The independent peer review is performed by suitably qualified and experienced individuals, different from those who carried out the safety assessment. Design documents should be contained in a logical and manageable framework. Guidance on performing a systematic assessment of the defence in depth can be obtained from the IAEA safety reports series No. The application of defence in depth in the design should ensure the following: The approach to defence in depth used in the design should ensure that all aspects of design at the SSCs level have been covered, with emphasis on SSCs that are important to safety.
Environmental factors. It is likely that some design requirements associated with these factors will conflict with others in the determination of facility layout requirements. The design therefore reflects an assessment of options, demonstrating that an optimized configuration has been sought for the facility layout. The SSCs are then designed, constructed, and maintained such that their quality and reliability is commensurate with this classification.
In addition, all SSCs are identified as either important or not important to safety. The criteria for determining safety importance are based on: the safety function(s) to be performed; the consequence of failure; the probability that the SSC will be called upon to perform the safety function; and the time following a PIE at which the SSC will be called upon to operate, and the expected duration of that operation.
The design provides appropriately designed interfaces between SSCs of different classes to minimize the risk of an SSC less important to safety from adversely affecting the function or reliability of an SSC of greater importance.
Conservative design measures and sound engineering practices are to be applied in the design basis for normal operation, AOOs, and DBAs. This provides a high degree of assurance that no significant damage will occur to the reactor core, and that radiation doses will remain within established limits. Complementary design features address the performance of the plant in BDBAs, including selected severe accidents.
A BDBA may or may not involve core degradation. Acceptance criteria are assigned to each plant state, taking into account the expectation that frequent PIEs will have only minor or no radiological consequences, and events that may result in severe consequences are of extremely low probability. The design minimizes the unavailability of safety systems.
The design addresses the potential for accidents to occur when the availability of safety systems may be reduced, such as during shutdown, start-up, low power operation, refuelling, and maintenance. The design establishes a set of requirements and limitations for safe normal operation, including: limits important to safety; constraints on control systems and procedures; plant maintenance, testing, and inspection requirements to ensure that SSCs function as intended, taking the ALARA principle into consideration; and clearly defined operating configurations, such as start-up, power production, shutdown, maintenance, testing, surveillance, and refuelling; these configurations include relevant operational restrictions in the event of safety system and safety support system outages.
These requirements and limitations, together with the results of safety analysis, form the basis for establishing the OLCs according to which the plant will be authorized to operate, as discussed in subsection 4. The response of the plant to a wide range of AOOs allows safe operation or shutdown, if necessary, without the need to invoke provisions beyond defence-in-depth Level 1 or, at most, Level 2.
The facility layout is such that equipment is placed at the most suitable location to ensure its immediate availability when operator intervention is required, allowing for safe and timely access during an AOO. The design is such that releases to the public following a DBA will not exceed the dose acceptance criteria.
In order to prevent progression to a more severe condition that may threaten the next barrier, the design includes provision to automatically initiate the necessary safety systems where prompt and reliable action is required in response to a PIE. Provision is also made to support timely detection of, and manual response to, conditions where prompt action is not necessary.
This includes such responses as manual initiation of systems or other operator actions. The design takes into account operator actions that may be necessary to diagnose the state of the plant and to put it into a stable long-term shutdown condition in a timely manner.
Such operator actions are facilitated by the provision of adequate instrumentation to monitor plant status, and controls for manual operation of equipment. Any equipment necessary for manual response and recovery processes is placed at the most suitable location to allow safe and timely worker access when needed.
This includes events leading to significant core degradation (severe accidents), particularly those events that challenge containment. Complementary design features are then considered with the goal of preventing identified BDBA scenarios, and mitigating their consequences if they do occur.
Complementary design features include design or procedural considerations, or both, and are based on a combination of phenomenological models, engineering judgments, and probabilistic methods. The design identifies the rules and practices that have been applied to the complementary design features.
These rules and practices do not necessarily need to incorporate the same degree of conservatism as those applied to the design basis. The design identifies a radiological and combustible gas accident source term for use in the specification of the complementary design features for BDBAs. This source term is referred to as the reference source term, and is based on a set of representative core damage accidents established by the design authority.
