040.1411.131112
GOVERNMENT OF THE REPUBLIC OF ARMENIA
DECISION
8 November 2012, N 1411-N
ON APPROVING THE DESIGN SAFETY REQUIREMENTS FOR THE NEW NUCLEAR POWER UNIT (UNITS)
(Part 1)
Based on point "ib" of part 1 of Article 7 of the Law of the Republic of Armenia "On the Safe Use of Atomic Energy for Peaceful Purposes", the Government of the Republic of Armenia decides:
1. To approve the design safety requirements for the new nuclear power unit (units) (in English), according to the Annex.
2. This Decision shall enter into force on the tenth day following the day of its official publication.
(preamble amended by Decision N 698-N of 11.05.2023)
SIGNED BY THE PRIME MINISTER OF THE REPUBLIC OF ARMENIA
ON 13 NOVEMBER 2012
Annex
to the Decision of the Government of the RA
of 8 November 2012
N 1411-N
Design Safety Requirements to New NPP Unit(s)
CONTENTS
1. General Provisions
2. Definitions
3. Safety principles and objectives
3.1. Design for defense in depth
3.2. Safety functions
3.3. Aging safety margins
3.4. Design for Prevention and Mitigation of Accidents
3.4.1. Prevention of postulated initiating events
3.4.2. Response to PIE
3.4.3. Design Extension Conditions
3.4.4. Severe accident measures
4. Safety Assessment
4.1. Deterministic safety Analysis
4.2. PSA
4.3. Severe Accidents Analysis
5. Safety Classification of Equipment
6. Safety Requirements for Systems, Structures and Components
6.1 Reactor Core and Associated Features
6.2 Reactor Coolant System
6.3 Removal of Residual Heat
6.4 Emergency Core Cooling
6.5 Heat transfer to an ultimate heat sink
6.6 Control of the Technological Processes
6.7 Containment System
6.8 Emergency Power Supply
6.9 Interactions between the electrical power grid and the plant
6.10 Supporting and Auxiliary Systems
7. Radioactive Waste Management
8. Fuel Handling
9. Radiation Protection
10. Emergency Preparedness
11. Quality Management System
1. GENERAL PROVISIONS
The current regulation defines the basic criteria and rules of nuclear safety and radiation protection of nuclear power plants (NPP), as well as the administrative provisions and the technical requirements for ensuring NPP design safety.
The content, completeness and depth of the implementation of these requirements and measures shall comply with the national regulations in the field of nuclear energy, as well as other regulations and state standards, and the validity of their application to a specific NPP shall be confirmed by the State Committee on Nuclear Safety Regulation (the Regulatory body) in the process of licensing.
Where the required regulations are lacking, the proposed specific technical solutions shall be justified and established in the design in accordance with the achieved level of science and technology. The acceptability of these solutions is determined by the Regulatory body in the process of licensing.
This document does not cover all requirements associated with the safety of nuclear power reactors. Separate documents establish requirements related to selection of the reactor site, construction, plant operational safety and decommissioning.
These requirements are mandatory for all legal entities and natural persons carrying out practices related to the siting, design, construction, commissioning, operation and decommissioning of nuclear power units, and apply on the territory of Armenia.
2. DEFINITIONS
The following terms with their corresponding definitions are used in this document:
Accident means a deviation from normal operation involving release of radioactive products and/or ionizing radiation outside the design boundaries specified for normal operation in amounts exceeding the established safe operational limits. An accident is characterized by an initiating event, human and hardware failures, and consequences.
Accident management means a set of actions to prevent escalation of an event into a severe accident, to mitigate the consequences of a severe accident; and to achieve a long term safe stable state.
Active component is a component whose functioning depends on an external input such as actuation, mechanical movement or supply of power.
Anticipated operational occurrence is an operational process deviating from normal operation which is expected to occur at least once during the operating lifetime of a facility but which, in view of appropriate design provisions, does not cause any significant damage to systems and components important to safety or lead to accident conditions.
As Low as Reasonably Achievable (ALARA) means making every reasonable effort, through design and operation, to maintain exposures to radiation as far below the dose limits as practical, taking into account the state of technology and socioeconomic factors.
Beyond design basis accidents are event sequences that could lead to conditions beyond the design basis accident conditions, without significant core degradation and/or with significant core degradation (severe accidents), from which event sequences can be selected to identify and to implement those reasonably practicable provisions for their prevention and mitigation.
Cliff-edge effect is an instance of severely abnormal plant behaviour caused by an abrupt transition from one plant status to another following a small deviation in a plant parameter, and thus a sudden large variation in plant conditions in response to a small variation in an input.
Common cause failure is failure of two or more structures, systems or components due to a single specific event or cause.
Confining safety systems, components are designed to prevent release of radioactive materials and radiation during accidents.
Conservative approach to analysis of accident causes, development and consequences means that values and limits admittedly resulting in the most unfavorable results are taken as parameters and characteristics.
Controlling safety systems, components are designed to initiate safety system actions, monitor and control them in the course of performance of their intended functions.
Design limits are values of parameters and characteristics of systems established by design for operational states and accidents.
Design-basis is the collection of information which identifies the specific functions to be performed by a structure, system, or component, and the specific values or ranges of values chosen for controlling parameters as reference bounds for design.
Design-basis accidents are accidents against which a nuclear power plant is designed according to established design criteria, and for which the damage to the fuel and the release of radioactive material are kept within authorized limits.
Diversity principle is the presence of two or more redundant components or systems to perform an identified function, where the components or systems have different attributes so as to reduce the possibility of common cause failure.
Emergency preparedness establishes the preparedness level and technical facilities used in actions for personnel and public protection in case of an accident.
Fail-safe design is the ability to ensure safety based on natural feedback and processes.
Functional isolation means prevention of influences from the mode of operation or failure of one circuit or system on another.
Hazard is a condition that potentially can cause a disease, injury or loss of human life, or damage to the facility or the environment.
Independence principle improves system reliability using functional and/or physical separation of trains, components for which failure of one train, component does not result in failure of another train, component.
Systems (components) important to safety are safety systems and normal operating systems whose failure leads to a deviation from normal operation, creates obstacles to the restoration of normal operation, or can lead to design basis or beyond design basis accidents.
Nuclear power plant, NPP is a facility for generation of power (electric and/or thermal) with a nuclear reactor (reactors) and a set of systems, devices, components, buildings and personnel required for this purpose.
Normal operation is operation within the operational limits and conditions specified by the design.
Normal operating systems, components are systems, structures, components designed for normal operation.
Operation includes, in particular, start-up of the reactor to criticality, stable power operation, shutdown of the reactor, increasing and decreasing of reactor power, the shutdown state, maintenance, repairs and testing of the unit, and refueling outages.
Operational states define the status of the NPP under normal operation and anticipated operational occurrences.
Passive component is a component whose functioning does not depend on an external input such as actuation, mechanical movement or supply of power.
Personnel error is a single inadvertent wrong action upon controls, or a single omission of a proper action, or a single inadvertent action during maintenance of equipment and safety-significant systems and components.
Physical separation means separation by geometry (distance, orientation, etc.), by appropriate barriers, or by a combination thereof.
Postulated initiating event is a single failure of NPP systems, external event or operator error resulting in disturbance of normal operation that may lead to violation of limits and/or conditions of safe operation. The initiating event includes all dependent failures.
Protective safety systems, components are designed to prevent or limit failure of nuclear fuel, fuel cladding, piping and components containing radioactive materials.
Redundancy principle improves system reliability by provision of more than a single system, structure or component to perform a safety function.
Risk-informed approach is a process to assign priority and allocate resources in proportion to the relative significance of considered hazards for NPP safety.
Safety criteria are values of parameters established by regulations or license condition as limits for the conditions experienced during normal operation or design basis accidents.
Safety limits for nuclear reactors are limits upon important process variables that are found to be necessary to reasonably protect the integrity of certain of the physical barriers that guard against the uncontrolled release of radioactivity.
Safety-related SSC are SSC which are relied upon to function following design basis accidents to ensure that specific design limits are not exceeded and to limit the consequences of design basis accidents.
Safety systems, structures, components are systems, structures, components designed to perform safety functions.
Severe accident is an accident resulting in conditions outside the design basis of the plant, possible damage to the reactor core and potential release of radiation to the environment.
Single failure is a failure that results in the loss of capability of a system or component to perform its intended safety function(s) and any consequential failure(s) that result from it.
Single failure criterion is a criterion applied to a system such that it must be capable of performing its task in the presence of any single failure.
Significant radioactive releases mean large or early releases for which protective measures limited in area and time are insufficient to protect the people and the environment.
Station blackout means the complete loss of alternating current (ac) electric power to the essential and nonessential switchgear buses in a nuclear power plant (i.e., loss of offsite electric power system concurrent with turbine trip and unavailability of the onsite emergency ac power system). Station blackout does not include the loss of available ac power to buses fed by station batteries through inverters or by alternate ac sources as defined in this section, nor does it assume a concurrent single failure or design basis accident.
Supporting safety systems, components are designed to provide safety related SSCs with motive power, cooling fluid and other conditions needed for reliable performance.
Unidentified failure is the failure of a system, component that is not apparent at the time of its initiation during normal operation and cannot be identified by available inspection methods used according to regulations for maintenance and inspections.
Waste handling is physical manipulation (sorting, moving, etc.) of waste or waste packages.
3. SAFETY PRINCIPLES AND OBJECTIVES
The fundamental safety objective is to protect people and the environment from harmful effects of ionizing radiation.
A nuclear power plant is assumed to be safe when its radiation impact in all operational states is kept at a reasonably achievable low level and is maintained below the regulatory prescribed dose limits for internal and external exposure of the personnel and population, and when in case of any accident, including those of very low frequency of occurrence, the radiation consequences can be mitigated.
Measures shall be provided to ensure that radiation doses to the public and to site personnel in all operational states, including maintenance and decommissioning, do not exceed prescribed limits and are as low as reasonably achievable.
The design shall have as an objective the prevention or, if this fails, the mitigation of radiation exposures resulting from design basis accidents and selected severe accidents. Design provisions shall be made to ensure that potential radiation doses to the public and the site personnel do not exceed acceptable limits and are as low as reasonably achievable.
Plant states that could result in high radiation doses or radioactive releases shall be restricted to a very low likelihood, and it shall be ensured that the potential radiological consequences of plant states with a significant likelihood shall be only minor.
For accidents without core melt, there shall be no necessity of protective measures for people living in the vicinity of the NPP.
Accidents with core melt which would lead to large early releases have to be eliminated by design provisions.
The plant shall comply with design limits governing the key physical parameters for each structure, system or component for operational states and design basis accidents. The design limits will be defined in guidance published by the regulatory body.
The plant shall meet the following main nuclear and radiation safety criteria:
* The annual effective dose to the public shall not exceed 0.1 mSv.
* The annual effective dose to plant personnel shall not exceed 20 mSv.
* The annual effective dose of the public from internal and external exposure beyond the boundary of the exclusion zone shall not exceed 1 mSv over the first year following a design basis accident.
* Accidents with core melt shall not lead to permanent relocation, long term restrictions in food consumption, or need for emergency evacuation outside the exclusion zone.
* The frequency of reactor core damage or core melt during accidents shall be less than 10⁻⁵ events per reactor per year.
* The formation of a secondary critical mass in case of core damage and/or melt shall be ruled out by engineering decisions.
* The estimated frequency of a large early release of radioactive materials to the environment shall be less than 10⁻⁶ events per NPP unit per year.
3.1. Design for defense in depth
The defense in depth principle is the fundamental safety principle for the NPP. It is implemented through several levels of protection, including successive barriers against the release of radioactive substances to the environment, and shall be used to demonstrate that the fundamental safety functions are correctly ensured.
Design of a plant shall provide levels of defense aimed at preventing accidents and ensuring appropriate protection in the event that prevention fails. The design shall consider possibilities of multiple failures and the use of diversified means to fulfill the three basic safety functions.
Defense in depth includes multiple physical barriers to confine radioactive material at specified locations. The barriers consist of the fuel matrix, fuel cladding, the reactor coolant system pressure boundary and containment. The design shall prevent as far as practicable challenges to the physical barriers, failure of a barrier when challenged; and failure of a barrier as a consequence of failure of another barrier.
The first level of defense requires the prevention of transients, accidents and other deviations from normal operation. The plant must be designed, constructed, maintained and operated in accordance with high quality levels and proven engineering practices, selection and application of appropriate design codes and materials.
The second level of defense is to detect and intercept deviations from normal operational states in order to prevent anticipated operational occurrences from escalating to accident conditions. The plant shall include specific systems and operating procedures to prevent or minimize damage from such PIEs.
The third level of defense requires design features and operational procedures to control the consequences of transients or accidents and to achieve a stable and acceptable plant state. Inherent or engineered safety features, safety systems and procedures shall be provided that are capable of leading the plant first to a controlled state, and subsequently to a safe shutdown state, while maintaining at least one barrier for the confinement of radioactive material. Selected multiple failure events, including possible failure or inefficiency of safety systems, shall be considered at this level.
The fourth level of defense is to mitigate the consequences of accidents that result from failure of the third level of defense in depth. The most important objective for this level is to ensure the confinement function, by limiting the radioactive releases so that the protection of the people and environment is ensured by implementing protective measures limited in time and areas. Level four includes additional features which are necessary for the practical elimination of sequences possibly leading to significant radioactive releases.
Practical elimination of situations that could lead to early large releases of radioactive materials, and control of accidents with core melt so as to limit releases, are the objectives of this level.
The fifth level requires mitigation of the radiological consequences of significant releases of radioactive materials for the protection of plant personnel and the public. An emergency control center, emergency plans and emergency procedures shall be developed to protect on-site and off-site personnel from the potential radiological consequences of accidents.
The design shall be such that the first, or at most the second, level of defense is capable of preventing escalation to accident conditions for all but the most improbable PIEs.
The reduction of frequencies of occurrence of accidents (including core melt accidents) has to be obtained by reducing the frequencies of occurrence of initiating events and by further improving the availability of safety systems.
Accidents during shutdown states must be taken into account at the design stage.
The quality of design, manufacturing and construction is essential for safety in the frame of the first level of DiD. Quality must be obtained and demonstrated notably by an adequate set of requirements for design, manufacturing including test and inspections, construction, as well as by quality assurance. At the design stage consideration must be given to the inspectability and testability of equipment as well as to the possibility of replacement of some equipment, considering that maintenance and testing activities are essential to maintain the safety of the plant throughout operation.
3.2. Safety functions
The following fundamental safety functions shall be performed in operational states, in and following a design basis accident and, to the extent practicable, on the occurrence of those selected accident conditions that are beyond design basis accidents:
* Control of reactivity;
* Removal of heat from the core and from the spent fuel pools;
* Confinement of radioactive materials and control of operational discharges, as well as limitation of accidental releases.
A systematic approach shall be followed to identify the structures, systems and components (SSC) that are necessary to fulfill the safety functions. The capacity and reliability of SSC to perform safety functions shall be demonstrated by design descriptions, operational experience and analysis in the PSAR and FSAR. SSC needed to perform safety functions shall meet the appropriate safety requirements in Chapter 6 of these requirements.
3.3. Aging safety margins
Appropriate margins shall be provided in the design for all SSC important to safety so as to take into account relevant aging and wear-out mechanisms and potential age-related degradation, in order to ensure the capability of the structure, system or component to perform the necessary safety function throughout its design life.
Aging and wear-out effects in all normal operating conditions, testing, maintenance, maintenance outages, and plant states in a PIE and post-PIE shall also be taken into account. Provision shall also be made for monitoring, testing, sampling and inspection, to assess aging mechanisms predicted at the design stage and to identify unanticipated behavior or degradation that may occur in service.
3.4. Design for Prevention and Mitigation of Accidents
3.4.1. Prevention of postulated initiating events
Normal operation. The plant shall be designed to operate safely within a defined range of parameters (pressure, temperature, power, etc.). The design shall be such that the response of the plant to a wide range of anticipated operational occurrences will allow safe operation or shutdown, if necessary, without the necessity of invoking provisions beyond the second level of defense in depth.
The potential for accidents to occur in low power and shutdown states, when the availability of safety systems may be reduced, shall be addressed in the design, and appropriate limitations on the unavailability of safety systems shall be specified.
The design shall establish requirements and limitations for safe operation, including:
* control system and procedural constraints on process variables and other parameters;
* requirements for maintenance, testing and inspection of the plant to ensure that structures, systems and components function as intended in the design, with the ALARA principle taken into consideration;
* clearly defined operational configurations, including operational restrictions in the event of safety system outages.
These requirements and limitations shall be a basis for establishing operational limits and conditions under which the operating organization will be authorized to operate the plant.
Design solutions to reduce the frequencies of initiating events have to be considered for all types of events which contribute to the total core melt frequency or large early release frequency significantly. It is important to consider initiating events during all operating states, including full power, low power, and all relevant shutdown conditions.
Quality of design, manufacturing, construction operation and maintenance shall ensure that those malfunctions leading to the actuation of safety systems are unlikely.
Postulated initiating events. The design for the nuclear power plant shall apply a systematic approach to identifying a comprehensive set of postulated initiating events such that all credible events with the potential for serious consequences and all credible events with a significant frequency of occurrence are anticipated and are considered in the design. The PIEs should be selected to challenge all of the plant safety functions and SSC important to safety.
The PIEs to be used in the overall safety assessment of the plant may be limited to a number of representative event sequences. These sequences shall be bounding cases and provide the basis for quantitative design limits for structures, systems and components important to safety.
The postulated initiating events shall be identified on the basis of engineering judgement and a combination of deterministic assessment and probabilistic assessment. A justification of the extent of usage of deterministic safety analysis and probabilistic safety analysis shall be provided, to show that all foreseeable events have been considered.
Internal fire hazard. The design shall apply the defense in depth principle to fire protection, providing measures to prevent fires from starting, to detect and extinguish quickly any fires that do start, and to prevent the spread of fires and their effects in or to any area that may affect safety.
SSCs important to safety shall be designed and located so as to minimize the frequency and the effects of fire and to maintain capability for shutdown, residual heat removal, confinement of radioactive material and monitoring of plant state during and after a fire event.
The design shall include a fire hazard evaluation. A fire hazard analysis of the plant shall be carried out to determine the necessary rating of the fire barriers.
Fire detection and fire fighting systems shall be provided. Fire fighting systems shall be automatically initiated where necessary, and systems shall be designed and located so as to ensure that their rupture or spurious/inadvertent operation does not significantly impair the capability of safety-related SSC, nor simultaneously affect redundant safety systems (which would render ineffective the measures taken to comply with the single failure criterion).
Buildings that contain equipment important to safety shall be subdivided into fire compartments that segregate such items from fire loads and segregate redundant safety systems from each other. When a fire compartment approach is not practicable, fire cells shall be used. The spread of fire within a fire cell shall be avoided by substituting the fire resistant barriers primarily with passive provisions (e.g. distance, thermal insulation, etc.) that take into account all physical and chemical phenomena that can lead to fire propagation. Active measures (e.g. fire extinguishing systems) may also be used in order to achieve a satisfactory level of protection. The achievement of a satisfactory level of protection shall be demonstrated by the results of the fire hazard analysis.
Access and escape routes for fire fighting and operating personnel shall be available.
These requirements shall be met by suitable incorporation of redundant parts, diverse systems, physical separation and design for fail-safe operation.
Other internal hazards. The potential for internal hazards such as flooding, missile generation, pipe whip, explosions, jet impact, or release of fluid from failed systems or from other installations on the site shall be taken into account in the design of the plant. Corresponding preventive and mitigating measures shall be provided to ensure that safety is not compromised. Since certain external hazards may initiate internal fires or floods, the interaction of external and internal hazards shall also be considered in the design.
External hazards. The design shall include due consideration of those natural and human induced external hazards (i.e. hazards of origin external to the plant) that have been identified in the site evaluation process. Natural external hazards and human induced external hazards arising from nearby industries and transport routes shall be addressed. Causality and likelihood shall be considered in postulating potential combination of hazards. In the short term, the safety of the plant shall not be permitted to be dependent on the availability of off-site services such as electricity supply and fire fighting services. The design shall take due account of site specific conditions to determine the maximum delay time by which off-site services need to be available.
Site related design considerations. In the design of a nuclear power plant, interactions between the plant and the environment, including meteorology, hydrology, geology and seismology, shall be taken into account. The seismic design of the plant shall provide for a sufficient safety margin to protect against seismic events and to avoid cliff edge effects. Nuclear power plants to be sited in volcanic areas shall be assessed with a view to identifying special design features which may be necessary as a result of the characteristics of the site.
The availability of off-site services such as the electricity supply, water supply, and fire-fighting services, shall also be taken into account.
For multiple unit plant sites, the design shall take due account of the potential for specific hazards giving rise to simultaneous impacts on several units on the site.
3.4.2. Response to PIE
The plant design shall be such that its sensitivity to PIEs is minimized. The expected plant response to any PIE shall be that:
1. a PIE produces no significant safety related effect or produces only a change in the plant towards a safe condition by inherent characteristics; or
2. following a PIE, the plant is rendered safe by passive safety features or by the action of systems that are continuously operating; or
3. following a PIE, the plant is rendered safe by the action of safety systems that need to be brought into service in response to the PIE; or
4. following a PIE, the plant is rendered safe by specified procedural actions.
Where prompt and reliable action is necessary in response to a PIE, the necessary actions of safety systems shall be initiated automatically or accomplished by passive means, such that operator action is not necessary within 30 minutes of the initiating event. Any operator actions required by the design within 30 minutes of the initiating event shall be justified.
Operator actions necessary to diagnose the state of the plant and to put it into a stable long term shutdown condition shall be facilitated by instrumentation to monitor plant status and controls for manual operation of equipment.
Equipment necessary in manual response and recovery processes shall be placed at the most suitable location to ensure its ready availability at the time of need and to allow human access in the anticipated environmental conditions.
Common cause failures. The potential for common cause failures of safety-related systems and components shall be considered to determine where the principles of diversity, redundancy, physical separation and functional independence should be applied to achieve the necessary reliability.
Single failure criterion. The single failure criterion shall be applied to each safety-related system incorporated in the plant design. Spurious action shall be considered to be one mode of failure when applying the concept to a safety group or safety system. Single failures shall be considered to occur concurrently with all identifiable but non-detectable failures.
To test compliance with the single failure criterion, the safety system shall be analyzed in the following way. A single failure (and all its consequential failures and identifiable but non-detectable failures) shall be assumed in turn to occur for each element of the safety system until all possible failures have been analyzed. The analyses of each pertinent safety system shall be conducted in turn until all safety systems and all failures have been considered. In the single failure analysis, no more than one random failure is assumed to occur.
In the conduct of a single failure analysis, any potentially harmful consequences of the PIE for the safety system shall be assumed to occur. In addition, the worst permissible configuration of safety systems performing the safety function is assumed, accounting for maintenance, testing, inspection and repair, and allowable equipment outage times.
In the single failure analysis, it may not be necessary to assume the failure of a passive component designed, manufactured, inspected and maintained in service to extremely high quality, provided that it remains unaffected by the PIE. However, when it is assumed that a passive component does not fail, such an analytical approach shall be justified, with account taken of the loads and environmental conditions, as well as the total period of time after the initiating event for which functioning of the component is necessary.
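The single failure analysis described above (one random failure at a time, together with its consequential failures and any identifiable but non-detectable failures, assessed in the worst permissible configuration allowing for maintenance outages) can be carried out mechanically. The following is an added illustration and not part of the regulation: a small Python model of a four-train safety system of which two trains must function. The train names, component names (pump-A, valve-A, CCW-1, ...) and the shared cooling water dependencies are constructed for the example; the code shows how a shared support component turns a single failure into a loss of two trains, which, combined with a permitted maintenance outage, violates the criterion, and how per-train support removes the violation.

```python
from itertools import chain


def trains_available(trains, failed):
    """Count the trains that have no failed component."""
    return sum(1 for comps in trains.values() if not (set(comps) & failed))


def single_failure_analysis(trains, required, consequential=None,
                            undetected=frozenset(), maintenance=None):
    """Assume each element in turn to be the single random failure and
    return the (element, trains_still_available) pairs that leave fewer
    than `required` trains functional.

    trains        -- {train_name: [component, ...]}; a train is lost if any
                     of its components is in the failed set
    required      -- number of trains that must remain functional
    consequential -- {component: [components that fail together with it]},
                     e.g. a shared support system and the equipment it serves
    undetected    -- components assumed already failed (identifiable but
                     not detectable during operation)
    maintenance   -- train assumed out of service, i.e. the worst
                     permissible configuration for this analysis
    """
    consequential = consequential or {}
    # Every component, including shared support not listed under any
    # train, is a candidate single failure.
    elements = set(chain.from_iterable(trains.values())) | set(consequential)
    violations = []
    for element in sorted(elements):
        failed = set(undetected) | {element} | set(consequential.get(element, ()))
        if maintenance is not None:
            failed |= set(trains[maintenance])
        available = trains_available(trains, failed)
        if available < required:
            violations.append((element, available))
    return violations


def worst_case(trains, required, consequential):
    """Repeat the analysis for every permissible maintenance configuration
    (no train out, then each train out in turn). An empty result means the
    single failure criterion is met in all of them."""
    found = []
    for out in [None] + list(trains):
        for element, avail in single_failure_analysis(
                trains, required, consequential, maintenance=out):
            found.append((out, element, avail))
    return found


# Constructed example: four redundant trains, two needed for the function.
TRAINS = {
    "A": ["pump-A", "valve-A"],
    "B": ["pump-B", "valve-B"],
    "C": ["pump-C", "valve-C"],
    "D": ["pump-D", "valve-D"],
}
# Variant 1 (constructed): one cooling water header serves two pumps each.
SHARED_SUPPORT = {
    "CCW-1": ["pump-A", "pump-B"],
    "CCW-2": ["pump-C", "pump-D"],
}
# Variant 2 (constructed): each pump has its own cooling water supply.
PER_TRAIN_SUPPORT = {
    "CCW-A": ["pump-A"], "CCW-B": ["pump-B"],
    "CCW-C": ["pump-C"], "CCW-D": ["pump-D"],
}

if __name__ == "__main__":
    print("shared support:   ", worst_case(TRAINS, 2, SHARED_SUPPORT))
    print("per-train support:", worst_case(TRAINS, 2, PER_TRAIN_SUPPORT))
```

With no train in maintenance the shared-header design passes (a single header failure still leaves two trains), which is exactly the case the regulation rules out as insufficient: once one train is allowed to be out for maintenance, a single failure of a header serving the two remaining trains on the other side leaves only one train. The `undetected` argument models the identifiable but non-detectable failures that must be assumed concurrently.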
Fail-safe design. The principle of fail-safe design shall be considered and incorporated into the design of systems and components important to safety for the plant as appropriate.
Equipment outages. The design shall ensure, by measures such as increased redundancy, that reasonable on-line maintenance and testing of systems important to safety can be conducted without the necessity to shut down the plant. Equipment outages, including unavailability of systems or components due to failure, shall be taken into account, and the impact of the anticipated maintenance, test and repair work on the reliability of each individual safety system shall be included in this consideration in order to ensure that the safety function can still be achieved with the necessary reliability. The time allowed for equipment outages and the actions to be taken shall be analyzed and defined for each case before the start of plant operation and included in the plant operating instructions.
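As an added illustration of the single failure analysis described above, together with the equipment outage requirement, the following Python model is not part of the regulation and not the tooling of any operating organization. All system names, element names, train counts, consequential-failure relations and success criteria are assumptions made for the example; a real analysis takes them from the plant design. The model postulates the failure of each element in turn, propagates its consequential failures, adds any identifiable but non-detectable failures, treats spurious action as a failure of the acting element, evaluates every permissible maintenance configuration and reports the combinations under which the safety function is no longer fulfilled.

```python
"""Single failure criterion check for a redundant safety system.

Added example (not part of the regulation): a safety system is modelled as
redundant trains; one random failure, with its consequential failures and any
identifiable but non-detectable failures, is postulated in turn for every
element, in every permissible maintenance configuration. Every system,
element and train below is hypothetical.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Element:
    name: str
    trains: tuple[str, ...]              # trains made unavailable if this element fails
    consequential: tuple[str, ...] = ()  # elements that fail as a direct consequence
    passive_high_quality: bool = False   # failure need not be postulated, if justified


@dataclass
class SafetySystem:
    name: str
    elements: dict[str, Element]
    success_trains: int                  # trains needed to perform the safety function
    max_trains_in_maintenance: int = 1   # permitted on-line maintenance outage
    undetectable_failures: frozenset[str] = frozenset()

    @property
    def trains(self) -> frozenset[str]:
        return frozenset(t for e in self.elements.values() for t in e.trains)


def failure_closure(system: SafetySystem, seeds) -> frozenset[str]:
    """All elements failed once consequential failures of the seeds are propagated."""
    failed, stack = set(), list(seeds)
    while stack:
        name = stack.pop()
        if name not in failed:
            failed.add(name)
            stack.extend(system.elements[name].consequential)
    return frozenset(failed)


def available_trains(system: SafetySystem, failed, in_maintenance) -> frozenset[str]:
    lost = set(in_maintenance)
    for name in failed:
        lost.update(system.elements[name].trains)
    return system.trains - lost


def single_failure_check(system: SafetySystem) -> list[tuple[str, tuple[str, ...]]]:
    """(postulated single failure, trains in maintenance) pairs that defeat the function.

    An empty list means the criterion holds in the worst permissible configuration.
    Spurious action (a valve closing unbidden, a breaker opening) is modelled as a
    failure of that element, since the criterion counts it as a failure mode.
    """
    baseline = failure_closure(system, system.undetectable_failures)
    maintenance_configs = [()] + [
        cfg for k in range(1, system.max_trains_in_maintenance + 1)
        for cfg in combinations(sorted(system.trains), k)
    ]
    violations = []
    for name, element in system.elements.items():
        if element.passive_high_quality:
            continue  # exclusion must be justified separately (loads, environment, mission time)
        failed = failure_closure(system, baseline | {name})
        for cfg in maintenance_configs:
            if len(available_trains(system, failed, cfg)) < system.success_trains:
                violations.append((name, cfg))
    return violations


def _pumped_train(label: str) -> list[Element]:
    # Hypothetical train: a breaker trip takes its pump with it (consequential failure).
    return [
        Element(f"pump-{label}", (label,)),
        Element(f"discharge-valve-{label}", (label,)),
        Element(f"breaker-{label}", (label,), consequential=(f"pump-{label}",)),
    ]


# Hypothetical 2 x 100 % system whose trains share one suction header: failure or
# spurious isolation of the header is a single failure with consequences in both trains.
TWO_TRAIN_SHARED_HEADER = SafetySystem(
    name="2x100% with common suction header",
    elements={e.name: e for e in _pumped_train("A") + _pumped_train("B")
              + [Element("suction-header", ("A", "B"))]},
    success_trains=1,
)

# Hypothetical 3 x 100 % system with separated trains: redundancy sized so that one
# train can be in maintenance while the single failure criterion still holds.
THREE_TRAIN_SEPARATED = SafetySystem(
    name="3x100% separated trains",
    elements={e.name: e for e in _pumped_train("A") + _pumped_train("B") + _pumped_train("C")},
    success_trains=1,
)

if __name__ == "__main__":
    for system in (TWO_TRAIN_SHARED_HEADER, THREE_TRAIN_SEPARATED):
        bad = single_failure_check(system)
        print(f"{system.name}: {'violates' if bad else 'meets'} the single failure criterion")
        for failure, cfg in bad:
            print(f"  single failure {failure!r} with trains {list(cfg)} in maintenance")
```

Run as a script, the two-train system is reported as defeated in two distinct ways: the shared suction header is a single failure whose consequences reach both trains, and with one train in maintenance a single failure in the other leaves no train at all, which is the situation the increased redundancy required under Equipment outages is meant to remove. The three-train system with separated trains produces no violations.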
3.4.3. Design Extension Conditions
To enhance the safety of the nuclear power plant by strengthening the plant's capabilities to withstand, without unacceptable radiological consequences, accidents that are either more severe than design basis accidents or that involve additional failures, and to ensure sufficient margins to «cliff-edge» effects, design extension conditions should be established.
Two categories of DEC should be analyzed:
* DEC A for which prevention of severe fuel damage in the core or in the spent fuel storage can be achieved;
* DEC B with postulated severe fuel damage.
The analysis shall identify reasonably practicable provisions that can be implemented for the prevention of severe accidents. Additional efforts to this end shall be implemented for spent fuel storage with the goal that a severe accident in such storage becomes extremely unlikely to occur with a high degree of confidence.
3.4.4. Severe accident measures
Level four of defense in depth is aimed at preventing the progression of the accident and mitigating the consequences of a severe accident. In case of a severe accident, the most important objective for this level is to ensure the confinement function by limiting the radioactive releases so that the protection of the people and environment is ensured by implementing protective measures limited in time and area. Level four includes additional features which are necessary for the practical elimination of sequences possibly leading to significant radioactive releases.
Measures shall be taken for protection of confining safety systems from damage during severe accidents. Measures shall be taken to ensure that the radiological consequences of severe accidents are mitigated and protection of the people and environment is ensured by implementing protective measures limited in time and areas.
Such measures include: engineered safety features; accident management procedures; and possibly off-site intervention measures.
The design of severe accident features shall consider the principle that plant states that could result in high radiation doses or radioactive releases are of very low probability of occurrence, and plant states with significant probability of occurrence have only minor radiological consequences.
The design shall be such as to ensure that plant states that could lead to high radiation doses or large radioactive releases are practically eliminated and that there are no, or only minor, potential radiological consequences for plant states with a significant likelihood of occurrence.
Consideration shall be given to the plant's full design capabilities, including the use of safety and non-safety systems beyond their originally intended functions and anticipated operational states; and the use of temporary systems. It shall be shown that such systems are able to function in the environmental conditions to be expected.
4. SAFETY ASSESSMENT
In the design of a nuclear power plant, a comprehensive safety assessment shall be carried out to identify all sources of exposure and to evaluate radiation doses that could be received by workers at the NPP and the public.
The assessment shall include both a deterministic and probabilistic assessment.
The safety assessment shall examine the following categories of initiating events:
* All planned normal operational modes of the nuclear power plant;
* Nuclear power plant performance in anticipated operational occurrences;
* Design basis accidents;
* Design extension conditions;
* Event sequences that may lead to a severe accident.
On the basis of this assessment, the robustness of the engineering design in withstanding postulated initiating events and accidents shall be established, the effectiveness of the safety systems and of the safety related systems and components shall be demonstrated, and requirements for emergency response shall be established.
The safety assessment shall be part of the design process, with iteration between the design and confirmatory analytical activities, and increasing in the scope and level of detail as the design program progresses.
The operating organization shall ensure that an independent verification of the safety assessment is performed by individuals or groups separate from those carrying out the design, before the design is submitted to the regulatory body.
On the basis of this analysis, the design basis for systems and components important to safety shall be established and confirmed. It shall also be demonstrated that the plant as designed is capable of meeting prescribed limits for radioactive releases and for potential radiation doses for each category of plant states, and that defense in depth has been effected.
The computer programs, analytical methods and plant models used in the safety assessment shall be verified and validated, and adequate consideration shall be given to uncertainties.
4.1. Deterministic safety Analysis
The plant states shall be identified and grouped into a limited number of categories according to their probability of occurrence. The categories shall cover normal operation (1), anticipated operational occurrences (2), design basis accidents (3), BDBA (4) and severe accidents (5).
Plant state group    | Plant state                                 | Occurrence (1/reactor year) | Acceptance criteria
---------------------|---------------------------------------------|-----------------------------|------------------------------------------------------------------------------
Operational states   | Normal operation                            | 10^-2 to 1                  | No additional fuel damage. DNBR
                     | Anticipated operational occurrences         |                             |
Accident conditions  | Design basis accidents                      | 10^-4 to 10^-2              | No radiological impact at all, or no radiological impact outside the exclusion area
                     | Design extension conditions (no core melt)  | 10^-5 to 10^-4              | Radiological consequences outside the exclusion area within limits
                     | Severe accidents (with core melt)           | 10^-6 to 10^-5              | Radiological consequences outside the exclusion area within limits
                     | Conditions practically eliminated           | < 10^-6                     | Emergency response needed
Internal events. An analysis of the PIEs shall be made to establish internal events which may affect the safety of the plant. These events may include equipment failures or abnormal operation.
External events. The design basis natural and human induced external events shall be determined for the proposed combination of site and plant. All those events with which significant radiological risk may be associated shall be considered. A combination of deterministic and probabilistic methods shall be used to select a subset of external events that the plant is designed to withstand, and from which the design bases are determined.
Natural external events which shall be considered include those which have been identified in site characterization, such as earthquakes, floods, high winds, and extreme meteorological conditions. Human induced external events that shall be considered include those that have been identified in site characterization and for which design bases have been derived. The list of these events shall be reassessed for completeness at an early stage of the design process.
Station blackout. The external events shall include station blackout (SBO). The ability to withstand a station blackout event shall be included in the facility design. The facility shall be able to withstand for a specified duration and recover from a station blackout. The specified station blackout duration shall be based on the following factors:
* The redundancy of the onsite emergency ac power sources;
* The reliability of the onsite emergency ac power sources;
* The expected frequency of loss of offsite power; and
* The probable time needed to restore offsite power.
The reactor core and associated coolant, control, and protection systems, including station batteries and any other necessary support systems, must provide sufficient capacity and capability to ensure that the core is cooled and appropriate containment integrity is maintained in the event of a station blackout for the specified duration. The capability for coping with a station blackout of specified duration shall be determined by an appropriate coping analysis.
Combinations of events. Where combinations of randomly occurring events could credibly lead to anticipated operational occurrences or accident conditions, they shall be considered in the analysis. Certain events may be the consequences of other events, such as a flood following an earthquake. Such consequential effects shall be considered to be part of the original PIE.
Design basis accidents. A set of design basis accidents shall be derived from the listing of PIEs for the purpose of setting the boundary conditions according to which the structures, systems and components important to safety shall be designed.
Deterministic safety analysis shall include:
* confirmation that the operational limits and conditions comply with the design assumptions for normal operation;
* identification of the characteristics of the postulated initiating events, including those specific to the selected site;
* analysis and assessment of postulated initiating events' progression;
* comparison of the analysis results for the postulated initiating events against the radiological acceptance criteria and the other design limits;
* confirmation of the design basis;
* substantiation of plant capabilities to manage all anticipated operational occurrences and design basis accidents through a combination of safety systems' automatic actions and required actions of the operating personnel.
A conservative approach shall be applied in deterministic analyses.
The analysis of design extension conditions for the plant may be performed with a best estimate approach.
4.2. PSA
Probabilistic safety analysis shall be carried out with the objective to:
* give confidence that the design will comply with the general safety objectives;
* provide confidence that small deviations in plant parameters that could give rise to severely abnormal plant behavior («cliff edge» effects) will be prevented;
* provide evaluation of plant risk profile;
* identify systems and emergency procedures for which improvements or procedural modifications could reduce the risk of core damage and/or large early release.
The probabilistic safety analyses shall include:
* all modes of plant operation;
* all possible internal hazards (fires, floods, missiles, etc.) and external hazards (natural and human-induced hazards);
* all possible important system and operator dependencies (functional dependencies, area dependencies and other interactions and impacts, leading to common cause failures);
* uncertainty, importance and sensitivity analysis of the results;
* realistic modeling of plant response, taking into account operator actions in accordance with operational and accident instructions.
Probabilistic safety analyses shall be performed according to state-of-the-art methodology, documented and maintained according to the quality management program of the operating organization.
Probabilistic safety analyses shall be used to support the deterministic assessments in the decision making for plant design and operation, for assessment of necessary changes of SSCs, operational limits and conditions, operating and emergency operating procedures and training programs of the operating personnel.
4.3. Severe Accidents Analysis
Severe accidents are low probability accident conditions, which lead to significant core degradation and jeopardize the integrity of barriers to the release of radioactive material.
Consideration shall be given to these severe accident sequences, using a combination of engineering judgment and probabilistic methods, to determine those sequences for which reasonably practicable preventive or mitigating measures can be identified.
Sequences leading to significant radioactive releases shall be identified, and it shall be shown that the frequency of occurrence of such accidents is very low and that they can be practically eliminated.
Acceptable measures need not involve the application of conservative engineering practices, but rather should be based upon realistic or best estimate assumptions, methods and analytical criteria. On the basis of operational experience, relevant safety analysis and results from safety research, the analysis of severe accidents shall take into account the following:
* Sequences that may lead to a severe accident shall be identified using a combination of probabilistic methods, deterministic methods and engineering judgment.
* These event sequences shall then be reviewed against a set of criteria aimed at determining which severe accidents shall be addressed in the design.
* Potential design or procedural changes that could either reduce the likelihood of these selected events, or mitigate their consequences should these selected events occur, shall be evaluated and shall be implemented if reasonably practicable.
5. SAFETY CLASSIFICATION OF EQUIPMENT
All safety-related SSC, including software for instrumentation and control (I&C), shall be identified and classified on the basis of their function and significance to safety.
They shall be designed, constructed and maintained such that their quality and reliability is commensurate with this classification.
The method for classifying the safety significance of a structure, system or component shall primarily be based on deterministic methods, complemented by probabilistic methods and engineering judgment, with due account taken of factors such as:
* the safety function(s) to be performed by the item;
* the consequences of failure to perform a safety function;
* the frequency with which the item will be called upon to perform a safety function;
* the time following a postulated initiating event at which, or the period for which, the item will be called upon to perform a safety function.
Appropriately designed interfaces shall be provided between SSC of different classes to ensure that any failure in a system classified in a lower class will not propagate to a system classified in a higher class.
Equipment that performs multiple functions shall be classified in a safety class that is consistent with the most important function performed by the equipment.
If a SSC has been classified differently based on deterministic and probabilistic methods, the SSC shall be placed in the higher of the two classes.
Components or structures which form the interface between components belonging to different classes shall be assigned to the highest class.
The safety classes to which components belong, and the special requirements applicable to them, shall be indicated in the documents for design, manufacturing and delivery of SSC.
6. SAFETY REQUIREMENTS FOR SYSTEMS, STRUCTURES AND COMPONENTS
Design rules and limits. Engineering design rules for SSC shall comply with accepted national standard engineering practices, or standards and practices used internationally or established in another country and whose use is applicable and also accepted by the State Committee on Nuclear Safety Regulation.
Protective safety systems. The design shall provide for protective safety systems assuring reliable emergency shut-down and maintaining safe conditions of the plant in any normal operating modes and in case of design-basis accidents. Emergency shut-down systems shall have sufficient capacity and speed of response for normal operation and design-basis accidents. Emergency shut-down shall be assured regardless of whether electric power is available or lost. Protective safety systems shall include systems for emergency heat removal from the reactor system and containment and ensure their required capacity. The design shall justify the permissible number of protective safety system activation cycles over the plant life time (including spurious activations) in terms of effect on component service life.
The protective safety systems shall be designed for high functional reliability and periodic testability commensurate with their safety function(s). Redundancy and independence designed into the protective systems shall be sufficient at least to ensure that: