Safety Classification of Structures, Systems and Components in
advertisement
DS 367 Safety Classification of Structures, Systems and Components in NPPs - Comparison of versions 5.1 and 5.10 Version 5.1 was sent to MSs Version 5.10 With resolution of MSs’ comments DS 367 version. 5.1 DS 367 version 5..10 1. INTRODUCTION BACKGROUND 1.1 The need to classify equipment in a nuclear plant according to its importance to safety has been recognised since the early days of reactor design and operation. The existing safety classification methods for structures, systems and components (SSCs) have evolved taking into account the lessons learnt during tens of thousands of hours of, mainly light water reactor (LWR), operation. Although the concept of safety functions as being what should be accomplished for safety has been understood for many years and examples based on experience have been provided, the process by which these could be derived from the general safety objectives has not been described in earlier IAEA publications. The classification systems accordingly identified the SSCs, mainly from experience and analysis of specific designs, that were deemed to be of the highest importance in maintaining safe operation, such as the continuing integrity of the primary pressure boundary, and classified this at the highest level 1. INTRODUCTION BACKGROUND 1.1. The need to classify equipment in a nuclear power plant (1SAF) according to its importance to safety has been recognized since the early days of reactor design and operation. The existing methods for safety classification of structures, systems and components (SSCs) have evolved in this light of lessons learnt during the design and operation of existing plants, mainly with light water reactors. Although the concept of a safety function as being what must be accomplished for safety has been understood for many years, and examples based on experience have been provided, the process by which safety functions can be derived from the general safety objectives has not been described in earlier IAEA publications. Therefore, it was mainly from experience and analysis of specific designs that classification systems identified those SSCs that were deemed to be of the highest importance in maintaining safe operation, such as the continuing integrity of the primary pressure boundary, and classified them at the highest level. 1.2 This Safety Guide was prepared under the IAEA programme for safety standards for nuclear power plants. An IAEA Safety Guide on Safety Functions and Component Classification for Boiling Water Reactor (BWR), Pressurized Water Reactor (PWR), and Pressure Tube Reactor (PTR) Plants was issued in 1979 as Safety Series No. 50-SG-D1 and was withdrawn in the year 2000 because the recommendations contained therein were considered not to comply with the IAEA Safety Requirements publication, Safety of Nuclear Power Plants: Design, NS-R-1 [1], 1.2. This Safety Guide was prepared under the IAEA programme for safety standards for nuclear power plants. An IAEA Safety Guide on Safety Functions and Component Classification for Boiling Water Reactor (BWR), Pressurized Water Reactor (PWR), and Pressure Tube Reactor (PTR) Plants was issued in 1979 as Safety Series No. 50-SG-D1 and was withdrawn in the year 2000 because the recommendations contained therein were considered not to comply with the IAEA Safety Requirements publication, Safety of Nuclear Power Plants: Design, published in 1/50 Comments DS 367 version. 5.1 DS 367 version 5..10 published in 2000. 2000. This Safety Guide represents an update of that earlier Safety Series publication. Comments 1.3 In developing this Safety Guide, a review of other relevant IAEA publications has been undertaken. This has included the IAEA Safety Requirements publication, Safety of Nuclear Power Plants: Design, NS-R-1 [1], the IAEA Safety Fundamentals, Fundamental Safety Principles, SF-1 [2], and current and ongoing revisions of Safety Guides and INSAG reports, including Safety Assessment and Verification for Nuclear Power Plants, NS-G-1.2 [3], and Defence in Depth in Nuclear Safety, INSAG-10 [4]. These publications have addressed the issues of safety functions and the safety classification of structures, systems and components (SSCs) for nuclear power plants. Information from a significant number of other international and national publications has been considered in developing this Safety Guide. 1.3. In developing this Safety Guide, relevant IAEA publications (3FRA) has been considered. This included the Safety Requirements publications, Safety of Nuclear Power Plants: Design [1] and Safety Assessment for Facilities and Activities [2], the Fundamental Safety Principles [3], and current versions and ongoing revisions of Safety Guides and INSAG reports, including Safety Assessment and Verification for Nuclear Power Plants [4] and Defence in Depth in Nuclear Safety [5]. These publications have addressed the issues of safety functions and the safety classification of SSCs for nuclear power plants. Information from a significant number of other international and national publications such as Refs [6], [7] and [8] has been considered in developing this Safety Guide. 1.4 The purpose of the safety classification in a nuclear power plant is to identify and classify SSCs on the basis of their safety function and safety significance. Reference [1] requires designers to undertake a number of steps to perform safety classification and to justify the assignment of SSCs to safety classes. 1.4. The purpose of safety classification in a nuclear power plant (1ROM, 1USA, 3FRA) is to identify and categorize the safety functions and to identify and classify the related SSC items on the basis of their safety significance. This will ensure that the appropriate engineering design rules are determined for each safety class, so that SSCs are designed, manufactured, constructed, installed, commissioned, quality assured, maintained, tested and inspected to standards appropriate to their safety significance. Reference [1] requires designers to undertake a number of steps to perform safety classification and to justify the assignment of SSCs to safety classes. 1.5. To adopt the best practices in Member States, the IAEA New reviewed widely the existing safety classification methodologies (3USA) applied in operating nuclear power plants and for new designs. 2/50 DS 367 version. 5.1 DS 367 version 5..10 Comments This Safety Guide is based on this review. The principles and method of classification provided in this Safety Guide aim at harmonizing national practices. Furthermore, this Safety Guide explicitly describes the steps of safety classification, which are often not systematically expressed and documented in national classification methods. The classification principles and method provided in this Safety Guide do not invalidate classifications of SSCs achieved using other methods. OBJECTIVE 1.5 The objective of this Safety Guide is to provide guidance on how to meet the requirements for identification of safety functions and classification of SSCs established in the Ref. [1] and to ensure appropriate quality and reliability of SSCs. This Safety Guide proposes a technology neutral approach and issues relating to particular types of reactor are discussed in general terms. OBJECTIVE 1.6. The objective of this Safety Guide is to provide recommendations and guidance on how to meet the requirements established in Refs [1] and [2] for identification and categorization of safety functions and for classification of related SSCs to ensure quality and reliability accordingly. This Safety Guide presents a technology neutral approach and, therefore, issues relating to particular types of reactor are discussed in general terms. 1.7. This publication is intended for use by organizations new designing, manufacturing, constructing and operating nuclear power plants, as well as by regulatory bodies and their technical support organizations for the conduct of regulatory reviews and assessments. SCOPE 1.6 The recommendations on safety classification as presented in this Safety Guide are intended to be applicable to any plant type, irrespective of the amount of available operating experience. The approach to safety classification presented here is intended to be suitable both for new designs of nuclear power plant and during the periodic safety review of, or upgrades to, 3/50 SCOPE 1.8. This Safety Guide covers all safety aspects of a nuclear (2SPA, ENISS1,3, power plant that are included in the plant’s safety analysis report, 4FRA,1SPA,7SPA0) including the storage and handling of new and spent fuel at the site of the plant. The recommendations on safety classification as presented in this Safety Guide are intended to be applicable to any plant type. The approach is intended to be suitable for new DS 367 version. 5.1 DS 367 version 5..10 existing plants. It is intended to cover all aspects of a nuclear power plant, including the storage and handling of new and spent fuel at the site of the plant, that are included in the plant’s safety analysis report. This publication is intended for use by organizations designing, manufacturing, constructing and operating nuclear power plants, as well as by regulatory bodies and their technical support organizations for the conduct of regulatory review and assessment. designs of nuclear power plants; however, it may also be applied to existing plants or designs that have already been licenced. For the purpose of this Safety Guide, existing nuclear power plants are those nuclear power plants that are: (a) at the operational stage (including long term operation and extended temporary shutdown periods); (b) at a pre-operational stage for which the construction of structures, the manufacturing, installation and/or assembly of components and systems, and commissioning activities are significantly advanced or fully completed; or (c) at a temporary or permanent shutdown stage while nuclear fuel is still within the facility (in the core or the pool). For upgrading of existing plants, the use of this Safety Guide will help to classify new SSCs, and reclassify existing SSCs interfacing with new SSCs if necessary. 1.7 This Safety Guide is written in technology neutral terms. This assumes that there are features of all nuclear power plants that are common to all reactor types. It has been assumed that all plants have a series of physical or other barriers for the retention of an inventory of radioactive material and that all must meet a set of requirements that govern the safe operation of the plant. Further, all plants are assumed to require physical processes to operate, including cooling of the fuel, limitation of chemical attack and mechanical processes to prevent degradation of the barriers retaining radioactive material, although in different designs, each of these aspects may be of different relative importance. This Safety Guide was written for nuclear power plants but could be extended to any type of nuclear facility, if the appropriate amendments are made. 1.9. This Safety Guide is written in technology neutral terms. This assumes that there are features of all nuclear power plants that are common to all reactor types. For example, it is assumed that all plants have a series of physical barriers or other barriers for the retention of the inventory of radioactive material and that all such barriers have to meet a set of requirements that govern the safe operation of the plant. Furthermore, all plants are assumed to require certain physical processes to operate, including cooling of the fuel, limitation of chemical attack and mechanical processes to prevent degradation of the barriers retaining radioactive material, although in different designs, each of these aspects may be of different relative importance. This Safety Guide is applicable for SSCs at nuclear power plants, but the recommendations it provides could be extended to cover any type of nuclear facility, if the appropriate amendments are made. Comments (4FIN & 4USA) STRUCTURE STRUCTURE 1.8 Section 2 provides general recommendations on the 1.10. Section 2 provides the basis and general approach to be (3SPA) 4/50 DS 367 version. 