Difference between revisions of "Safety of Nuclear Reactors (Sustainability Assessment)"
Line 1,077: | Line 1,077: | ||
==Appendix I== | ==Appendix I== | ||
− | '''Examples of reference reactors for INPRO assessment'''<br> | + | <big>'''Examples of reference reactors for INPRO assessment'''<br></big> |
Using of the INPRO methodology in the area of reactor safety requires a reference reactor design in addition to the reactor design being assessed. The reference design should represent the latest design operating in 2013 designed preferably by the same designer as for the plant assessed. For innovative reactors which may have no operating prototypes in 2013, the latest design that has been safely operated or at least licensed can be used as a reference - designed preferably by the same designer as the reactor assessed and using the same technology. <br> | Using of the INPRO methodology in the area of reactor safety requires a reference reactor design in addition to the reactor design being assessed. The reference design should represent the latest design operating in 2013 designed preferably by the same designer as for the plant assessed. For innovative reactors which may have no operating prototypes in 2013, the latest design that has been safely operated or at least licensed can be used as a reference - designed preferably by the same designer as the reactor assessed and using the same technology. <br> | ||
In the following Table 7 potential reference designs are proposed for some novel water-cooled reactor designs. | In the following Table 7 potential reference designs are proposed for some novel water-cooled reactor designs. | ||
Line 1,138: | Line 1,138: | ||
|CEFR | |CEFR | ||
|} | |} | ||
− | |||
==Appendix II== | ==Appendix II== |
Revision as of 13:22, 28 July 2020
INPRO basic principle (BP) for sustainability assessment in the area of nuclear reactor safety - The safety of the planned nuclear installation is superior to that of the reference nuclear installation such that the frequencies and consequences of the accidents are greatly reduced. In the event of an accident, off-site releases of radionuclides are prevented or mitigated so that there will be no need for public evacuation.
Contents
- 1 Introduction
- 2 General features of nuclear energy systems sustainability Assessment in the area of reactor safety
- 2.1 Existing requirements for reactor safety
- 2.2 Requirements for future reactors
- 2.3 The concept of sustainable development and its relationship to the INPRO methodology area of reactor safety
- 2.4 The concept of defence in depth and its relationship with the INPRO methodology area of reactor safety
- 3 Necessary input for INPRO sustainability assessment in the area of reactor safety
- 4 INPRO basic principle, user requirements and criteria for sustainability assessment in the area of reactor safety
- 4.1 INPRO basic principle for sustainability assessment in the area of safety of nuclear reactors
- 4.2 UR1: Robustness of design during normal operation
- 4.3 UR2: Detection and interception of anticipated operational occurrences
- 4.4 UR3: Design basis accidents
- 4.5 UR4: Severe plant conditions
- 4.5.1 Criterion CR4.1: Frequency of release into the containment/ confinement
- 4.5.2 Criterion CR4.2: Robustness of containment/ confinement design
- 4.5.3 Criterion CR4.3: Accident management
- 4.5.4 Criterion CR4.4: Frequency of accidental release into environment
- 4.5.5 Criterion CR4.5: Source term of accidental release into environment
- 4.5.6 Emergency preparedness and response
- 4.6 UR5: Independence of did levels, inherent safety characteristics and passive safety systems
- 4.7 UR6: Human factors related to safety
- 4.8 UR7: Necessary RD&D for advanced designs
- 4.9 Concluding remarks
- 5 Appendix I
- 6 Appendix II
- 7 Appendix III
- 8 Appendix IV
- 9 Appendix V
- 10 Appendix VI
- 11 Appendix VII
- 12 Appendix VIII
- 13 Appendix IX
- 14 Appendix X
- 15 References
Introduction
Objective
This volume of the updated INPRO manual for sustainability assessment provides guidance to the assessor of a planned NES (or a nuclear reactor) on how to apply the INPRO methodology for sustainability assessment in the area of safety of nuclear reactors. The INPRO assessment is expected either to confirm the fulfilment of all INPRO methodology criteria in the area of reactor safety, or to identify which criteria are not fulfilled and note the corrective actions (including potential RD&D) that would be necessary to fulfil them.
This publication discusses the INPRO sustainability assessment method for the area of safety of nuclear reactors. The INPRO sustainability assessment method for safety of nuclear fuel cycle facilities is discussed in a separate report of the INPRO manual.
This publication is intended for use by organizations involved in the development and deployment of a NES including planning, design, modification, technical support and operation for nuclear power plants. The INPRO assessor (or a team of assessors) is assumed to be knowledgeable in the area of nuclear safety and/or may be using the support of qualified organizations (e.g. the IAEA) with relevant experience. Two general types of assessors can be distinguished: a nuclear technology holder (i.e. a designer, developer or supplier of nuclear technology), and a (potential) user of such technology. The current version of the manual includes a number of explanations, discussions, examples and details so it is deemed to be used by technology holders and technology users.
Scope
The INPRO methodology presented in this manual is internationally developed guidance for assessing NES sustainability and is intended for use in support of NES planning studies by focusing on selected areas of reactor safety that are important for public acceptance (see Chapter 2). This manual deals with the long term sustainability of a NES comprised of different types of nuclear reactors. The INPRO methodology user requirements and criteria for sustainability assessment are formulated in this manual in a generic manner to make them applicable to both evolutionary and innovative reactors based on different technologies. However, the major contributions to the INPRO methodology update project have been obtained from the INPRO assessments of evolutionary water-cooled reactors and sodium cooled fast reactors. Other types of innovative reactors with a lower level of design maturity may require modifications or clarifications of selected criteria. Such potential changes will be considered in future revisions of the INPRO methodology after sufficient experience has accrued from INPRO assessments of such reactors.
This manual does not establish any specific safety requirements, recommendations or guidance. IAEA safety requirements and guidance are only issued in the IAEA Safety Standards Series. Therefore, the basic principles, user requirements and associated criteria contained in the INPRO methodology should only be used for sustainability assessments. The INPRO methodology is typically used by Member States in conducting a self-assessment of the sustainability and sustainable development of nuclear energy systems. This manual should not be used for formal or authoritative safety assessments or safety analyses to address compliance with the IAEA Safety Standards or for any national regulatory purpose associated with the licensing or certification of nuclear facilities, technologies or activities.
In the current version of the INPRO methodology, the sustainability issues relevant to safety of reactors and safety of nuclear fuel cycle facilities (NFCFs) are considered in separate manuals. The current methodology does not specifically address innovative integrated system designs (e.g. molten salt reactors with liquid fuel and integrated fast reactors with metallic fuel) whose reactors are combined or co-located with fuel fabrication and/or reprocessing facilities. Reactor and NFCF installations of such integrated systems should be assessed separately against corresponding criteria in the INPRO areas of reactor safety and safety of NFCFs . When more detailed information on the safety issues in integrated systems has been acquired, this approach can be changed in the next revisions of the INPRO methodology.
This version of the INPRO methodology manual for the area of reactor safety is focused on those nuclear power plants that produce primarily electricity, heat and combinations of the two . This publication does not explicitly consider safety issues related to other non-electric applications (hydrogen production, desalination, etc.) or to cogeneration involving such energy products. It is expected that as more detailed information is acquired on the interactions between a reactor and industrial facilities located on the same site, the INPRO criteria may be modified when the methodology is next revised.
Structure
This publication follows the relationship between the concept of sustainable development and different INPRO methodology areas. Section 2 describes the linkage between the United Nations Brundtland Commission’s concept of sustainable development and the IAEA’s INPRO methodology for assessing the sustainability of planned and evolving NESs. Section 2 also considers how the INPRO sustainability assessment methodology in the area of reactor safety relates to the DID concept. Section 3 identifies the necessary inputs for an INPRO assessment in the area of reactor safety. This includes information on design and safety analyses for the planned reactor and for the reference design. Section 4 presents the rationale and background for the INPRO sustainability assessment methodology in the area of reactor safety in terms of the selected basic principle, user requirements and assessment criteria, which consist of indicators and acceptance limits. On the criterion level, guidance is provided on how to determine the values of the indicators and acceptance limits, i.e. how to assess the potential of a NES to fulfil the INPRO methodology criteria. Appendix I presents a list of potential reference reactor designs to be used in the INPRO assessment. Appendices II through X provide complementary information which can be useful for the INPRO assessment of NES against different criteria discussed in the report. Table 1 provides an overview of the INPRO user requirements and criteria that stem from the INPRO basic principle for sustainability assessment in the area of reactor safety.
INPRO basic principle for sustainability assessment in the area of safety of nuclear reactors: The safety of the planned nuclear installation is superior to that of the reference nuclear installation such that the frequencies and consequences of the accidents are greatly reduced. In the event of an accident, off-site releases of radionuclides are prevented or mitigated so that there will be no need for public evacuation. | ||
INPRO user requirements | Criteria | Indicator (IN) and Acceptance Limit (AL) |
---|---|---|
UR1: Robustness of design during normal operation:
The nuclear reactor assessed is more robust than a reference design with regard to operation and systems, structures and components failures. |
CR1.1: Design of normal operation systems | IN1.1: Robustness of design of normal operation systems. |
AL1.1: More robust than that in the reference design. | ||
CR1.2: Reactor performance | IN1.2: Reactor performance attributes. | |
AL1.2: Superior to those of the reference design. | ||
CR1.3: Inspection, testing and maintenance | IN1.3: Capabilities to inspect, test and maintain. | |
AL1.3: Superior to those in the reference design. | ||
CR1.4: Failures and deviations from normal operation | IN1.4: Expected frequency of failures and deviations from normal operation. | |
AL1.4: Lower than that in the reference design. | ||
CR1.5: Occupational dose | IN1.5: Occupational dose values during normal operation and AOOs. | |
AL1.5: Lower than the dose constraints. | ||
UR2: Detection and interception of AOOs:
The nuclear reactor assessed has improved capabilities to detect and intercept deviations from normal operational states in order to prevent AOOs from escalating to accident conditions. |
CR2.1: Instrumentation and control (I&C) system and inherent characteristics | IN2.1: Capabilities of the I&C system to detect and intercept and/or capabilities of the reactor’s inherent characteristics to compensate for deviations from normal operational states. |
AL2.1: Superior to those in the reference design. | ||
CR2.2: Grace periods after AOOs | IN2.2: Grace periods until human actions are required after AOOs. | |
AL2.2: Longer than those in the reference design. | ||
CR2.3: Inertia | IN2.3: Inertia to cope with transients. | |
AL2.3: Larger than that in the reference design. | ||
UR3: Design basis accidents (DBAs):
The frequency of occurrence of DBAs in the nuclear reactor assessed is reduced. If an accident occurs, engineered safety features are able to restore the reactor to a controlled state, and subsequently to a safe shutdown state, and ensure the confinement of radioactive material. Reliance on human intervention is minimal, and only required after a sufficient grace period. |
CR3.1: Frequency of DBAs | IN3.1: Calculated frequencies of occurrence of DBAs. |
AL3.1: Frequencies of DBAs that can cause plant damage are lower than those in the reference design. | ||
CR3.2: Grace period for DBAs | IN3.2: Grace periods for DBAs until human intervention is necessary. | |
AL3.2: At least 8 hours and longer than those in the reference design. | ||
CR3.3: Engineered safety features | IN3.3: Reliability and capability of engineered safety features. | |
AL3.3: Superior to those in the reference design. | ||
CR3.4: Barriers | IN3.4: Number of confinement barriers maintained (intact) after DBAs and DECs. | |
AL3.4: At least one and consistent with regulatory requirements for the type of reactor and accident under consideration. | ||
CR3.5: Subcriticality margins | IN3.5: Subcriticality margins after reactor shutdown in accident conditions. | |
AL3.5: Sufficient to cover uncertainties and to maintain shutdown conditions of the core. | ||
UR4: Severe plant conditions:
The frequency of an accidental release of radioactivity into the containment / confinement is reduced. If such a release occurs, the consequences are mitigated, preventing or reducing the frequency of occurrence of accidental release into the environment. The source term of the accidental release into the environment remains well within the envelope of the reference reactor source term and is so low that calculated consequences would not require evacuation of the public. |
CR4.1: Frequency of release into containment / confinement | IN4.1: Calculated frequency of accidental release of radioactive materials into the containment / confinement. |
AL4.1: Lower than that in the reference design. | ||
CR4.2: Robustness of containment / confinement design | IN4.2: Containment loads covered by the design, and natural or engineered processes and equipment sufficient for controlling relevant system parameters and activity levels in containment / confinement. | |
AL4.2: Larger than those in the reference design. | ||
CR4.3: Accident management | IN4.3: In-plant accident management (AM). | |
AL4.3: AM procedures and training sufficient to prevent an accidental release outside containment / confinement and regain control of the reactor. | ||
CR4.4: Frequency of accidental release into environment | IN4.4: Calculated frequency of an accidental release of radioactive materials into the environment. | |
AL4.4: Lower than that in the reference design. Large releases and early releases are practically eliminated. | ||
CR4.5: Source term of accidental release into environment | IN4.5: Calculated inventory and characteristics (release height, pressure, temperature, liquids/gas/aerosols, etc) of an accidental release. | |
AL4.5: Remain well within the inventory and characteristics envelope of the reference reactor source term and are so low that calculated consequences would not require public evacuation. | ||
UR5: Independence of DID levels, inherent safety characteristics and passive safety systems:
An assessment is performed to demonstrate that the DID levels are more independent from each other than in the reference design. To excel in safety and reliability, the nuclear reactor assessed strives for better elimination or minimization of hazards relative to the reference design by incorporating into its design an increased emphasis on inherently safe characteristics and/or passive systems, when appropriate. |
CR5.1: Independence of DID levels | IN5.1: Independence of different levels of DID. |
AL5.1: More independence of the DID levels than in the reference design, e.g. as demonstrated through deterministic and probabilistic means, hazards analysis, etc. | ||
CR5.2: Minimization of hazards | IN5.2: Characteristics of hazards. | |
AL5.2: Hazards smaller than those in the reference design. | ||
CR5.3: Passive safety systems | IN5.3: Reliability of passive safety systems. | |
AL5.3: More reliable than the active safety systems in the reference design. | ||
UR6: Human factors (HF) related to safety:
Safe operation of the nuclear reactor assessed is supported by accounting for HF requirements in the design and operation of the plant, and by establishing and maintaining a strong safety culture in all organizations involved. |
CR6.1: Human factors | IN6.1: HF considerations are addressed systematically throughout the life cycle of the reactor. |
AL6.1: HF assessment results are better than those for the reference design. | ||
CR6.2: Attitude to safety | IN6.2: Prevailing safety culture. | |
AL6.2: Evidence is provided by periodic safety culture reviews. | ||
UR7: Necessary RD&D for advanced designs:
The development of innovative design features of the nuclear reactor assessed includes associated research, development and demonstration (RD&D) to bring the knowledge of plant characteristics and the capability of analytical methods used for design and safety assessment to at least the same confidence level as for operating plants. |
CR7.1: Safety basis and safety issues | IN7.1: Safety basis and a clear process for addressing safety issues. |
AL7.1: The safety basis for advanced designs is defined and safety issues are addressed. | ||
CR7.2: RD&D | IN7.2: RD&D status. | |
AL7.2: Necessary RD&D is defined and performed, and the database is developed. | ||
CR7.3: Computer codes | IN7.3: Status of computer codes. | |
AL7.3 Computer codes or analytical methods are developed and validated. | ||
CR7.4: Novelty | IN7.4: Pilot or demonstration plant. | |
AL7.4: In case of a high degree of novelty: a pilot or demonstration plant is specified, built and operated, lessons are learned and documented, and results are sufficient to be extrapolated to a full-size plant. In case of a low degree of novelty: a rationale is provided for bypassing a pilot or demonstration plant. | ||
CR7.5: Safety assessment | IN7.5: Adequate safety assessment involving a suitable combination of deterministic and probabilistic methods, and identification of uncertainties and sensitivities. | |
AL7.5: Uncertainties and sensitivities are identified and appropriately dealt with, and the safety assessment is approved by a responsible regulatory authority. |
General features of nuclear energy systems sustainability Assessment in the area of reactor safety
This section provides an overview of the existing requirements for reactor safety, describes how the INPRO methodology supports the concept of sustainable development, and summarizes how the INPRO methodology follows the DID concept.
