basic concepts of nuclear safety - atoms for€¦ · the 'design extension conditions'...

IAEA International Atomic Energy Agency

BASIC CONCEPTS OF NUCLEAR SAFETY

IAEA Workshop on Severe Accident Management Guidelines 19–23 October 2015, Vienna, Austria

presented by

Tim Haste (IRSN)

IAEA

Outline

• Introduction to nuclear safety Basic facts Fundamental safety principles Defence-in-depth Safety functions Initiating events

• Plant features and behaviour Basic elements Structures, symbols and components Accident scenario classifications Acceptance criteria Plant operation and configuration Instrumentation and control

2 Basic concepts of nuclear safety

IAEA

Basic facts


The course considers light water reactors (LWRs) and pressurised heavy water reactors (PHWRs);

These can be direct cycle (steam is generated in the core and directly transported to the turbines, e.g. boiling water reactors (BWRs) or indirect cycle, where heat from the core goes to a steam generator, from which steam goes to the turbine, e.g. pressurised water reactors (PWRs), also PHWRs;

This presentation covers fundamental safety principles applicable to all types, followed by a summary of plant features and behaviour.

IAEA

Schematic of a Boiling Water Reactor


[www.usnrc.gov]

IAEA

Schematic of a Pressurised Water Reactor


[www.usnrc.gov]

IAEA

Schematic of a Pressurised Heavy Water Reactor


[www.cna.ca]

IAEA

Fundamental Safety Objective

To protect people and the environment from harmful effects of ionising radiation;

To achieve this objective, nuclear power plants are designed and operated so as to achieve the highest standards of safety that can reasonably be achieved. This includes: Control of radiation exposure;

Control release of radioactive material to the environments;

Restrict the likelihood of an accident with inadvertent release of radionuclides;

Mitigate the consequences of such an accident;

Important elements of nuclear safety are the principle of defence in depth and the definition and application of safety functions.


IAEA

Defence in depth

Defence in depth is a concept of independent and subsequent layers of safety measures; Failure of one level is mitigated by features in the next layer;

In nuclear power plant safety, multiple and successive physical barriers are provided against the escape of fission products to the environment;

This is achieved through different levels of protection, which are detailed below;

This concept is also used widely outside the nuclear sector, where the number of levels depends on the application.


IAEA

Levels of protection (1/3)

Five levels are defined: The first level deals with high quality of the reactor circuit, so that the

probability of accidents is low;

The second level should prevent deviations from normal operation to develop into accidents, by specific systems, design features and operating procedures. Such deviations may occur once or several times during plant life. Supporting procedures are Abnormal Operating Procedures (AOP), or similar other names;

The third level assumes that despite the provisions in the first and second level, accidents may occur, up to and including the design basis accidents/events (DBA, DBE);

Mitigation is done by dedicated engineered safety features, safety systems and the associated procedures, the Emergency Operating Procedures (EOPs). DBA / DBE are not expected to occur, but are postulated to determine the design basis of the plant;


IAEA


Five levels (continued): The fourth level provides protection for highly improbable accidents,

the 'design extension conditions' (DEC), notably through maintaining the containment function. Supportive procedures are the Severe Accident Management Guidelines (SAMG);

Should also level 4 fail, notably the containment, then emergency measures are taken in the environment, to protect the people and the environment, which is the fifth level.


IAEA


Event Frequency

DiD Level

Plant Condition

Objective Means Radiological Consequences

Expected During Lifetime of Plant

Level 1 Normal Operation

Prevent Failure & Abnormal Operation

Conservative Design/High Quality Construction

Operation Discharge Limits

Level 2 Operational Occurences

Control Failures & Abnormal Operation

Control, Limiting and Protection Systems, Surveillance

Operation Discharge Limits

Rare & Unlikely Events

Level 3a

Single Initiating Event

Accident Control Prevent Core Damage/ Core Melt Limit Release

Safety Systems Accident Procedures

Minor Off-site Radiological Impact

Level 3b

Selected Multiple IE

Safety Features Accident Procedures

Extremely Rare Events

Level 4 Core Melt Accident

Elimination of Large or Early Release

Safety Features for Mitigation

Protective Measure (limited in area & time)

Emergency Planning

Level 5 Significant Release

Mitigation of Radiological Impact

Off-site Emergency Response

Drastic Protective Measures


IAEA

Multiple technical and physical barriers between the fission products in the reactor core and the environment: Fuel matrix; Fuel cladding; Primary system pressure retaining boundary of the reactor

coolant; Containment;

Barriers are supported by additional retaining functions like water layers, pressure differences, filters in ventilation systems.

Barrier concept


IAEA

Important inventories of fission products

Other inventories of radioactive materials

Atmospheric release of radioactive gases and aerosols

Release of contaminated water

Fission Product Barriers

Source: AREVA


IAEA 14 Basic concepts of nuclear safety

Physical Barriers

Dedicated systems are in place to protect the integrity of each of these barriers

4th barrier

IAEA

Three fundamental safety functions must be assured: Control of reactivity; Removal of heat from the fuel rods; Confinement of radioactive materials and mitigation of releases;

A nuclear power plant has structures, systems and components (SSC) that separately or together perform these functions; Equipment is classified into items important for safety (safety systems) and those that are not; Safety systems ensure the safe shutdown of the core, the

residual heat removal from the core, or to limit the consequences of anticipated operational occurrences and design basis accidents.

Safety Functions


IAEA

Control and limit reactivity changes: Reactor core; Fuel storage;

Guarantee safe shutdown: Prevent damage to fuel elements; Keep thermal power in safe range;

Important features: Inherently safe behaviour of reactor core; Effective and reliable control rods and SCRAM function; Secondary shutdown, esp. by boron injection for LWR.

Safety Function: Control of reactivity


IAEA

Safety Function: Cooling of Fuel

Maintain coolant (water) at the fuel elements; Reliable heat sinks for (residual) thermal power in: Reactor core: Fuel storage:

Reliable heat transport: No Departure from Nucleate Boiling (DNB)

Important features: Main heat sink (condenser) and auxiliary heat sink (release valves); Integrity of primary coolant pressure boundary; Active recirculation and/or natural convection; Safety injection and heat removal systems.


IAEA

Trend of residual power with two different burn-ups

Residual Power


IAEA

Safety Function: Confinement of Radioactivity

Safely close-off potential release paths; Degradation mechanism: corrosion, stress loads, irradiation, wear & tear,

etc.

Shielding of direct radiation; No impairment of heat removal; Implementation; Designs, materials, fabrication, dimensioning with high safety margins; Recurrent testing, ageing management, preventive maintenance, etc.; Isolation equipment; Additional retention functions (filters, water layers, pressure differences); Shielding materials (concrete, water layer, etc.).


IAEA

Radiological Safety Functions

During Normal NPP operation Release limits; Direct exposure limits;

As low as reasonably achievable (ALARA);

Continuous control and supervision of radioactive materials; Controlled and predetermined release paths;

Design basis accidents DBA specific release and exposure limits; Analysis of a potential release/exposure paths;

Beyond design basis accidents (design extension) Minimize radiological impact within and outside the plant

(mitigative measures).


IAEA

Redundancy

A number of safety functions are designed for redundancy, i.e. at least one more safety system is capable of providing the requested safety function; In most reactor designs, the following systems are designed against single failure; Fast reactor shutdown; Residual heat removal from the core; Emergency core cooling; Containment isolation; Containment heat removal; Containment atmosphere control and clean-up.


IAEA

Redundant Safety Systems Example - EPR


Internal hazard (fire, explosion, missile, flooding) one division lost

External hazard (airplane crash) division 1 or 4 lost

EPR DESIGN

airplane protection

IAEA

Common Cause Failures (CCF) bypass redundancy; CCF important contributor to accident scenarios; Countermeasure: Diversity; Redundant Systems or Components (2 or more) for a safety function with Different Attributes;

Operating conditions (high pressure / low pressure); Physical methods (transducers for pressure, temperature, flow rate); Working principles (electric / combustion motor); Manufactures; Design teams;

Low Likelihood for CCF; Growing importance (actuation of protection system, pilot valves,

emergency power supply, service water supply, etc.).