5.1 DS 367 version 5..10 approach to be adopted in meeting the IAEA requirements on safety classification, and the defence in depth (DiD) concept for plant safety. Section 2 also introduces the concept of safety functional groups to perform safety functions to prevent and/or mitigate postulated initiating events (PIE). Section 3 describes the steps in the safety classification process. Section 4 provides recommendations on requirements for SSCs based on their safety classification. The tables and the appendices cover a number of issues including flow charts of the process and examples of design requirements. Annex I gives a list of safety functions for light water type reactors, and Annex II provides an example of the possible combination approach for deterministic safety analysis and probabilistic safety analysis results for assessment of adequacy of safety classification during system level design. adopted in meeting the safety requirements on safety (33, 34, & 35 USA) classification. Section 3 describes the steps in the safety classification process. Section 4 provides recommendations on determining the design rules for plant specific safety functions and SSCs on the basis of their safety categories and safety classes respectively. Appendix I provides a chart indicating how safety functions relate to the various levels of defence in depth. Appendix II provides a table indicating the different steps to be performed in classification of SSCs in line with other design processes. Annex I lists reactor type safety functions for light water reactors. Annex II gives examples of design rules for SSCs. 5/50 Comments DS 367 version. 5.1 DS 367 version 5..10 2 REQUIREMENTS AND GENERAL APPROACH FOR SAFETY CLASSIFICATION REQUIREMENTS FOR A SAFETY CLASSIFICATION PROCESS 2.1 The requirements for a safety classification system are established in Ref. [1]. These are repeated in the following paragraphs. 2 BASIS AND GENERAL APPROACH TO SAFETY CLASSIFICATION REQUIREMENTS FOR A SAFETY CLASSIFICATION PROCESS 2.1. The basic requirements for a safety classification system are established in Ref. [1] and are repeated in the following paragraphs. Additional related requirements are established in Ref. [2]. The recommendations on how to meet these requirements are developed in this Safety Guide. 2.2 Ref. [1] in paragraph 4.7 states “A systematic approach shall be followed to identify the structures, systems and components that are necessary to fulfil the safety functions at the various times following a PIE.” 2.2. Paragraph 4.1 of Ref. [1] states that “A systematic approach (14UK) shall be followed to identify the items important to safety that are Editing update + (DS 414) necessary to fulfil the fundamental safety functions, and to identify the inherent features that are contributing to or affecting the fundamental safety functions, for all the levels of defence in depth.” 2.3 Ref. [1] in paragraph 5.1 states “All structures, systems and components, including software for instrumentation and control (I&C), that are items important to safety shall be first identified and then classified on the basis of their function and significance with regard to safety. They shall be designed, constructed and maintained such that their quality and reliability is commensurate with this classification.” 2.3. Requirement 23 of Ref. [1] states that “All items important (14UK) to safety shall be identified and the items identified shall be Editing update + (DS 414) classified on the basis of their function and their safety significance.” 2.4 Ref. [1] in paragraph 5.2 states “The method for classifying the safety significance of a structure, system or component shall primarily be based on deterministic methods, complemented where appropriate, by probabilistic methods and engineering judgement, with account taken of factors such as: (1) the safety function(s) to be performed by the item; 2.4. Paragraph 5.35 of Ref. [1] states that “The method for (14UK) classifying the safety significance of items important to safety Editing update + (DS 414) shall primarily be based on deterministic methods complemented where appropriate by probabilistic methods, with account taken of factors such as: (1) the safety function(s) to be performed by the item; 6/50 Comments DS 367 version. 5.1 DS 367 version 5..10 (2) (3) (2) the consequences of failure to perform the safety function; (3) the frequency at which the item will be called upon to perform a safety function; (4) the time following a postulated initiating event at which, or the period for which, it will be called upon to operate.” (4) the consequences of failure to perform its function; the probability that the item will be called upon to perform a safety function; the time following a postulated initiating event at which, or the period throughout which, it will be called upon to operate.” 2.5 Ref. [1] in paragraph 5.3 states “Appropriately designed interfaces shall be provided between structures, systems and components of different classes to ensure that any failure in a system classified in a lower class will not propagate to a system classified in a higher class.” 2.5. Requirement 22 of Ref. [1] states that “Interference between (14UK) safety systems and systems of lower classification or between Editing update + (DS 414) redundant elements of systems of the same class shall be prevented by means such as physical separation of safety systems, electrical isolation, functional independence and independence of communication (data transfer), as appropriate.” FUNDAMENTAL SAFETY FUNCTIONS 2.6 Fundamental safety functions are derived from the need to deleted achieve the general nuclear safety objective Ref. [2]: “To protect individuals, society and the environment from harm by establishing and maintaining in nuclear installations effective defences against radiological hazards.” 2.7 Ref. [1] in paragraph 4.6 states “To ensure safety, the following fundamental safety functions shall be performed in operational states, in and following a design basis accident and, to the extent practicable, on the occurrence of those selected accident conditions that are beyond the design basis accidents: 7/50 Comments Deleted Deleted 2.6. Requirement 4 of Ref. [1] states that “Fulfilment of the Editing update (DS 414) following fundamental safety functions shall be ensured for all (3JPN) Footnote plant states: (1) control of reactivity; DS 367 version. 5.1 DS 367 version 5..10 (1) control of reactivity; (2) removal of heat from the core; and (3) confinement of radioactive material and control of operational discharges, as well as limitation of accidental releases.” [The intent on the core in (2) is for fuel in the core and spent fuel in the storage.] PLANT SPECIFIC SAFETY FUNCTIONS 2.8 For each type of nuclear power plant, based on the fundamental safety functions, the plant specific safety functions should be defined to prevent or mitigate PIEs. Plant specific safety functions should be defined at an adequate level of detail that will allow the identification of SSCs that are required for performing these safety functions. In line with Refs. [2] and [4], preventive safety functions prevent abnormal operation or system failures. Mitigative safety functions control the consequences of abnormal operation or failures that have occurred. A practical example is shown in Annex I. (2) removal of heat from the core; (3) confinement of radioactive material, provision of shielding against radiation and control of operational discharges, as well as limitation of accidental radioactive releases.” 1 deleted (see in 2.10 ) DEFENCE IN DEPTH AND BARIERS 2.9 Ref. [1] in paragraph 4.5 states “The objective of the safety deleted approach shall be: to provide adequate means to maintain the plant in a normal operational state; to ensure the proper short term response immediately following a postulated initiating event; and to facilitate the management of the plant in and following any design basis accident, and in those selected accident conditions beyond the design basis accidents.” 1 Comments Deleted Used for 2.10 and in Section 3 (7FRA, 3ROM comments was used later) Title deleted Deleted The three fundamental safety functions also have to be performed for spent fuel storage systems. In particular, fundamental safety function (2) refers to fuel in the core and spent fuel in storage at the site. 8/50 DS 367 version. 5.1 DS 367 version 5..10 Comments 2.10 The concept of successive barriers to release of deleted radioactivity is part of the defence in depth strategy. Furthermore, according to paragraph 2.10 of Ref. [1], “Application of the concept of defence in depth in the design of a plant provides a series of levels of defence (inherent features, equipment and procedures) aimed at preventing accidents and ensuring appropriate protection in the event that prevention fails.” Deleted IDENTIFICATION AND CATEGORISATION OF SAFETY FUNCTIONAL GROUPS Deleted GENERAL APPROACH CLASSIFICATION PROCESS (see 2.18 below) TO THE SAFETY new FIG 1. Main steps in classifying SSCs. Definition and review of postulated initiating events Identification of safety functions: preventive safety functions, aimed at preventing failures and abnormal operation mitigatory safety functions, aimed at controlling postulated initiating events and mitigating their consequences Categorization of safety functions Identification of SSCs or groups of SSCs to perform safety functions Assignment of SSCs to one of three safety classes Identification of design rules for classified SSCs Similar steps - , terms are changed First step is new (13JPN) 2.7. The approach to safety classification recommended in this New 9/50 DS 367 version. 5.1 DS 367 version 5..10 Comments Safety Guide involves, broadly, categorization of safety Text is giving an overview functions, followed by classification of the SSCs. The main steps of the general process involved are shown in Fig. 1. The details of the safety classification process, together with explanations of key concepts and terms, are set out in Section 3 and the last step shown in Fig. 1 is set out in Section 4. 2.8. For a specific plant, prerequisites for classifying all SSCs New according to their safety significance are the following: On the basis of 2.8 of ver. A list of all postulated initiating events2 considered in 5.1 the plant design basis; The identification of the safety functions implemented to achieve the fundamental safety functions for the different plant states. 2.9. Initially during the design, the postulated initiating events should be arranged in groups in which properties of the initiating events are the same (or very similar) (see Ref. [1], para 5.9 and Ref. [10], para. 5.34). At least one significant bounding postulated initiating event should be identified in each group. (see 2.8 before) 2.10. The safety functions that prevent and mitigate these events Editing should be derived at an adequate level of detail in order later to (7FRA) identify the SSCs that perform these safety functions. These safety functions will be specific to each plant. 2.11 The use of the defence in depth concept is required in the (see 2.18 below) design process and it should be applied in the safety classification process. The preventive plant specific safety 2 New, to summarize first box of Fig.1 On the basis of MSs comments Modified and moved down (2.18) As indicated in the IAEA Safety Glossary [9], the primary causes of postulated initiating events may be credible equipment failures and operator errors or human induced or natural events. 10/50 DS 367 version. 5.1 functions should be allocated to the defence in depth level 1 and the mitigatory plant specific safety functions to the defence in depth levels 2 – 5 described in Table 1 of Ref. [4] and shown in Appendix I. 2.12 Safety functional groups, defined as all the SSCs, including supporting items that work together to perform a plant specific safety function, derived from fundamental safety functions, to prevent or mitigate a postulated initiating event and allocated to one defence in depth level, should be identified. 2.13 The safety functional groups should be categorized according to their safety significance. Safety categorization should be based on the consequences of the failure of the SSCs to perform their assigned safety functions. (see 2.12 before) 2.14 Safety classes of the SSCs should be derived from the relevant safety categories as described by Fig. 1 in Section 3. DS 367 version 5..10 Comments (see 2.12 below)) Modified and moved down And used in section 3 as well 2.11. These plant specific safety functions (see Section 3) should then be categorized into a limited number of categories, on the basis of their safety significance (i.e. the frequency of occurrence of the postulated initiating events they prevent or mitigate, the consequences of the failure of the safety function, and the time during which or after which they are required to perform). (4JPN, 5JPN, 6JPN) Plant specific safety functions should then be categorized Similar to ver 5.1 Para 2.13 box 3, See Section 3 2.12. The SSCs or groups of SSCs that work together to perform (15UK). the plant specific safety functions should then be identified. Para 2.12 of ver 5.1 was modified – ( SFG in 3.24 ) 2.13. The SSCs are subsequently classified, mainly on the basis Similar to 2.14 of ver 5.1 of the category of the safety function they perform. Preliminary box 4 safety classifications of SSCs are then subject to verification. In (UK16) this Safety Guide three classes of SSCs are recommended, based on experience in Member States. 2.15 Because not all SSCs within a safety functional group may (see 3.25 below) have an equal contribution towards achieving the desired safety function, appropriate safety classes for the SSCs, which belong to that safety functional group should be derived. 3.1 (see below) Moved to section 3 2.14. The safety classification process described in this Safety Very Similar to 3.1 &2.16 Guide highlights the significant linkage that exists between of ver 5.1 11/50 DS 367 version. 5.1 DS 367 version 5..10 Comments design, analysis of postulated initiating events and the Editing update including consequences of failure of safety functions, and classification of MS comment SSCs. The aim of safety classification is to determine the appropriate engineering design rules for all SSCs, to ensure that SSCs are designed, manufactured, constructed, installed, commissioned, quality assured, maintained, tested and inspected to standards appropriate to their safety significance (see Section 4). 2.16 The safety classification process should ultimately assign deleted design requirements for all SSCs that will achieve the appropriate performance of each safety functional group. Deleted, used for a similar para in Section 3 (3.33) 2.15. The basis for the classification and the results of the Separated MS comment classification should be documented in an auditable record. (12USA) to 3.1 of ver 5.1 (old 2.19 see below) 2.16. Safety classification is an iterative process that should be (9SPA, ENISS 9, 6CAN), carried out throughout the design process. Any preliminary box 4 assignments of SSCs to particular safety classes should be justified using deterministic safety analysis and, where possible, probabilistic safety analysis. APPLICATION OF THE SAFETY CLASSIFICATION PROCESS 2.17 The safety classification should be performed during plant design, system design and equipment design phases and should be reconsidered for any relevant changes during construction, commissioning and commercial operation and subsequent stages in the plant’s lifetime including periodic safety reviews. 2.17. The safety classification should be performed during plant Edited (PSR deleted) design, system design and equipment design phases and should (12FRA) be reconsidered for any relevant changes during construction, commissioning and commercial operation and subsequent stages in the plant’s lifetime. 2.18 The safety classification process should take the following (see Fig. 1 before) 12/50 Deleted Modified in fig 1 and DS 367 version. 5.1 DS 367 version 5..10 steps: (1) identification of plant specific safety functions to prevent or mitigate postulated initiating events based on the three fundamental safety functions; (2) allocation of the plant specific safety functions to defence in depth levels; (3) identification of the safety functional groups to perform plant specific safety functions at different defence in depth levels and allocation of SSCs to perform the required functions within these safety functional groups; (4) assignment of safety functional groups to safety categories based on the consequence of the groups’ failure; (5) assignment of the individual SSCs within safety functional groups to safety classes based on their importance in achieving the plant specific safety functions; (6) assignment of design requirements to the SSCs based upon their classification. VERIFICATION AND REVISION OF SAFETY CLASSES 2.11 (see before) 2.18. The safety classification process recommended in this Safety Guide is consistent with the concept of defence in depth that is required in the design process [1]. The preventive safety functions (for use in normal operation) may be associated with defence in depth level 1 and the mitigatory safety functions (for mitigation of the consequences of anticipated operational occurrences and design basis accidents and consequences in excess of acceptance criteria for design basis accidents) with defence in depth levels 2 to 4, as described in Refs [1] and [5]. See the chart in Appendix I for further detail. 2.19 Safety classification may be an iterative process during the (see 2.16 before) 13/50 Comments moved up (13JPN) deleted Editing updates box 5 DS 367 version. 5.1 DS 367 version 5..10 design process. Any preliminary safety class assignments should be finalized using deterministic safety analysis and, where available, probabilistic safety analysis. 2.20 During the plant periodic safety reviews and before (see 3.3 below) modifications, this safety classification method should be applied to determine if there are any changes to the safety functions to be performed. Comments PSR was deleted other part was moved to Section 3 2.19. Although the precise nature of the steps taken at each stage New paragraph introduced could vary according to regulatory requirements and the plant (harmonization of the MS design, the safety classification process should include the steps practices) outlined in Section 3. Different methods for the safety classification of SSCs have been used for different types of reactors and in different States for operating nuclear power plants and for new designs. The differences between the various methods are, for instance, the number of classes and the grouping of safety functions. 14/50 DS 367 version. 5.1 DS 367 version 5..10 3. SAFETY CLASSIFICATION PROCESS 3.1 The safety classification process described within this section highlights the significant linkage that exists between safety design, functional analysis and classification. Although the precise nature of the steps taken at each stage could vary according to the regulatory requirements and the plant design, the safety classification process should include the steps outlined in the sub-sections below. The safety classification process should ultimately establish design requirements for all SSCs to achieve appropriate performance of safety functional groups. Comments 3. SAFETY CLASSIFICATION PROCESS 3.1. [this sentence is now in 2.18, replace instead with this brief intro] (12USA) 3.1. This section describes in detail the step-by-step approach to safety classification of SSCs, as shown in Fig. 1. ESTABLISHING THE INPUT TO THE CLASSIFICATION PROCESS: REVIEW OF POSTULATED INITIATING EVENTS New title 3.2 In order to establish the inputs required to start the New + Paragraph classification process, the safety objective for the design safety added as footnote should be analysed and the specific safety challenges associated with the specific reactor type (or technology) and with a specific plant should be identified, as well as the philosophy for prevention of these challenges and mitigation of their effects. The list of postulated initiating events (or bounding postulated initiating events; see Ref. [2] and para 7.3 of Ref. [11] 3 ) applicable to the reactor type (or technology) should be reviewed and adapted to the particular plant taking into consideration the relevant internal and external hazards 4 in accordance with the 3 A list of bounding postulated initiating events for each reactor type is available in accident studies and is typically provided by the designer. 4 Postulated initiating events that originate in internal and external hazards (e.g. fire in one electricity supply bus) 15/50 3.5 requirement established in Ref. [1], para. 5.8. Grouping or bounding of postulated initiating events should be performed and assessed during the design prior to the safety classification process using deterministic safety analysis and probabilistic safety assessments. The methods are described in Refs [10, 11, 12]. 3.2. A complete set of plant specific safety functions based on (see 3.7 below) the fundamental safety functions should also be defined during the initial design phase for a new nuclear power plant. For a specific nuclear power plant, a list of plant specific safety functions may already exist. If such a list does not exist, the fundamental safety functions should be broken down into plant specific safety functions and associated supporting functions for each defence in depth level. 3.3. The plant specific safety functions applied to safety (see 2.5 below) functional groups will prevent or mitigate the postulated initiating events that have been identified and should be broken down as required into SSC level safety functions associated with each defence in depth level. For each defence in depth level, the fundamental safety functions should be broken down into a consistent group of plant specific safety functions (e.g. reactivity control may be broken down into a) preventing unacceptable reactivity transients, as defence in depth level 1 function and b) shutting down the reactor, c) maintaining the reactor in safe shutdown condition, both as defence in depth levels 2 and 3 functions). Acceptance criteria for the performance of plant level safety functions should be defined at each defence in depth level. These are refined during the design process to establish a complete set of safety functions. 3.4 For an existing plant the design should be reviewed (see next para 3.3) periodically to ensure that the postulated initiating events and a sufficient list of plant specific safety functions to deal with 16/50 Moved down Moved down Para 3.4 and 3.5 of ver 5.1 was combined into 3.3 them are appropriately defined. 3.5 For plant modifications, the sub-set of newly identified or modified plant specific safety functions should be assessed, taking into consideration the affected interfaces with existing safety functional groups. 3.3. For plant modifications, the newly identified or modified postulated initiating events should be assessed, with account taken of interfaces with existing safety functions and safety classes of SSCs that may be affected. Paras 3.4 and 3.5 of ver 5.1 was combined and modified (ENISS 17) SAFETY FUNCTIONS TO PREVENT OR MITIGATE IDENTIFICATION OF PLANT SPECIFIC SAFETY POSTULATED INITIATING EVENTS FUNCTIONS 3.4. At the early stage of design, ‘reactor type safety functions’, Similar to para 2.8 of ver. 5.1 which are necessary to fulfil the fundamental safety functions in all plant states, should be identified in accordance with the safety objective for the design safety. These comprise preventive safety functions and mitigatory safety functions. Example of reactor type safety functions for existing designs of light water reactors is provided in Annex I. (see 3.3 before) 3.5. Safety functions should be defined to an adequate level of (23 UK, 25 UK) detail in order to allow the identification of the SSCs that are required for performing these safety functions. Therefore the reactor type safety functions should be broken down to ‘plant specific safety functions’, which prevent or mitigate the bounding postulated initiating events. 3.6 Plant specific safety functions to prevent deviation from normal operation as well as to mitigate the consequences of anticipated operational occurrences (AOO) and accidents should be allocated to each of the five defence in depth levels, if appropriate, so that the relevant success criteria can be achieved (see Appendix 1). 3.6. The plant specific safety functions are specific to the plant design, and each should be linked to particular bounding postulated initiating events. The plant specific safety functions should be refined in the design process to establish a complete set of safety functions to fulfil the fundamental safety functions. Some plant specific safety functions can be defined to cover more than one postulated initiating event. 17/50 3.6 of ver 5.1 was modified and used for 3.18 as well (Editing + allocation to DID levels removed but covered by introduction of plant specific safety functions/bounding PIEs) (17FRA,Belg2, CORDEL, CAN Genera,, 17FRA) 3.7. For existing nuclear power plant designs, lists of plant (23 UK & 24UK) specific safety functions are usually available. In some safety (12SPA, 21UK, classification schemes, reactor type safety functions are detailed ENISS12,13) enough such that they can be used as plant specific safety functions and to be allocated to bounding postulated initiating events. (See 3.2 below) 3.7 Defence in depth level 1 safety functions should be provided to keep the plant within the normal operational envelope, by preventing failures. 3.8. The preventive plant specific safety functions keep the plant (3INS, 26UK, 24USA, parameters within their expected normal range, maintain the 18FRA, Belg2,4, FIN5,) integrity of the main confinement barriers5 (see para. 2.12 of Ref. [1]) and prevent system failures that may cause initiating events. Failures of SSCs can originate from malfunctions, the effect of external and internal hazards or human induced events. Specific events can be ruled out of the plant design basis (for example: rupture of reactor pressure vessel for pressurized water reactors)6. 