Safety of Nuclear Reactors (Sustainability Assessment)

Acceptance limit AL1.1: More robust than that in the reference design.

In the following, several design related aspects that, if enhanced, would increase the level of robustness of a nuclear reactor design during normal operations are discussed. It is acknowledged that increasing the robustness of a reactor design is a challenging task for a designer because enhancing one aspect could have a negative influence on other aspects. Thus, an optimum combination of design measures is necessary to increase the overall robustness of a design. The INPRO methodology has defined several design related aspects as evaluation parameters (EP1.1.1 to EP1.1.5) for criterion CR1.1:

1. EP1.1.1: Margins of design
2. EP1.1.2: Design simplification
3. EP1.1.3: Improved fabrication and construction
4. EP1.1.4: Improvement of materials
5. EP1.1.5: Redundancy of operational systems.

The use of inherent safety characteristics is an additional means of achieving robustness (discussed separately under UR5). As stated above, these evaluation parameters are meant to be examples for a designer on how to achieve a higher level of robustness in a reactor design by looking for an optimum combination of these parameters. A detailed safety guide for the design of the core of water-cooled reactors is provided in Ref^[13].

For final assesment of CR1.1:
The acceptance limit AL1.1 (design of normal operation systems is more robust than that in the reference design) of CR1.1 is met if evidence available to the INPRO assessor shows that an optimized combination of the recommendations proposed in evaluation parameters EP1.1.1 to EP1.1.5 qualitatively shows the new design to be more robust than the reference design during normal operation and deviations from normal operation. A quantitative increase of robustness can only be demonstrated via the assessment of criterion CR1.4 (failures and deviations from normal operation), i.e. providing arguments that the frequency of AOOs is lower than in the reference design.
For a reactor under development, the developer is to describe measures and features that ensure that the robustness of the innovative design will be comparable or superior to that of the reference design.

Acceptance limit AL1.2: Superior to those of the reference design.

An improvement of performance attributes in normal operation are expected to increase the robustness of a nuclear reactor. Aspects that are linked to the characteristics of operation of the nuclear reactor assessed are defined as evaluation parameters (EP1.2.1 to EP1.2.8) for CR1.2 and discussed as follows:

1. EP1.2.1: Margins of operation;
2. EP1.2.2: Reliability of control systems;
3. EP1.2.3: Ageing management;
4. EP1.2.4: Impact from incorrect human intervention;
5. EP1.2.5: Sufficient technical documentation;
6. EP1.2.6: Appropriate training programmes;
7. EP1.2.7: Plant management organization;
8. EP1.2.8: Use of worldwide operating experience.

For final assesment of CR1.2:
The acceptance limit AL1.2 (reactor performance attributes are superior to those in the reference design) of CR1.2 is met, if evidence available to the INPRO assessor shows that the assessment of the above defined evaluation parameters confirms that the reactor design assessed shows:

• Sufficient operational margins to ensure that key system variables relevant to safety do not exceed limits acceptable for continued operation;
• Reduced impact of incorrect human action by appropriate design;
• Use of advanced control systems;
• Planned implementation of a clear management organization with defined responsibilities;
• Sufficient technical documentation including manuals;
• Appropriate training provisions;
• Planned sharing of operating experience and use of it in the reactor design.

For a (innovative) reactor under development, the developer is to describe measures and features to ensure that reactor performance will be comparable or superior to that in operating plants.

Acceptance limit AL1.3: Superior to those in the reference design.

To meet this criterion, the reactor design is expected to permit more efficient and intelligent inspection, testing and maintenance. The criterion cannot be fully met by merely requiring more inspections and more testing. The programmes of inspection, testing and maintenance need to be driven by a sound understanding of failure mechanisms (corrosion, erosion, fatigue etc) so that the right locations are inspected, and the right systems, structures and components are tested and maintained at the right time intervals.
Appropriate inspections, testing and maintenance are important for keeping and improving the level of safety^[34]. Because the methods of inspection, testing and maintenance and their effectiveness, efficiency and accuracy are continuously improving, the acceptance limit AL1.3 mostly requires the state of the art.
General prerequisites for an appropriate inspection, testing or maintenance programme for a reactor include:

1. Knowledge about materials and manufacturing processes, weld locations, non-destructive testing results, locations with high stresses and high cycling frequencies, operating conditions (including chemistry), damage mechanisms (causes and consequences), field experience on similar components (to be documented in a ‘living’ documentation);
2. Implementation of an inspection, testing or maintenance programme including risk-informed approaches (see also criterion CR7.5) taking into account the knowledge as defined above, such as damage mechanisms, design specifics (e.g. stress locations) and operating conditions;
3. Decrease of individual and collective doses caused by inspections, testing or maintenance through design provisions, e.g. choice of materials in connection with adequate water chemistry (to avoid radioactive corrosion products), shielding devices, and easy serviceability. This includes also easy access to working locations, appropriate environmental working conditions and the development of specific tools and robotics in order to reduce dose rates and/or durations of inspections, testing or maintenance (see also criterion CR1.5).

It is recognized that in the early operational stages of an innovative reactor, before the technology (experience) base is fully established, more inspection, testing and maintenance, may be required.
The acceptance limit AL1.3 (capability to inspect, to test and to maintain superior to that in the reference design) of CR1.3 is met, if evidence available to the INPRO assessor confirms that in the reactor assessed:

1. Inspections, testing and maintenance are (will be) more effective and efficient than those in the reference plant;
2. An appropriate inspection, testing and maintenance programmes are (will be) established;
3. Design features to facilitate the performance of inspections, testing and maintenance have been demonstrated.

For a (innovative) reactor under development, measures and features are to be described that ensure that the capability to inspect, test and maintain will be comparable or superior to that in operating nuclear reactors.

Acceptance limit AL1.4: Lower than that in the reference design.

For the reactor design assessed, the expected frequencies of initiating events leading to anticipated operational occurrences (AOOs) are supposed to be lower than those in the reference design. The frequency of these initiating events for operating reactors is determined from operational experience and probabilistic analyses. Apparently, for more robust designs the reduction of these frequencies relative to those for the reference design is possible. However, the frequencies of such initiating events are usually defined as licensing requirements by national regulatory bodies based on detailed national probabilistic studies (see for example Refs^{[35][36][37][38][39]}). Thus, they cannot be easily reduced by a designer because such a reduction would need approval by the responsible regulatory authority.
However, for an INPRO assessment. technical arguments can be presented by the designer/ developer that support a reduction of these frequencies of AOOs. Examples of arguments to support such a reduction of frequencies could be a positive judgment on criteria CR1.1 to CR1.3: improved materials, simplified designs (e.g. less valves), improved design margins (e.g. against overstressing and fatigue, against departure from nuclear boiling, etc.), increased operating margins, increased redundancies of operational systems, less impact from incorrect human intervention (the reactor systems need to be tolerant to human mistakes), more effective and efficient inspections, a continuous monitoring of the plant health, etc.
It is to be mentioned that the frequency of external events per se cannot be influenced by the designer or operator for a given site. An appropriate selection of the site for the nuclear reactor assessed could have a positive effect. However, the frequency of AOOs caused by external events can be influenced by the designer or operator. For some particular external events and NPP locations, the comparison of frequencies of AOOs of the planned reactor against those of the reference design involves comparison against relevant national regulatory requirements.
The acceptance limit AL1.4 (reduced expected frequencies of failures and deviations from normal operation) of CR1.4 is met if technical arguments available to the INPRO assessor show that fewer failures and deviations from normal operation (per year and unit) are expected than in the reference design.

Acceptance limit AL1.5: Lower than the dose constraints.

FIG. 1. Accumulated yearly occupational dose (modified from Ref^[40]).

This criterion focuses on radiation protection of NPP workers. It is important to note that criterion CR1.5 does not consider radiation exposure of workers during accidents; it considers only plant states corresponding to Levels 1 and 2 of DID, i.e. normal operation and anticipated operational occurrences. The issue of avoiding undue burdens from radiation exposure to the public and environment during normal operation and AOOs is covered in a separate area of the INPRO methodology called environmental impact of stressors; after accidents this issue is covered via INPRO NES sustainability user requirement UR4 for the area of reactor safety, which states that accidental releases outside the plant are prevented or mitigated.
The recommendations of the IAEA Safety Standards for considering radiation protection in NPP design are provided in Ref^[41]. Ref^[42] recommends the use of dose constraints “for optimization of protection and safety, the intended outcome of which is that all exposures are controlled to levels that are as low as reasonably achievable, economic, societal and environmental factors being taken into account”.
The role of dose constraints is explained in Ref^[43]:

“3.31. To apply the optimization principle, individual doses should be assessed at the design and planning stage, and it is these predicted individual doses for the various options that should be compared with the appropriate dose constraint. Options predicted to give doses below the dose constraint should be considered further; those predicted to give doses above the dose constraint should normally be rejected.” Known occupational doses from normal operation and AOOs in modern NPPs are already very low, so this INPRO criterion CR1.5 does not go beyond asking for further ad hoc exposure reduction in dose. Fig. 1 shows accumulated yearly occupational doses in operating NPPs versus year of reporting. It is evident that the occupational doses decreased continuously with increasing lifetime and improved NPP designs. This was achieved by such measures as minimizing source terms (e.g. avoiding cobalt impurities in materials, using erosion/corrosion resistant materials for steam line designs to limit deposits, achieving adequate coolant chemistry), incorporating layout features that reduce the collective dose (e.g. strict physical separation/shielding of systems, accessibility, separation, shielding, handling, set down areas), and using maintenance friendly designs of equipment. It is expected that these features can be implemented in new (advanced) designs and thus – with further improvements – actual doses in new reactors may be further decreased.

The reactor assessed needs to ensure an efficient implementation of the concept of optimization of radiation protection for workers during design, commissioning, operation, and decommissioning through the use of automation, remote maintenance and operational experience from existing designs. Experience in operating reactors shows that maintenance, i.e. in-service inspection and periodic tests and repairs (including replacement), are the sources of most occupational doses. Criterion CR1.5 anticipates that new (advanced) reactors can take advantage of design concepts to achieve occupational dose reduction as a zero-cost side-effect of measures such as automated inspection and maintenance. New reactor designs are expected to be maintenance-friendly through careful layout, reliable equipment, and electronic availability of maintenance procedures at the work-face to guide those charged with performing maintenance duties.
In the INPRO methodology, the dose constraints concept is discussed in more detail in the manual on environmental impact of stressors.
The acceptance limit AL1.5 (occupational doses lower than dose constraints) is met if evidence available to the INPRO assessor shows that doses to workers during normal operation and AOOs have been optimized and are (will be) less than the dose constraints defined or accepted by national regulatory bodies.

Acceptance limit AL2.1: Superior to those in the reference design.

INPRO has defined the following evaluation parameters for CR2.1:

1. EP2.1.1: Continuous monitoring of plant health.
2. EP2.1.2: Capability of I&C system
3. EP2.1.3: Compensation of deviations from normal operation.

Inherent safety characteristics of a nuclear reactor, such as a negative reactivity feedback, influence the dynamic behaviour of the plant in a positive way, and can lead to reduced design requirements for the I&C systems.

For final assesment of CR2.1:
The acceptance limit AL2.1 (superior behaviour of I&C in AOOs) is met if evidence available to the INPRO assessor shows that EP2.1.1, EP2.1.2 and EP2.1.3 above have been met.