Existing requirements for reactor safety
The INPRO methodology’s basic principle, user requirements and criteria for sustainability assessment in the area of reactor safety have been established taking into account the large body of existing work on the safety of reactors operating today, as well as previous work on establishing the requirements for next generation (advanced) reactors.
The IAEA has produced internationally endorsed requirements and published them as the IAEA Safety Standards. These publications define the elements necessary to ensure the safety of nuclear power plants.
National regulatory bodies determine the licensing requirements that must be met by all national or foreign organisations involved in the design, construction, operation, decommissioning etc. of a nation’s NPPs.
Various utility groups have developed corresponding utility requirements documents reflecting their experience from the construction, licensing and operation of NPPs over the past several decades, representing over 10 000 reactor-years of operating experience. Documents have been prepared for evolutionary and innovative designs by organizations such as EPRI (Advanced Light Water Reactor Utility Requirements Document – ALWR-URD), Japanese Utilities (JURD), Korean Utilities (KURD), Chinese Utilities (CURD) and the European Utilities (European Utility Requirements – EUR). These documents were authored primarily by electricity-generating utilities whose experiences with well-characterized reactor designs could be used to inform the development of modern (advanced) nuclear designs.
In 2004, the IAEA[1] presented an overview of these utility documents. A summary of the essence of these utility requirements for advanced reactor designs is presented below:
- A design life of 60 years;
- Reliable and flexible operation, with high overall plant availability, low levels of unplanned outages, short refuelling outages, good controllability (e.g. 100–50–100 % load following capability), and operating cycles extended up to 24 months;
- Increased margins to reduce sensitivity to disturbances and to reduce the number of safety challenges;
- Improved automation and man-systems interface, which, together with the increased margins, provide more time for the operator to act in accident/incident situations and reduce the probability of operator errors;
- Calculated core damage frequency – less than 10-5 per reactor-year; cumulative frequency of accidental releases to the outside following core damage – less than 10-6 per reactor-year; and
- Design measures to cope with severe accidents.
In one specific area, there is a distinct difference between utility requirements for Europe and for the United States. This difference is attributed to the higher population density in Europe leading to more restrictive release targets for the European Utility Requirements as follows:
- To limit emergency protection actions beyond 800 m from the reactor to a minimum during early releases from the containment;
- To avoid delayed actions (temporary transfer of people) at any time beyond about 3 km from the reactor;
- To avoid long term actions, involving permanent (longer than 1 year) resettlement of the public, at any distance beyond 800 m from the reactor; and
- To ensure that restrictions on the consumption of foodstuffs and crops will be limited in terms of time and geographical area.
These requirements have been developed by utilities and are to be considered primarily as design targets. They should not be interpreted as requirements for the emergency preparedness arrangements to be implemented.
Requirements for future reactors
The scope of the INPRO methodology covers nuclear reactors expected to come into service in the twenty-first century, together with the associated fuel cycles. It is recognized that a mixture of evolutionary and innovative designs will be brought into service and will co-exist within this period.
The ‘Three Agency Study’[2] published in 2002 provides an overview of trends in the development of advanced (innovative) NESs. The range of reactors with advanced design features includes water-cooled, gas-cooled, liquid metal-cooled systems and molten salt reactors of various sizes to be used for various purposes.
In the global nuclear community, it is generally assumed that for widespread and long term use of nuclear power to be sustainable, a nuclear fuel strategy is required that utilizes, at least as a component, breeding, reprocessing and recycling of fissile material. In some countries or regions and for intermediate time scales, it is expected that advanced once-through (open) fuel cycle strategies featuring improved safety, proliferation resistance and physical protection will be followed. Ultimately, however, the development and implementation of advanced reactors and fuel strategies will include closed fuel cycles that make better use of uranium (and thorium) resources.
The Generation IV International Forum (GIF)[3] has defined six advanced (innovative) nuclear reactors and their associated fuel cycles that are to be developed in a joint effort by the countries participating in that programme with the aim of achieving full commercialization of these designs. The innovative reactor designs considered are a fast sodium cooled reactor, a fast gas cooled reactor, a molten salt reactor, a supercritical water-cooled reactor, a lead cooled reactor, and a very high temperature gas-cooled reactor. The 14 members participating in the GIF programme are: Argentina, Australia, Brazil, Canada, China, EURATOM, France, Japan, Republic of Korea, the Russian Federation, Republic of South Africa, Switzerland, the United Kingdom, and the United States. The GIF’s risk and safety working group developed the Integrated Safety Assessment Methodology (ISAM) to be used continuously by the developers of the innovative reactor designs. This methodology is based principally on probabilistic safety assessment and offers assessment tools well suited to all stages of design development.
National licensing requirements are well established for currently operating nuclear power reactors. A vendor of a given reactor design is expected to meet all these requirements at all levels that are specific to that reactor type, and exceptions, even at the detailed level, are unusual.
As mentioned before, this report discusses INPRO methodology criteria for nuclear reactors; INPRO criteria for safety of nuclear fuel cycle facilities are treated in a separate report of the updated INPRO manual. The INPRO methodology user requirements for sustainability assessment in the area of reactor safety are intended to be as generic as possible; where they cannot be made fully generic, this has been noted.
The concept of sustainable development and its relationship to the INPRO methodology area of reactor safety
The United Nations World Commission on Environment and Development Report[4] (often known as the Brundtland Commission Report) defines sustainable development as “development that meets the needs of the present without compromising the ability of future generations to meet their own needs” (para. 1). This definition:
“contains within it two key concepts:
- the concept of ‘needs’, in particular the essential needs of the world’s poor, to which overriding priority should be given; and
- the idea of limitations imposed by the state of technology and social organization on the environment’s ability to meet present and future needs.”
Based on this definition of sustainable development a three-part test of any approach to sustainability and sustainable development was proposed within the INPRO project: 1) current development should be fit for the purpose of meeting current needs with minimized environmental impacts and acceptable economics, 2) current research development and demonstration programmes should establish and maintain trends that lead to technological and institutional developments that serve as a platform for future generations to meet their needs, and 3) the approach to meeting current needs should not compromise the ability of future generations to meet their needs.
The definition of sustainable development may appear obvious, yet passing the three-part test is not always straightforward when considering the complexities of implemented nuclear energy systems and their many supporting institutions. Many approaches may only pass one or perhaps two parts of the test in a given area and may fail the others.
The Brundtland Report’s overview (para.61 in Ref.[4]) of nuclear energy summarized the topic as follows:
“After almost four decades of immense technological effort, nuclear energy has become widely used. During this period, however, the nature of its costs, risks, and benefits have become more evident and the subject of sharp controversy. Different countries world-wide take up different positions on the use of nuclear energy. The discussion in the Commission also reflected these different views and positions. Yet all agreed that the generation of nuclear power is only justifiable if there are solid solutions to the unsolved problems to which it gives rise. The highest priority should be accorded to research and development on environmentally sound and ecologically viable alternatives, as well as on means of increasing the safety of nuclear energy.”
The Brundtland Commission Report presented its comments on nuclear energy in Chapter 7, Section III[4]. In the area of nuclear energy, the focus of sustainability and sustainable development is on solving certain well-known problems (referred to here as ‘key issues’) of institutional and technological significance. Sustainable development implies progress and solutions in the key issue areas. Seven key issues are discussed in Ref[4]:
- Proliferation risks;
- Economics;
- Health and environment risks;
- Nuclear accident risks;
- Radioactive waste disposal;
- Sufficiency of national and international institutions (with particular emphasis on intergenerational and transnational responsibilities);
- Public acceptability.
The INPRO methodology for self-assessing the sustainability and sustainable development of a nuclear energy system is based on the broad philosophical outlines of the Brundtland Report’s concept of sustainable development described above. Although three decades have passed since the publication of the Brundtland Commission Report and eighteen years have passed since the initial consultancies on development of the INPRO methodology in 2001 the definitions and concepts remain valid. The key issues for sustainable development of NESs have remained essentially unchanged over the intervening decades, although significant historical events have starkly highlighted some of them.
During this period, several notable events have had a direct bearing on nuclear energy sustainability. Among these were events pertaining to non-proliferation, nuclear security, waste management, cost escalation of new construction and, most notably, to reactor safety.
Each INPRO methodology manual examines a key issue of NES sustainable development. The structure of the methodology is a hierarchy of INPRO basic principles, INPRO user requirements for each basic principle, and specific INPRO criteria for measuring whether each INPRO UR has been met. Under each INPRO UR, the CR includes measures that take into consideration the three-part test based on Brundtland Report definition of sustainable development which was described above.
This INPRO manual focusses on the key issue of nuclear reactor safety. In the Brundtland Commission Report[4] section on nuclear energy (Chapter 7, Section III), the most detailed discussion is on the key issue of reactor safety. The report justified its principal focus on reactor safety with the following argument:
“Nuclear safety returned to the newspaper headlines following the Three Mile Island (Harrisburg, United States) and the Chernobyl (USSR) accidents. Probabilistic estimates of the risks of component failure, leading to a radioactive release in Western style light water reactors were made in 1975 by the U.S. Nuclear Regulatory Commission. The most serious category of release through containment failure was placed at around 1 in 1,000,000 years of reactor operation. Post-accident analysis of both Harrisburg and Chernobyl - a completely different type of reactor - have shown that in both cases, human operator error was the main cause. They occurred after about 2,000 and 4,000 reactor-years respectively. The frequencies of such occurrences are well-nigh impossible to estimate probabilistically. However, available analyses indicate that although the risk of a radioactive release accident is small, it is by no means negligible for reactor operations at the present time.”
In addition, the Brundtland Commission Report[4]noted that national governments were responding to nuclear accidents by following one of three general policy directions:
“National reactions indicate that as they continue to review and update all the available evidence, governments tend to take up three possible positions:
- remain non-nuclear and develop other sources of energy;
- regard their present nuclear power capacity as necessary during a finite period of transition, to safer alternative energy sources; or
- adopt and develop nuclear energy with the conviction that the associated problems and risks can and must be solved with a level of safety that is both nationally and internationally acceptable.”
These typical national policy directions remain consistent with practice to the current day. Within the context of a discussion on sustainable development of nuclear energy systems, it would seem that the first two policy positions cannot result in development of a sustainable nuclear energy system in the long term since nuclear energy systems are either avoided altogether or phased out over time. However, it is arguable that both policy approaches can meet the three-part Brundtland sustainable development test if technology avoidance or phase-out policies are designed in a way that avoids foreclosing or damaging the economic and technological opportunity for future generations to change direction and start or re-establish a nuclear energy system. This has certain specific implications regarding long term nuclear education, knowledge retention and management and with regard to how spent nuclear fuels and other materials, strategic to nuclear energy systems, are stored or disposed of.
The third policy direction proposes to develop nuclear energy systems that ‘solve’ the problems and risks through a national and international consensus approach to enhance safety. This is a sustainable development approach, in which the current generation has decided that nuclear energy is necessary to meet its needs, while taking a positive approach to developing enhanced safety to preserve the option in the future. In addition to the general outlines of how and why nuclear reactor safety is a principal key issue affecting the sustainability and sustainable development of nuclear energy systems, the Commission Report also advised that key institutional arrangements should be developed. Since that time, efforts to establish such institutional arrangements have achieved a large measure of success. The Brundtland Commission Report was entirely clear that enhanced reactor safety is a key element of the sustainable development of nuclear energy systems. It is not possible to measure nuclear energy system sustainability apart from direct consideration of certain safety issues.
Understanding the psychology of risk perception in the area of nuclear safety is critical to understanding nuclear energy system sustainability and sustainable development. In a real measured sense, taking into account the mortality and morbidity statistics of other non-nuclear energy generation technology chains (used for similar purpose), nuclear energy has an outstanding safety record, despite the severe reactor accidents that have occurred. However, it should not be presumed that this means that reactor safety is not a key issue affecting nuclear energy system sustainability. How do dramatically low risk estimations (ubiquitous in nuclear energy system probabilistic risk assessment) sometimes psychologically disguise high consequence events in the minds of designers and operators, while the lay public perception of risk (in a statistical sense) may be tilted quite strongly either toward supposed consequences of highly unlikely, but catastrophic disasters, or toward a complacent lack of interest in the entire subject? This issue has been studied for many years[5][6]. What should be the proper metrics for the INPRO sustainability assessment methodology given that the technical specialist community has developed an approach that may seem obscure and inaccessible to the lay public?
For example, if the radioactive dose consequence of a severe reactor accident is calculated in terms of mortality/morbidity estimates in the known exposed public, the outcomes may seem far less than catastrophic. However, if the impacts of economic and population dislocations that can be attributed directly or indirectly to the severe reactor accident (such as Chernobyl and Fukushima) are estimated and these figures are converted (using the methods of cost benefit analysis) into ‘total costs’ and ‘years of life lost’, a severe reactor accident can take on an epic scale – as has been observed in practice in the severe cases. The apparent paradox is that both estimates (dose and other collateral impacts) measure something that has occurred, and both are ‘true’ in their own sense. The paradox is resolved by noting that, while public exposures to radiation may be kept small and inconsequential through a combination of plant design, other technical measures and emergency responses, experience demonstrates that the perception of a population about an event is at least as important to the overall outcome as are measured evidences of radioactive dose. The affected population will have thoughts and feelings and will take actions based on their individual intellectual and emotional judgements about the accident – whether those judgements are technically informed or not.
