Difference between revisions of "Safety of NFCFs (Sustainability Assessment)"

From INPRO Wiki
Jump to navigation Jump to search
Line 1,940: Line 1,940:
 
==See also==
 
==See also==
 
*[[NFCF]]
 
*[[NFCF]]
*[[Mining and milling of uranium and thorium (Sustainability Assessment)]]
+
*[[Mining and milling of uranium and thorium (Sustainability Assessment)|Mining and milling of uranium and thorium]]
 
*[[Uranium refining/conversion and enrichment (Sustainability Assessment)|Uranium refining/conversion and enrichment]]
 
*[[Uranium refining/conversion and enrichment (Sustainability Assessment)|Uranium refining/conversion and enrichment]]
 
*[[Uranium_oxide_and_MOX_fuel_fabrication_(Sustainability_Assessment)|Uranium oxide and MOX fuel fabrication]]
 
*[[Uranium_oxide_and_MOX_fuel_fabrication_(Sustainability_Assessment)|Uranium oxide and MOX fuel fabrication]]

Revision as of 14:30, 6 August 2020

INPRO basic principle (BP) for sustainability assessment in the area of NFCF safety - The planned NFCF is safer  than the reference NFCF. In the event of an accident, off-site releases of radionuclides and/or toxic chemicals are prevented or mitigated so that there will be no need for public evacuation.

Contents

Introduction

Objective

This volume of the updated INPRO manual provides guidance to the assessor of a planned NES (or a facility) on how to apply the INPRO methodology in the area of NFCF safety. The INPRO assessment is expected either to confirm the fulfilment of all INPRO methodology NFCF criteria, or to identify which criteria are not fulfilled and note the corrective actions (including RD&D) that would be necessary to fulfil them. It is recognized that a given Member State may adopt alternative criteria with indicators and acceptance limits that are more relevant to its circumstances. Accordingly, the information presented in Chapters 5 to 10 (INPRO methodology criteria, user requirements and basic principle for sustainability assessment in the area of safety of NFCFs) should be viewed as guidance. However, the use of such alternative criteria should be justified as providing an equivalent level of enhanced safety as the INPRO methodology.
This report discusses the INPRO sustainability assessment method for the area of safety of NFCFs. The INPRO sustainability assessment method for safety of nuclear reactors is discussed in a separate report of the INPRO manual . This publication is intended for use by organizations involved in the development and deployment of a NES including planning, design, modification, technical support and operation for NFCF. The INPRO assessor (or a team of assessors) is assumed to be knowledgeable in the area of safety of NFCFs and/or may be using the support of qualified national or international organizations (e.g. the IAEA) with relevant experience. Two general types of assessors can be distinguished: a nuclear technology holder (i.e. a designer, developer or supplier of nuclear technology), and a (potential) user of such technology. The role of a technology user in an INPRO assessment is to check in a simplified way whether the supplier’s facility design appropriately accounts for nuclear safety related aspects of long term sustainability as defined by the INPRO methodology. A designer (developer) can use this guidance to check whether a new design under development meets the sustainability focused INPRO methodology criteria in the area of fuel cycle safety and can additionally initiate modifications during early design stages if necessary to improve the safety level of the design. The current version of the manual includes a number of explanations, discussions, examples and details so it is deemed to be used by technology holders and technology users.

Scope

This manual provides guidance for assessing the sustainability of a NES in the area of NFCF safety. This report deals with NFCFs that may be potentially involved in the NES, i.e. mining, milling , refining, conversion, enrichment, fuel fabrication, spent fuel storage, and spent fuel reprocessing facilities. It is clear that operations of NFCFs are more varied in their processes and approaches than are nuclear reactor systems. Most significant of these variations is the fact that some countries pursue an open fuel cycle, i.e. spent fuel is treated as a waste, while some others have a policy of closing the fuel cycle, i.e. treating the spent fuel as a resource, and a number of states have yet to make a final decision on an open or closed fuel cycle. Further, diversity is large if one considers different types of fuels used in different types of reactors and the different routes used for processing the fuels before and after their irradiation depending upon the nature of the fuel (e.g. fissile material: low enriched uranium/ natural uranium/ uranium-plutonium/ plutonium/ thorium; fuel form: metal/ oxide/ carbide/ nitride) and varying burnup and cooling times. Taking into account this complexity and diversity, the approach adopted in this report has been to deal with the issues as far as possible in a generic manner, rather than describing the operations that are specific to certain fuel types. This approach has been chosen in order to arrive at a generalized procedure that enables the user of this report (the assessor) to apply it with suitable variations as applicable to the specific fuel cycle technology being assessed. In addition, it is recognized that the defence in depth (DID) approach and ultimate goal of inherent safety form the fundamental tenets of safety philosophy. The DID approach is applied to the specific safety issues of NFCFs.
As the safety issues relevant to the sustainability assessment of refining and conversion facilities are similar to those of enrichment facilities, the INPRO methodology criteria for those two types of facilities are combined in this manual and not discussed separately. Based on similar considerations, the assessments of uranium and uranium-plutonium mixed oxide (MOX) fuel fabrication facilities have likewise been combined . However, particular care must be taken to ensure that using a graded assessment approach and enhanced safety measures for higher risk facilities (e.g. using plutonium or uranium with higher enrichments/criticality risks) will yield appropriately enhanced levels of safety.
It should be noted that for NFCFs the INPRO methodology includes the consideration of chemical and industrial safety issues, principally where these could affect facility integrity or radiological safely. Although otherwise beyond the scope of this guidance, it bears noting that care is required due to the different public perceptions of the risks posed by conventional and radiological events and releases and, conversely, the negative reactions that may be generated about an NFCF’s radiological safety if conventional safety events occur.
In the current version of the INPRO methodology, the sustainability issues relevant to safety of reactors and safety of NFCFs are considered in different areas. Innovative integrated systems combining reactors, fuel fabrication and reprocessing facilities on the same site such as molten salt reactors with nuclear fuel in liquid form and integrated fast reactors with metallic fuel has not been specifically addressed. Reactor and NFCF installations of such integrated systems are expected to be assessed simultaneously and independently against corresponding criteria in the INPRO areas of reactor safety and safety of NFCFs. When more detailed information on the safety issues in integrated systems has been acquired, this approach can be changed in the next revisions of the INPRO methodology.
NFCFs processing nuclear materials in a given stage of the fuel cycle may be based on different technologies with different safety issues. Different kinds of fuel may be fabricated or reprocessed in different facilities serving different reactors. In this report, the discussion is restricted to the fabrication of fuels most commonly used in power reactors; however, the requirements and criteria have been formulated in a sufficiently generic manner and are therefore expected to be applicable to innovative technologies. Nevertheless, the fabrication or reprocessing technologies for innovative types of fuels (e.g. TRISO fuel with carbon matrix, metal fuel, nitride fuel) may involve safety issues requiring the modification of specific INPRO methodology criteria or the introduction of new or complementary criteria. It is expected that the future accrual of more detailed information on safety issues in innovative NFCFs will give rise to proposed modifications of the INPRO criteria and that these will be considered in future revisions of the methodology.
In this version of the INPRO methodology, the transportation of fresh nuclear fuel, spent nuclear fuel, and other radioactive materials or wastes throughout the nuclear fuel cycle has not been generally considered as independent stages of the nuclear fuel cycle. The INPRO methodology does not define specific requirements and criteria for such transportation but assumes that the safety issues of transportation are to be considered as part of the INPRO assessments of those NFCFs from which such packaging and transportation activities originate, e.g. fuel fabrication facilities for fresh fuel transportation and spent fuel storage facilities for spent fuel transportation. The IAEA has developed a set of safety standards to establish requirements and recommendations that need to be satisfied to ensure safety and to protect persons, property and the environment from the effects of radiation in the transport of radioactive material[1][2][3][4][5][6].
This manual does not establish any specific safety requirements, recommendations or criteria. The INPRO methodology is an internationally developed metric for measuring nuclear energy system sustainability and is intended for use in support of nuclear energy system planning studies. IAEA safety requirements and guidance are only issued in the IAEA Safety Standards Series. Therefore, the basic principles, user requirements and associated criteria contained in the INPRO methodology should only be used for sustainability assessments. The INPRO methodology is typically used by Member States in conducting a self-assessment of the sustainability and sustainable development of nuclear energy systems. This manual should not be used for formal or authoritative safety assessments or safety analyses to address compliance with the IAEA Safety Standards or for any national regulatory purpose associated with the licensing or certification of nuclear facilities, technologies or activities.
The manual does not provide guidance on implementing fuel cycle safety activities in a country. Rather, the intention is to check whether such activities and processes are (or will be) implemented in a manner that satisfies the INPRO methodology criteria, and hence the user requirements and the basic principle for sustainability assessment in the area of safety of NFCFs.

Structure

This publication follows the relationship between the concept of sustainable development and different INPRO methodology areas. Section 2 describes the linkage between the United Nations Brundtland Commission’s concept of sustainable development and the IAEA’s INPRO methodology for assessing the sustainability of planned and evolving NESs. It further describes general features of NFCF safety and presents relevant background information for the INPRO assessor. Section 3 identifies the information that needs to be assembled to perform an INPRO assessment of NES sustainability in the area of NFCF safety. Separate page NFCF identifies the different types of facilities that can form part of a nuclear fuel cycle. This page also provides an overview of the general safety aspects of those facilities. Section 4 presents the rationale and background of the basic principle and user requirements for sustainability assessment in the INPRO methodology area of NFCF safety. Criteria are then presented in Sections 5 to 9 along with a procedure at the criterion level for assessing the potential of each NFCF to fulfil the respective INPRO methodology requirements. The Annex presents a brief overview of the selected IAEA Safety Standards for NFCFs that are the basis of the INPRO methodology in this area. The Annex also explains the relationship and differences between the IAEA Safety Standards and the INPRO methodology. Table 1 provides an overview of the basic principle and user requirements for sustainability assessment in the area of NFCF safety.

Table 1. Overview of the INPRO basic principle and User requirements for sustainability assessment in the area of NFCF safety
INPRO basic principle for sustainability assessment in the area of NFCF safety: The planned NFCF is safer than the reference NFCF. In the event of an accident, off-site releases of radionuclides and/or toxic chemicals are prevented or mitigated so that there will be no need for public evacuation.
UR1: Robustness of design during normal operation The assessed NFCF is more robust than the reference design with regard to operation and systems, structures and components failures.
UR2: Detection and interception of AOOs The assessed NFCF has improved capabilities to detect and intercept deviations from normal operational states in order to prevent AOOs from escalating to accident conditions.
UR3: Design basis accidents (DBAs) The frequency of occurrence of DBAs in the assessed NFCF is reduced. If an accident occurs, engineered safety features and/or operator actions are able to restore the assessed NFCF to a controlled state, and subsequently to a safe state, and the consequences are mitigated to ensure the confinement of radioactive and/or toxic chemical material. Reliance on human intervention is minimal, and only required after sufficient grace period.
UR4: Severe plant conditions The frequency of an accidental release of radioactivity into the environment is reduced. The source term of accidental release into the environment remains well within the envelope of the reference facility source term and is so low that calculated consequences would not require public evacuation.
UR5: Independence of DID levels and inherent safety characteristics An assessment is performed to demonstrate that the DID levels are more independent from each other than in the reference design. To excel in safety and reliability, the assessed NFCF strives for better elimination or minimization of hazards relative to the reference design by incorporating into its design an increased emphasis on inherently safe characteristics.
UR6: Human factors (HF) related to safety Safe operation of the assessed NFCF is supported by accounting for HF requirements in the design and operation of the facility, and by establishing and maintaining a strong safety culture in all organizations involved in the life cycle of the facility.
UR7: RD&D for advanced designs The development of innovative design features of the assessed NFCF includes associated research, development and demonstration (RD&D) to bring the knowledge of facility characteristics and the capability of analytical methods used for design and safety assessment to at least the same confidence level as for operating facilities.

NFCF safety issues related to nuclear energy system sustainability

This section presents the relationship of the INPRO methodology with the concept of sustainable development, a comparison of NFCFs with chemical plants and nuclear reactors, and a summary of INPRO recommendations on the application of the DID concept to NFCFs.

The concept of sustainable development and its relationship with the INPRO methodology in the area of NFCF safety

The United Nations World Commission on Environment and Development Report [7](often called the Brundtland Commission Report), defines sustainable development as “development that meets the needs of the present without compromising the ability of future generations to meet their own needs” (para.1). Moreover, this definition:

“contains within it two key concepts:

  • the concept of ‘needs’, in particular the essential needs of the world’s poor, to which overriding priority should be given; and
  • the idea of limitations imposed by the state of technology and social organization on the environment’s ability to meet present and future needs.”

Based on this definition of sustainable development a three-part test of any approach to sustainability and sustainable development was proposed within the INPRO project: 1) current development should be fit to the purpose of meeting current needs with minimized environmental impacts and acceptable economics, 2) current research, development and demonstration programmes should establish and maintain trends that lead to technological and institutional developments that serve as a platform for future generations to meet their needs, and 3) the approach to meeting current needs should not compromise the ability of future generations to meet their needs.
The definition of sustainable development may appear obvious, yet passing the three-part test is not always straightforward when considering the complexities of implemented nuclear energy systems and their many supporting institutions. Indeed, many approaches may only pass one or perhaps two parts of the test in a given area and fail the others. Where deficiencies are found, it is important that appropriate programmes be put in place to meet all test requirements to the extent practicable. Nevertheless, in carrying out an NFCF INPRO assessment, it may be necessary to make judgements based upon incomplete knowledge and to recognize, based upon a graded approach, the variable extent of the applicability of these tests for a given area.
The Brundtland Commission Report’s overview (para.61 in Ref[7]) on nuclear energy summarized the topic as follows:

“After almost four decades of immense technological effort, nuclear energy has become widely used. During this period, however, the nature of its costs, risks, and benefits have become more evident and the subject of sharp controversy. Different countries world-wide take up different positions on the use of nuclear energy. The discussion in the Commission also reflected these different views and positions. Yet all agreed that the generation of nuclear power is only justifiable if there are solid solutions to the unsolved problems to which it gives rise. The highest priority should be accorded to research and development on environmentally sound and ecologically viable alternatives, as well as on means of increasing the safety of nuclear energy.”

The Brundtland Commission Report presented its comments on nuclear energy in Chapter 7, Section III. In the area of nuclear energy, the focus of sustainability and sustainable development is on solving certain well known problems (referred to here as ‘key issues’) of institutional and technological significance. Sustainable development implies progress and solutions in the key issue areas. Seven key issues are discussed:

  1. Proliferation risks;
  2. Economics;
  3. Health and environment risks;
  4. Nuclear accident risks;
  5. Radioactive waste disposal;
  6. Sufficiency of national and international institutions (with particular emphasis on intergenerational and transnational responsibilities);
  7. Public acceptability.

The INPRO methodology for self-assessing the sustainability and sustainable development of a NES is based on the broad philosophical outlines of the Brundtland Commission’s concept of sustainable development described above. Although three decades have passed since the publication of the Brundtland Commission Report and eighteen years have passed since the initial consultancies on development of the INPRO methodology in 2001 the definitions and concepts remain valid. The key issues for sustainable development of NESs have remained essentially unchanged over the intervening decades, although significant historical events have starkly highlighted some of them.
During this period, several notable events have had a direct bearing on nuclear energy sustainability. Among these were events pertaining to non-proliferation, nuclear security, waste management, cost escalation of new construction and, most notably, to nuclear safety.
Each INPRO methodology manual examines a key issue of NES sustainable development. The structure of the methodology is a hierarchy of INPRO basic principles, INPRO user requirements for each basic principle, and specific INPRO criteria for measuring whether each user requirement has been met. Under each INPRO basic principle for the sustainability assessment of NESs, the criteria include measures that take into consideration the three-part test based on the Brundtland Commission’s definition of sustainable development as described above.
The Commission Report noted that national governments were responding to nuclear accidents by following one of three general policy directions:

“National reactions indicate that as they continue to review and update all the available evidence, governments tend to take up three possible positions:

  • remain non-nuclear and develop other sources of energy;
  • regard their present nuclear power capacity as necessary during a finite period of transition to safer alternative energy sources; or
  • adopt and develop nuclear energy with the conviction that the associated problems and risks can and must be solved with a level of safety that is both nationally and internationally acceptable.”

These three typical national policy directions remain consistent with practice to the current day. Within the context of a discussion on sustainable development of nuclear energy systems, it would seem that the first two policy positions cannot result in development of a sustainable nuclear energy system in the long term since nuclear energy systems are either avoided altogether or phased out over time. However, it is arguable that both policy approaches can meet the three-part Brundtland sustainable development test if technology avoidance or phase-out policies are designed to avoid foreclosing or damaging the economic and technological opportunity for future generations to change direction and start or re-establish a nuclear energy system. This has certain specific implications regarding long term nuclear education, knowledge retention and management and with regard to how spent nuclear fuels and other materials, strategic to nuclear energy systems, are stored or disposed of.
The third policy direction proposes to develop nuclear energy systems that “solve” the problems and risks through a national and international consensus approach to enhance safety. This is a sustainable development approach where the current generation has decided that nuclear energy is necessary to meet its needs, while taking a positive approach to develop enhanced safety to preserve the option in the future. In addition to the general outlines of how and why nuclear reactor safety is a principal key issue affecting the sustainability and sustainable development of nuclear energy systems, the Commission Report also advised that several key institutional arrangements should be developed. Since that time, efforts to establish such institutional arrangements have achieved a large measure of success. The Brundtland Commission Report was entirely clear that enhanced nuclear safety is a key element to sustainable development of nuclear energy systems. It is not possible to measure nuclear energy system sustainability apart from direct consideration of certain safety issues.
Understanding the psychology of risk perception in the area of nuclear safety is critical to understanding NES sustainability and sustainable development. In a real measured sense, taking into account the mortality and morbidity statistics of other non-nuclear energy generation technology chains (used for similar purpose), nuclear energy has an outstanding safety record, despite the severe reactor accidents that have occurred. However, it should not be presumed that this means that reactor safety is not a key issue affecting nuclear energy system sustainability. How do dramatically low risk estimations (ubiquitous in nuclear energy system probabilistic risk assessment) sometimes psychologically disguise high consequence events in the minds of designers and operators, while the lay public perception of risk (in a statistical sense) may be tilted quite strongly either toward supposed consequences of highly unlikely, but catastrophic disasters, or toward a complacent lack of interest in the entire subject? This issue has been studied for many years. What should be the proper metrics for the INPRO sustainability assessment methodology given that the technical specialist community has developed an approach that may seem obscure and inaccessible to the lay public?
With regard to nuclear safety, the public are principally focussed on the individual and collective risks and magnitude of potential consequences in case of accidents (radiological, economic and other psychosocial consequences taken together). In the current INPRO manual, the URs and CRs focus on assessment of the NES characteristics associated with the majority of these issues. Unlike several other key sustainability issues assessed in other areas of the INPRO methodology, Brundtland sustainability in the area of nuclear safety is intimately tied to public perception of consequence and risk. Continuously allaying public concern about nuclear reactor safety is central to sustainability and sustainable development of nuclear energy systems.
This report describes how to assess NES sustainability with respect to the safety of NFCFs.

How NFCFs compare with nuclear reactors and chemical plants

As stated in Section 3 of Ref[8], NFCFs imply a great diversity of technologies and processes. They differ from nuclear power plants (NPPs) in several important aspects, as discussed in the following paragraphs.
First, fissile materials and wastes are handled, processed, treated, and stored throughout NFCF mostly in dispersible (open) forms. Consequently, materials of interest to nuclear safety are more distributed throughout NFCF in contrast to NPP, where the bulk of nuclear material is located in the reactor core or fuel storage areas. For example, nuclear materials in current reprocessing plants are present for most or part of the process in solutions that are transferred between vessels used for different parts of the processes, whereas in most NPPs nuclear material is present in concentrated form as solid fuel.
Second, NFCFs are often characterized by more frequent changes in operations, equipment and processes, which are necessitated by treatment or production campaigns, new product development, research and development, and continuous improvement.
Third, the treatment processes in most NFCFs use large quantities of hazardous chemicals, which can be toxic, corrosive and/or combustible.
Fourth, the major steps in NFCFs consist of chemical processing of fissile materials, which may result in the inadvertent release of hazardous chemicals and/or radioactive substances, if not properly managed.
Fifth, the range of hazards in some NFCFs can include inadvertent criticality events, and these events can occur in different locations and in association with different operations.
Finally, in NFCFs a significantly greater reliance is placed on the operator, not only to run a facility during its normal operation, but also to respond to anticipated operational occurrences and accident conditions [9].
Whereas the reactor core of an NPP presents a very large inventory of radioactive material and coolant at high temperature and pressure and within a relatively small volume, the current generation of NFCFs operate at near ambient pressure and temperature and with comparatively low inventories at each stage of the overall process. Accidents in NFCFs may have relatively low consequences when compared against nuclear power plants. Exceptions to this are facilities used for the large scale interim storage of liquid fission products separated from spent fuel and, where applicable, facilities for separating and storing plutonium.
In some cases in an NFCF, there are rather longer timescales involved in the development of accidents and less stringent process shutdown requirements are necessary to maintain the facility in a safe state, as compared to an NPP. Nevertheless, the INPRO area of NFCF safety applies the principles of the DID concept and encourages the NFCF designers to enhance the independence of DID levels in new facilities. NFCFs also often differ from NPPs with respect to the enhanced importance of ventilation systems in maintaining their safety even under normal operation. This is because nuclear materials in these facilities are in direct contact with ventilation or off-gas systems. Various forms and types of barriers between radioactive inventories and operators may have different vulnerabilities. Fire protection and mitigation assume greater importance in an NFCF due to the presence of larger volumes of organic solutions and combustible gases. With fuel reprocessing or fuel fabrication facilities, the wide variety of processes and material states such as liquids, solutions, mixtures and powders needs to be considered in safety analysis.
From this point of view, the safety features of NFCFs are often more similar to chemical process plants than those of NPPs. In addition, radioactivity and toxic chemical releases and criticality issues warrant more attention in NFCFs than in NPPs . Further comparisons of the relevant features of an NPP, a chemical process plant and an NFCF are presented in Table 2.

Table 2. Typical differences between NPPs, chemical process plants and NFCFs (modified from Ref[10]).
Feature NPP Chemical Process Plant NFCF
Type of hazardous materials Mainly nuclear and radioactive materials A variety of materials dependent on the plant (acids, toxins, explosives, combustibles, etc.) - Nuclear and radioactive materials;

- Acids, toxins, combustibles (nitric acid, hydrogen fluoride, solvents, process and radiolytic hydrogen, etc.)

Areas of hazardous sources and inventories - Localized in core, fuel storage and spent fuel pool;

- Standardized containment system, cooling of residual heat, criticality management

Distributed in the process and present throughout the process equipment - Present throughout the process equipment in the facility;

- Consisting both of nuclear materials and chemically hazardous materials;
- Containment relies on both physical barriers and ventilation

Physical forms of hazardous materials (at normal operation) - Fuel in general is in solid form ;

- Other radioactive materials in solid, liquid, gaseous form

Wide variety of physical forms dependent on the process, e.g. solid, liquid, gas, slurry, powder - Wide variety of physical forms of nuclear and radioactive materials;

- Wide variety of physical forms of chemically hazardous materials

As outlined above, from a safety point of view, NFCFs are characterized by a variety of physical and chemical treatments applied to a wide range of radioactive materials in the form of liquids, gases and solids. Accordingly, it is necessary to incorporate a correspondingly wide range of specific safety measures in these activities. Radiation protection requirements for the personnel are more demanding, especially in view of the many human interventions required for the operation and maintenance of an NFCF. The safety issues encountered in various NFCFs have been discussed in [8][9]. A comprehensive description of the safety issues of fuel cycle facilities is provided in Ref[11].

FIG.1. Conceptual comparison of safety characteristics between an NPP and a reprocessing facility.

For most existing NFCFs, the emphasis is on the control of operations using administrative and operator controls to ensure safety as well as engineered safety features, as opposed to the emphasis on engineered safety features used in reactors. There is also more emphasis on criticality prevention in view of the greater mobility (distribution and transfer) of fissile materials. Because of the intimate human contact with nuclear materials in the process, which may include (open) handling and transfer of nuclear materials in routine processing, special attention is warranted to ensure worker safety. Potential intakes of radioactive materials require control to prevent and minimize contamination and thus ensure adherence to specified operational dose limits. In addition, releases of radioactive materials into the facilities and through monitored and unmonitored pathways can result in significant exposures.
The number of physical barriers in an NFCF that are necessary to protect the workers, the environment and the public depends on the potential internal and external hazards, and the consequences of failures; therefore the barriers are different in number and strength for different kinds of NFCFs (the graded approach). For example, in mining, the focus is on preventing contamination of ground or surface water with releases from uranium mining tails. Toxic chemicals and uranium by-products are the potential hazards of the conversion stage and for forms of in-situ mining. In enrichment and fuel fabrication facilities (with no recycling of separated or recovered nuclear material from spent fuel), safety is focused on preventing criticality in addition to avoiding contamination via low-level radioactive material.
It might be possible to enhance safety features in a nuclear energy system by co-location of front end (e.g. mining/ milling, conversion and enrichment, and fuel production facilities) and back end (reprocessing and waste management) facilities. This would have benefits through minimal transport, optimisation and alignment of processes, avoiding multiple handling of radioactive materials in different plants of the fuel cycle and comprehensive and integrated waste treatment and storage facilities.
Compared to safety of operating NPPs, only limited open literature is available on the experience related to safety in the operation of NFCFs. Examples of United States Nuclear Regulatory Commission regulation are provided in Refs[12][13][14][15][16]. Safety of and regulations for NFCFs have been discussed in IAEA meetings and conferences [8][9]. Aspects of uranium mining have been reported extensively [17][18][19][20][21][22][23][24]. The Nuclear Energy Agency of the Organization for Economic Cooperation and Development published a comprehensive report on safety of nuclear installations in 2005[25]. Safety guides on conversion/enrichment facilities, fuel fabrication, reprocessing and spent fuel storage facilities have also been published by the IAEA[26][27][28][29][30]. It is obvious that in well-designed NFCFa, the safety related events that have a high hazard potential will have low frequency of occurrence and vice versa. For example, Fig. 1 (modified from Ref[31]) conceptually compares the relationship between potential consequences and frequency for safety related events in a nuclear power plant and a reprocessing facility.
The figure demonstrates that, compared to accidents in an NPP, an NFCF may have relatively higher consequences of accidents having higher probability of occurrence, e.g. accidental criticality. However, accidents with very high consequences have essentially lower probability than in NPPs and can only occur in a few high inventory NFCFs, typically large reprocessing plants and associated liquid high level waste interim storage facilities[32].

Application of the Defence-In-Depth concept to NFCFs

The original concept of defence in depth was developed by the International Safety Advisory Group (INSAG) and published in 1996 [33]. Historically it is based on the idea of multiple levels of protection, including consecutive barriers preventing the release of radioisotopes to the environment, as already formulated in Ref[34]:

“All safety activities, whether organizational, behavioural or equipment related, are subject to layers of overlapping provisions, so that if a failure were to occur it would be compensated for or corrected without causing harm to individuals or the public at large”

The application of DID to NFCFs takes into account their following features:

  • The energy potentially released in a criticality accident in a fuel cycle facility tends to be relatively small. However, generalization is difficult as there are several fuel fabrication or reprocessing options for the same or different type of fuels;
  • The power density in a fuel cycle facility in normal operation is typically several orders of magnitude less than in a reactor core;
  • In a reprocessing facility, irradiated fuel pins are usually mechanically cut (chopped) into small lengths suitable for dissolution and the resultant solution is further subjected to chemical processes. This may create a possibility for larger releases of radioactivity to the environment on a routine basis as compared to reactors;
  • The likelihood of a release of chemical energy is higher in fuel cycle facilities of reprocessing, re-fabrication, etc. Chemical reactions are part of the processes used for fresh fuel fabrication as well as for reprocessing of spent nuclear fuel.

The numbers of barriers to radioactive releases to the environment depend in different types of NFCFs on the forms, conditions, inventories and radiotoxicity levels of the processed nuclear materials. Table 3 gives a summary of the typical numbers of barriers to radioactive releases to the environment in existing NFCFs at different steps of nuclear fuel cycle.

Table 3. Typical numbers of barriers in existing NFCFs
Facility type Number of barriers
Mining 0–1
Milling / Processing / Conversion 1–2
Enrichment 2
Fuel manufacture Low radioactivity 1–2
High radiotoxicity 2–3
Fresh fuel storage 2
Fresh fuel transportation 2
Spent fuel transportation 3
Spent fuel storage Wet 2
Dry 3
Reprocessing 3
Reprocessing product storage including waste Low radiotoxicity 2
High radiotoxicity 3

Table 4 summarises how INPRO uses the DID concept within this sustainability assessment methodology for the area of NFCF safety. The INPRO methodology applies this DID concept to all NCFCs as part of a graded approach that considers the level of risks in each individual facility.