Acceptance limit AL2.2: Longer than those in the reference design.
The ‘grace period’ for normal operation is defined as the time available, in case of a failure or the beginning of an AOO, before human (operator) action is required. The appropriate value of the grace period depends on the type of nuclear facility, the ease of diagnosis of the failure and the complexity of the human action to be taken.
In case of deviations from normal plant states, the time period for the operator to cope with such deviations can be divided into three different parts:

1. Time to detect;
2. Time to diagnose the deviations and to initiate the necessary countermeasures; and
3. Time for manual control actions, i.e. time for a repair or other measures.

The time needed by the operator for detecting a deviation is dependent on the situation and alarm signals. The time to diagnose the situation appropriately is mainly dependent on the time and aids available to operators to identify the plant state. In addition, reliability of the I&C system is important.
It is common practice to assume that, within a time period no longer than 30 minutes, the operator will have detected and identified the situation sufficiently to perform appropriate manual actions based on the fact that operators are trained to cope with anticipated operational occurrences. Therefore, the design of the reactor needs to be such that all necessary safety related actions within this time period are automated.
The acceptance limit AL2.2 (sufficient grace periods after AOOs) is met if evidence available to the INPRO assessor shows that grace periods are longer than those in the reference design and amount to at least 30 minutes after detection of a failure or AOO.

Acceptance limit AL2.3: Larger than that in the reference design.
The term ‘inertia’ means the capability of a nuclear reactor to cope with AOOs; the main objective of a high inertia is to avoid consequences with safety implications that could delay a return to normal operation.
A nuclear reactor is usually designed to stay within the design limits (e.g. temperatures, pressures, stresses, etc.) for all AOOs, taking into account also a single failure and the repair status of components. Nevertheless, slower transients of system parameters (e.g. slower changes in temperature or pressure) are generally considered preferable.
A high inertia resulting in a slow response to initiating events is usually achieved by sufficiently large mass within the primary system (e.g. in HTGRs), sufficiently large primary water inventory (e.g. in water-cooled reactors), small excess reactivity (e.g. in HWRs), and a large secondary side mass (e.g. in PWRs and liquid metal cooled reactors).
For example, in a PWR with a sufficiently large pressurizer, an AOO with a primary pressure increase (e.g. after a loss of load) will result in no loss of primary coolant mass via the valves of the pressurizer. Any contamination of the confinement/containment by radioactive coolant will thus be avoided due to sufficient inertia of the system.
To demonstrate the adequacy of the nuclear reactor design, the system behaviour for all AOOs has to be analysed with validated and verified computer models (see also EP2.1.3 of criterion CR2.1 and criterion CR7.3).
The acceptance limit AL2.3 (inertia is higher than that of the reference design) of CR2.3 is met if evidence available to the INPRO assessor shows that the assessed reactor has a system inertia higher than that of the reference design.

Acceptance limit AL3.1: Frequencies of DBAs that can cause plant damage are lower than those in the reference design.
This criterion CR3.1 asks for a reduced frequency of occurrence (probability) of NPP DBAs caused by both internal and external events and probable combinations thereof.
The frequency of occurrence of DBAs is to be determined via a probabilistic risk assessment. Based on design and confirmed by operating experience (more than ten thousand reactor years of operation) and analytical assessments, the correlation between the frequency of occurrence and the value of consequences (e.g. damage or dose) is such that consequences increase with decreasing frequencies of occurrence.
The approach to assessment of CR3.1 for accidents caused by internal events is discussed in Appendix IV.
The frequency of accidents caused by external events depends heavily on the site selected for the plant and can therefore be influenced both by the NPP designer and the (future) owner/operator of the plant. Such accidents need to be discussed during the INPRO assessment with reference to the national safety standards regulating these issues.
The acceptance limit AL3.1 (Reduced frequency of DBAs that can cause plant damage relative to that of a reference plant) of CR3.1 is met if evidence available to the INPRO assessor shows lower frequencies of design basis accidents than in the reference design.

Acceptance limit AL3.2: At least 8 hours and longer than those in the reference design.
The criterion CR3.2 ‘grace periods for DBAs’ is applicable in Level 3 of DID and implies a similar concept as introduced earlier for control of AOOs (see CR2.2) in Level 2 of DID. For DBAs (caused by internal and external events and probable combinations thereof) the criterion requires that actions of automatic active and/or passive safety systems provide an adequate grace period for the operator before intervention is necessary.
Because the control of DBAs is very important – the next DID level would be the potential for a highly degraded core – the grace period available for operators during the DBA are longer than for AOOs. For the purpose of INPRO assessment of NES sustainability, a basis for the definition of an adequate grace period may be the shift change of operators, usually, taking place every 8 hours, because a new operator crew will take over responsibility and possibly bring fresh insights into accident diagnosis.
There are a few points which may further contribute to the discussion of adequate grace period: shift change after 8 hours may be undesirable for the sake of accident progression knowledge continuity; the next shift may need to be called earlier; accident diagnosis in advanced reactors may be made more efficient, etc. However, these points are deemed to be considered rather as an input for developing efficient operation manuals and accident management procedures whereas 8 hours can be proposed as a limit for design provisions on the adequate grace period for DBAs.
Such a longer grace period results in extended design requirements as compared with those for AOOs, mainly longer fully automated system responses (e.g. emergency power supply, residual heat removal, battery power for I&C, etc.). Sufficient battery power (DC) is required for the I&C systems to identify and assess the plant state and initiate necessary actions. Usually battery power is used for many purposes (e.g. instrumentation, valves, lighting, etc.). The capacity of batteries in most operating reactors is usually designed to use this power for all purposes for about 2–4 hours . For innovative designs, passive safety systems may reduce the need for emergency power supply (via diesels or turbines) for residual heat removal systems.
The acceptance limit AL3.2 (increased grace period for a DBA relative to a reference plant) of CR3.2 is met if evidence available to the INPRO assessor shows that the reactor assessed in case of DBAs has grace periods longer than those of the reference design and at least 8 hours long.

Acceptance limit AL3.3: Superior to those in the reference design.
The capability of the engineered safety features is characterized by their sufficiency to restore the reactor to a controlled state after DBAs without operator action. The term ‘controlled state’ is characterized by a situation in which the engineered safety features are able to compensate for loss of functionality resulting from a DBA (caused by internal and external events and probable combinations thereof). The reactor has to be taken to a safe shutdown state at least within the designed grace period (see CR3.2) with the assurance that sufficient core cooling exists. For this purpose, an optimized combination of active and passive engineered safety features is expected to be used.
A probabilistic safety assessment^[45] (together with an uncertainty analysis) for the safety-related part of the I&C system needs to be performed with high quality to demonstrate calculated high reliability (low unavailability) of the safety related I&C for all states of the nuclear reactor (full and reduced power operation, shutdown state).
Complementary information on engineered safety features is provided in Appendix V.
The acceptance limit AL3.3 (reliability and capability of engineered safety features) of CR3.3 is met if evidence available to the INPRO assessor shows that the reactor assessed, in case of a DBA (caused by internal or external events and probable combinations thereof), shows an increased reliability of its safety systems compared to the reference plant and the engineered safety features in the reactor assessed are sufficient to reach a controlled state after a DBA based on automatic actions within a grace period of at least 8 hours (as defined in CR3.2).

Acceptance limit AL3.4: At least one and consistent with regulatory requirements for the type of reactor and accident under consideration.
The indicator IN3.4 ‘number of barriers maintained’ and the corresponding acceptance limit AL3.4 ‘at least one and consistent with regulatory requirements for the type of accident under consideration’ mean that the safety systems and safety features are expected to deterministically provide for continued integrity at least of one barrier (containing the radioactive material) following any accident caused by internal or external events and probable combinations thereof. However, when national regulatory documents or international safety standards require to maintain more than one barrier after a certain type of accidents these requirements are to be used as the acceptance limit values (for this type of accidents) for INPRO assessment.
The indicator IN3.4 consists of two parameters that are considered on different levels of DID: number of barriers after DBAs and number of barriers after DECs. The latter requires to demonstrate the maintenance of at least one barrier (e.g. containment) after all DECs including those with the severe damage of reactor core. For existing and evolutionary water-cooled reactors, it overlays the first part of indicator that focuses on DBAs unless national regulations or international safety standards require to maintain more than one barrier after a certain type of DBAs. Moreover, the existing and evolutionary water-cooled reactors are usually designed to maintain integrity of the reactor core (and corresponding barriers) after DBAs, which is the part of their licensing requirements. Thus, the INPRO assessment of evolutionary water-cooled reactors against this criterion can be focused only on the number of confinement barriers maintained intact after DECs unless national regulations or international safety standards require to maintain more than one barrier after a certain type of DBAs. However, the innovative reactors may involve different layout of physical barriers (e.g. molten salt reactors) and different number of co-located fuel cycle steps (e.g. on-site reprocessing and re-fabrication) with different requirements on confinement barriers. Thus, the INPRO assessment of innovative reactors against this criterion has to be focused on the number of confinement barriers maintained intact after DBAs and DECs.
Complementary information on the confinement barriers is provided in Appendix VI.
The acceptance limit AL3.4 (barriers) of CR3.4 is met if evidence available to the INPRO assessor confirms, deterministically after all DBAs and DECs (caused by internal or external events), that number of confinement barriers maintained intact in new design is consistent with regulatory requirements for the type of reactor and accident under consideration and in any case at least one (intact) barrier remains against an accidental release of radioactivity (fission products) to the environment.

Acceptance limit AL3.5: Sufficient to cover uncertainties and to maintain shutdown conditions of the core.
Indicator IN3.5 ‘Subcriticality margins after reactor shutdown in accident conditions’ refers to the magnitudes of reactivity of the shutdown reactor core when these parameters are supposed to be negative. Reactivity is a core characteristic related to the increase (positive reactivity) or decrease (negative reactivity) of the neutron population driven by the ongoing chain fission reactions . The value of reactivity and its behaviour as a function of time depends primarily on the core size and geometry, fuel composition (enrichment, burn-up, burnable poisons, etc), fuel structure, geometry and temperature, coolant and moderator parameters (temperature, density, poison concentration), and control rod positions and characteristics.
Shutdown system designs may vary greatly depending on the reactor type. Most designs involve inserting control rods into the core and/or the neutron reflector. Many designs involve a combination of control rod insertion and soluble neutron poison injection. To obtain necessary reliability of the shutdown function, the primary shutdown system can be supplemented by one or more back-up systems with a different physical mechanism. Shutdown systems can also use physical mechanisms based on passive components to increase their reliability.
In accident conditions caused by external or internal events, sufficient shutdown reactivity has to be available to make the core subcritical in the shortest possible time and to reliably keep it subcritical over a long period of time. The generally agreed value of the calculated minimum shutdown reactivity margin including a consideration of uncertainties (i.e. margin defined in addition to uncertainties) and a worst single failure in the shutdown system (e.g. most effective control rod stuck) is 1 % ∆k/k.
The acceptance limit AL3.5 (sufficient subcriticality margins) of CR3.5 is met by the reactor assessed if evidence available to the INPRO assessor confirms a calculated shutdown reactivity margin of at least 1 % ∆k/k, including consideration of uncertainties and a worst single failure.