It is both unrealistic and unhelpful to suppose that a massive public education campaign can eliminate the difference between the judgments of experts and those of the lay public. Continuous communication and education programmes can help, but there are also limits to what can be achieved. Reactor designs, construction and operations, decommissioning, and emergency planning and response must therefore be reconciled to the reality of the current public mindsets. The close relationship between public perception of risk and public acceptance should be considered universal with regard to the key issue of nuclear safety. It can have tremendous impact across national and regional boundaries and even on different continents – in a psychological sense, a severe nuclear accident anywhere is a nuclear accident everywhere.
With regard to nuclear reactor safety, the public are principally focussed on the individual and collective risks and magnitude of potential consequences in case of reactor accidents (radiological, economic and other psychosocial consequences taken together). Considering the experience of all reactor accidents to date it is clear that a few key issues are central to positively influencing the public debate over nuclear safety and improving public acceptance of nuclear energy:
- Significant radioactive releases need to be avoided, avoiding the need to relocate significant populations even in the case of a severe nuclear accident.
- In the extremely unlikely event of a significant release of radioactivity, fully competent emergency planning, preparedness and response capabilities are expected to be in place and available for immediate action .
- Design basis accidents need to be made even more unlikely than in previous designs, even if releases of radioactivity are insignificant and dose to the most exposed public is inconsequential (from a regulatory limit perspective).
- Facility upsets and failures that could cause a departure from normal safe operations are expected to be rarer than in previous designs. Regular upsets and failures and/or difficult recoveries tend to undermine public confidence in both worker safety and public safety.
- Where practicable, inherent and passive safety features could be incorporated to reduce risks posed by active system faults and human operator error.
- Unacceptable occupational doses and hazards need to be avoided. Unacceptable doses and hazards to nuclear workers undermine public confidence in safety and health.
- Superior performance in the overall reactor plant lifecycle risk posed to the public needs to be demonstrated in comparison to previous reactor designs. Inferior performance on overall risk undermines public confidence in safety.
- Continuing improvements in safety by design through research and development programmes need to continue and be practically applied in new reactor designs. Continuing improvements help support public confidence in the safety of nuclear energy.
- Stakeholder communication and public outreach and education on all principal aspects of facility safety listed above (at a minimum) need to be continuous, accurate and transparent . Without an effective communication and education programme, it is very difficult to influence the stakeholder and public mindsets.
In the current INPRO manual, the URs and CRs focus on assessment of the NES characteristics associated with the majority of these issues. Unlike several other key sustainability issues assessed in other areas of the INPRO methodology, Brundtland sustainability in the area of reactor safety is intimately tied to public perception of consequence and risk. Continuously allaying public concern about nuclear reactor safety is central to sustainability and sustainable development of nuclear energy systems.
The concept of defence in depth and its relationship with the INPRO methodology area of reactor safety
The DID concept provides an overall strategy for designing safety measures and features of nuclear installations[7][8][9]. The concept is twofold: firstly, to prevent accidents and, secondly, if prevention fails, to mitigate their potential consequences and prevent any evolution to more serious conditions. Accident prevention is the first priority, because provisions to prevent deviations of the plant state from well-known operational conditions are generally more effective and more predictable than measures aimed at mitigation of such departures – plant performance generally deteriorates when the status of the plant or a component departs from normal operating conditions. Thus, preventing the degradation of (normal operation) plant status and performance generally will provide the most effective protection of workers, the public and the environment.
The objectives of implementing DID in a design are as follows:
- To compensate for potential failures of humans, systems, structures and components;
- To maintain the effectiveness of the barriers by averting damage to the plant and to the barriers themselves; and
- To protect the public and the environment from harm in the event that these barriers are not fully effective.
When properly implemented, DID ensures that no single technical, human or organizational failure could lead to harmful effects, and that the combinations of failures that could give rise to significant harmful effects are of very low probability.
DID is characterized by five levels of protection, with the top level being prevention, and the remaining four levels representing the response to increasing challenges to plant and public safety[9]. Ref[9] states:
“The purpose of the first level of defence is to prevent deviations from normal operation and the failure of items important to safety. This leads to requirements that the plant be soundly and conservatively sited, designed, constructed, maintained and operated in accordance with quality management and appropriate and proven engineering practices”
For example, design features that reduce the potential for internal hazards, e.g. fire, contribute to the prevention of accidents.
The purpose of the second level of DID is to “detect and control deviations from normal operational states in order to prevent anticipated operational occurrences at the plant from escalating to accident conditions”[9]. The second level “necessitates the provision of specific systems and features in the design, the confirmation of their effectiveness through safety analysis, and the establishment of operating procedures to prevent such initiating events, or otherwise to minimize their consequences, and to return the plant to a safe state”.
The purpose of the third level of defence is the control of postulated accidents , preventing damage to the reactor core, i.e. assuring its structural integrity, preventing radioactive releases requiring off-site protective actions and returning the plant to a safe state. To achieve this objective, inherent safety features, engineered safety systems and accident procedures have to be provided.
The purpose of DID Level 4 is[9]:
“… to mitigate the consequences of accidents that result from failure of the third level of defence in depth. This is achieved by preventing the progression of such accidents and mitigating the consequences of a severe accident.”
It is related to the control of potential severe plant conditions and the minimisation of off-site contamination.
The purpose of the fifth level of defence is to mitigate the consequences of potential accidental radiological releases. This requires adequate emergency plans, procedures and emergency response facilities.
Ensuring the independence of the different levels of protection in the DID concept is key to avoiding the propagation of failures into subsequent levels.
Based on the DID concept, the INPRO methodology has developed general proposals for designers/developers to meet the INPRO user requirements of sustainable development in the area of safety of nuclear reactors. These proposals are based on extrapolations of trends published in Section 5 of Ref[7] and are presented in Table 2. These proposals are focused on the prevention, reduction and containment of radioactive releases. INPRO NES sustainability assessment user requirements related to the off-site emergency preparedness and response measures, which are focused on reducing the consequences of a potential accidental release of radioactivity from the NPP, are considered in the INPRO area of infrastructure[10].
Level | DID level purpose | INPRO methodology proposals for nuclear reactors |
---|---|---|
1 | Prevention of deviations from normal operation and the failures of items important to safety | Enhance prevention by increased emphasis on robustness of the design of normal operation systems, and further reducing the probability of human error in the routine operation of the plant. Enhance the independence among DID levels. |
2 | Detect and control deviations from normal operational states in order to prevent anticipated operational occurrences at the plant from escalating to accident conditions. | Give priority to inherently safe design characteristics and advanced control and monitoring systems with enhanced reliability, intelligence and the ability to anticipate and compensate abnormal operational states. Enhance the independence among DID levels. |
3 | Control of accidents. Preventing damage to the reactor core and preventing radioactive releases requiring off-site protective actions and returning the plant to a safe state | Decrease expected frequency of accidents. Achieve fundamental safety functions by an optimized combination of active and passive design features; limit and mitigate consequences; minimize reliance on human intervention, e.g. by increasing grace period. Enhance the independence among DID levels. |
4 | Mitigate the consequences of accidents that result from failure of the third level by preventing the progression of such accidents and mitigating the consequences of a severe accident. | Decrease expected frequency of severe plant conditions; increase reliability and capability of systems to control and monitor severe accident sequences ; reduce the characteristics of source term of the potential emergency off-site releases of radioactivity. Avoid ‘cliff-edge’ failures of items important to safety. Enhance the independence among DID levels. |
(5) | Mitigation of radiological consequences of radioactive releases | Emergency preparedness is covered in another area of the INPRO methodology called Infrastructure[10] INTERNATIONAL ATOMIC ENERGY AGENCY, INPRO Methodology for Sustainability Assessment of Nuclear Energy Systems: Infrastructure, IAEA Nuclear Energy Series, No. NG-T-3.12, IAEA, Vienna (2014). </ref>. |
The first four sustainability assessment user requirements of the INPRO methodology in the area of safety of nuclear reactors are directly linked to the first four levels of the DID concept. The rest of the user requirements are related to specific aspects of this concept. A nuclear power plant is considered as having an acceptable level of safety if it fulfils all applicable (national and international) safety related standards and regulations, i.e. when it is licensed for operation. In fact, the reference design is assumed to be compliant with these standards and regulations. The INPRO methodology intends to go beyond these standards and regulations by taking into account trends and anticipated future directions of development (Section 5 of Ref[7]) to achieve safety enhancements in the assessed new design that contribute to the long term sustainability of the nuclear energy system.
Necessary input for INPRO sustainability assessment in the area of reactor safety
This section gives guidance on the information needed by an assessor to be able to perform an INPRO sustainability assessment in the area of safety of nuclear reactors. As explained earlier, an INPRO sustainability assessment is not an assessment of compliance with the IAEA Safety Standards.
Definition of Nuclear Energy System
See NES for clear definition of nuclear energy system.
In the INPRO methodology area of safety of nuclear reactors, the design of the reactor assessed is generally to be compared to a reference design. The goal of the INPRO assessment in this area is then to demonstrate an increased safety level in the assessed reactor design in comparison to the reference design. The nuclear reactor assessed, and the reference reactor should preferably be of the same lineage and from the same designer. Examples of potential reference reactors are presented in Appendix I.
INPRO assessment by a technology user
As a technology user, an INPRO assessor needs rather detailed design information on the nuclear reactor to be assessed. This includes information relating to: the design basis of the plant; design information on the reactor core, fuel, primary circuit, reactor heat removal system, engineered safety systems, containment systems, human system interfaces, control and protection systems, etc. The design information needs to highlight the structures, systems and components that are of evolutionary or innovative design and these would be the focus of the INPRO assessment.
In addition to the information on the nuclear reactor to be assessed, the INPRO assessor needs the same type of information on a reference plant design in order to perform a comparison of both designs. Details of the information needed are outlined in the discussion of the INPRO methodology criteria in the following sections of this report.
If not available in the public domain, the necessary information is to be provided by the designer (potential supplier). Therefore, a close cooperation between the INPRO assessor as a technology user and the designer (potential supplier) is necessary (as discussed in the overview manual of the INPRO methodology).
The role of technology user in the INPRO assessment is primarily to check in a simplified way whether the designer (supplier) has appropriately taken into account the nuclear safety aspects in its design as defined by the INPRO methodology. A technology user is assumed – in order to minimize its risk – to be primarily interested in installing reactors based on proven technology with designs that have been licensed (at least in the country of the supplier) and that have operated successfully for a sufficiently long time.
Results of safety analyses
The INPRO assessor will need access to results of a safety assessment that includes a safety analysis which evaluates and assesses challenges to safety under various operational states, anticipated occurrences and accident conditions using deterministic and probabilistic methods; this safety assessment is expected to be performed and documented by the designer (potential supplier) of the reactor to be assessed and the reference reactor.
For the reactor to be assessed, the safety assessment would need to include details of the research, development and demonstration (RD&D) carried out for advanced aspects of the design. Such information is usually found in a preliminary safety analysis report (PSAR) available in the public domain and is otherwise to be provided by the designer (potential supplier) of the reactor.
INPRO assessment by a technology developer
In principle, an INPRO assessment can be carried out by a technology developer at any stage of the development of an advanced reactor design. A designer (developer) can use this report to check whether its new design under development meets the INPRO methodology sustainability criteria regarding nuclear safety but can additionally initiate modifications during early design stages if necessary to improve the safety level of its design. However, it needs to be recognized that the extent and available level of detail of design and safety assessment information will increase as the design of an advanced nuclear reactor progresses from the conceptual stage to development of the detailed design. This will need to be taken into account in drawing conclusions on whether an INPRO methodology criterion in the area of safety has been met by the advanced design.
One potential mode of the INPRO methodology application by a technology developer is to perform a limited scope assessment. Limited scope INPRO assessments can be focused on the specific areas and specific installations in a nuclear energy system having different levels of maturity. Limited scope studies may assess reactor designs under development, including innovative designs, and may help to highlight gaps to be closed by on-going R&D studies and to define the scope of data needed for making a future judgement on system sustainability.
Other sources of INPUT
The NESA support package introduced in the overview manual of the INPRO methodology includes information on safety related issues that were collected form the public domain. This includes preliminary safety analysis reports from several advanced reactor designs, exemplary limited scope assessments performed by designers participating in INPRO activities, etc.
The final report of the nuclear energy system assessment (NESA) of the planned nuclear energy system in Belarus is documented in Ref[11]; it includes an assessment of the WWER reactor AES-2006 using the INPRO methodology.
INPRO basic principle, user requirements and criteria for sustainability assessment in the area of reactor safety
The INPRO methodology for assessing NES sustainability in the area of nuclear reactor safety defines one INPRO basic principle and a supporting set of INPRO user requirements and criteria and focuses on examining the expected safety impact of future changes in nuclear technology. Using the INPRO methodology to assess the sustainability of a NES is a bottom-up exercise. It consists of determining for each INPRO methodology criterion the value of each of the INPRO methodology indicators for that criterion and comparing that value with the corresponding INPRO methodology acceptance limit. The comparison then provides a basis for judging the capability of the assessed NES to meet the respective sustainability criterion. As will be shown in discussing the INPRO basic principle and user requirements for this assessment area, the methodology encourages innovations that enhance the safety of nuclear reactors.
One of the basic assumptions of the INPRO methodology is the expectation that – to fulfil the needs of sustainable energy supply in the twenty-first century – the global number of nuclear reactors in operation will have to increase considerably compared to the situation today. Keeping the safety level of newly deployed reactors (after 2013) at the same level as the global operating systems today would lead to an overall increase in the numerical risk of nuclear accidents. It is expected, however, that this increase in calculated risk would be compensated by the increased safety level of the newly deployed reactors, based in part on lessons learned from systems in operation. Therefore, the INPRO methodology evaluates enhancements in the safety of new reactor designs but does not evaluate compliance with national or international (e.g. IAEA) safety standards. The reference design is assumed to comply with applicable safety standards because it is an operating plant. Similarly, a new reactor is assumed to be designed so that it complies with applicable safety standards. Confirmation of compliance of the reference or new design with national or international safety standards is outside the scope of the INPRO methodology. If such confirmation is needed, a separate peer review (e.g. using IAEA review services such as TSRs ) should be performed.
The INPRO methodology’s basic principle and its set of user requirements and criteria for sustainability assessment in the area of reactor safety are expected to apply to any type of advanced design and should foster appropriate developments and improvements that can be communicated to and be accepted by all stakeholders in nuclear energy.
The legal and organizational framework related to safety of nuclear reactors is dealt with in another report of the updated INPRO methodology focused on infrastructure.
INPRO basic principle for sustainability assessment in the area of safety of nuclear reactors
INPRO basic principle for sustainability assessment in the area of nuclear reactor safety: The safety of the planned nuclear installation is superior to that of the reference nuclear installation such that the frequencies and consequences of the accidents are greatly reduced. In the event of an accident, off-site releases of radionuclides are prevented or mitigated so that there will be no need for public evacuation.
