all in-service degradation in any particular plant. In general there should be some ‘speculative’ element to in-service examination to look for the unexpected. A good number of degradation phenomena have been found initially by simple visual examination methods, rather than sophisticated volumetric examination techniques.

6)  Examination results should be interpreted within an established framework of defect categorisation and sentencing criteria.

7)  Examination shortfalls should be clearly identified. For example it may not be possible to examine 100% of a weld because of access difficulties. The implications of the inability to examine areas of welds should be addressed in the assessment of the significance of any defects found or defects that could exist in the unexaminable areas.

8)  Components and structures should be designed such that failure modes are progressive and sufficient warning of impending failure is provided to enable remedial measures to be taken to prevent failure or to mitigate its consequences. Monitoring may take the form of visual examination, photographic or video records, thickness measurements, or other forms of NDE, e.g. ultrasonics, eddy current, MPI etc., such that degradation of structures and components can be identified before structural integrity is compromised. Monitoring should be performed at appropriate intervals and ensure that the results will enable timely identification of degradation. The Inspector may also need to establish the Licensee has adequate arrangements for defining reporting and acceptance criteria, and for the evaluation of inspection and monitoring results.

9)  Component and structure integrity may be supported by periodic leak testing, proof testing, functional testing, strain, displacement or vibration monitoring. For existing components and structures the Inspector should consider the viability of monitoring for the remaining life of the component or structure using experience of similar structures, accelerated testing, destructive testing of samples or experience in other industries but in similar environments.

10)  The design, manufacture, operation and maintenance of monitoring systems should be commensurate with the required duty and reliability.

4.11  Materials monitoring - the provision of in-service materials monitoring

1)  The data derived from surveillance specimen materials may need to be examined in detail to ensure that damage mechanisms are thoroughly understood and all relevant data have been included. The appropriate use of the data in any application should be justified in the safety submission. Significant extrapolation of data should be avoided. Extrapolation might be in time or to similar base and weld materials. Any extrapolation or correlation used to derive material properties should contain adequate margins to cater for uncertainties, including the effects of accelerated testing. New facilities, and where practicable existing facilities, should include surveillance material specimens and test programmes to provide adequate forewarning of detrimental material property changes throughout the life of the facility.

2)  Test data should adequately represent the materials and conditions of interest. Materials samples might be taken from components or structures during or after manufacture or after a period of service exposure. Factors that may affect the accuracy of data are material specification, trace element content (e.g. for ferritic steel, copper in the case of irradiation embrittlement, and sulphur in the case of fatigue crack growth in some aqueous environments), heat treatment, temperature, irradiation conditions (including the thermal to fast neutron fluence ratio), environment, loading conditions and operational history. It may also be important to consider orientation of specimens with respect to the applied stress in the component.

4.12  Leak detection and leak-before-break

1)  Where high reliability in structural integrity needs to be claimed and justified, a “leak-before-break” argument may not be appropriate as the main thrust of the safety case argument. However, it depends on what is in the argument, rather than simply the label attached to it. For very high integrity (for instance where there is no ‘line of protection’ for the consequences of failure), a “No Break” argument or a “No Leaks or Break” argument might best summarise or label the sort of structural integrity safety case required. If some consequences are still protected, for example loss of fluid by providing emergency injection, but other consequences are not, for example pipe whip and jet forces, the inspector should expect the Licensee to present a clear justification for the apparent inconsistency.

2)  From operational experience (see section 4.14), incidents of sub-critical crack growth in BWR and PWR primary circuit and connected system piping have to date resulted in stable through wall cracks which have leaked and remained stable until the leak has been detected. In the recorded incidents, most of the pipework has been made from austenitic stainless steel. By one means or another and eventually, the leakage has been detected. The relevant incidents have involved normal plant loadings (which applied during the sub-critical crack growth). That is the through wall cracks were not subjected to a fault loading. Large scale experiments conducted at Battelle as part of the International Piping Integrity Research Group (IPIRG) programme (1986-1996) on ferritic and stainless steel pipework sections show the resilience of nuclear plant type pipework (circa 350mm outside diameter, 25mm wall thickness) to large, dynamic, repeating ‘fault’ type loadings, combined with normal pressure and temperature [12, 13]. However, by itself this anecdotal experience does not amount to a safety case.

3)  Leak detection arguments and leak-before-break arguments might be provided to support pressure boundary structural integrity safety cases. Originally, the term leak-before-break referred to the situation where a defect has been sized, for example by examination, and it is argued that such a defect, were it to grow, would lead to a leak rather than a break. Its usage has widened to include leak detectability, the argument that for a range of through-wall defects, leaks can be detected whilst the defect remains stable.

4)  In general, it would be expected that a leak detection or leak-before-break argument would be more easily made and accepted for thin-walled components, made from ductile materials. Operational experience data (e.g. ref 8) predominantly contains leak type failures in small diameter, thin wall pipework. This may be due to the relative lack of attention to design and in-service conditions for ‘minor’ lines of ‘low’ perceived safety significance, rather than an inherent propensity for small diameter, thin wall pipe to leak or burst compared to large diameter, thick wall pipe. If a thin-walled component also has a small diameter, a leak from a through-wall defect may be difficult to detect because of the absolute length and gape of the defect. The Inspector might decide to place little weight on a leak detection / leak-before-break argument for a thick-walled component or where the limiting through-wall crack length is only a small multiple of the wall thickness.

