Safety Functions and Component C!assificationgnssn.iaea.org/Superseded Safety Standards/Safety_Series_050-SG-D1_… · vyes Ma 5 0 S & D 7 - -y Safety Functions and Component C!assification

v y e sMa5 0 S & D 7

- -y

Safety Functions and Component C!assification for BWR, PWR and PTRA Safety Guide

) N T E R N A T ) O N A L A T O M t C E N E R G Y A G E N C Y , V t E N N A , 1 9 7 9

This publication is no longer valid Please see http://www-ns.iaea.org/standards/

CATEGORIES OF IAEA SAFETY SERIES

/vow &z/ery -Series No. 46 onwards ?/:e varioas pM^/i'ca '̂ons ;'n /Ae series are

ini*o /oMf categories, as /b//ows.

(1) IAEA Safety Standards. Publications in this category comprise the Agency's safety standards as defined in "The Agency's Safety S tandards and Measures", approved by the Agency's Board o f Governors on 25 February 1976 and set forth in IAEA docum ent INFCIRC/18/Rev. 1. They are issued under the authority o f the Board o f Governors, and are m andatory fo r the Agency's own operations and for Agency-assisted operations. Such standards comprise the Agency's basic safety standards, the Agency's specialized regulations and the Agency's codes o f practice. 7%e covers are GfisfingMi's%e(f

f%e tv/de red &a?M? on f%e /ower

(2) IAEA Safety Guides. As stated in IAEA docum ent INFCIRC/18/Rev. 1, referred to above, IAEA Safety Guides supplem ent IAEA Safety Standards and recom m end a procedure or procedures tha t might be followed in implementing them . They are issued under the authority o f the D irector General of the Agency. 7%e covers are Ji'sfi'ngMis/:ecf Ay f%e wide greenon f/ie /ower %a//

(3) Recom m endations. Publications in this category, containing general recom m endations on safety practices, are issued under the au tho rity o f the D irector General o f the Agency. 7%e covers are disfingMis/ied f%e w/de &rown &and on f%e /ower %a//

(4) Procedures and Data. Publications in this category contain inform ation on procedures, techniques and criteria pertaining to safety m atters. They are issued under the au thority o f the D irector Genera! o f the Agency. 7%e covers are 6fisfingMis%ed f%e wi'Je N ue &anc? on f%e /ower %a//!

Abfe.' ?%e covers o/pM&/;'ca?;'ons AroMgAf c t/f ?%e /ra /new or^ o/V%e(A ^c/ear &:/efy .Standards J 7^-ograwwe are Ji'snngais^ecf f%e wide

ye//ow Aand OM f/:e apper /:a //


SAFETY FUNCTIONS AND COMPONENT CLASSIFICATION

FOR BWR, PWR AND PTR

A Safety Guide


T he fo llow ing S ta tes are M em bers o f the In te rn a tio n a l A tom ic E nergy A gency:

AFG H AN ISTA NALBANIAA LG ERIAA R G E N T IN AA USTR A LIAAUSTRIABA NGLADESHBELGIUMBOLIVIABRAZILBULGARIABURMABY ELORUSSIAN SOVIET

SOCIALIS T REPUBLIC CANADA CHILE COLOMBIA CO STA RICA CUBA CYPRUSCZECHO SLO VA K IA DEM OCRA TIC KAM PUCHEA DEM OCRATIC PEOPLE'S

REPUBLIC O F K O R E A DENMARKDOMINICAN REPUBLICEC UADOREGYPTEL S A L V A D O RET HIOPIAFINL AN DFR AN CEGABONG ERM AN D EM OC RA TIC REPUBLICGERMANY, F E D E R A L REPU BLIC OFGHANAG REECEG UA TEM A LAHAITI

HOLY SEEH U N G A R YIC EL AN DINDIAIN DO N ESIAIRA NIR A QIR E L A N DIS R A E LITALYIV O R Y COASTJAM AIC AJAPA NJO R D A NK EN Y AK O RE A , REPU BLIC O FKUWAITLEBANONLIBERIALIBYAN ARAB JA M A H IR IY ALIE CHT EN ST EINLU X EM BO U RGM AD A GA SCARMALAYSIAM A HM AURITIUSMEXICOMONACOM ONGOLIAM OROCCON ET H E R L A N D SNEW ZE A L A N DN IC A R A G U AN IG E RN IGE RIANORW AYPAKIS TANPANAMAPA RA G U A YP ERU

PHILIPPINESPOLAN DP O R T U G A LQ A T A RROMANIASAUDI A R ABIASE N E G A LS IE R R A LEONES IN G A PO R ESOU TH A FR IC ASPAINSRI LANKASUDANSWEDENSW ITZ ER LA N DSY R IA N A R AB REPUBLICT H A IL A N DT U N ISIAT U R K E YU GA N D AU K R A IN IA N SO V IET SOCIALIST

REPUBLIC UNION O F SOVIET SOC IA LIST

REPUBLICS U N IT ED A RAB EM IRATES U N IT E D KINGDOM O F G R E A T

B RITA IN AND N O R T H E R N IR E L A N D

U N IT E D REPU BLIC OF CA M E RO O N

U N IT E D REPU BLIC OF TA N Z A N IA

UN IT ED STA TES O F A MERICA U RU G U A Y V EN E Z U E L A VIET NAM Y U G O SL AV IA Z A IR E ZAMBIA

T he Agency 's S ta tu te was approved on 23 O c to be r 1956 by the Conference on the S ta tu te o f the IAEA held a t United Nat ions Headquar ters , New Y ork ; it en tered in to force on 29 Ju ly 1957. The H eadquar te rs of the Agency are situa ted in Vienna. Its pr incipal objective is " to accelerate and enlarge the co n t r ib u t io n o f

( c ) IA EA, 1979

Permission to rep ro d uce or transla te the in fo rm ati on con ta in ed in this pub li ca t ion may be ob ta ined by writing t o the In te rn ationa! A to mic Energy Agency, Wagramerstrasse 5, P.O. Box 100, A -1400 Vienna, Aust ria .

Prin ted by the IAEA in Austria N ovember 1979


SAFETY SERIES No. 50-SG-Di

SAFETY FUNCTIONS AND COMPONENT CLASSIFICATION

FOR BWR, PWR AND PTR

A Safety Guide

INTERNATIONAL ATOMIC ENERGY AGENCY VIENNA, 1979


THIS SAFETY GUIDE IS ALSO PUBLISHED IN FRENCH, RUSSIAN AND SPANISH

SAFETY FUNCTIONS AND COMPONENT CLASSIFICATION FOR BWR, PWR AND PTR: A SAFETY GUIDE

IAEA, VIENNA, 1979 STI/PUB/542

ISBN 9 2 - 0 - 1 2 3 9 7 9 - 3


FOREWORD by the Director General

The demand for energy is continually growing, bo th in the developed and the developing countries. Traditional sources o f energy such as oil and gas will probably be exhausted w ithin a few decades, and present world-wide energy demands are already overstraining present capacity. O f the new sources nuclear energy, w ith its proven technology, is the most significant single reliable source available for closing the energy gap that is likely, according to the experts, to be upon us by the tu rn o f the century.

During the past 25 years, 19 countries have constructed nuclear power plants. More than 200 pow er reactors are now in operation, a further 150 are planned, and', in the longer term , nuclear energy is expected to play an increasingly im portant role in the developm ent o f energy programmes throughout the world.

Since its inception the nuclear energy industry has m aintained a safety record second to none. Recognizing the im portance o f this aspect o f nuclear pow er and wishing to ensure the continuation o f this record, the International A tom ic Energy Agency established a wide-ranging programme to provide the Member States w ith guidance on the many aspects o f safety associated with therm al neutron nuclear pow er reactors. The programme, a t present involving the preparation and publication o f about 50 books in the form o f Codes o f Practice and Safety Guides, has become known as the NUSS programme (the letters being an acronym for Nuclear Safety Standards). The publications are being produced in the Agency's Safety Series and each one will be made available in separate English, French, Russian and Spanish versions. They will be revised as necessary in the light o f experience to keep their contents up to date.

The task envisaged in this programme is a considerable and taxing one, entailing num erous meetings for drafting, reviewing, amending, consolidating and approving the docum ents. The Agency wishes to thank all those Member States th a t have so generously provided experts and material, and those many individuals, named in the published Lists o f Participants, who have given their time and efforts to help in implementing the programme. Sincere gratitude is also expressed to the international organizations th a t have participated in the work.

