Difference between revisions of "Safety of NFCFs (Sustainability Assessment)"

INPRO user requirement UR1 for sustainability assessment in the area of NFCF safety: The assessed NFCF is more robust than the reference design with regard to operation and systems, structures and components failures. The first INPRO user requirement, UR1, for sustainability assessment in the area of NFCF safety is mostly related to the first level of DID, which is focused on preventing AOOs, i.e. deviations from normal operation and failures of items important to safety. AOOs are defined as those conditions of operation that are caused by events associated with internal or external hazards expected to occur one or more times during the lifetime of an NFCF but that do not cause any significant damage to items important to safety nor lead to accident conditions requiring safety features (Level 3 of DID) to control.
In principle, the design (e.g. mechanical, thermal, electrical, etc.) of normal operating systems in any NFCF can be made more robust, i.e. reducing the likelihood of failures, by increasing design margins, improving the quality of manufacture and construction, and by using materials of higher quality. Sufficient margin in the design needs to be provided so that any small deviation (e.g. resulting from failure) of system parameters from normal operation will not lead to an accident.
It is acknowledged that increasing the robustness of an NFCF design is a challenging task that requires optimisation wherever enhancing one aspect can have a negative influence on other aspects in other areas (e.g. in economics, making the system uncompetitive, or in proliferation resistance). Thus, an optimum combination of design measures is necessary for increasing the overall robustness of a design.
It is important to note that for the assessment of all criteria of user requirement UR1 the INPRO assessor (a technology user) needs information on the facility to be assessed and on a reference facility. The assessed NFCF is expected to demonstrate a safety level superior to that of the reference facility. If a reference facility design is not available to the assessor, it needs to be demonstrated that the assessed facility incorporates the most recent technology and that international best practice has been used, i.e. that the facility is state of the art.
For an operating NFCF, the requirements for design, manufacturing, and operation (and decommissioning) are usually specified in (extensive) national standards or in adopted standards from other countries; the most widely known and used standards are the Nuclear Codes and Standards published by the American Society of Mechanical Engineers.
The major means to achieve an increase in robustness in an NFCF are to ensure a high quality of design, construction and operation, including human performance. For new (innovative or evolutionary) NFCF designs, the expected frequencies of AOOs are expected to be reduced relative to a reference design. This reduction could be achieved by such means as using improved materials, simplified designs to minimize failures and errors, improved design margins (mechanical, thermal, electrical, etc.), increased operating margins, increased redundancies of systems, lessened impacts from incorrect human intervention (the system needs to be tolerant of mistakes), more effective and efficient inspections, continuous monitoring of the plant health, etc. Examples of concepts with increased robustness against certain potential hazards are designs that use passive systems deemed potentially more reliable than active systems (e.g. natural convection cooling), higher reliability self-checking control systems (avoidance of deviations from normal operation), use of non-flammable materials (avoidance of fires), etc. The use of inherent safety characteristics is a useful means of achieving robustness and has been highlighted as a separate user requirement, UR5.
For an NFCF under assessment, measures and features are to be developed that ensure that the robustness of the innovative design against internal and external hazards^[33] will be comparable or superior to that of the reference design.
For (innovative) designs of NFCFs still under development and for which no standards may yet exist, at least for the first plant to be installed, a conservative design approach according to existing standards can be proposed as discussed for user requirement UR7.
User requirement UR1 considers occupational doses corresponding to Levels 1 and 2 of DID, i.e. at normal operation and for anticipated operational occurrences. It is important to note that UR1 does not consider radiation exposure of workers during accidents. Radiation exposure of workers, public and the environment during/after accidents is dealt with in user requirements UR3 and UR4. A similar approach is supposed to be established for limiting chemical doses to workers.
The need to avoid undue burdens from radiation and/or toxic chemical exposure of the public and the environment during normal operation and AOOs (in an NFCF or nuclear reactor) is covered in a separate area of the INPRO methodology focused on the environmental impacts of stressors^[37].
In this context, it bears noting that the International Basic Safety Standards for Radiation Protection and for Safety of Radiation Sources in Ref^[38] define acceptable levels of radiation exposure for workers and the public for planned and emergency (accident) exposure situations Additional detailed guidance on occupational radiation protection in NFCFs is provided in Ref^[19]. Comparable (mostly national) standards exist for toxic chemicals^[39].

INPRO user requirement UR2 for sustainability assessment in the area of NFCF safety: The assessed NFCF has improved capabilities to detect and intercept deviations from normal operational states in order to prevent AOOs from escalating to accident conditions.
The second user requirement, UR2, for sustainability assessment in the area of NFCF safety involves the limited consideration of selected provisions in the first DID level and mostly relates to the second level of DID, which deals with detection and control of failures and deviations from normal operational states in order to prevent AOOs from escalating to accident conditions. The objective is met if the plant returns to normal operation either automatically or through operator action after an AOO or component failure and a progression to higher levels of DID is avoided.
In the design of a new NFCF (to be installed after 2013), priority is expected to be given to advanced instrumentation and control (I&C) systems and improved reliability of these systems. The facility needs to be designed to give the operator a sufficient grace period after an AOO or failure. In the longer term, priority can be given to design-specific inherent safety features and to robust and simple (possibly passive) control as well as advanced monitoring and alarm systems.
The main function of the I&C system in this level of DID is to detect deviations from normal operation and failures, produce an alarm, and together with operator actions prescribed in detailed operating procedures, enable rapid return of the facility to normal operating conditions with, ideally, no consequences, e.g. no need for follow up inspections or regulatory event reports.
I&C systems process measurement data from several different kinds of instrumentation. Examples of I&C systems include: conventional process instrumentation, vessel fluid level measurement instrumentation, radiation monitoring and alarm instrumentation, accident instrumentation, and hydrogen detection and measurement instrumentation. These instrumentation sets contain channels of different importance to safety.

INPRO user requirement UR3 for sustainability assessment in the area of NFCF safety: The frequency of occurrence of DBAs in the assessed NFCF is reduced. If an accident occurs, engineered safety features and/or operator actions are able to restore the assessed NFCF to a controlled state, and subsequently to a safe state, and the consequences are mitigated to ensure the confinement of radioactive and/or toxic chemical material. Reliance on human intervention is minimal, and only required after sufficient grace period.
The third user requirement, UR3, for sustainability assessment in the area of NFCF safety is mostly related to the third level of DID, which concentrates on the control of accidents to prevent releases of radioactive materials and associated hazardous materials or radiation levels that would require off-site protective actions. The objective is met if the accident consequences are limited to within the design basis. The ‘design bases’ of a facility are the conditions and events taken into account in the NFCF design such that the facility can withstand them by the intended operation of engineered safety features, inherent safety features and prescribed operator interventions without exceeding authorized limits. Thus, a DBA is an accident causing conditions^[40] for which a facility is designed, in accordance with established design criteria and conservative methodology, and for which releases of radioactive and/or chemically toxic materials are kept within authorized limits. Authorized limits of radiation exposure after accidents in nuclear facilities are expected to comply with the IAEA Safety Standards^[19][38]. Examples of limits for chemical exposure can be found in Ref^[39].
A grace period needs to be available before human (operator) intervention is necessary to prevent the escalation of a DBA into an accident with large releases of radioactivity and/or toxic chemicals to the environment. This grace period depends upon the nature of the NFCF, the type of incident, and the system parameters at the time of the incident, etc. However, based on available international experience, a grace period of 10 to 30 minutes is given as the typical decision interval for the operator in the event of a DBA in an NPP^[34]. A similar approach could be adapted for NFCFs other than mining and milling activities.
The term ‘controlled state’ is characterized by a situation in which either the facility’s engineered safety features or its prescribed operator interventions are able to compensate for the loss of functionality resulting from a DBA. The term ‘frequency of occurrence’ as used in user requirement UR3 refers to the number of events per NFCF year that lead to a DBA as determined via probabilistic methods (PSA). In the context of DBAs (caused by postulated initiating events associated with internal or/and external hazards), the term ‘grace period’ refers to the time period during which no operator inventions are needed and solely the actions of automatic active (and/or passive) safety features will suffice to keep the analysed DBA from escalating to a severe accident with potentially large releases to the environment.
Passive safety features can provide additional safety gains. Safety features consisting solely of passive components are very often deemed more reliable than active safety features due to missing (or a reduced number of) active components. In addition, no (or very limited) human actions are needed and, thus, the likelihood of human errors is very low. Nevertheless, failures in passive safety features due to human error in design or maintenance, the presence of unexpected phenomena, and potential adverse system interactions, are expected to be analyzed and may need to be compensated by other design measures. It is acknowledged that some kinds of passive safety features can be difficult to design in NFCFs.
Ensuring the confinement of radioactive and/or chemically toxic materials means that the design of engineered safety features and/or operator actions (procedures) for mitigating the consequences of a DBA need to provide deterministically for the continued integrity of at least one barrier to the unacceptable release of radioactive and/or chemically toxic materials following any DBA.

