Fuel Handling Systems Licensing Documentation

(FSDA)

SYSTEM REQUIREMENT SPECIFICATION (SRS)

SYSTEM DESCRIPTION (SD)

SYSTEM REQUIREMENT EVALUATION (SRE)

plant SEP and SEQP to cover fuel handling systems. SEP-FHs targets are to:

define the list of licensing documents for fuel handling;
define the list of parent documents, requirements and standards
applicable for each document;
- define the tasks for each document;
describe the principles of documents developing;
- describe the methodology for nuclear risk analysis and
functional safety design.

(SEP-FH)

SQfP

FSDA

Refueling machine

SRS

SD

SRE

SQP

- Electrical Bridge Polar Crane l/c 360(205)/60/5/5+10t;
Trestle Crane l/c 360(140)/60+10t;
…

method for FSDA. The examples of each stage are presented below in FSDA section.

(FSDA)

SYSTEM REQUIREMENT SPECIFICATION (SRS)

SYSTEM DESCRIPTION (SD)

SYSTEM REQUIREMENT EVALUATION (SRE)

Mainly based on referent NPP data

RM are based on YVL and EPC requirements for fuel handling at the NPP. The reference NPP experience is utilized as well.

(hereinafter referred to as PIE) is a list of undesirable finite events while performing transport and handling operations by the refueling machine. Occurrence of these events actually means the disturbance of main safety requirements specified.

FA – Fuel Assembly

the full list of possible failure modes, which can occur during the RM operation. A detailed analysis of all possible deviations in the operation of refueling equipment mechanisms is carried out to determine the list of failure modes. Failure modes are divided to External (outside the reactor building), External (from RM point of view) and Internal (see the next slide)

and assemblies

Failure modes associated with bridge travel

Failure modes associated with trolley transfer

Failure modes associated with travel of FA gripper

Failure modes associated with the main mast sweep

Failure modes associated with lock travel

Failure modes associated with Control Rod gripper travel

Failure modes associated with travel of FA lift-off mechanism

Failure modes associated with placing Control Rods in the reactor

All possible kinds of disturbances in operation of RM mechanisms and devices, regardless of their possible impact on safety of transport and handling operations with nuclear fuel are considered as internal failure modes of the refueling machine.

See the next page

In the next phase requirement YVL-E.11-604 for FMEA will be prepared in more detail for component level by the equipment supplier (YVL-E.11-605).

ranges

Operational speed

Low speed

Installation

Extraction

Transfer

Causes and conditions of PIE occurrence can significantly differ for various stages of transport and handling operations and even when performing a single process operation. Therefore, the essential stage of activity is allocation of specific areas of the nuclear fuel handling process, so-called basic distances, where causes and conditions of safety requirement violations remain invariable (causes and conditions of PIE occurrence).

– RM with FA or absorbing rod of the control and protection system (CPS AR)
(BD12) – RM without FA, CPS AR

transfer operations.

Diagram shows the general approach to define basic intervals in case of vertical movements. If there is a difference between movements in Reactor and Fuel Pool or Refueling well (from consequences point of view), special basic intervals are defined. Otherwise basic intervals are the same.

distance
(BD-01)

+

Failure mode (F001)

Failure mode
(F012)

Failure mode
(F010)

Failure mode
(F030)

Failure mode
(F_last one)

=

=

PIE#01

PIE#02

Functional Requirement (FR#42)

Functional Requirement (FR#09)

+

+

+

+

The analysis of failure mode consequences on basic distancess incudes review of all failure modes at each basic distance and determination of PIE occurrence possibility.

of FE cladding;
- leads to subcriticality disturbance.

- minor damage FA without loss of
of the fuel cladding integrity;
- damage of Control Rod;
- damage of RM mechanisms;

In this document the risks are divided into major and minor risks on the basis of severity of the nuclear consequences. «No risk» is used when safety is ensured without RM participation. Risk level is a defining criterion in further selection of counter-measures, classification of safety functions and selection of the way of their implementation.
At this preliminary stage of analysis conservative approach is used. Each risk which couldn’t be classified as Minor without calculations was classified as Major. The results will be updated at the stage of Manufacturer detailed analysis.

NO RISK

no countermeasure for refueling machine is needed,
some other SSC prevent the risk.
Example: mispositioning of control rod in the reactor -
subcriticality is ensured by boron injection

procedure requirement

A counter-measure is considered to be main if there are no other counter-measures capable to prevent the occurrence of PIE in case of the this counter measure failure. Other counter-measures are preventive.

Mechanical design requirement
Safety I&C functions
Operating procedure requirement

– Risk analysis table

functions. Functions are attributed to blocks on diagram in accordance with the following principle:
Operational functions – 1, Safety functions – 2.
In case there is strict requirement to implement the safety function:
- if there is no software – 2.1;
- if the function is activated by component with its own software (safety field device) – 2.2;
If the function is activated by Programmable logic controller (PLC) – 2.3;
Operational functions follow the same principle.

(FSDA)

SYSTEM DESCRIPTION (SD)

SYSTEM REQUIREMENT SPECIFICATION (SRS)

SYSTEM REQUIREMENT EVALUATION (SRE)

requirements related to the
Refueling Machine (RM) from YVL-guides, EPC-contract, Upper level documents and other sources.
Moreover, this document elaborates further requirements and provides traceability
of the requirements.