Diversity

IAEA

Nuclear Safety Evolution

Design Safety Requirements have increased: Separation of redundant trains;

e.g. fire confinement;

Passive safety systems; e.g. Physical processes instead of powered (active) technical components;

Protection against hazards; Natural hazards, e.g. seismic; Man-made hazards, e.g. plane crash;

Exclusion of core melt accidents; Generation IV reactors.


IAEA

Passive Safety Systems Example – AP1000

Containment cooling relies on; Water inventory; Gravity; Natural

circulation; Residual power.


[Figure from Westinghouse]

IAEA

In the design of a nuclear power plant, a systematic approach is applied to identify a comprehensive set of Postulated Initiating Events (PIEs); All foreseeable events with the potential for serious consequences and all foreseeable events with a significant frequency of occurrence are anticipated and are considered in the design; The PIEs are identified on the basis of engineering judgment and a combination of deterministic (considers mechanistically what can go wrong) and probabilistic analysis (considers probability and can assign more weight to accidents with higher probability); They include all foreseeable failures of structures, systems and components, as well as operating errors and possible failures arising from internal and external hazards;

Postulated Initiating Events Definition (1/2)


IAEA

From these, Design Basis Accidents and Design Basis Events are selected for determining the boundary conditions which the plant must withstand, without radiation protection limits being exceeded; Some accidents beyond these latter two groups are considered in the design, to further improve safety. These include also events with fuel damage. The events are called 'Design Extension Conditions' (DEC) (also known as Beyond Design Basis Accidents (BDBAs)):

27

Basic concepts of nuclear safety

Postulated Initiating Events Definition (2/2)


IAEA

Procedure for Deterministic Analysis

Identify and categorize initiating events

Establish acceptance criteria

Establish analysis methods & codes

Perform analysis

Plant Design

Operation Limits

Data Base for Analysis

Input deck for code

Operator Action

Acceptance criteria evaluation


IAEA

Initiating Events Categorisation

Since the number of sequences for analysis leading to core damage and eventually to the release of fission products to the environment is virtually infinite, a method needs to be chosen to select a reasonable number of accident sequences, or classes of sequences. This is generally known as 'categorization' of initiating events; The most typical categories used in DBA are based on grouping by: Principal effect on potential degradation of fundamental safety

functions; Principal cause of the initiating event; Frequency and potential consequences of the event; Relation of the event to the original NPP design (for existing

plants). Analyses have to be performed to confirm that the challenges can be handled by the components, building structures, I&C equipment etc.


IAEA

Initiating Events Categorisation – examples (1/3)

Principal effect on potential degradation of fundamental safety functions leads to the following event categories, considered typically in the reactor; Increase in heat removal by the secondary side; Decrease in heat removal by the secondary side; Decrease in flow rate in the reactor coolant system; Increase in flow rate in the reactor coolant system; Anomalies in distributions of reactivity and power; Decrease in reactor coolant inventory; Radioactive release from a subsystem or component;


IAEA


Grouping by principal cause Control rod malfunctions; Interfacing system LOCA, ISLOCA; Loss of power supply; Anticipated transient without scram; External event (seismic, flooding etc.).


IAEA


Grouping by postulated initial event from internal cause; Pipe whipping (due to pipe failures); Fluid jet impingement forces (due to pipe failures); Internal flooding and spraying (due to leaks or breaks of pipes, pumps,

valves); Internal missiles from pipe breaks or due to failure of rotating components; Load drop (e.g. fuel cask); Internal explosion; Fire.

Examples of initiating event from operating experience; Data for all unexpected reactor trips during power operation at US

commercial nuclear power plants are yearly reviewed and categorized by the NRC. OECD, IAEA etc. compile lists of nuclear incidents and accidents worldwide.


IAEA

Example of operation experience feedback - France


35

DETECTdeviations, incidents

UNDERSTAND

ASSESS

CORRECT

IMPROVE

• reactivity control• fuel cooling• confinement

SAFETY FUNCTIONS

RULES

BARRIERS

CONDUCT

PRECURSOR EVENT ?