INPRO user requirement UR4 for sustainability assessment in the area of NFCF safety: The frequency of an accidental release of radioactivity into the environment is reduced. The source term of accidental release into the environment remains well within the envelope of the reference facility source term and is so low that calculated consequences would not require public evacuation.
The fourth user requirement UR4 for sustainability assessment in the area of NFCF safety is focused on accident conditions more severe than those in DBAs. It is mainly related to the design extension conditions and to the fourth level of DID, which has the objective to mitigate the consequences of accidents that result from failure of the third level and ensure that radioactive releases are kept as low as reasonably achievable. A severe (nuclear fuel cycle) accident is any event affecting the facility that results in off-site radiological consequences equal to or greater than the high contamination level or radiation level criteria for design extension conditions, i.e. an event more severe than a DBA.
An accidental release of radioactivity could occur if the magnitude of an initiating event (associated with external hazards) exceeds the design basis or additional failures of safety systems and/or operator interventions occur after an initiating event (associated with internal or / and external hazards) that lead to the design extension conditions with severe damage to equipment containing radioactive and / or chemically toxic materials. Consequence mitigation calls for keeping those radioactivity and / or toxic chemicals that are released from internal barriers damaged during an accident inside the NFCF containment/ confinement structure to the extent possible by avoiding any cliff-edge effects that could damage the remaining barrier(s) to external release.
Ref^[41] identifies generic criteria for protective actions and other response actions in a nuclear or radiological emergency to reduce the risk of stochastic effects. Projected dose limits indicated as criteria for public evacuation can be used in the INPRO assessment when corresponding national criteria have not been established yet.
For new NFCFs, the capability and reliability of natural and/or engineered processes for controlling complex accident sequences with severe damage is expected to be increased, as well as the capability and reliability of associated instrumentation, control and diagnostic systems. Appropriate severe accident management procedures also need to be developed. Through these measures, the frequency of accidental releases of radioactive and chemically toxic materials can be reduced and the inventory and conditions of release are expected to be constrained to avoid any need to evacuate the population.
When the frequency of accidental releases cannot be calculated with a high level of confidence, the new NFCF design needs to demonstrate deterministically that the probability of an accidental release of radioactivity and/or toxic chemicals into the environment is lower than that for the reference facility, e.g. through improved engineered safety features, prescribed operator actions, and the use of additional inherent safety characteristics or further measures to minimize hazards, and that the consequences (doses, concentrations of toxic chemicals) from an accident would not require public evacuation except as a short term precautionary measure.
It is nevertheless acknowledged that also for new (and advanced) NFCFs, it will still be necessary to establish an emergency preparedness regime^[38][41][42] regardless of the safety level of the new NFCF (as discussed in another area of the INPRO methodology focused on infrastructure^[35]) in order to meet the objective of the fifth level of the DID concept and the corresponding legal and regulatory requirements.

INPRO user requirement UR5 for sustainability assessment in the area of NFCF safety: An assessment is performed to demonstrate that the DID levels are more independent from each other than in the reference design. To excel in safety and reliability, the assessed NFCF strives for better elimination or minimization of hazards relative to the reference design by incorporating into its design an increased emphasis on inherently safe characteristics.
As discussed in Section 2.3, the different levels of DID focus on facility conditions ranging from operational to accident states. The DID levels are arranged with increasing severity from operational states (Level 1) to the control of severe plant conditions, including the prevention of accident progression and the mitigation of severe accident consequences (Level 4). As stated in Ref^[33], the general goal of DID is to ensure that even a combination of equipment or human (operator) failures at one level of defence “would not propagate to jeopardize defence in depth at subsequent levels”. Thus, independence of the safety features designed to cope with processes in the different levels of defence is key to meeting this goal.
To confirm sufficient independence of the DID levels in the assessed NFCF design, a safety assessment is supposed to be performed by the designer (potential supplier) using a suitable combination of deterministic and probabilistic approaches, or hazards analysis.
INPRO user requirement UR5 covers also the role of inherent safety characteristics in new NFCF designs (to be installed after 2013). An inherent safety characteristic is defined in Ref^[43] as a fundamental property of a design concept that results from the basic choices in the materials used or in other aspects of the design that assure that a particular potential hazard cannot become a safety concern in any way. The term inherent safety is normally used with respect to a particular characteristic, not to the plant as a whole; e.g. an area is inherently safe against internal fire if it contains no combustible material. An increased use of inherent safety characteristics in the design will strengthen accident prevention in advanced NFCFs by reducing hazards.
The design of a new NFCF is expected to be such that hazards are eliminated (if possible) or minimized, e.g. avoiding explosions by eliminating or minimizing the use of explosive gases. If hazards cannot be eliminated, appropriate equipment needs to be installed to prevent potential damage and to protect the installation, its personnel, the public and the environment. In addition, administrative measures need to be implemented to avoid operator errors to the extent possible.
The analysis of an inherent safety characteristic is difficult but can be possible with the application of adequate mathematical models and, in some cases, by experimental investigations. The analysis of hazards and their consequences needs to be performed using deterministic and probabilistic approaches. For the deterministic approach, engineering judgment, operating experience, validation of design tools and continuous exchanges of information with other industries are mandatory. For probabilistic approaches, the methods likewise need to be validated and the data used needs to be reliable. Analyses are expected to cover all operating states, including normal operation, shutdowns, and maintenance and repair intervals.
There are also external hazards associated with the site of an NFCF. Examples of external hazards related to siting include earthquakes, flooding, storms, airplane crashes, and fires and explosions outside the plant. By selecting an appropriate site for an NFCF, these hazards can be minimized.
The necessary RD&D effort to achieve sufficient confidence in advanced designs with increased inherent safety characteristics is discussed in user requirement UR7.

INPRO user requirement UR6 for sustainability assessment in the area of NFCF safety: Safe operation of the assessed NFCF is supported by accounting for HF requirements in the design and operation of the facility, and by establishing and maintaining a strong safety culture in all organizations involved in the life cycle of the facility.
There are two aspects of safety covered in this user requirement. The first aspect focuses on the design of safety related equipment to minimize effects from human errors. The second aspect covers the attitude to safety of workers in the nuclear facilities and related organizations.
The importance of human factors to the safe and reliable operation of nuclear facilities is globally recognized and is an issue that needs to be dealt with systematically in an NFCF design. The designer of a new NFCF is expected to place increased emphasis on human factors to minimize the possibilities for human (e.g. operator or maintenance worker) error. Any relevant experience available from operating NFCFs and the best practices from other industries such as aircraft and chemical plants need to be considered for this process.
There are two perspectives on human factors. On the one side, the operating staff members are seen as valuable resources who play important roles in facility operation, inspection, testing and maintenance, and who sometimes compensate for deficiencies in automatic systems. On the other side, human intervention can also be seen as having limited reliability and a potential to cause disturbances whose consequences need to be taken into account in the design of all facility systems and functions in order to ensure sufficient levels of safety and availability of the facility.

FIG. 2. Components of safety management^[44].

The INPRO task group on safety has summarized the possible negative contributions to accident hazards from human actions into three groups:

• Human errors during plant operation, testing or maintenance that contribute to the failure or unavailability of systems;
• Human errors during plant operation, testing or maintenance that give rise to an initiating event; and
• Human interventions during incident or accident situations that negatively influence the sequence of events.

As a common design principle, it needs to be ensured that:

• Functions assigned to the operating staff constitute consistent tasks that align with the abilities and strengths of the operating staff (e.g. appropriate degrees of automation, appropriate numbers of tasks, appropriate sharing among centralized and local operating actions);
• The man-machine interface (e.g. control room, screen-based and conventional control means, processing of information to be presented to the operators) optimally supports the tasks of operators and minimizes the potential for human errors.

It is expected that the ability to predict human response to both normal and abnormal situations will improve significantly over the next decades and will have a major impact on facility design and operation. Simulator technologies are constantly improving and can thus allow more realistic representations (and progression predictions) of transient and accident plant states in expert systems.
A human factors engineering (HFE) program plan needs to be an essential part of the NFCF design process that helps to integrate the operating staff and facility systems and to minimise the frequency of potential human errors. Ref^[45] has defined HFE as follows: “The application of knowledge about human capabilities and limitations to designing the plant, its systems, and equipment. HFE affords reasonable assurance that the design of the plant, systems, equipment, human tasks, and the work environment are compatible with the sensory, perceptual, cognitive, and physical attributes of the personnel who operate, maintain, and support the plant or other facility”. Listed below are examples of some design and operational features and assessments that are largely already implemented in existing NFCFs but can be subjected to further improvements in new NFCFs:

• Feedback from experience including a formal methodology;
• A probabilistic safety assessment (PSA) taking human error into account;
• Use of adequate (and quantitative) models that consider the causes of human error and, as such, may help the designer find appropriate measures to avoid the causes of human errors and thus minimize their occurrence;
• The existence of a separate main control room;
• Visualization of the status of facility equipment (components, systems, etc.), the dynamics of processes, the performance of automated processes and their relation with the state of the facility in a manner that helps guide operator actions;
• Monitoring by knowledge-based (expert) systems;
• Appropriate ambient conditions in safety relevant rooms (e.g. main control room);
• Appropriate plant operating procedures (e.g. alarm sheets, procedures for normal operations, incidents and accident situations);
• Formal verification of adequate design implementation;
• Management of human reliability (e.g. personnel selection, periodic training, etc.).