Acceptance limit AL4.1: Lower than that in the reference design.
An accidental release of radioactivity into the containment/ confinement could occur if the integrity of a major part of nuclear fuel in the reactor core or in the spent nuclear fuel pool is lost during an accident. Table 3 gives examples of very low core damage frequencies (CDFs) claimed by the designers of AP1000^[47], EPR^[48] and KERENA (SWR1000)^[49].
During an accident, a highly degraded core with an accidental release of volatile fission products from the damaged nuclear fuel elements (or coated fuel particles in the case of an HTGR) will result if safety systems are not able to restore (and keep) the core in a safe state (e.g. cooled and subcritical). Usually, the volatile fission products will be released into the containment/confinement atmosphere. Depending on the design, molten and solid core material may enter the containment/confinement after destruction (failure) of the reactor pressure vessel (RPV); the integrity of the containment/confinement may thus be threatened, e.g. for light water reactors (LWRs) by core/concrete-interactions or hydrogen (or steam) explosions.
To reduce the releases of fission products from the RPV into the containment/ confinement, a failure of the RPV needs to be avoided. Examples of potential countermeasures against RPV failures which have been proposed to be included in new reactor designs are vessel-internal core catchers, outside cooling of the RPV by flooding of the RPV cavity, and RPV venting systems.
The frequency of an accidental release of radioactivity into the containment/ confinement has to be determined via probabilistic methods. A probabilistic safety assessment (PSA) checks the balance of the safety concept (no single accident dominates the core damage frequency) and the overall level of safety (risk) via a qualitative and quantitative assessment of active (and passive) safety systems. Additionally, a PSA achieves the key objective of reviewing the complete plant design, which is otherwise generally performed by separate analyses according to deterministic principles.
It is to be noted that not only during full power operation but also during shutdown, an accident with a highly degraded core may occur due to failures of safety systems. Therefore, for both a new reactor and a reference design, normal operation as well as shutdown states have to be analyzed.
The acceptance limit AL4.1 (reduced frequency of accidental release into containment/ confinement) is met if evidence available to the INPRO assessor shows that calculated frequencies of a highly degraded core (CDF) are significantly lower than in the reference plant and below the best estimate value recommended by the International Nuclear Safety Advisory Group (INSAG) of 10^-5 per year and unit^[7], taking uncertainties into account.

Acceptance limit AL4.2: Larger than those in the reference design.
Typical lists of internal and external events that should be considered in the design of containment/ confinement systems are provided in Ref^[50].
If a plant reaches a state with a highly degraded core and/or degraded fuel in the spent fuel pool, active and/or passive engineered or natural processes are normally available to mitigate consequences including those to avoid loss of containment/ confinement integrity. An example of such an engineered process is a spray system to reduce the load (temperature and pressure) on the containment/ confinement – the last barrier – and to reduce and/or control the activity in the containment/ confinement atmosphere, thereby also reducing the potential for a complete failure of the containment/ confinement leading to an accidental release outside containment/ confinement. In Table 4 some relevant system parameters and mitigating measures (processes) in some water-cooled reactors are presented as examples.

Processes to mitigate consequences including those to avoid loss of containment/ confinement integrity can be very reactor design-specific, e.g. for molten salt reactors and HTGRs they are quite different from those for water-cooled reactors. During the design phase of new reactors special attention needs to be given to considering related preventive and mitigative measures in a balanced way. To avoid a loss of containment/ confinement integrity due to, e.g. overpressure and high temperatures – compared to operating reactors – the containment/ confinement of new reactors is expected to be designed against higher loads caused by an accident with an accidental release of radioactive material into the containment/ confinement. Closure of containment penetrations such as steam or feed water lines in LWRs can be designed with higher reliability, e.g. by increasing the reliability of valves. In addition to loads on the inside of the containment/ confinement (e.g. overpressure) also loads on the outside caused by external events (e.g. tsunami) are expected to be covered with greater margins in new designs.
The acceptance limit AL4.2 (containment loads larger than those in the reference design) is met if evidence available to the INPRO assessor shows that assessed design employs superior mechanisms and systems (processes) to control and mitigate accidents with a highly degraded core to avoid loss of integrity of the containment/ confinement, and / or the containment/ confinement has been designed demonstrating greater margins between calculated peak accident loads and design loads than in the reference design.

Acceptance limit AL4.3: AM procedures and training sufficient to prevent an accidental release outside containment / confinement and regain control of the reactor.
In accidents more severe than DBAs, the in-plant AM measures provide tools to the operator for preventing a further release into the containment/confinement, and/or for reducing the air concentration of radio-nuclides already there, in order to prevent an accidental release of radioactivity to the outside of the plant (into the environment)^[51] that would need emergency response measures.
The in-plant AM measures and actions in case of a highly degraded core are very plant-specific^[52]. Off-site provisions needed for AM measures are only necessary after a sufficient period to enable their successful implementation, e.g. by bringing mobile equipment to the plant site, i.e. the plant needs to be self-sufficient for an extended period relying for instance on passive safety features. The consideration of potential cliff-edge effects in the scenarios of accidents is expected to be taken into account in the development of AM procedures. Experiences from operating reactors with installed AM measures have shown that the feasibility and effectiveness of these measures have to be demonstrated and operators have to be trained sufficiently.
Complementary information on the accident management measures is provided in Appendix VII.
The acceptance limit AL4.3 (sufficient AM measures to prevent accidental release to the outside) is met in the reactor assessed if evidence available to the INPRO assessor shows that procedures and trainings are available, sufficient to maintain the integrity of the containment/ confinement, i.e. prevent major releases of radioactivity to the environment and regain control of the reactor after an accident.

Acceptance limit AL4.4: Lower than that in the reference design. Large releases and early releases are practically eliminated.
An accidental release of radioactivity to the environment can occur if the containment/ confinement loses its integrity after an accident with severe core damage. Examples for causes of containment failures are overpressure due to hydrogen or steam explosion and penetration of the base plate by a molten core-concrete interaction (mainly in water-cooled reactors )^[53]. Scenarios of a containment/ confinement failure need to be prevented or mitigated by design measures as discussed above, e.g. by increasing the design pressure of the containment. Other examples for design measures to prevent containment failure due to melt-through of the basement floor of advanced water reactors are the core catchers in the EPR or advanced WWER designs, the reactor pressure vessel internal (corium) retention device for the KERENA (SWR1000), and the water-filled calandria vessel and vault in the Enhanced CANDU-6 (EC6) reactor. Examples for design measures to prevent containment failures due to over pressurization are the inclusion of containment cooling systems, and hydrogen catalytic re-combiners or igniters.
Different reactor designs may place different emphasis on specific preventive or mitigative measures. The most widespread currently operating reactor designs, water cooled reactors, include robust containment buildings as part of their system of barriers necessary to keep the calculated frequency of an accidental release sufficiently low. Other designs, e.g. HTGRs, may place major emphasis on retention of the radioactivity inside the fuel matrix (TRISO particles).
INPRO sustainability criteria call for the calculated frequency of accidental release to be lower than in the reference design. It is assumed that the calculated frequency of accidental release from the reference NPP design is lower than 10^-6 per unit-year. Via a probabilistic safety analysis, the frequency of an accidental release of radioactivity into the environment including uncertainties is expected to be determined covering all plant states (normal operation, shut down) and internal as well as external events and probable combinations thereof leading to accidents; the probabilistic analyses has to use best estimate methods and consider associated uncertainties (see criterion CR7.5).
Modern reactor designs have significantly reduced the potential for a containment failure that would lead to accidental releases of radioactivity. Table 5 gives examples of very low calculated frequencies of containment failures claimed by the designers.

However, it is worth noting that the calculated frequency of accidental release to the environment depends on the assumed reliability of the reactor components and the assumed reliability of human performance. The former may theoretically vary depending on preventive maintenance management and the latter may theoretically depend on social conditions^[54]. Therefore, detailed calculations involve human factor related data based on data appropriate for a given organisation and / or country.
In 2015 the Contracting Parties of the Convention on Nuclear Safety adopted the Vienna Declaration on Nuclear Safety. The first principle of this declaration states:

“New nuclear power plants are to be designed, sited, and constructed, consistent with the objective of preventing accidents in the commissioning and operation and, should an accident occur, mitigating possible releases of radionuclides causing long-term off site contamination and avoiding early radioactive releases or radioactive releases large enough to require long-term protective measures and actions.”

In 2016 this principle was incorporated in the revised IAEA Safety Standards^[9] in requirements associated with Level 4 of DID:

“The safety objective in the case of a severe accident is that only protective actions that are limited in terms of lengths of time and areas of application would be necessary and that off-site contamination would be avoided or minimized. Event sequences that would lead to an early radioactive release or a large radioactive release3 are required to be ‘practically eliminated’.

Footnote 3: An ‘early radioactive release’ in this context is a radioactive release for which off-site protective actions would be necessary but would be unlikely to be fully effective in due time. A ‘large radioactive release’ is a radioactive release for which off-site protective actions that are limited in terms of lengths of time and areas of application would be insufficient for the protection of people and of the environment.

Footnote 4: The possibility of certain conditions arising may be considered to have been ‘practically eliminated’ if it would be physically impossible for the conditions to arise or if these conditions could be considered with a high level of confidence to be extremely unlikely to arise.”

It is recognised that the existing reference plant selected for the INPRO assessment of a new reactor design might not comply with this new requirement. However, the new reactor designs are expected to demonstrate practical elimination of large releases and early releases (see summary report of the Diplomatic Conference held in the IAEA^[55]).
The acceptance limit AL4.4 (frequency of accidental release into environment) is met if evidence available to the INPRO assessor shows with a high level of confidence that the calculated (best estimate) frequency for an accidental release of radioactivity to the environment due to a failure of the containment/ confinement is lower than in the reference design and well below 10^-6 per unit-year^[7]. For potential sites located close to densely populated areas, e.g. with urban district heating facilities, a lower value than 10^-6 per unit-year might be required by regulatory authorities. In the assessed reactors large releases and early releases have to be practically eliminated (Ref^[14] provides detailed interpretation of this concept).

Acceptance limit AL4.5: Remain well within the inventory and characteristics envelope of the reference reactor source term and are so low that calculated consequences would not require public evacuation.
Radiological criteria for evacuation of population are normally formulated in terms of projected dose^[56]. The calculated consequences (public dose) of radioactive releases to the outside of the NPP after severe accidents need to be kept sufficiently low (lower than the levels defined for evacuation) to avoid the necessity for commencing the evacuation of people living in the vicinity of the plant^[57].
Estimation of the consequence of the accidental external release involves the accident modelling within the containment/ confinement to determine the source term for the release and occasionally the modelling of transport of the radionuclides outside of the NPP. The magnitude of given radioactivity inventories and the physical and chemical form of given inventories define the source term for determining atmospheric dispersion of radioactive material as well as radiation exposure.
Since the results of modelling of radionuclide transport in the environment may heavily depend on a series of assumptions such as weather conditions (wind directions in different altitudes, humidity etc) the first part of the acceptance limit in this INPRO criterion requires that source term characteristics in the new reactor including the inventory of released radionuclides remain well within the envelope of the reference reactor source term. In this context ‘well within the envelope’ means that all source term characteristics for the new design will be equal to or lower than those for the reference design and at least some of them will be lower by more than the level of uncertainties associated with accident consequence modelling within the reactor containment/ confinement.
For new NPPs the capability and reliability of natural and/or engineered processes for controlling complex accident sequences with severe damage is expected to be increased through improved instrumentation, control and diagnostic systems and the development of appropriate severe accident management procedures. By these measures, the frequency of accidental release of radioactivity can be reduced and the inventory and conditions of release can be kept lower than in the reference design.
It is noted that to meet the objective of Level 5 of DID, emergency protection and response measures have to be planned around the NPP^[10] commensurate with the hazard of the accidental release of radioactive and chemically toxic material to the environment. This issue is covered in another report of the updated INPRO methodology called infrastructure.
Complementary information on the estimation of consequence of the accidental external release is provided in Appendix VIII.
The acceptance limit AL4.5 of CR4.5 is met if evidence available to the INPRO assessor shows that the calculated inventory and characteristics of the accidental release source term remain well within those of the reference reactor and are low enough so that calculated consequences would not require evacuation of the population.