Table 4. INPRO proposals for applying the defence-in-depth concept to sustainability assessment in the area of NFCF safety
Level DID level purpose[11] INPRO methodology proposals for NFCFs
1 Prevent deviations from normal operation and the failure of items important to safety. Enhance prevention by increasing the robustness of the design, and by further reducing human error probabilities in the routine operation of the plant. Enhance the independence among DID levels.
2 Detect and control deviations from operational states in order to prevent anticipated operational occurrences at the facility from escalating to accident conditions. Give priority to advanced monitoring, alarm and control systems with enhanced reliability and intelligence. Together with qualified procedures for operators, the systems need to be able to anticipate and detect abnormal operational states, prevent their progression and restore normalcy. Enhance the independence among DID levels.
3 Prevent releases of radioactive material and associated hazardous material or radiation levels that require off-site protective actions. Decrease the expected frequency of accidents. Achieve fundamental safety functions by an optimized combination of inherent safety characteristics, passive safety features, automatic systems and operator actions; limit and mitigate accident consequences; minimize reliance on human intervention, e.g. by increasing grace periods. Enhance the independence among DID levels.
4 Mitigate the consequences of accidents that result from failure of the third level of DID and ensure that the confinement function is maintained, thus ensuring that radioactive releases are kept as low as reasonably achievable. Decrease the expected frequency of severe plant conditions; increase the reliability and capability of systems to control and monitor severe accident sequences; reduce the characteristics of the source term of the potential emergency off-site releases of radioactivity Avoid ‘cliff-edge’ failures of items important to safety. Enhance the independence among DID levels.
(5) Mitigate the radiological consequences and associated chemical consequences of releases or radiation levels that could potentially result from accidents. Emergency preparedness is covered in another area of the INPRO methodology called Infrastructure[35].

Necessary INPUT for a sustainability assessment in the area of safety of nuclear fuel cycle facilities

Definition of a nuclear energy system to be assessed

See NES for clear definition of nuclear energy system.
For a NES sustainability assessment in this area of the INPRO methodology, the NFCF to be assessed and a reference design have to be defined. Where possible, the reference design has to be determined as an NFCF of most recent design operating in 2013, preferably from the same designer as the assessed facility, and complying with the current safety standards. In such a case, the INPRO assessment in this area is expected to demonstrate an increased safety level to achieve long term sustainability in the assessed NFCF in comparison to the reference design. If a reference design cannot be identified within the same technology lineage, a similar existing comparable technology or, when other options are not available, an existing facility of different technology used for the same purpose can be used as a reference. If a reference design cannot be defined, it needs to be demonstrated through the assessment of RD&D results that the NFCF design employs the best international practice to achieve a safety level comparable to most recent technology and that the assessed facility is therefore state of the art.

INPRO assessment by a technology user

An INPRO assessor, being a technology user, needs sufficiently detailed design information on the NFCF to be assessed. This includes information relating to the design basis of the plant, engineered safety features, confinement systems, human system interfaces, control and protection systems, etc. The design information needs to highlight the structures, systems and components (important to safety) that are of evolutionary or innovative design[36] and this could be the focus of the INPRO assessment.
In addition to the information on the NFCF to be assessed, the INPRO assessor needs the same type of information on a reference plant design in order to perform a comparison of both designs. Details of the information needed are outlined in the discussion of the INPRO methodology criteria in the following sections.
If not available in the public domain, the necessary design information could be provided by the designer (potential supplier). Therefore, a close co-operation between the INPRO assessor as a technology user and the designer (potential supplier) is necessary as detailed in the INPRO methodology overview manual.
In addition, all relevant operational and maintenance data and history of the reference facility will be useful as well as any records of modifications, any failures and incidents in the reference NFCF or similar facilities.

Results of safety assessments

To assess sustainability, the INPRO assessor will need access to the results of a safety assessment of a reference plant and to the basic design information of the NFCF to be assessed that includes a safety analysis that evaluates and assesses challenges to safety under various operational states, AOO and accident conditions using deterministic and probabilistic methods; this safety assessment is supposed to be performed and documented by the designer (potential supplier) of the NFCF to be assessed.
For an NFCF to be assessed using the INPRO methodology, the safety assessment would need to include details of the RD&D carried out for advanced aspects of the design. Such information is usually found in a (preliminary) safety report (or comparable document) that may be available in public domain or could be provided by the designer (potential supplier) of the NFCF. Thus, as stated before, a close co-operation between the INPRO assessor as a technology user and the designer (potential supplier) is necessary.

INPRO assessment by a technology developer

In principle, an INPRO assessment can be carried out by a technology developer at any stage of the development of an advanced NFCF design. This assessment can be performed as an internal evaluation and does not require results of the formal safety assessment. However, it needs to be recognized that the extent and level of detail of design and safety assessment information available will increase as the design of an advanced NFCF progresses from the conceptual stage to the development of the detailed design. This will need to be taken into account in drawing conclusions on whether an INPRO methodology sustainability requirement for safety has been met by the advanced design.
One potential mode for the technology developer’s use of the INPRO methodology is in performing a limited scope assessment. Limited scope INPRO assessments can be focused on specific areas and specific nuclear energy system installations having different levels of maturity. A limited scope study may assess the facility design under development and may help highlight gaps to be closed in on-going RD&D studies and define the scope of data potentially needed to make future judgements on system sustainability.

Other sources of INPUT

The assessor can use the IAEA Fuel Incident Notification and Analysis System (FINAS) and other international and national event reporting systems for specific and general information relevant to the technology type and detailed design of an advanced NFCF.

INPRO basic principle for sustainability assessment in the area of safety of nuclear fuel cycle Facilities

This section presents some background on the INPRO basic principle (BP) and user requirements (UR) for sustainability assessment in the area of NCFC safety. It is noted that the INPRO methodology in this area was originally developed with a nuclear power plant in mind and had to be adapted, especially at the criterion level, to the individual NFCF.
INPRO basic principle for sustainability assessment in the area of NFCF safety: The planned NFCF is safer than the reference NFCF. In the event of an accident, off-site releases of radionuclides and/or toxic chemicals are prevented or mitigated so that there will be no need for public evacuation.
The main goal of the INPRO basic principle is to encourage the designer/developer to increase the safety level of a new facility to be installed after 2013. To achieve this goal, the INPRO methodology proposes that NFCF designers/ developers undertake the following key measures:

  • Incorporate enhanced defence in depth into an advanced NFCF design as a part of the fundamental safety approach.
  • Incorporate, when appropriate, inherently safe characteristics and passive systems into advanced NFCF designs as a part of a fundamental safety approach to excel in safety and reliability.
  • Reduce the risk from radiation exposures to workers, the public and the environment during construction/ commissioning, operation, and decommissioning of an advanced NFCF.
  • Perform sufficient RD&D work to bring the knowledge of NFCF characteristics and the capability of analytical methods used for design and safety assessment of a plant with innovative features to at least the same confidence level as for a reference plant.
  • Take human factors into account in the design and operation of an NFCF and establish and maintain a safety culture in all organizations involved in a nuclear power program.

The INPRO methodology has developed seven user requirements to specify in more detail the main measures presented above. These user requirements are to be fulfilled primarily by the designer (developer, supplier) of the NES but also in some cases by the operator. As stated before, the role of the INPRO assessor is to check, based on evidence provided by the designer and operator, whether they have implemented the necessary measures as required by the INPRO methodology. The following sections provide rationale and background information for each user requirement (UR).

UR1

ᅠ User requirement UR1: robustness of design during normal operationᅠ

INPRO user requirement UR1 for sustainability assessment in the area of NFCF safety: The assessed NFCF is more robust than the reference design with regard to operation and systems, structures and components failures. The first INPRO user requirement, UR1, for sustainability assessment in the area of NFCF safety is mostly related to the first level of DID, which is focused on preventing AOOs, i.e. deviations from normal operation and failures of items important to safety. AOOs are defined as those conditions of operation that are caused by events associated with internal or external hazards expected to occur one or more times during the lifetime of an NFCF but that do not cause any significant damage to items important to safety nor lead to accident conditions requiring safety features (Level 3 of DID) to control.
In principle, the design (e.g. mechanical, thermal, electrical, etc.) of normal operating systems in any NFCF can be made more robust, i.e. reducing the likelihood of failures, by increasing design margins, improving the quality of manufacture and construction, and by using materials of higher quality. Sufficient margin in the design needs to be provided so that any small deviation (e.g. resulting from failure) of system parameters from normal operation will not lead to an accident.
It is acknowledged that increasing the robustness of an NFCF design is a challenging task that requires optimisation wherever enhancing one aspect can have a negative influence on other aspects in other areas (e.g. in economics, making the system uncompetitive, or in proliferation resistance). Thus, an optimum combination of design measures is necessary for increasing the overall robustness of a design.
It is important to note that for the assessment of all criteria of user requirement UR1 the INPRO assessor (a technology user) needs information on the facility to be assessed and on a reference facility. The assessed NFCF is expected to demonstrate a safety level superior to that of the reference facility. If a reference facility design is not available to the assessor, it needs to be demonstrated that the assessed facility incorporates the most recent technology and that international best practice has been used, i.e. that the facility is state of the art.
For an operating NFCF, the requirements for design, manufacturing, and operation (and decommissioning) are usually specified in (extensive) national standards or in adopted standards from other countries; the most widely known and used standards are the Nuclear Codes and Standards published by the American Society of Mechanical Engineers.
The major means to achieve an increase in robustness in an NFCF are to ensure a high quality of design, construction and operation, including human performance. For new (innovative or evolutionary) NFCF designs, the expected frequencies of AOOs are expected to be reduced relative to a reference design. This reduction could be achieved by such means as using improved materials, simplified designs to minimize failures and errors, improved design margins (mechanical, thermal, electrical, etc.), increased operating margins, increased redundancies of systems, lessened impacts from incorrect human intervention (the system needs to be tolerant of mistakes), more effective and efficient inspections, continuous monitoring of the plant health, etc. Examples of concepts with increased robustness against certain potential hazards are designs that use passive systems deemed potentially more reliable than active systems (e.g. natural convection cooling), higher reliability self-checking control systems (avoidance of deviations from normal operation), use of non-flammable materials (avoidance of fires), etc. The use of inherent safety characteristics is a useful means of achieving robustness and has been highlighted as a separate user requirement, UR5.
For an NFCF under assessment, measures and features are to be developed that ensure that the robustness of the innovative design against internal and external hazards[33] will be comparable or superior to that of the reference design.
For (innovative) designs of NFCFs still under development and for which no standards may yet exist, at least for the first plant to be installed, a conservative design approach according to existing standards can be proposed as discussed for user requirement UR7.
User requirement UR1 considers occupational doses corresponding to Levels 1 and 2 of DID, i.e. at normal operation and for anticipated operational occurrences. It is important to note that UR1 does not consider radiation exposure of workers during accidents. Radiation exposure of workers, public and the environment during/after accidents is dealt with in user requirements UR3 and UR4. A similar approach is supposed to be established for limiting chemical doses to workers.
The need to avoid undue burdens from radiation and/or toxic chemical exposure of the public and the environment during normal operation and AOOs (in an NFCF or nuclear reactor) is covered in a separate area of the INPRO methodology focused on the environmental impacts of stressors[37].
In this context, it bears noting that the International Basic Safety Standards for Radiation Protection and for Safety of Radiation Sources in Ref[38] define acceptable levels of radiation exposure for workers and the public for planned and emergency (accident) exposure situations Additional detailed guidance on occupational radiation protection in NFCFs is provided in Ref[19]. Comparable (mostly national) standards exist for toxic chemicals[39].

UR2

ᅠ User requirement UR2: detection and interception of AOOsᅠ

INPRO user requirement UR2 for sustainability assessment in the area of NFCF safety: The assessed NFCF has improved capabilities to detect and intercept deviations from normal operational states in order to prevent AOOs from escalating to accident conditions.
The second user requirement, UR2, for sustainability assessment in the area of NFCF safety involves the limited consideration of selected provisions in the first DID level and mostly relates to the second level of DID, which deals with detection and control of failures and deviations from normal operational states in order to prevent AOOs from escalating to accident conditions. The objective is met if the plant returns to normal operation either automatically or through operator action after an AOO or component failure and a progression to higher levels of DID is avoided.
In the design of a new NFCF (to be installed after 2013), priority is expected to be given to advanced instrumentation and control (I&C) systems and improved reliability of these systems. The facility needs to be designed to give the operator a sufficient grace period after an AOO or failure. In the longer term, priority can be given to design-specific inherent safety features and to robust and simple (possibly passive) control as well as advanced monitoring and alarm systems.
The main function of the I&C system in this level of DID is to detect deviations from normal operation and failures, produce an alarm, and together with operator actions prescribed in detailed operating procedures, enable rapid return of the facility to normal operating conditions with, ideally, no consequences, e.g. no need for follow up inspections or regulatory event reports.
I&C systems process measurement data from several different kinds of instrumentation. Examples of I&C systems include: conventional process instrumentation, vessel fluid level measurement instrumentation, radiation monitoring and alarm instrumentation, accident instrumentation, and hydrogen detection and measurement instrumentation. These instrumentation sets contain channels of different importance to safety.

UR3

ᅠ User requirement UR3: design basis accidentsᅠ

INPRO user requirement UR3 for sustainability assessment in the area of NFCF safety: The frequency of occurrence of DBAs in the assessed NFCF is reduced. If an accident occurs, engineered safety features and/or operator actions are able to restore the assessed NFCF to a controlled state, and subsequently to a safe state, and the consequences are mitigated to ensure the confinement of radioactive and/or toxic chemical material. Reliance on human intervention is minimal, and only required after sufficient grace period.
The third user requirement, UR3, for sustainability assessment in the area of NFCF safety is mostly related to the third level of DID, which concentrates on the control of accidents to prevent releases of radioactive materials and associated hazardous materials or radiation levels that would require off-site protective actions. The objective is met if the accident consequences are limited to within the design basis. The ‘design bases’ of a facility are the conditions and events taken into account in the NFCF design such that the facility can withstand them by the intended operation of engineered safety features, inherent safety features and prescribed operator interventions without exceeding authorized limits. Thus, a DBA is an accident causing conditions[40] for which a facility is designed, in accordance with established design criteria and conservative methodology, and for which releases of radioactive and/or chemically toxic materials are kept within authorized limits. Authorized limits of radiation exposure after accidents in nuclear facilities are expected to comply with the IAEA Safety Standards[19][38]. Examples of limits for chemical exposure can be found in Ref[39].
A grace period needs to be available before human (operator) intervention is necessary to prevent the escalation of a DBA into an accident with large releases of radioactivity and/or toxic chemicals to the environment. This grace period depends upon the nature of the NFCF, the type of incident, and the system parameters at the time of the incident, etc. However, based on available international experience, a grace period of 10 to 30 minutes is given as the typical decision interval for the operator in the event of a DBA in an NPP[34]. A similar approach could be adapted for NFCFs other than mining and milling activities.
The term ‘controlled state’ is characterized by a situation in which either the facility’s engineered safety features or its prescribed operator interventions are able to compensate for the loss of functionality resulting from a DBA. The term ‘frequency of occurrence’ as used in user requirement UR3 refers to the number of events per NFCF year that lead to a DBA as determined via probabilistic methods (PSA). In the context of DBAs (caused by postulated initiating events associated with internal or/and external hazards), the term ‘grace period’ refers to the time period during which no operator inventions are needed and solely the actions of automatic active (and/or passive) safety features will suffice to keep the analysed DBA from escalating to a severe accident with potentially large releases to the environment.
Passive safety features can provide additional safety gains. Safety features consisting solely of passive components are very often deemed more reliable than active safety features due to missing (or a reduced number of) active components. In addition, no (or very limited) human actions are needed and, thus, the likelihood of human errors is very low. Nevertheless, failures in passive safety features due to human error in design or maintenance, the presence of unexpected phenomena, and potential adverse system interactions, are expected to be analyzed and may need to be compensated by other design measures. It is acknowledged that some kinds of passive safety features can be difficult to design in NFCFs.
Ensuring the confinement of radioactive and/or chemically toxic materials means that the design of engineered safety features and/or operator actions (procedures) for mitigating the consequences of a DBA need to provide deterministically for the continued integrity of at least one barrier to the unacceptable release of radioactive and/or chemically toxic materials following any DBA.

UR4

ᅠ User requirement UR4: severe plant conditionsᅠ

INPRO user requirement UR4 for sustainability assessment in the area of NFCF safety: The frequency of an accidental release of radioactivity into the environment is reduced. The source term of accidental release into the environment remains well within the envelope of the reference facility source term and is so low that calculated consequences would not require public evacuation.
The fourth user requirement UR4 for sustainability assessment in the area of NFCF safety is focused on accident conditions more severe than those in DBAs. It is mainly related to the design extension conditions and to the fourth level of DID, which has the objective to mitigate the consequences of accidents that result from failure of the third level and ensure that radioactive releases are kept as low as reasonably achievable. A severe (nuclear fuel cycle) accident is any event affecting the facility that results in off-site radiological consequences equal to or greater than the high contamination level or radiation level criteria for design extension conditions, i.e. an event more severe than a DBA.
An accidental release of radioactivity could occur if the magnitude of an initiating event (associated with external hazards) exceeds the design basis or additional failures of safety systems and/or operator interventions occur after an initiating event (associated with internal or / and external hazards) that lead to the design extension conditions with severe damage to equipment containing radioactive and / or chemically toxic materials. Consequence mitigation calls for keeping those radioactivity and / or toxic chemicals that are released from internal barriers damaged during an accident inside the NFCF containment/ confinement structure to the extent possible by avoiding any cliff-edge effects that could damage the remaining barrier(s) to external release.
Ref[41] identifies generic criteria for protective actions and other response actions in a nuclear or radiological emergency to reduce the risk of stochastic effects. Projected dose limits indicated as criteria for public evacuation can be used in the INPRO assessment when corresponding national criteria have not been established yet.
For new NFCFs, the capability and reliability of natural and/or engineered processes for controlling complex accident sequences with severe damage is expected to be increased, as well as the capability and reliability of associated instrumentation, control and diagnostic systems. Appropriate severe accident management procedures also need to be developed. Through these measures, the frequency of accidental releases of radioactive and chemically toxic materials can be reduced and the inventory and conditions of release are expected to be constrained to avoid any need to evacuate the population.
When the frequency of accidental releases cannot be calculated with a high level of confidence, the new NFCF design needs to demonstrate deterministically that the probability of an accidental release of radioactivity and/or toxic chemicals into the environment is lower than that for the reference facility, e.g. through improved engineered safety features, prescribed operator actions, and the use of additional inherent safety characteristics or further measures to minimize hazards, and that the consequences (doses, concentrations of toxic chemicals) from an accident would not require public evacuation except as a short term precautionary measure.
It is nevertheless acknowledged that also for new (and advanced) NFCFs, it will still be necessary to establish an emergency preparedness regime[38][41][42] regardless of the safety level of the new NFCF (as discussed in another area of the INPRO methodology focused on infrastructure[35]) in order to meet the objective of the fifth level of the DID concept and the corresponding legal and regulatory requirements.

UR5

ᅠ User requirement UR5: independence of DID levels AND inherent safety characteristicsᅠ

INPRO user requirement UR5 for sustainability assessment in the area of NFCF safety: An assessment is performed to demonstrate that the DID levels are more independent from each other than in the reference design. To excel in safety and reliability, the assessed NFCF strives for better elimination or minimization of hazards relative to the reference design by incorporating into its design an increased emphasis on inherently safe characteristics.
As discussed in Section 2.3, the different levels of DID focus on facility conditions ranging from operational to accident states. The DID levels are arranged with increasing severity from operational states (Level 1) to the control of severe plant conditions, including the prevention of accident progression and the mitigation of severe accident consequences (Level 4). As stated in Ref[33], the general goal of DID is to ensure that even a combination of equipment or human (operator) failures at one level of defence “would not propagate to jeopardize defence in depth at subsequent levels”. Thus, independence of the safety features designed to cope with processes in the different levels of defence is key to meeting this goal.
To confirm sufficient independence of the DID levels in the assessed NFCF design, a safety assessment is supposed to be performed by the designer (potential supplier) using a suitable combination of deterministic and probabilistic approaches, or hazards analysis.
INPRO user requirement UR5 covers also the role of inherent safety characteristics in new NFCF designs (to be installed after 2013). An inherent safety characteristic is defined in Ref[43] as a fundamental property of a design concept that results from the basic choices in the materials used or in other aspects of the design that assure that a particular potential hazard cannot become a safety concern in any way. The term inherent safety is normally used with respect to a particular characteristic, not to the plant as a whole; e.g. an area is inherently safe against internal fire if it contains no combustible material. An increased use of inherent safety characteristics in the design will strengthen accident prevention in advanced NFCFs by reducing hazards.
The design of a new NFCF is expected to be such that hazards are eliminated (if possible) or minimized, e.g. avoiding explosions by eliminating or minimizing the use of explosive gases. If hazards cannot be eliminated, appropriate equipment needs to be installed to prevent potential damage and to protect the installation, its personnel, the public and the environment. In addition, administrative measures need to be implemented to avoid operator errors to the extent possible.
The analysis of an inherent safety characteristic is difficult but can be possible with the application of adequate mathematical models and, in some cases, by experimental investigations. The analysis of hazards and their consequences needs to be performed using deterministic and probabilistic approaches. For the deterministic approach, engineering judgment, operating experience, validation of design tools and continuous exchanges of information with other industries are mandatory. For probabilistic approaches, the methods likewise need to be validated and the data used needs to be reliable. Analyses are expected to cover all operating states, including normal operation, shutdowns, and maintenance and repair intervals.
There are also external hazards associated with the site of an NFCF. Examples of external hazards related to siting include earthquakes, flooding, storms, airplane crashes, and fires and explosions outside the plant. By selecting an appropriate site for an NFCF, these hazards can be minimized.
The necessary RD&D effort to achieve sufficient confidence in advanced designs with increased inherent safety characteristics is discussed in user requirement UR7.

UR6

ᅠUser Requirement UR6: human factors related to safetyᅠ

INPRO user requirement UR6 for sustainability assessment in the area of NFCF safety: Safe operation of the assessed NFCF is supported by accounting for HF requirements in the design and operation of the facility, and by establishing and maintaining a strong safety culture in all organizations involved in the life cycle of the facility.
There are two aspects of safety covered in this user requirement. The first aspect focuses on the design of safety related equipment to minimize effects from human errors. The second aspect covers the attitude to safety of workers in the nuclear facilities and related organizations.
The importance of human factors to the safe and reliable operation of nuclear facilities is globally recognized and is an issue that needs to be dealt with systematically in an NFCF design. The designer of a new NFCF is expected to place increased emphasis on human factors to minimize the possibilities for human (e.g. operator or maintenance worker) error. Any relevant experience available from operating NFCFs and the best practices from other industries such as aircraft and chemical plants need to be considered for this process.
There are two perspectives on human factors. On the one side, the operating staff members are seen as valuable resources who play important roles in facility operation, inspection, testing and maintenance, and who sometimes compensate for deficiencies in automatic systems. On the other side, human intervention can also be seen as having limited reliability and a potential to cause disturbances whose consequences need to be taken into account in the design of all facility systems and functions in order to ensure sufficient levels of safety and availability of the facility.

FIG. 2. Components of safety management[44].

The INPRO task group on safety has summarized the possible negative contributions to accident hazards from human actions into three groups:

  • Human errors during plant operation, testing or maintenance that contribute to the failure or unavailability of systems;
  • Human errors during plant operation, testing or maintenance that give rise to an initiating event; and
  • Human interventions during incident or accident situations that negatively influence the sequence of events.

As a common design principle, it needs to be ensured that:

  • Functions assigned to the operating staff constitute consistent tasks that align with the abilities and strengths of the operating staff (e.g. appropriate degrees of automation, appropriate numbers of tasks, appropriate sharing among centralized and local operating actions);
  • The man-machine interface (e.g. control room, screen-based and conventional control means, processing of information to be presented to the operators) optimally supports the tasks of operators and minimizes the potential for human errors.

It is expected that the ability to predict human response to both normal and abnormal situations will improve significantly over the next decades and will have a major impact on facility design and operation. Simulator technologies are constantly improving and can thus allow more realistic representations (and progression predictions) of transient and accident plant states in expert systems.
A human factors engineering (HFE) program plan needs to be an essential part of the NFCF design process that helps to integrate the operating staff and facility systems and to minimise the frequency of potential human errors. Ref[45] has defined HFE as follows: “The application of knowledge about human capabilities and limitations to designing the plant, its systems, and equipment. HFE affords reasonable assurance that the design of the plant, systems, equipment, human tasks, and the work environment are compatible with the sensory, perceptual, cognitive, and physical attributes of the personnel who operate, maintain, and support the plant or other facility”. Listed below are examples of some design and operational features and assessments that are largely already implemented in existing NFCFs but can be subjected to further improvements in new NFCFs:

  • Feedback from experience including a formal methodology;
  • A probabilistic safety assessment (PSA) taking human error into account;
  • Use of adequate (and quantitative) models that consider the causes of human error and, as such, may help the designer find appropriate measures to avoid the causes of human errors and thus minimize their occurrence;
  • The existence of a separate main control room;
  • Visualization of the status of facility equipment (components, systems, etc.), the dynamics of processes, the performance of automated processes and their relation with the state of the facility in a manner that helps guide operator actions;
  • Monitoring by knowledge-based (expert) systems;
  • Appropriate ambient conditions in safety relevant rooms (e.g. main control room);
  • Appropriate plant operating procedures (e.g. alarm sheets, procedures for normal operations, incidents and accident situations);
  • Formal verification of adequate design implementation;
  • Management of human reliability (e.g. personnel selection, periodic training, etc.).

The term ‘safety culture’ was introduced in 1986 by the International Safety Advisory Group in a summary report of the post-accident review meeting on the Chernobyl accident[46] and was further elaborated in Refs[34][47]. Ref[47] defined safety culture in the following way :

“Safety culture is the assembly of characteristics and attitudes in organizations and individuals, which establish that, as an overriding priority, protection and safety issues receive the attention warranted by their significance”.

This definition emphasizes that safety culture relates to the structure and style of organizations (governmental institutions, owner/operator, and industrial entities) as well as to the habits and attitudes of individuals (managers and employees). Safety culture demands a commitment to safety on three levels: policy, management and individual[44][48][49][50][51][52][53][54]. The policy level requires a clear statement of safety policy, adequate management structures and related resources, and the establishment of self-regulation (by regular review). To fulfil their commitments, managers need to define clearly the responsibilities, accountabilities and safety practices for the control of work, ensure that staff are qualified and trained, establish a system of rewards and sanctions, and perform audits, reviews and benchmarking comparisons. In carrying out their tasks, individuals need to maintain an attentive and questioning attitude, adopt a rigorous and prudent approach, and participate in effective communications (see Fig. 2 taken from Ref[44]). The importance of the management system for safety culture in nuclear facilities has been described in Ref[44], which defines this system as “those arrangements made by the organization for the management of safety in order to promote a strong safety culture and achieve good safety performance”. Organizations go through a number of stages in developing their safety cultures[48]:

  • Safety is compliance driven and is based mainly on rules and regulation;
  • Good safety performance becomes an organizational goal;
  • Safety is seen as a continuing process of improvement to which everyone can contribute.

Ref[49] presents practical advice on how to strengthen safety culture. The status of requirements for establishing, implementing, assessing and continually improving a management system for safety culture are reflected in the IAEA Safety Standards, e.g. Refs[50][51][52][53]. These include generic guidance on establishing, implementing, assessing and continually improving such a management system. As outlined above, safety culture is a complex concept (see also Ref[54]) and there is no single indicator that can be used for determining its status. To capture both observable behaviour and people’s attitudes and basic beliefs, several methods need to be applied including interviews, focus groups, questionnaires, observations and document reviews.
When applying these assessment tools, the key safety culture characteristics and attributes described in Refs[44][51] can be used for the identification of strengths and weaknesses in an organization’s safety culture. Annex 1 of Ref[44]sets out a series of questions for each of the major areas of concern – safety requirements and organization, planning, control and support, etc. – that are helpful in assessing the effectiveness of a safety management system and the status of an organization’s safety culture. Monitoring and measurement of the established and implemented management system effectiveness, self-assessment and performance evaluation of management at all levels, independent assessments conducted regularly, management system reviews, identification of non-conformance and establishment of corrective and preventive actions, and finally identification of improvement opportunities[50][51] are all important elements to consider as evidence as to whether safety culture prevails.
The assessment of a safety culture can only be completed once an organization is actually operating a facility. But the necessity to inculcate a safety culture within an organization and the necessity of a safety management system need to be recognized in the planning phase for a NES. Furthermore, the proposed policies and management structures of the owner/operator can be assessed prior to operation to determine if they are consistent with safety culture. IAEA offers a service to its Member States called ISCA (Independent Safety Culture Assessment) that can assist with evaluating the status of safety culture.

UR7

ᅠUser requirement UR7: necessary RD&D for ADVANCED designsᅠ

INPRO user requirement UR7 for sustainability assessment in the area of NFCF safety: The development of innovative design features of the assessed NFCF includes associated research, development and demonstration (RD&D) to bring the knowledge of facility characteristics and the capability of analytical methods used for design and safety assessment to at least the same confidence level as for operating facilities.
INPRO user requirement UR7 discusses the necessary RD&D efforts for developing NFCFs with primarily innovative but also evolutionary design features.
It is well known that intensive research may be needed to bring the level of knowledge of facility behaviour and the capability of computer codes to model phenomena and system behaviour for innovative NFCF designs to at least the same confidence level as for operating facilities.