3.9. Preventive plant specific safety functions should ensure New on the basis of 2.8 of that the fundamental safety functions are fulfilled in normal ver 5.1 operation. Some plant specific safety functions support the three fundamental safety functions only indirectly (e.g. safety function (19) in Annex I). Preventive plant specific safety functions identified during the early stage of the design should be reviewed. 5 The confinement barriers are different for different plant designs and include the fuel with its cladding (whereby the ceramic material of the fuel itself has an important barrier function, including for the pebble bed modular reactor), the reactor coolant system boundary and the containment. 6 Failure of the reactor pressure vessel is nowhere considered as a bounding postulated initiating event, but has to be prevented, because it can not be mitigated in the plant design basis. 18/50 3.10. Mitigatory plant specific safety functions should new mitigate the consequences of initiating events such that the acceptance criteria are met for all anticipated operational occurrences and design basis accidents and the consequences of other accidents are reduced. 3.8 Defence in depth level 2 safety functions are mitigatory safety functions and should detect, control and recover from failures that occur during anticipated operational occurrences. The assignment of these defence in depth level 2 safety functions should be to return the plant to normal operational conditions as promptly as possible, following an anticipated operational occurrence, before the occurrence can progress to a design basis accident (DBA) or a beyond design basis accident (BDBA). on MSs’ 3.11. Safety functions for the mitigation of anticipated Modified operational occurrences should detect and intercept deviations comments from normal operation in order to prevent anticipated operational (15, 17USA, 19FRA) occurrences from escalating to an accident condition. 3.9 Defence in depth level 3 safety functions are mitigatory safety functions and should control accidents within the design basis. Defence in depth level 3 safety functions could be subdivided into defence in depth level 3A and 3B safety functions, as described below. 3.12. Safety functions for the mitigation of design basis accidents (21FRA), (27UK) should control accidents within the acceptance criteria of the plant’s design basis. Mitigatory safety functions for design basis accidents can be subdivided into levels A and B, depending on the potential consequences of the accident and the timing of achieving a controlled state or safe shutdown state, as described in following paragraphs. This subdivision is based on the definition of plant states in Ref. [1]. 3.10 Defence in depth level 3A safety functions should establish a controlled state following a design basis accident. A controlled state should be reached as soon as possible, preferably using automatic means, and is reached once the fundamental safety functions are restored. 3.13. Level A mitigatory safety functions for design basis (21FRA, 14USA). accidents should establish a controlled state following a design basis accident. A controlled state should be reached as soon as possible. A controlled state should be ensured by means of operator actions or by the active or passive safety systems that control reactivity, heat removal and releases to the environment within prescribed limits. However automatic means should be preferred to reach the controlled state 19/50 3.11 Defence in depth level 3B safety functions should: a) after a controlled state is reached, achieve a safe shutdown state and maintain it as long as necessary following a design basis accident, or b) minimize the consequences on the remaining barriers from the occurrence of the design basis accident. In a safe shutdown state, the reactor should remain sub-critical, decay heat should be removed indefinitely and all remaining barriers should remain intact. 3.14. Level B mitigatory safety functions for design basis (28UK) (21FRA, FIN5, CORDEL6). accidents should: a) After a controlled state is reached, achieve and maintain a safe shutdown state following a design basis accident; b) Minimize the challenge to the remaining barriers (see para. 2.12 of Ref. [1]) from the design basis accident. A safe shutdown state should be ensured by means of operator actions or by the active or passive safety features that control reactivity, heat removal and releases to the environment within prescribed limits. In a safe shutdown state, plant parameters are well below the design limits for components and structures, the reactor remains sub-critical, decay heat is removed for as long as necessary. 3.12 Defence in depth level 4 safety functions are mitigatory safety functions and should control of severe plant conditions, including prevention of accident progression and mitigation of the consequences of severe accidents. Defence in depth level 4 safety functions could be subdivided into defence in depth level 4A and 4B safety functions, as described below. 3.15. Safety functions for the mitigation of consequences in (8SAF & 29UK) (27UK) excess of acceptance criteria for design basis accidents should limit accident progression (e.g. in-vessel mitigation before significant core degradation occurs) and should mitigate the consequences of a severe accident7 (e.g. ex-vessel mitigation to control the remains of a significantly degraded core). 3.13 Defence in depth level 4A safety functions should be (see 3.15 before) those mitigatory safety functions required to arrest the progress of beyond design basis accidents, such as in-vessel mitigation before significant core degradation occurs. 7 Version 5.1 para 3.13 was deleted (Belg. 2 and other related) Mitigation of the consequences of severe accidents includes limitation of radiological consequences, control of reactivity excursions, removal of decay heat for as long as necessary, confinement of radioactive material by means of the remaining barriers, and monitoring of the state of the plant and radiation levels. 20/50 3.14 Defence in depth level 4A safety functions should also be (see 3.15 before) used to ensure that fundamental safety functions are maintained as far as possible and should include monitoring of the state of the plant and radiation levels. Version 5.1 para 3.14 was deleted (Belg. 2 and other related) 3.15 Defence in depth level 4B safety functions should be (see 3.15 before) those mitigatory safety functions required to control the remains of a significantly degraded core, such as ex-vessel mitigation, limiting radiological consequences, controlling further reactivity excursion, removing decay heat as long as required and confining radioactive material. Version 5.1 para 3.15 was deleted (Belg. 2 and other related) 3.16 Defence in depth level 5 safety functions should include (see 3.15 before) radiation monitoring and meteorological measurements for plume concentration prediction, emergency planning, and mitigation of releases following failures of the confinement safety function. The safety classification of equipment for any recovery or clean-up measures needed should be defined on a case-by-case basis and requirements identified. Version 5.1 para 3.16 was deleted (Belg. 2 and other related) 3.17 Functions not included within the defence in depth levels deleted described above, should be classified as non-safety. Version 5.1 para 3.17 was deleted (Belg. 2 and other related) IDENTIFICATION AND CATEGORIZATION OF SAFETY CATEGORIZATION OF SAFETY FUNCTIONS FUNCTIONAL GROUPS 3.18 Safety functional groups should be categorized primarily according to their safety significance based on the consequences of their failure. The relation of the safety function to defence in depth level reflects the likelihood of the safety functional group being called upon to operate. This should result in “highest” categorization on the safety functional groups where there are 21/50 3.16. The plant specific safety functions, preventive or mitigatory, which are required to be performed in operational states and in the event of a fault or accident, should be categorized on the basis of their safety significance. The safety significance of each safety function is determined by taking account of the factors (2), (3) and (4) indicated in para. 2.4. Original 3.18 of ver 5.1 was combined with new paragraph to define the safety significance of a safety function. (32UK, CORDEL 2) potentially the most severe consequences if they fail and which are most likely to be called upon to operate. 3.17. Factor (2) of para. 2.4 reflects the potential severity of the Modified and combined consequences of failure of a plant specific safety function. The paras 3.23 through 3.26 of severity should be divided into three levels, high, medium and ver 5.1 low, as follows: The severity should be considered ‘high’ if: The failure of the safety function could lead to a release of radioactive material that exceeds the specified limits for design basis accidents set by the regulatory body; or The values of key physical parameters could challenge or exceed specified design limits 8 for design basis accidents9. The severity should be considered ‘medium’ if: The failure of the safety function could lead to a release of radioactive material below the specified limits for design basis accidents set by the regulatory body; or The values of key physical parameters could exceed the specified design limits for anticipated operational occurrences, but remain within the specified design limits for design basis accidents9. The severity should be considered ‘low’ if: The failure of the safety function could lead to a release of radioactive material below the limits for the plant conditions for anticipated operational (See 3.23 through 3.26 below) 8 Also called safety acceptance criteria. 9 See Requirements 15, 19, 20 and 21 of Ref. [1]. 22/50 (See 3.6 before) occurrences; or The values of key physical parameters could exceed the specified design limits for normal operation 10 , but would remain within the specified design limits for anticipated operational occurrences9. 3.18. Factor (3) of para. 2.4 reflects the probability that a plant specific safety function will be called upon. This should be taken into account in the categorization of mitigatory safety functions. It should be expressed primarily through the probability of occurrence of postulated initiating events leading to anticipated operational occurrences, design basis accidents and design extension conditions. For preventive safety functions, no differentiation is necessary regarding probability. Updated in order to be consistent with the new version of NS-R-1 factors and to reduce the reemphasis made on DID levels (CORDEL2) 3.19. Factor (4) of para. 2.4 reflects the time at which or the period for which a plant specific safety function will be called upon. The time factor should be considered for the mitigation of design basis accidents. For example, a controlled state should be reached as soon as possible, preferably using automatic means. After a controlled state is reached, a safe shutdown state should be achieved and maintained as long as is necessary. The safety functions that need to be performed to reach and maintain the safe shutdown state may be categorized lower than the safety functions needed to reach the controlled state11. New in order to be consistent with the new version of NS-R-1 factors and to introduce how factor 4 should be considered added for 3.20. Because of the importance of the objective to limit New, clarification of the method radiological consequences for workers, the public and the 10 The limits specified in the technical specifications. 11 For example, safety functions F1A, F1B and F2 of the European Utility Requirements for LWR Nuclear Power Plants [7] need to be performed to reach a controlled state or for a safe shutdown state. 