Currently, nuclear facilities have significant restrictions with regard to siting, primarily due to the perceived high risk of potential consequences during severe accidents but also to a lesser degree due to the perceived risk of radioactive releases during normal operation. An advanced design is expected to allow – after achieving public acceptance of this development –a reduction of the restrictions on NPP siting. This is a long term objective to be achieved during the twenty-first century.
To approach the goal of the INPRO basic principle, the INPRO methodology proposes that designers/developers undertake the following key measures:
- Incorporate enhanced DID into an advanced nuclear reactor design as a part of the fundamental safety approach and ensure that the levels of protection in DID are more independent from each other than in a reference plant;
- Incorporate, where appropriate, inherently safe characteristics and passive systems into advanced nuclear reactor designs as a part of a fundamental safety approach to excel in safety and reliability;
- Take human factors into account in the design and operation of a nuclear reactor;
- Perform sufficient RD&D work to bring the knowledge of nuclear plant characteristics and the capability of analytical methods used for design and safety assessment of a plant with innovative features to at least the same confidence level as for a reference plant.
In addition, the INPRO methodology encourages the establishment and maintenance of a strong safety culture in all organizations involved in a nuclear power programme.
The INPRO methodology has developed seven INPRO user requirements for NES sustainability assessment in the area of reactor safety to specify in more detail the main measures presented above. These INPRO user requirements are to be fulfilled primarily by the designer (developer, supplier) of the NES . As stated before, the role of the INPRO assessor is to check, based on evidence provided by the designer, whether the designer has implemented the necessary measures as required by the INPRO methodology. The assessor’s product is therefore not an assessment of compliance with the IAEA Safety Standards but rather a sustainability assessment against the INPRO user requirements and criteria.
The following sections present the rationale and background information for each INPRO NES sustainability user requirement and criterion and then describe how indicators and acceptance limits are used to determine whether each CR has been met.
UR1: Robustness of design during normal operation
INPRO user requirement UR1 for sustainability assessment in the area of safety of nuclear reactor: The nuclear reactor assessed is more robust than a reference design with regard to operation and systems, structures and components failures.
This sustainability assessment INPRO user requirement mostly relates to the first level of the DID concept, which has the objective of preventing anticipated operational occurrences (AOOs). The objective is met if the plant stays in normal operation.
AOOs are those conditions of operation caused by plant internal and external events, and probable combinations thereof, that are expected to occur one or more times during the life of a nuclear reactor but neither cause significant damage to items important to safety nor lead to accident conditions that would rely on safety systems (Level 3 of DID) for coping. Examples of AOOs caused by internal or external events in a nuclear power plant[12] include faults such as a turbine trip, malfunction of individual items of a normally running plant, failure to function of individual items of control equipment, trips of a feedwater pump, loss of power to a main (reactor) coolant pump, etc.
The major means to achieve robustness of a reactor design are to ensure a high quality of design, manufacture, construction, and operation (and decommissioning), including adequate attention to human performance. It is important to note that for the assessment of all criteria of INPRO user requirement UR1 the assessor (a technology user) needs information on the reactor to be assessed and on a reference reactor design. The reactor assessed needs to be shown to be safer than the reference reactor.
For operating and evolutionary reactors, the requirements for design, manufacturing and operation are usually specified in (extensive) national standards or adopted standards from other countries; the most widely known and used standards are the Nuclear Codes and Standards published by the American Society of Mechanical Engineers (ASME) and for electric components and I&C the standards published for NPPs by the Institute of Electrical and Electronics Engineers (IEEE). For (innovative) designs still under development and for which no standards may yet exist, at least for the first plant to be installed, a conservative design approach according to existing standards can be proposed as discussed in more detail in the INPRO manual sections for sustainability assessment user requirement UR7.
INPRO assessment of a NES against criteria CR1.1 and CR1.2 of UR1 involves the consideration of multiple technical parameters. For these two criteria the INPRO methodology has developed a series of evaluation parameters (EPs) which are intended as recommendations to the INPRO assessor on how to assess the criteria. Criteria CR1.3, CR1.4 and CR1.5 do not require development of evaluation parameters.
The INPRO methodology criteria for UR1 are presented in Table 1.
Criterion CR1.1: Design of normal operation systems
ᅠIndicator IN1.1: Robustness of design of normal operation systems.ᅠ
|
||||||||||
---|---|---|---|---|---|---|---|---|---|---|
In the following, several design related aspects that, if enhanced, would increase the level of robustness of a nuclear reactor design during normal operations are discussed. It is acknowledged that increasing the robustness of a reactor design is a challenging task for a designer because enhancing one aspect could have a negative influence on other aspects. Thus, an optimum combination of design measures is necessary to increase the overall robustness of a design. The INPRO methodology has defined several design related aspects as evaluation parameters (EP1.1.1 to EP1.1.5) for criterion CR1.1:
The use of inherent safety characteristics is an additional means of achieving robustness (discussed separately under UR5). As stated above, these evaluation parameters are meant to be examples for a designer on how to achieve a higher level of robustness in a reactor design by looking for an optimum combination of these parameters. A detailed safety guide for the design of the core of water-cooled reactors is provided in Ref[13].
For final assesment of CR1.1: |
Criterion CR1.2: Reactor performance
ᅠIndicator IN1.2: Reactor performance attributes.ᅠ
|
||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
An improvement of performance attributes in normal operation are expected to increase the robustness of a nuclear reactor. Aspects that are linked to the characteristics of operation of the nuclear reactor assessed are defined as evaluation parameters (EP1.2.1 to EP1.2.8) for CR1.2 and discussed as follows:
For final assesment of CR1.2:
For a (innovative) reactor under development, the developer is to describe measures and features to ensure that reactor performance will be comparable or superior to that in operating plants. |
Criterion CR1.3: Inspection, testing and maintenance
ᅠIndicator IN1.3: Capabilities to inspect, test and maintain.ᅠ
|
---|
To meet this criterion, the reactor design is expected to permit more efficient and intelligent inspection, testing and maintenance. The criterion cannot be fully met by merely requiring more inspections and more testing. The programmes of inspection, testing and maintenance need to be driven by a sound understanding of failure mechanisms (corrosion, erosion, fatigue etc) so that the right locations are inspected, and the right systems, structures and components are tested and maintained at the right time intervals.
It is recognized that in the early operational stages of an innovative reactor, before the technology (experience) base is fully established, more inspection, testing and maintenance, may be required.
For a (innovative) reactor under development, measures and features are to be described that ensure that the capability to inspect, test and maintain will be comparable or superior to that in operating nuclear reactors. |
Criterion CR1.4: Failures and deviations from normal operation
ᅠIndicator IN1.4: Expected frequency of failures and deviations from normal operation.ᅠ
|
---|
For the reactor design assessed, the expected frequencies of initiating events leading to anticipated operational occurrences (AOOs) are supposed to be lower than those in the reference design.
The frequency of these initiating events for operating reactors is determined from operational experience and probabilistic analyses. Apparently, for more robust designs the reduction of these frequencies relative to those for the reference design is possible. However, the frequencies of such initiating events are usually defined as licensing requirements by national regulatory bodies based on detailed national probabilistic studies (see for example Refs[35][36][37][38][39]). Thus, they cannot be easily reduced by a designer because such a reduction would need approval by the responsible regulatory authority. |
Criterion CR1.5: Occupational dose
ᅠIndicator IN1.5: Occupational dose values during normal operation and AOOs.ᅠ
|
---|
This criterion focuses on radiation protection of NPP workers. It is important to note that criterion CR1.5 does not consider radiation exposure of workers during accidents; it considers only plant states corresponding to Levels 1 and 2 of DID, i.e. normal operation and anticipated operational occurrences. The issue of avoiding undue burdens from radiation exposure to the public and environment during normal operation and AOOs is covered in a separate area of the INPRO methodology called environmental impact of stressors; after accidents this issue is covered via INPRO NES sustainability user requirement UR4 for the area of reactor safety, which states that accidental releases outside the plant are prevented or mitigated.
The reactor assessed needs to ensure an efficient implementation of the concept of optimization of radiation protection for workers during design, commissioning, operation, and decommissioning through the use of automation, remote maintenance and operational experience from existing designs. Experience in operating reactors shows that maintenance, i.e. in-service inspection and periodic tests and repairs (including replacement), are the sources of most occupational doses. Criterion CR1.5 anticipates that new (advanced) reactors can take advantage of design concepts to achieve occupational dose reduction as a zero-cost side-effect of measures such as automated inspection and maintenance. New reactor designs are expected to be maintenance-friendly through careful layout, reliable equipment, and electronic availability of maintenance procedures at the work-face to guide those charged with performing maintenance duties. |
UR2: Detection and interception of anticipated operational occurrences
INPRO user requirement UR2 for sustainability assessment in the area of nuclear reactor safety: The nuclear reactor assessed has improved capabilities to detect and intercept deviations from normal operational states in order to prevent AOOs from escalating to accident conditions.
This INPRO NES sustainability user requirement UR2 mostly relates to the second level of the DID concept, which has the purpose of detecting and controlling deviations from normal operational states in order to prevent anticipated operational occurrences at the plant from escalating to accident conditions. The purpose is achieved if the plant returns to normal operation and the progression of AOOs to more severe conditions avoided.
In the design of new reactors, priority is given to advanced instrumentation and control (I&C) systems, and improved reliability of these systems. Optimization of a combination of reliable passive and active systems is important. When appropriate, priority can be given to (design-specific) inherent limiting characteristics (sometimes called ‘self-controlling properties’ or ‘inherent safety features’, see INPRO NES sustainability user requirement UR5 in this publication and Ref[44] for more detailed discussions) and to robust and simple (possibly passive) control systems and advanced monitoring systems.
The main function of the I&C system in this level of DID is to detect AOOs and enable the rapid return of the plant to normal operation conditions with, ideally, no consequences, e.g. no need for follow up inspections or regulatory event reports. I&C system data processing involves measurement data from several different sets of instrumentation, e.g. conventional process instrumentation, in-core instrumentation, ex-core instrumentation, rod position measurement instrumentation, reactor vessel water level measurement instrumentation, loose parts and vibration monitoring instrumentation, radiation monitoring instrumentation, accident instrumentation, hydrogen detection instrumentation, and boron instrumentation. These instrumentation sets may contain channels of different importance to safety. For innovative reactor designs, inherent characteristics and/or passive systems (or components) may be able to assist or even partially replace certain capabilities of the I&C system.
In addition to those AOOs that can influence the nuclear fuel in the reactor core, the design also has to cover the potential AOOs that involve the on-site handling and storage of fresh fuel and spent fuel outside the reactor core.
The INPRO methodology criteria for UR2 are presented in Table 1.
Criterion CR2.1: I&C system and inherent characteristics
ᅠIndicator IN2.1: Capabilities of the I&C system to detect and intercept and/or capabilities of the reactor’s inherent characteristics to compensate for deviations from normal operational states.ᅠ
|
||||||
---|---|---|---|---|---|---|
INPRO has defined the following evaluation parameters for CR2.1:
Inherent safety characteristics of a nuclear reactor, such as a negative reactivity feedback, influence the dynamic behaviour of the plant in a positive way, and can lead to reduced design requirements for the I&C systems.
For final assesment of CR2.1: |
Criterion CR2.2: Grace periods after AOOs
ᅠIndicator IN2.2: Grace periods until human actions are required after AOOs.ᅠ
|
---|
The ‘grace period’ for normal operation is defined as the time available, in case of a failure or the beginning of an AOO, before human (operator) action is required. The appropriate value of the grace period depends on the type of nuclear facility, the ease of diagnosis of the failure and the complexity of the human action to be taken.
The time needed by the operator for detecting a deviation is dependent on the situation and alarm signals.
The time to diagnose the situation appropriately is mainly dependent on the time and aids available to operators to identify the plant state. In addition, reliability of the I&C system is important. |
Criterion CR2.3: Inertia
ᅠIndicator IN2.3: Inertia to cope with transients.ᅠ
|
---|
The term ‘inertia’ means the capability of a nuclear reactor to cope with AOOs; the main objective of a high inertia is to avoid consequences with safety implications that could delay a return to normal operation. |
UR3: Design basis accidents
INPRO user requirement UR3 for sustainability assessment in the area of nuclear reactor safety: The frequency of occurrence of DBAs in the nuclear reactor assessed is reduced. If an accident occurs, engineered safety features are able to restore the reactor to a controlled state, and subsequently to a safe shutdown state, and ensure the confinement of radioactive material. Reliance on human intervention is minimal, and only required after a sufficient grace period.
This INPRO user requirement UR3 for sustainability assessment in the area of reactor safety mostly relates to the third level of the DID concept, which has the purpose of controlling accidents, preventing damage to the reactor core and preventing radioactive releases requiring off-site protective actions and returning the plant to a safe state.
The ‘design basis’ of a plant comprises the conditions and events taken into account in the design of the nuclear reactor such that the plant can withstand them by the planned operation of safety systems without exceeding authorized limits. Hence, a DBA is an accident causing conditions for which a facility is designed in accordance with established design criteria and conservative methodology, and for which the damage to the fuel and releases of radioactive material are kept within authorized limits[12].
The NPP design has to consider potential DBAs in all relevant operating stages of the nuclear reactor (e.g. commissioning, commercial operation and decommissioning) and operating phases (e.g. reactor start-up, power operation, hot stand-by, system shutdown, refuelling outage). In addition to accidents impacting the nuclear fuel in the reactor core, the design has to cover also accidents endangering the fresh fuel storage, on-site fuel transportation systems and the corresponding near reactor spent fuel pool.
The term ‘frequency of occurrence’ used in UR3 means the number of events per reactor year leading to a DBA as determined via probabilistic methods (probabilistic risk assessment).
An NPP has to be designed against DBAs caused by internal and external events (design basis external events – DBEE) and probable combinations thereof. A DBEE is “an external event or a combination of external events selected for the design of all or any part of a nuclear power plant, characterized by or having associated with it certain parameter values”[18]. DBEEs are the external events considered in the design basis of the plant and “to perform the safety functions required for DBEEs the designer should use either systems specific to external events or the safety systems already present in the plant for internal events”[18]. Examples of external events to be considered in the design are earthquake, flooding, external explosion, severe storm, airplane crash, sabotage, etc.[17][18]. As mentioned above, the frequency of external events per se cannot be influenced by the designer or operator for a given site. An appropriate selection of the site for the nuclear reactor assessed could have a positive effect. However, the frequency of DBAs caused by external events can be influenced by designer or operator. Based on lessons learned from the accident in Fukushima[19][20][21][22], also probable combinations of external events should be considered in the design such as an earthquake plus a fire and/or tsunami.
The term ‘controlled state’ is characterized by a situation in which the engineered safety features are able to compensate for the loss of functionality resulting from the DBA. An optimized combination of active and passive engineered safety features is expected to be used.
For advanced (innovative) reactor designs using passive design features to achieve almost all of the fundamental safety functions may be possible. These features could include passive shutdown, passive decay heat removal systems and passively operated coolant injection systems.
