Safety of Nuclear Reactors (Sustainability Assessment)

From INPRO Wiki
Revision as of 14:29, 21 July 2020 by SHIROKIYD
INPRO basic principle (BP) for sustainability assessment in the area of nuclear reactor safety - The safety of the planned nuclear installation is superior to that of the reference nuclear installation such that the frequencies and consequences of the accidents are greatly reduced. In the event of an accident, off-site releases of radionuclides are prevented or mitigated so that there will be no need for public evacuation.

Introduction

Objective

This volume of the updated INPRO manual for sustainability assessment provides guidance to the assessor of a planned NES (or a nuclear reactor) on how to apply the INPRO methodology for sustainability assessment in the area of safety of nuclear reactors. The INPRO assessment is expected either to confirm the fulfilment of all INPRO methodology criteria in the area of reactor safety, or to identify which criteria are not fulfilled and note the corrective actions (including potential RD&D) that would be necessary to fulfil them.
This publication discusses the INPRO sustainability assessment method for the area of safety of nuclear reactors. The INPRO sustainability assessment method for safety of nuclear fuel cycle facilities is discussed in a separate report of the INPRO manual.
This publication is intended for use by organizations involved in the development and deployment of a NES including planning, design, modification, technical support and operation for nuclear power plants. The INPRO assessor (or a team of assessors) is assumed to be knowledgeable in the area of nuclear safety and/or may be using the support of qualified organizations (e.g. the IAEA) with relevant experience. Two general types of assessors can be distinguished: a nuclear technology holder (i.e. a designer, developer or supplier of nuclear technology), and a (potential) user of such technology. The current version of the manual includes a number of explanations, discussions, examples and details, so it is deemed suitable for use by both technology holders and technology users.

Scope

The INPRO methodology presented in this manual is internationally developed guidance for assessing NES sustainability and is intended for use in support of NES planning studies by focusing on selected areas of reactor safety that are important for public acceptance (see Chapter 2). This manual deals with the long term sustainability of a NES comprised of different types of nuclear reactors. The INPRO methodology user requirements and criteria for sustainability assessment are formulated in this manual in a generic manner to make them applicable to both evolutionary and innovative reactors based on different technologies. However, the major contributions to the INPRO methodology update project have been obtained from the INPRO assessments of evolutionary water-cooled reactors and sodium cooled fast reactors. Other types of innovative reactors with a lower level of design maturity may require modifications or clarifications of selected criteria. Such potential changes will be considered in future revisions of the INPRO methodology after sufficient experience has accrued from INPRO assessments of such reactors.
This manual does not establish any specific safety requirements, recommendations or guidance. IAEA safety requirements and guidance are only issued in the IAEA Safety Standards Series. Therefore, the basic principles, user requirements and associated criteria contained in the INPRO methodology should only be used for sustainability assessments. The INPRO methodology is typically used by Member States in conducting a self-assessment of the sustainability and sustainable development of nuclear energy systems. This manual should not be used for formal or authoritative safety assessments or safety analyses to address compliance with the IAEA Safety Standards or for any national regulatory purpose associated with the licensing or certification of nuclear facilities, technologies or activities.
In the current version of the INPRO methodology, the sustainability issues relevant to safety of reactors and safety of nuclear fuel cycle facilities (NFCFs) are considered in separate manuals. The current methodology does not specifically address innovative integrated system designs (e.g. molten salt reactors with liquid fuel and integrated fast reactors with metallic fuel) whose reactors are combined or co-located with fuel fabrication and/or reprocessing facilities. Reactor and NFCF installations of such integrated systems should be assessed separately against corresponding criteria in the INPRO areas of reactor safety and safety of NFCFs. When more detailed information on the safety issues in integrated systems has been acquired, this approach can be changed in the next revisions of the INPRO methodology.
This version of the INPRO methodology manual for the area of reactor safety is focused on those nuclear power plants that produce primarily electricity, heat and combinations of the two. This publication does not explicitly consider safety issues related to other non-electric applications (hydrogen production, desalination, etc.) or to cogeneration involving such energy products. It is expected that as more detailed information is acquired on the interactions between a reactor and industrial facilities located on the same site, the INPRO criteria may be modified when the methodology is next revised.

Structure

This publication follows the relationship between the concept of sustainable development and different INPRO methodology areas. Section 2 describes the linkage between the United Nations Brundtland Commission’s concept of sustainable development and the IAEA’s INPRO methodology for assessing the sustainability of planned and evolving NESs. Section 2 also considers how the INPRO sustainability assessment methodology in the area of reactor safety relates to the DID concept. Section 3 identifies the necessary inputs for an INPRO assessment in the area of reactor safety. This includes information on design and safety analyses for the planned reactor and for the reference design. Section 4 presents the rationale and background for the INPRO sustainability assessment methodology in the area of reactor safety in terms of the selected basic principle, user requirements and assessment criteria, which consist of indicators and acceptance limits. On the criterion level, guidance is provided on how to determine the values of the indicators and acceptance limits, i.e. how to assess the potential of a NES to fulfil the INPRO methodology criteria. Appendix I presents a list of potential reference reactor designs to be used in the INPRO assessment. Appendices II through X provide complementary information which can be useful for the INPRO assessment of NES against different criteria discussed in the report. Table 1 provides an overview of the INPRO user requirements and criteria that stem from the INPRO basic principle for sustainability assessment in the area of reactor safety.

Table 1. Overview of the INPRO methodology for sustainability assessment in the area of safety of nuclear reactors
INPRO basic principle for sustainability assessment in the area of safety of nuclear reactors: The safety of the planned nuclear installation is superior to that of the reference nuclear installation such that the frequencies and consequences of the accidents are greatly reduced. In the event of an accident, off-site releases of radionuclides are prevented or mitigated so that there will be no need for public evacuation.
INPRO user requirements (UR), each followed by its criteria (CR) with the corresponding indicator (IN) and acceptance limit (AL):

UR1: Robustness of design during normal operation: The nuclear reactor assessed is more robust than a reference design with regard to operation and systems, structures and components failures.

  • CR1.1: Design of normal operation systems
    IN1.1: Robustness of design of normal operation systems.
    AL1.1: More robust than that in the reference design.
  • CR1.2: Reactor performance
    IN1.2: Reactor performance attributes.
    AL1.2: Superior to those of the reference design.
  • CR1.3: Inspection, testing and maintenance
    IN1.3: Capabilities to inspect, test and maintain.
    AL1.3: Superior to those in the reference design.
  • CR1.4: Failures and deviations from normal operation
    IN1.4: Expected frequency of failures and deviations from normal operation.
    AL1.4: Lower than that in the reference design.
  • CR1.5: Occupational dose
    IN1.5: Occupational dose values during normal operation and AOOs.
    AL1.5: Lower than the dose constraints.

UR2: Detection and interception of AOOs: The nuclear reactor assessed has improved capabilities to detect and intercept deviations from normal operational states in order to prevent AOOs from escalating to accident conditions.

  • CR2.1: Instrumentation and control (I&C) system and inherent characteristics
    IN2.1: Capabilities of the I&C system to detect and intercept and/or capabilities of the reactor’s inherent characteristics to compensate for deviations from normal operational states.
    AL2.1: Superior to those in the reference design.
  • CR2.2: Grace periods after AOOs
    IN2.2: Grace periods until human actions are required after AOOs.
    AL2.2: Longer than those in the reference design.
  • CR2.3: Inertia
    IN2.3: Inertia to cope with transients.
    AL2.3: Larger than that in the reference design.

UR3: Design basis accidents (DBAs): The frequency of occurrence of DBAs in the nuclear reactor assessed is reduced. If an accident occurs, engineered safety features are able to restore the reactor to a controlled state, and subsequently to a safe shutdown state, and ensure the confinement of radioactive material. Reliance on human intervention is minimal, and only required after a sufficient grace period.

  • CR3.1: Frequency of DBAs
    IN3.1: Calculated frequencies of occurrence of DBAs.
    AL3.1: Frequencies of DBAs that can cause plant damage are lower than those in the reference design.
  • CR3.2: Grace period for DBAs
    IN3.2: Grace periods for DBAs until human intervention is necessary.
    AL3.2: At least 8 hours and longer than those in the reference design.
  • CR3.3: Engineered safety features
    IN3.3: Reliability and capability of engineered safety features.
    AL3.3: Superior to those in the reference design.
  • CR3.4: Barriers
    IN3.4: Number of confinement barriers maintained (intact) after DBAs and DECs.
    AL3.4: At least one and consistent with regulatory requirements for the type of reactor and accident under consideration.
  • CR3.5: Subcriticality margins
    IN3.5: Subcriticality margins after reactor shutdown in accident conditions.
    AL3.5: Sufficient to cover uncertainties and to maintain shutdown conditions of the core.

UR4: Severe plant conditions: The frequency of an accidental release of radioactivity into the containment / confinement is reduced. If such a release occurs, the consequences are mitigated, preventing or reducing the frequency of occurrence of accidental release into the environment. The source term of the accidental release into the environment remains well within the envelope of the reference reactor source term and is so low that calculated consequences would not require evacuation of the public.

