pub1218 web: safety series
DESCRIPTION
assessment of defense in depth in nuclear reactorsTRANSCRIPT
S a f e t y R e p o r t s S e r i e sN o. 4 6
A s s e s s m e n t o fD e f e n c e i n D e p t h
f o r N u c l e a r P o w e r P l a n t s
IAEA SAFETY RELATED PUBLICATIONS
IAEA SAFETY STANDARDS
Under the terms of Article III of its Statute, the IAEA is authorized to establish or adopt standards of safety for protection of health and minimization of danger to life and property, and to provide for the application of these standards.
The publications by means of which the IAEA establishes standards are issued in the IAEA Safety Standards Series. This series covers nuclear safety, radiation safety, transport safety and waste safety, and also general safety (i.e. all these areas of safety). The publication categories in the series are Safety Fundamentals, Safety Requirementsand Safety Guides.
Safety standards are coded according to their coverage: nuclear safety (NS), radiation safety (RS), transport safety (TS), waste safety (WS) and general safety (GS).
Information on the IAEA’s safety standards programme is available at the IAEA Internet site
http://www-ns.iaea.org/standards/
The site provides the texts in English of published and draft safety standards. The texts of safety standards issued in Arabic, Chinese, French, Russian and Spanish, the IAEA Safety Glossary and a status report for safety standards under development are also available. For further information, please contact the IAEA at P.O. Box 100, A-1400 Vienna, Austria.
All users of IAEA safety standards are invited to inform the IAEA of experience in their use (e.g. as a basis for national regulations, for safety reviews and for training courses) for the purpose of ensuring that they continue to meet users’ needs. Information may be provided via the IAEA Internet site or by post, as above, or by e-mail to [email protected].
OTHER SAFETY RELATED PUBLICATIONS
The IAEA provides for the application of the standards and, under the terms of Articles III and VIII.C of its Statute, makes available and fosters the exchange of information relating to peaceful nuclear activities and serves as an intermediary among its Member States for this purpose.
Reports on safety and protection in nuclear activities are issued in other publications series, in particular the Safety Reports Series. Safety Reports provide practical examples and detailed methods that can be used in support of the safety standards. Other IAEA series of safety related publications are the Provision for the Application of Safety Standards Series, the Radiological Assessment Reports Series and the International Nuclear Safety Group’s INSAG Series. The IAEA also issues reports on radiological accidents and other special publications.
Safety related publications are also issued in the Technical Reports Series, the IAEA-TECDOC Series, the Training Course Series and the IAEA Services Series, and as Practical Radiation Safety Manuals and Practical Radiation Technical Manuals. Security related publications are issued in the IAEA Nuclear Security Series.
ASSESSMENT OF DEFENCE IN DEPTH
FOR NUCLEAR POWER PLANTS
The following States are Members of the International Atomic Energy Agency:
AFGHANISTANALBANIAALGERIAANGOLAARGENTINAARMENIAAUSTRALIAAUSTRIAAZERBAIJANBANGLADESHBELARUSBELGIUMBENINBOLIVIABOSNIA AND HERZEGOVINABOTSWANABRAZILBULGARIABURKINA FASOCAMEROONCANADACENTRAL AFRICAN REPUBLICCHILECHINACOLOMBIACOSTA RICACÔTE D’IVOIRECROATIACUBACYPRUSCZECH REPUBLICDEMOCRATIC REPUBLIC OF THE CONGODENMARKDOMINICAN REPUBLICECUADOREGYPTEL SALVADORERITREAESTONIAETHIOPIAFINLANDFRANCEGABONGEORGIAGERMANYGHANAGREECE
GUATEMALAHAITIHOLY SEEHONDURASHUNGARYICELANDINDIAINDONESIAIRAN, ISLAMIC REPUBLIC OF IRAQIRELANDISRAELITALYJAMAICAJAPANJORDANKAZAKHSTANKENYAKOREA, REPUBLIC OFKUWAITKYRGYZSTANLATVIALEBANONLIBERIALIBYAN ARAB JAMAHIRIYALIECHTENSTEINLITHUANIALUXEMBOURGMADAGASCARMALAYSIAMALIMALTAMARSHALL ISLANDSMAURITANIAMAURITIUSMEXICOMONACOMONGOLIAMOROCCOMYANMARNAMIBIANETHERLANDSNEW ZEALANDNICARAGUANIGERNIGERIANORWAYPAKISTANPANAMA
PARAGUAYPERUPHILIPPINESPOLANDPORTUGALQATARREPUBLIC OF MOLDOVAROMANIARUSSIAN FEDERATIONSAUDI ARABIASENEGALSERBIA AND MONTENEGROSEYCHELLESSIERRA LEONESINGAPORESLOVAKIASLOVENIASOUTH AFRICASPAINSRI LANKASUDANSWEDENSWITZERLANDSYRIAN ARAB REPUBLICTAJIKISTANTHAILANDTHE FORMER YUGOSLAV REPUBLIC OF MACEDONIATUNISIATURKEYUGANDAUKRAINEUNITED ARAB EMIRATESUNITED KINGDOM OF GREAT BRITAIN AND NORTHERN IRELANDUNITED REPUBLIC OF TANZANIAUNITED STATES OF AMERICAURUGUAYUZBEKISTANVENEZUELAVIETNAMYEMENZAMBIAZIMBABWE
The Agency’s Statute was approved on 23 October 1956 by the Conference on the Statute othe IAEA held at United Nations Headquarters, New York; it entered into force on 29 July 1957The Headquarters of the Agency are situated in Vienna. Its principal objective is “to accelerate andenlarge the contribution of atomic energy to peace, health and prosperity throughout the world’’.
© IAEA, 2005
Permission to reproduce or translate the information contained in this publication may beobtained by writing to the International Atomic Energy Agency, Wagramer Strasse 5, P.O. Box 100A-1400 Vienna, Austria.
Printed by the IAEA in AustriaFebruary 2005STI/PUB/1218
f .
,
SAFETY REPORTS SERIES No. 46
ASSESSMENT OF DEFENCE IN DEPTH
FOR NUCLEAR POWER PLANTS
INTERNATIONAL ATOMIC ENERGY AGENCYVIENNA, 2005
IAEA Library Cataloguing in Publication Data
Assessment of defence in depth for nuclear power plants. — Vienna : International Atomic Energy Agency, 2005.
p. ; 24 cm. — (Safety reports series, ISSN 1020–6450 ; no. 46)STI/PUB/1218ISBN 92–0–114004–5Includes bibliographical references.
1. Nuclear reactors — Safety measures. 2. Nuclear power plants — Design and construction. 3. Nuclear engineering — Safety measures. I. International Atomic Energy Agency. II. Series.
IAEAL 04–00388
COPYRIGHT NOTICE
All IAEA scientific and technical publications are protected by the terms of the Universal Copyright Convention as adopted in 1952 (Berne) and as revised in 1972 (Paris). The copyright has since been extended by the World Intellectual Property Organization (Geneva) to include electronic and virtual intellectual property. Permission to use whole or parts of texts contained in IAEA publications in printed or electronic form must be obtained and is usually subject to royalty agreements. Proposals for non-commercial reproductions and translations are welcomed and will be considered on a case by case basis. Enquiries should be addressed by email to the Publishing Section, IAEA, at [email protected] or by post to:
Sales and Promotion Unit, Publishing SectionInternational Atomic Energy AgencyWagramer Strasse 5P.O. Box 100A-1400 ViennaAustriafax: +43 1 2600 29302tel.: +43 1 2600 22417http://www.iaea.org/Publications/index.html
FOREWORD
Defence in depth is a comprehensive approach to safety that has been developed by nuclear power experts to ensure with high confidence that the public and the environment are protected from any hazards posed by the use of nuclear power for the generation of electricity. The concepts of defence in depth and safety culture have served the nuclear power industry well as a basic philosophy for the safe design and operation of nuclear power plants.
Properly applied, defence in depth ensures that no single human error or equipment failure at one level of defence, nor even a combination of failures at more than one level of defence, propagates to jeopardize defence in depth at the subsequent level or leads to harm to the public or the environment.
The importance of the concept of defence in depth is underlined in IAEA Safety Standards, in particular in the requirements set forth in the Safety Standards: Safety of Nuclear Power Plants: Design (NS-R-1) and Safety Assessment and Verification for Nuclear Power Plants (NS-G-1.2). A specific report, Defence in Depth in Nuclear Safety (INSAG-10), describes the objectives, strategy, implementation and future development in the area of defence in depth in nuclear and radiation safety. In the report Basic Safety Principles for Nuclear Power Plants (INSAG-12), defence in depth is recognized as one of the fundamental safety principles that underlie the safety of nuclear power plants.
In consonance with those high level publications, this Safety Report provides more specific technical information on the implementation of this concept in the siting, design, construction and operation of nuclear power plants. It describes a method for comprehensive and balanced review of the provisions required for implementing defence in depth in existing plants.
This publication is intended to provide guidance primarily for the self-assessment by plant operators of the comprehensiveness and quality of defence in depth provisions. It can be used equally by regulators and independent reviewers. It offers a tool that is complementary to other methods for evaluating the strengths and weaknesses of defence in depth in specific plants.
The IAEA staff members responsible for this publication were J. Höhn and J. Mišák of the Division of Nuclear Installation Safety.
EDITORIAL NOTE
Although great care has been taken to maintain the accuracy of information contained in this publication, neither the IAEA nor its Member States assume any responsibility for consequences which may arise from its use.
The use of particular designations of countries or territories does not imply any judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and institutions or of the delimitation of their boundaries.
The mention of names of specific companies or products (whether or not indicated as registered) does not imply any intention to infringe proprietary rights, nor should it be construed as an endorsement or recommendation on the part of the IAEA.
CONTENTS
1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1. Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2. Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21.3. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21.4. Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. THE CONCEPT OF DEFENCE IN DEPTH. . . . . . . . . . . . . . . . . . . 4
2.1. General considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42.2. Fulfilment of the fundamental safety functions . . . . . . . . . . . . . 7
3. APPROACH FOR MAKING AN INVENTORY OF THE DEFENCE IN DEPTH CAPABILITIES OF A PLANT . . . . . . . . . 8
3.1. Description of the approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83.2. Specification of the provisions . . . . . . . . . . . . . . . . . . . . . . . . . . . 113.3. Objective trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4. APPLICATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5. CONCLUSIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
APPENDIX I: FUNDAMENTAL SAFETY FUNCTIONS AND SAFETY FUNCTIONS. . . . . . . 23
APPENDIX II: OBJECTIVE TREES FOR ALL LEVELS OF DEFENCE IN DEPTH . . . . . . . . . . . . . . . . . . . . . . . . . 26
APPENDIX III: SCREENING OF DEFENCE IN DEPTH CAPABILITIES OF WWER 440/V213 REACTORS . . . . . . . . . . . . . . . . . . 98
REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115DEFINITIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117CONTRIBUTORS TO DRAFTING AND REVIEW . . . . . . . . . . . . . . . . 120
BLANK
1. INTRODUCTION
1.1. BACKGROUND
The concept of defence in depth has been developed from the original idea of placing multiple barriers between radioactive materials and the environment. At present the concept includes a more general structure of multiple physical barriers and complementary means to protect the barriers themselves, the so-called levels of defence. It ensures that a high level of safety is reliably achieved with sufficient margins to compensate for equipment failures and human errors.
Defence in depth is implemented to provide a graded protection against a wide variety of transients, incidents and accidents, including equipment failures and human errors within nuclear power plants and events initiated outside plants. Defence in depth is an overall safety philosophy that encompasses all safety activities, including the siting, design, manufacture, construction, commissioning, operation and decommissioning of nuclear power plants.
Systematic assessments of the implementation of defence in depth are performed throughout the lifetime of a plant, and are typically conducted by different organizations. For assessment, engineering methods are used, combining qualitative analysis and quantitative methods. Computational analytical tools are typically used to evaluate the performance of the barriers and safety systems.
The concept of defence in depth is applied to a broad variety of safety related activities and measures, be they organizational, behavioural or design related. However, no single method is available for assessing the importance of these measures, which vary in nature. Whilst progress has been made recently in this area through the use of probabilistic methods, the deterministic approach is still primarily directed at evaluating design features only.
Therefore, there is a need for developing a comprehensive deterministic safety assessment approach, which should be able to consider the contributions of the various defence in depth provisions1 to the overall safety aim of defence in depth.
1 Provisions: measures implemented in design and operation such as inherent plant characteristics, safety margins, system design features and operational measures contributing to the performance of the safety functions aimed at preventing the mechanisms from occurring.
1
1.2. OBJECTIVE
The present publication describes a method for assessing the defence in depth capabilities of an existing plant, including both its design features and the operational measures taken to ensure safety. A systematic identification of the required safety provisions for the siting, design, construction and operation of the plant provides the basis for assessing the comprehensiveness and quality of defence in depth at the plant.
The five levels of defence in depth are covered in the present review. For given objectives at each level of defence, a set of challenges2 is identified, and several root mechanisms3 leading to the challenges are specified. Finally, to the extent possible, a comprehensive list of safety provisions, which contribute to preventing these mechanisms from occurring, is provided. A broad spectrum of provisions, which encompass the inherent safety features, equipment, procedures, staff availability, staff training and safety culture aspects, is considered.
For easier and more user friendly applicability, the method that is reviewed in this publication, including the overview of all challenges, mechanisms and provisions for all levels of defence, is illustrated in the form of ‘objective trees’4.
1.3. SCOPE
The assessment method that is reviewed in this publication is directly applicable to existing light water and heavy water reactors, and to spent fuel transported or stored in the pools outside the nuclear reactor coolant system on the site of these reactors. With some minor modifications, the method can also be used for other types of reactor such as reactors cooled with gas or with liquid
2 Challenges: generalized mechanisms, processes or circumstances (conditions) that may have an impact on the intended performance of safety functions. Challenges are caused by a set of mechanisms having consequences that are similar in nature.
3 Mechanisms: specific reasons, processes or situations whose consequences might create challenges to the performance of safety functions.
4 Objective tree: a graphical presentation, for each of the specific safety principles belonging to the five levels of defence in depth, of the following elements from top to bottom: (1) objective of the level; (2) relevant safety functions; (3) identified challenges; (4) constitutive mechanisms for each of the challenges; (5) a list of provisions in design and operation for preventing the mechanism from occurring.
2
metal. In the future the method can be modified also for innovative or new reactor designs.
The assessment method is applicable to all stages of the lifetime of the plant, from design to operation. Siting aspects are in part covered. However, decommissioning has not been considered in the development of this assessment method.
The assessment method described in this publication is not meant to replace the other evaluations required by national or international standards. Rather, it is intended to complement regulatory evaluations and to provide an additional tool for a better appreciation of the defence in depth capabilities of a plant.
With a view to providing a clear interpretation of the term defence in depth and a better understanding of the completeness of this concept, the present publication contains a comprehensive review of the provisions for all levels of defence. However, this publication does not provide any guidance for evaluating the safety significance of omissions or for the prioritization of the defence in depth provisions.
1.4. STRUCTURE
Section 2 addresses the strategy of defence in depth and the importance of fulfilling the safety functions5 (SFs) to achieve the objectives for the different levels of defence. Section 3 provides a detailed description of the approach for making an inventory of the defence in depth capabilities of a plant. Section 4 discusses the applications of the approach and how to use the approach for assessing defence in depth. Section 5 presents conclusions. A discussion of the SFs is presented in Appendix I. In Appendix II, the objective trees graphically represent how, for each relevant safety principle6, the safety objectives of the different levels of defence can be achieved by establishing defence in depth provisions at different stages of the lifetime of the plant. A test application of the approach is summarized in Appendix III. Definitions are provided at the end of the book.
5 Safety function: a specific purpose that must be accomplished for safety in operational states, during and following a design basis accident (DBA) and, to the extent practicable, in, during and following the plant conditions considered beyond the DBA.
6 Safety principle: a commonly shared safety concept stating how to achieve safety objectives at different levels of defence in depth.
3
2. THE CONCEPT OF DEFENCE IN DEPTH
2.1. GENERAL CONSIDERATIONS
Three safety objectives are defined for nuclear installations in the IAEA Safety Fundamentals publication [1]. Safety objectives require that nuclear installations are designed and operated so as to keep all sources of radiation exposure under strict technical and administrative control. The general nuclear safety objective is supported by two complementary objectives, the radiation protection objective and the technical safety objective.
By observing a comprehensive set of safety principles [2], the operators of plants will achieve the nuclear safety objectives. In this process, the measures that are taken to keep radiation exposure in all operational states to levels as low as reasonably achievable, and to minimize the likelihood of an accident that might lead to loss of normal control of the source of the radiation, are essential. For nuclear power plants, the safety objectives are ensured by fulfilling the three fundamental safety functions (FSFs)7 described in Section 2.2.
According to INSAG-10 [3], defence in depth consists of a hierarchical deployment of different levels of equipment and procedures in order to maintain the effectiveness of physical barriers placed between radioactive material and workers, the public or the environment, during normal operation, anticipated operational occurrences (AOOs) and, for some barriers, accidents at the plant.
In general, several successive physical barriers for the confinement of radioactive material are in place within a plant. Their specific design may vary depending on the radioactivity of the material and on the possible deviations from normal operation that could result in the failure of some barriers. The number and type of barriers that confine the fission products are dependent on the technology that has been adopted for the reactor. For the reactors under consideration these barriers include the fuel matrix, fuel cladding, pressure boundary of the reactor coolant system, and the containment or confinement.
Defence in depth is generally divided into five levels [3]. Should one level fail, the subsequent level comes into play. Table 1 summarizes the objectives of each level and the corresponding means that are essential for achieving them.
7 The three fundamental safety functions are: (1) control of the reactivity; (2) removal of heat from the fuel; (3) confinement of radioactive material and control of operational discharges, as well as limitation of accidental releases.
4
The levels are intended to be independent to the extent practicable. The general objective of defence in depth is to ensure that a single failure, whether an equipment failure or a human failure, at one level of defence, and even a combination of failures at more than one level of defence, does not propagate to jeopardize defence in depth at subsequent levels. The independence of different levels of defence is crucial to meeting this objective.
Figure 1 is a flow chart showing the logic of defence in depth. Success is defined for each level of defence in depth. According to the philosophy of defence in depth, if the provisions of a given level of defence fail to control the evolution of a sequence, the subsequent level will come into play.
The objective of the first level of defence is the prevention of abnormal operation and system failures. If there is a failure at this level, an initiating event takes place. This can happen either if the defence in depth provisions at Level 1 were not effective enough or if a certain mechanism was not considered in establishing the defence in depth provisions at Level 1. Then the second level of defence will detect these failures, to avoid or to control the abnormal operation. Should the second level fail, the third level ensures that the FSFs will be performed by activation of specific safety systems and other safety
TABLE 1. LEVELS OF DEFENCE IN DEPTH [4]
Levels of defence in depth
ObjectiveEssential means for achieving
the objective
Level 1 Prevention of abnormal operation and failures
Conservative design and high quality in construction and operation
Level 2 Control of abnormal operation and detection of failures
Control, limiting and protection systems and other surveillance features
Level 3 Control of accidents within the design basis
Engineered safety features and accident procedures
Level 4 Control of severe plant conditions, including prevention of accident progression and mitigation of the consequences of severe accidents
Complementary measures and accident management
Level 5 Mitigation of radiological consequences of significant releases of radioactive materials
Off-site emergency response
5
Provisions for Level 1 of defence in depth
SuccessYES
NO
YES
YES
YES
NO
NO
NO
Provisions for Level 2 of defence in depth
Initiating events
Success
Success
Success
Design basis accidents
Provisions for Level 4 of defence in depth
Beyond design basis accidents/ severe accidents
Provisions for Level 3 of defence in depth
Significant radioactivereleases
Fundamental safety functionssuccessfully performed
Limited accidentalradioactive releases
Provisions for Level 5 of defence in depth
Level 1
Level 2
Level 3
Level 4
Objective:Prevention of abnormal operation and failures
Success:Normal operation
Objective: Control of abnormal operationand detection of failures
Success: Return tonormal operationafter recovery from failure. Prevention of progress ofAOOs
Objective:Control of accidents (below the severity level postulated withinthe design basis)
Success: Accident consequences limited within the design basis
Objective: Control of severeplant conditions, includingprevention of accidentprogression and mitigationof the consequencesof severe accidents
Success: Containmentintegrity preserved
FIG. 1. Flow chart for defence in depth.
6
features with a view to limiting the possible consequences of design basis accidents (DBAs). Should the third level fail, the fourth level limits accident progression by means of accident management measures in order to prevent or mitigate severe accident conditions with external releases of radioactive material. The last objective (the fifth level of defence) is the mitigation of the radiological consequences of significant external releases through the off-site emergency response.
A deterministic approach to defence in depth does not explicitly consider the probabilities of occurrence of the challenges or mechanisms (an explanation of these terms is given in Section 3.1) nor does it include the quantification of the probabilities of success associated with the performance of features and systems for each level of defence. However, in the future this deterministic approach can be further complemented by probabilistic safety analysis (PSA) considerations (system reliability, probabilistic targets, etc.), to provide an adequate level of safety ensuring a well balanced design.
2.2. FULFILMENT OF FUNDAMENTAL SAFETY FUNCTIONS
To ensure the safety of plants by avoiding the failure of barriers against the release of radioactive material and by mitigating the consequences of their failure, the following FSFs have to be performed in operational states, during and following DBAs and, to the extent practicable, in, during and following the considered plant conditions beyond the DBA [4]:
(1) Control of reactivity;(2) Removal of heat from the core; (3) Confinement of radioactive materials and control of operational
discharges, as well as limitation of accidental releases.
Henceforth in the present report, FSF (2) ‘removal of heat from the core’, as mentioned in Ref. [4], will be replaced by the more general FSF ‘removal of heat from the fuel’ to cover also the fuel removed from the core but that is still on the site of the plant and is a potential radioactive source.
The FSFs are essential for defence in depth and as a measure of the appropriate implementation of defence in depth through the various provisions for the design and operation of the plant, as indicated by the underlying relevant safety principles. The aim of the defence in depth provisions is to protect the barriers and to mitigate the consequences if the barriers against the release of radioactive material are damaged.
7
Possible challenges to the FSFs are dealt with by the defence in depth provisions established at a given level of defence, which include inherent safety characteristics, safety margins, active and passive systems, procedures, operator actions, organizational measures and safety culture aspects. All those mechanisms that can challenge the performance of the FSFs should be first identified for each level of defence. These mechanisms are used to determine the set of initiating events that can lead to deviation (initiation or worsening) from normal operation.
Each of the FSFs may be subdivided into several derived/subsidiary SFs, as presented in Appendix I. The list in Appendix I is based on Safety of Nuclear Power Plants: Design [4]. Some modifications to the list were necessary to allow a more general applicability of these SFs beyond the scope of Ref. [4]. Independence in the performance of the FSFs/SFs at all levels underlies the defence in depth concept. In addition, the performance of the SFs also establishes the conditions for maintaining the integrity of barriers against the release of radioactive material.
3. APPROACH FOR MAKING AN INVENTORY OF THE DEFENCE IN DEPTH CAPABILITIES OF A PLANT
3.1. DESCRIPTION OF THE APPROACH
The identification of what can have an impact on the performance of an FSF as well as of the variety of options that exist for avoiding this impact for each level of defence is an essential task in the development of the framework for making an inventory of the defence in depth capabilities of a plant. For developing the framework, it is useful to explain the following concepts:
(a) Defence in depth involves multiple barriers against the release of radioactive material as well as several levels of defence, which include organizational, behavioural and design measures (provisions).
(b) Each level of defence has its specific objectives, including the protection of relevant barriers and the essential means for this protection. To ensure achievement of the objective of each level of defence, all FSFs (and derived/subsidiary SFs) relevant for this level need to be performed.
(c) Challenges are generalized mechanisms, processes or circumstances (conditions) that may have an impact on the intended performance of SFs. The nature of challenges is characterized by the safety principle that contributes to the achievement of the objective through the performance
8
of SFs. Challenges are caused by a set of mechanisms having similar consequences.
(d) Mechanisms are more specific processes or situations whose consequences might create challenges to the performance of SFs.
For each of the mechanisms it is possible to find a number of provisions, such as inherent plant safety characteristics, safety margins, system design features and operational measures, which can support the performance of the SFs and prevent the mechanism from taking place.
A framework for making an inventory of the defence in depth capabilities should screen for each level of defence all the challenges and mechanisms, and identify possible safety provisions for achieving the objectives of each level of defence as indicated by the relevant safety principles.
The framework described above may be graphically depicted in terms of an ‘objective tree’, as shown in Fig. 2. At the top of the tree there is the level of defence in depth that is of interest, followed by the objectives to be achieved, including the barriers to be protected against release of radioactive material. Below this, there is a list of FSFs or derived SFs which need to be maintained to achieve both the objectives and the protection of the barriers of the level of defence under consideration. For instance, for Level 2 the objective is to control abnormal operation and to detect failures, as well as to ensure the
Challenge Challenge
Safety function
Provision
Provision
Provision
Mechanism
Provision
Provision
Mechanism
Provision
Provision
Provision
Provision
Mechanism
Challenge Challenge
Objectives and barriers
Level of defence
To be achieved and to be protected
To be maintained
To cope with
Induced by
Measures to be taken to prevent mechanisms from occurring that challenge safety functions
Safety function
FIG. 2. Structure for defence in depth provisions at each level of defence.
9
continued integrity of the first three barriers (the fuel matrix, cladding and pressure boundary of the reactor coolant system) through performance of FSFs/SFs. For Level 3, the objective is to control accidents within the design basis. For these accidents it is required to limit damage of the first two barriers, to avoid consequential damage of the pressure boundary of the reactor coolant system and to avoid any damage of the reactor containment.
There might be an impact on the performance of FSFs/SFs by challenges which are placed on a lower level of the objective tree. On the next lower level of the tree there are several mechanisms listed that can give rise to the challenges. Under each of the mechanisms, there is a list of possible provisions that should be implemented in order to prevent the mechanisms from occurring and to prevent challenges to the SFs from arising.
The following example applicable to pressurized water reactors (PWRs) may further illustrate the approach described. One of the SFs relevant for Levels 1–3 of defence in depth is prevention of unacceptable reactivity transients. This SF can be challenged by insertion of positive reactivity. Several mechanisms lead to such a challenge, including control rod ejection, control rod withdrawal, control rod drop or misalignment, erroneous startup of a circulation loop, release of absorber deposits in the reactor core, incorrect refuelling operations or inadvertent boron dilution. For each of these mechanisms there are a number of provisions to prevent its occurrence. For example, control rod withdrawal can be prevented or its consequences mitigated by:
(1) Design margins minimizing the need for automatic control, (2) An operating strategy with most of the rods out of the core, (3) Monitoring of rod position, (4) Limited speed of rod withdrawal, (5) Limited worth of the control rod groups, (6) A negative feedback reactivity coefficient, (7) Conservative set points of the reactor protection system, (8) A reliable and fast safety shutdown system.
The main objective of the method presented in this publication is making an inventory of the defence in depth capabilities, i.e. the provisions implemented during any stage of the lifetime of the plant. Its essential attribute therefore would be the completeness of the list of mechanisms grouped into generalized challenges endangering the fulfilment of SFs, and sufficient comprehensiveness of the list of safety provisions aimed at preventing those mechanisms from taking place. The top down approach, i.e. from the objectives of each level of defence down through challenges and mechanisms down to the
10
provisions, is considered an appropriate way to develop the objective trees in the most comprehensive way.
3.2. SPECIFICATION OF THE PROVISIONS
The defence in depth capabilities of a plant are established by means of the provisions that prevent mechanisms or combinations of mechanisms from occurring that might challenge the performance of the FSFs and SFs. It is important that the list of provisions is drawn up as comprehensively as possible. A combination of expert judgement, the IAEA reference report INSAG-12 [2] and two IAEA Safety Standards publications [4, 5] has been used to provide guidance on the comprehensive selection of the main challenges, mechanisms and provisions for each of the SFs to be performed. In Ref. [2] a graphical depiction of the elements of defence in depth and safety culture over the lifetime of a plant has been devised, as shown in Fig. 3, which is reproduced from Ref. [2].
Across the horizontal axis of the figure the stages of lifetime of a plant are listed, beginning with design, through construction and operation, and ending with plant decommissioning. Decommissioning is beyond the scope of the present publication. Along the vertical axis of the figure there are the levels of defence in depth. These levels begin at the top with the first level involving the prevention of abnormal events, progressing through levels devoted to the recovery from abnormal events of increasing levels of severity, and concluding with the level of defence aimed at mitigating the radiological consequences of the most severe and most unlikely accidents. Within the figure the major features (elements) are listed that contribute to defence in depth during the nuclear power plant lifetime. Each of the elements is representative of a specific safety principle discussed in detail in Ref. [2]. The lines connecting the safety principles in Fig. 3 indicate the interrelations among the principles.
The safety principles described in Ref. [2] are commonly shared safety concepts that indicate how to achieve safety objectives at different levels of defence in depth. The safety principles do not guarantee that plants will be absolutely free of risk. Nonetheless, INSAG [2] has stated that, if the principles are adequately applied, the nuclear power plants should be very safe. It is therefore considered that the safety principles provide a useful basis for the comprehensiveness of the provisions.
Figure 3 also indicates how to assign individual safety principles to different levels of defence in depth. Assignment of safety principles to a certain level of defence in depth means that non-compliance with such a safety
11
principle can adversely affect achievement of the objectives, in particular for a given level.
The first step for assignment is shown in Fig. 3. A preliminary assignment is done as a horizontal band selected from the safety principles in Fig. 3, located within the boundaries of the different levels of defence. Of course, the complex nature of some of the principles cannot be fully reflected by a one dimensional projection of this kind. Furthermore, the boundaries of the levels are not so clear and some overlapping between levels exists.
The second step for assignment is shown in Fig. 4, which is reproduced from Ref. [2], showing the physical barriers and levels of protection in defence in depth. The message conveyed by Fig. 4 is that any violation of general safety principles such as in design management, quality assurance or safety culture can adversely affect several levels of defence at the same time. Specific safety principles that usually address the performance of various hardware components are typically assigned to different levels of defence.
The third step for assignment of safety principles to individual levels of defence is provided by the explanatory text on the safety principles themselves in Ref. [2] and the derived requirements for design and operation in the IAEA Safety Standards [4, 5].
The results of the assignment of the safety principles are given in Table 2. The numbering of the safety principles given in Table 2, as well as their grouping into siting, design, manufacture and construction, commissioning, operation, accident management and emergency preparedness, are taken directly from Ref. [2].
It can be seen from Table 2 that many principles have a bearing on more than one level of defence. For example ‘achievement of quality’ (safety principle 249 (SP (249)) has an impact across Levels 1–4, since it affects the reliability of all the engineering provisions that are in place to provide the defences at those levels.
The concept of defence in depth relies on a high degree of independence between the levels of defence. In practice, however, some sort of interdependence between the levels of defence exists as a result of the pervading nature of several of the principles. Of course, formal assignment of one safety principle to several levels of defence in depth does not necessarily mean lack of independence between the different levels. This is because the same principle is typically applied to different systems, different manufacturers, different plant staffs and different plant conditions, and not necessarily the same weakness propagates through all of these groupings. However, since interdependence between different levels represents a serious weakening of the defence in depth concept, for each such indicated case a special
12
13
FIG. 3. Schematic presentation of the specific safety principles of INSAG, showing their coherence and their interrelations [2].
Emergency operatingprocedures
Engineering & tech.support of operation
Operational limitsand conditions
Normal operatingprocedures
Conduct ofoperation
Radiation protectionprocedures
Feedback ofoperating experience
Mai
nten
ance
, tes
ting
and
insp
ectio
n
Safety reviewprocedures
Training
Organization, responsibilities and stafffing
Qua
lity
assu
ranc
e in
ope
ratio
n,
staf
f ass
essm
ent a
nd p
eer
revi
ews
Ass
essm
ent o
f acc
iden
t con
sequ
ence
s an
d ra
diol
ogic
al m
onito
ring
Em
erge
ncy
plan
s
Em
erge
ncy
resp
onse
faci
litie
s
Ope
ratio
nal e
xcel
lenc
e
Strategy for accidentmanagement
Training andprocedures for acci-dent management
Engineeredfeatures for acci-
dent management
Pre
-ope
ratio
nal p
lant
adj
ustm
ents
Val
idat
ion
of o
pera
ting
and
func
tiona
l tes
t pro
cedu
res
Ver
ifica
tion
of d
esig
n an
d co
nstr
uctio
n
Ach
iev e
men
t of q
ualit
y
Safety evaluationof design
Proventechnology
Normal heatremoval
General basisfor design
Radiation protectionin design
Reactor coolantsystem integrity
Plantprocesses
controlsystem
Control of accidentswithin the design basis
Monitoringof plantsafetystatus
Automatic safetysystems
Emergency heatremoval
Confinement ofradioactive material
Preservation ofcontrol capability
Station blackout
Reliability targets
Dependent failures
Equipmentqualification
Protection ofconfinement structure
Physical protection
Automatic shutdownsystems
Insp
ecta
bilit
y of
saf
ety
equi
pmen
t
Pro
tect
ion
agai
nst p
ower
tran
sien
t acc
iden
ts
Rea
ctor
cor
e in
tegr
ity
Ultimate heatsink provisions
Rad
iolo
gica
l im
pact
on
the
publ
ic a
nd th
e lo
cal e
nviro
nmen
t
Feasibility ofemergency plans
External factorsaffecting the plant
Designmanagement
DESIGN MANUFACTURE/ CONSTRUCTION
END OF LIFE FUTURE PLANTCOMMISSIONING OPERATION
Collecting baselinedata
SITEDEFENCEIN DEPTH
PREVENTION OFDEVIATION FROM
NORMAL OPERATION
CONTROL OFACCIDENT WITHIN
DESIGN BASIS
CONTROLABNORMALOPERATION
CONTROL OFACCIDENT
PROGRESSION ANDACCIDENT
MITIGATION
OFF-SITEEMERGENCYRESPONSE
(Pol
icie
s, m
anag
emen
t pra
ctic
es, i
ndiv
idua
ls q
uest
ioni
ng,
CULTURErigorous, prudent approach and communication)
SA
FE
TY
Spent fuel storage
Decommissioning
P1218_p13+14.qxd 2005-02-11 10:05 Page 13
14
consideration should be made to check all possible implications of potentialdeficiencies.
In some cases, the assignment of safety principles to levels of defence inTable 2 reflects differences in current national practices. For instance, in somecountries, normal operating procedures (SP (288)) cover both normal andabnormal operational regimes. In other countries, abnormal operationalregimes are covered by emergency operating procedures (EOPs)8 (SP (290));the same EOPs are also applicable for accidents within the design basis and tosome extent (before significant core degradation) also for beyond design basisaccidents (BDBAs).
Naturally, a certain amount of subjectivity in the assignment of safetyprinciples cannot be avoided. However, this subjectivity is not detrimental to
8 Emergency operating procedures: plant specific procedures containinginstructions to operating staff for implementing preventive accident managementmeasures. The EOPs typically contain all the preventive measures (for both DBAs andBDBAs).
Fifth level: Off-site emergency response
Fourth level: Accident management including confinement protection
Fourth barrier: Confinement
Third level: Control of accidents in design basis
Second level: Control of abnormal operation
First level: Prevention of deviation from normal operation
Third barrier: Primary circuit boundary
Second barrier: Fuel rod cladding
First barrier: Fuel matrix
Fission products
General means of protection: conservativedesign, quality assurance and safety culture
Normal operatingsystems
Safety and protectionsystems, engineeredand special safetyfeatures
FIG. 4. Interrelationship between physical barriers and levels of protection in defencein depth [2].
P1218_p13+14.qxd 2005-02-11 10:05 Page 14
the comprehensiveness of the objective trees, since safety principles represent only one of various sources of information for development of the approach.
3.3. OBJECTIVE TREES
The objective trees are presented in Appendix II for all the levels of defence based on the approach described. The trees themselves are self-explanatory, i.e. no additional text is provided to explain the challenges, mechanisms and provisions. Further guidance can be found in Refs [2, 4, 5].
The following remarks can be made on the formulation of provisions in the objective trees:
(a) Impacts of mechanisms should first be analysed with adequate tools, even if this is not always explicitly expressed in the provisions. The selection and implementation of an appropriate measure always needs to be based on the results of such an analysis. Lack of analysis can easily represent a source of weakening of defence in depth.
(b) The intention of objective trees is to provide a comprehensive list of the possible options for provisions. Not necessarily all of them are to be implemented in parallel. The plant operator, on the basis of the insights offered by this approach, is in a better position to decide upon the required level of implementation of the provisions, including any need for a modified or additional provision.
(c) The provisions offered in the objective trees were mainly derived from the IAEA and INSAG safety principles, the IAEA Safety Standards and on the basis of an additional engineering judgement from those experts who participated in the development of this publication. The various types of provision include: inherent plant safety features, systems, procedures, availability and training of staff, safety management and safety culture measures.
(d) For safety principles that are common to several levels of defence, several ways of presenting the objective trees are used. If a substantial difference in the formulation of provisions for different levels is identified, a separate objective tree is developed for each of the respective levels. Otherwise, the same objective tree can simply be used for each of the relevant levels. However, it should be clear for such cases that the objectives and means at different levels are different and that the same objective tree applies to different plant systems, i.e. the plant process systems, the control systems and the safety systems. To keep both the number and the structure of objective trees within reasonable limits,
15
TABLE 2. ASSIGNMENT OF SAFETY PRINCIPLES TO INDIVIDUAL LEVELS OF DEFENCE IN DEPTH
Phases of plant life
No.of SP
Safety principle (SP)Level of defence
1 2 3 4 5
Siting 136 External factors affecting the plant o
138 Radiological impact on the public and the local environment
o o o o o
140 Feasibility of emergency plans o
142 Ultimate heat sink provisions o o o o
Design 150 Design management o o o o
154 Proven technology o o o o
158 General basis for design o o o o
164 Plant process control systems o o
168 Automatic safety systems o
174 Reliability targets o
177 Dependent failures o
182 Equipment qualification o
186 Inspectability of safety equipment o o o o
188 Radiation protection in design o
192 Protection against power transient accidents o o o
195 Reactor core integrity o o o
200 Automatic shutdown systems o o
203 Normal heat removal o o
205 Startup, shutdown and low power operation o o o o
207 Emergency heat removal o o
209 Reactor coolant system integrity o o
217 Confinement of radioactive material o o
221 Protection of confinement structure o o
227 Monitoring of plant safety status o o o o
230 Preservation of control capability o o o o
233 Station blackout o o
237 Control of accidents within the design basis o
240 New and spent fuel storage o o
242 Physical protection of plant o o
16
Manufacture and construction
246 Safety evaluation of design o o o o
249 Achievement of quality o o o o
Commissioning 255 Verification of design and construction o o o o
258 Validation of operating and functional test procedures
o o o o
260 Collection of baseline data o o o o
262 Pre-operational adjustment of plant o o o o
Operation 265 Organization, responsibilities and staffing o o o o o
269 Safety review procedures o o o o
272 Conduct of operations o
278 Training o o o
284 Operational limits and conditions o o o
288 Normal operating procedures o
290 Emergency operating procedures o o o o
292 Radiation protection procedures o o o o
296 Engineering and technical support of operations o o o o o
299 Feedback of operating experience o o o o
305 Maintenance, testing and inspection o o o o
312 Quality assurance in operation o o o o
Accident management
318 Strategy for accident management o
323 Training and procedures for accident management
o
326 Engineered features for accident management
o
Emergency preparedness
333 Emergency plans o o
336 Emergency response facilities o o
339 Assessment of accident consequences and radiological monitoring
o o o
TABLE 2. ASSIGNMENT OF SAFETY PRINCIPLES TO INDIVIDUAL LEVELS OF DEFENCE IN DEPTH (cont.)
Phases of plant life
No.of SP
Safety principle (SP)Level of defence
1 2 3 4 5
17
similar provisions to avoid the occurrence of different mechanisms were sometimes condensed in the tree presentation (e.g. SP (136) in Appendix II).
In total 68 different objective trees have been developed for 53 specific safety principles assigned to the five levels of defence:
— Eleven trees exclusively for Level 1;— Seven trees exclusively for Level 2;— Two trees common to Levels 1 and 2;— Three trees common to Levels 1–3;— Eleven trees exclusively to Level 3;— Nineteen trees common to Levels 1–4;— One tree common to Levels 2–4;— Five trees common to Levels 3 and 4;— Eight trees exclusively for Level 4; — One tree for Level 5, incorporating seven principles.
4. APPLICATIONS
Users of the method presented in this publication are expected to review and compare provisions for defence in depth identified in the objective trees with the existing defence in depth capabilities of their plant. The objective trees provide the rationale for the bottom up method, starting with the screening of individual provisions. Users should evaluate for each provision the level of its implementation. If the implementation of provisions is satisfactory, then the relevant mechanism can be considered as having been prevented from occurring. Deviations should be discussed and either justified by compensatory features specific to the plant or reconsidered for further strengthening of the defence in depth of the plant.
A large number of provisions are identified in the objective trees presented on the basis of the IAEA Safety Standards [1, 4, 5], relevant INSAG reports [2, 3] and good engineering practices. The present guidance is not intended to be a stand-alone document. Reference to the supporting publications mentioned is necessary to obtain a full explanation of the provisions. The method described is flexible enough to encourage expansion in order to include specific provisions and mechanisms identified in national
18
standards or relating to specific plant types. During the review, the plant operator or the regulator needs to determine whether particular standards are mandatory. In general, it is the responsibility of every plant operator to select a proper set of provisions and to consider modified or additional provisions in order to avoid mechanisms that challenge the SFs.
The method described in the present report indicates, from a qualitative point of view, what kind of provisions can be implemented to avoid the occurrence of mechanisms. However, the method described neither gives preference to individual provisions nor specifies the way to implement or quantify the efficiency of a provision. Indeed, the adequacy of provisions has to be determined by the user. In particular, for the omission of a provision, a detailed justification is necessary.
The objective of the proposed screening approach is deterministic in nature and the approach can also be used for safety assessment of a plant without a PSA or with an incomplete PSA. A plant specific PSA, sufficiently broad in scope and with a sufficient level of detail, can be used to support the judgement on the adequacy of the defence in depth and of the logical structure of the defences. In addition, a good quality PSA facilitates a deep understanding of the interrelation between the various defences and supports prioritization of provisions according to their contribution to risk reduction.
The guidance given in this report helps in identifying dependences of principles that might affect defences at more than one level and principles that are linked to other principles. These dependences indicate for the reviewer where further attention is needed for the screening of the affected levels of defence.
It is to be noted that decisions on whether or not to implement the missing or incomplete provisions need to be made after full consideration of the safety implications and priorities. It is definitely the responsibility of the plant staff to set up a programme for implementation of corrective measures or of the nuclear regulator to require corrective measures. Introduction of new equipment and programmes to implement an additional provision for defence in depth can also introduce (apart from additional costs) additional complexity to the operation of a plant and additional potential failure modes. There is no consideration in this approach of the side effects of increased complexity and operational difficulties caused by the implementation of additional defence in depth measures. The approach is not developed to identify new weaknesses in defence in depth introduced by implementing new modifications or provisions. A PSA study is an appropriate tool for such an evaluation.
By way of example, some results of the first test application of the method are provided in Appendix III. The screening of the defence in depth capabilities for WWER 440/V213 units at the Bohunice nuclear power plant was
19
performed for selected safety principles, which contributed to the achievement of safety objectives for Levels 3 and 4 of defence. The objective of this test application was to demonstrate that the approach is helpful and easily applicable to existing plants in order to screen systematically their defence in depth capabilities, and to identify strengths and weaknesses. The test application was carried out in a self-assessment mode by the plant operators. The results have been considered as a starting point for an in depth evaluation to qualify appropriate measures within the current plant upgrading programme.
5. CONCLUSIONS
Defence in depth is expected to remain an essential strategy to ensure nuclear safety for both existing and new plants. The method presented offers a further perspective that serves plant safety by screening the defence in depth capabilities of plants in a systematic manner. It has been developed in reliance upon basic safety principles [1, 2] and internationally agreed IAEA safety requirements [4, 5], which lay down the most important measures (provisions) to be implemented for assuring a sound and balanced defence in depth.
The approach does not include any quantification of the extent of defence in depth at a plant nor a prioritization of the provisions of defence. It is intended only for screening, i.e. for determination of both the strengths and weaknesses for which provision should be considered.
The screening approach, which uses objective trees, offers a user friendly tool for determining the strengths and weaknesses of defence in depth at a specific plant. The top down approach has been used for the development of objective trees, i.e. from the objectives of each level of defence down to the challenges and mechanisms, and finally to the provisions. A demonstration of defence in depth in a comprehensive and systematic way may provide reassurance for the plant operators that their safety strategy is sound and well balanced among the levels of defence. From a regulatory point of view, identification of deficiencies of defence in depth might be a valuable complement to traditional regulatory approaches.
There are no strict criteria on what is considered a sufficient level of implementation of individual provisions. The level of detail and completeness of evaluation is at the discretion of the user of the screening approach.
While the approach is primarily intended to facilitate self-assessment of defence in depth by plant operators, it can also be used by regulators or by
20
independent reviewers. A commitment by the operator to self-assessment is an essential feature of a good safety culture. The approach has been developed to be as complete as possible, but it is sufficiently flexible to allow inclusion of other mechanisms and provisions that are related to specific plant types or that are identified in national standards. In this respect, the approach might be very beneficial for checking the completeness and balance of any measures implemented for major safety improvement or modernization activities or for plant reorganizations.
This approach is also considered as an appropriate tool for presenting progress in strengthening defence in depth. Repeated screenings after a certain period of time are needed for this purpose. In particular, plant operators are encouraged to repeat in full the approach after completion of a major safety improvement programme or a substantial reorganization in the plant.
Feedback is welcome from users to the developers of the method for improving it. In this connection, the appropriateness of the mechanisms and challenges set in the objective trees needs to be verified. Comments on the text in the boxes of the objective trees are also welcome in order to address more precisely the relevant safety aspects. Special attention needs to be given to the objective trees of those safety principles that are applicable to more than one level of defence and to the need to make further appropriate distinctions between provisions belonging to different levels of defence.
21
BLANK
Appendix I
FUNDAMENTAL SAFETY FUNCTIONS AND SAFETY FUNCTIONS
Safety functions are subdivisions of the FSFs including those necessary to prevent accident conditions or escalation of accident conditions and those necessary to mitigate the consequences of accident conditions. They can be accomplished, as appropriate, using systems, components or structures provided for normal operation, those provided to prevent AOOs from leading to accident conditions or those provided to mitigate the consequences of accident conditions, and also with prepared staff actions.
The following set of SFs have been taken directly from Ref. [4] as appropriate to develop the objective trees in Appendix II:
(1) To prevent unacceptable reactivity transients;(2) To maintain the reactor in a safe shutdown condition after all shutdown
actions;(3) To shut down the reactor as necessary to prevent AOOs from leading to
DBAs and to shut down the reactor to mitigate the consequences of DBAs;
(4) To maintain sufficient reactor coolant inventory for core cooling in and after accident conditions not involving the failure of the reactor coolant pressure boundary;
(5) To maintain sufficient reactor coolant inventory for core cooling in and after all postulated initiating events considered in the design basis;
(6) To remove heat from the core9 after a failure of the reactor coolant pressure boundary in order to limit fuel damage;
(7) To remove residual heat in appropriate operational states and in accident conditions with the reactor coolant pressure boundary intact;
(8) To transfer heat from other safety systems to the ultimate heat sink;(9) To ensure necessary services (such as electrical, pneumatic, and hydraulic
power supplies and lubrication) as a support function for a safety system10;(10) To maintain acceptable integrity of the cladding of the fuel in the reactor
core;
9 This SF applies to the first step of the heat removal system(s). The remaining step(s) are encompassed in SF (8).
10 This is a support function for other safety systems when they must perform their safety functions.
23
(11) To maintain the integrity of the reactor coolant pressure boundary;(12) To limit the release of radioactive material from the reactor containment
in accident conditions and conditions following an accident;(13) To limit the radiation exposure of the public and site personnel in and
following DBAs and selected severe accidents that release radioactive materials from sources outside the reactor containment;
(14) To limit the discharge or release of radioactive waste and airborne radioactive materials to below prescribed limits in all operational states;
(15) To maintain control of environmental conditions within the plant for the operation of safety systems and for habitability for personnel necessary to allow performance of operations important to safety;
(16) To maintain control of radioactive releases from irradiated fuel transported or stored outside the reactor coolant system, but within the site, in all operational states;
(17) To remove decay heat from irradiated fuel stored outside the reactor coolant system but within the site;
(18) To maintain sufficient subcriticality of fuel stored outside the reactor coolant system but within the site;
(19) To prevent the failure or limit the consequences of failure of a structure, system or component whose failure would cause the impairment of an SF.
In order to distinguish better provisions aimed at limiting releases of radioactive material from the reactor containment (SF (12)) and provisions aimed at preventing loss of containment integrity, the following SF was added to the original set of SFs as given in Ref. [4]:
(20) To maintain the integrity of the reactor containment in accident conditions and conditions following an accident.
The SFs are intended as a basis for determining whether a structure, system or component performs or contributes to one or more SFs. They are also intended to provide a basis for assigning an appropriate gradation of importance to safety structures, systems and components that contribute to the various SFs. This means that the SFs are mostly related to the structures, systems or components. In the present report, the SFs are used in a more general sense, not necessarily related only to plant equipment but also to human factors such as personnel actions. In particular, there is no plant equipment directly considered at Level 5 of the defence in depth. Therefore, one more special SF has been added to the list in the framework of this report:
24
(21) To limit the effects of releases of radioactive materials on the public and environment.
The set of SFs can be grouped with respect to the FSFs as follows:
(a) SFs related to FSF (1) “control of the reactivity”: SFs (1)–(3) and (18);(b) SFs related to FSF (2) “removal of heat from the fuel”: SFs (4)–(8) and (17);(c) SFs related to FSF (3) “confinement of radioactive materials and control
of operational discharges, as well as limitation of accidental releases”: SFs (10)–(14), (16), (20) and (21).
There are also three special SFs related to all FSFs: SFs (9), (15) and (19).Established SFs (with shorter versions of the text) and their grouping in
accordance with the text above are graphically depicted in Fig. 5.
Fundamentalsafety functions
FSF(1) Controllingthe reactivity
FSF(2) Coolingthe fuel
Safetyobjectives
FSF(3) Confining the radioactive material
SF(4) to maintain sufficient RCS inventory for
non-LOCA accidents
SF(10) to maintainacceptable claddingintegrity in the core
SF(11) to maintainRCS Integrity
SF(12) to limit rad-releasesfrom the containment
under accident conditions
SF(19) to prevent failureof a system with potential
impairment of an SF
SF(9) to ensure necessary services as support for safety systems
SF(1) to prevent unacceptable
reactivity transients
SF(2) to maintain reactor in a safe
shutdown condition
SF(3) to shut down reactor as necessary
SF(18) to maintain subcriticality
of fuel outside RCS
Safety functions
SF(15) to maintain control of environmental conditions
within the plant
SF(21) to limit effects of rad-releases on the public
and environment
SF(20) to maintain integrity of the containment
SF(16) to maintain control of rad-releases from the
fuel outside the RCS
SF(14) to limit rad-discharges during
operational states
SF(13) to limit rad-releases from sources outside the containment
SF(5) to maintain sufficient RCS inventory
for all design basis events
SF(6) to remove heat from the core
under LOCA conditions
SF(7) to remove heat from the core under
non-LOCA conditions
SF(8) to transfer heat from safety systems to ultimate heat sink
SF(17) to remove decay heat from fuel
outside the RCS
FIG. 5. Overview and grouping of SFs used in the present report (RCS, reactor coolant system; LOCA, loss of coolant accident).
25
Appendix II
OBJECTIVE TREES FOR ALL LEVELS OF DEFENCE IN DEPTH
The first five figures (Figs 6–10) in this Appendix are provided to remind the reader of the objectives to be achieved, including the barriers to be protected, through the performance of FSFs/SFs for each level of defence.
Level of defence:
Objectives:
Safety functions:
Level 1 of
defence
Prevention of abnormal operation and failures (limited fuel failures within prescribed limits
due to long term operational effects, no reactor coolant system damage)
All FSFs/ relevant SFs
might be affected
FIG. 6. Objectives to be achieved and barriers to be protected for Level 1 of defence in depth.
26
Level of defence:
Objectives:
Safety functions:
Level 2 of
defence
Control of abnormal operation and detection of failures
(continued integrity of barriers against release of radioactivity)
All FSFs/ relevant SFs
might be affected
FIG. 7. Objectives to be achieved and barriers to be protected for Level 2 of defence in depth.
Level of defence:
Objectives:
Safety functions:
Level 3of
defence
Control of accidents within the design basis(limited damage to fuel, no consequential
damage of RCS; radioactive materials retained within the containment)
All FSFs/ relevant SFs
might be affected
FIG. 8. Objectives to be achieved and barriers to be protected for Level 3 of defence in depth (RCS, reactor coolant system).
27
Level of defence:
Objectives:
Safety functions:
Level 4of
defence
Control of severe plant conditions, including prevention of accident progression and mitigation
of the consequences of severe accidents (preserving the integrity of the containment)
All FSFs/ relevant SFs
might be affected
FIG. 9. Objectives to be achieved and barriers to be protected for Level 4 of defence in depth.
Level of defence:
Objectives:
Safety functions:
Level 5 of
Defence
Mitigation of radiological consequences
of significant releases of radioactive materials
SF(21) might be affected: To limit the effects of releases
of radioactive materials on the public and environment
FIG. 10. Objectives to be achieved and barriers to be protected for Level 5 of defence in depth.
28
This Appendix goes on to provide a full set of objective trees (shown in Figs 11–78) for the purpose of practical screening of the defence in depth capabilities of plants. In each of the captions to the objective trees the levels of defence are indicated to which the provisions contribute to fulfilling the objectives. Next in the caption the corresponding safety principle(s) is given as a commonly shared safety concept(s), stating how the safety objectives at relevant levels of defence can be achieved. Each objective tree itself starts with an indication of the FSFs/SFs to be performed in order to achieve the objectives for the given safety principle(s); it is then followed by the challenges which might have an impact on the performance of SFs and the mechanisms leading to individual challenges, and finally a list of the provisions to be implemented to avoid occurrence of the mechanisms. In some objective trees, second order (more detailed) provisions are indicated by text without boxes (e.g. Fig. 15).
To keep the size of some of the objective trees within reasonable limits, their presentations for different SFs at the same level of defence are given on more than one page, e.g. SP (200) for Levels of defence 3 and 4, which are presented separately for SF (2) and SF (3) in Figs 33 and 34, respectively.
29
All
FSFs
aff
ecte
d:
cont
rolli
ng r
eact
ivity
, co
olin
g fu
el,
conf
inin
g ra
dio
activ
e m
ater
ial
Imp
lem
enta
tion
of
mea
sure
s d
eriv
ed
fro
m q
uant
ified
p
rob
abili
ties
and
sa
fety
ana
lysi
s
Site
sei
smol
ogy
unfa
vour
able
for
eart
hqua
kes,
sta
bilit
y of
pla
nt s
truc
ture
s, e
tc.
Site
hyd
rolo
gy
unfa
vour
able
for
ex
tern
al f
lood
ing
Site
hyd
rolo
gy
unfa
vour
able
for
rad
ioac
tivity
d
isse
min
atio
n
Ext
rem
e m
eteo
rolo
gica
l co
nditi
ons
(win
d,
high
/low
tem
p.,
etc.
)
Ana
lysi
s of
eff
ects
on
pla
nt s
afet
y
Inve
stig
atio
n of
lik
elih
ood
of
hum
an
ind
uced
eve
nts
sign
ifica
nt f
or
rad
iolo
gica
l ris
k
Nat
ural
fac
tors
at
site
aff
ectin
g th
e p
lant
Hum
an a
ctiv
ities
at
site
aff
ectin
g th
e p
lant
Che
mic
al
haza
rds
Airc
raft
im
pac
t
Rel
ease
of t
oxic
an
d fl
amm
able
ga
ses
Incl
usio
n of
ad
equa
te m
argi
n in
to s
truc
tura
l d
esig
n
Sel
ectio
n of
sub
set
of P
IEs
as
des
ign
bas
is
Lim
itatio
ns
on h
uman
act
iviti
es
in t
he p
lant
vic
inity
Eva
luat
ion
of
feas
ibili
ty o
f pos
sib
le
com
pen
satin
g sa
fety
feat
ures
Inve
stig
atio
n of
lik
elih
ood
of
natu
ral
even
ts s
igni
fican
t fo
r ra
dio
logi
cal r
isk
Eva
luat
ion
of
feas
ibili
ty o
f pos
sib
le
com
pen
satin
g sa
fety
feat
ures
Ana
lysi
s of
eff
ects
on
pla
nt s
afet
y
Imp
lem
enta
tion
of
mea
sure
s d
eriv
ed
from
qua
ntifi
ed
pro
bab
ilitie
s an
d
safe
ty a
naly
sis
Incl
usio
n of
ad
equa
te m
argi
n in
to s
truc
tura
l d
esig
n
Sel
ectio
n of
sub
set
of P
IEs
as
des
ign
bas
is
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
FIG
. 11.
Obj
ectiv
e tr
ee f
or L
evel
1 o
f de
fenc
e in
dep
th (
PIE
, pos
tula
ted
initi
atin
g ev
ent)
. Saf
ety
prin
cipl
e (1
36):
ext
erna
l fac
tors
aff
ectin
g th
e pl
ant.
30
Safety functions:
Challenges:
Mechanisms:
Provisions:
SF(16) affected: To maintain control of
radioactive releases from the fuel outside the RCS
Dissemination of radioactivity
by water supplies
Dissemination of radioactivity by food chain
Dissemination of radioactivity
by air
SF(14) affected: To limit radioactive discharges
during operational states
Unanticipated pathways for the
transport of radioactive materials
Analysis of radio- active effects of normal and ab-
normal operation
Investigation of physical and environmental characteristics
Investigation of population distribution around site
FIG. 12. Objective tree for Level 1 of defence in depth. Safety principle (138): radiological impact on the public and the local environment.
31
SF(16) affected: To maintain control of
radioactive releases from the fuel outside the RCS
SF(14) affected: To limit radioactive discharges
during operational states
Unanticipated pathways for the
transport of radioactive materials
Dissemination of radioactivity
by water supplies
Dissemination of radioactivity by food chain
Dissemination of radioactivity
by air
Limits on radioactive effluents
Environmental monitoring through samples of animals
and vegetables
Safety functions:
Challenges:
Mechanisms:
Provisions:
FIG. 13. Objective tree for Level 2 of defence in depth (RCS, reactor coolant system). Safety principle (138): radiological impact on the public and the local environment.
32
Safety functions:
Challenges:
Mechanisms:
Provisions:
SF(14) affected: To limit radioactive discharges
during operational states
SF(16) affected: To maintain control of
radioactive releases from the fuel outside the RCS
Non-anticipated pathways for the
transport of radioactive materials
Dissemination of radioactivity
by water supplies
Dissemination of radioactivity by food chain
Dissemination of radioactivity
by air
Set of radiological acceptance criteria for accidental radio-
active releases
Adequate radiation monitoring in DBAs
and BDBAs
Determination of radiological impacts in
plant vicinity
For DBAs For BDBAs
Stationary dose rate meters Information to MCR Determination of con- centration of selected radionuclides in gas and liquid samples Monitoring effluents prior to or during dis- charge to the environ- ment
FIG. 14. Objective tree for Levels 3 and 4 of defence in depth (MCR, main control room). Safety principle (138): radiological impact on the public and the local environment.
33
Sup
po
rt s
yste
ms
for
UH
S n
ot
pro
per
ly
des
igne
d
SF
(8) a
ffec
ted
: T
o t
rans
fer
heat
fro
m o
ther
sa
fety
sys
tem
s to
the
ul
timat
e he
at s
ink
SF
(6) a
ffec
ted
: T
o r
emo
ve
heat
fro
m t
he c
ore
aft
er
a fa
ilure
of
the
RC
PB
to
lim
it fu
el d
amag
e
SF
(7) a
ffec
ted
: T
o r
emo
ve
resi
dua
l hea
t in
op
erat
iona
l sta
tes
and
ac
cid
ents
with
RC
PB
inta
ct
Long
ter
m u
ltim
ate
heat
sin
k (U
HS
) no
t ad
equa
teC
halle
nges
:
Mec
hani
sms:
Pro
visi
ons
:
Saf
ety
func
tions
:
Rat
es w
ithin
lim
its
Pre
ssur
e lim
its
Inte
rco
nnec
tion
and
is
ola
tion
cap
abili
ties
Leak
det
ectio
n P
ow
er a
nd fl
uid
sup
ply
LOO
PR
edun
dan
cyD
iver
sity
Ind
epen
den
ceS
afet
y m
arg
ins
Des
ign
pre
caut
ions
for
exte
rnal
haz
ard
s
Ven
ting
A
dd
itio
nal w
ater
fo
r sp
ray
syst
em
Pro
ven
com
po
nent
s R
edun
dan
cy
Div
ersi
ty
Inte
rco
nnec
tion
Iso
latio
n P
hysi
cal
sep
arat
ion
Nat
ural
p
heno
men
a H
uman
ind
uced
ev
ents
D
iver
sity
of
UH
S
Div
ersi
ty o
f sup
ply
syst
ems
(po
wer
,flu
id)
Nat
ural
phe
nom
ena
Hum
an in
duc
ed
even
ts
Hea
t tr
ansp
ort
sy
stem
s (H
TS
) vu
lner
able
Bo
dy
of
wat
er (s
ea,
river
, la
ke,e
tc.)
lost
due
to
ext
er-
nal h
azar
ds
Atm
osp
heric
UH
S
not
des
igne
d
to w
ithst
and
ex
trem
e ev
ents
Hea
t tr
ansp
ort
sy
stem
s (H
TS
) no
t re
liab
le
Eva
po
ratio
n o
f w
ater
pro
cess
in
UH
S
imp
acte
d
Rai
sing
of
the
tem
per
atur
e p
roce
ss o
f UH
S
imp
acte
d Ext
end
ed c
apab
ilitie
s fo
r he
at t
rans
fer
in c
ase
of
seve
re a
ccid
ents
Pro
per
des
ign
of t
he
HT
S
HT
Ss
des
igne
d
acco
rdin
g t
o t
he
imp
ort
ance
of t
heir
cont
ribut
ion
to H
T
Ext
erna
l haz
ard
s p
rop
erly
ad
dre
ssed
in
UH
S d
esig
n
Ana
lysi
s o
f all
site
rel
evan
t ex
trem
e ev
ents
fo
r d
esig
n
FIG
. 15.
Obj
ectiv
e tr
ee f
or L
evel
s 1–
4 of
def
ence
in d
epth
(R
CS,
rea
ctor
coo
lant
sys
tem
; LO
OP,
loss
of
off-
site
pow
er; U
HS,
ulti
mat
e he
at s
ink)
. Saf
ety
prin
cipl
e (1
42):
ulti
mat
e he
at s
ink
prov
isio
ns.
34
All
FSFs
affe
cted
: co
ntro
lling
reac
tivity
, co
olin
g fu
el,
conf
inin
g ra
dioa
ctiv
e m
ater
ial
Deg
rade
d fu
nctio
nal c
apab
ility
of
item
s im
port
ant t
o sa
fety
du
e to
wea
knes
s in
trod
uced
du
ring
desi
gn m
anag
emen
t
Lack
of c
o-or
dina
tion
amon
g gr
oups
invo
lved
in th
e de
sign
Lack
of q
ualif
ied
desi
gn p
erso
nnel
Lack
of q
ualit
y as
sura
nce
(QA
) pr
ogra
mm
e fo
r des
ign
Lack
of c
onfig
urat
ion
cont
rol
Des
ign
is u
nder
aut
horit
y of
a h
ighl
y qu
alifi
ed
engi
neer
ing
man
ager
Ensu
re a
cle
ar s
et o
f int
erfa
ces
betw
een
grou
ps a
nd b
etw
een
desi
gner
s, s
uppl
iers
an
d co
nstr
ucto
rs
QA
is c
arrie
d ou
t for
all
desi
gn
activ
ities
impo
rtan
t to
safe
ty
Saf
ety
desi
gn b
asis
is
effe
ctiv
ely
reco
rded
at
the
star
t
Saf
ety
desi
gn b
asis
is k
ept
up to
dat
e w
hen
desi
gn c
hang
es o
ccur
Des
ign
allo
ws
for
subs
eque
nt p
lant
mod
ifica
tion
Str
uctu
res,
sys
tem
s an
d co
mpo
nent
s im
port
ant
to s
afet
y ha
ve t
he a
ppro
pria
te:
Esta
blis
h a
grou
p w
ith
resp
onsi
bilit
y fo
r en
surin
g th
at a
ll sa
fety
req
uire
men
ts
are
fulfi
lled
Att
itude
s an
d ac
tions
of
the
desi
gn m
anag
er
refle
ct s
afet
y cu
lture
S
afet
y an
d re
gula
tory
re
quire
men
ts in
des
ign
are
met
Ade
quat
e nu
mbe
r of
qua
lifie
d pe
rson
nel f
or
each
des
ign
activ
ity
Ade
qute
trai
ning
fo
r des
ign
pers
onne
l
Gro
up re
mai
ns fa
mili
ar
with
the
feat
ures
and
lim
itatio
ns
of c
ompo
nent
s in
clud
ed in
des
ign
Dire
ct a
cces
s of
the
grou
p to
the
desi
gn m
anag
er
Com
mun
icat
ion
of d
esig
ner w
ith fu
ture
op
erat
ing
staf
f
Req
uire
men
ts fr
om th
e fu
ture
ope
ratin
g st
aff a
re re
cogn
ized
in th
e de
sign
A
ppro
pria
te in
put f
rom
des
ign
to th
e op
erat
ing
proc
edur
es a
nd to
trai
ning
A
dequ
ate
safe
ty d
esig
n in
form
atio
n gi
ven
to e
nsur
e sa
fe o
pera
tion
and
mai
nten
ance
Gen
erat
ion
of r
adio
activ
e w
aste
(act
ivity
and
vol
ume)
is
min
imiz
ed a
t des
ign
stag
e by
app
ropr
iate
:
Des
ign
mea
sure
s O
pera
tiona
l pra
ctic
es
Dec
omm
issi
onin
g pr
actic
es
Cha
ract
eris
tics
Spe
cific
atio
ns
Mat
eria
l com
posi
tion
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons: F
IG. 1
6. O
bjec
tive
tree
for
Lev
els
1–4
of d
efen
ce in
dep
th. S
afet
y pr
inci
ple
(150
): d
esig
n m
anag
emen
t.
35
All
FSFs
affe
cted
: co
ntro
lling
reac
tivity
, co
olin
g fu
el,
conf
inin
g ra
dioa
ctiv
e m
ater
ial
Deg
rade
d fu
nctio
nal
capa
bilit
y of
item
s im
port
ant t
o sa
fety
Mec
hani
sms:
Pro
visi
ons:
Cha
lleng
es:
Saf
ety
func
tions
:
Non
-ant
icip
ated
beh
avio
ur
of th
e pl
ant u
nder
nor
mal
or
abn
orm
al c
ondi
tions
Und
etec
tabl
e fa
ilure
s of
ite
ms
impo
rtan
t to
safe
ty
Non
-ant
icip
ated
failu
re
mod
es o
f ite
ms
impo
rtan
t to
saf
ety
Non
-ant
icip
ated
lim
itatio
ns
on th
e pe
rfor
man
ce o
f the
en
gine
ered
saf
ety
feat
ures
Non
-ant
icip
ated
de
grad
atio
n of
the
barr
iers
Des
ign,
man
ufac
ture
and
co
nstr
uctio
n pe
rfor
med
in
com
plia
nce
with
ap
plic
able
sta
ndar
ds
Reg
ular
in
-ser
vice
insp
ectio
ns
Use
of s
ervi
ces
of
expe
rienc
ed a
nd
appr
oved
sup
plie
rs
Rea
listic
mod
ellin
g an
d da
ta
Alte
rnat
ive
use
of c
onse
rvat
ive
mod
els
Expe
rimen
tally
val
idat
ed
anal
ytic
al m
odel
s: c
ompa
rison
with
bo
th p
lant
test
ing
and
benc
hmar
k ca
lcul
atio
ns, p
eer
revi
ews
Per
form
ance
of
dete
rmin
istic
an
d pr
obab
ilist
ic
safe
ty a
naly
ses
Pre
fere
nce
give
n to
eq
uipm
ent w
ith p
redi
ctab
le
mod
es o
f fai
lure
Sel
ectio
n of
item
s co
nsis
tent
with
re
liabi
lity
goal
s
Exam
inat
ion
of r
elev
ant
oper
atio
nal e
xper
ienc
e to
sel
ect t
echn
olog
y
Pro
visi
on fo
r in
-ser
vice
per
form
ance
m
onito
ring
Pre
fere
nce
give
n to
eq
uipm
ent w
ith r
evea
led
mod
es o
f fai
lure
Use
of t
echn
olog
y pr
oven
in a
n eq
uiva
lent
pr
evio
us a
pplic
atio
n
New
tech
nolo
gies
app
lied
only
if b
ased
on
rese
arch
an
d ap
prop
riate
test
ing
and
scal
ing
up
Exam
inat
ion
of r
elev
ant
oper
atio
nal e
xper
ienc
e to
sel
ect t
echn
olog
y
FIG
. 17.
Obj
ectiv
e tr
ee f
or L
evel
s 1–
4 of
def
ence
in d
epth
. Saf
ety
prin
cipl
e (1
54):
pro
ven
tech
nolo
gy.
36
Mec
hani
sms:
Pro
visi
ons:
Cha
lleng
es:
Saf
ety
func
tions
:A
ll FS
Fs a
ffect
ed:
cont
rolli
ng r
eact
ivity
, co
olin
g fu
el,
conf
inin
g ra
diac
tive
mat
eria
l
Inad
equa
cy o
f des
ign
basi
s fo
r A
OO
s an
d D
BA
s
Spec
ifica
tion
of re
quire
d op
erat
iona
l con
ditio
ns
and
requ
irem
ents
for
plan
t pro
cess
con
trol
Pro
cess
con
trol
sy
stem
s de
sign
ed
to p
reve
nt
abno
rmal
ope
ratio
n
Ade
quat
e de
sign
m
argi
ns fo
r sta
ble
oper
atio
n
Cla
ssifi
catio
n of
PIE
s ac
cord
ing
to
prob
abili
ty
Cla
ssifi
catio
n of
SS
Cs
to d
efin
e co
des
(for
vario
us s
tage
s of
life
time)
for:
Acc
epta
nce
crite
ria
for e
ach
PIE
Con
serv
ativ
e an
alys
is
for
all P
IEs
Inad
equa
te p
lant
pe
rfor
man
ce
in B
DB
As
Inad
equa
cy o
f des
ign
basi
s fo
r no
rmal
op
erat
ion
Pla
nt c
ontr
ol
syst
ems
do n
ot
oper
ate
as in
tend
edIn
adeq
uate
se
lect
ion
of P
IEs
SS
Cs
do n
ot
func
tion
as in
tend
ed
Saf
ety
asse
ssm
ent
not
prop
erly
pe
rfor
med
Saf
ety
verif
icat
ion
not
prop
erly
pe
rfor
med
SS
Cs
not
pro
perly
de
sign
ed t
o co
pe
with
DB
As
BD
BA
s no
t pr
oper
ly a
ddre
ssed
in
des
ign
Iden
tific
atio
n of
sce
nario
s an
d ac
cept
ance
cr
iteria
for B
DB
As
Rea
listic
an
alys
is fo
r B
DB
As
Impl
emen
tatio
n of
ad
ditio
nal s
afet
y fe
atur
es to
m
itiga
te B
DB
As
Gua
rant
ee
inde
pend
ence
of
SS
Cs
from
oth
er
plan
t sy
stem
s
Req
uire
men
ts
on p
erio
dic
test
ing
to v
erify
SS
C
perf
orm
ance
Qua
lific
atio
n of
SS
C
for e
nviro
nmen
tal
cond
ition
s
Def
initi
on o
f bo
undi
ng P
IEs
to d
eter
min
e S
SC
ca
pabi
lity
with
mar
gin
Inde
pend
ent
verif
icat
ion
by
utili
ty
Rev
iew
by
re
gula
tor
Rev
iew
s by
ad
hoc
mis
sion
s,
e.g.
thos
e of
the
IAEA
Per
form
ance
of
PS
A
Des
ign
Con
stru
ctio
n,
man
ufac
ture
an
d in
stal
latio
n O
pera
tion
and
mai
nten
ance
Spe
cific
atio
n of
eve
nt
clas
sific
atio
n ap
proa
ch
List
of D
BA
s to
form
de
sign
bas
is
FIG
. 18.
Obj
ectiv
e tr
ee fo
r L
evel
s 1–
4 of
def
ence
in d
epth
(SS
Cs,
str
uctu
res,
sys
tem
s an
d co
mpo
nent
s; P
IE, p
ostu
late
d in
itiat
ing
even
t).
Safe
ty p
rinc
iple
(15
8): g
ener
al b
asis
for
des
ign.
37
Neu
tron
ic a
nd th
erm
ohyd
raul
ic
par
amet
ers
not m
aint
aine
d in
op
erat
ing
rang
es, l
ead
ing
to h
ighe
r d
eman
ds
on s
afet
y sy
stem
s
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
SFs
(1) –
(3) a
ffec
ted
Rel
iab
ility
of
safe
ty s
yste
ms
imp
aire
d b
y th
eir
freq
uent
act
uatio
n
Use
of
pro
per
op
erat
ing
pro
ced
ures
Saf
ety
limits
set
up
b
ased
on
cons
erva
tive
anal
ysis
Sys
tem
to
reso
lve
def
icie
ncie
s in
au
tom
atic
con
trol
ex
ped
itiou
sly
Avo
idan
ce o
f fr
eque
nt
actu
atio
n of
pla
nt s
afet
y sy
stem
s
Def
initi
on o
f op
erat
ing
rang
e of
pla
nt v
aria
ble
sM
inim
izat
ion
of
man
ual o
per
ator
act
ions
Inco
rrec
t op
erat
or a
ctio
n d
urin
g m
anua
l op
erat
ion
Trip
set
poi
nts
and
saf
ety
limits
set
up
inco
rrec
tlyA
utom
atic
con
trol
in
suff
icie
nt
FIG
. 19.
Obj
ectiv
e tr
ee f
or L
evel
1 o
f de
fenc
e in
dep
th. S
afet
y pr
inci
ple
(164
): p
lant
pro
cess
con
trol
sys
tem
s.
38
SFs
(1)–
(3) a
ffec
ted
Neu
tron
ic a
nd t
herm
ohyd
raul
ic
par
amet
ers
not
mai
ntai
ned
in
op
erat
ing
rang
es,
lead
ing
to h
ighe
r d
eman
ds
on s
afet
y sy
stem
s
Rel
iab
ility
of
safe
ty s
yste
ms
imp
aire
d b
y th
eir
freq
uent
act
uatio
n
Aut
omat
ic c
ontr
ol
insu
ffic
ient
Kee
pin
g au
tom
atic
con
trol
sy
stem
op
erat
iona
l
Pro
per
trip
se
t p
oint
s to
act
uate
au
tom
atic
act
ion
Pro
per
trip
se
t p
oint
s to
act
uate
au
tom
atic
act
ion
Inco
rrec
t op
erat
or a
ctio
n d
urin
g m
anua
l op
erat
ion
Trip
set
poi
nts
and
saf
ety
limits
set
up
inco
rrec
tly
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
FIG
. 20.
Obj
ectiv
e tr
ee f
or L
evel
2 o
f de
fenc
e in
dep
th. S
afet
y pr
inci
ple
(164
): p
lant
pro
cess
con
trol
sys
tem
s.
39
Deg
rade
d pe
rfor
man
ce o
f FS
F du
e to
in
adeq
uate
res
pons
e of
au
tom
atic
saf
ety
syst
ems
All
FSFs
affe
cted
: co
ntro
lling
reac
tivity
, co
olin
g fu
el,
conf
inin
g ra
dioa
ctiv
e m
ater
ial
Saf
ety
syst
ems
fail
due
to
failu
re o
f su
ppor
ting
syst
em
Deg
rade
d pe
rfor
man
ce
of s
afet
y sy
stem
s du
e to
ha
rsh
oper
atin
g en
viro
nmen
t
Inad
equa
te
perf
orm
ance
of
safe
ty s
yste
ms
Inte
rfer
ence
of
pro
cess
sy
stem
s
Hig
her
prio
rity
give
n to
sa
fety
fu
nctio
ns
Isol
atio
n of
pr
oces
s an
d sa
fety
sys
tem
s
Saf
ety
syst
ems
beca
me
unav
aila
ble
durin
g pr
evio
us
oper
atio
n
Saf
ety
syst
ems
fail
to r
eact
on
dem
and
Sys
tem
s de
sign
ac
cord
ing
to s
ingl
e fa
ilure
crit
erio
n
Env
ironm
enta
l qu
alifi
catio
n of
equ
ipm
ent
(see
als
o S
P (1
82))
Pre
fere
nce
to
fail-
safe
des
igne
d sy
stem
s
Pre
vent
ion
of c
omm
on-
caus
e fa
ilure
s in
saf
ety
syst
ems
(see
als
o S
P (1
77))
Impl
emen
tatio
n of
co
nser
vativ
e de
sign
fo
r pe
rfor
man
ce o
f sa
fety
sys
tem
s
Trai
ning
of o
pera
tors
to
rea
ct in
cas
e of
failu
res
in
safe
ty s
yste
ms
Con
side
ratio
n of
failu
res
of s
uppo
rt s
yste
ms
in e
mer
genc
y op
erat
ing
proc
edur
es
Rel
iabl
e in
stru
men
tatio
n an
d co
ntro
l
Rel
iabl
e su
ppor
ting
elec
tric
al s
yste
ms
Hig
hly
relia
ble/
redu
ndan
t in
itiat
ion
of
safe
ty s
yste
ms
Ade
quat
e re
spon
se ti
me
Con
side
ratio
n of
failu
res
of s
afet
y sy
stem
s in
em
erge
ncy
oper
atin
g pr
oced
ures
Trai
ning
of o
pera
tors
to
rea
ct in
cas
e of
failu
res
in
safe
ty s
yste
ms
Lim
iting
con
ditio
ns
for
oper
atio
n w
ith
unav
aila
ble
safe
ty s
yste
ms
Str
inge
nt
requ
irem
ents
to
prec
lude
byp
assi
ng
safe
ty s
yste
ms
Aut
omat
ic
self-
test
ing
of
safe
ty s
yste
ms
Indi
catio
n of
op
erat
ing
stat
us o
f sa
fety
sys
tem
s
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
FIG
. 21.
Obj
ectiv
e tr
ee f
or L
evel
3 o
f de
fenc
e in
dep
th. S
afet
y pr
inci
ple
(168
): a
utom
atic
saf
ety
syst
ems.
40
All
FSFs
aff
ecte
d:
cont
rolli
ng r
eact
ivity
, co
olin
g fu
el,
conf
inin
g ra
dio
activ
e m
ater
ial
Saf
ety
syst
ems
fail
whe
n re
qui
red
to
per
form
the
ir fu
nctio
n d
ue t
o lo
w r
elia
bili
ty
Saf
ety
syst
em r
elia
bili
ty
not
com
men
sura
te
with
the
imp
orta
nce
to s
afet
y
Vul
nera
bili
ty o
f sa
fety
sy
stem
s to
com
mon
ca
use
failu
res
Insu
ffic
ient
re
liab
ility
of
sup
por
ting
syst
ems
Ens
urin
g ea
sy a
nd
freq
uent
insp
ectio
ns
Ens
urin
g ac
cess
to
safe
ty e
qui
pm
ent
thro
ugho
ut p
lant
life
time
Ens
urin
g in
-ser
vice
in
spec
tion
to m
onito
r m
ater
ial d
egra
dat
ion
Per
iod
ic t
ests
to
con
firm
fun
ctio
nal
cap
abili
ty
Mon
itorin
g of
op
erat
iona
l sta
tus
of s
afet
y sy
stem
s
Aut
omat
ic
self-
test
ing
cap
abili
ties
See
pro
visi
ons
for
SP
(177
): D
epen
den
t fa
ilure
s
Set
up
rel
iab
ility
tar
gets
b
ased
on
a d
etai
led
p
rob
abili
ty a
naly
sis
for
safe
ty s
yste
ms
Rel
iab
ility
ana
lysi
s fo
r sa
fety
sys
tem
s an
d fu
nctio
ns
Sp
ecifi
catio
n of
con
diti
ons
for
cons
iste
nt t
estin
g w
ith
relia
bili
ty t
arge
ts
Inst
alla
tion
of s
yste
ms
pre
fera
bly
te
stab
le in
ser
vice
Inst
all a
dd
ition
al e
qui
pm
ent
as n
eces
sary
to
reac
h th
e re
liab
ility
tar
get
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons: FIG
. 22.
Obj
ectiv
e tr
ee f
or L
evel
3 o
f de
fenc
e in
dep
th. S
afet
y pr
inci
ple
(174
): r
elia
bilit
y ta
rget
s.
41
Inde
pend
ence
of
safe
ty s
yste
ms
from
oth
er p
lant
syst
ems
Fail-
safe
des
ign
of s
afet
y sy
stem
s to
the
exte
ntpo
ssib
le
Suf
ficie
ntre
dund
ancy
and
dive
rsity
in p
ower
sour
ces
Red
unda
ncy,
div
er-
sity
, ind
epen
denc
eof
aux
iliar
y se
rvic
esfo
r sa
fety
sys
tem
s
Inte
ract
ion
of s
imul
tane
ousl
yop
erat
ed s
afet
ysy
stem
s
CC
F du
e to
inte
rnal
even
ts (l
oss
of p
ower
,la
ck o
f fue
l for
DG
s,et
c.)
Inde
pend
ent,
re-
dund
ant s
yste
ms
linke
d w
ithdi
vers
ity
QA
pro
gram
me
impl
emen
ted
in a
llph
ases
of p
lant
lifet
ime
Inde
pend
ent
verif
icat
ion/
asse
ssm
ent o
fde
sign
Mar
gins
inco
rpo-
rate
d in
des
ign
toco
pe w
ith a
gein
gan
d w
ear-
out
Coo
rdin
atio
n of
diffe
rent
ope
ratio
nal
mai
nten
ance
,su
ppor
t gro
ups
CC
F du
e to
sys
tem
erro
rs in
des
ign,
con
-st
ruct
ion,
ope
ratio
n,m
aint
enan
ce, t
ests
Dem
onst
ratio
n of
safe
ty fo
r al
l ope
-ra
tiona
l sta
tes
and
DB
As
on a
ny u
nit
Saf
e sh
utdo
wn
and
cool
ing
of o
ne r
e-ac
tor
with
sev
ere
acci
dent
on
anot
her
CC
F du
e to
eve
nts
orig
inat
ed in
oth
erun
its o
n th
e sa
me
site
Ris
k an
alys
is o
fin
tern
al h
azar
dsan
d im
plem
enta
tion
of c
ount
erm
easu
res
Phy
sica
l sep
ara-
tion
by b
arrie
rs,
dist
ance
or
orie
ntat
ion
Red
unda
nt s
yste
ms
loca
ted
indi
ffere
ntco
mpa
rtm
ents
Cru
cial
equ
ipm
ent
qual
ified
for
envi
ronm
enta
lco
nditi
ons
Ext
erna
l eve
nts
con-
side
red
as in
itiat
ors
for
inte
rnal
haz
ards
(fire
s, fl
oods
, etc
.)
CC
F du
e to
inte
rnal
haza
rds
(floo
ding
,m
issi
les,
pip
e w
hip,
jet i
mpa
ct)
Fire
haz
ard
anal
ysis
perf
orm
ed to
spe
cify
barr
iers
, det
ectio
n,fig
htin
g sy
stem
s
Pre
fere
nce
give
n to
fa
il-sa
fe o
pera
tion
of s
yste
ms
Use
of n
on-
com
bust
ible
, fire
reta
rdan
t and
hea
tre
sist
ant m
ater
ials
Sep
arat
ion
of r
edun
-da
nt s
yste
ms
byfir
e re
sist
ant
wal
ls/d
oors
Pre
fera
ble
use
ofno
n-fla
mm
able
lubr
ican
ts
Con
trol
of
com
bust
ible
s an
dig
nitio
n so
urce
s
Suf
ficie
nt fi
refig
htin
g ca
pabi
lity
avai
labl
e
Aut
omat
ic in
itiat
ion
of fi
re fi
ghtin
gsy
stem
Insp
ectio
n, m
aint
e-na
nce,
test
ing
offir
e fig
htin
g s
yste
m
Fire
res
ista
nt s
ys-
tem
s fo
r sh
utdo
wn,
RH
R, m
onito
ring,
conf
. of r
adio
activ
ity
Avo
id im
pairm
ent
of s
afet
y sy
stem
sby
func
tion
of fi
refig
htin
g sy
stem
s
Ext
erna
lfir
e fig
htin
gse
rvic
esco
nsid
ered
Org
aniz
atio
n of
rele
vant
trai
ning
of p
lant
per
sonn
el
CC
F du
e to
fire
san
d in
tern
alex
plos
ions
Suf
ficie
nt m
argi
nsin
ant
i-se
ism
icde
sign
Saf
ety
equi
pmen
tqu
alifi
ed fo
rse
ism
ic e
vent
s by
test
s an
d an
alys
is
Eve
nts
poss
ibly
indu
ced
by e
arth
-qu
akes
, e.g
. flo
ods,
cons
ider
ed
Failu
re o
f non
-saf
ety
equi
pmen
t to
affe
ctpe
rfor
man
ce o
f sa-
fety
equ
ip. a
void
ed
CC
F du
e to
eart
hqua
kes
Ass
essm
ent
of r
isk
from
hum
an-i
nduc
ed h
azar
ds
Sub
set o
f hum
anin
duce
d ev
ents
incl
uded
inde
sign
CC
F du
e to
hum
anm
ade
haza
rds
(air-
craf
t cra
sh, g
ascl
ouds
, exp
losi
ons)
Mos
t ext
rem
e co
n-co
nditi
ons
cons
ide-
red
in s
peci
alde
sign
feat
ures
CC
F du
e to
ext
erna
lev
ents
(hig
h w
inds
,flo
ods,
ext
rem
em
eteo
rol.
cond
.)
Saf
ety
syst
ems
fail
whe
npe
rfor
min
g th
eir
func
tions
due
to c
omm
on-c
ause
failu
re v
ulne
rabi
litie
s
All
FSFs
affe
cted
: co
ntro
lling
rea
ctiv
ity,
cool
ing
fuel
, con
finin
g ra
dioa
ctiv
e m
ater
ial
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
Con
side
ratio
n of
se
ism
icity
in
site
sel
ectio
n
No
shar
ing
of
impo
rtan
t sys
tem
s be
twee
n un
its
Avoi
danc
e of
ove
r-
pres
suriz
atio
n of
one
sy
stem
from
ano
ther
in
terc
onne
cted
sys
tem
Tran
spor
t ro
utes
pro
hibi
ted
in
vici
nity
of t
he p
lant
FIG
. 23
. O
bjec
tive
tree
for
Lev
el 3
of
defe
nce
in d
epth
(C
CF,
com
mon
cau
se f
ailu
re;
DG
, di
esel
gen
erat
or;
RH
R,
resi
dual
hea
t re
mov
al).
Saf
ety
prin
cipl
e (1
77):
dep
ende
nt f
ailu
res.
42
All
FSFs
affe
cted
: co
ntro
lling
pow
er,
cool
ing
fuel
, con
finin
g ra
dioa
ctiv
e m
ater
ial
Saf
ety
com
pone
nts
and
syst
ems
not
qual
ified
to
func
tion
unde
r ac
cide
nt c
ondi
tions
Req
uire
d re
liabi
lity
not
mai
ntai
ned
thro
ugho
ut
plan
t lif
etim
e
Abi
lity
of p
lant
to
with
stan
d en
viro
nmen
tal c
ondi
tions
af
fect
ed b
y ag
eing C
omm
on c
ause
fa
ilure
effe
cts
of a
gein
g to
be
addr
esse
d in
des
ign
Spe
cific
atio
n of
env
ironm
enta
l con
ditio
ns
Spe
cific
atio
n of
pro
cess
con
ditio
ns
Spe
cific
atio
n of
dut
y cy
cles
S
peci
ficat
ion
of m
aint
enan
ce s
ched
ules
S
peci
ficat
ion
of s
ervi
ce li
fetim
e S
peci
ficat
ion
of t
ype
test
ing
sche
dule
s S
peci
ficat
ion
of r
epla
cem
ent
part
s S
peci
ficat
ion
of r
epla
cem
ent
inte
rval
s E
tc.
Ana
lysi
s an
d te
stin
g w
here
pr
otot
ype
test
ing
not p
ract
ical
Ear
thqu
akes
E
xtre
me
wea
ther
con
ditio
ns
Tem
pera
ture
s P
ress
ure
Rad
iatio
n V
ibra
tion
Hum
idity
Je
t im
ping
emen
t E
tc.
Con
side
ratio
n of
age
ing
on
plan
t's c
apac
ity to
with
- st
and
envi
ronm
enta
l effe
cts
of a
ccid
ents
in d
esig
n
Test
ing
of
prot
otyp
e eq
uipm
ent
Con
side
ratio
n of
ex
tern
al e
vent
co
nditi
ons
in d
esig
n
Con
side
ratio
n of
S
A c
ondi
tions
in
des
ign
of
futu
re p
lant
s
Spe
cific
atio
n of
en
viro
nmen
tal
cond
ition
s fo
r D
BA
s
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
Equ
ipm
ent
qual
ifica
tion
not
verif
ied
by te
stin
g
Acc
iden
t con
ditio
ns
not p
rope
rly
addr
esse
d in
des
ign
FIG
. 24.
Obj
ectiv
e tr
ee f
or L
evel
3 o
f de
fenc
e in
dep
th (
SA, s
ever
e ac
cide
nt).
Saf
ety
prin
cipl
e (1
82):
equ
ipm
ent q
ualif
icat
ion.
43
Bar
riers
des
igne
d fo
r ap
pro
pria
tein
spec
tions
Bar
riers
con
stru
cted
for
app
rop
riate
insp
ectio
ns
Sp
ecia
l met
hod
s fo
rIS
I of R
CS
bou
ndar
yan
d o
ther
bar
riers
Rep
air
ofd
efec
ts in
bar
riers
Des
ign
for
rad
iolo
gica
lp
rote
ctio
n of
ISI
wor
kers
Insp
ectio
ns li
mite
dd
ue t
o d
iffic
ultie
sin
the
acc
ess
tosa
fety
eq
uip
men
t
Saf
ety
rela
ted
equi
pm
ent
des
igne
dfo
r in
spec
tions
Saf
ety
rela
ted
equi
pm
ent
cons
truc
ted
for
insp
ectio
ns
Pro
visi
ons
at t
he d
esig
nst
age
for
insp
ectio
nac
cess
Freq
uenc
y of
insp
ectio
nsac
cord
ing
to m
ater
ial
deg
rad
atio
nP
rovi
sion
s at
the
des
ign
stag
e fo
r ea
sy a
ndfr
eque
nt in
spec
tions
Des
ign
for
rad
iolo
gica
lp
rote
ctio
n of
ISI w
orke
rsIS
I for
saf
ety
syst
ems
incl
.ca
ble
s, ju
nctio
ns,
pen
etra
tions
and
deg
rad
ing
mat
eria
ls
Saf
ety
anal
ysis
to e
stab
lish
adeq
uate
saf
ety
mar
gin
Saf
ety
rela
ted
item
s d
esig
ned
with
ad
equa
tesa
fety
mar
gins
Insu
ffic
ient
saf
ety
mar
gins
in d
esig
n to
cop
e w
ithes
tab
lishe
d in
spec
tion
inte
rval
Und
etec
ted
degr
adat
ion
of
func
tiona
l cap
abili
ty o
f saf
ety
rela
ted
equi
pmen
t due
to
lack
of i
nspe
ctio
ns
All
FSFs
aff
ecte
d:
cont
rolli
ng r
eact
ivity
, co
olin
g fu
el, c
onfin
ing
rad
ioac
tive
mat
eria
l
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
FIG
. 25
. O
bjec
tive
tree
for
Lev
els
1–4
of d
efen
ce i
n de
pth
(ISI
, in
-ser
vice
ins
pect
ion;
RC
S, r
eact
or c
oola
nt s
yste
m).
Saf
ety
prin
cipl
e (1
86):
eas
e of
acc
ess
of s
afet
y eq
uipm
ent f
or in
spec
tion.
44
Are
a m
onito
ring
syst
em
Und
etec
ted
leak
s of
radi
oact
ive
was
te a
nd a
irbor
nera
dioa
ctiv
e m
ater
ials
Con
serv
ativ
e pr
oces
sm
onito
ring
syst
em
Env
ironm
enta
lm
onito
ring
prog
ram
me
Inco
rrec
t mea
sure
men
tof
effl
uent
act
ivity
Dis
char
ges
abov
e th
epr
escr
ibed
lim
its
SF(
14) a
ffect
ed:
to li
mit
radi
oact
ive
disc
harg
esdu
ring
oper
atio
nal
stat
es
Sui
tabl
e co
ntai
ners
for
radi
oact
ive
mat
eria
ls
Ven
tilat
ion
syst
ems
with
adeq
uate
filtr
atio
n
Faci
litie
s fo
r pe
rson
nel
and
area
mon
itorin
g
Faci
litie
s fo
r pe
rson
nel
deco
ntam
inat
ion
Sur
face
fini
shin
g to
faci
litat
e de
cont
amin
atio
n
Con
tam
inat
ion
of w
orke
rs b
y ra
dioa
ctiv
e m
ater
ial
Ade
quat
e sh
ield
ing
ofpl
ant c
ompo
nent
sR
adia
tion
prot
ectio
nre
quire
men
ts o
n pl
ant l
ayou
t
App
ropr
iate
loca
tion
of p
lant
com
pone
nts
Use
of m
ater
ials
with
lim
ited
activ
atio
n by
neu
tron
s
Avo
idan
ce o
f des
ign
feat
ures
whi
ch r
etai
n ac
tivat
ed m
ater
ials
Cho
ice
of m
ater
ial w
ithlo
w r
esid
ual a
ctiv
ity
Mon
itorin
g an
d co
ntro
l of
wor
king
env
ironm
ent
Min
imiz
atio
n of
hum
an a
ctiv
ities
in r
adia
tion
field
s
Con
trol
of a
cces
sto
rad
ioac
tive
area
sP
lann
ed a
nd a
utho
rized
mai
nten
ance
and
eng
inee
ring
mod
ifica
tion
activ
ities
Con
serv
ativ
e de
sign
of
radi
oact
ive
was
te s
yste
ms
Dire
ct e
xpos
ure
ofw
orke
rs to
rad
iatio
n
Rad
iatio
n ex
posu
re o
f ope
ratin
g an
dm
aint
enan
ce s
taff
abov
epr
escr
ibed
lim
its
SF(
15) a
ffect
ed:
to m
aint
ain
cont
rol
of e
nviro
nmen
tal c
ondi
tions
with
in th
e pl
ant
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
FIG
. 26.
Obj
ectiv
e tr
ee f
or L
evel
1 o
f de
fenc
e in
dep
th. S
afet
y pr
inci
ple
(188
): r
adia
tion
prot
ectio
n in
des
ign
(see
als
o SP
(29
2)).
45
Con
serv
ativ
em
echa
nica
ld
esig
n of
rod
hou
sing
Qua
lifie
dm
ater
ial a
ndfa
bric
atio
n of
rod
hou
sing
Con
trol
rod
ejec
tion
Des
ign
mar
gins
min
imiz
ing
auto
mat
icco
ntro
l
Op
erat
iona
lst
rate
gyw
ith m
ost
rod
s w
ithd
raw
n
Con
trol
rod
with
dra
wal
Sta
rtup
test
s of
rod
alig
nmen
t
Rel
iab
le a
ndfa
il-sa
fed
esig
n of
rod
con
trol
Con
trol
rod
mal
func
tion
(dro
p, a
lignm
ent)
Ad
equa
teop
erat
ing
pro
ced
ures
Lock
ing
of a
ctua
tors
for
loop
conn
ectio
n
Err
oneo
usst
artu
pof
loop
Ana
lysi
s of
pot
entia
l for
occu
rren
ce a
ndco
nseq
uenc
es
Ad
equa
teco
olan
tch
emis
try
Rel
ease
of
abso
rber
dep
osits
Insp
ectio
nof
fuel
asse
mb
lylo
catio
ns
Ad
equa
teop
erat
ing
pro
ced
ures
Inco
rrec
tre
fuel
ling
oper
atio
ns
Ad
equa
teop
erat
ing
pro
ced
ures
Aut
omat
icin
terlo
cks
top
reve
nt d
ilutio
n
Inad
vert
ent
bor
ond
ilutio
n
Inse
rtio
n of
rea
ctiv
ity w
ithp
oten
tial f
or fu
el d
amag
e
SF(
1) a
ffec
ted
:to
pre
vent
unac
cep
tab
le r
eact
ivity
tran
sien
ts
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
FIG
. 27.
Obj
ectiv
e tr
ee f
or L
evel
1 o
f def
ence
in d
epth
. Saf
ety
prin
cipl
e (1
92):
pro
tect
ion
agai
nst p
ower
tran
sien
t acc
iden
ts.
46
Mon
itorin
gof
rod
posi
tion
Lim
ited
spee
d of
rod
with
draw
al
Lim
ited
wor
thof
con
trol
rod
grou
ps
Con
trol
rod
with
draw
al
In-c
ore
inst
rum
enta
tion
Mon
itorin
gof
rod
posi
tion
Con
trol
rod
mal
func
tion
(dro
p, a
lignm
ent)
Lim
itatio
ns o
nin
activ
e lo
oppa
ram
eter
s
Lim
itatio
ns o
nsp
eed
for
a lo
opco
nnec
tion
Err
oneo
usst
artu
pof
loop
Ade
quat
eco
olan
tch
emis
try
In-c
ore
inst
rum
enta
tion
Rel
ease
of
abso
rber
depo
sits
In-c
ore
inst
rum
enta
tion
Suf
ficie
ntsh
utdo
wn
mar
gin
Neg
ativ
ere
activ
ityco
effic
ient
feed
back
Inco
rrec
tre
fuel
ling
oper
atio
ns
Ade
quat
eop
erat
ing
proc
edur
es
Mon
itorin
gsy
stem
for
mak
e-up
wat
er
Long
tim
e al
low
ed fo
r op
erat
or
resp
onse
Inad
vert
ent
boro
ndi
lutio
n
Inse
rtio
n of
rea
ctiv
ity w
ithpo
tent
ial f
or fu
el d
amag
e
SF(
1) a
ffect
ed:
to p
reve
ntun
acce
ptab
le r
eact
ivity
tran
sien
ts
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
FIG
. 28.
Obj
ectiv
e tr
ee f
or L
evel
2 o
f de
fenc
e in
dep
th. S
afet
y pr
inci
ple
(192
): p
rote
ctio
n ag
ains
t pow
er tr
ansi
ent a
ccid
ents
.
47
Neg
ativ
ere
activ
ityco
effic
ient
feed
bac
k
Lim
ited
wor
th o
fa
sing
le r
od
Rel
iab
le a
ndfa
st s
afet
ysh
utd
own
syst
em
Con
trol
rod
ejec
tion
Neg
ativ
ere
activ
ityco
effic
ient
feed
bac
k
Con
serv
ativ
ese
t p
oint
s of
reac
tor
pro
tect
ion
syst
em
Rel
iab
le a
ndfa
st s
afet
ysh
utd
own
syst
em
Con
trol
rod
with
dra
wal
Con
serv
ativ
ese
t p
oint
s of
reac
tor
pro
tect
ion
syst
em
Rel
iab
le a
ndfa
st s
afet
ysh
utd
own
syst
em
Con
trol
rod
mal
func
tion
(dro
p, a
lignm
ent)
Rel
iab
le a
ndfa
st s
afet
ysh
utd
own
syst
em
Err
oneo
usst
artu
pof
loop
Inse
rtio
n of
rea
ctiv
ity w
ithp
oten
tial f
or fu
el d
amag
e
SF(
1) a
ffect
ed:
to p
reve
ntun
acce
pta
ble
rea
ctiv
itytr
ansi
ents
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
FIG
. 29.
Obj
ectiv
e tr
ee f
or L
evel
3 o
f de
fenc
e in
dep
th. S
afet
y pr
inci
ple
(192
): p
rote
ctio
n ag
ains
t pow
er tr
ansi
ent a
ccid
ents
.
48
Del
ayed
or
inco
mpl
ete
cont
rol r
od in
sert
ion
due
to c
ore
dist
ortio
nby
mec
hani
cal e
ffect
s
Pre
vent
ion
of e
ffect
ive
core
coo
ling
due
to c
ore
dist
ortio
nby
mec
hani
cal e
ffect
s
Fuel
cla
ddin
g fa
ilure
du
e to
mec
hani
cal
dam
age
Exce
ssiv
e ax
ial f
orce
sin
duce
d by
inte
rnal
load
s(s
prin
gs)
Dyn
amic
forc
es in
duce
dby
ear
thqu
akes
Ana
lytic
al a
ndex
perim
enta
l ver
ifica
tion
of c
ore
stab
ility
dur
ing
eart
hqua
kes
Cor
e de
sign
ed to
w
ithst
and
stat
ic a
nd
dyna
mic
load
s in
clud
ing
seis
mic
effe
cts
QA
of
fuel
des
ign
and
rea
cto
rve
ssel
inte
rnal
s
Fuel
des
ign
mar
gins
toen
sure
acc
epta
ble
desi
gn li
mits
incl
udin
gfu
el re
load
Prev
entio
n of
fuel
rod
dis
torti
on o
r dis
plac
emen
t u
nder
ste
ep ra
dial
gra
dien
tof
hea
t pro
duct
ion
Ana
lysi
s o
fp
ote
ntia
l saf
ety
imp
act
of
rest
rain
ts
QA
mea
sure
sin
des
ign
and
man
ufac
ture
of
fuel
Lim
itatio
n o
fra
dia
tion
ind
uced
dim
ensi
ona
lch
ang
es
App
rova
l of f
uel d
esig
nan
d m
anuf
actu
reby
reg
ulat
or
Ther
mal
, mec
hani
cal a
ndra
diat
ion
effe
cts
incl
udin
gfre
tting
and
wea
r dur
ing
oper
atio
nal r
egim
es
Des
ign
top
reve
ntfu
el r
od
vib
ratio
ns
Inst
alla
tion
of
mec
hani
cal
rest
rain
ts
Ana
lysi
s o
f p
ote
ntia
lsa
fety
imp
act
of
rest
rain
ts
Fue
l ro
d v
ibra
tions
ind
uced
by
ther
mo
hyd
raul
icef
fect
s
QA
mea
sure
sin
des
ign
and
man
ufac
ture
of
fuel
and
RC
S
Ver
ifica
tion
of
fuel
inte
grit
y d
urin
gre
load
ing
Lim
iting
co
nditi
on
se
t up
fo
r o
per
atio
n w
ith d
amag
ed f
uel
Mo
nito
ring
of
loo
sep
arts
Fue
l dam
aged
by
loo
se p
arts
Ad
equa
te d
esig
nm
arg
in f
or
the
fuel
to
with
stan
dne
utro
n irr
adia
tion
Co
nser
vativ
e lim
itfo
r m
axim
umfu
el b
urnu
p
Expe
rimen
tal v
erifi
catio
nof
fuel
des
ign
for i
nten
ded
perfo
rman
ce
Exc
essi
ve a
xial
fo
rces
ind
uced
by
mat
eria
lg
row
th
SFs
(1),
(3),
(6),
(7),
(10)
affe
cted
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
Rea
ctiv
ity in
sert
ion
due
to
co
re d
isto
rtio
n b
y m
echa
nica
l eff
ects
FIG
. 30.