A reduced frequency of occurrence of DBAs, longer grace periods after detection of DBAs, enhanced reliability and capacity of engineered safety features, and increased subcriticality margins after DBAs will make the reactor design more robust against DBAs.
The INPRO methodology criteria for UR3 are presented in Table 1.
Criterion CR3.1: Frequency of DBAs
ᅠIndicator IN3.1: Calculated frequencies of occurrence of DBAs.ᅠ
|
---|
This criterion CR3.1 asks for a reduced frequency of occurrence (probability) of NPP DBAs caused by both internal and external events and probable combinations thereof. |
Criterion CR3.2: Grace period for DBAs
ᅠIndicator IN3.2: Grace periods for DBAs until human intervention is necessary.ᅠ
|
---|
The criterion CR3.2 ‘grace periods for DBAs’ is applicable in Level 3 of DID and implies a similar concept as introduced earlier for control of AOOs (see CR2.2) in Level 2 of DID. For DBAs (caused by internal and external events and probable combinations thereof) the criterion requires that actions of automatic active and/or passive safety systems provide an adequate grace period for the operator before intervention is necessary. |
Criterion CR3.3: Engineered safety features
ᅠIndicator IN3.3: Reliability and capability of engineered safety features.ᅠ
|
---|
The capability of the engineered safety features is characterized by their sufficiency to restore the reactor to a controlled state after DBAs without operator action. The term ‘controlled state’ is characterized by a situation in which the engineered safety features are able to compensate for loss of functionality resulting from a DBA (caused by internal and external events and probable combinations thereof). The reactor has to be taken to a safe shutdown state at least within the designed grace period (see CR3.2) with the assurance that sufficient core cooling exists. For this purpose, an optimized combination of active and passive engineered safety features is expected to be used. |
Criterion CR3.4: Barriers
ᅠIndicator IN3.4: Number of confinement barriers maintained (intact) after DBAs and DECs.ᅠ
|
---|
The indicator IN3.4 ‘number of barriers maintained’ and the corresponding acceptance limit AL3.4 ‘at least one and consistent with regulatory requirements for the type of accident under consideration’ mean that the safety systems and safety features are expected to deterministically provide for continued integrity at least of one barrier (containing the radioactive material) following any accident caused by internal or external events and probable combinations thereof. However, when national regulatory documents or international safety standards require to maintain more than one barrier after a certain type of accidents these requirements are to be used as the acceptance limit values (for this type of accidents) for INPRO assessment. |
Criterion CR3.5: Subcriticality margins
ᅠIndicator IN3.5: Subcriticality margins after reactor shutdown in accident conditions.ᅠ
|
---|
Indicator IN3.5 ‘Subcriticality margins after reactor shutdown in accident conditions’ refers to the magnitudes of reactivity of the shutdown reactor core when these parameters are supposed to be negative. Reactivity is a core characteristic related to the increase (positive reactivity) or decrease (negative reactivity) of the neutron population driven by the ongoing chain fission reactions . The value of reactivity and its behaviour as a function of time depends primarily on the core size and geometry, fuel composition (enrichment, burn-up, burnable poisons, etc), fuel structure, geometry and temperature, coolant and moderator parameters (temperature, density, poison concentration), and control rod positions and characteristics. |
UR4: Severe plant conditions
INPRO user requirement UR4 for sustainability assessment in the area of safety of nuclear reactor: The frequency of an accidental release of radioactivity into the containment / confinement is reduced. If such a release occurs, the consequences are mitigated, preventing or reducing the frequency of occurrence of accidental release into the environment. The source term of the accidental release into the environment remains well within the envelope of the reference reactor source term and is so low that calculated consequences would not require evacuation of the public.
This INPRO user requirement UR4 for sustainability assessment in the area of reactor safety is mostly related to the prevention of accident progression and the mitigation of severe accident consequences. An accidental release of radioactivity from the reactor fuel into the containment/ confinement could occur if, after an initiating (internal or external) event, additional failures of safety systems would occur and lead to severe core damage, i.e. loss of integrity of the fuel cladding in a majority of nuclear fuel elements of water-cooled reactors (coated fuel particles in the case of HTGRs). Potential reasons for reaching severe plant conditions include reaching a so-called cliff edge effect during the progression of certain external and internal events or probable combinations thereof. Ref[46] defines a cliff edge effect as “an instance of severely abnormal plant behaviour caused by an abrupt transition from one plant status to another following a small deviation in a plant parameter, and thus a sudden large variation in plant conditions in response to a small variation in an input”. In addition to accidents impacting the nuclear fuel in the reactor core, the design has to cover also accidents endangering the spent fuel in the corresponding spent fuel pool.
Mitigating the consequences means that the radioactivity released from the core during severe accidents needs to be kept safely inside the containment/ confinement of the reactor. For new reactors, the reliability of safety systems for controlling such complex accident sequences with severe core damage is expected to be increased, including their instrumentation, control and diagnostic systems, and appropriate severe accident management procedures are developed. By these measures, the frequency of occurrence of severe accidents with an emergency radioactivity release into the environment can be reduced.
The design of NPPs has to consider potential severe plant conditions in all relevant operating stages of the nuclear reactor (e.g. commissioning, commercial operation and decommissioning) and operating phases (e.g. reactor start-up, power operation, hot stand-by, system shutdown, refuelling outage). Indications of increased design robustness against severe accidents with severe core damage include: (i) a reduced frequency of severe accidents caused by internal and external events and probable combinations thereof, (ii) existence of sufficient engineered processes and equipment to control relevant system parameters and activity levels in the containment/ confinement, (iii) sufficient in-plant accident management to prevent or mitigate an accidental release of radioactivity from the plant to its environs and (iv) increased design margins of the containment/ confinement against internal and external loads. Based on the lessons learned from the accident at Fukushima Daiichi in 2011, the design of new reactors needs to demonstrate an increased robustness against some extreme situations (with more than one initial event and multiple failures).
The INPRO methodology requirements for NES sustainability assessment that relate to emergency preparedness and response, i.e. Level 5 of DID, have been considered as part of the national infrastructure necessary to create and maintain a sustainable nuclear energy system. Such requirements are therefore described in the INPRO manual covering the Infrastructure area[10].
The INPRO methodology criteria for UR4 are presented in Table 1.
Criterion CR4.1: Frequency of release into the containment/ confinement
ᅠIndicator IN4.1: Calculated frequency of accidental release of radioactive materials into the containment / confinement.ᅠ
|
---|
An accidental release of radioactivity into the containment/ confinement could occur if the integrity of a major part of nuclear fuel in the reactor core or in the spent nuclear fuel pool is lost during an accident. Table 3 gives examples of very low core damage frequencies (CDFs) claimed by the designers of AP1000[47], EPR[48] and KERENA (SWR1000)[49]. |
Type of reactor | Frequency of core damage per year |
---|---|
AP1000
|
2.4·10-7 |
EPR (power operation plus shutdown)
|
6.1·10-7 |
KERENA (with AM measures)
|
4.1·10-8 |
Note: AM - accident management (see CR4.3).
Criterion CR4.2: Robustness of containment/ confinement design
ᅠIndicator IN4.2: Containment loads covered by the design, and natural or engineered processes and equipment sufficient for controlling relevant system parameters and activity levels in containment / confinement.ᅠ
|
---|
Typical lists of internal and external events that should be considered in the design of containment/ confinement systems are provided in Ref[50]. Processes to mitigate consequences including those to avoid loss of containment/ confinement integrity can be very reactor design-specific, e.g. for molten salt reactors and HTGRs they are quite different from those for water-cooled reactors. During the design phase of new reactors special attention needs to be given to considering related preventive and mitigative measures in a balanced way. To avoid a loss of containment/ confinement integrity due to, e.g. overpressure and high temperatures – compared to operating reactors – the containment/ confinement of new reactors is expected to be designed against higher loads caused by an accident with an accidental release of radioactive material into the containment/ confinement. Closure of containment penetrations such as steam or feed water lines in LWRs can be designed with higher reliability, e.g. by increasing the reliability of valves. In addition to loads on the inside of the containment/ confinement (e.g. overpressure) also loads on the outside caused by external events (e.g. tsunami) are expected to be covered with greater margins in new designs. |
Relevant System Parameter | Engineered Mitigating Processes | Explanations |
---|---|---|
Water level inside RPV | System for water injection from sources inside and outside containment. | The core melt might be stopped (as occurred in the Three Mile Island Unit 2 accident). |
Water level in the containment | System for water injection into RPV cavity from sources inside and outside containment. | The RPV could be cooled from the outside; the melt progression might be at least delayed; the melt could be retained within the RPV. |
Activity level in containment | Designed path of fission products through water pools inside containment to enable scrubbing. Containment spray system for scrubbing of fission products. Containment internal filters between compartments. | Scrubbing means retention of fission products in water; it is a very effective method to reduce the activity level in the containment atmosphere. Containment internal filters will reduce the activity level. |
Containment pressure | Outside or inside cooling of contai nment. Venting to the environment via filter. Hydrogen re-combiners or igniters (in case the containment is not inerted) |
Outside or inside cooling of containment will limit the pressure. Venting reduces the load on the containment. Hydrogen re-combiners or igniters avoid hydrogen explosion. |
Criterion CR4.3: Accident management
ᅠIndicator IN4.3: In-plant AM.ᅠ
|
---|
In accidents more severe than DBAs, the in-plant AM measures provide tools to the operator for preventing a further release into the containment/confinement, and/or for reducing the air concentration of radio-nuclides already there, in order to prevent an accidental release of radioactivity to the outside of the plant (into the environment)[51] that would need emergency response measures. |
Criterion CR4.4: Frequency of accidental release into environment
ᅠIndicator IN4.4: Calculated frequency of an accidental release of radioactive materials into the environment.ᅠ
|
---|
An accidental release of radioactivity to the environment can occur if the containment/ confinement loses its integrity after an accident with severe core damage. Examples for causes of containment failures are overpressure due to hydrogen or steam explosion and penetration of the base plate by a molten core-concrete interaction (mainly in water-cooled reactors )[53]. Scenarios of a containment/ confinement failure need to be prevented or mitigated by design measures as discussed above, e.g. by increasing the design pressure of the containment. Other examples for design measures to prevent containment failure due to melt-through of the basement floor of advanced water reactors are the core catchers in the EPR or advanced WWER designs, the reactor pressure vessel internal (corium) retention device for the KERENA (SWR1000), and the water-filled calandria vessel and vault in the Enhanced CANDU-6 (EC6) reactor. Examples for design measures to prevent containment failures due to over pressurization are the inclusion of containment cooling systems, and hydrogen catalytic re-combiners or igniters.
In 2016 this principle was incorporated in the revised IAEA Safety Standards[9] in requirements associated with Level 4 of DID:
It is recognised that the existing reference plant selected for the INPRO assessment of a new reactor design might not comply with this new requirement. However, the new reactor designs are expected to demonstrate practical elimination of large releases and early releases (see summary report of the Diplomatic Conference held in the IAEA[55]). |
Plant | Frequency/a of sum of containment failure modes |
---|---|
EPR[48]
|
4·10-8 |
AP1000[47]
|
2·10-8 |
Criterion CR4.5: Source term of accidental release into environment
ᅠIndicator IN4.5: Calculated inventory and characteristics (release height, pressure, temperature, liquids/gas/aerosols, etc) of an accidental release.ᅠ
|
---|
Radiological criteria for evacuation of population are normally formulated in terms of projected dose[56]. The calculated consequences (public dose) of radioactive releases to the outside of the NPP after severe accidents need to be kept sufficiently low (lower than the levels defined for evacuation) to avoid the necessity for commencing the evacuation of people living in the vicinity of the plant[57]. |
Emergency preparedness and response
The accidents at Three Mile Island Unit 2 (with an intact containment and no significant accidental release of radioactive materials to the environment), Chernobyl and Fukushima[19] (with large accidental releases of radioactive materials to the environment) have sensitized the public regarding the releases of radioactive elements to the environment. Moreover, if nuclear energy is to play a major role in the future, many more plants will have to be installed, and these are expected to be of designs that can be easily sited. Some countries have the good fortune to have numerous large remote sites available for nuclear power plants to be located, but many countries do not; hence design of a new nuclear plant does not need to rely too heavily on distance from the population. Therefore, it is generally agreed that new nuclear reactors are expected to be designed in such a way that for any postulated accident even with a highly degraded core, a significant release of radioactive material to the environment will be impossible or extremely unlikely.
As discussed in the previous Section 4.6, the INPRO methodology in effect asks the designer to prevent or mitigate the scenarios of accidental release to assure that projected doses to the public will be lower than the dose criteria for emergency evacuation.
To achieve this goal, engineered safety features of new reactors (as discussed for UR4) need to be able to control scenarios of accidents more severe than DBAs and mitigate their consequences, e.g. to prevent complete containment/ confinement failure that results in accidental radioactive releases. Control and mitigation measures need to address all threats (caused by internal and external events and probable combinations thereof). New reactor designs are expected to show that an accidental release of radioactivity into the environment requiring evacuation of population has been practically eliminated, e.g. through use of inherent safety characteristics. It is however acknowledged that also for new (and advanced) reactors emergency preparedness arrangements will have to be established to meet the objective of the fifth level of DID.
Level 5 of DID assumes that an accidental release of radioactivity into the environment will occur during an accident with severe core damage due to a failure of the containment/ confinement. The objective of this fifth DID level is to ensure that necessary emergency response measures such as sheltering, distribution of iodine, evacuation, relocation, etc. can be taken to protect the people and the environment after such an accidental release. The INPRO methodology NES sustainability requirement on emergency preparedness is discussed in another manual[10] focused on Infrastructure (see EP1.2.4 in Ref[10]).
UR5: Independence of did levels, inherent safety characteristics and passive safety systems
INPRO user requirement UR5 for sustainability assessment in the area of reactor safety: An assessment is performed to demonstrate that the DID levels are more independent from each other than in the reference design. To excel in safety and reliability, the nuclear reactor assessed strives for better elimination or minimization of hazards relative to the reference design by incorporating into its design an increased emphasis on inherently safe characteristics and/or passive systems, when appropriate.
As discussed in Section 2.2 the different levels of DID range from operating to accident plant states. They are arranged with increasing severity from operational states (Level 1) to the mitigation of radiological consequences of significant releases of radioactive material to the environment (Level 5). As stated in Ref[7] the general goal of DID is to ensure that even a combination of equipment or human failures at one level of defence will not progress to subsequent DID levels and jeopardize DID at those levels. Thus, the independence of safety systems designed to cope with different levels of defence is key in meeting this goal.
Ref[14] explains that “the full independence of the levels of defence in depth cannot be reached, due to several constraints, such as the common exposure to external hazards, the unavoidable sharing of some SSCs, e.g. the containment or the control room and ultimately the operating crew”. INPRO methodology in the area of reactor safety is focused on the improvement or expansion of the independence of DID levels in new reactors rather than on achievement of full independence. To confirm sufficient independence of the DID levels of the reactor assessed a safety assessment had to be performed using a suitable combination of deterministic and probabilistic approaches, or hazards analysis.