In the case of multi-unit plants, the use of available support from other units is relied upon only if it can be established that the safe operation of the other units is not compromised. To the extent practicable, the design provides biological shielding of appropriate composition and thickness to protect operational personnel during BDBAs, including severe accidents.
Severe Accidents

The design should be balanced such that no particular design feature or event makes a dominant contribution to the frequency of severe accidents, taking uncertainties into account. Early in the design process, the various potential barriers to core degradation are identified, and features that can be incorporated to halt core degradation at those barriers are considered.
The design also identifies the equipment to be used in the management of severe accidents. A reasonable level of confidence that this equipment will perform as intended in the case of a severe accident is demonstrated by environmental, fire, and seismic assessments. Particular attention is placed on the prevention of potential containment bypass in accidents involving significant core degradation.
This applies to any system that can be shown with a reasonable degree of assurance to be able to function in the environmental conditions expected during a severe accident. Containment maintains its role as a leak-tight barrier for a period that allows sufficient time for the implementation of off-site emergency procedures following the onset of core damage.
Containment also prevents uncontrolled releases of radioactivity after this period. The design authority establishes initial severe accident management guidelines, taking into account the plant design features and the understanding of accident progression and associated phenomena.
The design considers prevention of recriticality following severe accidents. The plant design takes into account the potential for internal hazards, such as flooding, missile generation, pipe whip, jet impact, fire, smoke, and combustion by-products, or release of fluid from failed systems or from other installations on the site.
Appropriate preventive and mitigation measures are provided to ensure that nuclear safety is not compromised. The design considers the possible interaction of external and internal events, such as external events initiating internal fires or floods that may lead to the generation of missiles. Where two fluid systems operating at different pressures are interconnected, failure of the interconnection is considered. Either both systems withstand the higher pressure, or provision is made so that the design pressure of the system operating at the lower pressure will not be exceeded.
The subset of external events that the plant is designed to withstand is selected, and design basis events are determined from this subset. Various interactions between the plant and the environment, such as population in the surrounding area, meteorology, hydrology, geology and seismology are identified during the site evaluation and environmental assessment processes. These interactions are taken into account in determining the design basis for the NPP.
Applicable natural external hazards include such events as earthquakes, droughts, floods, high winds, tornadoes, tsunami, and extreme meteorological conditions.
Human-induced external events include those that are identified in the site evaluation, such as potential aircraft crashes, ship collisions, and terrorist activities. Such combinations of events are identified early in the design phase, and are confirmed using a systematic approach.
Events that may result from other events, such as a flood following an earthquake, are considered to be part of the original PIE. These rules comply with appropriate accepted engineering practices. The design also identifies SSCs to which design limits are applicable.
A reliability analysis is performed for each of these SSCs. Where possible, the design provides for testing to demonstrate that these reliability requirements will be met during operation. The safety systems and their support systems are designed to ensure that the probability of a safety system failure on demand from all causes is lower than The reliability model for each system uses realistic failure criteria and best estimate failure rates, considering the anticipated demand on the system from PIEs.
Design for reliability includes consideration of mission times for SSCs important to safety. The design takes into account the availability of off-site services upon which the safety of the plant and protection of the public may depend, such as the electricity supply and external emergency response services. Common-cause failures may also occur when multiple components of the same type fail at the same time. This may be caused by such occurrences as a change in ambient conditions, saturation of signals, repeated maintenance error or design deficiency.
The potential for common-cause failures of items important to safety is considered in determining where to apply the principles of diversity, separation, and independence to achieve the necessary reliability. Such failures may simultaneously affect a number of different items important to safety.
The event or cause may be a design deficiency, a manufacturing deficiency, an operating or maintenance error, a natural phenomenon, a human-induced event, or an unintended cascading effect from any other operation or failure within the plant. The design provides sufficient physical separation between redundant divisions of safety support systems and process systems.
This applies to equipment and to routing of the following items: Electrical cables for power and control of equipment; Piping for service water for the cooling of fuel and process equipment; and Tubing and piping for compressed air or hydraulic drives for control equipment. Where physical separation is not possible, safety support system equipment may share physical space.
In such cases, the reasons for the lack of separation and the justification for the space-sharing arrangement are explained in the design documentation. Where space sharing is necessary, services for safety and for other important process systems are arranged in a manner that incorporates the following considerations: a safety system designed to act as backup is not located in the same space as the primary safety system; and if a safety system and a process system must share space, then the associated safety functions are also provided by another safety system to counter the possibility of failures in the process system.