FIG. 3. Overview of the different tasks for definition of RD&D

A sound knowledge of the phenomena (e.g. chemical reaction rates, partition coefficients, solubility), and component and system behaviour, where applicable, is required to support the development of analysis tools for NFCF accidents. Hence, the more a facility differs from operating designs, the more RD&D is required. RD&D provides the basis for understanding events that threaten the integrity of barriers defined by the defence in depth concept. RD&D is also expected to provide information to reduce allowances for uncertainties in design, operating envelopes, and in estimates of accident frequencies and consequences.
For most NFCFs, it is acknowledged that the analytical tools (modelling tools) needed for completing a safety assessment comparable to the safety assessments done for nuclear reactors are currently not yet available. To promote the development of safety codes and analytical methods in the area of NFCF safety, the INPRO task group has described a situation that can hopefully be reached within the next decades.
As the development of an innovative design proceeds, RD&D is carried out to identify phenomena important to facility safety and operations and to develop and demonstrate an understanding of such phenomena. At any given point in the development process, the current understanding is incorporated into computer or analytical models that form the basis for design analysis and safety assessments. Such models are then used as tools for sensitivity analyses to identify important parameters and estimate safety margins. The results of such analyses are also used to identify coupled effects and interactions among systems that are important to safety. It is not unusual to obtain unexpected results, particularly in the early stages of development. The results, whether expected or not, are used to guide the RD&D program in efforts such as those to improve conceptual understanding, obtain more accurate data, confirm the extent of system interactions/independence, and adequately characterize the design. The RD&D, in turn, leads to improvements in understanding and in the analytical tools used in design and safety analyses.
The process is iterative: At the pre-conceptual stage of development, physical understanding, analytical models, supporting data bases, and codes may be simplistic and involve significant uncertainties. As development proceeds, understanding increases and uncertainties (both in conceptual understanding and in data) are reduced, and the validation of analytical models and codes improves. At the time of commercialization, all safety relevant phenomena and system interactions need to be identified and understood and the associated codes and models need to be adequately qualified and validated for use in the safety analyses, which in turn demonstrate that the facility design is safe. Complementary aspects are outlined in Ref[55].
At least the following requirements need to be met by the RD&D program of a developer for an innovative or evolutionary design:

  • All significant phenomena affecting safety associated with the design and operation of an innovative NFCF have to be identified, understood, modelled and simulated (this includes the knowledge of uncertainties, and the effects of scaling and environment);
  • Safety-related systems, structures and components behaviour need to be modelled with acceptable accuracy, including knowledge of all safety-relevant parameters and phenomena, and validated with a reliable database.

Figure 3 gives an overview of tasks to be performed in defining the necessary RD&D for an innovative design.
For an innovative design, the first task is to identify all technology differences from operating designs. To identify the knowledge state and the importance of phenomena and system behaviour, an appropriate tool has to be used such as the PIRT process (Phenomena Identification and Ranking Tables), which is based mainly on engineering judgment. In addition, the adequacy and applicability of design and safety analysis computer codes have to be assessed. Both the PIRT results and the assessment of the adequacy and applicability of related computer codes inform the identification and prioritization of required RD&D efforts. An additional peer review by researchers and appropriate safety experts would strengthen the choice of the selected RD&D tasks.
Besides phenomenological data, reliability data including uncertainty bands[56] for designated components need to be evaluated to the extent possible. This is especially valid for passive safety features. During the process of generating new and/or more detailed data (e.g. for computation fluid dynamics codes) the selected RD&D tasks are expected to be repeatedly assessed and necessary changes adopted. Qualified data need to be included in a technology base, e.g. validation matrices.

Concluding remarks

To assess long term sustainability with regard to the safety of an NFCF to be installed after 2013, the INPRO methodology has formulated one basic principle with seven user requirements. INPRO’s sustainability assessment approach in the area of NFCF safety is based on the IAEA Safety Standards and, as derived from those, the application of a DID oriented strategy for comparing the safety attributes of the assessed NFCF designs to those of reference designs. The assessment approach is supported by an increased emphasis on inherent safety characteristics and, where appropriate, passive safety features. Greater independence of the different levels of defence in depth is considered a key element for avoiding failure propagation from one DID level to the next. Using a graded approach, the number of physical barriers in a nuclear facility that are necessary to protect the environment and people depends on the potential internal and external hazards and the potential consequences of failures; therefore, the barriers will vary in number and strength depending on the type of NFCF.
The end point of the enhanced defence in depth strategy of the INPRO methodology is that, even in case of accidents, no emergency environmental releases of radioactivity and/or toxic chemicals can occur that would necessitate public evacuation. Nevertheless, effective emergency planning, preparedness and response capabilities will remain a prudent requirement.

Adaptation of the INPRO methodology to uranium and thorium mining and milling

See Mining and milling of uranium and thorium to find necessary background with a short description of the main processes found in a facility for uranium and thorium mining and milling (or processing). The sustainability assessment method is described in terms of the corresponding criteria of the INPRO methodology in the area of safety, which are adapted as necessary to the specific issues potentially affecting this type of NFCF.
The INPRO methodology for sustainability assessment in the areas of nuclear safety was developed originally with a focus on nuclear power plants and was later adapted to NFCFs. The use of the INPRO methodology for an assessment of a uranium or thorium mining and milling facility required significant modifications of the methodology, as several user requirements and criteria are not directly applicable for such a facility. This section presents how the INPRO methodology in the area of NFCF safety was adapted to a mining and milling facility.

INPRO basic principle for sustainability assessment of uranium and thorium mining and milling facilities in the area of safety

INPRO basic principle for sustainability assessment of uranium or thorium mining and milling facility in the area of safety: The planned uranium or thorium mining and milling facility is safer than the reference mining and milling facility.
The rationale for the BP was provided in Section 4. The definition of the reference NFCF is at NFCF page. This definition comprises several options that can be used to determine the reference NFCF depending on the type of facility assessed and the specific technology used. In the context of uranium and thorium mining and milling, the concept of a reference design is primarily applicable to a milling facility and tailings management facility. Definition of the reference facility for the mine assessed can be fairly challenging compared to other types of NFCF because of very broad variety of technologies used in mining as stipulated by the different types of deposits and different geological/ hydrological conditions. However, when a reference facility cannot be defined for a given mine, at least the systems dealing with radiological hazards (e.g. shielding, ventilation, protection against radon and dust) can be assessed against INPRO criteria.
The INPRO methodology has defined a set of requirements for mining and milling facilities and criteria for the assessment. Several INPRO criteria defined for the sustainability assessment of mining and milling facilities in the area of safety involve consideration of ‘state of the art’ concept as the acceptance limits. These sustainability assessment criteria are related to those specific features of the mining and milling facilities that are important to radiation protection and safety (control of radiation sources). The criteria should therefore not be interpreted as nuclear safety recommendations, industrial safety requirements or general requirements for the mining or milling technology used.
The INPRO methodology user requirements pertaining to mining and milling facilities are displayed in Table 5.

Table 5. INPRO User requirements and criteria for sustainability assessment of mining and milling facilities in the area of NFCF safety
User requirement Criteria Indicator (IN) and Acceptance Limit (AL)
UR1: Robustness of design during normal operation:

The design for the mining/ milling facility assessed is more robust than the reference design with regard to operation and systems, structures and component failures.

CR1.1: Design of normal operation systems IN1.1: Robustness of design of normal operation systems.
AL1.1: Superior to that in the reference design.
CR1.2: Facility performance IN1.2: Facility performance attributes.
AL1.2: Superior to those in the reference design
CR1.3: Inspection, testing and maintenance IN1.3: Capability to inspect, test and maintain.
AL1.3: Superior to that in the reference design.
CR1.4: Failures and deviations from normal operation IN1.4: Expected frequency of failures and deviations from normal operation.
AL1.4: Lower than that in the reference design.
CR1.5: Occupational dose IN1.5: Occupational dose values during normal operation and AOOs.
AL1.5: Lower than the dose constraints.
UR2: Detection and interception of AOO:

The mining/milling facility assessed is capable to monitor, detect and intercept deviations from normal operational states in order to prevent AOOs from escalating to accident conditions.

CR2.1: I&C systems and operator procedures IN2.1: I&C system to monitor, detect, trigger alarms, and, together with operator actions, intercept and compensate AOOs that could lead to radiation exposure of workers.
AL2.1: Availability of such systems and/or operator procedures.
CR2.2: Grace periods for AOOs IN2.2: Grace periods until human (operator) actions are required after detection (and alarm) of AOOs.
AL2.2: Adequate grace periods are defined in the design analyses.
UR3: Accidents:

The frequency of occurrence of accidents in the mining/ milling facility assessed is reduced. If an accident occurs, engineered safety features and/or operator actions are able to restore the facility assessed to a controlled state, and subsequently to a safe state, and the consequences are mitigated to ensure the confinement of nuclear and/or toxic chemical material. Reliance on human intervention is minimal, and only required after sufficient grace period.

CR3.1: Frequency of accidents IN3.1: Calculated frequency of occurrence of accidents.
AL3.1: Lower than that in the reference design.
CR3.2: Engineered safety features and operator procedures IN3.2: Reliability and capability of engineered safety features and/or operator procedures.
AL3.2: Superior to those in the reference design.
CR3.3: Grace periods for accidents IN3.3: Grace periods for accidents until human intervention is necessary.
AL3.3: Longer than those in the reference design.
CR3.4: Barriers IN3.4: Number of confinement barriers maintained (intact) after an accident.
AL3.4: At least one.
UR4: Severe plant conditions
None User requirement UR4 was found to be not directly applicable to a mining and milling facility
UR5: Inherent safety characteristics:

To excel in safety and reliability, the mining/ milling facility assessed strives for elimination or minimization of some hazards relative to the reference design by incorporating into its design an increased emphasis on inherently safe characteristics.

CR5.1: Minimization of hazards IN5.1: Examples of hazards: fire, flooding, release of radioactive material, radiation exposure, etc.
AL5.1: Hazards minimized according to the state of the art.
UR6: Human factors related to safety:

Safe operation of the mining/ milling facility assessed is supported by accounting for HF requirements in the design and operation of the facility, and by establishing and maintaining a strong safety culture in all organizations involved in the life cycle of the facility.

CR6.1: Human factors IN6.1: Human factors addressed systematically over the life cycle of the mining/ milling facility assessed.
AL6.1: Evidence is available.
CR6.2: Attitude to safety IN6.2: Prevailing safety culture.
AL6.2: Evidence is provided by periodic safety reviews.
UR7: RD&D for advanced designs:

The development of innovative design features of the mining/ milling facility assessed includes associated RD&D to bring the knowledge of facility characteristics and the capability of analytical methods used for design and safety assessment to at least the same confidence level as for operating facilities.

CR7.1: RD&D IN7.1: RD&D status.
AL7.1: RD&D defined, performed and database developed.
CR7.2: Safety assessment IN7.2: Adequate safety assessment.
AL7.2: Approved by a responsible regulatory authority.

User requirement UR1: Robustness of design during normal operation

The rationale for UR1 was described in Section 4.1. User requirement UR1 is focused on preventing AOOs. For a mining and milling facility, examples of AOOs that could potentially cause radiation doses to workers include the following:

  • In an underground mine, a malfunction of the ventilation system (needs to be compensated by switchover to a backup system);
  • In a milling facility, a malfunction of the dust prevention equipment in the crushing and grinding unit (leading to accumulation of radioactive dust);
  • In a milling facility, a (small) leakage of (liquid or gaseous) radioactive material in the processing unit.

It is acknowledged that an insufficient radiation protection program (RPP) or a failure by the workers to follow its (administrative) procedures (e.g. keeping distance and limiting presence, wearing of protective respiratory equipment or dose monitoring devices) and to apply (technical) measures defined in the RPP (e.g. shielding) could be also a reason for radiation exposure of workers in a mining and milling facility. This issue of human behaviour (safety culture) is covered in user requirement UR6.
INPRO methodology selected five criteria for UR1 as displayed in Table 5.

Criterion CR1.1: Design of normal operation systems

Indicator IN1.1: Robustness of design of normal operation systems.ᅠ

Acceptance limit AL1.1: Superior to that in the reference design.
All equipment and systems relevant for safety used in a mining and milling facility need to be designed against loads caused by events associated with internal and external hazards (see Section 2.1 of NFCF). The design (e.g. mechanical, thermal, electrical, etc.) of normal operating systems in a mining and milling facility can be made more robust, i.e. reducing the likelihood of failures, by increasing the design margins, improving the quality of manufacture and construction, and by the use of materials of higher quality.
As stated before, in the case of underground mining, the ventilation system and corresponding power supply system are the main operating systems relevant for radiological safety of mine workers . Design of these systems is expected to be more robust in terms of reliability and needs to ensure that radon levels in the mine remain below safety limits. To minimize radon inhalation in an underground uranium mine, one could increase the robustness of the ventilation system by means of enhanced redundancy (e.g. by incorporating a standby system and an auxiliary power supply). Higher robustness of these systems could be achieved by increasing the quality of manufacture and installation and using improved materials adapted to the environment in the mine.
For in-situ leaching mines, the equipment (e.g. piping and pumps) used for processing the uranium solution can be made more robust through design measures similar to those described above for the ventilation system.
The tailings management facility contains large volumes of radioactive (with low activity) and chemically toxic materials as waste from the mining and milling process and these wastes are normally stored and occasionally need to be disposed of. To prevent leakage of these materials to the environment, the tailings management facility needs to be isolated appropriately. The robustness of the isolation function can be increased by such design measures as introducing a liner or even using several layers of barriers against leakage.
The acceptance limit AL1.1 of CR1.1 is met if evidence available to the INPRO assessor shows that the design of the facility assessed is more robust than the reference design. Alternatively, if a reference design cannot be defined, it needs to be demonstrated that the design of the facility assessed has taken available information on best international practice into account and is therefore state of the art.

Criterion CR1.2: Facility performance

Indicator IN1.2: Facility performance attributes.ᅠ

Acceptance limit AL1.2: Superior to those of the reference design.
Superior facility performance can increase the robustness of mining and milling facilities. As stated in Section 1.5 and 2.2 of Mining and milling of uranium and thorium Page, dust that contains radioactive material is one potential source of internal radiation exposure of workers in a uranium or thorium underground or open pit mine and milling facility. Modern operational methods (e.g. wet processes in drilling, hooded equipment in the milling facility) that minimize the generation and spreading of contaminated dust constitute an example of high quality of operation. Prevention of dust inhalation can be further improved by using higher levels of automation.
Uranium or thorium ore can also be a direct source for external radiation exposure for workers in an underground or open pit mine. In case of high concentrations of uranium in the ore, automation and tele-operation (e.g. raise bore method[25]) can minimize the external radiation exposure of workers.
As part of a successful radiation protection program, administrative and engineering procedures (e.g. shielding, compartmentalization, sampling of dust and radon, monitoring of workers’ dose, wearing of protective respiratory equipment, etc.) need to be in place to protect the workers against external and internal radiation exposure. The workers are supposed to receive sufficient training in these administrative and engineering procedures. Worldwide operating experience in uranium and thorium mining and milling facilities is expected to be taken into account in designing the radiation protection program of a new facility.
The acceptance limit AL1.2 of CR1.2 is met if evidence available to the INPRO assessor shows that the quality of operation in the facility assessed is superior to that in the reference design. If a reference facility cannot be defined, it needs to be demonstrated that the operation of the facility assessed accounts for available information on best international practice and is therefore state of the art with regard to high quality of operation.

Criterion CR1.3: Inspection, testing and maintenance

Indicator IN1.3: Capability to inspect, test and maintain.ᅠ

Acceptance limit AL1.3: Superior to that in the reference design.
The assessed design of mining/ milling facility is expected to permit efficient and intelligent inspection, testing and maintenance and not just require more inspections and more testing. In particular, the programs of inspection, testing and maintenance need to be driven by a sound understanding of failure mechanisms, so that the right locations are inspected and the right systems, structures and components are tested and maintained at the right time intervals.
In an underground mine, the parts of the ventilation system needing inspection, testing and maintenance (e.g. fans, motors, etc.) need to be located in fresh air so that they can be easily inspected, tested and maintained during operation[11].
In a milling facility, the equipment used to minimize dust in the air (e.g. hooding, exhaust system) and to chemically process the ore needs to be designed to enable easy inspection, testing and maintenance.
The acceptance limit AL1.3 of CR1.3 is met if evidence available to the INPRO assessor shows that the capability to inspect and test systems relevant to radiation protection in the facility assessed is superior to that in the reference design (or is state of the art and allows easy inspection, testing and maintenance).

Criterion CR1.4: Failures and deviations from normal operation

Indicator IN1.4: Expected frequency of failures and deviations from normal operation.ᅠ

Acceptance limit AL1.4: Lower than that in the reference design.
The frequency of failures and deviations from normal operation defined for a mining and milling facility needs to be derived from operational experience and supported by safety analyses (PSA, if available). For the facility assessed, the designer is expected to reduce these frequencies by increasing the robustness of the design (discussed in CR1.1 above), enabling high quality of operation (discussed in CR1.2), and ensuring efficient and intelligent inspection and maintenance (discussed in CR1.3).
The acceptance limit AL1.4 of CR1.4 is met if evidence available to the INPRO assessor shows that the frequencies of failures and deviations from normal operation are lower than those in the reference design. If quantitative results from operational experience and PSA are not available, a deterministic analysis needs to be developed that supports a reduction of these frequencies through increased design robustness, high quality of operation, and intelligent inspection and maintenance programs.

Criterion CR1.5: Occupational dose

Indicator IN1.5: Occupational dose values during normal operation and AOOs.ᅠ

Acceptance limit AL1.5: Lower than the dose constraints.
The mining and milling facility assessed is expected to use operational experience from existing deigns to ensure efficient implementation of the concept of optimised radiation protection for workers during design, commissioning, operation, and decommissioning. Criterion CR1.5 anticipates that new mining and milling facilities will use careful layout and reliable equipment to optimise the radiation protection of workers.
Regulatory limits in the country have to comply with international standards. Ref[38] states that:

“For occupational exposure of workers over the age of 18 years, the dose limits are:
(a) An effective dose of 20 mSv per year averaged over five consecutive years (100 mSv in 5 years) and of 50 mSv in any single year;
(b) An equivalent dose to the lens of the eye of 20 mSv per year averaged over five consecutive years (100 mSv in 5 years) and of 50 mSv in any single year;
(c) An equivalent dose to the extremities (hands and feet) or to the skin of 500 mSv in a year”

Ref[38] further recommends using dose constraints “for optimization of protection and safety, the intended outcome of which is that all exposures are controlled to levels that are as low as reasonably achievable, economic, societal and environmental factors being taken into account”. The role of dose constraints is explained in Refs[19][57]. In the INPRO methodology, the dose constraints concept is discussed in more detail in the manual on environmental impact of stressors[37].
Innovative and proven techniques, such as increased automation, improved operation and maintenance techniques and effective (engineered) safety features, are required to be used in the optimization of protective measures. Ref[19] provides detailed guidance on how to achieve a successful radiation protection program for workers in a uranium (or thorium) mine and milling facility.
The acceptance limit AL1.5 is met if evidence available to the INPRO assessor shows that the dose values of workers during normal operation and AOOs are (will be) lower than the dose constraints defined for the location of the planned facility.

User requirement UR2: Detection and interception of AOO

The rationale of UR2 was provided in Section 4.2. The criteria selected for user requirement UR2 are presented in Table 5.

Criterion CR2.1: I&C systems and operator procedures

Indicator IN2.1: I&C system to monitor, detect, trigger alarms and, together with operator actions, intercept and compensate AOOs that could lead to radiation exposure of workers.ᅠ

Acceptance limit AL2.1: Availability of such systems and/or operator procedures.
A mining and milling facility is expected to be designed to cope with AOOs (see beginning of Section 5.2) using preferably automatic operational systems, i.e. I&C systems that bring the facility back to normal operating conditions. In case automatic systems are not available, adequate operator procedures need to be. Passive and active control systems are deemed more reliable than administrative (manual) control but it is acknowledged that they are difficult to develop for mining/ milling facilities.
In an underground mine, an important deviation from normal operational state, i.e. an AOO, is the faulty operation of the ventilation system leading to build-up of radon in the atmosphere inside the mine. In case operational limits of radiation levels are violated, the I&C systems initiate an alarm. To take timely corrective action (e.g. switch over to a backup ventilation system or evacuate the mine), it is necessary to have continuous monitoring of radon levels in the atmosphere, and associated alarm systems. The availability of such a monitoring system is thus an acceptance criterion.
I&C systems need to be available also in the milling facility for controlling the air quality (radioactive dust concentration) and the radiation levels of equipment (accumulation of radioactive dust), and for detecting any leakage of radioactive (and chemically toxic) materials from the chemical processing equipment.
In the event that the barriers of the tailings management facility are breached and radionuclides find their way into ground water, it is important that the leakage is detected as early as possible and actions initiated to arrest further leakage[58]. This necessitates a regular system of radioactivity monitoring in nearby water bodies and bore wells. The requirements for an adequate monitoring system (and program) for a tailings facility are described in Ref[20] The availability of such a monitoring system is thus an acceptance criterion.
The acceptance limit AL2.1 of CR2.1 is met if evidence available to the INPRO assessor shows that I&C systems are available in the facility assessed that are capable of detecting safety-relevant deviations from normal operation, providing alarms, and initiating compensatory actions.

Criterion CR2.2: Grace periods for AOOs

Indicator IN2.2: Grace periods until human (operator) actions are required after detection (and alarm) of AOOs.ᅠ

Acceptance limit AL2.2: Adequate grace periods are defined in the design analyses.
Grace periods for AOOs are adequate if the time periods available before operator actions are required are long enough for the operator to react reasonably. The appropriate value of this grace period depends on ease of diagnosis of a failure, and the complexity of the human action to be taken. Simple failures and consecutive straightforward actions require shorter grace periods. The facility needs to have sufficient inertia to withstand transients, i.e. react slowly after AOOs.
In an underground mine, as stated before, after a failure of the ventilation system is detected, actions (e.g. switch over to a backup system or evacuation of the mine) are required to protect the workers against radiation exposure. Depending on the speed of build-up of radon concentrations in the mine without ventilation, an adequate grace period for necessary actions needs to be defined.
In a milling facility, after detecting excessive concentrations of dust in the air, or after detecting excessive radiation from equipment due to an accumulation of radioactive dust, or due to a leakage of radioactive material from the chemical processing unit, alarms are expected to be given and timely corrective actions have to be initiated by the operator. Such corrective actions may require the shutdown of the facility (including evacuation of workers) to minimize radiation exposure.
The grace period available to the operator for each AOO needs to be defined within the design analysis.
The acceptance limit AL2.2 of CR2.2 is met if evidence available to the INPRO assessor shows that an adequate grace period for each AOO has been determined in the design analysis for the facility assessed.

User requirement UR3: Accidents

The rationale of UR3 was provided in Section 4.3. UR3 for mining and milling facilities deals with accidents . Examples of accidents for mining and milling facilities include:

  • In an underground mine, a complete failure of the ventilation system;
  • In a milling facility, a rupture of components (pipes, vessels) in the chemical processing unit of the milling facility with subsequent (large) spillage of radioactive and/or chemically toxic material;
  • A fire in an underground mining facility;
  • A loss of the integrity of the tailings (storage and disposal) facility due to external hazards such as flooding (or dam break) with a significant release of solid and/or liquid radioactive and chemically toxic material to the environment .

Other external hazards (defined in Sections 2.1 and 2.6 of NFCF), such as earthquakes, flooding, etc, can also lead to accidents in all types of mines and milling facilities. As stated before, the facilities need to be designed against both external and internal hazards.
The criteria selected for user requirement UR3 are presented in Table 5.

Criterion CR3.1: Frequency of accidents

Indicator IN3.1: Calculated frequency of occurrence of accidents.ᅠ

Acceptance limit AL3.1: Lower than that in the reference design.
Examples of mining and milling facility accidents with potential radiological and chemical hazards, including their tailings storage and disposal facilities, have been presented above (beginning of Section 5.4). Deterministic considerations of potential accidents in mining and milling facilities have to be complemented by probabilistic analysis. It is expected that further development of probabilistic methods and tools applicable to mining and milling facilities will enable an expansion of the scope of probabilistic safety assessment to eventually cover all major hazards, initiating events and scenarios.
Accidents are expected to have very low frequencies (similar to the DBA frequencies in a modern NPP) and the value of the frequency needs to be confirmed by a probabilistic safety analysis covering both internal and external hazards. The calculated frequency of accidents caused by external hazards can be influenced by the designer, e.g. by increasing the robustness of the confinement wall (building for milling etc.), and by the future owner/operator of the facility by selecting an appropriate site (see UR5).
The acceptance limit AL3.1 of CR3.1 is met if evidence available to the INPRO assessor shows that based on probabilistic analyses the frequencies of accidents in the facility assessed is lower than for the reference facility. If quantitative results are not available, deterministic analysis needs to be developed that supports low frequencies based on an increase of design robustness, high quality of operation, intelligent inspection and maintenance programs, and advanced I&C systems.

Criterion CR3.2: Engineered safety features and operator procedures

Indicator IN3.2: Reliability and capability of engineered safety features and/or operator procedures.ᅠ

Acceptance limit AL3.2: Superior to those in the reference design.
Engineered safety features (automatic) are expected to be designed and installed in the facility. After detection of the accident these features need to be capable of controlling the accident, restoring the facility to a controlled state, and keeping the radiological consequences of the accident within authorized limits. To assure necessary reliability, these features need to be designed with sufficient levels of redundancy, diversity and independence.
In case automatic systems are not available, adequate operator procedures are necessary. Redundant, diverse and independent passive and active systems are deemed more reliable than administrative controls (operator interventions) but it is acknowledged that they are difficult to develop for mining/ milling facilities.
Examples of safety features in mining/ milling facilities are as follows. In a milling facility the safety systems can be available that detect a rupture of equipment with subsequent large spillage of radioactive and chemically toxic material and thereupon provide an alarm to initiate the necessary corrective actions. Operator procedures and corresponding equipment (e.g. an emergency exhaust system) need to be available to mitigate the consequences of this kind of accident.
In case of a fire in a mining/ milling facility, (automatic) firefighting systems (e.g. spray systems) can be available that can extinguish the fire. In case of detection of a large leakage from the tailings storage and disposal facility, a program needs to be initiated to stop the leakage and perform remediation of the environment[59].
As mentioned above, the facility is also expected to have engineered safety features protecting against external hazards (see Section 2.1 and 2.6 of NFCF), e.g. shock absorbers and dampers for safety related equipment to mitigate the effects of an earthquake.
The acceptance limit AL3.2 of CR3.2 is met if evidence available to the INPRO assessor shows that the reliability and capability of engineered safety features (automatic systems) and/or operator procedures in the facility assessed is superior to that in the reference design and assure that after the beginning of an accident the necessary actions to mitigate the accident consequences will be initiated in time to prevent an accidental release of nuclear material and/or toxic chemicals from the facility. Alternatively, if a reference facility cannot be found, it needs to be demonstrated that the design of the facility assessed involves best international practice and is therefore state of the art.

Criterion CR3.3: Grace periods for accidents

Indicator IN3.3: Grace periods for accidents until human intervention is necessary.ᅠ

Acceptance limit AL3.3: Longer than those in the reference design.
An explanation of ‘adequate grace period’ is provided in CR2.2 as introduced earlier for control of AOOs in Level 2 of DID. For accidents (caused by events associated with internal or / and external hazards) the criterion requires that the system response and/or automatic actions of active and/or passive safety systems provide an adequate grace period for the operator to intervene.
In case of a complete failure of the ventilation system, the workers in an underground mine have to be evacuated to the surface to avoid excessive inhalation of radon . This action has to be initiated by automatic systems or the mine operators before excessive inhalation can occur in view of the speed of radon build-up in the mine.
After detection of large spills of radioactive (and chemically toxic) material in the chemical processing unit of the milling facility, automatic systems (ventilation, exhaust system) are expected to mitigate this accident before corrective actions initiated by the facility operator. The operator intervention needs to start after the detection of this accident within a grace period defined for this accident in the design documentation.
After detection of a fire in the facility, within a grace period defined for this accident in the design documentation in addition to the automatic systems the operator is expected to perform the necessary actions to protect the workers.
The potential migration of radionuclides (and toxic chemicals) from a tailing storage and disposal facility through the surrounding soil after a leakage event needs to be analysed within an environmental impact assessment (EIA) during the site licensing process. Usually, it takes a long time (e.g. a few months to several years) for radioactive (and chemically toxic) material to reach the public domain. It is recognized that the migration time would depend upon the type of soil and ground conditions (water table, etc.) at a given tailings facility site, and will vary from site to site. A uranium mining and milling facility site is supposed to have a system for detecting leakages by monitoring the radioactivity in bore wells and water bodies in the vicinity of the tailing facility. Thus, after detection of a large leakage, a program for corrective (remedial) actions has to be initiated by the operator within a grace period that is evaluated in the facility design analysis and shown to be sufficient to avoid excessive contamination of the environment.
The grace periods have to be defined for each accident within the design analyses.
The acceptance limit AL3.3 of CR3.3 is met if evidence available to the INPRO assessor shows that in the facility assessed has longer accident grace periods than the reference design. Alternatively, if a reference design is not available, it needs to be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Criterion CR3.4: Barriers

Indicator IN3.4: Number of confinement barriers maintained (intact) after an accident.ᅠ

Acceptance limit AL3.4: At least one.
An accident with a loss of integrity of the tailing pond dam of a tailings storage and disposal facility would result in a loss of the single confinement barrier and lead to a large release of low radioactive and chemically toxic material into the environment. Geotechnical monitoring to detect the movements may allow sufficient time for correcting them before dam failure or for repairing the dam of the tailing storage and disposal facility and for remedial actions to avoid further contamination. Ideally, it might be worthwhile to consider the design of a double barrier for a tailings storage and disposal facility. This system needs to have monitoring systems in between the two barriers which would cause an alarm if radioactivity (and/or toxic chemicals) were to penetrate the first barrier. Such a double barrier would ensure that always one barrier is intact as required by Level 3 of the defence in depth concept.
For the chemical processing unit in a milling facility, the building needs to be designed as a confinement that prevents accidental releases of spilled radioactive (and chemically toxic) materials to the outside.
The acceptance limit AL3.4 of CR3.4 is met if evidence available to the INPRO assessor shows that engineered safety features and/or operator procedures are adequately defined and able to keep the accident consequences within design limits.
Examples: (1) The assessed mine tailings storage and disposal facility is monitored and potential breaches are effectively isolated in time to prevent excessive releases to the environment. (2) In a milling facility, the chemical processing unit building is able to contain major spills of radioactive (and chemically toxic) materials under the accident conditions and prevent their release to the environment.

User requirement UR4: Severe plant conditions

User requirement UR4 was found to be not directly applicable to a mining and milling facility.

User requirement UR5: Inherent safety characteristics

Rationale of UR5 was provided in Section 4.5. The criterion selected for user requirement UR5 is presented in Table 5.

Criterion CR5.1: Minimization of hazards

Indicator IN5.1: Examples of hazards: fire, flooding, release of radioactive material, radiation exposure, etc.ᅠ

Acceptance limit AL5.1: Hazards minimized according to the state of the art.
A mining/ milling facility and its tailings facility may have to define a design basis event with flooding and consequent release of radioactive (and chemically toxic) material to the environment. Thus, if the facility site has no upstream dams and no catchment areas, the facility would be superior from a safety point of view in this particular aspect (flooding), because a potential hazard would be eliminated. Similarly, other external hazards can be reduced for new facilities by appropriate siting.
Using fire resistant materials and reducing the amount of burnable material in a mine and milling facility would reduce the hazard of a fire. Eliminating specific dangerous chemicals from the ore processing technology would eliminate the hazard of their release.
The hazard of a release of radioactive (and chemically toxic) material could be reduced in the tailings storage and disposal facility by increasing the robustness of the barriers and applying a passive approach such as earthen covers or a permanent water pond over the tailings.
The acceptance limit AL5.1 of CR5.1 is met if evidence available to the INPRO assessor shows that hazards in the NFCF assessed have been minimized by applying the state of the art technology.

User requirement UR6: Human factors related to safety

Descriptions of the user requirement UR6 and corresponding criteria are common for all NFCFs discussed in this report (i.e. mining/ milling, conversion, enrichment, fuel fabrication, spent fuel storage and reprocessing). The rationale of UR6 was provided in Section 4.6. There are two aspects of safety covered in this user requirement. The first one is focused on the design of equipment related to safety to minimize human errors, and the second one covers the attitude to safety of people in nuclear facilities and related organizations. The criteria selected for user requirement UR6 ar presented in Table 5.

Criterion CR6.1: Human factors

Indicator IN6.1: Human factors addressed systematically over the life cycle of the mining/ milling facility assessed.ᅠ

Acceptance limit AL6.1: Evidence is available.
In the lifecycle of mining and milling facilities and other NFCFs, humans are considered as a valuable resource that plays important roles in the design, construction, commissioning, operation, testing, maintenance and inspections, and decommissioning of the facilities. However human interventions have limited reliability and may create unnecessary disturbances that have to be analysed in the facility design to achieve a sufficient level of safety.
Human factors are important for safe and reliable operation of mining and milling facilities and the designer of a new facility is expected to place increased emphasis on them to minimize the possibilities for the human errors during plant normal operation to initiate an incident or accident or contribute to the failure of backup (safety) systems. The possibilities for human errors committed during incident or accident scenarios to aggravate the scenarios and their consequences also need to be minimized. As a common principle it has to be ensured that:

  • The functions assigned to personnel constitute consistent tasks and correspond to the abilities and strengths of the personnel (e.g. appropriate number of tasks and sharing among centralized and local operating actions);
  • The human-systems interface (i.e. control means, processing of information to be presented to the operators) supports the tasks of personnel and minimizes the potential for error.

Addressing human factors in the design of safety related equipment and the radiation protection program (RPP) in mining and milling facilities and other NFCFs will increase the level of safety. Human errors during the facility operation, including maintenance, inspections and tests, and decommissioning need to be considered in the facility safety analysis.
The training programmes that have to be developed and implemented in the mining and milling facility are discussed in the criterion CR1.2. The acceptance limit AL6.1 of CR6.1 is met if evidence available to the INPRO assessor shows that human factors were addressed in the design and the RPP of the mining/milling facility assessed.

Criterion CR6.2: Attitude to safety

Indicator IN6.2: Prevailing safety culture.ᅠ

Acceptance limit AL6.2: Evidence is provided by periodic safety reviews.
Safety culture is discussed in this report in Section 4.6.
The periodic reviews concerning safety culture are expected to cover not only the operating organization but also regulatory and other responsible government authorities as well as industrial entities. The assessment of this criterion CR6.2 is based on the outcome of safety culture reviews of at least the following organisations: operating organisation, facility / installation developer and supplier, and regulatory authority.
The assessment of CR6.2 regarding safety culture of an operating organisation can only be performed once an organization is actually operating a facility. But the need to inculcate a safety culture within an organization and the need for a safety management system needs to be recognized in the planning phase for an NFCF. Furthermore, the proposed policies and management structure of the owner/operator can be assessed, prior to operation, to determine if they are consistent with safety culture.
The acceptance limit AL6.2 (evidence that a safety culture prevails) of CR6.2 is met for the NFCF assessed if evidence available to the INPRO assessor shows that such reviews are being (planned to be) performed at appropriate intervals. The INPRO methodology recommends using the support of experienced organizations for such reviews.

User requirement UR7: RD&D for advanced designs

A description of the user requirement UR7 and corresponding criteria are common for all NFCFs discussed in this report (i.e. mining/ milling, conversion, enrichment, fuel fabrication, spent fuel storage and reprocessing). The rationale of UR7 was provided in Section 4.7. The user requirement UR7 discusses the necessary RD&D effort for developing a facility with primarily innovative but also evolutionary design features.
The criteria selected for user requirement UR7 are presented in Table 5.

Criterion CR7.1: RD&D

Indicator IN7.1: RD&D status.ᅠ

Acceptance limit AL7.1: RD&D defined, performed and database developed.
RD&D on the reliability of innovative components and systems of an NFCF needs to be performed to achieve a thorough understanding of all relevant physical and engineering phenomena required to support the safety assessment. At least the following criteria are expected be met by the RD&D program of a developer for an innovative design (but also for an evolutionary design):

  • Significant phenomena associated with the innovative technologies used in NFCF and affecting safety were identified, understood, modelled and simulated (this includes the knowledge of uncertainties, and the effect of scaling and environment);
  • Safety-related system or component behaviour was modelled with acceptable accuracy, including knowledge of all safety-relevant parameters and phenomena, and validated with a reliable database.
  • The necessity of using a pilot facility in the development process was clarified.

The acceptance limit AL7.1 of CR7.1 is met if evidence available to the INPRO assessor shows that for an NFCF with innovative (or evolutionary) design features relevant to safety sufficient RD&D has been performed prior to start-up of the facility.

Criterion CR7.2: Safety assessment

Indicator IN7.2: Adequate safety assessment.ᅠ

Acceptance limit AL7.2: Approved by a responsible regulatory authority.
A safety case of a facility with innovative or evolutionary features needs to be established based on a comprehensive safety assessment that meets national and international standards[21][60][61][62][63]. Where appropriate, a risk informed approach is expected to be adopted in the design, construction and operation of NFCFs. In line with the risks involved, the emphasis needs to be more on long term effects on environment and public[56][62][64][65][66].
The acceptance limit AL7.2 of CR7.2 is met if evidence available to the INPRO assessor shows that an adequate safety assessment has been performed for the facility assessed and was accepted by the responsible regulatory authority in the country of origin.

Adaptation of the INPRO methodology to a uranium refining/ conversion and enrichment facilities

See Uranium refining/conversion and enrichment for a short description of the main processes in U refining/conversion and enrichment facilities.
Adapting the INPRO methodology for use in assessing uranium refining/ conversion and enrichment facilities entails more significant modifications and adjustments than for other types of NFCFs. Although significant technical differences exist between refining/ conversion and enrichment facilities, it was nevertheless found that applying the INPRO methodology to these diverse facilities does not require a separate treatment. The following sections describe how the INPRO methodology in the area of safety is adapted to facilities for U refining/ conversion and enrichment.

INPRO basic principle for sustainability assessment of uranium refining/ conversion or enrichment facility in the area of safety

INPRO basic principle for sustainability assessment of uranium refining/ conversion or enrichment facility in the area of safety: The planned refining/ conversion or enrichment facilities are safer than the respective reference facilities. In the event of an accident, off-site releases of radionuclides and/or toxic chemicals are prevented or mitigated so that there will be no need for public evacuation.
The rationale of the BP was provided in Section 4. An explanation of the requirement for superiority in the INPRO methodology area of NFCF safety is provided in section 5.1. The INPRO methodology has defined a set of requirements for uranium refining/ conversion and enrichment facilities as displayed in Table 6.

Table 6. INPRO User requirements and criteria for sustainability assessment of uranium refining/ conversion or enrichment facility in the area of NFCF safety
User requirement Criteria Indicator (IN) and Acceptance Limit (AL)
UR1: Robustness of design during normal operation:

The uranium refining, conversion or enrichment facility assessed is more robust than the reference design with regard to operation and systems, structures and components failures.

CR1.1: Design of normal operation systems IN1.1: Robustness of design of normal operation systems.
AL1.1: Superior to that in the reference design.
CR1.2: Subcriticality IN1.2: Subcriticality margins.
AL1.2: Sufficient to cover uncertainties and avoid criticality.
CR1.3: Facility performance IN1.3: Facility performance attributes.
AL1.3: Superior to those in the reference design
CR1.4: Inspection, testing and maintenance IN1.4: Capability to inspect, test and maintain.
AL1.4: Superior to that in the reference design.
CR1.5: Failures and deviations from normal operation IN1.5: Expected frequency of failures and deviations from normal operation.
AL1.5: Lower than that in the reference design.
CR1.6: Occupational dose IN1.6: Occupational dose values during normal operation and AOOs.
AL1.6: Lower than the dose constraints.
UR2: Detection and interception of AOO:

The uranium refining, conversion or enrichment facility assessed has improved capabilities to detect and intercept deviations from normal operational states in order to prevent AOOs from escalating to accident conditions.

CR2.1: I&C systems and operator procedures IN2.1: I&C system to monitor, detect, trigger alarms and, together with operator actions, intercept and compensate AOOs.
AL2.1: Availability of such systems and operator procedures.
CR2.2: Grace periods for AOOs IN2.2: Grace periods until human actions are required after AOOs.
AL2.2: Adequate grace periods are defined in the design analyses.
UR3: Accidents:

The frequency of occurrence of DBAs in the uranium refining, conversion or enrichment facility assessed is reduced. If an accident occurs, engineered safety features and/or operator actions are able to restore the assessed facility to a controlled state and subsequently to a safe state, and the consequences are mitigated to ensure the confinement of nuclear and/or toxic chemical material. Reliance on human intervention is minimal, and only required after sufficient grace period.

CR3.1: Frequency of DBAs IN3.1: Calculated frequency of occurrence of DBAs.
AL3.1: Lower than that in the reference design.
CR3.2: Engineered safety features and operator procedures IN3.2: Reliability and capability of engineered safety features and/or operator procedures.
AL3.2: Superior to those in the reference design.
CR3.3: Grace periods for DBAs IN3.3: Grace periods for DBAs until human intervention is necessary.
AL3.3: Longer than those in the reference design.
CR3.4: Barriers IN3.4: Number of confinement barriers maintained (intact) after an accident.
AL3.4: At least one.
CR3.5: Robustness of containment design IN3.5: Containment loads covered by design of the facility assessed.
AL3.5: Greater than those in the reference design.
UR4: Severe plant conditions:

The frequency of an accidental release of radioactivity into the environment is reduced. The source term of accidental release into the environment remains well within the envelope of the reference facility source term and is so low that calculated consequences would not require public evacuation.

CR4.1: In-facility severe accident management IN4.1: Natural or engineered processes, equipment, and AM procedures and training to prevent an accidental release to the environment in the case of accident.
AL4.1: Sufficient to prevent an accidental release to the environment and regain control of the facility.
CR4.2: Frequency of accidental release into environment IN4.2: Calculated frequency of an accidental release of radioactive materials and/or toxic chemicals into the environment.
AL4.2: Lower than that in the reference facility.
CR4.3: Source term of accidental release into environment IN4.3: Calculated inventory and characteristics (release height, pressure, temperature, liquids/gas/aerosols, etc) of an accidental release.
AL4.3: Remains well within the inventory and characteristics envelope of the reference facility source term and is so low that calculated consequences would not require evacuation of population.
UR5: Independence of DID levels and inherent safety characteristics:

To excel in safety and reliability, the refining, conversion or enrichment facility assessed strives for elimination or minimization of some hazards relative to the reference design by incorporating into its design an increased emphasis on inherently safe characteristics when appropriate.

CR5.1: Minimization of hazards IN5.1: Examples of hazards: fire, flooding, release of radioactive material, radiation exposure, etc.
AL5.1: Hazards are reduced in relation to those in the reference facility.
UR6: Human factors related to safety:

Safe operation of the refining, conversion or enrichment facility assessed is supported by accounting for HF requirements in the design and operation of the facility, and by establishing and maintaining a strong safety culture in all organizations involved in the life cycle of the facility.

CR6.1: Human factors IN6.1: Human factors addressed systematically over the life cycle of the refining, conversion or enrichment facility.
AL6.1: Evidence is available.
CR6.2: Attitude to safety IN6.2: Prevailing safety culture.
AL6.2: Evidence is provided by periodic safety reviews.
UR7: RD&D for advanced designs:

The development of innovative design features of the refining, conversion or enrichment facility assessed includes associated RD&D to bring the knowledge of facility characteristics and the capability of analytical methods used for design and safety assessment to at least the same confidence level as for operating facilities.

CR7.1: RD&D IN7.1: RD&D status.
AL7.1: RD&D defined, performed and database developed.
CR7.2: Safety assessment IN7.2: Adequate safety assessment.
AL7.2: Approved by a responsible regulatory authority.

User requirement UR1: Robustness of design during normal operation

The rationale of UR1 was provided in Section 4.1. UR1 deals with prevention of AOOs. For refining/ conversion and enrichment facilities, examples of AOOs are[26]:

  • Leakage (e.g. due to corrosion) of flammable (explosive) gases such as H2 leading to explosive mixtures in air;
  • Leakage of radioactive and/or toxic chemicals such as UF6, HF, and NH3; and
  • Fire in a room with significant amount of fissile or toxic chemical material.
  • Temporary loss of utilities such as electrical power, pressurized air, coolant, ventilation.

Criteria selected for user requirement UR1 are presented in Table 6.

Criterion CR1.1: Design of normal operation systems

Indicator IN1.1: Robustness of design of normal operation systems.ᅠ

Acceptance limit AL1.1: Superior to that in the reference design.
The design (e.g. mechanical, thermal, electrical, etc.) of normal operating systems in a uranium refining/ conversion or enrichment facility can be made more robust, i.e. reducing the likelihood of failures, by increasing the design margins, improving the quality of manufacture and construction, and by use of materials of higher quality.
For an enrichment facility using centrifuges, the separating element is expected to be designed with a lesser number of probable leakage points. The provision of secondary seals in the centrifuges would lessen the probability of leakage and make the system more robust. Passive safety through low pressure operations and a hermetically sealed design would ensure increased robustness. Vessels can be designed for preventing criticality, considering the maximum enrichment targeted. Isolation of the cascade hall and handling area, clear operation limits for critical parameters and adequate factors of safety in containment are other measures towards increasing robustness. A stable power supply is considered as an important requirement of enrichment processes based on centrifuges. Thus, the power supply needs to be of a high standard (including a backup power supply).
The use of corrosion resistant materials in a refining and conversion facility can reduce the probability of leaks in equipment containing corrosive material (e.g. HF).
The acceptance limit AL1.1 of CR1.1 is met if evidence available to the INPRO assessor shows that the normal operation system design of the facility assessed is superior to that of the reference facility design (e.g. has increased design margins, improved quality of manufacture and construction, or uses materials of higher quality), or, if no reference plant can be defined, took best international practice into account and is therefore state of the art technology.

Criterion CR1.2: Subcriticality

Indicator IN1.2: Subcriticality margins.ᅠ

Acceptance limit AL1.2: Sufficient to cover uncertainties and avoid criticality.
Ref[67] introduces the effective neutron multiplication factor (keff) as “the ratio of the total number of neutrons produced by a fission chain reaction to the total number of neutrons lost by absorption and leakage”, and subcriticality as the state characterised by keff<1 which can be maintained by appropriate combination of the control parameters, such as isotopic composition, geometry, mass, volume, concentration / density, characteristics of neutron absorption and moderation. Ref[67] further requires that “safety margins should be applied to determine the safety limits” and in applying safety margins to keff “consideration should be given to uncertainty in the calculation” including the possibility of any code bias.
The INPRO task group for the area of NCFC safety has proposed that, for a new NFCF that handles uranium with the enrichments above 1 % 235U, a criticality analysis needs to be performed that demonstrates ample design margins by showing that a keff< 0.90 characterizes all possible configurations of fissile material and thereby provides high confidence that potential criticality accidents are avoided. In this analysis, all parameters influencing keff, such as mass, concentration, shape, moderation, etc, have to be considered. All process equipment in the material handling areas needs to be designed to ensure subcriticality under submerged and water filled conditions.
The acceptance limit AL1.2 is met if evidence available to the INPRO assessor shows that in the facility assessed no critical configuration can occur, taking uncertainties into account.

Criterion CR1.3: Facility performance

Indicator IN1.3: Facility performance attributes.ᅠ

Acceptance limit AL1.3: Superior to those in the reference design.
Superior facility performance can reduce the frequency of AOOs and accidents in a uranium refining/ conversion or enrichment facility.
The clear definition of roles and responsibilities, appropriate surveillance and the training of personnel in the handling of UF6 gas cylinders and the actions to be taken in the event of leakage of UF6 gas, etc, complemented by instructions based upon learning from experience where available, will ensure that facilities for refining/ conversion and enrichment can operate in a safe regime.
The strategy of ageing management is expected to cover all relevant stages in the NFCF lifecycle, including design, manufacture, construction, commissioning, operation and decommissioning, all normal operation states, AOOs and accidents influencing a given system, and all relevant mechanisms of ageing, including but not limited to corrosion, deposits, irradiation, fatigue and wear. The NFCF designer has to determine the design life of safety related equipment, to provide appropriate design margins to take due account of age related degradation and to provide methods and tools for assessing ageing during the NFCF operation. The NFCF operating organization has to develop a plan for preparing, coordinating, maintaining and improving activities for ageing management implementation at the different stages of the NFCF lifecycle. Implementation of this plan needs to involve activities for managing ageing mechanisms, detecting and assessing ageing effects, and managing ageing effects.
Acceptance criteria for the quality of operation can be taken to be:

  • High(er) degree of remote control;
  • Availability of operations manuals and emergency instructions manuals;
  • Availability of procedures for feedback on the application of operations manuals;
  • Availability of surveillance requirements including periodic tests to verify the performance level for safe operation;
  • Consideration of ageing management in the design documentation;
  • Availability of plan for implementation of ageing management;
  • Periodic and intensive training of operators;
  • Periodic mock-ups to ensure readiness of operators to handle emergencies.

The acceptance limit AL1.3 of CR1.3 is met if evidence available to the INPRO assessor shows that the design of the facility assessed is superior to the reference facility design or, when no reference facility can be defined, at least took best international practice into account and is therefore state of the art technology.

Criterion CR1.4: Inspection, testing and maintenance

Indicator IN1.4: Capability to inspect, test and maintain.ᅠ

Acceptance limit AL1.4: Superior to that in the reference design.
To achieve an improved capability to inspect, test and maintain, the design of uranium refining/ conversion or enrichment facility assessed is expected to permit efficient and intelligent inspection, testing and maintenance and not just require more inspections and more testing. In particular, the programs of inspection, testing and maintenance need to be driven by a sound understanding of failure mechanisms, so that the right locations are inspected and the right systems, structures and components are tested and maintained at the right time intervals.
The acceptance limit AL1.4 of CR1.4 is met if evidence available to the INPRO assessor shows that the capability to inspect, test and maintain the systems relevant to safety in the facility assessed is superior to that in the reference design, or is state of the art, and allows easy inspection, testing and maintenance.

Criterion CR1.5: Failures and deviations from normal operation

Indicator IN1.5: Expected frequency of failures and deviations from normal operation.ᅠ

Acceptance limit AL1.5: Lower than that in the reference design.
The frequency of failures and deviations from normal operation (see examples in the beginning of Section 6.2) in a refining/ conversion and enrichment facility needs to be derived from operational experience and supported by PSA. For the design assessed, these frequencies can be reduced through increased robustness of the design, high quality of operation, and efficient and intelligent inspection.
The acceptance limit AL1.5 of CR1.5 is met if evidence available to the INPRO assessor shows that in the facility assessed the frequencies of failures and deviations from normal operation are lower than those in the reference design, or, if a reference facility cannot be defined, that the facility assessed took best international practice into account and is therefore state of the art technology. If quantitative results from operational experience and PSA are not available, alternatively, deterministic analysis can be developed that supports a reduction of the probability of occurrence for deviations from normal operation and failures in the facility assessed.

Criterion CR1.6: Occupational dose

Indicator IN1.6: Occupational dose values during normal operation and AOOs.ᅠ

Acceptance limit AL1.6: Lower than the dose constraints.
The limit (effective dose) and dose constraints for occupational workers were discussed in section 5.2.5. Innovative and proven techniques such as increased automation, improved O&M techniques and effective (engineered) safety features can be used to further reduce occupational exposure in refining/ conversion and enrichment facilities.
In refining/ conversion and enrichment facilities, the radiological hazard from radium and radon is much lower than in the mining and milling facilities discussed above; however, the radiological hazard cannot be neglected. Both radiological and chemical toxicity limits are applicable to the working environment in the refining/ conversion and enrichment facilities. The radiological limit for UF6 concentration in air can be derived from annual limits on intake (ALI) values introduced in Ref[68] at the level of 13 Bq/m3, subject to small variations with respect to enrichment. The uranium air concentration chemical limit is normally stated as 0.2 mg/m3[69]. Table 7 gives the uranium concentrations in air that correspond to the radiological limit as well as the uranium activity levels in air that correspond to the chemical toxicity limit.
Comparing the activities and concentrations in Table 7 against the corresponding limits shows that the chemical toxicity limit (0.2 mg/m3) is more restrictive than the radiological limit (13 Bq/m3) up to the enrichment value of 2.3%. For enrichments higher than 2.3%, the radiological limit becomes more important and for the enrichment of 5% the maximum permitted concentration of uranium in air due to its radiological properties is less than half of chemical toxicity limit.
A detailed guide on how to achieve a successful radiation protection program for workers in a refining/ conversion and enrichment facility is provided in Ref[26]. The acceptance limit AL1.6 of CR1.6 is met if evidence available to the INPRO assessor shows that the dose values of workers during normal operation and AOOs will be lower than the dose constraints defined for the location of the planned facility.

Table 7. Radiological and chemical toxicity limits for UF6 as uranium in air
Enrichment Radiological limit, Bq/m3 Concentration of U in air corresponding to the radiological limit mg/m3 Chemical toxicity limit, mg/m3 Activity of U in air corresponding to the chemical toxicity limit Bq/m3
0.7 13 0.52 0.2 5
1 0.42 6
2 0.22 12
2.3 0.20 13
3 0.14 18
3.5 0.12 22
5 0.08 33

User requirement UR2: Detection and interception of AOOs

The rationale of UR2 was provided in Section 4.2. The criteria selected for user requirement UR2 are presented in Table 6

Criterion CR2.1: I&C systems and operator procedures

Indicator IN2.1: I&C system to monitor, detect, trigger alarms, and, together with operator actions, intercept and compensate AOOs.ᅠ

Acceptance limit AL2.1: Availability of such systems and operator procedures.
Refining/ conversion and enrichment facilities are expected to be designed to cope with AOOs (see beginning of Section 6.2) by using automatic operational systems, i.e. I&C systems that bring the facility back to normal operating conditions. In case automatic systems are not available, adequate operator procedures need to be. Passive and automatic active control systems are deemed more reliable than administrative (manual) control. The operator needs to get appropriate information in a control room about automatic actions during normal operation and AOOs and the status and performance of the facility.
Monitoring of operational data is important for early detection of the onset of integrity loss of system components in uranium refining/ conversion and enrichment facilities and to avoid complete failures of components. Such systems for monitoring component health might include, e.g. a diagnostic system of the rotating machinery for fans, pumps, and turbines. The basic monitoring of pumps may be done by monitoring the pump house vibrations.
Provision of an on-line digital I&C system with an intelligent controller and sufficient capability to monitor would ensure that an enrichment facility could be safely operated. Redundancy in devices for detecting overloading of the separation system and measurement of a parameter based on different principles wherever applicable, would provide enhanced safety. For example, use of two independent parameters to indicate faulty operation of centrifuges (e.g. current drawn by motor and vibration) would enable prompt correcting action. A strategy to isolate and limit damage to the separation system needs to be available.
For mitigating a leakage of toxic or explosive gases, a detection and exhaust scrubbing system needs to be available that automatically removes such gases from the air in the building and thereby avoids toxic or explosive concentrations. To fight fires, a detection and, preferably, an automatic fire extinguishing system (e.g. a spray system) needs to be available and related criticality considerations taken into account (e.g. exclusion of water).
An emergency power supply system is expected to be available for systems relevant to safety, such as monitoring, detection and alarm systems for radiation protection and criticality, detection and alarm systems for fires and leaks of hazardous materials, ventilation systems, etc. A loss of external power needs to be compensated by a back-up power system available at the site of the facility.
Safe operating conditions of all systems are expected to be clearly defined in the design analysis and different limits for alarm (and shutdown) conditions (e.g. pressure, temperature and overloading) need to be determined. For the operational I&C systems to be acceptable, the results of the analyses need to demonstrate that all limits for alarm (and actions including shutdown) are met in case of assumed deviations from normal operation. In addition to automatic systems the systems and clearly defined procedures for the operator on how to restore the facility after an AOO to normal operational state need to be available.
The acceptance limit AL2.1 of CR2.1 is met if evidence available to the INPRO assessor shows that I&C systems are available in the facility assessed that are capable of detecting failures and deviations from normal operation of systems relevant for safety, providing alarm, and initiate automatic or manual actions that bring the facility back to normal operation.

Criterion CR2.2: Grace periods for AOOs.

Indicator IN2.2: Grace periods until human actions are required after AOOs.ᅠ

Acceptance limit AL2.2: Adequate grace periods are defined in design analyses.
An explanation of the ‘adequate grace period’ is provided in section 5.3.2. The grace period available for the operator for each AOO needs to be defined in the safety analysis of the facility design. In addition to the automatic actions of the normal operation systems a refining/ conversion or enrichment facility is expected to have sufficient inertia to withstand transients, i.e. react slowly after AOO.
After detection of an AOO (see beginning of Section 7.4.2) in a refining/ conversion or enrichment facility, automatic operational systems (presented in Section 6.3.1 above) need to mitigate these incidents before the operator intervention. For example, 30 minutes are deemed sufficient in case of a leak of UF6 gas during normal operation. Efficient automatic measures can facilitate longer grace periods.
In an enrichment facility with centrifuges, sufficient grace periods for operator actions necessary for keeping an AOO from progressing into an accident can be assured by providing surge suppression limiters, a fly wheel in the driving system of the centrifuge machine in case of electricity fault, adequate thermal inertia of the heating furnace, and multi-stage control for limiting transients.
The acceptance limit AL2.2 of CR2.2 is met if evidence available to the INPRO assessor shows that adequate grace periods have been determined for all AOOs in the design analysis for the facility assessed.

User requirement UR3: Design basis accidents

Rationale of UR3 was provided in Section 4.3. Ref[26] admits that specification of DBA will depend on the facility design and national requirements. However, it recommends that[26]:

“… particular consideration should be given to the following hazards in the specification of design basis accidents for conversion facilities:
(a) A release of HF or ammonia (NH3) due to the rupture of a storage tank;
(b) A release of UF6 due to the rupture of a storage tank, piping or a hot cylinder;
(c) A large fire originating from H2 or solvents;
(d) An explosion of a reduction furnace (release of H2);
(e) Natural phenomena such as earthquakes, flooding or tornadoes;
(f) An aircraft crash;
(g) Nuclear criticality accidents, e.g. in a wet process area with a 235U content of more than 1% (reprocessed uranium or unirradiated LEU).”

The following recommendation is provided for DBA consideration in enrichment facility[26]:

“… particular consideration should be given to the following hazards in the specification of design basis accidents for enrichment facilities:
(a) The rupture of an overfilled cylinder during heating (input area);
(b) The rupture of a cylinder containing liquid UF6 or the rupture of piping containing liquid UF6 (depending on the facility design for product take-off);
(c) A large fire, especially for diffusion facilities;
(d) Natural phenomena such as earthquakes, flooding or tornadoes (…);
(e) An aircraft crash;
(f) A nuclear criticality accident.”

Criteria selected for user requirement UR3 are presented in Table 6.

Criterion CR3.1: Frequency of DBAs.