Design assessments regarding the DID concept could be quite different for different reactor designs. It is evident that inherent safety characteristics increase the independence of the different DID levels since “inherent safety feature represents conclusive, or deterministic safety, not probabilistic safety”[58] unlike engineered systems, structures and components that “remain in principle subject to failure (however low the probability of such failure)”[58].
The second part of INPRO user requirement UR5 for sustainability assessment in the area of reactor safety is focused on the role of inherent safety and passive safety features in new nuclear designs. Some background on these safety features is provided as follows.
Inherent safety characteristics
An increased use of inherent safety characteristics in the design will strengthen accident prevention in advanced nuclear plants by reducing hazards. A plant design possesses an inherently safe characteristic against a potential hazard if the hazard is rendered technically impossible. An inherent safety characteristic in a reactor design can be achieved through the choice of nuclear physics, and the physical and chemical properties of nuclear fuel, coolant and other components. The term inherent safety is normally used with respect to a particular characteristic, not to the plant as a whole. For example, an area is inherently safe against internal fire if it contains no combustible material; a reactor is partially inherently safe against reactivity insertion if the physically available amount of excess reactivity is small and overall reactivity feedback is negative so that no large power excursions can occur; a reactor is inherently safe against loss of the heat sink if decay heat can be removed by conduction, thermal radiation and natural convection to the environment without fuel damage, etc.
Examples of reactor concepts with increased robustness against certain potential hazards are designs with all cooling loops inside the pressure vessel (avoidance of loss of coolant in case of loop breaks), use of liquid metals or molten salts (avoidance of high system pressures), use of small excess reactivity (avoidance of large power excursions), low power density cores (limiting fuel temperature in reactivity transients), use of passive safety systems (potentially higher reliability, e.g. natural convection), and use of non-flammable materials (avoidance of fires), etc.
The design of a new reactor is expected to be such that hazards are eliminated (if possible) or minimized, e.g. by limiting the use of explosive gases to the absolute necessary amount, or by using inherent safety features in the core design and operation to limit excess reactivity. If hazards cannot be eliminated, appropriate protective measures have to be installed. In addition, administrative measures need to exist to avoid human errors to the extent possible (e.g. by limiting the transport of hazardous material inside the containment/confinement during shutdown periods).
The analysis of hazards and their consequences are performed using deterministic and probabilistic approaches. For the deterministic approach, engineering judgment, operating experience, validation of design tools and a continuous exchange of information also with other industries is mandatory. For probabilistic approaches, the methods need also to be validated, and the data used have to be reliable. Analyses need to cover all operating states including full power, shutdowns, and maintenance and repair intervals.
There are also external hazards associated with the site of an NPP. Examples of such hazards related to the siting are earthquakes, flooding, storms, and explosions outside the plant. By selecting an appropriate site for an NPP these hazards can be minimized.
The analysis of an inherent safety characteristic is difficult but is possible by the application of adequate mathematical models and, in some cases, by experimental investigations. The necessary RD&D effort to achieve sufficient confidence in advanced designs with increased inherent safety characteristics is discussed in UR7.
Passive safety systems
Passive safety systems can provide additional safety margins; in such cases, deterministic (conservative) design requirements such as the single active failure criterion may not be necessary (since safety will not depend as much on active components), assuming that reliability models are developed for passive systems. Nevertheless, failures in passive systems due to human error in design or maintenance, the presence of unexpected phenomena, and potential adverse system interactions, need to be analysed and may need to be compensated by other design measures.
Safety systems with passive components are very often deemed more reliable due to missing (or a reduced number of) active components; in addition, no (or very limited) human actions are needed and thus, the likelihood of human errors is very low.
A comprehensive description of passive safety systems for water cooled reactors including the associated physical phenomena is provided in the IAEA report[59].
The following passive safety systems are discussed[59]:
- For core heat removal: accumulators, core make-up tanks, elevated gravity drain tanks, passively cooled steam generator natural convection, passive residual heat removal heat exchangers, passively cooled isolation condensers and sump natural circulation device;
- For containment cooling and pressure suppression: containment pressure suppression pools, containment passive heat removal/pressure suppression systems, and passive containment spray systems.
In addition, in Ref[59] the specific designs of twenty advanced reactors are presented with emphasis on passive safety systems. The IAEA has defined four categories of passive systems, as indicated in Table 6 below.
Needed function | Category | |||
---|---|---|---|---|
A | B | C | D | |
I&C Signal. | – | – | – | X |
External power source or forces. | – | – | – | Batteries or compressed fluids or gravity driven injections. |
Moving mechanical parts. | – | – | X | (X) |
Moving working fluids. | – | X | (X) | (X) |
Examples | Fuel cladding, pressure boundary. | Cooling system based on natural circulation. | Accumulators, filtered venting activated by rupture discs. | Emergency core cooling, based on gravity driven fluids and activated by battery-powered valves. |
Note: X = function included
For example, category A is characterized by:
- No signal input of intelligence (I&C signal);
- No external power source or forces;
- No moving mechanical parts; and
- No moving working fluid.
Typical examples of category A are physical barriers against fission product release, such as the fuel cladding and the pressure boundary system. The reliability data of a passive safety system or a passive component have to be taken from operating experience and analyses ; it is evident that moving parts (e.g. valves) might decrease reliability of such systems.
The INPRO methodology criteria for UR5 are presented in Table 1.
Criterion CR5.1: Independence of DID levels
ᅠIndicator IN5.1: Independence of different levels of DID.ᅠ
|
---|
A deterministic method for assessing the DID capabilities of a nuclear reactor design is described in Ref[60]. The method is based on objective trees for each level of DID that define the following elements from top to bottom: the objective of the DID level, the relevant safety functions to be met, identified general challenges to the safety functions based on specific root mechanisms for each of these challenges and a list of provisions in design and operation for preventing the mechanism from occurring. |
Criterion CR5.2: Minimization of hazards
ᅠIndicator IN5.2: Characteristics of hazards.ᅠ
|
||||||||||
---|---|---|---|---|---|---|---|---|---|---|
In this publication hazards are generally interpreted as potential sources of danger. Examples of hazards include overheating, fire, explosions, criticality, release of radioactive material, radiation exposure, etc. This criterion CR5.2 encompasses five evaluation parameters focussed on specific groups of hazards and formulated as follows:
In addition to hazards jeopardizing the nuclear fuel in the reactor core the assessment of criterion CR5.2 has to cover also potential hazards endangering the on-site storage and handling of fresh fuel and spent fuel in the corresponding near reactor spent fuel pool.
For final assessment of criterion CR5.2: |
Criterion CR5.3: Passive safety systems
ᅠIndicator IN5.3: Reliability of passive safety systems.ᅠ
|
---|
This criterion needs to be assessed only when the new reactor design incorporates passive safety systems or components to perform safety functions where the reference design uses active systems/ components. |
INPRO user requirement UR6 for sustainability assessment in the area of reactor safety: Safe operation of the nuclear reactor assessed is supported by accounting for HF requirements in the design and operation of the plant, and by establishing and maintaining a strong safety culture in all organizations involved.
There are two aspects of safety covered in this INPRO user requirement for NES sustainability assessment. The first one is focused on the design of equipment related to safety, especially the control room, to minimize human errors, and the second one covers the attitude to safety of people in nuclear facilities and related organizations.
The INPRO methodology criteria for UR6 are presented in Table 6.
Criterion CR6.1: Human factors
ᅠIndicator IN6.1: HF considerations are addressed systematically throughout the life cycle of the reactor.ᅠ
|
---|
The importance of the human factor for safe and reliable operation of NPPs is globally recognized and is an issue that needs to be dealt with systematically in a reactor design[53]. Thus, the designer of a new reactor is expected to place increased emphasis on human factors to minimize the possibilities for human (e.g. operator or maintainer) error. The experience available from operating nuclear plants and the best practices from other industries such as aircraft and chemical plants needs to be taken into account for this process.
Complementary information on human factor consideration is provided in Appendix IX. |
Criterion CR6.2: Attitude to safety
ᅠIndicator IN6.2: Prevailing safety culture.ᅠ
|
---|
The periodic reviews concerning safety culture have to cover not only the operating organization but also regulatory and other responsible government authorities as well as industrial entities. The assessment of this criterion CR6.2 is based on the outcome of safety culture reviews of at least the following organisations: operating organisation, regulatory body, NPP developer and supplier, and fuel suppliers. |
UR7: Necessary RD&D for advanced designs
INPRO user requirement UR7 for sustainability assessment in the area of reactor safety: The development of innovative design features of the nuclear reactor assessed includes associated research, development and demonstration (RD&D) to bring the knowledge of plant characteristics and the capability of analytical methods used for design and safety assessment to at least the same confidence level as for operating plants.
INPRO user requirement UR7 for sustainability assessment in the area of reactor safety discusses the necessary research, development and demonstration (RD&D) effort for development of nuclear reactors with primarily innovative but also evolutionary design features.
It is well-known that intensive research is needed to bring the level of knowledge of plant behaviour and the capability of computer codes to model phenomena and system behaviour for innovative reactor designs to at least the same confidence level as for operating plants.
A sound knowledge of the phenomena, component, and system behaviour is required to develop computer models for accident analysis of reactors. Hence, the more a plant differs from operating designs, the more RD&D is required. RD&D provides the basis for understanding events that threaten the integrity of barriers defined by the DID concept. RD&D can also provide information to reduce allowances for uncertainties in design, operating envelopes, and in estimates for accident frequencies and consequences.
As the development of an innovative design proceeds, RD&D is carried out to identify phenomena important to plant safety and operation and to develop and demonstrate an understanding of such phenomena. At any given point in the development process the current understanding is incorporated into (computer or analytical) models that form the basis for design and for safety assessments. Such models are then used as a tool for sensitivity analyses to identify important parameters and to estimate safety margins. The results of such analyses are also used to identify coupled effects and interactions among systems that are important to safety. It is not unusual to obtain unexpected results, particularly in the early stages of development. The results, whether expected or not, are used to guide the RD&D programme to e.g. improve conceptual understanding, obtain more accurate data, confirm the extent of system interactions/independence, and characterize the design. The RD&D, in turn, leads to improvements in understanding and in the analytical tools used in design and in safety analyses.
The process is iterative: At the pre-conceptual stage of development, physical understanding, analytical models, supporting data bases, and codes may be simplistic and involve significant uncertainties; but as development proceeds, understanding increases and uncertainties (both in conceptual understanding and in data) are reduced, and the validation of analytical models and codes improves. At the time of commercialization, all safety relevant phenomena and system interactions need to be identified and understood and the associated codes and models need to be adequately qualified and validated for use in the safety analyses, which in turn demonstrates that the plant design is safe. Complementary aspects are outlined in Ref[64].
The INPRO methodology criteria for UR7 are presented in Table 1.
Criterion CR7.1: Safety basis and safety issues
ᅠIndicator IN7.1: Safety basis and a clear process for addressing safety issues.ᅠ
|
---|
The term ‘safety basis’ or ‘safety case’ is understood to be the documentation of safety requirements and safety analyses of a new reactor design before it is being constructed and operated. It is a structured argument, supported by evidence, intended to justify that a system is acceptably safe. It is acknowledged that the safety basis of evolutionary designs is usually covered by established mechanisms; the safety basis of innovative designs has to be developed based on intensive RD&D. |
Criterion CR7.2: RD&D
ᅠIndicator IN7.2: RD&D status.ᅠ
|
---|
Research, development and demonstration (RD&D) on the reliability of innovative components and systems, including passive systems and inherent safety characteristics, need to be performed to achieve a thorough understanding of all relevant physical and engineering phenomena required to support the safety assessment. At least the following are expected to be met by the RD&D programme of a developer for an innovative design:
It is common practice to assess nuclear system or component behaviour on the basis of code calculations, operating experience and commonly accepted engineering practice. For innovative designs, there is currently limited operating experience. Innovative designs may use new core materials, employ fluids in new thermal-hydraulic regimes, and use radically different fuel and coolants. Development of computer codes to model such innovative designs can proceed in parallel. These computer codes need to be formally verified and validated defining their regions of applicability, using state-of-the-art techniques established in international standards (e.g. validation matrices, uncertainty quantification, proof of scalability, automated verification tools, code qualification reports, etc.) and need to be well documented (e.g. software requirements specifications, theory manuals, user manuals, flow charts, etc.). The design process may involve several iterative RD&D cycles, design modifications and verifications of compliance with the design objectives including safety objectives. Standard safety assessment is based on deterministic and probabilistic techniques and requires essential efforts and detailed information on system design and operating conditions that may not be fully available for innovative systems at the early design stages. However, if the design process is organised correctly the level of design maturity can be expected to grow along with the knowledge accrued in RD&D and verification studies. A few formal approaches applicable at different design stages have been developed to define necessary RD&D in an efficient and effective manner.
For probabilistic analyses the availability of reliability data with uncertainty bands is required. |
Criterion CR7.3: Computer codes
ᅠIndicator IN7.3: Status of computer codes.ᅠ
|
---|
It is common practice to design and assess the behaviour of structures, systems and components of nuclear energy systems on the basis of code calculations. For operating nuclear facilities many suitable, i.e. verified and validated, computer codes are available.
|
Criterion CR7.4: Novelty
ᅠIndicator IN7.4: Pilot or demonstration plant.ᅠ
|
---|
Acceptance limit AL7.4: In case of a high degree of novelty: a pilot or demonstration plant is specified, built and operated, lessons are learned and documented, and results are sufficient to be extrapolated to a full-size plant. In case of a low degree of novelty: a rationale is provided for bypassing a pilot or demonstration plant. |
Criterion CR7.5: Safety assessment
ᅠIndicator IN7.5: Adequate safety assessment involving a suitable combination of deterministic and probabilistic methods, and identification of uncertainties and sensitivities.ᅠ
|
---|
The safety assessment is expected to be performed using a suitable combination of deterministic and probabilistic evaluations and documented in an appropriate format[66]. The analysis needs to cover all modes of operation of the installation to obtain a complete assessment of conformance with the DID concept. Deterministic safety assessment[46] uses a pre-defined set of accidents to define the design of the safety systems. Normally pessimistic assumptions on accident initiation and evolution, plant state, and plant response are applied. Probabilistic safety assessment (PSA)[67][68] calculates the frequency and consequences of all accidents down to very low probability of occurrence. Best estimate analyses are commonly used in PSA because a realistic response to an initiating event is needed to estimate the risk and to determine the margins in predicted plant behaviour between a conservative deterministic safety assessment and a best estimate result.