O
bjec
tive
tree
for
Lev
el 1
of
defe
nce
in d
epth
(Q
A, q
ualit
y as
sura
nce;
RC
S, r
eact
or c
ore
cool
ant)
. Saf
ety
prin
cipl
e (1
95):
re
acto
r co
re in
tegr
ity.
49
Rea
ctiv
ity in
sert
ion
due
to
core
dis
tort
ion
by
mec
hani
cal e
ffec
ts
Del
ayed
or
inco
mp
lete
cont
rol r
od in
sert
ion
due
to
core
dis
tort
ion
by
mec
hani
cal e
ffec
ts
Pre
vent
ion
of e
ffec
tive
core
coo
ling
due
to
core
dis
tort
ion
by
mec
hani
cal e
ffec
ts
Fuel
cla
dd
ing
failu
red
ue t
o m
echa
nica
l dam
age
In-c
ore
mon
itorin
g of
neut
ron
flux
shap
ing
and
rad
ioac
tivity
in R
CS
inop
erat
iona
l reg
imes
Ther
mal
, mec
hani
cal a
ndra
dia
tion
effe
cts,
incl
.fr
ettin
g an
d w
ear
dur
ing
oper
atio
nal r
egim
es
Fuel
rod
vib
ratio
nm
onito
ring
thro
ugh
nois
e an
alys
is
Fuel
rod
vib
ratio
nsin
duc
ed b
yth
erm
ohyd
raul
icef
fect
s
Mon
itorin
g of
ra
dio
activ
ity le
vel i
n R
CS
dur
ing
oper
atio
nal r
egim
es
Fue
l dam
aged
by
loos
e p
arts
Ad
equa
te d
esig
nm
argi
n fo
rth
e fu
el t
o w
ithst
and
neut
ron
irrad
iatio
n
Con
serv
ativ
e lim
itfo
r m
axim
umfu
el b
urnu
p
Exp
erim
enta
l ver
ifica
tion
of fu
el d
esig
nfo
r in
tend
edp
erfo
rman
ce
Exc
essi
ve a
xial
forc
esin
duc
ed b
y m
ater
ial
grow
th
SFs
(1),
(3),
(6),
(7),
(10)
affe
cted
Saf
ety
func
tions
Cha
lleng
es
Mec
hani
sms
Pro
visi
ons
FIG
. 31.
Obj
ectiv
e tr
ee f
or L
evel
2 o
f de
fenc
e in
dep
th (
RC
S, r
eact
or c
oola
nt s
yste
m).
Saf
ety
prin
cipl
e (1
95):
rea
ctor
cor
e in
tegr
ity.
50
Rea
ctiv
ity in
sert
ion
due
to
core
dis
tort
ion
by
mec
hani
cal e
ffec
ts
Del
ayed
or
inco
mp
lete
cont
rol r
od in
sert
ion
due
to
core
dis
tort
ion
by
mec
hani
cal e
ffec
ts
Pre
vent
ion
of e
ffec
tive
core
coo
ling
due
to
core
dis
tort
ion
by
mec
hani
cal e
ffec
ts
Fuel
cla
dd
ing
failu
re
due
to
mec
hani
cal d
amag
e
Anal
ysis
/exp
erim
ents
to v
erify
cor
est
abili
ty u
nder
DB
A dy
nam
ic fo
rces
Spec
ial Q
Am
easu
res
in d
esig
nan
d m
anuf
actu
reof
fuel
Res
train
ts to
avo
idab
rupt
cha
nges
in c
ore
geom
etry
Anal
ysis
of p
oten
tial
safe
ty im
pact
of re
stra
ints
Des
ign
of c
ore
inte
rnal
s w
ithsu
ffici
ent s
afet
ym
argi
ns
Mec
hani
cal l
oad
s in
duc
ed b
y D
BA
s
SFs
(1),
(3),
(6),
(7),
(10)
affe
cted
Saf
ety
func
tions
Cha
lleng
es
Mec
hani
sms
Pro
visi
ons
FIG
. 32.
Obj
ectiv
e tr
ee f
or L
evel
3 o
f de
fenc
e in
dep
th (
QA
, qua
lity
assu
ranc
e). S
afet
y pr
inci
ple
(195
): r
eact
or c
ore
inte
grity
.
51
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
Con
sequ
ence
anal
ysis
of e
vent
s
Dev
elop
men
t and
impl
emen
tatio
n of
oper
atin
g pr
oced
ures
to p
reve
nt e
vent
s
Inst
alla
tion
ofm
onito
ring
for
abso
rber
posi
tion
Impl
emen
tatio
n of
spee
d lim
itatio
nof
abs
orbe
rm
ovem
ent
Red
unda
ncy
and
dive
rsity
of
shut
dow
n sy
stem
Inad
vert
ent
abso
rber
mov
emen
t(m
aint
enan
ce)
Con
sequ
ence
anal
ysis
of e
vent
s
Dev
elop
men
t and
impl
emen
tatio
n of
oper
atin
g pr
oced
ures
to p
reve
nt e
vent
s
Pre
vent
ion
offo
rmat
ion
of c
lean
wat
er p
lugs
Slo
w a
nd r
apid
dilu
tion
of b
oron
cont
ent
At l
east
two
inde
pend
ent
mea
ns fo
r sh
uttin
g d
own
the
reac
tor
Con
sequ
ence
anal
ysis
ofev
ents
Dev
elop
men
t and
impl
emen
tatio
n of
oper
atin
g pr
oced
ures
to p
reve
nt e
vent
s
Ade
quat
esh
utdo
wn
mar
gin
Rap
id c
ool-
dow
n du
e to
depr
essu
rizat
ion
of s
econ
dary
circ
uit
Dev
elop
men
t and
impl
emen
tatio
n of
oper
atin
g pr
oced
ures
to p
reve
nt e
vent
s
Est
ablis
hmen
t of
oper
atin
g lim
its a
ndco
nditi
ons
with
suffi
cien
t mar
gin
Inad
equa
teR
CS
coo
ling
byop
erat
or
Inad
vert
ent r
eact
ivity
inse
rtio
n in
toth
e co
re d
urin
g a
nd a
fter
shu
tdow
n
SF(
2) a
ffect
ed:
to m
aint
ain
reac
tor
in s
afe
shut
dow
n co
nditi
ons
See
SF(
3)
SF(
3) a
ffect
ed:
to s
hut d
own
reac
tor
asne
cess
ary
...
Sin
gle
failu
re in
the
mea
ns o
f sh
utdo
wn
FIG
. 33
. O
bjec
tive
tree
for
Lev
els
3 an
d 4
of d
efen
ce i
n de
pth
(RC
S, r
eact
or c
ore
cool
ant)
. Sa
fety
pri
ncip
le (
200)
: au
tom
atic
sh
utdo
wn
syst
ems,
see
als
o SF
(2)
.
52
Saf
ety
func
tions
:
Cha
lleng
es:
Pro
visi
ons:
Mec
hani
sms:
See
SF(
2)
SF(
2) a
ffect
ed:
to m
aint
ain
reac
tor
in s
afe
shut
dow
nco
nditi
ons
For
deta
ilsse
e e.
g. r
epor
tsW
WE
R-S
C-
121
and
214
Del
ayed
or
inco
mpl
ete
cont
rol r
odin
sert
ion
Con
sequ
ence
anal
ysis
of e
vent
s
Mak
ing
ATW
Ssu
ffici
ently
un-
likel
y or
avo
idin
gse
vere
acc
iden
tsP
reve
ntio
nof
ATW
S o
rlim
itatio
n of
thei
r ef
fect
s,fo
r de
tails
see
IAE
A-E
BP
-W
WE
R-1
2 [6
]
Des
igni
ng p
lant
ssu
ch th
at A
TWS
sdo
not
con
trib
ute
sign
ifica
ntly
to r
isk
Failu
re o
fan
aut
omat
icsh
utdo
wn
syst
em
Min
imiz
e us
e of
com
-m
on s
enso
rs a
ndde
vice
s ba
sed
on r
elia
bilit
y an
alys
is
Sep
arat
ion
of e
lec-
tric
al b
usse
s an
d lo
gica
l circ
uits
toav
oid
inte
rfer
ence
s
Shu
tdow
n ca
pabi
lity
is m
aint
aine
dby
usi
ng th
e m
eans
for
cont
rol p
urpo
ses
Insu
ffici
ent
inde
pend
ence
of s
hutd
own
from
con
trol
sys
tem
Effe
ctiv
enes
s,sp
eed
of a
ctio
n an
dsh
utdo
wn
mar
gin
com
ply
with
lim
its
Shu
tdow
nm
eans
do
not
com
ply
with
spec
ified
lim
its
One
of t
he tw
o sh
utdo
wn
syst
ems
shal
l be
capa
ble
with
mar
gin
and
SFC
Tran
sien
t rec
ritic
ality
is o
nly
perm
itted
with
out v
iola
ting
fuel
and
com
pone
nt li
mits
Rea
ctor
can
not b
ere
nder
ed s
ubcr
itica
lfr
om o
pera
tiona
lst
ates
and
DB
As
Test
s sh
all b
epe
rfor
med
toid
entif
yfa
ilure
s
Bur
nup
Cha
nges
inph
ysic
al p
rope
rtie
sP
rodu
ctio
n of
gas
Wea
r-ou
t and
irrad
iatio
n ef
fect
s of
shut
dow
n sy
stem
s sh
ould
be a
ddre
ssed
in d
esig
n
Inst
rum
enta
tion
and
reac
tivity
con
trol
devi
ces
vuln
erab
leto
long
term
ope
ratio
n
Inad
equa
tem
eans
tosh
ut d
own
the
reac
tor
SF(
3) a
ffect
ed:
to s
hut d
own
reac
tor
asne
cess
ary
...
FIG
. 34
. O
bjec
tive
tree
for
Lev
els
3 an
d 4
of d
efen
ce i
n de
pth
(AT
WS,
adv
ance
d tr
ansi
ent
with
out
scra
m;
SFC
, si
ngle
fai
lure
cr
iteri
on).
Saf
ety
prin
cipl
e (2
00):
aut
omat
ic s
hutd
own
syst
ems,
see
als
o SF
(3)
.
53
Con
serv
ativ
e
seis
mic
stru
ctur
al
desi
gn
Use
of a
dequ
ate
stru
ctur
al
mat
eria
ls
Ope
ratio
nal
proc
edur
es to
avoi
d in
adve
rtent
RC
S dr
aini
ng
In-s
ervi
ce
insp
ectio
n
of p
ress
ure
boun
dary
Loss
of
prim
ary
cool
ant
inve
ntor
y
Con
serv
ativ
e
desi
gn
of s
econ
dary
syst
em
Qua
lific
atio
n of
oper
ator
s fo
r
mai
ntai
ning
nor
mal
heat
rem
oval
Impl
emen
tatio
n
of a
dequ
ate
oper
atin
g
proc
edur
es
Degr
aded
heat
rem
oval
capa
bilit
y
in s
econ
dary
sys
tem
Con
serv
ativ
e
ther
mal
nucl
ear
desi
gn
Rel
iabl
e
rod
cont
rol
syst
em
Qua
lifie
d
oper
ator
s
Ade
quat
e
oper
atin
g
proc
edur
es
Und
esire
d
incr
ease
in c
ore
pow
er
gene
ratio
n
Deg
rade
d
capa
bilit
y
of c
ore
heat
rem
oval
Ade
quat
e
stru
ctur
al
desi
gn
Ade
quat
e
mat
eria
l
for r
eact
or
cool
ant s
yste
m
Ade
quat
e
wat
er
chem
istr
y
cont
rol
Rel
iabl
e
man
ufac
ture
of R
CS
com
pone
nts
Coo
lant
flow
bloc
kage
s
in c
ore
chan
nels
Con
serv
ativ
e
nucl
ear
desi
gn
Ade
quat
e
oper
atin
g
proc
edur
es
Qua
lifie
d
oper
ator
s
Abn
orm
al p
eaki
ng
fact
or d
ue to
unex
pect
ed fl
ux
dist
ribut
ion
Ano
mal
ous
tem
pera
ture
dist
ribut
ion
in th
e co
re
SFs
(7),
(10)
and
(1
1) a
ffect
ed
Cha
lleng
es
Mec
hani
sms
Pro
visi
ons
Saf
ety
func
tions
FIG
. 35.
Obj
ectiv
e tr
ee f
or L
evel
1 o
f de
fenc
e in
dep
th (
RC
S, r
eact
or c
oola
nt s
yste
m).
Saf
ety
prin
cipl
e (2
03):
nor
mal
hea
t rem
oval
.
54
Inst
alla
tion
of
reac
tor c
oola
nt
mak
e-up
syst
em
Inst
alla
tion
of
reac
tor c
oola
nt
inve
ntor
y
mon
itorin
g
Inst
alla
tion
of
relia
ble
and
fast
shu
tdow
n
syst
em
Loss
of
prim
ary
cool
ant
inve
ntor
y
Impl
emen
tatio
n of
seco
ndar
y si
de
cont
rol
syst
ems
Impl
emen
tatio
n of
seco
ndar
y pr
oces
s
mon
itorin
g
syst
em
Inst
alla
tion
of
relia
ble
and
fast
shu
tdow
n
syst
em
Inst
alla
tion
of
stea
m d
ump
syst
em
Deg
rade
d
heat
rem
oval
capa
bilit
y
in s
econ
dary
sys
tem
Neu
tron
flux
and
tem
pera
ture
mon
itorin
g
syst
ems
Rea
ctor
pow
er c
ontr
ol
or li
mita
tion
syst
em
Rel
iabl
e
and
fast
shut
dow
n
syst
em
Ove
rall
nega
tive
reac
tivity
coef
ficie
nt
Und
esire
d
incr
ease
in c
ore
pow
er
gene
ratio
n
Deg
rade
d
capa
bilit
y
of c
ore
heat
rem
oval
Loos
e
part
mon
itorin
g
syst
em
Tem
pera
ture
mea
sure
men
t
at c
ore
exit
Coo
lant
flow
bloc
kage
s
in c
ore
chan
nels
Per
iodi
c
in-c
ore
flux
map
ping
Tem
pera
ture
mea
sure
men
t
at c
ore
exit
Abn
orm
al p
eaki
ng
fact
or d
ue to
unex
pect
ed fl
ux
dist
ribut
ion
Ano
mal
ous
tem
pera
ture
dist
ribut
ion
in th
e co
re
SF
(7),
(10)
an
d (1
1) a
ffect
ed
Cha
lleng
es:
Pro
visi
ons:
Saf
ety
func
tions
:
Mec
hani
sms:
FIG
. 36.
Obj
ectiv
e tr
ee f
or L
evel
2 o
f de
fenc
e in
dep
th.
Safe
ty p
rinc
iple
(20
3): n
orm
al h
eat r
emov
al.
55
Lim
ited
pre
senc
e o
fp
erso
nnel
in s
ensi
tive
area
s to
pre
vent
hum
anin
duc
ed e
vent
s
Eva
luat
ion
of
limita
tion
and
/o
r up
gra
de
of
avai
lab
ility
of
inst
rum
enta
tion/
mea
sure
-m
ent
in n
on-
po
wer
reg
imes
Sp
ecia
l att
entio
nd
evo
ted
to
fue
lha
ndlin
go
per
atio
ns
Dev
elo
pm
ent
of
valid
ated
EO
Ps
app
licab
le f
or
star
tup
, shu
tdo
wn
and
low
po
wer
reg
imes
Ad
min
istr
ativ
eco
ntro
l to
ens
ure
that
wo
rk is
do
ne c
ons
iste
ntw
ith r
elev
ant
req
uire
men
ts
Dev
elo
pm
ent
of
valid
ated
SA
Gs
app
licab
le f
or
star
tup
, shu
tdo
wn
and
low
po
wer
reg
imes
Hig
her
likel
iho
od
of
hum
anin
duc
edev
ents
Incr
ease
d p
lant
vul
nera
bili
ty d
ue t
o h
ighe
r lik
elih
oo
d o
f ev
ents
Red
uced
co
ola
nt in
vent
ory
,un
usua
l rea
ctiv
ity f
eed
bac
kan
d o
ther
cha
nged
pla
nto
per
atio
nal p
aram
eter
s
Deg
rad
ed b
arrie
rsag
ains
t re
leas
e o
fra
dio
activ
ity (o
pen
RC
S,
op
en c
ont
ainm
ent)
Lim
ited
ava
ilab
ility
of
vario
us c
om
po
nent
s/sy
stem
s d
ue t
o m
aint
e-na
nce/
rep
lace
men
t
Det
aile
d e
valu
atio
no
fp
lant
par
amet
ers
inno
n-p
ow
er r
egim
es
Det
aile
d e
valu
atio
no
f st
atus
of
pla
ntsy
stem
s in
non-
po
wer
reg
imes
Con
sid
erat
ion
of s
pec
ific
cond
ition
s to
ensu
re s
uffic
ient
red
und
ancy
, rel
ia-
bili
ty a
nd c
apac
ity o
f eq
uip
men
t fo
rd
etec
tion
and
con
trol
of a
ccid
ents
Co
mp
rehe
nsiv
e lis
to
f in
adve
rten
t ev
ents
sp
ecifi
cto
no
n-p
ow
er o
per
atio
nal
reg
imes
Pro
ced
ures
and
set
-up
of
acce
pta
nce
crite
ria f
or
acci
den
t an
alys
is o
f ev
ents
in n
on-
po
wer
reg
imes
PS
A s
tud
y to
iden
tify
pla
nt v
ulne
rab
ilitie
sin
no
n-p
ow
er o
per
atio
nal
reg
imes
Che
ckin
g c
om
ple
tene
ss o
f p
lant
limits
and
co
nditi
ons
ap
plic
able
for
non-
po
wer
op
erat
iona
lre
gim
es
Saf
ety
anal
ysis
rep
ort
for
star
tup
, shu
tdo
wn
and
low
po
wer
op
erat
iona
lre
gim
es
Set
up
acc
epta
ble
rel
axat
ion
in s
afet
y re
qui
rem
ents
dur
ing
no
n-p
ow
er o
per
atio
nal
reg
imes
Deg
rad
ed c
apab
ility
to
co
pe
with
acc
iden
ts in
no
n-p
ow
er m
od
es
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
All
FS
Fs
affe
cted
: co
ntro
lling
rea
ctiv
ity,
coo
ling
fue
l, co
nfin
ing
ra
dio
activ
e m
ater
ial
FIG
. 37
. O
bjec
tive
tree
for
Lev
els
1–4
of d
efen
ce i
n de
pth
(RC
S, r
eact
or c
oola
nt s
yste
m;
SAG
, se
vere
acc
iden
t gu
idel
ine)
. Sa
fety
pr
inci
ple
(205
): s
tart
up, s
hutd
own
and
low
pow
er o
pera
tion.
56
SF
(6) a
ffec
ted
:to
rem
ove
hea
t f
rom
the
co
re u
nder
LOC
A c
ond
itio
ns
SF
(7) a
ffec
ted
:to
rem
ove
hea
tfr
om
the
co
re u
nder
non-
LOC
A c
ond
itio
ns
SF
(10)
aff
ecte
d:
to m
aint
ain
acce
pta
ble
clad
din
g in
teg
rity
in t
he c
ore
Eff
ectiv
ena
tura
l circ
ulat
ion
in p
rimar
y ci
rcui
t
Ad
equa
te s
eco
ndar
y s
ide
heat
rem
ova
lca
pab
ility
Dev
elo
pm
ent
and
imp
lem
enta
tion
of
EO
Ps
Loss
of
forc
edre
acto
r co
ola
ntflo
w a
ccid
ents
Co
mp
rehe
nsiv
eLO
CA
ana
lysi
sfo
r w
hole
sp
ectr
umo
f ac
cid
ents
Rel
iab
lean
d e
ffic
ient
EC
CS
for
who
le s
pec
trum
of
acci
den
ts
Rel
iab
le a
ndef
ficie
nt r
esid
ual
heat
rem
ova
lsy
stem
Dev
elo
pm
ent
and
imp
lem
enta
tion
of
EO
Ps
Pro
of
of
long
-ter
mo
per
abili
ty o
fhe
at r
emo
val
syst
ems
Loss
of
reac
tor
coo
lant
inve
nto
ryac
cid
ents
Inst
alla
tion
of
relia
ble
and
eff
icie
nt E
FW
Sfo
r w
hole
sp
ectr
umo
f ac
cid
ents
Dev
elo
pm
ent
and
imp
lem
enta
tion
of
EO
Ps
Loss
of
norm
alse
cond
ary
sid
ehe
at r
emo
val
cap
abili
ty
Ana
lysi
s o
f ac
cid
ents
dur
ing
shu
tdo
wn
op
erat
iona
l mo
des
Ded
icat
ed a
nd p
rote
cted
heat
rem
ova
lsy
stem
s
Just
ifica
tion
of
use
of
atm
osp
here
as
even
tual
ulti
mat
ehe
at s
ink
Dev
elo
pm
ent
and
imp
lem
enta
tion
of
EO
Ps
Loss
of
cap
abili
tyfo
r fu
el c
oo
ling
in s
hutd
ow
nm
od
es
Lack
of
cap
abili
ty f
or
fuel
coo
ling
dur
ing
acci
den
t co
nditi
ons
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
Saf
ety
func
tions
:
FIG
. 38.
O
bjec
tive
tree
for
Lev
el 3
of
defe
nce
in d
epth
(E
CC
S, e
mer
genc
y co
re c
oolin
g sy
stem
, EF
WS,
em
erge
ncy
feed
wat
er s
yste
m).
Sa
fety
pri
ncip
le (
207)
: em
erge
ncy
heat
rem
oval
.
57
Bor
ic w
ater
for
core
coo
ling
Rec
ritic
ality
due
to c
hang
es in
fuel
geo
met
ry/
com
pos
ition
Exc
essi
ve h
eat
pro
duc
tion
due
to
recr
itica
lity
Sec
ond
ary
sid
eb
leed
and
feed
RC
Sd
epre
ssur
izat
ion
Wat
er in
ject
ion
into
the
cor
eb
y an
ym
eans
Cor
e he
at-u
pan
d r
eloc
atio
n
Pre
vent
ion
of c
ore
heat
-up
Hyd
roge
nge
nera
tion
Inad
equa
tere
mov
al o
f hea
tfr
om d
egra
ded
core
In-v
esse
lco
olin
g of
cor
ed
ebris
by
inje
ctio
nin
to t
he v
esse
l
In-v
esse
lre
tent
ion
by
exte
rnal
cool
ing
RC
Sd
epre
ssur
izat
ion
Low
er h
ead
failu
re
Feed
ste
amge
nera
tors
RC
Sd
epre
ssur
izat
ion
Ind
uced
ste
am g
ener
ator
tub
e ru
ptu
re
Con
seq
uent
ial
dam
age
of R
CS
due
to in
adeq
uate
hea
tre
mov
al
Inst
alla
tion
of in
tern
alsp
ray
Inst
alla
tion
of e
xter
nal
spra
y
Filte
red
vent
ing
Sup
pre
ssio
np
ool c
oolin
g
Sum
p c
oolin
g
Fan
cool
ers
Slo
w o
verp
ress
ure
due
to
ste
am g
ener
atio
n(s
ee a
lso
SP
(221
))
Pro
visi
ons
to r
e-es
tab
lish
the
ultim
ate
heat
sin
k
Con
sid
erat
ion
ofal
tern
ate
ultim
ate
heat
sin
k(e
.g. a
tmos
phe
re)
Una
vaila
bili
tyof
the
ulti
mat
ehe
at s
ink
Inad
equa
te h
eat
rem
oval
from
the
cont
ainm
ent
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
All
FSFs
affe
cted
: co
ntro
lling
reac
tivity
, co
olin
g fu
el, c
onfin
ing
radi
oact
ive
mat
eria
l
FIG
. 39.
Obj
ectiv
e tr
ee f
or L
evel
4 o
f de
fenc
e in
dep
th (
RC
S, r
eact
or c
oola
nt s
yste
m).
Saf
ety
prin
cipl
e (2
07):
em
erge
ncy
heat
rem
oval
.
58
Cla
ssfic
atio
no
f co
mp
one
nts
Ass
ignm
ent
of
des
ign
cod
es f
or
each
co
mp
one
nt
Use
of
pro
ven
mat
eria
ls
Co
nsid
erat
ion
of
det
erio
ratio
np
heno
men
a (e
mb
rittle
men
t,er
osi
on,
co
rro
sio
n, f
atig
ue)
and
pro
visi
on
of
des
ign
mar
gin
s
Str
uctu
ral
anal
ysis
fo
r al
ld
esig
n co
nditi
ons
to v
erify
inte
grit
y
Des
ign
mea
nsag
ains
t p
oss
ible
inte
rnal
and
ext
erna
l lo
ads,
with
suf
ficie
nt m
arg
in
RC
So
verp
ress
ure
pro
tect
ion
Op
erat
ing
rest
rictio
ns t
o a
void
gro
wth
of
po
tent
ial
und
etec
ted
def
ects
Inad
equa
te d
esig
no
r se
lect
ion
of
mat
eria
ls
Use
of
pro
ven
tech
nolo
gie
san
d e
stab
lishe
dco
des
Mul
tiple
insp
ectio
ns a
nd t
ests
of
RC
Sin
teg
rity
(ultr
aso
nic,
rad
io-
gra
phi
c, h
ydro
test
s, e
tc.)
Inap
pro
pria
tefa
bric
atio
nm
etho
ds
Deg
rad
ed p
erfo
rman
ceo
f p
ress
ure
bo
und
ary
mat
eria
ls
SF
(11)
aff
ecte
d:
to m
aint
ain
RC
Sin
teg
rity
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
Use
of
exp
erie
nced
m
anuf
actu
rer
with
es
tab
lishe
d Q
A
mea
sure
s
FIG
. 40.
O
bjec
tive
tree
for
Lev
el 1
of
defe
nce
in d
epth
(R
CS,
rea
ctor
coo
lant
sys
tem
; QA
, qua
lity
assu
ranc
e). S
afet
y pr
inci
ple
(209
):
reac
tor
cool
ant s
yste
m in
tegr
ity.
59
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
Imp
lem
enta
tion
of
auto
mat
ic in
terlo
cks
to p
reve
nt R
CS
ove
r-
load
ing
dur
ing
test
ing
Feas
ible
re
pai
rs
and
re
pla
cem
ent
Sp
ecia
l p
roce
dur
es fo
r R
CS
tes
ting
dur
ing
oper
atio
n
Allo
wab
le R
CS
te
st p
aram
eter
s th
roug
hout
life
time
Sys
tem
fo
r m
onito
ring
frac
tion
of c
omp
onen
tlif
etim
e sp
ent
Mod
ern
ND
T m
etho
ds
to r
ecog
nize
p
ossi
ble
def
ects
Mea
ns
for
LBB
con
cep
t im
ple
men
tatio
n
Sam
plin
g fo
r R
PV
bas
ic a
nd
wel
d m
ater
ials
Deg
rad
ed
per
form
ance
of p
ress
ure
bou
ndar
y m
ater
ials
SF(
11) a
ffec
ted
: to
mai
ntai
n R
CS
in
tegr
ity
Inad
equa
te
com
pon
ent
in-s
ervi
ce in
spec
tions
an
d t
ests
FIG
. 41.
O
bjec
tive
tree
for
Lev
el 2
of
defe
nce
in d
epth
(N
DT,
non
-des
truc
tive
test
ing;
LB
B, l
eak
befo
re b
reak
; RP
V, r
eact
or p
ress
ure
vess
el; R
CS,
rea
ctor
coo
lant
sys
tem
). S
afet
y pr
inci
ple
(209
): r
eact
or c
oola
nt s
yste
m in
tegr
ity.
60
Proo
f of t
heac
cept
abili
tyof
alte
rnat
ive
solu
tions
Plan
t upg
radi
ng th
roug
hin
stal
latio
n of
conf
inem
ent
Con
finem
ent
not
inst
alle
d
Set-
up o
f lim
itsfo
r con
tain
men
ttig
htne
ss
Reg
ular
tight
ness
test
s
Spec
ifica
tion
ofpr
ogra
mm
eto
impr
ove
tight
ness
Prev
entio
n of
rele
ases
thro
ugh
open
ings
and
pene
tratio
ns
Con
tain
men
ttig
htne
ss d
e-gr
aded
dur
ing
oper
atio
n
Adeq
uate
redu
ndan
cy o
fco
ntai
nmen
tis
olat
ion
Mai
nten
ance
, tes
ts,
surv
eilla
nce
and
insp
ectio
n of
isol
atio
n sy
stem
Func
tiona
lte
sts
ofis
olat
ion
syst
ems
Mon
itorin
gof
isol
atio
nst
atus
Rec
over
yof
cont
ainm
ent
isol
atio
n
Dep
res-
suriz
atio
nof
cont
ainm
ent
Failu
re o
fco
ntai
nmen
tis
olat
ion
Mai
nten
ance
,su
rvei
llanc
e an
din
spec
tion
ofco
ntai
nmen
t sys
tem
Func
tiona
lte
st o
fco
ntai
nmen
tsy
stem
Adeq
uate
capa
bilit
y fo
rre
sidu
al h
eat
rem
oval
Con
tain
men
t spr
ayan
dfa
n co
oler
s
Sum
p an
dsu
ppre
ssio
npo
olco
olin
g
Seco
ndar
yco
ntai
nmen
t
Rel
ease
post
-acc
iden
tm
ixtu
reth
roug
h fil
ters
Con
tain
men
tpr
essu
re in
crea
sedu
e to
ene
rgy
rele
ase
from
RC
S
Lack
ing
orin
suffi
cien
tco
ntai
nmen
tfu
nctio
n
Prev
entio
nof
ope
ratio
nof
pre
ssur
ere
lief s
yste
m
Pres
sure
cont
rol i
n pr
essu
rere
lief t
ank
Rel
ease
thro
ugh
the
RC
S pr
essu
rere
lief s
yste
m d
urin
gac
cide
nt c
ondi
tions
Mea
sure
s to
pro
tect
RC
S in
tegr
ity(s
ee S
P (2
09))
Res
idua
l hea
tre
mov
al to
min
imiz
efu
el d
amag
e
Ope
ratio
n of
cont
ainm
ent
spra
ys to
rem
ove
radi
oact
ive
mat
eria
ls
Use
of
spra
yad
ditiv
es
Ope
ratio
n of
vent
ilatio
n an
dfil
ter s
yste
m
Acci
dent
con
ditio
nsw
ith R
CS
boun
dary
failu
re
Lim
its fo
rpr
imar
y co
olan
tra
dioa
ctiv
ity
Spec
ifica
tion
of li
mits
for
fuel
failu
res
Fuel
tight
ness
test
befo
rere
load
ing
Ope
ratio
n of
cool
ant
purif
icat
ion
syst
em
Insu
ffici
ent c
ontro
lof
radi
oact
ivity
in R
CS
leak
ing
atno
rmal
rate
Hig
h ra
dioa
ctiv
ityle
vel i
n th
eco
ntai
nmen
t lea
king
at n
omal
rate
Prim
ary
tose
cond
ary
syst
emle
akag
es
Inte
rface
LOC
As
ISI
to re
duce
prob
abili
tyof
occ
urre
nce
Dev
elop
men
tan
d ap
plic
atio
nof
PR
ISE
man
agem
ent
Isol
atio
nof
hig
h pr
essu
resy
stem
s
Dep
ress
uriz
atio
nof
RC
S
Iden
tific
atio
nof
byp
ass
rout
ean
dFP
rete
ntio
n
Con
tain
men
tby
pass
SF(1
2) a
ffect
ed: t
o li
mit
radi
oac-
tive
rele
ase
from
the
cont
ainm
ent
in a
ccid
ent c
ondi
tions
and
con
di-
tions
follo
win
g an
acc
iden
t
Safe
ty fu
nctio
ns:
Cha
lleng
es:
Mec
hani
sms:
Prov
isio
ns:
FIG
. 42.
O
bjec
tive
tree
for
Lev
el 3
of
defe
nce
in d
epth
(R
CS,
rea
ctor
coo
lant
sys
tem
; LO
CA
, los
s of
coo
lant
acc
iden
t; IS
I, i
n-se
rvic
e in
spec
tion;
PR
ISE
, pri
mar
y to
sec
onda
ry le
akag
e; F
P, f
issi
on p
rodu
ct).
Saf
ety
prin
cipl
e (2
17):
con
fine
men
t of
radi
oact
ive
mat
eria
l (se
e al
so S
F (
12))
.