Acceptance limit AL5.1: More independence of the DID levels than in the reference design, e.g. as demonstrated through deterministic and probabilistic means, hazards analysis, etc.
A deterministic method for assessing the DID capabilities of a nuclear reactor design is described in Ref^[60]. The method is based on objective trees for each level of DID that define the following elements from top to bottom: the objective of the DID level, the relevant safety functions to be met, identified general challenges to the safety functions based on specific root mechanisms for each of these challenges and a list of provisions in design and operation for preventing the mechanism from occurring.
New reactor designs are expected to strive to the extent practicable to achieve greater independence of DID levels than in the reference design. Special attention should be demonstrated in the design to such hazards as fire, flooding or earthquakes that could potentially impair several levels of DID (for example, they could bring about accident situations and, at the same time, inhibit the means of coping with such situations)^[7]. Moreover, for some events (such as sudden reactor pressure vessel failure), where it is not feasible to have independent levels of DID, several levels of precautions need to be demonstrated in the design (e.g. selection of materials, periodic inspection, additional margins of safety, etc.) to make this event practically eliminated.
For design extension conditions the analyses undertaken for the design needs to include identification of the safety features designed for use in such conditions or needs to demonstrate that safety features are capable of mitigating consequences of core damage and of preventing release of radioactivity. These safety features need to be independent, to the extent practicable, from those used in more frequent accidents.
A probabilistic safety assessment (PSA)^[45], if done carefully, will highlight systems and elements that are not sufficiently independent, and identify cross-links that compromise the independence of the levels of DID. The nuclear reactor assessed is expected to demonstrate calculated frequency ranges of reaching the different levels of DID after an initiating event below (superior to) those of the reference reactor.
The acceptance limit AL5.1 (independence of DID levels) is met for the reactor assessed if evidence available to the INPRO assessor demonstrates that the different levels of DID (at least in several selected aspects) are more independent than in the reference plant based on a deterministic assessment and probabilistic analyses.

Acceptance limit AL5.2: Hazards smaller than those in the reference design.
In this publication hazards are generally interpreted as potential sources of danger. Examples of hazards include overheating, fire, explosions, criticality, release of radioactive material, radiation exposure, etc. This criterion CR5.2 encompasses five evaluation parameters focussed on specific groups of hazards and formulated as follows:

1. EP5.2.1: Stored energy;
2. EP5.2.2: Flammability;
3. EP5.2.3: Excess reactivity in the core;
4. EP5.2.4: Reactivity feedbacks;
5. EP5.2.5: Criticality outside the reactor core.

In addition to hazards jeopardizing the nuclear fuel in the reactor core the assessment of criterion CR5.2 has to cover also potential hazards endangering the on-site storage and handling of fresh fuel and spent fuel in the corresponding near reactor spent fuel pool.
As stated before the EPs are meant to be examples for a designer on how to minimize hazards in a new design. It is expected that designers will come up with additional examples of reducing hazards.

For final assessment of criterion CR5.2:
The acceptance limit AL5.2 (reduced hazards) is met if evidence available to the INPRO assessor shows that the reactor design assessed demonstrates a reduction (or elimination) of hazards compared to those in the reference design.

Acceptance limit AL5.3: More reliable than the active safety systems in the reference plant.
This criterion needs to be assessed only when the new reactor design incorporates passive safety systems or components to perform safety functions where the reference design uses active systems/ components.
The advantages and disadvantages of passive safety systems are discussed in Ref^[62]. The essential advantages of passive systems are their independence from external support systems such as electric power, their generally greater simplicity and their potential for increased reliability. Disadvantages may include lower driving heads in fluid systems (compared to pumps) and potentially reduced flexibility in the definition of operator / control system actions at abnormal operating conditions of the plant.
Thus, safety systems that use passive components are expected to be more reliable than those using purely active components. However, the use of passive components in safety systems does not eliminate potential hidden failures potentially caused by inappropriate maintenance. Moreover, special considerations are necessary for certain reactor states in which passive safety systems may require specific working conditions to start and operate correctly, e.g. sufficient temperature differences for natural convection.
As described in the introduction to this section, the IAEA report Ref^[59] discusses all technical aspects of passive safety systems in water cooled reactors. The acceptance limit AL5.3 (increased reliability of passive safety systems) is met if evidence available to the INPRO assessor shows that the use of passive components makes the affected safety systems more reliable than the reference plant’s corresponding systems with active components.

Acceptance limit AL6.1: HF assessment results are better than those for the reference design.
The importance of the human factor for safe and reliable operation of NPPs is globally recognized and is an issue that needs to be dealt with systematically in a reactor design^[53]. Thus, the designer of a new reactor is expected to place increased emphasis on human factors to minimize the possibilities for human (e.g. operator or maintainer) error. The experience available from operating nuclear plants and the best practices from other industries such as aircraft and chemical plants needs to be taken into account for this process.
A human factor engineering programme plan is an essential part of reactor design. Listed below are examples of some design and operational features and assessments. Some of these have already been implemented in existing reactors but can be subject to further improvements in new reactors:

1. Feedback of experience including a formal methodology;
2. A PSA taking human error into account;
3. Use of adequate (and quantitative) models considering the causes of human error, which may assist to find appropriate design measures to avoid the causes and thus minimize human errors;
4. Existence of a main control room, a remote shutdown station and a technical support centre;
5. Using visualizations of plant equipment status (components, systems, etc.), the dynamics of processes, the performance of automated processes and their relation with the state of the plant to help guide operator actions;
6. Monitoring by knowledge-based (expert) systems;
7. Appropriate ambient conditions in the relevant rooms (e.g. main control room);
8. Appropriate plant operating procedures (e.g. alarm sheets, procedures for normal operation, incident and accident situations);
9. Appropriate organisational and administrative structure;
10. Existence of a verification of design implementation adequacy;
11. Control of human reliability (e.g. personnel selection, periodic training, etc.);
12. Application of formal human response models.

Complementary information on human factor consideration is provided in Appendix IX.
The acceptance limit AL6.1 (systematically addressed human factors) is met for the reactor assessed if evidence available to the INPRO assessor shows that human factors are considered during the lifetime of the reactor including the planning, construction, operating and decommissioning phases, i.e. evidence of improvement of the design and operational features listed above (bullets 1 to 11) is available to the assessor.

Acceptance limit AL6.2: Evidence is provided by periodic safety culture reviews.

The periodic reviews concerning safety culture have to cover not only the operating organization but also regulatory and other responsible government authorities as well as industrial entities. The assessment of this criterion CR6.2 is based on the outcome of safety culture reviews of at least the following organisations: operating organisation, regulatory body, NPP developer and supplier, and fuel suppliers.
The assessment of CR6.2 regarding safety culture of an operating organisation can only be performed once the organization is actually operating a facility. But the need to inculcate a safety culture within an organization and the need for a safety management system need to be recognized in the planning phase for nuclear power. Furthermore, the proposed policies and management structure of the owner/operator can be assessed before operation to determine if they are consistent with a safety culture.
Complementary information on safety culture consideration is provided in Appendix X.
The acceptance limit AL6.2 (evidence that a safety culture prevails) of CR6.2 is met for the nuclear energy system assessed if evidence available to the INPRO assessor shows that safety culture reviews are being (or planned to be) performed at appropriate intervals.
The INPRO methodology recommends using the support of experienced organizations for such reviews. IAEA offers a service to its Member States called ISCA (Independent Safety Culture Assessment) that can assist with evaluating the status of safety culture. Another method of safety culture assessment is provided in Ref^[63].

Acceptance limit AL7.1: The safety basis for advanced designs is defined and safety issues are addressed.

The term ‘safety basis’ or ‘safety case’ is understood to be the documentation of safety requirements and safety analyses of a new reactor design before it is being constructed and operated. It is a structured argument, supported by evidence, intended to justify that a system is acceptably safe. It is acknowledged that the safety basis of evolutionary designs is usually covered by established mechanisms; the safety basis of innovative designs has to be developed based on intensive RD&D.
The safety basis includes a well-defined concept for achieving safety with a logical and auditable process for determining design and safety requirements for the new nuclear reactor. Licensing authorities need to be contacted early during the development phase to achieve a common basis of understanding during the development of an innovative design. To develop innovative reactor designs, there is a need for technology specific (or ideally technology-neutral) safety goals to be developed by regulatory (licensing) authorities. These safety goals will then be used by developers for the establishment of a safety concept. One of the main requirements for an adequate safety concept is a complete implementation of the DID concept into an innovative reactor design.
Iteration among design, RD&D and safety analysis is a necessary part of this process to achieve an optimized design. Once the safety requirements have been defined, it has to be demonstrated and documented in the safety basis that they are met. Of high importance are sensitivity analyses to study the important parameters and to confirm that specified safety limits are covering identified uncertainties.
For the final design it has to be demonstrated that in the safety basis all safety issues are covered, and the results are well documented. Pre-operational tests and tests during operation (especially when they are easily possible) are expected to be performed to confirm the adequacy of an innovative design and to supplement the experimental database used for computer codes validation.
The acceptance limit AL7.1 (safety basis defined, and safety issues addressed) for the reactor assessed is met if evidence available to the INPRO assessor confirms that a safety basis with a consistent safety concept has been developed that demonstrates the appropriate safety goals are met. Results of the process addressing all safety issues including sensitivity and uncertainty analyses and independent reviews are properly documented.

Acceptance limit AL7.2: Necessary RD&D is defined and performed, and the database is developed.

FIG 2. Overview of the different tasks for definition of RD&D.

Research, development and demonstration (RD&D) on the reliability of innovative components and systems, including passive systems and inherent safety characteristics, need to be performed to achieve a thorough understanding of all relevant physical and engineering phenomena required to support the safety assessment. At least the following are expected to be met by the RD&D programme of a developer for an innovative design:

1. All significant phenomena, affecting safety, associated with design and operation of an innovative nuclear plant are identified, understood, modelled and simulated (this includes the knowledge of uncertainties, and the effect of scaling and environment);
2. Safety-related system or component behaviour is modelled with acceptable accuracy, including knowledge of all safety-relevant parameters and phenomena, and validated with a reliable database.