Indicator IN3.1: Calculated frequency of occurrence of DBAs.ᅠ

Acceptance limit AL3.1: Lower than that in the reference design.
The DBAs to be considered in a refining/ conversion or enrichment facility have been listed in the beginning of Section 6.4. The frequency of occurrence of a DBA in the facility assessed is to be determined via a probabilistic risk assessment.
The calculated frequency of DBAs caused by external hazards can be influenced by the designer primarily by increasing the robustness of the confinement wall, and by the owner/ operator by selecting an appropriate site (see UR7). The acceptance limit AL3.1 of CR3.1 is met if evidence available to the INPRO assessor shows the use of probabilistic analyses to determine that DBAs in the assessed facility are less probable than in the reference design. If quantitative results of probabilistic analyses are not available, a deterministic analysis needs to be available that supports a reduction of these frequencies based on an increase of design robustness, high quality of operation, an intelligent inspection and maintenance programs, advanced I&C systems and/or operator procedures, increased grace time and inertia.

Criterion CR3.2: Engineered safety features and operator procedures

Indicator IN3.2: Reliability and capability of engineered safety features and/or operator procedures.ᅠ

Acceptance limit AL3.2: Superior to those in the reference design.
Engineered safety features (automatic) are expected to be designed and installed in the facility. After detection of the accident these features need to be capable of controlling the accident, restoring the facility to a controlled state, and keeping the radiological consequences of the accident within authorized limits. To assure necessary reliability, these features need to be designed with sufficient levels of redundancy, diversity and independence. Redundant, diversified and independent passive and automatic active systems are deemed more reliable than administrative control (operator intervention) but it is acknowledged that passive systems are difficult to be designed for refining/ conversion or enrichment facility.
The engineered safety features of a refining/conversion facility can be essentially different from an enrichment facility and in the following several examples they are discussed separately.
In refining/ conversion facility, a release of gaseous or liquid radioactive and/or chemically toxic material (UF6, HF, and NH3) is expected to be timely detected, an alarm started (to initiate evacuation of the facility) and automatic systems (e.g. exhaust scrubbers, shut down of gas supply) need to be available to mitigate the consequences of these DBA, i.e. limit exposure of the workers to chemicals and/or radioactive material. The release in the working area needs to be contained within the process area itself. Process specific, sub-atmospheric pressure operation is likely to ensure that this can be achieved.
In case of a fire in refining/ conversion facility, e.g. originating from release of H2 or solvents, alarm needs to be initiated, and automatic fire fighting systems (spray systems) start in rooms with flammable chemicals that are capable of extinguishing the fire taking criticality considerations into account (e.g. exclusion of water). Alternatively or additionally, equipment needs to be available for the operator to fight the fire manually.
In an enrichment facility based on centrifuges, in the event of a beginning failure, automatic provisions can be available in the form of suitable brakes, to absorb the momentum of a failing centrifuge. This would keep the damage localized and prevent the failed centrifuge from becoming a missile. Safety interlocks need to be provided for addressing the instability and vibration in motors for the centrifuges.
As mentioned above, refining/ conversion and enrichment facilities are expected to have engineered safety features to protect against DBAs caused by external hazards (see Section 2.1 and 2.6 of NFCF). For example, to mitigate an earthquake[70], equipment in the facility – that if failed would create a radiological and/or chemical hazard – needs to be protected by shock absorbers, dampers, etc.
The acceptance limit AL3.2 of CR3.2 is met if evidence available to the INPRO assessor shows that the assessed facility’s engineered safety features (automatic systems) and/or operator procedures are superior to those in the reference facility and assure that after the beginning of a DBA the necessary actions to mitigate the accident consequences will be initiated in a timely manner and successfully completed. The INPRO assessor’s judgement of the superiority of the new design has to be supported by the results of equipment tests and/or deterministic and probabilistic analyses described in the facility design information. Alternatively, if a reference facility cannot be found, it could be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Criterion CR3.3: Grace periods for DBAs

Indicator IN3.3: Grace periods for DBAs until human intervention is necessary.ᅠ

Acceptance limit AL3.3: Longer than those in the reference design.
An explanation of ‘adequate grace periods’ is provided in section 5.3.2 for the control of AOOs (see CR2.2) in Level 2 of DID. The criterion CR3.3 ‘grace periods for DBAs’ implies a similar concept. For DBAs (caused by events associated with internal or / and external hazards) the criterion requires that the system response (inertia) and/or automatic actions of active (and/or passive) safety features provide an adequate grace period for the operator to intervene. Adequate grace periods are also assumed to be longer than those for the reference design.
Since a large-scale gas leak has a potential to propagate outside the facility, a grace time of 15 minutes is expected to be provided for mitigating the gas leak, by for example, starting an emergency exhaust scrubber/ventilation system.
For a criticality accident, a grace period of a few minutes can be achieved by providing shielded enclosures wherever concentrations of uranium are expected to be high. Lower pressure in the process handling area and criticality monitors are normally provided. Risk to humans is expected to be limited to the material handling area only.
The grace periods have to be determined for each DBA in the design analyses.
The acceptance limit AL3.3 of CR3.3 is met if evidence available to the INPRO assessor shows that in the assessed facility’s grace periods for DBAs are longer than those of the reference design. Alternatively, it may be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Criterion CR3.4: Barriers

Indicator IN3.4: Number of confinement barriers maintained (intact) after DBAs.ᅠ

Acceptance limit AL3.4: At least one.
The design of engineered safety features and/or operator procedures are expected to provide deterministically for continued integrity at least of one barrier containing the radioactive and chemically toxic material following any DBA caused by events associated with internal or external hazards. Alternatively, the probability of losing all barriers may be used as an INPRO methodology indicator with a sufficiently low value (e.g. less than 10-6 per year) as its acceptance limit.
Examples of barriers in refining/conversion and enrichment facilities are the casing of machinery (pumps, valves, centrifuge) and equipment (vessels, piping), and a building structure with isolated compartments. The ventilation system including a cleaning system such as wet scrubbers or cold traps and a stack could also be regarded as a dynamic confinement. The design analysis needs to confirm that at least one barrier against an accidental release of radioactive and/ chemically toxic material into the outside of the plant will remain intact after a DBA.
The acceptance limit AL3.4 of CR3.4 is met if evidence available to the INPRO assessor shows that after a DBA at least one barrier remains intact in the facility assessed avoiding an accidental release of radioactivity and/or toxic chemicals to the outside of the facility that would require evacuation.

Criterion CR3.5: Robustness of containment design

Indicator IN3.5: Containment loads covered by design of the facility assessed.ᅠ

Acceptance limit AL3.5: Greater than those in the reference design.
To avoid a loss of containment/confinement integrity due to for example overpressure and high temperatures – compared to operating refining/ conversion or enrichment facility – the containment of new facility is expected to be designed against higher loads caused by an accident with an accidental release of radioactive material and/or toxic chemicals into the containment.
The containment, i.e. the building structure of the facility needs also to be designed for external hazards challenging the integrity of the structure with a higher margin.
The acceptance limit AL3.5 of CR3.5 is met if evidence available to the INPRO assessor shows that the confinement/containment of the refining/ conversion or enrichment facility assessed has been designed against higher loads and with higher reliability compared to a reference design. Alternatively, if a reference design is not available, it could be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

User requirement UR4: Severe plant conditions

Rationale of UR4 was provided in Section 4.4. Criteria selected for user requirement UR4 are presented in Table 6.

Criterion CR4.1: In-facility severe accident management

Indicator IN4.1: Natural or engineered processes, equipment, and AM procedures and training to prevent an accidental release to the environment in the case of accident.ᅠ

Acceptance limit AL4.1: Sufficient to prevent an accidental release to the environment and regain control of the facility.
Examples of relevant system parameters are concentrations of UF6 and other radioactive and/or toxic chemicals in air, and activity, temperature and pressure inside the confinement/ containment. An emergency ventilation system is expected to be capable of reducing these system parameters to acceptable levels enabling mitigating measures by operators.
In an enrichment facility with centrifuges cascade segment isolation and cascade isolation based on pressure rise are processes to limit the consequences of accidents with a large release of UF6. Emergency exhaust scrubber with alkali washing needs to be provided to bring down concentration of UF6 to less than 0.2 mg/m3 within 30 minutes. Failure of one system normally does not lead to the failure of other systems by preventing transmission of shock or vibration to other cascades. Each cascade and handling system need to be made as independent modules. Reliability of secondary back-up seals in the centrifuges is expected to be excellent, with a failure rate better than 10-4 per operation year. This needs to be confirmed by accelerated tests under simulated conditions.
If a large release of fissile material into the confinement (the building of the facility) leads to a critical configuration, this needs to be automatically detected (neutron flux increase) and lead to initiation of measures to end the criticality (injection of neutron absorbers).
In case automatic systems alone are not sufficient to prevent an accidental release to the environment and regain control of the NFCF, adequate operator procedures need to be established to handle a severe accident. For example, after detection of a large release of toxic and/or radioactive material into the confinement/ containment, the operator cuts off the source, activates the isolation of the process and the area, followed by evacuation/scrubbing. Next step would be activation of an on-site emergency plan documented in a safety manual to prevent spread of toxic and/or radioactive material into uncontrolled areas. Periodic mock-up drills and training programs are necessary to ensure that operators are in readiness to handle such emergencies.
The acceptance limit AL4.1 of CR4.1 is met if evidence available to the INPRO assessor shows that in the facility assessed processes and equipment are available to control relevant parameters (e.g. temperature, activity, concentrations of chemicals) and AM measures have been prepared that are sufficient to prevent an accidental release to the outside of the facility.

Criterion CR4.2: Frequency of accidental release into environment

Indicator IN4.2: Calculated frequency of an accidental release of radioactive materials and/or toxic chemicals into the environment.ᅠ

Acceptance limit AL4.2: Lower than that in the reference facility.
An accidental release of radioactivity and/or toxic chemicals from the refining/ conversion or enrichment facility into the environment can occur only if the containment loses its integrity during an accident with severe damage. An example for a cause of containment failure is overpressure due to a hydrogen explosion. Via a probabilistic safety analysis the frequency of a containment failure including uncertainties needs to be determined covering all plant states (normal operation, shut down) and internal as well as external hazards leading to accidents; the probabilistic analyses is supposed to use best estimate methods and consider the associated uncertainties.
INPRO suggests that calculated frequency of accidental release outside the facility assessed needs to be reduced as compared against reference facility, e.g. by increasing the design pressure of the containment. Where PSA data for reference facilities are not available, INPRO suggests using limit of <10-6 per facility-year as the target value for calculated frequency of accidental release to the environment.
When the frequency of accidental release of radioactivity cannot be calculated with a high level of confidence the new NFCF design needs to demonstrate deterministically that probability of an accidental release of radioactivity and/or toxic chemicals into the environment due to a failure of the containment/ confinement has been reduced compared against reference facility, e.g. through improved engineered safety features, prescribed advanced operator actions, and increased use of inherent safety characteristics or by additional minimization of hazards, and that the consequences (dose, concentration of toxic chemicals) of an accident do not require the evacuation of population except as a short time precautionary measure.
The acceptance limit AL4.2 of CR4.2 is met if evidence available to the INPRO assessor shows that in the facility assessed the calculated (best estimate) frequency for an accidental release of radioactivity and/or toxic chemicals into the environment due to a failure of the containment is lower than in reference facility. Alternatively, if PSA data for a reference design is not available, it could be demonstrated that frequency for an accidental release of radioactivity from NFCF is well below 10-6 per unit-year or that the design of the NFCF took available information on best international practice into account and is therefore state of the art.

Criterion CR4.3: Source term of accidental release into environment

Indicator IN4.3: Calculated inventory and characteristics (release height, pressure, temperature, liquids/gas/aerosols, etc) of an accidental release.ᅠ

Acceptance limit AL4.3: Remains well within the inventory and characteristics envelope of the reference facility source term and is so low that calculated consequences would not require evacuation of population.
Evacuation of population is the protective action in an emergency which can reduce the risk of stochastic effects, i.e. reduce consequences of the accident. Radiological criteria for evacuation of populations are normally formulated in terms of projected dose[41].
Estimation of the consequence of the emergency external release can be divided into two major parts. First part is focused on the definition of the characteristics of the release source term. These characteristics can be calculated as the result of the accident consequence modelling within the NFCF either deterministically or as a part of PSA Level 2 analysis. Second part models the transportation of the radionuclides to the population outside of the NFCF through different potential routes and scenarios (PSA Level 3).
The definition of source term of an accidental release to the environment involves the inventory of radioactive materials released, the description of physical and chemical forms of release and other release characteristics such as the height of damaged zone of the confinement, pressure and temperature of the released gas (including potential explosions).
Since the results of modelling of radionuclide transport in the environment may heavily depend on a series of assumptions such as weather conditions (wind directions in different altitudes, humidity etc) the first part of acceptance limit in this INPRO criterion states that source term characteristics in the new NFCF including the inventory of released radionuclides remains well within the envelope of reference facility source term. In this context ‘well within the envelope’ means that in the new NFCF source term all characteristics will be equal or lower compared against reference design and at least some of them will be lower by the level of uncertainties associated with the accident consequence modelling within the confinement.
For new NFCF the capability and reliability of natural and/or engineered processes for controlling of the complex accident sequences with severe damage are expected to be increased, including their instrumentation, control and diagnostic systems, and appropriate severe accident management procedures need to be developed. By these measures, the frequency of accidental release of radioactivity can be reduced and the inventory and conditions of release are expected to be restrained to avoid the evacuation of population.
It is noted that to meet the objective of Level 5 of defence in depth an emergency protection and response has to be planned around the NFCF[35] commensurate with the hazard of the accidental release of radioactive and chemically toxic material into the environment.
The acceptance limit AL4.3 of CR4.3 is met if evidence available to the INPRO assessor shows that in the NFCF assessed the calculated inventory and characteristics of an accidental release remain well within the inventory and characteristics envelope of reference facility source term and low enough so that calculated consequences would not require evacuation of population.

User requirement UR5: Inherent safety characteristics

INPRO methodology requirement on the independence of DID levels has been found not to be fully applicable for a uranium refining/conversion and enrichment facility. Rationale of UR5 was provided in Section 4.5. Criterion selected for user requirement UR5 is presented in Table 6.

Criterion CR5.1: Minimization of hazards

Indicator IN5.1: Examples of hazards: fire, flooding, release of radioactive material, criticality, radiation exposure, etc.ᅠ

Acceptance limit AL5.1: Hazards are reduced in relation to those in the reference facility.
To minimize the fire hazard a specific safety (fire) analysis is required[26]. Using of fire resistant material and reduction of the amount of burnable material in a refining/ conversion or enrichment facility would reduce the hazard of a fire. In a conversion facility there are the following chemicals causing fire hazards: anhydrous ammonia (explosive and flammable), nitric acid (ignition if in contact with organic materials) and hydrogen (explosive and flammable). Compartmentalizing of buildings and ventilation ducts needs to be performed to prevent spreading of fires. Ventilation ducts need to be equipped with fire dampers and be made of fire resistant material. Buildings are normally divided into separate fire areas to make sure that a fire breaking out within a given fire area would not be able to spread beyond this sector. The higher the fire risk, the greater the number of areas in a building. For example, damage to the separation system in an enrichment facility and process handling system in a refining/ conversion facility needs to be confined within the given area and not to spread to other areas. The design of ventilation systems is expected to be given particular consideration with regard to fire prevention.
The hazard of release of radioactive and/or chemically toxic material is normally minimized by establishing several barriers, such as glove box or hooding of equipment, compartmentalized building, and a dynamic confinement by a ventilation system.
The hazard of radiation exposure of workers in the facility can be minimized by establishing and maintaining an adequate radiation protection program in accordance with national and international standards[19]. An adequately sized ventilation system can minimize the hazard of radiation exposure of workers.
To reduce the hazard of a criticality accident, control of the inventory of radioactive materials is the first step. This can be achieved not merely through administrative measures but also through monitoring systems that will give a warning if set limits of inventories are exceeded. Sub-atmospheric pressure operation would also minimize releases from equipment containing fissile material.
The external hazards can be reduced for new facilities by appropriate selection of their site. For example, to minimize the hazard of flooding the facility needs to be located at sufficient elevation.
The acceptance limit AL5.1 of CR5.1 is met if evidence available to the INPRO assessor shows that in the refining/ conversion or enrichment facility assessed hazards have been reduced compared to a reference facility. Alternatively, if a reference facility cannot be found, it needs to be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

User requirement UR6 and UR7

Rationale for UR6 and UR7 are provided in Section 4.6 and 4.7, respectively. Assessment of user requirement UR6 (human factors related to safety) and UR7 (RD&D for advanced designs) for the refining / conversion or enrichment facility is deemed to be sufficiently similar to the assessment method of UR6 and UR7 described in Sections 5.7 and 5.8 for mining and milling facilities (including criteria, indicators and acceptance limits).
A number of areas for RD&D exist with regard to stable and safe operation of centrifugation, including development of frictionless bearings, avoiding external drives for gas transport, etc. Use of non-hydrogenous coolants can contribute to safety with regard to criticality. Development of materials to withstand corrosion by UF6 is another area for RD&D. The existence of a robust RD&D programme on the above areas and other such areas would be a necessary step for enhancing safety.

Adaptation of the INPRO methodology to a uranium and MOX fuel production facility

The use of the INPRO methodology for an assessment of a uranium and MOX fuel fabrication facility required significant modifications and adjustments compared to other types of NFCF. The significant technical differences between the uranium and MOX fuel fabrication facilities are acknowledged but it was found that the application of the INPRO methodology does not require a separate treatment.
In this section the INPRO methodology in the area of safety adapted to these NFCF is presented.

INPRO basic principle for sustainability assessment of fuel fabrication facility in the area of safety

INPRO basic principle for sustainability assessment of fuel fabrication facility in the area of safety: The planned uranium or MOX fuel fabrication facility is safer than the reference fuel fabrication facility. In the event of an accident, off-site releases of radionuclides and/or toxic chemicals are prevented or mitigated so that there will be no need for public evacuation.
Rationale of the BP was provided in Section 4. Explanation on the requirement of superiority in the INPRO methodology area of NFCF safety is provided in section 5.1. INPRO methodology defined a set of requirements to fuel fabrication facilities as displayed in Table 8.

Table 8. INPRO User requirements and criteria for sustainability assessment of fuel fabrication facility in the area of NFCF safety
User requirement Criteria Indicator (IN) and Acceptance Limit (AL)
UR1: Robustness of design during normal operation:

The uranium or MOX fuel fabrication facility assessed is more robust than the reference design with regard to operation and systems, structures and components failures.

CR1.1: Design of normal operation systems IN1.1: Robustness of design of normal operation systems.
AL1.1: Superior to that in the reference design.
CR1.2: Subcriticality IN1.2: Subcriticality margins.
AL1.2: Sufficient to cover uncertainties and avoid criticality.
CR1.3: Facility performance IN1.3: Facility performance attributes.
AL1.3: Superior to those in the reference design
CR1.4: Inspection, testing and maintenance IN1.4: Capability to inspect, test and maintain.
AL1.4: Superior to that in the reference design.
CR1.5: Failures and deviations from normal operation IN1.5: Expected frequency of failures and deviations from normal operation.
AL1.5: Lower than that in the reference design.
CR1.6: Occupational dose IN1.6: Occupational dose values during normal operation and AOOs.
AL1.6: Lower than the dose constraints.
UR2: Detection and interception of AOO:

The uranium or MOX fuel fabrication facility assessed has improved capabilities to detect and intercept deviations from normal operational states in order to prevent AOOs from escalating to accident conditions.

CR2.1: I&C systems and operator procedures IN2.1: I&C system to monitor, detect, trigger alarms, and, together with operator actions, intercept and compensate AOOs that could lead to radiation exposure of workers.
AL2.1: Availability of such systems and/or operator procedures.
CR2.2: Grace periods for AOOs IN2.2: Grace periods until human (operator) actions are required after detection (and alarm) of AOOs.
AL2.2: Adequate grace periods are defined in the design analyses.
UR3: Accidents:

The frequency of occurrence of DBAs in the uranium or MOX fuel fabrication facility assessed is reduced. If an accident occurs, engineered safety features and/or operator actions are able to restore the assessed facility to a controlled state and subsequently to a safe state, and the consequences are mitigated to ensure the confinement of nuclear and/or toxic chemical material. Reliance on human intervention is minimal, and only required after sufficient grace period.

CR3.1: Frequency of DBAs IN3.1: Calculated frequency of occurrence of DBAs.
AL3.1: Lower than that in the reference design.
CR3.2: Engineered safety features and operator procedures IN3.2: Reliability and capability of engineered safety features and/or operator procedures.
AL3.2: Superior to those in the reference design.
CR3.3: Grace periods for DBAs IN3.3: Grace periods for DBAs until human intervention is necessary.
AL3.3: Longer than those in the reference design.
CR3.4: Barriers IN3.4: Number of confinement barriers maintained (intact) after an accident.
AL3.4: At least one.
CR3.5: Robustness of containment design IN3.5: Containment loads covered by design of the facility assessed.
AL3.5: Greater than those in the reference design.
UR4: Severe plant conditions:

The frequency of an accidental release of radioactivity into the environment is reduced. The source term of accidental release into the environment remains well within the envelope of the reference facility source term and is so low that calculated consequences would not require public evacuation.

CR4.1: In-facility severe accident management IN4.1: Natural or engineered processes, equipment, and AM procedures and training to prevent an accidental release to the environment in the case of accident.
AL4.1: Sufficient to prevent an accidental release to the environment and regain control of the facility.
CR4.2: Frequency of accidental release into environment IN4.2: Calculated frequency of an accidental release of radioactive materials and/or toxic chemicals into the environment.
AL4.2: Lower than that in the reference facility.
CR4.3: Source term of accidental release into environment IN4.3: Calculated inventory and characteristics (release height, pressure, temperature, liquids/gas/aerosols, etc) of an accidental release.
AL4.3: Remains well within the inventory and characteristics envelope of the reference facility source term and is so low that calculated consequences would not require evacuation of population.
UR5: Independence of DID levels and inherent safety characteristics:

An assessment is performed for the uranium or MOX fuel fabrication facility to demonstrate that the DID levels are more independent from each other than in the reference design. To excel in safety and reliability, the assessed facility strives for better elimination or minimization of hazards relative to the reference design by incorporating into its design an increased emphasis on inherently safe characteristics.

CR5.1: Independence of DID levels IN5.1: Independence of different levels of DID in the assessed fuel fabrication facility.
AL5.1: More independence of the DID levels is demonstrated compared to that in the reference design, e.g. through deterministic and probabilistic means, hazards analysis, etc.
CR5.2: Minimization of hazards IN5.2: Examples of hazards: fire, flooding, release of radioactive material, radiation exposure, etc.
AL5.2: Hazards are reduced in relation to those in the reference facility.
UR6: Human factors related to safety:

Safe operation of the assessed fuel fabrication facility is supported by accounting for HF requirements in the design and operation of the facility, and by establishing and maintaining a strong safety culture in all organizations involved in the life cycle of the facility.

CR6.1: Human factors IN6.1: Human factors addressed systematically over the life cycle of the fuel fabrication facility
AL6.1: Evidence is available.
CR6.2: Attitude to safety IN6.2: Prevailing safety culture.
AL6.2: Evidence is provided by periodic safety reviews.
UR7: RD&D for advanced designs:

The development of innovative design features of the assessed fuel fabrication facility includes associated RD&D to bring the knowledge of facility characteristics and the capability of analytical methods used for design and safety assessment to at least the same confidence level as for operating facilities.

CR7.1: RD&D IN7.1: RD&D status.
AL7.1: RD&D defined, performed and database developed.
CR7.2: Safety assessment IN7.2: Adequate safety assessment.
AL7.2: Approved by a responsible regulatory authority.

User requirement UR1: Robustness of design during normal operation

The rationale of UR1 was provided in Section 4.1. UR1 is focused on prevention of abnormal operation and failures. For a U or MOX fuel fabrication facility, the following examples of AOOs to be prevented are similar to those presented in Section 6.2 for refining/ conversion and enrichment facilities[27][28]:

  • Leakage (e.g. due to corrosion) of flammable (explosive) gases such as H2;
  • Leakage of radioactive and/or toxic chemicals such as U and U-Pu compounds, UF6, HF, and NH3;
  • Fire in a room with significant amounts of fissile or toxic chemical material;
  • Loss of utilities such as electrical power, pressurized air, coolant, ventilation.

The criteria selected for user requirement UR1 are presented in Table 8.

Criterion CR1.1: Design of normal operation systems

Indicator IN1.1: Robustness of design of normal operation systems.ᅠ

Acceptance limit AL1.1: Superior to that in the reference design.
Normal operation systems and equipment relevant for safety used in a fuel production facility need to be designed against loads caused by postulated initiating events including events associated with external hazards (see Section 2.1 of NFCF). The design (e.g. mechanical, thermal, electrical, etc.) of normal operation systems in a fuel production facility can be made more robust, i.e. reducing the likelihood of failures, by increasing the design margins, improving the quality of manufacture and construction, and by use of materials of higher quality. It is acknowledged that increasing the robustness of a facility design is a challenging task for a designer because enhancing one aspect could have a negative influence on other aspects. Thus, an optimised combination of design measures is necessary to increase the overall robustness of a design.
The acceptance limit AL1.1 of CR1.1 is met if evidence available to the INPRO assessor shows that the design of the facility assessed is superior in this respect to the reference design (e.g. has increased design margins, improved quality of manufacture and construction, or uses materials of higher quality), or, in case a reference facility could not be defined, took best international practice into account and is therefore state of the art technology.

Criterion CR1.2: Subcriticality

Indicator IN1.2: Subcriticality margins.ᅠ

Acceptance limit AL1.2: Sufficient to cover uncertainties and avoid criticality.
Criticality control in fuel production facilities necessitates the mass control of fissile material, the use of safe geometry (with respect to criticality) in equipment layout to provide safe separation between equipment as well as storage systems, the minimization of hydrogenous materials in process and the use of neutron absorbing materials.
As proposed by the INPRO task group in this area and previously discussed in section 6.2.2 for uranium refining/ conversion and enrichment facilities, the adequate avoidance of criticality in facilities that handle MOX, Pu or U enriched above 1 % 235U is expected to be shown by a criticality analysis that demonstrates a design margin of keff < 0.90 for all possible configurations of fissile material. In this analysis, all parameters relevant to criticality, such as mass concentration, shape, moderation, etc, have to be considered. All process equipment in the material handling area needs to be designed to remain subcritical under submerged and water filled conditions.
The acceptance limit AL1.2 of CR1.2 is met if evidence available to the INPRO assessor shows that in the facility assessed no critical configuration can occur taking uncertainties into account.

Criterion CR1.3: Facility performance

Indicator IN1.3: Facility performance attributes.ᅠ

Acceptance limit AL1.3: Superior to those in the reference design.
Superior performance attributes can increase the robustness of a uranium or MOX fuel fabrication facility. A distinctive feature of fuel fabrication facilities is the presence of large inventories of powders of uranium oxide, plutonium oxide or mixed oxide. These are usually in finely divided form, and unless a high quality of operation is ensured, spillage of these fuel materials inside the enclosures could lead to long term accumulation in various difficult-to-access areas and in glass panels of glove boxes. This could ultimately lead to increased dosage to the operator.
High quality of operation, by way of intensive training of operators, is also essential to ensure that human factors do not lead to unexpected accumulations of fissile material in any part of the plant and thus lead to criticality: Strict adherence to administrative procedures is an indication of high quality of training. An inappropriate response to an alarm indicating an emergency could also be a result of inadequate operator training.
The strategy of ageing management is expected to cover all relevant stages in the fuel production facility lifecycle, including design, manufacture, construction, commissioning, operation and decommissioning, and needs to address all relevant mechanisms of ageing for the operational states and accident conditions influencing a given system. The designer of a fuel production facility has to determine the design life of SSCs important to safety, provide appropriate design margins to take due account of age related degradation and provide methods and tools for assessing ageing during the fuel production facility operation. The operating organization has to develop a plan for preparing, coordinating, maintaining and improving activities for ageing management implementation at the different stages of the fuel production facility lifecycle. Implementation of this plan will involve activities for managing ageing mechanisms, detecting and assessing ageing effects, and managing ageing effects.
A high degree of automation/remote control/robotics would lead to reduction of dose received by the operators. Typical items that are taken into account for establishing acceptance criteria for facility performance include:

  • High(er) degree of remote control;
  • Availability of operations manuals and emergency instructions manuals;
  • Availability of procedure for the feedback on application of operations manuals;
  • Availability of surveillance requirements including periodic tests to verify the performance level for safe operation;
  • Consideration of ageing management in the design documentation;
  • Availability of plan for implementation of ageing management;
  • Periodic and intensive training of operators;
  • Periodic mock-ups to ensure readiness of operators to handle emergencies.

The acceptance limit AL1.3 of CR1.3 is met if evidence available to the INPRO assessor shows that the design of the facility assessed is superior to a reference design or, in case a reference facility could not be defined, took best international practice into account and is therefore state of the art technology.

Criterion CR1.4: Inspection, testing and maintenance

Indicator IN1.4: Capability to inspect, test and maintain.ᅠ

Acceptance limit AL1.4: Superior to that in the reference design.
To achieve an improved capability to inspect, test and maintain, the design of fuel fabrication facility assessed is expected to permit efficient and intelligent inspection, testing and maintenance and not just require more inspections and more testing. In particular, the programs of inspection, testing and maintenance need to be driven by a sound understanding of failure mechanisms (corrosion, erosion, fatigue, etc.), so that the right locations are inspected and the right systems, structures and components are tested and maintained at the right time intervals.
The acceptance limit AL1.4 of CR1.4 is met if evidence available to the INPRO assessor shows that the capability to inspect, test and maintain systems relevant to safety in the facility assessed is superior to that in the reference design or, in case a reference facility could not be defined, is state of the art and allows easy inspection, testing and maintenance.