The term ‘safety culture’ was introduced in 1986 by the International Safety Advisory Group in a summary report of the post-accident review meeting on the Chernobyl accident^[46] and was further elaborated in Refs^[34][47]. Ref^[47] defined safety culture in the following way :

“Safety culture is the assembly of characteristics and attitudes in organizations and individuals, which establish that, as an overriding priority, protection and safety issues receive the attention warranted by their significance”.

This definition emphasizes that safety culture relates to the structure and style of organizations (governmental institutions, owner/operator, and industrial entities) as well as to the habits and attitudes of individuals (managers and employees). Safety culture demands a commitment to safety on three levels: policy, management and individual^{[44][48][49][50][51][52][53][54]}. The policy level requires a clear statement of safety policy, adequate management structures and related resources, and the establishment of self-regulation (by regular review). To fulfil their commitments, managers need to define clearly the responsibilities, accountabilities and safety practices for the control of work, ensure that staff are qualified and trained, establish a system of rewards and sanctions, and perform audits, reviews and benchmarking comparisons. In carrying out their tasks, individuals need to maintain an attentive and questioning attitude, adopt a rigorous and prudent approach, and participate in effective communications (see Fig. 2 taken from Ref^[44]). The importance of the management system for safety culture in nuclear facilities has been described in Ref^[44], which defines this system as “those arrangements made by the organization for the management of safety in order to promote a strong safety culture and achieve good safety performance”. Organizations go through a number of stages in developing their safety cultures^[48]:

• Safety is compliance driven and is based mainly on rules and regulation;
• Good safety performance becomes an organizational goal;
• Safety is seen as a continuing process of improvement to which everyone can contribute.

Ref^[49] presents practical advice on how to strengthen safety culture. The status of requirements for establishing, implementing, assessing and continually improving a management system for safety culture are reflected in the IAEA Safety Standards, e.g. Refs^{[50][51][52][53]}. These include generic guidance on establishing, implementing, assessing and continually improving such a management system. As outlined above, safety culture is a complex concept (see also Ref^[54]) and there is no single indicator that can be used for determining its status. To capture both observable behaviour and people’s attitudes and basic beliefs, several methods need to be applied including interviews, focus groups, questionnaires, observations and document reviews.
When applying these assessment tools, the key safety culture characteristics and attributes described in Refs^[44][51] can be used for the identification of strengths and weaknesses in an organization’s safety culture. Annex 1 of Ref^[44]sets out a series of questions for each of the major areas of concern – safety requirements and organization, planning, control and support, etc. – that are helpful in assessing the effectiveness of a safety management system and the status of an organization’s safety culture. Monitoring and measurement of the established and implemented management system effectiveness, self-assessment and performance evaluation of management at all levels, independent assessments conducted regularly, management system reviews, identification of non-conformance and establishment of corrective and preventive actions, and finally identification of improvement opportunities^[50][51] are all important elements to consider as evidence as to whether safety culture prevails.
The assessment of a safety culture can only be completed once an organization is actually operating a facility. But the necessity to inculcate a safety culture within an organization and the necessity of a safety management system need to be recognized in the planning phase for a NES. Furthermore, the proposed policies and management structures of the owner/operator can be assessed prior to operation to determine if they are consistent with safety culture. IAEA offers a service to its Member States called ISCA (Independent Safety Culture Assessment) that can assist with evaluating the status of safety culture.

INPRO user requirement UR7 for sustainability assessment in the area of NFCF safety: The development of innovative design features of the assessed NFCF includes associated research, development and demonstration (RD&D) to bring the knowledge of facility characteristics and the capability of analytical methods used for design and safety assessment to at least the same confidence level as for operating facilities.
INPRO user requirement UR7 discusses the necessary RD&D efforts for developing NFCFs with primarily innovative but also evolutionary design features.
It is well known that intensive research may be needed to bring the level of knowledge of facility behaviour and the capability of computer codes to model phenomena and system behaviour for innovative NFCF designs to at least the same confidence level as for operating facilities.

FIG. 3. Overview of the different tasks for definition of RD&D

A sound knowledge of the phenomena (e.g. chemical reaction rates, partition coefficients, solubility), and component and system behaviour, where applicable, is required to support the development of analysis tools for NFCF accidents. Hence, the more a facility differs from operating designs, the more RD&D is required. RD&D provides the basis for understanding events that threaten the integrity of barriers defined by the defence in depth concept. RD&D is also expected to provide information to reduce allowances for uncertainties in design, operating envelopes, and in estimates of accident frequencies and consequences.
For most NFCFs, it is acknowledged that the analytical tools (modelling tools) needed for completing a safety assessment comparable to the safety assessments done for nuclear reactors are currently not yet available. To promote the development of safety codes and analytical methods in the area of NFCF safety, the INPRO task group has described a situation that can hopefully be reached within the next decades.
As the development of an innovative design proceeds, RD&D is carried out to identify phenomena important to facility safety and operations and to develop and demonstrate an understanding of such phenomena. At any given point in the development process, the current understanding is incorporated into computer or analytical models that form the basis for design analysis and safety assessments. Such models are then used as tools for sensitivity analyses to identify important parameters and estimate safety margins. The results of such analyses are also used to identify coupled effects and interactions among systems that are important to safety. It is not unusual to obtain unexpected results, particularly in the early stages of development. The results, whether expected or not, are used to guide the RD&D program in efforts such as those to improve conceptual understanding, obtain more accurate data, confirm the extent of system interactions/independence, and adequately characterize the design. The RD&D, in turn, leads to improvements in understanding and in the analytical tools used in design and safety analyses.
The process is iterative: At the pre-conceptual stage of development, physical understanding, analytical models, supporting data bases, and codes may be simplistic and involve significant uncertainties. As development proceeds, understanding increases and uncertainties (both in conceptual understanding and in data) are reduced, and the validation of analytical models and codes improves. At the time of commercialization, all safety relevant phenomena and system interactions need to be identified and understood and the associated codes and models need to be adequately qualified and validated for use in the safety analyses, which in turn demonstrate that the facility design is safe. Complementary aspects are outlined in Ref^[55].
At least the following requirements need to be met by the RD&D program of a developer for an innovative or evolutionary design:

• All significant phenomena affecting safety associated with the design and operation of an innovative NFCF have to be identified, understood, modelled and simulated (this includes the knowledge of uncertainties, and the effects of scaling and environment);
• Safety-related systems, structures and components behaviour need to be modelled with acceptable accuracy, including knowledge of all safety-relevant parameters and phenomena, and validated with a reliable database.

Figure 3 gives an overview of tasks to be performed in defining the necessary RD&D for an innovative design.
For an innovative design, the first task is to identify all technology differences from operating designs. To identify the knowledge state and the importance of phenomena and system behaviour, an appropriate tool has to be used such as the PIRT process (Phenomena Identification and Ranking Tables), which is based mainly on engineering judgment. In addition, the adequacy and applicability of design and safety analysis computer codes have to be assessed. Both the PIRT results and the assessment of the adequacy and applicability of related computer codes inform the identification and prioritization of required RD&D efforts. An additional peer review by researchers and appropriate safety experts would strengthen the choice of the selected RD&D tasks.
Besides phenomenological data, reliability data including uncertainty bands^[56] for designated components need to be evaluated to the extent possible. This is especially valid for passive safety features. During the process of generating new and/or more detailed data (e.g. for computation fluid dynamics codes) the selected RD&D tasks are expected to be repeatedly assessed and necessary changes adopted. Qualified data need to be included in a technology base, e.g. validation matrices.