QUALITY PROCEDURES

600 safety-relevant events per year in France

IAEA

Plant Features and Behaviour - general

All plant types considered (BWR, PWR, PHWR) here have characteristics in common: Generation of heat by nuclear fission; Cooling by water; Continued generation of heat after shutdown from decay of fission

products (decay heat), declining with time; Separate systems for cooling the plant in the shutdown state (decay heat

removal system or residual heat removal system (RHR));

Provision to cool the reactor core should the normal cooling fail, e.g. caused by a loss-of-coolant accident (LOCA), called Emergency Core Coolant Systems (ECCS); In addition, there are emergency power systems (diesel generators) should

normal power supplies fail;

Containment to keep in radioactive material that might escape from the reactor core in the event of an accident. 34 Basic concepts of nuclear safety

IAEA

Design Basis - general

To define the design basis, categorisation of the plant states is made, on the basis of their frequency of occurrence: Normal Operation (NO), including start-up, power operation and shutdown; Anticipated Operational Occurrences (AOO), which are expected to occur

over the operating lifetime of the plant; Design Basis Accidents (DBA), which are not expected to occur during

plant life but are included for robustness of design and a high level of safety;

(Design Extension Conditions (DEC), which are largely hypothetical accidents beyond the DBA, which include accidents with significant degradation of the reactor core. They are considered for additional safety provisions and mitigation measures, should such accidents occur despite all measures taken to prevent them.

The design is such that for each of these classes of events / plant states equipment and procedures must be available to mitigate the consequences within predefined acceptance criteria. ;


IAEA

Design Basis – coupling with defence in depth (1/2)

The various plant states are coupled with the defence in depth concept as follows: Anticipated Operational Occurrences (AOOs) are counteracted by

measures in the defence in depth level 2; planned actions are by normal (= non-safety grade) control systems. The plant staff in the Main Control Room uses Abnormal Operating Procedures (AOPs) to mitigate their consequences and return the plant to Normal Operation;

Design Basis Accidents (DBAs) and Design Basis Events (DBEs) are a set of accident conditions /event that are derived from postulated initiating events, for the purpose of establishing the boundary conditions which the nuclear power plant shall be able to withstand, without exceeding acceptable limits for radiation protection (example, large break LOCA);

Design Extension Conditions are selected conditions beyond the DBA/DBEs, for which the NPP still has, as far as is reasonably practicable, provisions to prevent unacceptable radiological consequences. Such accidents can lead to fuel damage and fuel melt (example, station black-out (loss of all AC on-site, both normal and emergency AC generators). Another example is a seismic event beyond the plant's design basis.


IAEA

Design Basis – coupling with defence in depth (1/2)


Technical support or crisis teams

Control room staff

Authorities

Beyond-design-basis accidents

Design-basis accidents

Accident correction

Limit of operational conditions

protective systems

emergency operating procedures

severe accident management guidance

Off-Site Emergency Planning

Technical support or crisis teams

Control room staff

Authorities

Beyond-design-basis accidents

Design-basis accidents

Accident correction

Limit of operational conditions

protective systems

emergency operating procedures

severe accident management guidance

Off-Site Emergency Planning

IAEA

Requirements for plant design (1/3)

The design basis for items important to safety specifies the necessary capability, reliability and functionality for relevant operational states, as defined before, to meet the specific acceptance criteria over the lifetime of the nuclear power plant; From these acceptance criteria, a set of design limits consistent with the key physical parameters for each item important to safety is derived for all operational states. These criteria depend on the plant states such that for more frequent plant states, more strict criteria are defined; The requirement to meet release limits specified for anticipated operational

occurrences is met by designing the reactor cooling system and its regulation and control system such that no departure of nucleate boiling occurs at the fuel cladding;

For accident conditions, the release limit is transformed into a requirement on the ECCS to keep the fuel cladding temperature and oxidation below pre-specified limits;

The criteria for AOO are more stringent than those for DBA/DBE.