The Codes of Practice and Safety Guides are recom m endations issued by the Agency for use by Member States in the context o f their own nuclear safety requirem ents. A Member State wishing to enter in to an agreement with the Agency for the Agency's assistance in connection with the siting, construction,


commissioning, operation or decommissioning o f a nuclear power plant will be required to foliow those parts o f the Codes o f Practice and Safety Guides that pertain to the activities covered by the agreement. However, it is recognized that the finai decisions and iegai responsibiiities in any licensing procedures aiways rest with the Member State.

The NUSS publications presuppose a singie national fram ework w ithin which the various parties, such as the regulatory body, the applicant/licensee and the supplier or m anufacturer, perform their tasks. Where more than one Member State is involved, however, it is understood tha t certain m odifications to the procedures described may be necessary in accordance with national practice and with the relevant agreements concluded betw een the States and between the various organizations concerned.

The Codes and Guides are w ritten in such a form as would enable a Member State, should it so decide, to make the contents o f such docum ents directly applicable to activities under its jurisdiction. Therefore, consistent with accepted practice for codes and guides, and in accordance w ith a proposal of the Senior Advisory Group, "shall" and "should" are used to distinguish for the potential user between a firm requirem ent and a desirable option.

The task o f ensuring an adequate and safe supply of energy for coming generations, and thereby contributing to their well-being and standard o f life, is a m atter o f concern to us all. It is hoped tha t the publication presented here, together w ith the others being produced under the aegis o f the NUSS programme, will be o f use in this task.

STATEMENT by the Senior Advisory Group

The Agency's plans for establishing Codes o f Practice and Safety Guides for nuclear power plants have been set out in IAEA docum ent G C(X V III)/526/M od.l. The programme, referred to as the NUSS programme, deals w ith radiological safety and is at present limited to land-based stationary plants with therm al neutron reactors designed for the production o f power. The present publication is brought out within this framework.

A Senior Advisory Group (SAG), set up by the D irector General in September 1974 to im plem ent the programme, selected five topics to be covered by Codes of Practice and drew up a provisional list o f subjects for Safety Guides supporting the five Codes. The SAG was entrusted with the task o f supervising, reviewing and advising on the project at all stages and approving draft docum ents fo r onward transmission to the Director General. One Technical Review Com m ittee (TRC), composed o f experts from Member States, was created for each o f the topics covered by the Codes of Practice. '


In accordance with the procedure outlined in the above-mentioned IAEA docum ent, the Codes o f Practice and Safety Guides, which are based on docum entation and experience from various national systems and practices, are first drafted by expert worjdng groups consisting o f two or three experts from Member States together with Agency staff members. They are then reviewed and revised by the appropriate TRC. In this undertaking use is made o f both published and unpublished m aterial, such as answers to questionnaires, subm itted by Member States.

The draft docum ents, as revised by the TRCs, are placed before the SAG. A fter acceptance by the SAG, English, French, Russian and Spanish versions are sent to Member States for comments. When changes and additions have been made by the TRCs in the light o f these com m ents, and after further review by the SAG, the drafts are transm itted to the D irector General, who submits them , as and when appropriate, to the Board o f Governors for approval before final publication.

The five Codes o f Practice cover the following topics:

Governmental organization for the regulation of nuclear power plantsSafety in nuclear power plant sitingDesign for safety o f nuclear power plantsSafety in nuclear power plant operationQuality assurance for safety in nuclear power plants.

These five Codes establish the objectives and minimum requirem ents tha t should be fulfilled to provide adequate safety in the operation o f nuclear power plants.

The Safety Guides are issued to describe and make available to Member States acceptable m ethods o f implementing specific parts o f the relevant Codes o f Practice. M ethods and solutions varying from those set out in these Guides may be acceptable, if they provide at least comparable assurance that nuclear power plants can be operated w ithout undue risk to the health and safety o f the general public and site personnel. A lthough these Codes o f Practice and Safety Guides establish an essential basis for safety, they may no t be sufficient or entirely applicable. O ther safety docum ents published by the Agency should be consulted as necessary.

In some cases, in response to particular circumstances, additional requirem ents may need to be met. Moreover, there will be special aspects which have to be assessed by experts on a case-by-case basis.

Physical security o f fissile and radioactive materials and o f a nuclear power plant as a whole is m entioned where appropriate but is not treated in detail. Non-radiological aspects o f industrial safety and environmental protection are not explicitly considered.


When an appendix is included it is considered to be an integral part o f the docum ent and to have the same status as tha t assigned to the main tex t o f the document.

On the o ther hand annexes, /botno^es, o /par^ 'c ;'pan^ and are only included to provide inform ation or practical examples tha t might be helpful to the user. Lists o f additional bibliographical material may in some cases be available at the Agency.

A list o f relevant de/?nz7/ons appears in each book.These publications are intended for use, as appropriate, by regulatory bodies

and others concerned in Member States. To fully com prehend their contents, it is essential that the o ther relevant Codes o f Practice and Safety Guides be taken into account.


CONTENTS

1. INTRODUCTION .................................;........................................................ 1

1.1. Scope .................................................... ..................................................... 2

2. SAFETYFUNCTIONS ......................... ............... ........................................ 3

2.1. In troduction .................................................... ............................ ......... 32.2. List o f safety functions ....................................................................... 42.3. Applications o f safety functions .......... ...... ..L.;........ ..................... 6

3. RANKING OF SAFETY FUNCTIONS ..................................................... 6

3.1. In troduction ........................................................................................... 63.2. M ethodology ................................................................. ........................ . 7

4. ASSIGNMENT OF SAFETY CLASS REQUIREMENTS .................. . 8

4.1. In troduction ..................................;................................. ................ . 84.2. M ethodology .......................................... ................................................ 8

APPENDIX A. Design requirem ents for structural integrityof boundaries of fluid-retaining com ponents ....................... 11

A .I. In troduction ........................................................................................... 11A.2. Safety classes ........................................................................................... 11

A. 2.1. In troduction A. 2.2. Description

A.3. Assignment to safety classes ........................................ .......... .......... 13

A.3.1. In troduction A. 3.2. Safety class 1 A .3.3. Safety class 2 A. 3.4. Safety class 3 A.3.5. Safety class 4


A. 4. Design requirem ents 17

A. 4.1. IntroductionA .4.2. Design requirem ents for safety class 1A.4.3. Design requirem ents for safety class 2A .4.4. Design requirem ents for safety class 3A .4.5. Design requirem ents for safety class 4

A,5. Summary of application ........................................................................ 19A. 6 . Specific considerations relating to classification

as applied to com ponent design requirem ents ................................. 19

A .6.1. Diversity and redundancy within systemsA.6.2. Non-essential and complex com ponents within systemsA.6 .3. Components with multiple safety functions

A.7. Safety class interface for fluid systems ........................................... 21

Annex to Appendix A. Examples of classification offluid-retaining com ponents in someMember States ..................................................... 21

DEFINITIONS .......................................................................................................... 43

LIST OF PARTICIPANTS ....................................................................................... 47

PROVISIONAL LIST OF NUSS PROGRAMME TITLES ............................. 51


1. INTRODUCTION

This Safety Guide forms part o f the Agency's program m e, referred to as the NUSS programme, for establishing Codes o f Practice and Safety Guides relating to land-based stationary therm al neutron power plants. The Provisional List o f NUSS Programme Titles is printed at the end o f this publication.

The Agency's Code of Practice on Design for Safety o f Nuclear Power Plants (Safety Series No. 50-C-D) establishes certain nuclear safety criteria which define the m inimum safety requirem ents for a nuclear pow er plant. Since these criteria are general in nature, more guidance is required to establish specific design requirem ents. The present Safety Guide aims to provide certain additional guidance implem enting the Code o f Practice and is intended to be applicable to the Boiling Water Reactor (BWR), the Pressurized Water Reactor (PWR) and the pressurized and boiling versions o f the Pressure Tube Reactor (PTR).

The proper design of a nuclear power plant requires the consideration o f many factors which in com bination determ ine the plant's overall safety and reliability. Site-related effects such as natural phenom ena and man-induced events tha t can affect the safe operation of the plant shall be considered in the design. Many structures, systems and com ponents within the nuclear pow er plant are also im portant to the nuclear p lant's overall safety and reliability and shall be carefully taken into account by the designer. AH the operational aspects o f the plant shall be considered in the design so tha t a high level o f safety can be m aintained during the lifetime o f the plant.

The designer achieves these safety goals through a variety o f means which are m entioned in the Code o f Practice. These means include, among others, redundancy, diversity, and physical separation o f safety- related systems, com ponents and structures. To achieve proper quality o f the systems, com ponents and structures im portant to safety, the designer carefully selects the materials to be used in the power plant, specifies and utilizes a quality assurance program m e, designs the plant so that an in-service inspection programme can be perform ed where necessary during operational states, and uses selected codes and standards.

In the design o f nuclear power plants, it is recognized tha t some systems, com ponents and structures are more im portant to safety than others. This gradation in safety im portance can be incorporated into the design by a num ber o f m ethods. Two such m ethods o f assigning graded requirem ents to safety-related systems, com ponents and structures are the determ inistic m ethod and the probabilistic m ethod. The practice


in various Member States is to use a m ixture o f these m ethods. In the determ inistic m ethod, requirem ents are often placed upon those safety-related systems, com ponents and structures whose failure could result in significant radioactivity releases. These requirem ents are imposed w ithout explicit consideration o f the probability of such failures or mitigating effects. The probabilistic m ethod utilizes the probability that a safety function would be required and the consequences of failure of tha t safety function to assess safety im portance. This m ethod is particularly useful in determining the relative ranking o f the safety im portance o f systems, com ponents and structures.

1.1. Scope

A review o f BWR, PWR and PTR designs shows tha t the design criteria given in the Code o f Practice can currently be m et by having systems, com ponents and structures that perform the safety functions listed in sub-section 2.2. This list o f safety functions may have many applications, such as reminding the designer of safety aspects that shall be considered for the p lant's systems, com ponents and structures. Additional safety functions may in the future be identified and may be added asappropriate .

In sections 3 and 4 o f the Guide a m ethodology is given for the ranking o f safety functions in order o f their im portance to safety and for the assignment o f design requirements.

Although in the longer term this m ethod o f classification might be applied to m any aspects o f nuclear power plant design its present use is very limited. An im portant particular application based on existing practices in a num ber of Member States is provided in A ppendix A, where the safety functions and classification procedure are applied to the structural integrity of the boundaries o f fluid-retaining com ponents. In this example, the safety functions are grouped into classes according to the effect on safety which failure of the pressure envelope of com ponents contributing to the perform ance o f those functions would have: Design requirem ents are then assigned to each safety class. The rules to be observed in such activities as design, m anufacture, inspection, can then be drawn up according to each o f the safety classes, which are arranged with safety class 1 representing the highest level o f im portance to safety. The rules to be. applied to each com ponent can be determ ined once its contribution to a safety function has been stablished.

The user o f this Appendix can thus select a safety-related fluid- retaining com ponent, determ ine its role in accomplishing one or more given safety functions, and thereby assign it to the appropriate safety

2


class. Once a com ponent is assigned to a safety ciass the design requirements appropriate to th a t safety ciass are applied to tha t com ponent.

It may also be possible to apply the safety functions listed in sub-section 2.2 to develop classification systems in such areas as quality assurance, in-service inspection, and seismic classification. These additional potential applications are not provided in the present version of this Safety Guide bu t may be incorporated in fu ture revisions and extensions o f it or may form part o f o ther IAEA Safety Guides.

2. SAFETY FUNCTIONS

2.1. In troduction

This Safety Guide is concerned w ith the need to lim it radiation exposure o f the public and site personnel for all operational states and accident conditions o f a nuclear pow er plant.

To ensure adequate safety, the following general safety requirements, derived from the Code o f Practice, shall be m et by the plant design:

(1) Means shall be provided to safely shut down the reactor andm aintain it in the safe shutdow n condition during and after appropriate operational states and accident conditions.

(2) Means shall be provided to remove residual heat from thecore after reactor shutdown, and during and after appropriate operational states and accident conditions.

(3) Means shall be provided to reduce the potential for the releaseof radioactive m aterials and to ensure tha t any releases arewithin prescribed limits during and after operational statesand within acceptable limits during and after accident conditions.

The safety functions listed in the sub-section 2.2 enable the design to m eet these general requirem ents. These safety functions include those necessary to prevent accident conditions as well as those necessary to mitigate the consequences of accident conditions. They can be accomplished, as appropriate, using systems, com ponents or structures provided for normal operation or provided to prevent anticipated operational occurrences from leading to accident conditions or provided to mitigate the consequences o f accident conditions.

3


2.2. List o f safety functions

The safety functions are:

(a) To prevent unacceptable reactivity transients

(b) To m aintain the reactor in a safe shutdown condition after ail shutdow n actions

(c) To shut down the reactor as required to prevent anticipated operational occurrences from leading to accident conditions and to shut down the reactor to mitigate the consequences o f accident conditions [see also (d)]

(d) To shut down the reactor after a loss-of-coolant accident where such shutdow n action is necessary to perm it acceptable cooling o f the reactor core*

(e ,) To m aintain sufficient reactor coolant inventory for core cooling during and after accident conditions not involving the failure o f the reactor coolant pressure boundary

(62) To m aintain sufficient reactor coolant inventory for core cooling during and after all operational states

(f) To remove heat from the core^ after a failure of the reactor coolant pressure boundary in order to lim it fuel damage

(g) To remove residual heat^ during appropriate operational states and accident conditions w ith the reactor coolant pressure boundary intact

(h) To transfer heat from other safety systems to the ultim ate heat sink ̂

' Note that this safety function is a special case of safety function (c) and applies to reactor designs wherein the loss of the coolant medium from the reactor core does not provide an adequate inherent shutdown mechanism.

̂ This safety function applies to the first step of the heat removal system(s). The remaining step(s) are encompassed in safety function (h).

̂ This is a support function for other safety systems when they are required to perform their safety functions.

4


(i) To ensure necessary services (e.g. electric, pneum atic, hydraulic power supplies, lubrication) as a support function for a safety system

(j) To m aintain acceptable integrity o f the cladding o f the fuel in the reactor core

(k) To m aintain the integrity o f the reactor coolant pressure boundary

(1) To limit the release o f radioactive m aterial from the reactor containm ent during and after accident conditions

(m) To keep the radiation exposure o f the public and site personnel within acceptable limits during and after accident conditions that release radioactive m aterials from sources outside the reactor containm ent

(n) To limit the discharge or release o f radioactive waste and airborne radioactive m aterial below prescribed limits during all operational states

(o) To m aintain control o f environm ental conditions w ithin the nuclear power plant for the operation o f safety systems and for personnel habitability necessary to allow perform ance o f operations im portant to safety

(p) To m aintain control o f radioactive releases from irradiated fuel transported or stored outside the reactor coolant system, but within the site, during all operational states

(q) To remove decay heat from irradiated fuel stored outside the reactor coolant system, bu t within the site

(r) To m aintain sufficient subcriticality o f fuel stored outside the reactor coolant system, bu t w ithin the site

(s) To prevent the failure or limit the consequences o f failure of acom ponent or structure whose failure would cause the impairment of a safety function.

5


2.3. Applications o f safety functions

The !ist o f safety functions given in sub-section 2.2 may be utilized to satisfy one or bo th o f the following objectives:

(1) To provide a reference list as a basis for determining w hether a system, com ponent or structure perform s or contributes to one or more safety functions.

(2) To establish, w ith the particular end usage in mind, an appropriate order o f im portance to safety o f each function, and then, using this order, to group these functions into categories term ed 'safety classes': The general m ethodology

' for ranking safety functions is discussed in section 3. Onepurpose o f establishing safety classes is to provide a basis for

; assigning an appropriate gradation in design requirements.This is discussed in m ore detail in section 4.

An example o f the establishm ent o f safety classes to determ ine particular design requirem ents for fluid-retaining boundaries of com ponents is given in Appendix A.

It is possible th a t the establishm ent of safety classes may prove useful in classifying o ther types o f com ponents and for o ther considerations such as seismic requirem ents or quality assurance.

3. RANKING OF SAFETY FUNCTIONS

3.1. In troduction

As already stated,- safety functions are those functions necessary to fulfil the general safety requirem ents given in sub-section 2.1. I t follows that failure to accomplish a safety function could lead to a reduction in safety in term s o f the possible increase in radiation exposure. In subsection 3.2 a m ethodology is given for ranking safety functions.