23/50 environment, and for the purposes of safety classification, with regard to particular emphasis should be placed on the barriers aimed at classification of limiting releases of radioactive material (see para. 2.12 of Ref. confinement barriers [1]). Depending on the reactor type (or technology), the emphasis placed on the different barriers (e.g. fuel cladding, pressure boundary and confinement system) might be different. For many reactor types, the integrity function of the reactor coolant boundary plays a very important role 12 , not only for retaining radionuclides, but also to ensure sufficient core cooling.13 the the Paragraph to 3.21. The safety significance of all plant specific safety functions New the Safety should be established and each plant specific safety function introduce should be categorized in one of the following safety categories Categories definitions according to the risk14. Safety category 1: Any preventive plant specific safety function whose failure would result in consequences with a ‘high’ severity should be assigned to safety category 1. Any mitigatory plant specific safety function required to reach a controlled state following a design basis accident or anticipated operational occurrence or any other mitigatory plant specific safety function whose failure would result in consequences with a ‘high’ severity should be assigned to safety category 1. Safety category 2: 12 Reference [5] identifies pressure integrity criteria for five different categories of safety functions. 13 Consequently, maintaining the integrity of the reactor coolant boundary is considered in Table 1 a preventive safety function and is assigned to the highest category. The highest category should apply to those components of the reactor coolant boundary where loss of integrity is not covered by mitigatory safety functions, e.g. failure of the reactor pressure vessel. At the other extreme, for those components of the reactor coolant boundary where loss of integrity is already mitigated by operational systems (e.g. failure of a transducer line), safety category 3 would be appropriate. 14 Risk is understood as a combination of the probability of occurrence of an event and the severity of its consequences [9]. 24/50 Any preventive plant specific safety function whose failure would result in consequences with a ‘medium’ severity should be assigned to safety category 2. Any mitigatory plant specific safety function required to reach a safe shutdown state following a design basis accident or any other mitigatory plant specific safety function whose failure would result in consequences with a ‘medium’ severity should be assigned to safety category 2. Safety category 3: Any preventive plant specific safety function designed to keep the main reactor process variables (i.e. the main plant parameters) within their specified ranges for normal operation or any other preventive plant specific safety function whose failure would result in consequences with a ‘low’ severity (e.g. an anticipated operational occurrence) should be assigned to safety category 3. Any mitigatory plant specific safety function designed for early interception of departure from normal operation before a reactor trip is initiated or the safety systems are challenged or any other mitigatory plant specific safety function whose failure would result in consequences with a ‘low’ severity should be assigned to safety category 3. Any mitigatory plant specific safety function designed to limit the consequences of hazards should be assigned at least to safety category 3. Even if they are not directly needed to ensure the performance of the fundamental safety functions, monitoring of releases of radioactive material at the site should be assigned at least to safety category 3. Safety category 4: Any mitigatory plant specific safety function required to control consequences in excess of acceptance criteria for design basis accidents, in order to prevent core melt or to 25/50 mitigate other consequences in a design extension condition, should be assigned to safety category 4. 3.19 Each plant specific safety function allocated to a defence (Last sentence of para. 3.22 below) in depth level, whether preventive or mitigatory should be achieved by a single safety functional group. However, one safety functional group may perform more than one plant specific safety function, depending on the design. Modified (34UK) 3.20 Each safety functional group should contain all the (See 3.23 below) necessary design features to achieve the desired capability, dependability and robustness (15SPA) 3.21 The objective of preventive plant specific safety functions Deleted is to decrease the probability of failures to where the radiological consequences associated with this failure provide an acceptable risk. Safety functional groups that only prevent the occurrence of an abnormal event should be assigned to defence in depth level 1. Deleted (see para 3.8) (8CAN). (35UK) 3.22 Where a postulated initiating event occurs which could deleted cause unacceptable consequences, mitigatory actions should be included to decrease the consequences of this event to remain within an acceptable consequence range. Safety functional groups which perform at least one plant specific safety function to mitigate the consequence of a postulated initiating event should be assigned to defence in depth levels 2 to 4. The safety requirements related to each level of defence in depth should be defined. An enveloping safety functional group can be defined to cover several levels of defence in depth, if appropriate. (see para 3.10) 3.23 The severity level of consequence of failure of the safety (see 3.17 below) functional group to perform its plant specific safety functions Modified 3.23 of ver 5.1 moved up to 3.17 26/50 should be divided into consequence levels such as the high, medium and low. 3.24 The level of consequence should be considered “high” if (see 3.17 below) the potential consequences of failure to maintain the safety function of either a preventive or mitigatory safety functional groups are radiological releases that challenge or exceed the applicable operational limits or safety acceptance criteria which have to be consistent with regulatory limits established for design basis accidents or similar events. Modified 3.23 of ver 5.1 moved up to 3.17 3.25 The level of consequence should be considered “medium” (see 3.17 below) if the potential consequences are radiological releases in excess of normal operational limits, but certainly less than the design basis accident design limits or related safety acceptance criteria. Modified 3.23 of ver 5.1 moved up to 3.17 (34FRA) 3.26 The level of consequence should be considered “low” if (see 3.17 below) the consequences are radiological releases close to but below the normal operational limits. This reflects the uncertainty that may exist in the safety analysis or other parameters associated with plant operation. Modified 3.23 of ver 5.1 moved up to 3.17 (6INS) (38FRA) (34FRA) 3.27 Safety functional groups should be categorized according to Table 1. Safety category 1 is defined to be the most stringent severity level of consequence of failure of the safety functional group to perform its plant specific safety functions. 3.22. The plant specific safety functions categorized according to the concepts set out in para. 3.21 are summarized in Table 1. Plant specific safety functions whose failure would lead to the most severe consequences should be assigned to safety category 1, as described in para. 3.21. Where a safety function could be considered to be in more than one category, depending on events considered, it should be categorized in the highest category. 3.28 The limiting values that are assigned to each of the levels deleted of radiological release will depend on the applicable operational limits or safety acceptance criteria which have to be consistent 27/50 Deleted (37UK) with regulatory limits for the plant. Table 1 Relationship between Safety Function Type and Safety Categories of Safety Functional Groups 3.29 By assigning safety categories to safety functional groups, a set of common design requirements can be identified that will ensure that the appropriate quality and reliability is achieved. Design measures should be applied consistently within a safety category or using a graded approach for the different safety categories or safety classes. This is considered further in Section 4. TABLE 1. RELATIONSHIP BETWEEN TYPE OF SAFETY FUNCTION AND SAFETY CATEGORIES FOR PLANT SPECIFIC SAFETY FUNCTIONS Modified table levels) (CORDEL 8) (no 3.23. By categorizing the plant specific safety functions in accordance with Table 1, engineering design rules (functional requirements such as single failure criterion, diversity, etc.), linked to the applicable safety categories, can be assigned to the plant specific safety functions or to groups of SSCs performing plant specific safety functions. This is further considered in Section 4. 3.30 A deterministic safety analysis should be performed that deleted will cover all postulated initiating events defined during the plant level and system level design. This analysis should confirm that the safety functional groups have the appropriate design requirements, are assigned to the appropriate defence in depth level and that the acceptance criteria for each postulated initiating event are met. This analysis should also provide a preliminary estimation of the plant behaviour and of the required systems performances. Deleted see Appendix II 3.31 When appropriate design information and performance deleted and reliability data for generic equipment is available, an initial probabilistic safety assessment (PSA) should be performed, as appropriate, at this stage of the design. The purpose of this preliminary PSA is to identify potential additional initiating events (multiple failures, losses of support functions, etc.) and the required safety functions. (16SPA) 28/50 Deleted see Appendix II DiD GROUPING OF STRUCTURES, SYSTEMS AND COMPONENTS 3.24. All the SSCs required to perform each plant specific safety new function should be identified and grouped into ‘safety functional groups’ 15 . Depending on the design, a particular SSC can be allocated to more than one plant specific safety function, and thus could be assigned to several safety functional groups. ASSIGN STRUCTURES, SYSTEMS AND COMPONENTS CLASSIFICATION OF STRUCTURES, SYSTEMS AND TO SAFETY CLASSES COMPONENTS Moved to 3.25 3.32 As indicated in paragraph 3.27, this guide recommends (see below 3.25) that Safety Class 1 should be assigned to the SSCs which have the most severe consequences if they fail. This is the “highest” safety class for a safety classification scheme with four safety classes (1 - 4), as shown below in Fig. 1. 3.33 SSCs should initially be assigned to the safety class corresponding to the safety category of the safety functional group they belong to; however, some SSCs in a safety functional group may change class. Fig. 1. Assignment of SSCs to Safety Classes 15 3.25. Initially, SSCs (including supporting SSCs) should be [2.15 of ver 5.1 is also assigned to the safety class corresponding to the safety category included in the para 3.25] of the plant specific safety function that they fulfil (see Fig. 2). However, because not all SSCs within a safety functional group may have an equal contribution towards achieving the desired safety function, some SSCs may then be assigned to a different safety class, as described in paras 3.26 and 3.27. Fig 2. Assignment of SSCs to Safety Classes See below after the table Modified All SSCs working together to perform one plant specific safety function are in one safety functional group. All safety functional groups (all SSCs) that work together to mitigate the consequences of anticipated operation occurrences and design basis accidents form a ‘safety group’ (see the IAEA Safety Glossary [9]). 29/50 Safety Category 1 Safety Functional Group (Highest Safety Category) SSCs assigned to Preliminary Safety Class 1 (Highest Safety Class) SSCs assigned to the Safety Class 1 (Highest Safety Class) Safety Category 2 Safety Functional Group SSCs assigned to Preliminary Safety Class 2 SSCs assigned to the Safety Class 2 Safety Category 3 Safety Functional Group SSCs assigned to Preliminary Safety Class 3 SSCs assigned to the Safety Class 3 Safety Category 4 Safety Functional Group SSCs assigned to Preliminary Safety Class 4 SSCs assigned to the Safety Class 4 Not Safety Classified SSCs 3.34 The safety class may be downgraded if justified by an appropriate safety analysis (See Figure II-1 in Annex II). A downgrade, generally of one level, is possible in the following cases: (1) SSCs the failure of which would not affect the capability of the safety functional group to perform its plant specific safety function. This may be, for example, a small instrumentation line or sensors monitoring the operation or the status of SSCs performing the safety function but not involved in its control. (2) SSCs performing auxiliary functions, already in operation at the moment of the postulated initiating event, and not affected by it. (3) Plant specific safety function performed by more than one diverse SSC, provided the SSC is less likely to be used, it is possible to deploy it and there is sufficient time for it to be deployed. 