IAEA


Design requirements of the plant SSC are commensurate with their importance to safety. This importance to safety is reflected in allocating the SSC to various safety classes (usually from 1 to 3), with the most stringent requirements for the highest safety class. The design requirements include all aspects of design, notably pressure integrity, quality assurance (QA), seismic resistance, electrical qualification, and environmental qualification; QA is a documentary and organisational system to reach a pre-specified quality level of SSC important to safety; For example, safety systems meet requirements for redundancy (the so-called single failure principle, physical separation and independence, and fail-safe design; Support service systems that ensure the operability of equipment forming part of a safety system are also considered to be safety systems and, therefore, meet design requirements accordingly;


IAEA


The engineering design rules for items important to safety at a NPP are specified and comply with relevant national or international codes and standards and with proven engineering practices, with due account taken of their relevance to nuclear power technology. Design for safe operation over lifetime: Items important to safety for a NPP shall be designed to be calibrated,

tested, maintained, repaired or replaced, inspected and monitored as required to ensure their capability of performing their functions and to maintain their integrity in all conditions specified in their design basis;

In addition to the implementation of a qualification programme for items important to safety, the design of these items shall be determined providing appropriate margins in the design to take due account of relevant mechanisms of ageing, neutron embrittlement, wear out and other potential age-related degradation.


IAEA

Structures, Systems and Components (1/3)

The safety classification of equipment in an NPP is based primarily on deterministic methods, complemented where needed by probabilistic methods, considering: The safety functions to be performed by the item; The consequences of failure to perform the safety function; The frequency with which the item will be called upon to perform a safety

function; The time following a postulated initiating event at which, or the period of

which, the item will be called upon to perform a safety function.


IAEA



IAEA


Once the categorization of functions is completed, and SSC are assigned to one or more safety functions, these SSC should be classified for safety. In general, the following classifications should be established and be verified for adequacy and consistency: Classification of systems on the basis of the importance of the affected

safety function; Classification for pressure components, on the basis of the severity of the

consequences of their failure, mechanical complexity and pressure rating; Classification for resistance to earthquakes, on the basis of the need for

the structure or component considered to retain its integrity and to perform its function during and after an earthquake, taking into account aftershocks and their consequential incremental damage;

Classification of electrical, instrumentation and control systems on the basis of their safety or safety support functions, which may be different from the classification of other plant systems owing to the existence of field-specific, widely-used classification schemes;

Classification for quality assurance provisions.


IAEA

Accident Scenario Classifications (1/2)

These span from normal operation to design extension conditions: Normal operation, covering approach to criticality, start-up, power

operation (steady-state and load following), hot standby, hot shutdown and cold shutdown (latter may have open RCS and containment);

Anticipated operational occurrences, expected during plant life; An operational process deviating from normal operation which is expected to occur

once or several times during the operating lifetime of the power plant but which, in view of appropriate design provisions, does not cause any significant damage to items important to safety nor lead to accident conditions.

Design basis accidents, not expected to occur during plant life, but postulated to occur; Accident conditions against which an NPP is designed according to established

design criteria, and for which the damage to the fuel and the release of radioactive material are kept within authorized limits. The accidents are not expected to occur during plant life, but are postulated to occur to set the design basis.


IAEA

Accident Scenario Classifications (2/2)

Design extension conditions, unlikely Accident conditions more severe than those of a DBA, not expected during plant life

and very unlikely to happen. DECs are selected conditions beyond the DBAs/DBEs, for which the NPP still shall have provisions to prevent unacceptable radiological consequences, to the extent practical. A DEC may or may not involve core degradation.

Severe accidents, remote; An accident more severe than DBA and involving significant core / fuel degradation.