  • CR4.1: Frequency of release into containment / confinement
    IN4.1: Calculated frequency of accidental release of radioactive materials into the containment / confinement.
    AL4.1: Lower than that in the reference design.
  • CR4.2: Robustness of containment / confinement design
    IN4.2: Containment loads covered by the design, and natural or engineered processes and equipment sufficient for controlling relevant system parameters and activity levels in containment / confinement.
    AL4.2: Larger than those in the reference design.
  • CR4.3: Accident management
    IN4.3: In-plant accident management (AM).
    AL4.3: AM procedures and training sufficient to prevent an accidental release outside containment / confinement and regain control of the reactor.
  • CR4.4: Frequency of accidental release into environment
    IN4.4: Calculated frequency of an accidental release of radioactive materials into the environment.
    AL4.4: Lower than that in the reference design. Large releases and early releases are practically eliminated.
  • CR4.5: Source term of accidental release into environment
    IN4.5: Calculated inventory and characteristics (release height, pressure, temperature, liquids/gas/aerosols, etc.) of an accidental release.
    AL4.5: Remain well within the inventory and characteristics envelope of the reference reactor source term and are so low that calculated consequences would not require public evacuation.

UR5: Independence of DID levels, inherent safety characteristics and passive safety systems: An assessment is performed to demonstrate that the DID levels are more independent from each other than in the reference design. To excel in safety and reliability, the nuclear reactor assessed strives for better elimination or minimization of hazards relative to the reference design by incorporating into its design an increased emphasis on inherently safe characteristics and/or passive systems, when appropriate.

  • CR5.1: Independence of DID levels
    IN5.1: Independence of different levels of DID.
    AL5.1: More independence of the DID levels than in the reference design, e.g. as demonstrated through deterministic and probabilistic means, hazards analysis, etc.
  • CR5.2: Minimization of hazards
    IN5.2: Characteristics of hazards.
    AL5.2: Hazards smaller than those in the reference design.
  • CR5.3: Passive safety systems
    IN5.3: Reliability of passive safety systems.
    AL5.3: More reliable than the active safety systems in the reference design.

UR6: Human factors (HF) related to safety: Safe operation of the nuclear reactor assessed is supported by accounting for HF requirements in the design and operation of the plant, and by establishing and maintaining a strong safety culture in all organizations involved.

  • CR6.1: Human factors
    IN6.1: HF considerations are addressed systematically throughout the life cycle of the reactor.
    AL6.1: HF assessment results are better than those for the reference design.
  • CR6.2: Attitude to safety
    IN6.2: Prevailing safety culture.
    AL6.2: Evidence is provided by periodic safety culture reviews.

UR7: Necessary RD&D for advanced designs: The development of innovative design features of the nuclear reactor assessed includes associated research, development and demonstration (RD&D) to bring the knowledge of plant characteristics and the capability of analytical methods used for design and safety assessment to at least the same confidence level as for operating plants.

  • CR7.1: Safety basis and safety issues
    IN7.1: Safety basis and a clear process for addressing safety issues.
    AL7.1: The safety basis for advanced designs is defined and safety issues are addressed.
  • CR7.2: RD&D
    IN7.2: RD&D status.
    AL7.2: Necessary RD&D is defined and performed, and the database is developed.
  • CR7.3: Computer codes
    IN7.3: Status of computer codes.
    AL7.3: Computer codes or analytical methods are developed and validated.
  • CR7.4: Novelty
    IN7.4: Pilot or demonstration plant.
    AL7.4: In case of a high degree of novelty: a pilot or demonstration plant is specified, built and operated, lessons are learned and documented, and results are sufficient to be extrapolated to a full-size plant. In case of a low degree of novelty: a rationale is provided for bypassing a pilot or demonstration plant.
  • CR7.5: Safety assessment
    IN7.5: Adequate safety assessment involving a suitable combination of deterministic and probabilistic methods, and identification of uncertainties and sensitivities.
    AL7.5: Uncertainties and sensitivities are identified and appropriately dealt with, and the safety assessment is approved by a responsible regulatory authority.

General features of nuclear energy systems sustainability assessment in the area of reactor safety

This section provides an overview of the existing requirements for reactor safety, describes how the INPRO methodology supports the concept of sustainable development, and summarizes how the INPRO methodology follows the DID concept.

Existing requirements for reactor safety

The INPRO methodology’s basic principle, user requirements and criteria for sustainability assessment in the area of reactor safety have been established taking into account the large body of existing work on the safety of reactors operating today, as well as previous work on establishing the requirements for next generation (advanced) reactors.
The IAEA has produced internationally endorsed requirements and published them as the IAEA Safety Standards. These publications define the elements necessary to ensure the safety of nuclear power plants.
National regulatory bodies determine the licensing requirements that must be met by all national or foreign organisations involved in the design, construction, operation, decommissioning etc. of a nation’s NPPs.
Various utility groups have developed corresponding utility requirements documents reflecting their experience from the construction, licensing and operation of NPPs over the past several decades, representing over 10 000 reactor-years of operating experience. Documents have been prepared for evolutionary and innovative designs by organizations such as EPRI (Advanced Light Water Reactor Utility Requirements Document – ALWR-URD), Japanese Utilities (JURD), Korean Utilities (KURD), Chinese Utilities (CURD) and the European Utilities (European Utility Requirements – EUR). These documents were authored primarily by electricity-generating utilities whose experiences with well-characterized reactor designs could be used to inform the development of modern (advanced) nuclear designs.
In 2004, the IAEA [7] presented an overview of these utility documents. A summary of the essence of these utility requirements for advanced reactor designs is presented below:

  • A design life of 60 years;
  • Reliable and flexible operation, with high overall plant availability, low levels of unplanned outages, short refuelling outages, good controllability (e.g. 100–50–100 % load following capability), and operating cycles extended up to 24 months;
  • Increased margins to reduce sensitivity to disturbances and to reduce the number of safety challenges;
  • Improved automation and man-systems interface, which, together with the increased margins, provide more time for the operator to act in accident/incident situations and reduce the probability of operator errors;
  • Calculated core damage frequency – less than 10⁻⁵ per reactor-year; cumulative frequency of accidental releases to the outside following core damage – less than 10⁻⁶ per reactor-year; and
  • Design measures to cope with severe accidents.

In one specific area, there is a distinct difference between utility requirements for Europe and for the United States. This difference is attributed to the higher population density in Europe leading to more restrictive release targets for the European Utility Requirements as follows:

  • To limit emergency protection actions beyond 800 m from the reactor to a minimum during early releases from the containment;
  • To avoid delayed actions (temporary transfer of people) at any time beyond about 3 km from the reactor;
  • To avoid long term actions, involving permanent (longer than 1 year) resettlement of the public, at any distance beyond 800 m from the reactor; and
  • To ensure that restrictions on the consumption of foodstuffs and crops will be limited in terms of time and geographical area.

These requirements have been developed by utilities and are to be considered primarily as design targets. They should not be interpreted as requirements for the emergency preparedness arrangements to be implemented.

Requirements for future reactors

The scope of the INPRO methodology covers nuclear reactors expected to come into service in the twenty-first century, together with the associated fuel cycles. It is recognized that a mixture of evolutionary and innovative designs will be brought into service and will co-exist within this period.
The ‘Three Agency Study’ [8] published in 2002 provides an overview of trends in the development of advanced (innovative) NESs. The range of reactors with advanced design features includes water-cooled, gas-cooled, liquid metal-cooled systems and molten salt reactors of various sizes to be used for various purposes.
In the global nuclear community, it is generally assumed that for widespread and long term use of nuclear power to be sustainable, a nuclear fuel strategy is required that utilizes, at least as a component, breeding, reprocessing and recycling of fissile material. In some countries or regions and for intermediate time scales, it is expected that advanced once-through (open) fuel cycle strategies featuring improved safety, proliferation resistance and physical protection will be followed. Ultimately, however, the development and implementation of advanced reactors and fuel strategies will include closed fuel cycles that make better use of uranium (and thorium) resources.
The Generation IV International Forum (GIF) [9] has defined six advanced (innovative) nuclear reactors and their associated fuel cycles that are to be developed in a joint effort by the countries participating in that programme with the aim of achieving full commercialization of these designs. The innovative reactor designs considered are a fast sodium cooled reactor, a fast gas cooled reactor, a molten salt reactor, a supercritical water-cooled reactor, a lead cooled reactor, and a very high temperature gas-cooled reactor. The 14 members participating in the GIF programme are: Argentina, Australia, Brazil, Canada, China, EURATOM, France, Japan, Republic of Korea, the Russian Federation, Republic of South Africa, Switzerland, the United Kingdom, and the United States. The GIF’s risk and safety working group developed the Integrated Safety Assessment Methodology (ISAM) to be used continuously by the developers of the innovative reactor designs. This methodology is based principally on probabilistic safety assessment and offers assessment tools well suited to all stages of design development.
National licensing requirements are well established for currently operating nuclear power reactors. A vendor of a given reactor design is expected to meet all these requirements at all levels that are specific to that reactor type, and exceptions, even at the detailed level, are unusual.
As mentioned before, this report discusses INPRO methodology criteria for nuclear reactors; INPRO criteria for safety of nuclear fuel cycle facilities are treated in a separate report of the updated INPRO manual. The INPRO methodology user requirements for sustainability assessment in the area of reactor safety are intended to be as generic as possible; where they cannot be made fully generic, this has been noted.