3.35 If there are SSCs within certain safety functional groups that cannot be accepted to fail (e.g. reactor pressure vessel for 16 3.26. If justified by an appropriate safety analysis, a safety class (44, 7UK, 14JPN, 46FRA) lower than the safety class initially assigned can be proposed for (46UK, CAN1, ENISS 5) a SSC. For example, an SSC can be assigned to a lower safety class, generally of one level lower, in the following cases: • The SSC does not directly support the accomplishment of the plant specific safety function in the corresponding safety category; • The SSC would already in operation at the moment the postulated initiating event occurs, and would not be affected by it; • The corresponding plant specific safety function is fulfilled by more than one SSC, providing the following conditions apply: The SSC to be assigned to a lower safety class is less likely to be used; It will be possible to deploy it in time for it to be effective. 3.27. If there are main SSCs (also known as lead SSCs or frontline SSCs16) within certain safety functional groups whose (15JPN, Belg.2), Main SSCs are those SSCs in a safety functional group that, with the support of supporting SSCs, perform the preventive and mitigatory plant specific safety functions. 30/50 pressurized light water reactors), then these SSCs should be failure cannot be accepted because the conditional probability for allocated to the highest safety class (Class 1), and additional unacceptable consequences is 1 or close to 1 (e.g. the reactor requirements specified on a case by case basis. pressure vessel for light water reactors), then these SSCs should be allocated to the highest safety class, and additional requirements should be specified on a case by case basis. 3.28. Supporting SSCs should be assigned to the same class as New –SC meeting that of the frontline SSCs to be supported. The class of a supporting SSC can then be lowered according to the rules set out in para. 3.26. 3.36 An SSC may be allocated to more than one safety functional group. However, an SSC should be allocated to only one safety class which should be the higher one with more conservative requirements for the SSCs that have been identified. 3.29. If an SSC contributes to the performance of several plant specific safety functions of different categories, it should be assigned to the class corresponding to the highest safety category requiring the most conservative design rules. 3. 37 No account should be taken of whether a safety 3.30. In the classification of SSCs, no account should be taken of functional group contains active or passive SSCs, or a mixture whether the operation of the SSC is active or passive, or a of them, as this has neither effect on the safety category of the mixture. group nor on the safety class of the SSCs. 3.38 Any SSC or a part of that SSC whose failure could adversely affect a safety functional group in accomplishing its plant specific safety function, even though it is not part of it, should be classified in accordance with the safety category of that safety functional group. No lowering of classification should occur in this case. (23USA, CORDEL 10). 3.31. Any SSC that is not part of a safety functional group but (CAN 1, CORDEL 10) whose failure could adversely affect this safety functional group in accomplishing its plant specific safety function (if this cannot be precluded by design) should be classified in accordance with the safety category of that safety functional group. The SSC may be later be assigned to a lower safety class depending on the conditional probability of the consequential failure of the safety functional group. 3. 39 Where the safety class of connecting or interacting SSCs 3.32. Where the safety class of connecting or interacting SSCs is (48UK) is not the same (including safety classes to non safety SSCs), not the same (including cases where an SSC in a safety class is 31/50 the SSCs should be isolated by a safety classified device of the higher classification (e.g., optical isolators or automatic valves) from the effects of failures in the lower safety classification SSC. An exception is where the failure of the SSC with the lower safety class (including a potential common-cause failure of identical or redundant items) cannot prevent accomplishment of the safety functions of the SSC with the higher safety class. connected to an SSC not important to safety), interference between the SSCs should be prohibited by means of a device (e.g. an optical isolator or automatic valve) classified in the higher safety class, to ensure that there will be no effects of a failure of the SSC in the lower safety class. An exception may be made where there is no mechanism to propagate a failure from the lower safety class SSC to the higher safety class SSC (e.g. because of physical separation). See Requirement 60 of Ref. [1]. Deleted text 3.40 The safety classification process, which follows the steps deleted listed in paragraph 2.18, is presented in flowchart form in Appendix II. 3.33. By assigning each SSC to a safety class, a set of common engineering design rules can be identified that will ensure that the appropriate quality and reliability is achieved. Recommendations on assigning engineering design rules are provided in Section 4. VERIFICATION OF THE SAFETY CLASSIFICATION USING DETERMINISTIC AND PROBABILISTIC SAFETY ANALYSIS 3.41 The adequacy of the safety classification should be verified using deterministic safety analysis complemented, as appropriate, by insights from the PSA and supported by engineering judgement. The particular methods involved should depend on the design information available and regulations from the Member State. 17 VERIFICATION OF THE SAFETY CLASSIFICATION 3.34. The adequacy of the safety classification should be verified using deterministic safety analysis, which should cover all postulated initiating events and all aspects of the prevention of events that are credited in the concept for the design safety of the plant. This should be complemented, as appropriate, by insights from probabilistic safety assessment and should be supported by engineering judgement 17 . Consistency between safety classifications verified using of deterministic analyses and probabilistic analyses will provide confidence that the (12JPN & 7, 24, 25, 33, 34, & 35USA) (48, 49, & 50 FRA, 51, 7UK, ENISS gen5) Experts providing engineering judgement, including knowledgeable personnel of the operating organization of the plant, should have expertise in probabilistic safety assessment, safety analysis, plant operation, design engineering and systems engineering. 32/50 classification is correct. If there are deviations between the safety classifications resulting from probabilistic safety assessment and those from the deterministic calculations, then the more conservative safety classification (i.e. the higher safety class) should be used; however, the methods used will depend on the design information available and national regulations. 3.35. The safety classification process should be verified in order new to confirm that: a. A complete set of bounding postulated initiating events has been defined; b. A sufficient set of preventive plant specific safety functions has been provided to prevent system failures which could cause initiating events; c. An adequate set of mitigatory plant specific safety functions, including consideration of common cause interactions, is available to maintain the consequences of an event within acceptable limits. Deleted 3.42 Probabilistic methods should only be used when the PSA deleted has a level of detail adequate to support the classification process. (26 USA), 3.43 The process should confirm that a complete set of (see 3.36 below) postulated initiating events has been defined for the plant and a sufficient set of preventive plant specific safety functions has been provided to prevent the postulated initiating events from happening and, if they do occur, adequate mitigatory plant specific safety functions are available to maintain the fundamental safety functions as far as possible and keep any consequences below acceptable limits. It should, in addition, establish that the requirements for the safety functional groups are properly defined and that the SSCs that comprise them have adequate performance to provide the plant specific safety functions. 33/50 3.44 If there are deviations between the PSA results and the deterministic based safety classification of an item then the most conservative safety classification (higher safety class) should be used. Deleted 3.45 Safety analysis should confirm, using appropriately 3.36. Safety analysis should confirm that: conservative assumptions regarding SSC performance a) all the plant specific safety functions are performed characteristics, that the safety functional groups performing all by SSCs within safety functional groups; the plant specific safety functions and the SSCs allocated to the b) the SSCs in each safety functional group are group have the adequate design requirements and are assigned assigned to the correct safety class and the to the correct safety category/class and that the operational appropriate engineering design rules are applied; limits or other safety acceptance criteria which have to be c) the operational limits or other safety acceptance consistent with regulatory limits for each postulated initiating criteria for each postulated initiating event will be event have been met. met. Deleted 3.46 If the analysis shows that the operational limits and safety deleted acceptance criteria which have to be consistent with regulatory limits are not exceeded and that the reliability targets are met for all the postulated initiating events, the design is acceptable and the set of defined safety functions is complete. 3.47 Ideally, the final goal should be to obtain balance between deleted deterministic and probabilistic based safety classification as this will provide confidence that the classification is correct. In Annex II Fig. II-1 depicts how a balance between deterministic and probabilistic methods could be obtained. 34/50 Deleted DS 367 version. 5.1 DS 367 version 5..10 4 SELECTION OF APPLICABLE REQUIREMENTS FOR STRUCTURES, SYSTEMS AND COMPONENTS Comments 4. SELECTION OF APPLICABLE DESIGN RULES FOR STRUCTURES, SYSTEMS AND COMPONENTs 4.1. A complete set of engineering design rules should be new specified for each plant specific safety function. The SSCs in each safety functional group should possess all the design features necessary to achieve the appropriate capability, dependability and robustness. 4.1 Selection of applicable design requirements is intended to reflect the required quality commensurate with safety function of the SSC. Nationally adopted codes and standards should be applied for design requirements. 4.2. The engineering design rules selected should reflect the (54UK & 54FRA) required quality and should be assigned in accordance with the Nationally category of the safety function and the safety class of the SSC. The appropriate codes and standards, including nationally adopted international codes and standards, should be used for determining the engineering design rules for all types of SSCs. 4.2 Once SSCs are assigned to Safety Classes, design Included in 4.2 Included in 4.2 (52FRA, requirements can be assigned to them placing the “highest” 21SPA, 53UK) safety class and the most stringent requirements on SSCs where their failure causes the most severe consequences with the greatest likelihood of being called upon to operate. 4.3 The requirements for individual SSCs may be consistent deleted with the entire safety functional group(s) to which it belongs. Deleted 4.4 These requirements are related to the three characteristics of 4.3. Engineering design rules are related to the three capability, dependability and robustness. SSCs should be characteristics of capability, dependability and robustness: designed, constructed, qualified, operated, tested and maintained a) Capability is the ability of an SSC to perform its to: designated safety function as required, with (1) Perform its designated account taken of uncertainties; safety function as required, taking uncertainties into b) Dependability is the ability of an SSC within a account (capability), safety functional group to perform the required (3SPA) to perform its designated safety function. (14SAF & 28USA & 22SPA) 35/50 DS 367 version. 