In principle, a PSA is expected to investigate all possible accident scenarios. Practically, all scenarios involve phenomena associated with some uncertainty; therefore, there exists a fundamental uncertainty in the results of these analyses. A thorough uncertainty analysis can identify areas that need further investigation. Furthermore, if the PSA generates ‘point’ estimates, an uncertainty analysis may contribute to the credibility of these results. Sensitivity studies – determining the difference in results using a defined value of a variable and a given deviation from that reference value – are a tool to define the required accuracy (or allowable uncertainty) of a variable. Typically, three classes of uncertainties are identified:
In case a required accuracy has not been achieved, either additional experiments have to be performed or design provisions have to be implemented to cope with these uncertainties. Detailed consideration of uncertainties in reliability data of components and human performance involves human factor related data appropriate for a given organisation and / or country. |
Concluding remarks
To achieve long term sustainability for nuclear reactors to be installed after 2013 one basic principle has been formulated by the INPRO methodology along with seven user requirements for sustainability assessment in the area of reactor safety. The approach to safety is based on the application of an enhanced DID strategy compared to reference designs, supported by increased emphasis on inherent safety characteristics and passive features. Greater independence of the different levels of DID is considered a key element to avoid failure propagation from one level to the subsequent one. The number of physical barriers in a nuclear facility that are necessary to protect the environment and people depends on the potential internal and external hazards and the potential consequences of failures; therefore, the barriers will vary in number and strength depending on the type of nuclear reactor (e.g. with high or very low power density cores).
The end point of the enhanced DID strategy is that, even in case of accidents with severe core damage, emergency radioactivity releases from the plant large enough to require evacuation of population must be made very unlikely.
The developer of a new reactor design needs to consider the objectives of nuclear safety together with those of physical protection and proliferation resistance during all design stages.
Appendix I
Examples of reference reactors for INPRO assessment
Using of the INPRO methodology in the area of reactor safety requires a reference reactor design in addition to the reactor design being assessed. The reference design should represent the latest design operating in 2013 designed preferably by the same designer as for the plant assessed. For innovative reactors which may have no operating prototypes in 2013, the latest design that has been safely operated or at least licensed can be used as a reference - designed preferably by the same designer as the reactor assessed and using the same technology.
In the following Table 7 potential reference designs are proposed for some novel water-cooled reactor designs.
Designer | Reactor assessed | Reference plant |
---|---|---|
Gidropress | AES-2006/V-491 | WWER1000/V-320 |
Westinghouse | AP1000 | SNUPPS, Sizewell B (UK) |
AREVA | EPR | N4, Civaux 1,2 (France) |
Hitachi-GE | ABWR | BWR5, Kashiwazaki Kariwa (Japan) |
Candu Energy Inc. | EC6 | CANDU6, Point Lepreau (Canada) |
GE-Hitachi | ESBWR | BWR6, Leibstadt (Switzerland) |
KEPCO | APR1400 | OPR1000, Shin Kori 2 (Republic of Korea) |
Mitsubishi | US-APWR | PWR (four-loop), Ohi 4 (Japan) |
In the following Table 8 potential reference designs are proposed for some innovative sodium cooled fast reactors.
Designer | Reactor assessed | Reference plant |
---|---|---|
IGCAR | CFBR | PFBR (India) |
OKBM | BN-1200 | BN-800 (Russian Federation) |
CIAE | CFR-1000 | CEFR |
Appendix II
ᅠExample of approach to the assessment of reactor core design marginsᅠ
|
---|
The following discusses an example of how to approach the INPRO assessment of reactor core design and other safety related components with respect to design margins (robustness).
The thermal fuel design determines the margins of the fuel against specified limits on such quantities as centerline fuel temperature, fission gas release, or maximum fuel cladding temperature. In the mechanical fuel design, it has to be shown that the fuel and the core internals can cope with loads resulting from operational states (fission gas pressure, vibrations, lift-up, etc.) as well as with external loads, e.g. from earthquakes and hydraulic forces (in case of pipe breaks).
This list can be used by the INPRO assessor to compare the core design of the reactor to be assessed with that of the reference design. |
Appendix III
ᅠExamples of monitoring systemsᅠ
|
---|
Examples of monitoring systems for water cooled reactors are given below, some of which may also be applicable to various non-water-cooled designs. |
Appendix IV
ᅠFrequencies of DBAᅠ
|
---|
In the following, the approach to assessment of CR3.1 for accidents caused by internal events is discussed. The correlation between the probability of occurrence (i.e. the calculated frequency) and dose or damage to an individual or the public (and environment) is schematically shown in Figure 4, which illustrates three aspects:
It has to be mentioned that a DBA may be caused either by a sequence of events, i.e. in such a case the frequency of an initiating event is not necessarily equal to the frequency of the DBA, or by a single initiating event (e.g. large pipe break) causing the DBA immediately. The frequencies of several internal initiating events of DBAs to be used in probabilistic analyses – similar to the frequencies of AOOs (see CR1.4) – are usually postulated by national regulatory bodies based on comprehensive (national) risk studies[35][38][39]. Thus, a change (reduction) of these values would need the approval of licensing authorities as part of a licensing process. However, for the purpose of INPRO assessment of NES sustainability, technical arguments can be developed by the designer/developer that support potential expected reduction of the frequencies of these specific internal initiating events of DBAs in the new reactor compared to the reference plant. Arguments to support such a reduction include those based on: improved materials (e.g. with higher strength), improved design margins (e.g. against overstressing and fatigue, against departure from nuclear boiling, etc.), more effective and efficient inspections (e.g. introduction of a leak before break concept), and continuous monitoring of plant health, etc. Thus, for the purpose of INPRO assessment of NES sustainability, lower frequencies of occurrence of the group of DBAs discussed above in a new reactor design could be tentatively justified by provisions implemented in Level 1 of DID. As an example of frequencies of occurrence of DBAs for new LWRs, INPRO methodology proposes for a small break (SB) LOCA the value of FSB: and for a medium or large break (LB) LOCA: These frequencies FSB and FLB could be used as INPRO methodology acceptance limits for those specific DBAs of LWRs when the corresponding frequencies of the reference design are higher than FSB and FLB or not available to the INPRO assessor. |
Appendix V
ᅠEmgineered safety featuresᅠ
|
---|
Engineered safety features (safety systems) are designed to ensure the fundamental safety functions by providing the safe shutdown of the reactor, the removal of the residual heat from the reactor core, and confinement of radioactive material to limit the consequences of DBAs (caused by internal and external events and probable combinations thereof). Engineered safety features and protection systems should be provided to prevent evolution towards severe accidents and to prevent core damage in particular[7], and also to confine radioactive materials within the containment system.
|
Event | Probability of failure of engineered safety system* per demand and unit |
---|---|
Loss of heat sink | 8.0·10-6 |
Loss of feed water supply | 2.1·10-5 |
Breaks in reactor coolant pipe > 200 cm2 | < 3.0·10-3 |
Breaks in reactor coolant pipe 80 to 200 cm2 | 3.5·10-3 |
Breaks in reactor coolant pipe 2 to 12 cm2 | 1.1·10-3 |
ATWS** during loss of main feed water | 8.4·10-3 |
Notes: * - loss of safety function, ** - anticipated transient without scram (ATWS)
Appendix VI
ᅠConfinement barriersᅠ
|
---|
The general strategy for DID is twofold: first, to prevent accidents and, second, if prevention fails, to limit their potential consequences and prevent any evolution of accidents to more serious conditions, i.e. Levels 4 and 5 of DID. Should preventive measures fail, mitigatory measures, in particular a well-designed containment/confinement can provide the necessary final protection of the public and environment. Generally, several successive physical barriers for the confinement of radioactive material are put in place. Their specific design may vary depending on the radioactivity of the material, on the possible loads on the different barriers and, evidently, on the reactor design itself. |
DID Levels | INPRO requirement on minimum number of barriers maintained | Minimum number of barriers maintained (example of operating PWR) |
---|---|---|
1 | All barriers provided by the design for normal operation | 4 - fuel matrix, fuel cladding, primary circuit boundary, containment |
2 | ||
3 | At least one | 3a - fuel matrixb, fuel claddingb, containment |
4 | At least one | At least one |
Notes:
a – assuming that primary coolant boundary was damaged after LOCA.
b – limited number of fuel rods may fail.
Appendix VII
ᅠAccident managementᅠ
|
---|
The AM is defined in the IAEA Safety Glossary[12] as follows:
The IAEA published a safety guide on the AM programmes for NPPs[52] providing detailed recommendations on the development of such programmes, on the structure of AM guidance, and on the AM strategies to be developed for different accidental scenarios. Ref[52] states:
The in-plant AM measures and actions in case of a highly degraded core are very plant-specific. For water-cooled reactors, examples for in-plant AM measures which can be initiated by the operator when appropriate include:
In the past – based on experience from the accidents at Three Mile Island and Chernobyl – some operating reactors had to be back-fitted (improved or modified), e.g. enhancing ranges of instrumentation, installing filtered containment venting systems and hydrogen recombiners etc. Besides the use of designated safety features, all types of nuclear power plants have the potential to use other (operational) systems to regain control of the facility after an accident with severe core damage and/or heavily degraded fuel in the spent fuel pool.
|
Appendix VIII
ᅠEstimation of consequence of external releaseᅠ
|
---|
International Commission on Radiological Protection[83] recognises three types of radiation exposure situations that for the case of NPP can be presented as follows:
Evacuation of population is a protective action in an emergency that can reduce the risk of stochastic effects, i.e. reduce consequences of the accident. Radiological criteria for evacuation of population are normally formulated in terms of projected dose. Dose calculations need to be performed with validated computer codes; these calculations have to include uncertainty analyses. To avoid the necessity for protective actions such as evacuation of people around an NPP the calculated public dose after a severe accident needs to be below the criteria for evacuation of population for emergency exposure situations. |
Appendix IX
ᅠHuman factor considerationᅠ
|
---|
There are two perspectives of the human factor: On the one side, the operating staff is seen as a valuable resource that is playing an important role in plant operation, testing, maintenance and inspection of the plant, and sometimes compensating deficiencies in automatic systems. On the other side, human intervention has also to be seen as a factor of disturbance and of limited reliability, the consequences of which have to be taken into account in the design of all plant systems and functions, to ensure a sufficient level of safety and availability of the plant.
As a common design principle, it has to be ensured that:
It is expected that the ability to predict human response to both normal and abnormal situations will improve much over the next decades and will have a major impact on plant design and operation. Simulator technology and the capacity (e.g. speed and memory) of computers are constantly improving and thus will allow more realistic representation (and prediction of development) of transient and accident plant states in expert systems. |
Appendix X
ᅠSafety culture considerationᅠ
|
---|
The term ‘safety culture’ was introduced in 1986 by the International Nuclear Safety Advisory Group in a summary report on the post-accident review meeting on the Chernobyl accident[85] and was further elaborated in a report dealing with safety principles for nuclear power plants[86]. In 1991 an additional report from the International Nuclear Safety Advisory Group was published describing the concept of safety culture[87] in more detail. The latter report defined safety culture in the following way:
A similar definition is given by the Advisory Committee on the Safety of Nuclear Installations (ACSNI)[88]. This definition emphasizes that safety culture relates to the structure and style of organizations (governmental institutions, owner/operator, and industrial entities) as well as to the habit and attitude of individuals (managers and employees). Safety culture needs a commitment to safety on three levels: policy, management and individual. The policy level requires a clear statement of safety policy, adequate management structures and related resources, and establishment of self-regulation (by regular review). To fulfil their commitments, managers need to clearly define the responsibilities, accountabilities and safety practices for the control of work, ensure that staff are qualified and trained, establish a system of rewards and sanctions, and perform audits, reviews and benchmarking comparisons. In carrying out their tasks, individuals need to maintain an attentive and questioning attitude, adopt a rigorous and prudent approach, and participate in effective communications (see Figure 5 taken from Ref[29]).
Safety culture is a complex concept (see also Ref[91]) and there is no simple indicator that can be used as a yardstick for determining its status. The multilevel nature of culture, and the tacit nature of some of the levels (basic assumptions), increases the difficulty of measurement. Therefore, to capture both observable behaviour and people’s attitudes and basic beliefs, several methods need to be applied including interviews, focus groups, questionnaires, observations and document reviews. |
[ + ] Assessment Methodology | |||||
---|---|---|---|---|---|
|
References
- ↑ 1.0 1.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Status of Advanced Light Water Cooled Reactor Designs - 2004, IAEA-TECDOC-1391, Vienna (2004).
- ↑ OECD INTERNATIONAL ENERGY AGENCY, OECD NUCLEAR ENERGY AGENCY, INTERNATIONAL ATOMIC ENERGY AGENCY, Innovative Nuclear Reactor Development Opportunities for International Cooperation, OECD/IEA, Paris (2002).
- ↑ UNITED STATES DEPARTMENT OF ENERGY, A Technology Roadmap for Generation IV Nuclear Energy Systems, GIF-002-00, USDOE, Washington (2002).
- ↑ 4.0 4.1 4.2 4.3 4.4 4.5 UNITED NATIONS, Our Common Future (Report to the General Assembly), World Commission on Environment and Development, UN, New York (1987).
- ↑ CHOI, Y.S., KIM, J.S., LEE, B.W., Public's perception and judgment on nuclear power, Annals of Nuclear Energy, Volume 27, Issue 4, Elsevier (2000).
- ↑ SJÖBERG, L., DROTTZ-SJÖBERG, B.M., Knowledge and risk perception among nuclear power plant employees, Risk Analysis, Volume 11, Issue 4, Society for Risk Analysis (1991).
- ↑ 7.0 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9 INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, INSAG Series No. 10, IAEA, Vienna (1996).
- ↑ CARNINO, A. GASPARINI, M. Defence in depth and development of safety requirements for advanced nuclear reactors, Proceedings of an OECD/NEA Workshop on Advanced Nuclear Safety Issues and Research Needs, Paris, 18 – 20 February (2002).
- ↑ 9.0 9.1 9.2 9.3 9.4 9.5 9.6 INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards, Specific Safety Requirements No. SSR-2/1 (Rev.1), IAEA, Vienna (2016).
- ↑ 10.0 10.1 10.2 10.3 10.4 10.5 10.6 INTERNATIONAL ATOMIC ENERGY AGENCY, INPRO Methodology for Sustainability Assessment of Nuclear Energy Systems: Infrastructure, IAEA Nuclear Energy Series No. NG-T-3.12, Vienna (2014).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, INPRO Assessment of the Planned Nuclear Energy System in Belarus, IAEA-TECDOC-1716, IAEA, Vienna (2013).
- ↑ 12.0 12.1 12.2 INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Safety Glossary, Terminology used in Nuclear Safety and Radiation Protection 2018 Edition, IAEA, Vienna (2018).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Design of the Reactor Core for Nuclear Power Plants, IAEA Safety Standards Series, Safety Guide No. NS-G-1.12, IAEA, Vienna (2005).