5)  The Inspector should consider whether the analysis assumptions are consistent with the overall fatigue and fracture analysis, and that a sufficient margin is available between the capability of the leak detection system to detect a leak and failure of the component. For metal components it is important to ensure that the component is operating in a ductile state of fracture toughness where leak-before-break is claimed. Clearly, if a through wall crack is postulated to be detectable by the leakage through the crack during normal operation, the defect needs to be stable with a suitable margin under the range of normal operation loading conditions. Margins for the through wall defect under infrequent fault loads are a separate matter. See 4.6-3 regarding loading condition frequency and corresponding measures of fracture toughness. Factors that may need to be considered include the potential for debris blocking of the leak path, the dynamic effects at break-though of the crack to a through-wall crack and possibly initial break-through over only a fraction of the complete crack length.

6)  Leak-before-break arguments might not be applicable if interacting, multiple defects, rather than isolated defects, are possible. The examination history may give an indication of the likelihood of such defects.

7)  Obviously, leak detection capability is fundamental (EMC.25, EMC.26 and paragraph 270). The safety case should explain the leak detection system and identify the sensitivity, reliability, response time and availability of the leak detection system. There is likely to be a need for periodic testing and calibration of leak detection equipment. Claims in the safety case must be consistent with the practicalities of the leak detection system. The Inspector should examine the safety case for operating instructions covering how operations staff are to respond to the detection of a leak. The response may be graded depending on the rate of leakage and the rate of change of leakage.

8)  The hazards associated with the leakage of fluids should be considered in the safety case to ensure that these do not lead to potential loss of safety related plant or equipment and do not pose a hazard to operators. The safety case should demonstrate that the plant can continue to be operated safely in the event of leakage or spillage of fluids.

4.13    Ageing and Degradation

1)  In preceding sections of this TAG, aspects of ageing and degradation have been implicitly considered. For metal components and structures, the consideration of ageing and degradation at the design stage and during service is a long established practice. Mechanisms such as creep, fatigue, thermal strain ageing, irradiation embrittlement, environmental effects such as corrosion and flow assisted corrosion, are well recognised and routinely considered in structural integrity evaluations (see this TAG 4.5-7,4.6-2, 4.7-1 to -4, 4.10-1(ii) and (iii) 4.10-8, 4.11). Ageing and degradation mechanisms might lead to initiation of defects, sub-critical growth of pre-existing defects or reduce the defect tolerance of the material. Some ageing and degradation mechanisms might lead to some or all of these effects.

2)  Ageing and degradation mechanisms have the potential to erode safety margins attributed to the plant at start of life. Clearly this could have safety significance. Therefore each nuclear facility should have an ageing management programme.

3)  The safety case for nuclear facility components and structures needs to include a suitably conservative consideration of the effects of ageing and degradation on safety margins throughout plant operating life, including through decommissioning.

4)  At the design stage, potential ageing and degradation mechanisms should be identified and stated as part of the design specification. With the mechanisms defined, a conservative estimate should be made of the minimum safe working life of the components and structures. For components and structures that are impractical to replace, the conservative estimate of minimum safe working life should be especially robust. For components and structures that cannot be replaced, the use of novel materials or design concepts is unlikely to assist in establishing a conservative safe working life (EAD.1).

5)  It is to be expected there will be uncertainties in material properties and plant parameters required in the estimation of a safe working life.  Such uncertainties should be considered during the design process and subsequently confirmed or otherwise by in-service monitoring and measurement of material properties and plant parameters. Periodic review during service should use evolving in-service information to update the predicted minimum safe working life (EAD.2, EAD.3, EAD.4).

6)  Existing components and structures may have been designed and built to a code or standard that is no longer current. In other words the component or structure was built to a code or standard that is now obsolete. Usually there will be a current code or standard which     would be applicable to a similar component or structure if it were to be designed and manufactured now. Current relevant codes and standards can form the basis of a design capability assessment. Over the course of a number of years, new approaches may be adopted to assist in supporting claims of structural integrity. An example over the last few decades has been the increasing use of fracture mechanics to demonstrate the resistance to crack growth in metallic components and structures. Current methods (e.g. fracture mechanics procedures) can be applied to existing components and structures.  One practical limitation can be whether appropriate materials data is available for an existing component or structure to permit the plausible use of advance analysis techniques (EAD.5).

7)  Within the context of nuclear regulation in the UK, and unless there is an acute problem of ageing or degradation, the natural stage to consider ageing, degradation and obsolescence issues is during the Periodic Safety Review process.

4.14    Operational Experience Data

1)  Wherever possible, the design and operation of metal components and structures (and their associated safety cases) should be informed by relevant specific and general operational experience. Similarly, the Inspector’s assessment of a safety case should take into account relevant operational experience. Metal components and structures in nuclear facilities are generally reliable. But total worldwide experience is still modest. Taking light water reactors as an example, to end 2007 operational experience worldwide amounts to about 12,000 reactor years (for the UK AGRs operating experience to end 2007 is about 200 reactor years). Even with zero events of a defined type and using a 95% upper confidence level, the quantitative reliability statement that can be made is

2.996/12000 = 2.5x10-4 per reactor year

This assumes:

uncorrelated, rare events at constant hazard, following a Poisson distribution;

uniform distribution for the Bayesian prior;

to determine the probability density function of the failure rate. With about 400 reactors worldwide, the number of reactor years increases by about 4000 reactor years every 10 years. So quantitative reliability statements based on operational experience cannot ‘improve’ by more than at best about a factor of 25% in the next 10 years.