YVL-guides

EPC-contract

SRS

Upper level

Example:

Other

According to YVL E.11-5.1-517 safety functions that have been identified on the basis of the hoisting device unit’s risk analysis (FSDA) shall be focused on the hoisting device unit’s subsystems as functional requirements (SRS).

(FSDA)

SYSTEM REQUIREMENT SPECIFICATION (SRS)

SYSTEM DESCRIPTION (SD)

SYSTEM REQUIREMENT EVALUATION (SRE)

Mostly based on the reference NPP data

REFUELING MACHINE

Structure is based on KAA pilot

of absorbing rods of the control and protection system (hereinafter
CPS AR);
- monitoring of FA tightness;
- monitoring of FA and CPS AR reloading using video control system;
tools handling:
- CPS AR cask;
- device for FA installation level monitoring;
- FA seats inspection device;
- FA inspection device;
- device for lifting of dropped FA and leak-tight bottle.

General information

RM components
The refueling machine (RM) consists of a bridge (1) located in the central hall at the elevation of +31,200, a trolley (2) on which the main operating components of the machine are installed: the main mast (3) and TV arm (4).
Power to electrical equipment located on RM are supplied trough the local cabinet (7) and cable chain (5)
"Seismic terminal" for seismic clamps on the bridge is located outside the rail track (8).
The RM is controlled from a stationary remote control room located outside the reactor building containment. The control and monitoring equipment is located in the control room.

RM frontal view

4

3

9

9

cabinet
8 – Rail track

RM top view

5

2

1

8

8

CIMS

Structural diagram of the RM CIMS

Safety building 10UKD.

RM control room location (based on referent NPP)

Control room placement outside the containment reasons:
limitation of personnel quantity inside the containment;
more economical;
shortage of place inside containment.
Remote video supervision ensures entirety and sufficiency of the refueling process control and physical inventory of the nuclear fuel for the operator

pool (Automated monitoring system of radiation situation in the premises and at the site)

Spent fuel pool water level

Signal from seismic sensors of the industrial ant seismic protection system

Neutron flux density:
“STOP” signal from Neutron flux monitoring system

Signal from the instrumentation and control system of safety systems

of the RM and ensure continuous monitoring of the RM parameters during the refueling in the normal operation mode at the stopped power unit.

The Control Panel [1.1] is designed for:
- arrangement of the HSI is the task of the operation mode, state display of the RM mechanisms, etc.;
- recording of the refueling process;
- generation and printing of documents by the results of work [4] [4.1]

The local control panel [1.2] is designed to control the RM mechanisms in manual conditions from the central hall under direct visual supervision of the RM mechanism movements by the operator during the commissioning and maintenance of the RM jointly with the RM CS.

The Control system [1] receives task from Local Control Panel [1.2] and Control Panel [1.1]. It controls Refueling machine using sensors [1.4] measuring the different parameters of Refueling Machine like speed, position and load.

The Drive Control System [8] is designed to provide power supply and removal of supply voltages of electric motors [8.1] and brake devices [8.2] of the drive of the RM in accordance with accepted commands.

The Power Supply System [7] is designed to receive initial power supply of the 400 V three-phase voltage, 50 Hz, using two inputs from the 0.4 kV auxiliary switchgear and its conversion, distribution, controlled power supply for the RM CSs and the refueling machine electrical equipment.

and interlock function, when controlling the RM. Performance of the functions takes into account the information received from its own sensors of linear and angular movements (encoders) and force monitoring sensors (strain gage sensors).

The protection system II [3] is designed to perform the protection and interlock function. The function performance is based on the data received from its own discrete sensors (position sensors and maximum force exceedance sensors), force control sensors and linear and angular movement sensors (encoders).

The Fuel cladding integrity monitoring system [6] is designed to detect on-line FA with leaky FE at the shutdown reactor after the FAs are lifted from the core to transportation position in response to gaseous fission products released by FA into the water filling the inner space of working shaft.

The video control system [5] is designed to realize remote video observation while performing the process of FA reloading and physical inventory of the nuclear fuel, as well as to provide working area video control of the RM as whole in central hall during the technological operations.

the following components given in table:

System description

panel
Local control panel
Drive control system

Protection system I
Protection system II
Emergency switch unit (Power supply system)

Own sensors of all I&C RFM systems
Connections diagnostic
Local control panel (acquisition of the information)

Control panel (HSI)
Local control panel (HSI)

movement
area

Low speed
area

Minimum
speed
area

Emergency
zone

Low speed
area boundary

Minimum speed
area boundary

Minimum speed
area boundary

Mechanical stops

Physical boundary

(FSDA)

SYSTEM DESCRIPTION (SD)

SYSTEM REQUIREMENT EVALUATION (SRE)

SYSTEM REQUIREMENT SPECIFICATION (SRS)

System requirement specification document for RM and references to the System description document where performance of the given requirements is shown. Moreover, this document includes the information on properties and the status of requirements and system description. The document is developed in accordance with the KAA pilot.