Acceptance limit AL1.1: Superior to that in the reference design.
The design (e.g. mechanical, thermal, electrical, etc.) of normal operating systems in a uranium refining/ conversion or enrichment facility can be made more robust, i.e. reducing the likelihood of failures, by increasing the design margins, improving the quality of manufacture and construction, and by use of materials of higher quality.
For an enrichment facility using centrifuges, the separating element is expected to be designed with a lesser number of probable leakage points. The provision of secondary seals in the centrifuges would lessen the probability of leakage and make the system more robust. Passive safety through low pressure operations and a hermetically sealed design would ensure increased robustness. Vessels can be designed for preventing criticality, considering the maximum enrichment targeted. Isolation of the cascade hall and handling area, clear operation limits for critical parameters and adequate factors of safety in containment are other measures towards increasing robustness. A stable power supply is considered as an important requirement of enrichment processes based on centrifuges. Thus, the power supply needs to be of a high standard (including a backup power supply).
The use of corrosion resistant materials in a refining and conversion facility can reduce the probability of leaks in equipment containing corrosive material (e.g. HF).
The acceptance limit AL1.1 of CR1.1 is met if evidence available to the INPRO assessor shows that the normal operation system design of the facility assessed is superior to that of the reference facility design (e.g. has increased design margins, improved quality of manufacture and construction, or uses materials of higher quality), or, if no reference plant can be defined, took best international practice into account and is therefore state of the art technology.

Acceptance limit AL1.2: Sufficient to cover uncertainties and avoid criticality.
Ref [101] introduces the effective neutron multiplication factor (k_eff) as “the ratio of the total number of neutrons produced by a fission chain reaction to the total number of neutrons lost by absorption and leakage”, and subcriticality as the state characterised by k_eff<1 which can be maintained by appropriate combination of the control parameters, such as isotopic composition, geometry, mass, volume, concentration / density, characteristics of neutron absorption and moderation. Ref [101] further requires that “safety margins should be applied to determine the safety limits” and in applying safety margins to k_eff “consideration should be given to uncertainty in the calculation” including the possibility of any code bias.
The INPRO task group for the area of NCFC safety has proposed that, for a new NFCF that handles uranium with the enrichments above 1 % ²³⁵U, a criticality analysis needs to be performed that demonstrates ample design margins by showing that a k_eff< 0.90 characterizes all possible configurations of fissile material and thereby provides high confidence that potential criticality accidents are avoided. In this analysis, all parameters influencing k_eff, such as mass, concentration, shape, moderation, etc, have to be considered. All process equipment in the material handling areas needs to be designed to ensure subcriticality under submerged and water filled conditions.
The acceptance limit AL1.2 is met if evidence available to the INPRO assessor shows that in the facility assessed no critical configuration can occur, taking uncertainties into account.

Acceptance limit AL1.3: Superior to those in the reference design.
Superior facility performance can reduce the frequency of AOOs and accidents in a uranium refining/ conversion or enrichment facility.
The clear definition of roles and responsibilities, appropriate surveillance and the training of personnel in the handling of UF₆ gas cylinders and the actions to be taken in the event of leakage of UF₆ gas, etc, complemented by instructions based upon learning from experience where available, will ensure that facilities for refining/ conversion and enrichment can operate in a safe regime.
The strategy of ageing management is expected to cover all relevant stages in the NFCF lifecycle, including design, manufacture, construction, commissioning, operation and decommissioning, all normal operation states, AOOs and accidents influencing a given system, and all relevant mechanisms of ageing, including but not limited to corrosion, deposits, irradiation, fatigue and wear. The NFCF designer has to determine the design life of safety related equipment, to provide appropriate design margins to take due account of age related degradation and to provide methods and tools for assessing ageing during the NFCF operation. The NFCF operating organization has to develop a plan for preparing, coordinating, maintaining and improving activities for ageing management implementation at the different stages of the NFCF lifecycle. Implementation of this plan needs to involve activities for managing ageing mechanisms, detecting and assessing ageing effects, and managing ageing effects.
Acceptance criteria for the quality of operation can be taken to be:

• High(er) degree of remote control;
• Availability of operations manuals and emergency instructions manuals;
• Availability of procedures for feedback on the application of operations manuals;
• Availability of surveillance requirements including periodic tests to verify the performance level for safe operation;
• Consideration of ageing management in the design documentation;
• Availability of plan for implementation of ageing management;
• Periodic and intensive training of operators;
• Periodic mock-ups to ensure readiness of operators to handle emergencies.

The acceptance limit AL1.3 of CR1.3 is met if evidence available to the INPRO assessor shows that the design of the facility assessed is superior to the reference facility design or, when no reference facility can be defined, at least took best international practice into account and is therefore state of the art technology.

Acceptance limit AL1.4: Superior to that in the reference design.
To achieve an improved capability to inspect, test and maintain, the design of uranium refining/ conversion or enrichment facility assessed is expected to permit efficient and intelligent inspection, testing and maintenance and not just require more inspections and more testing. In particular, the programs of inspection, testing and maintenance need to be driven by a sound understanding of failure mechanisms, so that the right locations are inspected and the right systems, structures and components are tested and maintained at the right time intervals.
The acceptance limit AL1.4 of CR1.4 is met if evidence available to the INPRO assessor shows that the capability to inspect, test and maintain the systems relevant to safety in the facility assessed is superior to that in the reference design, or is state of the art, and allows easy inspection, testing and maintenance.

Acceptance limit AL1.5: Lower than that in the reference design.
The frequency of failures and deviations from normal operation (see examples in the beginning of Section 7.4.2) in a refining/ conversion and enrichment facility needs to be derived from operational experience and supported by PSA. For the design assessed, these frequencies can be reduced through increased robustness of the design, high quality of operation, and efficient and intelligent inspection.
The acceptance limit AL1.5 of CR1.5 is met if evidence available to the INPRO assessor shows that in the facility assessed the frequencies of failures and deviations from normal operation are lower than those in the reference design, or, if a reference facility cannot be defined, that the facility assessed took best international practice into account and is therefore state of the art technology. If quantitative results from operational experience and PSA are not available, alternatively, deterministic analysis can be developed that supports a reduction of the probability of occurrence for deviations from normal operation and failures in the facility assessed.

Acceptance limit AL1.6: Lower than the dose constraints.
The limit (effective dose) and dose constraints for occupational workers were discussed in section 6.3.2.5. Innovative and proven techniques such as increased automation, improved O&M techniques and effective (engineered) safety features can be used to further reduce occupational exposure in refining/ conversion and enrichment facilities.
In refining/ conversion and enrichment facilities, the radiological hazard from radium and radon is much lower than in the mining and milling facilities discussed above; however, the radiological hazard cannot be neglected. Both radiological and chemical toxicity limits are applicable to the working environment in the refining/ conversion and enrichment facilities. The radiological limit for UF₆ concentration in air can be derived from annual limits on intake (ALI) values introduced in Ref [102] at the level of 13 Bq/m³, subject to small variations with respect to enrichment. The uranium air concentration chemical limit is normally stated as 0.2 mg/m³ [103]. Table 6 gives the uranium concentrations in air that correspond to the radiological limit as well as the uranium activity levels in air that correspond to the chemical toxicity limit.
Comparing the activities and concentrations in Table 6 against the corresponding limits shows that the chemical toxicity limit (0.2 mg/m³) is more restrictive than the radiological limit (13 Bq/m³) up to the enrichment value of 2.3%. For enrichments higher than 2.3%, the radiological limit becomes more important and for the enrichment of 5% the maximum permitted concentration of uranium in air due to its radiological properties is less than half of chemical toxicity limit.
A detailed guide on how to achieve a successful radiation protection program for workers in a refining/ conversion and enrichment facility is provided in Ref [32]. The acceptance limit AL1.6 of CR1.6 is met if evidence available to the INPRO assessor shows that the dose values of workers during normal operation and AOOs will be lower than the dose constraints defined for the location of the planned facility.

Acceptance limit AL2.1: Availability of such systems and operator procedures.
Refining/ conversion and enrichment facilities are expected to be designed to cope with AOOs (see beginning of Section 7.4.2) by using automatic operational systems, i.e. I&C systems that bring the facility back to normal operating conditions. In case automatic systems are not available, adequate operator procedures need to be. Passive and automatic active control systems are deemed more reliable than administrative (manual) control. The operator needs to get appropriate information in a control room about automatic actions during normal operation and AOOs and the status and performance of the facility.
Monitoring of operational data is important for early detection of the onset of integrity loss of system components in uranium refining/ conversion and enrichment facilities and to avoid complete failures of components. Such systems for monitoring component health might include, e.g. a diagnostic system of the rotating machinery for fans, pumps, and turbines. The basic monitoring of pumps may be done by monitoring the pump house vibrations.
Provision of an on-line digital I&C system with an intelligent controller and sufficient capability to monitor would ensure that an enrichment facility could be safely operated. Redundancy in devices for detecting overloading of the separation system and measurement of a parameter based on different principles wherever applicable, would provide enhanced safety. For example, use of two independent parameters to indicate faulty operation of centrifuges (e.g. current drawn by motor and vibration) would enable prompt correcting action. A strategy to isolate and limit damage to the separation system needs to be available.
For mitigating a leakage of toxic or explosive gases, a detection and exhaust scrubbing system needs to be available that automatically removes such gases from the air in the building and thereby avoids toxic or explosive concentrations. To fight fires, a detection and, preferably, an automatic fire extinguishing system (e.g. a spray system) needs to be available and related criticality considerations taken into account (e.g. exclusion of water).
An emergency power supply system is expected to be available for systems relevant to safety, such as monitoring, detection and alarm systems for radiation protection and criticality, detection and alarm systems for fires and leaks of hazardous materials, ventilation systems, etc. A loss of external power needs to be compensated by a back-up power system available at the site of the facility.
Safe operating conditions of all systems are expected to be clearly defined in the design analysis and different limits for alarm (and shutdown) conditions (e.g. pressure, temperature and overloading) need to be determined. For the operational I&C systems to be acceptable, the results of the analyses need to demonstrate that all limits for alarm (and actions including shutdown) are met in case of assumed deviations from normal operation. In addition to automatic systems the systems and clearly defined procedures for the operator on how to restore the facility after an AOO to normal operational state need to be available.
The acceptance limit AL2.1 of CR2.1 is met if evidence available to the INPRO assessor shows that I&C systems are available in the facility assessed that are capable of detecting failures and deviations from normal operation of systems relevant for safety, providing alarm, and initiate automatic or manual actions that bring the facility back to normal operation.

