B257.OL3 - 002 - Safety and Design - Rev01


Safety and Design Philosophy

OL3 EPR™ Advanced Course


TD: B257.OL3.002
Date: 10/2011

Confidential as defined in the Olkiluoto 3 Plant Contract. The reproduction, transmission or use of this document or its
contents is not permitted without express written authority. Offenders will be liable for damages. All rights, including
rights created by patent grant or registration of a utility model or design, are reserved by AREVA.
Learning Objectives
Name the main safety objectives and definitions of nuclear safety
Show the main safety “actors” and their responsibilities
Explain the regulatory requirements in France and in the U.S.
Explain the Defense-in-Depth principle
Explain the classification of safety functions
Describe the role of Probabilistic Safety Assessment in the design
Understand the importance of the Radiological Safety Objectives and the
Technical Acceptance Criteria
Recognize the solutions taken into account in the design for the
protection against internal and external hazards

2 Training Center AREVA NP GmbH Proprietary - CONFIDENTIAL


B257.OL3.002 – Safety and Design Philosophy 10/2011 © AREVA NP - All rights are reserved, see liability notice
Contents
Chapter 1: Introduction
Chapter 2: Safety Objectives
Chapter 3: Safety Regulations
Chapter 4: Fundamental Design Principles
Chapter 5: Safety During Design Stage
Chapter 6: The Role of Probabilistic Approach in Design
Chapter 7: Internal and External Hazards
Chapter 8: Safety During Operation

Chapter 1

Introduction
Nuclear Power Plants in the World

[Figure: world map of nuclear power plants by country, status 12/2008. Totals: 438 in operation, 44 under construction, 139 projected. Legend: building 1st plants; building new plants; considering 1st plants; considering new plants; stable; considering decommissioning; all plants decommissioned; no commercial reactors; nuclear free area. [1]]

Nuclear Processes in Pressurized Water Reactors

Nuclear Fission U-235 (nth, f)
• Dual Fission: 99.8 % → 2 Fission Products
• Ternary Fission: 0.2 % → 3 Fission Products

Conversion of Nuclei into other Elements
• U-238 → U-239 → Pu-239 → Pu-240 → Pu-241 → Pu-242
• Pu-241 → Am-241 → Cm-242; Pu-242 → Am-243 → Cm-244
• In the coolant: B-10 → Li-7 → H-3 → O-16 → N-16
(Slide callout: high spontaneous fission rate)

Activation of Nuclides into other Isotopes
E.g.: Cr-51, Mn-56, Fe-59, Co-58, Co-60, Mo-99
Frequency Distribution of Fission Products
[Figure: fission product yield of U-235 (logarithmic axis, 10 down to 10^-5) versus atomic mass A (60 to 170, from 30Zn to 65Tb), with Sr-90, Cs-137, Xe-135, Te-132, I-129 and 117 (In, Sn) marked; 260 fission nuclides, ≈ 1000 radionuclides.]

Travelling range λ of Fission Fragments in an UO2 matrix
[Figure: fission fragments FP1 (Z1e+) and FP2 (Z2e+) in a fuel pellet (8.19 mm) with clad (0.57 mm); ranges of 7-11 µm, 6-10 µm and 4-5 µm marked.]
Radionuclide Groups for EPR™ Level 2 PSA

| Group Number | Fission Product Compounds after Release | Initial Mass in Core + O2 [kg] | Classification |
|---|---|---|---|
| 1 | Xe + Kr | 818 | Volatile |
| 2 | CsI + RbI (I combines with alkali) | 63 | Volatile |
| 3 | TeO2 (directly formed in core) | 84 | Volatile |
| 4 | SrO (ex-vessel oxid) | 170 | Non-Volatile |
| 5 | MoO2 (during concrete attack) | 648 | Non-Volatile |
| 6 | CsOH + RbOH | 510 | Volatile |
| 7 | BaO | 237 | Non-Volatile |
| 8 | La2O3 + Pr2O3 + Nd2O3 + Sm2O3 + Y2O3 | 1249 | Non-Volatile |
| 9 | CeO2 | 513 | Non-Volatile |
| 10 | Sb | 2.3 | Non-Volatile |
| 11 | Te2 (ex-vessel, does not oxidize) | 67 | Volatile |
| 12 | UO2 + NpO2 + PuO2 | 148057 | Non-Volatile |
| 13 | Structural materials | 4864 | Volatile |

Fission product inventory based on a 24 month fuel cycle with e_avg(U-235) = 4.65 %
Radiation Doses and Dose Limits

| Natural Background Radiation | Effective Dose [mSv/y] |
|---|---|
| Cosmic Radiation (at sea level) | 0.3 |
| Terrestrial Radiation (U-238, Rn-222, K-40, C-14) | 2.1 |
| Sum (worldwide average) | 2.4 |

| Artificial Radiation Sources | Effective Dose [mSv/y] |
|---|---|
| Medical treatment, NPPs, weapon tests, etc. | 2.0 |

| International Dose Limits | Effective Dose [mSv] |
|---|---|
| Annual limit for Individual Members of the Public | 1* |
| Annual limit for radiation exposed persons | 20* |
| Threshold dose for acute radiation injury | 250 |
| Acute radiation sickness** | ≥ 1000 |
| Human Lethal Dose** LD50/60 (within 60 days) | ≈ 4500 |

* European Guideline 96/29/EURATOM
** whole body single dose
Chapter 2

Safety Objectives
General Safety Objective

General Nuclear Safety Objective:


Ensuring that radioactivity does not cause radiation hazards
• which could endanger the safety of workers or population
• do harm to the environment or property

Radiological targets for Design Basis Accidents:
• Effective dose < 50 mSv
• Organ dose < 150 mSv

There shall be no necessity of protective measures for people living in the vicinity of the plant (no evacuation, no sheltering)!

Complementary
Safety Objectives
The General Nuclear Safety Objective is supported by
two complementary Safety Objectives:
Radiation Protection Objective
Ensuring that radiation exposure for all operational states
• is kept below prescribed limits and
• As Low As Reasonably Achievable → ALARA Concept
Ensuring mitigation of the radiological consequences of any accidents

Technical Safety Objective


Preventing accidents in nuclear installations
Mitigating the consequences of any accidents that do occur
Ensuring that the probability of accidents with
serious radiological consequences is extremely low.

Conditions for Nuclear Safety

SAFETY depends on reliability of equipment
• Probability of equipment failure leading to an accident is as low as possible
• If failure should occur, other equipment or system should be able to mitigate the consequences of the accident
[Figure: LOCA, Safety Injection System (SIS)]

SAFETY depends on the actions of people
• Training
• Safety culture → strict adherence

SAFETY depends on efficient organization of work
• Quality management
• Adherence to procedures and regulations
• Questioning attitude

Achieving the Safety Objectives

Safety Objectives require that nuclear installations are designed and operated so as to keep all sources of radiation exposure under strict technical and administrative control.

Regulatory and supervisory activities → leading to

Technical solutions as result of:
• Design
• Erection and construction
• Commissioning
• Operation
• Maintenance and decommissioning activities

Organization structures and related human behavior

Safety Culture of individuals as well as organizations
Safety Culture – INSAG-4
Safety culture is that assembly of characteristics and attitudes
in organizations and individuals which establishes that, as an overriding
priority, Nuclear Plant Safety Issues receive the attention warranted by
their significance.

Safety involves many elements:
• Individual awareness of the importance of safety.
• Knowledge and competence, conferred by training and instruction of personnel and by their self-education.
• Commitment, requiring demonstration at senior management level of the high priority of safety and adoption by individuals of the common goal of safety.
• Motivation, through leadership, the setting of objectives and systems of rewards and sanctions, and through individuals' self-generated attitudes.
• Supervision, including audit and review practices, with readiness to respond to individuals' questioning attitudes.
• Responsibility, through formal assignment and description of duties and their understanding by individuals.

The Main Actors Responsible for Nuclear Safety
[Figure: International Organizations; State; Safety Authorities; Designers, Manufacturers, Constructors; Operating Organization; shown against the plant life phases D, E+C, C, O, DC]

D = Design
E+C = Erection + Construction
C = Commissioning
O = Operation
DC = Decommissioning
Responsibilities of the Safety Authority

The Safety Authority (regulatory body) may vary from country to country.

It always has the statutory authority, competence and resources to:
• set safety standards
• license and inspect installations
• set, monitor and enforce licence conditions
• ensure that corrective actions are taken wherever unsafe or potentially unsafe conditions are detected
None of these functions should be interpreted as reducing or relieving the
operating organization of the responsibility for safety
The regulatory body shall be effectively independent of the organization
charged with promotion or utilisation of nuclear energy
No other responsibility shall influence or conflict with its responsibility for
safety

Responsibilities of the Operating Organization

The prime responsibility for the safety of the installation normally is assigned to the operating organization.
It is responsible for:
• Specifying its safety criteria (but often set forth by the Safety Authority)
• Assuring that the design, construction and operation of the installation meet the relevant safety standards
• Establishment of procedures and arrangements to ensure the safe control of the installation under all conditions
• Establishment and maintenance of a competent fully trained staff
• Control of fissile and radioactive materials utilized or generated
It 'owns' the plant operating licence
There is a clear separation of responsibilities between
the regulatory body and the operating organization.
It cannot delegate the prime responsibility for safety!!!

Responsibilities of Other Bodies
Other bodies may have professional or legal responsibilities that are significant to safety:
• Designers
• Manufacturers
• Constructors

Such bodies are also required to meet:
• quality standards
• and specifications.

Chapter 3

Safety Regulations and Regulatory Bodies
Implementation of Safety Standards

Safety Standards are defined internationally and nationally by country as a guidance for achieving the Nuclear Safety Objectives.

Implementation of Safety Standards in a framework of laws, ordinances, regulations, guidelines or recommendations, depending on treated subject, is issued by:
• Legislation (laws, acts, decrees, supporting regulations)
• Safety Authorities
• Expert organizations (INSAG: International Nuclear Safety Advisory Group)
  - independent from plant operators and suppliers
• Operator organizations (WANO, INPO, VGB,…)
  • WANO: World Association of Nuclear Operators (4 regional centres)
  • INPO: Institute of Nuclear Power Operation (Atlanta, USA)
  • VGB: Association of Large Power Plant Operating Companies (Essen, Germany)

Standards related to Nuclear Safety: International
Standards
International Atomic Energy Agency (IAEA) issues 2 series of safety-related publications
• Safety Standards Series: a basis for national regulations
• Safety Reports Series: provides information on ways of ensuring safety

Technical Standards:
International Organization for Standardization (ISO)
Institute of Electrical and Electronics Engineers (IEEE)
American Society of Mechanical Engineers (ASME)
German Nuclear Safety Standards Commission
(Kerntechnischer Ausschuss, KTA)
DIN Deutsches Institut für Normung e.V.
Association Française pour les règles de conception et de
construction des matériels des Chaudières Électro Nucléaires
Association Française de Normalisation (AFNOR), France

Licences
Requirement for the Construction of a Nuclear Power Plant:
• Decision in principle (often taken by government or parliament)
• A Construction Licence

Requirement for the Operation of the Nuclear Power Plant:
• An Operating Licence

The licensee (= operating organization) is responsible for safe operation of the plant.
The licensee is obliged to demonstrate that safety principles are met.
Meeting the safety principles is demonstrated in the → Safety Analysis Report

The Safety Analysis Report (SAR)

The SAR describes and justifies to the Safety Authority
• provisions adopted at each stage in the life of the installation to comply with the regulations and guarantee nuclear safety in: D, E+C, C, O, DC
  (D = Design, E+C = Erection + Construction, C = Commissioning, O = Operation, DC = Decommissioning)

The SAR analyzes Design Basis Events
• the automatic actions of the design,
• combined with operator actions (as directed by Emergency Operating Procedures)
• and verifies the safe mitigation of those events

The SAR often is issued as:
• Preliminary Safety Analysis Report (PSAR)
  → as a basis for granting a construction license
• Final Safety Analysis Report (FSAR) (U.S. only FSAR)
  → as a basis for granting an operation license
PSAR and FSAR
Data on the structures, systems and components of a new Nuclear Power Plant are submitted to the licensing (safety) authority:

The Preliminary Safety Analysis Report (PSAR) often describes:
• Design bases of a system, or a system entity
• Technical basic solutions and placement at the plant
• All safety functions
• The plant’s main processes
• Evaluation of plant operation during transients and accidents

The Final Safety Analysis Report (FSAR) often presents in detail:
• System-specific technical solutions
• The designed operating ranges of systems
• The necessary measurements and controls
• System analyses, etc.

Designer (Supplier) Contribution to SAR

The operating organization (often also the owner) is responsible for the safety and quality of its installations
• thus is responsible for SAR and associated licensing

However, the designer is in charge of SAR chapters within its scope of supply, mainly of*
• The Nuclear Steam Supply System (NSSS) and
• Accident Analyses

The designer also supports the operating organization during the licensing process, e.g. participates in meetings with the safety authority

Chapter 4

Fundamental Design Principles


The Three Fundamental Safety Functions (1/2)

Nuclear Reactor Safety requires that 3 Safety Functions should be fulfilled at all times:
• Control Reactivity: to avoid Power Excursions (no local overheating)
• Remove Nuclear Heat: to assure Fuel Cooling (1. at power, 2. at shutdown)
• Confine Radioactive Materials: to avoid Radioactivity Release to environment

The Three Fundamental
Safety Functions (2/2)
Safety functions for the control of reactivity:
• provide for normal reactivity control within safe limits;
• prevent unacceptable reactivity transients;
• shut down the reactor as necessary to prevent anticipated operational occurrences from leading to design basis accident conditions;
• shut down the reactor to mitigate the consequences of accident conditions;
• maintain the reactor in a safe shutdown condition after all shutdown actions.

Safety functions for the removal of heat from the core:
• remove heat from the core during power operations;
• remove residual heat in appropriate operational states and design basis accident conditions with the reactor coolant boundary intact;
• maintain sufficient coolant inventory for core cooling in normal operational states and following any PIEs;
• remove heat from the core after a failure of the reactor coolant pressure boundary in order to limit fuel damage;
• transfer heat to the ultimate heat sink from intermediate heat sinks used in removing heat from the core.

Safety functions for the confinement of radioactive materials and control of operational discharges as well as limitation of accidental releases:
• maintain the integrity of the cladding for the fuel in the reactor core;
• maintain the integrity of the reactor coolant pressure boundary; and
• limit the release of radioactive materials and minimize the exposure of the public and personnel to radiation.

Example:
Total Decay Heat Related to 4500 MWth

UO2 Fuel Management
• 18M Equilibrium Cycle
• 241 fuel assemblies (527.5 kg U or U-Pu).
• UO2 fuel with 5 % enrichment of U235

MOX Fuel Management
• 18M Equilibrium Cycle
• 68 MOX Fuel Assemblies
• Characteristics of MOX:
  • U235 content: 0.2 %
  • Avg. Pu content: 11.3 %
  • Fissile Pu: 7.0 %

[Figure annotation: 1.2 % ~ 54 MWth]

Fundamental Safety Principles

To achieve the 3 Safety Functions at any time the design of a Nuclear Power Plant relies upon two main Safety Principles:

The 3 Protective Barriers
1. Using Leak Tight Barriers between
   • radioactive products and environment

The Defence in Depth Concept
2. providing a series of levels of defence (inherent features, equipment and procedures) for
   • preventing accidents
   • ensuring appropriate protection if prevention fails

The Three Protective Barriers

[Figure: reactor coolant system (core, RPV, control rod drives, reactor coolant pump, pressurizer, steam generator) with the barriers numbered: 1 Fuel Cladding, 2 Reactor Coolant Boundary, 3 Reactor Containment]

First Barrier: Nuclear Fuel enclosed within a Zircaloy cladding
Second Barrier: Reactor Coolant System within a metal enclosure
Third Barrier: Double concrete shell: inner wall covered with metal liner

Each barrier acting independently!


Component Values of Protective Barriers

| No. | Protective Barrier | Component | Wall Thickness Data [mm] |
|---|---|---|---|
| 1 | Fuel Cladding | | 0.57 |
| 2 | Reactor Coolant Boundary | Reactor Pressure Vessel (body) | 250 |
| | | RPV Closure Head | 230 |
| | | Pressurizer Shell | 140 |
| | | Reactor Coolant Lines | 76 |
| | | Surge Line | 40.5 |
| | | Steam Generator U-Tubes | 1.09 |
| 3 | Reactor Containment | Inner and outer Concrete Shell | 1800 |
| | | Basemat | 3000 |
| | | Steel Liner | 6 |

The resistance and leak tightness of just one of these Barriers is sufficient to contain the radioactive products.
Defense in Depth Concept

The Concept of „Defense in Depth“ involves:
Ensuring the resistance of the 3 Protective Barriers by
• Identifying the threats of their integrity
• Providing successive Lines of Defense
• Guarantee high effectiveness
[Figure labels: Prevention, Prediction, Detection, Response]

Originally it had three Levels of Defense.
After the Three Mile Island accident (1979), the Defense in Depth has been extended to a 4th and 5th Level
→ accounting for Severe Accidents
[Figure: TMI-2, 1 third core melt]
Levels of Defence

| LEVEL | GOAL | PLANT STATE | REQUIREMENTS |
|---|---|---|---|
| 1 | Prevention | Abnormal Operation; System Failures | High quality Design, Construction and Operation |
| 2 | Control; Prevention | Abnormal Operation; Accidental Conditions | Detection of anomalies; Protection measures |
| 3 | Control; Prevention | Accident; Core Melt Down | Anticipate DB Accidents; Redundant Safety Systems |
| 4 | Control; Prevention; Mitigation | Severe Conditions; Accident Progression; Severe Consequences | Dedicated Measures; Anticipate consequences; Corium stabilization |
| 5 | Mitigation | Radiological Consequences | Limited Offsite Measures in time and space |

Legend: Original 3 Levels of Defense; Extended 2 Levels after TMI-2
According to IAEA document INSAG-10
Chapter 5

Safety During Design Stage


Deterministic Approach
Buildings, Systems and Equipment are engineered for the events taken into account in the Deterministic Approach:

• Deterministic Design Methods
  Components or Systems are designed to fulfill a physical function as planned and as technically appropriate

• Deterministic Acceptance Criteria
  Likelihood of initiating events and severity of their consequences

• Deterministic Safety Analysis (transient calculations)
  on the basis of given assumptions and acceptance criteria whether the required safety level can be assured or not

Implementation of the Deterministic Safety Approach

The Deterministic Approach is based on the need to control normal and abnormal events.

Anticipated Operating Conditions (AOC)
• The more probable an AOC is, the less severe the consequences should be
• Four categories were (originally) considered for internal events
• Not all possible accidents have the same probability of occurring
• Not all possible accidents have the same consequences

List of common industrial risks
• Internal hazards
• External hazards
Postulated Initiating Events
• A number of Postulated Initiating Events (PIEs) are selected and analysed in the SAR based on their potential threat to the fulfilment of the 3 Fundamental Safety Functions.

Design Bases Condition (DBC) → Determ. + Prob. Approach
• DBC-1: Transients related to normal operation (Reactor States A to F)
• DBC-2: Anticipated operational occurrences
• DBC-3: Infrequent accidents
• DBC-4: Limiting accidents

Design Extension Condition (DEC) → Probabilistic Approach
• DEC-A: Reduction of risk and prevention of core meltdown
• DEC-B: Reduction of risk and control of core meltdown

Internal and External Hazards → Determ. and Load Case Approach

Definition of Reactor States

Controlled State = The end of the fast transient period
• Core → sub-critical,
• Core inventory → stable,
• Radioactivity releases → below acceptable limits,
• Core power → adequately removed (e.g. an open cooling chain such as SG and the EFW system).

Safe Shutdown State = Core heat removal is durably ensured
• Core → sub-critical,
• Core inventory → stable,
• Radioactivity releases → maintained within the limits of the corresponding DBC event
• Core power → removed durably (e.g. residual heat removed by the SIS/RHRS).

| State | Plant Operation | RCS Coolant Level | RCS Pressure [bar] | RCS Avg. Temp. [°C] |
|---|---|---|---|---|
| A | Normal Power Operation | Full | 155 to 135 | 312.6 to 303.3 |
| B | Normal Shutdown with SGs | Full | 135 to 30 | 303.3 to 120 |
| C | Intermediate Shutdown with RHRS | Full | 30 to 1 | 120 to 55 |
| D | Reactor at Cold Shutdown | Mid-loop | 1 | 55 to 15 |
| E | Refueling Shutdown | Cavity Flooded | 1 | 55 to 15 |
| F | Reactor Completely Unloaded | Cavity Flooded | 1 | Not applicable |

Safety Analysis Rules

Only SC2&SC3 systems can be used for the safety demonstration.
• non safety classified equipment can be considered (limited exceptions).

The most penalizing aggravating failure must be taken into account. In particular:
• A stuck rod as possible aggravating failure for reference transients, incidents and accidents (no superposition with another aggravating failure);
• The failure to close of a main steam relief valve as a possible aggravating failure for reference transients (ex: homogeneous dilution and rod cluster control assembly withdrawal);

Preventive maintenance must be combined with the implementation of the most penalizing aggravating failure;

Manual action from the main control room at the earliest 30 minutes after the first significant information is given to the operator.
Local manual action, outside the main control room, at the earliest time, 1 hour.

Loss of off site power at the most penalizing time superimposed with the reference transients, incidents and accidents (except those initiated by human action)
• Only seismic classified equipment can be used for the safety demonstration.
• The technical decoupling criteria to be complied with are similar to those of the reference accidents.

General Acceptance Criteria for DBC

Technical decoupling criteria:
• For reference transients (DBC 2)
  • The integrity of the fuel cladding has to be maintained.
    - define a limit for the departure from nucleate boiling ratio (DNBR)
    - a criterion concerning pellet-cladding interaction (PCI).
• For the surge line break in reactor state A (DBC 4),
  • The peak cladding temperature < 1200°C,
  • The maximum cladding oxidation < 17 % of the cladding thickness,
  • The maximum hydrogen generation < 1 % of the amount that would be generated if all the active part of the cladding were to react.
  • Prevent long duration of deteriorated core cooling conditions (could lead to extended fuel damage).

Other decoupling technical criteria:
• the maximum energy release inside the fuel during fast transients (ex: rod cluster control assembly ejection - DBC 4),
• the long term coolability of the reactor core after a LOCA,
• the maximum numbers of fuel rods which could experience departure from nucleate boiling in DBC 3 and 4
• the maximum peak cladding temperature for fast transients to avoid cladding embrittlement,
• the maximum fuel melting in DBC 3 and 4.

Offsite Radiological Impact of Accidents

Operating conditions, compliance with the following principles, and site boundary doses [mSv]:

For design basis accidents (DBC 3 and 4)
► No short term countermeasures (shelters, evacuation, distribution of iodine tablets).
► No need for long-term rehousing.
► Food restrictions limited to the immediate vicinity of the affected site, i.e. within 2 km.
Site boundary doses [mSv]: Whole body < 10, Thyroid gland < 100

For complex sequences (DEC-A)
► The same acceptance criteria of DBC 4 are met.
Site boundary doses [mSv]: Whole body < 10, Thyroid gland < 100

For severe accidents (DEC-B)
► No need for countermeasures over the first 24 hours, i.e. effective dose < 500 mSv,
► Short term countermeasures (shelters, evacuation) are required only in the immediate vicinity of the site, i.e. within 2 km, under the 50 - 500 mSv criterion,
► No long term rehousing necessary, except for the population residing in the immediate vicinity (within 2 km) of the site, under the 5-15 mSv per month criterion,
► Restricted consumption applies only to the first harvest following the event

Design Basis Condition

| DBC-1 | DBC-2* | DBC-3* | DBC-4* |
|---|---|---|---|
| Change (+/-) in RCS-Temp. | Turbine Trip | Small MS or FW piping failure | LOOP > 2 h (C) |
| Step load changes | Short LOOP < 2h | LOOP > 2 h (A) | SL Break (A,B) |
| Ramp load changes | Loss MFW + ST/SD | SB-LOCA ≤ DN50 | FWL Break (A,B) |
| Load reduction | Loss of 1 RCP | SGTR 1A (A) | LB-LOCA to SL |
| Loss of grid, Aux. Sys. available | Uncontr. RCCA bank withdrawal (A) | FA loading in an improper position | RCP shaft break |
| LMFW, ST/SD Sys. available | CVCS malfunction with decrease of CB | Forced decrease of the coolant flow (4 RCP) | SGTR 2A (A) |
| Partial Reactor Trip | Loss of 1 train SIS/RHR (C,D) | Uncontr. RCCA withdrawal (B,C,D) | Fuel handling accident |

*Selection

RCS: Reactor Coolant System
RCCA: Rod Cluster Control Assembly
LMFW: Loss of Main Feedwater
CVCS: Chemical and Volume Control System
ST/SD: Start-up and Shutdown
SGTR: Steam Generator Tube Rupture
RT: Reactor Trip
LOOP: Loss of Offsite Power
RCP: Reactor Coolant Pump
LOCA: Loss of Coolant Accident
Transient Calculations
The Transient Analysis is made with conservative hypotheses:
▪ In the choice of the initial conditions
▪ In the choice of the mitigating systems and equipment
▪ In the definition of their performance
▪ The single failure application

[Figure: I&C. Operational Transients → Limitation Functions; Accidental Transients → Protective Functions. Deterministic Safety Analysis utilizes Transient Calculations. Illustration: RCL LOCA Break.]

Requirements for Category 1
Operating Conditions
It is the first level of the Defense in Depth:
An outstanding quality design to avoid any failure!

When operating the plant under Normal Operating Conditions:

▪ All equipment is used below its Design Pressure and Temperature
▪ All procedures and control systems are defined to maintain the plant within its design limits
▪ Protection System and Safeguard Systems are not actuated

Pressure p: p(design) = 176 bar, p(operation) = 155 bar
Temperature T: T(design) = 351 °C, T(RPV outlet) = 330 °C

Conclusion

Safety = Leaktight Barriers + Defense in Depth

Chapter 6

The Role of Probabilistic Approach in Design

Introduction of Probabilistic Approach in Plant Design

All the American and French plants that are operating now were designed and licensed exclusively with a Deterministic Approach.

The Deterministic Approach is complemented in the evaluation of the Safety Level by the Probabilistic Approach.

[Figure: DETERMINISTIC DOMAIN and PROBABILISTIC DOMAIN around the NPP. Labels: Regulations, Codes, Specifications; CONCEPTION, MODIFICATION, JUSTIFICATION, EVALUATION; Probability, Risk, Criteria, Consequences]

Probabilistic Safety Assessment
The Probabilistic Safety Assessment (PSA) quantifies the probability of a specified risk.

▪ List all Abnormal Events (probabilities) that can lead to this risk
▪ Analyze the automatic responses of the Reactor + the operator actions required to mitigate the consequences
▪ Quantify the risks from the initiators' probabilities, the systems' reliabilities and human error assessments

The PSA will have to be presented for the licensing of new plants.

IAEA recommendations for future plants are:

▪ Probability of core damage frequency < 10⁻⁵ per year per reactor!
▪ Practical elimination of accident sequences leading to large radioactivity release! (large release frequency < 10⁻⁶)

Definition of PSA Phases
The objective of PSA is to identify the more probable risks associated
with a plant in order to act on them to improve the global plant safety.

Level 1 PSA: RISK of Core Damage
Level 2 PSA: RISK of Radioactive Release out of the Reactor Building
Level 3 PSA: RISK on the Population living outside the Plant Perimeter

[Figure: TMI-2, 1 Third Core Melt]

Application of PSA Level 1 During EPR™ Design (2/2)

The PSA level 1 is used from the beginning of the EPR™ design in order to support and to optimize the design of Systems and of the Process.

▪ General Objectives:
  • Assessment of core damage frequency
  • Verification of the well-balanced design
  • Give assistance to plant designers
  • To justify the preventive maintenance schedule

Probabilistic Safety Objectives ([r.y.]: per reactor-year):
► Total core damage frequency < 10⁻⁵/r.y.
► Cumulative Frequency of Radioactive release outside the containment boundary < 10⁻⁷/r.y.

Design Extension Conditions
DEC-A (Complex Sequences)*:
▪ ATWS through Control Rods failure
▪ ATWS through PS failure
▪ Station Blackout (SBO) state (A)
▪ Total Loss of FW: LMFW + ST/SD + 4 EFWS
▪ SB-LOCA < DN50 failure of MHSI (A)
▪ SB-LOCA < DN50 failure of LHSI (A)
▪ Total Loss of CCWS or LUHS 100 h
▪ Non CVCS homogeneous dilution (C)
▪ 2A-SGTR with stuck open MSRV

DEC-B (Severe Accidents):
▪ High Pressure Core Melt and DCH
▪ Rapid Reactivity Insertion
▪ Hydrogen Detonation
▪ Steam Explosion w. risk CONT seal loss
▪ Core Melt Sequences with CONT bypass
▪ Fuel Melt in Spent Fuel Pool

Core Melt Accidents with Large Early Release → „practically eliminated“ under EPR design.

The DEC-A was introduced to define a limited number of additional measures to reach the overall probabilistic targets.

ATWS: Anticipated Transient without Scram
CCWS: Component Cooling Water System
LUHS: Loss of Ultimate Heat Sink
MSRV: Main Steam Relief Valve
DCH: Direct Containment Heating
Level 1 PSA
▪ Results of Level 1 PSA:
► For all reactor States: power states to shutdown states
► For all initiating events
  ♦ Internal events
  ♦ Internal hazards
  ♦ External hazards
► Preventive Maintenance included
► Functional dependencies are taken in account (I&C, Electrical Power Supply, Cooling)
► Human Reliability Analysis (Pre and Post-Accident)
► Reliability data fully referenced

Results for STD EPR™:
Overall Core Damage Frequency CDF = 9.1 × 10⁻⁷/r.y. ([r.y.]: reactor-year)

[Figure: CDF split between Power States and Shutdown States; values shown: 6.2 · 10⁻⁸ and 8.5 · 10⁻⁷]

EPR™ Design Improvements Derived from Level 1 PSA

CHRS: Improved redundancy and reliability of the cooling system of the Containment Heat Removal System (EVU) by providing two diversified cooling chains from the Component Cooling Water (RRI) and Essential Service Water (SEC) Systems. Each is dedicated to the cooling of the associated CHRS (EVU) train.

LOCA: Safety Injection System SIS: confirmation that automatic actuation is necessary during all plant operating states

FPCS: Addition of a third fuel pool cooling train cooled by the CHRS (EVU) cooling chain and independent from the Component Cooling Water (RRI) System.

LOOP: Implementation of 2 Small Diesel Generators used in case of SBO, i.e. loss of 4 emergency diesel generators

MFW: Reduction of the frequency of the Loss of Main Feedwater event by the addition of a fourth main feedwater pump and the Startup and Shutdown System.

Level 2 PSA
Scope and Methodology

Main objective:
▪ Assess containment response to potential loads
▪ Assess characteristics of radiological releases accompanying severe core damage accidents.
▪ The results of the PSA Level 2 are expressed in:
  • terms of containment release categories,
  • their associated frequencies per reactor and per year,
  • source terms associated with the identified containment release categories.

Input: The results of the Level 1 PSA in terms of Plant Damage States (PDS) frequencies
▪ The PDSs provide the interface between the Level 1 and the Level 2 parts of the PSA.
▪ They define the initial and boundary conditions for the Level 2.

Methodology
1. Developing the interface between the Level 1 and 2 PSA,
2. Identifying physical phenomena important to containment integrity that could occur in the course of severe accidents
3. Developing Containment Event Trees (CET) and quantifying accident progression event trees (APETs)
4. Defining Plant release categories (RC)
5. Estimating radiological accident source terms
6. Conducting a sensitivity analysis.
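
The quantification chain described on the PSA slides (initiator frequencies, system reliabilities and human error feeding Level 1, then Plant Damage State frequencies feeding the Level 2 containment event tree), as an added example that is not part of the original course material. All frequencies and probabilities, and the names PDS-HP, PDS-LP and RC-*, are constructed for illustration; branches are assumed independent, which a real PSA with functional dependencies does not assume.

```python
import math
from collections import defaultdict

CDF_TARGET = 1e-5       # slide: total core damage frequency < 10^-5 / r.y.
RELEASE_TARGET = 1e-7   # slide: cumulative release frequency < 10^-7 / r.y.

# Constructed Level 1 model: initiator -> (frequency per r.y., core-damage sequences).
# Each sequence is (branch failure probabilities, plant damage state it ends in);
# the branches stand for system unreliabilities and human error probabilities.
LEVEL1_MODEL = {
    "LOOP":    (5e-2, [((1e-3, 2e-2, 1e-1), "PDS-HP"), ((1e-3, 5e-4), "PDS-LP")]),
    "SB-LOCA": (1e-3, [((1e-4, 1e-2), "PDS-LP")]),
    "LMFW":    (1e-1, [((1e-5, 5e-2), "PDS-HP")]),
}

# Constructed containment event tree: P(release category | plant damage state).
CET = {
    "PDS-HP": {"RC-intact": 0.98, "RC-late-failure": 0.019, "RC-bypass": 0.001},
    "PDS-LP": {"RC-intact": 0.995, "RC-late-failure": 0.005},
}


def level1(model):
    """Return (PDS frequencies, CDF contribution per initiator), both per r.y."""
    pds, by_initiator = defaultdict(float), defaultdict(float)
    for name, (freq, sequences) in model.items():
        for branches, state in sequences:
            seq_freq = freq * math.prod(branches)  # independence assumed
            pds[state] += seq_freq
            by_initiator[name] += seq_freq
    return dict(pds), dict(by_initiator)


def level2(pds_freq, cet):
    """Propagate PDS frequencies through the CET to release-category frequencies."""
    rc = defaultdict(float)
    for state, freq in pds_freq.items():
        split = cet[state]
        if not math.isclose(sum(split.values()), 1.0, rel_tol=1e-9):
            raise ValueError(f"CET branches for {state} do not sum to 1")
        for category, prob in split.items():
            rc[category] += freq * prob
    return dict(rc)


def assess(model=LEVEL1_MODEL, cet=CET):
    """Run Level 1 then Level 2 and compare both results with the targets."""
    pds, by_initiator = level1(model)
    cdf = sum(pds.values())
    rc = level2(pds, cet)
    release = sum(f for c, f in rc.items() if c != "RC-intact")
    return {
        "cdf": cdf, "release": release, "pds": pds, "rc": rc,
        "shares": {k: v / cdf for k, v in by_initiator.items()},
        "meets_cdf_target": cdf < CDF_TARGET,
        "meets_release_target": release < RELEASE_TARGET,
    }


if __name__ == "__main__":
    r = assess()
    print(f"CDF = {r['cdf']:.2e}/r.y., release = {r['release']:.2e}/r.y.")
    print({k: f"{v:.1%}" for k, v in r["shares"].items()})
```

The per-initiator shares are what a "well-balanced design" check looks at: in this constructed model LOOP dominates the CDF, which is the kind of finding that motivates an added mitigation.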

Contribution of
Release Categories to Core Melt

Chapter 7

Internal and External Hazard


Internal Hazards
Internal hazards are events originating on the plant site with the potential to cause adverse conditions or even damage inside or on safety classified buildings.

List of Internal Hazards

▪ Failure of pipes, vessels, tanks, pumps and valves
▪ Flooding
▪ Internal missiles
▪ Load drop
▪ Internal explosion
▪ Fire
▪ Electromagnetic interference
▪ Pressure build-up due to arcs in switchgears,
▪ Short circuit of an emergency diesel generator.

Example:
Protection Against Internal Missiles

Mitigation Methods:
▪ Geographical separation of trains
▪ Partition walls
▪ Concrete structures (e.g. partition walls between the individual reactor coolant loops in the containment, missile protection cylinder in the containment)
▪ Probability of occurrence of internally generated missiles reduced by safety-oriented design and engineering principles.
  • Overspeed protection devices,
  • Restraints
  • Stem threads on valves.

[Figure labels: Partition Walls, Missile Protection Ring, Reactor Coolant Pumps, Steam Generators, Reactor Pressure Vessel, Pressurizer tank]

External Hazards
External hazards characteristics:
▪ Natural or man-made
▪ Site dependent events
▪ Treated as load cases
▪ Protection achieved by two methods:
  ● Design against the generated loads or
  ● Geographical separation (systems or components).

List of External Hazards
▪ Safe shutdown earthquake (SSE),
▪ Airplane crash (APC)
▪ Explosion pressure wave (EPW).
▪ External Air Temperatures and Humidity Conditions
▪ Wind
▪ Lightning
▪ Snow
▪ Cooling Water Temperatures
▪ Precipitation and External Flooding
▪ Site proximity hazards.

Example:
Airplane Crash
Considered as a load.

Two categories are considered:
▪ Design Basis Aircraft: light aircraft
  • The outer walls of safety relevant buildings (e.g. Safeguard Building) sufficiently thick to prevent penetration
▪ Design Extension Aircraft: military aircraft and large commercial aircraft.
  • Buildings Protected by Design (reactor building, fuel building, safeguard building 2 and 3)
  • Buildings Protected by Geographical Separation

[Figure: Airplane crash Protected Buildings. Labels: Safeguard Buildings (Division 1, Division 2, Division 3, Division 4), Main Control Room, IRWST, SPREADING AREA, Spent Fuel Storage Pool, Fuel Building]
Chapter 8

Safety During Operation


Protection of the Nuclear Fuel
The most important Safety Task during operation is the Protection of the Nuclear Fuel from Fuel Rod Failure!

Main causes for Fuel Rod Failure:

▪ PCI: Pellet-Cladding Interaction
▪ DNB: Departure from Nucleate Boiling

[Figure: fuel rod. Labels: Hold-down Spring, Cladding, Fuel Pellets, UO2 Pellet, Tubes of Zircalloy]

Temperature Profile in the Fuel Pellet

The Linear Power Density q' [W/cm] determines the maximum temperature at pellet center.

[Figure: Temperature [°C] (0 to 3000) versus Pellet Radius [mm] (0 to 5) across Pellet, Gap (He, Kr, Xe-136) and Cladding, with curves for q' (EPR): Average Point (156.1 W/cm), Hot Point (420 W/cm) and Protection (590 W/cm). UO2 Melting Point* marked at 2800 on the temperature axis; Tclad ≈ 340 °C]

*Tmelt(UO2) is max. decreasing by 3.2 K per MWd/kg exposure.

Fuel Rod Cladding Composition:
▪ Zircalloy: > 90% Zr, Cr, Fe, Ni, Sn
▪ Tmelt (Zr) = 1852 °C
Pellet Cladding Interaction
Pellet Cladding Interaction may result in Stress Corrosion Cracking (SCC) of cladding.

▪ Crack always starts at the cladding inner surface
▪ Crack progresses towards the outer cladding diameter

[Figure: (a) Before Load Ramp, (b) During Load Ramp. Labels: Pellet, Gap, Cladding, σ, Thermal Expansion of Pellet, Center Line Melting; Zirkonium Alloy Clad Crack Evolution (scale 1 mm)]

Heat Transfer from Fuel Rod to Coolant

Average surface heat flux q'' (EPR™) = 52.33 W/cm².

DNBR = q''crit [W/cm²] / q''act [W/cm²]

DNB: q'' ≥ q''crit

Fuel rods damaged after DNB

[Figure: Z [cm] versus T [K] along the fuel rod, showing Average Fluid Temperature, Temperature at Wall and Tsat, with the regions Single-phase liquid, Nucleate Boiling (Operating Band), Saturated flow, Slug flow, Annular flow and Single-phase vapor]
Safety Requirements for Operating Conditions
Requirements for preventing damage of Fuel and Control Rods:

▪ DBC1: Normal Operation: Start-up and Shutdown, Load Follow
  > No center line melting in the Fuel Pellets
  > Cladding temperature may not substantially exceed T(coolant)
  > PCI shall be prevented
OL3

▪ DBC2: Operational Transients: Incident Conditions
  > No center line melting in the Fuel Pellets
  > Cladding temperature < 1482 °C
  > PCI shall be extremely low

▪ DBC3: Infrequent Accidents
  > Number of fuel rods reaching the DNB may not exceed 1%

▪ DBC4: Limiting Accidents
  > The number of damaged fuel rods may not exceed 10%
Core Surveillance and Protection
The EPR™ has 2 independent systems for Core Supervision:

1. Reactor Control, Surveillance and Limitation System RCSL
   ▪ control variable states
   ▪ actuate alarms
   ▪ prevent control rod withdrawal
2. Protection System PS
   ▪ perform Reactor Trip

DNBRNom: Nominal operational DNBR
DNBRT: Low DNBR Trip Threshold
DNBLCO: DNB LCO Threshold
LCO: Limiting Condition of Operation

Threshold    q' [W/cm]    DNBR
DNBLCO       ≤ 450        1.86
DNBRT        ≤ 590        1.40

[Figure: DNBR scales for the PROTECTION SYSTEM and the SURVEILLANCE SYSTEM, showing DNBRNom, Operational Margin, DNBLCO, Uncertainties (Statistic, Deterministic), DNBRT, and the Margin for transients for which the low DNBR protection is not effective]
The Most Important Facts to Remember
▪ The EPR™ safety principles are coherent with the general safety objectives defined by guidelines for Next Generation PWR Plants. Compliance with the regulations and guidance of the IAEA and EUR.
▪ The EPR™ features technical measures reducing the hypothetical Core Damage Frequency to a value much < 10⁻⁵ per reactor per year
▪ The 3 safety levels of currently operating PWRs have been extended for the EPR to 4th and 5th level in order to limit the residual risk associated with beyond design events. A Severe Accident Strategy with a Core Melt Stabilization System and a reinforced confinement function is a major feature of the EPR™
▪ Protection against internal and external hazard incorporated into design.
▪ A stronger role of the Probabilistic Risk Assessment during all stages of the plant.