As stated in the In troduction (section 1) and in sub-section 2.3 various subjects such as quality assurance, in-service inspection, and seismic classification may be dealt with in fu ture extensions of this Guide. It is expected tha t the num ber of safety classes used would depend oh the subject th a t is being classified, the num ber o f safety functions affected by com ponent failure, and other factors (see sub-section 4.1).

Regardless o f the subject tha t is classified, or the num ber o f safety classes used, the system is generally applicable. The same safety

6


functions would be considered and the same general m ethodology would be used to rank the safety functions. However, the distribution o f the safety functions among the safety classes could differ in o ther applications added to future editions o f this Safety Guide.

The requirem ents assigned to each safety class would also depend on the subject being classified. If this subject were in-service inspection, there would be in-service inspection requirem ents for each safety class.

As stated earlier, a m ixture o f determ inistic and probabilistic m ethods have been used in various Member States to assign graded requirem ents to systems, com ponents and structures im portant to safety. The determ inistic m ethod may differ from one application to another. The general probabilistic m ethod, outlined below, should be able to be used in all applications.

3.2. M ethodology

The ranking o f a safety function in order of its im portance by the probabilistic m ethod involves the com bination o f :

( 1) the consequence o f failure o f that safety function, and(2 ) the probability that the safety function would be required.

The first po in t takes in to account only the magnitude of the potential increase in radiation exposure upon failure o f tha t safety function. In general when these analyses show that the consequences o f failure are large for a postulated accident the safety function will usually get a high ranking. For example, the consequences o f failure o f safety function (k) could be quite large. By contrast, the consequences of failure o f safety function (n) would be small. In Appendix A safety function (k) is ranked higher than safety function (n).

The second point takes in to account only the probability that the safety function will be required. To illustrate this it is useful to compare safety functions (k) and (f). The consequences o f failure o f safety function (k), as stated above, could be quite large. Similarly the consequences o f failure o f safety function (f) could be quite large. However, safety function (f) is only required after an accident. Failure o f safety function (f) independent o f an accident would not lead to a potential increase in radiation exposure. Iii A ppendix A safety function (f) is ranked lower than safety function (k).

Thus any ranking o f safety functions should include considerations o f probability as well as consequences o f failure. The judgem ents used in A ppendix A for the ranking o f the safety functions reflect the

7


̂ analyses perform ed in various Member States o f num erous postulated accidents for the various reactor types. These analyses have directly and/or indirectly evaluated the probability tha t a safety function would be required and the consequences o f failure to accomplish this safety function where there is an assumed failure o f the boundary o f a fluid- retaining com ponent. As m entioned in sub-section 2.3, the same general methodology could be used to rank safety functions for o ther applications.

4. ASSIGNMENT OF SAFETY CLASS REQUIREMENTS

4.1. In troduction

For each safety function listed in sub-section 2.2 it is theoretically possible to establish a different design requirem ent. As discussed in more detail in sub-section A.2.1 o f Appendix A, this has no t proven to be practical for fluid-retaining com ponents. I t has been found practical to group these safety functions in to safety classes. Each safety class contains safety functions w ith a similar degree o f im portance to safety. The safety classes themselves are then ranked according to their order of im portance to safety, and requirem ents are assigned to each safety class.

The num ber of safety classes that are used in applications other than th a t described in A ppendix A may well depend upon the subject being classified, the type of equipm ent being classified, and the availability o f inform ation on different levels o f design requirem ents for that subject or equipm ent type. The num ber o f safety classes could also be influenced by the num ber o f safety functions th a t would be affected by a particular failure. For failures involving the structural integrity of the boundaries o f fluid-retaining com ponents (the case discussed in Appendix A) almost all the safety functions were utilized and subsequently grouped into four safety classes. If fewer safety functions were involved a smaller num ber o f safety classes might be justified.

4.2. M ethodology

Accidents w ith a large potential increase in radiation exposure should have a low probability o f occurrence whereas a greater probability of occurrence w ith a small potential increase can be tolerated from a safety point o f view.


In sub-section 3.2 it has been indicated tha t the ranking o f the safety functions in order o f their im portance to safety is arrived at by using the probabilistic m ethod which considers the com bination o f :

( 1) the consequence o f failure of tha t safety function, and(2 ) the probability th a t the safety function would be required.

To assign safety class design requirem ents with respect to the principles stated above, it is necessary to introduce a new point to be combined with the two last points:

(3) the probability th a t the safety function would no t be accomplished when required.

The product o f these three factors m ust be acceptably low. That is, the product o f the probability that a safety function would be required, the probability th a t the safety function would no t be accomplished when required, and the consequences of failure o f that safety function, m ust be acceptable. This Guide does no t present quantitative values for this product o r for the individual factors.

When analyses have indicated tha t this product is to o large, design and/or administrative measures are taken to reduce it. Numerous examples o f such measures exist. Sometimes it is possible to reduce the consequences o f failure to achieve an acceptable product. For example, radioactive m aterial in the waste treatm ent systems may be stored in several small tanks rather than in one large tank, to minimize the radioactivity release if the tank were to fail. Usually o ther m ethods are used to affect the o ther factors; as stated in the In troduction (section 1) they include redundancy, diversity, plant layout, use o f proven equipm ent, in-service inspection, and use o f selected codes and standards. Appendix A provides guidance in one o f these areas: the use o f selected codes and standards to achieve a required level of structural integrity o f the boundaries o f fluid-retaining com ponents. The desired structural integrity is determ ined by design requirem ents. The term "design requirem ents" as used in the context o f A ppendix A is intended to be broadly interpreted and includes such considerations as mechanical design, quality, fabrication, and inspection (pre-service). These requirem ents are applied to the individual com ponents necessary to perform the safety functions grouped into each safety class.

The probability o f com ponent failure is affected by the design requirem ents established for tha t com ponent, i.e. the m ore stringent the design requirem ents, the smaller the probability that the safety function

9


would no t be accomplished by th a t com ponent when required. Consequently, the highest ranked safety functions and the safety class into which they are placed have the m ost stringent design requirem ents w ith a gradation in design requirem ents for lower safety classes.

Similarly, if o ther subjects were classified, the m ost stringent requirem ents would be placed on the highest safety class w ith a gradation in requirem ents for the lower safety classes.

10


Appendix A

DESIGN REQUIREMENTS FOR STRUCTURAL INTEGRITY OF BOUNDARIES

OF FLUID-RETAINING COMPONENTS

A .I. INTRODUCTION

This appendix describes the application o f classification o f safety functions to the selection o f appropriate design codes and standards to achieve a required level o f structural integrity o f the boundaries of fluid-retaining com ponents im portant to safety.

The specific classification o f safety functions into safety classes, in the context o f the integrity o f the boundaries of fluid-retaining com ponents, is discussed in sections A.2 and A.3. Examples o f the design requirem ents assigned to the safety classes are given in section A.4, and examples o f classification o f fluid-retaining com ponents in some Member States are given in the Annex to this Appendix.

A.2. SAFETY CLASSES

A.2.1. In troduction

As stated previously the purpose o f establishing safety classes is to provide a.basis upon which a stepwise hierarchy o f design requirem ents can be developed. It would, o f course, be possible to establish design requirem ents corresponding to each individual safety function. This would, however, be som ewhat unwieldy in view o f the num ber o f safety functions. Practice in several Member States has shown tha t four safety classes is a practical num ber in the context o f design requirem ents for boundaries o f fluid-retaining com ponents. By using four safety classes as the hierarchical steps referred to above, a useful gradation in design requirem ents can be established on the basis o f relative im portance to safety. Fewer classes would result in over-stringent design requirem ents being applied in satisfying certain safety functions (those o f less im portance to safety w ithin a class). More classes would result in unpractically fine distinctions being drawn between the design requirem ents appropriate to adjacent safety classes in the hierarchical order.

11


The structuring in to the four safety classes reflects the analysis of num erous postulated accidents for the various reactor types. Safety class 1 is m ost im portant to safety and safety classes 2, 3 and 4 are successively of less im portance.

A .2.2. Description

c/a&y 7

Safety class 1 incorporates those safety functions necessary to prevent, in the absence o f appropriate safety system action, the release of a substantial fraction o f the core fission product inventory to the environment.

.Sa/ety c/aM 2

Safety class 2 incorporates those safety functions necessary to mitigate the consequences o f an accident which would otherwise lead to the release o f a substantial fraction o f the core fission product inventory to the environm ent. The consequences o f failure o f these safety class 2 safety functions need only be considered after an initial failure o f another safety function.