2)  Detailed operational experience data is generally not freely available, being considered proprietary information. For nuclear components and structures, the IAEA Incident Reporting System (IRS) provides some information. At the time of writing, ONR staff have access to the web-based version of the IAEA IRS database. The IAEA IRS database is only for power reactors and predominantly for Light Water Reactors (BWR, PWR). Nevertheless the information can be of general use and sometimes could be of specific use. Note the IAEA IRS dose not include all events that have occurred worldwide.  The IRS database probably contains the most significant events, and probably includes the range of causes of failure. However the IAEA IRS database is not suitable for making quantitative reliability statements.

3)  For this TAG and for nuclear vessels and pipework, a survey has been completed of the IAEA IRS. The results of this survey are contained in two documents, for nuclear vessels [7], and for piping in primary circuits and connected systems [8]. References 7 and 8 also include events not in the IAEA IRS database, the alternative sources are identified. To illustrate the incomplete nature of the IAEA IRS database, the entire database contains almost 3500 events of all sorts, and for piping, reference 8 contains less than 100 events. By contrast the Swedish Nuclear Plant Inspectorate’s review of nuclear plant piping experience for the period 1970-1996 includes over 1000 events in ‘LOCA sensitive piping [9]. The subsequent OECD [10] project on piping failure data (ODPE) has accumulated many more instances of non-through wall cracking and wall thinning, with smaller proportionate increases in the number of leak events and rupture or structural failure events (for the more severe failure events, changes of failure definition could affect the apparent changes in numbers of events).

4)  In the absence of sufficient information for nuclear vessels to make quantitative reliability statements beyond the sort of value illustrated above, there has been interest in non- nuclear vessel operating experience. One of the most recent examples is reference 11, a survey of UK non-nuclear vessel experience for the period 1983-1988. Reference 11 is based on experience over 5 years for about 360,000 vessels, about 75% being air receivers. For air receivers the ‘disruptive’ failure rate is 4.8x10-6 per vessel year (95% upper confidence bound - Table 3 ref 11). Boilers and steam receivers appear notably less reliable with a ‘disruptive’ failure rate of 2.4x10-5 per vessel year (95% upper confidence bound). It is difficult to know how to relate non-nuclear vessel operating experience to nuclear vessels. For instance is the operating environment of a typical non-nuclear air receiver or steam receiver / boiler better or worse than a nuclear vessel?

5)  In assessing a safety case which includes operational experience, the inspector should review the weight of the operational experience and its role in the safety case claims, arguments and evidence. Taking the examples of piping operational experience data summarised above, one can consider the least frequent failure sequences that are likely to be included in the data, and for frequent failure sequences, how many examples are likely to be included in the database. The main factor affecting both considerations will be the size of the database in terms of plant-operating years of experience, the extent of the event collection process and the relevance of the experience to the subject of the safety case. It is important to consider available operating experience, both in production and assessment of safety cases.  But available operating experience is unlikely to be a decisive basis alone for a safety case.

4.15    Decommissioning

1)  Approaching and during decommissioning of a nuclear facility, the continuing, amended or reducing role of the integrity of metal components and structures should be reviewed. Changes to the role of metal components and structures for the decommissioning phase should be incorporated in the decommissioning safety case.

2)  Several of the factors for normal operation of a nuclear facility (e.g. in-service examination, ageing and degradation, materials monitoring) may remain relevant during decommissioning.  However the requirements may be less demanding for the decommissioning phase compared with normal operation; it depends on the residual nuclear hazard. The NII Inspector should apply the guidance in this TAG to the decommissioning phase of a nuclear facility, moderated by the changing nuclear hazard. A basic factor is whether, under generally accepted definitions, what were defined as pressure systems for normal operation, continue to be classified as pressure systems in the decommissioning phase.

4.16    General advice

1)  The Inspector should consider, as appropriate for the key safety issues, the elements set out in paragraphs 238 to 257 of the SAPs to the appropriate depth to establish whether:

the design, load analysis, materials, standards of manufacture, inspection and testing, quality assurance standards, protection systems, and provisions for material monitoring, maintenance and inspection provide the necessary confidence that the safety functional requirements will be met.

2)  It should be emphasised that the adequacy of the integrity of metal components and structures relies to an extent on each of the factors outlined, and the Inspector should apply engineering judgement to the overall safety case before coming to a view on its acceptability. Structural integrity safety cases tend to be multi-legged and each leg of the argument needs to be considered before coming to a view on the overall adequacy of any case. Due consideration should be given to the potential for common mode failure mechanisms and factors that affect more than one leg of a multi-legged argument.

3)  The Inspector is not expected to repeat the analysis provided by the Licensee, though sample checks may be appropriate. The assessment overall will be a sampling process. The Inspector may wish to examine the Licensee's process for developing the safety case to gain confidence in the content and claims of the safety case. The Licensee's process for developing the safety case should include adequate checking, verification and independent review to a degree appropriate to the case (MS.2, MS.4, EHF.8 and paragraphs 48, 50-60, 68, 89 and 387).

4)  This process relies on engineering judgement. This may be particularly demanding for existing metal components and structures where by comparison with modern standards, shortcomings may be present in some of the legs of the argument, and it may not be possible to introduce changes to the component or structure. See paragraph 31of the SAPs [1]. Other measures, such as changes to operating conditions, may be necessary to achieve an acceptable safety case. In some cases, consideration should be given to the reasonable practicability of enhancing confidence in the safety case by additional research, examination, measurements, material examination, analysis, or enhanced monitoring or make alternative provisions to ensure safety.

References

Safety Assessment Principles for Nuclear Facilities. 2006 Edition. Revision 1 (January 2008 - issued to ONR staff April 2008)

2  Bullough R., et al, The Demonstration of Incredibility of Failure in Structural Integrity Safety Cases. Int. J. Pressure Vessels and Piping Vol 78 No8 pp539-552 (2001).

3  Assessment Procedure for the High Temperature Response of Structures. British Energy Generation Ltd document R5 Issue 3 (initial issue June 2003 which replaced Issue 2) (as of May 2007, there have been no Amendments).

4  Assessment of the Integrity of Structures Containing Defects. British Energy Generation Ltd document R6, Revision 4 (initial issue April 2001 which replaced Revision 3) as amended (as of May 2007 last Amendment was No5, May 2006).

5  Guide to Methods for Assessing the Acceptability of Flaws in Metallic Structures. British Standard BS7910:2005 (27 July 2005) (current version as of May 2007).

6  Statement on the Operation of Ferritic Steel Nuclear Pressure Vessels, Health and Safety Executive, Nuclear Installations Inspectorate, Int. J. Pressure Vessels & Piping, Vol 64 No3 pp307-310 (1995).

7  Harrop L P., Nuclear Power Plant Vessel Operational Integrity - Worldwide. Summary of Vessel Degradation Events. Based on International Atomic Energy Agency (IAEA) Incident Reporting System (IRS) and Other Reports to 19 December 2007. TRIM document 2007/341502 in folder 1.9.3.148. (19 December 2007).

8  Harrop L P., Tables Summarising International Atomic Energy Agency (IAEA) Incident Reporting System (IRS) Incident Reports for Nuclear Power Plant Piping Degradation - Cracks, Leaks, Ruptures in PWR and BWR Reactor Coolant Loops and Connected System Piping. TRIM document 2007/341485 in folder 1.9.3.148. (19 December 2007).

9  Nyman R., Hegedus D., Tomic B., Lydell B., Reliability of Piping System Components. Framework for Estimating Failure Parameters from Service Data. Swedish Nuclear Plant Inspectorate document SKI 97:26 3rd Edition (January 2005). TRIM document  2007/343339 in folder 1.9.3.148.
Reliability of Piping System Components - Framework for estimating failure parameters from service data

10  Heurta A., OECD NEA Related Project. SCAP Project, OPDE, RI-ISI and RISMET. OECD IAGE Sub-Group on Integrity of Metal Components & Structures. Paris (April 2007). (PowerPoint document) TRIM document 2008/128 in folder 1.9.2.148.

11  Davenport T J., Warwick R G., A Further Survey of Pressure Vessel Failures in the UK (1983-1988). AEA Technology document SRD/R/545 (February 1997).
TRIM document 2007/330565 in folder 1.9.3.148.

12  Record of Large Scale Tests on Pipes. International Piping Integrity Research - 1.3 Facility, 1.3 Tests, 1.1/1.2 Tests Summary. (Video) (HSE Library Item R132 985).

13  Pipe System Test on Aged Cast Stainless Steel: Experiment and Slow Motion: IPIRG Test 1.3-7, Battelle. (Video) (1990) (HSE Library item R133 509).

14  Geraghty J.E., Structural Integrity of Sizewell B - the Way Forward. Nuclear Energy
pp97-103, Vol35 No2 (April 1996).

15  Sizewell ‘B’ Reactor Pressure Vessel. Special Issue of Nuclear Energy Vol 31 No 6
pp409-453 (December 1992).

16  Roos E., Herter K-H., Otremba F., Metzner K-J., General Concept of the Integrity of Pressurised Components. Transactions of SMiRT 16 Division O Paper 1725 (August
2001) (General Concept for the Integrity of Pressurized Components)

Appendix 1 - Western European Nuclear Regulators’ Association (WENRA) Reactor Safety Reference Levels, Decommissioning Safety Reference Levels, Waste and Spent Fuel Storage Safety Reference Levels

A1.1)  The WENRA Reactor Safety Reference Levels were published in January 2007 and updated in January 2008 [A1-1]. By their title they only apply to reactors. According to the WENRA web site, the Reference Levels are for existing plants[A1-2], confirmed by the titles of Issues E and F within the Reference Levels.

A1.2)  Generally the WENRA Reference Levels are at a high level, somewhat similar to the higher level requirements of the SAPs. Rather than compare the WENRA Reactor Safety Reference Levels and the SAPs and show how they are similar, here the differences relevant to structural integrity are highlighted. If the Inspector applies the SAPs then the general WENRA Reactor Safety Reference Levels should be accounted for. For example, the WENRA Reactor Safety Reference Level on Ageing and Degradation is covered in this TAG by section 4.13 together with sections 4.10 and 4.11. A few WENRA Reference Levels are quite specific, relevant examples for structural integrity are listed below:

Issue E “Design Basis Envelope for Existing Reactors” paragraph 9.5: The means for shutting down the reactor shall consist of at least two diverse systems.