5.1 DS 367 version 5..10 (2) Ensure that failures within the safety functional group cannot degrade the ability of the group to perform its designated safety function (dependability), and (3) Ensure that no operational loads or loads caused by any associated postulated initiating events should be able to adversely affect the ability of the safety functional group to perform its designated safety function (robustness). Comments safety function with a sufficiently low failure rate; c) Robustness is the ability to ensure that no operational loads or loads caused by any associated postulated initiating events on an SSC in a safety functional group will adversely affect the ability of the safety functional group to perform its designated safety function. SSCs should be designed, constructed, qualified, operated, tested and maintained to ensure the proper capability, dependability and robustness. 4.5 The dependability and robustness of an SSC should be 4.4. The engineering design rules relating to dependability and (UK53) achieved within an acceptable range of probability of failure and robustness of an SSC may be adjusted in accordance with the its related consequences. probability of failure of the SSC and the associated consequences. 4.6 In Appendix III, Tables 2 and 3 provide examples of design requirements in terms of capability, dependability and robustness. Covered by 4.5 4.7 When defining the design requirements (e.g. redundancy, diversity, etc.) for safety functional groups, including interactions between information technology, instrumentation & control and other types of system, requirements from the appropriate codes and standards should be included. Deleted 4.8 In Appendix III, Table 4 provides examples of design 4.5. Annex II provides examples of engineering design rules for (5SAF) requirements for SSCs of different safety classes, depending on SSCs of different safety classes, depending on their preventive or their preventive or mitigatory safety functions. mitigatory safety functions. 4.9 The appropriate codes and standards should be used for 36/50 Deleted DS 367 version. 5.1 DS 367 version 5..10 Comments defining design requirements for all types of SSCs. 4.10 Fire protection and fire suppression requirements should be 4.6. Design rules relating to fire protection and fire suppression edited applied as outlined in Ref. [8] for the design of SSCs and as should be applied as outlined in Ref. [13] for the design of SSCs appropriate, for the maintenance of safety functions. and as appropriate, for the performance of safety functions. 4.11 The requirements for instrumentation & control and information technology equipment and software should be applied in accordance with the recommendations provided in Refs. [9] and [10]. 4.7. The design rules for instrumentation and control and edited information technology equipment and software should be applied in accordance with the recommendations provided in Refs [14] and [15]. 4.12 Quality assurance or management requirements for procurement, construction, inspection, installation, testing, surveillance, and modification of SSCs should be assigned based on their safety class as outlined in Refs. [11]. 4.8. Quality assurance or management system requirements for (30USA) (55UK) the design, qualification, procurement, construction, inspection, installation, testing, surveillance and modification of SSCs should be assigned on the basis of their safety class, in accordance with the requirements established in Ref. [16]. 4.13 The seismic classification of safety and non-safety class 4.9. The seismic categorization of safety related SSCs and SSCs edited SSCs should be in accordance with the recommendations not important to safety should be determined in accordance with provided in Ref.[7] . the recommendations provided in Ref. [17]. 4.14 Environmental qualification of SSCs should be determined by the conditions associated with normal operation and for postulated initiating events where the SSCs may be called on to operate. As a minimum, environmental qualification should include consideration of humidity, temperature, pressure, vibration, chemical effects, radiation, operating time, aging, submergence, synergistic effects, and electromagnetic interference, radio frequency interference and voltage surges, as applicable. 37/50 4.10. The environmental qualification of SSCs should be edited determined in accordance with the conditions associated with normal operation and for postulated initiating events where the SSCs may be called on to operate. At a minimum, environmental qualification should include consideration of humidity, temperature, pressure, vibration, chemical effects, radiation, operating time, ageing, submergence, electromagnetic interference, radio frequency interference and voltage surges, as applicable. Definition and review of postulated initiating events Identification of safety functions: preventive safety functions, aimed at preventing failures and abnormal operation mitigatory safety functions, aimed at controlling postulated initiating events and mitigating their consequences Categorization of safety functions Identification of SSCs or groups of SSCs to perform safety functions Assignment of SSCs to one of three safety classes Identification of design rules for classified SSCs FIG 1. Main steps in classifying SSCs. (new) 38/50 Table 2 Relationship between Safety Function Type and Safety Categories of Safety Safety Function Type Safety Functional Group defence in depth DiD Level Functional Groups (5.1) Severity level of consequence of failure of the safety functional group to perform its plant specific safety functions High Medium Low Preventive DiD level 1 Safety Category 1 Safety Category 2 Safety Category 3 AOO Mitigation DiD level 2 Safety Category 1 Safety Category 2 Safety Category 3 DiD level 3A Safety Category 1 Safety Category 2 Safety Category 3 DiD level 3B Safety Category 2 Safety Category 3 Safety Category 3 Safety Category 4 Safety Category 4 Safety Category 4 Safety Category 4 Accident Mitigation DiD level 4A DiD level 4B Radiological Release Mitigation Safety Category 4 18,19 Safety Category 4 Not safety categorized DiD level 5 Functions not included above Not safety categorized TABLE 3. RELATIONSHIP BETWEEN TYPE OF SAFETY FUNCTION AND SAFETY CATEGORIES FOR PLANT SPECIFIC SAFETY FUNCTIONS (5.10) Severity of the consequences of the failure of plant specific safety functions Type of safety function High Medium Low Preventive safety functions Safety category 1 Safety category 2 Safety category 3 Safety functions for mitigation of anticipated operational occurrences Safety category 1 Safety category 2 Safety category 3 Safety functions for mitigation of design basis accidents (level A) Safety category 1 Safety category 2 Safety category 3 Safety functions for mitigation of design basis accidents (level B) Safety category 2 Safety category 3 No safety category Safety functions for mitigation of consequences in design extension conditions Safety category 420 N/A21 N/A Other safety functions No safety category 18 SSCs in safety functional groups assigned to safety category 4 could have a safety class non nuclear-safety or specific requirements. 19 If sufficient analysis and understanding exists regarding an event phenomena and consequences, the safety category 3 can be assigned. 20 SSCs performing safety functions in safety category 4 could be assigned to safety class 3 or classified as not important to safety, with additional specific requirements to be applied. 21 These categories are not applicable because the consequences in a design extension condition have already exceeded the consequence levels of medium (for design basis accidents) and low (for anticipated operational occurrences). 39/50 Safety Category 1 Safety Functional Group (Highest Safety Category) SSCs assigned to Preliminary Safety Class 1 (Highest Safety Class) SSCs assigned to the Safety Class 1 (Highest Safety Class) Safety Category 2 Safety Functional Group SSCs assigned to Preliminary Safety Class 2 SSCs assigned to the Safety Class 2 Safety Category 3 Safety Functional Group SSCs assigned to Preliminary Safety Class 3 SSCs assigned to the Safety Class 3 Safety Category 4 Safety Functional Group SSCs assigned to Preliminary Safety Class 4 SSCs assigned to the Safety Class 4 Not Safety Classified SSCs Fig. 1. Assignment of SSCs to Safety Classes (ver 5.1) Preliminary assignment of SSCs to Safety Classes Final assignment of SSCs to Safety Classes Plant Specific Safety Function Category 1 (Highest Safety Category) SSCs (SFG - main & supporting SSCs) assigned to Preliminary Safety Class 1 (Highest Safety Class) SSCs assigned to the Safety Class 1 (Highest Safety Class) Plant Specific Safety Function Category 2 SSCs (SFG - main & supporting SSCs) assigned to Preliminary Safety Class 2 SSCs assigned to the Safety Class 2 Plant Specific Safety Function Category 3 SSCs (SFG - main & supporting SSCs) assigned to Preliminary Safety Class 3 SSCs assigned to the Safety Class 3 Plant Specific Safety Function Category 4 Not safety classified SSCs Not Safety Classified SSCs FIG. 2. Assignment of SSCs to safety classes (Modified 5.10) 40/50 APPENDIX I SAFETY FUNCTIONS IN RELATION TO THE CONCEPT OF DEFENCE IN DEPTH Challenges/mechanisms affecting the performance of the safety functions Provisions for Level 1 of Defence in Depth Objective: Prevention of abnormal operation and failure YES LEVEL 1 Normal operation Success NO Initiating vent Provisions for Level 2 of Defence in Depth Objective: Detection of failures and control of abnormal operation YES LEVEL 2 Observance of the acceptance criteria established for anticipated operational occurrences (return to normal operation) Success NO Design basis accidents LEVEL 3 Provisions for Level 3 of Defence in Depth YES Success Objective: Control of design basis accidents Observance of the acceptance criteria established for design basis accidents NO Design Extension Conditions LEVEL 4 Provisions for Level 4 of Defence in Depth Objective: Control of consequences in design extension conditions YES Limiting core damage and confinement preservation Success NO Significant Off-site Radioactive Release Provisions for Level 5 of Defence in Depth Objective: Mitigation of radiological consequences of significant releases of radioactive material LEVEL 5 Fig. 3 Logic flow diagram for the allocation of safety functions to levels of defence in depth, showing safety functions and success criteria. (modified) 41/50 APPENDIX II Relationship between Design and Safety Analysis processes and the safety Classification Process (new) Design and safety analysis processes Safety classification process Development of the basic objective for the design safety of the nuclear power plant Review of the applicable postulated initiating events and identification of bounding postulated initiating events Specification of parameters for normal operating conditions Review of failures of SSCs which could be caused by malfunctions, the effect of external and internal hazards or human induced events Grouping of postulated initiating events, Development/review of reactor type safety functions based on the fundamental safety functions for preventing or mitigating bounding postulated initiating events Decomposition of reactor type safety functions into plant specific safety functions (for preventing or mitigating each bounding postulated initiating event) at an adequate level of detail in order to allow the identification of the SSCs that are required for performing these safety functions Specification of acceptance criteria for plant specific safety functions Conduct of preliminary safety analysis Definition of safety functional groups (and the list of main and supporting SSCs) to fulfil plant specific safety functions Assignment of safety functions to bounding postulated initiating events • Review of reactor type safety functions (for preventing initiating events or mitigating each bounding postulated initiating event) • Decomposition of reactor type safety functions into plant specific safety functions (for preventing initiating events or mitigating each bounding postulated initiating event) Categorization of the plant specific safety functions(with consideration given to frequency, consequences of failure and time before the safety function is called upon, for the bounding postulated initiating events) Review of the safety functional groups (and the list of main and supporting SSCs) Assignment of main and supporting SSCs to safety classes (on the basis of the category of their associated plant specific safety function(s)) Conduct of final safety analysis • Assignment of functional requirements to the plant specific safety functions • Assignment of design rules to SSCs within each safety functional group Verification of safety classification 42/50 REFERENCES (NEW REFERENCES ARE YELLOW) [1] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. SSR-2/1, IAEA, Vienna (20xx).