61
Ana
lysi
s an
dim
plem
enta
tion
ofad
equa
te o
pera
ting
proc
edur
es
Pre
vent
ion
ofre
activ
ityin
duce
dac
cide
nts
Rel
iabi
lity
of r
esid
ual h
eat
rem
oval
sys
tem
Mai
nten
ance
,te
stin
g, in
spec
tions
of
rele
vant
sys
tem
sim
port
ant f
or s
afet
y
Pre
vent
ion
of e
mpt
ying
fuel
poo
l by
syst
em la
yout
Con
trol
of w
ater
leve
lan
d le
ak d
etec
tion
in th
e fu
el p
ool
Che
mis
try
and
radi
oact
ivity
mon
itorin
g
Inst
alla
tion
ofve
ntila
tion/
filtr
atio
nsy
stem
Dam
age
offu
el a
ssem
bly
by o
verh
eatin
g
Ana
lysi
s an
dim
plem
enta
tion
ofad
equa
te o
pera
ting
proc
edur
es
Pre
vent
ion
ofhe
avy
load
drop
on
fuel
asse
mbl
ies
Pre
vent
ion
ofdr
oppi
ngof
fuel
in tr
ansi
t
Pre
vent
ion
ofun
acce
ptab
leha
ndlin
g st
ress
esof
fuel
ele
men
ts
Dam
age
offu
el a
ssem
bly
by m
echa
nica
llo
ads
Rad
ioac
tivity
rel
ease
durin
g ac
cide
nts
in s
pent
fuel
pool
s
Am
ount
and
con
-ce
ntra
tion
of r
adio
-ac
tive
mat
eria
l with
inpr
escr
ibed
lim
its
Inst
alla
tion
of s
uita
ble
mea
ns to
con
trol
re-
leas
es o
f rad
ioac
tive
liqui
d in
to e
nviro
nmen
t
Unc
ontr
olle
dre
leas
e of
rad
io-
activ
e liq
uid
into
env
ironm
ent
Am
ount
and
con
-ce
ntra
tion
of r
adio
-ac
tive
mat
eria
l with
inpr
escr
ibed
lim
its
Inst
alla
tion
of v
entil
atio
nan
d fil
trat
ion
syst
emto
con
trol
rel
ease
sof
gas
es
Test
ing
of
effic
ienc
y of
filte
r sy
stem
s
Unc
ontr
olle
dre
leas
e of
rad
io-
activ
e ga
ses
into
envi
ronm
ent
Rad
ioac
tivity
rel
ease
due
to a
ccid
ents
in r
adw
aste
trea
tmen
t sys
tem
s
Det
erm
inis
tic/p
roba
bilis
ticsa
fety
anal
ysis
Use
of c
ertif
ied
cont
aine
rs w
ithad
equa
tede
sign
Mea
sure
s to
prev
ent d
ropp
ing
offu
el c
onta
iner
in tr
ansi
t
Pre
vent
ion
of e
xter
nal
caus
es o
f dam
age
(fire
s, ..
.)
Cou
nter
-m
easu
res
agai
nst
dis
sem
inat
ion
of r
adio
-ac
tivity
in a
ccid
ents
Dam
age
offu
el tr
ansp
ort
cont
aine
r
Rad
ioac
tivity
rel
ease
due
to a
ccid
ents
durin
g sp
ent f
uel
tran
spor
t
Pre
vent
ion
ofun
acce
ptab
leha
ndlin
g st
ress
esof
fuel
ass
embl
ies
Rel
iabl
ere
sidu
al h
eat
rem
oval
from
the
cont
aine
r
Ade
quat
eop
erat
ing
proc
edur
es
Rad
ioac
tivity
mon
itorin
g
Inst
alla
tion
ofve
ntila
tion/
filtr
atio
nsy
stem
Dam
age
offu
el s
tora
geco
ntai
ner
Rad
ioac
tivity
rel
ease
durin
g ac
cide
nts
in d
ry s
pent
fuel
stor
age
SF(
13) a
ffect
ed: t
o li
mit
radi
oact
ive
rele
ases
from
sou
rces
out
side
the
cont
ainm
ent
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
Red
uctio
n of
like
lihoo
d of
acc
iden
ts b
y ap
prop
riate
sel
ectio
n of
tran
spor
t rou
te
FIG
. 43.
Obj
ectiv
e tr
ee f
or L
evel
3 o
f de
fenc
e in
dep
th. S
afet
y pr
inci
ple
(217
): c
onfi
nem
ent o
f ra
dioa
ctiv
e m
ater
ial (
see
also
SF
(13
)).
62
Que
nch
tank
scru
bbin
g
Auxi
liary
pres
suriz
ersp
ray
Rel
ease
thro
ugh
quen
ch ta
nk
Dep
ress
uri-
zatio
n of
RC
S
Exte
rnal
cool
ing
of R
PV
Prev
entio
n of
MC
CI a
eros
ols
by fl
oodi
ngde
bris
RC
S/R
PVbo
unda
ryfa
ilure
Sour
ce te
rmin
to th
eco
ntai
nmen
t
Ope
ratio
nof
spr
ays
Filte
rsy
stem
Aero
sol
disp
ersi
on
Ope
ratio
nof
spr
ays
Spra
yad
ditiv
es
Gas
eous
disp
ersi
on
Fiss
ion
prod
ucts
in c
onta
imen
tat
mos
pher
e
Add
base
Low
pH
Sum
pco
olin
g
Exce
ssiv
esu
mp
wat
erte
mpe
ratu
re
Set-
up o
flim
its fo
rco
ntai
nmen
ttig
htne
ss
Nor
mal
leak
age
from
cont
ainm
ent
Mon
itorin
gof
isol
atio
nst
atus
Rec
over
y of
cont
ainm
ent
isol
atio
n
Dep
ress
uri-
zatio
n of
cont
ainm
ent
Floo
dco
ntai
nmen
tle
ak
Impa
ired
cont
ainm
ent
func
tion
Prev
entio
n of
cont
ainm
ent
failu
re(s
ee S
P (2
21))
Con
tain
men
tfa
ilure
due
to p
hysi
cal
phen
omen
a
Dep
ress
uri-
zatio
n of
cont
ainm
ent
Dev
elop
men
tan
d ap
plic
atio
nof
PR
ISE
man
agem
ent
Prev
entio
n of
inte
rface
syst
emLO
CA
Iden
tific
atio
nof
byp
ass
rout
e an
dFP
rete
ntio
n
Con
tain
men
tby
pass
sequ
ence
s
Feed
ing
of s
team
gene
rato
rs
Dep
ress
uri-
zatio
n of
cont
ainm
ent
Indu
ced
SG tu
befa
ilure
Sour
ce te
rmin
to e
nviro
nmen
t
SF(1
2) a
ffect
ed: t
o li
mit
radi
oact
ive
rele
ases
from
the
cont
ainm
ent
unde
r acc
iden
t con
ditio
ns
Safe
ty fu
nctio
ns:
Cha
lleng
es:
Mec
hani
sms:
Prov
isio
ns:
Rel
ease
of
fissi
on p
rodu
cts
from
wat
er
FIG
. 44
. O
bjec
tive
tree
for
Lev
el 4
of
defe
nce
in d
epth
(R
CS,
rea
ctor
coo
lant
sys
tem
; R
PV
, re
acto
r pr
essu
re v
esse
l; M
CC
I, m
olte
n co
rium
–con
cret
e in
tera
ctio
n; P
RIS
E,
prim
ary
to s
econ
dary
lea
kage
; L
OC
A,
loss
of
cool
ant
acci
dent
; SG
, st
eam
gen
erat
or).
Saf
ety
prin
cipl
e (2
17):
con
fine
men
t of
radi
oact
ive
mat
eria
l.
63
Con
sid
erat
ion
of a
ll en
ergy
sou
r-ce
s in
des
ign
(prim
ary,
sec
on-
dar
y co
olan
t, a
ccum
ulat
edhe
at, c
hem
ical
rea
ctio
ns)
Per
form
ance
of
cont
ainm
ent
over
pre
ssur
e t
ests
Per
form
ance
of
func
tiona
l tes
tsof
con
tain
men
tsy
stem
s
Inst
alla
tion
and
pro
of o
f suf
ficie
ntp
erfo
rman
ceof
fan
cool
ers
Inst
alla
tion
of p
ress
ure
sup
pre
ssio
nsy
stem
Res
idua
l hea
tre
mov
al/s
ump
and
pre
ssur
e su
pp
ress
ion
poo
l coo
ling
Rel
ease
of
pos
t-ac
cid
ent
mix
ture
thro
ugh
filte
rs
Enl
arge
men
tof
inte
rnal
cont
ainm
ent
open
ings
Con
tain
men
tov
erp
ress
ure
due
to
ener
gyfr
om R
CS
Ana
lyse
s/re
duc
tion
of h
ydro
gen
sour
ces
from
chem
/rad
ioly
t. r
eact
ion
(mat
eria
ls, c
ond
ition
s)
Inst
alla
tion
ofhy
dro
gen
rem
oval
syst
ems
Ad
diti
onof
non
-co
nden
sib
les
Mix
ing
ofco
ntai
nmen
tat
mos
phe
re t
o av
oid
loca
l bur
ning
Con
tain
men
tov
erp
ress
ure
due
to
hyd
roge
nco
mb
ustio
n
Arr
ange
men
t fo
rsw
itchi
ng o
ffco
ntai
nmen
tco
olin
g
Inst
alla
tion
ofva
cuum
bre
aker
s
Ad
diti
onof
non
-co
nden
sib
les
Con
tain
men
tun
der
pre
ssur
e
Pre
vent
ion
of m
issi
lefo
rmat
ion
in d
esig
n
Enf
orce
men
t of
inte
rnal
con
tain
men
tst
ruct
ures
Inst
alla
tion
ofb
arrie
rs a
roun
dcr
itica
lco
mp
onen
ts
Pro
tect
ion
of c
on-
tain
men
t sh
ell
from
falli
ngin
tern
al w
alls
Con
tain
men
td
amag
e b
yin
tern
alm
issi
les
Loss
of
cont
ainm
ent
inte
grity
SF(
20) a
ffec
ted
:to
mai
ntai
nin
tegr
ityof
the
con
tain
men
t
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
Inst
alla
tion
of
inte
rnal
sp
rays
w
ith s
uffic
ient
ca
pac
ity
FIG
. 45
. O
bjec
tive
tree
for
Lev
el 3
of
defe
nce
in d
epth
(R
CS,
rea
ctor
coo
lant
sys
tem
). S
afet
y pr
inci
ple:
pro
tect
ion
of c
onfi
nem
ent
stru
ctur
e (2
21).
64
Inst
alla
tion
ofin
tern
al s
pray
syst
em
Inst
alla
tion
ofex
tern
al s
pray
syst
em
Inst
alla
tion
offa
n co
oler
syst
em
Inst
alla
tion
offil
tere
d ve
ntin
gsy
stem
Inst
alla
tion
ofsu
mp
cool
ing
equi
pmen
t
Inst
alla
tion
ofsu
ppre
ssio
npo
ol c
oolin
gsy
stem
Stea
mge
nera
tion
Inst
alla
tion
offil
tere
d ve
ntin
gsy
stem
Inst
alla
tion
ofig
nite
rs a
ndre
com
bine
rs
Gen
erat
ion
ofno
n-co
nden
-sa
ble
gase
s
Slow
over
pres
suriz
atio
n o
f the
con
tain
men
t
Rea
ctor
coo
-la
nt s
yste
m d
epre
s-su
rizat
ion
Addi
tiona
l bar
-rie
rs to
min
i-m
ize
coriu
mdi
sper
sion
Dire
ctco
ntai
nmen
the
atin
g
Igni
ters
and
reco
mbi
ners
Iner
ting
ofco
ntai
nmen
tat
mos
pher
e
Mix
ing
ofco
ntai
nmen
tat
mos
pher
e
Filte
red
vent
ing
to re
duce
pre-
burn
ing
pres
sure
Bur
nabl
ega
sco
mbu
stio
n
Tim
ing
ofca
vity
/dr
ywel
lflo
odin
g
In-v
esse
lre
tent
ion
byex
tern
alco
olin
g
In-v
esse
lre
tent
ion
by in
tern
alflo
odin
g
Ex-v
esse
lst
eam
expl
osio
ns
In-v
esse
lre
tent
ion
by e
xter
nal
cool
ing
In-v
esse
lre
tent
ion
by in
tern
alflo
odin
g
Adeq
uate
stea
m fl
owpa
ths
from
cavi
ty
Rap
id s
team
gene
ratio
ndu
ring
ves-
sel f
ailu
re
Rap
idov
erpr
essu
rizat
ion
of t
he c
onta
inm
ent
Coo
ling
of
cont
ainm
ent
atm
osph
ere
Prot
ectio
n of
pene
tratio
nsfro
m fl
ame
effe
cts
Addi
tion
ofba
rrie
rs s
uch
as s
ump
prot
ectio
n
Tem
pera
ture
indu
ced
degr
adat
ion
Con
tain
men
tpe
netra
tion
failu
re
Inst
alla
tion
of v
acuu
mbr
eake
rs
Addi
tion
ofno
n-co
nden
-sa
ble
gase
s
Auto
mat
icor
man
ual
switc
h-of
f c
oolin
g
Con
dens
atio
naf
ter r
elea
seof
non
-con
den-
sabl
e ga
ses
Und
er-
pres
sure
failu
re o
f the
con
tain
men
t
Cor
ium
spre
adin
g:co
re c
atch
er
Floo
ding
ofca
vity
/dr
ywel
l
Addi
tiona
lba
rrie
rs fo
rca
vity
doo
rs,
sum
ps, e
tc.
Cor
eco
ncre
tein
ter-
actio
n
Bas
emat
mel
t-th
roug
hof
the
cont
ainm
ent
Prev
entio
nof
ener
getic
expl
osio
ns
Enfo
rcem
ent
ofst
ruct
ures
In-v
esse
lst
eam
expl
osio
nm
issi
les
Prev
entio
nof
hydr
ogen
deto
natio
n
Prot
ectio
n of
stee
l she
llfro
m fa
lling
conc
rete
wal
ls
Prev
entio
nof
HPM
E by
depr
essu
riza-
tion
of R
CS
Prev
entio
nof
ex-
vess
elst
eam
expl
osio
ns
Con
side
ratio
nof
nee
dfo
rba
rrie
rs
Mis
sile
s fro
mex
-ves
sel
expl
osio
nev
ents
Dam
age
of th
e co
ntai
nmen
tby
inte
rnal
mis
sile
s
SF(2
0) a
ffect
ed:
to m
aint
ain
inte
grity
of
the
cont
ainm
ent
Safe
ty fu
nctio
ns:
Cha
lleng
es:
Mec
hani
sms:
Prov
isio
ns:
FIG
. 46
. O
bjec
tive
tree
for
Lev
el 4
of
defe
nce
in d
epth
(H
PM
E,
high
pre
ssur
e m
elt
ejec
tion;
RC
S, r
eact
or c
oola
nt s
yste
m).
Saf
ety
prin
cipl
e (2
21):
pro
tect
ion
of c
onfi
nem
ent s
truc
ture
.
65
Insu
fficie
nt d
isplay
of in
form
atio
n ne
eded
to a
scer
tain
the
stat
us in
NO
Inap
prop
riate
disp
lay
of s
afet
y
relev
ant
info
rmat
ion
Sel
ecte
d
para
met
ers
to
be m
onito
red
in th
e M
CR
Cle
ar in
dica
tion
of p
lant
sta
tus
in
the
MC
R
Adeq
uate
mea
ns
as m
eter
s,
stat
us li
ghts
para
met
er tr
ends
Man
–mac
hine
inte
rfac
e an
d
hum
an fa
ctor
s
engi
neer
ing
Mea
ns
to d
etec
t
even
ts
in th
e M
CR
Mea
ns
of d
iagn
osin
g
auto
mat
ic
coun
term
easu
res
Appr
opria
te
set o
f alar
ms
for
flow,
vib
ratio
n, le
aks,
moi
stur
e, ra
diat
ion.
..
Inte
rnal
ly o
r
exte
rnal
ly in
i-
tiate
d ev
ents
not a
nnou
nced
Use
of q
ualif
ied
oper
ator
s
Lack
of
qual
ifica
tion
of c
ontr
ol r
oom
oper
ator
s
Proc
edur
es fo
r
info
rmat
ion
trans
fer;
mea
ns fo
r
com
mun
icatio
n
Def
icie
nt
com
mun
icat
ion
amon
g st
aff
of o
pera
tors
Cond
uct o
f ope
ratio
ns o
utsid
e pr
oven
safe
bou
ndar
ies d
ue to
def
icien
cies
in
know
ledge
and
und
erst
andi
ng o
f plan
t
safe
ty s
tatu
s by
ope
ratin
g st
aff
Ope
rato
r ac
tion
not
influ
ence
d by
ear
ly
war
ning
of d
evel
opin
g
prob
lem
s
Flow
redu
ctio
n
Vib
ratio
nLe
aks
and
moi
stur
e
Irrad
iatio
n
Ade
quat
e
mon
itorin
g of
equi
pmen
t
syst
ems
All
FSFs
affe
cted
:
cont
rolli
ng r
eact
ivity
,
cool
ing
fuel
, con
finin
g
rad
ioac
tive
mat
eria
l
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
FIG
. 47.
Obj
ectiv
e tr
ee fo
r L
evel
s 1
and
2 of
def
ence
in d
epth
(N
O, n
orm
al o
pera
tion;
MC
R, m
ain
cont
rol r
oom
). S
afet
y pr
inci
ple
(227
):
mon
itori
ng o
f pl
ant s
afet
y st
atus
.
66
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
Inad
equa
te o
pera
tor r
espo
nse
durin
g ac
cide
nt c
ondi
tions
due
tode
ficie
ncie
s in
kno
wle
dge
and
unde
r-st
andi
ng o
f pla
nt’s
saf
ety
stat
us
Dis
play
of s
elec
-te
d pa
ram
eter
sto
be
mon
itore
din
the
MC
R
Dis
play
of s
elec
-te
d pa
ram
eter
sto
be
mon
itore
din
the
EC
R
Ope
ratio
n of
safe
ty s
yste
ms
not i
ndic
ated
to o
pera
tor
Mea
nsto
det
ect
even
tsin
MC
R
Inte
rnal
ly o
rex
tern
ally
ini-
tiate
d ev
ents
not r
epor
ted
Mea
nsto
mon
itor
plan
t sta
tus
in M
CR
/EC
R
Pro
visi
ons
for
rele
vant
org
aniz
a-tio
n an
d pr
esen
ta-
tion
of d
ata
Mis
sing
info
rmat
ion
on p
lant
stat
us
Ope
rato
rs h
ave
acce
ssto
the
mos
t im
port
ant
info
rmat
ion
Incl
usio
n of
mon
itorin
g of
plan
t sta
tus
intr
aini
ng
Mis
unde
rsta
ndin
gby
ope
rato
r
Mea
ns fo
r c
omm
unic
atio
nam
ong
staf
fas
req
uire
d
Com
mun
ica-
tion
bet
wee
npl
ant s
taff
inef
fect
ive
All
FSFs
affe
cted
:co
ntro
lling
rea
ctiv
ity,
cool
ing
fuel
,co
nfin
ing
radi
oact
ive
mat
eria
l
FIG
. 48
. O
bjec
tive
tree
for
Lev
els
3 an
d 4
of d
efen
ce i
n de
pth
(MC
R,
mai
n co
ntro
l ro
om;
EC
R,
emer
genc
y co
ntro
l ro
om).
Saf
ety
prin
cipl
e (2
27):
mon
itori
ng o
f pl
ant s
afet
y st
atus
.
67
Deg
rada
tion
of o
pera
tors
’co
ntro
lca
pabi
litie
s
Fire
res
ista
ntde
sign
of t
heco
ntro
l roo
m
Inst
alla
tion
of fi
rede
tect
ion
and
fire
extin
guis
hing
sys
tem
s
Pro
visi
on o
f pro
tect
ive
equi
pmen
t for
con
trol
room
ope
rato
rs
Fire
in th
eco
ntro
l roo
m
Iden
tific
atio
n of
inte
rnal
/ex
tern
al e
vent
s w
ith d
irect
thre
at to
MC
R (r
adia
tion,
expl
osiv
e or
toxi
c ga
ses)
Clo
sed
loop
ven
tilat
ion
syst
em to
ens
ure
cont
rol r
oom
habi
tabi
lity
Inst
alla
tion
of w
arni
ng s
yste
mfo
r co
ntro
l roo
m in
habi
tabi
lity
Pro
visi
on o
f pro
tect
ive
equi
pmen
t for
con
trol
room
ope
rato
rs
Con
serv
ativ
e se
ism
icst
ruct
ural
des
ign
of c
ontr
ol r
oom
build
ing
Est
ablis
hmen
t of e
mer
genc
yco
ntro
l roo
m(s
), co
ntro
lpa
nels
Rel
iabl
e po
wer
sup
ply
for
impo
rtan
t I&
C d
urin
gst
atio
n bl
acko
ut
Rel
iabl
e co
mm
unic
atio
nam
ong
rem
ote
loca
tions
impo
rtan
t for
per
form
ance
of s
afet
y fu
nctio
ns
Pro
visi
ons
for r
eact
or s
hutd
own,
resi
dual
hea
t rem
oval
and
conf
inem
ent o
f rad
. mat
eria
l in
cas
e M
CR
bec
omes
uni
nhab
itabl
e
Phy
sica
l pro
tect
ion
of c
ontr
ol r
oom
s
Ser
ious
ext
erna
lly o
rin
tern
ally
indu
ced
haza
rd, o
r sa
bota
geaf
fect
ing
cont
rol r
oom
All
FSFs
affe
cted
: con
trol
ling
reac
tivity
, coo
ling
fuel
,co
nfin
ing
radi
oact
ive
mat
eria
l and
SF
(15)
in p
artic
ular
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
Pro
paga
tion
of d
ange
rous
su
bsta
nces
from
ex
tern
al s
ourc
es o
r ot
her
plan
t loc
atio
ns
FIG
. 49.
Obj
ectiv
e tr
ee f
or L
evel
s 1–
4 of
def
ence
in d
epth
(M
CR
, mai
n co
ntro
l roo
m; I
&C
, inf
orm
atio
n an
d co
ntro
l). S
afet
y pr
inci
ple:
pr
eser
vatio
n of
con
trol
cap
abili
ty (
230)
.
68
Det
erm
inat
ion
of ti
me
perio
d th
at p
lant
is a
ble
to
with
stan
d w
ithou
t los
s
of s
afet
y fu
nctio
ns
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
Ana
lysi
s of
the
risk
(CD
F) in
cas
e of
st
atio
n bl
acko
ut
Ana
lysi
s of
nu
clea
r po
wer
pla
nt
vuln
erab
ility
to
stat
ion
blac
kout
Ana
lysi
s of
saf
ety
func
tions
affe
cted
du
ring
stat
ion
blac
kout
Esta
blis
hmen
t of d
iver
se
pow
er s
uppl
y so
urce
s:
dies
els,
turb
ines
an
d ba
tterie
s
Ens
uran
ce o
f hi
gh r
elia
bilit
y of
no
rmal
and
em
erge
ncy
pow
er s
uppl
ies
Inst
alla
tion
of a
dditi
onal
po
wer
sou
rces
: hyd
ro,
gas
and
grid
as
need
ed
base
d on
ana
lyse
s
Sim
ulta
neou
s lo
ss
of o
n-si
te a
nd o
ff-si
te
AC
pow
er
Saf
ety
syst
ems
or
equi
pmen
t fai
lure
due
to
sta
tion
blac
kout
All
FSFs
affe
cted
: co
ntro
lling
rea
ctiv
ity,
cool
ing
fuel
, con
finin
g ra
dioa
ctiv
e m
ater
ial
FIG
. 50.
Obj
ectiv
e tr
ee f
or L
evel
s 3
and
4 of
def
ence
in d
epth
(C
DF,
cor
e da
mag
e fr
eque
ncy)
. Saf
ety
prin
cipl
e: s
tatio
n bl
acko
ut (
233)
.
69
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
All
FS
Fs
affe
cted
:co
ntro
lling
rea
ctiv
ity,
coo
ling
fue
l, co
nfin
ing
rad
ioac
tive
mat
eria
l
No
tim
ely
or
inad
equa
te r
esp
ons
e to
PIE
s le
adin
g t
o d
evel
op
men
t o
f ac
cid
ents
to
bey
ond
d
esig
n b
asis
No
suf
ficie
nt
safe
ty p
rovi
sio
nsIn
adeq
uate
man
ual
ove
rrid
e ac
tions
No
suf
ficie
nt
auto
mat
ic p
rovi
sio
ns
Eff
icie
nt
neut
roni
c fe
edb
ack
Eff
icie
nt
pro
cess
co
ntro
l sy
stem
s
Bac
kup
by
auto
mat
ic a
ctua
tion
of
eng
inee
red
sa
fety
fea
ture
s
Ad
equa
te
man
ual c
ont
rol
Ad
equa
te in
stru
men
tatio
n an
d
dia
gno
stic
aid
s
Sui
tab
le lo
catio
n o
f eq
uip
men
t fo
r m
anua
l act
ions
Pro
visi
on
of
acce
ssib
le
envi
ronm
ent
for
op
erat
or
actio
ns
Pro
visi
on
of
just
ifica
tion
of
suff
icie
nt t
ime
for
op
erat
or
dec
isio
n
Sym
pto
m b
ased
em
erg
ency
op
erat
ing
p
roce
dur
es
No
rmal
cap
abili
ty
shut
do
wn,
co
olin
g
and
co
nfin
emen
t o
f ra
dio
activ
e m
ater
ial
Ap
pro
pria
te s
afet
y eq
uip
men
t
Des
ign
carr
ied
out
ag
ains
t a
set
of
DB
As
der
ived
fro
m P
IEs
FIG
. 51.
Obj
ectiv
e tr
ee f
or L
evel
3 o
f de
fenc
e in
dep
th (
PIE
, po
stul
ated
ini
tiatin
g ev
ent)
. Sa
fety
pri
ncip
le (
237)
: co
ntro
l of
acc
iden
ts
with
in th
e de
sign
bas
is.
70
New
and
spe
nt fu
el s
tora
gede
sign
inad
equa
teN
ew a
nd s
pent
fuel
sto
rage
oper
atio
n in
adeq
uate
Cap
acity
suffi
cien
t for
new
and
spe
ntfu
el s
tora
ge
Des
ign
of c
oolin
gsy
stem
s fo
r al
lex
tern
al lo
ads
rele
vant
to s
ite
Sys
tem
sfo
r co
olin
g fu
elun
der
all a
ntic
i-pa
ted
cond
ition
s
Per
iodi
c te
stin
gof
coo
ling
syst
ems
Pre
vent
ion
ofun
inte
ntio
nal
empt
ying
of f
uel
pool
by
desi
gn
Impl
emen
tatio
nof
ade
quat
eop
erat
ing
proc
edur
es
Loss
of c
oolin
gca
pabi
lity
durin
gst
orag
e or
tran
spor
t
Rel
iabl
efu
el c
oolin
gdu
ring
stor
age
and
tran
spor
t
Per
iodi
cte
stin
g of
sto
rage
and
hand
ling
equi
pmen
t
Mea
ns to
prev
ent d
ropp
ing
of fu
el d
urin
gha
ndlin
g
Use
of a
ppro
pria
teha
ndlin
g ro
utes
toav
oid
fuel
dam
age
if dr
oppe
d
Mea
ns to
prev
ent d
ropp
ing
of h
eavy
obj
ects
on fu
el
Use
of a
ppro
pria
tepr
oced
ures
toen
sure
phy
sica
lpr
otec
tion
of fu
el
Mea
ns to
dete
ct, h
andl
e an
dst
ore
defe
ctiv
efu
el
Pro
visi
on o
f shi
elds
for
fuel
sto
rage
and
hand
ling
whe
rene
cess
ary
Mea
nsfo
r ra
dioa
ctiv
itym
onito
ring
and
rem
oval
Pre
vent
ion
ofex
cess
ive
stre
sses
in fu
el a
ssem
blie
sdu
ring
hand
ling
Dam
age
of fu
eldu
ring
stor
age
or tr
ansp
ort
Mea
ns to
keep
con
figur
atio
nof
sto
red
fuel
as d
esig
ned
Mea
ns to
cont
rol p
aram
eter
sin
poo
l to
avoi
din
sert
ion
of r
eact
ivity
Mea
ns to
avoi
d fu
el r
eloc
atio
nin
tran
spor
t con
tain
erdu
ring
hand
ling
Inse
rtio
n of
reac
tivity
dur
ing
stor
age
or tr
ansp
ort
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
SF(
16) a
ffect
ed: t
o co
ntro
l rad
. rel
ease
s fr
om th
e fu
el o
utsi
de th
e R
CS
S
F(17
) affe
cted
: to
rem
ove
deca
y he
at fr
om fu
el o
utsi
de th
e R
CS
S
F(18
) affe
cted
: to
mai
ntai
n su
bcrit
ical
ity o
f fue
l out
side
the
RC
S
Inst
alla
tion
of
wat
er le
vel c
ontr
ol
and
leak
det
ectio
n eq
uipm
ent
FIG
. 52.
Obj
ectiv
e tr
ee fo
r L
evel
s 1
and
2 of
def
ence
in d
epth
(R
CS,
rea
ctor
coo
lant
sys
tem
). S
afet
y pr
inci
ple
(240
): n
ew a
nd s
pent
fuel
sto
rage
.
71
Damage tosafety equipment
due to unauthorizedactivity
Unauthorized releaseof radioactive
material
Diversion or removalof nuclearmaterial
Implementationof physicalprotection
programme
Arrangementfor access
control
Arrangementfor security
guards
Implementationof emergency
physical protectionprocedures
Lack ofvigilance
Safety functions:
Challenges
Mechanisms:
Provisions:
All FSFs affected: controlling reactivity, cooling fuel, confining radioactive material
Physical protection of vital equipment
outside nuclear power plant
FIG. 53. Objective tree for Level 1 of defence in depth. Safety principle (242): physical protection of plant.
72
Damage tosafety equipment
due to unauthorizedactivity
Unauthorized releaseof radioactive
material
Diversion or removalof nuclearmaterial
Probabilisticsafety analysis
for potential threats
Separation oflocation forredundantequipment
Installation ofemergency
control room
Installationof securityhardware
and devices
Verification/modification of
plant layouts forpotential threats
Designaudit on
postulatedthreats
Design vulnerabilitiesto potential
threats
All FSFs affected: controlling reactivity, cooling fuel, confining radioactive material
Safety functions:
Challenges:
Mechanisms:
Provisions:
FIG. 54. Objective tree for Level 2 of defence in depth. Safety principle (242): physical protection of plant.
73
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
All
FSFs
aff
ecte
d:
cont
rolli
ng r
eact
ivity
, co
olin
g fu
el,
conf
inin
g ra
dio
activ
e m
ater
ial
Inad
equa
te p
lant
saf
ety
per
form
ance
due
to
def
icie
nt v
erifi
catio
n of
des
ign
by
safe
ty e
valu
atio
n
Reg
ulat
ory
safe
ty a
sses
smen
t la
ckin
g or
del
ayed
Ind
epen
den
t sa
fety
as
sess
men
t b
y ut
ility
lack
ing
or d
elay
ed
Saf
ety
issu
es
not
adeq
uate
ly
add
ress
ed b
y d
esig
ner
Reg
ular
co
ntac
ts b
etw
een
des
igne
r an
d u
tility
d
urin
g d
esig
n p
hase
Def
initi
on o
f che
ck
poi
nts
for
revi
ewin
g fin
al
des
ign
and
ad
equa
cy
of s
afet
y re
late
d it
ems
Co-
ord
inat
ed
safe
ty a
sses
smen
t of
des
ign,
man
ufac
ture
an
d c
onst
ruct
ion
Sp
ecifi
catio
n of
ou
tsta
ndin
g is
sues
to
be
reso
lved
dur
ing
cons
truc
tion
Pre
limin
ary
safe
ty
anal
ysis
rep
ort
sub
mitt
ed t
o re
gula
tor
in d
ue t
ime
Reg
ular
con
tact
s w
ith r
egul
ator
to
use
feed
bac
k in
des
ign
FIG
. 55.
Obj
ectiv
e tr
ee f
or L
evel
s 1–
4 of
def
ence
in d
epth
. Saf
ety
prin
cipl
e (2
46):
saf
ety
eval
uatio
n of
des
ign.
74
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
Deg
rade
d fu
nctio
nal c
apab
ility
of
item
s im
porta
nt to
saf
ety
due
to
limita
tions
in q
ualit
y ac
hiev
eddu
ring
man
ufac
ture
or c
onst
ruct
ion
All
FSFs
affe
cted
: co
ntro
lling
rea
ctiv
ity,
cool
ing
fuel
, con
finin
g ra
dioa
ctiv
e m
ater
ial
Inad
equa
te
spec
ificat
ion
for
man
ufac
ture
/con
stru
ctio
n of
item
s im
porta
nt to
saf
ety
Unq
ualif
ied
supp
liers
fo
r ite
ms
impo
rtan
t to
safe
ty
Lack
of c
ompl
ianc
e w
ith
spec
ified
QA
requ
irem
ents
by
man
ufac
ture
rs o
r co
nstru
ctor
s
Lack
of u
tiliti
es re
view
or
aud
it of
man
ufac
- tu
rers
and
con
tract
ors
prac
tices
and
doc
umen
ts
Cod
es a
nd
stan
dard
s co
ntai
ning
ac
cept
ance
crit
eria
fo
r nu
clea
r in
dust
ry
Com
pete
nt
unit
resp
onsi
ble
for
qual
ity o
f equ
ipm
ent
and
plan
t sup
plie
d
Arr
ange
men
ts fo
r m
anuf
actu
re,
cons
truc
tion
and
staf
f tra
inin
g
Sel
ectio
n of
org
ani-
za
tion
actin
g on
be
half
of o
pera
tor
in q
ualit
y m
atte
rs
Incl
usio
n of
con
tract
ors
into
QA
prog
ram
me
of o
pera
ting
orga
niza
tion
Det
aile
d sp
ecifi
catio
n fo
r pr
oces
ses
and
prod
ucts
Saf
ety
clas
sific
atio
n of
pl
ant c
ompo
nent
s an
d sy
stem
s
Form
al
proc
ess
for
sele
ctio
n of
qu
alifi
ed s
taff
Mai
nten
ance
of
reco
rds
on
qual
ifica
tion
and
trai
ning
of s
taff
Inde
pend
ent c
ertif
icat
ion
of c
ompe
tenc
e fo
r su
pplie
rs o
f im
porta
nt
safe
ty re
late
d eq
uipm
ent
Reg
ulat
ory
revi
ew
perf
orm
ed o
f im
port
ant s
afet
y re
late
d ite
ms
Rev
iew
and
aud
it of
pr
actic
es a
nd d
ocu-
m
enta
tion
of m
anu-
fa
ctur
ers/
cons
truct
ors
Sele
ctio
n of
man
ufac
ture
r ba
sed
on d
emon
stra
tion
of th
eir c
apab
ility
to m
eet
spec
ial r
equi
rem
ents
Pro
cedu
res
for
cont
rol o
f pr
oces
ses
and
docu
men
ts
Pro
cedu
res
for
setti
ng o
f ins
pect
ions
, te
st s
ched
ules
an
d ho
ld p
oint
s
Adeq
uate
met
hods
of
test
ing
and
insp
ectio
ns a
nd p
rom
pt
corre
ctiv
e ac
tions
Sat
isfa
ctor
y w
orki
ng
cond
ition
s fo
r st
aff
Pro
cedu
res
for
mai
nten
ance
of
rec
ords
Pro
cedu
res
for
iden
tific
atio
n an
d co
ntro
l of m
ater
ials
/ co
mpo
nent
s
Util
ity a
rran
gem
ents
fo
r re
view
an
d au
dit
Ext
erna
l org
aniz
atio
ns
cont
ract
ed fo
r re
view
an
d au
dit
FIG
. 56.