The concept of sustainable development and its relationship to the INPRO methodology area of reactor safety

The United Nations World Commission on Environment and Development Report [10] (often known as the Brundtland Commission Report) defines sustainable development as “development that meets the needs of the present without compromising the ability of future generations to meet their own needs” (para. 1). This definition:

“contains within it two key concepts:

  • the concept of ‘needs’, in particular the essential needs of the world’s poor, to which overriding priority should be given; and
  • the idea of limitations imposed by the state of technology and social organization on the environment’s ability to meet present and future needs.”

Based on this definition of sustainable development, a three-part test of any approach to sustainability and sustainable development was proposed within the INPRO project: 1) current development should be fit for the purpose of meeting current needs with minimized environmental impacts and acceptable economics, 2) current research, development and demonstration programmes should establish and maintain trends that lead to technological and institutional developments that serve as a platform for future generations to meet their needs, and 3) the approach to meeting current needs should not compromise the ability of future generations to meet their needs.
The definition of sustainable development may appear obvious, yet passing the three-part test is not always straightforward when considering the complexities of implemented nuclear energy systems and their many supporting institutions. Many approaches may only pass one or perhaps two parts of the test in a given area and may fail the others.
The Brundtland Report’s overview (para. 61 in Ref. [10]) of nuclear energy summarized the topic as follows:

“After almost four decades of immense technological effort, nuclear energy has become widely used. During this period, however, the nature of its costs, risks, and benefits have become more evident and the subject of sharp controversy. Different countries world-wide take up different positions on the use of nuclear energy. The discussion in the Commission also reflected these different views and positions. Yet all agreed that the generation of nuclear power is only justifiable if there are solid solutions to the unsolved problems to which it gives rise. The highest priority should be accorded to research and development on environmentally sound and ecologically viable alternatives, as well as on means of increasing the safety of nuclear energy.”

The Brundtland Commission Report presented its comments on nuclear energy in Chapter 7, Section III [10]. In the area of nuclear energy, the focus of sustainability and sustainable development is on solving certain well-known problems (referred to here as ‘key issues’) of institutional and technological significance. Sustainable development implies progress and solutions in the key issue areas. Seven key issues are discussed in Ref. [10]:

  1. Proliferation risks;
  2. Economics;
  3. Health and environment risks;
  4. Nuclear accident risks;
  5. Radioactive waste disposal;
  6. Sufficiency of national and international institutions (with particular emphasis on intergenerational and transnational responsibilities);
  7. Public acceptability.

The INPRO methodology for self-assessing the sustainability and sustainable development of a nuclear energy system is based on the broad philosophical outlines of the Brundtland Report’s concept of sustainable development described above. Although three decades have passed since the publication of the Brundtland Commission Report and eighteen years have passed since the initial consultancies on development of the INPRO methodology in 2001, the definitions and concepts remain valid. The key issues for sustainable development of NESs have remained essentially unchanged over the intervening decades, although significant historical events have starkly highlighted some of them.
During this period, several notable events have had a direct bearing on nuclear energy sustainability. Among these were events pertaining to non-proliferation, nuclear security, waste management, cost escalation of new construction and, most notably, to reactor safety.
Each INPRO methodology manual examines a key issue of NES sustainable development. The structure of the methodology is a hierarchy of INPRO basic principles, INPRO user requirements for each basic principle, and specific INPRO criteria for measuring whether each INPRO UR has been met. Under each INPRO UR, the CR includes measures that take into consideration the three-part test based on the Brundtland Report definition of sustainable development, which was described above.
This INPRO manual focusses on the key issue of nuclear reactor safety. In the Brundtland Commission Report [10] section on nuclear energy (Chapter 7, Section III), the most detailed discussion is on the key issue of reactor safety. The report justified its principal focus on reactor safety with the following argument:

“Nuclear safety returned to the newspaper headlines following the Three Mile Island (Harrisburg, United States) and the Chernobyl (USSR) accidents. Probabilistic estimates of the risks of component failure, leading to a radioactive release in Western style light water reactors were made in 1975 by the U.S. Nuclear Regulatory Commission. The most serious category of release through containment failure was placed at around 1 in 1,000,000 years of reactor operation. Post-accident analysis of both Harrisburg and Chernobyl - a completely different type of reactor - have shown that in both cases, human operator error was the main cause. They occurred after about 2,000 and 4,000 reactor-years respectively. The frequencies of such occurrences are well-nigh impossible to estimate probabilistically. However, available analyses indicate that although the risk of a radioactive release accident is small, it is by no means negligible for reactor operations at the present time.”

In addition, the Brundtland Commission Report [10] noted that national governments were responding to nuclear accidents by following one of three general policy directions:

“National reactions indicate that as they continue to review and update all the available evidence, governments tend to take up three possible positions:

  • remain non-nuclear and develop other sources of energy;
  • regard their present nuclear power capacity as necessary during a finite period of transition, to safer alternative energy sources; or
  • adopt and develop nuclear energy with the conviction that the associated problems and risks can and must be solved with a level of safety that is both nationally and internationally acceptable.”

These typical national policy directions remain consistent with practice to the current day. Within the context of a discussion on sustainable development of nuclear energy systems, it would seem that the first two policy positions cannot result in development of a sustainable nuclear energy system in the long term since nuclear energy systems are either avoided altogether or phased out over time. However, it is arguable that both policy approaches can meet the three-part Brundtland sustainable development test if technology avoidance or phase-out policies are designed in a way that avoids foreclosing or damaging the economic and technological opportunity for future generations to change direction and start or re-establish a nuclear energy system. This has certain specific implications regarding long term nuclear education, knowledge retention and management and with regard to how spent nuclear fuels and other materials, strategic to nuclear energy systems, are stored or disposed of.
The third policy direction proposes to develop nuclear energy systems that ‘solve’ the problems and risks through a national and international consensus approach to enhance safety. This is a sustainable development approach, in which the current generation has decided that nuclear energy is necessary to meet its needs, while taking a positive approach to developing enhanced safety to preserve the option in the future. In addition to the general outlines of how and why nuclear reactor safety is a principal key issue affecting the sustainability and sustainable development of nuclear energy systems, the Commission Report also advised that key institutional arrangements should be developed. Since that time, efforts to establish such institutional arrangements have achieved a large measure of success. The Brundtland Commission Report was entirely clear that enhanced reactor safety is a key element of the sustainable development of nuclear energy systems. It is not possible to measure nuclear energy system sustainability apart from direct consideration of certain safety issues.
Understanding the psychology of risk perception in the area of nuclear safety is critical to understanding nuclear energy system sustainability and sustainable development. In a real measured sense, taking into account the mortality and morbidity statistics of other non-nuclear energy generation technology chains (used for similar purpose), nuclear energy has an outstanding safety record, despite the severe reactor accidents that have occurred. However, it should not be presumed that this means that reactor safety is not a key issue affecting nuclear energy system sustainability. How do dramatically low risk estimations (ubiquitous in nuclear energy system probabilistic risk assessment) sometimes psychologically disguise high consequence events in the minds of designers and operators, while the lay public perception of risk (in a statistical sense) may be tilted quite strongly either toward supposed consequences of highly unlikely, but catastrophic disasters, or toward a complacent lack of interest in the entire subject? This issue has been studied for many years [11, 12]. What should be the proper metrics for the INPRO sustainability assessment methodology given that the technical specialist community has developed an approach that may seem obscure and inaccessible to the lay public?
For example, if the radioactive dose consequence of a severe reactor accident is calculated in terms of mortality/morbidity estimates in the known exposed public, the outcomes may seem far less than catastrophic. However, if the impacts of economic and population dislocations that can be attributed directly or indirectly to the severe reactor accident (such as Chernobyl and Fukushima) are estimated and these figures are converted (using the methods of cost benefit analysis) into ‘total costs’ and ‘years of life lost’, a severe reactor accident can take on an epic scale – as has been observed in practice in the severe cases. The apparent paradox is that both estimates (dose and other collateral impacts) measure something that has occurred, and both are ‘true’ in their own sense. The paradox is resolved by noting that, while public exposures to radiation may be kept small and inconsequential through a combination of plant design, other technical measures and emergency responses, experience demonstrates that the perception of a population about an event is at least as important to the overall outcome as are measured evidences of radioactive dose. The affected population will have thoughts and feelings and will take actions based on their individual intellectual and emotional judgements about the accident – whether those judgements are technically informed or not.
It is both unrealistic and unhelpful to suppose that a massive public education campaign can eliminate the difference between the judgments of experts and those of the lay public. Continuous communication and education programmes can help, but there are also limits to what can be achieved. Reactor designs, construction and operations, decommissioning, and emergency planning and response must therefore be reconciled to the reality of the current public mindsets. The close relationship between public perception of risk and public acceptance should be considered universal with regard to the key issue of nuclear safety. It can have tremendous impact across national and regional boundaries and even on different continents – in a psychological sense, a severe nuclear accident anywhere is a nuclear accident everywhere.
With regard to nuclear reactor safety, the public are principally focussed on the individual and collective risks and magnitude of potential consequences in case of reactor accidents (radiological, economic and other psychosocial consequences taken together). Considering the experience of all reactor accidents to date it is clear that a few key issues are central to positively influencing the public debate over nuclear safety and improving public acceptance of nuclear energy:

  1. Significant radioactive releases need to be avoided, avoiding the need to relocate significant populations even in the case of a severe nuclear accident.
  2. In the extremely unlikely event of a significant release of radioactivity, fully competent emergency planning, preparedness and response capabilities are expected to be in place and available for immediate action.
  3. Design basis accidents need to be made even more unlikely than in previous designs, even if releases of radioactivity are insignificant and dose to the most exposed public is inconsequential (from a regulatory limit perspective).
  4. Facility upsets and failures that could cause a departure from normal safe operations are expected to be rarer than in previous designs. Regular upsets and failures and/or difficult recoveries tend to undermine public confidence in both worker safety and public safety.
  5. Where practicable, inherent and passive safety features could be incorporated to reduce risks posed by active system faults and human operator error.
  6. Unacceptable occupational doses and hazards need to be avoided. Unacceptable doses and hazards to nuclear workers undermine public confidence in safety and health.
  7. Superior performance in the overall reactor plant lifecycle risk posed to the public needs to be demonstrated in comparison to previous reactor designs. Inferior performance on overall risk undermines public confidence in safety.
  8. Continuing improvements in safety by design through research and development programmes need to continue and be practically applied in new reactor designs. Continuing improvements help support public confidence in the safety of nuclear energy.
  9. Stakeholder communication and public outreach and education on all principal aspects of facility safety listed above (at a minimum) need to be continuous, accurate and transparent. Without an effective communication and education programme, it is very difficult to influence the stakeholder and public mindsets.

In the current INPRO manual, the URs and CRs focus on assessment of the NES characteristics associated with the majority of these issues. Unlike several other key sustainability issues assessed in other areas of the INPRO methodology, Brundtland sustainability in the area of reactor safety is intimately tied to public perception of consequence and risk. Continuously allaying public concern about nuclear reactor safety is central to sustainability and sustainable development of nuclear energy systems.

The concept of defence in depth and its relationship with the INPRO methodology area of reactor safety

The DID concept provides an overall strategy for designing safety measures and features of nuclear installations [13-15]. The concept is twofold: firstly, to prevent accidents and, secondly, if prevention fails, to mitigate their potential consequences and prevent any evolution to more serious conditions. Accident prevention is the first priority, because provisions to prevent deviations of the plant state from well-known operational conditions are generally more effective and more predictable than measures aimed at mitigation of such departures – plant performance generally deteriorates when the status of the plant or a component departs from normal operating conditions. Thus, preventing the degradation of (normal operation) plant status and performance generally will provide the most effective protection of workers, the public and the environment.
The objectives of implementing DID in a design are as follows:

  • To compensate for potential failures of humans, systems, structures and components;
  • To maintain the effectiveness of the barriers by averting damage to the plant and to the barriers themselves; and
  • To protect the public and the environment from harm in the event that these barriers are not fully effective.

When properly implemented, DID ensures that no single technical, human or organizational failure could lead to harmful effects, and that the combinations of failures that could give rise to significant harmful effects are of very low probability.
DID is characterized by five levels of protection, with the top level being prevention, and the remaining four levels representing the response to increasing challenges to plant and public safety [15]. Ref [15] states:

“The purpose of the first level of defence is to prevent deviations from normal operation and the failure of items important to safety. This leads to requirements that the plant be soundly and conservatively sited, designed, constructed, maintained and operated in accordance with quality management and appropriate and proven engineering practices”

For example, design features that reduce the potential for internal hazards, e.g. fire, contribute to the prevention of accidents.
The purpose of the second level of DID is to “detect and control deviations from normal operational states in order to prevent anticipated operational occurrences at the plant from escalating to accident conditions” [15]. The second level “necessitates the provision of specific systems and features in the design, the confirmation of their effectiveness through safety analysis, and the establishment of operating procedures to prevent such initiating events, or otherwise to minimize their consequences, and to return the plant to a safe state”.
The purpose of the third level of defence is the control of postulated accidents, preventing damage to the reactor core, i.e. assuring its structural integrity, preventing radioactive releases requiring off-site protective actions and returning the plant to a safe state. To achieve this objective, inherent safety features, engineered safety systems and accident procedures have to be provided.
The purpose of DID Level 4 is [15]:

“… to mitigate the consequences of accidents that result from failure of the third level of defence in depth. This is achieved by preventing the progression of such accidents and mitigating the consequences of a severe accident.”

It is related to the control of potential severe plant conditions and the minimisation of off-site contamination.
The purpose of the fifth level of defence is to mitigate the consequences of potential accidental radiological releases. This requires adequate emergency plans, procedures and emergency response facilities.
Ensuring the independence of the different levels of protection in the DID concept is key to avoiding the propagation of failures into subsequent levels.
Based on the DID concept, the INPRO methodology has developed general proposals for designers/developers to meet the INPRO user requirements of sustainable development in the area of safety of nuclear reactors. These proposals are based on extrapolations of trends published in Section 5 of Ref [13] and are presented in Table 2. These proposals are focused on the prevention, reduction and containment of radioactive releases. INPRO NES sustainability assessment user requirements related to the off-site emergency preparedness and response measures, which are focused on reducing the consequences of a potential accidental release of radioactivity from the NPP, are considered in the INPRO area of infrastructure [1].

Table 2. INPRO proposals for applying the defence in depth concept to NES sustainability assessment in the area of reactor safety

| Level | DID level purpose | INPRO methodology proposals for nuclear reactors |
|---|---|---|
| 1 | Prevention of deviations from normal operation and the failures of items important to safety | Enhance prevention by increased emphasis on robustness of the design of normal operation systems, and further reducing the probability of human error in the routine operation of the plant. Enhance the independence among DID levels. |
| 2 | Detect and control deviations from normal operational states in order to prevent anticipated operational occurrences at the plant from escalating to accident conditions. | Give priority to inherently safe design characteristics and advanced control and monitoring systems with enhanced reliability, intelligence and the ability to anticipate and compensate abnormal operational states. Enhance the independence among DID levels. |
| 3 | Control of accidents. Preventing damage to the reactor core and preventing radioactive releases requiring off-site protective actions and returning the plant to a safe state | Decrease expected frequency of accidents. Achieve fundamental safety functions by an optimized combination of active and passive design features; limit and mitigate consequences; minimize reliance on human intervention, e.g. by increasing grace period. Enhance the independence among DID levels. |
| 4 | Mitigate the consequences of accidents that result from failure of the third level by preventing the progression of such accidents and mitigating the consequences of a severe accident. | Decrease expected frequency of severe plant conditions; increase reliability and capability of systems to control and monitor severe accident sequences; reduce the characteristics of source term of the potential emergency off-site releases of radioactivity. Avoid ‘cliff-edge’ failures of items important to safety. Enhance the independence among DID levels. |
| (5) | Mitigation of radiological consequences of radioactive releases | Emergency preparedness is covered in another area of the INPRO methodology called Infrastructure [1]. |

The first four sustainability assessment user requirements of the INPRO methodology in the area of safety of nuclear reactors are directly linked to the first four levels of the DID concept. The rest of the user requirements are related to specific aspects of this concept. A nuclear power plant is considered as having an acceptable level of safety if it fulfils all applicable (national and international) safety related standards and regulations, i.e. when it is licensed for operation. In fact, the reference design is assumed to be compliant with these standards and regulations. The INPRO methodology intends to go beyond these standards and regulations by taking into account trends and anticipated future directions of development (Section 5 of Ref [13]) to achieve safety enhancements in the assessed new design that contribute to the long term sustainability of the nuclear energy system.

Necessary input for INPRO sustainability assessment in the area of reactor safety

This section gives guidance on the information needed by an assessor to be able to perform an INPRO sustainability assessment in the area of safety of nuclear reactors. As explained earlier, an INPRO sustainability assessment is not an assessment of compliance with the IAEA Safety Standards.