IAEA

Acceptance Criteria (1/2)

Acceptance criteria are used to judge the acceptability of the results of a safety analysis, and may: Set numerical limits on the values of predicted parameters; Set conditions for plant states during and after an accident; Set performance requirements on systems; Set requirements on the need for, and the ability to credit actions

by operators; They are commonly applied to licensing calculations, both conservative and best-estimate; For probabilistic studies, these can be compared with acceptance criteria for risk; Range and conditions need to be clearly specified; May vary according to the conditions associated with the accident;


IAEA

Acceptance Criteria (2/2)

Basic (high level) Acceptance Criteria Usually defined as limits by a regulatory body. They are aimed at achieving

an adequate level of defence-in-depth. Examples are limits to doses to the public in a DBA/DBE, or a limit set to prevent a pressure boundary failure;

Specific Acceptance Criteria May include additional margins and they are chosen to be sufficient but

not necessarily strictly meeting the basic acceptance criteria; Typically they are used to confirm that there are adequate safety margins

beyond the authorized limits to allow for uncertainties and to provide defence in depth;

May be developed by the designer and/or owner and approved by the regulatory body; or they may be set by the regulatory body itself, e.g. would be a limit on the cladding temperature in a LOCA in a PWR / BWR. For AOOs, it is often required that no departure of nucleate boiling occurs at the nuclear fuel cladding.


IAEA

Plant modes of operation – PWR (1/2)

These modes normally have different sets of EOP and SAMG Mode 1, power operation mode, power > 5% full power; Mode 2, start-up mode, power < or = 5% full power; Mode 3, hot standby, the reactor is critical and Tave greater than or equal to

165 °C (typically). RCS pressure may be above or below the pressure at which accumulators can discharge, so injection from accumulators can be affected;

Mode 4, hot shutdown, is the hot shutdown mode, in which the reactor is subcritical and RCS. Tave is typically between 165 °C and 93 °C. In this mode, any high pressure injection is shut off, accumulator discharge valves are closed, the RCS pressure and temperature are reduced to the RHR operational conditions, and the RHR is placed in service. When this is accomplished, the steam generators are removed from service, followed by shut-down of the reactor coolant pumps (RCPs);


IAEA

Plant modes of operation – PWR (2/2)


Mode 5 is the cold shutdown mode, in which the reactor is subcritical and RCS Tave is less than 93°C (typical). In this the RCS has been cooled down and steam generators are not available. During this mode: The RCS is depressurized; The steam generators are not available; they may be prepared for outage activities

(drained, filled, or placed in lay-up); Containment integrity may not be intact (generally only as necessary for outage

activities); The RCS may be drained down to mid-loop operation, in preparation to removal of

the RPV head (occurs in mode 6). The RCS pressure boundary may be opened (for example, pressuriser manway

cover and steam generator primary side manway cover).

Mode 6 is the refuelling mode. Transition is made from mode 5 to mode 6 when one or more closure head bolts are less than fully tensioned. RCS level is at mid-loop, with core cooling by the RHR system. The RPV head is removed, the fuel transfer is in preparation for refuelling. Refuelling commences.

IAEA

Plant modes of operation – BWR (1/2)

These are largely identical to the PWR modes, except that no hot standby is defined, and there is no steam generator: Mode 1, encompasses all operational states associated with power

operation; Mode 2, represents the start-up and return to full-power operation; Mode 3, represents the hot shutdown operational states. In this state,

decay heat is initially rejected by the feedwater / condensate system. If operators close main steam isolation valves and open safety relief valves to dump steam to the suppression pool, the suppression pool cooling mode of the RHR system is used. After the closure of main steam isolation valves, decay heat removal is accomplished by the RHR system in shutdown cooling mode;


IAEA

Plant modes of operation – BWR (2/2)


Mode 4 contains all the operational states associated with cold shutdown conditions. Decay heat removal is performed by the shutdown cooling mode of RHR. In this mode of operation, it is permitted to open the containment;

Mode 5 encompasses the operational states associated with reactor refuelling. In this mode of operation, both the RPV pressure boundary and containment are open. The RHR is used exclusively in shutdown cooling mode. Because the RPV water level is drained below the steam lines and steam line plugs are installed, RHR cannot be operated in suppression pool cooling mode. In this state, there can be a number of distinct configurations of relevance to SAMGs, reflecting whether the RPV and SFP are connected as a contiguous water volume and whether the RPV has been defueled.