Acceptance limit AL2.2: Adequate grace periods are defined in design analyses.
An explanation of the ‘adequate grace period’ is provided in section 6.3.3.2. The grace period available for the operator for each AOO needs to be defined in the safety analysis of the facility design. In addition to the automatic actions of the normal operation systems a refining/ conversion or enrichment facility is expected to have sufficient inertia to withstand transients, i.e. react slowly after AOO.
After detection of an AOO (see beginning of Section 7.4.2) in a refining/ conversion or enrichment facility, automatic operational systems (presented in Section 7.4.3.1 above) need to mitigate these incidents before the operator intervention. For example, 30 minutes are deemed sufficient in case of a leak of UF6 gas during normal operation. Efficient automatic measures can facilitate longer grace periods.
In an enrichment facility with centrifuges, sufficient grace periods for operator actions necessary for keeping an AOO from progressing into an accident can be assured by providing surge suppression limiters, a fly wheel in the driving system of the centrifuge machine in case of electricity fault, adequate thermal inertia of the heating furnace, and multi-stage control for limiting transients.
The acceptance limit AL2.2 of CR2.2 is met if evidence available to the INPRO assessor shows that adequate grace periods have been determined for all AOOs in the design analysis for the facility assessed.

Acceptance limit AL3.1: Lower than that in the reference design.
The DBAs to be considered in a refining/ conversion or enrichment facility have been listed in the beginning of Section 7.4.4. The frequency of occurrence of a DBA in the facility assessed is to be determined via a probabilistic risk assessment.
The calculated frequency of DBAs caused by external hazards can be influenced by the designer primarily by increasing the robustness of the confinement wall, and by the owner/ operator by selecting an appropriate site (see UR7). The acceptance limit AL3.1 of CR3.1 is met if evidence available to the INPRO assessor shows the use of probabilistic analyses to determine that DBAs in the assessed facility are less probable than in the reference design. If quantitative results of probabilistic analyses are not available, a deterministic analysis needs to be available that supports a reduction of these frequencies based on an increase of design robustness, high quality of operation, an intelligent inspection and maintenance programs, advanced I&C systems and/or operator procedures, increased grace time and inertia.

Acceptance limit AL3.2: Superior to those in the reference design.
Engineered safety features (automatic) are expected to be designed and installed in the facility. After detection of the accident these features need to be capable of controlling the accident, restoring the facility to a controlled state, and keeping the radiological consequences of the accident within authorized limits. To assure necessary reliability, these features need to be designed with sufficient levels of redundancy, diversity and independence. Redundant, diversified and independent passive and automatic active systems are deemed more reliable than administrative control (operator intervention) but it is acknowledged that passive systems are difficult to be designed for refining/ conversion or enrichment facility.
The engineered safety features of a refining/conversion facility can be essentially different from an enrichment facility and in the following several examples they are discussed separately.
In refining/ conversion facility, a release of gaseous or liquid radioactive and/or chemically toxic material (UF6, HF, and NH3) is expected to be timely detected, an alarm started (to initiate evacuation of the facility) and automatic systems (e.g. exhaust scrubbers, shut down of gas supply) need to be available to mitigate the consequences of these DBA, i.e. limit exposure of the workers to chemicals and/or radioactive material. The release in the working area needs to be contained within the process area itself. Process specific, sub-atmospheric pressure operation is likely to ensure that this can be achieved.
In case of a fire in refining/ conversion facility, e.g. originating from release of H₂ or solvents, alarm needs to be initiated, and automatic fire fighting systems (spray systems) start in rooms with flammable chemicals that are capable of extinguishing the fire taking criticality considerations into account (e.g. exclusion of water). Alternatively or additionally, equipment needs to be available for the operator to fight the fire manually.
In an enrichment facility based on centrifuges, in the event of a beginning failure, automatic provisions can be available in the form of suitable brakes, to absorb the momentum of a failing centrifuge. This would keep the damage localized and prevent the failed centrifuge from becoming a missile. Safety interlocks need to be provided for addressing the instability and vibration in motors for the centrifuges.
As mentioned above, refining/ conversion and enrichment facilities are expected to have engineered safety features to protect against DBAs caused by external hazards (see Section 4.2.1 and 4.2.6). For example, to mitigate an earthquake [47], equipment in the facility – that if failed would create a radiological and/or chemical hazard – needs to be protected by shock absorbers, dampers, etc.
The acceptance limit AL3.2 of CR3.2 is met if evidence available to the INPRO assessor shows that the assessed facility’s engineered safety features (automatic systems) and/or operator procedures are superior to those in the reference facility and assure that after the beginning of a DBA the necessary actions to mitigate the accident consequences will be initiated in a timely manner and successfully completed. The INPRO assessor’s judgement of the superiority of the new design has to be supported by the results of equipment tests and/or deterministic and probabilistic analyses described in the facility design information. Alternatively, if a reference facility cannot be found, it could be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Acceptance limit AL3.3: Longer than those in the reference design.
An explanation of ‘adequate grace periods’ is provided in section 6.3.3.2 for the control of AOOs (see CR2.2) in Level 2 of DID. The criterion CR3.3 ‘grace periods for DBAs’ implies a similar concept. For DBAs (caused by events associated with internal or / and external hazards) the criterion requires that the system response (inertia) and/or automatic actions of active (and/or passive) safety features provide an adequate grace period for the operator to intervene. Adequate grace periods are also assumed to be longer than those for the reference design.
Since a large-scale gas leak has a potential to propagate outside the facility, a grace time of 15 minutes is expected to be provided for mitigating the gas leak, by for example, starting an emergency exhaust scrubber/ventilation system.
For a criticality accident, a grace period of a few minutes can be achieved by providing shielded enclosures wherever concentrations of uranium are expected to be high. Lower pressure in the process handling area and criticality monitors are normally provided. Risk to humans is expected to be limited to the material handling area only.
The grace periods have to be determined for each DBA in the design analyses.
The acceptance limit AL3.3 of CR3.3 is met if evidence available to the INPRO assessor shows that in the assessed facility’s grace periods for DBAs are longer than those of the reference design. Alternatively, it may be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Acceptance limit AL3.4: At least one.
The design of engineered safety features and/or operator procedures are expected to provide deterministically for continued integrity at least of one barrier containing the radioactive and chemically toxic material following any DBA caused by events associated with internal or external hazards. Alternatively, the probability of losing all barriers may be used as an INPRO methodology indicator with a sufficiently low value (e.g. less than 10^-6 per year) as its acceptance limit.
Examples of barriers in refining/conversion and enrichment facilities are the casing of machinery (pumps, valves, centrifuge) and equipment (vessels, piping), and a building structure with isolated compartments. The ventilation system including a cleaning system such as wet scrubbers or cold traps and a stack could also be regarded as a dynamic confinement. The design analysis needs to confirm that at least one barrier against an accidental release of radioactive and/ chemically toxic material into the outside of the plant will remain intact after a DBA.
The acceptance limit AL3.4 of CR3.4 is met if evidence available to the INPRO assessor shows that after a DBA at least one barrier remains intact in the facility assessed avoiding an accidental release of radioactivity and/or toxic chemicals to the outside of the facility that would require evacuation.

