
Page 1: CHAPTER C. DESIGN BASIS AND GENERAL LAYOUT SUB-CHAPTER C.1 GENERAL SAFETY …epr-reactor.co.uk/ssmod/liblocal/docs/V3/Volume 2... · 2007. 7. 31. · SUB-CHAPTER: C.1 SECTION : -

SUB-CHAPTER: C.1 SECTION : -

PAGE : 1 / 36 UK-EPR

FUNDAMENTAL SAFETY OVERVIEW VOLUME 2: DESIGN AND SAFETY

CHAPTER C: DESIGN BASIS AND GENERAL LAYOUT

CHAPTER C. DESIGN BASIS AND GENERAL LAYOUT

SUB-CHAPTER C.1 GENERAL SAFETY PRINCIPLES

1. OBJECTIVES AND SAFETY PRINCIPLES

1.1. INTRODUCTION

1.1.1. Overview

This chapter aims to describe the safety approach implemented for EPR plant unit design, taking into account requirements expressed by the French Nuclear Safety Authority in its 1993 letter regarding third generation pressurized water reactors.

Given the position of the preliminary safety analysis report, on which this Design and safety Report is based, within the licensing process for the FA3 EPR, this chapter sets out to provide both a synthesis of main reactor design requirements and a description of the main technical approach adopted to meet these requirements. It points to other chapters in the Design and Safety Report in which safety requirements applicable to the topics dealt with are set out in depth, in dedicated sections that include the "zero" reference in their numbering.

It is noted that this report is not intended as a final document, partly because detailed reactor studies for the FA3 EPR are not complete (and may lead to modifications to the design) and partly because assessment of the project by the Nuclear Safety Authorities may also lead to modifications.

1.1.2. Overall objectives

The EPR reactor (European Pressurized Reactor) is designed around a nuclear island of the pressurized water reactor system jointly developed by the French and German nuclear industries. The EPR is a third-generation reactor system and, through its evolutionary design, benefits from the international experience acquired at the PWR operational level in western countries and from French and German engineering design experience.

Compared with the previous generation of reactors, the EPR goal is to provide electrical energy at a competitive price while at the same time achieving a significantly superior safety level. Research has shown that there are no critical safety issues that would deem the current generation of reactors obsolete. On the contrary, it shows that use should be made of the several thousand reactor-years of operating experience, and that the design of the new generation of reactors should embrace the whole spectrum of knowledge acquired over the past forty years. The future use of this knowledge will enable data to continue to be collected that can be highly useful for the future of the PWR system. The benefits of this feedback also make it possible to achieve a very high level of availability for the new-generation reactor.


The safety approach at the design level is based on the concept of defence in depth which involves a stratified layering of provisions (or lines of defence) to mitigate the effects of technical or human failures.

As presented at international level and particularly in INSAG documents, defence in depth generally has a 5-level structure:

- Level 1 is a combination of design, quality assurance and control margins aimed at preventing the occurrence of abnormal operating conditions or plant failures,

- Level 2 consists of the implementation of protection devices which make it possible to detect and correct the effects of deviations from normal operation or the effects of system failures. This defence level is aimed at ensuring the integrity of fuel cladding and that of the primary cooling system so as to prevent accidents,

- Level 3 consists of safeguard systems, protection devices and operating procedures which make it possible to control the consequences of accidents that may occur, so as to contain radioactive material and prevent the occurrence of severe accidents,

- Level 4 comprises measures aimed at preserving containment integrity and controlling severe accidents,

- Level 5 includes, in the event of the failure of previous levels of defence, all measures for protecting the public against the effects of significant radiological discharges.

Attaining a significantly superior safety level for the EPR reactor is achieved, on the one hand, by facilitating reactor operation and maintenance and, on the other, by design measures to reduce the immediate and delayed consequences of accidents to members of the public (in particular the population in the vicinity of the plant) and to operating staff. Research and development activities carried out in support of the EPR design, notably on severe accidents, have contributed to the knowledge of accident phenomena and helped to enhance the safety level of the plant design.

With regard to reducing the potential consequences of incidents and accidents, defence in depth is improved in four main ways:

- By accounting for, and reducing the frequency of, initiating events (transients, incidents and accidents) liable to occur during the different states which the reactor may encounter during operation (including full power and shutdown states, and states with the core completely unloaded in the spent fuel pool). Taking internal hazards into account on a deterministic basis, in accordance with design principles similar to those used for simple initiating events, enhances the defence in depth approach,

- By taking into account external hazards at high severity levels, whether the hazards are of human origin (aircraft crashes, explosions…) or natural origin (earthquakes, extreme temperatures…). In addition to their direct effects, these hazards are studied from the point of view of other internal initiating events which they might cause,


- By taking severe accidents into account at the design stage, and implementing physical measures to ensure "practical elimination" of events and sequences that could have a significant radiological impact on the environment during the power plant’s service life. For events which cannot be prevented by design, the probability of environmental releases is minimised by strengthening the containment, and systematically identifying and eliminating conditions which could lead to containment bypass,

- By use of Probabilistic Safety Analyses (PSA) at the concept design phase to confirm the design approach and identify the multiple failure sequences that should be considered in the design basis, so as to prevent core meltdown accidents. Within this framework, an overall core meltdown frequency of 10⁻⁵ per annum per unit is set as a design objective, taking into account all types of failures and hazards.

In addition to enhancing the defence in depth approach, significant efforts have been made in the reactor design to:

- reduce production of effluents and waste from reactor operation and those arising from dismantling at the end of reactor life,

- improve reactor operation by enabling some maintenance activities to be carried out at power and by reducing operator doses collectively and individually by provisions conceived at the design stage,

- consider, in addition to nuclear hazards, all the non-nuclear risks to the environment produced by the plant.

The defence-in-depth approach to safety, and the significant improvements that have been made to EPR reactor design as a third-generation PWR system, are set out and developed in the rest of this chapter.

1.2. THE EPR DESIGN APPROACH AND PRELIMINARY SAFETY ANALYSIS REPORT CONTENTS

This Design and Safety Report is based on a translation of the public version of the FA3 Preliminary Safety Analysis Report. In order to fully understand the issues dealt with in the Preliminary Safety Analysis Report, the main design stages of the EPR programme need to be reviewed and understood.

As an "evolutionary" project based on the latest reactors in operational service in France and Germany, the EPR programme underwent a harmonisation process covering the French and German safety approaches which led to:

- publication at Safety Authorities level in July 1993 of a "joint declaration of French and German Safety Authorities on a common safety approach for future pressurized water reactors",

- publication in August 1993 of a Conceptual Safety Features Review File (CSFRF) which set out the main safety options proposed for the EPR project.

The requirements and approaches proposed in these two documents served as a basis for the "Basic Design Phase" of the project which was concluded with the submission of a synthesis report (Basic Design Report) to the French Safety Authority in October 1997.


To enhance the competitiveness of the design, the EPR designers then initiated an additional design study in the "Basic Design Optimisation Phase" (BDOP) during which important design parameters were upgraded and optimised. The reactor power output level, the installation of equipment inside the main nuclear island buildings, and the safety system design were reconsidered in the BDOP, which concluded with the submission of an updated version of the Basic Design Report to the French Safety Authority in February 1999.

The designers then undertook a final study in the "Post BDOP" phase, which involved in-depth studies of the EPR and the submission of additional information to the Safety Authority to support the technical approaches set out in the Basic Design Report. This study led to a series of formal undertakings by the designer on the technical approaches to be followed. These undertakings, together with recommendations of the French safety advisory committee (GPR/German experts) developed in sessions held in the period 19-26 October 2000, formed the framework for the EPR design.

Since then, the EPR project has undertaken further in-depth studies which featured:

- on 28 September 2004, a letter from the public authorities /3/ regarding safety options for the EPR reactor project. This letter confirmed that the Technical Guidelines should have the status of safety requirements.

- a decision to construct the first French EPR at Flamanville.

The Preliminary Safety Analysis Report (PSAR) constitutes the first complete document in support of construction of an EPR at Flamanville. In accordance with current French practice, the PSAR will be followed by a provisional safety report before the first loading of nuclear fuel is permitted. Subsequently, a final safety report will be issued when start-up tests have taken place, prior to authorising the plant’s final commissioning.

Since the drafting of the Preliminary Safety Analysis Report comes within the first part of the in-depth study phase, the studies supporting certain aspects are incomplete. For example, the Probabilistic Safety Analyses (EPS) [PSA] currently constitute a "design EPS [PSA]" since certain definitive data (such as cable runs), operating rules and other data relating to specific plant items are not yet available. The EPS [PSA] will, therefore, be completed as the detailed design progresses. The provisional safety report, and then the final safety report, will set out the updated results of the detailed EPS [PSA].

The Preliminary Safety Analysis Report is made up of twenty chapters listed at the beginning of the first Chapter. Some of these chapters or sections include the "zero" reference in their numbering (e.g. Sub-Chapter C4.0, Requirements and Considerations Common to all Internal Hazards), indicating that they contain relevant safety requirements.

The main reactor parameters used in this Preliminary Safety Analysis Report are set out in the following table in the column headed RPS EPR (4500 MWth). Also shown are values used as the basis for studies of the two versions of the "Basic Design Report" and, for comparison, those of the N4 design.


| Parameters | Unit | RPS EPR | BDR 97 | BDR 99 | N4 |
|---|---|---|---|---|---|
| Core thermal output | MWth | 4500 | 4250 | 4900 | 4250 |
| Net electrical output | MWe | 1630 | 1500 | 1750 | 1450 |
| Primary coolant pressure | bar abs | 155 | 155 | 155 | 155 |
| Vessel inlet temperature (BE) | °C | 296.1 | 291.8 | 292.8 | 292.9 |
| Core outlet temperature (BE) | °C | 330.1 | 327.1 | 330.1 | 329.8 |
| ARE temperature | °C | 230 | 230 | 230 | 229.5 |
| Loop flow rate (BE) | m3/hr | 28315 | 26520 | 28111 | 24850 |
| GV saturation pressure | bar abs | 78 | 72.5 | 74.6 | 73.1 |
| GV bundle surface | m2 | 7960 | 7308 | 8171 | 7308 |
| Vessel volume | m3 | 80 000 | 90 000 | 80 000 | 72 700 |

A more detailed comparison of the different design and operating parameters of the EPR reactor and latest-generation reactors (French - N4 and German - Konvoi reactors) is set out in Chapter B.3.

1.2.1. The defence in depth approach and the different containment barriers

1.2.1.1. The basic objectives and three safety functions

The EPR reactor design, being directly derived from currently operating reactors, is based on the implementation of the "defence in depth" principle to achieve the three safety functions of reactivity control, fuel cooling and containment of radioactive material. The design includes several levels of protection to attain this objective, including the positioning of successive physical barriers between any radioactive material and the environment.

Because the EPR design has evolved from currently operating reactors, it benefits from operational experience and, for each of the three basic safety functions, provides enhanced prevention and/or mitigation of operational incidents and accidents, and gives improved protection of the public and of operational staff. In terms of the three safety functions, the main results of this approach are set out below.

Reactivity control:

- Continued use of the passive system of gravity insertion of control rod clusters, installation of a heavy reflector at the sides of the core to enhance neutron reflection, increase of core margins by use of a lower linear power density in the fuel and use of fixed, in-core instrumentation to ensure permanent monitoring of specified core parameters,

This design aspect is dealt with in Chapter D.1


- Separation within the boration system of safety and operational functions, with creation of a system dedicated to emergency boration made up of two redundant trains, each fitted with a pump and borated water storage tank located in the fuel building. Each train is individually able to bring the reactor back to a safe state after an accident. This system is separate from the safety injection system,

This design aspect is dealt with in Chapter F.7

- Systematic search for various conditions which might lead to boron dilution of the primary coolant and inclusion of monitoring systems to stop inadvertent dilution in most situations and to preclude its occurrence in others by suitable design improvements,

This design aspect is dealt with in Chapters P.2.4, S.1.2 and S.2.4

Fuel cooling and removal of residual heat:

- Creation of a system combining the functions of safety injection and shutdown cooling of the reactor, organised into four separate, independent trains. Each train is fitted with an accumulator located inside the reactor building, injecting emergency cooling water into the primary cooling system cold legs. Outside the reactor building, each train comprises a low-pressure injection pump, a medium-pressure injection pump and a heat exchanger. In injection mode, system alignment enables water from the RIS [SIS] tank (IRWST located in the reactor building) to be injected into the primary cooling system cold legs. Alternatively, the system can be switched to cooling mode, enabling the low-pressure pumps to be supplied from the hot legs and to re-inject water into the cold legs via the heat exchanger.

This design aspect is dealt with in Chapter F.3

- Total separation of the steam generator (GV) [SG] auxiliary feedwater supply function from that used in reactor start-up and shutdown, the latter being provided by a dedicated system. The auxiliary feedwater system comprises four trains, each with its own water tank and pump, which separately supply one of the four steam generators. Two headers connecting the four trains make it possible to provide mutual emergency back-up in the event of failure of any of the individual pumps. Because the GV [SG] auxiliary feedwater system comprises four trains, it offers enhanced resistance to common cause failures, in particular those resulting from external hazards.

This design aspect is dealt with in Chapter F.6

- Installation of a heat removal function outside the containment vessel, for use in severe accident conditions. This is a two-train system, each train comprising a pump and a heat exchanger, which is capable of cooling the containment by spraying, and also cooling the corium in the corium spreading chamber. Both trains are required to begin operation within 12 hours, and to continue operating for at least two weeks following the accident. Residual heat removal may be ensured by either of the two trains after two weeks.

This design aspect is dealt with in Chapter F.2.7


- Installation of a spare borated water tank inside the reactor building to supply the reactor emergency cooling systems and the primary coolant chemical and volume control system, as well as the containment heat removal system used in the event of a severe accident. Having this tank avoids the need for external recirculation runs during accident conditions and also offers enhanced protection for the water supply following external hazards.

This design aspect is dealt with in Chapter F.3

- Improved design of the cooling system using the essential service-water and component cooling systems so as to significantly reduce the frequency of total loss of heat sink as an initiating event. The design embodies a main system organised in four separate and independent trains each fitted with a pump and a heat exchanger. In addition, the main system is backed up by a dedicated circuit comprising two trains fed by specific power supplies which enable heat from corium cooling to be removed in severe accident conditions in the event of a total loss of heat sink. The architecture of these different systems leads to an entirely new pumping station design compared with that on the existing French NPP fleet.

This design aspect is dealt with in Chapter I.2

- Finally, for conditions where fuel is partly or totally located in the fuel building, reduction of the sensitivity to unavailability of equipment. This is achieved by backing up the pumps of the two main loops of the cooling system and "practically eliminating" the risk of fuel element melting in the pool by the inclusion of a third cooling system to mitigate the effects of loss of the main cooling trains. Provisions are also implemented to prevent and/or mitigate the effect of accidental draining of the spent fuel pool.

This design aspect is dealt with in Chapters I.1.3, R.3.2 and S.2.4

Containment of radioactive material:

- provisions implemented on the EPR to contain radioactive material, mainly in respect of the reactor and connecting buildings. These provisions are set out in detail in section 1.2.1.4 within Sub-chapter C.1, which deals with design of the third barrier.

1.2.1.2. Design of the first containment barrier

The EPR reactor core includes 241 assemblies of the 17 x 17 type, each comprising 25 guide tubes and 264 fuel rods. This design uses a relatively low linear power density and helps to preserve significant core margins (during normal operation and accidents) while at the same time enabling implementation of the most efficient low neutron leakage loading patterns. The maximum targeted burnup fraction is consistent with what is scheduled to be implemented over the medium term throughout the French reactor network. This fuel is not fundamentally different in terms of technology from that currently used in the French and German reactor fleets.

An important objective of the core design is to reduce the incidence of clad cracking via pellet-cladding interaction or stress corrosion, and a design not prone to this phenomenon will be used. Use of a specifically selected cladding alloy together with the installation of new instrumentation (based on sensors uniformly distributed throughout the core) both contribute towards attaining this objective.


A fuel classification programme is currently being carried out with regard to cladding material, assembly structure and fuel pellets. This programme will make it possible over the coming years to refine the design of EPR fuel.

The range of fuel management schemes envisaged for the EPR reactor has been deliberately left wide, for optimum flexibility of future reactor operation. Benchmark forms of management envisaged are based on a UO2 core with a cycle of 12, 18 or 22 months and on a 30% MOX core with an 18-month cycle. In addition, its large core makes the EPR well suited for use of more advanced fuels, thereby optimising long-term plutonium stock management (single- and multi-recycling of Pu).

This design aspect is dealt with in Chapters D.2 to D.4 and K.3.2

1.2.1.3. Pressurised envelope design

1.2.1.3.1. CPP [RCPB] design

In line with the defence in depth approach, the primary cooling system design achieves the dual requirement of reducing the frequency of initiating events (by having larger operating margins and increased system inertia) and reducing the consequences of initiating events if they occur. Figure C.1 FIG 1 identifies improvements made to the primary cooling system relative to previous generation reactors. Upgrades cover the following components:

- Reactor Pressure Vessel 1: to accommodate a large core of 241 assemblies, the vessel has an increased diameter and is fitted with a heavy reflector around its inner circumference. The reflector is made up of a stack of twelve forged plates, which are attached to the lower core plate by a set of keys and anchor rods. This design avoids the use of welded or bolted assemblies in the vicinity of the core. The reflector reduces neutron leakage and shields the vessel, thus limiting its lifetime neutron dose. The nozzle support ring and the vessel flange are made from a single forging formed from a large single ingot, which means that it is possible to eliminate the very thick circular gasket which exists between these two components in the pressure vessels currently used in the EDF fleet. Moreover, the design of reactor internals has benefited from a detailed simulation of thermo-hydraulic phenomena in normal operating conditions and most accident conditions.

- Vessel head 2: the design of the vessel head and control rod drive mechanisms is based on that used in German units, enabling core instrumentation to be installed from the top, removing the need for associated penetrations in the vessel bottom head. The core instrumentation uses an “aeroball” system which comprises twelve nozzles for neutron and thermal instrumentation around the head. This solution is made possible by the low overall dimensions of the cluster control mechanisms (MCG) [CCM] which, in addition, do not need a forced ventilation cooling system. In all, the head is fitted with 106 penetrations (89 for the MCG [CCM] and 17 for the instrumentation), which is 28 more than on the N4 design.

- Primary coolant pump 3: the primary coolant pumps benefit from French design feedback and include adaptations to reduce the risk of erosion by cavitation, which has been experienced on the N4 design. In addition, these adaptations result in improved performance. Also, in addition to the multiple running seals at the pump shaft penetration, the pumps are fitted with a shutdown sealing device designed to reduce the risks of leakage from the primary cooling system in conditions which might cause damage to the main standstill seals (i.e. total loss of power supply or cooling water).


- Steam Generators 4: by increasing the internal volume of the GV [SGs] (in comparison to the previous generation of reactors), the effects of transients are reduced. Other improvements over the N4 design GV [SGs] (increase in the heat exchange area, saturation pressure, and improvements in fluid flow at spacer plate level…) increase the heat exchanger efficiency. In addition, the choice of material for the GV [SG] tubes has benefited from feedback from operating French plants.

- Pressuriser 5: as with the GV [SGs], increased internal pressuriser volume helps to mitigate transients. Additionally, maintaining a two-phase condition when shutting down (by gradual injection of nitrogen during depressurisation) reduces the risk of overpressure inherent in single-phase operation. Finally, changes to the spray system design reduce both nozzle loading and fatigue risk on the forged shell.

- For pressure protection in the primary cooling system, the upper section of the pressuriser is fitted with two relief lines. The first 6 enables the primary coolant to be discharged to a relief tank via automatic pilot-operated pressure relief valves. The second 7 is specifically dedicated to severe accident conditions and makes it possible to discharge part of the primary coolant in the vessel, thereby bringing the pressure below a 20-bar threshold.

- The main reactor coolant loop pipework 8 is designed and manufactured with materials and in compliance with methods which make it possible to discount a double-ended guillotine break as a design basis event. This claim is technically justified (in particular by demonstrating resistance to large through-wall defects) and makes it possible to reduce the transient stresses against which the pipework supports must be designed. This is in line with the objective of reducing initiating events. The primary cooling system design basis accident becomes a break of the largest connected pipe, i.e. the pressuriser surge line which links the pressuriser 5 to the hot leg. With regard to the manufacturing of the reactor coolant pipework, it should be noted that the cold leg is entirely single-block, thus reducing the number of homogeneous welds (9 welds per loop as against 12 on the N4 design).

- Adjustment of the relative elevations of the different components, i.e. the vessel, the primary coolant loops and the steam generators has made it possible to reduce the requirement for operating at mid-loop during shutdown phases and also gives reduced sensitivity to uncovering the core in APRP [LOCA] conditions.

Design of the primary cooling system and its components is dealt with in Chapters E.1 to E.4

1.2.1.3.2. CSP [SSPB] design

Design of the secondary cooling system also comprises upgrades which mainly affect the steam system, namely:

- Application of the concept of "break preclusion" to each of the pipe sections between the steam generator outlet and the fixed point located downstream of the main steam isolation valves. As a result, it is no longer necessary to consider the guillotine break of this pipe as an initiating event. However, the concept of break preclusion is not applied to the GV [SG] feedwater piping (9).

Page 10: CHAPTER C. DESIGN BASIS AND GENERAL LAYOUT SUB-CHAPTER C.1 GENERAL SAFETY …epr-reactor.co.uk/ssmod/liblocal/docs/V3/Volume 2... · 2007. 7. 31. · SUB-CHAPTER: C.1 SECTION : -


- All the steam relief valves, pressure relief valves and main steam isolation valves form a compact valve unit (11) the mechanical design of which eliminates the risk of consequential damage and hence the need to segregate the different components.

Design of the secondary cooling system is dealt with in Chapters J.3 to J.6.

1.2.1.4. Civil engineering structures and design of the third barrier

In the EPR reactor design, civil engineering structures must fulfil a dual function:

- protect the plant from all possible hazards, both internal and external,

- protect the environment following all accident conditions that have not been practically eliminated and in particular limit the need for protective measures in the most severe conditions.

Since the chosen EPR containment loading levels are higher than those in the currently operating French fleet:

- with regard to internal events, the structural design must take into account a low-pressure core meltdown with margins that take into account uncertainties in the knowledge of such phenomena,

- with regard to external events, the structural design must take into account the most severe loadings, whether these be due to natural phenomena such as earthquakes or extreme weather conditions, or to human activity such as explosions and aircraft crashes.

Within this framework, a dedicated chapter has been included in the EPR RPS [PSR] aimed at:

- drawing up an inventory of the different components of standard structures or sites (including metal structures) in the EPR nuclear island,

- setting out detailed safety requirements to be built into the design,

- introducing the design code used (ETC-C) and listing the main corresponding civil engineering criteria.

The requirements and design bases chosen for civil engineering structures are set out in Chapter C.5.0.

The third containment barrier constitutes the final protection against radiological consequences arising from accident conditions in the event of failure of the first two barriers, in particular following core meltdown. In such conditions, protection of the public living in the vicinity of the plant and compliance with corresponding radiological requirements are based on a set of constructional provisions applied to buildings, equipment and systems termed the containment function.

These constructional provisions are aimed at ensuring that radioactive products are retained inside the buildings in question. These include the reactor building itself and any connected buildings which are liable to be contaminated. Containment integrity requirements are thus defined for all buildings concerned in the different accident conditions.


The main provisions for containment of radioactive materials and protection thereof are shown in figure C.1 FIG 2.

1.2.1.4.1. Containment description

With regard to the reactor building, the design chosen is based on the concept of a concrete double-walled containment similar to that used for the latest-generation reactors in the French network. These have been upgraded to enhance defence in depth, mainly as a result of taking into account phenomena linked to low-pressure core meltdown. Individual upgrades are described below. The numbering refers to figure C.1 FIG 2:

- A metal liner is included, covering the whole internal face of the inner containment (1) so as to guarantee very low leakage; the space between the inner and outer (2) containments is maintained at negative pressure, enabling any leakage from the inner containment to be collected and filtered before discharge into the atmosphere.

- All leakage paths liable to place the inside of the containment in direct contact with the external environment are eliminated. All containment penetrations (3) emerge into connecting buildings so that any leakage may be dealt with.

- Additional water capacity is installed inside the containment, in particular to improve control of both design basis and severe accidents. This additional capacity (the In-containment Refuelling Water Storage Tank, IRWST (6)) makes it possible to supply the dedicated systems located in the Safeguard Building (BAS) rooms (7) by direct suction from the separate sumps (8), so that no switchover from an external tank to the sumps is needed on going to recirculation, thereby limiting the possibility of failure linked to that switchover.

- A system is provided to recover and spread the corium (9) resulting from core meltdown and its release from the vessel at low pressure. In terms of civil engineering, this system consists of a channel which directs the gravitational flow of corium into a large spreading chamber whose floor is covered with a layer of sacrificial material that protects the raft foundation. The thickness of the raft foundation has been increased, thereby preventing penetration by corium. After spreading has occurred in the spreading chamber, the chamber is flooded with water from the IRWST. This takes place passively, triggered by the heat given off by the corium.

- The inner containment (and its prestressing) design takes into account the effects of pressure (and temperature) in the different core meltdown scenarios considered. In particular, the effects of an explosion of the maximum quantity of hydrogen produced under such conditions are included.

- An active system is included for ultimate cooling of the containment, based on containment spray and removal of residual heat from the corium using the IRWST water. This system is composed of two identical cooling trains aimed at removing residual heat from the containment without the need for venting. Operation of both trains is required during the first two weeks following the accident, with a single train having adequate capacity thereafter.


- Additional margins are introduced into the containment design by defining two "grace periods". The first period applies to the inner containment and is aimed at ensuring containment leak-tightness for a twelve-hour period after the beginning of the core meltdown scenario, without operation of the ultimate containment cooling system referred to in the previous paragraph. The second grace period applies to the inter-containment space. It is achieved by designing the inner and outer containments so as to ensure a grace period during which the inter-containment space remains at negative pressure even if the inter-space ventilation fails when the accident occurs.

- Finally, in order to enhance radiation protection for staff during permitted maintenance access to the reactor building during operation, two zones have been created inside the containment. The first zone (Z1) includes the whole of the primary cooling system and is considered inaccessible during power operation. It is isolated from the rest of the containment (zone Z2) by extremely thick concrete shells or metal protective devices, depending on the location. In the event of an accident, these devices open so as to make the whole free volume of the containment available and prevent hazardous gas concentrations (notably of hydrogen).

Containment design is set out in Chapter C.5.1.

1.2.1.4.2. Inner containment design

The metal liner anchored to the inner containment makes it possible, within the containment function itself, to separate the leak-tightness requirement from the mechanical ability to withstand internal pressure. With this approach, the metal liner provides leak-tightness, and the pressure capability is ensured by the pre-stressed concrete inner containment. This design is similar to that implemented in the French 900 MWe plants.

Allowing for the experience gained in designing such containments, the EPR design has been based on the concept of a design pressure, a maximum test pressure and a leaktightness pressure.

The design pressure is the basis for the design of the entire civil structure, and specifically of the pre-stressed concrete. It envelops all pressures occurring under design basis transients, incidents or accidents (Plant Condition Categories PCC 2 to 4) and under multiple-failure or core melt accidents (Risk Reduction Categories RRC-A and RRC-B). On the basis of the relevant studies, a design pressure of 0.55 MPa absolute has been adopted for the EPR inner containment.

To demonstrate that the design and construction of the inner containment are satisfactory in terms of both leaktightness and pressure capability, an initial test is performed at ambient temperature. The test takes place at a gradually increasing containment pressure, with a series of pressure holds and associated measurements. The containment leakage rate is measured at the design pressure, i.e. 0.55 MPa absolute. The test is then extended to a pressure of 0.6 MPa, which is termed the maximum test pressure. This increased test pressure takes account of the effects of temperature on the steel liner and of the thrust exerted by the liner on the concrete structure at the maximum temperature reached under accident conditions (170°C). The stresses measured at this pressure serve as justification of the pressure capability of the inner containment (1).

(1) It should be noted that the pressure values indicated here only concern pre-operational containment acceptance tests. They in no way give any advance indication of the pressure values to be chosen for periodic containment tests.


To reinforce the defence in depth aspects of the design, the verification programme is extended beyond the design pressure, to the leaktightness pressure for the inner containment. This confirms the existence of margins in the design, and is an extension of the approach developed in the Basic Design Report. It enables the leaktightness of the containment to be confirmed in extreme core meltdown accident conditions for which phenomena exacerbating the risk have been taken into account. The leaktightness pressure is set at 0.65 MPa absolute.

Figure C.1 FIG 5 sets out the different pressure values taken into account in the EPR inner containment design.

1.2.1.4.3. Buildings contributing to the containment function and containment bypasses

Since the installation is designed in such a way that all penetrations emerge into connecting buildings, these buildings play an important role in containing radioactive products. The buildings concerned are the four divisions of the Safeguard Building (BAS), the Fuel Building (BK) and, to a lesser extent, the Nuclear Auxiliary Building (BAN) (schematic diagram C.1 FIG 2). These buildings therefore have leaktightness requirements for the situations in which they may be called upon. In addition, in order to calculate radiological consequences (1.2.3.5 within Sub-chapter C.1), leakage rates for these buildings are defined so as to make it possible to assess the environmental consequences of design basis accidents and severe accident conditions simply and globally. These leakage criteria are not intended for on-site measurement during EPR equipment and system acceptance tests.

Identifying and eliminating potential routes for containment bypass has utilised feedback from studies of the existing EDF fleet, taking account of features specific to the EPR. As part of the in-depth studies, three groups of potential bypasses have been noted and analysed, namely:

- bypasses caused by initiating events on systems connected to the primary cooling system due in particular to failure of isolating valves. The main systems concerned are the RIS/RRA [SIS], the RCV [CVCS] (Chemical and Volume Control System) and the primary sampling system,

- bypasses caused by accident sequences such as an RTGV [SGTR] where a safety valve is stuck open,

- bypasses resulting from severe accidents or core meltdown sequences, such as single or multiple RTGV [SGTRs] induced by the severe accident.

Some of these bypasses are excluded by specific design provisions. Others are controlled in such a way as to prevent them leading to a core meltdown situation (e.g. failure of the RIS/RRA [SIS] system in RRA mode).

This design aspect is set out in Chapters F.2.1, R.1 and S.2.4.

1.2.1.4.4. Containment adapted to shutdown states and spent fuel management

The containment study also covers conditions in which the primary cooling system is open and the core is unloaded and stored in the fuel building pool. For these open conditions, equipment access hatch reclosing times have been defined on the basis of transient analysis.

For conditions where the core is totally unloaded and cooled in the BK pool, a dedicated cooling system has been designed to achieve "practical elimination" of core meltdown in the BK.


Risks of rapid draining of the pool are also taken into consideration. Constructional provisions have been retained to ensure "practical elimination" of core meltdown in the BK following such occurrences.

In addition, the design of the systems used during reactor shutdowns, and in particular during fuel handling operations, embodies feedback from events that have occurred throughout the existing French reactor fleet. For example, the fuel-handling machine is fitted with a device which prevents fuel assembly positioning errors during reloading operations.

This design aspect is set out in Chapters I.1 and R.3.2.

1.2.1.4.5. Design of structures shared by the nuclear island

The raft foundation and the shell which affords protection from aircraft crashes are two structures shared by all, or a large part, of the nuclear island. They are built on the following principles:

- The raft foundation is cross-shaped with a side length of approximately 100 metres. It constitutes the shared base for the reactor building, the fuel building and the four BAS (Safeguard Building) divisions. Its great thickness ensures the relative stability of the buildings it bears. In addition, in the region of the reactor building, it houses the corium recovery and cooling arrangements,

- The aim of the aircraft shell is to protect the reactor building, the BK and Divisions 2 and 3 of the BAS against military and commercial aircraft crashes. It consists of an extremely thick concrete shell covering the roofs and surrounding the exterior walls of the BK and of BAS Divisions 2 and 3. For BAS Divisions 1 and 4, the vertical walls of the reactor building's outer containment provide the protection against aircraft crashes.

This design aspect is set out in Chapters C.5.0 and C.5.4.

1.2.2. Integrating operation and maintenance into the design: architectural effects

1.2.2.1. Preventive maintenance

A design based on four safety trains means that maintenance is possible on one of them while the reactor is at power. Note that this maintenance unavailability is taken into account in the accident studies. Application of the two-zone concept to the reactor building, mentioned above, enables planned maintenance operations in this building to be prepared and completed over a period of ten days organised around a refuelling outage. The "two-zone" concept is described more fully in the section relating to the ETY system, Chapter F.2.4.

The fact that maintenance may be partially carried out during power operation contributes to maintaining safety by smoothing the workloads on maintenance teams during shutdowns and enhancing plant availability.

Maintenance operations that are scheduled around shutdowns have been subjected to a review aimed at improving working conditions for staff. As an illustration, the diameters of the access openings to the primary and secondary sides of the steam generators have been increased in relation to those on the N4 plant, to facilitate access for staff and inspection equipment.


This design aspect is set out in Chapter M.2.

1.2.2.2. Radiation protection

Reducing occupational exposure of workers has been targeted by means of an optimisation process at the design stage based on feedback from the French PWR fleet. In this respect, the ALARA approach is being implemented by taking account of feedback from the best plants in the French fleet. This makes it possible to define an ambitious collective dose objective. The Preliminary Safety Analysis Report presents a first estimated assessment of collective dose.

This first assessment will be fine-tuned during the detailed design phase to ensure that the collective dose objective has been achieved. Reduction of individual doses is achieved by focusing optimisation actions on those activities with a relatively high dose burden. This assessment requires identification of radioactive sources as well as design enhancements. As an illustration:

- the vessel head is designed so that Control Rod Drive Mechanisms (CRDMs) are replaced via a bolted connection between the casing flange and an adapter flange, which reduces the dose received by staff during such operations 40-fold.

- placing a concrete floor at the top of the pressuriser at safety valve level, together with the installation of anti-condensation heaters (enabling an automated dismantling process), reduces the dose associated with the corresponding maintenance operations 5-fold.

This design aspect is set out in Chapter L.

1.2.2.3. Human factor engineering

Human factors are taken into account in the design on the basis of a human factor engineering work programme which includes:

- operating interfaces: in particular, the main control room (MCP),

- rooms, buildings and equipment in which maintenance and operating actions are carried out locally,

- operating documents.

These design aspects are dealt with in Chapter G of this safety report with regard to Instrumentation and Control, in Chapter M with regard to plant unit operation and in Chapter Q with regard to overall human factor engineering.

1.2.3. Design scope

1.2.3.1. Controlling single initiating events

The design safety approach applied to the EPR requires consideration of a limited number of representative events and enveloping conditions liable to be encountered during operation and various associated reactor states. These initiating events are grouped together in several categories based on their estimated frequency of occurrence and their impact on the environment.

On this basis, four Plant Condition Categories of events (PCCs) are identified, namely:


- PCC1 including all normal operating conditions,

- PCC2 grouping all design basis transients,

- PCC3 grouping all design basis incidents,

- PCC4 grouping all design basis accidents.

Identification of these events and their classification by category focuses the design of systems intended to control them and to prevent unacceptable consequences for the plant or the environment.

Since the EPR is a new design, the list of events taken into consideration for its design basis is drawn up in accordance with the process shown in figure C.1 FIG 4, which follows the stages set out below:

- As an "evolutionary" reactor, an initial list of EPR design basis conditions was drawn up prior to the Basic Design phase in accordance with guidelines adopted for the design. Full account was taken of the schedules of events considered for the latest PWRs of French and German design. Compared with these reference reactors, the initial EPR schedule and grouping of events reflects a desire to reduce the frequency of initiating events.

- During Basic Design (BD), this schedule also underwent changes as a result of in-depth studies and development of the EPR design. Further changes were made to respond to requirements arising from the French Safety Authority's project review. This development included precise definition of the various reactor states and consideration of events likely to occur in peripheral buildings. Certain events found to be unrepresentative of the developing EPR design were also excluded. Ultimately, a schedule of postulated events was produced at the end of the BD process to serve as input for the Detailed Design (DD) studies. The specification of some events may require definition of equipment reliability criteria for systems participating in prevention and mitigation. Still others may be excluded from the schedule, and subjected to specific analysis.

- The above process led, at the end of the Basic Design phase, to a schedule of events and detailed supporting documentation that has been reviewed by the French Safety Authority (ASN). The safety analysis set out in this document is based on this schedule.

Chapter P describes the initiating events included in the schedule, the assumptions made in associated studies and the safety analysis performed for each event. This analysis is supplemented, for any event with the potential for radiological release, by calculation of its radiological consequences and confirmation that it meets the appropriate criteria.

Those events which were "excluded" from the schedule during any of the stages in the process described do not, in principle, require any safety analysis. Nevertheless, in line with the defence in depth philosophy, they have been analysed, using realistic assumptions. The outcome is set out in Section 3 of Chapter S.


1.2.3.2. Risk reduction: prevention of core meltdown

This is the first stage for reducing risks. Risk Reduction Category A (RRC-A) contains combinations of events (i.e. sequences) including multiple failures, which are liable to lead to core meltdown. The list of multiple-failure conditions proposed in this report is based on a probabilistic approach using the design EPS [PSA]. The list will be reviewed if necessary during the course of in-depth studies when the EPS [PSA] is updated.

Various technical provisions are designed and installed to prevent core meltdown and restrict the consequences to acceptable levels. In certain cases, these provisions consist solely of operator actions.

This design aspect is set out in Chapter S.1.

1.2.3.3. Risk reduction: control of core meltdown

This is the second stage in risk reduction. It is based on the safety analysis of four postulated low-pressure core meltdown sequences which are not covered by "practical elimination" provisions. These different sequences assist in defining means of cooling the molten core outside the vessel, and designing the containment cooling system without the need for venting.

They also help to define the instrumentation required by the operators and the emergency response team to manage this type of condition, and to specify the conditions for qualifying the equipment required to achieve the safety objectives.

This design aspect is set out in Chapter S.2.2.

1.2.3.4. "Practically eliminated" conditions

Conditions covered by specific treatment leading to their "practical elimination" are those which are liable to give rise to significant early discharges; mainly high-pressure core meltdown sequences. The following sequences are particularly considered in this approach:

- high-pressure core meltdown and direct containment heating sequences,

- prompt criticality accidents,

- steam explosion phenomena inside and outside the vessel,

- hydrogen explosions,

- containment bypass,

- fuel meltdown in the spent fuel pool.

Demonstrating that these conditions are "practically eliminated" is based on a set of deterministic and probabilistic considerations, taking into account uncertainties due to limited knowledge of certain physical phenomena.

At the end of the level 1 EPS [PSA], a macroscopic quantification of the risk of discharge into the environment (EPS [PSA] N1+) was carried out. The identified sequences were classified into three groups, namely:

- low-pressure core meltdown sequences with mitigation available (PDS1). These sequences do not lead to any significant discharges into the environment.


- low-pressure core meltdown sequences combined with a containment cooling system failure (PDS2). These sequences are assessed to lead to late loss of containment and consequently to significant discharges.

- core meltdown sequences with premature loss of containment (PDS3). These sequences must be "practically eliminated".

To illustrate the connection between these sequences and the overall approach to controlling severe accident sequences, figure C.1 FIG 5 presents the range covered by each of these three sets of sequences shown on a graph of pressure changes inside the containment versus time.

At the current Preliminary Safety Report stage, the level 2 EPS [PSA] is being implemented to confirm that the PDS3 sequences are practically eliminated.

This design aspect is set out in Chapter S.2.4.

1.2.3.5. Hazards

The defence in depth approach requires that all internal and external hazards liable to affect reactor safety should be taken into consideration at the design stage.

1.2.3.5.1. Internal hazards

Internal hazards taken into account at design stage are as follows:

- fire, by taking into consideration the three protective elements, namely (i) prevention (using low-combustible materials, implementing specific installation rules and assigning potential fire sources to fire sectors and zones), (ii) detection (via rapid identification of the detection point and triggering of the alarm) and (iii) fire-fighting by local operators, by installed fire protection systems and by mobile fire-fighting units,

- flooding, by taking into consideration potential sources such as plant leakage (pumps, valves, tanks, etc.), fractures of or cracks in piping, tank overflows, failure of certain tanks, or spraying by fire-fighting systems,

- fractures in high-energy piping, tanks, pumps and valves which might cause consequential damage and additional faults. Effects considered are pipe-whip, the impact of hot jets and sprays of water or radioactive material. Flooding from these sources is covered in the previous paragraph,

- internal missiles generated for example by the ejection of mechanical items under pressure such as control rods, pressuriser heaters, temperature and pressure probes, valve devices and via failure of rotating equipment (e.g. pumps and turbines),

- internal explosions: the following potential sources of explosion are considered: internal system explosions, explosions inside buildings caused by the release of explosive gases from internal systems, and explosions outside buildings caused by the breach of pressurised containers or release from a system,

- dropped loads generated by failure of handling equipment during lifting and transportation within the plant.


Consideration of these hazards results in installation rules and/or internal protection provisions applied to each of the buildings concerned. At the end of the design phase, a confirmatory study verifies that the plant is resistant to the identified hazards. This study is carried out for each of the buildings concerned, using rules similar to those applied to initiating events (i.e. assuming a single failure in addition to the plant unavailability due to preventive maintenance operations).

This design aspect is set out in Chapter C.4.
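As an added worked example (not code from the UK-EPR report), the following Python script applies the sizing rule that underlies both the four-train design described in 1.2.2.1 and the hazard study above: one train is assumed unavailable for preventive maintenance, one further train is lost to a single failure, and a hazard removes every train in the division it affects. The script enumerates all such combinations and reports the bounding case. The one-train-per-division layout, the hazard footprints and the "at least one train survives" success criterion are assumptions constructed for the illustration, not values taken from the report.

```python
"""Worst-case redundancy check for a safety system of N trains.

Added example, not code from the UK-EPR report. It applies the rule stated
for hazard and initiating-event studies: one train is out for preventive
maintenance, one further train is lost to a single failure, and every train
in the division affected by the hazard is lost as well. The division layout,
the hazard footprints and the success criterion are constructed assumptions.
"""
from itertools import product

# Constructed layout (assumption): one train of the system in each of the
# four safeguard divisions, numbered 1..4; a three-train variant for contrast.
FOUR_TRAINS = {"train1": 1, "train2": 2, "train3": 3, "train4": 4}
THREE_TRAINS = {"train1": 1, "train2": 2, "train3": 3}

# Constructed hazard footprints (assumption): the divisions each postulated
# hazard disables. A fire confined to one fire sector takes out one division;
# a hazard breaching two adjacent divisions takes out both.
HAZARDS = {
    "fire confined to one division": [{1}, {2}, {3}, {4}],
    "hazard spanning two adjacent divisions": [{1, 2}, {2, 3}, {3, 4}],
}


def surviving_trains(trains, lost_divisions, in_maintenance, single_failure):
    """Trains still available once the hazard, the maintenance outage and the
    single failure have all been applied."""
    return sorted(
        name for name, division in trains.items()
        if division not in lost_divisions
        and name not in (in_maintenance, single_failure)
    )


def worst_case(trains, footprints):
    """Enumerate every hazard footprint x maintenance train x failed train and
    return (fewest surviving trains, bounding combination, survivors).

    The single failure is placed on a train other than the one in maintenance:
    failing an already unavailable train never produces the bounding case."""
    worst = None
    for lost, maint, failed in product(footprints, trains, trains):
        if maint == failed:
            continue
        left = surviving_trains(trains, lost, maint, failed)
        if worst is None or len(left) < worst[0]:
            worst = (len(left), (sorted(lost), maint, failed), left)
    return worst


def meets_criterion(trains, hazards, required=1):
    """For each hazard, does at least `required` train survive the bounding
    combination? Returns {hazard name: bool}."""
    return {name: worst_case(trains, footprints)[0] >= required
            for name, footprints in hazards.items()}


if __name__ == "__main__":
    layouts = (("4 trains", FOUR_TRAINS), ("3 trains", THREE_TRAINS))
    for layout_name, layout in layouts:
        for hazard_name, footprints in HAZARDS.items():
            n_left, (lost, maint, failed), _ = worst_case(layout, footprints)
            print(f"{layout_name}, {hazard_name}: {n_left} train(s) left "
                  f"(divisions lost {lost}, maintenance on {maint}, "
                  f"single failure on {failed})")
```

Run as a script it prints the bounding combination for each layout and hazard. With four trains and a hazard confined to one division exactly one train survives, which is what permits maintenance on one train at power; three trains, or a hazard that spans two divisions, leave none, so either the layout or the hazard protection would have to change.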

1.2.3.5.2. External hazards

Within the context of plant design and safety, a brief description of the consideration of external hazards is set out below.

- Earthquakes are taken into account by considering design seismic motions in the form of a range of spectra known as "EUR", set at 0.25g or 0.15g depending on whether they are applied to the conventional part of the nuclear installation or to site structures. These spectra are used as a load combination in the design of safety-related structures and equipment. The design process is supplemented by a safety analysis which aims to ensure that the assessments are in line with requirements (including checking of seismic margins) and also to check that single or multiple equipment failures under earthquake conditions entail no unacceptable consequences.

- Aircraft crashes. The risks resulting from air traffic are taken into consideration by dividing such traffic into three types of aircraft, namely general aviation (aircraft weighing less than 5.7 tonnes), military and commercial. The probability of an unacceptable release at the site boundary following such a hazard serves as a basis for defining the load combination for plant design.

For the current French fleet, general aviation is characterised by two representative aircraft (CESSNA 210 and LEAR JET 23), and postulated crashes of these aircraft are used when designing the protection. Military and commercial aviation are excluded on probabilistic grounds.

For the EPR, the aim of significant safety enhancement has led to a more general consideration of the risk of aircraft crash (i.e. military and civil aviation) regardless of the probability of the event occurring. Critical plant is protected either by physical separation or by the existence of a physical screen known as an "aircraft shell". Detailed requirements for protection against aircraft crash are set out for each of the buildings concerned in Chapter C.5.0.

- External explosions: events linked to local industrial installations and communication routes. A standard load combination is defined to represent the incident pressure wave generated by the explosion. For the buildings to be protected, multiplication coefficients are applied to the incident wave to take into account possible reflections from surrounding structure walls. In addition, an analysis is carried out to check that design provisions are adequate from a safety viewpoint.

- External flooding: the setting of levels is designed to provide suitable margins, taking due account of flood levels reached in the past and the potential effects of climate change. The approach incorporates operating feedback from events experienced in the EDF fleet to take account of unknown factors (swells, rains etc.) in addition to those defined in safety rules.

- Rises in water table level are considered within the scope of external flooding either as one potential cause of flooding or as a contributory factor.

- Extreme weather conditions (temperature, snow, wind, rain etc.): the effects of direct loads on structures and equipment, and the potential for hazards (e.g. wind pressure on walls or the generation of heavy missiles), are considered. Load combinations are defined for each of the phenomena in question, taking into account general conditions of plant installation such as, for example, location by the sea. The installation's design with regard to detailed site-specific factors will then be checked.

- Lightning and electromagnetic interference are considered in line with applicable regulations. Rules covering the design and installation of sensitive equipment (mainly electrical) are defined and implemented in such a way as to protect them, for instance via screens for cabling & wiring or meshes for termination design.

- Drought and ice formation are taken into account within the scope of extreme weather conditions for the sites in question.

- Toxic, corrosive or flammable gases: events linked to local industrial installations and communication routes. Other consequences of this type of event, related to the specific site, are taken into account, such as fires outside the site.

Overall, protection from external hazards is ensured by defining the load combinations to be applied to plant, systems and structures which may be affected. For certain external hazards, the "load combination" approach may be supplemented by an initiating event approach.

This design aspect is set out in Chapter C.3.

1.2.3.5.3. Other hazards taken into account

In addition to hazards listed in 1.2.3.5.1 and 1.2.3.5.2 within this Sub-chapter, the EPR plant design takes into account other hazards resulting from acts of malicious intent.

With regards to such hazards, the installation is protected via a series of provisions corresponding to the principles of defence in depth aimed at:

- Preventing malicious acts by ensuring that the installation is placed under permanent surveillance. Some of these measures are visible whilst others are covert.

- Physically protecting the plant from different potential threats. Some elements of this protection are intrinsic provisions designed to provide protection against non-malicious external hazards (such as physical separation of redundant systems or "bunkerisation" of parts of the nuclear island). In addition, there are specific provisions aimed at excluding potential assailants from sensitive zones (such as fences around the plant).

- Making provision for and organising measures (similar to an emergency plan) aimed at limiting the consequences of malicious acts in the event that they occur.

Hazards of a malicious nature taken into account in the EPR design are defined by national civil authorities. Such hazards are taken into account by the designer. The design and analysis of counter-measures are examined by and agreed with the civil authorities.

Details of the protection of the plant and local population against acts of malicious intent are dealt with in specific documents outside this Design and Safety Report, for reasons of confidentiality.

1.2.3.5.4. Multiple hazards

Feedback on external hazards at both national and international level has underlined the fact that the plant operator may be confronted with multiple hazard situations, as illustrated by the incident at the Blayais power plant.

For the EPR, different potential combinations of hazards are analysed, based on evaluation of operating feedback. The analysis takes into account:

- combination of physical phenomena inherent in the hazard itself,

- combination of the hazard in question with potentially dependent events or internal or external hazards,

- combination of the hazard with independent internal or external initial conditions.

This approach enables a certain number of hazard combinations to be identified and subsequently taken into account in the EPR design.

This design aspect is set out in Chapter C.3.1.

1.2.4. Radiological consequences

1.2.4.1. Conditions chosen for assessing radiological consequences

The assessment of radiological consequences must demonstrate the ability of the plant to contain radioactive materials, for all design conditions.

With regards to the reactor, the conditions taken into account in the plant design are set out in the safety analysis report and are as follows:

- operating conditions with a single initiating event (PCC2, 3 and 4):

o the majority of these conditions are linked to the nuclear steam supply system and are chosen to maximise the demand on the three basic safety functions, namely controlling core reactivity, removing residual heat and containing radioactive materials.

o certain conditions, which place a demand only on the containment function, are studied purely from the aspect of radiological consequences (e.g. fuel handling accidents in the fuel building, or failure of the gaseous waste treatment tank).

- operating conditions with multiple failures (RRC-A)

- hypothetical severe accidents corresponding to RRC-B low-pressure core meltdown sequences.

- hazards.

In the safety analysis report, PCC 2, 3 and 4 events, RRC-A accidents and RRC-B severe accidents are assessed for radiological consequences. Thus, on the basis of system integrity and filtration, the containment of radioactive products is ensured. This is confirmed by comparing assessed doses with the project objectives (see subsection 1.2.3.3.2 above), so as to check that design provisions are appropriate.

Hazards are not studied as specific scenarios in accident studies, but as loading conditions applied in the design of safety systems. In addition, accidents which do not affect the nuclear steam supply system are studied purely from the aspect of radiological consequences (i.e. to confirm the containment function). These accidents include all events (whether of internal origin or hazards) potentially affecting any part of the installation which may contain radioactive materials outside the nuclear steam supply system process. Resulting doses are compared to design operating condition objectives.

At this preliminary safety analysis report stage, the approach involves presenting analysis of the radiological consequences of a set of enveloping transients.

1.2.4.2. Objectives related to assessing radiological consequences

For the EPR project, requirements concerning the radiological consequences of accidents (including severe accidents) have been set at the design stage.

With regard to design basis accidents (PCC3 and PCC4), the principle chosen and specified in the Technical Guidelines /2/ is expressed as follows:

There should be no requirement for protective countermeasures for the public living nearby: i.e., no evacuation, no need for sheltering and no need for distribution of iodine tablets.

In accordance with these objectives, an estimate of the doses received by the population over a short-term period (7 days) and at the site boundary (500 m) is required in practice. A check is made to ensure that doses do not exceed the following values, the demonstration taking account, where necessary, of permitted restrictions on the consumption of certain foodstuffs:

- effective dose < 10 mSv

- equivalent dose to the thyroid < 100 mSv

In the EPR design, no distinction is made between acceptability criteria for the radiological consequences of PCC3 and PCC4 accidents. There is consequently convergence between the EPR project’s PCC3-4 criteria and category 3 criteria for currently operating plants, whereas for category 4 accidents, the level of requirements is more demanding for the EPR than for currently operating plants.

This design aspect is set out in Chapter P.3.

With regard to severe accidents, particular attention has been paid to phenomenological understanding and assessment of consequences at the design stage. Requirements (/2/) are aimed at limiting the impact of any severe accident over time and area, including:

- Limited need for sheltering,

- No need for emergency evacuation beyond the immediate vicinity of the power plant,

- No permanent relocation,

- No long-term restriction on the consumption of foodstuffs.

The dose levels to be taken into account for these different protective measures are as follows:

- Short-term measures:

o Requirement for sheltering: 10 mSv (effective dose)

o Evacuation: 50 mSv (effective dose)

o Distribution of iodine tablets: 100 mSv (equivalent dose to the thyroid)

- Medium- and long-term measures:

o Relocation: 10 mSv / month for prolonged exposure (dose rate due to irradiation by the ground) or 1 Sv (effective dose).

Any restrictions concerning consumption of foodstuffs produced in the vicinity of the plant are governed by relevant European marketing regulations applicable in the event of a nuclear accident or other radiological emergency.

This design aspect is set out in Chapter S.2.3.

1.2.4.2.1. Main methods and assumptions adopted for assessing radiological consequences

Confirmation that radiological objectives have been achieved is obtained by analysis of the radiological consequences of selected operating conditions. The basic principles and assumptions for assessing these radiological consequences are summarized below:

- The assessment is based on conservative methods and assumptions.

- A pH for the IRWST water of around 7.5 for LOCA and severe accidents has been selected, so as to limit volatile iodine production in the containment.

- Calculating the effective dose includes all potential routes for exposure: external exposure to the plume and deposits, internal exposure via inhalation and ingestion of contaminated foodstuffs. The assessment is for a period of 50 years. Results are evaluated:

o after 7 days. Doses relating to this phase correspond to exposure of a member of the public in the immediate vicinity of the site at the moment of release. Effective doses received via inhalation, external exposure to the plume and deposits on the ground are calculated at a distance of 500 m from the site boundary. In addition, the dose absorbed by the thyroid by inhalation is also assessed for an adult and a 1-year old child.

o after 50 years. Doses after 50 years represent the effects over the lifetime of a person. In addition to the doses received when the radioactive cloud passed over, doses received over the long term are due to the persistence of ground contamination. People living in the vicinity of the plant are subjected to an external exposure to radioactive deposits on the ground as well as to internal exposure by ingestion of contaminated foodstuffs, over a period of 50 years. These doses are assessed at a distance of 2 km from the point of release.

Methods for calculating doses

The main methods and assumptions for calculating doses (atmospheric scattering of fission products released into the environment, dose conversion factors) are stipulated in Chapters P.3 and S.2.3.

1.2.5. Safety classification and associated requirements

The first safety classification approach devised and applied for the EPR design was functional in nature. This choice was based on experience of safety classifications from the French fleet which was itself based on safety classification of mechanical and electrical equipment in American power plants (ASME and IEEE). This approach was later supplemented by barrier classes reflecting radioactive content, initially, of mechanical equipment, and then of electrical and I&C equipment and of civil engineering structures.

1.2.5.1. Functional classification and the concept of "barriers"

The main objective behind the creation of the functional classification is to ensure a link between the different equipment classifications involved in the safety approach, a link which does not exist in the current EDF fleet. Another aim is to take into account, at the design stage, a 1984 French Government ruling defining a concept termed "Important for Safety".

In comparison with the safety classification used for the existing French fleet, this double objective brings about the following developments:

- creation of a functional classification comprising three classes designated F1A, F1B and F2 and the allocation of safety functions between these three classes on the basis of their contribution either to attaining two defined reactor states, (namely "controlled state" and "safe state") for design basis initiating events, or to "a final safe state" for multiple failure conditions. The diagram of figure C.1 FIG 6 represents the association logic of the different functions for attaining and maintaining these different states.

- elimination of the terminology "Important for Safety", although this concept is embodied in the substance of the EPR safety approach as an essential feature. This notion was incorporated in the F2 safety class for which criteria were set up, such as achievement of the RRC-A final state and preventing significant discharges in RRC-B, as well as controlling internal and external hazards within the framework of event-based design.

This classification concept, which arose from studies of design events, was subsequently supplemented by a "barrier"-type approach relating design and manufacturing requirements to radioactive content. Since the equipment concerned is mainly mechanical, the concept of "barriers" (as described in Section B.2.1 of the Technical Guidelines) is associated with mechanical classification by introducing thresholds of activity concentration when defining classification limits. In addition, requirements were incorporated in the design of civil engineering structures to take into account their role in the barrier concept, without identifying specific safety classes because of the very limited number of structures concerned.

This design aspect is set out in Chapter C.2.1.

1.2.5.2. Classification of mechanical, electrical, I&C and seismic equipment

Following definition of the functional and barrier classifications, several safety classes were devised to link together requirements applicable to different types of equipment. These included the following:

- Classes M1, M2 and M3 for mechanical equipment,

- EE1 and EE2 for electrical equipment,

- E1A, E1B and E2 for I&C equipment,

- C1 for buildings containing F1-classified systems or equipment in safety classes M1, M2 or M3.

In addition to these classes which are specific to each type of component, two seismic classes were defined to take seismic effects on safety equipment into account. These are:

- Class SC1 covering equipment and structures that contain or fulfil F1-classified safety functions, M1 equipment, as well as some M2 or M3 or F2 equipment on a case by case basis,

- Class SC2 covering equipment and structures that protect, or whose failure may jeopardize, SC1-classified equipment.

This design aspect is set out at principle level in Chapter C.2.1 and at implementation level in each of the chapters concerned.

As an illustration, figures C.1 FIG 7A to 7D set out in schematic format the different classifications on which the EPR safety approach is based. In a "bubble" concept representing all EPR installation equipment, an initial breakdown makes it possible to isolate safety-classified equipment from non-safety related equipment. For safety-classified equipment, the different classifications are as follows.

- Functional classification, the definition of which sets out the limits of classes F1A, F1B and F2(*). An additional class for equipment without a functional role (termed NF) also appears in figure C.1 FIG 7A,

- Mechanical classification, the definition of which sets out the limits of classes M1, M2 and M3 in figure C.1 FIG 7B. In the same way as in FIG 7A above, an additional class for equipment not classified as mechanical (termed NM) is also included,

- Seismic classification, of which the limits, set out in figure C.1 FIG 7C, follow the definitions of different functional and mechanical classes. Class SC1 follows the limits of class M1, class F1 and a part of class F2. Class SC2 covers a part of classes M3 and F2 as well as equipment without mechanical or functional classification (NM / NF). On the same principle as for other classifications, a type of equipment appears which is not classified as seismic, called NSC.

* It should be noted that the electrical and I&C classifications may be associated with the functional classification. Electrical equipment of class EE1 is associated with class F1 and class EE2 with class F2; similarly I&C classes E1A and E1B are associated with functional classes F1A and F1B, respectively, and class E2 with functional class F2.

Finally, figure C.1 FIG 7D represents all possible combinations of system and equipment classification based on the three functional, mechanical and seismic classifications. Sixteen zones of potential classification appear to which all safety-classified equipment may be assigned.

1.2.5.3. Deterministic requirements and design codes

Deterministic requirements are associated with the definition of these different safety classes. They address safety functions and safety-classified equipment.

With regard to safety functions, the three classes F1A, F1B and F2 are associated with the following requirements:

- application of the single failure criterion (Subsection 1.2.5.4 below),

- physical separation,

- emergency power supply,

- seismic design,

- assurance of construction quality and periodic tests.

The same requirements apply to the design of safety-classified equipment, together with the requirement for:

- use of an approved design code,

- appropriate qualification for earthquakes and ambient conditions (see Sub-section 1.2.5.4 below).

With regards to mechanical equipment, three design levels called Q1, Q2 and Q3 are defined. These define the applicable design code, on the basis of the mechanical and ESPN classification. A matrix involving the two classifications is used to determine the code level which must be used at design stage.

This design aspect is set out in Chapter C.2.1.

1.2.5.4. Single failure criterion

A system is designed in accordance with the single failure criterion if it is capable of fulfilling its function in spite of any single failure independent of the initiating event. The single failure may be active in the short and long terms or passive in the long-term (after 24 hours).

An active single failure is defined as:

- either the malfunction of mechanical or electrical equipment which requires a mechanical movement to accomplish the specified function (e.g. a relay switchover, start-up of a pump, opening or closing of a valve),

- or the malfunction of an item of I&C equipment.

NB: the following failures are excluded when the single failure criterion is applied:

a) failure to open of an accumulator check valve (non-return valve),

b) failure to close of a main steam line isolating valve in the event of rupture of one or several steam generator tubes.

A passive single failure is defined as a failure which occurs in an item of equipment which does not need to change state to carry out its function. A passive failure can be:

- a leak in a pressurised fluid system; if such a leakage is not detected and isolated, it is assumed to increase until it reaches a flow rate corresponding to full guillotine rupture;

- another mechanical failure causing damage to a flow line and jeopardizing the normal operation of a fluid system.

A passive single failure is taken into account for the long-term only after more than 24 hours of safety system operation, with a leakage rate conventionally assumed to be equal to 200 litres per minute up to such time as the leak is isolated. In addition, for each F1 system, sensitivity studies are carried out to show that a short-term passive single failure (before 24 hours), as well as a leakage rate in excess of 200 l/min (up to rupture of a connected pipe with a 50-mm internal diameter), are covered by taking into account active single failures or do not give rise to a cliff-edge effect with regards to system capability and radiological consequences.
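The single-failure enumeration described in this subsection, as an added example (not code from the report): a constructed four-train system is checked by postulating each single failure in turn on top of a train already out for preventive maintenance, with the 24 h passive-failure delay and the 200 l/min conventional leak rate taken from the text and the report's excluded failures handled by an `excluded` flag. The train and component names, `trains_required` success criterion and helper names are assumptions.

```python
"""Single failure criterion check (added example, not code from the UK-EPR report).

Constructed model: a system is split into redundant trains and fulfils its
function while at least `trains_required` trains are fully available. Every
single failure independent of the initiating event is postulated in turn, on
top of any train already unavailable for preventive maintenance.
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Set, Tuple

PASSIVE_FAILURE_DELAY_H = 24.0   # passive single failures postulated only after 24 h
CONVENTIONAL_LEAK_L_MIN = 200.0  # conventional passive leak rate until the leak is isolated


@dataclass(frozen=True)
class Component:
    name: str
    train: str
    kind: str               # "active": must change state to act; "passive": need not
    excluded: bool = False  # failure excluded from the criterion (report's cases a and b)


@dataclass(frozen=True)
class System:
    name: str
    components: Tuple[Component, ...]
    trains_required: int    # intact trains needed to fulfil the safety function


def train_names(system: System) -> List[str]:
    return sorted({c.train for c in system.components})


def train_available(system: System, train: str, failed: Set[str]) -> bool:
    # A train is credited only if none of its components has failed.
    return all(c.name not in failed for c in system.components if c.train == train)


def function_fulfilled(system: System, failed: Set[str]) -> bool:
    available = sum(train_available(system, t, failed) for t in train_names(system))
    return available >= system.trains_required


def postulated_single_failures(system: System, hours_after_event: float) -> List[Component]:
    """Single failures to postulate at a given time after the initiating event.

    Active failures are postulated in the short and long term; passive failures
    only after more than 24 h. Excluded cases (e.g. accumulator check valve
    failing to open) are skipped.
    """
    out = []
    for c in system.components:
        if c.excluded:
            continue
        if c.kind == "active" or hours_after_event > PASSIVE_FAILURE_DELAY_H:
            out.append(c)
    return out


def describe_failure(c: Component) -> str:
    """Human-readable statement of how the postulated failure is modelled."""
    if c.kind == "passive":
        return f"{c.name}: leak at {CONVENTIONAL_LEAK_L_MIN:.0f} l/min until isolated (long term only)"
    return f"{c.name}: active failure (short and long term)"


def check_single_failure_criterion(
    system: System, in_maintenance: Iterable[str] = (), hours_after_event: float = 0.0
) -> Tuple[bool, List[str]]:
    """Return (criterion met, names of single failures that defeat the function)."""
    baseline = set(in_maintenance)
    if not function_fulfilled(system, baseline):
        return False, ["maintenance unavailability alone defeats the function"]
    violations = [
        c.name
        for c in postulated_single_failures(system, hours_after_event)
        if not function_fulfilled(system, baseline | {c.name})
    ]
    return (not violations, violations)


def build_sample_system(trains_required: int = 2) -> System:
    """Constructed four-train injection system (illustrative, not the EPR design)."""
    comps = []
    for t in "ABCD":
        comps += [
            Component(f"pump_{t}", t, "active"),
            Component(f"suction_valve_{t}", t, "active"),
            Component(f"discharge_line_{t}", t, "passive"),
        ]
    # Accumulator check valve on train A: failure to open is excluded (case a).
    comps.append(Component("accumulator_check_valve_A", "A", "active", excluded=True))
    return System("constructed 4-train injection system", tuple(comps), trains_required)


if __name__ == "__main__":
    two_of_four = build_sample_system(trains_required=2)
    three_of_four = replace(two_of_four, trains_required=3)
    for s in (two_of_four, three_of_four):
        for hours in (1.0, 48.0):
            ok, bad = check_single_failure_criterion(s, in_maintenance={"pump_A"}, hours_after_event=hours)
            print(f"need {s.trains_required} of 4, t={hours:>4}h: {'met' if ok else 'NOT met'} {bad}")
    for c in postulated_single_failures(two_of_four, 48.0)[:3]:
        print(describe_failure(c))
```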

1.2.5.5. Equipment qualification

The objective of qualification is to confirm that equipment is capable of fulfilling its functions under the postulated conditions to which it may be subjected.

Hence, all equipment is potentially required to be qualified against the different ambient conditions (normal, incident or accident conditions) to which it may be subjected.

In practice, the scope of qualification is limited by considerations of the safety duty of the equipment and the nature of the equipment under consideration.

The safety duty of equipment is to ensure:

- successful achievement of the three fundamental functions of reactivity control, removal of residual heat and containment of radioactive materials. These overall functions are ensured by a series of basic functions (such as emergency shutdown, safety injection, boration, power supplies etc). The associated systems and equipment are safety classified in accordance with the principles set out in Chapter C.2.1,

- production of electrical power via a series of basic functions (such as steam generation, production of electricity in the turbo-alternator, operation of the main condensers). These systems and equipment are not safety classified although they are fundamental to operation and to the safety of operational staff.

The qualification approach is required only for safety classified equipment.

The definition of qualification parameters is generally based on standardized conditions which envelope the conditions potentially encountered by particular pieces of equipment. This approach is adopted because it avoids determining a multitude of ambient conditions to which particular plant items might actually be subjected, depending for example on their specific location. It facilitates management and re-use of equipment thus qualified. However, for some plant items this may lead to qualification requirements substantially more onerous than the conditions to which the item might realistically be subjected.

To address both the technical and cost-effectiveness aspects of this issue, multiple standards have been defined for the EPR so as to be as close as possible to more realistic conditions, while at the same time maintaining a healthy margin to actual accident conditions. These multiple standards, termed "families", are used to demonstrate qualification in design accident conditions.

The aim behind having standardized qualification conditions is to represent the conditions to which equipment may be subjected in the three situations of normal operation, seismic loads and extreme conditions which result either from an event linked to the nuclear steam supply system or from an internal or external hazard. The main aspects incorporated into these conditions are as follows:

Normal operation: the objective is to assess equipment operation over time via qualification "in normal conditions". A qualification programme specific to each type of equipment is drawn up and may, depending on its operating conditions, include:

- design testing in nominal operating conditions, which makes it possible to draw up a reference point for its characteristics,

- functional limit tests during which the influence of the main environmental parameters (vibrations, temperature...) representative of installation conditions is assessed,

- robustness and/or operational assessment tests over time involving conditions (e.g. exposure to irradiation, temperature…) designed to artificially age equipment. Even though a proposed service life might be used to specify these tests, they would not be used to demonstrate a qualified service life.

Seismic loads: seismic events are dealt with specifically in the qualification programme since, if an earthquake occurs, this constitutes a common hazard capable of jeopardizing the whole installation. From seismic spectra (defined in Chapter C.3) and the determination of the main floor response spectra, the qualification approach is built up either via justification by substantiating equipment design or via "seismic tests" using methods based on IEC 60980. Using the illustrative presentation of figure C.1 FIG 7C, seismic qualification is applied to all equipment featured in the SC1 "bubble".

Extreme situations: these situations may either be the result of an event linked to the nuclear steam supply system or an internal or external hazard. The safety classification of the equipment concerned, and the potential conditions, determine the qualification requirements, which can be divided up into the following groups:

- With regards to design accidents and multiple failure situations, families of ambient conditions are defined in the relevant buildings. Equipment is assigned to one of the families depending on the type and duration of the situation to which it will be exposed. Taking into account the different locations of equipment, periodicities for replacing age-sensitive components and the family of ambient conditions has led to the definition of several standardized qualification conditions, each corresponding to a thermodynamic profile and an exposure dose.

- With regards to qualification of a given item of equipment, the applicable standardized conditions (thermodynamic envelope, exposure dose) depend on its location, replacement periodicity for age-sensitive components and on its family of ambient conditions. Using the illustrative presentation of figure C.1 FIG 7D as a basis, "PCC" qualification is applied to all equipment in the "bubble" including M1/F1A, M2/F1 and M3/F1 categories.

Different internationally recognised methods may be used for qualification, based on RCC-E, KTA or IEEE standards. However, an initial check is carried out to ensure their appropriateness for specific EPR applications.

- RTHE [HELB]: qualification of isolating devices which have to close in the event of rupture in "high energy" conditions and qualification for operation in the presence of suspended solids and radioactive contamination are also taken into account in qualification for accident conditions.

- With regard to severe accidents, qualification conditions specific to each item of equipment concerned are defined based on the required missions. Referring to figure C.1 FIG 7D, "RRC-B" qualification is applied to all equipment in the "bubble" including the M2/F2 and M3/F2 categories.

- Ambient conditions resulting from internal and/or external hazards: demonstration covers the capacity to resist hazards. Such is the case, for example, with fire, explosion, flooding, while earthquakes are dealt with specifically as set out previously. This qualification may be supplemented by installation provisions. Using the illustrative presentation of figure C.1 FIG 7D as a basis, qualification for internal and/or external hazards is applied to all equipment in the "bubble" of the NM/F2 category.

Different methods of qualification are used depending on the nature of the hazard in question. For example, in the event of fire, methods described in the ETC-F are used.

This design aspect is set out in Chapter C.7 with regards to PCC and RRC situations and in Chapters C.3 and C.4 with regards to internal and external hazards.

1.2.6. Design tools

1.2.6.1. EPS [PSA]

Probabilistic safety assessments, EPS [PSA], are an essential part of EPR safety and design considerations. The EPS [PSA] is used to develop the reactor design, by allowing an assessment of the relative advantages of different design options within the original project objectives. To be as representative as possible, the EPS [PSA] also incorporates human reliability assessment, using simplified methods. It also makes use of component reliability data from French and German or international (EG&G) operating experience and of common mode failure values derived from generic data. The EPS [PSA] has been developed over successive phases, depending on the state of progress of the different design study stages and in particular:

- an initial level-1 EPS [PSA] quantifying the probabilities of core meltdown for power states, was carried out within the Basic Design phase,

- a second level-1 EPS [PSA] covering a broader scope which quantifies the probabilities of core meltdown both for power and shutdown states and incorporates the impact of maintenance at power. This assessment was part of the Basic Design optimisation phase,

- as an extension of the level-1 EPS [PSA], a level 1+ EPS [PSA] which quantifies in broad terms the risk of containment failure for the principal degraded plant states.

These results have made it possible both to confirm the acceptability of the overall reactor design and to improve the design of certain safety systems in terms of redundancy and diversity with regards, for example, to power supplies (e.g. for the reactor emergency cooling system) or cooling circuits (e.g. the final containment cooling system, the spent fuel cooling system in the Fuel Building pool and for reactor makeup water in certain shutdown states).

In addition, the probabilistic approach was used throughout the post-BDOP phase to ensure that the events considered in the overall safety approach were exhaustive and to determine the design basis for the detailed study phase. This made it possible to:

- confirm and supplement the initial schedule of initiating events to be taken into account in the design and to assign them to three categories: transients, incidents or accidents,

- check that the design provides for a balanced spread of risk across the initiating events, by ensuring that there are no dominant sequences contributing to core meltdown frequency,

- re-examine the list of RRC-A (Risk Reduction Category A) conditions and ensure that, for each of them, specific provisions exist enabling core meltdown risk to be reduced,

- assess the "practical elimination" of certain meltdown sequences in the RRC-B (Risk Reduction Category B) group which lead to significant early discharges (such as, for example, containment bypass sequences, boron dilution accidents etc.) in addition to the deterministic provisions included to prevent them.
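The level-1 quantification and the "no dominant sequence" check described above, as an added worked example (it is not code from the UK-EPR report, from EDF or from the EPR PSA). It uses a beta-factor common-cause model for identical redundant trains, sums initiating-event frequency times conditional failure probability over the accident sequences in the rare-event approximation, and compares three constructed design variants: the baseline, one more identical train on every function, and an independent diverse backup on the feedwater and diesel functions. All initiating-event frequencies, train failure probabilities, beta values and the function and initiator names are assumptions made for illustration; only the 10^-5 per reactor-year core meltdown objective comes from the Technical Guidelines reproduced in Table C.1 TAB 1.

```python
"""Illustrative level-1 PSA quantification with common-cause failure.

Added example for this page; not code from the UK-EPR report, EDF or the
EPR PSA.  It shows the arithmetic behind three statements in the text:
core-melt frequency (CMF) is the sum over accident sequences of
initiating-event frequency times conditional failure probability;
identical redundant trains buy little once common-cause failure is
modelled, which is why diversity is a PSA-driven design change; and the
"balanced spread of risk" check looks for sequences that dominate the
total.  Every frequency, failure probability and beta value below is
constructed for illustration.  Only the 1e-5 per reactor-year objective is
taken from the Technical Guidelines (A.1.1 c).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CMF_OBJECTIVE = 1e-5  # per reactor-year, Technical Guidelines A.1.1 c)


@dataclass(frozen=True)
class SafetyFunction:
    name: str
    q: float                  # per-train failure probability on demand (assumed)
    trains: int               # identical redundant trains, 1-out-of-n succeeds
    beta: float = 0.0         # beta factor: share of q that is common-cause
    diverse_backup: Optional[float] = None  # failure prob. of an independent diverse backup

    def failure_probability(self) -> float:
        """P(function fails on demand) under the beta-factor model.

        The common-cause share beta*q fails every train at once; the
        independent share (1-beta)*q must hit all n trains.  A diverse
        backup is assumed independent of both and multiplies the result.
        """
        q_cc = self.beta * self.q
        q_ind = (1.0 - self.beta) * self.q
        p = q_cc + (1.0 - q_cc) * q_ind ** self.trains
        if self.diverse_backup is not None:
            p *= self.diverse_backup
        return p


@dataclass(frozen=True)
class Initiator:
    name: str
    frequency: float                      # per reactor-year (assumed)
    requires: Tuple[SafetyFunction, ...]  # functions that must all succeed


Sequence = Tuple[str, str, float]  # (initiator, failed function, CMF contribution)


def sequence_contributions(initiators) -> List[Sequence]:
    """One core-melt sequence per (initiator, failed function).

    Rare-event approximation: contribution = f_IE * P(function fails).
    Dependencies between functions are ignored here; a real PSA models
    them with event trees and shared fault-tree basic events.
    """
    return [(ie.name, fn.name, ie.frequency * fn.failure_probability())
            for ie in initiators for fn in ie.requires]


def core_melt_frequency(initiators) -> float:
    return sum(c for _, _, c in sequence_contributions(initiators))


def dominant_sequences(initiators, share: float = 0.5) -> List[Tuple[str, str]]:
    """Sequences whose share of total CMF exceeds `share`: the 'no dominant
    sequence' check on the balance of risk across initiating events."""
    seqs = sequence_contributions(initiators)
    total = sum(c for _, _, c in seqs)
    return [(ie, fn) for ie, fn, c in seqs if c / total > share]


def meets_objective(initiators) -> bool:
    return core_melt_frequency(initiators) < CMF_OBJECTIVE


def design(extra_trains: int = 0, diverse_backup: Optional[float] = None):
    """Constructed plant model (hypothetical numbers).  `extra_trains` adds
    identical trains to every function; `diverse_backup` gives the feedwater
    and diesel functions an independent backup with that failure probability."""
    n = 4 + extra_trains
    efw = SafetyFunction("emergency feedwater", 1e-2, n, 0.05, diverse_backup)
    edg = SafetyFunction("emergency diesel generators", 2e-2, n, 0.05, diverse_backup)
    si = SafetyFunction("safety injection", 1e-2, n, 0.05)
    return (
        Initiator("loss of main feedwater", 1e-1, (efw,)),
        Initiator("loss of off-site power", 5e-2, (edg, efw)),
        Initiator("small LOCA", 1e-3, (si,)),
    )


if __name__ == "__main__":
    for label, model in (("baseline", design()),
                         ("+1 identical train", design(extra_trains=1)),
                         ("diverse backups", design(diverse_backup=0.05))):
        print(f"{label:20s} CMF = {core_melt_frequency(model):.2e} /ry  "
              f"objective met: {meets_objective(model)}  "
              f"dominant (>30%): {dominant_sequences(model, 0.3)}")
```

Running the script prints the three variants. The point it makes is that with beta = 0.05 the failure probability of an n-train function bottoms out at roughly beta times q however many identical trains are added, so the baseline and the five-train variant give almost the same core meltdown frequency and neither meets the objective, while a diverse backup divides the two leading contributions by its own failure probability and brings the total below 10^-5 per reactor-year. The same arithmetic is what lets the dominance check flag the two sequences that each carry about 40% of the baseline total.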

Finally, with a view to assessing reactor design at the end of the in-depth study phase, the probabilistic approach was supplemented during the first phase of in-depth studies by considerable work covering:

- level-2 EPS [PSA] to quantify probabilities of discharges into the environment related to the various events, sequences and scenarios,

- probabilistic assessment of hazards with a view to estimating the overall core meltdown risk due to internal and external hazards.

All aspects concerning probabilistic studies (databases, methods, updated calculations and results, incorporating in particular an initial assessment of the proportion of hazards in total core meltdown risk) are set out in Chapter R.

After the in-depth study phase and finalisation of all design options, these elements of the PSA will be updated, with particular regard to the following aspects:

- equipment reliability databases incorporating real experience drawn from selected components (mechanical, electrical, I&C etc.) together with all their actual maintenance modes (during output or shutdown),

- human reliability in line with operational systems implemented (procedures, man-machine interfaces)

- details of the layout of the installation (raceways, ventilation of electrical panels...) and operating procedures for the different conditions encountered,

- quantification of uncertainties associated with calculation results.

This update will confirm that the overall core meltdown safety objectives and the internal design objectives have been met.

1.2.6.2. Design codes, calculations and modelling of conditions

Since the EPR design uses an evolutionary approach meeting enhanced safety requirements, the codes and standards implemented for design, manufacturing and commissioning of the EPR are of three types:

- design codes applicable to French NPPs known as RCCs (Design & Construction Rules) outlining industrial practice for currently operating EDF reactors, which are partially applicable to the EPR,

- EPR design codes known as ETCs (EPR Technical Codes) which set out industrial practices specific to the EPR, and which replace existing RCCs,

- other EPR-applicable codes and standards, in the context of the project’s European background (at both regulatory and industrial levels).

The list of the different applicable design codes is supplied in Chapter B.6.

The design of the EPR systems, equipment and structure uses numerous computer codes and models of various conditions, in particular related to severe accident scenarios.

A description of all R&D results used in the EPR design is included in Chapter B.5 of this safety analysis report.

Qualification of these codes incorporates a procedure aimed at justifying the validity of results and stipulating the respective responsibilities of the supplier of the code, the subcontractor (if the support study is carried out under contract) and of EDF with regard to code implementation.

1.2.6.3. Design and construction quality

EDF has set up a management system which serves as a basis for all activities related to design and construction, covering plant safety, quality and environmental compatibility.

This system includes:

- provisions ensuring quality which are applicable to EDF, its subcontractors and suppliers and which are in compliance with French regulatory requirements (the quality decree of August 1984) and requirements of ISO 9001 and ISO 14001 standards.

- a general organisation of resources and responsibilities which make it possible to carry out and meet all tasks and actions defined in the processes of plant design.

1.2.7. Environmental impact

Environmental impact is considered in this chapter with respect to:

- normal operating situations such as waste treatment and end-of-life of the reactor (dismantling operations),

- non-nuclear risks constituted by the installation referred to as "conventional risks".

The impact on the environment of nuclear accidents is examined in Chapters P and S, as part of their radiological consequences.

1.2.7.1. Conventional risks of non-nuclear origin

In accordance with French regulatory requirements, EPR safety analysis takes into account conventional (i.e. non-nuclear) risks.

The safety analysis demonstrates that all potential conventional risks have been identified and dealt with, and that their consequences are acceptable for the environment, i.e. for the population located near the site boundary. It is based on the following stages:

- preparation of an inventory of equipment which potentially presents a conventional risk,

- identification of those events liable to lead to consequences on the environment or on other site plant or equipment, the risk of which is not eliminated at source by design provisions,

- following the identification of initiating events, definition of relevant global scenarios and implementation of (physical or administrative) lines of defence for equipment failures leading to environmental impact or impact on buildings which house safety functions,

- confirmation of the efficiency of these lines of defence by study of global scenarios.

This design aspect is set out in Chapter C.8.

1.2.7.2. Liquid and gaseous waste

Waste treatment systems contribute to containment, monitoring and control of liquid and gaseous radioactive discharges into the environment.

The aim is to significantly reduce liquid and gaseous discharges for a given reactor power, in comparison to the existing fleet (except for tritium and C14).

The systems concerned are as follows:

- The RPE [NVDS] (nuclear island vent and drain) system which selectively collects all the liquid or gaseous waste produced inside and outside the containment and channels it to the associated storage and treatment plants. Hence, this system contributes towards compliance with radioactivity criteria for liquid and gaseous discharges.

- The TEP [CSTS] (primary effluent treatment) system which enables storage, control and treatment of hydrogenated primary liquid waste. This waste stream is recycled in the primary coolant system to reduce the radioactive waste discharge. It is also used to treat aerated waste produced when the primary system is opened or drained.

- The RCV [CVCS] (chemical and volume control) system which, during the shutdown transient, ensures high flow rate purification of the primary coolant, so as to minimise the doses to operational staff during shutdown and to satisfy the radiological criteria specified for the last stages of cold shutdown.

- The TEG [GWPS] (gaseous effluent treatment) system which contains, treats and enables decay of hydrogenated and aerated gaseous waste derived from treatment of primary coolant or from the gas blanket of primary coolant tanks. Decay of excess gaseous waste produced during plant transients (start-up, shutdown, primary oxygenation) is carried out in series-mounted activated charcoal beds.

This design aspect is set out in Chapter K.3.

1.2.7.3. Solid waste

Reducing waste production from fuel, and in particular "long-lived" waste, is a major element in environmental optimisation of the nuclear fuel cycle, regardless of the ultimate method of management of this type of waste.

The EPR design and performance directly assist in fulfilling this objective. When compared to existing power plants, the EPR offers:

- improved overall use of fuel material as a result of enhanced operating and safety margins as well as better neutron efficiency. Less nuclear fuel is needed for an equivalent power, with improved possibilities of recycling. Hence, the EPR design enables reductions in natural uranium consumption and the production of radioactive waste.

- optimisation of recycling and medium-term plutonium management by increasing burn-up levels and enhancing flexibility which makes it possible, depending on requirements, to implement different types of MOX or innovative fuels.

Implementing high burn-up fuel cycles enables savings of approximately 17% in natural uranium resources, compared to current management systems for a given reactor power.

The result is a 26% reduction in long-lived waste.

With regards to solid waste other than fuel, estimates have been made by examining the best performing 25% of plants in the current French fleet for each type of waste, which gives a total volume of approximately 80 m3/year (in comparison to 120 m3 which is the accumulated fleet average for 2004). These ambitious estimates are based on improvements in design enabling enhanced selective sorting of waste and, from the very beginning of operations, introducing waste zoning and a policy of radiological cleanliness of the different plant buildings.

This design aspect is set out in Chapter K.3.

1.2.7.4. Dismantling

Integration of dismantling operations into EPR design has been achieved by:

- anticipating the dismantling process by simulating activation of materials and postulating potential events conducive to the spread of contamination (via definition of cleanliness and waste zoning at the design stage),

- taking operational feedback into account from sites with large component maintenance,

- choosing materials which make it possible to reduce system activation and the volume of radioactive waste, enhancing the strength of materials for fuel cladding and improving the resistance of the primary cooling system to corrosion and erosion,

- developing construction techniques aimed at facilitating dismantling and removal of contaminated equipment and structures, and enabling the use of shields,

- developing system-related provisions which make it possible to avoid radioactive deposits, restrict the spread of contamination and facilitate decontamination of rooms and equipment.

This design aspect is set out in Chapter T.

2. TECHNICAL GUIDELINES

This section describes how the basic safety requirements set down in the Technical Guidelines for the design and construction of the next generation of nuclear pressurized water reactors are taken into account in the design of the EPR (Chapter B.7).

The Technical Guidelines were set out by the GPR safety advisory body in October 2000, and were endorsed by the French nuclear regulator [2].

Table C.1 TAB 1 sets out for each item in the Technical Guidelines how it has been taken into account in the EPR design by referring to the relevant chapter(s) of this report. If the text of a particular Technical Guideline does not in itself constitute a technical recommendation (e.g. introductory text, general remarks, etc…) this is indicated by the entry "-" in the table.

LIST OF REFERENCES

[1] DSIN letter no. 1321/93 of 2 September 1993: Joint declaration of the French and German Authorities on a common safety approach for future pressurized water reactors.

[2] "Technical Guidelines for the design and construction of the next generation of nuclear pressurized water plant units", adopted during plenary meetings of the GPR and German experts on 19 and 26 October 2000.

[3] DGSNR letter /SD2/n°0729/2004 of 28 September 2004 on safety options for the EPR reactor project.

TABLE : 1 PAGE: 1 / 104

Index | Technical Directives (Technical Guidelines) for the design and construction of the next generation of pressurized water nuclear power plants | Chapters for the FSO

These technical directives (technical guidelines) present the opinion of the Permanent Group responsible for Nuclear Reactors (GPR) concerning the philosophy and the safety approach as well as the general safety requirements to be applied for designing and constructing the next generation of PWR (pressurized water reactor) type nuclear power plants, presuming that construction of the first units of this generation starts at the beginning of the 21st century. These technical directives are based on joint work from the French Institut de Protection et de Sûreté Nucléaire (IPSN) (Institute of Nuclear Protection and Safety) and the German Gesellschaft für Anlagen- und Reaktorsicherheit (GRS). These technical directives were discussed in depth with members of the German RSK (Reaktor Sicherheitskommission) safety commission up to the end of 1998 and with German experts beyond this date.
Chapters for the FSO: -

The context of these technical directives must be clearly understood. Faced with the present nuclear energy situation worldwide, various nuclear reactor designers are developing new products, all advertising their intention to obtain improved safety levels, via different means. The GPR considers that to operate a new series of nuclear power plants at the beginning of the next century, the best way is to deduce the design of these units from the design of existing units in an "evolutionary" way, whilst taking into account the operational experience and in-depth studies carried out for these units. Nevertheless, the introduction of innovative provisions must also be considered within the context of designing the new generation of units, in particular to prevent and control severe accidents.
Chapters for the FSO: C.1.1

Here, the GPR stresses that a significant safety improvement for next generation nuclear power plants is required at the design stage, in relation to existing units. If improvement research is an ongoing concern in the safety field, major advances required at the design stage clearly result from better consideration of the problems linked to severe accidents caused by possible contamination of extended surfaces by long-lived radionuclides such as caesium, not only in the short-term but also in the long-term; for existing units, improvements are implemented in a practical way, taking their design limitations into account, within the context of the normal periodic review process for unit safety.
Chapters for the FSO: C.1.1

The GPR believes that significant advances at the design stage are possible in an "evolutionary" way if necessary attention is paid to lessons learnt from operational experience and probabilistic studies carried out for existing units as well as from the results from safety research, in particular with regard to severe accidents, with the aim of obtaining a reduction in the calculated probability of occurrence and calculated accidental discharges of radioactive materials. The research and development work carried out at the design stage (then during operation) will also contribute to improving safety or validating the behaviour of the systems and units.
Chapters for the FSO: C.1.1

A - SAFETY PRINCIPLES
A.1 - GENERAL SAFETY APPROACH

A.1.1 Significant improvement of safety for next generation nuclear power plants, in relation to existing units, is specified by the objectives presented hereafter.
Chapters for the FSO: -

A.1.1 - General safety objectives

a) For normal operation and operating incidents, one objective is to reduce the individual and collective doses received by workers, which are strongly linked to maintenance and in-service inspection activities. Reduction of the exposure of workers must be researched via an optimisation process taking into account data acquired from operational experience. It is also advisable to consider limiting radioactive discharges within the framework of the corresponding dose constraints, and reducing radioactive waste quantities and activities.
Chapters for the FSO: C.1.1 and L.1, L.4; K

A.1.1 b) Another objective is to reduce the number of significant incidents, which means researching improvements in equipment and systems used in normal operation, with the aim of reducing the frequency of transients and incidents and thus limiting the possibility of accident situations developing from such events.
Chapters for the FSO: C.1.1 and R

A.1.1 c) A significant reduction in the overall frequency of core meltdown must be obtained for next generation nuclear power plants. Implementing defence in depth improvements for these units should result in an overall core meltdown frequency of less than 10^-5 per reactor year being obtained, considering uncertainties and all types of failures and hazards.
Chapters for the FSO: C.1.1 and R

A.1.1 d) In addition, an important objective is to obtain a significant reduction in radioactive discharges that may result from any conceivable accident situation, including core meltdown accidents. For core meltdown accidents, there must be no need to protect the populations living within the vicinity of the damaged power plant (no evacuation, no sheltering). Core meltdown accidents which would lead to large early discharges must be "practically eliminated": if they cannot be considered as physically impossible, design provisions must be made to exclude them. This objective concerns, in particular, pressurized core meltdown accidents. Low pressure core meltdown sequences must be dealt with so that the maximum conceivable associated discharges only require very limited population protection measures in terms of scope and duration. This would result in no permanent relocation, no need for emergency evacuation beyond the immediate vicinity of the unit, limited sheltering, no long-term restrictions in terms of consuming food products.
Chapters for the FSO: C.1.1 and: P.3, S.1.3, S.3.3, S.2.4, S.2

A.1.2 - The "defence in depth" principle
Chapters for the FSO: C.1.1

A.1.2 The "defence in depth" principle is the basic safety principle for next generation nuclear power plants. This principle involves implementing several protection levels, including successive barriers against the discharging of radioactive substances into the environment. This principle must be used to demonstrate that the three basic safety functions - reactivity control, fuel cooling and containment of radioactive substances - are carried out correctly. The aim is to provide protection for members of the public and workers. This includes preventing accidents and limiting their consequences. For next generation nuclear power plants, the general safety objectives mentioned in section A.1.1 involve strengthening the "defence in depth" for these units in relation to existing units; these objectives require, in particular, broader consideration of the possibilities of multiple failures and the use of diverse methods for accomplishing the three above-mentioned basic safety functions; they also require substantial improvement of the containment function, considering in particular the various possible failures of this function for core meltdown situations. Results from operational experience and from in-depth studies, such as the probabilistic safety analyses carried out for pressurized water reactors, and advances in understanding the physical phenomena that may intervene during the development of accident situations, in particular, core meltdown situations, must be taken into account.
Chapters for the FSO: C.1.1 and: S.1; C.5, F.2, R; B.5, S.2

It is highlighted that a reduction in the frequency of occurrence of accidents (including core meltdown accidents) must be obtained by reducing the frequency of occurrence of the initiating events and by further improving the availability of safety systems. In particular, specific attention must be paid, at the design stage, to shutdown states and in particular to the specific operational modes required by the actions carried out during shutdown periods.
Chapters for the FSO: C.1.1 and: R; P.2, R.1; M.1, M.2

It is also highlighted that the quality of the design, manufacture, construction and operation is essential for safety within the context of the first defence in depth level. Quality must be obtained and demonstrated particularly via an adequate set of requirements for design, manufacture, construction, commissioning and operation and also via quality assurance. In addition, it is advisable to appropriately consider, at the design stage, the possibilities for inspecting and testing the equipment along with the possibilities for replacing certain equipment, considering that maintenance and test activities are essential for maintaining the safety of the unit throughout its operation.
Chapters for the FSO: C.1.1 and: C.2, N, E.2.5, F.5, J.5, M.2

A.1.3 - General strategy relating to severe accidents

A.1.3 The general objectives mentioned in section A.1.1 have the following general implications in relation to severe accidents.

a) "Practical elimination" of accident situations which would result in large early discharges
Chapters for the FSO: C.1.1 and:

• Accident sequences with containment bypass (via steam generators or via circuits connected to the primary cooling system which exit the containment) must be "practically eliminated" via design provisions (such as adequate design pressure for the pipework systems) and operating provisions with the aim of providing reliable isolation and also to prevent failures.
Chapters for the FSO: S.2.4, R.1

• Special attention must be paid to shutdown situations where the containment is open.
Chapters for the FSO: F.2, M.2, R.2

• Prevention, via design provisions, of reactivity accidents resulting from the rapid introduction of chilled or insufficiently borated water must be such that they may be "excluded".
Chapters for the FSO: G.5.10, I.3.2, R.1, S.2.4

• Primary cooling system overpressure must also be avoided where necessary via design provisions and operating procedures in order to contribute, in particular, to "excluding" reactor vessel rupture.
Chapters for the FSO: E.2, E.4.5, E.4.7, S.2, C.6.1.5

• High pressure core meltdown situations must be avoided via design provisions (such as diversity and automatic actions) for secondary side safety systems and if necessary for reactivity control and primary "open-feed" systems. Transforming with high reliability (1) high pressure core meltdown sequences into low pressure core meltdown sequences must be a design objective so that high pressure core meltdown situations may be "excluded". Depressurization must be such that the installation is able to deal with conditions resulting from ejection of the molten core into the atmosphere of the containment ("direct heating of the containment") and with loads on the reactor vessel supports and reactor pit structures.
Chapters for the FSO: E.4.8, S.2.1, S.2.2, S.2.4

• Global hydrogen detonations and steam explosions in and outside of the vessel, which jeopardize the containment integrity, must be "practically eliminated".
Chapters for the FSO: S.2.2, S.2.4

A.1.3 b) Limiting the consequences of low pressure core meltdown situations

• With reference to containment leaks, there must be no direct leakage from the containment toward the exterior. The pipes that are likely to transport radioactive substances outside of the containment enclosure must lead to peripheral buildings that have adequate containment capacities. Improvements for the permanent monitoring of containment leaktightness must be researched. The containment penetrations which are pressure resistant must support loads resulting from core meltdown sequences.
Chapters for the FSO: C.1.1 and: F.2.1, F.2.5, F.2.3

(1) As a guide, the equipment used to depressurize the primary cooling system must also be as reliable as the relief valve system used to prevent overpressure.

• The various aspects of the spray system must be appropriately considered inside the containment for severe accident situations. Such a system allows both the pressure and the radioactive aerosol concentrations to be reduced inside the containment; however, a spray system reduces damping via the steam and increases the hydrogen combustion flame speed.
Chapters for the FSO: F.2.7

• Residual heat must be removed from the containment with no venting system; for this function, a final residual heat removal system must be installed.
Chapters for the FSO: F.2.7

• With reference to the possible formation of combustible gaseous mixtures, the containment must be designed to resist global deflagration of the maximum quantity of hydrogen which may be contained in the enclosure during core meltdown accidents and also to resist a representative local rapid deflagration. Also, provisions must be made in respect of local detonations and the possibility of sequences with deflagration-detonation transition (DDT) which may damage the enclosure and its internal structures. Limiting combustible gas concentrations via the design of the internal structures and the use of catalytic recombiner units must, in particular, be considered.
Chapters for the FSO: C.5.1, S.2.1, S.2.2, F.2.4

• Penetration of the containment foundation raft by "corium" must be avoided, given that this phenomenon may result in significant discharges and long-term contamination of the water table and the basement. In addition, suitable provisions must be implemented to prevent contaminated gas and water leaks in the basement via cracks in the foundation raft.
Chapters for the FSO: C.5, F.2.1, F.2.6

A.1.4 - Demonstration of safety

A.1.4 The demonstration of safety for the next generation nuclear power plants must be carried out in a deterministic way, completed with probabilistic methods and suitable research and development work.
Chapters for the FSO: C.1.1 and:


A 1.4  In this demonstration, single initiating events must be "excluded" or "dealt with", meaning that their consequences are examined deterministically. Single initiating events may only be "excluded" if sufficient design and operating provisions are made so that it can be clearly demonstrated that this type of accident situation can be "practically eliminated"; for example, rupture of the reactor vessel and of other large components (such as the secondary side of the steam generators or the pressuriser) may be examined in this way. (FSO chapters: P, E.2, J.5, C.4.2, I.1.3)

A 1.4  Other single initiating events may be grouped to define a limited number of reference transients, incidents and accidents; these may be divided into categories according to the estimated frequencies of the corresponding groups of events. For each reference transient, incident and accident, the appropriate technical criteria must be respected under conservative assumptions, including aggravating failures. For those reference transients, incidents and accidents that are significant from the radiological point of view, assuming that the corresponding technical criteria are respected, it must be checked that the radiological consequences are tolerable and consistent with the general safety objectives stated in section A.1.1 for accident situations without core meltdown. Somewhat more severe radiological consequences may be considered tolerable for the categories with the lowest estimated frequency. (FSO chapters: P.0, P.3)

A 1.4  In addition to single initiating events, the demonstration of safety must analyse situations with multiple failures, along with internal and external hazards. The demonstration of safety for these situations and hazards may be supported by probabilistic evaluations. (FSO chapters: P.1, C.3, C.4, R.4)

A 1.4  Possible links between internal and external hazards and single initiating events must also be considered. (FSO chapter: C.3)

A 1.4  A probabilistic safety analysis must be carried out from the design stage onward, covering internal events at least; this analysis would indicate the core meltdown sequence frequencies, together with a preliminary view of the possible consequences of the various types of core meltdown situation for the containment function. (FSO chapter: R)


A 1.4  However, the "practical elimination" of accident situations which could result in large early releases is a matter of judgement, and each type of sequence must be examined separately. Their "practical elimination" may be demonstrated by deterministic and/or probabilistic considerations, taking into account the uncertainties due to limited knowledge of certain physical phenomena. It is emphasised that "practical elimination" cannot be demonstrated merely by respecting a generic probabilistic "cut-off value". (FSO chapter: S.2.4)

A 1.4  With reference to low pressure core meltdown accidents, given the wide range of possible accident conditions in severe accident situations, compliance with the general safety objectives stated in section A.1.1 must be demonstrated by calculating the radiological consequences of various representative sequences, which must be precisely defined according to the design of the unit. To evaluate the results, the intervention levels proposed in ICRP Publication 63 (for evacuation and relocation) and the European Union limits (for the marketing of foodstuffs) may be used as references. (FSO chapter: S.2.3)

A 1.4  It is emphasised that in general, for incident and accident situations, including core meltdown situations, the calculation of radiological consequences must cover both short-term and long-term consequences, considering the various pathways by which radioactive materials are transferred into the environment (air, surface waters, water tables) and to humans (external irradiation from the plume and from deposits on the ground, and intake of radionuclides by ingestion and inhalation). Atmospheric dispersion and deposition on vegetation, soil and other surfaces must in particular be determined. Analysis of the exposure of critical groups must use realistic assumptions and parameters, in particular for living habits, exposure conditions, integration times, meteorological conditions and the transfer of radionuclides in the environment. (FSO chapters: P.3, S.1.3, S.2.3, S.3.3)

A.2 - GENERAL SAFETY PRINCIPLES

A.2.1 - Reactor behaviour in transient operating conditions

A 2.1  Generally, the design of the unit must be such that the intrinsic behaviour of the reactor is stable (for example, a negative moderator coefficient). (FSO chapters: C.1.1 and D.4)


Improvements must be made to render the behaviour of the unit less sensitive to operator errors and operating system failures, for example via suitable automatic control and by implementing sufficiently large cooling capacities in the primary and secondary cooling systems and in the primary and secondary makeup water systems. Adequate grace periods must be obtained for the actions required of operators. (FSO chapters: Q.2, Q.3, P.2)

More precisely, the prevention of human errors, and reduced sensitivity to such errors, must be sought by increasing the margins in the design bases; by using passive systems or systems with increased passive characteristics; by simplifying the design and limiting interactions between systems, whilst not neglecting the possible advantages of functional redundancy; by broader automation of the safety systems for specific situations; and by man-machine interface improvements that give operators additional response time and reliable information for diagnosing the true behaviour of the unit. (FSO chapters: Q.3, Q.4)

A 2.1  Sufficient margins must be provided in relation to the safety limits, taking into account measurement uncertainties and abnormal unit behaviour due to minor disturbances or operator errors. (FSO chapter: P)

A 2.1  Unnecessary actuation of the safety systems must be avoided where possible. To avoid such actuations, the introduction of suitable limitation functions may be appropriate, i.e. additional control functions which operate when the operational control systems are unable to maintain the controlled variables within the limits specified for normal operation. (FSO chapters: C.2.1, G.4.3)


A.2.2 - Redundancy and diversity in the safety systems

A 2.2  For events that are not controlled by the operating systems and/or by the limitation functions, protection and backup systems are needed to bring the reactor to, and maintain it in, a safe state in terms of sub-criticality, core cooling and containment of radioactive substances. The reliability of these systems must be consistent with the general objectives for reducing the frequency of accidents, taking into account the estimated frequencies of the initiating events and the corresponding action times for these systems. This reliability must be obtained via an adequate combination of redundancy and diversity.

Adequate attention must be paid to the fact that the possibility of common-mode failures limits the extent to which unavailability can be reduced by adding identical trains (on this point, it is emphasised that it is probably not possible to demonstrate that the unavailability of a redundant safety system consisting of identical trains is less than 10^-4 per demand), and to the fact that diversity may result in more complex systems and maintenance difficulties; in addition, due attention must be paid to the support systems when the benefits of implementing diverse equipment and systems are evaluated.

Special attention must be paid to reducing the possibility of common cause failures. Physical separation and geographical separation must be implemented where possible. The support functions (energy, control, cooling, etc.) must also be as independent as possible. The redundancy and diversity of the electrical sources must be particularly emphasised. (FSO chapters: C.1.1 and G, 15, R, C.2, H.3, S.5)

A 2.2  Furthermore, provisions (including hardware and software diversity) must be implemented at the level of the overall instrumentation and control architecture to limit common-cause software failures. (FSO chapter: G)
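The point made above about identical trains, common-cause failure and support systems can be quantified with a beta-factor common-cause model. The Python block below is an added worked example written for this edit; it is not part of the Technical Guidelines or of the FSO, and every numerical input (per-train failure probability on demand q, common-cause fraction beta, support-system unavailability) is an illustrative assumption rather than EPR data. It shows that a system of identical trains has an unavailability floor of about beta times q that no number of additional trains can get below, why a figure such as 10^-4 per demand is hard to demonstrate with identical trains, and how a diverse second system helps only as far as the support system shared by both remains reliable.

```python
"""
Added worked example (not part of the Technical Guidelines or the FSO):
a beta-factor common-cause failure (CCF) model for a safety system built
from identical redundant trains, plus a diverse backup behind a shared
support system.  All numbers are illustrative assumptions, not plant data.
"""
from math import comb


def split_train_failure(q, beta):
    """Beta-factor model: a fraction beta of each train's demand failure
    probability q is a common-cause failure that takes out every train at
    once; the remainder fails trains independently of each other."""
    return (1.0 - beta) * q, beta * q


def redundant_unavailability(q, beta, n_trains, n_required=1):
    """Unavailability per demand of n_trains identical trains, of which
    n_required must work.  The system fails if a CCF occurs, or if no CCF
    occurs and fewer than n_required trains survive independent failures."""
    q_ind, q_ccf = split_train_failure(q, beta)
    # P(fewer than n_required of n_trains survive), binomial in q_ind
    p_too_few = sum(
        comb(n_trains, k) * (1.0 - q_ind) ** k * q_ind ** (n_trains - k)
        for k in range(n_required)
    )
    return q_ccf + (1.0 - q_ccf) * p_too_few


def ccf_floor(q, beta):
    """Unavailability that remains however many identical trains are added:
    the common-cause term does not shrink with redundancy."""
    return beta * q


def trains_needed(q, beta, target, max_trains=8):
    """Smallest number of identical trains meeting the target unavailability,
    or None when the CCF floor makes the target unreachable."""
    for n in range(1, max_trains + 1):
        if redundant_unavailability(q, beta, n) <= target:
            return n
    return None


def diverse_pair_unavailability(q_a, beta_a, n_a, q_b, beta_b, n_b, q_support=0.0):
    """Two diverse systems A and B with no CCF between them, both depending
    on one shared support system (e.g. electrical supply, cooling water)
    of unavailability q_support: a support failure defeats both at once."""
    u_a = redundant_unavailability(q_a, beta_a, n_a)
    u_b = redundant_unavailability(q_b, beta_b, n_b)
    return q_support + (1.0 - q_support) * u_a * u_b


if __name__ == "__main__":
    Q, BETA, TARGET = 1e-2, 0.05, 1e-4  # assumed values, not plant data
    print(f"per-train q={Q:.0e}, beta={BETA}, CCF floor={ccf_floor(Q, BETA):.1e}")
    for n in (1, 2, 3, 4):
        print(f"  {n} identical train(s): {redundant_unavailability(Q, BETA, n):.2e}")
    print("trains needed for target", TARGET, "->", trains_needed(Q, BETA, TARGET))
    print("diverse backup, ideal support:",
          f"{diverse_pair_unavailability(Q, BETA, 2, Q, BETA, 1):.2e}")
    print("diverse backup, shared support q=1e-3:",
          f"{diverse_pair_unavailability(Q, BETA, 2, Q, BETA, 1, q_support=1e-3):.2e}")
```

With the assumed q = 10^-2 and beta = 0.05, two identical trains give roughly 6 x 10^-4 per demand and four trains barely improve on the 5 x 10^-4 floor, so the 10^-4 target is unreachable by redundancy alone; a single diverse train behind an ideal support system brings the pair below 10^-5, but a shared support system with unavailability 10^-3 makes that support system the dominant term, which is the reason the text insists on independent support functions.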


A.2.3 - Man-machine interface

Due attention must be paid to human factors at the design stage, taking into account aspects linked to normal operation, tests and maintenance, with particular emphasis on operational experience. The general aim is to take advantage of human capabilities whilst minimising the possibilities of human error and making the unit less sensitive to such errors (see section A.2.1). Due attention must be paid to simplifying operation, minimising the human actions needed to carry out the safety functions, and making provisions for good maintainability, testing, and reliable monitoring of the availability of the safety systems. (FSO chapters: C.1.1 and Q.2)

A complete human factors engineering programme must be implemented. This programme must also cover maintenance and test activities, so as to provide consistency and traceability between human factors questions and design choices, within a well structured human factors approach and according to good practice in the field. This human factors engineering programme should be implemented under the supervision of a dedicated team which includes human factors experts. (FSO chapter: Q.2)

Adequate man-machine interfaces must be developed in all areas where humans interact with technical equipment, taking into consideration the organisation of the teams. Apart from operations in the control room, this includes tests, repairs and maintenance. (FSO chapters: Q.2, Q.3, Q.4)

Reducing operator errors, and making the unit less sensitive to them, may be achieved by using suitable ergonomic design principles and by providing long enough response times for operator actions. The time required depends on the complexity of the situation to be diagnosed and of the actions to be taken. (FSO chapters: Q.2, Q.3, Q.4, P.2)

Sufficient and appropriate information must be provided to the operators for a clear understanding of the true state of the unit, including in severe accident conditions, and for a clear evaluation of the effects of their interventions. (FSO chapters: Q.2, Q.3, Q.4)


A.2.4 - Protection against internal hazards

A 2.4  Internal hazards may be defined as events originating inside the unit that may create hostile conditions for, or damage to, the equipment required to fulfil the three basic safety functions mentioned in section A.1.2. In particular, they include pipe, vessel, tank, pump and valve failures, as well as floods, fires, explosions, missiles and dropped loads. (FSO chapters: C.1.1 and C.4)

The "defence in depth" principle must be applied to protection against internal hazards, to limit both the probability and the consequences of such hazards by implementing provisions for prevention, monitoring and limitation of the consequences which are consistent with the provisions made for internal events. (FSO chapter: C.4)

In relation to the definition of the three basic safety functions, not only the buildings containing the systems required for reaching and maintaining a safe shutdown state but also the buildings housing systems containing radioactive materials must be considered. (FSO chapter: C.4)

It should be emphasised that the occurrence of internal hazards during shutdown states must be examined carefully, taking into account the specific configurations of the safety systems and equipment that may be required in those states. (FSO chapter: C.4)

To check the design and the demonstration of safety relating to internal hazards, special attention must be paid to evaluating the completeness of the set of possible causes of such hazards, including for example alignment errors or electromagnetic interference, as well as the possibility of internal hazards being induced by other internal or external events affecting the unit, and of events that may affect the three basic safety functions on more than one of the successive levels of defence in depth. (FSO chapter: C.4)

A.2.5 - Protection against external hazards

A 2.5  External hazards may be defined as natural events, or events linked to human activities, originating outside the unit that may adversely affect the safety of the unit. In particular, they include earthquakes, aircraft crashes and explosions. (FSO chapters: C.1.1 and C.3)


External hazards may affect various lines of defence of the unit consecutively or simultaneously, and they depend on the site. Therefore, due attention must be paid to the choice of site, with the aim of not imposing excessive requirements on the design of the corresponding unit. Generally, the design provisions made in respect of external hazards must be consistent with those made for internal events and internal hazards; that is, external hazards must not constitute a large part of the risk associated with next generation nuclear power plants. (FSO chapters: C.3, R.4)

The general purpose of the design provisions is to guarantee that the safety functions of the systems and equipment required to bring the unit to a safe shutdown state and to prevent and limit radioactive releases are not affected in an unacceptable manner by an external hazard. However, as external hazards depend on the site, not all of them need to be taken into account in a standardised design; external hazards such as external floods, droughts, ice formation, and corrosive, combustible or toxic gases may be dealt with only for a particular unit, according to its site. (FSO chapter: C.3)

Equipment whose function is necessary during external hazards must be qualified for the range of parameters presumed to occur during such events. (FSO chapters: C.1, C.3, C.7)

A.2.6 - Using probabilistic safety analyses

A 2.6  As already indicated in section A.1.4, a probabilistic safety analysis must be carried out at the design stage with the following objectives: confirming the choice of design options, including the redundancy and diversity of the safety systems; ensuring a balanced safety concept; and evaluating deviations from current safety practice, so as to appreciate the improvement in the level of safety compared with existing units. Evaluation of the results of the probabilistic safety analyses against probabilistic quantitative objectives may provide useful indications. In general, however, probabilistic quantitative objectives must not be considered as requirements; they are mainly used to provide reference values for checking and evaluating the design. (FSO chapters: C.1.1 and R.0)


As regards the general method, the probabilistic safety analysis may be carried out in two or more stages: a simplified analysis at the design stage, and a more in-depth analysis during the engineering phases, when more accurate information on the design becomes available. (FSO chapter: R)

The simplified analysis, covering internal events at least, must present a preliminary evaluation of the core damage frequency and of the corresponding sequences; the designer must also distinguish the various types of core meltdown sequence according to their consequences for the behaviour of the containment. (FSO chapters: R.1, R.2)

Furthermore, at the design stage, various design options must be evaluated and sensitivity studies must be carried out. However, applying probabilistic safety analysis at an early design stage must be done with care, because the final results will depend on the actual choice of components, system technologies and operating procedures. (FSO chapter: R.1)

It is nevertheless emphasised that, even for the first evaluation at the design stage, the designer must consider a list of initiating events that is as complete as possible. It is essential to deal with common cause failures in order to evaluate certain design options. Another important subject is the treatment of human interventions, including diagnosis and maintenance. It is also essential to use qualified data. (FSO chapter: R.1)

Within the framework of more complete studies, internal and external hazards should be considered, with the development of appropriate methods; in addition, the need for and feasibility of a level 2 probabilistic safety analysis may be considered. (FSO chapters: R.4, R.2)

A.2.7 - Radiological protection of workers and members of the public

A.2.7.1 - Occupational exposure of workers

A 2.7.1  As indicated in section A.1.1, a reduction of the occupational exposure of workers must be sought via an optimisation process which takes into account data from operational experience, in particular in France and Germany. (FSO chapters: C.1.1 and L.1)

It is emphasised that identification of the relevant radiological protection options is only the first stage of an ALARA approach, which must be completed by a comparative evaluation of the effectiveness of these options. Objectives must be defined in terms of both collective doses and individual doses. (FSO chapter: L.4)


Operational experience shows that improvements in individual and collective doses may result from design provisions, for example the choice of materials together with a suitable water chemistry to avoid corrosion products, the implementation of shielding, better component reliability, the use of robots, and ease of operation. In particular, the designer must consider easy access to work locations, environmental working conditions, and the development of specific tools and robots to reduce dose rates and/or intervention times. (FSO chapters: C.1.1 and E, L)

The designer must also make provision, where possible and reasonable, for carrying out non-scheduled activities such as repairs and replacements.

A.2.7.2 - Radioactive effluents and waste

A 2.7.2  In accordance with the optimisation principle, the unit must be designed to limit the exposure of members of the public to radiation resulting from radioactive material released into the air or into water. The corresponding exposures will be determined for a reference person (a member of the critical group) at the most unfavourable location, considering all the relevant exposure pathways and taking into account the discharges from other installations. (FSO chapters: C.1.1 and 2.8)

In order to set discharge limits for a unit within the authorisation procedures, the specific site conditions will be considered; due attention will also be paid to possible later contributions to exposure on the site resulting from human activities. (FSO chapter: 2.8)

Design provisions must be made to further reduce the activity and the volume of the radioactive materials to be removed from the unit as waste. Taking these materials as the starting point, the efforts made to reduce discharges must be balanced against the quantity of waste generated by those efforts. As for radiological protection, the doses to members of the public from discharges, the exposure of workers, and the doses caused by the waste must all be considered in the optimisation process. (FSO chapters: K.1, K.3, L.4)


B - BASIC SAFETY CHARACTERISTICS

B.1 - DESIGN OF THE BARRIERS

B.1.1 - Design of the core and the fuel cladding

B 1.1  The design of the fuel assemblies for next generation nuclear power plants may be based on current reference designs, for example 17x17 assemblies with UO2 or UO2-PuO2 pellets, with the excess reactivity of the fresh assemblies being compensated where necessary by burnable poisons (for example, UO2 mixed with Gd2O3). (FSO chapter: D)

B 1.1  Later improvements in the understanding of the behaviour of fuel assembly materials in normal and accident conditions, as well as objectives for higher burnups than in existing reactors, could lead the designer to propose fuel design developments. Developments in fuel design and burnup must be introduced with care. (FSO chapter: D)

The designer must demonstrate that fuel design developments do not adversely affect the overall behaviour of the fuel assemblies under irradiation, in particular with regard to deflection and deformation phenomena, and must justify the criteria proposed for normal and accident conditions. Any authorisation request relating to a modification of the fuel design or its burnup must be based on adequate research and development results, including results obtained on demonstration fuel assemblies with an equal or greater burnup, and on suitable qualification of the design codes (in particular for slow power ramps, loss of coolant accidents and reactivity accidents).

For example, it would be appropriate to eliminate, via the fuel design, the risk of cladding failure from pellet-clad interaction during the reference transients, without restricting the operation of the reactor (load following, prolonged operation at reduced power). It is emphasised that the corresponding demonstration must be supported by experimental justification. (FSO chapter: D.2)

B 1.1  For the neutronic and thermal-hydraulic aspects, the considerations developed in the second paragraph of this section regarding fuel design apply in particular to the residual power (decay heat) curve and to the treatment of the uncertainties associated with the DNB correlation used to calculate the DNB ratio (REC). (FSO chapter: D.3)


As regards the reactivity coefficients, as already indicated in section A.2.1, the reactor design must be such that the intrinsic behaviour of the reactor is stable (for example, negative moderator feedback). In principle, the moderator temperature coefficient must remain negative from hot shutdown to nominal conditions with all of the control rods withdrawn from the core [2]; the void coefficient must be negative in all conditions. (FSO chapter: D.3)

B 1.1  Monitoring of the power distribution in the core must be ensured via fixed in-core neutron instrumentation, a movable measuring system ("aeroball") and ex-core neutron instrumentation. (FSO chapters: D.4, G.5.2, G.5.3)

[2] However, some fuel management schemes may result in high boron concentrations at the very beginning of core life, and consequently in a positive moderator temperature coefficient.


B.1.2 - Primary cooling system

B.1.2.1 - General requirements

B 1.2.1  The integrity of the reactor coolant pressure boundary is a question requiring special attention. High quality levels must be obtained for its components via the choice of materials, manufacturing processes with their associated inspections, calculation rules with suitable assumptions for analysing systems and accidents, measures taken at the design stage to simplify maintenance and continuous monitoring, specific operating procedures, and operational surveillance including in-service inspection. (FSO chapter: E)

B.1.2.2 - Breaks assumed at the design stage

B 1.2.2  Breaks in the reactor coolant pressure boundary form part of the events to be dealt with in the demonstration of safety. Small pipework ruptures cannot be excluded, owing to phenomena such as vibration and corrosion. On the other hand, a complete guillotine break of a large, correctly designed, manufactured and inspected pipe is highly unlikely; thus, when design, manufacturing and inspection provisions are implemented, the complete guillotine break of a main reactor coolant pipe may be "excluded" (in the sense given in section A.1.4). The possibility of accessing and inspecting every point of these pipes is of course a necessary prerequisite; the designer must in particular implement provisions allowing access for complete volumetric inspection of all the main reactor coolant pipe welds and of the parts of the large connected pipes where degradation is possible, and allowing two volumetric inspection methods to be used for bimetallic welds. In addition, a suitable combination of the available methods must be implemented to monitor primary leaks [3]. (FSO chapters: P, S, C.4.2, E.2)

[3] Additional provisions may be implemented locally to detect low leak rates.


B.1.2.3 - Consequences for the demonstration of safety

The loads to be considered for the design of the reactor vessel internal structures and for the design of the structures in the containment building are therefore limited to those resulting from a rupture equivalent to a complete guillotine break of the largest pipe connected to a main reactor coolant pipe (the pressuriser surge line).
Chapters for the FSO: C.6.5, C.6.6, C.5.3

In practice, the designer must assume that any pipe connected to a main reactor coolant pipe could become detached from the corresponding branch pipe. In these conditions, the cross-section through which the primary coolant could escape, once the ruptured pipe is displaced, is the same as the internal section of the branch pipe; no flow limiters may be taken into account for the corresponding calculations (break flow rate, pressure wave, etc.).
Chapters for the FSO: P

In addition, the break flow rate equivalent to a double-ended guillotine rupture of a main reactor coolant pipe must be assumed for the design of the core backup cooling function (using realistic assumptions and models and suitable criteria, to be proposed by the designer) and of the pressure-retaining containment building, in order to obtain safety margins for core cooling, with a view to avoiding core meltdown, and for the containment function.
Chapters for the FSO: C.5, F.2.1, S.3

The double-ended guillotine rupture must also be assumed for the component supports and for the qualification of equipment.
Chapters for the FSO: E.4.9, C.7

B.1.3 - Requirements relating to the main secondary coolant pipes

For the secondary cooling system, ruptures of the main steam pipes between the steam generators and the first isolation devices outside the reactor building (or the first fixed points located downstream of these devices), and of the main feedwater pipes located between the steam generators and the reactor building penetrations, may be "excluded" if the following requirements are met:
Chapters for the FSO: J.5


• in general, statutory requirements and construction codes targeting a high quality must be applied; in addition, the design requirements must be stricter than the general rules for category 1 pipes [4];
• significant hydrodynamic effects must be avoided;
• the fixed points must be as close to the containment penetrations as possible;
• materials must remain in the ductile region for the lowest temperatures that may be encountered during reference transients, incidents and accidents;
• pipes and elbows must have no welds. Geometrical singularities and stress concentrations must be avoided; in particular, this applies to welds on supports, attachments and fittings. Temporary welds or fittings must be prohibited;
• the chemistry of the water must be checked with high reliability;
• the installation of systems must allow easy access to all external piping surfaces; in-service inspection of welded areas must be possible, using effective methods.
Chapters for the FSO: J.5

In addition, the possibility of common cause failure of the main steam pipework and the main feedwater pipework must be reduced as much as possible by adequately separating the systems.
Chapters for the FSO: J.3, 10.6

In all cases, the designer must assume that any pipe connected to the main secondary coolant pipework may be separated from its branch pipe.
Chapters for the FSO: J.5, 15

It must also be highlighted that the designer must define the load conditions that will be considered for the mechanical design of the steam generator internal structures and supports, and for the main steam line and main feedwater line supports inside the reactor building.
Chapters for the FSO: E.4

[4] According to the technical codes relating to mechanical equipment.


B.1.4 - Containment function

As already indicated in section A.1.2, the general objectives established for the next generation of nuclear power plants require a substantial improvement of the containment function; the general strategy relating to severe accidents mentioned in section A.1.3 presents the technical objectives concerning this function more precisely.

B.1.4.1 - Design requirements for the containment and the peripheral buildings
Chapters for the FSO: C.1.1

These objectives may be achieved by using a double-wall containment concept comprising a pre-stressed concrete inner wall and a reinforced concrete outer wall, with the containment annulus between the inner and outer walls maintained at a pressure below atmospheric pressure, so as to collect any leaks through the inner wall and to filter them before discharging them to the environment via the stack.
Chapters for the FSO: C.5.1, F.2.1, F.2.2, F.2.5

The design pressure and design temperature of the containment inner wall must be such that they allow a grace period of at least 12 hours without heat removal from the containment after a severe accident. They must also guarantee its integrity and leaktightness even after a global deflagration of the maximum quantity of hydrogen that may be present in the containment building during low pressure core meltdown accidents (see section A.1.3).
Chapters for the FSO: C.5.1, F.2; S.2.2

It may be presumed that this quantity of hydrogen is not produced and released into the containment instantaneously, but as a function of time derived from representative severe accident sequences; catalytic recombiner units may be used to significantly reduce the quantity of hydrogen in the containment, and the hydrogen concentrations, as a function of time. Thus, the quantity of hydrogen to be considered when designing the containment inner wall depends, in particular, on parameters such as the core characteristics, the hydrogen releases into the containment as a function of time, and the effectiveness of the catalytic recombiner units.
Chapters for the FSO: S.2.2


In addition, the containment volume and the means for limiting the consequences must be such that they prevent the possibility of a global hydrogen detonation. High hydrogen concentrations must be avoided as far as possible through the design of the containment internal structures; in addition, specific provisions, such as reinforced compartments and containment walls, must be implemented where necessary to deal with phenomena such as rapid local deflagrations or deflagration-to-detonation transition sequences (see paragraph E.2.2.4).
Chapters for the FSO: C.5.1, S.2.; F.2.4

With reference to the foundation raft, the objectives indicated in section A.1.3 relating to low pressure core meltdown situations may be achieved by adequately implementing a large, cooled corium spreading compartment.
Chapters for the FSO: F.2.6, F.2.7, S.2.2

A low leak rate of the containment inner wall is essential [5]. In view of existing experience, it is recommended to use high-performance concrete with low delayed deformation for this inner wall. Injection products should be used systematically, in particular at each construction joint and at each interface between the concrete and the penetration sleeves. Special attention must also be paid to the design measures for obtaining adequate leaktightness of the pre-stressed concrete in all the singular areas, such as the foundation raft, the gusset, the area between the polar crane support bracket and the dome belt, the area surrounding the equipment hatch, and the dome. In all cases, installing a leaktight liner locally on the inner wall of the containment building, over all these singular areas, appears necessary [6].
Chapters for the FSO: F.2.1, C.5.1

Periodic leaktightness tests of the containment must be carried out at the design pressure of the building. In principle, an air test at the containment design pressure must be carried out before installing the leaktight liner on the inner wall, in order to detect any major construction defect that might otherwise be hidden by the leaktightness of this liner. Provisions must also be implemented to check, and if necessary re-establish, adequate leaktightness of the containment building outer wall.
Chapters for the FSO: F.2.5

[5] Calculations of radiological consequences demonstrate that, for a double-wall containment concept as described in this section, assuming a leak rate of 1% per day or less of the containment atmosphere into the containment annulus and no direct leakage from the containment into the external atmosphere, the radiological consequences of a medium-size primary break followed by low pressure core meltdown are consistent with the objectives indicated in section A.1.1.

[6] Where the effectiveness and robustness of the concept for limiting the consequences of the hydrogen risk are clearly demonstrated, installation of a leaktight liner over the entire internal surface of the containment building is not required.


Specific provisions must be implemented to collect possible leaks associated with the various types of penetrations [7], as well as provisions ensuring adequate containment capability for the peripheral buildings.
Chapters for the FSO: F.2.5

Detailed information must be provided by the designer regarding the containment leak collection system and the leaktightness monitoring system: design and operational criteria (leaktightness, periodic tests, etc.), qualification of the valves for the corresponding ambient conditions, protection against hazards (as defined in sections A.2.4 and A.2.5) that may damage the equipment of the system, etc.
Chapters for the FSO: F.2.2, F.2.5

With reference to the peripheral buildings, a leaktightness value must be defined for each peripheral building with a containment function, including the nuclear auxiliary building, the safeguard auxiliary building and the spent fuel building. In addition, adequate means must be considered for restoring the leaktightness of the safeguard auxiliary building following a break in the safety injection system or in the residual heat removal system outside the containment building.
Chapters for the FSO: F.2.1; I.4, S.3

Provisions must also be implemented to maintain, where necessary, a negative pressure in the containment and in the peripheral buildings during shutdown states, taking into account the location of the fuel during these states.
Chapters for the FSO: I.4, F.2.1

B.1.4.2 - Prevention of containment bypasses

As indicated in section A.1.3, core meltdown sequences with containment bypass (via the steam generators, or via the circuits connected to the primary cooling system and leaving the containment) must be "practically eliminated". This involves a systematic examination of all possible bypass sequences, with a deterministic analysis of the corresponding lines of defence, completed by the probabilistic safety analysis results. The following aspects may be mentioned:
Chapters for the FSO: S.2.4, R.1

[7] These provisions should include a leak recovery system for the equipment hatch, the personnel and emergency air locks, the fuel transfer tube and certain mechanical penetrations communicating with ventilated rooms.


a/ the list of possible containment bypass sequences must include leaks from the containment heat removal system, containment bypasses via the leak collection system, and liquid effluents flowing through the inter-containment space;
Chapters for the FSO: R.1, R.2

b/ in general, with reference to leaks and breaks of the circuits connected to the reactor cooling system, design provisions must be implemented to prevent overpressure in the low pressure parts of the connected systems, or to ensure adequate design of these parts with respect to overpressure. The corresponding provisions must be specified (design pressure and design temperature, along with the associated criteria). In addition, strict requirements must be applied to the means implemented to detect primary leaks in the peripheral buildings and to avoid their consequences. Exceptions must be justified on a case-by-case basis; this applies to the leak detection means in the nuclear auxiliary building.
Chapters for the FSO: F.3

For the circuits connected to the primary cooling system, the designer must study the use of diverse isolation means, the failure possibilities of these means and of the associated monitoring equipment, and the use of pipes designed to withstand the primary coolant pressure in the corresponding situations. In addition, the risk of containment bypass through pipes equipped only with manual valves must be studied by the designer.
Chapters for the FSO: R.1; R.1

With reference to the large tank of borated water used for safety injection and located inside the reactor building, the suction lines outside the containment must be equipped, up to the first valve, with a double envelope designed to contain the accident conditions inside the containment, not only at the beginning of the accident but also in the long term; the double envelopes must be designed to allow periodic inspection of the internal suction pipes. In addition, the consequences of a leak from the internal pipework must be considered.
Chapters for the FSO: F.3

Core meltdown sequences with a significant leak from the steam generator tubes (up to multiple steam generator tube ruptures) must be "practically eliminated". On this subject, the designer must study the situations mentioned in paragraph E.2.2.5.
Chapters for the FSO: S.2.4, S.3; F.2.3, R.2


With reference to core meltdown sequences which could occur in shutdown states with the containment building open (which will only be authorised for certain states, see paragraph E.2.2.5), the designer must demonstrate that, for representative accident sequences, the containment will be reliably closed before significant radioactive releases can occur inside the containment; this requirement particularly concerns the equipment hatch, taking into account the time available before the water in the reactor core boils, the ambient conditions in the reactor building, and the need for support systems where applicable.
Chapters for the FSO: C.2.1, C.5.2

B.2 - SAFETY SYSTEMS AND FUNCTIONS

B.2.1 - Classification of the safety functions, barriers, structures and systems

A safety function [8] may be defined as the combined action of a set of technical provisions to perform a specific task in a specific state of the plant. A safety function may be performed by one or more systems.

Implementation of the "defence in depth" principle may be based on the introduction of a classification of safety systems and functions. The aim of this classification is to define the general requirements applicable to safety systems and functions, with the requirements ranked according to the importance of these functions and systems for safety.
Chapters for the FSO: C.2.1

A possible way of defining a suitable classification is to study the various reference transients, incidents and accidents, according to their estimated frequencies, considering the following two physical states:
Chapters for the FSO: C.1.1, P.0

[8] As distinct from the basic safety functions mentioned in section A.1.2.


a) in the "controlled" state, the core is subcritical (a short-term return to criticality before operator action, resulting only in a low neutronic power, may be accepted on a case-by-case basis for a few events), heat removal is ensured in the short term, for example via the steam generators, the water inventory of the core is stable, and the radioactive releases remain tolerable [9];

b) in the safe shutdown state, the core is subcritical, the residual heat is removed on a continuous basis [10], and the radioactive releases remain tolerable [9].

For multiple failure conditions, a final state may be defined: the core is subcritical, the residual heat is removed by the primary or secondary cooling systems, and the radioactive releases remain tolerable [9].
Chapters for the FSO: S.1.0

With these definitions:
• the safety functions required to reach the "controlled" state after a reference transient, incident or accident are classified F1A;
• the safety functions required beyond the "controlled" state to reach and maintain the safe shutdown state after a reference transient, incident or accident are classified F1B;
• the safety functions required to reach the final state for multiple failure conditions are classified F2.
In addition, the safety functions required for dealing with internal and external hazards are also classified F2 [11]. Finally, the instrumentation and control functions which contribute to maintaining the initial conditions of the reactor within the limits assumed in the demonstration of safety, and the limitation functions implemented to prevent spurious protection actuations, are classified F2.
Chapters for the FSO: C.2.1

[9] Consistent with the objectives indicated in section A.1.4.

[10] The cooling chains are able to transfer the heat to the final cooling water on a sustained basis.

[11] When they are studied according to an event-based approach.


The classification of safety systems (including, in principle, support systems) may be deduced from the classification of safety functions:
• if, for at least one reference transient, incident or accident, a given system must perform an F1A function, then this system is classified F1A; however, support systems for an F1A function may be classified F1B if they are in service and do not need to change state when the event occurs, and if they do not fail because of the event;
• if, for at least one reference transient, incident or accident, a given system must perform an F1B function, then this system is classified at least F1B;
• if, to prevent or limit the consequences of a multiple failure condition, a given system is important for significantly reducing the frequency of core meltdown, then this system is classified at least F2.
Chapters for the FSO: C.2.1

The general requirements for an F1A system are: application of the single failure criterion [12] (at the system level), physical separation of redundant trains, emergency power supply from the main emergency diesel generator sets, periodic tests, quality assurance, resistance to earthquakes, and, for the corresponding equipment, use of accepted design codes and qualification for accident conditions.
Chapters for the FSO: C.2.1

The general requirements for an F1B system are: application of the single failure criterion (at the function level), physical separation of redundant trains (at the function level), emergency power supply from the main emergency diesel generator sets, periodic tests, quality assurance, resistance to earthquakes, and, for the corresponding equipment, use of accepted design codes and qualification for accident conditions.
Chapters for the FSO: C.2.1

The general requirements for an F2 system are: periodic tests, quality assurance and use of accepted design codes for the corresponding equipment; physical separation is implemented when an F2 system is used as a backup for an F1A or F1B system; the requirements relating to emergency power supply, resistance to earthquakes and qualification for accident conditions of the corresponding equipment are defined on a case-by-case basis.
Chapters for the FSO: C.2.1

[12] The definition of the single failure criterion and its combination with preventive maintenance are presented in section C.2.1.


The classification concept must also take into account the barriers that prevent, control and limit the consequences of radioactive releases. This means that the classification of the barriers relating to the various radioactive sources completes the classification deduced from the studies of reference transients, incidents and accidents and of multiple failure conditions; a system, equipment item or structure may therefore be classified both for its barrier function and for its barrier protection function.
Chapters for the FSO: C.2.1

All equipment classified as a barrier must have a functional classification of at least F2, and the corresponding mechanical equipment must be designed at least according to the appropriate technical codes.
Chapters for the FSO: C.2.1

Specific functional (for example, leaktightness) and operational (for example, maintenance, periodic tests) requirements must also be defined for the systems that have a barrier classification and for the buildings that provide a containment function, for all parts of the unit. These requirements must also take into account the analysis of internal and external hazards; due attention must also be paid to components which present a risk of damage due to their high energy.
Chapters for the FSO: C.2.1

Specific attention must be paid to the classification of barriers, and to the associated requirements, for the containment isolation valves, the leak collection system penetrations and the transfer tube, as well as for the active and passive equipment, structures and other devices linked to the spent fuel pool containment.
Chapters for the FSO: C.2.1, C.2.2
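The deduction rules of B.2.1 (system class follows the most demanding function it performs, the support-system relaxation for F1A functions, the "at least F2" floors for core-melt-frequency reduction and for barriers, and the requirement set attached to each class) are worked through below as an added example. This is illustrative code written for this page, not part of the Technical Guidelines or of the EPR classification list; the function and system names and flags in the plant model are constructed for the example.

```python
"""Deduce the classification of safety systems (F1A / F1B / F2) from the
classification of the safety functions they perform, following the rules
stated in B.2.1, and list the general requirements attached to each class.

The plant model (function and system names, flags) is constructed for this
example and is not the EPR classification list."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple


class SafetyClass(IntEnum):
    """Ordered so that max() yields the most demanding class."""
    UNCLASSIFIED = 0
    F2 = 1
    F1B = 2
    F1A = 3


@dataclass(frozen=True)
class SafetyFunction:
    name: str
    cls: SafetyClass  # F1A: reaches the controlled state; F1B: reaches/keeps safe shutdown; F2: others


@dataclass(frozen=True)
class System:
    name: str
    performs: Tuple[SafetyFunction, ...] = ()   # functions performed directly
    supports: Tuple[SafetyFunction, ...] = ()   # functions for which this is a support system
    # Support-system relaxation of B.2.1: already in service, no state change
    # needed when the event occurs, and not failed by the event.
    support_in_service_unaffected: bool = False
    reduces_core_melt_frequency: bool = False   # important for a multiple failure condition
    is_barrier: bool = False                     # barrier equipment is at least F2
    backs_up_f1_system: bool = False             # F2 system used as backup of an F1A/F1B system


def classify_system(system: System) -> SafetyClass:
    """Apply the B.2.1 deduction rules; the result is the most demanding class reached."""
    cls = SafetyClass.UNCLASSIFIED
    for fn in system.performs:
        cls = max(cls, fn.cls)
    for fn in system.supports:
        if fn.cls == SafetyClass.F1A and system.support_in_service_unaffected:
            cls = max(cls, SafetyClass.F1B)  # relaxation applies only to support of an F1A function
        else:
            cls = max(cls, fn.cls)
    if system.reduces_core_melt_frequency or system.is_barrier:
        cls = max(cls, SafetyClass.F2)       # "at least F2" floors
    return cls


_COMMON = ("periodic tests", "quality assurance", "accepted design codes")


def requirements_for(system: System) -> Tuple[str, ...]:
    """General requirements of B.2.1 for the class deduced for the system."""
    cls = classify_system(system)
    if cls == SafetyClass.F1A:
        return _COMMON + (
            "single failure criterion (system level)",
            "physical separation of redundant trains",
            "emergency power supply (main emergency diesel generators)",
            "resistance to earthquakes",
            "qualification for accident conditions",
        )
    if cls == SafetyClass.F1B:
        return _COMMON + (
            "single failure criterion (function level)",
            "physical separation of redundant trains (function level)",
            "emergency power supply (main emergency diesel generators)",
            "resistance to earthquakes",
            "qualification for accident conditions",
        )
    if cls == SafetyClass.F2:
        reqs = _COMMON + ("emergency power / earthquakes / accident qualification: case by case",)
        if system.backs_up_f1_system:
            reqs += ("physical separation from the F1A/F1B system it backs up",)
        return reqs
    return ()


# Constructed example plant model (not EPR data).
REACTOR_TRIP = SafetyFunction("reactor trip to controlled state", SafetyClass.F1A)
BORATION_TO_SAFE_SHUTDOWN = SafetyFunction("boration to safe shutdown", SafetyClass.F1B)
HAZARD_MITIGATION = SafetyFunction("internal hazard mitigation", SafetyClass.F2)

PROTECTION_SYSTEM = System("protection system", performs=(REACTOR_TRIP,))
COOLING_WATER = System("component cooling water", supports=(REACTOR_TRIP,),
                       support_in_service_unaffected=True)      # relaxation: F1B
DIESELS = System("emergency diesel generators", supports=(REACTOR_TRIP,))  # must start: F1A
EXTRA_BORATION = System("extra boration system", performs=(BORATION_TO_SAFE_SHUTDOWN,))
FIRE_PROTECTION = System("fire protection", performs=(HAZARD_MITIGATION,))
BACKUP_PUMP = System("diverse backup pump", reduces_core_melt_frequency=True,
                     backs_up_f1_system=True)
LINER = System("containment liner", is_barrier=True)

if __name__ == "__main__":
    for s in (PROTECTION_SYSTEM, COOLING_WATER, DIESELS, EXTRA_BORATION,
              FIRE_PROTECTION, BACKUP_PUMP, LINER):
        print(f"{s.name:30s} -> {classify_system(s).name}: {requirements_for(s)}")
```

The point of encoding the rules is the ordering: a class is only ever raised, never lowered, by an additional function or floor, and the support-system relaxation is the one place where a system ends up below the class of the function it serves, which is why it is gated on all three of the stated conditions.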

B.2.2 - Requirements for the safety equipment

B.2.2.1 - Qualification of the safety equipment

The equipment needed for the demonstration of safety must be qualified for the conditions in which it is required. Qualification covers operation and reliability, taking into account the environmental conditions to which the materials and equipment would be exposed in the unit, including severe accident conditions. The qualification process must be completed before the unit is started up, in particular for new materials and equipment.
Chapters for the FSO: C.7.1, C.7.2


The designer must specify his general qualification approach for classified equipment; this approach must be applied to all types of equipment (mechanical, electrical, etc.) inside and outside the reactor building, and must take account of internal and external accident conditions and of ageing.
Chapters for the FSO: C.7.1

For this approach, qualification methods and typical conditions covering the ambient conditions for reference situations and for severe accident situations must be defined, and their representativeness must be justified (in particular with regard to ageing).
Chapters for the FSO: C.7.2

With reference to electrical equipment, qualification may be obtained by testing one or more samples of the equipment through a sequence of conventional representative tests, or by a clear demonstration of the capacity of the equipment to operate under the defined conditions, for example by comparison with other equipment; a combination of the two methods may also be used. Operational experience may also be taken into account.
Chapters for the FSO: C.7.1

In principle, the test sequences for seismic qualification include ageing before the seismic tests, and the test sequences for qualification under loss of coolant accident (APRP [LOCA]) conditions include ageing and seismic qualification tests before the LOCA tests. For these LOCA tests, typical conditions corresponding to the enveloping thermodynamic, chemical and irradiation conditions in the containment must be defined with adequate margins.
Chapters for the FSO: C.7.1; C.7.2

With the aim of avoiding any degradation of the emergency core cooling function, the production of debris under accident conditions, in particular insulation material debris, must be taken into account in the qualification approach.
Chapters for the FSO: C.7.1

B.2.2.2 - Computerised safety systems

To obtain the high reliability required for the instrumentation and control systems, the designer must, when computerised systems are used, implement specific safety requirements for the qualification of such computerised systems for each safety category, including design rules for the software.
Chapters for the FSO: G.2.4


The three main principles for the design of computers for safety systems are fault avoidance, fault elimination and fault tolerance. Fault avoidance may be implemented through a constructive approach, via strict directives and rules applicable during the entire life cycle of a system, including system specification (hardware, software and integration), production (design, software coding and hardware installation, tests), operation and maintenance. Fault avoidance must be completed by an analytical approach aimed at eliminating faults. This includes informal procedures, such as inspections, re-readings, audits and reviews, and formal procedures, such as correctness tests, statistical analyses and various integration tests. In order to deal with residual faults which may persist in spite of all the measures taken to avoid and eliminate faults, fault tolerance must be introduced into the design. For the hardware, this may be obtained through redundancy and diversity. Diversity must be examined in order to obtain tolerance to software faults.
Chapters for the FSO: G.2.4
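The fault tolerance principle above (residual faults handled by redundancy, with diversity examined for software faults) is illustrated by the added example below: four redundant measurement channels, each evaluating one trip criterion with two independently coded comparisons that must agree, feeding a 2-out-of-4 voter whose logic degrades when channels are declared invalid. This is example code written for this page, not a description of the EPR protection system; the parameter, the setpoint, the measurement range, the invalid-channel degradation ladder (2oo4, then 2oo3, then 1oo2, then trip) and all channel values are assumptions.

```python
"""Fault tolerance by redundancy and diversity for a computerised protection
function: four redundant channels, two diverse evaluations of the trip
criterion per channel, and a 2-out-of-4 voter that degrades gracefully when
channels are declared invalid.

Constructed example: the parameter, the setpoint, the sensor range and the
degradation rule are assumptions, not EPR design data."""
from enum import Enum
from typing import List, Optional, Sequence

SETPOINT = 166.0            # assumed "pressure high" trip setpoint, bar
VALID_RANGE = (0.0, 250.0)  # assumed sensor measurement range, bar


class Vote(Enum):
    TRIP = "trip"
    NO_TRIP = "no_trip"
    INVALID = "invalid"


def _criterion_a(value: float) -> bool:
    return value > SETPOINT


def _criterion_b(value: float) -> bool:
    # Independently coded form of the same criterion (illustrative software diversity).
    return not (value <= SETPOINT)


def evaluate_channel(value: Optional[float]) -> Vote:
    """One redundant channel: sensor validity check, then both diverse evaluations must agree."""
    if value is None or not (VALID_RANGE[0] <= value <= VALID_RANGE[1]):
        return Vote.INVALID                 # sensor fault or out-of-range reading
    a, b = _criterion_a(value), _criterion_b(value)
    if a != b:
        return Vote.INVALID                 # diverse evaluations disagree: distrust the channel
    return Vote.TRIP if a else Vote.NO_TRIP


def vote_2oo4(votes: Sequence[Vote]) -> bool:
    """2-out-of-4 majority with an assumed degradation ladder.

    Invalid channels are removed from the vote and the required coincidence
    is lowered: 0 invalid -> 2oo4, 1 invalid -> 2oo3, 2 invalid -> 1oo2,
    3 or more invalid -> trip (fail-safe). A single channel failure therefore
    neither blocks the function nor, on its own, produces a spurious trip."""
    if len(votes) != 4:
        raise ValueError("2oo4 voter expects exactly four channel votes")
    invalid = sum(v is Vote.INVALID for v in votes)
    trips = sum(v is Vote.TRIP for v in votes)
    if invalid >= 3:
        return True
    required = 1 if invalid == 2 else 2
    return trips >= required


def protection_decision(measurements: Sequence[Optional[float]]) -> bool:
    """Full path: four raw measurements (None = sensor fault) to the trip decision."""
    votes: List[Vote] = [evaluate_channel(m) for m in measurements]
    return vote_2oo4(votes)


if __name__ == "__main__":
    # Constructed scenarios: normal, one spurious channel, one failed channel
    # plus one genuine demand, two genuine demands, out-of-range reading.
    for scenario in ([150.0, 150.0, 150.0, 150.0],
                     [200.0, 150.0, 150.0, 150.0],
                     [170.0, None, 150.0, 150.0],
                     [170.0, 170.0, None, 150.0],
                     [300.0, 150.0, 150.0, 150.0]):
        print(scenario, "->", "TRIP" if protection_decision(scenario) else "no trip")
```

The two sides of the single failure criterion show up in the voter: one spurious channel cannot actuate the function on its own, and one lost channel cannot prevent the remaining channels from actuating it; the diversity check inside each channel is what turns a software fault in one evaluation into a detected invalid state rather than a wrong vote.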

B.2.3 - Requirements applicable to specific safety functions

B.2.3.1 - Reactivity control function

The reactivity control function may be performed by the control rods and by borated water injection systems, including an additional boration system with two trains, each capable of bringing the reactor from the controlled state to the safe shutdown state for any reference transient, incident or accident other than a loss of coolant accident, without requiring the pressuriser safety valves to open. This system must be classified F1B for this safety function and may be actuated manually.
Chapters for the FSO: F.3, F.7

In addition, this system must be actuated automatically for transients with failure of the emergency shutdown; the corresponding instrumentation and control functions must be classified F2. With reference to spurious opening of secondary cooling system valves and to secondary line breaks, the designer must specify whether the reactor may become critical again after emergency shutdown during such transients, incidents or accidents; the instrumentation and control equipment must be classified accordingly.
Chapters for the FSO: S.1


With reference to homogeneous boron dilutions, the designer must study implementation of the activation of emergency shutdown or of a boration system for the homogenous dilution reference transients at least. In all cases, the reliability of the emergency shutdown function must be high enough to contribute to "practically eliminating" high pressure core meltdown sequences. Despite the role of the additional boration system, adequate means must be implemented in this aim, such as diversity of the main components of the emergency shutdown system (physical measurements, signals and associated treatments, emergency shutdown circuit breakers).

G.5.10 P.2

S.2.4

H.3

B 2.3.1 As indicated in section A.1.3, reactivity accidents resulting from the rapid introduction of chilled or insufficiently borated water must be avoided via design provisions so that they may be "excluded". Among these design provisions, automatic devices that allow prevention of the unscheduled formation of a diluted water plug, leak detection devices and monitoring of the boron concentration of the system must be considered where necessary.

F.3 G.5.10 I.3.2 S.2.4 R.3.3

B 2.3.2

B.2.3.2 - Residual heat removal function The residual heat removal function must be ensured with high reliability. In general, a four train system designed to perform the residual heat removal function and the low pressure safety injection function may suffice if adequate provisions are implemented for the parts of the residual heat removal system located outside of the reactor building, to "practically eliminate" severe accident sequences with containment bypass.

F.3

R.1 S.2.4

The residual heat must be transported from the combined residual heat removal and low pressure safety injection system to the final cooling water via an intermediate cooling system.

I.2.1 I.2.2 I.2.6


However, a detailed demonstration must be provided by the designer in relation to obtaining a safe shutdown state for the various accident situations to be considered for the various states of the unit. Special attention must be paid to the event sequences for which switching from one operational mode to another of the combined residual heat removal and low pressure safety injection system trains is thus required for the corresponding time periods; also the diversity and suitability of the automatic water injection signals and the adequacy of the makeup water flow rate must be justified; finally, adequacy of the manual water makeup planned for dealing with failure of the automatic means must be demonstrated.

P.2 S.1

B 2.3.2 Operational experience has demonstrated that special attention must be paid to the possibility of loss of an adequate water level during shutdown states where the core is in the reactor vessel. Design provisions must be implemented to reduce the operational requirements mid-loop when the core is in the reactor vessel (13) and to deal with the loss of the normal residual heat removal system.

P.2, S.1 R.1 F.3

In addition, the design characteristics for measuring the water level in the loops require special attention; diverse means should be implemented.

G.5

The assumptions relating to restarting the residual heat removal system pumps after a drop in the water level must be clearly justified.

F.3, P.2

B 2.3.2 Finally, situations which require reduction of the water level in the primary cooling system during shutdowns must be defined and justified by the designer, along with provisions (including design margins, instrumentation and adequate procedures) implemented for dealing with the associated risks.

M.1 P.2

(13) During normal shutdowns for reloading, it would be advisable to carry out steam generator maintenance and in-service inspections only when the core is totally unloaded.


B 2.3.3

B.2.3.3 - Emergency core cooling function The assumptions for breaks to be considered for the emergency core cooling function are defined in section B.1.2; other assumptions relating to the design of the corresponding systems are indicated in part D.2. The emergency core cooling function may be provided by an optimised concept including medium pressure safety injection into the cold legs with a lower discharge pressure at the steam generator safety valve opening set-point, accumulators injecting into the cold legs and a low pressure safety injection in the cold legs, with switchover to combined injection in the cold and hot legs after a period of a few hours, with the injection systems using water from a large water tank located inside the containment building.

F.3

Installing a large borated water tank inside the reactor building provides significant advantages for dealing with loss of coolant accidents. Nevertheless, due attention must be paid to the correct mixture of water contained in the tank and to the temperature increase of this water (subcooling should be maintained) during such accidents (in relation to the volume of the tank), and to the quality of the water for the emergency core cooling system pumps.

F.3.2

The emergency core cooling system function for "practically eliminating" high pressure core meltdown situations must also be considered.

S.2


B 2.3.4

B.2.3.4 - Secondary cooling system heat evacuation function The secondary cooling system heat removal function warrants special attention. It must have the capacity to remove heat from the reactor core via steam generators associated with the steam generator relief valves and the steam generator emergency feedwater supply during reference transients, incidents and accidents. After the reactor has been shut down, transition from the hot subcritical state on the primary side to intermediate conditions must be ensured by this function to then enable the cold subcritical state to be obtained via the residual heat removal function on the primary side.

F.8 F.6 J.3

For special events (small primary break and rupture of a steam generator tube), the secondary cooling system heat removal function must be able to reliably ensure cooling of the primary cooling system until conditions have been reached that allow the emergency core cooling system to operate (14) (shutdown and startup system reliability, reliability of the condenser bypass).

F.8 R.1 J.4

B 2.3.4 To obtain "practical elimination" of high pressure core meltdown sequences linked to the loss of normal and emergency feedwater supply systems, the designer must install and justify an adequate combination of means, including an independent startup and shutdown system, and an increased spare capacity of water in each steam generator compared to the existing units, and the use of the secondary open-feed and primary open-feed (automatically or manually started).

F.6, F.8 J.3, J.4

S.1

(14) Opening the pressurizer valves may not be enough to make the safety injection system effective.


B 2.3.5

B.2.3.5 - Heat removal function outside of the containment enclosure The containment enclosure heat removal function in low pressure core meltdown conditions may be carried out by a system performing spraying inside the enclosure and corium cooling, divided into two trains, with one train being enough at the end of 15 days to maintain the pressure in the enclosure below the design pressure. These trains would be cooled by a dedicated system diverse in relation to an intermediate equipment cooling system used by the systems linked to preventing core meltdown. The two trains of this dedicated cooling system would be electrically backed up by small diesel generator sets as described in paragraph B.2.4.1. It is highlighted that a containment heat evacuation system with radioactive fluid recirculation outside of this containment involves dealing with possible failures of the corresponding pipework and the associated radiological consequences.

F.2.7

F.2.7

P.3

B 2.3.6 B.2.3.6 - Primary cooling system depressurization and overpressure protection functions

Adequate primary cooling system protection against overpressure must be implemented for the various reference transients, incidents and accidents and for the transients with emergency shutdown failure.

C.6.1.5 E.2 S.1

B 2.3.6 Protection against overpressure must also be implemented for the systems connected to the primary cooling system (such as the system designed to perform the residual heat removal and low pressure safety injection function, when it is connected to the primary cooling system).

C.6.1.5 E.2 F.3

B 2.3.6 With reference to cold overpressure, adequate protection of this system and of the reactor cooling system in cold shutdown states may be provided by the pressuriser safety valves, as their opening is controlled by a dedicated instruction developed by a pressure signal deriving from a pressure threshold.

C.6.1.5 E.2


B 2.3.6 On the other hand, the primary cooling system depressurization system must be designed to contribute to preventing core meltdown via the primary open-feed function.

E.4 S.1

B 2.3.6 The depressurization function, which aims to transform high pressure core meltdown sequences into low pressure core meltdown sequences (see section A.1.3), may be carried out by adding pressuriser valves, and a dedicated relief valve equipped with an isolation valve to the depressurization function, as these valves are designed so that opening them is guaranteed even for high gas temperatures. This relief function must be available in the event of losing external electrical supplies and unavailability of all of the diesel generator sets. Once opened, the relief valve must remain open with high reliability throughout the progress of the accident.

E.4.8 S.2.2

B 2.3.7

B.2.3.7 - Protection function against overpressures in the secondary cooling systems The protection function against overpressure in the secondary cooling systems may be provided by a combination of isolatable steam relief lines and safety valves installed between the reactor building and the main steam isolation valves. The adequacy of this combination of relief lines and safety valves must be checked by also considering removal of the residual heat, limitation of radioactive discharges and prevention of excessive cooling of the reactor core. For the protection against overpressure function, emergency shutdown of the reactor may be taken into account as a pressure reduction measure, which allows the total relief capacity to be reduced, as long as the reliability and the diversity of the provisions relating to emergency shutdown of the reactor are similar to those relating to core protection. This approach may be used for the reference transients, incidents and accidents. For the transients, brief overshoots of the steam pipework design pressure may be tolerated as long as the safety valves are not required. Also, transients with emergency shutdown failure must be dealt with; the most unfavourable transients regarding the pressure increase on the primary and secondary side must be examined, taking into account the transient duration and the effect of this duration on the reliability of the secondary valves.

C.6.1.5 J.3

C.6.1.5

B 2.3.7 Relief valves and safety valves must be qualified for the fluid conditions which may occur when they are being used.

C.7, J.3, F.8


B 2.3.7 More precisely, from the safety point of view, the protection against secondary overpressure function may be performed for each steam generator via two safety valves, each one with a 25% relief capacity, in addition to a steam relief line (with an isolation valve and a regulated relief valve) with a 50% relief capacity. The setpoint for emergency shutdown of the reactor would be set at a value lower than or equal to the steam generator design pressure. Safety valve and relief valve opening characteristics and setpoints should be chosen so that the safety valves are not activated in the event of a steam generator tube rupture.

C.6.1.5 J.3

B 2.3.7 This concept means that the steam relief lines are classified as F1A systems; in addition, adequate reliability of the corresponding valves must be clearly demonstrated.

C.2

B 2.4

B.2.4 - Requirements applicable to support safety systems B.2.4.1 - Power supplies

Power supplies are essential as support systems to reduce the frequency of core meltdown and to "practically eliminate" high pressure core meltdown sequences. For a general unit installation with safety systems with four trains, adequate reliability of the power supplies could be obtained by installing four identical main diesel generator sets, completed with two small diesel generator sets that are able to back up, in particular, two of the emergency steam generator feedwater supply pumps and the necessary support systems.

-

H.3

The small diesel generator sets must be diverse from the four main diesel generator sets, so as to eliminate as far as possible common causes of failure between the two types of diesel generator set, taking into account operational feedback from such sets, and must be connected to busbars at various voltage levels.

H.3

Independence between the main diesel generator sets and the small diesel generator sets must be completely justified by studying the failure modes for diesel generator sets. In particular, the probabilities of failure for the main diesel generator sets and small diesel generator sets must take into account failure risks for their batteries, whilst appropriately considering the corresponding operating experience.


Due consideration must also be paid to the electrical switchboards and to possible common causes of failure in these switchboards.

R.1

B.2.4.2 - Intermediate cooling system and emergency townswater system The intermediate cooling system and the emergency townswater system are important support systems for transferring the residual heat from the system designed to perform the residual heat removal and low pressure safety injection functions to the final cooling water.

I.2.1 I.2.2

Possible common causes of intermediate cooling system and emergency townswater system failures must be fully analysed.

I.2.1 I.2.2

In addition, the designer must demonstrate that the heat removal capacity for each heat exchanger between the intermediate cooling system and the emergency townswater system is adequate for all of the normal operating conditions, including the shutdown states, and the reference transients, incidents and accidents. The reliability of the isolation devices for the systems where fire loads are not considered must be studied in detail.

I.2.2

C 1

C - ACCIDENT PREVENTION AND SAFETY CHARACTERISTICS OF THE UNIT C.1 - REDUCING THE FREQUENCY OF INITIATING EVENTS

The objective of reducing the frequency of initiating events - as requested in section A.1.2 - involves evaluating operational experience to increase, where possible, reliability of the operating equipment and systems (for example, the normal steam generator feedwater supply system) and to eliminate as widely as possible the occurrence of phenomena that may jeopardize the integrity of the mechanical equipment such as vibrations, corrosion, cavitation, etc.

-


Operational experience particularly shows that adequate provisions must be implemented to control the thermal fatigue phenomena linked to mixing hot and cold fluids. Their suitability must be justified.

E, F.3, F.6

Design provisions that allow the frequencies of the initiating events to be reduced must be considered for all types of events which contribute to the overall frequency of core meltdown. It is important to consider initiating events for all of the operating states, including full power, low power, and all of the relevant shutdown states.

R.1, P

C 1 The quality of design, manufacture, construction, operation and maintenance must guarantee that the malfunctions that result in safety functions being invoked are of low probability.

-

C 2.1

C.2 - REDUNDANCY AND DIVERSIFICATION C.2.1 - Single failure and preventive maintenance criterion

A system is designed according to the single failure criterion if it is able to fulfil its function in spite of a single failure irrespective of the event, the control of which requires the system to be operating. The single failure applied may be active over the short and long-term or passive over the long-term (after 24 hours).

C.2.1 P.0

C 2.1 An active single failure is defined as a failure or position error that is enough to prevent a piece of equipment from performing an expected safety function. Such a failure may have the following characteristics:

a) malfunction of a mechanical or electrical piece of equipment which involves a mechanical motion to perform the expected function requested (for example, operating a relay, starting up a pump, failure of a valve on opening or closing, etc.),

b) malfunction of instrumentation and control equipment.

P.0

C 2.1 The consequences of unscheduled equipment startup due to single failures in the instrumentation and control systems must, in particular, be studied to identify weak points, if they exist, in the separation of redundant equipment and in the instrumentation and control systems (as detailed in part G.3).

G


C 2.1

Some single active failures may be excluded if the single failure criterion is applied for designing the systems; such exclusions must be clearly justified by suitable methods relating to specific design and operating provisions, taking operational experience into account. The justifications should include analysis of the consequences of failure with realistic assumptions. Such exceptions could include:

a) failure when opening accumulator non return valves,

b) failure when closing one of the main steam isolation valves in the event of rupture of one or more steam generator tubes (the behaviour of the main steam line filled with water and the quantity of primary coolant lost must be specified along with the possible radiological consequences).

P.0

P.2 S.3

C 2.1 A passive single failure is defined as a failure which appears in a piece of equipment which does not need to change state to carry out its function. A passive failure may be:

• a leak from the pressure boundary of a fluid system; if not detected and isolated, such a leak is presumed to increase up to the flow rate corresponding to total rupture;

• another mechanical failure jeopardizing the flow line corresponding to the normal operation of a fluid system.

P.2.1

C 2.1

Taking into account passive failures in the operation of a safety system only for the long-term (after more than 24 hrs), with a leak rate presumed to be conventionally equal to 200 litre/minute up to isolation of the leak, is in principle acceptable. However, for each F1 system, sensitivity studies must be carried out to demonstrate that the case of a short-term passive single failure (before 24 hrs) as well as the case of a leak rate greater than 200 litre/minute (up to rupture of a connected pipe with an inside diameter of 50 mm) are covered by taking into account active single failures which do not lead to a cliff edge effect in relation to the effectiveness of the system and the radiological consequences.

P.2.1

P.3


C 2.1 In addition, possible short-term leaks must be considered for all of the passive headers.

P.2.1

C 2.1 In all cases, the designer must accurately indicate the prevention measures and limitation of consequences measures that he will implement to deal with passive failures, including provisions relating to detecting and isolating leaks and to water intake (15). F1 requirements (with the possible exception of redundancy) must be applied to the corresponding detection and isolation devices.

C 2.1 Preventive maintenance is defined as taking equipment out of service at defined moments irrespective of the appearance of failures. During preventive maintenance periods, the equipment concerned is considered unavailable for the function for which it was designed. If the nature of preventive maintenance is such that the system may be returned to an operational state within a suitable time delay allowing the safety function to be carried out if requested, then the system can be considered as available.

P.0

If preventive maintenance is carried out during time periods where an F1 system may be required to operate on request or is on standby, this maintenance must be combined with application of the single failure criterion (at the system level for F1A systems, at the function level for F1B systems), whilst taking into account the capacity required for the corresponding safety function during the corresponding situation. For each safety system for which periodic tests will be carried out on a train during preventive maintenance of another train, suitable measures must be taken to prevent a safety system train from becoming unavailable during the tests.

P.0

Interconnections between alternating current power supply trains should only be permitted for maintenance and only between two of the four trains (trains 1 and 2 on one hand and trains 3 and 4 on the other hand). During power operation, maintenance should not be carried out on more than one train at the same time.

M.2 H.3

(15) The designer should develop a pragmatic approach to the leak rates associated with passive failures (including possible failures of small pipes), based on research of the sensitive locations, and taking into account existing operational experience.


C 2.2

C.2.2 - Probabilistic safety analysis and diversification The possible common causes of failure must be eliminated where possible via adequate equipment design and installation rules, including, for example, the choice of diverse equipment.

-

C 2.2 It should be noted that for frequent initiating events, the reliability requirement for a safety function is such that two systems or pieces of diversified equipment may prove to be necessary.

-

C 2.2

To determine the adequate combination of redundancy and diversity for safety systems, the designer may, as indicated in section A.2.6, use probabilistic objectives as nominal target values; in this case, the orientation values of 10⁻⁶ per year for core meltdown frequency due to internal events respectively for power states and shutdown states could be used, bearing in mind the need to consider the associated uncertainties.

R.0

To carry out probabilistic safety analyses, the list of initiating events must also be as comprehensive as possible, even for the initial analysis at the design stage; it must also deal with all of the sequences already studied in the French probabilistic safety analyses, including events in safety shutdowns, even with very rough estimations of their frequencies at the first stage.

R.0 R.1

The use of simplified models and generic data along with limiting the calculations to a time period of 24 hours may be enough to provide valid indications in the first stage for the design of next generation nuclear power plants.

R.1

Nevertheless, even at the design stage, it would be appropriate to study specific events which could occur after 24 hours (for example, filling up a tank) in the aim of showing no cliff edge effect.

R.3

In particular, due attention must be paid to external hazards which would require long operating times for certain systems.

R.4


C 2.2

With reference to common causes of failure, the designer must consider this type of failure for parts of components inside a system and study the possibilities of common causes of failure between various systems. It would not be appropriate to exclude, in principle, the possibilities of common causes of failure for equipment operating permanently and in the same operating state before and during the accident, or for equipment belonging to a large group of identical components used in similar conditions. Such exclusions must be dealt with on a case-by-case basis. In particular, common causes of operating failures during the time required for the task must be considered for identical pumps belonging to the same system and fulfilling the same function in the same conditions.

R.1
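As an added illustration of the C.2.1 and C.2.2 requirements above (this is example code written for this page, not material from the Technical Guidelines or the FSO), the following Python sketch checks the single failure criterion combined with preventive maintenance for an N-train function, and uses a beta-factor common-cause model to show why identical redundant trains saturate and a diverse second system is what actually lowers the unavailability for frequent initiating events. All numerical inputs (per-train unavailability, beta, initiating event frequency) are constructed for the demonstration.

```python
"""Added illustration for C.2.1 / C.2.2: single failure criterion with
preventive maintenance, and why redundancy alone saturates under
common-cause failure (beta-factor model). All numbers are constructed
for the demonstration; they are not figures from the Technical Guidelines."""
from math import comb


def meets_single_failure_criterion(n_trains: int, trains_required: int,
                                   in_maintenance: int = 0) -> bool:
    """True if the function still has `trains_required` trains after the
    preventive-maintenance outage AND one further single failure of the
    worst-placed train (the C.2.1 combination rule)."""
    if trains_required < 1 or in_maintenance < 0 or in_maintenance >= n_trains:
        raise ValueError("inconsistent train configuration")
    surviving = n_trains - in_maintenance - 1      # "- 1": the single failure
    return surviving >= trains_required


def function_unavailability(n_trains: int, trains_required: int,
                            q_train: float, beta: float) -> float:
    """Probability on demand that fewer than `trains_required` of `n_trains`
    identical trains work.

    Beta-factor model: a fraction `beta` of each train's unavailability
    `q_train` is a common cause that defeats every train at once; the rest,
    (1 - beta) * q_train, is independent per train.
    """
    q_ccf = beta * q_train
    q_ind = (1.0 - beta) * q_train
    max_lost = n_trains - trains_required
    # independent failures defeat the function once more than max_lost trains fail
    p_ind_fail = sum(
        comb(n_trains, j) * q_ind ** j * (1.0 - q_ind) ** (n_trains - j)
        for j in range(max_lost + 1, n_trains + 1)
    )
    # either the common cause strikes, or it does not and independent failures decide
    return q_ccf + (1.0 - q_ccf) * p_ind_fail


def diverse_combination(u_system_a: float, u_system_b: float) -> float:
    """Unavailability of a function backed by two *diverse* systems.

    Diversity is modelled as statistical independence between the two
    systems (no shared common cause); the product is the best case the
    designer is asked to justify, not a given."""
    return u_system_a * u_system_b


def core_melt_contribution(initiating_event_freq_per_year: float,
                           function_unavail: float) -> float:
    """Contribution of one sequence: initiating event frequency times the
    conditional probability that the mitigating function is unavailable."""
    return initiating_event_freq_per_year * function_unavail


def redundancy_sweep(trains_required: int, q_train: float, beta: float,
                     max_trains: int = 8) -> dict:
    """Unavailability for trains_required..max_trains identical trains; shows
    the floor set by beta * q_train that no amount of identical redundancy removes."""
    return {n: function_unavailability(n, trains_required, q_train, beta)
            for n in range(trains_required, max_trains + 1)}


if __name__ == "__main__":
    # Constructed case: 4-train function, 2 trains needed, one train in
    # preventive maintenance, single failure of another train.
    print("SFC + maintenance, 4 trains / 2 required, 1 in maintenance:",
          meets_single_failure_criterion(4, 2, in_maintenance=1))   # True
    print("... with 2 trains in maintenance:",
          meets_single_failure_criterion(4, 2, in_maintenance=2))   # False

    Q, BETA = 1e-2, 0.05   # constructed per-train unavailability and CCF fraction
    for n, u in redundancy_sweep(2, Q, BETA).items():
        print(f"{n} identical trains: unavailability {u:.2e}")
    u4 = function_unavailability(4, 2, Q, BETA)
    u_div = diverse_combination(u4, 1e-2)   # second, diverse system at 1e-2 (constructed)
    for label, u in (("4 identical trains", u4), ("+ diverse system", u_div)):
        print(f"{label}: {core_melt_contribution(1.0, u):.2e} per year "
              "for a constructed initiating event at 1 per year")
```

The sweep makes the C.2.2 point numerically: with a non-zero beta the unavailability of 4, 6 or 8 identical trains stays pinned near beta × q, whereas the diverse second system divides it by roughly its own unavailability.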

Unavailability due to maintenance must be studied as of the start of the design stage, in particular, if maintenance operations are planned with the unit at power. The possible effect of human errors during maintenance and tests must be studied at the design stage. Preventive maintenance must be considered in a realistic way; unavailability due to preventive maintenance should not result in a large contribution to the overall frequency of core meltdown.

R.1

R.1

On the other hand, it is highlighted that maximum repair times before a reactor is shut down must be specified for safety system components; to this end, probabilistic analyses may also be used, taking into account the above defined nominal target values, with due attention to associated uncertainties. Maximum repair times must also be consistent with the "practical elimination" of accident situations which would result in large early discharges.

M.2

Human reliability is especially difficult to deal with at the design stage, because human factors are highly dependent on specific unit operating characteristics which are not defined at this stage (procedures, organisation, etc.). The first estimation may only be very rough, therefore.

R.1

It is to be pointed out that it is not possible to evaluate the advantages of man-machine interface improvements without experimental results. A data collection programme must be defined as soon as possible.

Q.2


The assumptions, criteria and data must be justified. The reliability data must be up-to-date and complete, considering in particular the French and German operational experience; in this field, special attention must be paid to common causes of failure as well as to instrumentation and control systems (hardware and software). Uncertainties concerning reliability data, common causes of failure and human reliability must be dealt with at the design stage by carrying out sensitivity studies.

R.1

The designer must also carefully evaluate the frequencies of sequences that lead to core meltdown, when the system to remove the heat from the containment is unavailable, and the corresponding consequences, taking into account possible operator actions. Sequences with initial leaks from the containment must also be studied.

R.2


C 3

C.3 - HUMAN FACTORS

As indicated in section A.2.3, a complete engineering programme for human factors must be implemented. The following subjects must be dealt with in this programme, according to an iterative process where necessary:

a) description and analysis of the tasks: this would systematically cover interactions between humans and the equipment as well as interactions between humans, for all operating, maintenance, repair and test activities. In a first stage, data would be collected preferably via direct observation of these activities in existing units, completed with interviews and later by tests on models and simulators;

b) allocating functions to equipment and humans: this would, in particular, result in a justified list of tasks to be automated, not to be automated or to be shared in a man-machine cooperation;

c) design of the interfaces: this would cover definition of the information to be presented, its organisation and its implementation, in particular, in the main control room where a global vision of the actual state of the unit is required, the alarm system, the communication means for the various types of activities, the working environment and the control means to be provided to operators; special attention would be paid to the Emergency Control Centre defined in part G.3 as well as to other work locations outside of the main control room;

d) organisation of the control teams: this would cover definition of the required number and skills needed for the staff, to deduce the selection criteria and training programmes, as well as the organisation of teams with a clear distribution of responsibilities;

e) development of operator "guidance", including suitable documentation and procedures; computerised procedures should be developed consistently and integrated with the other interfaces used by the operators;

f) verification and validation: adjustments should be implemented according to the results from the verification and validation process taking into account the evaluation of human reliability in all design phases.

A specific subject concerns the alarm system for which the designer must consider maintenance, repair and test situations and define criteria for classifying alarms at an early design stage. Such classification must not prevent the possibility of carrying out consistency tests for the alarms which appear.

Q.2, Q.3, Q.4


C 4

C.4 - RADIOLOGICAL PROTECTION OF WORKERS AND MEMBERS OF THE PUBLIC

C.4.1 - Radiological protection during normal operation

To implement the ALARA approach for next generation nuclear power plants (as requested in paragraph A.2.7.1), detailed evaluation of existing operational experience is necessary. This evaluation would include in particular:

• the dose rates in the vicinity of the reactor cooling system during shutdowns, with the respective contributions of corrosion product deposits (58Co, 60Co, 124Sb);

• the shielding in the reactor building and auxiliaries buildings.

L.3

L.2

With reference to the choice of materials, it would be wise, for next generation nuclear power plants, to reduce where possible the use of stellites and antimony and to select materials with low levels of cobalt impurities. The choice of alloy for the steam generator tubes must also be justified by the designer, taking into account operating experience relating to the corresponding activity levels in the reactor cooling system along with prevention of corrosion on the primary side and on the secondary side.

L.1 L.4 E.4

With reference to shielding, it would be appropriate to use design activity values for the fission products and corrosion products in the reactor cooling system in a more realistic way than for existing units, by appropriately considering operating experience. These activities, with the corresponding spectra, must be specified by the designer; all of the relevant irradiation sources must be taken into account (neutronic and gamma radiation around the reactor vessel, 16N around the reactor cooling system, etc.).

L.3.2


The following points must also be specified by the designer:

• the primary coolant purification level during normal operation and during cold shutdown,

• the design provisions made to avoid or limit where possible areas where corrosion product deposits could accumulate,

• the surface treatments (such as electrolytic polishing) applied to parts of the primary cooling system or reactor cavity,

• the provisions considered for facilitating decontamination operations,

• the design provisions for using robots,

• the design provisions for facilitating work in the containment building, by reducing working times and increasing the distances between the radioactive sources and the workers.

-

L.2

L.4

T - L

Q.2

In addition, the radiological impact from the tasks carried out in the reactor building during power operations must be accurately studied by the designer.

L.4 L.3.3

C.4.2 - Radioactive effluents, waste reduction and dismantling

C.4.2.1 - Waste reduction and dismantling

The designer must specify how he will take into account the objective to reduce radioactive effluents and waste indicated in paragraph A.2.7.2 within the context of an optimisation process. This involves detailed evaluation of the existing operating experience. The following points must, in particular, be dealt with:

K.1


• equipment specifications for components that are in contact with the primary coolant;

• the chemistry of the reactor coolant (advantages and disadvantages of possible modifications to this chemistry);

• the provisions allowing corrosion product deposits to be reduced which are or may be activated by passing through the reactor core; this particularly applies to deposits on the fuel assemblies and structures surrounding the reactor core;

• the gaseous and liquid radioactive effluent, and solid radioactive waste treatment processes according to the characteristics of the various types of effluents and waste, taking into account plausible situations such as cladding ruptures.

E, L.4 E.2, E.4

L.4

K.1

Certain choices of materials already requested in section C.4.1 for radiological protection purposes (such as reducing where possible the use of stellites and antimony and choosing materials with low levels of cobalt impurities) would also present advantages in relation to radioactive waste management. Another point relating to the choice of materials is the production of long-lived radionuclides which must be considered in relation to the ultimate future of the waste.

E L.4

It is also essential to make a clear distinction at the design stage between the conventional waste areas, inside of which the waste produced is not likely to be contaminated or activated, and the nuclear waste areas, inside of which the waste produced is likely to be contaminated or activated; expansion of the nuclear waste areas should be minimised by a suitable design.

With reference to dismantling, suitable provisions must be implemented at the design stage to facilitate the corresponding work. In particular, it would be wise to install the large components in such a way that they may be dismantled and transported with a view to later treatment; concern should be paid to handling means, removal methods and the necessary biological protection. In addition, provisions allowing in situ cleaning and decontamination should be considered when the systems and vessels are designed and installed.

T


C.4.2.2 - Effluent treatment systems

In relation to the objective indicated in paragraph A.2.7.2 and repeated in the previous section, the designer must specify the following points relating to the effluent treatment systems:

• the liquid and gaseous radioactive effluent management policy in the unit;

• the method and databases used to determine the radioactive flux to be considered (including C14) in designing effluent treatment systems. These radioactive fluxes must cover all of the transients considered for the design of the unit (normal operation, including unit shutdowns and load monitoring and other reference transients). Effluent management, which could result in reference incidents and accidents, must also be taken into account;

• demonstration of the identification of all of the possible radioactive and chemical discharges and the suitable character of their monitoring.

K


D 1

D - CONTROLLING REFERENCE TRANSIENTS, INCIDENTS AND ACCIDENTS

D.1 - LIST OF REFERENCE TRANSIENTS, INCIDENTS AND ACCIDENTS

As indicated in section A.1.4, reference transients, incidents and accidents that affect the unit must be considered to demonstrate reactor safety. Defining reference transients, incidents and accidents to be studied consists of several stages:

• identification of the possible initiating events which could lead to radioactive substances being released inside and outside of the unit;

• exclusion of the simple initiating events which are subjected to sufficient prevention via design and operating provisions;

• pooling of all other events identified so as to define a limited number of reference transients, incidents and accidents so that the consequences of each reference event cover those of the corresponding group of events.

P.0

D 1 Due attention must be paid to reference transients, incidents and accidents that occur in shutdown states, taking into account specific associated operating conditions, in particular the possible unavailability of certain barriers and certain safety systems.

P.0 P.2

D 1

Specific attention must also be paid to the initiating events which could result in the barrier consisting of the containment being bypassed, including isolation failures in the systems connected to the primary cooling system and crossing the containment, along with steam generator tube ruptures.

P.0 P.2

S.2.4

D 1 It is desirable to classify the reference transients, incidents and accidents according to the estimated frequencies of the groups of initiating events that they cover; this means the definition of four categories of unit reference operating conditions from normal operation and transients up to incidents and accidents.

P.0


D 1 For each category of reference operating conditions, the list of initiating events, assumptions, associated rules and criteria must be specified by the designer.

P.0

D 1 For the definition of the internal initiating events to be considered for the unit, it may be useful to distinguish the various reactor states.

· State A: power state and hot shutdown state or intermediate state with all of the reactor automatic protection functions available; certain functions may be deactivated at low pressure;

· State B: intermediate shutdown above 120°C, the shutdown cooling system not connected; certain automatic reactor protection functions may be deactivated;

· State C: intermediate shutdown and cold shutdown with the shutdown cooling system in operation and the primary cooling system closed or able to be closed rapidly;

· State D: cold shutdown with the primary cooling system open;

· State E: cold shutdown with the reactor cavity full;

· State F: cold shutdown with the reactor core completely unloaded.

P.1

D 1 The list of reference operating conditions to be dealt with in the demonstration of safety of next generation nuclear power plants may be largely deduced from experience from existing units, by adapting it to the more detailed design considered as acceptable in these technical directives. In the preliminary list presented hereafter, when no reactor state is mentioned, the corresponding operating condition must be studied in state A for the most unfavourable power level.

-


D 1 Normal operation: category 1 operating conditions (PCC 1)

Normal operating conditions include situations which are controlled by the operating systems, such as the temperature rise and reactor cooling, the power levels, power ramps, etc. For these situations, the unit is maintained within the limits defined by the technical specifications (in particular for everything concerning system availability and the number of occurrences).

P.0


D 1 Reference transients: category 2 operating conditions (PCC 2)

• emergency shutdown (unscheduled),

• malfunction of the steam generator feedwater supply system resulting in reduction of the feedwater supply temperature,

• malfunction of the steam generator feedwater supply system resulting in an increase in the feedwater flow rate,

• excessive increase of the secondary steam flow rate,

• turbine tripping,

• unscheduled closing of a main steam isolation valve,

• loss of condenser vacuum,

• short-term loss of external power supplies (≤ 2 hours) (states A, C, D),

• loss of the normal steam generator feedwater supply flow (loss of all of the main feedwater supply pumps and the startup and shutdown system pump),

• loss of a main primary coolant pump without partial emergency shutdown,

• uncontrolled withdrawal of a group of control rods (state A),

• misalignment of a control rod, up to dropping of the rod, without taking into account limitation devices,

• startup of a primary coolant loop on shutdown at an incorrect temperature,

• malfunction of the chemical and volume control system resulting in a reduction of the primary cooling system boron concentration (states A to E),

• malfunction of the chemical and volume control system resulting in an increase or reduction of the primary cooling system water inventory,

• primary coolant pressure transient (unscheduled spraying in the pressuriser, unscheduled heating of the pressuriser),

• uncontrolled reduction of the water level in the primary cooling system during mid-loop operation (states C or D),

• loss of a shutdown cooling system train during mid-loop operation (states C, D).

P.0


D 1

Reference incidents: category 3 operating conditions (PCC 3)

• small break of a steam generator feedwater supply system pipe or steam pipe,

• long-term loss of external power supplies (> 2 hours) (state A),

• spurious opening of a pressuriser pressure safety valve,

• spurious opening of a relief line or steam generator pressure safety valve (state A),

• small primary circuit break (states A, B),

• rupture of a steam generator tube (a single tube),

• spurious closing of all of the main steam isolation valves,

• unscheduled loading and operation of a fuel assembly in an unsuitable position,

• forced reduction of the primary flow (4 pumps),

• failures in the gaseous or liquid effluent treatment systems,

• uncontrolled withdrawal of a group of control rods (states B to D),

• uncontrolled withdrawal of a rod,

• rupture of a line transporting primary coolant outside of the containment (for example sampling line).

P.0


D 1

Reference accidents: category 4 operating conditions (PCC 4)

• long-term loss of external power supplies (> 2 hours) (state C),

• rupture of a steam pipe (states A, B),

• rupture of a steam generator feedwater supply pipe (states A, B),

• spurious opening of a relief line or steam generator pressure safety valve (state B),

• ejection of a control rod (states A, B),

• intermediate or large break of the primary cooling system (up to rupture of the pressuriser surge line (16) in states A and B),

• small primary circuit break (up to a diameter of 50 mm, in states C and D),

• break in the shutdown cooling system outside of the containment (up to 250 mm in diameter, in states C and D),

• seizing of a primary coolant pump (seized rotor),

• rupture of a primary coolant pump shaft,

• rupture of two steam generator tubes,

• fuel handling accident,

• boron dilution due to a non-isolatable rupture of a heat exchanger tube (states A to E).

P.0

(16) Without taking into account the effect from a flow limiter.


D 1 The final list must be completed and justified by the designer taking the following comments into account:

• if an operating condition considered in PCCn for the power state is declassified to PCCn+1 for the shutdown states, then this classification must be justified on a case-by-case basis based on the estimated frequency of the initiating event in the shutdown states;

• the categories of certain operating conditions such as "spurious opening of a steam generator pressure safety valve (state A)" or "boron dilution due to a non-isolatable rupture of a heat exchanger tube (states A to E)" must be accurately justified based on the detailed design of the corresponding equipment;

• spurious opening of the dedicated depressurization system (described in paragraph B.2.3.6) must be introduced into the list of operating conditions unless accurate justification can be presented;

• the size of the small primary circuit breaks in PCC 3 must be specified and justified;

• the specific case of a small primary circuit break at the most unfavourable location in relation to injection via the additional boron injection system, occurring at the same time as a single aggravating factor on the train that is not affected by this system, must be studied;

• ejection of a control rod must be considered in state C unless the designer can provide adequate justifications;

• the approach for internal initiating events occurring outside of the reactor building, in particular in the spent fuel pool, must be specified and justified (see section G.1);

P.0

D 1 • with reference to the auxiliaries buildings which contain systems with radioactive substances, accident studies must be included in the operating categories and carried out with the corresponding rules. Once the system configuration in these buildings is such that high-energy lines are separated from those which transport radioactivity, then the failure of equipment containing radioactivity may, in principle, be studied only as a possible initiating event;

P.0 P.3


D 1 • with reference to homogeneous boron dilutions in the primary cooling system, the scenarios retained for the accident studies, along with their classification into operating condition categories, must be justified based on exhaustive identification of the initiating events that may originate from a dilution, with the corresponding flow rates, and an evaluation of their respective similarities;

P.0

D 1 • the exclusion of intermediate primary cooling system breaks in state B2 when the accumulators are isolated must also be accurately justified;

P.2

D 1 • an operating mode with only three primary coolant pumps would require evaluation of the corresponding accident studies.

D 1 • The probabilistic safety analyses carried out at the design stage must also be used to check and alter the above presented list.

P.0
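The preliminary PCC lists above, together with the first comment on the final list (an operating condition placed in PCCn for the power state but in PCCn+1 for shutdown states must be justified case by case), lend themselves to a mechanical consistency check. The following Python is an added example and is not part of the technical directives: it parses a constructed subset of the list entries, applies the rule that an entry naming no reactor state is studied in state A, and reports the events whose category rises in a shutdown state.

```python
import re
from collections import defaultdict

# Constructed subset of the preliminary PCC lists given in the technical
# directives (the state annotations are copied as they appear in the text).
PCC_LIST = {
    2: [
        "turbine tripping",
        "short-term loss of external power supplies (<= 2 hours) (states A, C, D)",
        "uncontrolled withdrawal of a group of control rods (state A)",
        "malfunction of the chemical and volume control system resulting in a "
        "reduction of the primary cooling system boron concentration (states A to E)",
    ],
    3: [
        "long-term loss of external power supplies (> 2 hours) (state A)",
        "spurious opening of a relief line or steam generator pressure safety valve (state A)",
        "small primary circuit break (states A, B)",
        "uncontrolled withdrawal of a group of control rods (states B to D)",
    ],
    4: [
        "long-term loss of external power supplies (> 2 hours) (state C)",
        "rupture of a steam pipe (states A, B)",
        "spurious opening of a relief line or steam generator pressure safety valve (state B)",
        "small primary circuit break (up to a diameter of 50 mm, in states C and D)",
    ],
}

# Matches the annotation forms used in the list: "(state A)", "(states A, B)",
# "(states B to D)", "in states C and D", "(states C or D)".
_STATE_RE = re.compile(r"states?\s+([A-F](?:\s*(?:,|and|or|to)\s*[A-F])*)")


def parse_states(entry):
    """Reactor states (A..F) an entry applies to, as a sorted list.

    An entry naming no state is studied in state A at the most unfavourable
    power level, as the directives prescribe for the preliminary list.
    """
    match = _STATE_RE.search(entry)
    if match is None:
        return ["A"]
    letters = re.findall(r"[A-F]", match.group(1))
    if "to" in match.group(1):  # inclusive range such as "B to D"
        return [chr(c) for c in range(ord(letters[0]), ord(letters[-1]) + 1)]
    return sorted(set(letters))


def event_key(entry):
    """Event name with durations, break sizes and state annotations removed."""
    return entry.split("(")[0].strip().rstrip(",").lower()


def build_matrix(pcc_list):
    """Map event -> {state: PCC category}.

    Raises ValueError when one event/state pair is placed in two categories,
    which would make the list internally inconsistent.
    """
    matrix = defaultdict(dict)
    for category, entries in pcc_list.items():
        for entry in entries:
            key = event_key(entry)
            for state in parse_states(entry):
                previous = matrix[key].get(state)
                if previous is not None and previous != category:
                    raise ValueError(
                        f"{key!r} in state {state}: PCC {previous} and PCC {category}")
                matrix[key][state] = category
    return dict(matrix)


def declassified_events(pcc_list):
    """Events whose category in a shutdown state is higher than in state A.

    These are the cases the directives single out: each must be justified
    case by case from the initiating event frequency in the shutdown state.
    Returns {event: {"A": n, state: m, ...}} with m > n.
    """
    result = {}
    for key, by_state in build_matrix(pcc_list).items():
        power_category = by_state.get("A")
        if power_category is None:
            continue
        worse = {s: c for s, c in sorted(by_state.items())
                 if s != "A" and c > power_category}
        if worse:
            result[key] = {"A": power_category, **worse}
    return result


if __name__ == "__main__":
    for event, categories in declassified_events(PCC_LIST).items():
        print(f"{event}: {categories} -> justify case by case")
```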

D 2

D.2 - SAFETY ANALYSIS RULES AND ACCEPTANCE CRITERIA

For the various reference transients, incidents and accidents, rules must be applied for the demonstration of safety and suitable technical decoupling criteria must be respected with conservative assumptions. For certain reference transients, incidents and accidents, the designer must present accident studies covering all of the planned fuel managements.

P

P.1 P.2

It must be checked for the various significant reference transients, incidents and accidents from the radiological point of view, presuming that the corresponding technical criteria are respected, that the radiological consequences are tolerable and consistent with the general safety objectives defined in section A.1.1 for accidents without core meltdown.

P.3


D 2.1

D.2.1 - Safety analysis rules

The demonstration of safety concerning the operating condition categories must take into account the following rules:

• in principle, only F1 systems may be used in the demonstration of safety to obtain and maintain the safe shutdown state (as defined in section B.2.1); non F1 equipment is only considered if it is unfavourable for the transient. However, very limited exceptions could be accepted for non F1 equipment that is favourable for a transient if suitable requirements are applied to this equipment. The designer must provide a complete list of the corresponding equipment, with the associated requirements, and verification of the absence of a cliff edge effect when this equipment is not taken into account in the demonstration of safety;

P.0 -

D 2.1

• the most unfavourable aggravating factor must be taken into account. This is a single failure applied to equipment used to carry out the demonstration of safety, including non F1 equipment as defined above, if it exists. In particular:

a) the sticking of a control rod must be considered as a possible aggravating factor for the reference transients, incidents and accidents. Where adequate provisions are implemented to prevent any sticking of a control rod, whilst paying due attention to existing operating experience, it is not necessary to consider the simultaneity of the sticking of a rod and another aggravating factor;

b) failure on closing a main steam relief valve must be considered as a possible aggravating factor for reference transients such as homogeneous dilution and the uncontrolled withdrawal of a control rod;

P.0

D 2.1

• preventive maintenance must be combined with taking the most unfavourable aggravating factor into account, in the conditions indicated in section C.2.1;

P.0

D 2.1

• manual action from the main control room may be presumed to intervene 30 minutes at the earliest after the first significant information is given to the operators. For a manual action in rooms, outside of the main control room, the shortest time period to take into account is one hour.

P.0


D 2.1 In addition, reference transients, incidents and accidents (with the exception of those initiated by human action), must be studied presuming loss of external power supplies at the most unfavourable time; only seismic classified equipment may be used for the demonstration of safety. The technical decoupling criteria to be respected are similar to those of reference accidents.

P.0

D.2.2 - Acceptance criteria

The technical decoupling criteria to be respected in the demonstration of safety are in particular the following. For reference transients (PCC 2), fuel cladding integrity must be maintained. This involves defining a limit for the critical heat ratio, to be specified by the designer, and, possibly, the criterion concerning pellet-clad interaction.

P.0

D

Evaluation of the consequences of reactivity accidents, such as uncontrolled removal of a control rod on the behaviour of the fuel, requires detailed investigations taking into account specific fuel characteristics and the associated burnup fraction.

P.2

For rupture of the pressuriser surge line in state A (PCC 4), the temperature of the cladding hot spot must remain lower than 1,200°C, maximum cladding oxidation must remain lower than 17% of the cladding thickness, the maximum quantity of hydrogen produced must remain lower than 1% of the quantity which would be produced if the entire active part of the cladding was to react. It is also necessary to prevent degraded core cooling conditions from lasting for a long time which could result in considerable damage to the fuel.

P.2


D 2.2 Other technical decoupling criteria must be proposed and justified by the designer, concerning:

• the maximum energy deposited in the fuel during rapid transients such as the ejection of a control rod (PCC 4),

• the possibility of re-cooling the reactor core for a long time after a loss of coolant accident,

• the maximum number of fuel rods that may undergo critical heating in operating condition categories 3 and 4,

• the maximum temperature of the cladding at the hot spot during rapid transients allowing cladding embrittlement to be prevented,

• the maximum quantity of molten fuel in operating condition categories 3 and 4.

P.0

D 2.2 Also, safety analysis of reference transients, incidents and accidents according to the associated rules must include evaluation of the protection against primary and secondary cooling system overpressure with suitable specific criteria. More generally, it must be checked that the design rules applied to classified equipment used in the demonstration of safety cover the conditions (in particular, mechanical equipment stresses) resulting from reference transients, incidents and accidents with suitable margins. The safety evaluation for reference transients, incidents and accidents must also include specific justification of the volume of the steam generator feedwater supply system tanks appropriately taking into account an aggravating factor and the preventive maintenance strategy.

C.6

F.6, P.2

D 2.2 In addition, subcriticality requirements relating to the shutdown states must be defined taking into account accident conditions which could take place in these states.

D.3.5 P.2


D 2.3

D.2.3 - Using design codes For each design code used to justify the design, the designer must specify its experimental validation and its qualification and how the remaining uncertainties are taken into account (for example, sensitivity studies). This applies to the design codes used for neutronic and thermohydraulic calculations relating to reference transients, incidents and accidents, and in particular to new generation design codes (combined 3D thermohydraulic and neutronic design codes), to demonstrate that the enveloping values determined by the results are truly conservative for all of the studies relating to PCC operating conditions. This also applies to the design codes used to determine the transient variation of residual power for the operating conditions studies. Realistic assumptions and models may be used for the demonstration of safety relating to the rupture of the pressuriser surge line in state A (PCC 4); but compliance of the results with the acceptance criteria must be proven with a high level of confidence - which means using a frozen design code version, which must be qualified and verified, and an explicit evaluation of the associated uncertainties, whilst combining basic uncertainties (code models, scale effects, initial conditions and limit conditions, user effects, etc.). Another approach may be to use models and criteria that are already applied to existing units conservatively. Additional tests or a re-evaluation of earlier tests may be necessary for design characteristics that differ from existing characteristics in order to reduce the uncertainties; this must be considered in relation to using realistic analyses.

Appendix PA

P.2.4

D 2.4

D.2.4 - Radiological consequences The possible radiological consequences must be calculated as indicated in section A.1.4. The realistic assumptions used for the calculations must be justified by the designer; this applies to the radionuclide spectrum considered for calculating doses and to the fission product activity in the primary coolant (which must be determined by taking the technical operational specifications into account) as well as the iodine entrainment considered for steam generator tube ruptures.

P.3


In particular, the radiological consequences must be calculated for accident situations in the shutdown states, including a shutdown cooling system guillotine break outside of the containment building and also for accident situations with contaminated fluids circulating outside of the building for a long time. The final results from the study regarding the reference transients, incidents and accidents that are significant from the radiological point of view must include the effective doses for members of the critical groups and the possible contamination of food products. In particular, it is highlighted that the equivalent thyroid doses for adults and children are important indicators of the radiological consequences for certain accident situations. The doses from ingesting contaminated food and from the deposit of radioactive substances must be presented for various distances and different time periods.

P.3 S.1.3 S.3.3

In a first approach, the following assumptions may be retained for the largest primary break inside the containment:
• cladding rupture rate: 10% (this value requires justification, taking the fuel composition and burnup fraction into account),
• internal containment leak rate: 1% per day of the free volume of the internal containment (without direct leak towards the exterior),
• inter-containment space filter efficiency: 1,000 for molecular iodine and aerosols, 100 for organic iodine.

P.3


In addition, generally, a sensitivity study concerning the radiological consequences of accident situations resulting in discharges inside the reactor building must be carried out presuming a small atmospheric leak from the reactor building into a peripheral building, while taking into account the leaktightness and the retention capacity of this peripheral building.

P.3 F.2.1

E 1.1 E - CONTROLLING OPERATING CONDITIONS WITH MULTIPLE FAILURES AND ACCIDENTS WITH CORE MELTDOWN

E.1 - OPERATING CONDITIONS WITH MULTIPLE FAILURES

E.1.1 - Demonstration of safety

In addition to reference transients, incidents and accidents, operating conditions with multiple failures must be considered in the demonstration of safety. A list of operating conditions with multiple failures, called RRC-A [17], to be studied in a deterministic way with a view to making further design provisions, is presented in paragraph E.1.2.1. The results from the probabilistic safety analyses carried out at the design stage must be used to check and alter the preliminary list of operating conditions with multiple failures and to check the suitability of the additional provisions planned.

C.1.1 S.1

R.3.1

[17] Risk Reduction Category


E 1.2.1

E.1.2 - Deterministic analysis of the RRC-A operating conditions

E.1.2.1 - List of RRC-As The list, hereafter, of operating conditions with multiple failures to be dealt with in the demonstration of safety for the next generation nuclear power plants is deduced from experience from existing units, adapted more precisely to the concept considered as acceptable in these technical directives.

-


E 1.2.1

When no reactor state is mentioned, this means that the corresponding operating condition must be studied in state A for the most unfavourable power level.
Operating conditions with multiple failures: Risk Reduction Category A (RRC-A)
• total loss of electric power supplies: loss of external electric power supplies coincident with the failure of the 4 main diesel generator sets (state A, and mid-loop operation in state C or D),
• loss of the intermediate cooling and essential service water systems (state A, and mid-loop operation in state C or D),
• total loss of steam generator feedwater supply (loss of the main feedwater supply system, the startup and shutdown system and the auxiliary feedwater supply system),
• small primary circuit break (up to 50 mm in diameter) and loss of the medium pressure safety injection system trains (loss of the pumps or loss of the partial cooldown of the secondary system) (states A and C),
• small primary circuit break (up to 50 mm in diameter) and loss of the low pressure safety injection system (states A and C),
• small primary circuit break and simultaneous loss of the intermediate cooling and essential service water systems,
• transients with emergency shutdown failure,
• rupture of several steam generator tubes (up to 10 tubes in a steam generator),
• rupture of a steam pipe and simultaneous rupture of steam generator tubes (up to ten tubes in the affected steam generator),
• steam generator tube rupture (one tube) with the affected steam generator steam relief line stuck open,
• total loss of the spent fuel pool cooling system.

S.1


E 1.2.2

E.1.2.2 - Investigating specific sequences
1/ With reference to transients with emergency shutdown failure, the situations considered in the demonstration of safety must be specifically justified, in relation to the results from the probabilistic safety analyses. The designer must justify the conservatism of the reactivity coefficients used in the corresponding studies.

R.1 S.1

E 1.2.2 2/ Detailed investigations are particularly necessary concerning:
• rupture of a steam generator tube combined with the sticking of a main steam relief line in the open position (considering the case of hot standby and the location of the tube rupture);

S.3

• a small primary circuit break combined with the loss of the low pressure safety injection system (cold shutdown subcriticality, formation of insufficiently borated water plugs, clogging, long-term removal of the heat from the water tank inside the containment enclosure);

S.1 F.3

• small primary circuit break combined with loss of the medium pressure safety injection system (calculations relating to core subcriticality, impact of the rapid cooling of the secondary circuit on the primary and secondary cooling system structures);

S.1

• total loss of the spent fuel pool cooling system, for which the ambient conditions in the corresponding building and their impact on the structures and systems located inside this building, along with the possibilities of providing makeup water or repairing faulty components, must be completely analysed. Additional provisions must be implemented where necessary, in particular, in relation to support systems.

S.1 I.1.3 R.3.2


E 1.2.3

E.1.2.3 - Accident analysis rules and acceptance criteria To analyse operating conditions with multiple failures, all systems may be presumed to be available, with the exception of those which are presumed faulty in the multiple failure combination. Neither additional failure nor unavailability due to maintenance are to be applied in a deterministic way in the systems required for obtaining the final states as defined in section B.2.1.

S.1.0

E 1.2.3 In addition, for operating conditions with multiple failures, the technical decoupling criteria relating to reference accidents may be used to demonstrate the integrity of the barriers. In particular, the safety analysis of RRC-A operating conditions according to the associated rules must include examining the protection against primary and secondary cooling system overpressure with adequate specific criteria. For the transients with emergency shutdown failure, the maximum primary coolant pressure must not exceed 1.3 times the design pressure for any core configuration.

S.1.0

C.6.1.8

C.6.1.8

E 1.2.3 It is highlighted that for RRC-A operating conditions, including those with containment bypass, the calculated radiological consequences must be consistent with the general objectives mentioned in section A.1.1 for accidents without core meltdown. The method to be applied to determine the possible radiological consequences of RRC-A operating conditions is similar to the method applied to the reference transients, incidents and accidents as described in section D.2.4. In particular, the radiological consequences must be calculated for total loss of the spent fuel pool cooling system.

S.1.3 S.3.3

S.1.3

E 1.3

E.1.3 - Probabilistic analysis of operating conditions with multiple failures Given that support systems are large contributors to the overall frequency of core meltdown, special attention must be paid to these systems. In particular, this concerns:

R.1


1. the probabilistic safety analysis sequences associated with a loss of external power supplies:
• the possibilities of long-term loss of external power supplies (which may depend on the site) must be accurately examined. While a maximum duration of 24 hours may be retained at the design stage, the designer should, at a later stage, clearly identify the initiating events which could lead to long-term loss of external power supplies;

R.3

• due to the uncertainties relating to the time to uncover the core in the event of loss of external power supplies in state D, the loss of external power supplies situation in state D followed by failure of the four main diesel generator sets must be accurately examined taking the provisions implemented to deal with this situation into account;

R.1

• the reliability values expected for the diesel generator sets and the independence between the two types of diesel generator sets must be justified;

H.3.4 R.1

• the provisions made to maintain the long-term integrity of the primary coolant pump seals must be justified;

E.4.1 S.1, R.1

• the autonomy of the steam generator feedwater supply system tanks must be carefully checked for all of the failure sequences; a failure probability for their re-supply should be introduced in the corresponding sequences.

F.6, S.1 R.3

E 1.3

2. the probabilistic safety analysis sequences associated with loss of cooling systems:
• the possibilities of long-term loss of the final cooling water (which may depend on the site) must be examined;

R.3


• due to uncertainties relating to recovery of the final cooling water before the conditions in the containment and in the water tank inside this containment reach excessive values in state D, the loss of cooling source situation must be accurately evaluated (taking into account the corresponding provisions, which may depend on the site);

R.3 S.1

• the effectiveness of the cooling diversity provided for two of the low pressure safety injection system pumps by the chilled water system that also cools the instrumentation and control systems must be justified.

R.1

Due attention must also be paid:
• to the frequency and consequences of a total loss of the spent fuel pool cooling system, with specific attention paid to situations where the core is unloaded, taking into account the means that may be used to deal with such a failure and specific provisions to be implemented during maintenance of a train;

R.3.2

• to all possible cases of an unscheduled drop in the water level in the primary circuit in shutdown states, taking into account the detailed design of the reactor and the planned operational practices;

R.1

• concerning the total loss of the steam generator feedwater supply and to all of the possible dependencies between the startup and shutdown system and the main feedwater supply system.

R.1


E 2.1

E.2 - PROTECTION PROVISIONS AGAINST ACCIDENTS WITH CORE MELTDOWN E.2.1 - Safety objectives

As indicated in section A.1.1, accident situations with core meltdown which would result in large early discharges must be practically eliminated. Low pressure core meltdown sequences must be dealt with so that the maximum conceivable associated discharges would only require very limited protection measures in terms of scope and duration for members of the public. Given that, up to now, experience relating to taking severe accidents into account when designing pressurized water reactors is limited, the directives which follow are more detailed than those relating to reference transients, incidents and accidents and to operating conditions with multiple failures.

S.2.4 S.2.3

-

E 2.2.1

E.2.2 - Practical elimination of sequences that result in large early discharges

E.2.2.1 - Prevention of high pressure core meltdown and direct overheating of the containment

As indicated in section A.1.3, one design objective is to transfer with high reliability high pressure core meltdown sequences into low pressure sequences so that high pressure core meltdown sequences may be "excluded".

S.2.4


E 2.2.1 This objective involves limiting the pressure of the primary circuit to within the 15 to 20 bar range at the time of the reactor vessel rupture. This objective may be achieved by adding pressuriser valves and a dedicated relief valve with an isolation valve to the depressurisation function, as described in paragraph B.2.3.6.

E.4.8 S.2.1 S.2.2 S.2.4

E 2.2.1 The relief capacity of the dedicated valve must be determined by considering the following situations, with realistic assumptions:
• loss of external power supplies and unavailability of all of the diesel generator sets;
• loss of external power supplies and unavailability of all of the diesel generator sets, but with re-establishment of makeup water during core meltdown;
• total loss of steam generator feedwater supply combined with failure of primary feed-and-bleed [18].

E.4.8

E 2.2.1 However, sensitivity studies relating to the relief capacity, hot gas temperatures and to the opening criteria must be carried out by the designer by considering delayed discharge and late reflood along with calculation model uncertainties relating to the advanced core degradation phase or to the reflood.

S.2.2

E 2.2.1 These sensitivity studies will also help to determine the opening means (manual or automatic) for the dedicated valve, by taking into account the possibility of human errors during the accident.

E.4.8 S.2.2

E 2.2.1 The dedicated valve and its isolation valve must be qualified for representative conditions. Experimental justifications may be required, in particular for conditions which differ greatly from normal operating conditions.

E.4.8 C.7

E 2.2.1 Furthermore, design provisions must be made to deal with the mechanical loads which would result from failure of the reactor vessel at 20 bar, so as to limit vertical lifting of the reactor vessel.

E.4.9 E.4.3 S.2.2

[18] It is presumed that the pressuriser valves are unavailable; the dedicated valve and its isolation valve remain available.


E 2.2.1 In addition, design provisions must be made to limit corium dispersion into the containment atmosphere in the case of reactor vessel penetration, to prevent "direct overheating of the containment". These design provisions relate to the reactor pit and its ventilation and to the neutron measurements outside of the core, to ensure that large quantities of corium from the reactor vessel cannot be transported outside of the reactor pit.

F.2.6 S.2.2

E 2.2.2 E.2.2.2 - Prevention of rapid reactivity injection accidents The "practical elimination" of rapid reactivity injection accidents involves detailed examination of each heterogeneous dilution scenario, considering all of the lines of defence for this scenario.

S.2.4

Analysis may consist of the following three stages:
• a maximum volume of water plugs without boron is defined based on neutronic and thermohydraulic considerations relating to the subcriticality of the core, irrespective of the actual dilution scenarios;
• this maximum volume is used to define deterministic means ensuring that this volume is not exceeded for each actual dilution scenario;
• a probabilistic safety analysis is used to check that, for each actual dilution scenario, all of the provisions implemented provide adequate defence in depth in order to "practically eliminate" the corresponding reactivity accidents.

S.2.4

With reference to the first stage, the calculations relating to mixing phenomena should be carried out with various codes, including validation calculations that are preferably based on hydraulic experience in large-scale test installations.

S.2.4


With reference to the second stage, all of the dilution scenarios must be accurately examined, including those resulting from operator errors, auxiliary system malfunctions, steam generator tube leaks and those concerning borated water tanks.

S.2.4

E 2.2.2 It is highlighted that implementing automatic F1A classified suction switchover of the charging pumps of the chemical and volume control system (RCV) [CVCS] to the water tank inside the containment, in the event of a diluted flow being detected by a single F1A boron meter consisting of a neutron source and four flux detectors, would be a positive design measure for limiting the consequences of dilutions originating from RCV [CVCS] lines [19]. However, the possibility of classifying the F1A boron meter must be established.

I.3.2

G.5.10 P.2

E 2.2.2 Adequate methods must be defined by the designer to "practically eliminate" heterogeneous boron dilution scenarios via the intermediate cooling system exchangers. In particular, pump designers may be provided with requirements resulting from corresponding studies with a view to preventing the formation of an inadmissible diluted borated water plug in the auxiliary systems connected via their pump seal cooling systems.

S.2.4

E 2.2.2 In addition, it is highlighted that, in the case of a total loss of power supplies when removal of the residual heat is provided by steam generators operating in counter-current condensation, slightly borated water may accumulate in the primary circuit; this situation must also be studied carefully by the designer.

S.2.4

E 2.2.2 It is also highlighted that high boron concentrations at the beginning of core life would reinforce the attention to be paid to the "practical elimination" of reactivity accidents that result from a rapid introduction of chilled or insufficiently borated water. These boron dilution accidents must be examined in relation to the shutdown system reactivity margins.

S.2.4

[19] Also, the designer must examine the possibility of using the F1A boron meter designed for heterogeneous dilutions to prevent return to criticality caused by homogeneous dilutions.


E 2.2.2 Finally, given that intrinsic dilution mechanisms appear during certain accident situations (for example, the heat transfer mode in the steam generators via boiling and condensation in the case of primary circuit breaks, reverse flow rates in the case of steam generator tube ruptures, etc.), these mechanisms and the corresponding codes must be completely analysed, considering the mixing phenomena which may reduce the consequences of insufficiently borated water plugs. Certain configurations require special attention: simultaneous injection of two water plugs into the reactor vessel, restart of natural circulation in a loop without safety injection and low-density plugs penetrating into the reactor vessel. In particular, design provisions such as automatic interlocks must be implemented for all of the PCC and RRC-A operating conditions concerned in order to exclude the restarting of primary coolant pumps following a significant intrinsic heterogeneous dilution.

S.2.4

E 2.2.3

E.2.2.3 - Prevention of steam explosions
Vessel phenomena
A large mechanical energy release would be needed to jeopardise the reactor vessel and the containment; nevertheless, the designer must examine the possibilities of steam explosions in the vessel linked to core meltdown. Due attention must be paid:
• to justifying the maximum size of the mixing area, taking into account the specific design of the lower support plate of the core and the uncertainties relating to the relocation and behaviour of the core in the lower plenum; within this context, scenarios with reflood must be accurately studied;
• to transposing the experimental results [20] to the specific design of the next generation nuclear power plants;
• to the order of magnitude of the temperature rises for the upper internal structures and the vessel head during core meltdown sequences, and their consequences;
• to the primary circuit behaviour (including the steam generators) in the case of a high-energy water plug passing through the vessel downcomer following a high-energy water-molten core interaction in the vessel.

S.2.4

[20] Including the results from the BERDA installation.


Phenomena outside of the vessel The quantity of water that may be present in the reactor pit and in the spreading chamber when the vessel is perforated must be limited by design. The possibility of a large steam explosion occurring during corium reflood must be avoided and the loads resulting from water-molten core interactions must be taken into account in the design.

S.2.4

E 2.2.4

E.2.2.4 - Prevention of hydrogen detonations As indicated in paragraph B.1.4.1, the possibility of high local hydrogen concentrations must be prevented where reasonably possible by the design of the containment internal structures. When it is not possible to demonstrate that the local hydrogen concentration remains below 10%, specific criteria [21] may be used, as long as they are completely justified and validated, to demonstrate the absence of deflagration-to-detonation transitions and rapid deflagrations; otherwise, adequate provisions must be implemented, such as correspondingly reinforced compartment and containment walls.

S.2.4 S.2.2

A systematic and deterministic approach must be carried out by the designer to select relevant scenarios in terms of hydrogen release flow rates, taking into account the means to limit the consequences and it must be proven that the scenarios selected are covered.

S.2.2

With reference to the means for limiting the consequences, a concept using recombiner units only, without installing igniters, with direct discharge from the primary circuit into the containment via a large pressuriser discharge tank with two relief lines equipped with rupture disks, and with the discharges directed into two primary coolant pump compartments, is, in principle, acceptable and must be able to meet the abovementioned safety objectives. However, this concept must be optimised, and the method as well as the tools used for the demonstration must be completely justified and validated.

S.2.2

21

Such as criterion 7 λ and criterion σ.

Page 113: CHAPTER C. DESIGN BASIS AND GENERAL LAYOUT SUB-CHAPTER C.1 GENERAL SAFETY …epr-reactor.co.uk/ssmod/liblocal/docs/V3/Volume 2... · 2007. 7. 31. · SUB-CHAPTER: C.1 SECTION : -

SUB-CHAPTER : C.1 SECTION : -

UK-EPR

FUNDAMENTAL SAFETY OVERVIEW VOLUME 2: DESIGN AND SAFETY

CHAPTER C: DESIGN BASIS AND GENERAL LAYOUT

TABLE : 1 PAGE: 77 / 104


However, it is highlighted that significant uncertainties exist concerning the production of hydrogen during severe accident sequences; these uncertainties are mainly linked to phenomena such as the late reflood of a partially damaged core at high temperature, the flow of materials from the molten core into the water in the reactor vessel lower plenum and the interactions between the corium and the sacrificial materials. These uncertainties require studies with various codes and models.

Chapters for the FSO: S.2.2

In particular, scenarios with passive or active reflood and scenarios characterised by hydrogen releases at several locations must be dealt with in the demonstration of the efficiency and robustness of the concept limiting the consequences linked to hydrogen.

Chapters for the FSO: S.2.2

It is highlighted that the consequences regarding the flammability of the mixture from the decrease in steam partial pressure following startup of the containment heat removal system must be accurately studied by the designer, considering various startup timings for this system.

Chapters for the FSO: S.2.2

E.2.2.5 - Prevention of containment bypasses
As indicated in section A.1.3, "accident sequences (core meltdown) with containment bypass … must be 'practically eliminated' via design provisions … with the aim of providing reliable isolation and also preventing failures."

With reference to the low pressure safety injection and shutdown cooling system (ISBP/RRA) [LHSI/RHRS], continuous monitoring of the pressure and temperature in the parts of pipes located between the primary circuit first and second isolation non-return valves, which are maintained at accumulator pressure, would provide effective monitoring of the leaktightness of these non-return valves. Nevertheless, to "practically eliminate" core meltdowns with containment bypass caused by a significant realistic leak through these two isolation non-return valves, the designer must justify the capacity of the power-operated isolation valves located on the safety injection lines outside of the containment to stop a reverse flow (which may be two-phase). In all cases, the parts of the ISBP/RRA [LHSI/RHRS] pipes outside of the containment up to and including the power-operated isolation valves must be designed so that their integrity is maintained in primary coolant conditions.

Chapters for the FSO: S.2.4 and F.3


When a shutdown cooling system is operating, the importance for safety of the leaktightness of the non-return valve located at the water tank suction inlet inside the containment and of the medium pressure safety injection system non-return valve inside this containment must also be highlighted. Specific attention must be paid to closing these non-return valves after a sequence to switch from the safety injection mode to the shutdown cooling mode, taking into account the possible presence of particles in the flow through each of these non-return valves during the safety injection.

Chapters for the FSO: F.3

In all cases, adequate provisions must be implemented to guarantee the integrity of the safety injection system parts concerned outside of the containment in the event of a leak via these non-return valves.

Strict design provisions must be applied to the parts of the shutdown cooling system located outside of the containment to prevent severe ruptures in these parts of the system. Also, the ability of the isolation valves to close must be proven for all sizes of break (up to the guillotine break), including with a two-phase flow (see footnote 22).

Chapters for the FSO: F.3

With reference to possible breaks in the thermal barriers for the chemical and volume control system high pressure cooler and primary coolant pumps, the designer must justify the maximum size of the breaks assumed and the provisions implemented to detect and isolate such a break, even for two-phase flow conditions.

Chapters for the FSO: R.1, I.3.2

With reference to the possible breaks in the ISBP/RRA [LHSI/RHRS] system heat exchangers, the designer must also justify the maximum size of break assumed and evaluate the consequences of such a break on the intermediate cooling system circuits in terms of pressure and temperature increase.

Chapters for the FSO: R.1

Footnote 22: It is noted that a guillotine break of the largest pipe is a reference accident (PCC 4).


As regards core meltdown sequences which may occur during shutdown states when the containment building is open, the designer must specify the various shutdown state phases for which this opening is authorised. It would be appropriate to maintain the containment closed, with the inter-containment space negative pressurization system operating, at least in states A, B and C (with a primary coolant temperature greater than 70°C) and in state D before the reloading phase. The secondary side of the steam generators would also be kept closed and the containment isolation systems would be operational in the same A, B and C state phases (with a primary coolant temperature greater than 70°C) and in state D before the reloading phase. In all cases, the designer must demonstrate that, for representative accident sequences, the containment would be reliably closed before significant radioactive releases may happen inside the containment; as indicated in paragraph B.1.4.2, this requirement concerns the equipment hatch.

Chapters for the FSO: M.1, R.1, R.2, C.5.2

As regards core meltdown situations with a significant leak from steam generator tubes (up to multiple rupture of steam generator tubes), the following situations must be studied:
• single or multiple rupture of steam generator tubes with loss of the systems required to deal with this rupture;
• single or multiple rupture of steam generator tubes with failure to close the corresponding main steam isolation valve;
• rupture of a steam pipe with leaks from the associated steam generator tubes;
• spurious opening of a secondary safety valve with leaks from the associated steam generator tubes.

Chapters for the FSO: R.1, S.3

Given that core meltdown sequences with subsequent steam generator tube failures must be "practically eliminated", the scenarios leading to natural circulation via the primary coolant loops and the steam generators must also be accurately studied with adequate validated codes.

E.2.2.6 - Prevention of core meltdown in the spent fuel pool
When the spent fuel pool is not located in the containment, it must be demonstrated that spent fuel meltdown conditions in the pool are "practically eliminated". This demonstration must consider the case of an earthquake.

Chapters for the FSO: S.2.4, R.3.2, I.1.3


E.2.3 - Limiting the consequences of low pressure core meltdown scenarios

E.2.3.1 - Molten core cooling outside of the vessel
With reference to the containment foundation raft, the objectives indicated in section A.1.3 for low pressure core meltdown situations may, as mentioned in paragraph B.1.4.1, be achieved by installing a large dead-end spreading chamber, with cooling of the corium once it is spread over this large surface. The large spreading chamber would be geographically separated from the reactor pit and protected against the thermo-mechanical loads following failure of the reactor vessel. Design provisions would prevent condensation water from any part of the containment from entering this chamber. In addition, a steel door would physically separate the reactor pit from the spreading chamber.

Chapters for the FSO: F.2.6

In this concept, layers of sacrificial concrete would be laid in the reactor pit and in the spreading chamber to obtain adequate molten mix characteristics. Penetration of the foundation raft would be avoided by a protective refractory coating covered with a steel coating. The molten mixture would be cooled by reflooding it from above with water from the water tank inside the containment. Thermal loads on the foundation raft would be limited by a thick steel plate placed under a protective coating (refractory ZrO2), with cooling channels linked to the heat removal system outside of the containment.

Chapters for the FSO: F.2.6, F.2.7

Until now, no validated code system has been able to reliably describe the phenomena of severe accident sequences. Therefore, the design of the reactor pit and large spreading chamber, including corium cooling, must be justified by the designer based on experimental results and associated calculations, for a large range of possible scenarios.

Chapters for the FSO: S.2


Experiments are required for studying the various spreading conditions which may occur (fast pouring, slow pouring, successive pouring, local formation of solidified corium, formation of a crust, etc.), the possibilities of highly energetic corium-water interactions, and the erosion of sacrificial materials and its effect on the composition of the molten mixture in the spreading chamber. In particular, separate-effect experiments are needed for studying the physico-chemical and thermodynamic properties of the corium and the mixtures. Spreading tests should also be carried out with materials that resemble corium, up to a representative scale, taking into account the actual concept of the spreading chamber, in particular the installation of sacrificial materials.

Chapters for the FSO: S.2

The robustness of the above described concept must be checked for various scenarios, in particular scenarios with late reflood and scenarios with low residual heat; specific attention must be paid to the opening of the door (in particular to the possibility of early or partial failure of the steel door), along with optimisation of the reactor pit design in terms of composition and masses of the sacrificial concrete layers, and of the transfer channel between the reactor pit and the spreading chamber. The behaviour of the refractory layer must also be validated, taking into account the cooling system capacities (in particular the critical flux) and the possibilities of thermo-chemical attack by iron oxides or corium oxides. Specific attention must also be paid to conditions with long-term liquid mixing in the spreading chamber and to the stability of the multilayer system in these conditions.

Chapters for the FSO: S.2

E.2.3.2 - Cooling the containment enclosure without venting
The containment cooling function in low pressure core meltdown conditions may be carried out by a system that ensures spraying in the containment and corium cooling, divided into two trains as described in paragraph B.2.3.5, with a dedicated cooling system that ensures diversity in relation to the intermediate cooling system used for the systems relating to the prevention of core meltdown. Pressurization of the dedicated cooling system above the containment cooling system operating pressure would ensure no leak from this system into the dedicated cooling system.

Chapters for the FSO: F.2.7


Due attention must be paid to the following subjects:

a) possible system leaks, in particular:
• the design of the double envelope of the non-isolated part of the containment heat removal system suction line, and monitoring of this line and this double envelope, taking into account possible corrosion effects;
• the design of the parts of the containment heat removal system which are installed outside of this containment and the corresponding dedicated rooms, in relation to the reliability of the leak detection and faulty-train isolation systems;
• the consequences of a leak in the containment heat removal system compartments (pressure, temperature, relative humidity, irradiation, etc.), with classification of the corresponding equipment.

Chapters for the FSO: F.3, F.2.7, F.2.1

b) the possibilities of common causes of failure of the containment heat removal system and the systems required for preventing core meltdown, in particular:
• loss of shared support systems: as the reliability of the heat removal function may be limited by the reliability of the support systems, in particular the power supplies and the final cooling water, the designer must, where necessary, study improvements within the context of specific site studies;
• sealing of the filters from the containment internal tank: detailed information must be provided by the designer (flow characteristics, volume and behaviour of the debris, etc.).

Chapters for the FSO: F.2.7, R.2, I.2.6, F.3

c) the long-term reliability of the corium cooling in the spreading chamber.

Chapters for the FSO: F.2.6, S.2.2


E.2.3.3 - Instrumentation
It is highlighted that, for severe accident conditions, relevant information is required not only for operators but also for emergency teams. A detailed proposal must be presented by the designer with adequate justifications.

Chapters for the FSO: S.2.2.6

E.2.3.4 - Qualification for severe accident conditions
As indicated in paragraph B.2.2.1, the equipment that is required if a severe accident occurs must be qualified for the conditions in which it is needed. In particular, the behaviour of the penetrations and that of the leaktight liner inside the containment must be studied where necessary, taking into account the various phenomena which may occur during severe accidents, in particular hydrogen combustion; the designer must define the corresponding qualification programme.

Chapters for the FSO: C.7.1, C.7.2

E.2.4 - Demonstration of safety
Severe accident conditions must be studied in the demonstration of safety for next generation nuclear power plants. Examples of such conditions include:
• the loss of external power supplies coincident with the unavailability of all of the diesel generator sets, i.e. total loss of power supplies as defined in the RRC-A operating conditions, combined with the unavailability of the small diesel generator sets;
• the total loss of steam generator feedwater supply (as in the RRC-A conditions) combined with the failure of the primary side "open-feed";
• a small primary circuit break with total loss of the safety injection system;
• a loss of primary coolant (up to rupture of the pressuriser surge line) with complete failure of the safety injection system.

Chapters for the FSO: S.2.2

However, uncertainties relating to some of the phenomena which may occur during severe accident sequences require various scenarios to be considered and sensitivity studies to be carried out.

Chapters for the FSO: S.2.2


For each design code used to justify the design, the designer must specify its experimental validation and qualification and how the remaining uncertainties are taken into account (for example, by sensitivity studies).

Chapters for the FSO: Appendix SA

With reference to the loads resulting from hydrogen combustion, with the limitation of consequences concept described in paragraph E.2.2.4, local dynamic effects caused by phenomena such as rapid deflagration or a deflagration-detonation transition are only expected on the containment building's internal structures; provisions such as reinforced walls for the corresponding compartments must be installed where necessary.

Chapters for the FSO: C.5

For the containment internal wall, it must also be demonstrated that, whilst taking into account the methods to limit the consequences, and regardless of the scenario selected, the pressure load resulting from the complete, adiabatic and isochoric hydrogen combustion does not exceed the containment design pressure at any time.

Chapters for the FSO: F.2.1

To demonstrate that the safety objective for the low pressure core meltdown sequences described in section A.1.1 has been achieved, calculation of the possible radiological consequences must use realistic assumptions and parameters.

Chapters for the FSO: S.2.3

As a sensitivity study, the case of a small leak from the reactor building into a peripheral building must be studied in detail, taking into account the leaktightness of the building concerned and the retention area provided by this building.

Chapters for the FSO: S.2.3


F - PROTECTION AGAINST HAZARDS

F.1 - PROTECTION AGAINST INTERNAL HAZARDS

F.1.1 - General requirements
As indicated in section A.2.4, the internal hazards to consider in the demonstration of safety include:
• the failure of components subjected to pressure,
• internal flooding,
• fires,
• internal explosions,
• internal projectiles,
• dropping of loads.

Chapters for the FSO: C.4

The possibilities of common mode failures due to internal hazards may be minimised by installing the parts of the safety system trains which are outside of the containment building in divisions designed in such a way that the total loss of a division due to an internal hazard would not prevent the three basic safety functions from being performed, while applying a single failure consistent with the safety demonstration rules applied to the reference transients, incidents and accidents. Installation provisions must be specified by the designer for the redundant safety system equipment that is not separated by the division configuration. In addition, the demonstration of safety must be established for each internal hazard, presuming that all of the non-protected equipment affected is lost and considering a single aggravating factor and the first operator actions according to the same rules as for the reference transients, incidents and accidents. In principle, internal hazards which do not result from such reference transients, incidents and accidents should not produce a unit operating condition which would come under the incident or accident categories. In the opposite case, the designer must show that this unit operating condition is covered, in terms of probability and consequences, by the studies of the reference incidents and accidents and of the reference operating conditions with multiple failures.

Chapters for the FSO: C.4


The relationships between internal hazards (such as floods resulting from pipe ruptures or fires resulting from explosions) must be considered in the demonstration of safety, along with internal hazards which may result from external hazards or severe accidents (see paragraph F.2.2.1 for earthquakes).

Chapters for the FSO: C.4

F.1.2 - Requirements for designing protection provisions against internal hazards

F.1.2.1 - Pipe, vessel, tank, pump and valve failures
The pipe, vessel, tank, pump and valve configuration and design must be based, where possible, on the physical or geographical separation principle, to prevent an initiating event being aggravated (by applying, in particular, an aggravating factor consistent with the rules applied for the reference transients, incidents and accidents) and to prevent common causes of failure in the systems required for obtaining and maintaining a safe shutdown state. In this respect:
a) the configuration of the reactor coolant pipes should be such that the failure of a primary circuit loop does not cause the failure of another loop;
b) the configuration of the primary and secondary coolant pipework should be such that failure of the primary cooling system does not cause failure of the secondary cooling system and vice versa;
c) failure of a secondary coolant pipe (see footnote 23) should not result in simultaneous depressurization of two steam generators;
d) depressurization of a steam generator simultaneously on the water side and the steam side should be avoided;
e) the first isolation valves on connected systems should be located as close to the main pipes as possible.
Non-compliance with these rules must be justified.

Chapters for the FSO: C.4.2

Footnote 23: See the breaks to assume in section B.1.3.


With reference to the effects of pipe, vessel, tank, pump and valve failures, for high energy components (components of systems transporting water or steam at a pressure greater than 2.0 MPa or at a temperature greater than 100°C during normal operation, and components transporting gases at a pressure greater than atmospheric pressure), the local effects to consider include internal system effects (forces linked to pressure waves and forces linked to increased flows) and effects on the surroundings of the components (jet effects, reaction forces, pipe whipping). In addition, in each case, the global effects to be considered include floods, the most severe ambient conditions and the differential pressure effects on the structure of the buildings.

Chapters for the FSO: C.4

In addition to the "exclusion" of guillotine breaks on the main reactor coolant pipes and main secondary coolant pipes, as indicated in sections B.1.2 and B.1.3, ruptures may be "excluded" from the demonstration of safety for vessels, tanks, pumps and valves designed, constructed and operated with high quality requirements. However, such an approach must be clearly justified by the designer on a case-by-case basis, taking into account operational experience from existing units; with these justifications, only leaks would be studied. Other rupture "exclusions" may be discussed for pipes with diameters smaller than approximately 50 mm, designed, constructed and operated according to high quality and monitoring requirements, when these pipes are operated at high energy for less than 2% of reactor life; in the case where such rupture "exclusions" were to be justified, only leaks would be taken into account.

Chapters for the FSO: C.4.2

The location of applied pipe ruptures or leaks must be selected considering not only the stresses calculated in the pipes but also the possible consequences of high or low energy pipe failures in each compartment containing such pipes; this must, in particular, be applied to the containment penetrations.

Chapters for the FSO: C.4.2

In addition, suitable assumptions must be proposed and justified by the designer concerning the size of initial leaks via cracks crossing pipes, flanges and pump and valve penetrations, along with the size of leaks that may result from damage to a pipe or other equipment via whipping from a broken pipe.

Chapters for the FSO: C.4.2


F.1.2.2 - Internal flooding
With reference to floods, in addition to the pipe, vessel, tank, pump and valve ruptures and leaks defined in paragraph F.1.2.1, possible flood initiating events such as a pre-operational error, erroneous operation of a fire fighting system, tank overflow, opening of the safety valves, the failure or unscheduled operation of isolation components, etc., must be dealt with in the demonstration of safety.

Chapters for the FSO: C.4.8

All of the relevant effects of possible floods must be considered, including those from a rise in the water level for the active and passive components in the affected area; a pressure, temperature or humidity increase or an increase of the ambient radioactivity conditions for the equipment in the affected area; spraying of the electrical components; boric acid releases; and the resulting loads on the building structures, including the doors and airlocks. The time periods assumed for the necessary operator interventions must be justified by the designer, taking into account the various flood sources that may occur simultaneously and the ambient conditions in the access ways.

Chapters for the FSO: C.4.8

Avoiding groundwater contamination must also be a design objective; the corresponding provisions must be specified and justified by the designer, even for the case of internal flooding of an auxiliary building.

Chapters for the FSO: C.4.8

F.1.2.3 - Fires
According to the "defence in depth" principle, fire protection includes prevention, detection and the extinguishing of fires (fire control) and limiting the consequences of fires (non-propagation of fires). Priority is given to provisions which aim to limit and isolate heat loads, limit the formation of fumes and prevent ignition sources close to combustible materials; this leads to non-flammable or not very flammable fluids and equipment being selected where possible and appropriate; possible ignition sources must be clearly identified and studied.

Chapters for the FSO: C.4.7, I.5.1


F 1.2.3 Despite the prevention measures, fire protection must be based on the assumptions that a fire may break out anywhere in the installation and in any normal operating condition; a single fire must be considered at a given moment. Special attention must be paid to the fire protection provisions in shutdown states, including during maintenance activities. In addition, protection against fires which may break out in an abnormal unit state, in particular in post-accident shutdown conditions, must be defined by the designer.

C.4.7 I.5.1

F 1.2.3

With reference to limiting the consequences of fires, priority must be given, firstly to physical protection via fire sectors, and secondly to geographical separation via fire areas. During shutdown states, maintaining sectorisation elements linked to safety in the open position must be only by exception and be subjected to analysis on a case-by-case basis, with suitable compensatory provisions being defined. This requirement must be taken into account as of the design stage.

C.4.7 I.5.1

F 1.2.3 Safety analysis of the effects of fires must clearly identify the possibilities of common causes of failure which may result from the incomplete separation of the redundant equipment required for obtaining and maintaining a safe shutdown state (including the internal flooding risks linked to using fire fighting systems); in such cases, additional provisions must be implemented where necessary. More generally, the operational failure of all of the equipment other than equipment with adequately justified protection, must be presumed inside the fire sector or fire area where the fire has broken out.

C.4.7 I.5.1

F 1.2.3 In addition, the following points must be highlighted:
• the degree of fire resistance for sectorisation elements must be specified by the designer, taking into account developments in expertise;
• pressure effects caused by the fire must be evaluated; if necessary, adequate qualification must be carried out for sealing the openings which must resist fire, in particular those situated on the border of a fire sector;
• monitoring the propagation of fires must be considered as an aim when designing fire detection systems;
• the countermeasures required, in the case of a fire, to protect safety classified systems (sectorisation elements, fire detection and fire fighting systems) must be designed to withstand earthquakes.

C.4.7

Page 126: CHAPTER C. DESIGN BASIS AND GENERAL LAYOUT SUB-CHAPTER C.1 GENERAL SAFETY …epr-reactor.co.uk/ssmod/liblocal/docs/V3/Volume 2... · 2007. 7. 31. · SUB-CHAPTER: C.1 SECTION : -

SUB-CHAPTER : C.1 SECTION : -

UK-EPR

FUNDAMENTAL SAFETY OVERVIEW VOLUME 2: DESIGN AND SAFETY

CHAPTER C: DESIGN BASIS AND GENERAL LAYOUT

TABLE : 1 PAGE: 90 / 104

Index Technical Directives (Technical Guidelines) for the design and construction of the next generation of pressurized water nuclear power plants

Chapters for the FSO

F 1.2.4 F.1.2.4 - Internal explosions

Priority must be given to preventing internal explosions, in particular via strict limitation of the use of gas and explosive fluids. Appropriate methods as well as the relationships between internal explosions and other hazards must be defined by the designer.

C.4.6 I.5.6

F 1.2.5 F.1.2.5 - Internal projectiles

Internal projectiles may be produced by rotating equipment failures or high-energy component failures. These failures must be avoided where possible via quality and monitoring requirements; appropriate measures must be defined by the designer, in particular the installation of systems to prevent the overspeed of rotating equipment.

C.4

F 1.2.5 Nevertheless, studies must be carried out to evaluate the possible consequences of projectiles from representative internal components, in particular, a projectile coming from a low pressure turbine part; according to the results of these studies, additional provisions must be implemented where necessary.

C.5

F 1.2.6 F.1.2.6 - Dropping of loads

In principle, the dropping of loads onto equipment linked to safety must be subjected to prevention provisions according to the importance of the consequences which may result. The levels of defence against the dropping of loads (prevention, monitoring and limitation of consequences provisions to be implemented) must be defined by the designer.

C.4 I.1.4


F 2.1 F.2 - PROTECTION AGAINST EXTERNAL HAZARDS

F.2.1 - Events to be considered

The external hazards to be considered in the demonstration of safety and for which design provisions are required in section A.2.5 include:
• earthquakes,
• aircraft crashes,
• external explosions,
• lightning and electromagnetic interference,
• underground water,
• extreme meteorological conditions (temperature, snow, wind, rain, etc.),
• external flooding,
• drought,
• the formation of ice,
• toxic, corrosive or flammable gases.

C.3

In general, a good method for determining the provisions to implement against external hazards is to define the load combinations. A suitable method should be defined for each external hazard for determining the loads, and thus the structures, systems and equipment which must withstand these loads; in addition, for some external hazards, this approach must be complemented by an event-based approach including, if necessary, functional analysis to evaluate the dependencies between external hazards and internal hazards or events.

C.3


F 2.2 F.2.2 - Requirements for designing protection provisions against specific external hazards

F 2.2.1 F.2.2.1 - Earthquakes

There are two possibilities for the seismic design of a unit: to design with site specific spectra and acceleration values or to design using standardised spectra. In the latter case, an intensity of VIII in the MSK scale may be assumed, for example, for the design of non site specific buildings and equipment; this means that for some sites, adaptations may be necessary on a case-by-case basis.

C.3

In the European seismotectonic context, the three spectra presented in figure F.1 appear well suited and conservative enough for a standard design. Before making any decision to construct a unit on a specific site, the designer must prove that this standard protection is adequate in view of the actual characteristics of the site.

C.3

Safety classified buildings must be designed in relation to earthquakes, using suitable criteria according to the corresponding operational requirements. In addition, the safety functions must be performed for the design earthquake presuming non-seismic damage to equipment; this involves a detailed check of the behaviour of the installation, appropriately taking into account the exact configuration of the equipment.

C.5

An "inspection earthquake" with an unconstrained maximum horizontal acceleration of 0.05 g in free field is adequate; after the occurrence of an earthquake with a level lower than or equal to this, no verification or inspection of the components that are important for safety should be necessary before returning to or maintaining the unit at normal operation. However, adequate provisions must be implemented at the design stage to allow inspections and tests to be carried out that may prove to be necessary if this acceleration level is exceeded.

C.3


To design the components and structures for next generation nuclear power plants, the combination of the design earthquake with the reference loss of coolant accident must be taken into account. To design the reactor vessel internal structures, this requirement may be dealt with by considering a load combination combining the design earthquake and rupture of the largest pipe connected to a main reactor coolant pipe. In addition, with reference to the containment leaktightness and design, the designer must specify his position on the combination of a steam pipe failure with the design earthquake. The systems that are required to deal with reference transients, incidents and accidents must be designed or qualified for the combination of loads resulting from the corresponding reference transients, incidents and accidents and the design earthquake.

C.6

C.5

An event-based approach must be applied to exhaustively identify the equipment whose failure may cause the failure of earthquake-designed equipment that is required for performing the safety functions; during the construction phase, this approach must be completed by an inspection of the premises. Additional design measures must be implemented where possible to eliminate identified difficulties. In addition, the simultaneous failure of the equipment that is not designed for earthquakes must be considered according to a suitable method.

The designer must also specify how he intends to prove the existence of sufficient design margins that are consistent with the general safety objectives indicated in section A.1.1. The margins must be evaluated with the aim of demonstrating that no cliff edge effect would exist in terms of radiological consequences assuming that the acceleration values are lower than site-specific acceleration values; the corresponding method must take the actual behaviour of the representative equipment and the possibilities of simultaneous equipment failures into account.

To deal with the possibility of a long-term loss of external power sources, all of the emergency power sources must be designed and qualified for earthquakes.

I.5.2 H.3 C.2


F.2.2.2 F.2.2.2 - Aircraft crashes

As regards aircraft crashes, provisions must be made to ensure suitable protection of the buildings linked to safety by appropriately considering the general aviation and military aviation traffic close to the site and by anticipating, where possible, their developments during the life of the installation. Protection of the safety systems must be considered in relation to direct impact (penetration) and in relation to indirect impact linked to the vibrations produced.

C.3

These objectives may be dealt with by designing the reactor building, the spent fuel building and some of the auxiliaries buildings (to ensure without redundancy the protection of the equipment needed to shut down the reactor and prevent core meltdown) (footnote 24) with load diagrams according to times C1 and C2 presented in figure F.2, applied to a circular area of 7 m² in the following way:

1. The load diagram according to time C1 must be used to design the internal structures of these buildings against the vibrations produced, presuming an elastic linear behaviour of the material and an impact at the centre of each external protection wall. To avoid extreme excitations, decoupling of the internal structures from the external walls must be used. Where possible, attaching systems and components to the external walls must be avoided. The corresponding response spectra to be considered for the design of the equipment must only be calculated for the main structural elements of these buildings.

2. With reference to protection against penetration, the load diagram according to time C1 must be used to design the external walls of the same buildings against the loads resulting from a direct impact, to make sure that there will be neither penetration nor chipping and that deformations (frames, concrete) would be limited.

Footnote 24: This paragraph means that some of the auxiliaries buildings may be designed without protection in relation to aircraft crashes so long as the equipment inside the protected buildings is sufficient for shutting down the reactor and preventing core meltdown without redundancy.


3. Also, the load diagram according to time C2 must be used to design the ultimate limit state (according to Eurocode 2, part 1) (footnote 25):

a) of the reactor building to ensure that perforation is avoided and that the chipping which may occur would not compromise shutdown of the reactor and prevention of core meltdown,

b) of the spent fuel building to ensure no uncovering of spent fuel.

Dynamic analysis of the vibrations produced may be carried out by using a modal analysis superposition technique with the combination of modal responses according to the "square root of the sum of the squares" (SRSS) method.

It is highlighted that, with a suitable configuration providing geographical separation of non-protected redundant equipment, the corresponding load combination approach does not need to be completed with an event-based approach. However, in relation to the fact that steam pipes are installed in pairs and are not protected against aircraft crashes, it is highlighted that the simultaneous drainage of two steam generators should be studied with the appropriate rules.

F.2.2.3 F.2.2.3 - Explosions

With reference to external explosions, for the design of next generation nuclear power plants, a triangular-shaped pressure wave with a straight front, a maximum overpressure of 100 mbar and a duration of 300 ms must be taken into account as a standard load as a function of time. That is, taking into account possible reflections on the building walls and roofs, the load as a function of time on the building walls will consist of a maximum overpressure wave of 200 mbar on the flat walls.

C.3

Footnote 25: The definition of the ultimate limit state in Eurocode 2, part 1, is "associated with the collapse or other forms of structural failure that may jeopardize the safety of people". Thus, the demonstration relating to this paragraph may take into account protection walls other than the reactor building and the spent fuel building external walls.


For adequate protection of the next generation nuclear power plants, the reactor building, the spent fuel building, the safeguard buildings and the diesel generator buildings must be protected, along with the site-specific structures and ducts linked to the town water supply. In addition, protection of the nuclear auxiliaries building must be considered in relation to the radioactive discharge risk.

C.3 C.5 P.3

Before a decision is made on the construction of a unit on a specific site, the designer must prove that the standard protection relating to explosions is appropriate taking into account the current and planned industrial development around the site. In the opposite case, administrative measures must be taken or additional protections must be implemented.

C.3.8

G G - SYSTEM DESIGN REQUIREMENTS AND SAFETY FUNCTION EFFICIENCY

G 1 G.1 - Designing the spent fuel pool cooling system

The spent fuel pool cooling system may consist of two separate identical trains, each train with two pumps and a heat exchanger cooled by the intermediate cooling system.

I.1.3

The following requirements would be applied to the spent fuel pool cooling system:
• the design of the spent fuel pool and the configuration of the suction branch pipe and pool cooling system outlets would be such that they avoid direct recirculation between the cooling system discharge and suction;
• the pool temperature would be maintained below 50°C in normal operation (power and shutdown states up to the start of core discharging in state E) with a pump from one of the trains in operation;
• the pool temperature would be maintained below 50°C during shutdown states E and F with two trains in operation and one pump from each train in operation;
• the system and the spent fuel pool should be able to withstand a temperature of 100°C. System restart and operation must be possible with the spent fuel pool at 100°C.

I.1.3

I.1.3

I.1.3

I.1.3, I.1.6


Such a design allows availability of a pump to be maintained after loss of a train by applying an active single failure on the other train, recognising that "the exclusion" of the passive single failure on this other train may be tolerated if strict requirements are applied at the design and construction stage and to the in-service inspection of the spent fuel pool cooling system and the intermediate cooling system headers.

I.1.3
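To make the two failure-assumption rules in this table concrete, the following is an added worked example in Python; it is not code from the Technical Guidelines, from the FSO or from any EPR system. It covers the F.1.2.3 rule earlier in the table (a single fire breaks out in one sector, and every piece of equipment there without adequately justified protection is assumed to fail, together with everything that depends on it) and the G.1 argument just above (one spent fuel pool cooling train is lost, an active single failure is then applied to the other train, and the passive failure of the headers is excluded only under strict design and in-service inspection requirements). The fire sectors, train structure, component names (pumpA, busB, headerA, ccwB, etc.) and dependency relations are constructed for illustration and do not reproduce the EPR's actual layout; the model itself is general and works for any sector map and any number of trains.

```python
"""Failure-assumption checks for redundant safety functions.

Added worked example; the layouts below are constructed for illustration and
are not the EPR's actual plant layout or dependency structure.
"""


def propagate(failed, depends_on):
    """Close a set of failed components under support dependencies.

    A component is lost when it has failed itself or when any component it
    depends on (power supply, cooling header, ...) has been lost.
    """
    lost = set(failed)
    changed = True
    while changed:
        changed = False
        for component, supports in depends_on.items():
            if component not in lost and supports & lost:
                lost.add(component)
                changed = True
    return lost


def function_available(success_paths, lost):
    """A safety function survives if at least one redundant success path is intact."""
    return any(not (path & lost) for path in success_paths)


# --- F.1.2.3: one fire; everything unprotected in that sector is assumed lost ---

FIRE_SECTORS = {                      # fire sector -> equipment located in it (constructed)
    "S1": {"pumpA", "cabinetA"},
    "S2": {"pumpB", "cabinetB"},
    "S3": {"busA", "busB"},           # both trains' power supplies routed through one sector
}
FIRE_DEPENDS = {                      # component -> support components it needs (constructed)
    "pumpA": {"cabinetA"}, "cabinetA": {"busA"},
    "pumpB": {"cabinetB"}, "cabinetB": {"busB"},
}
SAFE_SHUTDOWN_PATHS = [{"pumpA"}, {"pumpB"}]   # either redundant train suffices


def fire_common_causes(sectors, protected, depends_on, success_paths):
    """Sectors in which a single fire defeats the function.

    Every item in the burning sector without justified protection fails, and so
    does everything depending on it; a sector that leaves no success path intact
    is a common-cause failure that needs additional design provisions.
    """
    defeated = []
    for sector, equipment in sectors.items():
        lost = propagate(equipment - protected, depends_on)
        if not function_available(success_paths, lost):
            defeated.append(sector)
    return defeated


# --- G.1: spent fuel pool cooling, two trains of two pumps, loss of one train plus a single failure ---

SFP_DEPENDS = {                       # constructed dependency structure
    "pumpA1": {"headerA", "hxA"}, "pumpA2": {"headerA", "hxA"},
    "pumpB1": {"headerB", "hxB"}, "pumpB2": {"headerB", "hxB"},
    "hxA": {"ccwA"}, "hxB": {"ccwB"},  # heat exchangers cooled by the intermediate cooling system
}
SFP_PUMPS = {"pumpA1", "pumpA2", "pumpB1", "pumpB2"}
ACTIVE = SFP_PUMPS                                               # active single failures to postulate
PASSIVE = {"headerA", "headerB", "hxA", "hxB", "ccwA", "ccwB"}   # excluded only under strict design and in-service inspection


def pumps_left(lost_train, single_failure):
    """Pumps still available after a whole train is lost and one more component fails."""
    lost = propagate(set(lost_train) | {single_failure}, SFP_DEPENDS)
    return SFP_PUMPS - lost


def worst_case_pumps(lost_train, postulated_failures):
    """Fewest pumps remaining over every postulated single failure on top of the lost train."""
    return min(len(pumps_left(lost_train, f)) for f in postulated_failures)


if __name__ == "__main__":
    print("sectors defeating safe shutdown, no protection:",
          fire_common_causes(FIRE_SECTORS, set(), FIRE_DEPENDS, SAFE_SHUTDOWN_PATHS))
    print("same with busB protected:",
          fire_common_causes(FIRE_SECTORS, {"busB"}, FIRE_DEPENDS, SAFE_SHUTDOWN_PATHS))
    print("train A lost + active single failure, pumps left:", worst_case_pumps({"headerA"}, ACTIVE))
    print("train A lost + any single failure incl. passive:", worst_case_pumps({"headerA"} , ACTIVE | PASSIVE))
```

Run as a script, the constructed layout reports sector S3 as the common-cause sector (one fire there removes both trains' power) until busB is given justified protection, one pump left when a train is lost and any active single failure is added to the other train, and no pump at all once a passive header failure is admitted. That last result is exactly why the guideline ties the exclusion of the passive single failure to strict design, construction and in-service inspection requirements on the cooling system and intermediate cooling headers.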

However, the approach relating to the initiating events for the spent fuel pool cooling system and the associated support systems must be defined by the designer, with classification of these events into unit operating condition and risk reduction operating condition categories and the associated analysis rules. The design requirements for the spent fuel pool cooling system must reflect the importance of the residual heat removal function. For reference transients, incidents and accidents, the strictest requirements should be applied to the most frequent operating conditions. In particular, adequate limitations for the spent fuel pool temperature must be defined for the reference transients presuming the failure of one of the system trains, even during preventive maintenance (footnote 26) and periodic tests; these limitations must take the requirements applied to the leaktight liner of the pool and the concrete structures into account and be consistent with the protection of other safety systems.

P.0 P.2

S.1.0

It is also highlighted that the designer must plan provisions that allow the total loss of the spent fuel pool cooling system to be controlled whilst maintaining the containment function; otherwise, the likelihood of water boiling in the spent fuel pool must be reduced by adequate improvements, in particular to the support systems of the pool cooling system. In addition, as indicated in paragraph E.2.2.6, fuel meltdown in the pool must be "practically eliminated"; the designer must provide justifications of this "practical elimination", including the results from the probabilistic safety analyses.

I.1.3 R.3.2 S.2.4

Footnote 26: The time needed to re-establish the function in the event of maintenance may be taken into account.


G 2 G.2 - Efficiency of the containment leaktightness

As indicated in paragraph B.1.4.1, a low leak rate from the containment internal wall is essential. Due attention must be paid to the following points:
• high-performance concrete must be specified in detail; acceptance criteria and adequate tests concerning parameters such as porosity, permeability, workability, shrinkage and creep must be defined irrespective of the choice of site. After selecting the site, these tests must be implemented;

C.5

• in addition to investigations carried out by calculation in a first stage, the validity of the construction tolerances and construction processes for the combined use of high-performance concrete and 55T15 tendons must be experimentally checked, at least via laboratory tests with the specific composition of the concrete;

• the material qualification process for the leaktight liner and the injection products must be specified; selection of these components will be based on the results from the corresponding tests;

• the containment building internal wall must be equipped with adequate instrumentation for accurately monitoring the loss of prestressing over time in discrete areas; provisions must be made to be able to replace or complement the corresponding systems, if necessary.

Information must also be provided by the designer concerning the provisions implemented to prevent uncollected leaks from the containment over the entire life of the installation. In all cases, the validity must be proven by suitable tests.

F.2.1


Detailed information must also be provided by the designer regarding the following subjects concerning the design of the inter-containment space ventilation system:
• assumptions relating to steam condensation in the concrete of the containment internal wall must be defined after suitable evaluation of the available experimental results (footnote 27); the inter-containment space ventilation system must be designed accordingly;

• the time during which the inter-containment space would be maintained at negative pressure after the ventilation system for this space is shut down must be specified and justified;

F.2.2

• the design of the inter-containment space ventilation system must also appropriately take into account possible leaks or ruptures for the components located on the containment building external wall;

F.2.2

• the absence of emergency power for the inter-containment space ventilation system fans via small generating units must be justified;

F.2.2

• the importance of a permanent and recorded iodine and aerosol measurement in the inter-containment space ventilation pipes downstream of the filters must be examined;

F.2.2

• detailed information must also be provided regarding the containment methods associated to the inter-containment space ventilation system rooms, with classification of the corresponding equipment.

I.4.2

G 3

G.3 - DESIGN OF THE INSTRUMENTATION AND CONTROL

1. The requirements that apply to safety classified instrumentation and control must be described by the designer in a specification; compliance of these requirements with the demonstration of safety relating to the reference transients, incidents and accidents and to operating conditions with multiple failures must be justified.

G.1.0 G.3 G.4 G.5

Footnote 27: Including the MAEVA installation results.


G 3 2. The instrumentation and control functions may be F1A, F1B or F2 classified according to the general safety function classification (see section B.2.1). The effectiveness of automatic actions in these classes must guarantee the grace period defined for manual countermeasures in the event of an incident.

C.2.1 G.1 P.2

S.1.2

G 3 3. To perform these functions, the instrumentation and control system architecture may be installed as follows: a) interfaces with the process (instrumentation, shutoff devices and actuators); b) PLCs (monitoring and controlling the unit in all normal conditions, controlling the core, limitation functions, protection functions, support functions and post-accident functions, controlling the actuators and ranking classified function controls); c) monitoring and controlling the unit with man-machine interfaces.

G.2 Q.4

G 3 4. The physical structure of the instrumentation and control equipment and systems must be designed so that adequate independence may be demonstrated between the various defence in depth function levels. This particularly applies to the interfaces between systems with various safety classifications. Likewise, independence must be demonstrated for the redundant equipment installed to respond to the single failure criterion and to the separation and maintenance requirements (to protect against internal hazards); F1 functions should be able to respond to the single failure criterion during maintenance or periodic tests. The independence must be justified by provisions such as segregation, isolation, autonomy and diversity; in particular, provisions (including software and hardware diversity) must be implemented to limit common causes of software failure, as indicated in section A.2.2.

G


G 3 5. In principle, the demonstration of safety should be carried out considering the methods normally used by the operators in the main control room. However, installing an F1B classified conventional man-machine interface in the main control room to be able to carry out the demonstration of safety with F1 classified equipment when the operators would use an F2 classified computerised man-machine interface, could be accepted provided that:

a) the computerised man-machine interface architecture and equipment meet the requirements that apply to F1B systems,

b) the corresponding software meets the detailed qualification requirements to be proposed by the designer,

c) the methods implemented to detect and indicate failures in essential F2 equipment and functions in the computerised man-machine interface meet the requirements that apply to F1B equipment and functions.

G.4

G.3 6. In addition to the main control room, an Emergency Control Centre must be installed in case the main control room becomes unavailable. The designer must specify the situations for which the main control room would be unavailable, the consequences of such situations and the tasks to be performed accordingly from the Emergency Control Centre and the associated means.

G.2 Q.4


G 3 7. Instrumentation and control failures must be systematically considered for the design of and demonstration of safety for next generation nuclear power plants. In particular, the designer must consider all reasonable initiating event generation possibilities resulting from inappropriate instrumentation and control system actions and check whether these initiating events are covered by the analysis of the reference transients, incidents and accidents and of the operating conditions with multiple failures. Furthermore, such inappropriate instrumentation and control system actions must also be considered as single aggravating factors when analysing reference transients, incidents and accidents. Only unscheduled actions (single or multiple) that may result from a single failure in the instrumentation and control sub-systems or support systems are to be considered. In all cases, adequate techniques must be implemented when designing equipment, software and functional applications to reduce the possibilities of inappropriate actions. Specific attention should be paid at the design stage to the simultaneous control actions that are sensitive to design errors or operator errors.

G.3 G.4

P

G.6

G 3 8. As indicated in parts A.1, F.1 and F.2, the demonstration of safety for next generation nuclear power plants must deal with internal and external hazards. This includes consequences such as hazards regarding the instrumentation and control systems.

G.3 G.4

G 3 The possibilities of hazards resulting from instrumentation and control equipment must also be considered.

G 4

G.4 - USING TECHNICAL CODES

As indicated in section A.1.2, design, manufacturing, construction and operating quality is essential for safety within the framework of the first "defence in depth" level. Quality must be obtained and demonstrated, in particular, via an adequate set of design, manufacturing, construction and operating requirements and via quality assurance. These requirements may be grouped into technical codes.

-

B.6, B.7


G 4

With reference to the instrumentation and control equipment for next generation nuclear power plants, the following points are highlighted: • black box type components (hardware and software) must have a validated specification based on

specific tests and if possible on relevant operating experience; • in principle, unused software parts must be avoided (i.e. dead codes) for instrumentation and control

systems carrying out F1 functions; exceptions must be justified. Any dead code must be identified. Dead codes must be specified, coded, checked and validated with the remaining system codes concerned.

B.6, B.7, G
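The requirement that any dead code be identified can be given a concrete form. What follows is an added example in Python; it is not code from the Technical Guidelines, from the FSO or from any EPR instrumentation and control platform, and the sample application it analyses (read_level, start_pump, legacy_purge, protect, self_test) is constructed for illustration. The example builds a conservative call graph from the source, reports functions that no declared entry point can reach, and reports statements that follow an unconditional return, raise, break or continue in the same block. Both findings are the candidates that must either be removed or, if an exception is justified, be specified, coded, checked and validated with the rest of the code. The AST walk is specific to Python; a real I&C application would apply the same two checks to the language it is written in.

```python
"""Dead-code identification for a Python source file.

Added worked example; the sample application below is constructed for
illustration and is not an EPR I&C application.
"""
import ast
from collections import deque

SAMPLE_SOURCE = '''
def read_level(sensor):
    return sensor["level"]

def start_pump(pump):
    pump["running"] = True
    return pump

def legacy_purge(pump):           # reachable only from self_test, not from the protection entry point
    pump["purge"] = True
    return pump

def protect(sensor, pump):
    if read_level(sensor) < 0.2:
        return start_pump(pump)
    return pump
    pump["running"] = False       # unreachable: follows an unconditional return

def self_test():
    return legacy_purge({"running": False}) is not None
'''

# Statements after which nothing later in the same block can execute.
TERMINATORS = (ast.Return, ast.Raise, ast.Break, ast.Continue)


def function_defs(tree):
    """Top-level function definitions, keyed by name."""
    return {node.name: node for node in tree.body if isinstance(node, ast.FunctionDef)}


def callees(fn, known):
    """Names of known functions referenced anywhere inside fn (a conservative call graph)."""
    return {node.id for node in ast.walk(fn) if isinstance(node, ast.Name) and node.id in known}


def unreachable_functions(source, entry_points):
    """Functions that no declared entry point can reach through the call graph."""
    defs = function_defs(ast.parse(source))
    graph = {name: callees(fn, defs) for name, fn in defs.items()}
    reached = set()
    queue = deque(name for name in entry_points if name in defs)
    while queue:
        name = queue.popleft()
        if name in reached:
            continue
        reached.add(name)
        queue.extend(graph[name] - reached)
    return sorted(set(defs) - reached)


def unreachable_statements(source):
    """(function, statement text) pairs where the statement follows a terminator in the same block."""
    findings = []
    for fn in function_defs(ast.parse(source)).values():
        for node in ast.walk(fn):
            for field in ("body", "orelse", "finalbody"):
                stmts = getattr(node, field, None)
                if not isinstance(stmts, list):
                    continue
                for i, stmt in enumerate(stmts[:-1]):
                    if isinstance(stmt, TERMINATORS):
                        findings.append((fn.name, ast.get_source_segment(source, stmts[i + 1])))
                        break
    return findings


if __name__ == "__main__":
    print("unreachable from protect():", unreachable_functions(SAMPLE_SOURCE, ["protect"]))
    print("unreachable from protect() and self_test():",
          unreachable_functions(SAMPLE_SOURCE, ["protect", "self_test"]))
    print("unreachable statements:", unreachable_statements(SAMPLE_SOURCE))
```

With only the protection function declared as an entry point, legacy_purge and self_test are reported as unreachable and the assignment after the second return in protect is reported as dead; declaring self_test as a second entry point makes legacy_purge reachable again, which is the situation the guideline has in mind when it asks that retained dead code be justified and verified rather than merely left in place.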

G 4 With reference to the civil engineering for next generation nuclear power plants:
• compliance with the applicable rules must be demonstrated, taking into account additions and amendments in relation to existing technical codes;
• an average residual compression criterion in the current part of the containment internal wall is not enough to guarantee adequate leaktightness of this internal wall, including discrete areas, in accident conditions; additional criteria such as suitable limitation of the size of cracks should be considered;
• provisions must be implemented to ensure the leaktightness of the containment building internal wall and its penetrations for a pressuriser surge pipe rupture combined with the design earthquake; provided that they are justified, the corresponding criteria may be less strict than those applied for the leaktightness in severe accident situations;
• the provisions made to meet the design objectives in terms of life time must be specified and justified taking into account the uncertainties relating to the parameters which affect containment ageing;
• adequate rules must be defined to meet the operational requirements relating, on one hand, to buildings other than the reactor building, and on the other hand, to metal structures (reactor building penetrations, spent fuel pool leaktight liner, etc.).

C.5, B.6

C.5

Page 140: TABLE 1, PAGE 104 / 104

G 4 - With reference to the heating, ventilation and air conditioning systems for next generation nuclear power plants:
• the design of the static and dynamic containment systems for the peripheral buildings, including the nuclear auxiliaries building, must be consistent with achievement of the safety objectives indicated in section A.1.1; sensitivity studies concerning the availability of the ventilation systems and the leak rates of these buildings must be presented for severe accidents; (Chapters for the FSO: I.4.0, S.2.3, F.2.1)
• the exact list of rooms with an iodine risk, including the rooms where radioactive liquids circulate in accident situations, must be specified by the designer, along with adequate criteria for the containment function of these rooms in the various accident situations, taking into account the negative pressure effects from the windward side of these buildings; (Chapters for the FSO: I.4.0, I.4.1, F.2.1)
• a method must be presented concerning the definition of basic and extreme atmospheric conditions (temperature, humidity, duration, etc.), along with the requirements to be applied, in particular, to the ventilation systems in order to deal with these conditions; (Chapters for the FSO: I.4.0)
• the design provisions made to ensure habitability of the main control room must be described in detail. (Chapters for the FSO: F.4.1)
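The I&C directive in Table 1 above requires that dead code in F1 systems be avoided, that any remaining dead code be identified, and that exceptions be justified. The script below is an added example, not code from the UK-EPR FSO or from any plant I&C system, of one way to perform that identification mechanically: it builds a call graph of a module with Python's standard `ast` module, computes which functions are reachable from declared entry points, reports the rest as dead, and cross-checks the report against a list of justified exceptions. The sample module, the entry-point set `ENTRY_POINTS` and the `JUSTIFIED` dictionary are all constructed for the example; real safety I&C code would normally be in another language, and the same reachability check applies there.

```python
import ast

# Constructed sample module in the style of a small I&C function block
# (illustrative only; not real plant software).
SAMPLE_SOURCE = '''
def read_pressure(raw):
    return raw * 0.01

def pressure_high(raw, limit):
    return read_pressure(raw) > limit

def trip(raw, limit):
    if pressure_high(raw, limit):
        return "TRIP"
    return "OK"

def legacy_filter(raw):        # never called: unidentified dead code
    return raw // 2

def test_hook(raw):            # never called, but listed as a justified exception
    return read_pressure(raw)
'''

# Functions the system actually invokes (assumed for the example).
ENTRY_POINTS = {"trip"}

# Justified exceptions: function name -> written justification (assumed format).
JUSTIFIED = {"test_hook": "retained for the acceptance test bench; see test plan"}


def call_graph(source):
    """Map each top-level function to the set of plain-name functions it calls."""
    tree = ast.parse(source)
    graph = {}
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            callees = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name):
                    callees.add(sub.func.id)
            graph[node.name] = callees
    return graph


def reachable(graph, entry_points):
    """Depth-first reachability over the call graph from the entry points."""
    seen = set()
    stack = [name for name in entry_points if name in graph]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(callee for callee in graph[name] if callee in graph)
    return seen


def find_dead_code(source, entry_points, justified):
    """Report dead functions, those lacking a justification, and stale justifications."""
    graph = call_graph(source)
    live = reachable(graph, entry_points)
    dead = sorted(set(graph) - live)
    unjustified = [name for name in dead if name not in justified]
    # A justification for code that is in fact reachable is itself a finding:
    # the exception list no longer matches the software.
    stale = sorted(set(justified) - set(dead))
    return {"dead": dead, "unjustified": unjustified, "stale_justifications": stale}


if __name__ == "__main__":
    report = find_dead_code(SAMPLE_SOURCE, ENTRY_POINTS, JUSTIFIED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The check is deliberately conservative: it only follows direct calls by name, so a function reached through a stored reference or an attribute call would be reported as dead and must then be confirmed by review rather than silently accepted. That bias matches the directive, which wants dead code identified and justified rather than overlooked; a function that reviewers confirm as reachable is added to the entry points, not to the exception list.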

Page 141: FIGURE 1, PAGE 1 / 1

FIG 1: SCHEMATIC DIAGRAM OF THE EPR'S MAIN PRIMARY AND SECONDARY SYSTEMS
[Figure: diagram with items numbered 1 to 11; the item labels are not recoverable from the page.]

Page 142: FIGURE 2, PAGE 1 / 1

FIG 2: SCHEMATIC DRAWING OF EPR CONTAINMENT – REACTOR BUILDING AND CONNECTING BUILDINGS

Page 143: FIGURE 3, PAGE 1 / 1

FIG 3: PROCESS FOR ESTABLISHING THE LIST OF INITIATING EVENTS (PCC2 TO PCC4)
[Figure: flowchart by design phase; recoverable content:]
Convergence phase: the list of events for the N4 plant and the list of events for the Konvoi plant unit are merged, with incorporation of new events (e.g. PTR), giving the V0 initial list of EPR PCCs.
Basic Design phase: ASN requirements taken into account (e.g. RHR) and "exclusion" of events (e.g. LOCA 2A, RTV), giving the V1 adapted list of EPR PCCs.
In-depth study phase: stipulations concerning operating conditions (e.g. maintenance), new ASN requirements taken into account, "exclusion" of events (e.g. VVP branch pipes), equipment reliability requirements and analysis of events in "specific studies", giving the final list of EPR PCCs presented in the Preliminary Safety Analysis Report.

Page 144: FIGURE 4, PAGE 1 / 1

FIG 4: MAIN DATA IN TERMS OF EPR CONTAINMENT PRESSURE
[Figure: pressure scale with indicative values and the PCC or study each is associated with:]
- 0.85 bar: full-power negative pressure (PCC1)
- 1 bar: atmospheric pressure
- 1.25 bar: AG pressure after 15 days
- 1.3 bar: AG pressure after 7 days
- 2 bar: AG pressure after 3 days
- 4.8 bar: LOCA (SLB) pressure (PCC4)
- 5 bar: AG pressure after 12 hours (period of grace)
- 5.3 bar: pressure in LOCA 2A ("specific study")
- 5.5 bar: design pressure ("demonstrated" margin)
- 6 bar: test pressure
- 6.5 bar: verification pressure; qualification pressure of equipment required for containment in case of severe accidents
- Y bar: ultimate liner pressure / ultimate internal containment pressure (theoretical margin)

Page 145: FIGURE 5, PAGE 1 / 1

FIG 5: PRINCIPLE FOR DIVIDING UP SERIOUS ACCIDENT SEQUENCES
Principle presented on the basis:
- of the evolution of internal containment pressure as a function of time;
- of the hypotheses presented in figure 4 regarding containment resistance.
[Figure: internal containment pressure versus time, with pressure thresholds at 5.5 bar, 6.5 bar and Y bar and time marks at 12 hrs and 24 hrs; the regions are labelled PDS1, PDS2, PDS3 and "field of practically eliminated sequences".]
PDS 1: sequences with integral containment
PDS 2: sequences leading to delayed containment loss
PDS 3: sequences leading to early containment loss

Page 146: FIGURE 6, PAGE 1 / 1

FIG.6: PRINCIPLE OF FUNCTION SAFETY CLASSIFICATION
[Figure: timeline starting at T = 0 (initiating event, beginning of the transient); columns: type of action, plant unit states, main parameters, minimum functional requirement.]
F1A: automatic action; brings the unit to the controlled state; main parameters: core subcritical, decay heat removal over the short term, stable water inventory, tolerable discharge.
F1B: manual or automatic action; brings the unit to the safe state and maintains it; main parameters: core subcritical, decay heat removal over the long term, tolerable discharge.
F2 classification is required for the following functions: attaining the RRC-A final state; preventing significant discharges in RRC-B; control of internal and external hazards within the scope of event-driven studies.

Page 147: FIGURES 7A to 7C, PAGE 1 / 1

Figure 7A: Schematic representation of functional classification
[Figure: nested sets; all equipment contains the non-classified equipment (NF) and all safety-classified equipment, the latter divided into F1A, F1B and F2.]
Figure 7B: Schematic representation of mechanical classification
[Figure: nested sets; all equipment contains the non-classified equipment (NM) and all safety-classified equipment, the latter divided into M1, M2 and M3.]
Figure 7C: Schematic representation of seismic classification
[Figure: nested sets; all equipment contains the non-classified equipment (NSC) and all safety-classified equipment, the latter divided into SC1 and SC2.]

Page 148: FIGURE 7D, PAGE 1 / 1

FIG. 7D: SCHEMATIC PRESENTATION COMBINING THE DIFFERENT CLASSIFICATIONS (REGARDLESS OF THE NUMBER OF ITEMS OF EQUIPMENT CONCERNED)
[Figure: nested sets of all equipment and all safety-classified equipment, showing the mechanical / functional class combinations M1 / F1A, M1 / NF, M2 / F1A, M2 / F1B, M2 / F2, M3 / F1A, M3 / F1B, M3 / F2, M3 / NF, NM / F2 and NM / NF, with the seismic class (SC) marked where it applies.]