It is common practice to assess nuclear system or component behaviour on the basis of code calculations, operating experience and commonly accepted engineering practice. For innovative designs, there is currently limited operating experience. Innovative designs may use new core materials, employ fluids in new thermal-hydraulic regimes, and use radically different fuel and coolants. Development of computer codes to model such innovative designs can proceed in parallel. These computer codes need to be formally verified and validated defining their regions of applicability, using state-of-the-art techniques established in international standards (e.g. validation matrices, uncertainty quantification, proof of scalability, automated verification tools, code qualification reports, etc.) and need to be well documented (e.g. software requirements specifications, theory manuals, user manuals, flow charts, etc.).
Usually, uncertainties are taken into account in a design by applying safety margins. Computer codes and analytical methods need to be based on models that have been validated against experimental data, but this is possible to a lesser extent for innovative designs at early stages of development than for operating designs. In addition to model validation by separate effect tests, plant behaviour calculations are subject to validation against system response (integral) tests. Where such tests are conducted in small-scale facilities, it is necessary to adopt appropriate scaling philosophies.

FIG 3. Objectives Provisions Tree approach (modified from Ref^[65]).

The design process may involve several iterative RD&D cycles, design modifications and verifications of compliance with the design objectives including safety objectives. Standard safety assessment is based on deterministic and probabilistic techniques and requires essential efforts and detailed information on system design and operating conditions that may not be fully available for innovative systems at the early design stages. However, if the design process is organised correctly the level of design maturity can be expected to grow along with the knowledge accrued in RD&D and verification studies. A few formal approaches applicable at different design stages have been developed to define necessary RD&D in an efficient and effective manner.
An overview of tasks to be performed at the conceptual design stages for defining necessary RD&D is given in Figure 2. For an innovative design the first task is to identify all technology differences from operating designs. To identify the knowledge state and the importance of phenomena and system behaviour an appropriate tool has to be used, e.g. the Phenomena Identification and Ranking Table (PIRT) process which is a structured expert elicitation process based largely on engineering judgment. In addition, adequacy and applicability of the design and safety computer codes have to be assessed. Both the PIRT and the assessment of the adequacy and applicability of related computer codes lead to the required RD&D efforts and a priority list. An additional peer review by RD&D experts would strengthen the choice of the selected tasks. Besides phenomenological data, reliability data including uncertainty bands for designated components need to be evaluated to the extent possible. This is especially valid for passive safety systems.
The Objectives Provisions Tree (OPT) tool of the IAEA^[65] uses the structured hierarchic DID framework to examine safety provisions (inherent features, equipment, and procedures) in innovative reactors. The OPT approach considers every DID level by defining objectives to be achieved, safety functions to be implemented, challenges to overcome, potential safety function failure mechanisms and the provisions incorporated to prevent or compensate failures. Figure 3 shows a diagram demonstrating the OPT approach and an example displaying its application.
Implementation of the OPT approach will help to define technology specific RD&D necessary to develop reliable and efficient provisions preventing or controlling safety functions failures.
During the process of generating new and/or more detailed data (e.g. for computational fluid dynamics codes) the selected RD&D tasks should be repeatedly assessed, and necessary changes adopted. Qualified data should be included in a technology base, e.g. validation matrices (see also criterion CR7.3).
Some innovative reactor components cannot be tested in full size and not with the appropriate boundary and initial conditions, e.g. because of power limitations, or for core melt scenarios tests have to be performed always at a smaller scale and mostly also without using radioactive material. Thus, to reach sufficient confidence in the interpretation of such test results appropriate ‘scaling’ effects have to be taken into account.
Scaling investigations can be performed with analytical methods and by carrying out experiments with different sizes. To the extent possible both methods should be combined.
In the past large efforts have been undertaken to provide reliable thermal-hydraulic system codes for the analyses of transients and accidents in operating nuclear power plants with water cooled reactors. Many separate effects tests and integral system tests were carried out to establish a data base for code development and code validation.
In this context the question has to be answered as to what extent the results of down-scaled test facilities represent the thermal-hydraulic behaviour expected for a full-scale nuclear reactor under accidental conditions. Scaling principles provide a scientific-technical basis and a valuable orientation for the design of down-scaled test facilities. However, it is impossible for a down-scaled facility to reproduce all the physical phenomena of a full-scale plant in the correct timely sequence and significance. The designer/ developer needs to optimize a scaled-down facility for the processes (phenomena) of primary interest. Consequently, this leads to scaling distortions of other processes with less importance. Taking into account these issues, a goal-oriented code validation strategy is required, based on the analyses of separate effects tests and integral system tests as well as transients occurring in full-scale nuclear reactors. The validation matrices developed in the Committee on the Safety of Nuclear Installations of the Nuclear Energy Agency of the Organization for Economic Co-operation and Development may be a good basis for the realization of these tasks for LWRs (see details in CR7.3). In certain cases, separate effect tests in full scale could play an important role.
For innovatively designed reactors special attention should be directed to detect, study and model new phenomena, as well as to perform scaling considerations during the experimental and analytical work. In any case, code calculations with respect to scaling should always be performed with ‘best-estimate models’ along with a capability to perform uncertainty analysis.
The acceptance limit AL7.2 (RD&D defined, performed and database developed) for the reactor assessed is met if evidence available to the INPRO assessor indicates that:

1. Measured data are available in the region of application;
2. Scaling considerations including uncertainty analyses have been performed and well documented;
3. It was demonstrated that all phenomena are understood, data uncertainties are quantified, and documented in reports.

For probabilistic analyses the availability of reliability data with uncertainty bands is required.

Acceptance limit AL7.3: Computer codes or analytical methods are developed and validated.
It is common practice to design and assess the behaviour of structures, systems and components of nuclear energy systems on the basis of code calculations. For operating nuclear facilities many suitable, i.e. verified and validated, computer codes are available.
For an innovative nuclear reactor new or more detailed models – established analysis methodologies, analytical models of systems, structures and components behaviour, developed using a representative database based on RD&D programme results – have to be implemented in computer codes, verified and validated. To confirm applicability of these computer codes to the design of systems, structures and components of the innovative reactor, the region of code application has to be covered by the validation matrixes used for quantifying uncertainties and sensitivities.
International standards, e.g. validation matrices, uncertainty quantification approaches combined with scaling considerations, etc, should be used. For example, agreed validation matrices exist for the thermal-hydraulic behaviour of water-cooled reactors. International experts within the Committee on the Safety of Nuclear Installations of the Nuclear Energy Agency of the Organization for Economic Co-operation and Development have selected well documented and accurate separate and integral experiments and plant behaviour data for these validation matrices. The selection process put emphasis on the inclusion of at least two test facilities of different size for each phenomenon or system behaviour. These test matrices are reconsidered periodically.
The computer codes need to have detailed documentation (code manuals) covering the theoretical basis of code development, a list of restrictions or application ranges, and a user guide. In addition to that an independent peer review of the computer codes and their applicability should be performed.
The acceptance limit AL7.3 (validated computer codes and analytical methods) is met if evidence available to the INPRO assessor shows that for computer codes used in design and analysis of innovative reactors:

1. The region of code application is covered by the code validation matrix so that the validation results can be used to quantify uncertainties and sensitivities;
2. Independent reviews have been performed;
3. Complete code documentation including detailed code manuals is available.

Acceptance limit AL7.4: In case of a high degree of novelty: a pilot or demonstration plant is specified, built and operated, lessons are learned and documented, and results are sufficient to be extrapolated to a full-size plant. In case of a low degree of novelty: a rationale is provided for bypassing a pilot or demonstration plant.
The demonstration of an innovative technology typically progresses from bench-scale experiments, to small-scale industrial tests, to large-scale tests, to (possibly) small pilot plants, to large-scale demonstration plants, and finally to full commercialization. The need for a pilot plant or a demonstration plant will depend on the degree of novelty of the processes and the associated potential risk to the owner and the public.
Pilot plants are small compared to demonstration or commercial plants. Not all components of a full-size power plant need to be installed in a pilot plant; at a later stage the rest of the components may be added. For example, a pilot plant may consist of a segment of the core, reactor coolant system and important (possibly new) components. Pilot plants are supposed to be designed such that new phenomena and major interactions thereof can be studied and/or demonstrated. It should be noted that (additionally) installed instrumentation in pilot plants may influence the thermal-hydraulic behaviour due to possible disturbances caused by this instrumentation (not foreseen for the full-size plant).
It is recognized that a small pilot plant can be used only to demonstrate adequate safety features for anticipated occurrences corresponding to Levels 1 and 2 of the DID concept. The safe behaviour of an innovative nuclear reactor during accidents (with a potential for radioactive release) cannot be sufficiently studied in a pilot plant and has to be demonstrated as defined in the CR7.3 above, using codes or analytical approaches validated against suitable experiments, e.g. integrated multiple-effects tests. These methods are covered in CR7.5. Nonetheless, pilot plants should be able to demonstrate the ability to cope with potential accident initiators.
It is important that the pilot plant facility is of adequate scale, such that the results and experience gained from the facility could be extrapolated with a reasonable degree of accuracy to the full-scale plant.
Demonstration plants are usually intended to demonstrate that safety, operational (and to a certain degree economic) targets are achieved or achievable and that the (possibly complex) interactions between (new) components in different operational states and sequences behave as predicted by codes.
For both types of plant, it is important to document their operation for a sufficiently long time to achieve adequate confidence in a new design. It is also evident that some innovative components don’t need to be tested in a nuclear environment.
Pilot as well as demonstration plants are not intended to be commercially viable.
It is evident that a design-specific project plan (roadmap) with a well-defined process for the demonstration of innovatively designed components or systems has to be established and reconsidered periodically or after the accomplishment of milestones. There are examples showing that the application of larger sized test facilities resulted in the detection of new phenomena not seen in smaller ones.
Examples of significant novelty in advanced reactor components include: the supercritical-water cooled power reactor, additives to coolant fluids (e.g. sodium) with the characteristic to avoid an exothermic reaction with the fluid (e.g. water) on the secondary side of heat exchangers, radical new fuel and core physics, new concepts for shutdown/control concepts, new heat removal systems, etc.
The result of the decision process for whether to build and operate a pilot plant depends on several issues, e.g. the amount of available separate effects and integral tests, the degree of novelty, the available budget, the experience of operating crews, the overall time schedule up to commercialization, etc.
If a pilot plant has been (will be) built, the INPRO methodology recommends an independent peer review of this plant to support confidence in the adequacy of the pilot plant.
The acceptance limit AL7.4 (adequate pilot or demonstration plant built or rationale for not building provided) for the reactor assessed is met if evidence available to the INPRO assessor shows that the degree of novelty of innovative safety components and systems has been identified and depending on the novelty a pilot or demonstration plant has been built, operated as part of the RD&D programme and an independent peer review about the adequacy of the pilot plant has been performed. Otherwise a rationale needs to be provided for bypassing a pilot or demonstration plant and going directly to an FOAK plant.

