

3.2.39. The provisions to monitor site related parameters affected by earthquakes and surface faulting, geological and volcanic phenomena, meteorological events, flooding, geotechnical hazards, hazards from biological organisms and human induced hazards (e.g. aircraft flight activities, chemical explosions, activities at nearby industrial and other facilities) should be described in this section. These provisions may be used for the following purposes:

(a) To provide the information necessary for operator actions taken in response to external events;

(b) To support the periodic safety review at the site;

(c) To develop models for the dispersion of radionuclides;

(d) To confirm the completeness of the set of site specific hazards taken into account.

3.2.40. This section should contain a description of the on‑site meteorological monitoring programme, which can potentially be used for updating meteorological data in the future, for predicting the dispersion of radioactive substances during plant operation, or for providing early warning against extreme meteorological events. The monitoring of demographic and hydrological conditions over the lifetime of the plant should also be described in this section (see SSR‑1 [5]).

3.2.41. Long term monitoring programmes should include the collection of data from site specific instrumentation and data from specialized institutions for use in comparisons to detect significant changes from the design basis, for example changes due to the possible effects of climate change.

CHAPTER 3: SAFETY OBJECTIVES AND DESIGN RULES FOR

and associated regulatory guidance, these approaches should be based on the requirements for the design of nuclear power plants established in SSR‑2/1 (Rev. 1) [3].

Safety objectives

3.3.3. This section should summarize the overall safety philosophy, safety objectives and high level principles used in the project. These should be based on the relevant safety principles set out in IAEA Safety Standards Series No. SF‑1, Fundamental Safety Principles [21].

Safety functions

3.3.4. This section should identify the plant specific safety functions that are necessary to fulfil the main safety functions and how their fulfilment is ensured by the plant’s inherent features, in accordance with Requirement 4 of SSR‑2/1 (Rev. 1) [3] and depending on the nature of the facility or activity. The corresponding SSCs necessary to fulfil those safety functions should be introduced.

3.3.5. If the main safety functions are subdivided into more detailed specific safety functions and functional criteria to facilitate their use, these should be listed here. An example is heat removal, which is a safety function necessary not only for the safety of the reactor core but also for the safety of any other part of the plant containing radioactive material that needs to be cooled, such as spent fuel pools and storage areas.

Radiation protection and radiological acceptance criteria

3.3.6. This section should describe in general terms the design approach adopted to meet the fundamental safety objective (see para. 2.1(a) of SF‑1 [21]) and to ensure that, in all plant states, radiation doses due to any radioactive release are kept below authorized limits and as low as reasonably achievable (see also paras 2.6 and 2.7 of SSR‑2/1 (Rev. 1) [3]).

3.3.7. Relevant radiological acceptance criteria for nuclear power plant workers and for the public, assigned for each plant state (normal operation, anticipated operational occurrences, design basis accidents and design extension conditions), and the consistency among the various criteria, should be introduced in this section.

General design basis and plant states considered in the design

3.3.8. The general approach to defining the design basis should be described, with account taken of operational states, accident conditions, and impacts from both external and internal hazards. The information provided should include the operational states and accident conditions under which a given structure, system or component will need to fulfil a safety function.

3.3.9. This section should describe the capability of the plant to cope with a specified range of operational states and accident conditions. Modes of normal operation of the plant should be specified. Plant states considered in the design should be listed and grouped into categories. In addition to normal operation, these categories should include anticipated operational occurrences, design basis accidents, design extension conditions without significant fuel degradation and design extension conditions with core melting.

3.3.10. The basis for the categorization of plant states (typically, frequencies or other associated characteristics) should be explained. Postulated initiating events (whether of internal origin or caused by internal and external hazards, if relevant) should be listed. This categorization should be commensurate with the content of chapter 15 of the safety analysis report.

Prevention and mitigation of accidents

3.3.11. This section should describe the measures taken to prevent and to mitigate the consequences of accidents and to ensure that the likelihood that an accident will have harmful consequences is extremely low (see paras 3.30 and 3.31 of SF‑1 [21]).

Defence in depth

3.3.12. This section should describe the approach adopted to incorporate the defence in depth concept into the design of the plant. It should be demonstrated that the defence in depth concept has been applied at all stages of the lifetime of the nuclear power plant, for all plant states and for all safety related activities, in accordance with paras 2.12–2.18 of SSR‑2/1 (Rev. 1) [3]. It should also be demonstrated that measures have been taken for adequate robustness and independence of levels. Particular emphasis should be placed on describing how the independence of safety systems and safety features for design extension conditions with core melting is approached.

3.3.13. It should be demonstrated that there are physical barriers to the release of radioactive material and systems to protect the integrity of the barriers and that measures are taken to ensure the robustness of these provisions at each level of defence in depth.

3.3.14. Where appropriate, any operator actions envisaged to be necessary to mitigate the consequences of an event and to assist in the fulfilment of the safety functions essential for defence in depth should be described.

3.3.15. Where appropriate, any off‑site support envisaged to be necessary should be described.

Application of general design requirements and technical acceptance criteria

3.3.16. This section should include a high level description of the deterministic design principles. Where aspects of the design are based on conservative deterministic principles (such as those embodied in international standards, internationally recognized industrial codes and standards, and regulatory guides), the use of such design approaches should be elaborated in this section of the safety analysis report, with reference made to the specific applicable codes and standards.

3.3.17. The scope of implementation of the single failure criterion and how compliance with this criterion is achieved in the design should be described in this section of the safety analysis report. This section should also include results from the consideration of the possibility of a single failure occurring while a redundant train of a system is undergoing maintenance or is impaired by internal or external hazards.

3.3.18. The provisions to comply with Requirements 21 and 23–26 of SSR‑2/1 (Rev. 1) [3] for protection against common cause failures should also be described in this section of the safety analysis report.
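Paras 3.3.17 and 3.3.18 ask the safety analysis report to show what happens when a single random failure coincides with a redundant train already out for maintenance or already disabled by an internal or external hazard. The following script is an added illustration of that check; it is not from this guide or from any licensee's report. The trains, rooms and capacities are constructed, a hazard is assumed to disable every train in the affected room, and the two layouts exist only to show how physical separation changes the result.

```python
"""Single failure criterion check for a redundant safety system.

Added illustration; not from the IAEA guide or any licensee's safety analysis
report. Trains, rooms and capacities are constructed for the example. One train
is assumed out for maintenance, and an internal or external hazard is assumed
to disable every train located in the affected room(s)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Train:
    name: str
    room: str        # compartment the train occupies (hypothetical layout)
    capacity: float  # fraction of the required safety function one train delivers


def function_met(trains: Iterable[Train], required: float = 1.0) -> bool:
    """True if the available trains together deliver the required capacity."""
    return sum(t.capacity for t in trains) >= required - 1e-9


def single_failure_violations(trains: List[Train], required: float = 1.0,
                              maintenance: Optional[str] = None,
                              hazard_rooms: Iterable[str] = ()) -> List[str]:
    """Names of trains whose single random failure would defeat the safety
    function, after removing the train in maintenance and every train in a
    room affected by the postulated hazard. Returns ['BASELINE'] when the
    function is already lost before any random failure is postulated."""
    hazard_rooms = set(hazard_rooms)
    baseline = [t for t in trains
                if t.name != maintenance and t.room not in hazard_rooms]
    if not function_met(baseline, required):
        return ["BASELINE"]
    violations = []
    for failed in baseline:
        survivors = [t for t in baseline if t is not failed]
        if not function_met(survivors, required):
            violations.append(failed.name)
    return violations


def worst_cases(trains: List[Train], required: float = 1.0):
    """Exhaustively combine 'one train in maintenance' with 'one room lost to a
    hazard' and return the (maintenance, room, violations) triples that fail."""
    rooms = sorted({t.room for t in trains})
    bad = []
    for m in [None] + [t.name for t in trains]:
        for room in [None] + rooms:
            v = single_failure_violations(trains, required, m,
                                          [room] if room else ())
            if v:
                bad.append((m, room, v))
    return bad


# Constructed example: four 100 % trains, so any single train satisfies the
# function. Layout A puts two trains per room; layout B separates all four.
LAYOUT_A = [Train("T1", "room-1", 1.0), Train("T2", "room-1", 1.0),
            Train("T3", "room-2", 1.0), Train("T4", "room-2", 1.0)]
LAYOUT_B = [Train("T1", "room-1", 1.0), Train("T2", "room-2", 1.0),
            Train("T3", "room-3", 1.0), Train("T4", "room-4", 1.0)]

if __name__ == "__main__":
    for label, layout in (("A", LAYOUT_A), ("B", LAYOUT_B)):
        print(f"layout {label}: combinations failing the criterion:",
              worst_cases(layout) or "none")
```

Layout A meets the criterion with no maintenance outage, but a hazard in one room combined with maintenance on a train in the other room leaves a single train, and its random failure defeats the function; layout B survives every combination. The same enumeration, run with the plant's real train list and compartment assignments, is the kind of result para. 3.3.17 asks to be presented.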

3.3.19. Any other relevant approaches aimed at ensuring safety should be specified in this section. Such approaches typically include the following, as applicable:

(a) Simplification of the design;

(b) Passive safety features;

(c) Gradually responding plant systems;

(d) Fault tolerant plant and systems;

(e) Operator friendly systems;

(f) Equipment that employs the ‘leak before break’ concept.

3.3.20. Any specific technical acceptance criteria used in the design that are associated with the integrity of individual barriers against the release of radioactive material should be listed here. If probabilistic safety objectives or criteria have been used in the design process, these should also be specified in this section.

Practical elimination of the possibility of event sequences arising that could lead to an early radioactive release or a large radioactive release

3.3.21. This section should describe the approach used to identify the conditions that could lead to an early radioactive release or to a large radioactive release and should summarize the design and operational provisions implemented to ensure that the possibility of such conditions arising has been ‘practically eliminated’ (see footnote 6 and para. 5.31 of SSR‑2/1 (Rev. 1) [3]).

6 Footnote 16 of SSR‑2/1 (Rev. 1) [3] states: “The possibility of certain conditions arising may be considered to have been ‘practically eliminated’ if it would be physically impossible for the conditions to arise or if these conditions could be considered with a high level of confidence to be extremely unlikely to arise.”

3.3.22. In this section, reference should also be made, as appropriate, to other sections of the safety analysis report where relevant confirmatory analyses are presented (e.g. chapter 15 of the safety analysis report; see paras 3.15.1–3.15.68).

Safety margins and avoidance of cliff edge effects

3.3.23. This section should summarize the approach taken to ensure adequate margins to prevent cliff edge effects relating to damage to barriers against releases of radioactive material to the environment (see para. 5.73 of SSR‑2/1 (Rev. 1) [3]).

3.3.24. This section should specifically describe the approach and assumptions for deterministic safety analyses (conservative or realistic), selected to demonstrate adequate safety margins, including the use of sensitivity studies to demonstrate the avoidance of cliff edge effects in the analyses applicable for design extension conditions.

3.3.25. The section should also describe the approach used to demonstrate safety margins for internal or external hazards. For natural hazards, it should be described how adequate safety margins are ensured for hazards that exceed those considered in the design (see para. 5.21A of SSR‑2/1 (Rev. 1) [3]).

Design approaches for the reactor core and for fuel storage

3.3.26. This section should describe the design approaches adopted to demonstrate the performance of the safety functions in the reactor and in the fuel storage areas, in particular in the spent fuel pool. These design approaches could imply differences in implementation of defence in depth, different specification of derived safety functions, different monitoring means and substantial differences in the time evolution of accidents. In accordance with Requirement 4 of SSR‑2/1 (Rev. 1) [3], shielding of the irradiated fuel elements is required. More detailed descriptions of design provisions should be included in the relevant sections of chapters 4 and 9 of the safety analysis report (see paras 3.4.1–3.4.10 and 3.9.1–3.9.24); information to be provided regarding the evolution of accidents and the availability of sufficient margins should be included in chapter 15 of the safety analysis report (see paras 3.15.1–3.15.68). Further recommendations regarding fuel storage are provided in IAEA Safety Standards Series No. SSG‑63, Design of Fuel Handling and Storage Systems for Nuclear Power Plants [22].

Considerations of interactions between multiple units

3.3.27. For multiple unit sites, this section should describe any sharing of systems among the units as well as any interconnections among the units. It should be confirmed that Requirement 33 of SSR‑2/1 (Rev. 1) [3] is met.

3.3.28. Any interconnections between units to further enhance safety should be explicitly described in this section, and the positive and negative effects of such interconnections should be explained.

3.3.29. A description should be provided of any interconnections or services provided by shared systems that will be severed when one or more units are shut down for an extended period and kept in a safe storage state (e.g. in preparation for future decommissioning). In addition, the results of analyses that consider the impact on other operating units of severing the interconnections and shared services should be provided.

Design provisions for ageing management

3.3.30. This section of the safety analysis report should define the design life of items important to safety and should describe how relevant mechanisms of ageing and wear were taken into account in the design of the nuclear power plant to ensure the adequate performance of the most important plant components. Special attention should be devoted to the reactor pressure vessel, in particular to the effects of neutron embrittlement.

3.3.31. It should be described how adequate margins are maintained, with account taken of degradation mechanisms relevant to ageing, including those caused by testing and maintenance, by plant states during a postulated initiating event and by plant states following a postulated initiating event.

3.3.32. It should be described how ageing effects caused by environmental factors (e.g. vibration, irradiation, humidity, temperature) over the expected service life of items important to safety have been considered in the qualification programme for such items. Reference should be made to a comprehensive ageing management programme (see paras 3.13.1–3.13.30).

Classification of structures, systems and components

3.3.33. This section of the safety analysis report should provide information on the approach adopted for the categorization of safety functions, for the identification of the SSCs necessary to fulfil these safety functions and for the safety classification of these items (see Requirement 22 of SSR‑2/1 (Rev. 1) [3] and IAEA Safety Standards Series No. SSG‑30, Safety Classification of Structures, Systems and Components in Nuclear Power Plants [23]). The information should include details of the following:

(a) The methodology and criteria applied for safety classification;

(b) The categorization of the safety functions;

(c) The safety classification of the SSCs;

(d) The associated engineering, design (e.g. environmental qualification, seismic categorization) and manufacturing rules for different safety classes of SSCs;

(e) The verification of the classification.

3.3.34. If there is a potential for structures or systems to interact, then details should be provided of the way in which it has been ensured in the design that a plant provision of a lower class or category cannot unduly impair the role of plant provisions with a higher classification.
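The interaction rule in para. 3.3.34 can be checked mechanically once the classification list of para. 3.3.35 and the support dependencies between items are available: walk each item's support chain and flag any support provision of a lower class, unless the interface has been justified (for example by an isolation device qualified to the higher class). The script below is an added illustration of that check; it is not from this guide or from SSG‑30. The four-level scheme, the item names and the dependency list are constructed for the example, and the treatment of unclassified support items as 'NC' is an assumption.

```python
"""Classification interaction check: does any item important to safety depend,
directly or transitively, on support provisions of a lower safety class?

Added illustration, not from the IAEA guide or SSG-30. The scheme ('1' highest,
'NC' = not classified), the plant items and the dependency list are constructed;
the real classes, items and isolation justifications come from the plant's own
classification (para. 3.3.33)."""
from collections import deque
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical ranking: a lower rank number means a higher safety class.
CLASS_RANK = {"1": 1, "2": 2, "3": 3, "NC": 4}

Violation = Tuple[str, str, str, str]  # (item, support, item class, support class)


def find_impairments(ssc_class: Dict[str, str],
                     depends_on: Dict[str, List[str]],
                     isolated: FrozenSet[Tuple[str, str]] = frozenset()
                     ) -> List[Violation]:
    """Walk each item's support chain transitively and report every support
    item whose class is lower than the item's own. A (consumer, support) pair
    listed in `isolated` is treated as a justified classification boundary
    and is not traversed further. Support items absent from `ssc_class` are
    assumed not classified ('NC')."""
    violations: List[Violation] = []
    for item, cls in ssc_class.items():
        seen = set()
        queue = deque((item, s) for s in depends_on.get(item, ()))
        while queue:
            consumer, support = queue.popleft()
            if (consumer, support) in isolated or support in seen:
                continue  # justified boundary, or already examined (cycles)
            seen.add(support)
            support_cls = ssc_class.get(support, "NC")
            if CLASS_RANK[support_cls] > CLASS_RANK[cls]:
                violations.append((item, support, cls, support_cls))
            queue.extend((support, s) for s in depends_on.get(support, ()))
    return sorted(violations)


# Constructed example: a Class 1 injection pump whose bearings are cooled by a
# Class 2 cooling water pump, itself supported by Class 3 and unclassified items.
SSC_CLASS = {
    "ECCS_pump": "1",
    "ECCS_power_bus": "1",
    "CCW_pump": "2",
    "service_water": "3",
    "instrument_air": "NC",
}
DEPENDS_ON = {
    "ECCS_pump": ["ECCS_power_bus", "CCW_pump"],
    "CCW_pump": ["service_water", "instrument_air"],
}
# A qualified isolation provision on the air line, declared by the designer.
ISOLATED = frozenset({("CCW_pump", "instrument_air")})

if __name__ == "__main__":
    print("without isolation:")
    for v in find_impairments(SSC_CLASS, DEPENDS_ON):
        print("  ", v)
    print("with the air line isolated:")
    for v in find_impairments(SSC_CLASS, DEPENDS_ON, ISOLATED):
        print("  ", v)
```

Each remaining tuple is a dependency the safety analysis report has to justify: either the support item is reclassified to the higher class, or the interface is shown to be isolated so that the lower-class item cannot impair the higher-class function. The transitive walk matters because a Class 1 item can be impaired through a Class 2 intermediary that is itself supported by unclassified equipment.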

3.3.35. A list of the main SSCs important to safety, together with their related safety functions, safety classification, seismic categorization and associated safety requirements, should be included either in an annex to, or as a reference in, the safety analysis report.

Protection against external hazards

3.3.36. An indicative list of external hazards to be considered should be provided in chapter 2 of the safety analysis report. This section of chapter 3 should provide a list of the external hazards specifically considered in the design. It should also describe the quantitative design parameters of individual hazards, relevant design criteria, codes and standards, methods of assessment, and the general design measures to ensure that the SSCs important to safety are adequately protected against the detrimental effects of the hazards considered in the plant design.

3.3.37. Hazards of natural origin and human induced hazards relevant to the given site should be described (see IAEA Safety Standards Series Nos SSG‑67, Seismic Design for Nuclear Installations [24], and SSG‑68, Design of Nuclear Installations against External Events Excluding Earthquakes [25]). As stated in para. 5.15B of SSR‑2/1 (Rev. 1) [3]: “For multiple unit plant sites, the design shall take due account of the potential for specific hazards to give rise to impacts on several or even all units on the site simultaneously.”

3.3.38. As stated in para. 5.17 of SSR‑2/1 (Rev. 1) [3]: “Causation and likelihood shall be considered in postulating potential hazards.” Combinations of events and failures, such as induced effects caused by primary external hazards, for example flooding following an earthquake, are also required to be considered (see para. 5.32 of SSR‑2/1 (Rev. 1) [3]). More generally, combinations of various types of load, including loads from randomly occurring individual events, should be considered and described here.

3.3.39. A detailed description of possible off‑site protective actions and any human interactions necessary to mitigate the impact of external hazards should be provided in chapter 13 of the safety analysis report. At the same time, the demonstration that there is adequate protection against the design basis hazard for each case should be provided in the applicable chapter of the safety analysis report.

3.3.40. General information concerning the different hazards taken into consideration in the design should be presented in this section. The detailed design information, including calculation and test results, should be included in chapters 4–12 of the safety analysis report.

Seismic design

3.3.41. The seismic design characteristics and specific design requirements applicable for the design of SSCs, including codes, standards, methodologies and basic assumptions, to be taken into account should be presented in this section (see SSR‑2/1 (Rev. 1) [3]). A description of the design solutions for SSCs to ensure compliance with the requirements should be provided in chapters 4–12 of the safety analysis report. The information provided should include the following:

(a) Seismic design parameters;

(b) Design ground motion (including levels SL‑1 and SL‑2);

(c) The applicable seismic system analysis;

(d) Seismic analysis methods;

(e) The procedures used for analytical modelling;

(f) The interaction of structures with different safety classifications;

(g) Seismic instrumentation;

(h) Arrangements for control room operator notification.

Extreme weather conditions

3.3.42. This section should present the design basis weather conditions for the extreme meteorological hazards (as identified in chapter 2 of the safety analysis report), the codes and standards applicable for the design, the methodologies with basic assumptions, and any other specific design criteria regarding loads and load combinations that need to be taken into account. A description of the design measures for ensuring compliance with the safety objectives and the design requirements should be provided in chapters 4–12 of the safety analysis report.

Extreme hydrological conditions

3.3.43. This section should present the design basis external flooding or low water level conditions and hazards, as identified in chapter 2 of the safety analysis report. This section should also describe the codes and standards applicable for the design, the methodologies and basic assumptions used, and any other specific design criteria regarding loads and load combinations that are taken into account. A description of design measures for ensuring compliance with the safety objectives and the requirements should be provided in chapters 4–12 of the safety analysis report.

3.3.44. This section should also describe the methods and procedures by which the static and dynamic effects of the design basis flood conditions identified in chapter 2 of the safety analysis report are applied to structures that are designated as providing protection against external flooding.

Aircraft crash

3.3.45. This section should specify and describe all the SSCs that are necessary to perform the functions required to attain and maintain a safe shutdown condition, or to mitigate the consequences, in the event of an aircraft crash. It should define the design basis aircraft crash characteristics, as described in chapter 2 of the safety analysis report, as well as the applicable design codes and standards, the assumptions, and any specific design criteria regarding loads and load combinations that are taken into account. A description of design measures for ensuring the required safety performance and for demonstrating compliance with the requirements should be provided in chapters 4–12 of the safety analysis report.

Missiles

3.3.46. The level of protection against all external missiles (other than aircraft) identified in chapter 2 of the safety analysis report should be included in this section of the safety analysis report. This section should specify the design basis missile hazard, provide the design basis missile data, identify the codes and standards used for the design of protective measures, and describe the methodologies and basic assumptions used as well as any specific design criteria regarding loads and load combinations that are taken into account. A description of design measures for ensuring the required safety performance and demonstration of compliance with the requirements should be provided in chapters 4–12 of the safety analysis report.

External fires, explosions and toxic gases

3.3.47. This section should describe the protection against external fires, explosions and toxic gases originating from other industrial and transportation activities. The design basis external fire, explosion and toxic gas hazards identified in chapter 2 of the safety analysis report should be described, including the codes and standards applicable for the design, the methodologies and basic assumptions used, and any specific design criteria regarding loads and load combinations that are taken into account. A description of design measures for ensuring the required safety performance and demonstration of compliance with the requirements should be provided in chapters 4–12 of the safety analysis report.

Other external hazards

3.3.48. This section should describe the protection against any other external hazards considered in the design, covering each in a separate subsection. The design basis hazards should be described, including the codes and standards applicable for the design, the methodologies and basic assumptions used, and any specific design criteria regarding loads and load combinations that are taken into account. A description of design measures for ensuring the required safety performance and demonstration of compliance with the requirements should be provided in chapters 4–12 of the safety analysis report.

Protection against internal hazards

3.3.49. This section should provide a list of the internal hazards considered in the design. This section should also include a description of the quantitative design parameters of individual hazards; relevant design criteria, codes and standards; methods of assessment; and the general design measures provided to ensure that the essential SSCs important to safety are adequately protected against the detrimental effects of all the hazards considered in the plant design to ensure safe shutdown of the plant. Design requirements for internal hazards are established in para. 5.16 of SSR‑2/1 (Rev. 1) [3], and further recommendations and guidance are provided in IAEA Safety Standards Series No. SSG‑64, Protection against Internal Hazards in the Design of Nuclear Power Plants [26]. The list of internal hazards should include the following:

(a) Internal fires and explosions;

(b) Heavy load drops;

(c) Internal flooding;

(d) Pipe whip following pipe ruptures and dynamic effects associated with high energy pipe ruptures;

(e) Internal missiles, such as those originating from rotating structures;

(f) Failures of pressurized components, supports or other structures.

3.3.50. As noted in para. 3.3.38, consideration is required to be given to combinations of internal hazards (e.g. flooding due to an internal missile) or plausible combinations of external and internal hazards.