- ↑ 14.0 14.1 14.2 INTERNATIONAL ATOMIC ENERGY AGENCY, Considerations on the Application of the IAEA Safety Requirements for the design of Nuclear Power Plants, IAEA-TECDOC-1791, IAEA, Vienna (2016).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Margins of Operating Reactors. Analysis of Uncertainties and Implications for Decision Making, IAEA-TECDOC-1332, IAEA, Vienna (2003).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Implications of Power Uprates on Safety Margins of Nuclear Power Plants, IAEA-TECDOC-1418, IAEA, Vienna (2004).
- ↑ 17.0 17.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Seismic Design and Qualification for Nuclear Power Plants, IAEA Safety Standards Series, Safety Guide No. NS-G-1.6, IAEA, Vienna (2003).
- ↑ 18.0 18.1 18.2 18.3 INTERNATIONAL ATOMIC ENERGY AGENCY, External Events Excluding Earthquakes in the Design of Nuclear power Plants, IAEA Safety Standards Series, Safety Guide No. NS-G-1.5, IAEA, Vienna (2003).
- ↑ 19.0 19.1 19.2 INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Report on Protection against Extreme Earthquakes and Tsunamis in the Light of the Accident at the Fukushima Daiichi Nuclear Power Plant, International Experts Meeting Vienna, 4-7 September 2012, IAEA, Vienna (2012).
- ↑ 20.0 20.1 INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Report on Reactor and Spent Fuel Safety in the Light of the Accident at the Fukushima Daiichi Nuclear Power Plant, International Experts Meeting, 19-22 March 2012, IAEA, Vienna (2012).
- ↑ 21.0 21.1 INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Report on Preparedness and Response for a Nuclear or Radiological Emergency in the Light of the Accident at the Fukushima Daiichi Nuclear Power Plant, IAEA, Vienna (2013).
- ↑ 22.0 22.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Mission Report, The Great East Japan Earthquake Expert Mission, IAEA International Fact Finding Expert Mission of the Fukushima Daiichi NPP Accident following the Greta East Japan Earthquake and Tsunami, 24 may – 2 June 2011, IAEA, Vienna (2011).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Leadership and Management for Safety, IAEA Safety Standards, General Safety Requirements No. GSR Part 2, Vienna (2016).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Application of the Management System for Facilities and Activities, IAEA Safety Standards Series, Safety Guide No. GS-G-3.1, Vienna (2006).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, The Management System for Nuclear Installations, IAEA Safety Standards, Safety Guide No. GS-G-3.5, IAEA, Vienna (2009).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Operational Limits and Conditions and Operating Procedures for Nuclear Power Plants, Safety Standards Series, Safety Guide No. NS-G-2.2, IAEA, Vienna (2000).
- ↑ 27.0 27.1 27.2 INTERNATIONAL ATOMIC ENERGY AGENCY, Ageing Management and Development of a Programme for Long Term Operation of Nuclear Power Plants, IAEA Safety Standards, Specific Safety Guide No. SSG-48, IAEA, Vienna (2018).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Modifications to Nuclear Power Plants, IAEA Safety Standards Series, Safety Guide No. NS-G-2.3, IAEA, Vienna (2001).
- ↑ 29.0 29.1 29.2 29.3 29.4 29.5 29.6 INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Management of Operational Safety in Nuclear Power Plants, INSAG-13, INSAG Series No. 13, IAEA, Vienna (1999).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Recruitment, Qualification and Training of Personnel for Nuclear Power Plants, Safety Standards Series, Safety Guide No. NS-G-2.8, IAEA, Vienna (2002).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Commissioning and Operation, IAEA Safety Standards, Specific Safety Requirements No. SSR-2/2 (Rev.1), IAEA, Vienna (2016).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, IRS Guidelines, Joint IAEA/NEA International Reporting System for Operating Experience, Service Series 19, IAEA, Vienna (2010).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Improving the International System for Operating Experience Feedback, A Report by the International Nuclear safety group, INSAG-23, IAEA, Vienna (2008).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Maintenance, Surveillance and In-service Inspection in Nuclear Power Plants, Safety Standards Series, Safety Guide No. NS-G-2.6, IAEA, Vienna (2002).
- ↑ 35.0 35.1 NUCLEAR REGULATORY COMMISSION, Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400 (NUREG-75/014), US NRC, Washington (1975).
- ↑ 36.0 36.1 GESELLSCHAFT FUER REAKTORSICHERHEIT, German Risk Study: Nuclear power Plants, Phase B – A Summary, GRS-74, Munich (1990).
- ↑ GESELLSCHAFT FUER REAKTORSICHERHEIT, Safety Analysis for Boiling Water Reactors – A Summary, GRS-98, Munich (1993).
- ↑ 38.0 38.1 NUCLEAR REGULATORY COMMISSION, Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants, NUREG/CR-6928 (INL/EXT-06-11119), US NRC, Washington (2007).
- ↑ 39.0 39.1 IDAHO NATIONAL LABORATORY, Initiating Event Rates at U.S. Nuclear Power Plants: 1988 – 2015, INL/EXT-16-39534, INL, Idaho Falls (2016).
- ↑ WORLD ASSOCIATION OF NUCLEAR OPERATORS, Performance Indicators 2011, WANO, London (2011).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Radiation Protection Aspects of Design for Nuclear Power Plants, IAEA Safety Standards, Safety Guide No. NS-G-1.13, IAEA, Vienna (2005).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Radiation Protection and safety of Radiation Sources: International Basic Safety Standards, IAEA Safety Standards, General Safety Requirements Part 3, No. GSR Part 3, IAEA, Vienna (2014).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Occupational Radiation Protection, IAEA Safety Standards Series, General Safety Guide No. GSG-7, IAEA, Vienna (2018).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Design Features to Achieve Defence in Depth in Small and Medium Sized Reactors, IAEA Nuclear Energy Series, No. NP-T-2.2, IAEA, Vienna (2009).
- ↑ 45.0 45.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Determining the quality of probabilistic safety assessments (PSA) for applications in nuclear power plants, IAEA-TECDOC-1511, IAEA, Vienna (2006).
- ↑ 46.0 46.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Deterministic Safety Analysis for Nuclear Power Plants, IAEA Safety Standards, Specific Safety Guide No. SSG-2, IAEA, Vienna (2010).
- ↑ 47.0 47.1 UK HEALTH AD SAFETY EXECUTIVE, Generic Design Assessment – New Civil Reactor Build. Step 3 Probabilistic Safety Analysis of the Westinghouse AP1000, Division 6, Assessment Report No. AR 09/017-P, Merseyside, UK. [1]
- ↑ 48.0 48.1 AREVA, UK-EPR. Fundamental Safety Overview. Report, Volume 2: Design and safety. Chapter R: Probabilistic Safety Assessment. [2], and [3]
- ↑ BRETTSCHUH, W. MESETH, J. Design Features, Safety Assessments and Verification of Key Systems, and Economic Advancements for SWR1000, presented at the IAEA Consultancy Meeting on Recent Developments in Evolutionary Reactors (LWR), Vienna, (2004).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Design of Reactor Containment Systems for Nuclear Power Plants, IAEA Safety Standards, Safety Guide No. NS-G-1.10, IAEA, Vienna (2004).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Implementation of Accident Management Programmes in Nuclear Power Programmes, IAEA Safety Reports Series No. 32, IAEA, Vienna (2004).
- ↑ 52.0 52.1 52.2 52.3 INTERNATIONAL ATOMIC ENERGY AGENCY, Accident Management Programmes for Nuclear Power Plants, IAEA Safety Standards Series, Safety Guide No. SSG-54, IAEA, Vienna (2019).
- ↑ 53.0 53.1 OECD NUCLEAR ENERGY AGENCY, Level 2 PSA Methodology and Severe Accident Management, NEA/CSNI/R(97) 11, OECD/GD(97)198, Paris (1997).
- ↑ US DEPARTMENT OF ENERGY, Human Performance Improvement Handbook. Volume 1: Concepts And Principles, DOE Standard, DOE-HDBK-1028-2009, Washington (2009).
- ↑ DIPLOMATIC CONFERENCE TO CONSIDER A PROPOSAL BY SWITZERLAND TO AMEND THE CONVENTION ON NUCLEAR SAFETY, Summary Report, CNS/DC/2015/3/Rev.2, IAEA, Vienna, (2015)
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Preparedness and Response for a Nuclear or Radiological Emergency, IAEA Safety Standards, General Safety Requirements Part 7, No. GSR Part 7, IAEA, Vienna (2015).
- ↑ OECD NUCLEAR ENERGY AGENCY, Discussion on Implementation of ICRP Recommendations Concerning Reference Levels and Optimization, Radiological Protection NEA/CRPPH/R(2013)2, OECD/NEA, Paris (2013).
- ↑ 58.0 58.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA-TECDOC-626, IAEA, Vienna (1991).
- ↑ 59.0 59.1 59.2 59.3 59.4 INTERNATIONAL ATOMIC ENERGY AGENCY, Passive Safety Systems and Natural Circulation in Water Cooled Nuclear Power Plants, IAEA-TECDOC-1624, IAEA, Vienna (2009).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Assessment of Defence in Depth for Nuclear Power Plants, IAEA Safety Reports Series No. 46, IAEA, Vienna (2005).
- ↑ DINSMORE COMEY, D. The Fire at the Brown’s Ferry Nuclear Power Station, Friends of the Earth, California (1976), [4]
- ↑ 62.0 62.1 62.2 INTERNATIONAL ATOMIC ENERGY AGENCY, Basic Safety Principles, 75-INSAG-3 Rev.1, A Report by the International Nuclear Safety Group, INSAG-12, IAEA, Vienna (1999).
- ↑ UK HEALTH AND SAFETY EXECUTIVE, Development of a business excellence model of safety culture: Safety culture improvement matrix, Entec UK Ltd, UK HSE, London (1999).
- ↑ INTERNATIONAL ATOMIC ENERCY AGENCY, Maintaining Knowledge, Training and Infrastructure for Research and Development in Nuclear Safety, INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, INSAG-16, IAEA, Vienna (1999).
- ↑ 65.0 65.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Considerations in the Development of Safety Requirements for Innovative Reactors: Application to Modular High Temperature Gas Cooled Reactors, IAEA-TECDOC-1366, IAEA, Vienna (2003).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Format and Content of the Safety Analysis Report for Nuclear Power Plants, IAEA Safety Standards Series, Safety Guide No. GS-G-4.1, IAEA, Vienna (2004).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, IAEA Safety Standards, Specific Safety Guide No. SSG-3, IAEA, Vienna (2010).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Development and Application of Level 2 Probabilistic Safety Assessment for Nuclear Power Plants, IAEA Safety Standards, Specific Safety Guide No. SSG-4, IAEA, Vienna (2010).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Accident Analysis for Nuclear Power Plants, IAEA Safety Reports Series No. 23, IAEA, Vienna (2002).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, The Role of Probabilistic Safety Assessment and Probabilistic Safety Criteria in Nuclear Power Plant Safety, IAEA Safety Series No. 106, Vienna (1992).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Periodic Safety Review for Nuclear Power Plants, IAEA Safety Standards, Specific Safety Guide No. SSG-25, IAEA, Vienna (2013).
- ↑ 72.0 72.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Risk informed regulation of nuclear facilities: Overview of the current status, IAEA-TECDOC-1336, IAEA, Vienna (2005).
- ↑ SOUSA, A.L. et al, The Role of Risk Informed Decision Making in the Licensing of Nuclear Power Plants, Academy Publish, Publishing Services LLC, USA, Wyoming (2012).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, A Framework for an Integrated Risk Informed Decision Making Process, A report by the International Nuclear Safety Group, INSAG-25, IAEA, Vienna (2011).
- ↑ NUCLEAR REGULATORY COMMISSION, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk Informed Decision Making, NUREG-1855 Volume 1, US NRC, Washington (2009).
- ↑ ELECTRIC POWER RESEARCH INSTITUTE, Risk Informed Regulation: Potential Application to Advanced Nuclear Plants, EPRI, Palo Alto, CA:2000, TP-114441, Palo Alto (2000).
- ↑ OECD NUCLEAR ENERGY AGENCY, Probabilistic Risk Criteria and safety Goals, NEA/CSNI/R(2009)16, NEA, Paris (2009).
- ↑ GROUPE PERMANENT CHARGÉ DES RÉACTEURS NUCLÉAIRES, Technical Guidelines for the Design and Construction of the Next Generation of Nuclear Power Plants with Pressurized Water Reactors, Autorité de Sureté Nucléaire (ASN), Paris (2001).
- ↑ 79.0 79.1 79.2 OECD NUCLEAR ENERGY AGENCY, Critical Operation Actions – Human Reliability Modelling and Data Issues, NEA/CSNI/R(98) 1, OECD, Paris (1998).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Design of Instrumentation and Control Systems for Nuclear Power Plants, IAEA Safety Standards Series, Safety Guide No. SSG-39, IAEA, Vienna (2016).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Current Status and Future Development of Modular High Temperature Gas Cooled Reactor Technology, IAEA-TECDOC-1198, Vienna (2001).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Innovative Small and Medium Sized Reactors: Design Features, Safety Approaches and R&D Trends, IAEA-TECDOC-1451, IAEA, Vienna (2005).
- ↑ INTERNATIONAL COMMISSION ON RADIOLOGICAL PROTECTION, The 2007 Recommendations of the International Commission on Radiological Protection, ICRP Publication 103. Annals of the ICRP 37 (2-4). Ottawa (2007).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Prospective Radiological Environmental Impact Assessment for Facilities and Activities, IAEA Safety Standards Series No. GSG-10, IAEA, Vienna (2018)
- ↑ INTERNATIONAL ATOMIC ENERCY AGENCY, Summary report on the post-accident review meeting on the Chernobyl accident, IAEA Safety Series No.75-INSAG-1, IAEA, Vienna (1986).
- ↑ INTERNATIONAL ATOMIC ENERCY AGENCY, Basic safety principles for nuclear power plants, A report by the INTERNATIONAL SAFETY NUCLEAR ADVISORY GROUP, INSAG-3, IAEA Safety Series No.75, IAEA, Vienna (1988).
- ↑ INTERNATIONAL ATOMIC ENERCY AGENCY, Safety culture, A report by the INTERNATIONAL SAFETY NUCLEAR ADVISORY GROUP, INSAG-4, IAEA Safety Series No. 75, IAEA, Vienna (1991).
- ↑ UK HEALTH AND SAFETY EXECUTIVE, ACSNI study group on human factors, third report, organizing for safety, HSE Books, ISBN 0118821040, UK London (1993).
- ↑ 89.0 89.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Developing safety culture in nuclear activities: Practical suggestions to assist progress, Safety Reports Series No. 11, IAEA, Vienna (1998).
- ↑ INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Key practical Issues in Strengthening Safety Culture, INSAG-15, INSAG Series No. 15, IAEA, Vienna (2002).
- ↑ INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Culture in Nuclear Installations, Guidance for Use in the Enhancement of Safety Culture, IAEA-TECDOC-1329, IAEA, Vienna (2002).