This is not primarily a structural integrity issue, though there may be potential structural integrity failures which could compromise physical means of shutting down a reactor.

The Appendix to Issue E lists a set of design basis events, though for internal events it only explicitly covers water reactor designs.

Issue F “Design Extension of Existing Reactors”: An Appendix lists a set of beyond design basis events, though these are only for internal events and water reactors.

Issue K “Maintenance, In-Service Inspection and Functional Testing” paragraph 3.8: The reactor coolant pressure boundary shall be subject to a system pressure test at or near the end of each major inspection interval.

This is distinct from a leak test, which is the subject of paragraph 3.9; the implication is the pressure test would be at a pressure above the design pressure, though no specific multiplier is given. This is a rather odd Reference Level; although one or two countries in Europe have this practice it is not general. See section 4.8, paragraph 3 and section 4.6 paragraph 11 of the main text of this TAG.

A1-3)  The WENRA Decommissioning Safety Reference Levels report was issued in July  2007[A1-3]. The WENRA DSRLs do not explicitly contain requirements for metal components and structures. Section 4.15 of the main text of this TAG covers decommissioning.

A1-4)  The WENRA Waste and Spent Fuel Storage Safety Reference Levels report was issued in December 2006[A1-4]. The WENRA WSFSSRLs do not explicitly contain requirements for metal components and structures. However aspects of this TAG may be relevant to assessing the structural integrity of storage containers

References

A1-1  WENRA Reactor Safety Reference Levels. Reactor Harmonization Working Group of the Western European Nuclear Regulators’ Association. (January 2008). (as of July 2008 available from the Publications section of WENRA web site: Wenra (http://www.wenra.org/)

A1-2  Wenra - The challenge to harmonise safety requirements

A1-3  WENRA Decommissioning Safety Reference Levels. Working Group on Waste and Decommissioning of the Western European Nuclear Regulators’ Association. Version 1.0 (March 2007). (as of July 2008 available from the Publications section of WENRA web site

A1-4  WENRA Waste and Spent Fuel Storage Safety Reference Levels. Working Group on Waste and Decommissioning of the Western European Nuclear Regulators’  Association. Version 1.0 (December 2006). (as of July 2008 available from the Publications section of WENRA

Appendix 2 - International Atomic Energy Agency (IAEA), Standards, Guidance and Documents

A2.1)  IAEA publishes several types of documents, grouped into ‘Series’. The four Series
of interest here are:

Safety Standards Series
Safety Reports Series
Technical Reports Series
Technical Documents Series (TECDOCS)

Lists of the documents in these Series are available on the IAEA web site; the more recent documents (roughly since 1996) are available in PDF format on the IAEA web site. According to SF-1 (ref A2-1), IAEA safety standards, comprise Safety Fundamentals, Safety Requirements and Safety Guides; these are all in the Safety Standards Series. These IAEA safety standards are applied by the IAEA and joint sponsoring organizations to their own operations, and are recommended for use by States and national authorities and by other international organizations in relation to their own activities. IAEA documents not listed under the Safety Standards Series are not part of IAEA safety standards. For TECDOCs, see the IAEA disclaimer in the reference list below.

A2.2)  The result of this review of IAEA documents can be summarised as:

The SAPs (2006 Edition) and the Technical Assessment Guides overall cover the same areas. That is the review of the IAEA documents has not  revealed any significant gaps in the SAPs or TAGs;

The IAEA Safety Series documents leave the Inspector a good deal of latitude for judgement. That is the IAEA documents do not appear to constrain the Inspector to any greater extent than the SAPs and TAGs;

The IAEA documents apply only to nuclear power reactors and mostly to PWR and BWR type reactors. The remit of the ONR Safety Assessment Principles and this TAG is wider and covers all nuclear facilities.

A2.3)  The lists of IAEA documents have been assessed and the subset potentially relevant to assessment of metal components and structures extracted (May 2007) and are listed in the Reference List to this Appendix.

A2.4)  In addition to the search of IAEA documents with titles potentially relevant to assessment of integrity of metal components and structures, a general search of IAEA documents was made using the word ‘advanced’ to identify IAEA documents relevant to new reactors. A number of documents were identified. These are not primarily concerned with structural integrity but they do give an overview of new designs and the role of structural integrity within those designs. The documents found as a result of this search and filtering are also listed in the References to this Appendix.

A2.5)  SF-1, Safety Fundamentals (ref A2-1) is a new document approved by the IAEA Board of Governors in September 2006. This is the primary publication in the IAEA Safety Standards Series, superseding the previous Safety Fundamentals publications issued in the former Safety Series. SF-1 is a very high level document           and contains just 10 Principles. The Principles in SF-1 have their equivalents in the more general Principles of the ONR Safety Assessment Principles (2006 Edition).  However there are no SF-1 Principles which relate specifically to assessment of the structural integrity of metal components and structures.

A2.6)  Two Requirements documents were identified as potentially relevant to this TAG, NS-R-1 and NS-R-2 (refs A2-2, A2-3). According to NS-R-1, IAEA Safety Requirements establish the requirements that must be met to ensure safety. These requirements, which are expressed as ‘shall’ statements, are governed by the objectives and principles presented in the Safety Fundamentals.