Safety class 2 also includes those safety functions necessary to prevent anticipated operational occurrences from leading to accident conditions, except those safety functions tha t perform a support role to another safety function, namely safety functions (h), (i) and (o) o f sub-section 2 .2 .

Safety class 2 also includes o ther functions which according to the methodology described in sub-section 3.2 could result in a large product of the consequence o f failure o f tha t safety function and the probability that the safety function would be required, e.g. reactor residual heat removal.

-Sa/efy c /an 3

Safety class 3 incorporates those safety functions (namely safety functions (h), (i) and (o) o f sub-section 2 .2 ) which perform a support role to safety functions in safety classes 1, 2 and 3. Their inclusion in safety class 3 rather than safety class 1 or 2 is a recognition th a t the consequence of failure o f the support functions would no t lead to a direct increase in radiation exposure.

12


Safety class 3 rather than safety class 1 or 2 is a recognition tha t the consequence o f failure o f the support functions would no t lead to a direct increase in radiation exposure.

Safety class 3 also incorporates those safety functions necessary to prevent the radiation exposure to the public or site personnel from exceeding the relevant acceptable limits from sources outside the reactor coolant system, and those safety functions associated with reactivity control on a slower tim e scale than the reactivity control functions in safety classes 1 and 2. Additionally, safety class 3 incorporates the safety functions associated with m aintaining subcriticality o f fuel stored outside the reactor coolant system and with removing decay heat from irradiated fuel stored outside the reactor coolant system.

-Sa/efy c/a&s 4

Safety class 4 incorporates those safety functions which do not fall w ithin safety classes 1, 2 or 3.

A.3. ASSIGNMENT TO SAFETY CLASSES


Certain safety functions listed in sub-section 2.2 are no t perform ed by fluid-retaining com ponents. Such safety functions will no t, therefore, be included in this particular set o f safety classes.

On the basis o f the m ethodology established in sub-section 3.2, a grouping into the four safety classes resulting from assessment o f some national practices is shown in sub-sections A .3.2 to A .3.5. The grouping shown incorporates an assignment o f safety functions th a t is broadly representative o f the practices in Member States, taking into account the inherent differences in reactor types and safety approaches. However, because o f those differences, there is a variation in the assignment o f particular com ponents, as can be seen in the Annex. Since the end objective for safety classes in this A ppendix is the establishm ent o f design requirem ents for com ponents, the groupings have been expressed in terms o f " the com ponents necessary to perform a safety function". When a com ponent perform s two or more safety functions, it shall be classified in the safety class containing the safety function m ost im portant to safety.

13


A.3.2. Safety class' 1

Safety class 1 includes:

(1) Those com ponents tha t comprise the reactor coolant system pressure boundary.'*

Excluded^ from safety class 1 are those fluid systems com ponents tha t are part o f the reactor coolant pressure boundary, the failure o f which would result in a loss o f reactor coolant within the make-up capacity o f normally operating coolant inventory control systems to m aintain a coolant inventory sufficient for an orderly shutdow n and cooldown.

(2) Those com ponents necessary to shut down the reactor following a loss-of-coolant accident where such shutdow n action is necessary to perm it acceptable cooling o f the reactor core.

/MHcn'onfdJ (see F oo tno te 1)

A.3.3. Safety class 2

Safety class 2 includes:

(1) Those com ponents tha t are part o f the reactor coolant system pressure boundary no t in safety class 1 .

In addition, safety class 2 includes those com ponents th a t are necessary to accomplish the following safety functions:

^ The reactor coolant system pressure boundary is comprised of those components whose failure could cause a loss o f coolant from the reactor core and which cannot be isolated from the core in accordance w ith an appropriate interface (see section A.7).

s This exclusion is intended to apply to small components. Therefore, regardless of the capability of the make-up system, an upper pipe size is specified in some Member States (e.g. about l ! in. nominal pipe size or approximately 32 mm nominal inside diameter).

14


(2) To shut down the reactor as required to prevent anticipated operational occurrences from leading to accident conditions and to shut down the reactor to mitigate the consequences of accident conditions.

(3) To m aintain sufficient reactor coolant inventory for core cooling during and after all accident conditions no t involving the failure o f the reactor coolant pressure boundary (this is understood to apply to only appropriate parts o f the steam and feedwater systems o f direct cycle reactors).

(4) To remove heat from the core (see F oo tno te 2) after a failure o f the reactor coolant system pressure boundary in order to lim it fuel damage.

(5) To remove residual heat (see F oo tno te 2) during appropriate operational states and accident conditions, w ith the reactor coolant system pressure boundary intact.

/Mwc/YOM fgj

(6 ) To limit the release o f radioactive m aterial from the reactor containm ent during and after accident conditions.

/MHcn'oM

This may be achieved by a com bination o f the containm ent envelope and the use o f com ponents tha t perform one or more of the following functions:

(i) To limit leakage from the containm ent envelope(ii) To reduce the pressure and tem perature o f the

environment inside the containm ent envelope during and after accident conditions

(iii) To remove radioactive m aterials from , and control the hydrogen concentration of, the containm ent atmosphere during and after accident conditions.

A.3.4. Safety class 3

Safety class 3 includes those com ponents th a t are necessary to accomplish the following safety functions:

15


(1) To prevent unacceptable reactivity transients.

(2) To m aintain the reactor in a safe shutdow n condition after all shutdow n actions.

.Sa/e/y /MHCfz'on f&J

(3) To m aintain sufficient reactor coolant inventory for core cooling during and after all operational states.

/HHCfZOH f63 J

(4) To transfer heat from other safety systems to the ultim ate heat sink.

(se e F o o tn o te 3 )

(5) To ensure necessary services (e.g. electrical, pneum atic, hydraulic, power supplies, lubrication as a support function for a safety system.

(6 ) To keep the radiation exposure o f the public and site personnel within acceptable limits during and after accident conditions tha t release radioactive materials from sources outside the reactor containm ent.

(7) To m aintain control of environmental conditions w ithin the nuclear pow er plant for the operation o f safety systems and for personnel habitability necessary to allow perform ance o f operations im portant to safety.

(8) To m aintain control o f radioactive releases for the spent fuel transported or stored outside the reactor coolant system, but w ithin the site, during all operational states.

̂ Note that this safety function may be classified in safety class 4 if failure of a fluid-retaining boundary could not result in a reactor power excursion.

̂ With regard to fluid-retaining components outside the reactor containment the risk o f a release of radioactivity to the public or site personnel in present reactor designs is such that it is considered appropriate in accordance with practice in certain Member States to rank safety function (m) in safety class 3.

16


(9) To remove decay heat from irradiated fuel stored outside the reactor coolant system, bu t within the site.

/MMcR'oT!

(10) To m aintain sufficient subcriticality o f fuel stored outside the reactor coolant system.

/MHCO'oH f/*)

Safety class 3 includes in addition:

(11) Those com ponents provided to lim it the discharge or release o f radioactive waste and airborne radioactive m aterial below prescribed limits during all operational states which, if they failed, would result in the exposure o f the public or site personnel in excess o f prescribed limits.

A .3.5. Safety c!ass4

Safety class 4 includes those com ponents tha t are necessary to accomplish the following safety functions:

(1) To limit the discharge or release o f radioactive waste and airborne radioactive m aterial below prescribed limits during all operational states which if they failed would no t result in the exposure o f the public or site personnel in excess of prescribed limits.

A.4. DESIGN REQUIREMENTS


As stated in section 4, the design requirem ents m ust be appropriate to the safety class.

As stated in sub-section 4.2, the term "design requirem ents" as used in this context is intended to be broadly interpreted and includes such considerations as mechanical design, quality, fabrication, and inspection.

17


As a cautionary note, a tten tion is drawn to the fact tha t existing design codes and standards for the boundaries o f fluid-retaining com ponents do no t cover all design requirem ents that m ust be satisfied, e.g. those concerned w ith corrosion, erosion, etc. Furtherm ore, as stated in the In troduction (section 1), adequate assurance of com ponent reliability involves o ther considerations such as overall quality assurance, in-service inspection, and environmental effects which may no t be covered in existing design codes and standards.

A. 4.2. Design requirem ents for safety class 1

The design requirem ents for safety class 1 shall be the highest^ for nuclear pow er plant com ponents.

A .4.3. Design requirem ents for safety class 2

The design requirements^* for safety class 2 are less restrictive than those established for class 1.