Definition of Nuclear Energy System

See NES for a clear definition of nuclear energy system.
In the INPRO methodology area of safety of nuclear reactors, the design of the reactor assessed is generally to be compared to a reference design. The goal of the INPRO assessment in this area is then to demonstrate an increased safety level in the assessed reactor design in comparison to the reference design. The nuclear reactor assessed, and the reference reactor should preferably be of the same lineage and from the same designer. Examples of potential reference reactors are presented in Annex I.

INPRO assessment by a technology user

As a technology user, an INPRO assessor needs rather detailed design information on the nuclear reactor to be assessed. This includes information relating to: the design basis of the plant; design information on the reactor core, fuel, primary circuit, reactor heat removal system, engineered safety systems, containment systems, human system interfaces, control and protection systems, etc. The design information needs to highlight the structures, systems and components that are of evolutionary or innovative design and these would be the focus of the INPRO assessment.
In addition to the information on the nuclear reactor to be assessed, the INPRO assessor needs the same type of information on a reference plant design in order to perform a comparison of both designs. Details of the information needed are outlined in the discussion of the INPRO methodology criteria in the following sections of this report.
If not available in the public domain, the necessary information is to be provided by the designer (potential supplier). Therefore, a close cooperation between the INPRO assessor as a technology user and the designer (potential supplier) is necessary (as discussed in the overview manual of the INPRO methodology).
The role of technology user in the INPRO assessment is primarily to check in a simplified way whether the designer (supplier) has appropriately taken into account the nuclear safety aspects in its design as defined by the INPRO methodology. A technology user is assumed – in order to minimize its risk – to be primarily interested in installing reactors based on proven technology with designs that have been licensed (at least in the country of the supplier) and that have operated successfully for a sufficiently long time.

Results of safety analyses

The INPRO assessor will need access to results of a safety assessment that includes a safety analysis which evaluates and assesses challenges to safety under various operational states, anticipated occurrences and accident conditions using deterministic and probabilistic methods; this safety assessment is expected to be performed and documented by the designer (potential supplier) of the reactor to be assessed and the reference reactor.
For the reactor to be assessed, the safety assessment would need to include details of the research, development and demonstration (RD&D) carried out for advanced aspects of the design. Such information is usually found in a preliminary safety analysis report (PSAR) available in the public domain and is otherwise to be provided by the designer (potential supplier) of the reactor.

INPRO assessment by a technology developer

In principle, an INPRO assessment can be carried out by a technology developer at any stage of the development of an advanced reactor design. A designer (developer) can use this report to check whether its new design under development meets the INPRO methodology sustainability criteria regarding nuclear safety but can additionally initiate modifications during early design stages if necessary to improve the safety level of its design. However, it needs to be recognized that the extent and available level of detail of design and safety assessment information will increase as the design of an advanced nuclear reactor progresses from the conceptual stage to development of the detailed design. This will need to be taken into account in drawing conclusions on whether an INPRO methodology criterion in the area of safety has been met by the advanced design.
One potential mode of the INPRO methodology application by a technology developer is to perform a limited scope assessment. Limited scope INPRO assessments can be focused on the specific areas and specific installations in a nuclear energy system having different levels of maturity. Limited scope studies may assess reactor designs under development, including innovative designs, and may help to highlight gaps to be closed by on-going R&D studies and to define the scope of data needed for making a future judgement on system sustainability.

Other sources of input

The NESA support package introduced in the overview manual of the INPRO methodology includes information on safety related issues that were collected from the public domain. This includes preliminary safety analysis reports from several advanced reactor designs, exemplary limited scope assessments performed by designers participating in INPRO activities, etc.
The final report of the nuclear energy system assessment (NESA) of the planned nuclear energy system in Belarus is documented in Ref [16]; it includes an assessment of the WWER reactor AES-2006 using the INPRO methodology.

INPRO basic principle, user requirements and criteria for sustainability assessment in the area of reactor safety

The INPRO methodology for assessing NES sustainability in the area of nuclear reactor safety defines one INPRO basic principle and a supporting set of INPRO user requirements and criteria and focuses on examining the expected safety impact of future changes in nuclear technology. Using the INPRO methodology to assess the sustainability of a NES is a bottom-up exercise. It consists of determining for each INPRO methodology criterion the value of each of the INPRO methodology indicators for that criterion and comparing that value with the corresponding INPRO methodology acceptance limit. The comparison then provides a basis for judging the capability of the assessed NES to meet the respective sustainability criterion. As will be shown in discussing the INPRO basic principle and user requirements for this assessment area, the methodology encourages innovations that enhance the safety of nuclear reactors.
One of the basic assumptions of the INPRO methodology is the expectation that – to fulfil the needs of sustainable energy supply in the twenty-first century – the global number of nuclear reactors in operation will have to increase considerably compared to the situation today. Keeping the safety level of newly deployed reactors (after 2013) at the same level as the global operating systems today would lead to an overall increase in the numerical risk of nuclear accidents. It is expected, however, that this increase in calculated risk would be compensated by the increased safety level of the newly deployed reactors, based in part on lessons learned from systems in operation. Therefore, the INPRO methodology evaluates enhancements in the safety of new reactor designs but does not evaluate compliance with national or international (e.g. IAEA) safety standards. The reference design is assumed to comply with applicable safety standards because it is an operating plant. Similarly, a new reactor is assumed to be designed so that it complies with applicable safety standards. Confirmation of compliance of the reference or new design with national or international safety standards is outside the scope of the INPRO methodology. If such confirmation is needed, a separate peer review (e.g. using IAEA review services such as TSRs) should be performed.
The INPRO methodology’s basic principle and its set of user requirements and criteria for sustainability assessment in the area of reactor safety are expected to apply to any type of advanced design and should foster appropriate developments and improvements that can be communicated to and be accepted by all stakeholders in nuclear energy.
The legal and organizational framework related to safety of nuclear reactors is dealt with in another report of the updated INPRO methodology focused on infrastructure.

INPRO basic principle for sustainability assessment in the area of safety of nuclear reactors

INPRO basic principle for sustainability assessment in the area of nuclear reactor safety: The safety of the planned nuclear installation is superior to that of the reference nuclear installation such that the frequencies and consequences of the accidents are greatly reduced. In the event of an accident, off-site releases of radionuclides are prevented or mitigated so that there will be no need for public evacuation.
Currently, nuclear facilities have significant restrictions with regard to siting, primarily due to the perceived high risk of potential consequences during severe accidents but also to a lesser degree due to the perceived risk of radioactive releases during normal operation. An advanced design is expected to allow – after achieving public acceptance of this development – a reduction of the restrictions on NPP siting. This is a long term objective to be achieved during the twenty-first century.
To approach the goal of the INPRO basic principle, the INPRO methodology proposes that designers/developers undertake the following key measures:

  • Incorporate enhanced DID into an advanced nuclear reactor design as a part of the fundamental safety approach and ensure that the levels of protection in DID are more independent from each other than in a reference plant;
  • Incorporate, where appropriate, inherently safe characteristics and passive systems into advanced nuclear reactor designs as a part of a fundamental safety approach to excel in safety and reliability;
  • Take human factors into account in the design and operation of a nuclear reactor;
  • Perform sufficient RD&D work to bring the knowledge of nuclear plant characteristics and the capability of analytical methods used for design and safety assessment of a plant with innovative features to at least the same confidence level as for a reference plant.

In addition, the INPRO methodology encourages the establishment and maintenance of a strong safety culture in all organizations involved in a nuclear power programme.
The INPRO methodology has developed seven INPRO user requirements for NES sustainability assessment in the area of reactor safety to specify in more detail the main measures presented above. These INPRO user requirements are to be fulfilled primarily by the designer (developer, supplier) of the NES. As stated before, the role of the INPRO assessor is to check, based on evidence provided by the designer, whether the designer has implemented the necessary measures as required by the INPRO methodology. The assessor’s product is therefore not an assessment of compliance with the IAEA Safety Standards but rather a sustainability assessment against the INPRO user requirements and criteria.
The following sections present the rationale and background information for each INPRO NES sustainability user requirement and criterion and then describe how indicators and acceptance limits are used to determine whether each CR has been met.