Criterion CR1.5: Failures and deviations from normal operation

Indicator IN1.5: Expected frequency of failures and deviations from normal operation.ᅠ

Acceptance limit AL1.5: Lower than that in the reference design.
The estimated frequencies of the AOOs selected (see beginning of Section 7.2) for a fuel production facility need to be derived from operational experience and supported by PSA. For the design assessed, theses frequencies can be reduced through achieving increased robustness of the design (discussed in CR1.1 above), high quality of operation (discussed in CR1.2), and efficient and intelligent inspection and maintenance (discussed in CR1.3).
The acceptance limit AL1.5 of CR1.5 is met if evidence available to the INPRO assessor shows that in the facility assessed the frequencies of AOOs are lower than those in the reference design, or, in case a reference facility could not be defined, that the facility assessed took best international practice into account and is therefore state of the art technology. If quantitative results from operational experience and PSA are not available, alternatively, deterministic analysis needs to be developed that indicates the reduction of probability of occurrence for AOOs.

Criterion CR1.6: Occupational dose

Indicator IN1.6: Occupational dose values during normal operation and AOOs.ᅠ

Acceptance limit AL1.6: Lower than the dose constraints.
Fuel production facilities may control contamination using such independent strategies as maintaining differential pressure in process enclosures and operating areas, providing easy access to equipment in operating areas, using automation/robotics for handling radioactive materials, zoning the layout of the plant for hazardous operations, providing single port entry and exit for personnel and equipment and employing multiple levels of filtration.
The assessment of CR1.6 for a conversion and enrichment facility was presented in Section 6.2.6 and is deemed substantially similar to the corresponding assessment for a fuel production facility (U, Pu or MOX). Therefore, the assessor is requested to use the assessment approach described for a conversion and enrichment facility also for a fuel production facility.

User requirement UR2: Detection and interception of AOO

Rationale of UR2 was provided in Section 4.2. Criteria selected for user requirement UR2 are presented in Table 8.

Criterion CR2.1: I&C systems and operator procedures

Indicator IN2.1: I&C system to monitor, detect, trigger alarms and, together with operator actions, intercept and compensate AOOs.ᅠ

Acceptance limit AL2.1: Availability of such systems and operator procedures.
A fuel production facility is expected to be designed to cope with AOOs (see beginning of Section 7.2) using automatic operational systems, i.e. I&C systems that bring the facility back to normal operating conditions. In case automatic systems are not available, adequate operator procedures need to be. Passive and active control systems are deemed more reliable than administrative (manual) control. The operator needs to get appropriate information in a control room about automatic actions during normal operation and AOOs and the status and performance of the facility.
Fuel fabrication facilities involve many safety critical systems such as glove boxes, furnaces, vacuum systems etc, thus, instrumentation and control systems play an important role in ensuring healthiness and safety of various systems and ensuring that they operate in safe regimes of parameters. The design analysis is expected to define safe operating conditions for every system, and different limits for alarm and shutdown conditions need to be indicated. For example, furnaces need to be equipped with temperature control systems to shut down the power supply to prevent escalation of temperature in case of loss of cooling water. Pressure control systems in glove boxes need to be able to detect loss of negative pressure (e.g. through a puncture in a glove) and actuate additional exhaust systems to ensure that the glove box pressure remains below the one in the operating area. Measurement of these parameters based on different principles wherever applicable and by more than one device for measurement would provide enhanced safety.
Online monitoring systems, with accessibility to inspect and more than one way to measure the same parameter, are necessary requirements. Access has to be provided for condition monitoring parameters and trending to predict incipient failures. In the ventilation systems, continuous monitoring of pressure drops across HEPA filters would ensure an adequate number of air changes in operating areas. Similarly, on-line monitoring is required to ensure adequate cooling water supply to sintering furnaces and ensure that the furnace is shut down when water flow is reduced below a certain level.
The acceptance limit AL2.1 of CR2.1 is met if evidence available to the INPRO assessor shows that I&C systems are available in the facility assessed that are capable of detecting failures and deviations from normal operation of systems relevant for safety, providing alarm, initiate automatic (and manual actions), and bring the facility back to normal operation.

Criterion CR2.2: Grace periods for AOOs

Indicator IN2.2: Grace periods until human actions are required after AOOs.ᅠ

Acceptance limit AL2.2: Adequate grace periods are defined in design analyses.
An explanation of ‘adequate grace period’ is provided in section 5.3.2. The grace period available for the operator for each AOO needs to be defined in the safety analysis of the facility design. After detection of an AOO (see beginning of Section 7.2) in a fuel production facility, the automatic operational systems (presented in Section 7.3.1 above) needs to control these incidents before the operator intervention. The operation manual is expected to list all anticipated incidents, a corresponding action plan and the time until the actions have to be completed by the workers. For example, the design of glove boxes in MOX fabrication facilities needs to ensure that, in the event of a ventilation failure, radioactivity levels in the operating areas do not exceed regulatory limits for at least one hour, so that operators can safely shut down furnaces and other systems before evacuating the laboratory.
In addition to the automatic actions of the normal operation systems a fuel fabrication facility is expected to have sufficient inertia to withstand transients, i.e. react slowly after AOOs. For example, design of furnaces and (redundant) cooling systems needs to ensure that in the event of a temporary loss of cooling water supply, the furnace casing temperature will not exceed design limits within a reasonable time frame to enable the operator to bring the furnaces to a safe shut down state if necessary or continue to operate if he can restore water supply in time.
The acceptance limit AL2.2 of CR2.2 is met if evidence available to the INPRO assessor shows that adequate grace periods have been determined for all AOOs in the design analysis for the facility assessed.

User requirement UR3: Design basis accidents

The rationale of UR3 was provided in Section 4.3. Refs[27][28] recognise that specification of DBAs will depend on the facility design and national requirements. However, they recommend that particular consideration needs to be given to the following hazards in the specification of DBAs at fuel fabrication facilities[27][28]:

  • A nuclear criticality accident;
  • A release of uranium, e.g. in the explosion of a reaction vessel during the conversion of UF6 to UO2;
  • A hydrogen explosion, e.g. in the pellet sintering equipment;
  • A release of UF6 due to the rupture of a hot cylinder;
  • A release of HF due to the rupture of a storage tank;
  • A fire;
  • Natural phenomena such as earthquakes, flooding, or tornadoes;
  • An aircraft crash.

The criteria selected for user requirement UR3 are presented in Table 8.

Criterion CR3.1: Frequency of DBAs

Indicator IN3.1: Calculated frequency of occurrence of DBAs.ᅠ

Acceptance limit AL3.1: Lower than that in the reference design.
Examples of the DBAs to be considered in a fuel fabrication facility have been provided above in the beginning of Section 6.4. The frequency of occurrence of a DBA in the facility assessed is to be determined via a probabilistic risk assessment. Ref[12] gives an overview of the methods used for probabilistic evaluations of NFCFs, such as layer of protection analysis and the index method, and the areas of their application. Several examples of probabilistic studies of NFCFs and an overview of the regulatory requirements in different countries can be found in Ref[71].br> The frequency of DBA caused by external hazards can be influenced by the designer, e.g. via an increase of robustness of the confinement wall, and by the owner/ operator of the facility by selecting an appropriate site (see UR7).br> When the probabilistic risk assessment results are not available for the NFCF assessed, the superiority of the new design, i.e. improvements to reduce frequency of initiating events, can be demonstrated deterministically.br> The acceptance limit AL3.1 of CR3.1 is met if evidence available to the INPRO assessor shows that in the facility assessed based on probabilistic analyses the frequency for the defined DBAs is superior to a reference design. If quantitative results are not available a deterministic analysis needs to support a reduction of these frequencies based on an increase of design robustness, high quality of operation, an intelligent inspection and maintenance programs, advanced I&C systems and increased inertia.

Criterion CR3.2: Engineered safety features and operator procedures

Indicator IN3.2: Reliability and capability of engineered safety features and/or operator procedures.ᅠ

Acceptance limit AL3.2: Superior to those in the reference design.
In case of a DBA (see beginning of Section 6.4) there need to be automatic reliable engineered safety features available that after detection of an accident are capable of controlling the accident, restoring the facility to a controlled state, and keeping the consequences within authorized limits. To assure necessary reliability these features have to be designed with sufficient level of redundancy, diversity and independence.
In case automatic systems are not available, adequate operator procedures are necessary. Redundant, diversified and independent passive and automatic active systems are deemed to be more reliable than administrative control (operator intervention) however it is acknowledged that they are difficult to be designed for fuel fabrication facility.
As mentioned above the facility is expected to have engineered safety features protecting against DBA caused by (credible) external hazards (see Section 2.1 and 2.6 of NFCF).
The acceptance limit AL3.2 of CR3.2 is met if evidence available to the INPRO assessor shows that the reliability and capability of engineered safety features in the facility assessed is superior to a reference design and assure that after the beginning of a DBA the necessary actions to mitigate the consequences of the accidents will be timely initiated. Alternatively, if a reference facility cannot be found, it could be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Criterion CR3.3: Grace periods for DBAs

Indicator IN3.3: Grace periods for DBAs until human intervention is necessary.ᅠ

Acceptance limit AL3.3: Longer than those in the reference design.
An explanation of ‘adequate grace period’ is provided in section 5.3.2 as introduced earlier for control of AOOs (see CR2.2) in Level 2 of DID. The criterion CR3.3 ‘grace period for DBA’ implies a similar concept. For DBA (caused by events associated with internal and external hazards) the criterion requires that the system response (inertia) and/or automatic actions of active (and/or passive) safety features provide an adequate grace period for the operator to intervene. Adequate grace periods in the new facility are also assumed to be longer than those in the reference design.
For example, a criticality accident in a fuel fabrication plant could be caused by human errors such as double batching or by flooding of glove boxes containing large inventories of fissile material. Provision of a criticality monitor (e.g. neutron counter, liquid level monitor in a glove box) is essential . In the event of criticality, a grace time of a few minutes only may be available to take necessary protective measures, e.g. halt flow of liquid, close valve. In the event of flooding of glove boxes due to a coolant pipe rupture, and unavailability of automatic safety features, the grace time available for the operator to avoid criticality or release of radioactive material would depend on the design of the box and the flow rate of water. The safety analysis needs to take into account these factors and define the time limits sufficient for human action. The grace periods have to be provided for each DBA by the design.
The acceptance limit AL3.3 of CR3.3 is met if evidence available to the INPRO assessor shows that in the facility assessed the grace periods are superior to a reference design. Alternatively, if a reference facility cannot be found, it could be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Criterion CR3.4: Barriers

Indicator IN3.4: Number of confinement barriers maintained (intact) after DBAs.ᅠ

Acceptance limit AL3.4: At least one.
The design of engineered safety features is expected to provide deterministically for continued integrity at least of one barrier containing the radioactive and chemically toxic material following any DBA caused by events associated with internal or external hazards. Alternatively, the probability of losing all barriers could be used as an INPRO methodology indicator with a sufficient low value of it as acceptance limit.
The most important engineered safety features of a fuel fabrication facility are the barriers against a release of radioactive material into the environment. At present, all Pu (but also some U) based materials are handled in glove boxes, whose panels and gloves constitute one barrier (another barrier is the building wall). However, it is important to ensure that a glove box is designed as a second barrier and larger inventories of fuel materials are always maintained in another suitable enclosure which would constitute the first barrier. For example, in glove boxes containing equipment with moving parts such as a press or grinder, this equipment needs to be surrounded by a safe enclosure which would ensure that any flying object from the equipment would not damage the glass panel of the box.
It is apparent that the higher the number of such barriers, the safer the system with respect to release of radioactivity and thus would meet the requirement of defence in depth concept.
The acceptance limit AL3.4 of CR3.4 is met if evidence available to the INPRO assessor shows that after a DBA at least one barrier remains intact in the facility assessed avoiding a large release of radioactivity and/or toxic chemicals to the outside of the facility.

User requirement UR4: Severe plant conditions

Rationale of UR4 was provided in Section 4.4. INPRO methodology has defined the three criteria for UR4: in-facility severe accident management, frequency of accidental release into environment, source term of accidental release into environment.
It is noted that a fuel production facility using enriched uranium (> 1 % of 235U) or plutonium has a higher probability of a criticality accident due to the existence of high density fissile material (pellets) than an enrichment plant where fissile material is mostly in volatile form (UF6). However, the INPRO assessment of a fuel production facility against user requirement UR4 (Severe plant conditions) is deemed to be sufficiently similar to the assessment of an enrichment facility. Therefore, the assessor is requested to use the assessment method of UR4 described in Section 6.5 for an enrichment facility (including criteria, indicators and acceptance limits) also for a fuel production facility.

User requirement UR5: Independence of DID levels and inherent safety characteristics

Rationale of UR5 was provided in Section 4.5. Criteria selected for user requirement UR5 are presented in Table 8.

Criterion CR5.1: Independence of DID levels

Indicator IN5.1: Independence of different levels of DID in the assessed fuel fabrication facility.ᅠ

Acceptance limit AL5.1: More independence of the DID levels is demonstrated compared to that in the reference design, e.g. through deterministic and probabilistic means, hazards analysis, etc.
Systems that provide for different levels of defence in depth may be either dependent or independent. Independent systems can provide protection from potential hazards with higher reliability. Using the same system or several dependant systems in different levels of defence in depth can make these levels vulnerable to the common cause failure. Ref[12] states:

“To qualify as independent, the failure of one item relied on for safety (IROFS) should neither cause the failure nor increase the likelihood of failure of another IROFS. No single credible event should be able to defeat the system of IROFS such that an accident is possible. A systematic method of hazard identification should thus be used to provide a high degree of assurance that all credible failure mechanisms that could contribute to (i.e. by initiating or failing to prevent or mitigate) an accident have been identified.”

Ref[12] further provides an exemplary list of factors undermining independence of the systems, structures and components, and therefore having significant effect on the likelihood of an accident sequence:

“A partial list of conditions that will almost always lead to two or more IROFS not being independent follows:

  • The same individual performs administrative actions.
  • Two different individuals perform administrative actions but use the same equipment and/or procedures.
  • Two engineered controls share a common hardware component or common software.
  • Two engineered controls measure the same physical variable using the same model or type of hardware.
  • Two engineered controls rely on the same source of essential utilities (e.g. electricity, instrument air, compressed nitrogen, water).
  • Two engineered controls are collocated such that credible internal or external events (e.g. structural failure, forklift impacts, fires, explosions, chemical releases) can cause both to fail.
  • Administrative or engineered controls are susceptible to failure because of the presence of credible environmental conditions (e.g. two operator actions defeated by corrosive atmosphere, sensors rendered inoperable because of high temperature).”

The analysis of independence of systems, structures and components in NFCF is normally part of the application of the ‘double contingency principle’ defined in Ref[72]. This principle states that “process designs should, in general, incorporate sufficient factors of safety to require at least two unlikely, independent, and concurrent changes in process conditions before a criticality accident is possible.”
It is expected that the deterministic method for assessing the DID capabilities of a nuclear reactor design described in Ref[73] will be adapted to fuel fabrication facility. This method is based on objective trees for each level of DID defining the following elements from top to bottom: the objective of the DID level, the relevant safety functions to be met, identified general challenges to the safety functions based on specific root mechanisms for each of these challenges and a list of provisions in design and operation for preventing the mechanism from occurring.
Special attention is expected to be demonstrated in the design to such hazards as fire, flooding or earthquakes which could potentially impair several levels of DID; for example, they could bring about accident situations and, at the same time, inhibit the means of coping with such situations[33].
The safety analysis report of a fuel fabrication facility needs to demonstrate clearly the independence of the levels of defence. A probabilistic safety analysis[74], if done carefully, would highlight systems and elements which are not sufficiently independent, and identify cross-links which compromise the independence of the levels of DID. A fuel fabrication facility assessed is expected to demonstrate calculated frequency ranges of reaching the different levels of DID after an initiating event below (superior to) those of a reference facility.
The acceptance limit AL5.1 (independence of DID levels) is met for the fuel fabrication facility assessed if evidence available to the INPRO assessor shows that demonstrates improved independence of the different levels of DID in comparison to a reference plant based on a deterministic and probabilistic analyses. Alternatively, if a reference facility cannot be found, it could be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Criterion CR5.2: Minimization of hazards

The assessment of CR5.1 (minimisation of hazards) presented for a uranium conversion and enrichment facility in Section 6.6.1 is deemed to be sufficient similar to a fuel fabrication facility. Thus, this approach can be used by the assessor also for the fuel fabrication facility.

User requirement UR6 and UR7

Rationale for UR6 and UR7 is provided in Section 4.6 and Section 4.7. Assessment of user requirement UR6 (human factors related to safety) and UR7 (RD&D for advanced designs) for fuel fabrication facilities (U, Pu, MOX) is deemed to be sufficiently similar to the assessment method of UR6 and UR7 described in Sections 5.7 and 5.8 for mining and milling facilities (including criteria, indicators and acceptance limits).

Adaptation of the INPRO methodology to a reprocessing facility

See Reprocessing of spent nuclear fuel for a short description of the main processes in a reprocessing facility.
The use of the INPRO methodology for an assessment of a reprocessing facility required significant modifications and adjustments compared to other types of NFCFs.
The following sections present the INPRO methodology in the area of safety adapted to a reprocessing facility.

INPRO basic principle for sustainability assessment of reprocessing facility in the area of safety

INPRO basic principle for sustainability assessment of reprocessing facility in the area of safety: The planned reprocessing facility is safer than the reference reprocessing facility. In the event of an accident, off-site releases of radionuclides and/or toxic chemicals are prevented or mitigated so that there will be no need for public evacuation.
The rationale of the BP was provided in Section 4. An explanation on the requirement of superiority in the INPRO methodology area of NFCF safety is provided in section 5.1. The INPRO methodology has defined a set of requirements to reprocessing facilities as displayed in Table 9.

Table 9. INPRO User requirements and criteria for sustainability assessment of spent fuel reprocessing facility in the area of NFCF safety
User requirement Criteria Indicator (IN) and Acceptance Limit (AL)
UR1: Robustness of design during normal operation:

The assessed reprocessing facility is more robust than the reference design with regard to operation and systems, structures and components failures.

CR1.1: Design of normal operation systems IN1.1: Robustness of design of normal operation systems.
AL1.1: Superior to that in the reference design.
CR1.2: Subcriticality IN1.2: Subcriticality margins.
AL1.2: Sufficient to cover uncertainties and avoid criticality.
CR1.3: Facility performance IN1.3: Facility performance attributes.
AL1.3: Superior to those in the reference design
CR1.4: Inspection, testing and maintenance IN1.4: Capability to inspect, test and maintain.
AL1.4: Superior to that in the reference design.
CR1.5: Failures and deviations from normal operation IN1.5: Expected frequency of failures and deviations from normal operation.
AL1.5: Lower than that in the reference design.
CR1.6: Occupational dose IN1.6: Occupational dose values during normal operation and AOOs.
AL1.6: Lower than the dose constraints.
UR2: Detection and interception of AOO:

The assessed reprocessing facility has improved capabilities to detect and intercept deviations from normal operational states in order to prevent AOOs from escalating to accident conditions.

CR2.1: I&C systems and operator procedures IN2.1: I&C system to monitor, detect, trigger alarms and, together with operator actions, intercept and compensate AOOs.
AL2.1: Availability of such systems and operator procedures.
CR2.2: Grace periods for AOOs IN2.2: Grace periods until human (operator) actions are required after detection (and alarm) of AOOs.
AL2.2: Adequate grace periods are defined in the design analyses.
UR3: Design basis accidents:

The frequency of occurrence of DBAs in the assessed reprocessing facility is reduced. If an accident occurs, engineered safety features and/or operator actions are able to restore the assessed facility to a controlled state and subsequently to a safe state, and the consequences are mitigated to ensure the confinement of nuclear and/or toxic chemical material. Reliance on human intervention is minimal, and only required after sufficient grace period.

CR3.1: Frequency of DBAs IN3.1: Calculated frequency of occurrence of DBAs.
AL3.1: Lower than that in the reference design.
CR3.2: Engineered safety features and operator procedures IN3.2: Reliability and capability of engineered safety features and/or operator procedures.
AL3.2: Superior to those in the reference design.
CR3.3: Grace periods for DBAs IN3.3: Grace periods for DBAs until human intervention is necessary.
AL3.3: Longer than those in the reference design.
CR3.4: Barriers IN3.4: Number of confinement barriers maintained (intact) after an accident.
AL3.4: At least one.
CR3.5: Robustness of containment design IN3.5: Containment loads covered by design of the facility assessed.
AL3.5: Greater than those in the reference design.
UR4: Severe plant conditions:

The frequency of an accidental release of radioactivity into the environment is reduced. The source term of accidental release into the environment remains well within the envelope of the reference facility source term and is so low that calculated consequences would not require public evacuation.

CR4.1: In-facility severe accident management IN4.1: Natural or engineered processes, equipment, and AM procedures and training to prevent an accidental release to the environment in the case of accident.
AL4.1: Sufficient to prevent an accidental release to the environment and regain control of the facility.
CR4.2: Frequency of accidental release into environment IN4.2: Calculated frequency of an accidental release of radioactive materials and/or toxic chemicals into the environment.
AL4.2: Lower than that in the reference facility.
CR4.3: Source term of accidental release into environment IN4.3: Calculated inventory and characteristics (release height, pressure, temperature, liquids/gas/aerosols, etc) of an accidental release.
AL4.3: Remains well within the inventory and characteristics envelope of the reference facility source term and is so low that calculated consequences would not require evacuation of population.
UR5: Independence of DID levels and inherent safety characteristics:

An assessment is performed for the reprocessing facility to demonstrate that the DID levels are more independent from each other than in the reference design. To excel in safety and reliability, the assessed reprocessing facility strives for better elimination or minimization of hazards relative to the reference design by incorporating into its design an increased emphasis on inherently safe characteristics.

CR5.1: Independence of DID levels IN5.1: Independence of different levels of DID in the assessed reprocessing facility.
AL5.1: More independence of the DID levels is demonstrated compared to that in the reference design, e.g. through deterministic and probabilistic means, hazards analysis, etc.
CR5.2: Minimization of hazards IN5.2: Examples of hazards: fire, flooding, release of radioactive material, radiation exposure, etc.
AL5.2: Hazards are reduced in relation to those in the reference facility.
UR6: Human factors related to safety:

Safe operation of the assessed reprocessing facility is supported by accounting for HF requirements in the design and operation of the facility, and by establishing and maintaining a strong safety culture in all organizations involved in the life cycle of the facility.

CR6.1: Human factors IN6.1: Human factors addressed systematically over the life cycle of the reprocessing facility.
AL6.1: Evidence is available.
CR6.2: Attitude to safety IN6.2: Prevailing safety culture.
AL6.2: Evidence is provided by periodic safety reviews.
UR7: RD&D for advanced designs:

The development of innovative design features of the assessed reprocessing facility includes associated RD&D to bring the knowledge of facility characteristics and the capability of analytical methods used for design and safety assessment to at least the same confidence level as for operating facilities.

CR7.1: RD&D IN7.1: RD&D status.
AL7.1: RD&D defined, performed and database developed.
CR7.2: Safety assessment IN7.2: Adequate safety assessment.
AL7.2: Approved by a responsible regulatory authority.

User requirement UR1: Robustness of design during normal operation

Rationale of UR1 was provided in Section 4.1. UR1 deals with prevention of AOOs. For a reprocessing facility, examples of AOOs are[75][31][76][77][78][79][80][81][82][83][84][85][86][87][88][89][90]:

  • Leakage (e.g. due to corrosion) of flammable (explosive) gases such as H2;
  • Leakage (small) of radioactive and/or toxic chemicals;
  • Change in process parameters such as flow and temperature that lead to process malfunction;
  • Fire in a room with significant amount of fissile material or toxic chemicals;
  • Loss of utilities such as electrical power, pressurized air, coolant, ventilation.

Criteria selected for user requirement UR1 are presented in Table 9.

Criterion CR1.1: Design of normal operation systems

Indicator IN1.1: Robustness of design of normal operation systems.ᅠ

Acceptance limit AL1.1: Superior to that in the reference design.
Normal operation equipment and systems relevant for safety used in a spent nuclear fuel reprocessing facility need to be designed against loads caused by internal and external hazards (see Section 2.1 of NFCF). The design of normal operation systems in a fuel production facility can be made more robust, i.e. reducing the likelihood of failures, by increasing the design margins, improving the quality of manufacture and construction, and by use of materials of higher quality. It is acknowledged that increasing the robustness of a facility design is a challenging task for a designer because enhancing one aspect could have a negative influence on other aspects. Thus, an optimised combination of design measures is necessary to increase the overall robustness of a design.
The general approach to the analysis of robustness can be explained as a two steps algorithm:

  • Definition of ‘challenge’ for a given system, structure or component;
  • Analysis of reaction to the challenge which may be one of the following:
    • Withstand with full recovery;
    • Withstand with some loss of functionality;
    • Loss of function.

Systems, structures and components with increased capacity for ‘a’ option (and ‘b’, when appropriate) have superior robustness compared against alternatives.
An example of robustness of the chemical process in a reprocessing facility is linked to the concentration of Pu and U in the liquid phase. To avoid that any minor variations in the organic/aqueous flows or temperature may result in loss of Pu or U to waste streams or formation of a third phase, the concentrations of Pu and U in organic streams in the flow sheet need to be kept well below the theoretical loading limits. The sensitivity of the flow sheet to variations in flow or temperature needs to be analysed and documented in the safety report. Pu accumulation due to second organic phase formation and polymerisation (with or without precipitation) for Pu bearing systems are the anticipated process upsets in facilities reprocessing Pu rich spent nuclear fuels. Thus, sufficient margin between third phase formation limits and prevailing organic Pu concentration needs to be maintained. For solutions containing high concentrations of Pu, the aqueous acidity needs to remain above 0.2 M in order to prevent hydrolysis and polymerisation of Pu. To prevent a solvent (diluents) flash resulting in a fire and/or explosion, the operating temperature of the extractors is limited to 50 °C.
Inside a hot cell, a likelihood of break or leak is expected to be minimised by design. Improved materials and welding and inspection practices can ensure that there are no breaks during the entire life time of the plant.
The acceptance limit AL1.1 of CR1.1 is met if evidence available to the INPRO assessor shows that the design of the facility assessed is superior to a reference design (e.g. has increased design margins, improved quality of manufacture and construction, or uses materials of higher quality), or, in case a reference facility could not be defined, took best international practice into account and is therefore state of the art technology.

Criterion CR1.2: Subcriticality

Indicator IN1.2: Subcriticality margins.ᅠ

Acceptance limit AL1.2: Sufficient to cover uncertainties and avoid criticality.
As it was discussed in section 6.2.2. for uranium refining/ conversion or enrichment facility, to avoid criticality accident in a reprocessing facility a criticality analysis needs to be performed demonstrating a design margin of keff < 0.90 for all possible configurations of fissile material. In this analysis, mass concentration, shape, moderation, etc. have to be considered. All process equipment in the material handling area has to be designed for criticality for submerged and water filled conditions.
The acceptance limit AL1.2 of CR1.2 is met if evidence available to the INPRO assessor shows that in the facility assessed no critical configuration can occur taking uncertainties into account.

Criterion CR1.3: Facility performance

Indicator IN1.3: Facility performance attributes.ᅠ

Acceptance limit AL1.3: Superior to those in the reference design.
The strategy of ageing management is expected to cover all relevant stages in the reprocessing facility lifecycle, all normal operation states, AOOs and accidents influencing a given system, and all relevant mechanisms of ageing. The designer of reprocessing facility has to determine the design life of SSC important to safety, to provide appropriate design margins to take due account of age related degradation and to provide methods and tools for assessing ageing during the reprocessing facility operation. The reprocessing facility operating organization has to develop a plan for preparing, coordinating, maintaining and improving activities for ageing management implementation at the different stages of the reprocessing facility lifecycle. Implementation of this plan will involve activities on managing ageing mechanisms, detecting and assessing ageing effects, and managing ageing effects.
Enhancement of the operation quality could be achieved through increased emphasis on automation and on-line monitoring. Similar to the more detailed discussion for fuel fabrication facilities in section 7.2.3, the acceptance criteria for quality of operation can be taken to be:

  • High(er) degree of remote control;
  • Availability of clear operating procedures and manuals, providing comprehensive data on the permissible range of various parameters, and emergency instructions manuals;
  • Availability of procedure for the feedback on application of operations manuals including a system of recording and analysing deviations from operating procedures, consequences of the events and methods to avoid recurrences.;
  • Availability of surveillance requirements including periodic tests to verify the performance level for safe operation;
  • Consideration of ageing management in the design documentation;
  • Availability of plan for implementation of ageing management;
  • Periodic and intensive training of operators;
  • Periodic mock-ups to ensure readiness of operators to handle emergencies.

The acceptance limit AL1.3 of CR1.3 is met if evidence available to the INPRO assessor shows that the design of the facility assessed is superior to a reference design, or, in case a reference facility could not be defined, took best international practice into account and is therefore state of the art technology.