A2.7)  NS-R-1 (ref A2-2) covers Requirements for Design of nuclear power plants. This covers design at a broad level. The general requirements are applicable to assessment of structural integrity of metal components and structures. There are also some requirements quite specific to assessment of metal components and structures. Overall if the Inspector follows the SAPs (2006 Edition) and the further guidance in this TAG, the Requirements in IAEA NS-R-1 will be addressed.  Particular sections of NS-R-1 of interest here are:

  • Requirements for Management of Safety
  • Principal Technical Requirements (including Safety Functions in 4.5 top 4.7)
  • Requirements for Plant Design
  • Requirements for Design of Plant Systems
    • Reactor Core and Associated Features
    • Reactor Coolant System

It is not reasonable here to give a point-by-point comparison between the IAEA
NS-R-1 requirements and the SAPs (2006 Edition), however one example is provided. Paragraph 6.24 of NS-R-1 states:

The pressure retaining boundary for reactor coolant shall be designed so that flaws are very unlikely to be initiated, and any flaws that are initiated would propagate in a regime of high resistance to unstable fracture with fast crack propagation, to permit timely detection of flaws (such as by application of the leak before break concept). Designs and plant states in which components of the reactor coolant pressure boundary could exhibit brittle behaviour shall be avoided.

This is covered by SAPs EMC.1, EMC.5, EMC.6, EMC.11, EMC.12, EMC.23, EMC.26, EMC.34.

A2.8)  NS-R-2 (ref A2-3) covers requirements for Operation. Again this covers requirements     at a general level. Probably less of NS-R-2 is relevant to this TAG than NS-R-1.  However some sections are generally relevant, including:

  • Plant Operations
  • Operational Limits and Conditions
  • Maintenance, Testing, Surveillance and Inspection of Structures, Systems and Components Important to Safety
  • Plant Modifications

There are fewer directly relevant parts of NS-R-2 compared to NS-R-1, but one example is given. The start of paragraph 5.2 of NS-R-2 states:

  • Operational limits and conditions shall be developed to ensure that the plant is operated in accordance with the design assumptions and intent. They shall reflect the provisions made in the final design…….

This is covered in the SAPs (2006 Edition) for structural integrity of metal components and structures by paragraph 252 item (i) and by EMC.21.

A2.9)  Five Safety Guides have been identified as potentially relevant to this TAG: NS-G-1.9, NS-G-1.10, NS-G-2.6, NS-G-2.3, NS-G-1.6 (refs A2-4 to A2.8).  According  to IAEA, its Safety Guides recommend actions, conditions or procedures for meeting safety requirements. Recommendations in Safety Guides are expressed as ‘should’ statements, with the implication that it is necessary to take the measures recommended or equivalent alternative measures to comply with the requirements.

A2.10)  It is important to note these Guides are aimed at the designer and operator of the nuclear power plant, not the regulator. However the Inspector may find the content of these Guides useful as background information.

A2.11)  NS-G-1.9 (ref A2-4) provides guidance for the design of the reactor coolant system and associated systems. The guidance is general and specifically oriented to PWR, BWR and Heavy Water Reactors. Sections specifically relevant to this TAG are:

  • General Considerations in Design
    • Selection of Materials
    • Provision of Overpressure Protection
    • Considerations of isolation
    • Provisions for In-Service Inspection, Testing and Maintenance
  • Specific Considerations in Design
    • Reactor Coolant System

One example of how NS-G-1.9 and the SAPs (2006 Edition) cover particular topics are the “Provision of Overpressure Protection” in NS-G-1.9 (paragraphs 3.39 to 3.46) and “Consideration of Isolation” (paragraphs 3.66 to 3.69). These are covered in the SAPs in EPS.3 to EPS.5 (overpressure) and EPS.2 (isolation).

A2.12)  NS-G-1.10 (ref A2-5) provides guidance for the design of reactor containment systems. For this TAG the only relevance is if the containment structure includes a significant metal component. For instance an inner steel pressure shell surrounded by a concrete outer shell. This is a relatively specialized area. The SAPs EMC.1 to EMC.34 plus ECE.1 to ECE.24 together cover the same ground as NS-G-1.10 in terms of structural integrity.

A2.13)  NS-G-2.6 (ref A2-6) covers maintenance, surveillance and in-service inspection. For assessment of integrity of metal components and structures it is mainly the surveillance and in-service inspection aspects which are relevant. Sections potentially relevant to this TAG are:

  • Analysis of Results and Feedback Experience
  • Area in Which Special Considerations Apply
    • Plant Ageing
    • Plant Designed to Earlier Standards
  • Additional Considerations Specific to Surveillance
  • Additional Considerations Specific to In-Service inspection.

The few paragraphs on plant ageing and plants designed to earlier standards only provide a set of general points.

SAPs (2006 Edition) which address surveillance and in-service inspection for metal components and structures are EAD.1 to EAD.5, EMC.24 to EMC.26 and EMC.27 to EMC.30. General matters relating to Maintenance, Inspection and Testing are covered in SAPs EMT.1 to EMT.8.