UR1: robustness of design during normal operation

INPRO user requirement UR1 for sustainability assessment in the area of safety of nuclear reactors: The nuclear reactor assessed is more robust than a reference design with regard to operation and systems, structures and components failures.
This sustainability assessment INPRO user requirement mostly relates to the first level of the DID concept, which has the objective of preventing anticipated operational occurrences (AOOs). The objective is met if the plant stays in normal operation.
AOOs are those conditions of operation caused by plant internal and external events, and probable combinations thereof, that are expected to occur one or more times during the life of a nuclear reactor but neither cause significant damage to items important to safety nor lead to accident conditions that would rely on safety systems (Level 3 of DID) for coping. Examples of AOOs caused by internal or external events in a nuclear power plant [17] include faults such as a turbine trip, malfunction of individual items of a normally running plant, failure to function of individual items of control equipment, trips of a feedwater pump, loss of power to a main (reactor) coolant pump, etc.
The major means to achieve robustness of a reactor design are to ensure a high quality of design, manufacture, construction, and operation (and decommissioning), including adequate attention to human performance. It is important to note that for the assessment of all criteria of INPRO user requirement UR1 the assessor (a technology user) needs information on the reactor to be assessed and on a reference reactor design. The reactor assessed needs to be shown to be safer than the reference reactor.
For operating and evolutionary reactors, the requirements for design, manufacturing and operation are usually specified in (extensive) national standards or adopted standards from other countries; the most widely known and used standards are the Nuclear Codes and Standards published by the American Society of Mechanical Engineers (ASME) and for electric components and I&C the standards published for NPPs by the Institute of Electrical and Electronics Engineers (IEEE). For (innovative) designs still under development and for which no standards may yet exist, at least for the first plant to be installed, a conservative design approach according to existing standards can be proposed as discussed in more detail in the INPRO manual sections for sustainability assessment user requirement UR7.
INPRO assessment of a NES against criteria CR1.1 and CR1.2 of UR1 involves the consideration of multiple technical parameters. For these two criteria the INPRO methodology has developed a series of evaluation parameters (EPs) which are intended as recommendations to the INPRO assessor on how to assess the criteria. Criteria CR1.3, CR1.4 and CR1.5 do not require development of evaluation parameters.

Criterion CR1.1: Design of normal operation systems

  • Indicator IN1.1: Robustness of design of normal operation systems.
  • Acceptance limit AL1.1: More robust than that in the reference design.

In the following, several design related aspects that, if enhanced, would increase the level of robustness of a nuclear reactor design during normal operations are discussed. It is acknowledged that increasing the robustness of a reactor design is a challenging task for a designer because enhancing one aspect could have a negative influence on other aspects. Thus, an optimum combination of design measures is necessary to increase the overall robustness of a design. The INPRO methodology has defined several design related aspects as evaluation parameters (EP1.1.1 to EP1.1.5) for criterion CR1.1:

  1. EP1.1.1: Margins of design
  2. EP1.1.2: Design simplification
  3. EP1.1.3: Improved fabrication and construction
  4. EP1.1.4: Improvement of materials
  5. EP1.1.5: Redundancy of operational systems.

The use of inherent safety characteristics is an additional means of achieving robustness (discussed separately under UR5). As stated above, these evaluation parameters are meant to be examples for a designer on how to achieve a higher level of robustness in a reactor design by looking for an optimum combination of these parameters. A detailed safety guide for the design of the core of water-cooled reactors is provided in Ref [18].

Evaluation parameter EP1.1.1: Margins of design

The term margin of design is defined here as the difference in absolute or relative values between the limiting value of an assigned safety related parameter, such as stress, temperature, etc., the surpassing of which leads to the failure of a structure, system or component (safety limit), and the design value of the corresponding parameter, calculated using a conservative approach. Loads and resulting stresses have a great influence on robustness of components, because a design with higher margins against overstressing and fatigue (due to cycling loads) can reduce the (expected) failure rates substantially. An increase of design margins will increase the robustness of a design.
Refs [19–21] give detailed explanation on the application of different margins in the reactor design, operation and safety assessment.
According to Ref [13], Level 1 of DID should also provide the initial basis for protection against external hazards. The design of the reactor assessed is expected to be made more robust against relevant external hazards by an increase of design margins. The robustness of the design against external hazards can involve two aspects: selection of the reactor site and the characteristics of plant systems, structures and components relevant to the external hazards. The selection of site normally can help to eliminate or minimize the frequency and magnitude of some of the external hazards. However, the plant has to be designed against all potential external events at a given site with sufficient margins. Examples of such external natural hazards are extreme meteorological conditions (e.g. frost, snow, drought, etc.), flooding (e.g. tsunamis, dam failures), storms (e.g. hurricane) and earthquakes. Examples of external human induced hazards are aircraft crashes, explosions outside the plant site, etc. [22, 23]. However, additional protection may be required at higher levels of defence to cope with these hazards. Based on lessons learned from the Fukushima Daiichi accident [24–28], probable combinations of external events (e.g. an earthquake plus a fire and/or tsunami) need to be considered in the design. Appendix II gives an example of a basic approach to the assessment of design margins of the reactor core.
Acceptability of EP1.1.1 (design margins): Evidence available to the INPRO assessor shows that design margins are larger than those in the reference design.

Evaluation parameter EP1.1.2: Design simplification

In general, the higher the complexity of a system, the higher the probability that something may fail or malfunction in the system. Thus, an increase of simplicity, i.e. a reduction of complexity, can increase the robustness of a design.
One of the potential options for simplifying the reactor design is to reduce when possible the length of primary circuit pipes and the number of bends. Another simplification option could be to reduce the number of main cooling system components. The design of cooling systems for reactors (used for the transport of energy from the core to a turbine or other energy-converting processes) ranges from a single direct cycle (e.g. high temperature gas cooled reactors - HTGRs) or several parallel direct cycles (e.g. BWRs) up to two (e.g. pressurized water reactors (PWRs) and heavy water reactors (HWRs)) or three (e.g. sodium cooled reactors) separate cycles in series with heat exchangers in between. A designer has to consider several trade-offs in reducing the complexity: reducing the number of loops (e.g. for PWRs) for a given core power will result in larger steam generators; this may possibly result in thermal-hydraulic instabilities or the need for new materials. On the other hand, these considerations may lead to innovative designs, e.g. special heat exchangers for sodium cooled reactors to reduce the number of loops in series to two loops; this reduction could also be supported by a development of a non-flammable sodium coolant.
If appropriate, reducing the numbers of other lines in a reactor system, such as feed water trains and main steam lines, may also be considered. Another option is to reduce the number of active components (e.g. motor operated valves and pumps) in a system.
However, increasing simplicity by reducing active components or reducing the number of lines must not compromise reactor safety and has to be considered carefully for its potential to negatively influence the redundancy of the system.
Acceptability of EP1.1.2: Evidence available to the INPRO assessor demonstrates less design complexity than in the reference design.

Evaluation parameter EP1.1.3: Improved fabrication and construction

The basis of improved fabrication and construction is the establishment of an adequate management programme in the organizations involved in NPP design, fabrication and construction [29–31], which is a topic covered in another INPRO manual focused on infrastructure [1]. Improving the fabrication and construction of NPP systems, structures and components can improve plant performance, including safety characteristics, and is linked to progress in fabrication and construction technologies.
An example of improved fabrication concerns the issue of welding and is discussed in the following. Every weld in a pipe or vessel can be a source of failure; therefore, a reduction of welds in piping or vessels clearly results in an increase of robustness of the design of a reactor. In addition, fewer welds require fewer in service inspections and thus lead to reduced doses for the personnel. As in other areas, progress in welding engineering and the fabrication of pipes exists. Progress in welding engineering includes the application of automatic welding machines during fabrication, which results typically in weld characteristics better than those achieved with manual welding procedures. Progress in pipe fabrication includes the elimination of longitudinal welds through the use of a cold-drawing (extrusion) process.
Acceptability of EP1.1.3: Evidence available to the INPRO assessor demonstrates methods of fabrication and construction better than those in the reference design.

Evaluation parameter EP1.1.4: Improvement of materials

Mechanical failures of reactor components comprise a significant part of initiating events. For operating reactors many efforts have been undertaken on national and international levels to advance the knowledge of failure mechanisms and to improve the properties of materials. Experiences have shown operational benefits (e.g. improved material behaviour) achieved with only minor changes to materials or specifications (likewise for environmental conditions, e.g. coolant pH). Much emphasis with considerable success has been put on the feedback of operating experience into design solutions. The improvements achieved up till now promise that further advances in material properties will lead to better designs with increased robustness.
Acceptability of EP1.1.4: Evidence available to the INPRO assessor demonstrates the use of materials better than those in the reference plant.

Evaluation parameter EP1.1.5: Redundancy of operational systems

Increased redundancies of operational systems may help to avoid transients (e.g. caused by faulty control system actions, trips and setbacks) by reducing the probability of degradation or loss of a function. Provided that redundant operational systems are sufficiently independent, increased redundancy can reduce effects from common cause failures. It can also provide better flexibility during operation, e.g. through different capacities of redundant pumps in a PWR’s chemistry and volume control systems.
It is acknowledged that an increase of redundancy may increase the complexity of a system as discussed in evaluation parameter EP1.1.2 above. Thus, as mentioned at the beginning of Section 4.3.1, the design has to be optimized in this respect. Design simplification generally cannot be used as justification for reducing the redundancy of operational systems.
Acceptability of EP1.1.5: Evidence available to the INPRO assessor demonstrates that the redundancy of operational systems is greater than that in the reference design.

For final assessment of CR1.1:
The acceptance limit AL1.1 (design of normal operation systems is more robust than that in the reference design) of CR1.1 is met if evidence available to the INPRO assessor shows that an optimized combination of the recommendations proposed in evaluation parameters EP1.1.1 to EP1.1.5 qualitatively shows the new design to be more robust than the reference design during normal operation and deviations from normal operation. A quantitative increase of robustness can only be demonstrated via the assessment of criterion CR1.4 (failures and deviations from normal operation), i.e. providing arguments that the frequency of AOOs is lower than in the reference design.
For a reactor under development, the developer is to describe measures and features that ensure that the robustness of the innovative design will be comparable or superior to that of the reference design.