IAEA

Instrumentation and Control – importance for safety (1/2)


In each NPP, instrumentation is provided to determine the values of the main variables which indicate the status of the fission process, the reactor core, the reactor coolant system and the containment, in order to obtain all information needed for the plant's safe and reliable operation, to determine its status in operational occurrences and accident conditions and to make decisions for the purposes of accident management; Appropriate and reliable control systems are available to maintain and limit the relevant process variables within the specified operational ranges;. Instrumentation and recording equipment is provided to ensure that the status of essential equipment to mitigate incidents and accidents is known, and to monitor the location and magnitude of possible releases; The instrumentation covers control, protection monitoring and display, and testing functions; The I&C functions provide assurance that the plant is well controlled, can mitigate the effects of plant transients or other PIEs; There are also service functions, e.g. electric, pneumatic and hydraulic power, and data communication systems.

IAEA

Instrumentation and Control – importance for safety (2/2)


Example of I&C systems important for safety

IAEA

Instrumentation and Control – design basis


Control functions are designed to provide assurance that the plant is controlled and kept within its operating envelope under normal and abnormal conditions. Control functions can also mitigate the effects of plant transients or PIEs, thereby contributing to nuclear safety by minimizing the demand on protection functions; The reactor protection system is designed such that it detects unsafe plant conditions and initiates safety actions to achieve and maintain safe plant conditions. Where limited time is available for the operators to respond, the actuation of the safety systems is automatic. It is often also designed that it overrides unsafe actions by plant personnel; For example, it is not possible to switch off ECCS injection as long as the initiation criteria for ECCS are present; For all instrumentation and control systems important to safety the design includes the environmental conditions which the system will be required to withstand, and the expected duration of operation under such conditions, for operational states and for design basis accident conditions.

IAEA

Instrumentation and Control – use in severe accidents


The instrumentation and control in presently operating plants have not been designed to operate under severe accident conditions. Some not even under DBA conditions. For example, the steam generator level measurement may change at elevated pressure in the containment and usually does not compensate for this error. Therefore, the plant parameters needed for severe accident management measures should be identified and it should be checked whether these parameters are available from the instrumentation in the plant, notably under severe accident and environmental conditions for the instruments. Hence, the qualification of all relevant instruments should be recognized that, in order to obtain the required information, the equipment may need to operate well beyond its qualified range. Alternative instrumentation should be identified where the primary instrumentation is not available or not reliable. For instruments still available, it should be checked how much the measured parameters may deviate from their values under nominal conditions.

IAEA

Conclusions


A summary of the basic concepts of nuclear safety has been presented, covering PWR, BWR and PHWR systems, in particular:

Basic facts Fundamental safety principles Defence-in-depth Safety functions Initiating events

Plant features and behaviour have also been considered; Basic elements Structures, symbols and components Accident scenario classifications Acceptance criteria Plant operation and configuration Instrumentation and control

IAEA

Acknowledgements and References


The author thanks several IRSN colleagues since they are referred to their past lectures in ENSTII and/or SARNET workshops and/or have provided invaluable comments, in particular Didier Jacquemain. Many transparencies reproduce material from the ENSTII course on introduction to nuclear safety, for example those by Andreas Weilenberg of GRS.

The following books provide further detail: • Sehgal B.R. (ed.), “Nuclear safety in light water reactors”, Academic Press

(Waltham, San Diego, Oxford, Amsterdam), ISBN 978-0-12-388446-6, 2012;

• Jacquemain D. (ed.), “Les accidents de fusion du cœur des réacteurs nucléaires de puissance; État des connaissances”, EDP Sciences, ISBN 978-2-7598-0972-1, 2013, www.irsn.fr/accident-grave (in French);

• Jacquemain D. (ed.), “Nuclear power reactor core melt accidents: State of knowledge”, EDP Sciences, ISBN 978-2-7598-1835-8, 2015, http://www.irsn.fr/EN/Research/publications-documentation/Scientific-books/Pages/Collection-sciences-et-techniques-4628.aspx .

basic concepts of nuclear safety - atoms for€¦ · the 'design extension conditions'...

Documents