Criterion CR1.4: Inspection, testing and maintenance

Indicator IN1.4: Capability to inspect, test and maintain.ᅠ

Acceptance limit AL1.4: Superior to that in the reference design.
Improved capabilities to inspect, to test and to maintain means that the reprocessing facility design assessed is expected to permit efficient and intelligent inspection, testing and maintenance, not just require more inspections and more testing, i.e. the programs of inspection, testing and maintenance need to be driven by a sound understanding of failure mechanisms (corrosion, erosion, fatigue, etc.), so that the right locations are inspected and right systems, structures and components are tested and maintained at the right time intervals. For example, provision for in-service inspection (ISI) of the components and equipment installed inside the hot cells is an essential requirement for fuel reprocessing plants in order that corrosion of equipment is detected at an early stage and actions taken to avoid leakage of radioactive solutions from the equipment. Particular innovations possible in this area include techniques for the measurement of thickness of the dissolver vessels to evaluate their residual life and ISI of welds of dissolver and hold up tanks.
The acceptance limit AL1.4 of CR1.4 is met if evidence available to the INPRO assessor shows that the capabilities to inspect, test and maintain systems relevant to safety in the facility assessed are superior to those in the reference design or, in case a reference facility could not be defined, are state of the art and allow easy inspection, testing and maintenance.

Criterion CR1.5: Failures and deviations from normal operation

Indicator IN1.5: Expected frequency of failures and deviations from normal operation.ᅠ

Acceptance limit AL1.5: Lower than that in the reference design.
Examples of AOOs are provided in the beginning of Section 8.2. The frequency of AOOs for a reprocessing facility need to be derived from operational experience of comparable facilities and supported by PSA.
The probability of occurrence of various types of failures has been analysed via a probabilistic safety assessment of reprocessing plants in Refs[31][89][90]. Failure probabilities for various events in existing facilities such as loss of cooling water to high level waste storage tanks have been determined in Ref[89]. The database for equipment failures is usually derived from data available for equipment in reactors, e.g. see Refs[91][92].
For the facility assessed, it can be possible to reduce the frequencies of AOOs, by increased robustness of the design, high quality of operation, and efficient and intelligent inspection. The consequences of all AOOs that can take place in the plant (e.g. inadvertent closure of valves, change in flows, mixing of solutions, transfer of fissile materials, etc.) need to be clearly addressed in the design analysis.
The acceptance limit AL1.5 of CR1.5 is met if evidence available to the INPRO assessor shows that that in the facility assessed the frequencies of AOOs (see beginning of Section 8.2 above) have been reduced in comparison to a reference design or, in case a reference facility could not be defined, that the facility assessed took best international practice into account and is therefore state of the art technology. If quantitative results from operational experience and PSA are not available, alternatively, deterministic analysis can be developed that support a reduction of probability of occurrence for AOOs in the facility assessed.

Criterion CR1.6: Occupational dose

Indicator IN1.6: Occupational dose values during normal operation and AOOs.ᅠ

Acceptance limit AL1.6: Lower than the dose constraints.
The assessment of CR1.6 for a conversion and enrichment facility presented in Section 7.2.6 is deemed to be sufficiently similar to the assessment of a reprocessing facility. Therefore, the INPRO assessor is requested to use the assessment approach described for a conversion and enrichment facility also for a reprocessing facility.

User requirement UR2: Detection and interception of AOOs

The rationale of UR2 was provided in Section 4.2. Criteria selected for user requirement UR2 are presented in Table 9.

Criterion CR2.1: I&C systems and operator procedures

Indicator IN2.1: I&C system to monitor, detect, trigger alarms and, together with operator actions, intercept and compensate AOOs.ᅠ

Acceptance limit AL2.1: Availability of such systems and operator procedures.
A reprocessing facility is expected to be designed to cope with AOOs (see beginning of Section 8.2) using automatic operational systems, i.e. I&C systems that bring the facility back to normal operating conditions. In case automatic systems are not available, adequate operator procedures are necessary. Passive and automatic active control systems are deemed more reliable than administrative (manual) control, but it is acknowledged that they are difficult to design for such facilities.
The design analysis is expected to specify clearly the regime of safe operating conditions for all equipment and processes. Necessary instrumentation for detecting malfunctions needs to be clearly identified. The availability of redundant monitoring systems based on different principles will ensure that the deviations from the intended conditions are detected efficiently. For example, reliable, continuous air monitoring systems to detect release of radioactivity to operating areas, criticality and temperature monitors need to be provided, with necessary interlocks and alarm annunciation systems.
Precise and reliable liquid flow metering devices need to be provided for the process streams to ensure that changes in flow ratios that may lead to process malfunction can be quickly detected and corrected. Fail-safe process interlocks are expected to be provided to maintain the desired solvent to aqueous ratio in the solvent extractors (pulse columns, mixer-settlers or centrifugal extractors). In the event of a major transient in a particular flow to the extractor, the interlock logic needs to stop all the input flows of the related extractor without fail.
On-line monitoring of Pu in process streams is essential to detect and intercept any process malfunction leading to Pu accumulation in undesired streams and in vessels of critically unsafe geometry. I&C systems play a vital role in avoiding runaway conditions in evaporators and preventing the formation of red oil. The provision of automatically closing fire barriers/ fire dampers in ventilation systems can ensure that fire does not spread to other areas.
Continuous monitoring of the temperatures and pressures in the process tanks can provide timely indications of process malfunctions. Pressures, temperatures and gamma activity levels inside the process enclosures need to be monitored to ensure detection of fire and criticality events. The monitoring of Pu concentrations in process streams is vital for not only detecting process malfunctions but also detecting accumulations of Pu in certain streams due to the phenomenon of third phase formation.
The acceptance limit AL2.1 of CR2.1 is met if evidence available to the INPRO assessor shows that I&C systems are available in the facility assessed that can detect failures and deviations from normal operation of systems relevant to safety, provide alarms, initiate automatic and/or manual actions, and bring the facility back to normal operation.

Criterion CR2.2: Grace periods for AOOs

Indicator IN2.2: Grace periods until human actions are required after AOOs.ᅠ

Acceptance limit AL2.2: Adequate grace periods are defined in design analyses.
An explanation of ‘adequate grace period’ is provided in section 5.3.2. The grace period available to the operator for each AOO needs to be defined in the safety analysis of the facility design. After detection of an AOO (see beginning of Section 8.2) in a reprocessing facility, automatic operational (I&C) systems (presented in Section 8.3.1 above) need to control these incidents before the operator intervention.
A minimum period of 30 minutes is envisaged as an adequate grace period with regard to disturbances in the process, due to flow variations, loss of power at site, loss of ventilation, loss of process coolant water, etc. For example, the failure of ventilation systems for hot cells does not lead to leakage of radioactivity to the operating areas beyond permissible limits within 30 minutes. This grace period will be adequate for human intervention to start auxiliary ventilation systems, and complete other safety actions such as the evacuation of operating areas.
The system is expected to have sufficient inertia to withstand transients, i.e. react slowly after AOOs. For example, the flow sheet of the processes needs to be robustly designed such that transients in flows do not lead to large losses of fissile material to waste streams. Sufficient heat transfer area needs to be available for liquid waste storage tanks to dissipate the large inventory of decay heat by natural convection for sufficient long periods in the event of transients in the cooling water flow. Build-up of radiolytic hydrogen in a liquid waste storage tank can take place in the event of a failure of the air sparging system. Availability of enough vapour space in liquid waste storage tanks would ensure that the radiolytic hydrogen level can be kept below explosion limit for a minimum period of eight hours.
To demonstrate the adequacy of the reprocessing facility design, the system behaviour for all AOOs needs to be analysed with validated and verified computer models.
The acceptance limit AL2.2 of CR2.2 is met if evidence available to the INPRO assessor shows that an adequate grace period has been determined in the design analysis for the facility assessed for all AOOs.

User requirement UR3: Design basis accidents

Rationale of UR3 was provided in Section 4.3. Examples of DBAs for a reprocessing plant are[88]:

  • A criticality accident;
  • A large scale leakage of radioactive material;
  • A total loss of power leading to ventilation failure;
  • Pressurization in the evaporator due to red-oil reactions;
  • A large fire and explosion inside a hot cell.

External hazards (defined in Section 2.1 and 2.6 of NFCF) such as earthquake, flooding, etc. could also lead to a DBA in a reprocessing facility. As stated before, the facilities need to be designed against all external and internal hazards.
The criteria selected for user requirement UR3 are presented in Table 9.

Criterion CR3.1: Frequency of DBAs

Indicator IN3.1: Calculated frequency of occurrence of DBAs.ᅠ

Acceptance limit AL3.1: Lower than that in the reference design.
Several examples of potential DBA in spent fuel reprocessing facility are introduced in the beginning of section 8.4. The frequency of occurrence of a DBA in the facility assessed is to be determined via a probabilistic risk assessment. Ref[93] estimates the frequency of pressurization due to red-oil reactions in the evaporator to be 10-6 per year. Such an assessment is necessary for other events such as loss of control of flow metering systems, total loss of electrical power leading to ventilation failure, etc.
The probability of a fire can be estimated based on a comprehensive knowledge of various fire loads in the plant, using codes such as COMPBRN-III[94].
The calculated frequency of DBA caused by external hazards can be influenced by the designer, e.g. via an increase of robustness of the confinement wall, and by the owner/ operator of the facility by selecting an appropriate site (see also user requirement UR7).
The acceptance limit AL3.1 of CR3.1 is met if evidence available to the INPRO assessor shows that in the facility assessed based on probabilistic analyses the frequency for the defined DBA is superior to a reference design. If quantitative results are not available the deterministic analysis can be developed that support a reduction of these frequencies based on an increase of design robustness, high quality of operation, an intelligent inspection and maintenance programs, advanced I&C systems, and increased inertia.

Criterion CR3.2: Engineered safety features and operator procedures

Indicator IN3.2: Reliability and capability of engineered safety features and/or operator procedures.ᅠ

Acceptance limit AL3.2: Superior to those in the reference design.
Engineered safety features need to be available that, after detection of a DBA, can automatically and reliably control the accident, restoring the facility to a controlled state and keeping the consequences within authorized limits. To assure necessary reliability, these features have to be designed with sufficient levels of redundancy, diversity and independence. In case automatic systems are not available, adequate operator procedures are necessary. Redundant, diversified and independent passive and automatic active systems are deemed more reliable than administrative controls (operator interventions) yet are nevertheless acknowledged to be difficult to design for spent fuel reprocessing facilities.
An example of such engineered safety features is seen in the provision of a secondary enclosure with an automatic exhaust system to restore the negative pressure momentarily lost because of a breach of the barrier (e.g. breaking of a glove box panel). The availability and performance of alternate power supply systems based on diesel generators (or batteries) needs to be periodically checked to ensure that they act reliably during an electrical power supply failure. The facility is also expected to have engineered safety features protecting against DBAs caused by external hazards (see Section 2.1 and 2.6 of NFCF), e.g. shock absorbers and dampers to mitigate an earthquake.
The acceptance limit AL3.2 of CR3.2 is met if evidence available to the INPRO assessor shows that the reliability and capability of engineered safety features in the facility assessed is superior to a reference design and assure that after the beginning of a DBA the necessary actions to mitigate the consequences of the accidents will be timely initiated. Alternatively, if a reference facility cannot be found, it could be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Criterion CR3.3: Grace periods for DBAs

Indicator IN3.3: Grace periods for DBAs until human intervention is necessary.ᅠ

Acceptance limit AL3.3: Longer than those in the reference design.
An explanation of ‘adequate grace period’ is provided in section 5.3.2 as introduced earlier for control of AOOs (see CR2.2) in Level 2 of DID. The criterion CR3.3 ‘grace period for DBAs’ implies a similar concept. For DBAs (caused by events associated with internal and external hazards), the criterion requires that the system response (inertia) and/or automatic actions of active (and/or passive) safety features provide an adequate grace period for interventions by the operator. Adequate grace periods in new reprocessing facilities are also assumed to be longer than those in the reference design.
There is practically no grace period for a criticality event in a spent fuel reprocessing facility, since the excursion occurs rather rapidly. However, prompt operator action can avert further excursions and consequent release of radioactivity and exposure to personnel. Grace periods for such actions are estimated to be only a few minutes.
Large scale leakages of process vessels leading to releases of radioactivity inside an enclosure such as glove box or hot cell are expected to be among the design basis events for a reprocessing facility. While the time necessary for attending to the large scale leak would depend upon the volume of the process/storage vessel and the leak, a grace period of at least several minutes can be expected.
Since the process solutions in a reprocessing plant include large inventories of combustible organics, a fire incident inside a process enclosure needs to be attended to expeditiously to ensure that it does not lead to a major fire and an explosion. Grace periods available for action in such a case could be 5 to 10 minutes depending upon the location of the fire and the layout of the process vessels.
The available grace periods have to be determined for each DBA in the design analyses. In the analysis, the DBAs need to be clearly specified and those identified that may require human intervention within a given period.
The acceptance limit AL3.3 of CR3.3 is met if evidence available to the INPRO assessor shows that in the facility assessed the grace periods are longer than those in the reference design. Alternatively, if a reference facility cannot be found, it needs to be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Criterion CR3.4: Barriers

Indicator IN3.4: Number of confinement barriers maintained (intact) after DBAs.ᅠ

Acceptance limit AL3.4: At least one.
The design of engineered safety features is expected to provide deterministically for continued integrity of at least of one barrier containing the radioactive and chemically toxic material following any DBA caused by events associated with internal or external hazards. Alternatively, the probability of losing all barriers could be used as an INPRO methodology indicator with a sufficiently low value of its acceptance limit.
In most NFCFs, the operator is protected by two confinement systems (e.g. a static and a dynamic confinement) that are designed against a release of radioactivity into the working area of the facility. However, due to the large volume and high radiotoxicity (and chemical toxicity) of materials handled in a reprocessing facility, two static safety barriers, e.g. the casing of the equipment and a hot cell or glove box, plus a dynamic confinement system in form of a ventilation system (inside a hot cell and in the working area), are required to protect the operator against releases of radioactive materials and toxic chemicals. Against the release of radioactivity and/or toxic chemicals to the environment, the last physical barrier is provided by the walls of the facility building. Thus, in the design of a reprocessing facility, there are usually three physical barriers, which are combined with ventilation of the hot cell and working area to prevent an accidental release of radioactivity into the environment.
The INPRO task group proposed that, after a DBA in reprocessing facility, at least one barrier will remain intact between the radioactive material and/or toxic chemicals and the operator. A second barrier – the walls of the facility building – will also remain intact between the radioactivity and the environment.
The acceptance limit AL3.4 of CR3.4 is met if evidence available to the INPRO assessor shows that, after a DBA in the facility assessed, at least one barrier remains intact between the radioactive material and/or toxic chemicals and the operator.

Criterion CR3.5: Robustness of containment design

The INPRO assessment of CR3.5 presented for a uranium conversion and enrichment facility in Sections 6.4.5 is deemed to be sufficiently similar to the assessment of a reprocessing facility. Thus, this approach can be used by the INPRO assessor also for reprocessing facilities.

User requirement UR4: Severe plant conditions

The rationale of UR4 was provided in Section 4.4. The INPRO methodology has defined three criteria for UR4: in-facility severe accident management, frequency of accidental release to the environment, source term of accidental release to the environment.
It is noted that a spent fuel reprocessing facility using enriched uranium (> 1 % of 235U) and plutonium has a higher probability of a criticality accident due to the existence of fissile material in liquid form than do other kinds of NFCFs. However, the INPRO assessment of spent fuel reprocessing facilities against user requirement UR4 (severe plant conditions) is deemed to be sufficiently similar to the assessment of an enrichment facility. Therefore, the assessor is requested to use the assessment method of UR4 described in Section 6.5 for an enrichment facility (including criteria, indicators and acceptance limits) also for a spent fuel reprocessing facility.

User requirement UR5: Independence of DID levels and inherent safety characteristics

The rationale of UR5 was provided in Section 4.5. The criteria selected for user requirement UR5 are presented in Table 9.

Criterion CR5.1: Independence of DID levels

Indicator IN5.1: Independence of different levels of DID in the assessed reprocessing facility.ᅠ

Acceptance limit AL5.1: More independence of the DID levels is demonstrated compared to that in the reference design, e.g. through deterministic and probabilistic means, hazards analysis, etc.
The INPRO assessment method of CR5.1 presented in Section 5.6.1 for a fuel fabrication facility is deemed to be formulated in sufficiently general terms so that it can be used also to assess a reprocessing facility.

Criterion CR5.2: Minimization of hazards

Indicator IN5.2: Examples of hazards: fire, criticality, release of radioactive material, radiation exposure, etc.ᅠ

Acceptance limit AL5.2: Hazards are reduced in relation to those in the reference facility.
Ref[43] explains the concept of inherent safety as the achievement of safety through fundamental conceptual design choices that eliminate or exclude inherent hazards. An inherent safety characteristic is a fundamental property of a design concept that results from basic choices in the materials used or in other aspects of the design and assures that a particular potential hazard cannot in any way become a safety concern.
Inherent safety can be built into the design of reprocessing plants through careful examination of the major events and by introducing innovations that circumvent such events. For example, the use of borated steels and use of vessels coated with boron compounds can ensure that criticality is not possible in a process vessel at any concentration of fissile material. The use of air operated motors in place of electrically operated motors (to avoid sparks) is an example of an inherently safe characteristic. The use of alternate extractants that are analogous to TBP but have a higher number of carbon atoms (e.g. tri-n-amyl phosphate) can ensure that third phase formation (which can lead to criticality) can be avoided altogether. By limiting the temperatures and concentrations of nitric acid in the evaporators, red oil formation can be avoided. Using fire resistant material and reducing the amount of burnable material in a reprocessing facility would reduce the hazard of a fire.
The acceptance limit AL5.2 of CR5.2 is met if evidence available to the INPRO assessor shows that hazards in the NFCF assessed have been reduced compared to those in the reference facility. Alternatively, if a reference facility cannot be found, it needs to be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

User requirements UR6 and UR7

The rationales for UR6 and UR7 are provided in Sections 4.6 and 4.7. The assessment of user requirements UR6 (human factors related to safety) and UR7 (RD&D for advanced designs) for the reprocessing facilities is deemed to be sufficiently similar to the assessment method of UR6 and UR7 described in 4.6 and 4.7 for mining and milling facilities (including criteria, indicators and acceptance limits).

Adaptation of the INPRO methodology to a storage facility

Adapting the INPRO methodology for use in assessing SNF storage facilities in the area of NFCF safety required significant modifications and adjustments in relation to the methodology used for other types of NFCFs.
It is noted that general requirements for sustainable management of all types of radioactive waste generated during the operation and decommissioning of all facilities in a nuclear energy system are discussed in the INPRO methodology manual on waste management. The following sections describe how the INPRO methodology in the area of safety is adapted and applied to an SNF storage facility.

INPRO basic principle for sustainability assessment of spent nuclear fuel storage facility in the area of safety

INPRO basic principle for sustainability assessment of spent nuclear fuel storage facility in the area of safety: The planned spent nuclear fuel storage facility is safer than the reference spent nuclear fuel storage facility. In the event of an accident, off-site releases of radionuclides and/or toxic chemicals are prevented or mitigated so that there will be no need for public evacuation.
The rationale of the BP was provided in Section 4. An explanation on the requirement of superiority in the INPRO methodology area of NFCF safety is provided in section 5.1. The INPRO methodology has defined a set of requirements for spent fuel storage facilities as displayed in Table 10.

Table 10. INPRO User requirements and criteria for sustainability assessment of storage facilities in the area of NFCF safety
User requirement Criteria Indicator (IN) and Acceptance Limit (AL)
UR1: Robustness of design during normal operation:

The assessed SNF storage facility is more robust than the reference design with regard to operation and systems, structures and components failures.

CR1.1: Design of normal operation systems IN1.1: Robustness of design of normal operation systems.
AL1.1: Superior to that in the reference design.
CR1.2: Subcriticality IN1.2: Subcriticality margins.
AL1.2: Sufficient to cover uncertainties and avoid criticality.
CR1.3: Facility performance IN1.3: Facility performance attributes.
AL1.3: Superior to those in the reference design
CR1.4: Inspection, testing and maintenance IN1.4: Capability to inspect, test and maintain.
AL1.4: Superior to that in the reference design.
CR1.5: Failures and deviations from normal operation IN1.5: Expected frequency of failures and deviations from normal operation.
AL1.5: Lower than that in the reference design.
CR1.6: Occupational dose IN1.6: Occupational dose values during normal operation and AOOs.
AL1.6: Lower than the dose constraints.
UR2: Detection and interception of AOOs:

The assessed SNF storage facility has improved capabilities to detect and intercept deviations from normal operational states in order to prevent AOOs from escalating to accident conditions.

CR2.1: I&C systems and operator procedures IN2.1: I&C system to monitor, detect, trigger alarms and, together with operator actions, intercept and compensate AOOs.
AL2.1: Availability of such systems and operator procedures.
CR2.2: Grace periods for AOOs IN2.2: Grace periods until human actions are required after AOOs.
AL2.2: Adequate grace periods are defined in the design analyses.
UR3: Design basis accidents:

The frequency of occurrence of DBAs in the assessed SNF storage facility is reduced. If an accident occurs, engineered safety features and/or operator actions are able to restore the assessed facility to a controlled state and subsequently to a safe state, and the consequences are mitigated to ensure the confinement of nuclear and/or toxic chemical material. Reliance on human intervention is minimal, and only required after sufficient grace period.

CR3.1: Frequency of DBAs IN3.1: Calculated frequency of occurrence of DBAs.
AL3.1: Lower than that in the reference design.
CR3.2: Engineered safety features and operator procedures IN3.2: Reliability and capability of engineered safety features and/or operator procedures.
AL3.2: Superior to those in the reference design.
CR3.3: Grace periods for DBAs IN3.3: Grace periods for DBAs until human intervention is necessary.
AL3.3: Longer than those in the reference design.
CR3.4: Barriers IN3.4: Number of confinement barriers maintained (intact) after an accident.
AL3.4: At least one.
CR3.5: Robustness of containment design IN3.5: Containment loads covered by design of the facility assessed.
AL3.5: Greater than those in the reference design.
UR4: Severe plant conditions:

The frequency of an accidental release of radioactivity into the environment is reduced. The source term of accidental release into the environment remains well within the envelope of the reference facility source term and is so low that calculated consequences would not require public evacuation.

CR4.1: In-facility severe accident management IN4.1: Natural or engineered processes, equipment, and AM procedures and training to prevent an accidental release to the environment in the case of accident.
AL4.1: Sufficient to prevent an accidental release to the environment and regain control of the facility.
CR4.2: Frequency of accidental release into environment IN4.2: Calculated frequency of an accidental release of radioactive materials and/or toxic chemicals into the environment.
AL4.2: Lower than that in the reference facility.
CR4.3: Source term of accidental release into environment IN4.3: Calculated inventory and characteristics (release height, pressure, temperature, liquids/gas/aerosols, etc) of an accidental release.
AL4.3: Remains well within the inventory and characteristics envelope of the reference facility source term and is so low that calculated consequences would not require evacuation of population.
UR5: Independence of DID levels and inherent safety characteristics:

An assessment is performed for the SNF storage facility to demonstrate that the DID levels are more independent from each other than in the reference design. To excel in safety and reliability, the assessed SNF storage facility strives for better elimination or minimization of hazards relative to the reference design by incorporating into its design an increased emphasis on inherently safe characteristics.

CR5.1: Independence of DID levels IN5.1: Independence of different levels of DID in the assessed SNF storage facility.
AL5.1: More independence of the DID levels is demonstrated compared to that in the reference design, e.g. through deterministic and probabilistic means, hazards analysis, etc.
CR5.2: Minimization of hazards IN5.2: Examples of hazards: fire, flooding, release of radioactive material, radiation exposure, etc.
AL5.2: Hazards minimized according to the state of the art.
UR6: Human factors related to safety:

Safe operation of the assessed SNF storage facility is supported by accounting for HF requirements in the design and operation of the facility, and by establishing and maintaining a strong safety culture in all organizations involved in the life cycle of the facility.

CR6.1: Human factors IN6.1: Human factors addressed systematically over the life cycle of the SNF storage facility.
AL6.1: Evidence is available.
CR6.2: Attitude to safety IN6.2: Prevailing safety culture.
AL6.2: Evidence is provided by periodic safety reviews.
UR7: RD&D for advanced designs:

The development of innovative design features of the assessed SNF storage facility includes associated RD&D to bring the knowledge of facility characteristics and the capability of analytical methods used for design and safety assessment to at least the same confidence level as for operating facilities.

CR7.1: RD&D IN7.1: RD&D status.
AL7.1: RD&D defined, performed and database developed.
CR7.2: Safety assessment IN7.2: Adequate safety assessment.
AL7.2: Approved by a responsible regulatory authority.

User requirement UR1: Robustness of design during normal operation

The rationale of UR1 was provided in Section 4.1. UR1 deals with prevention of AOOs. For an SNF storage facility, examples of AOOs include a temporary loss of:

  • Ventilation;
  • Forced cooling in a dry or wet storage facility;
  • Utilities such as supply of electricity and pressurized air.

The criteria selected for user requirement UR1 are presented in Table 10.

Criterion CR1.1: Design of normal operation systems

Indicator IN1.1: Robustness of design of normal operation systems.ᅠ

Acceptance limit AL1.1: Superior to that in the reference design.
All safety-relevant equipment and systems in an SNF storage facility are normally designed against loads caused by events associated with internal and external hazards (see Section 2.1 of NFCF). It is acknowledged that increasing the robustness of a spent fuel storage facility design is a challenging task for a designer because enhancing one aspect could have a negative influence on other aspects. Accordingly, an optimum combination of design measures is necessary to increase the overall robustness of a design. The design of an SNF storage facility can be made more robust, i.e. reducing the likelihood of failures, by increasing the design margins, improving the quality of manufacture and construction, and by using materials of higher quality.
The design of structures and components of an SNF storage facility needs to consider relevant loading conditions (stress, temperature, corrosive environment, radiation levels, etc.) and creep, fatigue, thermal stresses, corrosion and changes in material properties with time (e.g. concrete shrinkage). For example, materials of structures and components of the SNF storage facility that are in direct contact with the spent fuel need to be compatible with the material of the spent fuel to minimize chemical and galvanic reactions that could degrade the integrity of the spent fuel during its storage.
The acceptance limit AL1.1 of CR1.1 is met if evidence available to the INPRO assessor shows that the design of the facility assessed is superior in this regard to the reference design, or, in case a reference facility could not be defined, took best international practice into account and is therefore state of the art.

Criterion CR1.2: Subcriticality

Indicator IN1.2: Subcriticality margins.ᅠ

Acceptance limit AL1.2: Sufficient to cover uncertainties and avoid criticality.
As discussed in section 6.2.2. for uranium refining/ conversion and enrichment facilities, to avoid a criticality accident in an SNF storage facility that could result in a large release of radiation and radioactive material, a criticality analysis needs to be performed that demonstrates a design margin of keff<0.90 for all possible configurations of fissile material. In this analysis, mass concentration, shape, moderation, etc. have to be considered.
The acceptance limit AL1.2 of CR1.2 is met if evidence available to the INPRO assessor shows that in the facility assessed no critical configuration can occur, taking uncertainties into account.

Criterion CR1.3: Facility performance

Indicator IN1.3: Facility performance attributes.ᅠ

Acceptance limit AL1.3: Superior to those in the reference design.
The strategy of ageing management needs to cover all relevant stages in the SNF storage facility lifecycle, all normal operation states, all AOOs and accidents influencing a given system, and all relevant mechanisms of ageing. The designer of an SNF storage facility has to determine the design life of safety related equipment, provide appropriate design margins to take due account of age related degradation and provide methods and tools for the assessment of ageing during operation. The operating organization has to develop a plan for ageing management implementation at the different stages of the facility lifecycle. Superior performance of the facility is aligned with increased robustness of its design. Superior performance implies:

  • Increased emphasis on automation and on-line monitoring;
  • A system of recording and analysing deviations from operating procedures, consequences of events and methods to avoid recurrences;
  • Availability of clear operating procedures and manuals, providing comprehensive data on the permissible ranges of various parameters;
  • Consideration of ageing management in the design documentation;
  • Availability of a plan for implementation of ageing management;
  • Operator training as an important route to ensuring quality of operation.

The acceptance limit AL1.3 of CR1.3 is met if evidence available to the INPRO assessor shows that the performance attributes of the facility assessed are superior to those of the reference design, or, in case a reference facility could not be defined, took best international practice into account and are therefore state of the art.

Criterion CR1.4: Inspection, testing and maintenance

Indicator IN1.4: Capability to inspect, test and maintain.ᅠ

Acceptance limit AL1.4: Superior to that in the reference design.
The assessed design of SNF storage facility is expected to permit efficient and intelligent inspection, testing and maintenance and not just require more inspections and more testing. In particular, the programs of inspection, testing and maintenance need to be driven by a sound understanding of failure mechanisms (corrosion, erosion, fatigue, etc.), so that the right locations are inspected and the right systems, structures and components are tested and maintained at the right time intervals.
The acceptance limit AL1.4 of CR1.4 is met if evidence available to the INPRO assessor shows that the capability to inspect, to test and to maintain systems relevant for safety in the facility assessed is superior to a reference design or, in case a reference facility could not be defined, is state of the art and allows easy inspection, testing and maintenance.

Criterion CR1.5: Failures and deviations from normal operation

Indicator IN1.5: Expected frequency of failures and deviations from normal operation.ᅠ

Acceptance limit AL1.5: Lower than that in the reference design.
The frequencies of the AOOs selected (see beginning of Section 9.2) for an SNF storage facility need to be derived from operational experience of comparable facilities and supported by PSA. For the facility assessed, it can be possible to reduce these frequencies by increased robustness of the design, high quality of operation, and efficient and intelligent inspection.
The acceptance limit AL1.5 of CR1.5 is met if evidence available to the INPRO assessor shows that in the facility assessed the frequencies of AOOs have been reduced in comparison to those in the reference design or, in case a reference facility could not be defined, that the facility assessed took best international practice into account and is therefore state of the art. If quantitative results from operational experience and PSA are not available, alternatively, a deterministic analysis can be developed that indicates a reduced probability of occurrence for AOOs in the facility assessed.