Criterion CR1.2: Reactor performance

Indicator IN1.2: Reactor performance attributes.
  • Acceptance limit AL1.2: Superior to those of the reference design.

An improvement of performance attributes in normal operation is expected to increase the robustness of a nuclear reactor. Aspects that are linked to the characteristics of operation of the nuclear reactor assessed are defined as evaluation parameters (EP1.2.1 to EP1.2.8) for CR1.2 and discussed as follows:

  1. EP1.2.1: Margins of operation;
  2. EP1.2.2: Reliability of control systems;
  3. EP1.2.3: Ageing management;
  4. EP1.2.4: Impact from incorrect human intervention;
  5. EP1.2.5: Sufficient technical documentation;
  6. EP1.2.6: Appropriate training programmes;
  7. EP1.2.7: Plant management organization;
  8. EP1.2.8: Use of worldwide operating experience.

Evaluation parameter EP1.2.1: Margins of operation

An increase of the difference between an operating level and automatic reactor shutdown (scram) level for reactor conditions resulting in scram, e.g. high power, low flow, low pressure, etc, leads to an increased operational margin. Increased operational margins [32] are expected to contribute essentially to the reduction of occurrence of deviations from normal operation and component failures leading to scrams. An example is the power level (trip level), which initiates scram; sometimes this level is itself power-dependent. Before this trip level is actually reached, operational control systems are to be capable of reducing the power increase. In principle, the difference between an operating level and trip level could be set at a higher value and thus the operational margin would be increased (in this case for an overshooting of power). However, it is pointed out that this increased margin may result in a lower power output of the plant.
Acceptability of EP1.2.1: Evidence available to the INPRO assessor demonstrates operational margins larger than those in the reference design.

Evaluation parameter EP1.2.2: Reliability of control systems

Advanced self-checking control systems with increased reliability could help to avoid deviations from normal operation. Such advanced control systems could reduce the frequency of anticipated operational occurrences (AOOs) as well as the demand on operators.
Acceptability of EP1.2.2: Evidence available to the INPRO assessor demonstrates that the control systems of the reactor assessed are more reliable than those in the reference design.

Evaluation parameter EP1.2.3: Ageing management

The strategy of ageing management normally has to cover all relevant stages in the NPP lifecycle, including design, manufacture, construction, commissioning, commercial operation and decommissioning, all normal operational states, AOOs and accidents influencing a given system, and all relevant mechanisms of ageing including but not limited to embrittlement, fatigue and wear.
The NPP designer has to determine the design life of items important to safety, to provide appropriate design margins to take due account of age-related degradation and to provide methods and tools for assessing ageing during the NPP operation [15, 33]. The NPP operating organization has to develop a plan for preparing, coordinating, maintaining and improving activities for ageing management implementation at the different stages of the NPP lifecycle. Implementation of this plan involves activities on managing ageing mechanisms, detecting and assessing ageing effects, and managing ageing effects [33].
Ref [33] provides detailed guidance on the establishment, implementation and improvement of an ageing management programme.
Acceptability of EP1.2.3: Evidence available to the INPRO assessor demonstrates an improvement of the ageing management strategy of the reactor assessed compared to the reference design.

Evaluation parameter EP1.2.4: Impact from incorrect human intervention

Impact from incorrect human intervention needs to be reduced. Reduced impact means the reactor systems are more tolerant to operator mistakes during normal operation and AOO conditions. This important characteristic is an expected corollary of having advanced fault tolerant control systems and/or passive features (see also UR6, human factors related to safety).
Acceptability of EP1.2.4: Evidence available to the INPRO assessor demonstrates that incorrect human intervention during normal operation has less impact on reactor operation than in the reference design.

Evaluation parameter EP1.2.5: Sufficient technical documentation

Sufficient technical documentation (mostly to be provided by the designer), including manuals, has to be available when the plant is close to starting operation and thereafter. It should be noted that high performance requires knowledge of the actual state as well as documentation of all modifications since the beginning of operation [34], taking into account a planned service time of 60 years. Continuous documentation from the start of operation is important, e.g. to keep records of abnormal occurrences, accumulated loads on components, etc. In the following some important documentation is briefly discussed. Technical documentation normally includes:

  • Design documentation containing information necessary for plant operation, maintenance, tests, ageing management, potential modifications, etc;
  • Documentation which has been developed (received) during purchasing of the plant, plant systems structures and components, nuclear fuel and services;
  • Plant documentation including plant modifications documentation which is required for verifying fulfilment and compliance with statutory and regulatory requirements and for evaluation of supplies and services;
  • Safety and licensing documentation including compilation of licensing notices and documents for verifying fulfilment of safety rules and commitments;
  • Quality assurance and quality control documentation including a compilation of the quality control records;
  • Documents developed during NPP commissioning and operation: safety-related operating records; records of the plant maintenance; records of radiological protection of personnel and environment;
  • Working documentation including technical specifications, manuals and other technical documents for systems, structures and components.

A series of manuals is needed for an NPP, e.g. operating, chemistry, nuclear testing, and conventional testing manuals (see also Ref [35]). In the following a brief description of these manuals is given. The operating manual contains all operating and safety-related instructions for the control room (shift personnel) that are necessary for normal operation of the plant and for mitigating the consequences of transients and accidents.
The chemistry manual describes general and specific aspects of chemical-related conditions and actions, as well as chemistry monitoring. The main goal of the chemistry manual is to maintain chemistry conditions in relevant power plant systems and components that ensure a high corrosion resistance. It also provides a basis for establishing proper chemical operating conditions in auxiliary systems and in radioactive waste processing systems.
The nuclear testing manual contains the programme of periodic testing. The objective is to verify, at regular intervals or as a consequence of certain plant events, availability, performance, and quality features of systems, components and structures important for safety of the plant.
The conventional testing manual encompasses mandatory periodic tests of systems, structures and components necessary to ensure compliance with non-nuclear standards and regulations, e.g. pressure vessel codes.
Currently, computerized manuals are becoming state of the art. Taking advanced system modelling and computer capabilities into account, advanced control systems including expert systems (based on artificial intelligence methods) are expected to be implemented in new designs.
Acceptability of EP1.2.5: Evidence available to the INPRO assessor shows that sufficient (as described above) technical documentation including manuals is (or will be) available prior to the start of operation and will be continuously updated.

Evaluation parameter EP1.2.6: Appropriate training programmes

Appropriate training on the safety aspects of the nuclear power plant must be provided to all personnel who are directly involved in plant operation and plant and system maintenance, including those who hold responsible positions within the power plant management [36]. The vendor of a nuclear power plant usually offers training programmes and associated courses to the operator/owner of the plant. Training involves group and modular training. It is important to provide well-written training material. The use of simulators for operator training is mandatory.
Acceptability of EP1.2.6: Evidence available to the INPRO assessor shows that appropriate training programmes are established and will be implemented for the reactor assessed.

Evaluation parameter EP1.2.7: Plant management organization

A clear plant management organization with defined responsibilities (see Refs [35, 37] for international experience) is a prerequisite for high performance of the plant.
A pre-condition for granting a construction permit for a nuclear installation is that the applicant has the necessary expertise for start-up and operation, and that the competence of the operating personnel and the operating organization is appropriate and meets all licensing requirements. In addition to the organization’s structure, functions and the number of personnel required, the owner/operator defines qualification requirements in sufficient detail and corresponding recruitment activities during the construction phase. The organization’s structure, job descriptions, qualification requirements, authority and responsibility of personnel and the lines of management are described by the owner either in the administrative rules or in the plant manual.
Examples of plant operational functions that have to be addressed within the plant management organization are: responsible plant managers for operation, maintenance, technical support, quality assurance, environmental protection, nuclear and industrial safety, and administration (see also CR6.2, safety culture).
Acceptability of EP1.2.7: Evidence available to the INPRO assessor shows that a clear plant management organization with defined responsibilities will be established before start-up.

Evaluation parameter EP1.2.8: Use of worldwide operating experience

Operational experience and related evaluations of existing NPPs are collected by international organizations. Examples are the European BWR Forum, BWR Owners Group, Joint IAEA and Nuclear Energy Agency (Organization for Economic Co-operation and Development) International Reporting System for Operating Experience [38], World Association of Nuclear Operators, CANDU Owners Group, etc. As discussed in the introduction section of this report, national utility organizations in several countries (China, European Union, Japan, Republic of Korea, USA) have prepared documents that describe requirements for new designs based on experience with operating plants.
Consequently, this experience needs to be taken into account in the design of a new reactor. An overview of international activities in this area is presented in Ref [39].
Acceptability of EP1.2.8: Evidence available to the INPRO assessor shows that experience from operating nuclear power plants has been taken into account in the reactor design.