(in preparation). [2] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment for Facilities and Activities, IAEA Safety Standards Series No. GSR Part 4, IAEA, Vienna (2008). [3] EUROPEAN ATOMIC ENERGY COMMUNITY, FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ENERGY AGENCY, INTERNATIONAL LABOUR ATOMIC ORGANIZATION, INTERNATIONAL MARITIME ORGANIZATION, OECD NUCLEAR ENERGY AGENCY, PAN AMERICAN HEALTH ORGANIZATION, UNITED NATIONS ENVIRONMENT PROGRAMME, WORLD HEALTH ORGANIZATION, Fundamental Safety Principles, Main Safety Principles, Safety Fundamentals No. SF1, Vienna (2006). [4] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment and Verification for Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.2, IAEA, Vienna (2001). [5] INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996). [6] AMERICAN NUCLEAR SOCIETY, Safety and Pressure Integrity Classification Criteria for Light Water Reactors, ANSI/ANS-58.14, ANS, La Grange Park, Il (1993). [7] UNITED STATES REGULATORY COMMISSION, Guidelines for Categorizing Structures, Systems, and components in Nuclear Power plants According to their Safety Significance, USNRC, Washington DC (2006). [8] BRITISH ENERGY PLC, ELECTRICITÉ DE FRANCE, FORTUM, IBERDROLA, NRG, ROSENERGOATOM, SOGIN, SWISSNUCLEAR, TRACTEBEL, TVO, VATTENFALL, VGB POWERTECH, European Utility Requirements for LWR Nuclear Power Plants, Volumes 2.1 and 2.8, http://www.europeanutilityrequirements.org/ [9] INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Safety Glossary, Terminology Used in Nuclear Safety and Radiation Protection, IAEA, Vienna (2007). [10] INTERNATIONAL ATOMIC ENERGY AGENCY, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-3, IAEA, Vienna (2010). 43/50 [11] INTERNATIONAL ATOMIC ENERGY AGENCY, Deterministic Safety Analysis for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-2, IAEA, Vienna (2010). [12] INTERNATIONAL ATOMIC ENERGY AGENCY, Development and Application of Level 2 Probabilistic Safety Assessment for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-4, IAEA, Vienna (2010). [13] INTERNATIONAL ATOMIC ENERGY AGENCY, Protection against Internal Fires and Explosions in the Design of Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.7, IAEA, Vienna (2004). [14] INTERNATIONAL ATOMIC ENERGY AGENCY, Software For Computer Based Systems Important to Safety in Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.1, IAEA, Vienna (2000). [15] INTERNATIONAL ATOMIC ENERGY AGENCY, Instrumentation and Control Systems Important to Safety in Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.3, IAEA Vienna (2003). [16] INTERNATIONAL ATOMIC ENERGY AGENCY, The Management System for Facilities and Activities, IAEA Safety Standards Series No. GS-R-3, IAEA, Vienna (2006). [17] INTERNATIONAL ATOMIC ENERGY AGENCY, Seismic Design and Qualification for Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.6, IAEA, Vienna (2003). 44/50 ANNEX I REACTOR TYPE Safety Functions for Light Water Reactors TABLE I-1. EXAMPLE OF REACTOR TYPE SAFETY FUNCTIONS22 FOR BOILING WATER REACTORS AND PRESSURIZED WATER REACTORS (no DiD levels) Safety functions23 Preventive (1) to prevent unacceptable reactivity transients; F1 Mitigatory (2) to maintain the reactor in a safe shutdown condition after all shutdown F1 actions; F1 (3) to shut down the reactor as necessary to prevent anticipated F1 operational occurrences from leading to design basis accidents and to shut down the reactor to mitigate the consequences of design basis accidents; F1 (4) to maintain sufficient reactor coolant inventory for core cooling in and after accident conditions not involving the failure of the reactor coolant pressure boundary; F2 (5) to maintain sufficient reactor coolant inventory for core cooling in and after all postulated initiating events considered in the design basis; F2 (6) to remove heat from the core after a failure of the reactor coolant pressure boundary in order to limit fuel damage; F2 (7) to remove residual heat in appropriate operational states and accident F2 conditions with the reactor coolant pressure boundary intact; F2 (8) to transfer heat from other safety systems to the ultimate heat sink; F2 (9) to ensure necessary services (such as electrical, pneumatic, hydraulic F1, F2, F3 F1, F2, F3 power supplies, lubrication) as a support function for a safety system; supporting supporting (10) to maintain acceptable integrity of the cladding of the fuel in the F3 reactor core; F3 (11) to maintain the integrity of the reactor coolant pressure boundary; F2, F3 F 2, F3 (12) to limit the release of radioactive material from the reactor containment in accident conditions and conditions following an accident; F3 (13) to limit the radiation exposure of the public and site personnel in and following design basis accidents and selected severe accidents that release radioactive material from sources outside the reactor containment; F3 (14) to limit the discharge or release of radioactive waste and airborne F3 radioactive material to below prescribed limits in all operational states; (15) to maintain control of environmental conditions within the plant for the operation of safety systems and for habitability for personnel necessary to allow performance of operations important to safety; F1, F2, F3 supporting 22 This list of safety functions is taken from the annex of the IAEA Safety Requirements publication, Safety of Nuclear Power Plants: Design, published in 2000. The numbering (in brackets) of the safety functions listed in that annex has been retained for ease of identification. 23 The three fundamental safety functions are as follows: F1: control of reactivity; F2: removal of heat from the core; F3: confinement of radioactive material. 45/50 (16) to maintain control of radioactive releases from irradiated fuel F3 transported or stored outside the reactor coolant system, but within the site, in all operational states; (17) to remove decay heat from irradiated fuel stored outside the reactor coolant system, but within the site; F2 (18) to maintain sufficient subcriticality of fuel stored outside the reactor coolant system but within the site; F1 (19) to prevent the failure or limit the consequences of failure of a F1, F2, F3 F1, F2, F3 structure, system or component whose failure would cause the supporting supporting impairment of a safety function. 46/50 ANNEX II: EXAMPLES OF DESIGN RULES FOR SSCS TABLE II-1 EXAMPLE OF DESIGN RULES FOR CATEGORIES OF SAFETY FUNCTIONS (modified no DiD levels) SAFETY CATEGORY CAPABILITY DEPENDABILITY ROBUSTNESS Meet regulatory requirements for design basis accidents Withstand normal operation, anticipated operational occurrence and design basis accident conditions Meet regulatory requirements for anticipated operational occurrences and design basis accidents24 as required Withstand conditions due to normal operation and postulated initiating events to be mitigated Meet regulatory requirements for anticipated operational occurrences Withstand normal operation, and anticipated operational occurrence conditions Meet regulatory requirements for anticipated operational occurrences and design basis accidents1 as required Withstand conditions due to normal operation and postulated initiating events to be mitigated Safety Preventive Prevent deviation from Categorynormal operating limits 3 Mitigatory Achieve anticipated operational occurrence and design basis accident limits as appropriate Meet requirements for normal operation Withstand normal operation conditions Achieve regulatory requirements for normal operation, anticipated operational occurrences and design basis accidents 1 as required Withstand conditions due to normal operation and postulated initiating events to be mitigated Safety Mitigatory Achieve requirements for Categorydesign extension 4 conditions Achieve appropriate regulatory requirements Withstandconditions due to normal operation and postulated initiating events to be mitigated Safety Preventive Prevent deviation from Categorydesign basis accident 1 regulatory limits Mitigatory Achieve anticipated operational occurrence and design basis accident regulatory limits as appropriate Safety Preventive Prevent deviation from Categorynormal operation 2 regulatory limits. Mitigatory Achieve anticipated operational occurrence and design basis accident limits as appropriate 24 Regulatory requirements may be deterministically developed or probabilistically developed, and may include requirements such as a target dependability for a mitigation system determined by the national regulatory cut-off probability for a specific event category divided by the probability of occurrence of that specific initiating event. 47/50 TABLE II-II EXAMPLES OF DESIGN RULES FOR SSCS CHALLENGES (examples) CAPABILITY Failure to perform safety function adequately DEPENDABILITY Effect of : Single failure Common cause failure Errors in design, construction, maintenance and operation Failure of supporting systems ROBUSTNESS Effect of : Internal hazards External hazards Harsh and moderate environmental conditions Induced loads 48/50 DESIGN SOLUTIONS (examples) Appropriate code selection Conservative margins Material selection Design qualification Appropriate code selection Fail-safe design Reliability/availability Diversity Redundancy Independence Maintainability Testability Material selection Design qualification Appropriate code selection Fail-safe design Material selection Seismic and environmental qualification Diversity Separation Independence Maintainability Testability TABLE II-III. EXAMPLES OF DESIGN RULES AND CODES FOR SSCS BASED ON SAFETY CLASSES (MODIFIED) Preventive safety functions Design rules and codes Safety class 1 Nuclear grade Safety class 2 Nuclear grade Environmental qualification Harsh or mild25 Harsh or mild Pressure retaining components (example codes)26 High pressure : C1 Low pressure : C2 Electrical components (IEEE) Instrumentation and control (IEC 61226 category [III-4])27 Seismic qualification Quality assurance Mitigatory safety functions Safety class 3 Commercial grade or specific requirements Harsh or mild Safety class 1 Nuclear grade Safety class 2 Nuclear grade Safety Class 3 Commercial grade or specific requirements Harsh or mild Harsh or mild Harsh or mild High pressure : C2 Low pressure : C3 High pressure : C3 Low pressure : C4 High pressure: C2 Low pressure : C3 C3 C4 1E [II-3] 1E Non 1E 1E 1E Non 1E B or C B or C B or C A B C Seismic category 1 Seismic category 1 Specific requirements Seismic category 1 Seismic category 1 Specific requirements 25 Harsh or mild environmental conditions; SSCs need to be qualified for normal operation and for postulated initiating events, depending on the environmental conditions at their location in the plant. 26 C1 indicates quality level 1, for example level 1 of ASME III [II-1] or RCC-M [II-2] (e.g. reactor pressure boundary); C2 indicates quality level 2. for example level 2 of ASME III [II-1] or RCC-M [II-2] (e.g. emergency core cooling system); C3 indicates quality level 3, for example level 3 of ASME III [II-1] or RCC-M [II-2] (e.g. component cooling water system, essential service water system); C4 is a quality class comprising non nuclear grade pressure retaining components with special requirements (for example seismic design, quality requirements): components in class C4 can be designed in accordance with any pressure retaining component design code, with account taken of special requirements (e.g. for the fire system). 27 Category A denotes functions that play a principal role in the achievement or maintenance of plant safety to prevent design basis accidents from leading to unacceptable consequences. Category B denotes functions that play a complementary role to the category A functions in the achievement or maintenance of plant safety, particularly functions required to operate after the controlled state has been achieved, to prevent design basis accidents from leading to unacceptable consequences, or to mitigate the consequences of a design basis accident. Category C denotes functions that play an auxiliary or indirect role in the achievement or maintenance of plant safety. 49/50 REFERENCES TO ANNEX II (NEW) [II-1] AMERICAN SOCIETY OF MECHANICAL ENGINEERS, Boiler and Pressure Vessel Code, Section III: Rules of the Construction of Nuclear Facility Components, ASME, Fairfield NJ (2010). [II-2] FRENCH SOCIETY FOR DESIGN AND CONSTRUCTION RULES FOR NUCLEAR ISLAND COMPONENTS, Design and Conception Rules for Mechanical Components of PWR Nuclear Islands, RCCM, AFCEN, Paris (2008). [II-3] INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS, IEEE Standard for Qualifying Class 1E Electric Cables and Field Splices for Nuclear Power Generating Stations, IEEE (2004). [II-4] INTERNATIONAL ELECTROTECHNICAL COMMISSION, Nuclear Power Plants – Instrumentation and Control Important to Safety – Classification of Instrumentation and Control Functions, IEC 61226, IEC, Geneva (2009). 50/50