Acceptance limit AL7.5: Uncertainties and sensitivities are identified and appropriately dealt with, and the safety assessment is approved by a responsible regulatory authority.
The safety assessment is expected to be performed using a suitable combination of deterministic and probabilistic evaluations and documented in an appropriate format^[66]. The analysis needs to cover all modes of operation of the installation to obtain a complete assessment of conformance with the DID concept. Deterministic safety assessment^[46] uses a pre-defined set of accidents to define the design of the safety systems. Normally pessimistic assumptions on accident initiation and evolution, plant state, and plant response are applied. Probabilistic safety assessment (PSA)^[67][68] calculates the frequency and consequences of all accidents down to very low probability of occurrence. Best estimate analyses are commonly used in PSA because a realistic response to an initiating event is needed to estimate the risk and to determine the margins in predicted plant behaviour between a conservative deterministic safety assessment and a best estimate result.
A deterministic safety assessment needs a sound data base and incorporates some conservatism (margins) by using pessimistic assumptions to cover uncertainties in input data such as model parameters and plant state. The value of a PSA depends also very much on the availability of well-based data on, primarily, the reliability of components. Because all data (including experimental data) are somewhat uncertain, PSA normally includes uncertainty analyses. It is commonly accepted that PSA provides a broader and deeper understanding of safety and risk relevant issues than deterministic methods alone (see above); therefore, PSA is increasingly used for optimization of the various levels of DID, and the optimal allocation of available resources.
The extent to which each method is used needs to be consistent with the confidence in the method for the particular application in terms of reliability data, failure modes and physical phenomena. In some innovative systems, the application of probabilistic methods could be more restricted in comparison with those accepted for operating reactor types, as a consequence of changes in technology and the resulting limited availability of data.
The degree of conservatism in a deterministic safety assessment is commensurate with the uncertainties in the technology evaluated; thus, when the important phenomena are well known, and codes are validated a realistic hypothesis (best estimate) could be considered in the assessment. A best estimate assessment needs to be accompanied by a consideration of the uncertainties of experimental data used for the code models, and uncertainties of the plant status. Where the technology itself is uncertain, a more traditional approach is normally taken: for example, when other liquid metals than those used today are foreseen in a reactor, the currently available codes are not sufficiently developed to simulate all phenomena. Until these tools are available and proven accurate enough, additional or extended safety margins and conservatism are expected to be implemented in the simulations of plant behaviour. In addition to the assessment of the vulnerability of a nuclear reactor to severe accidents and accidental releases, a probabilistic safety assessment is used starting at the design stage to:

1. Determine more realistic loads and conditions for mitigation systems, including containment;
2. Assess the balance of the design and possible weakness;
3. Integrate human factors into the safety assessment;
4. Identify safety margins;
5. Help to define operational safety requirements;
6. Identify sensitivities and uncertainties.

In principle, a PSA is expected to investigate all possible accident scenarios. Practically, all scenarios involve phenomena associated with some uncertainty; therefore, there exists a fundamental uncertainty in the results of these analyses. A thorough uncertainty analysis can identify areas that need further investigation. Furthermore, if the PSA generates ‘point’ estimates, an uncertainty analysis may contribute to the credibility of these results. Sensitivity studies – determining the difference in results using a defined value of a variable and a given deviation from that reference value – are a tool to define the required accuracy (or allowable uncertainty) of a variable. Typically, three classes of uncertainties are identified:

1. Parameter (data) uncertainty, like initiating event frequencies, component failure rates, human error probabilities, etc. The uncertainties are propagated through the assessment steps to generate a probability distribution of the end result.
2. Model uncertainty associated with phenomenological models of the physical-chemical processes and related assumptions. They are treated similar to the parameter uncertainties.
3. Completeness uncertainties reflect limitations of the scope or truncation effects. In principle, such uncertainties cannot be quantified within a given PSA scope, but by performing additional analyses of excluded events their significance can be evaluated.

In case a required accuracy has not been achieved, either additional experiments have to be performed or design provisions have to be implemented to cope with these uncertainties. Detailed consideration of uncertainties in reliability data of components and human performance involves human factor related data appropriate for a given organisation and / or country.
Safety assessment has to cover all relevant operating stages of the nuclear reactor and its operating phases. In addition to AOOs and accidents which may influence the nuclear fuel in the reactor core, the safety assessment has to cover also potential AOOs and accidents in the near reactor handling and storage of fresh fuel and spent fuel.
For assessing the adequate performance of NPP safety analyses, there exist a number of IAEA publications, e.g. Refs^[69][70]. The safety assessment should be periodically re-examined and updated^[71].
‘Risk informed decision making’^{[72][73][74][75][76][77]} includes design criteria that implicitly involve probabilistic considerations and that are complemented by explicit probabilistic arguments for clarifying design objectives. Weaknesses and vulnerabilities of a design can be identified and judged against design objectives. Various options available for improving safety can be quantitatively assessed and compared also with respect to cost effectiveness. Decisions concerning reliable assurance of safe operation and control of risk can be based on such additional justification.
In Ref^[72] various publications, national positions and examples of such options for several reactor designs are provided, e.g. the implementation of strategies for fission product retention in a faulted non-isolated steam generator, modification and back fits to PWR and BWR containments, provisions against LOCA outside BWR containments, protection of suction strainers against clogging, etc. The listed examples demonstrate substantial use of PSA in safety relevant decisions by regulators and licensees.
It is, however, evident that, due to the non-availability of experience-based data on the behaviour of innovative designs, a risk-informed approach is more appropriate for operating (or evolutionary) reactor designs with well recorded operational behaviour than for innovative designs.
The acceptance limit AL7.5 (adequate safety assessment covering uncertainties and sensitivities) is met if evidence available to the INPRO assessor shows that an adequate safety assessment involving a suitable combination of deterministic and probabilistic methods, and a thorough analysis of uncertainties including complementary sensitivity studies has been performed for the facility assessed and was accepted by the responsible regulatory authority in the country of origin.

The following discusses an example of how to approach the INPRO assessment of reactor core design and other safety related components with respect to design margins (robustness).
The nuclear fuel in the reactor core generates heat that has to be transported out of the core in normal operation conditions by the primary coolant. Different types of reactors use different coolants, e.g. water, sodium, lead, helium, and molten salt, at different temperatures and pressures. Natural flow through the core during normal operation, as used in some boiling water reactors (BWRs), has the advantage that no active re-circulation pumps are necessary, which is clearly a simplification of the design in comparison to a reactor with forced flow. However, every reactor design with forced flow has also a capability to remove some power produced within the core by natural convection; the ease of transition (from forced flow to natural convection) depends on the design and transition sequence. An increase of the fraction of core heat that can be removed by natural circulation is therefore regarded as an increase of robustness.
The reactor design incorporates systems to control power distribution in the core and the overall power level, e.g. by control rods, liquid poison, and/or reactivity feedbacks , and a diverse and redundant safety system to shut down the reactor to decay heat generation level. An appropriate instrumentation and control (I&C) system has to be included to measure and control local and integral physical (neutron flux), thermal (temperature) and thermal-hydraulic states (pressure, flow). Most values measured by the I&C system will also be used by the reactor protection system, possibly with different instruments.
The core design may be divided into several areas:

• Thermal and mechanical fuel design;
• Neutronic core design; and
• Thermal-hydraulic core design including the core’s cooling circuit.

The thermal fuel design determines the margins of the fuel against specified limits on such quantities as centerline fuel temperature, fission gas release, or maximum fuel cladding temperature. In the mechanical fuel design, it has to be shown that the fuel and the core internals can cope with loads resulting from operational states (fission gas pressure, vibrations, lift-up, etc.) as well as with external loads, e.g. from earthquakes and hydraulic forces (in case of pipe breaks).
The neutronic design of the core is focused on the optimization of power distribution and burnup of the fuel but includes also the demonstration of sufficient safety margins during operation and transients. The thermal-hydraulic core design has to demonstrate that primarily the fuel is sufficiently cooled during normal operation, transients and accidents. The goal is to avoid exceeding such design limits as (in water cooled reactors) departure from nucleate boiling (DNB) or dry out (i.e. exceeding the critical heat flux, CHF) during normal operations and transients and to at least limit the exceeding of those limits during DBAs. In non-water-cooled reactors, a comparable design limit is typically the maximum allowable fuel element temperature.
For example, important design parameters for the core of an advanced heavy water reactor (AHWR) include the following:

1. Neutronic characteristics:
   1. Doppler, void and power coefficients of reactivity;
   2. Efficiency of the regulating group of control rods;
   3. Shutdown margins.
2. Fuel thermal design margins:
   1. Fuel centerline temperature (normal operation);
   2. Stored energy in fuel;
   3. Linear heat generation rate; and
   4. Design margins on clad temperature (for corrosion and oxidation considerations).
3. Fuel mechanical design margins:
   1. Design margins on clad stress and strains; and
   2. Fission gas release.
4. Thermal hydraulic design margins:
   1. Minimum Critical Heat Flux Ratio (MCHFR);
   2. Margins to instability (margin on sub-cooling);
   3. Decay heat ratio; and
   4. Fraction of core heat that can be removed by natural circulation.

This list can be used by the INPRO assessor to compare the core design of the reactor to be assessed with that of the reference design.

Examples of monitoring systems for water cooled reactors are given below, some of which may also be applicable to various non-water-cooled designs.
Leakage monitoring. The leakage monitoring system is designed to be able to adequately detect and localize leakages in the reactor coolant pressure boundary during plant operation. This system is sensitive enough to detect those leakages that would not yet lead to an automatic activation of safety measures (e.g. due to pressure build-up, etc). Measured values include air humidity or dew point temperature; air temperature; radioactivity of compartment exhaust air; and condensate in recirculation air coolers. There are also leak monitoring systems based on acoustics, i.e. the noise caused by leakage.
Loose parts monitoring. Experiences in operating nuclear power plants have shown that the occurrence of loose parts in the primary circuit cannot be completely eliminated. Parts carried away by the coolant medium may cause damage to the fuel rods or other in-vessel components. A loose-parts monitoring system is used to detect such incidents.
Vibration monitoring system of RPV internals. This system measures and analyses continuous and cyclic characteristic vibration values.
Diagnostics of rotating machinery. Increasing plant availability and plant safety, as well as reducing costs of maintaining rotating machinery, such as fans, pumps and turbines, requires reliable information on the condition of these components. For example, the basic monitoring of pumps is usually done by monitoring the pump house vibrations and, for re-circulation pumps, the shaft vibration.
Chemical monitoring. The aim is to maintain chemistry conditions that ensure a high corrosion resistance in parts of the power plant systems and components, something which is essential for safe and economic plant operation. The chemistry manual describes water chemistry aspects for relevant plant systems such as the reactor coolant system; reactor auxiliary systems; the steam, condensate and feed water cycles; non-nuclear auxiliary systems and the radioactive waste processing system.
Seismic monitoring. The seismic instrumentation informs the operator if a significant seismic event occurs and records the seismic characteristics (acceleration, frequency, etc.).
In-core monitoring. The importance of in-core monitoring systems and their relevance to reactor safety may be different in different reactor designs. Such systems may be designed to determine the power distribution in the reactor core, to confirm that power distribution characteristics stay within regulatory limits at different power levels and that deviation from the originally calculated distribution does not exceed prescribed uncertainty limits. Theoretically, discrepancies of core power distribution can be caused by different potential errors, e.g. errors in the core calculations, errors during the reactor reloading etc However, different reactor designs may have several alternative tools and methods for protecting against such errors. In-core monitoring systems are normally based on temperature distribution measurements and/ or neutron flux distribution measurements and involve detectors, signal transfer and processing, and the analysis of 3-D power distribution.
Monitoring environmental impacts of radioactive releases. A special computer system archives and processes all radiological data from various plant systems in order to obtain a comprehensive overview of the radiological situation of the plant and its environment.
Monitoring supported by computerized aids to operators. State-of-the-art I&C systems are digital. This allows – in combination with the progress in computer speed and capacity – the installation of advanced real-time aids for operators, e.g. screens showing a failure location, prognosis of possible system behaviour as a consequence of this failure, and a list of possible countermeasures. In addition, computerized manuals are becoming the state of the art. Taking advanced system modelling and computer capabilities into account, advanced control systems including expert systems (artificial intelligence methods) may be implemented in the longer term.