For final assessment of CR1.2:
The acceptance limit AL1.2 (reactor performance attributes are superior to those in the reference design) of CR1.2 is met, if evidence available to the INPRO assessor shows that the assessment of the above defined evaluation parameters confirms that the reactor design assessed shows:

  • Sufficient operational margins to ensure that key system variables relevant to safety do not exceed limits acceptable for continued operation;
  • Reduced impact of incorrect human action by appropriate design;
  • Use of advanced control systems;
  • Planned implementation of a clear management organization with defined responsibilities;
  • Sufficient technical documentation including manuals;
  • Appropriate training provisions;
  • Planned sharing of operating experience and use of it in the reactor design.

For an (innovative) reactor under development, the developer is to describe measures and features to ensure that reactor performance will be comparable or superior to that in operating plants.

Criterion CR1.3: Inspection, testing and maintenance

Indicator IN1.3: Capabilities to inspect, test and maintain.
  • Acceptance limit AL1.3: Superior to those in the reference design.

To meet this criterion, the reactor design is expected to permit more efficient and intelligent inspection, testing and maintenance. The criterion cannot be fully met by merely requiring more inspections and more testing. The programmes of inspection, testing and maintenance need to be driven by a sound understanding of failure mechanisms (corrosion, erosion, fatigue etc) so that the right locations are inspected, and the right systems, structures and components are tested and maintained at the right time intervals.
Appropriate inspections, testing and maintenance are important for keeping and improving the level of safety [40]. Because the methods of inspection, testing and maintenance and their effectiveness, efficiency and accuracy are continuously improving, the acceptance limit AL1.3 mostly requires the state of the art.
General prerequisites for an appropriate inspection, testing or maintenance programme for a reactor include:

  1. Knowledge about materials and manufacturing processes, weld locations, non-destructive testing results, locations with high stresses and high cycling frequencies, operating conditions (including chemistry), damage mechanisms (causes and consequences), field experience on similar components (to be documented in a ‘living’ documentation);
  2. Implementation of an inspection, testing or maintenance programme including risk-informed approaches (see also criterion CR7.5) taking into account the knowledge as defined above, such as damage mechanisms, design specifics (e.g. stress locations) and operating conditions;
  3. Decrease of individual and collective doses caused by inspections, testing or maintenance through design provisions, e.g. choice of materials in connection with adequate water chemistry (to avoid radioactive corrosion products), shielding devices, and easy serviceability. This includes also easy access to working locations, appropriate environmental working conditions and the development of specific tools and robotics in order to reduce dose rates and/or durations of inspections, testing or maintenance (see also criterion CR1.5).

It is recognized that in the early operational stages of an innovative reactor, before the technology (experience) base is fully established, more inspection, testing and maintenance may be required.
The acceptance limit AL1.3 (capability to inspect, to test and to maintain superior to that in the reference design) of CR1.3 is met, if evidence available to the INPRO assessor confirms that in the reactor assessed:

  1. Inspections, testing and maintenance are (will be) more effective and efficient than those in the reference plant;
  2. Appropriate inspection, testing and maintenance programmes are (will be) established;
  3. Design features to facilitate the performance of inspections, testing and maintenance have been demonstrated.

For an (innovative) reactor under development, measures and features are to be described that ensure that the capability to inspect, test and maintain will be comparable or superior to that in operating nuclear reactors.

Criterion CR1.4: Failures and deviations from normal operation

Indicator IN1.4: Expected frequency of failures and deviations from normal operation.
  • Acceptance limit AL1.4: Lower than that in the reference design.

For the reactor design assessed, the expected frequencies of initiating events leading to anticipated operational occurrences (AOOs) are supposed to be lower than those in the reference design. The frequency of these initiating events for operating reactors is determined from operational experience and probabilistic analyses. Apparently, for more robust designs the reduction of these frequencies relative to those for the reference design is possible. However, the frequencies of such initiating events are usually defined as licensing requirements by national regulatory bodies based on detailed national probabilistic studies (see for example Refs [41–45]). Thus, they cannot be easily reduced by a designer because such a reduction would need approval by the responsible regulatory authority.
However, for an INPRO assessment, technical arguments can be presented by the designer/developer that support a reduction of these frequencies of AOOs. Examples of arguments to support such a reduction of frequencies could be a positive judgment on criteria CR1.1 to CR1.3: improved materials, simplified designs (e.g. fewer valves), improved design margins (e.g. against overstressing and fatigue, against departure from nucleate boiling, etc.), increased operating margins, increased redundancies of operational systems, less impact from incorrect human intervention (the reactor systems need to be tolerant to human mistakes), more effective and efficient inspections, a continuous monitoring of the plant health, etc.
It is to be mentioned that the frequency of external events per se cannot be influenced by the designer or operator for a given site. An appropriate selection of the site for the nuclear reactor assessed could have a positive effect. However, the frequency of AOOs caused by external events can be influenced by the designer or operator. For some particular external events and NPP locations, the comparison of frequencies of AOOs of the planned reactor against those of the reference design involves comparison against relevant national regulatory requirements.
The acceptance limit AL1.4 (reduced expected frequencies of failures and deviations from normal operation) of CR1.4 is met if technical arguments available to the INPRO assessor show that fewer failures and deviations from normal operation (per year and unit) are expected than in the reference design.

Criterion CR1.5: Occupational dose

Indicator IN1.5: Occupational dose values during normal operation and AOOs.
  • Acceptance limit AL1.5: Lower than the dose constraints.

FIG. 1. Accumulated yearly occupational dose (modified from Ref [2]).

This criterion focuses on radiation protection of NPP workers. It is important to note that criterion CR1.5 does not consider radiation exposure of workers during accidents; it considers only plant states corresponding to Levels 1 and 2 of DID, i.e. normal operation and anticipated operational occurrences. The issue of avoiding undue burdens from radiation exposure to the public and environment during normal operation and AOOs is covered in a separate area of the INPRO methodology called environmental impact of stressors; after accidents this issue is covered via INPRO NES sustainability user requirement UR4 for the area of reactor safety, which states that accidental releases outside the plant are prevented or mitigated.
The recommendations of the IAEA Safety Standards for considering radiation protection in NPP design are provided in Ref [46]. Ref [47] recommends the use of dose constraints “for optimization of protection and safety, the intended outcome of which is that all exposures are controlled to levels that are as low as reasonably achievable, economic, societal and environmental factors being taken into account”.
The role of dose constraints is explained in Ref [48]:

“3.31. To apply the optimization principle, individual doses should be assessed at the design and planning stage, and it is these predicted individual doses for the various options that should be compared with the appropriate dose constraint. Options predicted to give doses below the dose constraint should be considered further; those predicted to give doses above the dose constraint should normally be rejected.”

Known occupational doses from normal operation and AOOs in modern NPPs are already very low, so this INPRO criterion CR1.5 does not go beyond asking for further ad hoc exposure reduction in dose. Fig. 1 shows accumulated yearly occupational doses in operating NPPs versus year of reporting. It is evident that the occupational doses decreased continuously with increasing lifetime and improved NPP designs. This was achieved by such measures as minimizing source terms (e.g. avoiding cobalt impurities in materials, using erosion/corrosion resistant materials for steam line designs to limit deposits, achieving adequate coolant chemistry), incorporating layout features that reduce the collective dose (e.g. strict physical separation/shielding of systems, accessibility, separation, shielding, handling, set down areas), and using maintenance friendly designs of equipment. It is expected that these features can be implemented in new (advanced) designs and thus – with further improvements – actual doses in new reactors may be further decreased.

The reactor assessed needs to ensure an efficient implementation of the concept of optimization of radiation protection for workers during design, commissioning, operation, and decommissioning through the use of automation, remote maintenance and operational experience from existing designs. Experience in operating reactors shows that maintenance, i.e. in-service inspection and periodic tests and repairs (including replacement), are the sources of most occupational doses. Criterion CR1.5 anticipates that new (advanced) reactors can take advantage of design concepts to achieve occupational dose reduction as a zero-cost side-effect of measures such as automated inspection and maintenance. New reactor designs are expected to be maintenance-friendly through careful layout, reliable equipment, and electronic availability of maintenance procedures at the work-face to guide those charged with performing maintenance duties.
In the INPRO methodology, the dose constraints concept is discussed in more detail in the manual on environmental impact of stressors.
The acceptance limit AL1.5 (occupational doses lower than dose constraints) is met if evidence available to the INPRO assessor shows that doses to workers during normal operation and AOOs have been optimized and are (will be) less than the dose constraints defined or accepted by national regulatory bodies.


References

  1. INTERNATIONAL ATOMIC ENERGY AGENCY, INPRO Methodology for Sustainability Assessment of Nuclear Energy Systems: Infrastructure, IAEA Nuclear Energy Series, No. NG-T-3.12, IAEA, Vienna (2014).
  2. WORLD ASSOCIATION OF NUCLEAR OPERATORS, Performance Indicators 2011, WANO, London (2011).