Acceptance limit AL3.5: Greater than those in the reference design.
To avoid a loss of containment/confinement integrity due to for example overpressure and high temperatures – compared to operating refining/ conversion or enrichment facility – the containment of new facility is expected to be designed against higher loads caused by an accident with an accidental release of radioactive material and/or toxic chemicals into the containment.
The containment, i.e. the building structure of the facility needs also to be designed for external hazards challenging the integrity of the structure with a higher margin.
The acceptance limit AL3.5 of CR3.5 is met if evidence available to the INPRO assessor shows that the confinement/containment of the refining/ conversion or enrichment facility assessed has been designed against higher loads and with higher reliability compared to a reference design. Alternatively, if a reference design is not available, it could be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Acceptance limit AL4.1: Sufficient to prevent an accidental release to the environment and regain control of the facility.
Examples of relevant system parameters are concentrations of UF6 and other radioactive and/or toxic chemicals in air, and activity, temperature and pressure inside the confinement/ containment. An emergency ventilation system is expected to be capable of reducing these system parameters to acceptable levels enabling mitigating measures by operators.
In an enrichment facility with centrifuges cascade segment isolation and cascade isolation based on pressure rise are processes to limit the consequences of accidents with a large release of UF₆. Emergency exhaust scrubber with alkali washing needs to be provided to bring down concentration of UF₆ to less than 0.2 mg/m³ within 30 minutes. Failure of one system normally does not lead to the failure of other systems by preventing transmission of shock or vibration to other cascades. Each cascade and handling system need to be made as independent modules. Reliability of secondary back-up seals in the centrifuges is expected to be excellent, with a failure rate better than 10^-4 per operation year. This needs to be confirmed by accelerated tests under simulated conditions.
If a large release of fissile material into the confinement (the building of the facility) leads to a critical configuration, this needs to be automatically detected (neutron flux increase) and lead to initiation of measures to end the criticality (injection of neutron absorbers).
In case automatic systems alone are not sufficient to prevent an accidental release to the environment and regain control of the NFCF, adequate operator procedures need to be established to handle a severe accident. For example, after detection of a large release of toxic and/or radioactive material into the confinement/ containment, the operator cuts off the source, activates the isolation of the process and the area, followed by evacuation/scrubbing. Next step would be activation of an on-site emergency plan documented in a safety manual to prevent spread of toxic and/or radioactive material into uncontrolled areas. Periodic mock-up drills and training programs are necessary to ensure that operators are in readiness to handle such emergencies.
The acceptance limit AL4.1 of CR4.1 is met if evidence available to the INPRO assessor shows that in the facility assessed processes and equipment are available to control relevant parameters (e.g. temperature, activity, concentrations of chemicals) and AM measures have been prepared that are sufficient to prevent an accidental release to the outside of the facility.

Acceptance limit AL4.2: Lower than that in the reference facility.
An accidental release of radioactivity and/or toxic chemicals from the refining/ conversion or enrichment facility into the environment can occur only if the containment loses its integrity during an accident with severe damage. An example for a cause of containment failure is overpressure due to a hydrogen explosion. Via a probabilistic safety analysis the frequency of a containment failure including uncertainties needs to be determined covering all plant states (normal operation, shut down) and internal as well as external hazards leading to accidents; the probabilistic analyses is supposed to use best estimate methods and consider the associated uncertainties.
INPRO suggests that calculated frequency of accidental release outside the facility assessed needs to be reduced as compared against reference facility, e.g. by increasing the design pressure of the containment. Where PSA data for reference facilities are not available, INPRO suggests using limit of <10^-6 per facility-year as the target value for calculated frequency of accidental release to the environment.
When the frequency of accidental release of radioactivity cannot be calculated with a high level of confidence the new NFCF design needs to demonstrate deterministically that probability of an accidental release of radioactivity and/or toxic chemicals into the environment due to a failure of the containment/ confinement has been reduced compared against reference facility, e.g. through improved engineered safety features, prescribed advanced operator actions, and increased use of inherent safety characteristics or by additional minimization of hazards, and that the consequences (dose, concentration of toxic chemicals) of an accident do not require the evacuation of population except as a short time precautionary measure.
The acceptance limit AL4.2 of CR4.2 is met if evidence available to the INPRO assessor shows that in the facility assessed the calculated (best estimate) frequency for an accidental release of radioactivity and/or toxic chemicals into the environment due to a failure of the containment is lower than in reference facility. Alternatively, if PSA data for a reference design is not available, it could be demonstrated that frequency for an accidental release of radioactivity from NFCF is well below 10^-6 per unit-year or that the design of the NFCF took available information on best international practice into account and is therefore state of the art.

Acceptance limit AL4.3: Remains well within the inventory and characteristics envelope of the reference facility source term and is so low that calculated consequences would not require evacuation of population.
Evacuation of population is the protective action in an emergency which can reduce the risk of stochastic effects, i.e. reduce consequences of the accident. Radiological criteria for evacuation of populations are normally formulated in terms of projected dose [58].
Estimation of the consequence of the emergency external release can be divided into two major parts. First part is focused on the definition of the characteristics of the release source term. These characteristics can be calculated as the result of the accident consequence modelling within the NFCF either deterministically or as a part of PSA Level 2 analysis. Second part models the transportation of the radionuclides to the population outside of the NFCF through different potential routes and scenarios (PSA Level 3).
The definition of source term of an accidental release to the environment involves the inventory of radioactive materials released, the description of physical and chemical forms of release and other release characteristics such as the height of damaged zone of the confinement, pressure and temperature of the released gas (including potential explosions).
Since the results of modelling of radionuclide transport in the environment may heavily depend on a series of assumptions such as weather conditions (wind directions in different altitudes, humidity etc) the first part of acceptance limit in this INPRO criterion states that source term characteristics in the new NFCF including the inventory of released radionuclides remains well within the envelope of reference facility source term. In this context ‘well within the envelope’ means that in the new NFCF source term all characteristics will be equal or lower compared against reference design and at least some of them will be lower by the level of uncertainties associated with the accident consequence modelling within the confinement.
For new NFCF the capability and reliability of natural and/or engineered processes for controlling of the complex accident sequences with severe damage are expected to be increased, including their instrumentation, control and diagnostic systems, and appropriate severe accident management procedures need to be developed. By these measures, the frequency of accidental release of radioactivity can be reduced and the inventory and conditions of release are expected to be restrained to avoid the evacuation of population.
It is noted that to meet the objective of Level 5 of defence in depth an emergency protection and response has to be planned around the NFCF [2] commensurate with the hazard of the accidental release of radioactive and chemically toxic material into the environment.
The acceptance limit AL4.3 of CR4.3 is met if evidence available to the INPRO assessor shows that in the NFCF assessed the calculated inventory and characteristics of an accidental release remain well within the inventory and characteristics envelope of reference facility source term and low enough so that calculated consequences would not require evacuation of population.

Acceptance limit AL5.1: Hazards are reduced in relation to those in the reference facility.
To minimize the fire hazard a specific safety (fire) analysis is required [32]. Using of fire resistant material and reduction of the amount of burnable material in a refining/ conversion or enrichment facility would reduce the hazard of a fire. In a conversion facility there are the following chemicals causing fire hazards: anhydrous ammonia (explosive and flammable), nitric acid (ignition if in contact with organic materials) and hydrogen (explosive and flammable). Compartmentalizing of buildings and ventilation ducts needs to be performed to prevent spreading of fires. Ventilation ducts need to be equipped with fire dampers and be made of fire resistant material. Buildings are normally divided into separate fire areas to make sure that a fire breaking out within a given fire area would not be able to spread beyond this sector. The higher the fire risk, the greater the number of areas in a building. For example, damage to the separation system in an enrichment facility and process handling system in a refining/ conversion facility needs to be confined within the given area and not to spread to other areas. The design of ventilation systems is expected to be given particular consideration with regard to fire prevention.
The hazard of release of radioactive and/or chemically toxic material is normally minimized by establishing several barriers, such as glove box or hooding of equipment, compartmentalized building, and a dynamic confinement by a ventilation system.
The hazard of radiation exposure of workers in the facility can be minimized by establishing and maintaining an adequate radiation protection program in accordance with national and international standards [25]. An adequately sized ventilation system can minimize the hazard of radiation exposure of workers.
To reduce the hazard of a criticality accident, control of the inventory of radioactive materials is the first step. This can be achieved not merely through administrative measures but also through monitoring systems that will give a warning if set limits of inventories are exceeded. Sub-atmospheric pressure operation would also minimize releases from equipment containing fissile material.
The external hazards can be reduced for new facilities by appropriate selection of their site. For example, to minimize the hazard of flooding the facility needs to be located at sufficient elevation.
The acceptance limit AL5.1 of CR5.1 is met if evidence available to the INPRO assessor shows that in the refining/ conversion or enrichment facility assessed hazards have been reduced compared to a reference facility. Alternatively, if a reference facility cannot be found, it needs to be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Acceptance limit AL1.1: Superior to that in the reference design.
Normal operation systems and equipment relevant for safety used in a fuel production facility need to be designed against loads caused by postulated initiating events including events associated with external hazards (see Section 4.2.1). The design (e.g. mechanical, thermal, electrical, etc.) of normal operation systems in a fuel production facility can be made more robust, i.e. reducing the likelihood of failures, by increasing the design margins, improving the quality of manufacture and construction, and by use of materials of higher quality. It is acknowledged that increasing the robustness of a facility design is a challenging task for a designer because enhancing one aspect could have a negative influence on other aspects. Thus, an optimised combination of design measures is necessary to increase the overall robustness of a design.
The acceptance limit AL1.1 of CR1.1 is met if evidence available to the INPRO assessor shows that the design of the facility assessed is superior in this respect to the reference design (e.g. has increased design margins, improved quality of manufacture and construction, or uses materials of higher quality), or, in case a reference facility could not be defined, took best international practice into account and is therefore state of the art technology.

