The first level of defense addresses prevention of accidents through the design of the plant, including quality assurance, redundancy, separation, testing, and inspection. The plant is designed and built to operate as intended with a high degree of reliability. Negative reactivity coefficients that lead to inherently stable operating conditions, safety margins in design, reliable and known materials performance in structures and components, adequate instrumentation and control, and so on, are among the preventive measures employed in reactor design.
Nuclear safety of normal operation forms one of the most important pillars since anticipated operational occurrences and accident conditions starts from normal operation. Robust design and “Safety First approach” best describe this area.
Nuclear safety of normal operation is even part of the definition of nuclear safety:
‘Safety’ is the achievement of proper operating conditions, prevention of accidents and mitigation of accident consequences, resulting in protection of workers, the public and the environment from undue radiation hazards.
Nuclear safety of normal operation constitute the first level of defense, and it is based on the following aspects:
- Safety Culture
- robust reactor design
- qualified personnel
- conservatism – diversity – redundancy
- quality assurance
- testing and inspection
- operational limits and conditions
Organizations and individuals involved in activities that may have an impact at each level of defence in depth need to be committed to a strong safety culture (see Safety Culture, INSAG-4).
According to SAFETY SERIES No. 75-INSAG-4:
“Safety culture is that assembly of characteristics and attitudes in organizations and individuals which establishes that, as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance.”
This aspect of nuclear safety seems to be very soft, but the opposite is true. It states that nuclear safety principle stands first. It is also known as “the Safety First principle”. This principle must be observed by both operating personnel and management. The operating organization and the governmental organization, as well as organizations involved in design, manufacturing, construction, maintenance, testing and in-service inspection and emergency interventions, must ensure that appropriate prerequisites are met and that appropriate methods are used.
The plant is designed and built to operate as intended with a high degree of reliability. The reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences.
As an example, negative reactivity coefficients that lead to inherently stable operating conditions, safety margins in design, reliable and known materials performance in structures and components, adequate instrumentation and control, and so on, are among the preventive measures employed in reactor design.
To demonstrate that the fundamental safety objective is achieved in the design of a nuclear power plant, a comprehensive safety assessment of the design is required to be carried out. Its objective is to identify all possible sources of radiation and to evaluate possible doses that could be received by workers at the installation and by members of the public, as well as possible effects on the environment, as a result of operation of the plant. Current developments for ensuring the stable, safe and competitive operation of nuclear reactors are closely related to the advances that are being made in safety analysis. Deterministic safety analyses for anticipated operational occurrences, design basis accidents (DBAs) and beyond design basis accidents (BDBAs) are essential instruments for confirming the adequacy of safety provisions.
Fundamental Safety Functions
Fulfilment of the following fundamental safety functions for a nuclear power plant shall be ensured for all plant states:
- Shut down the reactor and achieve subcritical condition during and after anticipated operational occurrences or design basis accident conditions
- Remove residual heat from the core after reactor shutdown from all anticipated operational occurrences or design basis accident conditions
- Reduce the potential for the release of radioactive material and ensure that any releases are below acceptable limits during anticipated operational occurrences and design basis accident conditions.
Qualified and Experienced Personnel
In order to achieve and maintain high levels of safety, nuclear power plants are required to be staffed with an adequate number of highly qualified and experienced personnel who are duly aware of the technical and administrative requirements for safety and are motivated to adopt a positive attitude to safety, as an element of safety culture.
See also: NS-G-2.8, Recruitment, Qualification and Training of Personnel for Nuclear Power Plants. Vienna : International Atomic Energy Agency, 2002.
Conservatism is broadly applied at the first three levels of defence. Conservative assumptions are made for site selection, design and construction, commissioning and operation. Appropriate conservative assumptions and safety margins are also considered in the review of modifications, the assessment of ageing effects, periodic safety reassessment, and the development of emergency plans, as well as in regulatory review and subsequent licensing decisions. At Levels 4 and 5, best estimate considerations are increasingly important.
There are three ways of analysing anticipated operational occurrences and design basis accidents to demonstrate that the safety requirements, which are currently used to support applications for licensing, are met:
- Use of conservative computer codes with conservative initial and boundary conditions (conservative analysis).
- Use of best estimate computer codes combined with conservative initial and boundary conditions (combined analysis).