Obj
ectiv
e tr
ee f
or L
evel
s 1–
4 of
def
ence
in d
epth
. Saf
ety
prin
cipl
e (2
49):
ach
ieve
men
t of
qual
ity.
75
Deg
rade
d pl
ant p
erfo
rman
ce d
ue to
as-b
uilt
safe
ty re
late
d an
d ra
diat
ion
prot
ectio
n ite
ms
not
com
plyi
ng w
ith d
esig
n in
tent
No
com
pre
hens
ive
com
mis
sion
ing
pro
gram
me
Non
-eff
ectiv
e in
de-
pen
den
t re
gula
tory
revi
ew o
f com
mis
sion
ing
pro
gram
me
and
its
resu
lts
The
pro
gram
me
and
its
resu
lts s
ubje
ct t
osu
rvei
llanc
e an
d r
evie
wb
y th
e re
gula
tor
Sys
tem
atic
saf
ety
reas
sess
men
tp
erfo
rmed
thr
ough
out
pla
ntop
erat
iona
l life
time
Com
mis
sion
ing
pro
gram
me
est
ablis
hed
to
dem
onst
rate
com
plia
nce
of t
he p
lant
with
the
des
ign
inte
nt
Che
cks
and
tes
ts o
ffu
nctio
nal r
equi
rem
ents
not
pro
per
ly p
erfo
rmed
dur
ing
com
mis
sion
ing
Det
ecte
d w
eakn
esse
ssno
t p
rop
erly
corr
ecte
d
Rev
iew
of r
esul
ts u
sed
by
the
des
igne
r to
imp
rove
futu
re p
lant
sP
rogr
essi
ve t
estin
g: h
old
poi
nts
ensu
ring
adeq
uate
resu
lts b
efor
e re
sum
ptio
n of
syst
ems
test
sP
erfo
rman
ce o
fte
sts
in c
omb
inat
ion
und
er a
s re
alis
tic c
ond
ition
sas
pos
sib
leR
efer
ral o
f var
iatio
ns fr
omth
e d
esig
n in
tent
foun
d b
yte
sts
to t
he o
per
atin
gor
gani
zatio
n
Ope
ratin
g or
gani
zatio
n ve
rifie
sby
ana
lysi
s an
d te
stin
g th
at p
lant
ope
ratio
n co
ntin
ues
in li
ne w
ith O
LC,
saf
ety
requ
irem
ents
and
ana
lysi
s
All
FSFs
aff
ecte
d:
cont
rolli
ng r
eact
ivity
,co
olin
g fu
el, c
onfin
ing
rad
ioac
tive
mat
eria
l
Mec
hani
sms:
Pro
visi
ons:
Cha
lleng
es:
Saf
ety
func
tions
:
FIG
. 57.
Obj
ectiv
e tr
ee f
or L
evel
s 1–
3 of
def
ence
in d
epth
. Saf
ety
prin
cipl
e (2
55):
ver
ific
atio
n of
des
ign
and
cons
truc
tion.
76
All
FSFs
aff
ecte
d:
cont
rolli
ng r
eact
ivity
, co
olin
g fu
el, c
onfin
ing
rad
ioac
tive
mat
eria
l
Item
s im
porta
nt to
saf
ety
not i
n co
mpl
ianc
e w
ith d
esig
n in
tent
with
resp
ect t
o th
eir
miti
gativ
e fe
atur
es fo
r BD
BAs
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
Rad
iatio
n pr
otec
tion
item
s no
t in
com
plia
nce
with
des
ign
inte
nt w
ith re
spec
t to
thei
r m
itiga
tive
feat
ures
for B
DB
As
Sou
rces
of
exp
osur
e no
t en
tirel
y un
der
co
ntro
l
Non
-cor
rect
ion
of
wea
knes
ses
det
ecte
d
Seq
uenc
e of
tes
ting
not
adeq
uate
with
re
spec
t to
top
ics
and
pha
ses
No
com
ple
te t
est
of c
omp
onen
ts
and
sys
tem
s un
der
real
istic
con
diti
ons
Com
mis
sion
ing
pro
gram
me
not
cont
rolle
d b
y re
gula
tor
Che
cks
and
te
sts
not
pro
- p
erly
don
e d
u-
ring
com
mis
sion
ing
Com
mis
sion
ing
prog
ram
me
esta
blis
hed
to d
emon
stra
te
com
plia
nce
of th
e pl
ant
with
the
desi
gn in
tent
Pro
gram
me
and
its
resu
lts s
ubje
ct to
su
rvei
llanc
e an
d re
view
by
the
regu
lato
r
Ref
erra
l of v
aria
tions
fr
om t
he d
esig
n in
tent
fo
und
by
test
s to
the
op
erat
ing
orga
niza
tion
Rev
iew
of r
esul
ts
used
by
des
igne
r to
imp
rove
fu
ture
pla
nts
Pro
gres
sive
test
ing:
hold
po
ints
ens
urin
g ad
equa
te re
sults
be
fore
pro
ceed
ing
Per
form
ance
of
test
s in
com
bin
atio
n un
der
as
real
istic
co
nditi
ons
as p
ossi
ble
Saf
ety
pro
visi
ons
in t
he p
lant
and
ou
tsid
e p
rep
ared
to
miti
gate
har
m
Com
mis
sion
ing
test
s co
nduc
ted
: co
nstr
uctio
n un
til
full
pow
er
FIG
. 58.
Obj
ectiv
e tr
ee f
or L
evel
4 o
f de
fenc
e in
dep
th. S
afet
y pr
inci
ple
(255
): v
erif
icat
ion
of d
esig
n an
d co
nstr
uctio
n.
77
All
FSFs
aff
ecte
d:
cont
rolli
ng r
eact
ivity
, co
olin
g fu
el, c
onfin
ing
rad
ioac
tive
mat
eria
l
Func
tiona
l cap
abili
ty o
f saf
ety
rela
ted
eq
uip
men
t co
mp
rom
ised
b
y d
efic
ient
func
tiona
l te
st p
roce
dur
es
Func
tiona
l tes
t p
roce
dur
es fo
r sa
fety
rel
ated
eq
uip
men
t no
t va
lidat
ed
Use
of c
omm
issi
onin
g p
hase
to
chec
k m
etho
ds
to
be
used
in fu
nctio
nal t
estin
g of
eq
uip
men
t re
late
d t
o sa
fety
Use
of d
esig
n an
d s
afet
y re
por
t d
ata
for
valid
atio
n of
func
tiona
l te
st p
roce
dur
es fo
r eq
uip
men
t re
late
d t
o sa
fety
Use
of s
imul
ator
for
staf
f p
rep
arat
ion,
tra
inin
g an
d
pla
nt fa
mili
ariz
atio
n
Use
of s
imul
ator
for
valid
atio
n of
pro
ced
ures
for
norm
al
oper
atio
n
Invo
lvem
ent
of p
lant
op
erat
iona
l sta
ff in
co
mm
issi
onin
g at
an
ear
ly s
tage
Use
of c
omm
issi
onin
g p
hase
fo
r te
stin
g an
d u
pd
atin
g of
p
roce
dur
es fo
r no
rmal
op
erat
ion
Pro
ced
ures
for
norm
al p
lant
op
erat
ion
not
valid
ated
Op
erat
or a
ctio
n co
mp
rom
ised
by
def
icie
nt
oper
atin
g p
roce
dur
es
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
FIG
. 59.
Obj
ectiv
e tr
ee fo
r L
evel
s 1–
4 of
def
ence
in d
epth
. Saf
ety
prin
cipl
e (2
58):
val
idat
ion
of o
pera
ting
and
func
tiona
l tes
t pro
cedu
res.
78
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
All
FS
Fs
affe
cted
: co
ntro
lling
rea
ctiv
ity,
coo
ling
fue
l, co
nfin
ing
ra
dio
activ
e m
ater
ial
Und
etec
ted
deg
rad
atio
n o
f fu
nctio
nal
per
form
ance
of
item
s im
po
rtan
t to
sa
fety
(par
ticul
arly
bar
riers
) d
ue t
o la
ck o
f b
asel
ine
dat
a
No
pre
-ser
vice
b
asel
ine
dat
a fo
r R
CS
pre
ssur
e b
oun
dar
y
Inad
equa
te b
asel
ine
dat
a fo
r sy
stem
s o
r co
mp
one
nts
Co
llect
ion
of
bas
elin
e d
ata
dur
ing
co
mm
issi
oni
ng
and
ear
ly o
per
atio
n
Pre
-ser
vice
insp
ectio
n an
d t
ests
of
RP
V
Pre
-ser
vice
insp
ectio
n an
d t
ests
of
RP
B
Sur
veill
ance
pro
gra
mm
e fo
r d
etec
tion
of
com
po
nent
deg
rad
atio
n D
iag
nost
ic s
yste
m f
or
rout
inel
y m
oni
tore
d s
afet
y p
aram
eter
s C
olle
ctio
n an
d r
eten
tion
of
bas
elin
e d
ata
on
syst
ems
and
co
mp
one
nts
Dia
gno
stic
sys
tem
fo
r tr
end
ana
lysi
s in
clud
ing
req
uire
d d
ata
FIG
. 60
. O
bjec
tive
tree
for
Lev
els
1–4
of d
efen
ce i
n de
pth
(RC
S, r
eact
or c
oola
nt s
yste
m; R
PV
, rea
ctor
pre
ssur
e ve
ssel
; RP
B,
reac
tor
pres
sure
bou
ndar
y). S
afet
y pr
inci
ple
(260
): c
olle
ctio
n of
bas
elin
e da
ta.
79
Com
mis
sion
ing
prog
ram
me
to d
eter
min
eas
-bui
lt ch
arac
teris
tics
Doc
umen
tatio
nof
com
mis
sion
ing
test
s
Sys
tem
s pe
rfor
man
ce te
sted
and
adju
sted
to d
esig
n va
lues
and
safe
ty a
naly
ses
with
mar
gin
Per
form
ance
of a
s-bu
iltsy
stem
s de
term
ined
and
wel
l doc
umen
ted
Pre
vent
ion
of tr
ansi
tion
to th
e ne
xt c
omm
issi
onin
gte
st b
efor
e im
plem
enta
tion
of m
easu
res
Sys
tem
s no
t ade
quat
ely
test
ed a
nd a
djus
ted
durin
g co
mm
issi
onin
g
Ope
ratio
nal l
imits
and
con
ditio
ns m
odifi
ed to
com
ply
with
as-
built
sys
tem
s
Saf
ety
anal
ysis
mod
ified
to p
erfo
rman
ceof
as-
built
sys
tem
s
Pla
nt s
imul
ator
mod
ified
to c
ompl
y w
ithas
-bui
lt sy
stem
s
Ope
ratin
g pr
oced
ures
mod
ified
to p
erfo
rman
ceof
as-
built
sys
tem
s
Ope
rato
r tra
inin
gm
odifi
ed to
com
ply
with
as-
built
sys
tem
s
Res
ults
of c
omm
issi
onin
gte
sts
for p
roce
ss a
nd s
afet
ysy
stem
s no
t util
ized
pro
perly
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
All
FSFs
affe
cted
: co
ntro
lling
reac
tivity
; co
olin
g fu
el, c
onfin
ing
radi
oact
ive
mat
eria
l
Deg
rade
d pl
ant s
afet
y pe
rfor
man
ce c
ause
d by
as-
built
pro
cess
and
saf
ety
syst
ems
bein
g no
t com
plia
nt w
ith d
esig
n in
tent
FIG
. 61.
Obj
ectiv
e tr
ee f
or L
evel
s 1–
4 of
def
ence
in d
epth
. Saf
ety
prin
cipl
e (2
62):
pre
-ope
ratio
nal a
djus
tmen
t of
plan
t.
80
Fina
ncia
lTe
chni
cal
sup
por
tM
ater
ial
Che
mis
try
Rad
iolo
gica
lp
rote
ctio
nO
ther
sta
ffre
sour
ces
e.g.
mai
nten
ance
All F
SFs
affe
cted
: co
ntro
lling
reac
tivity
, co
olin
g fu
el, c
onfin
ing
radi
oact
ive
mat
eria
l
Deg
rad
ed r
esp
on-
sib
ility
of o
per
atin
g or
gani
zatio
n fo
r sa
fe o
per
atio
n
Deg
rad
ed s
taff
ac
tions
in
norm
al
oper
atio
ns
Deg
rad
ed s
taff
ac
tions
in
acci
den
t si
tuat
ions
an
d b
eyon
d
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
Imp
orta
nt
elem
ents
for
achi
evin
g sa
fety
no
t es
tab
lishe
d
Op
erat
ion
not
gove
rned
b
y sa
fety
Res
ourc
es
not
pro
vid
ed
by
exec
utiv
e m
anag
emen
t
Mis
sing
or
inco
mp
lete
jo
b
des
crip
tions
Loss
of
co
rpor
ate
mem
ory
Insu
ffic
ient
nu
mb
er o
f q
ualif
ied
st
aff
Und
ue s
tres
s or
d
elay
in
act
iviti
es
Wea
k su
per
visi
on
dur
ing
per
iod
s of
exc
eptio
nal
wor
kloa
d
Insu
ffic
ient
st
affin
g sp
ecifi
catio
ns
Sta
ff no
t qua
lifie
d fo
r spe
cial
task
s;
emer
genc
y se
rvic
e no
t ava
ilabl
e
Res
pon
sib
le
pla
nt m
anag
er
in p
lace
Org
aniz
atio
nal
stru
ctur
e un
der
p
lant
man
ager
in
pla
ce
Exe
cutiv
e m
anag
emen
t su
pp
orts
p
lant
man
ager
Imp
lem
enta
tion
and
enf
orce
men
t of
saf
ety
cultu
re
prin
cip
les
Exec
utiv
e m
anag
emen
t pr
ovid
es re
sour
ces
to o
pera
tion
Job
d
escr
iptio
ns
to s
tate
resp
onsi
bili
ties
Long
ter
m
int.
tra
inin
g p
rogr
amm
e fo
r cr
ucia
l sta
ff
Sha
ring
of
exp
erie
nce
of
seni
or e
xper
ts
with
new
sta
ff
Com
pet
itive
co
nditi
ons
for
nece
ssar
y ex
per
tise
Mai
ntai
ning
m
otiv
atio
n of
sta
ff du
ring
shut
dow
n pe
riods
Mai
ntai
ning
do
cum
enta
tion
impo
rtan
t for
co
rpor
ate
mem
ory
Sup
por
t of
go
od s
tud
ents
in
rel
evan
t ar
eas
Eno
ugh
qua
lifie
d s
taff
ar
e em
plo
yed
Ap
pro
pria
te
sche
dul
e fo
r no
rmal
ac
tiviti
es
Ap
pro
pria
te
sche
dul
e fo
r su
per
visi
on b
y ex
tern
al e
xper
ts
Bac
kup
fo
r ke
y p
ositi
ons
Taki
ng
acco
unt
of
attr
ition
Res
erva
tion
of t
ime
for
retr
aini
ng
Qua
lifie
d s
taff
fo
r d
amag
e as
sess
men
t an
d c
ontr
ol
Qua
lifie
d
staf
ffo
r A
MP
Qua
lifie
d
staf
f fo
r fir
e fig
htin
g
Qua
lifie
d
staf
f fo
r fir
st a
id
trea
tmen
t
Qua
lifie
d
staf
f for
on-
an
d o
ff-s
ite
mon
itorin
g
Em
erge
ncy
serv
ices
in
the
lo
calit
y
FIG
. 62
. O
bjec
tive
tree
for
Lev
els
1–4
of d
efen
ce i
n de
pth
(AM
P, a
ccid
ent
man
agem
ent
prog
ram
me)
. Sa
fety
pri
ncip
le (
265)
: or
gani
zatio
n, r
espo
nsib
ilitie
s an
d st
affi
ng.
81
Inde
pend
ent p
lant
unit
sepa
rate
from
oper
atio
n fo
r pl
ant
safe
ty r
evie
w
Saf
ety
revi
ewre
port
ing
lines
dire
ctly
esta
blis
hed
tose
nior
man
agem
ent
Use
of e
xter
nal s
uppo
rt fo
rin
depe
nden
t saf
ety
revi
ew(s
ee S
P (2
96))
Lack
of i
ndep
ende
nce
in r
evie
win
g ro
utin
epl
ant s
afet
y
Rep
ortin
g on
pla
nt d
efi-
cien
cies
loca
lly a
nd a
tsi
mila
r pl
ants
(see
SP
(299
))
Day
to d
ayas
sess
men
t of o
pera
tiona
lsa
fety
Exa
min
atio
nof
abn
orm
al e
vent
s(s
ee S
P (2
99))
Rev
iew
s of
val
idity
of m
odifi
catio
nsto
pro
cedu
res,
trai
ning
pro
-gr
amm
e, li
mits
and
con
ditio
ns,
and
syst
ems
desi
gn
Non
-com
preh
ensi
vesa
fety
rev
iew
of
rout
ine
oper
atio
n
Abn
orm
al p
lant
man
oeuv
res
Maj
or p
lant
eng
inee
ring
Spe
cial
pro
cedu
res
Unu
sual
test
s or
exp
erim
ents
Inde
pend
ent r
evie
ww
ithin
the
form
al a
ppro
val
proc
ess
for:
Inad
equa
te s
afet
y re
view
of u
nusu
al c
onfig
urat
ion
or c
ondi
tions
Und
etec
ted
degr
adat
ion
ofpl
ant o
pera
tiona
l saf
ety
due
to n
on-e
ffect
ive
safe
tyre
view
pro
cedu
res
All
FSFs
affe
cted
:co
ntro
lling
rea
ctiv
ity,
cool
ing
fuel
,co
nfin
ing
radi
oact
ive
mat
eria
lS
afet
y fu
nctio
ns:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
:
FIG
. 63.
Obj
ectiv
e tr
ee f
or L
evel
s 1–
4 of
def
ence
in d
epth
. Saf
ety
prin
cipl
e (2
69):
saf
ety
revi
ew p
roce
dure
s.
82
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
All
FSFs
affe
cted
: co
ntro
lling
reac
tivity
, co
olin
g fu
el, c
onfin
ing
radi
oact
ive
mat
eria
l
Sta
ff un
able
to
saf
ely
oper
ate
the
plan
t
Lack
of
sa
fety
cul
ture
Ope
ratio
ns
cond
ucte
d ou
tsid
e of
pr
oced
ures
Lack
of
qual
ified
st
aff
Sta
ff on
dut
y no
t ale
rt o
r m
enta
lly
impa
ired
Lack
of
info
rmat
ion
on p
lant
sa
fety
sta
tus
Env
ironm
ent
not
cond
uciv
e to
saf
ety
Inad
equa
te
resp
onse
of
in
divi
dual
s
Lack
of
adhe
renc
e to
app
rove
d pr
oced
ures
Ope
ratio
ns
cond
ucte
d by
un
auth
oriz
ed
pers
onne
l
Sta
ff ad
equa
tely
qu
alifi
ed a
nd
trai
ned
Mea
sure
s to
ens
ure
heal
th a
nd fi
tnes
s of
dut
y pe
rson
nel
Con
tinuo
us
mon
itorin
g of
pl
ant s
tatu
s
Des
ired
beha
viou
r re
info
rced
by
sup
ervi
sors
an
d m
anag
ers
Saf
ety
awar
enes
s of
act
iviti
es a
nd
pote
ntia
l err
ors
Hie
rarc
hy o
f ap
prov
ed
proc
edur
es
Adm
inis
trat
ive
proc
edur
es to
pre
vent
un
auth
oriz
ed
actio
ns
Qua
lific
atio
n re
quire
men
ts
for
auth
oriz
ed
staf
f
Dis
cipl
inar
y ac
tions
fo
r al
coho
l an
d dr
ug a
buse
Con
trol
roo
m
data
che
ckin
g an
d re
cord
ing
Avo
idan
ce o
f in
appr
opria
te
wor
k pa
tter
ns
Que
stio
ning
at
titud
e fa
cing
unu
sual
ph
enom
ena
Upd
ated
w
ritte
n pr
oced
ures
Phy
sica
l fea
ture
s to
avo
id in
tent
iona
l or
uni
nten
tiona
l ac
ts
Form
al
com
mun
icat
ion
syst
em
with
reco
rded
and
re
triev
able
info
rmat
ion
Str
ong
cont
rol
of
mai
nten
ance
an
d su
rvei
llanc
e
Att
entio
n to
goo
d ho
usek
eepi
ng
Sta
ff di
scip
line
Rig
orou
s an
d pr
uden
t re
spon
se to
al
arm
s
Pro
mpt
re
med
ial a
ctio
ns
to d
etec
ted
defic
ienc
ies
App
ropr
iate
leve
l of
app
rova
l for
de
viat
ions
from
pr
oced
ures
Phy
sica
l pro
tect
ion
feat
ures
and
m
easu
res
(see
SP
(24
2))
FIG
. 64.
Obj
ectiv
e tr
ee f
or L
evel
1 o
f de
fenc
e in
dep
th. S
afet
y pr
inci
ple
(272
): c
ondu
ct o
f op
erat
ions
.
83
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
All
FSFs
aff
ecte
d:
cont
rolli
ng r
eact
ivity
, co
olin
g fu
el, c
onfin
ing
rad
ioac
tive
mat
eria
l
Rou
tine
staf
f act
iviti
es
pote
ntia
lly c
ompr
omis
ing
safe
ty d
ue to
ove
rall
lack
of
qua
lifie
d pe
rson
nel
Deg
rad
ed p
lant
saf
ety
per
form
ance
due
to
inap
pro
pria
te s
afet
y m
anag
emen
t
Unq
ualif
ied
con
duc
t of
con
trol
roo
m
oper
atio
ns w
ith li
mite
d
or d
egra
ded
kno
wle
dge
Failu
res
of p
lant
sy
stem
s in
itiat
ed o
r re
sulti
ng fr
om
unq
ualif
ied
mai
nten
ance
Insu
ffic
ient
d
evel
opm
ent
of s
afet
y aw
aren
ess
Inef
fect
ive
staf
f tr
aini
ng
Sp
ecia
lized
m
anag
emen
t tr
aini
ng
insu
ffic
ient
Deg
rad
ed o
r ou
t-of
-dat
e kn
owle
dge
Lim
ited
the
oret
ical
an
d p
ract
ical
kn
owle
dge
of
the
pla
nt
Sp
ecia
lized
m
aint
enan
ce
staf
f tra
inin
g in
suff
icie
nt
Com
pre
hens
ive
trai
ning
p
rogr
amm
e fo
r al
l sta
ff
Sup
por
t of
tra
inin
g or
gani
zatio
n w
ith
suff
icie
nt r
esou
rces
an
d fa
cilit
ies
Incl
usio
n of
saf
ety
cultu
re p
rinci
ple
s in
to t
rain
ing
Avo
idan
ce o
f con
flict
w
ith p
rod
uctio
n ne
eds
and
tra
inin
g of
per
sonn
el
Ass
essm
ent
and
im
pro
vem
ent
of
trai
ning
pro
gram
me
Trai
ning
of
ext
erna
l per
sonn
el
and
co-
oper
atio
n w
ith p
lant
per
sonn
el
Ap
pro
val o
f tr
aini
ng
pro
gram
me
by
regu
lato
ry b
ody
Incl
usio
n of
tes
ts
of a
ll p
erso
nnel
in
to t
rain
ing
pro
gram
me
Sys
tem
atic
ap
pro
ach
to
trai
ning
Incl
usio
n of
a v
arie
ty o
f as
pect
s: n
eutr
onic
s, T
H,
radi
olog
ical
, tec
hnol
ogic
al,
into
trai
ning
Imp
orta
nce
of
mai
ntai
ning
fund
amen
tal
safe
ty fu
nctio
ns
into
tra
inin
g
Imp
orta
nce
of
mai
ntai
ning
pla
nt
limits
and
con
diti
ons
into
tra
inin
g
Incl
usio
n of
pla
nt la
yout
, ro
le a
nd lo
catio
n of
im
port
ant c
ompo
nent
s an
d sy
stem
s in
to tr
aini
ng
Incl
usio
n of
loca
tion
of ra
- m
ater
ials
and
mea
sure
s to
pre
vent
thei
r di
sper
sal i
nto
trai
ning
Cov
erin
g p
lant
nor
mal
, ab
norm
al a
nd a
ccid
ent
cond
ition
s in
tra
inin
g
Incl
usio
n of
rel
evan
t p
lant
wal
k-th
roug
h in
to s
taff
tr
aini
ng
Inte
rval
s fo
r re
fres
hmen
t tr
aini
ng s
pec
ified
Prio
rity
of s
afet
y ov
er
pro
duc
tion
in t
rain
ing
Rol
e of
man
ager
s in
en
surin
g p
lant
sa
fety
Incl
usio
n of
PS
A
resu
lts in
to
trai
ning
Fam
iliar
izat
ion
with
re
sults
of
acci
den
t an
alys
is
with
in D
BA
s
Ana
lysi
s of
op
erat
iona
l exp
erie
nce
feed
bac
k fr
om s
ame
or s
imila
r p
lant
s
Det
aile
d
trai
ning
ab
out
norm
al o
per
atin
g p
roce
dur
es
Pla
nt
fam
iliar
izat
ion
and
on
the
job
tr
aini
ng
Sim
ulat
or
trai
ning
for
pla
nt o
per
atin
g re
gim
es
Incl
usio
n of
ana
lysi
s of
op
erat
ing
even
ts
into
tra
inin
g
Arr
ange
men
t fo
r fo
rmal
ap
pro
val
(lice
nsin
g) o
f op
erat
ors
Incl
usio
n of
PS
A
resu
lts
into
tr
aini
ng
Fam
iliar
izat
ion
of s
taff
w
ith r
esul
ts o
f ac
cid
ent
anal
ysis
w
ithin
DB
A
Det
ails
of a
ccid
ents
w
ithin
DB
As
incl
udin
g d
iagn
ostic
ski
lls
Det
aile
d E
OP
tra
inin
g,
retr
aini
ng a
nd t
estin
gof
op
erat
ing
per
sonn
el
Em
pha
sis
on t
eam
w
ork
and
co
ord
inat
ion
of
activ
ities
Use
of p
lant
full
scop
e si
mul
ator
in
trai
ning
for
acci
den
ts
with
in D
BA
s
Ana
lysi
s of
act
ual t
rans
ient
s an
d a
ccid
ents
in
sim
ilar
pla
nts
On
the
job
tr
aini
ng
Use
of s
pec
ial
equi
pm
ent
and
m
ock-
ups
in t
rain
ing
Pot
entia
l saf
ety
cons
eque
nces
of
tec
hnic
al o
r p
roce
dur
al e
rror
s
Rec
ord
s of
re
liab
ility
and
faul
ts
of p
lant
sys
tem
s d
urin
g m
aint
enan
ce
Ana
lysi
s of
spu
rious
in
itiat
ion
of e
vent
s an
d ac
tivat
ion
of p
lant
sys
tem
s du
ring
mai
nten
ance
FIG
. 65.
Obj
ectiv
e tr
ee f
or L
evel
s 1–
3 of
def
ence
in d
epth
(T
H, t
herm
ohyd
raul
ic).
Saf
ety
prin
cipl
e (2
78):
trai
ning
(se
e al
so S
P (
323)
).
84
Dev
elop
men
t of
har
mon
ized
set
of O
LC t
o av
oid
sys
tem
inte
rfer
ence
sO
LC b
ased
on
cons
erva
tive
anal
ysis
Rev
iew
and
mod
ifica
tion
of O
LC a
ccor
din
g to
exp
erie
nce
Form
al a
pp
rova
l of O
LCac
cord
ing
to t
heir
safe
tysi
gnifi
canc
eD
ocum
enta
tion
of a
ll d
ecis
ions
from
OLC
and
act
ions
tak
en
Con
trol
roo
mC
ond
ition
sfo
r te
mp
orar
ysu
spen
sion
Saf
ety
func
tions
:
Mec
hani
sms:
Cha
lleng
es:
Pro
visi
ons:
Con
duct
of o
pera
tions
out
side
pr
oven
saf
e bo
unda
ries
due
to
inap
prop
riate
set
of o
pera
tiona
l lim
its a
nd c
ondi
tions
All
FSFs
aff
ecte
d:
cont
rolli
ng r
eact
ivity
, co
olin
g fu
el, c
onfin
ing
rad
ioac
tive
mat
eria
l
Ope
ratin
g va
riabl
es a
nd
cond
ition
s ou
tsid
e th
e re
gion
co
nser
vativ
ely
dem
onst
rate
d to
be
safe
Deg
rad
ed in
stru
men
tatio
n m
easu
rem
ents
for
key
safe
ty
varia
ble
s
Inad
equa
te s
ettin
g of
saf
ety
syst
em
actu
atio
n se
t p
oint
s
Insu
ffic
ient
rea
din
ess
or a
vaila
bili
ty o
f sa
fety
sys
tem
s
Insu
ffic
ient
num
ber
of
staf
f fo
r op
erat
ions
Una
utho
rized
p
lant
co
nfig
urat
ion
or t
ests
Dev
elop
OLC
d
efin
ed fo
r al
l mod
es
of o
per
atio
n
Sp
ecify
and
fo
llow
sta
ffin
g re
qui
rem
ents
for
oper
atio
n
Sur
veill
ance
p
rogr
amm
e im
ple
men
ted
co
mp
lyin
g w
ith O
LC
Con
ditio
ns a
re
defin
ed b
ased
on
the
relia
bilit
y an
d re
spon
se e
xpec
ted
FIG
. 66.
Obj
ectiv
e tr
ee f
or L
evel
s 1–
3 of
def
ence
in d
epth
(O
LC
, ope
ratio
nal l
imits
and
con
ditio
ns).
Saf
ety
prin
cipl
e (2
84):
ope
ratio
nal
limits
and
con
ditio
ns.
85
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
All
FSFs
aff
ecte
d:
cont
rolli
ng r
eact
ivity
, co
olin
g fu
el, c
onfin
ing
rad
ioac
tive
mat
eria
l
Op
erat
ions
con
duc
ted
out
sid
e p
rove
n sa
fe b
ound
arie
s, w
ith
viol
atio
n of
the
aut
horiz
ed
limits
and
con
diti
ons
Lack
of
adhe
renc
e to
ap
pro
ved
p
roce
dur
es
Def
icie
ncie
s in
th
e se
t of
no
rmal
op
erat
ing
pro
ced
ures
Suf
ficie
ntly
det
aile
d o
per
atin
g p
roce
dur
es b
ased
on
pla
nt d
esig
n an
d s
afet
y an
alys
is
Incl
usio
n of
sp
ecifi
catio
ns fo
r p
erio
dic
te
stin
g, c
alib
ratio
n an
d in
spec
tion
of s
afet
y sy
stem
s
Imp
lem
enta
tion
of s
pec
ial c
ontr
ols
and
pro
ced
ures
for
spec
ial t
ests
In p
roce
dur
es fo
r co
re
load
ing
and
unl
oad
ing
atte
ntio
n is
pai
d t
o av
oid
ing
criti
calit
y or
oth
er a
ccid
ents
Ad
min
istr
ativ
e p
roce
dur
e w
ith r
ules
for
dev
elop
men
t,
valid
atio
n, a
ccep
tanc
e,
mod
ifica
tion
and
with
dra
wal
Incl
usio
n of
cha
nges
of o
per
atin
g st
ates
, low
pow
er o
per
atio
n, t
est
cond
ition
s an
d s
afet
y sy
stem
s un
avai
lab
ility
Est
ablis
hed
rul
es,
regu
lato
ry r
equi
rem
ents
an
d Q
A c
ontr
ols
are
fulfi
lled
Op
erat
iona
l lim
its a
nd c
ond
ition
s ar
e no
t ex
ceed
ed b
ecau
se o
f d
efic
ienc
ies
in n
orm
al
oper
atin
g p
roce
dur
es
Op
erat
ing
per
sonn
el
are
app
rop
riate
ly
qua
lifie
d
Op
erat
ors
are
trai
ned
on
maj
or r
evis
ions
p
rior
to t
heir
imp
lem
enta
tion
Op
erat
ing
pro
ced
ures
ar
e id
entif
ied
and
acc
essi
ble
in
cont
rol r
oom
and
oth
er
nece
ssar
y lo
catio
ns
FIG
. 67.
Obj
ectiv
e tr
ee f
or L
evel
1 o
f de
fenc
e in
dep
th (
QA
, qua
lity
assu
ranc
e). S
afet
y pr
inci
ple
(288
): n
orm
al o
pera
ting
proc
edur
es.