A .4.4. Design requirem ents for safety class 3

The design requirem ents for safety class 3 are less restrictive'" than those established for class 2 and are similar to those for class 4 with additional design requirem ents in recognition o f im portance to safety.

A .4.5. Design requirem ents fo r safety class 4

The design requirem ents for safety class 4 are to be consistent with the highest non-nuclear power plant codes and standards w ith additional design requirem ents as may be appropriate in recognition o f im portance to safety.

̂ Examples of design requirements for this safety class exist in some Member States. One of them is ASME HI, Division 1 Class 1. In the area of fabrication and controls, another is given in class 1 of "Cahier de prescriptions de fabrication et de controle" (Electricite de France). See also the Annex to this Appendix, under France.

̂ Examples of design requirements for this safety class exist in some Member States. One of them is ASME [II, Division 1 Class 2 and MC, and Division 2. In the area o f fabrication and controls, another is given in class la and 2 o f "Cahier de prescriptions de fabrication et de controle" (Electricite de France). See also the Annex to this Appendix, under France.

Examples of design requirements for this safety class exist in some Member States. One of them is ASME III, Division 1 Class 3. In the area of fabrication and controls, another is given in class 3 of "Cahier de prescriptions de fabrication et de controle" (Electricite de France). See also the Annex to this Appendix, under France.

18


A.5. SUMMARY OF APPLICATION

The grouping o f com ponents necessary to perform safety functions into safety classes has been done in the context o f the integrity of the boundary o f the fluid-retaining com ponents. As stated in sub-section A .2.1, the m ethodology used reflects the analysis o f num erous postulated accidents for the various reactor types (and the relative im portance of the safety functions).

The assignment o f particular design requirem ents to each safety class allows the user o f this Safety Guide to determ ine those particular design requirem ents for any relevant com ponent w ithout the need for extensive additional analysis.

The user of this Appendix can select a safety-related fluid-retaining com ponent, determ ine its role in accomplishing one or more functions, and thereby place it in the appropriate safety class. Once a com ponent is assigned to a safety class the design requirem ents appropriate to that safety class are applied to th a t com ponent.

Additional instructions appear in sections A .6 and A .7. These instructions are to be applied as a final step in the classification process and may result in the raising or lowering o f the safety class o f components under particular circumstances.

A .6 . SPECIFIC CONSIDERATIONS RELATING TO CLASSIFICATIONAS APPLIED TO COMPONENT DESIGN REQUIREMENTS

The purpose o f this section is to give guidance on classification for:

(a) Diversity and redundancy w ithin systems.(b) Non-essential and com plex com ponents w ithin systems.(c) Com ponents with m ultiple safety functions.

Sub-section A .6.1 gives classification guidance on m ultiple systems, each o f which could accomplish the same safety function. Sub-section A.6.2 gives classification guidance on an individual system which contains com ponents, some o f which are necessary for the accomplishment o f the task assigned to the system while others perform associated tasks. Finally, sub-section A.6.3 is concerned w ith the classification o f an individual com ponent which may perform m ultiple safety functions.

19


A.6.1. Diversity and redundancy within systems

It may be possible to accomplish certain safety functions with more than one system. F or example, residual heat may be removed not only by the system provided for this purpose but also by systems used to remove core heat during pow er operation, and perhaps o ther systems as well.

The fact th a t more than one system may be provided which is capable o f satisfying a particular safety function is ignored for purposes of classification when following a determ inistic approach. Only those -components tha t are part o f the system specifically assigned to accomplish the safety function need be designed to the safety classification requirem ents o f the assigned system. Generally no credit relative to classification is given for redundancy w ithin an assigned system (i.e. redundant com ponents w ithin the system assigned to accomplish a safety function are all classified to the level designated for tha t safety function).

At the discretion o f the jurisdiction having authority , and on a case-by-case basis, com ponents which would on the foregoing basis fall into safety class 3 may be assigned to safety class 4 provided th a t adequate redundancy and/or diversity exists to warrant such reclassification.

A.6.2. Non-essential and com plex com ponents within systems

For a system to perform its intended safety function certain principal com ponents are necessary. O ther associated com ponents within the same system may be used for testing, m aintenance, operator training, or o ther purposes which are no t directly related to the safety function of the system. In section A .3 use is made o f the phrase "those com ponents necessary .... ". The in ten t o f this phrase is to apply a particular classification to only those com ponents in a system tha t are required to achieve the intended safety function. The o ther com ponents, such as those used fo r testing, m aintenance, operator training or o ther purposes, may have their own im portance to safety and shall be classified on the basis o f their own im portance to safety.

Similarly, it should be recognized that, w ithin a com plex com ponent, parts may perform different safety functions and therefore could be classified in different safety classes.

A.6.3. Com ponents w ith m ultiple safety functions

Some com ponents may contribute as fluid-retaining boundaries to more than one safety function. For example, pipes penetrating a

2 0


containm ent serve bo th as part of the containm ent envelope and as part o f a fluid-conveying system. In such cases, the highest ranked safety function is used as the basis for determining the safety class to which the com ponent is assigned unless a suitable interface exists between portions belonging to different safety classes (see section A .7).

A.7. SAFETY CLASS INTERFACE FO R FLUID SYSTEMS

Suitable interfaces shall be provided between connected systems or com ponents whenever failure o f a lower safety class system or com ponent could prevent the higher class safety function from being accomplished. The com ponents o f the interface shall have the same safety class as the higher safety class com ponents.

One use of an appropriate interface by the designer may be to limit the ex ten t o f the higher safety class system or set o f components.

Annex to Appendix A

EXAMPLES OF CLASSIFICATION OF FLUID-RETAINING COMPONENTS

IN SOME MEMBER STATES

To illustrate applications o f this Safety Guide, a num ber o f examples provided by some Member States are given in this Annex. They do no t necessarily represent actual reactor plants in construction or operation. O ther examples may be included in fu ture revisions o f the Guide. The examples here, given for inform ation only and not part o f the Guide, have been provided by Canada, France, the Federal Republic of Germany, Japan, Sweden and the United States o f America.

21


CANADA

77m- w/ornM tfon Aa ̂Aeen prow ded to ;7?MStrate %ow t/:e present ^a/ety CMi'de coMM &e app?zed to a CbndM Pressure Tlv&e Reactor. 77;e exawp/es gi'^en do n o t necessarz/y represent actMa/ reactor p/ants fn constr^ctton o r tn operation. 77ze terw tno/ogy Msed ts, ;'n w any cases, Mn;'

Safety Safetyclass*' function

Exam ple o f com ponent

2 g Certain com ponents o f the auxiliary feedwatersystem

The secondary sides o f steam generators and steam mains w ithin c o n t a i n m e n t

2 1 Reactor building

Com ponents o f the dousing system, including valves and spray headers

Those com ponents o f systems open to the ' reactor building that are required to serve as part o f the containm ent envelope in certain circumstances

C om ponents o f the containm ent button-up system

3 a C om ponents o f the liquid zone control system

3 b N ot applicable

3 C2 C om ponents o f the D2O inventory controlsystem

3 h C om ponents o f the m oderator system, includingcalandria, pum ps and heat exchangers, and cover gas system

3 n See F oo tno te 14

3 p Com ponents of the spent fuel transfer tunnel

3 q C om ponents o f the spent fuel bay cooling system

While the methodology of this Safety Guide would classify the secondary sides of the steam generators as safety class 2, it is current Canadian practice to assign the complete steam generators to a classification equivalent to safety class 1.

Any components of the systems listed in safety class 4 that perform safety function n shall be re-assigned to safety class 3 if they contain greater than small quantities of radioactive materials.

23


Safety Safetyclass" function Exam ple o f com ponent

C om ponents o f the service water systems, either low pressure, high pressure and recirculated systems where applicable, including pumps, valves and secondary sides o f heat exchangers called up in safety functions f and

C om ponents o f the fuel oil supply system for the on-site or emergency power supply system generators'^

C om ponents of the main control room air conditioning system '^

Com ponents o f the spent resin transfer system'"'

C om ponents o f the liquid waste disposal system''*

The D^O upgrading tower."*

Components have been assigned to safety class 4 instead of 3 on the basis of redundancy and diversity (see sub-section A.6.1).

4 h

4 i

4 o

4 n


FRANCE

Safety SafetyExample o f com ponentclass function

PWR

1 k Components of the reactor coolant system :- main pipes and connected pipes up to and

including the second isolation valve, excluding branch lines w ith a nom inal pipe size 3/8 inch or smaller -vessel- steam generators (prim ary side)* pumps* pressurizer

2 k - com ponents o f the reactor coolant pressureboundary no t in safety class 1

Components of the following safety systems:

2 f, e - safety injection system (emergency core cooling)and emergency boration system (portions that may recirculate reactor coolant)

2 1 - containm ent spray system

2 1 - containm ent structure and penetrating pipings

2 a, e^ - system that injects boric acid to control reactorcore reactivity changes and control volumetric balance of reactor coolant system

2 g - secondary side o f steam generators and steamlines up to and including steam line valves

2 b, g - residual heat removal system and portions ofemergency and norm al feedwater systems inside containm ent up to and including outerm ost containm ent isolation valves

3 Com ponents of the following safety systems:

3 h, q -cooling systems for safety class 2 and 3 safetysystems and spent fuel pool

25


Safety Safetyclass function Example of com ponent

3 a - system that provides boric acid (make-up system)and chemical additive

3 g - emergency feedwater system outside containm ent

3 m - waste disposal systems (com ponents containinglarge quantities o f radioactive gas held for decay)

3 m. n - systems that process (purification andregeneration) reactor coolant system

4 o - containm ent building ventilation.

26


GERMANY, FEDERAL REPUBLIC OF

Status July 1978

Safety Safetyclass'^ function

Example o f com ponent

BWR

1 k Components o f the reactor coolant pressureboundary, including reactor pressure vessel, main coolant recirculation pum p's housing, and all connecting pipes up to and including their second isolation valve

2 a, b, c The control assembly drive system and hydrauliccomponents required for control assembly operation (scram system)

2 e i , f , g The residual heat removal system. The pressuresuppression pool and the pressure relief system are also necessary for these functions

Normal feedwater and condenser system is not considered a safety system

2 e^ The residual heat removal system. This system isalso used in the low-pressure range when during normal cool-down procedure the main heat sink is no more effective. The norm al feedwater and condenser system is no t considered a safety system

2 1 The containm ent structure, piping penetratingthe containm ent up to and including the first isolation valves seen either from inside or outside the containm ent

In the FRG at present no safety classes are established. However, "Anforderungsstufen", which describe the safety aspects, also contain detailed quality assurance provisions. Since the classification principals of IAEA safety classes and "Anforderungsstufen" are nearly identical, a direct relation of components to IAEA safety classes can in essence be established within the framework of Germanpractice.

27


Safety Safety,6 ̂ . Example o f com ponent

class'" function

3 h The service cooling water system and thecom ponent coolant system for interm ediate heat removal

3 m Air filtration systems which control or removeradioactive materials

3 n Liquid waste processing system, gaseous wasteprocessing system

3 o Air cooling systems for standby diesel generatorroom cooling. Ventilation system for the control room

3 p Com ponents and equipm ent used to control orremove radioactive material from the reactor building

3 q The cooling system for the irradiated fuelstorage pool

4 n Com ponents o f the liquid waste processingsystem (see n above) which serve the flushing process o f the system

PWR

1 k Com ponents o f reactor coolant pressure boundary,including reactor pressure vessel, prim ary side of steam generator, pressurizer, reactor coolant pumps, pipes connecting the com ponents m entioned above up to and including their first isolation valve

2 c Control rod assembly system and the extraborating system

2 e^ Extra borating system (in case the volume controlsystem, being an operating not a safety system, is out o f service). In the low pressure range: residual heat removal system

28


2

2

2

3

3

3

3

3

3

3

3

4

Safetyfunction


f Residual heat removal system (equivalent toECCS)

g Main loops of residual heat removal system

1 The containm ent structure, piping penetratingthe containm ent up to and including the first isolation valves seen either from inside or outside the containm ent

a, b Volume control system and boric acid controlsystem

e^ Volume control system

h The service cooling water system and thecom ponent coolant system for interm ediate heat removal

m Air filtration systems which control or removeradioactive materials

n Radioactive waste collection and processingsystems, gaseous waste processing system

o Air cooling systems for standby diesel generatorroom cooling. V entilation system for the control room

p Com ponents and equipm ent used to control orremove radioactive m aterial from the containm ent

q The cooling system for the irradiated fuelstorage pool

n Condensate seal water system (for volumecontrol system).

29


Federal Republic of Germany: Schematic structure of specification system for fluid-retaining nuclear components

The specifications o f the nuclear power plant vendor (controlled by the official technical surveillance, TUV (Technischer Oberwachungs-Verein), are based on the conventional power plant regulations and amend these under the nuclear safety aspect. With respect to design and the calculation of stresses the ASME Boiler and Pressure Vessel Code, Section III, NB and NC, is essentially applied. Design stress intensity values are adapted to the steel quality as accepted under FRG regulations.

JAPAN

Safety Safetyclass'^ function17 __ Example o f com ponent

PTR

Components of the reactor coolant system, including pressure tubes, steam drums, down- comers, recirculation pum ps, check valves, main steam lines and feed water lines up to second isolation valves; excluding branch lines with a nominal pipe size 1 inch or smaller

Not applicable

Reactor coolant system instrum ent lines and sampling lines

Components of the reactor core isolation cooling system including pum ps and valves

Components o f high pressure coolant injection system, low pressure coolant injection system, accumulator system and emergency long term recirculation cooling system, including valves, pumps, tanks and prim ary sides o f heat exchangers

Components o f residual heat removal system, including valves, pum ps, and prim ary sides o f heat exchangers

Reactor containm ent and com ponents of systems that remove radioactive materials from the containm ent atm osphere following an accident

List continued on p. 34

' ̂ A Japanese reactor designed to the requirements of Appendix A to this Safety Guide would use codes similar to the following:Safety class 1 — ASME HI, Division 1 Class 1Safety class 2 — ASME III, Division 1 Class 2 and MC, and Division 2Safety class 3 — ASME 11!, Division 1 Class 3Safety class 4 — Highest Non-nuclear Codes and Standards

31


JAPAN: ATR REACTOR StMPUFIED


TVo?3fM)7!

SC-1 R eactorC oolant System ............................. .................................................................................................. (D

SC-2 Reactor Coolant System Instrum ent Lines and Sampling Lines ........................................................ (2)Reactor Core Isolation Cooling System ........................................... ....................................................... (3)High Pressure Coolant Injection System .................................................................................................. (4—1)Low Pressure Coolant Injection System ........................................., .................................................... .. (4—2)A ccum ulatorSystem .................................................................................................................................... (4—3)R esidualH eatR em ovalSystem ................................................................................................................ (5)R eactorC ontainm ent .................................................................................................................................... @

SC-3 Reactor Auxiliary Cooling System ................. ........................................................................................... (7 — 1)and its Sea Water Cooling System .............................................................................................................. (7—2)Emergency DieselGenerators ..................................................................................................................... (§)Central Control Room V entilation and Air Conditioning SystemEmergency Diesel G enerator Room V entilation and Air Conditioning S y s te m ............................. (9)Spent Fuel Pool Building Ventilation SystemRadioactive Waste Disposal Room Ventilation System ........................................................................ (1̂ )Radioactive Gaseous Waste Storage TankRadioactive Liquid W asteStorageTank ...................................... ............................................................ (11)Irrad ia ted F u e lP o o lW ate rC o o lin g S y s tem .......................... ................................................................... (f^)

SC-4 Radioactive Waste Disposal System


Safety Safetyclass'*' function

17 ^ ___ Example of com ponent

List continued ftom p. 3!

3 h Com ponents of the reactor auxiliary coolingsystem and its sea water cooling system as support function for the system o f (f) and (g), including secondary side o f heat exchangers, pumps and valves

3 i The com ponents to furnish emergency on-sitepower such as diesel generators, its fuel oil systems, lubrication oil systems and cooling water systems for the diesel generators

3 m Components o f spent fuel pool building ventilationsystem, components of radioactive waste disposal room ventilation system

3 n Radioactive gaseous waste storage tank andradioactive liquid waste storage tank

3 o Com ponents of central control room ventilationand air conditioning system

Components o f emergency diesel generator room ventilation and air conditioning system

3 p Components and equipm ent used to control orremove radioactive materials from the fuel building atmosphere

3 q Irradiated fuel pool including its liner andcomponents o f irradiated fuel pool water cooling system

4 n Com ponents of radioactive waste disposalsystem except major tanks categorized in safety class3.

34


SWEDEN

Safety Safety Example o f com ponentclass function

BWR

k Components o f the reactor coolant system,including reactor pressure vessel and connecting main piping such as main steam and feed water lines up to and including their outer isolation valve

d Not applicable

c, k The portion o f the control rod drive mechanismtha t contains reactor coolant or hydraulic components required for emergency control rod insertion (scram system)

e) Components of the auxiliary feed water system.The normal feed water is not considered a safety system

f Com ponents o f the emergency core coolingsystem for directly cooling the reactor core

g Com ponents tha t provide emergency residualheat removal from the reactor core (not including secondary systems)

k Instrum ent lines inside containm ent connecteddirectly to the reactor coolant system

1 The containm ent structure, piping penetratingthe containm ent up to and including the first isolation valve seen either from inside or outside the containm ent

e^ Not applicable. The norm al feedwater systemis not considered a safety system. For the safety function, credit is taken for the auxiliary feed water system (com pare , e j )

h Components o f cooling systems such as a safety-related interm ediate cooling system

35


Safety Safetyclass function Example of com ponent

3 m Com ponents of control building ventilationsystem

3 o Air coolers for safety equipm ent cooling

3 q Com ponents of the spent fuel pool w ater coolingsystem

4 a Normal operation reactivity control system

4 n Com ponents of the radioactive waste collectionand processing systems.

36


Sweden: Schematic structure o f design requirem ents for fluid- retaining nuclear com ponents in BWRs

The specifications of the nuclear power plant vendor (controlled by the Swedish Nuclear Power Inspectorate) are based on the conventional power plant regulations and amend these with regard to the aspects o f nuclear safety. With respect to design and the calculation of stresses the ASME Boiler and Pressure Vessel Code, Section III is essentially applied. Design stress intensity values are adapted to the material quality as accepted under European regulations.

2 3

Design classes

' Adapted and modified to European codes and standards.

37


UNITED STATES OF AMERICA

Safety Safety. Example 01 com ponent

class function

BWR

1 k Com ponents o f the reactor coolant system,including reactor vessel, main coolant recirculating pipes and pumps, control rod drive com ponents, and main lines, such as steam lines, up to and including isolation valves

1 d N ot applicable

2 k Lines o f 3/4 inch or less, such as instrum ent linesand sample lines connected to the reactor-coolant system

2 c Components required for emergency control rodinsertion and components necessary for emergency injection o f boron into the reactor coolant system

2 e, Components of the reactor core isolation coolingsystem

2 f Com ponents that provide emergency core cooling

2 g Com ponents of the residual heat removal system.Includes emergency shutdown condenser if provided. Normal steam lines, feedwater system, and condenser are not considered safety systems

2 1 The containm ent structure, drywell vacuumbreakers, containm ent cooling system com ponents, hydrogen recombiner system com ponents, standby gas treatm ent system com ponents, and primary containm ent isolation valves and guard pipes

A USA reactor designed to the requirements of Appendix A to thisSafety Guide would use the following:Safety class 1 — ASME III, Division 1 Class 1Safety class 2 — ASME III, Division 1 Class 2 and MC, and Division 2Safetyclass3 —ASMEIII,DivisionlClass3Safety class 4 — Highest Non-nuclear Codes and Standards

38


3

3

3

3

3

3

3

3

3

4

4

4

Safetyfunction


a No applicable fluid system

b Not applicable

es Not applicable. The norm al feedwater is notconsidered a safety system

h Components o f cooling system such as an in termediate cooling system, service water, emergency cooling pond, cooling tow er, or atm ospheric air heat exchangers

i Components to furnish air for safety relief valvesand main steam line isolation valves and emergency on-site pow er such as batteries or diesel fuel oil storage

m Components o f air filtration systems tha t controlor remove radioactive materials outside the containm ent following accidents

o Components o f heating, cooling and cleaningsystems necessary for safe safety system operations and for personnel habitability

q The com ponents required to cool irradiated fuel

r Not applicable

n Components o f the radioactive waste collectionand processing systems and the offgas system

p Components and equipm ent used to control orremove radioactive m aterials from the fuel building atm osphere during normal operation

s Components such as steam or water lineslocated adjacent to com ponents o f a safety system

39


Safety Safetyclass'^ function Example of com ponent

PWR

1 k Com ponents of the reactor coolant system,including reactor vessel, main coolant circulating pipes, pressure boundary parts o f main coolant circulating pumps, rod drive mechanism housings, and the primary side o f steam generators

1 d N ot applicable

2 c Com ponents necessary to inject boric acid intothe emergency core cooling system or the reactor coolant system following an accident

2 e i , f Components that provide emergency core cooling

2 g Com ponents of the residual heat removal system,the secondary side o f steam generators and com ponents that provide overpressure protection for the steam generator secondary side or are necessary for natural circulation cooling o f the reactor coolant system

2 k Instrum ent and sample lines connected to thereactor coolant system

2 1 The containm ent structure and isolation system,post-accident containm ent heat removal system com ponents and components o f systems tha t remove radioactive material from , and control the hydrogen concentration of, containm ent atmosphere following an accident

3 a, b Com ponents o f the reactor auxiliary systems thatare necessary to inject (remove) boric acid into (from) the reactor coolant system for core reactivity compensation and during or following anticipated operational occurrences

40


Safety Safety. . Example o f com ponent

class function

3 e^ Components of the reactor auxiliary systemstha t are necessary to m aintain sufficient reactor coolant or emergency feedwater inventory for core cooling during and following normal operational states

3 h Components of cooling systems such as an in termediate cooling system, service water, emergency cooling pond, cooling tower, or atm ospheric air heat exchangers

3 i Components necessary to furnish emergency onsite electrical power such as diesel fuel oil storage tanks and transfer pumps

3 m Com ponents of the shield building, the spent fuelbuilding, and secondary containm ent air filtration systems that control or remove radioactive materials following accidents

3 o Components of heating, cooling and cleaningsystems necessary for safe safety system operations and for personnel habitability

3 q Components required to cool irradiated fuel

3 r Components of the reactor auxiliary systems thatare necessary to inject boron in to the irradiatedfuel storage pool

4 ' n Components of the radioactive waste managementsystems

4 p Components used to remove radioactive materialfrom the irradiated fuel storage building atm osphere during normal operation

4 s Components such as steam or water lines adjacentto components o f a safety system.

41


DEFINITIONS

7%e/b?/ow;'Mg (?e/??!;7;*o?M are ^ fen d ed /o r M.ye ;'/! ^ e yVBASIS' prograwwe and way wof Meceâr;7y con/orw ô de/znzY/on ̂adopfed eêw êre /o r wferfMÔMa/ M̂ e.

Acceptable Limits

Limits acceptable to the Regulatory Body.

A ccident Conditions

Substantial deviations from Operational States which are expected to be infrequent, and which could lead to release of unacceptable quantities o f radioactive materials if the relevant engineered safety features did no t function as per design intent.*

Anticipated Operational Occurrences

All operational processes deviating from Normal Operation which are expected to occur once or several times during the operating life o f the plant and which, in view o f appropriate design provisions, do n o t cause any significant damage to Items Im portan t to Safety nor lead to A ccident Conditions^ (see O perational States).

* A substantial deviation may be a major fuel failure, a Loss o f Coolant Accident (LOCA), etc. Examples of engineered safety features are: an Emergency Core Cooling System (ECCS), and containment.

̂ Examples of Anticipated Operational Occurrences are loss o f normal electric power and faults such as a turbine trip, malfunction of individual items of a normally running plant, failure to function of individual items of control equipment, loss o f power to main coolant pump.

43


Items Im portan t to Safety

The items which comprise:

(1) those structures, systems, and com ponents whose m alfunction or failure could lead to undue radiation exposure o f the Site Personnel o r members o f the public

(2) those structures, systems and components which prevent Anticipated Operational Occurrences from leading to Accident Conditions;

(3) those features which are provided to mitigate the consequences o f m alfunction or failure of structures, systems or com ponents.

Normal Operation

Operation o f a Nuclear Power Plant within specified operating limits and conditions including shutdown, power operation, shutting down, starting up, m aintenance, testing and refuelling (see O perational States).

Nuclear Power Plant

A therm al neutron reactor or reactors together w ith all structures, systems and com ponents necessary for safety and for the production o f power, i.e. heat o r electricity.

O

Documents

Safety Functions and Component C!assificationgnssn.iaea.org/Superseded Safety Standards/Safety_Series_050-SG-D1_… · vyes Ma 5 0 S & D 7 - -y Safety Functions and Component C!assification