Acceptance limit AL1.2: Sufficient to cover uncertainties and avoid criticality.
Criticality control in fuel production facilities necessitates the mass control of fissile material, the use of safe geometry (with respect to criticality) in equipment layout to provide safe separation between equipment as well as storage systems, the minimization of hydrogenous materials in process and the use of neutron absorbing materials.
As proposed by the INPRO task group in this area and previously discussed in section 7.4.2.2 for uranium refining/ conversion and enrichment facilities, the adequate avoidance of criticality in facilities that handle MOX, Pu or U enriched above 1 % ²³⁵U is expected to be shown by a criticality analysis that demonstrates a design margin of k_eff < 0.90 for all possible configurations of fissile material. In this analysis, all parameters relevant to criticality, such as mass concentration, shape, moderation, etc, have to be considered. All process equipment in the material handling area needs to be designed to remain subcritical under submerged and water filled conditions.
The acceptance limit AL1.2 of CR1.2 is met if evidence available to the INPRO assessor shows that in the facility assessed no critical configuration can occur taking uncertainties into account.

Acceptance limit AL1.3: Superior to those in the reference design.
Superior performance attributes can increase the robustness of a uranium or MOX fuel fabrication facility. A distinctive feature of fuel fabrication facilities is the presence of large inventories of powders of uranium oxide, plutonium oxide or mixed oxide. These are usually in finely divided form, and unless a high quality of operation is ensured, spillage of these fuel materials inside the enclosures could lead to long term accumulation in various difficult-to-access areas and in glass panels of glove boxes. This could ultimately lead to increased dosage to the operator.
High quality of operation, by way of intensive training of operators, is also essential to ensure that human factors do not lead to unexpected accumulations of fissile material in any part of the plant and thus lead to criticality: Strict adherence to administrative procedures is an indication of high quality of training. An inappropriate response to an alarm indicating an emergency could also be a result of inadequate operator training.
The strategy of ageing management is expected to cover all relevant stages in the fuel production facility lifecycle, including design, manufacture, construction, commissioning, operation and decommissioning, and needs to address all relevant mechanisms of ageing for the operational states and accident conditions influencing a given system. The designer of a fuel production facility has to determine the design life of SSCs important to safety, provide appropriate design margins to take due account of age related degradation and provide methods and tools for assessing ageing during the fuel production facility operation. The operating organization has to develop a plan for preparing, coordinating, maintaining and improving activities for ageing management implementation at the different stages of the fuel production facility lifecycle. Implementation of this plan will involve activities for managing ageing mechanisms, detecting and assessing ageing effects, and managing ageing effects.
A high degree of automation/remote control/robotics would lead to reduction of dose received by the operators. Typical items that are taken into account for establishing acceptance criteria for facility performance include:

• High(er) degree of remote control;
• Availability of operations manuals and emergency instructions manuals;
• Availability of procedure for the feedback on application of operations manuals;
• Availability of surveillance requirements including periodic tests to verify the performance level for safe operation;
• Consideration of ageing management in the design documentation;
• Availability of plan for implementation of ageing management;
• Periodic and intensive training of operators;
• Periodic mock-ups to ensure readiness of operators to handle emergencies.

The acceptance limit AL1.3 of CR1.3 is met if evidence available to the INPRO assessor shows that the design of the facility assessed is superior to a reference design or, in case a reference facility could not be defined, took best international practice into account and is therefore state of the art technology.

Acceptance limit AL1.4: Superior to that in the reference design.
To achieve an improved capability to inspect, test and maintain, the design of fuel fabrication facility assessed is expected to permit efficient and intelligent inspection, testing and maintenance and not just require more inspections and more testing. In particular, the programs of inspection, testing and maintenance need to be driven by a sound understanding of failure mechanisms (corrosion, erosion, fatigue, etc.), so that the right locations are inspected and the right systems, structures and components are tested and maintained at the right time intervals.
The acceptance limit AL1.4 of CR1.4 is met if evidence available to the INPRO assessor shows that the capability to inspect, test and maintain systems relevant to safety in the facility assessed is superior to that in the reference design or, in case a reference facility could not be defined, is state of the art and allows easy inspection, testing and maintenance.

Acceptance limit AL1.5: Lower than that in the reference design.
The estimated frequencies of the AOOs selected (see beginning of Section 8.5.2) for a fuel production facility need to be derived from operational experience and supported by PSA. For the design assessed, theses frequencies can be reduced through achieving increased robustness of the design (discussed in CR1.1 above), high quality of operation (discussed in CR1.2), and efficient and intelligent inspection and maintenance (discussed in CR1.3).
The acceptance limit AL1.5 of CR1.5 is met if evidence available to the INPRO assessor shows that in the facility assessed the frequencies of AOOs are lower than those in the reference design, or, in case a reference facility could not be defined, that the facility assessed took best international practice into account and is therefore state of the art technology. If quantitative results from operational experience and PSA are not available, alternatively, deterministic analysis needs to be developed that indicates the reduction of probability of occurrence for AOOs.

Acceptance limit AL1.6: Lower than the dose constraints.
Fuel production facilities may control contamination using such independent strategies as maintaining differential pressure in process enclosures and operating areas, providing easy access to equipment in operating areas, using automation/robotics for handling radioactive materials, zoning the layout of the plant for hazardous operations, providing single port entry and exit for personnel and equipment and employing multiple levels of filtration.
The assessment of CR1.6 for a conversion and enrichment facility was presented in Section 7.4.2.6 and is deemed substantially similar to the corresponding assessment for a fuel production facility (U, Pu or MOX). Therefore, the assessor is requested to use the assessment approach described for a conversion and enrichment facility also for a fuel production facility.

Acceptance limit AL2.1: Availability of such systems and operator procedures.
A fuel production facility is expected to be designed to cope with AOOs (see beginning of Section 8.5.2) using automatic operational systems, i.e. I&C systems that bring the facility back to normal operating conditions. In case automatic systems are not available, adequate operator procedures need to be. Passive and active control systems are deemed more reliable than administrative (manual) control. The operator needs to get appropriate information in a control room about automatic actions during normal operation and AOOs and the status and performance of the facility.
Fuel fabrication facilities involve many safety critical systems such as glove boxes, furnaces, vacuum systems etc, thus, instrumentation and control systems play an important role in ensuring healthiness and safety of various systems and ensuring that they operate in safe regimes of parameters. The design analysis is expected to define safe operating conditions for every system, and different limits for alarm and shutdown conditions need to be indicated. For example, furnaces need to be equipped with temperature control systems to shut down the power supply to prevent escalation of temperature in case of loss of cooling water. Pressure control systems in glove boxes need to be able to detect loss of negative pressure (e.g. through a puncture in a glove) and actuate additional exhaust systems to ensure that the glove box pressure remains below the one in the operating area. Measurement of these parameters based on different principles wherever applicable and by more than one device for measurement would provide enhanced safety.
Online monitoring systems, with accessibility to inspect and more than one way to measure the same parameter, are necessary requirements. Access has to be provided for condition monitoring parameters and trending to predict incipient failures. In the ventilation systems, continuous monitoring of pressure drops across HEPA filters would ensure an adequate number of air changes in operating areas. Similarly, on-line monitoring is required to ensure adequate cooling water supply to sintering furnaces and ensure that the furnace is shut down when water flow is reduced below a certain level.
The acceptance limit AL2.1 of CR2.1 is met if evidence available to the INPRO assessor shows that I&C systems are available in the facility assessed that are capable of detecting failures and deviations from normal operation of systems relevant for safety, providing alarm, initiate automatic (and manual actions), and bring the facility back to normal operation.

Acceptance limit AL2.2: Adequate grace periods are defined in design analyses.
An explanation of ‘adequate grace period’ is provided in section 6.3.3.2. The grace period available for the operator for each AOO needs to be defined in the safety analysis of the facility design. After detection of an AOO (see beginning of Section 8.5.2) in a fuel production facility, the automatic operational systems (presented in Section 8.5.3.1 above) needs to control these incidents before the operator intervention. The operation manual is expected to list all anticipated incidents, a corresponding action plan and the time until the actions have to be completed by the workers. For example, the design of glove boxes in MOX fabrication facilities needs to ensure that, in the event of a ventilation failure, radioactivity levels in the operating areas do not exceed regulatory limits for at least one hour, so that operators can safely shut down furnaces and other systems before evacuating the laboratory.
In addition to the automatic actions of the normal operation systems a fuel fabrication facility is expected to have sufficient inertia to withstand transients, i.e. react slowly after AOOs. For example, design of furnaces and (redundant) cooling systems needs to ensure that in the event of a temporary loss of cooling water supply, the furnace casing temperature will not exceed design limits within a reasonable time frame to enable the operator to bring the furnaces to a safe shut down state if necessary or continue to operate if he can restore water supply in time.
The acceptance limit AL2.2 of CR2.2 is met if evidence available to the INPRO assessor shows that adequate grace periods have been determined for all AOOs in the design analysis for the facility assessed.