The design provides effective protection against common-cause events where sufficient physical separation among individual services or groups of services does not exist. The design authority assesses the effectiveness of specified physical separation or protective measures against common-cause events.
Diversity is applied to redundant systems or components that perform the same safety function by incorporating different attributes into the systems or components. Such attributes include different principles of operation, different physical variables, different conditions of operation, or production by different manufacturers. It is important that any diversity used actually achieves the desired increase in reliability.
For example, to reduce the potential for common-cause failures, the application of diversity is examined for any similarity in materials, components, and manufacturing processes, or subtle similarities in operating principles or common support features. If diverse components or systems are used, there should be a reasonable assurance that such additions are of overall benefit, taking into account associated disadvantages such as the extra complication in operational, maintenance, and test procedures, or the consequent use of equipment of lower reliability.
The single failure criterion requires that each safety group perform all safety functions required for a PIE in the presence of any single component failure, together with: all failures caused by that single failure; all identifiable but non-detectable failures, including those in non-tested components; and all failures and spurious system actions that cause or are caused by the PIE. Each safety group is able to perform the required safety functions under the worst permissible system configuration, taking into account such considerations as maintenance, testing, inspection and repair, and equipment outage.
Analysis of all possible single failures, and all associated consequential failures, is conducted for each element of each safety group until all safety groups have been considered. Unintended actions and failure of passive components are considered as two of the modes of failure of a safety group. The single failure is assumed to occur prior to the PIE, or at any time during the mission time for which the safety group is required to function following the PIE.
Passive components may be exempt from this expectation. Exemptions for passive components apply only to those components that are designed and manufactured to high standards of quality, that are adequately inspected and maintained in service, and that remain unaffected by the PIE. Design documentation includes analytical justification of such exemptions, taking loads and environmental conditions into account, as well as the total period of time after the PIE for which the functioning of the component is necessary.
Check valves are active components if they must change state following a PIE. Exceptions to the single failure criterion are infrequent, and clearly justified. To the greatest extent practicable, application of this principle enables plant systems to pass into a safe state if a system or component fails, with no necessity for any action to be taken. The design considers the time allowed for each equipment outage and the respective response actions.
Shared Instrumentation for Safety Systems

Instrumentation is not typically shared between safety systems. Where justified, there may be sharing between a safety system and a non-safety system such as a process or control system. Reliability and effectiveness of a safety system will not be impaired by normal operation, by partial or complete failure in other systems, or by any cross-link generated by the proposed sharing.
The design includes provisions to ensure that the sharing of instruments does not result in an increased frequency in demand on the safety system during operation. The design provides for periodic testing of the entire channel of instrumentation logic, from sensing device to actuating device.
If the design includes sharing of instrumentation between a safety system and a non-safety system, then the following expectations apply: sharing is limited to the sensing devices and their pre-amplifiers or amplifiers as needed to get the signal to the point of processing; the signal from each sensing device is electrically isolated so that failures cannot propagate from one system to the other; and isolation devices between systems of different safety importance are always associated with the system classified as being of greater importance to safety.
RD-337: Design of New Nuclear Power Plants
Detailed requirements are provided in the following sections. Alternative approaches may be acceptable, provided these elements are addressed in an equivalent manner that is demonstrated to be effective in managing aging. A specific individual or organizational unit (for example, an existing organization such as operation, maintenance, engineering, or quality management, or a dedicated aging management unit) shall be assigned responsibility to coordinate relevant programs, including supporting programs, periodic reviews of the effectiveness of the AMPs, and continuous improvement of the AMPs. Training shall be provided to operations, maintenance, engineering, and other pertinent staff to ensure they have an adequate awareness and understanding of aging management concepts and program requirements, and to enable them to make informed and positive contributions to the management of aging at the NPP. In addition to the internal teams, external organizations may be required to provide expert services on specific topics, such as condition assessments, research, and standards development. Data entered into the system shall be auditable, to demonstrate adequate verification of the data entered, a detailed description of the basis for any conclusion, and all applicable references to source information.
Archived Web Page - RD–334: Aging Management for Nuclear Power Plants