A2.14)  NS-G-2.3 (ref A2-7) covers modifications. The guide is quite general; there is nothing in NS-G-2.3 which is only relevant to integrity of metal components and structures. As defined in NS-G-2.3, modifications can include physical changes to plant, operational limits and conditions, operating procedures and modifications to safety assessment tools and processes. NS-G-2.3 does not seem to include the concept of modification to a safety case, without any of the modifications listed above. A modification to a safety case, in the light of new knowledge, but containing arguments why no other modifications are needed could well be something ONR would wish to assess. Active management of safety cases and maintenance of safety cases (implying the potential for modifications in safety cases) is addressed in SAPs (2006 Edition) SC.7. For integrity of metal components and structures, ONR SAP EMC.31 applies. There is no separate section of the SAPs (2006 Edition) which covers modifications. It may be that as ONR expects modifications to be covered by safety case changes, at appropriate categorization, the SAPs deal implicitly with modifications through the Principles relevant to safety cases (SC.1 to SC.8).

A2.15)  NS-G-1.6 (ref A2.8) provides guidance on seismic design. There are many aspects of NS-G-1.6 which are not specific to integrity of metal components and structures. Particular sections which might be considered are:

  • Seismic Design
    • Piping and Equipment
  • Qualification by Analysis
  • Seismic Qualification by Means of Testing, Earthquake Experience and
    • Indirect Methods

Seismic loading is one external hazard covered by SAPs (2006 Edition) EHA.1 to EHA.17 and specifically in EHA.9. In terms of integrity of metal components and structures, seismic loading is included (probably implicitly) in EMC.7, EMC.32 and paragraph 279.

A2.16)  The remaining IAEA documents in the reference list below are in the Technical Report Series and the TECDOC Series. These ‘IAEA other safety related publications’ are ‘informational publications’. They do not contain IAEA Principles, Requirements or Guidance. The Technical Report Series and TECDOC Series documents listed here are included based on their titles being apparently relevant to integrity of metal components and structures. Many of the documents are concerned with ageing and ageing management; this obviously having been a dominant theme over the last 20 years or so, with no significant new build. A few TECDOCs deal with new or ‘advanced’ reactors. These do not contain much on metal components and structures, beyond a summary description of the main components of the pressure boundaries of the designs. All these documents are only for nuclear power plants with water-cooled reactors.

References

Safety Standards Series

79 documents listed on the IAEA web site

Selected 8 as potentially relevant:

A2-1  SF-1 Safety Fundamentals (November 2006)

A2-2  NS-R-1 Safety of Nuclear Power Plants: Design (September 2000)

A2-3  NS-R-2 Safety of Nuclear Power Plants: Operation (September 2000)

A2-4  NS-G-1.9 Design of the Reactor Coolant System and Associated Systems in Nuclear Power Plants (September 2004)

A2-5  NS-G-1.10 Design of Reactor Containment Systems for Nuclear Power Plants (September 2004)

A2-6  NS-G-2.6 Maintenance, Surveillance and In-Service Inspection in Nuclear Power Plants (October 2002)

A2-7  NS-G-2.3 Modifications to Nuclear Power Plants (October 2001)

A2-8  NS-G-1.6 Seismic Design and Qualification of Nuclear Power Plants (November 2003)

Safety Reports Series

50 documents listed on the IAEA web site.

None identified as relevant

Technical Reports Series

343 documents listed on the IAEA web site.

Selected 3 as potentially relevant:

A2-9   Methodology for the Management of Ageing of Nuclear Power Plant Components Important to Safety (July 1992)

A2-10  Guidelines for Application of the Master Curve Approach to reactor Pressure Vessel Integrity in Nuclear Power Plants (March 2005)

A2-11  Plant Life Management for Long Term Operation of Light Water Reactors - Principles and Guidelines (December 2006)

The following document does not have a PDF file available on the IAEA web site:

A2-12  Neutron Irradiation Embrittlement of Reactor Pressure Vessel Steels (1975).

Technical Documents (TECDOCs)

1424 documents listed on the IAEA web site. PDF versions usually available back to late 1996. Before that date only a few (perhaps important) TECDOCs are available as PDF documents.

Note the following disclaimer on the IAEA web site:

The IAEA Technical Documents (IAEA-TECDOC) series reports on many aspects of the Agency's work. Please note, however, that titles in this series are not edited and therefore may not always conform to the high quality standards of IAEA publications. The IAEA does not assume any responsibility for consequences which may arise from the use of older titles.

(IAEA Technical Documents (IAEA-TECDOCs))

Selected 20 documents as potentially relevant:

A2-13 TECDOC-774 Guidance on the Application of Leak Before Break Concept - Report of the IAEA Extrabudgetary Programme on the Safety of WWER-440 Model 230 Nuclear Power Plants (November 1994)

A2-14 TECDOC-981 Assessment and Management of Ageing of Major Nuclear Power Plant Components Important to Safety: Steam Generators (November 1997)

A2-15 TECDOC-1037 Assessment and Management of Ageing of Major Nuclear Power Plant Components Important to Safety: CANDU Pressure Tubes (August 1998)

A2-16 TECDOC-1119 Assessment and Management of Ageing of Major Nuclear Power Plant Components Important to Safety: PWR Vessel Internals (October 1999)

A2-17 TECDOC-1120 Assessment and Management of Ageing of Major Nuclear Power Plant Components Important to Safety: PWR Pressure Vessels (October 1999)