Acceptance limit AL3.1: Lower than that in the reference design.
Examples of the DBAs to be considered in a fuel fabrication facility have been provided above in the beginning of Section 8.5.4. The frequency of occurrence of a DBA in the facility assessed is to be determined via a probabilistic risk assessment. Ref [18] gives an overview of the methods used for probabilistic evaluations of NFCFs, such as layer of protection analysis and the index method, and the areas of their application. Several examples of probabilistic studies of NFCFs and an overview of the regulatory requirements in different countries can be found in Ref [114].br> The frequency of DBA caused by external hazards can be influenced by the designer, e.g. via an increase of robustness of the confinement wall, and by the owner/ operator of the facility by selecting an appropriate site (see UR7).br> When the probabilistic risk assessment results are not available for the NFCF assessed, the superiority of the new design, i.e. improvements to reduce frequency of initiating events, can be demonstrated deterministically.br> The acceptance limit AL3.1 of CR3.1 is met if evidence available to the INPRO assessor shows that in the facility assessed based on probabilistic analyses the frequency for the defined DBAs is superior to a reference design. If quantitative results are not available a deterministic analysis needs to support a reduction of these frequencies based on an increase of design robustness, high quality of operation, an intelligent inspection and maintenance programs, advanced I&C systems and increased inertia.

Acceptance limit AL3.2: Superior to those in the reference design.
In case of a DBA (see beginning of Section 8.5.4) there need to be automatic reliable engineered safety features available that after detection of an accident are capable of controlling the accident, restoring the facility to a controlled state, and keeping the consequences within authorized limits. To assure necessary reliability these features have to be designed with sufficient level of redundancy, diversity and independence.
In case automatic systems are not available, adequate operator procedures are necessary. Redundant, diversified and independent passive and automatic active systems are deemed to be more reliable than administrative control (operator intervention) however it is acknowledged that they are difficult to be designed for fuel fabrication facility.
As mentioned above the facility is expected to have engineered safety features protecting against DBA caused by (credible) external hazards (see Section 4.2.1 and 4.2.6).
The acceptance limit AL3.2 of CR3.2 is met if evidence available to the INPRO assessor shows that the reliability and capability of engineered safety features in the facility assessed is superior to a reference design and assure that after the beginning of a DBA the necessary actions to mitigate the consequences of the accidents will be timely initiated. Alternatively, if a reference facility cannot be found, it could be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Acceptance limit AL3.3: Longer than those in the reference design.
An explanation of ‘adequate grace period’ is provided in section 6.3.3.2 as introduced earlier for control of AOOs (see CR2.2) in Level 2 of DID. The criterion CR3.3 ‘grace period for DBA’ implies a similar concept. For DBA (caused by events associated with internal and external hazards) the criterion requires that the system response (inertia) and/or automatic actions of active (and/or passive) safety features provide an adequate grace period for the operator to intervene. Adequate grace periods in the new facility are also assumed to be longer than those in the reference design.
For example, a criticality accident in a fuel fabrication plant could be caused by human errors such as double batching or by flooding of glove boxes containing large inventories of fissile material. Provision of a criticality monitor (e.g. neutron counter, liquid level monitor in a glove box) is essential . In the event of criticality, a grace time of a few minutes only may be available to take necessary protective measures, e.g. halt flow of liquid, close valve. In the event of flooding of glove boxes due to a coolant pipe rupture, and unavailability of automatic safety features, the grace time available for the operator to avoid criticality or release of radioactive material would depend on the design of the box and the flow rate of water. The safety analysis needs to take into account these factors and define the time limits sufficient for human action. The grace periods have to be provided for each DBA by the design.
The acceptance limit AL3.3 of CR3.3 is met if evidence available to the INPRO assessor shows that in the facility assessed the grace periods are superior to a reference design. Alternatively, if a reference facility cannot be found, it could be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Acceptance limit AL3.4: At least one.
The design of engineered safety features is expected to provide deterministically for continued integrity at least of one barrier containing the radioactive and chemically toxic material following any DBA caused by events associated with internal or external hazards. Alternatively, the probability of losing all barriers could be used as an INPRO methodology indicator with a sufficient low value of it as acceptance limit.
The most important engineered safety features of a fuel fabrication facility are the barriers against a release of radioactive material into the environment. At present, all Pu (but also some U) based materials are handled in glove boxes, whose panels and gloves constitute one barrier (another barrier is the building wall). However, it is important to ensure that a glove box is designed as a second barrier and larger inventories of fuel materials are always maintained in another suitable enclosure which would constitute the first barrier. For example, in glove boxes containing equipment with moving parts such as a press or grinder, this equipment needs to be surrounded by a safe enclosure which would ensure that any flying object from the equipment would not damage the glass panel of the box.
It is apparent that the higher the number of such barriers, the safer the system with respect to release of radioactivity and thus would meet the requirement of defence in depth concept.
The acceptance limit AL3.4 of CR3.4 is met if evidence available to the INPRO assessor shows that after a DBA at least one barrier remains intact in the facility assessed avoiding a large release of radioactivity and/or toxic chemicals to the outside of the facility.

Acceptance limit AL5.1: More independence of the DID levels is demonstrated compared to that in the reference design, e.g. through deterministic and probabilistic means, hazards analysis, etc.
Systems that provide for different levels of defence in depth may be either dependent or independent. Independent systems can provide protection from potential hazards with higher reliability. Using the same system or several dependant systems in different levels of defence in depth can make these levels vulnerable to the common cause failure. Ref [18] states:

“To qualify as independent, the failure of one item relied on for safety (IROFS) should neither cause the failure nor increase the likelihood of failure of another IROFS. No single credible event should be able to defeat the system of IROFS such that an accident is possible. A systematic method of hazard identification should thus be used to provide a high degree of assurance that all credible failure mechanisms that could contribute to (i.e. by initiating or failing to prevent or mitigate) an accident have been identified.”

Ref [18] further provides an exemplary list of factors undermining independence of the systems, structures and components, and therefore having significant effect on the likelihood of an accident sequence:

“A partial list of conditions that will almost always lead to two or more IROFS not being independent follows:

• The same individual performs administrative actions.
• Two different individuals perform administrative actions but use the same equipment and/or procedures.
• Two engineered controls share a common hardware component or common software.
• Two engineered controls measure the same physical variable using the same model or type of hardware.
• Two engineered controls rely on the same source of essential utilities (e.g. electricity, instrument air, compressed nitrogen, water).
• Two engineered controls are collocated such that credible internal or external events (e.g. structural failure, forklift impacts, fires, explosions, chemical releases) can cause both to fail.
• Administrative or engineered controls are susceptible to failure because of the presence of credible environmental conditions (e.g. two operator actions defeated by corrosive atmosphere, sensors rendered inoperable because of high temperature).”

The analysis of independence of systems, structures and components in NFCF is normally part of the application of the ‘double contingency principle’ defined in Ref [115]. This principle states that “process designs should, in general, incorporate sufficient factors of safety to require at least two unlikely, independent, and concurrent changes in process conditions before a criticality accident is possible.”
It is expected that the deterministic method for assessing the DID capabilities of a nuclear reactor design described in Ref [116] will be adapted to fuel fabrication facility. This method is based on objective trees for each level of DID defining the following elements from top to bottom: the objective of the DID level, the relevant safety functions to be met, identified general challenges to the safety functions based on specific root mechanisms for each of these challenges and a list of provisions in design and operation for preventing the mechanism from occurring.
Special attention is expected to be demonstrated in the design to such hazards as fire, flooding or earthquakes which could potentially impair several levels of DID; for example, they could bring about accident situations and, at the same time, inhibit the means of coping with such situations [39].
The safety analysis report of a fuel fabrication facility needs to demonstrate clearly the independence of the levels of defence. A probabilistic safety analysis [117], if done carefully, would highlight systems and elements which are not sufficiently independent, and identify cross-links which compromise the independence of the levels of DID. A fuel fabrication facility assessed is expected to demonstrate calculated frequency ranges of reaching the different levels of DID after an initiating event below (superior to) those of a reference facility.
The acceptance limit AL5.1 (independence of DID levels) is met for the fuel fabrication facility assessed if evidence available to the INPRO assessor shows that demonstrates improved independence of the different levels of DID in comparison to a reference plant based on a deterministic and probabilistic analyses. Alternatively, if a reference facility cannot be found, it could be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.