In the following, the approach to assessment of CR3.1 for accidents caused by internal events is discussed.
For the design of safety systems, a limited number of DBAs has been defined. The selection of different accident sequences is based on operating experience and analytical evaluations. For operating water-cooled reactors, DBAs caused by internal events range from operational transients (e.g. total loss of feed water) without loss-of-coolant up to medium and large break LOCAs (guillotine break of main coolant pipe).

FIG. 4. Correlation between the frequency of accidents and dose or damage in reference NPPs and in new NESs, respectively.

The correlation between the probability of occurrence (i.e. the calculated frequency) and dose or damage to an individual or the public (and environment) is schematically shown in Figure 4, which illustrates three aspects:

• The higher the consequences (damage) the lower is the frequency of occurrence. Note that medium and large break LOCAs have not occurred at all to date in operating reactors;
• The frequency of accidents in the (new) NES assessed is lower than in operating designs (the reference plant);
• Large radioactive releases (see discussion of CR4.4) are practically eliminated in the (new) NES .
  

It has to be mentioned that a DBA may be caused either by a sequence of events, i.e. in such a case the frequency of an initiating event is not necessarily equal to the frequency of the DBA, or by a single initiating event (e.g. large pipe break) causing the DBA immediately. The frequencies of several internal initiating events of DBAs to be used in probabilistic analyses – similar to the frequencies of AOOs (see CR1.4) – are usually postulated by national regulatory bodies based on comprehensive (national) risk studies^[35][38][39]. Thus, a change (reduction) of these values would need the approval of licensing authorities as part of a licensing process. However, for the purpose of INPRO assessment of NES sustainability, technical arguments can be developed by the designer/developer that support potential expected reduction of the frequencies of these specific internal initiating events of DBAs in the new reactor compared to the reference plant. Arguments to support such a reduction include those based on: improved materials (e.g. with higher strength), improved design margins (e.g. against overstressing and fatigue, against departure from nuclear boiling, etc.), more effective and efficient inspections (e.g. introduction of a leak before break concept), and continuous monitoring of plant health, etc. Thus, for the purpose of INPRO assessment of NES sustainability, lower frequencies of occurrence of the group of DBAs discussed above in a new reactor design could be tentatively justified by provisions implemented in Level 1 of DID. As an example of frequencies of occurrence of DBAs for new LWRs, INPRO methodology proposes for a small break (SB) LOCA the value of FSB:

and for a medium or large break (LB) LOCA:

These frequencies FSB and FLB could be used as INPRO methodology acceptance limits for those specific DBAs of LWRs when the corresponding frequencies of the reference design are higher than FSB and FLB or not available to the INPRO assessor.

Engineered safety features (safety systems) are designed to ensure the fundamental safety functions by providing the safe shutdown of the reactor, the removal of the residual heat from the reactor core, and confinement of radioactive material to limit the consequences of DBAs (caused by internal and external events and probable combinations thereof). Engineered safety features and protection systems should be provided to prevent evolution towards severe accidents and to prevent core damage in particular^[7], and also to confine radioactive materials within the containment system.
Ref^[62] states:

“171. Initiation and operation of the engineered safety features are highly reliable. This reliability is achieved by: the appropriate use of fail-safe design; by protection against common cause failures; and by independence between safety systems and plant process systems. The design of these systems ensures that failure of a single component would not cause loss of the function served by a safety system (the single failure criterion).” It also claims that “in current and future plants, consideration is given to improving safety systems in terms of reliability and response time”^[62].

To provide the necessary level of reliability of safety systems it is common engineering practice to cover a ‘single failure’ in the design of a safety system; the ‘single failure’ is usually selected to represent the worst failure of an active component in the system.
The coincidence of several identical component failures due to common cause (dependencies) is called a common cause failure (CCF). Physical or spatial separation, structural protection and diversity can be used to prevent potential CCF^[7]. CCFs have to be taken into account especially for the safety systems designed to be redundant. For example, for the assessments of evolutionary PWRs it was underlined that “the unavailability of a redundant safety system consisting of identical trains probably cannot be demonstrated to be less than 10-4 per demand”^[78].
As in other facilities, operator intervention is necessary in nuclear plants for plant operating purposes at least some time after a DBA has occurred. There are evaluation methods available to assess the reliability of intervention of plant operating staff^[79].
The consideration of potential cliff-edge effects in the scenarios of accidents needs to be taken into account in the selection of design strategy for the fulfilment of fundamental safety functions, e.g. removal of the residual heat, and in the design of safety systems.
Another issue influencing the reliability of safety systems is the necessary maintenance/repair period of safety system components. In principle, there are three options for maintenance of the necessary level of system reliability in this situation:

• Provision of an additional parallel system (as it was done in several NPPs in Germany);
• Provision of redundant ‘active’ components (e.g. pumps) but no redundancy for passive components (e.g. pipes); this approach has been chosen e.g. for the EPR design;
• Definition by the regulator of (short) acceptable specific maintenance/repair periods for safety systems of reactors without additional systems or components. For most operating reactors these periods have been licensed because, during these (short) periods of maintenance/repair, the overall safety risk is assumed to be only marginally increased.

Enhanced reliability of engineered safety features may be achieved by inclusion of passive systems into (advanced) reactor designs, although other methods can also be effective, e.g. increased redundancy and diversity of active systems. Advanced reactors might include such passive design features as passive shutdown, passive decay heat removal and passively operated coolant injection systems. Even the use of exclusively passive systems might be possible for an innovative design. In the design of new reactors, the passive safety systems are expected to be given priority only when they are at least as capable and reliable as active systems.
The engineered safety features generally include a mechanical part and I&C. The latter normally controls the mechanical equipment to implement a given safety function and provides operator with necessary information on the process and status of the system. The I&C encompasses all associated equipment including individual measuring instruments for process parameters and component actuation devices. One of the most notable safety related I&C is the safety protection system (SPS) which consists of the reactor protection system (RPS) and the actuation system of engineered safety features. In a typical water-cooled reactor, the SPS controls implementation of the most important safety functions:

• Shutdown of the reactor;
• Residual heat removal from the reactor core;
• Containment isolation.

The design of SPS normally incorporates the following principles:

• Fail-safe principle. If the system fails, it settles in a safe state;
• Single-failure criterion: SPS retains its functional capability even in case of a single failure accompanied by unavailability of another component due to repair or maintenance;
• Diversity principle and diverse process variables: SPS measures at least two different process parameters for one objective. Passive signal indicators possible for an innovative design;
• Redundancy principle: Sufficient redundancy of SPS components to perform safety function in case of failure of components;
• Common mode failure principle: Common mode failure due to internal or external hazards prevented to the extent possible by physical/ spatial separation and structural protection;
• Qualification for operation in harmful environments: SPS designed for environment characteristics of DBAs – temperature, humidity, chemical hazards, radiation etc;
• Automation principle: Automatic initiation and operation at least in the initial phase of an accident to reduce necessity of human intervention;
• Independence from other systems including other I&C: SPS functionally and physically separated from other systems including the control system and other automation systems;
• Control and monitoring: operators in the main control room continuously provided with reliable information on the status of SPS;
• Periodic testing: SPS functions can be tested during operation of the plant. Tests ensure that the design basis functional requirements are met;
• Self-diagnosis, validation of input and actuation signals: SPS monitors the validity of input and output signals and internal processes, and issues alarm signals when needed. Adequate self-diagnosis capability covers all potential hardware and software faults.

The IAEA published a safety guide on the design of I&C systems for NPPs^[80] providing detailed recommendations on the design basis, architecture, safety classification, management system, software and human-machine interface for the I&C systems.
The probabilistic methodology to evaluate the reliability (or unavailability) of safety systems comprises the following main steps:

• Identification of initiating events and their frequencies of occurrence;
• Determination of the unavailability of system functions considered in the event sequences, taking human factors and common cause failures into account;
• Determination of the frequency for a highly degraded core (with either a destruction of fuel elements (LWRs, HWRs), the loss of retention capabilities for normally contained fission products (HTGRs), or the loss of the integrity of the primary circuit (molten salt reactors) without and with accident management (AM) actions.

The fault tree analysis is a systematic method of determining the dependency between the failure of a system and failure of its components. The result of such an analysis is the probability of system failure. This method is used for components of engineered safety systems as well as for the I&C systems.
Table 9 presents some examples of reliability data (probability for failure) of engineered safety systems for different initiating events in an operating PWR (Germany).

The general strategy for DID is twofold: first, to prevent accidents and, second, if prevention fails, to limit their potential consequences and prevent any evolution of accidents to more serious conditions, i.e. Levels 4 and 5 of DID. Should preventive measures fail, mitigatory measures, in particular a well-designed containment/confinement can provide the necessary final protection of the public and environment. Generally, several successive physical barriers for the confinement of radioactive material are put in place. Their specific design may vary depending on the radioactivity of the material, on the possible loads on the different barriers and, evidently, on the reactor design itself.
For water cooled reactors, barriers confining the fission products are typically the fuel matrix (partially), the fuel cladding, the pressure boundary of the reactor coolant system (during power operation, but not during shut down), and finally the containment system.
INPRO methodology requirements on the integrity of confinement barriers for the reactor core are summarised in Table 10. For the near reactor spent fuel pools the requirements and barriers depend on the design and generally remain the same except for the primary circuit boundary.
Examples of minimum number of barriers maintained for different accidents in PWR are presented in Table 10.
Because the last barrier against a release of radioactive material into the environment is so important, the containment/ confinement system has to be well designed (against internal and external events and probable combinations thereof) and carefully maintained. An additional requirement for water-cooled reactors is the permanent or periodic confirmation of leak tightness of the containment.
For HTGRs the main barrier against an accidental release of radioactivity is the coated fuel particle^[81]. For molten salt reactors the fuel rod integrity is not relevant, and the main barriers are the primary circuit boundary and containment. Different barriers exist also for designs with a double walled pressure vessel or designs with submerged (in water) pressure vessels^[1][82].

The AM is defined in the IAEA Safety Glossary^[12] as follows:

“The taking of a set of actions during the evolution of an accident:

(a) To prevent escalation to a severe accident;
(b) To mitigate the consequences of a severe accident;

(c) To achieve a long term safe stable state.”

The IAEA published a safety guide on the AM programmes for NPPs^[52] providing detailed recommendations on the development of such programmes, on the structure of AM guidance, and on the AM strategies to be developed for different accidental scenarios. Ref^[52] states:

“2.10. The accident management programme should be developed and maintained consistent with the plant design and its current configuration …

2.11. The accident management programme should address all modes and states of operation and all fuel locations, including the spent fuel pool, and should take into account possible combinations of events that could lead to an accident …
2.12. A structured top-down approach should be used to develop the accident management guidance. This approach should begin with the objectives (including the identification of plant challenges and plant vulnerabilities) and the strategies, followed by measures to implement the strategies. In combination, these strategies and measures should include consideration of plant capabilities. Finally, procedures and guidelines should be developed to implement these strategies and measures …
…
2.14. Multiple strategies should be identified, evaluated and, when appropriate, developed to achieve the objectives of accident management, which include:
(a) Preventing or delaying the occurrence of fuel rod degradation;
(b) Terminating the progress of fuel rod degradation once it has started;
(c) Maintaining the integrity of the reactor pressure vessel …;
(d) Maintaining the integrity of the containment and preventing containment bypass …;
(e) Minimizing releases of radioactive substances …;

(f) Returning the plant to a long term safe stable state in which the fundamental safety functions can be preserved.”