86
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
All
FS
Fs
affe
cted
: co
ntro
lling
rea
ctiv
ity,
coo
ling
fue
l, co
nfin
ing
ra
dio
activ
e m
ater
ial
Inad
equa
te o
per
ato
r re
spo
nse
to a
bno
rmal
or
acci
den
t co
nditi
ons
due
to
lack
of
app
rop
riate
inst
ruct
ions
Inad
equa
te
sele
ctio
n o
f E
OP
s b
y th
e o
per
ato
r in
cas
e o
f ne
ed
No
n-co
mp
rehe
nsiv
e se
t o
f E
OP
s
EO
Ps
inad
equa
te
for
bey
ond
d
esig
n b
asis
co
nditi
ons
Imp
rove
men
t o
f d
iag
nosi
s in
stru
men
tatio
n an
d d
isp
lay
Dev
elo
pm
ent
and
im
ple
men
tatio
n o
f ap
pro
pria
te t
rain
ing
p
rog
ram
me
Imp
lem
enta
tion
of
ind
epen
den
t d
iag
nosi
s p
roce
dur
e an
d a
ssig
nmen
t o
f in
dep
end
ent
per
son
Dev
elo
pm
ent
of
pro
ced
ures
fo
r b
oth
D
BA
s an
d B
DB
As
Imp
lem
enta
tion
of
even
t o
rient
ed
pro
ced
ures
Imp
lem
enta
tion
of
sym
pto
m o
rient
ed
pro
ced
ures
Inst
ruct
ions
fo
r lo
ng t
erm
re
cove
ry
actio
ns
Act
ions
fo
r lim
itatio
n o
f ra
dio
log
ical
co
nseq
uenc
es
See
SP
(323
)
FIG
. 68.
Obj
ectiv
e tr
ee f
or L
evel
s 2–
4 of
def
ence
in d
epth
. Saf
ety
prin
cipl
e (2
90):
em
erge
ncy
oper
atin
g pr
oced
ures
.
87
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
SF(
12) a
ffect
ed: t
o lim
it ra
dioa
ctiv
e re
leas
es
from
the
cont
ainm
ent u
nder
acc
iden
t con
ditio
ns
SF(
15) a
ffect
ed: t
o m
aint
ain
cont
rol o
f env
ironm
enta
l co
nditi
ons
with
in th
e pl
ant
Rad
iatio
n ex
posu
re a
bove
pr
escr
ibed
lim
its d
ue to
in
effe
ctiv
e ra
diat
ion
prot
ectio
n m
easu
res
Inad
equa
te r
adia
tion
prot
ectio
n pr
oced
ures
(se
e S
P (1
88))
Rad
iatio
n pr
otec
tion
mea
sure
s no
t pro
vide
d by
spe
cial
ized
sta
ff
Lack
of a
utho
rity
of
radi
atio
n pr
otec
tion
staf
f
Lack
of s
peci
al
equi
pmen
t for
crit
ical
in
-pla
nt a
ctiv
ities
Rad
iatio
n pr
otec
tion
prog
ram
me
esta
blis
hed
at th
e pl
ant
Mea
sure
men
t of
radi
oact
ivity
leve
l in
key
are
as
Mon
itorin
g of
rad
io-
activ
e ef
fluen
ts fr
om
plan
t
Mon
itorin
g of
was
te
prep
arat
ion
for
stor
age
Mot
ivat
ion
of
wor
kers
to c
ontr
ol
thei
r do
ses
Mon
itorin
g of
cle
anup
of
con
tam
inat
ion
Per
sonn
el d
ose
mon
itorin
g an
d re
cord
s
Cle
ar p
roce
dure
s on
ra
diat
ion
prot
ectio
n
Suf
ficie
ntly
edu
cate
d an
d tr
aine
d st
aff
avai
labl
e at
the
plan
t
Sta
ffing
pro
vide
d fo
r ea
ch r
adia
tion
prot
ectio
n ta
sk
Res
pons
ibili
ties
in
emer
genc
ies
esta
blis
hed
Dire
ct r
epor
ting
of r
adia
tion
prot
ectio
n st
aff t
o pl
ant m
anag
er
Eas
y ac
cess
of
radi
atio
n pr
otec
tion
staf
f to
plan
t man
ager
Spe
cial
equ
ipm
ent
to p
rote
ct w
orke
rs
durin
g in
-pla
nt a
ctiv
ities
Spe
cial
tech
nica
l mea
ns
to p
reve
nt u
naut
horiz
ed
acce
ss to
rad
iatio
n ar
eas
Trai
ning
of w
orke
rs
to u
se s
peci
al
equi
pmen
t
FIG
. 69.
Obj
ectiv
e tr
ee f
or L
evel
s 1–
4 of
def
ence
in d
epth
. Saf
ety
prin
cipl
e (2
92):
rad
iatio
n pr
otec
tion
proc
edur
es.
88
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
Eng
inee
ring
and
tech
nica
l su
ppor
t ina
dequ
ate
to
mai
ntai
n re
quire
d ca
pabi
lity
of
disc
iplin
es im
port
ant t
o sa
fety
All
FS
Fs
affe
cted
: co
ntro
lling
rea
ctiv
ity,
coo
ling
fue
l, co
nfin
ing
ra
dio
activ
e m
ater
ial
Ove
rall
lack
o
f ex
per
tise
in t
he c
oun
try
Insu
ffic
ient
co
ord
inat
ion
of
tech
nica
l su
pp
ort
fo
r N
PP
s
Lack
of
reso
urce
s fo
r co
mp
rehe
nsiv
e en
gin
eerin
g a
nd
tech
nica
l sup
po
rt
Insu
ffic
ient
ex
per
tise
in
tech
nica
l sup
po
rt
org
aniz
atio
ns
Ed
ucat
ion
and
tra
inin
g
pro
vid
ed (l
inks
with
un
iver
sitie
s, e
tc.)
Co
ntac
t to
fo
reig
n p
artn
ers
or
inte
rnat
iona
l o
rgan
izat
ions
Est
ablis
hmen
t o
f lin
ks w
ith t
he p
lant
su
pp
liers
Sup
po
rt f
rom
re
leva
nt
rese
arch
p
rog
ram
mes
Def
initi
on
of
nece
ssar
y ex
per
tise
need
ed
to e
nsur
e p
lant
saf
ety
thro
ugho
ut li
fetim
e
Inte
rnal
gro
up f
or
sup
po
rt o
f o
per
atio
n; in
de-
p
end
ent
asse
ssm
ent
and
co
ntro
l by
exte
rnal
sup
po
rt
Str
ateg
y fo
r as
sist
ance
in
eva
luat
ion
of
even
ts,
pla
nt m
od
ifica
tions
, rep
airs
, te
sts
and
ana
lytic
al s
upp
ort
Link
s an
d c
lear
in
terf
aces
with
ext
erna
l te
chni
cal s
upp
ort
o
rgan
izat
ions
Incl
usio
n o
f re
sults
of
rese
arch
p
rog
ram
mes
into
te
chni
cal s
upp
ort
Mo
re e
ffic
ient
use
of
exp
ertis
e o
f p
lant
p
erso
nnel
Sha
ring
of
reso
urce
s w
ith
oth
er o
rgan
izat
ions
ha
ving
sim
ilar
need
s
Use
of
reso
urce
s fr
om
inte
rnat
iona
l sp
ons
ors
hip
p
rog
ram
mes
Ava
ilab
ility
of
suff
icie
nt
reso
urce
s to
co
ntra
ct
exte
rnal
o
rgan
izat
ions
Eva
luat
ion
of
exp
ertis
e av
aila
ble
and
dev
elo
pm
ent
of
lack
ing
exp
ertis
e su
pp
ort
ed
Invo
lvem
ent
of
seve
ral
eng
inee
ring
and
te
chni
cal s
upp
ort
o
rgan
izat
ions
Ad
equa
te
qua
lity
assu
ranc
e p
rog
ram
mes
in t
echn
ical
su
pp
ort
org
aniz
atio
ns
Sup
port
com
petit
ive
wor
king
co
nditi
ons
in te
chni
cal
supp
ort o
rgan
izat
ions
co
mpa
red
to o
ther
indu
strie
s
Sup
po
rt o
f re
leva
nt
rese
arch
p
rog
ram
mes
Link
s w
ith f
ore
ign
tech
nica
l sup
po
rt
org
aniz
atio
ns
FIG
. 70.
Obj
ectiv
e tr
ee f
or L
evel
s 1–
4 of
def
ence
in d
epth
(N
PP,
nuc
lear
pow
er p
lant
). S
afet
y pr
inci
ple
(296
): e
ngin
eeri
ng a
nd te
chni
cal
supp
ort o
f op
erat
ions
.
89
Res
earc
h ac
tiviti
es:
corr
ectiv
e m
easu
res,
new
pla
nt d
esig
ns,
etc.
Co
mp
ilatio
no
f m
aint
enan
cean
d s
urve
illan
ced
ata
Tre
nd a
naly
sis
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
Und
etec
ted
late
nt w
eakn
esse
s in
pla
nt s
afet
y d
ue t
o in
effe
ctiv
e sa
fety
rev
iew
p
roce
dur
es
Uni
dent
ified
deg
rada
tion
tren
ds in
the
pe
rfor
man
ce o
f ite
ms
impo
rtan
t to
safe
ty
All
FS
Fs
affe
cted
: co
ntro
lling
rea
ctiv
ity,
coo
ling
fue
l, co
nfin
ing
rad
ioac
tive
mat
eria
l
Saf
ety
sig
nific
ant
even
ts n
ot
pro
mp
tly
det
ecte
d a
nd
rep
ort
ed
Saf
ety
sig
nific
ant
even
ts n
ot
pro
per
ly
eval
uate
d
Ad
equa
te c
orre
ctiv
e m
easu
res
not
timel
y or
ef
fect
ivel
y im
ple
men
ted
Insu
ffic
ient
mea
sure
s to
avo
id
rep
etiti
ons
Gen
eric
less
ons
le
arne
d in
o
per
atio
nal s
afet
y no
t sh
ared
Po
tent
ial p
recu
rso
rs
of
acci
den
ts
not
iden
tifie
d
Pro
gra
mm
e fo
r fe
edb
ack
of
op
erat
ing
ex
per
ienc
e
Res
earc
h to
un
der
stan
d
per
form
ance
an
d im
pro
vem
ents
Mea
ns
to d
etec
t ev
ents
In-d
epth
ev
ent
anal
ysis
(d
irect
and
ro
ot
caus
e)
Sys
tem
atic
p
rog
ram
me
on
less
ons
lear
ned
fr
om
pre
curs
ors
Crit
eria
fo
r se
verit
y o
f ev
ents
Coo
rdin
atio
n of
dat
a sh
arin
g na
tiona
lly
and
inte
rnat
iona
lly
(IRS
, WA
NO
, IN
PO
...)
Dis
sem
inat
ion
of
safe
ty s
igni
fican
t in
form
atio
n (n
at.,
inte
rnat
.)
FIG
. 71
. O
bjec
tive
tree
for
Lev
els
1–4
of d
efen
ce i
n de
pth
(IR
S, I
ncid
ent
Rep
ortin
g Sy
stem
; W
AN
O,
Wor
ld A
ssoc
iatio
n of
Nuc
lear
O
pera
tors
; IN
PO
, Ins
titut
e of
Nuc
lear
Pow
er O
pera
tions
). S
afet
y pr
inci
ple
(299
): f
eedb
ack
of o
pera
ting
expe
rien
ce.
90
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
Deg
rad
ed f
unct
iona
l cap
abili
ty
of
item
s im
po
rtan
t to
saf
ety
due
to
lack
of
effe
ctiv
enes
s o
f m
aint
enan
ce a
ctiv
ities
All
FS
Fs
affe
cted
: co
ntro
lling
rea
ctiv
ity,
coo
ling
fue
l, co
nfin
ing
ra
dio
activ
e m
ater
ial
Del
ayed
imp
lem
enta
tion
of
corr
ectiv
e m
aint
enan
ce
Una
war
enes
s o
f sy
stem
s un
avai
lab
ility
fo
r m
aint
enan
ce
Pro
ble
ms
caus
ed
by
inco
rrec
tly
per
form
ed
mai
nten
ance
Und
etec
ted
bar
rier
deg
rad
atio
n ca
used
b
y irr
adia
tion,
the
rmal
cy
clin
g, e
tc.
Reg
ular
, sch
edul
ed
in-s
ervi
ce
insp
ectio
ns
Reg
ular
, sch
edul
ed
func
tiona
l tes
ting
Reg
ular
, sch
edul
ed
mai
nten
ance
Use
of
the
resu
lts o
f as
sess
men
t at
the
des
ign
stag
e an
d r
esul
ts o
f te
sts
fro
m c
om
mis
sio
ning
Mo
difi
catio
n o
f in
spec
tions
ac
cord
ing
to
exp
erie
nce
and
req
uire
men
ts
Sp
ecia
l att
entio
n g
iven
to
the
prim
ary
circ
uit
bo
und
ary
Use
of
rem
ova
ble
sam
ple
s fo
r te
stin
g w
here
ne
cess
ary
Writ
ten
and
ap
pro
ved
pro
ced
ures
su
pp
ort
ed b
y Q
A
Pro
gra
mm
e is
b
ased
on
req
uire
d
relia
bili
ty t
arg
ets
Tes
ting
of
ind
ivid
ual c
om
po
nent
s an
d p
artia
l sys
tem
s
Writ
ten
and
ap
pro
ved
pro
ced
ures
su
pp
ort
ed b
y Q
A
Tre
nd a
naly
sis
to
imp
rove
the
eff
ectiv
enes
s o
f th
e m
aint
enan
ce
pro
gra
mm
e
Co
ntro
l ro
om
st
aff
rem
ain
info
rmed
of
the
stat
us o
f m
aint
enan
ce w
ork
Rad
iatio
n co
ntro
l o
f w
ork
ers
Mai
nten
ance
w
ork
ers
are
care
fully
p
rep
ared
fo
r th
eir
dut
ies
(see
SP
(278
))
Writ
ten
and
ap
pro
ved
pro
ced
ures
su
pp
ort
ed b
y Q
A
Wo
rker
s ar
e tr
aine
d a
nd a
war
e o
f th
e sa
fety
asp
ects
of
the
per
form
ed t
asks
Site
su
per
visi
on
dur
ing
w
ork
per
form
ed
by
cont
ract
ors
FIG
. 72
. O
bjec
tive
tree
for
Lev
els
1–4
of d
efen
ce i
n de
pth
(QA
, qu
ality
ass
uran
ce).
Saf
ety
prin
cipl
e (3
05):
mai
nten
ance
, te
stin
g an
d in
spec
tion.
91
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons:
Deg
rade
d fu
nctio
nal c
apab
ility
of i
tem
s im
port
ant t
o sa
fety
due
to la
ck o
f co
mpl
ianc
e w
ith a
pplic
able
QA
re
quire
men
ts in
ope
ratio
n
All
FSFs
affe
cted
: co
ntro
lling
rea
ctiv
ity,
cool
ing
fuel
, con
finin
g ra
dioa
ctiv
e m
ater
ial
Inad
equa
te s
et
of q
ualit
y re
quire
men
ts
in o
pera
tion
Unq
ualif
ied
oper
atin
g st
aff
for
QA
are
a
Def
icie
nt
oper
atin
g or
gani
zatio
n m
anag
emen
t
Lack
of
qual
ity
cont
rol a
nd
verif
icat
ion
Cla
ssifi
catio
n of
item
s an
d ac
tiviti
es
Qua
lity
com
men
sura
te
with
impo
rtan
ce
to s
afet
y
Com
preh
ensi
ve
qual
ity
assu
ranc
e pr
ogra
mm
e
Sel
ectio
n an
d tr
aini
ng o
f st
aff f
or
QA
dut
ies
App
ropr
iate
ad
apta
tion
to n
atio
nal
cultu
ral a
nd
tech
nica
l nor
ms
Goo
d m
anag
emen
t an
d or
gani
zatio
nal
arra
ngem
ents
Cle
ar li
nes
of
resp
onsi
bilit
ies
Def
initi
on o
f hi
erar
chy
of
proc
edur
es
Inde
pend
ence
of
qu
ality
as
sura
nce
staf
f
Impl
emen
tatio
n of
qu
ality
con
trol
pr
oced
ures
Con
trol
and
ve
rific
atio
n of
qua
lity
Mai
nten
ance
of
docu
men
ts
and
reco
rds
FIG
. 73.
Obj
ectiv
e tr
ee fo
r L
evel
s 1–
4 of
def
ence
in d
epth
(Q
A, q
ualit
y as
sura
nce)
. Saf
ety
prin
cipl
e (3
12):
qua
lity
assu
ranc
e in
ope
ratio
n.
92
Sub
criti
calit
yC
ore
co
olin
gR
CS
inte
grit
yC
ont
ainm
ent
inte
grit
yM
itig
atio
n o
fra
dio
activ
ity r
elea
se
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
All
FS
Fs
affe
cted
: co
ntro
lling
rea
ctiv
ity,
coo
ling
fue
l, co
nfin
ing
ra
dio
activ
e m
ater
ial
Inad
equa
te a
ccid
ent
man
agem
ent
stra
teg
ies
Inco
mp
lete
rev
iew
of
pla
nt
des
ign
cap
abili
ties
app
licab
le f
or
AM
P
Iden
tific
atio
n o
f eq
uip
men
t re
qui
red
to
op
erat
e o
utsi
de
its d
esig
n ra
nge
Det
erm
inat
ion
of
per
form
ance
o
f eq
uip
men
t o
utsi
de
des
ign
rang
e
Eva
luat
ion
of
effe
cts
of
equi
pm
ent
and
sys
tem
fai
lure
List
mad
e o
f eq
uip
men
t ab
le t
o a
cco
mp
lish
func
tions
un
der
AM
co
nditi
ons
Iden
tific
atio
n o
f al
tern
ativ
e eq
uip
men
t to
per
form
fu
nctio
ns r
equi
red
fo
r A
M
List
mad
e o
f p
oss
ible
des
ign
mo
difi
catio
ns
to a
cco
mp
lish
AM
req
uire
men
ts
Unc
lear
sp
ecifi
catio
n o
f ex
tern
al n
eed
s fo
r A
MP
Ob
ject
ives
of
stra
teg
ies
not
spec
ified
ad
equa
tely
Str
ateg
ies
form
ally
inad
equa
te
Det
erm
inat
ion
of
need
s fo
r ex
tern
al m
ater
ials
Ava
ilab
ility
o
f ex
tern
al m
ater
ials
as
nee
ded
BD
BA
ana
lyse
s p
erfo
rmed
an
d o
bje
ctiv
es a
nd c
riter
ia
set
up
Pro
per
str
ateg
ies
set
up f
or:
Dec
isio
n ta
ken
abo
ut
pre
vent
ion
or
miti
gat
ion
stra
teg
y fo
r A
MP
Dev
elo
pm
ent
of
list
of
stra
teg
ies
for
AM
Def
initi
on
of
entr
y an
d e
xit
cond
itio
ns
for
AM
act
ions
Def
initi
on
of
dia
gno
stic
m
eans
and
to
ols
Val
idat
ion
of
stra
teg
ies
by
rele
vant
ana
lyse
s
Arr
ang
emen
t o
f st
rate
gy
in t
he f
low
cha
rt f
orm
at
Ind
epen
den
t re
view
o
f A
MP
FIG
. 74
. O
bjec
tive
tree
for
Lev
el 4
of
defe
nce
in d
epth
(A
MP,
acc
iden
t m
anag
emen
t pr
ogra
mm
e; A
M,
acci
dent
man
agem
ent;
RC
S,
reac
tor
cool
ant s
yste
m).
Saf
ety
prin
cipl
e (3
18):
str
ateg
y fo
r ac
cide
nt m
anag
emen
t.
93
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
All
FS
Fs
affe
cted
: co
ntro
lling
rea
ctiv
ity,
coo
ling
fue
l, co
nfin
ing
ra
dio
activ
e m
ater
ial
Inad
equa
te r
esp
ons
e o
f A
M p
erso
nnel
d
ue t
o la
ck o
f A
M p
roce
dur
es
Lack
of
per
sonn
el f
or
acci
den
t m
anag
emen
t
Inad
equa
te r
esp
ons
e o
f A
M p
erso
nnel
d
ue t
o la
ck o
f A
M t
rain
ing
Per
sonn
el
assi
gnm
ent
not
effe
ctiv
e fo
r B
DB
As
Em
erg
ency
op
erat
ing
p
roce
dur
es n
ot
dev
elo
ped
ad
equa
tely
fo
r B
DB
As
Sev
ere
acci
den
t g
uid
elin
es
inad
equa
te
Tra
inin
g
pro
gra
mm
e fo
r A
M in
adeq
uate
Per
form
ance
of
trai
ning
fo
r A
M
inad
equa
te
Rev
iew
of
emer
gen
cy
org
aniz
atio
n an
d
qua
lific
atio
ns
of
per
sonn
el
Dev
elo
pm
ent
of
a lis
t o
f re
qui
red
q
ualif
icat
ions
Suf
ficie
nt
hum
an r
eso
urce
s fo
r ac
cid
ent
man
agem
ent
Def
initi
on
of
lines
o
f re
spo
nsib
ility
an
d a
utho
rity
for
all p
erso
nnel
Est
ablis
hmen
t o
f a
spec
ialis
t te
am
to a
dvi
se o
per
ato
rs
in e
mer
gen
cies
On-
call
syst
em
for
per
sonn
el
Sp
ecifi
catio
n o
f sc
enar
ios
rep
rese
ntat
ive
or
cont
ribut
ing
si
gni
fican
tly t
o r
isk
Def
initi
on
of
pla
nt s
tate
s to
be
cove
red
by
EO
Ps
and
the
ir sy
mp
tom
s
Pro
po
sal a
nd
verif
icat
ion
of
reco
very
ac
tions
fo
r B
DB
As
Ava
ilab
ility
o
f in
form
atio
n to
det
ect
leve
l and
tr
end
of
seve
rity
Ver
ifica
tion
of
per
form
ance
o
f re
qui
red
eq
uip
men
t un
der
B
DB
A c
ond
itio
ns
Def
initi
on
of
cond
itio
ns
for
op
erat
or
invo
lvem
ent
incl
. exi
t fr
om
EO
P
Ver
ifica
tion
and
val
idat
ion
of
EO
Ps
for
sele
cted
BD
BA
s
Ava
ilab
ility
o
f E
OP
s in
all
op
erat
ing
lo
catio
ns
Pro
ced
ures
fo
r al
l str
ateg
ies
and
che
cks
of
thei
r ef
fect
iven
ess
Use
r fr
iend
ly f
orm
at
of
SA
G
Co
mp
letn
ess
of
gui
del
ines
vs
str
ateg
ies
for
acci
den
t m
anag
emen
t
Ava
ilab
ility
o
f in
form
atio
n ne
eded
to
det
ect
leve
l/tre
nd
of
seve
rity
Ver
ifica
tion
of
per
form
ance
o
f an
d a
cces
s to
eq
uip
men
t re
qui
red
fo
r ea
ch s
trat
egy
Def
initi
on
of
exp
ecte
d
po
sitiv
e an
d n
egat
ive
effe
cts
for
each
str
ateg
y in
cl. u
ncer
tain
ties
Def
initi
on
of
entr
y an
d
exit
cond
itio
ns
for
each
str
ateg
y an
d f
urth
er s
tep
s
Ver
ifica
tion
and
, to
the
ext
ent
po
ssib
le,
valid
atio
n o
f S
AG
s
Ava
ilab
ility
o
f S
AG
s in
all
op
erat
ing
lo
catio
ns
Def
initi
on
of
trai
ning
ne
eds
for
diff
eren
t p
erso
nnel
Incl
usio
n o
f si
mul
ato
rs
to r
easo
nab
le
exte
nt in
tra
inin
g
pro
gra
mm
e
Det
ails
co
vere
d
of
phe
nom
eno
log
y o
f se
vere
acc
iden
ts
in p
rog
ram
me
Fam
iliar
izat
ion
of
staf
f w
ith r
esul
ts
of
seve
re a
ccid
ent
anal
ysis
fo
r th
e N
PP
Incl
usio
n o
f re
leva
nt
pla
nt w
alk-
thro
ugh
into
tra
inin
g
pro
gra
mm
e
Ava
ilab
ility
of
AM
P d
evel
op
men
t m
ater
ial f
or
trai
ning
Ava
ilab
ility
o
f so
ftw
are
too
ls
for
valid
atio
n an
d t
rain
ing
Co
nsis
tenc
y o
f p
roce
dur
es
and
gui
del
ines
w
ith s
imul
atio
n
Ava
ilab
ility
o
f tr
aini
ng
pro
gra
mm
e to
reg
ulat
or
Arr
ang
emen
t fo
r re
gul
ar r
etra
inin
g
and
tes
ting
o
f p
erso
nnel
Invo
lvem
ent
of
emer
gen
cy
staf
f in
fu
nctio
nal t
ests
o
f eq
uip
men
t
Incl
usio
n o
f re
leva
nt
op
erat
ing
eve
nts
into
tra
inin
g
Incl
usio
n o
f o
ther
site
an
d e
xter
nal
per
sonn
el in
to
trai
ning
FIG
. 75
. O
bjec
tive
tree
for
Lev
el 4
of
defe
nce
in d
epth
(A
M,
acci
dent
man
agem
ent;
AM
P, a
ccid
ent
man
agem
ent
prog
ram
me;
SA
G,
seve
re a
ccid
ent g
uide
lines
; NP
P, n
ucle
ar p
ower
pla
nt).
Saf
ety
prin
cipl
e (3
23):
trai
ning
and
pro
cedu
res
for
acci
dent
man
agem
ent.
94
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
All
FS
Fs
affe
cted
: co
ntro
lling
rea
ctiv
ity,
coo
ling
fue
l, co
nfin
ing
ra
dio
activ
e m
ater
ial
AM
eq
uip
men
t fa
ils
to p
erfo
rm a
s in
tend
ed
und
er s
ever
e ac
cid
ent
cond
itio
ns
AM
eq
uip
men
t p
erfo
rman
ce
adve
rsel
y af
fect
ed b
y se
vere
ac
cid
ent
cond
itio
ns
AM
per
sonn
el
do
no
t re
act
as in
tend
ed
Info
rmat
ion
and
crit
eria
fo
r d
iag
nosi
s an
d m
anag
emen
t o
f se
vere
acc
iden
ts b
y p
erso
nnel
inad
equa
te
AM
inst
rum
enta
tion
adve
rsel
y af
fect
ed
by
seve
re a
ccid
ent
cond
itio
ns
Sys
tem
s to
rem
ove
he
at u
nder
sev
ere
acci
den
t co
nditi
ons
(s
ee S
P (2
07))
Sp
ecifi
catio
n o
f en
viro
nmen
tal
cond
itio
ns f
or
seve
re
acci
den
ts in
diff
eren
t lo
catio
ns
Qua
lific
atio
n te
sts
pre
fera
bly
with
p
roto
typ
es in
co
mb
inat
ion
with
ana
lysi
s
Co
nsid
erat
ion
of
des
ign
mar
gin
s fo
r A
M e
qui
pm
ent
per
form
ance
Nee
d a
dd
ress
ed f
or
spec
ial
equi
pm
ent
to m
itig
ate
seve
re a
ccid
ents
(v
entin
g,H
2 re
com
bin
ers)
Sys
tem
s to
pro
tect
co
ntai
nmen
t in
teg
rity
und
er s
ever
e ac
cid
ent
cond
itio
ns (s
ee S
P (2
21))
Ver
ifica
tion
with
man
ufac
ture
r o
per
abili
ty o
f eq
uip
men
t co
nsid
erin
g p
ress
ure,
tem
per
- at
ure,
rad
iatio
n, h
umid
ity, j
ets
Det
erm
inat
ion
and
do
cu-
men
tatio
n o
f as
bui
lt ch
arac
teris
tics
of
NP
P s
yste
ms
app
licab
le t
o A
M
Co
nsid
erat
ion
of
feas
ible
d
esig
n ch
ang
es
of
equi
pm
ent
app
licab
le t
o A
M
Sp
ecifi
catio
n o
f re
serv
e o
r re
pla
ceab
le
equi
pm
ent
for
AM
Eva
luat
ion
of
per
form
ance
o
f in
stru
men
tatio
n al
so b
eyo
nd it
s o
per
atio
nal r
ang
e
Ext
ensi
on
of
rang
e o
f in
dic
atio
ns
by
inst
rum
ents
Pro
tect
ion
of
inst
rum
ents
ag
ains
t d
amag
e in
sev
ere
cond
itio
ns
Fun
ctio
ning
ens
ured
o
f in
stru
men
tatio
n in
sta
tion
bla
cko
ut
cond
itio
ns
Sep
arat
ion
of
norm
al
and
em
erg
ency
in
stru
men
tatio
n an
d m
oni
torin
g
Inst
alla
tion
of
inst
rum
enta
tion
pro
vid
ed s
pec
ifica
lly
for
acci
den
t m
anag
emen
t
Co
mp
utat
iona
l aid
s av
aila
ble
to
co
mp
ensa
te
for
insu
ffic
ient
in
stru
men
tatio
n
Ava
ilab
ility
of
imp
ort
ant
info
rmat
ion
in c
ont
rol r
oo
m a
nd in
em
erg
ency
cen
tre
Crit
eria
set
up
fo
r d
iag
nosi
s o
f se
vere
ac
cid
ents
bas
ed o
n av
aila
ble
inst
rum
enta
tion
Det
erm
inat
ion
of
time
mar
gin
fo
r st
artu
p
of
syst
ems
FIG
. 76.
Obj
ectiv
e tr
ee f
or L
evel
4 o
f de
fenc
e in
dep
th (
AM
, acc
iden
t man
agem
ent;
NP
P, n
ucle
ar p
ower
pla
nt).
Saf
ety
prin
cipl
e (3
26):
en
gine
ered
fea
ture
s fo
r ac
cide
nt m
anag
emen
t.
95
Saf
ety
func
tions
:
Cha
lleng
es:
Mec
hani
sms:
Pro
visi
ons
:
On-
site
em
erg
ency
cen
tre
not
esta
blis
hed
or
not
man
aged
ad
equa
tely
SF
s (1
2), (
13),
(16)
, (21
) af
fect
ed
Em
erg
ency
pla
ns
inad
equa
te
reg
ard
ing
on-
site
m
easu
res
Inst
itutio
nal
arra
ngem
ent
inad
equa
te
Lack
of
cons
iste
ncy
with
oth
er
AM
mea
sure
s
Info
rmat
ion
for
estim
atio
n o
f co
nseq
uenc
es
inad
equa
te
On-
site
em
erg
ency
cen
tre
not
equi
pp
ed
adeq
uate
ly
Mea
ns o
f co
mm
unic
atio
n fo
r d
irect
ing
act
iviti
es in
th
e p
lant
inad
equa
te
Def
initi
on
of
org
aniz
atio
nal
arra
ngem
ent
for
on-
site
em
erg
ency
Res
po
nsib
ilitie
s o
f p
erso
nnel
fo
r em
erg
ency
ac
tions
Ava
ilab
ility
o
f q
ualif
ied
p
erso
nnel
Ava
ilab
ility
o
f re
qui
red
to
ols
Reg
ular
d
rills
o
f em
erg
ency
p
lans
Def
initi
on
of
crite
ria
for
activ
atio
n o
f o
n-si
te e
mer
gen
cy
cent
re (i
ncl.
timin
g)
Co
nsis
tenc
y w
ith
pla
nt d
amag
e st
ates
Bo
und
ary
cond
itio
ns
for
off
-site
p
lann
ing
Suf
ficie
nt
info
rmat
ion
for
dec
isio
ns in
em
erg
enci
es
Pro
visi
ons
mad
e fo
r fle
xib
le a
dap
tatio
n to
par
ticul
ar
circ
umst
ance
s
Ass
essm
ent
met
hod
s fo
r es
timat
ion
of
rad
iolo
gic
al
cons
eque
nces
Info
rmat
ion
on
met
eoro
log
y
Ava
ilab
ility
of
map
s o
f em
erg
ency
zo
nes
with
cha
ract
eris
tics
On-
site
m
oni
torin
g
for
char
acte
rizat
ion
of
the
sour
ce t
erm
Off
-site
m
oni
torin
g
(net
wo
rk o
f st
atio
ns,
mo
bile
lab
s)
Em
erg
ency
cen
tre
pla
ced
saf
ely
apar
t fr
om
the
co
ntro
l ro
om
Co
mp
utat
iona
l ai
ds
Mea
ns
for
per
man
ent
reco
rdin
g o
f im
po
rtan
t in
form
atio
n
Inst
rum
enta
tion
to v
erify
imp
ort
ant
pla
nt c
ond
itio
ns
Har
dw
are
and
so
ftw
are
for
eval
uatio
n o
f d
ata
and
pla
nt c
ond
itio
ns
Sta
ffin
g
of
the
cent
re
with
ap
pro
pria
te
qua
lific
atio
ns
Pro
tect
ive
mea
ns
for
per
sonn
el
Co
mm
unic
atio
n ch
anne
ls w
ith
all u
nits
of
emer
gen
cy
org
aniz
atio
n
Bas
is s
et u
p
for
info
rmin
g
exte
rnal
o
rgan
izat
ions
Tra
nsm
issi
on
lines
to
off
-site
ce
ntre
Suf
ficie
nt
red
und
anci
es a
nd s
afe
com
mun
icat
ion
lines
(d
edic
ated
line
s, r
adio
)
FIG
. 77
. O
bjec
tive
tree
for
Lev
el 4
of
defe
nce
in d
epth
(A
M,
acci
dent
man
agem
ent)
. Sa
fety
pri
ncip
les:
em
erge
ncy
plan
s (3
33),
em
erge
ncy
resp
onse
fac
ilitie
s (3
36).
96
Inve
stig
atio
n of
site
cha
ract
eris
tics
from
sta
ndpo
int
of e
mer
genc
y
Ana
lysi
sof
radi
olog
ical
impa
ct o
fse
vere
acc
iden
ts
Emer
genc
yzo
nes
inac
cord
ance
with
site
cha
ract
eris
tics
Rad
ioac
tivity
tran
spor
t via
vege
tatio
n,ai
r,an
imal
s &
wat
er
Site
cha
ract
eris
tics
unfa
vour
able
for
emer
genc
y pl
anni
ng(d
isse
min
atio
n of
rad.