- Use of best estimate computer codes with conservative and/or realistic input data but coupled with an evaluation of the uncertainties in the calculation results, with account taken of both the uncertainties in the input data and the uncertainties associated with the models in the best estimate computer code (best estimate analysis).
Deterministic safety analyses for design purposes should be characterized by their conservative assumptions and bounding analysis.
For beyond design basis accidents, best estimate calculations are used in several States, together with an evaluation of the uncertainties associated with the relevant phenomena. However, in determining what measures should be taken to mitigate the consequences of beyond design basis accidents, an uncertainty analysis is not usually performed.
See also: SAFETY MARGINS OF OPERATING REACTORS: ANALYSIS OF UNCERTAINTIES AND IMPLICATIONS FOR DECISION MAKING IAEA, VIENNA, 2003 IAEA-TECDOC-1332. ISBN 92–0–118102–7
The term redundancy is the provision of alternative (identical or diverse) system, structure and components, so that any of the redundant systems can perform the required function regardless of the state of operation or failure of the other. Redundant systems are of special importance in systems, such as I&C, electric power supply and emergency cooling.
This requirement leads to an n + 2 degree of redundancy, for example 4 X 50% or 3 X 100% redundancy concepts.
For example, the onsite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure. This is an illustration of redundancy and diversity.
Redundancy and Single Failure Criterion
A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither a single failure of any active component (assuming passive components function properly) nor a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.
Diversity and Common-cause Failure
Functional diversity or diversity in component design is closely related to the common-cause failure. Common cause failures (CCF) are a serious threat to redundant system reliability. Design diversity has long been used to protect redundant systems against common-cause failures. That means, by the use of two or more independent and different methods for achieving the same result.
The design of equipment shall take due account of the potential for common cause failures of items important to safety, to determine how the concepts of diversity, redundancy, physical separation and functional independence have to be applied to achieve the necessary reliability.
For example, two independent reactivity control systems of different design principles shall be provided. One of the systems shall use control rods, preferably including a positive means for inserting the rods, and shall be capable of reliably controlling reactivity changes to assure that under conditions of normal operation, including anticipated operational occurrences, and with appropriate margin for malfunctions such as stuck rods, specified acceptable fuel design limits are not exceeded. The second reactivity control system shall be capable of reliably controlling the rate of reactivity changes resulting from planned, normal power changes (including xenon burnout) to assure acceptable fuel design limits are not exceeded. One of the systems shall be capable of holding the reactor core subcritical under cold conditions.
Separation, also referred to as physical separation, concerns separation by geometry (e.g., distance or orientation), barriers, or a combination of these. Separation is also used in the context of electrical isolation, functional independence and independence of communication. Functional separation is commonly used in I&C, where the protection system shall be separated from control systems to the extent that failure of any single control system component leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.
Separation, redundancy, physical barriers, and electrical isolation are design measures that are applied to address potential vulnerabilities related to a single failure of equipment and the propagation of failure effects.
Specific Safety Requirements; SSR-2/1 (Rev. 1) Requirement 21: Physical separation and independence of safety systems
“Interference between safety systems or between redundant elements of a system shall be prevented by means such as physical separation, electrical isolation, functional independence and independence of communication (data transfer), as appropriate.”
Each level of defence can be effective only if the quality of design, materials, structures, components and systems, operation and maintenance can be relied upon. A quality assurance program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions. They can also ensure that the intent of the design is achieved in the plant as built and that the plant is being operated as intended and maintained as designed.
Operational Limits and Conditions – Technical Specification
Operational limits and conditions are usually defined in Technical Specification. This document establishes requirements for items such as safety limits, limiting safety system settings, limiting control settings, limiting conditions for operation, surveillance requirements, design features, and administrative controls. The operating organization shall ensure that the plant is operated in accordance with the set of these operational limits and conditions.
The plant shall be operated within the operational limits and conditions to prevent situations arising that could lead to anticipated operational occurrences or accident conditions, and to mitigate the consequences of such events if they do occur. The operational limits and conditions shall be developed for ensuring that the plant is being operated in accordance with the design assumptions and intent, as well as in accordance with its licence conditions.
See also: NUREG-1431, Standard Technical Specifications – Westinghouse Plants.