The in-plant AM measures and actions in case of a highly degraded core are very plant-specific. For water-cooled reactors, examples for in-plant AM measures which can be initiated by the operator when appropriate include:

• Monitoring of RPV, plant systems, structures and components status, and the containment environment;
• Projection on the development of accident scenario;
• Injection of boron into the core (e.g. in case of ATWS);
• Depressurization of RPV to avoid high pressure failure of RPV;
• Restoration of heat removal from the core;
• Spraying into the containment atmosphere when it is necessary and allowed (i.e. does not compromise safety characteristics);
• Prevention of the containment bypass (trough the potential rupture of SG tube);
• Supply of AC/DC power (e.g. via mobile equipment from outside the containment);
• Removal of hydrogen from the containment atmosphere;
• Flooding of the reactor cavity to remove the heat from RPV from outside (when appropriate);
• Filtered containment venting.

In the past – based on experience from the accidents at Three Mile Island and Chernobyl – some operating reactors had to be back-fitted (improved or modified), e.g. enhancing ranges of instrumentation, installing filtered containment venting systems and hydrogen recombiners etc. Besides the use of designated safety features, all types of nuclear power plants have the potential to use other (operational) systems to regain control of the facility after an accident with severe core damage and/or heavily degraded fuel in the spent fuel pool.
Ref^[52] provides the recommendations on organization of trainings for the personnel involved in the AM programme including the following:

“2.95. A list of persons who will be part of accident management should be established, and these persons should be designated as emergency workers. This list should take into account accidents developing over a long period so that adequate shift staffing is maintained at the plant (e.g. during holidays and overnight).
2.97. Appropriate training should be provided to members of the operating organization personnel responsible for accident management; the training should be commensurate with their roles and responsibilities.”

International Commission on Radiological Protection^[83] recognises three types of radiation exposure situations that for the case of NPP can be presented as follows:

• A planned radiation exposure situation that arises from the planned (normal) operation of the NPP. For public exposure the dose limit is defined as an effective dose of 1 mSv in a year. In this situation to determine the actual licensed public dose limit the concept of dose constraint has to be taken into account;
• An emergency exposure situation that arises as a result of an accident. In this situation a reference level expressed in terms of residual dose shall be defined, typically an effective dose in the range 20 – 100 mSv that includes dose contributions via all exposure pathways. The protection strategy shall be optimized by planning for residual doses to be as low as reasonably achievable below the reference level;
• An existing exposure situation that arises from natural background radiation, past practices outside regulatory control, or after an emergency exposure situation.

Evacuation of population is a protective action in an emergency that can reduce the risk of stochastic effects, i.e. reduce consequences of the accident. Radiological criteria for evacuation of population are normally formulated in terms of projected dose. Dose calculations need to be performed with validated computer codes; these calculations have to include uncertainty analyses. To avoid the necessity for protective actions such as evacuation of people around an NPP the calculated public dose after a severe accident needs to be below the criteria for evacuation of population for emergency exposure situations.
Estimation of the consequence of the accidental external release can be divided into two major parts. The first part is focused on the definition of the characteristics of the release source term. These characteristics can be calculated as the result of the accident consequence modelling within the reactor containment/ confinement either deterministically or as a part of PSA Level 2 analysis. The second part models the transport of the radionuclides to the population outside of the NPP through different potential routes and scenarios (PSA Level 3). In addition to exposure due to releases of radioactivity to the environment, radiation transport from the damaged reactor core through the containment/ confinement wall, i.e. irradiation from the reactor building, has to be considered in the calculation of consequences (dose).
The latter part of estimation of the consequence of the accidental external release, the modelling of the radionuclides transport to the population outside of the NPP involves simulation of environmental dispersion and transfer, identification of exposure pathways, selection of population groups and evaluation of doses^[84].
The definition of source term for an accidental release to the environment is the prerequisite to the modelling of the radionuclides transport. Source term definition involves the inventory of radioactive materials released, the description of physical and chemical forms of release and other release characteristics such as the height of damaged zone of the confinement wall, pressure and temperature of the released gas and aerosols (including potential explosions).
Accident sequences within the reactor building resulting in the release of radioactivity to the environment may involve containment/ confinement failures or may maintain some of the confinement barriers intact. Containments, e.g. of water-cooled reactors, are designed to be nominally leak-tight. However, leak tight means a small leakage rate that stays within specified limits. During a severe accident, increasing containment pressures and leakages (usually specified between 0.25 – 1 volume % per day) may result in radioactive material first being released to compartments outside the containment, usually in a surrounding building or annulus, and then released to the environment either through a stack (about 100 m high) or directly through other small leakage paths. In the analysis of consequences after an accident with severe core damage, filter efficiencies and natural fission product retention mechanisms (e.g. scrubbing in pools) are usually taken into account but are conservatively neglected in some countries (e.g. Germany).
In some designs with confinements, e.g. for HTGRs, temporary openings will allow a pressure reduction, and therefore, for such designs an accidental release of radioactivity (fission products) into the confinement is expected to be kept very low.

There are two perspectives of the human factor: On the one side, the operating staff is seen as a valuable resource that is playing an important role in plant operation, testing, maintenance and inspection of the plant, and sometimes compensating deficiencies in automatic systems. On the other side, human intervention has also to be seen as a factor of disturbance and of limited reliability, the consequences of which have to be taken into account in the design of all plant systems and functions, to ensure a sufficient level of safety and availability of the plant.
There are three possible (negative) contributions of human interventions to accident hazards:

• Human errors during plant operation, testing or maintenance, contributing to the failure of safety systems or to their unavailability;
• Human errors during plant operation, testing or maintenance giving rise to an initiating event; and
• Human interventions during incident or accident situations, negatively influencing the sequence of events.

As a common design principle, it has to be ensured that:

• Functions, assigned to the operating staff, constitute consistent tasks and correspond to the abilities and strengths of the operating staff (e.g. appropriate degree of automation, appropriate number of tasks, appropriate sharing among centralized and local operating actions); and that
• The man-systems interface (i.e. control room, screen-based and conventional control means, processing of information to be presented to the operators) optimally supports the tasks of operators and minimizes the potential for a human error.

It is expected that the ability to predict human response to both normal and abnormal situations will improve much over the next decades and will have a major impact on plant design and operation. Simulator technology and the capacity (e.g. speed and memory) of computers are constantly improving and thus will allow more realistic representation (and prediction of development) of transient and accident plant states in expert systems.
An increased use of expert systems (artificial intelligence) and real-time operator aids will lower the burden on operators during normal operation and short-term response to abnormal and accident situations. Although the necessity of human action in plant operation is expected to be minimized for a new reactor, knowledge about human behaviour is nevertheless very important.
The history of human errors by reactor personnel during operation is usually found in documented reactor operating experience; however, similar data from non-nuclear facilities must also be applied with due care to the evaluation of human factors for reactors. The human response to expected and unforeseen situations is investigated in all industries. However, the time available or the complexity of necessary actions may vary, e.g. seconds or minutes for aircraft pilots or hours for the operating personnel of a nuclear power plant. Nevertheless, data of human responses can be exchanged between different industries such as aircraft, space flight and chemical plants. This is also true for human response models. It is, however, difficult to make any generalizations; this is due to the variety of processes and a very limited number of published applications.
Human interventions prior to an event have usually not been found to be among the dominant risk contributors; this is based on observations and assessments of different industrial facilities^[79]. But human (erroneous) interventions after an initiating event in a nuclear reactor represent the greatest challenge. Ref^[79] describes relevant research and developmental work in different countries, reviews the applied approaches to human reliability assessments and their limitations, surveys the results of human reliability assessments, and outlines related developments and trends.
Less dependence on operators for normal operation and short-term accident management and the use of expert systems for early diagnosis and real-time operator aids may help to reduce the likelihood of human errors.
Formal human response models need to be used to estimate the likelihood of human errors after an initiating event. These models can either be adapted from other industries or developed specifically for use in the nuclear industry. To further develop confidence in human performance models, the use of simulators needs to be encouraged. Although environmental conditions (especially the human stress factors) in simulator training are not equivalent to real situations, a thorough evaluation of the results can assist model development.

The term ‘safety culture’ was introduced in 1986 by the International Nuclear Safety Advisory Group in a summary report on the post-accident review meeting on the Chernobyl accident^[85] and was further elaborated in a report dealing with safety principles for nuclear power plants^[86]. In 1991 an additional report from the International Nuclear Safety Advisory Group was published describing the concept of safety culture^[87] in more detail. The latter report defined safety culture in the following way:

“Safety culture is the assembly of characteristics and attitudes in organizations and individuals, which establish that, as an overriding priority, protection and safety issues receive the attention warranted by their significance.”

A similar definition is given by the Advisory Committee on the Safety of Nuclear Installations (ACSNI)^[88].

FIG. 5. Components of safety management^[29].

This definition emphasizes that safety culture relates to the structure and style of organizations (governmental institutions, owner/operator, and industrial entities) as well as to the habit and attitude of individuals (managers and employees). Safety culture needs a commitment to safety on three levels: policy, management and individual. The policy level requires a clear statement of safety policy, adequate management structures and related resources, and establishment of self-regulation (by regular review). To fulfil their commitments, managers need to clearly define the responsibilities, accountabilities and safety practices for the control of work, ensure that staff are qualified and trained, establish a system of rewards and sanctions, and perform audits, reviews and benchmarking comparisons. In carrying out their tasks, individuals need to maintain an attentive and questioning attitude, adopt a rigorous and prudent approach, and participate in effective communications (see Figure 5 taken from Ref^[29]).
The importance of the management system for safety culture in NPPs has been described in Ref^[29], which defines this system as “those arrangements made by the organization for the management of safety in order to promote an adequate safety culture and achieve good safety performance”.
Practical recommendations on the implementation of safety culture in a given organization are provided in Refs^[89][90]. Organizations go through a number of stages in developing their safety cultures. These stages are^[89]:

• Safety is compliance driven and is based mainly on rules and regulation.
• Good safety performance becomes an organizational goal.
• Safety is seen as a continuing process of improvement to which everyone can and should contribute.

Safety culture is a complex concept (see also Ref^[91]) and there is no simple indicator that can be used as a yardstick for determining its status. The multilevel nature of culture, and the tacit nature of some of the levels (basic assumptions), increases the difficulty of measurement. Therefore, to capture both observable behaviour and people’s attitudes and basic beliefs, several methods need to be applied including interviews, focus groups, questionnaires, observations and document reviews.
When applying these assessment tools, the key safety culture characteristics and attributes described in Ref^[29] can be used for the identification of strengths and weaknesses in an organization’s safety culture. Annex 1 of Ref^[29] sets out a series of questions for each of the major areas of concern – safety requirements and organization, planning, control and support, etc. – that are helpful in assessing the effectiveness of a safety management system and the status of the safety culture of an organization. Monitoring and measurement of the established and implemented management system effectiveness, self-assessment performance evaluation of management at all levels, independent assessments conducted regularly, management system review, identification of non-conformance and establishment of corrective and preventive actions, and finally identification of improvement opportunities are important elements to consider in assessing whether there is evidence that safety culture prevails.