)
On-
site
emer
genc
ypl
an
Off-
site
emer
genc
y pl
anco
nsis
tent
with
on-s
ite p
lan
Reg
ulat
ory
revi
ew/
appr
oval
ofem
erge
ncy
plan
s
Per
iodi
c re
visi
onan
d up
datin
gof
em
erge
ncy
plan
s
Mis
sing
or
inad
equa
teem
erge
ncy
plan
s
No
adeq
uate
off-
site
pub
licpr
otec
tion
mea
sure
s
Com
mun
icat
ion
lines
bet
wee
non
-site
and
off-
site
cent
res
and/
or p
lant
Mob
ilera
diol
ogic
alm
onito
ring
Net
wor
k of
fixed
mon
itorin
gst
atio
ns
Topo
logi
cal
char
acte
ristic
sof
em
erge
ncy
zone
s
Pro
visi
on o
fon
-line
met
eoro
logi
cal
data
On-
site
mon
itorin
gto
def
ine
sour
ce te
rman
d re
leas
e ra
te
Rap
idsa
mpl
ean
alys
is
Pop
ulat
ion
data
Inad
equa
tein
form
atio
n fo
res
timat
ion
ofco
nseq
uenc
es
Off-
site
emer
genc
yce
ntre
Tech
nica
lco
mpe
tenc
e of
cent
re s
taff
Ade
quat
e ha
rd-
war
e w
ithre
liabl
e po
wer
supp
ly
Ass
essm
ent
met
hods
/sof
twar
e,co
mpu
tatio
nal
tool
s
Pro
cedu
res
for e
valu
atio
nof
cons
eque
nces
Estim
atio
nof
cons
eque
nces
inad
equa
te
Set
up
crite
ria,
tool
s an
d m
etho
dsto
info
rmau
thor
ities
Set
up
crite
ria,
tool
s an
d m
etho
dsto
info
rmpu
blic
Ava
ilabi
lity
ofre
liabl
e co
mm
uni-
catio
n m
eans
(de-
dica
ted
lines
, rad
io, .
..)
Unr
elia
ble
com
mun
icat
ion
mea
ns to
auth
oriti
es
Del
ayed
, mis
lead
ing
or in
corr
ect
info
rmat
ion
give
n to
auth
oriti
es a
nd p
ublic
Tech
nica
lco
mpe
tenc
e of
auth
oriti
es/
advi
sors
Nat
iona
l and
inte
rnat
iona
lgu
idel
ines
Crit
eria
for g
rade
dre
spon
se-n
otifi
catio
n,sh
elte
ring,
pro
phy-
laxi
s, e
vacu
atio
n
Inco
rrec
tde
cisi
ons
byau
thor
ities
Ava
ilabi
lity
ofpr
otec
tive
equi
pmen
t
Ava
ilabi
lity
ofra
diop
rote
ctio
npr
ophy
laxi
s
Med
ical
care in
emer
genc
ies
Evac
uatio
nm
eans
Con
trol
ofin
gres
s an
deg
ress
Dec
onta
min
atio
nm
eans
for
emer
genc
ies
Food
and
wat
ersu
pply
inem
erge
ncie
s
Engi
neer
ing
and
tech
nica
lsu
ppor
t
Insu
ffici
ent
reso
urce
s fo
rem
erge
ncy
resp
onse
Per
iodi
cex
erci
ses
and
drill
s
Emer
genc
yre
spon
seno
t per
form
edas
inte
nded
Inad
equa
teof
f-si
te re
spon
seto
emer
genc
ies
SF(
21) a
ffect
ed: t
o lim
itth
e ef
fect
s of
radi
oact
ive
rele
ases
on
the
publ
ican
d en
viro
nmen
t
Saf
ety
func
tions
Cha
lleng
es
Mec
hani
sms
Pro
visi
ons
FIG
. 78.
Obj
ectiv
e tr
ee fo
r L
evel
5 o
f def
ence
in d
epth
. Saf
ety
prin
cipl
es: r
adio
logi
cal i
mpa
ct o
n th
e pu
blic
and
the
loca
l env
iron
men
t (13
8),
feas
ibili
ty o
f em
erge
ncy
plan
s (1
40),
org
aniz
atio
n re
spon
sibi
litie
s an
d st
affin
g (2
65),
eng
inee
ring
and
tech
nica
l sup
port
of
oper
atio
ns (
296)
, em
erge
ncy
plan
s (3
33),
em
erge
ncy
resp
onse
faci
litie
s (3
36),
ass
essm
ent o
f acc
iden
t con
sequ
ence
s an
d ra
diol
ogic
al m
onito
ring
(33
9).
97
Appendix III
SCREENING OF DEFENCE IN DEPTH CAPABILITIES OFWWER 440/V213 REACTORS
The following partial test application was performed and provided by the Bohunice plant, Slovakia; it has not been reviewed by the IAEA.
III.1. OBJECTIVES OF THE REVIEW
A test application of the screening method has been performed by the staff of the Bohunice plant within the framework of the preparation of the safety upgrading programme for the V-2 plants. The Bohunice V-2 plant consists of two units equipped with WWER 440/V213 reactors. The units were commissioned in 1984 and 1985, respectively. A comprehensive description of the plant and its specific design features can be found in Ref. [7].
Since commissioning, the V-2 plants have been in stable routine operation. The operational record of the units is good. An upgrading programme for the plant has recently been developed. The safety concept (basic engineering) of the programme was at the time of the test application ready for regulatory review. The key features of the upgrading programme are:
(a) A safety upgrading based mostly on Ref. [8] was planned.(b) Replacement of equipment for which no spare parts are available was
planned.(c) A power uprating of up to 107% of nominal power was considered.(d) An extension of operational lifetime of up to 40 years was planned.
As the plant was in a preparatory phase for the upgrading programme, both the present status and some planned upgrading measures were considered in the review. An important objective was to verify that the upgrading programme covers all the safety issues identified.
III.2. SCOPE OF THE REVIEW
The scope of the review was limited to several selected safety principles related to Levels 3 and 4 of defence in the areas of siting and design, namely to the safety principles as follows:
98
— SP (142), ultimate heat sink provisions;— SP (150), design management;— SP (154), proven technology;— SP (158), general basis for design; — SP (168), automatic safety systems.
The plant Safety Analysis Report, updated in 1996, the operational documentation and the operational feedback database were used as background documents for the review. In addition, the results of a PSA Level 1 study developed for full power, low power and shutdown operational regimes were available for the review, as well as specific analyses of internal flooding and fires. Plant design documentation was also used to an appropriate extent. However, it should be emphasized that due to the limited scope and time available for the review, the objectives of the screening were more related to verification of the applicability of the approach than to evaluation of the safety status of the plant. Therefore, this section cannot be considered as a formal safety review of the plant.
III.3. COURSE OF THE REVIEW
As described in Sections 3 and 4 of the present publication, a bottom up approach was used for screening. Screening for each safety principle started from the bottom of the relevant objective tree. Implementation of provisions aimed at avoiding the occurrence of related mechanisms was evaluated as a first step. In a second step, conclusions were derived for all mechanisms based on the level of implementation of the provisions. Finally, during the third step, conclusions were formulated regarding sufficient prevention of challenges.
As stated above, the review was performed for five selected safety principles. However, with the aim of limiting the scope of the present report, only the review for SP (168) will be presented below as an example. The objective of this example is to illustrate the way and level of detail used for evaluation of the individual provisions.
99
III.4. EXAMPLE OF REVIEW FOR SAFETY PRINCIPLE (168) – AUTOMATIC SAFETY SYSTEMS
III.4.1. Review of provisions
III.4.1.1. Indication of operating status of safety systems
The operating status of safety systems is indicated in the main control room (MCR). The status of information and control (I&C) systems, in particular of the reactor trip system (RTS) and the emergency safety features actuation system (ESFAS), is indicated satisfactorily (several improvements have been implemented) given the technology used at the time of the construction of the plant. The status of all permissions disabling activation of the system is indicated, and an alarm on activation of one out of three measuring channels is provided. Loss of power supply to some parts of the system is indicated. Secondary devices (indicators and set point generators) have been improved to detect several kinds of failure. The alarm is activated on the front panel of the devices. The I&C shift foreman periodically checks the alarm status in the I&C compartments. Indication of the operating status in sufficient detail is included in the specification for the new reactor protection system (RPS), which will be installed as a part of the upgrading programme.
The status of electrical systems is also indicated satisfactorily except for the position of breakers. They can be set in a test position in which the component (pump) is not able to fulfil its SF. However, this position is not indicated in the MCR. That is why the test procedures are written in a very detailed way, ensuring that the component breaker remains in the operating position after the test. Independent checking of the status of the breakers is done in busbar cabinets during operation. Correction of this deficiency is included in the upgrading programme.
The status of the mechanical parts of the systems is indicated by means of valve positions and the indications of several other variables. The positions of man-ual valves are not detected and indicated. That is why periodic surveillance proce-dures are written in a detailed way that ensures proper valve (including manual) alignment after the test to ensure operability of the system. Independent and regularchecking of valve positions, especially of manual valves, is done during operation.
III.4.1.2. Automatic self-testing of safety systems
A self-testing capability of the safety I&C equipment already existed in the original design. It is achieved by means of comparison of the prescribed status and the values obtained by measuring channels. Should the deviation
100
between the channels exceed a preset value, the alarm is activated in the MCR. However, some failures within the system could remain undetected. That is why the specifications for limits and conditions of the plant give time intervals for testing the operability of the systems. Detailed procedures are developed to test the systems and to detect any failure causing loss of an SF of the system. The PSA study of the systems showed that the existing combination of self-testing capability and periodic testing performed by the operators ensures sufficient reliability of the system.
Within the framework of the safety upgrading programme, replacement of safety I&C equipment (RTS and ESFAS) is being prepared. New up to date technology is assumed for implementation. The self-testing capability is one of the key features of the design of the new system.
A new self-testing capability is also being prepared for battery status evaluation, to detect a failure which could cause a battery to be unable to fulfil its design SF. This will be implemented within the upgrading programme.
III.4.1.3. Stringent requirements to preclude bypassing of safety systems
The only bypassing possibility exists in protection systems of the normal operation components. No bypassing capability exists in the design of the safety I&C systems. For the testing of the diesel generator loading sequencer the bypassing capability was implemented. It allows an automatic startup of the containment spray system pump during the test. A procedure and independent checking are used to control bypassing. In case of an omission, the bypass can cause early or spurious actuation of the pump, but successful startup of the pump cannot be endangered. However, the need for a reset capability for some ESFAS signals was identified in the course of development of the symptom based EOPs. This capability will be implemented in the new ESFAS.
A bypassing capability within the mechanical systems exists only for pilot valves of the pressurizer safety valves. Keys are used to block the pilot valve during the test or for isolation of a leaking valve. The usage of the keys is controlled by the test procedure and by the containment access administrative procedure.
III.4.1.4. Limiting conditions for operation with unavailable safety systems
Limits and conditions are developed according to NUREG-0452 (Rev. 3) [9] and to satisfy the requirements given in IAEA Safety Series No. 50-SG-O711.
11 INTERNATIONAL ATOMIC ENERGY AGENCY, Maintenance of Nuclear Power Plants, Safety Series No. 50-SG-O7 (Rev. 1), IAEA, Vienna (1990).
101
Operability of the safety systems in specified operational modes is accordingly required. Operator actions are prescribed for operation when safety systems are unavailable. The time to accomplish the actions is specified. Allowed outage time for operation with an unavailable safety system is specified. The allowed outage time is specified on the basis of engineering judgement and taking into account the safety implications and ability to repair the unavailable component. An evaluation of the allowed outage time recently performed on the basis of a PSA showed that the specified time is very conservative and could be extended without increasing the risk.
III.4.1.5. Highly reliable/redundant initiation of safety systems
The existing RTS includes four levels of initiating signal. However, only one of them, first order reactor scram (AZ I) signals, is designed to perform the trip function. Some postulated initiating events are detected by two parameters, some by one parameter and some by using only third order reactor scram (AZ III) channels. The selection of initiation criteria does not guarantee fulfilment of the acceptance criteria when the single failure criterion is assumed.
Regarding the new RTS, the requirement exists to detect every postulated initiating event by two parameters. If two parameters are not available, the only parameter should be processed by two diverse logics and diverse sensors should be used in redundant trains.
For ESFAS, redundant initiation is used whenever practical. Safety functions not activated by two parameters should be performed by diverse safety systems independently of ESFAS.
The reliability requirements are defined according to the recommendations in INSAG-12 [2]. The Slovak regulations recommend failure rate targets for the reactor trip system of <10–5 per demand and for the ESFAS system of <10–3 per demand.
III.4.1.6. Adequate response time
The response times for all types of measuring channel of existing RPS (RTS and ESFAS) were measured in experiments. The results were used in modelling of system behaviour for safety analyses. The response time of one of the channels gave unsatisfactory results. That is why the set point of a particular variable was adjusted to compensate for inadequate response time and to meet the safety criteria. The logics of a particular signal will be modified in the new design of the RPS.
102
The experience with the Bohunice V-1 (two older V230 units at the same site) upgrading programme shows that even damping and hysteresis of existing electromechanical devices should be carefully evaluated. Appropriate measures should be implemented into a new technology. All these aspects have been taken into account in the V-2 upgrading programme.
III.4.1.7. Consideration of failures of safety systems in emergency operating procedures
When entering EOPs, operators are required to perform immediate actions to ensure basic conditions for successful implementation of the procedures. Afterwards they check for the symptoms of emergency conditions. Should emergency conditions be diagnosed, automatic actions are verified. This means that the safety system performance is checked. Any deviation in safety system performance is corrected manually.
The symptom based EOPs are written in a two column format. The left hand column provides an operator action and an expected plant response to the action. The right hand column is called ‘Response Not Obtained’ (RNO). The RNO column is used for an operator contingency action in case of a failure of the left hand column action (the operator could not perform the prescribed action or the plant response to the operator action was not as expected). This is systematically done throughout the procedure. A best estimate approach is used in analyses to support EOPs. Design basis accidents and BDBAs are covered by EOPs up to the significant core damage level. Possible failures of safety, safety related, support and normal operation systems and items are considered. The validation process for EOPs also considers validation of RNO operator actions. Emergency operating procedures are subject to the comprehensive maintenance programme. This means that the plant experience gained in training, analyses (both deterministic and probabilistic) and research, as well as the overall industry experience, are incorporated into the procedures.
III.4.1.8. Training of operators to react in case of failures in safety systems
Training sessions are designed to train the operators in usage of both columns of the EOPs. Operators are trained to react in the case of a failure of the system designed to cope with the accident, i.e. they are trained to react in the case of failures in the safety systems.
An additional diverse way to respond to failures in the safety systems is now described. An independent person (shift supervisor or safety engineer) periodically monitors the critical safety function (CSF) status trees. In the case of failures in safety systems and/or operator failures, significant deviation of
103
status of CSFs is expected. This deviation should be detected and appropriate function restoration procedures should be implemented to bring the plant back into safe conditions. The operators are trained in usage of the function restoration procedures.
III.4.1.9. Reliable electrical and ventilation support systems
The electrical power supply systems of all the safety systems are classified as safety system support systems in the upgrading programme. This means that the qualification criteria (e.g. environmental and seismic) used for the support systems are the same as those used for the safety systems themselves. Obsolete equipment (e.g. batteries and rechargers) was replaced by new equipment. The battery discharge time was increased to two hours. The trains of the supporting electrical systems are separated from each other and from the normal operation systems. Limited interconnections are allowed to ensure high reliability of the safety systems or plant availability. Detailed criteria for this kind of interconnection are being developed for the upgrading programme. A PSA was done for the electrical power supply systems. The high reliability of the systems was confirmed. However, some deficiencies were identified in the power supply for the feedwater valves. To improve the capability of the system to perform the SF, the power supply was rearranged from another train than that used in the original design.
The pending issues to be covered by the upgrading programme are completion of seismic qualification and improvements in fire resistance related to correcting the deficiencies identified in the separation of the cables of the safety trains.
III.4.1.10. Reliable instrumentation and control
The I&C systems designed for actuation of all safety systems are classified as safety systems. This means that the qualification criteria (e.g. environmental and seismic) applicable to safety systems are used. The decision was taken for several reasons to replace the existing RPS (RTS and ESFAS) with a new one. The safety concept (basic engineering) is complete. Detailed analyses of all the logics of the existing system and of the experience gained in the course of the EOP development, PSA studies, periodic safety analyses and operational experience were used in the development of the new concept. A preliminary PSA was done for the new configuration of the system. The results are satisfactory.
The heating, ventilation and air conditioning (HVAC) systems are designed as the normal operation systems. They will be requalified to safety
104
system support systems. Safety related functions will be identified and measures to satisfy criteria will be implemented (seismic resistance and emergency power supply).
III.4.1.11. Consideration of failures of support systems in emergency operating procedures
After entering EOPs the operators are required to take immediate steps to ensure that the basic conditions exist for successful implementation of the procedures. Then they check for symptoms of emergency conditions. Should emergency conditions be diagnosed, automatic actions should be verified. This means that the performance of the safety systems is checked, including the performance of the support systems. Any deviation in the performance of the support systems for the safety system should be corrected.
III.4.1.12. Training of operators to react in case of failures in support systems
Scenarios for training sessions are designed to train the operators in the usage of both columns of the EOPs. Operators are trained to react in the case of a failure of the system designed to deal with the accident. Thus they are trained to react in the case of failures in safety system support systems.
An additional diverse way to respond to failures in the support systems is the following. An independent person (a shift supervisor or safety engineer) periodically monitors the critical safety function status trees. In the case of failures in the safety system support systems the safety system also fails, and a significant deviation of status of the CSFs is expected. This deviation should be detected and appropriate function restoration procedures should be implemented to bring the plant back into safe conditions. The operators are trained in the usage of the function restoration procedures.
III.4.1.13. Environmental qualification of equipment
The safety I&C systems located inside the containment were environmentally qualified (see also SP (182)) for large break, loss of coolant accident conditions according to the original design. However, formal documentation from this qualification was not available. The parts of the system located inside the I&C rooms but outside the containment were not environmentally qualified. The valves of the safety systems located inside the containment were also not fully qualified. The plant launched a wide environmental qualification programme. In the first step the items to be environmentally qualified were identified. Environmental criteria were set up
105
for every room containing items to be qualified. Each item was evaluated according to these criteria. There were several types of conclusion. If the environmental qualification criteria were fully met, the item was accepted for future operation. If the criteria were not met, the item had to be either replaced by a new one or upgraded to meet the criteria. This activity started prior to development of the upgrading programme and the results are used in the upgrading programme.
III.4.1.14. Systems design according to the single failure criterion
The RTS is designed with (1 + 1) × 100% redundancy. There are three measuring channels within each redundancy for every parameter. A two out of three voting system is used to generate an output signal. Two parallel output relays are installed in every redundancy. Finally, there is a one out of two voting system of two redundancies. The system is designed to meet the single failure criterion. The only exception is the power supply system of control rod drives. There are four parallel lines with only one breaker in each of them.
The ESFAS system is designed with (1 + 2) × (1 + 1) × 100% redundancy. There are three measuring channels within each half-redundancy for every variable. A two out of three voting system is used to generate an output signal. Two parallel output relays are installed in every half-redundancy. Finally, there is a one out of two voting system of the two half-redundancies. Every redundancy is designed to actuate the safety features of a particular train in the safety systems. The system is designed to meet the single failure criterion.
The front line active safety systems are designed with (1 + 2) × 100% redundancy (high pressure safety injection system, low pressure safety injection system and containment spray system). The support systems (ESFAS, electrical emergency power supply system and service water system) are designed in the same manner. The passive safety system (hydro-accumulators) is designed with (2 + 2) × 50% redundancy. The secondary side active safety system (emergency feedwater system) and RTS are designed with (1 + 1) ×100% redundancy. In general, the single failure criterion is applied in the design of safety systems. However, the understanding and application of the single failure criterion has developed over the years. The Nuclear Regulatory Authority of the Slovak Republic issued a document with guidelines on the application of the single failure criterion. There is a project to apply this document to the upgrading programme. If necessary, several questions need to be clarified and items of equipment modified (e.g. the power supply system for the control rod drives and the steam generator fast acting isolation valves).
106
III.4.1.15. Preference for fail-safe designed systems
The fail-safe design of the reactor protection system means that in the case of its failure the reactor is tripped; spurious actuation of the system trips the reactor and puts it into safe conditions.
An essential part of the existing reactor trip system has been designed as a fail-safe system. Special measures were implemented to ensure reactor trip in the case of a failure causing loss of reactor trip capability. Nevertheless, several types of failure remain undetected. They cause a loss of individual measuring channel capability to generate a trip signal. Information and control personnel frequently check and test the system to ensure its high reliability.
The fail-safe feature is also specified as a requirement for the new RPS system. The possibility of undetectable failures will be significantly reduced.
However, it is more complicated to specify a safe action or position of the actuator in the case of an ESFAS. The steam line fast acting isolation valve (FAIV) is normally open and its safe action is to close in order to isolate the affected steam generator. Spurious actuation (closure) of the valve is the initiating event for a loss of secondary heat sink SF of a particular steam generator. It is a specific feature of the WWER 440 reactor that this function is important even in cold shutdown conditions, because steam generators are used as a secondary residual heat removal system. The ESFAS system is designed to keep the actuators in their installed positions in the case of a loss of power supply. Individual spurious actuations of some actions of the ESFAS system can occur due to some failures within the system and consequently some initiating events can take place. However, overall complex actuation of ESFAS actions is not expected in the case of a loss of power supply. On the other hand, the ESFAS system is not able to fulfil its SF in the case of an emergency and the operator is obliged to shut down the unit manually within the specified time. Thus, the ESFAS system is designed as a fail-safe system to the extent possible. The issue of undetected failures within the RTS is also applicable to the ESFAS system. Several types of failure remain undetected. They can cause the loss of individual measuring channel capability to activate an output signal. Information and control personnel frequently check and test the system to ensure its high reliability.
The fail-safe design principle will be applied in the new system to the extent possible. The possibility for undetectable failures will be significantly reduced.
107
III.4.1.16. Prevention of common cause failures in safety systems
There are two redundancies in the reactor trip system (see also SP (177)). They are independent of each other, of other safety systems and of other plant systems. Power supply sources of redundancies are also independent, as are the HVAC systems of redundancies. Redundant systems are located in physically separated compartments. However, sensors are not qualified for harsh environments. The original seismic qualification is not sufficient for newly obtained seismic input data.
ESFAS systems are installed in three redundancies. They are independent of each other, of the reactor protection system and of other plant systems. The power supply sources and HVAC systems of redundancies are independent. Redundancies are located in physically separated compartments. However, sensors are not qualified for harsh environments. Seismic qualification is not sufficient for new seismic input data. Two out of three of the redundancies can be affected by the consequences of high energy line breaks.
Another issue related to common cause failures is related to the initiation of specific events (see also SP (154), Proven technology, ‘Revealed modes of failures’, and SP (158), General basis for design, ‘Development of list of DBAs’, to form the design basis). For example, there was an operational event during operation at full power with a failure of one output ESFAS relay, which initiated actions corresponding to the main steam header break and closed the FAIVs of all the steam generators. The safety valves of the steam generators ensured the secondary heat sink function and the integrity of the steam generators. The reactor was tripped due to the high rate of main steam header pressure drop. This event was not considered in the original safety analysis report. Post-event analyses gave positive results; all safety criteria were met. However, this kind of event should be identified in the failure mode and the effect analysis, and in addition should be analysed within the scope of the DBAs. The design of the new ESFAS system must avoid this kind of failure.
III.4.1.17. Implementation of conservative design for performance of safety systems
At the system level all aspects of conservative design have already been considered. These include robustness of the items (components) of automatic safety systems and their sufficient capacity with adequate margins.
108
III.4.1.18. Higher priority given to safety functions
The priority of SFs over functions of normal operation was implemented in the original design of automatic safety systems. However, due to the new safety classification of functions and systems, some deficiencies were identified. Prioritization of SFs was identified as a new issue, which is to be ensured within the ESFAS system itself. Both types of priority will be considered in the upgrading programme.
The priority of automatic actions over manual operator actions was ensured in the original design. In the course of development of the new symptom based EOPs some operator actions were identified as significant. An example is the reduction of safety injection flow; the operator cannot take this action in the wide range of pressure below 8.3 MPa and temperature above 180oC. The safety signal reset capability is to be implemented when justified.
III.4.1.19. Isolation of process and safety systems
The original automatic safety systems are separated from normal operation systems. There are special sensors available for the reactor trip system, the ESFAS system, the normal operation control systems, the analog indicators in the main control room and the process information system. A common part of the sensors is an instrumentation line of particular redundancy. This is a very good solution from the point of view of safety. The disadvantages of this design are the large number of detectors and the high maintenance costs. These issues have become more important, as due to requirements regarding environmental qualification all safety sensors have to be replaced by new ones. The only detectors commonly shared by safety and normal operation systems are neutron flux power range ex-core detectors. The signals of these detectors from safety and normal operation systems are properly isolated.
Regarding the new design of safety systems it is proposed to reduce significantly the number of sensors and to allow multipurpose usage of sensors. An additional reduction of sensors will be achieved by integration of the reactor trip and ESFAS systems. Proven isolation devices will be used for the isolation of process systems from safety systems.
109
III.5. REVIEW OF MECHANISMS
III.5.1. Unavailability of safety systems during previous operation
All provisions are adequately implemented in existing systems. The quality of these provisions corresponds to the technology level used at the time of their construction. A combination of implemented provisions and checks by personnel in the field ensure satisfactory reliability of the system.
All provisions will also be implemented in the new system; however, with higher quality. A justified RESET capability will be implemented.
III.5.2. Failure of safety systems to react on demand
Selection of initiation criteria does not always guarantee fulfilment of acceptance criteria when the single failure criterion is assumed. The response time became adequate after an adjustment was made to the system. Emergency operating procedures and operator training are satisfactory regarding consideration of failures in the safety systems. Diverse initiation criteria will be implemented in the new reactor trip system.
III.5.3. Failure of safety systems due to failure of supporting systems
The supporting electrical systems are reliable. The supporting ventilation systems will be improved within the upgrading programme. Emergency operating procedures and operator training are satisfactory in the case of failures in the supporting systems to the safety system.
III.5.4. Degraded performance of safety system due to harsh operating environment
An environmental qualification programme was started several years ago. A list of equipment to be replaced and a list of equipment to be requalified have been developed. Measures will be implemented within the upgrading programme. Supporting ventilation systems will also be improved within the upgrading programme.
III.5.5. Inadequate performance of safety systems
The single failure criterion is applied in the design of the reactor trip and ESFAS system. A weak point is the power supply system of the control rods. The new system will be designed to meet fully the criterion.
110
The fail-safe criterion is not fully implemented for the reactor trip system but will be implemented in the design of the new system. The ESFAS system is designed as fail-safe to the extent possible; the same principle will be applied to the new system.
III.5.6. Interference of process systems
Priority of SFs over normal operation and over operator actions was implemented in the original design and will also be implemented in the new design. RESET capabilities will be implemented to allow justified controlled operator actions. It is expected that the number of interconnections between safety and normal operation systems will be higher in the new systems. Proven isolation devices will be implemented to allay safety concerns.
III.6. REVIEW OF CHALLENGES
III.6.1. Degraded performance of fundamental safety functions due to inadequate response of automatic safety systems
A decision on replacement of the original automatic safety I&C systems by new ones has been made. Areas identified for improvement are the following:
— Operating status indication,— Self-testing capability,— Diversity of initiating criteria,— Supporting ventilation systems,— Seismic and environmental qualification of equipment,— Single failure criterion application,— Fail-safe principle,— Controlled operator intervention.
Deficiencies identified in the original system will be resolved in the new system, and the challenges of degraded performance of FSFs due to no timely or inadequate response of the automatic safety systems will be eliminated.
111
III.7. RESULTS AND LESSONS LEARNED FROM THE REVIEW
The test application of the screening method demonstrated that the approach is based on sound concepts and can be effectively used in plants. It can be considered a good method for the periodic safety review. It can also be used in a limited scope for review of the plant quality assurance programme, evaluation of plant modifications and evaluation of events or precursors. Because of the wide scope of the aspects reviewed, the approach can effectively support the questioning attitude as part of the plant safety culture.
When the review is being performed as a self-assessment, the level of satisfaction heavily depends on the plant safety culture and the desire for improvement. In any case the approach helps in identifying missing or weak provisions. The understanding of the importance of the provisions and of the interactions among the provisions or mechanisms is improved because of the complexity of the approach and its visualization in the form of objective trees.
For the Bohunice plant, the results of the screening were found to be in compliance with the recommendations of Ref. [8] and with the plant findings. Appropriate measures are planned for implementation within the upgrading programme. This is an important conclusion of this screening from the plant perspective. Screening was a starting point for a deeper evaluation of the areas needing improvement within the development of the safety concept of the upgrading programme. The test application contributed to the comprehensiveness of the plant upgrading programme.
The application also contributed to improvements of the screening method. For example, inclusion in the approach of the following modifications was proposed:
(a) The provision ‘Periodic surveillance testing and in-field audits of safety systems’ should be added to prevent the mechanism ‘Safety systems become unavailable during previous operation’.
(b) The provision ‘Install reliable supporting electrical systems’ was originally concentrated on electrical systems only. It was recommended that this should be made broader to assume all kinds of supporting systems, not only electrical ones. A typical additional supporting system is the ventilation system. The importance of this system was confirmed by available PSA studies.
Owing to the large number of provisions, mechanisms and challenges, some coding system would be helpful for practical reasons in full scope applications. The coding system can be developed in a future version of this approach. Development of the electronic version of this approach with links to
112
various supporting documents is recommended, to provide correct and complete information from original documents in support of appropriate evaluation of particular provisions. This should provide the user with an easy cross-checking capability for the evaluated provisions, mechanisms and challenges, to assist in ensuring the consistency and quality of the screening document. The system should be flexible, to allow the user to establish links with the existing plant documentation.
113
BLANK
REFERENCES
[1] INTERNATIONAL ATOMIC ENERGY AGENCY, The Safety of Nuclear Installations, Safety Series No. 110, IAEA, Vienna (1993).
[2] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Basic Safety Principles for Nuclear Power Plants, 75-INSAG-3 Rev. 1, INSAG-12, InternationalAtomic Energy Agency, Vienna (1999).
[3] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, International Atomic Energy Agency, Vienna (1996).
[4] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, Safety Standards Series No. NS-R-1, IAEA, Vienna (2000).
[5] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Operation, Safety Standards Series No. NS-R-2, IAEA, Vienna (2000).
[6] INTERNATIONAL ATOMIC ENERGY AGENCY, Anticipated Transients without Scram for WWER Reactors, IAEA-EPB-WWER-12, Vienna (1999).
[7] INTERNATIONAL ATOMIC ENERGY AGENCY, Design Basis and Design Features of WWER-440 Model 213 Nuclear Power Plants, IAEA-TECDOC-742, Vienna (1994).
[8] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Issues and the Ranking for WWER 440 Model 213 Nuclear Power Plants, IAEA-EPB-WWER-03, Vienna (1996).
[9] NUCLEAR REGULATORY COMMISSION, Standard Technical Specifications for Westinghouse Pressurized Water Reactors, Rep. NUREG-0452 Rev. 3, Office of Standards Development, Washington, DC.
115
BLANK
DEFINITIONS
accident. Any unintended event, including operating errors, equipment failures or other mishaps, the consequences or potential consequences of which are not negligible from the point of view of protection or safety.
accident conditions. Deviations from normal operation more severe than anticipated operational occurrences, including design basis accidents and severe accidents.
accident management. The taking of a set of actions during the evolution of a beyond design basis accident:
— To prevent the escalation of the event into a severe accident;— To mitigate the consequences of a severe accident; and— To achieve a long term safe stable state.
anticipated operational occurrence. An operational process deviating from normal operation which is expected to occur at least once during the operating lifetime of a facility but which, in view of appropriate design provisions, does not cause any significant damage to items important to safety nor lead to accident conditions.
beyond design basis accident. Accident conditions more severe than a design basis accident.
design basis. The range of conditions and events taken explicitly into account in the design of a facility, according to established criteria, such that the facility can withstand them without exceeding authorized limits by the planned operation of safety systems.
design basis accident. Accident conditions against which a nuclear power plant is designed according to established design criteria, and for which the damage to the fuel and the release of radioactive material are kept within authorized limits.
initiating event. An identified event that leads to anticipated operational occurrences or accident conditions and challenges safety functions.
117
normal operation. Operation within specified operational limits and conditions. For a nuclear power plant, this includes starting, power operation, shutting down, shutdown, maintenance, testing and refuelling.
operational limits and conditions. A set of rules setting forth parameter limits, the functional capability and the performance levels of equipment and personnel approved by the regulatory body for safe operation of an authorized facility.
operational states. States defined under normal operation and anticipated operational occurrences.
— Some States and organizations use the term operating conditions (for contrast with accident conditions) for this concept.
plant equipment.Plant equipment
Safety related items1
Protection system
Safety system support features
Safety actuation system
1 In this context, an 'item' is a structure, system or component.
Items important to safety1
Items not important to safety1
Safety systems
118
plant states.
postulated initiating event. An event identified during design as capable of leading to anticipated operational occurrences or accident conditions. The primary causes of postulated initiating events may be credible equipment failures and operator errors (both within and external to the facility), and human induced or natural events.
severe accidents. Accident conditions more severe than a design basis accident and involving significant core degradation.
validation. The process of determining whether a product or service is adequate to perform its intended function satisfactorily.
verification. The process of determining whether the quality or performance of a product or service is as stated, as intended or as required.
(a) Accident conditions which are not explicitly considered design basis accidents but which are encompassed by them.(b) Beyond design basis accidents without significant core degradation.
operational states accident conditions
beyond design basis accidents
anticipated operational occurrences
normal operation
design basis accidents
severe accidents(a) (b)
accident management
119
CONTRIBUTORS TO DRAFTING AND REVIEW
Aeberli, W. Beznau NPP, Switzerland
Butcher, P. AEA Technology, United Kingdom
Camargo, C. Comissão Nacional de Energia Nuclear, Brazil
Fil, N. Gidropress Experimental Design Bureau, Russian Federation
Höhn, J. International Atomic Energy Agency
Lipár, M. International Atomic Energy Agency
Mauersberger, H. Nuclear&Technical Safety Services, Austria
Mišák, J. International Atomic Energy Agency
Nano, J. NPP Bohunice, Slovakia
Powers, D. Sandia National Laboratories, United States of America
Prior, R. Nuclear Consultants International (PTY), South Africa
Tuomisto, H. Fortum Engineering, Finland
Vayssier, G.L.C.M. Nuclear Safety Consultancy, Netherlands
Vidard, M. Electricité de France, France
120