Criterion CR1.6: Occupational dose

Indicator IN1.6: Occupational dose values during normal operation and AOOs.ᅠ

Acceptance limit AL1.6: Lower than the dose constraints.
The assessment of CR1.6 presented in Section 6.2.6 for a conversion and enrichment facility is deemed to be substantially similar to the assessment of a storage facility for spent nuclear fuel. Therefore, the INPRO assessor is requested to use the assessment approach described for a conversion and enrichment facility also for such a storage facility.

User requirement UR2: Detection and interception of AOOs

The rationale of UR2 was provided in Section 4.2. The criteria selected for user requirement UR2 are presented in Table 10.

Criterion CR2.1: I&C systems and operator procedures

Indicator IN2.1: I&C system to monitor, detect, trigger alarms and, together with operator actions, intercept and compensate AOOs.ᅠ

Acceptance limit AL2.1: Availability of such systems and operator procedures.
The design analysis is expected to specify the regime of safe operating conditions for all equipment and processes. Necessary instrumentation for detecting malfunctions needs to be clearly identified. For example, reliable, continuous air monitoring systems to detect release of radioactivity to operating areas, water level in pools, criticality and temperature monitors can be provided, with necessary interlocks and alarm annunciation systems.
Different from other kinds of NFCFs, an automatic compensation of AOOs is deemed not necessary in an SNF storage facility, i.e. timely operator intervention can be sufficient.
The acceptance limit AL2.1 of CR2.1 is met if evidence available to the INPRO assessor shows that the I&C systems in the facility assessed can detect failures and deviations from normal operation of systems relevant to safety and provide alarms. The operator is able to perform interventions that bring the facility back to normal operation.

Criterion CR2.2: Grace periods for AOOs

Indicator IN2.2: Grace periods until human actions are required after AOOs.ᅠ

Acceptance limit AL2.2: Adequate grace periods are defined in design analyses.
An explanation of ‘adequate grace period’ is provided in section 5.3.2. The grace period available to the operator for each AOO needs to be defined in the safety analysis of the facility design. The appropriate value of this grace period depends on the ease of failure diagnosis and the complexity of the human action to be taken; i.e. simple failures and consecutive straightforward actions allow for shorter grace periods.
Compared to other kinds of NFCFs, the inertia of an SNF storage facility is very high, resulting in a very slow response to deviations from normal operation. For example, analyses typically show that the cooling system of the pool of an SNF storage facility can be stopped for about 10 days without loss of integrity of the SNF[25]. Thus, it is expected that the design analysis of such a facility will clearly demonstrate sufficient inertia to cope with AOOs.
The acceptance limit AL2.2 of CR2.2 is met if evidence available to the INPRO assessor shows that adequate grace periods have been determined for all AOOs in the design analysis for the facility assessed.

User requirement UR3: Design basis accidents

The rationale of UR3 was provided in Section 4.3. Ref[29] provides examples of events that may be associated with DBAs in a SNF storage facility:

“It should be noted that many events would be addressed either as anticipated operational occurrences or as design basis accidents. However, some of these events could also lead to severe accidents, which are beyond the design basis. Whilst the probability of such beyond design basis accidents occurring is extremely low, in the preparation of operating procedures and contingency plans the operating organization should consider events such as the following:
(a) Crane failure with a water filled and loaded cask, suspended outside the pool;
(b) Loss of safety related facility process systems such as supplies of electricity, process water, compressed air and ventilation;
(c) Explosions due to the buildup of radiolytic gases;
(d) Fires leading to the damage of items important to safety (to reduce the risk of fire, the amount of combustible material or waste should be controlled, as should be the amount of other flammable materials (…));
(e) Extreme weather conditions, which could alter operating characteristics or impair pool or cask heat removal systems;
(f) Other natural events such as earthquake or tornado;
(g) External human induced events (airplane crash, sabotage, etc.);
(h) Failure of the physical protection system.
Consideration should also be given to the possible misuse of chemicals (e.g. unintended introduction into the pool water of acidic or alkaline fluids used for the regeneration of ion exchange resin).”

As stated before, the facilities need to be designed against all external and internal hazards. The criteria selected for user requirement UR3 are presented in Table 10.

Criterion CR3.1: Frequency of DBAs

Indicator IN3.1: Calculated frequency of occurrence of DBAs.ᅠ

Acceptance limit AL3.1: Lower than that in the reference design.
Examples of DBAs to be considered in a SNF storage facility have been defined above (beginning of Section 9.4). The frequency of occurrence of a DBA in the facility assessed needs to be determined via a probabilistic risk assessment.
The calculated frequency of DBAs caused by external hazards can be influenced by the designer via an increased robustness of the confinement (building) walls, and by the future owner/ operator of the facility by selecting an appropriate site (see UR7).
The acceptance limit AL3.1 of CR3.1 is met if evidence available to the INPRO assessor uses probabilistic analyse to show that the frequency of the defined DBAs in the facility assessed is lower than that in the reference design. If quantitative results are not available, technical arguments can be developed that indicate a reduction of these frequencies based on an increase of design robustness, high quality of operation, intelligent inspection and maintenance programs, advanced I&C systems, and increased inertia.

Criterion CR3.2: Engineered safety features and operator procedures

Indicator IN3.2: Reliability and capability of engineered safety features and/or operator procedures.ᅠ

Acceptance limit AL3.2: Superior to those in the reference design.
For accidents in SNF storage facilities, automatic engineered safety features are deemed to be not necessary due to the slow response of the system to accidents other than criticality accidents. Thus, to meet the acceptance limit AL3.2 of CR3.2, superior operator procedures (in comparison to those for the reference facility) need to be available to control accidents, restore the facility to a controlled state and keep the consequences (e.g. dose) below authorized limits. In case a reference facility cannot be defined, it can be demonstrated that the design took best international practice into account and is therefore state of the art.

Criterion CR3.3: Grace periods for DBAs

Indicator IN3.3: Grace periods for DBAs until human intervention is necessary.ᅠ

Acceptance limit AL3.3: Longer than those in the reference design.
The criterion CR3.3 ‘grace periods for DBAs’ implies a similar concept as introduced earlier for control of AOOs (see CR2.2). However, similar to the situation for AOOs, the system response to DBAs in an SNF storage facility is rather slow due to the high inertia, thus leaving ample time for the operator to intervene. Thus, it is assumed that sufficient grace periods are available for all DBAs in such a facility.
The acceptance limit AL3.3 of CR3.3 is met if evidence available to the INPRO assessor shows that in the facility assessed the grace periods are longer than those in the reference design. Alternatively, if a reference facility cannot be found, it can be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

Criterion CR3.4: Barriers

Indicator IN3.4: Number of confinement barriers maintained (intact) after DBAs.ᅠ

Acceptance limit AL3.4: At least one.
The design of the facility is expected to provide deterministically for continued integrity at least of one barrier containing the radioactive material following any DBA caused by events associated with internal or external hazards. Alternatively, the probability of losing all barriers could be used as an INPRO methodology indicator with a sufficient low value as its acceptance limit.
The acceptance limit AL3.4 of CR3.4 is met if evidence available to the INPRO assessor shows that after a DBA in the facility assessed, at least one barrier remains intact, avoiding a release of radioactive material from the facility.

Criterion CR3.5: Robustness of containment design

The INPRO assessment of CR3.5 presented for a uranium conversion and enrichment facility in Section 6.4.5 is deemed to be substantially similar to that for a spent nuclear fuel storage facility. Thus, that approach can be used by the INPRO assessor also for the storage facility.

User requirements UR4 – UR7

The rationale for UR4 – UR7 is provided in Sections 4.4 - 4.7.
The INPRO assessment of the spent fuel storage facility against user requirement UR4 (severe plant conditions) is deemed to be substantially similar to the assessment method of UR4 described in Section 6.5 for an enrichment facility (including criteria, indicators and acceptance limits).
The INPRO assessment of the spent fuel storage facility against user requirement UR5 (independence of DID levels and inherent safety characteristics) is deemed to be substantially similar to the assessment method of UR5 described in Section 7.6 for fuel manufacturing facilities and in Section 6.6.1 (criterion on minimisation of hazards) for uranium conversion and enrichment facilities.
The INPRO assessment of the spent fuel storage facility against user requirement UR6 (human factors related to safety) is deemed to be substantially similar to the assessment method of UR6 described in Section 5.7 for mining and milling facilities (including criteria, indicators and acceptance limits).
The INPRO assessment of the spent fuel storage facility against user requirement UR7 (RD&D for advanced designs) is deemed to be substantially similar to the assessment method of UR7 described in Section 5.8 for mining and milling facilities (including criteria, indicators and acceptance limits).

See also

Assessment Methodology
Areas of INPRO Sustainability Assessment OverviewEconomicsSafety (Nuclear Reactors)Safety (NFCF)Waste managementEnvironmental Impact on StressorsEnvironmental Impact from Depletion of ResourcesInfrastructure
Requirements Basic PrincipleUser requirementsCriteria

References

  1. INTERNATIONAL ATOMIC ENERGY AGENCY, Regulations for the Safe Transport of Radioactive Material, IAEA Safety Standards Series No. SSR-6 (Rev. 1), IAEA, Vienna (2018).
  2. INTERNATIONAL ATOMIC ENERGY AGENCY, Advisory Material for the IAEA Regulations for the Safe Transport of Radioactive Material, IAEA Safety Standards Series No. TS-G-1.1 (Rev. 1), IAEA, Vienna (2008).
  3. INTERNATIONAL ATOMIC ENERGY AGENCY, Planning and Preparing for Emergency Response to Transport Accidents Involving Radioactive Material, IAEA Safety Standards Series No. TS-G-1.2 (ST-3), IAEA, Vienna (2002).
  4. INTERNATIONAL ATOMIC ENERGY AGENCY, Compliance Assurance for the Safe Transport of Radioactive Material, IAEA Safety Standards Series No. TS-G-1.5, IAEA, Vienna (2009).
  5. INTERNATIONAL ATOMIC ENERGY AGENCY, The Management System for the Safe Transport of Radioactive Material, IAEA Safety Standards Series No. TS-G-1.4, IAEA, Vienna (2008).
  6. INTERNATIONAL ATOMIC ENERGY AGENCY, Radiation Protection Programmes for the Transport of Radioactive Material, IAEA Safety Standards Series No. TS-G-1.3, IAEA, Vienna (2007).
  7. 7.0 7.1 UNITED NATIONS, Our Common Future (Report to the General Assembly), World Commission on Environment and Development, UN, New York (1987).
  8. 8.0 8.1 8.2 INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of and Regulations for Nuclear Fuel Cycle Facilities, Technical Committee meeting in Vienna (2000), IAEA-TECDOC-1221, IAEA, Vienna (2001).
  9. 9.0 9.1 9.2 RANGUELOVA, V., NIEHAUS, F., et al, Safety of Fuel Cycle Facilities, Topical Issue Paper No.3 in Proceedings of International Conference on Topical Issues in Nuclear Safety, Vienna, 3-6 Sept. 2001, IAEA, STI/PUB/1120, IAEA, Vienna (2002).
  10. INTERNATIONAL ATOMIC ENERGY AGENCY, Procedures for Conducting Probabilistic Safety Assessment for Non-Reactor Nuclear Facilities, IAEA-TECDOC-1267, IAEA, Vienna (2002).
  11. 11.0 11.1 11.2 INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Fuel Cycle Facilities, IAEA Safety Standards, Specific Safety Requirements No. SSR-4, IAEA, Vienna (2017).
  12. 12.0 12.1 12.2 12.3 NUCLEAR REGULATORY COMMISSION, Standard Review Plan for the Review of a License Application for a Fuel Cycle Facility, NUREG-1520 Rev.1. US NRC, Washington (2010).
  13. NUCLEAR REGULATORY COMMISSION, Standard Review Plan for the In-Situ Leach Uranium Extraction License Application, NUREG-1569. US NRC, Washington (2003).
  14. NUCLEAR REGULATORY COMMISSION, Consolidated Guidance about Material Licensees, NUREG-1556 series. US NRC, Washington (1998).
  15. NUCLEAR REGULATORY COMMISSION, Integrated Safety Analysis Guidance Document, NUREG-1513. US NRC, Washington (2001).
  16. NUCLEAR REGULATORY COMMISSION, Risk Analysis and Evaluation of Regulatory Options for Nuclear By-product Materials Systems, NUREG/ CR-6642. US NRC, Washington (2000).
  17. NTERNATIONAL ATOMIC ENERGY AGENCY, Treatment of Liquid Effluent from Uranium Mines and Mills, IAEA-TECDOC-1419, IAEA, Vienna (2005).
  18. INTERNATIONAL ATOMIC ENERGY AGENCY, The Long Term Stabilization of Uranium Mill Tailings, IAEA-TECDOC-1403, IAEA, Vienna (2004).
  19. 19.0 19.1 19.2 19.3 19.4 19.5 INTERNATIONAL ATOMIC ENERGY AGENCY, Occupational Radiation Protection, Safety Guide, IAEA Safety Standards No. GSG-7, IAEA, Vienna (2018).
  20. 20.0 20.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Monitoring and Surveillance of Residues from the Mining and Milling of Uranium and Thorium, Safety Reports Series No. 27, IAEA, Vienna (2003).
  21. 21.0 21.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Management of Radioactive Waste from the Mining and Milling of Ores, Safety Guide, IAEA Safety Standards Series No. WS-G-1.2, IAEA, Vienna (2002).
  22. INTERNATIONAL ATOMIC ENERGY AGENCY, Guidebook on Good Practice in the Management of Uranium Mining and Mill Operations and the Preparation for their Closure, IAEA-TECDOC-1059, IAEA, Vienna (1998).
  23. INTERNATIONAL ATOMIC ENERGY AGENCY, Innovations in Uranium Exploration, Mining and Processing Techniques, and New Exploration Target Areas, IAEA-TECDOC-868, IAEA, Vienna (1996).
  24. INTERNATIONAL ATOMIC ENERGY AGENCY, Guidebook on Environmental Impact Assessment for In Situ Leach Mining Projects, IAEA-TECDOC-1428, IAEA, Vienna (2005).
  25. 25.0 25.1 25.2 OECD/NUCLEAR ENERGY AGENCY (NEA), The Safety of the Nuclear Fuel Cycle, Third Edition, NEA No.3588, OECD/NEA, Paris (2005).
  26. 26.0 26.1 26.2 26.3 26.4 26.5 26.6 INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Conversion Facilities and Uranium Enrichment Facilities, IAEA Safety Standards, Specific Safety Guide No. SSG-5, IAEA, Vienna (2010).
  27. 27.0 27.1 27.2 27.3 INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Uranium Fuel Fabrication Facilities, IAEA Safety Standards, Specific Safety Guide No. SSG-6, IAEA, Vienna (2010).
  28. 28.0 28.1 28.2 28.3 INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Uranium and Plutonium Mixed Fuel Fabrication Facilities, IAEA Safety Standards, Specific Safety Guide No. SSG-7, IAEA, Vienna (2010).
  29. 29.0 29.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Storage of Spent Nuclear Fuel, IAEA Safety Standards, Specific Safety Guide No. SSG-15, IAEA, Vienna (2012).
  30. INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Fuel Reprocessing Facilities, IAEA Safety Standards, Specific Safety Guide No. SSG-42, IAEA, Vienna (2017).
  31. 31.0 31.1 31.2 UEDA, Y., Current Studies on Utilization of Risk Information for Fuel Cycle Facilities in Japan, Workshop on Utilization of Risk Information for Nuclear Safety Regulation, Tokyo, May (2005).
  32. INTERNATIONAL ATOMIC ENERGY AGENCY, Experiences and Lessons Learned Worldwide in the Cleanup and Decommissioning of Nuclear Facilities in the Aftermath of Accidents, IAEA Nuclear Energy Series No. NW-T-2.7, IAEA, Vienna (2014)
  33. 33.0 33.1 33.2 33.3 INTERNATIONAL ATOMIC ENERGY AGENCY, Defence in Depth in Nuclear Safety, INSAG-10, A report by the International Safety Advisory Group, IAEA, Vienna (1996).
  34. 34.0 34.1 34.2 INTERNATIONAL ATOMIC ENERGY AGENCY, Basic Safety Principles for Nuclear Power Plants, 75-INSAG-3, Rev.1, INSAG-12, IAEA, Vienna (1999).
  35. 35.0 35.1 35.2 INTERNATIONAL ATOMIC ENERGY AGENCY, INPRO Methodology for Sustainability Assessment of Nuclear Energy Systems: Infrastructure, IAEA Nuclear Energy Series, No. NG-T-3.12, IAEA, Vienna (2014).
  36. INTERNATIONAL ATOMIC ENERGY AGENCY, Terms for Describing New, Advanced Nuclear Power Plants, IAEA-TECDOC-936, IAEA, Vienna (1997).
  37. 37.0 37.1 INTERNATIONAL ATOMIC ENERGY AGENCY, INPRO Methodology for Sustainability Assessment of Nuclear Energy Systems: Environmental Impact of Stressors, IAEA Nuclear Energy Series No. NG-T-3.15, IAEA, Vienna (2016).
  38. 38.0 38.1 38.2 38.3 38.4 INTERNATIONAL ATOMIC ENERGY AGENCY, Radiation Protection and Safety of Radiation Sources: International Basic Safety Standards Interim Edition, IAEA Safety Standards, General Safety Requirements Part 3, No. GSR Part 3, IAEA, Vienna (2014).
  39. 39.0 39.1 INTERNATIONAL LABOUR ORGANIZATION, Chemical Exposure Limits, Resource list. [1] Official web-site (2011)
  40. INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Safety Glossary, Terminology used in Nuclear Safety and Radiation Protection, 2018 Edition, IAEA, Vienna (2018).
  41. 41.0 41.1 41.2 INTERNATIONAL ATOMIC ENERGY AGENCY, Preparedness and Response for a Nuclear or Radiological Emergency, IAEA Safety Standards, General Safety Requirements Part 7, No. GSR Part 7, IAEA, Vienna (2015).
  42. INTERNATIONAL ATOMIC ENERGY AGENCY, Criteria for Use in Preparedness and Response for a Nuclear or Radiological Emergency, IAEA Safety Standards, General Safety Guide No. GSG-2, IAEA, Vienna (2011).
  43. 43.0 43.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Terms for Advanced Nuclear Plants, IAEA-TECDOC-626, IAEA, Vienna (1991).
  44. 44.0 44.1 44.2 44.3 44.4 44.5 INTERNATIONAL ATOMIC ENERGY AGENCY, Management of Operational Safety in Nuclear Power Plants, INSAG Series No. 13, IAEA, Vienna (1999).
  45. NUCLEAR REGULATORY COMMISSION, Human Factors Engineering Program Review Model, NUREG-0711, Rev.3. US NRC, Washington (2012).
  46. INTERNATIONAL ATOMIC ENERCY AGENCY, Summary report on the post-accident review meeting on the Chernobyl accident, IAEA Safety Series No.75-INSAG-1, IAEA, Vienna (1986).
  47. 47.0 47.1 INTERNATIONAL ATOMIC ENERCY AGENCY, Safety culture, INSAG-4, IAEA Safety Series No. 75, IAEA, Vienna (1991).
  48. 48.0 48.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Developing Safety Culture in Nuclear Activities: Practical Suggestions to Assist Progress, Safety Reports Series No. 11, IAEA, Vienna (1998).
  49. 49.0 49.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Key Practical Issues in Strengthening Safety Culture, INSAG Series No. 15, IAEA, Vienna (2002).
  50. 50.0 50.1 50.2 INTERNATIONAL ATOMIC ENERGY AGENCY, Leadership and Management for Safety, IAEA Safety Standards Series No. GSR Part 2, IAEA, Vienna (2016).
  51. 51.0 51.1 51.2 51.3 INTERNATIONAL ATOMIC ENERGY AGENCY, Application of the Management System for Facilities and Activities, IAEA Safety Standards Series, Safety Guide No. GS-G-3.1, IAEA, Vienna (2006).
  52. 52.0 52.1 INTERNATIONAL ATOMIC ENERGY AGENCY, The Management System for Nuclear Installations, IAEA Safety Standards, Safety Guide No. GS-G-3.5, IAEA, Vienna (2009).
  53. 53.0 53.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Establishing the Safety Infrastructure for a Nuclear Power Programme, IAEA Safety Standards, Specific Safety Guide No. SSG-16, IAEA, Vienna (2012).
  54. 54.0 54.1 INTERNATIONAL ATOMIC ENERCY AGENCY, Safety Culture in Nuclear Installations, Guidance for Use in the Enhancement of Safety Culture, IAEA-TECDOC-1329, IAEA, Vienna (2002).
  55. INTERNATIONAL ATOMIC ENERCY AGENCY, Maintaining Knowledge, Training and Infrastructure for Research and Development in Nuclear Safety, INSAG Series No. 16, IAEA, Vienna (1999).
  56. 56.0 56.1 NUCLEAR REGULATORY COMMISSION, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk Informed Decision Making, NUREG-1855 Volume 1, US NRC, Washington (2009).
  57. INTERNATIONAL ATOMIC ENERCY AGENCY, Setting Authorized Limits for Radioactive Discharges: Practical Issues to Consider, IAEA-TECDOC-1638, IAEA, Vienna (2010).
  58. INTERNATIONAL ATOMIC ENERGY AGENCY, Environmental and Source Monitoring for Purposes of Radiation Protection, IAEA Safety Standards, Safety Guide No. RS-G-1.8, IAEA, Vienna (2005).
  59. INTERNATIONAL ATOMIC ENERGY AGENCY, Environmental Contamination from Uranium Production Facilities and Their Remediation, Proceedings of an International Workshop, Lisbon, 11-13 February 2004, STI/PUB/1228, IAEA, Vienna (2005).
  60. INTERNATIONAL ATOMIC ENERGY AGENCY, Disposal of Radioactive Waste, IAEA Safety Standards, Specific Safety Requirements No. SSR-5, IAEA, Vienna (2011).
  61. INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment for Facilities and activities, IAEA Safety Standards, General Safety Requirements Part 4, No. GSR Part 4 (Rev. 1), IAEA, Vienna (2016).
  62. 62.0 62.1 INTERNATIONAL ATOMIC ENERGY AGENCY, A Framework for an Integrated Risk Informed Decision Making Process, A report by the International Nuclear Safety Group, INSAG-25, IAEA, Vienna (2011).
  63. INTERNATIONAL ATOMIC ENERGY AGENCY, The Safety Case and Safety Assessment for the Disposal of Radioactive Waste, IAEA Safety Standards, Specific Safety Guide No. SSG-23, IAEA, Vienna (2012).
  64. INTERNATIONAL ATOMIC ENERCY AGENCY, Risk Informed Regulation of Nuclear Facilities: Overview of the Current Status, IAEA-TECDOC-1436, IAEA, Vienna (2005).
  65. ELECTRIC POWER RESEARCH INSTITUTE, Risk Informed Regulation: Potential Application to Advanced Nuclear Plants, TP-114441, EPRI, Palo Alto, CA (2000).
  66. OECD/ NUCLEAR ENERGY AGENCY, Probabilistic Risk Criteria and safety Goals, NEA/CSNI/R(2009)16, OECD/NEA, Paris (2009).
  67. 67.0 67.1 INTERNATIONAL ATOMIC ENERGY AGENCY, Criticality Safety in the Handling of Fissile Material, IAEA Safety Standards, Specific Safety Guide No. SSG-27, IAEA, Vienna (2014).
  68. INTERNATIONAL COMMISSION ON RADIOLOGICAL PROTECTION, 1990 Recommendations of the International Commission on Radiological Protection, ICRP Publication 60, Pergamon Press (1991).
  69. NUCLEAR REGULATORY COMMISSION, Nuclear Regulatory Commission Issuances, NUREG-0750, vol.62, No.1. US NRC, Washington (2005)
  70. INTERNATIONAL ATOMIC ENERGY AGENCY, Seismic Hazards in Site Evaluation for Nuclear Installations, IAEA Safety Standards, Specific Safety Guide No. SSG-9, IAEA, Vienna (2010).
  71. OECD NUCLEAR ENERGY AGENCY, Safety Assessment of Fuel Cycle Facilities – Regulatory Approaches and Industry Perspectives, OECD/NEA Workshop, Toronto, Canada (2011)
  72. AMERICAN NUCLEAR SOCIETY, Nuclear Criticality Safety in Operations with Fissionable Materials Outside Reactors, ANSI/ANS-8.1-1998. Historical standard, ANS, La Grange Park, USA (1998)
  73. INTERNATIONAL ATOMIC ENERGY AGENCY, Assessment of Defence in Depth for Nuclear Power Plants, IAEA Safety Reports Series No. 46, IAEA, Vienna (2005).
  74. YOSHIDA, K., TAMAKI, H., KIMOTO, T., WATANABE, N., MURAMATSU, K., Methodology Development and Application of PSA for MOX Fuel Fabrication Facilities, WGRISK – WGOE/FCS joint workshop on PSA of Non-reactor Nuclear Facilities, OECD/NEA, Paris (2004).
  75. INTERNATIONAL ATOMIC ENERGY AGENCY, Guidance for the Application of an Assessment methodology for Innovative Nuclear Energy Systems, Volume 9, Safety of Nuclear Fuel Cycle Facilities, IAEA-TECDOC-1575, IAEA, Vienna (2008).
  76. INTERNATIONAL ATOMIC ENERGY AGENCY, Status and Trends in Spent Fuel Reprocessing, IAEA-TECDOC-1103, IAEA, Vienna (1999).
  77. INTERNATIONAL ATOMIC ENERGY AGENCY, Status and Trends in Spent Fuel Reprocessing, IAEA-TECDOC-1467, IAEA, Vienna (2005).
  78. INTERNATIONAL ATOMIC ENERGY AGENCY, Spent Fuel Reprocessing Options, IAEA-TECDOC-1587, Vienna (2008).
  79. LONG, J., Engineering for Nuclear Fuel Reprocessing, Gordon and Breach Publishers, New York, (1967).
  80. SCHULZ, W., BURGER, L., NAVARATIL, J., BENDER, K., Science and Technology of TBP Volume III, Applications of Tri-Butyl Phosphate in Nuclear Fuel Reprocessing, CRC Press, Florida (1984).
  81. SKIBA, O., IVANOV, V., The State and Prospects of the Fuel Cycle Development Using Pyro-electrochemical Processing in Molten Salts, Molten Salts in Nuclear Technologies Seminar, Dimitrovgrad, June 19-22, (1995).
  82. PADDLEFORD, D., FAUSKE, H., Safe Venting of Red Oil Runaway Reactions, Report WSRC-MS-94-0649, US-DOE, Washington (1994).
  83. RUDISILL, T., CROOKS, W., Initiation Temperature of Runaway TBP/HNO3 Reactions, Report WSRC-TR-2000-00427, US-DOE, Washington (2000).
  84. JAMES, N., SHEPPARD, G., Red-oil Hazards in Nuclear Fuel Reprocessing, Nuclear Engineering and Design, Vol. 130, issue 1, Elsevier (1991).
  85. VANDERCOOK, R., Summary of Red Oil Issues at Hanford, WHC-WM-TI-466, Westinghouse Hanford Company (1991).
  86. WATKIN, J., GORDON, P., LAGNEW, S., “Red Oil” Safety Evaluation Project, Briefing presented to the Defence Nuclear Facilities Safety Board, USA, Washington (1993).
  87. DEPARTMENT OF ENERGY, Control of Red Oil Explosions in Defence Nuclear Facilities, Technical report DNFSB/TECH-33, Defence Nuclear Facilities Safety Board, USA, Washington (2003). [2]
  88. 88.0 88.1 OECD/NUCLEAR ENERGY AGENCY (NEA), Spent Nuclear Fuel Reprocessing Flowsheet, NEA/NSC/WPFC/DOC(2012)15, OECD/NEA, Paris (2012).
  89. 89.0 89.1 89.2 KOHATA, Y., MATSUOKA, S., TAKEBE, K., TAKEUCHI, A., KUROIWA, K., HAYASHI, K., Study on Application of Probabilistic Safety Assessment to Rokkasho Reprocessing Plant, WGRISK – WGOE/FCS joint workshop on PSA of Non-reactor Nuclear Facilities, OECD/NEA, Paris (2004).
  90. 90.0 90.1 ISHIDA, M., NAKANO, T., MORIMOTO, K., NOJIRI, I., PSA Application on the Tokai Reprocessing Plant, WGRISK – WGOE/FCS joint workshop on PSA of Non-reactor Nuclear Facilities, OECD/NEA, Paris (2004).
  91. NUCLEAR REGULATORY COMMISSION, Severe accident risks: an assessment for five U.S. Nuclear Power Plants, NUREG-1150, Final report, US NRC, Washington (1990).
  92. IEEE guide to the collection and presentation of electrical, electronic, sensing component and mechanical equipment reliability data for nuclear power generating stations, IEEE-Standard 500 (1984).
  93. INTERNATIONAL ATOMIC ENERGY AGENCY, Storage of Radioactive Waste, IAEA Safety Standards, General Safety Guide No. WS-G-6.1, IAEA, Vienna (2006).
  94. COMPBRN-III-A computer code for modelling compartment fires, UCLA-ENG-8524, (1985).