A2-18 TECDOC-1181 Assessment and Management of Ageing of Major Nuclear Power Plant Components Important to Safety: Metal Components of BWR Containment Systems (October 2000)

A2-19 TECDOC-1197 Assessment and Management of Ageing of Major Nuclear Power Plant Components Important to Safety: CANDU Reactor Assemblies (February 2001)

A2-20 TECDOC-1263 Application of Non-Destructive Testing and In-Service Inspection to Research Reactors - Results of a Co-ordinated Research Programme (December 2001)

A2-21 TECDOC-1303 High Temperature On-Line Monitoring of Water Chemistry and Corrosion Control in Water Cooled Power Reactors - Report of a Co-ordinated Research Project 1995-1999 (July 2002)

A2-22 TECDOC-1341 Extreme External Events in the Design and Assessment of Nuclear Power Plants (March 2003)

A2-23 TECDOC-1347 Consideration of External Events in the Design of Nuclear Facilities Other Than Nuclear Power Plants, with Emphasis on Earthquakes (March 2003)

A2-24 TECDOC-1361 Assessment and Management of Ageing of Major Nuclear Power Plant Components Important to Safety: Primary Piping in PWRs (July 2003)

A2-25 TECDOC-1400 Improvement of In-Service Inspection in Nuclear Power Plants (July 2004)

A2-26 TECDOC-1435 Application of Surveillance Programme Results to Reactor Pressure Vessel Integrity Assessment - Results of a Co-ordinated Research Project 2000-2004 (April 2005)

A2-27 TECDOC-1441 Effects of Nickel on Irradiation Embrittlement of Light Water Reactor Pressure Vessel Steels (June 2005)

A2-28 TECDOC-1442 Guidelines for Prediction of Irradiation Embrittlement of Operating WWER-440 Reactor Pressure Vessels - Report Prepared Within the Framework of the Co-ordinated Research Project (June 2005)

A2-29 TECDOC-1470 Assessment and Management of Ageing of Major Nuclear Power Plant Components Important to Safety: BWR Pressure Vessels (October 2005)

A2-30 TECDOC-1471 Assessment and Management of Ageing of Major Nuclear Power Plant Components Important to Safety: BWR Pressure Vessel internals (October 2005)

A2-31 TECDOC-1487 Advanced Nuclear Plant Design Options to Cope with External Events (February 2006)

A2-32 TECDOC-1503 Nuclear Power Plant Life Management Processes: Guidelines and Practices for Heavy Water Reactors (June 2006)

The following documents do not have PDF files available on the IAEA web site:

A2-33  TECDOC-109 Periodic Inspection of Nuclear Reactor Steel Pressure Vessels, Stockholm 21-25 October 1968 (February 1969) (HSE Library Catalogue shows a copy)

A2-34  TECDOC-189 Fracture Mechanics Applications: Implications of Detected Flaws, Winterthur 3-5 December 1975 (August 1976) (HSE Library Catalogue shows a copy)

A2-35  TECDOC-202 Reactor Pressure Vessel Surveillance, Pilsen 17-18 May 1976 (November 1997)

IAEA Documents Identified by Search on the Word ‘Advanced’

71 documents listed on the IAEA web site.

Selected 9 documents as potentially relevant and not already in the lists above (all are from the TECDOC series):

A2-36 TECDOC-677 Progress in Development and Design Aspects of Advanced Water Cooled Reactors - Proceedings of a Technical Committee Meeting held in Rome 9-12 September 1991 (December 1992)

A2-37 TECDOC-682 Objectives for the Development of Advanced Nuclear Plants (January 1993)

A2-38 TECDOC-752 Status of Advanced Containment Systems for Next Generation Water Reactors (June 1994)

A2-39 TECDOC-936 Terms for Describing New, Advanced Nuclear Power Plants (April 1997)

A2-40 TECDOC-968 Status of Advanced Light Water Reactor Designs 1996 (September 1997)

A2-41 TECDOC-977 Integral Design Concepts of Advanced Water Cooled Reactors - Proceedings of a Technical Committee meeting held in Obninsk, Russian Federation, 9-12 October 1995 (November 1997)

A2-42 TECDOC-1390 Construction and Commissioning Experience of Evolutionary Water Cooled Nuclear Power Plants (April 2004)

A2-43 TECDOC-1391 Status of Advanced Light Water Reactor Designs 1994 (May 2004)

A2-44 TECDOC-1474 Natural Circulation in Water Cooled Nuclear Power Plants - Phenomena, Models and Methodology for System Reliability Assessments (November 2005)

The following documents do not have PDF files available on the IAEA web site:

A2-45 TECDOC-117 Development of Advanced Reactor Pressure Vessel Material (Tokyo, 21-25 July 1969) (1970)

A2-46 TECDOC-265 Analysis of the Behaviour of Advanced Reactor Pressure vessel Steels Under Neutron Irradiation (1986)

A2-47 TECDOC-479 Status of Advanced Technology and Design for Water Cooled Reactors: Light Water Reactors (1988)

A2-48 TECDOC-510 Status of Advanced Technology and Design for Water Cooled Reactors: Heavy Water Reactors (1989)

A2-49 TECDOC-665 Materials for Advanced Water-Cooled Reactors - report of a Technical Committee Meeting, Plzen, 14-17 May 1991 (1992)

Directgov - Business Link

Updated 10.01.12