Safety of Nuclear Power Plant

Prabir C Basu
Structural Engineering and Nuclear Facility Safety

• Introduction
• Concept of nuclear safety
• Development of nuclear safety
• Defence in depth
• Measures of defence in depth (DiD)
• Summary

Introduction
• Any industrial activity induces certain risks to human
beings and the environment.
• The additional risk associated with an NPP is due to the
potential for radiation hazard.
• The endeavour is to keep the risk “as low as reasonably
achievable” (ALARA).
• The effect of the radiological hazard is generally very
minimal during normal operation.
• Abnormal operating conditions and accident conditions
have a higher impact on the design and operation of a
nuclear power plant (NPP).
• Unlike conventional facilities, an NPP design is governed
by the accident scenario rather than process
• SAFETY is the paramount concern for the design,
construction and operation of an NPP.
• The development of nuclear safety goes back to the
earliest use of nuclear energy for peaceful purposes and
has progressed from simple concepts and methods into a
methodology based on a firm foundation of experience.

Concept of nuclear safety
• The fundamental safety objective is to protect the
environment, the public and site personnel by establishing
and maintaining effective safety measures against
radiological hazards during normal and accident conditions.
• Radiation exposure to the public shall be within the limits
prescribed by the Atomic Energy Regulatory Board (AERB).
• The safety principles and requirements for minimizing the
risks associated with an NPP are derived from the
fundamental safety objective.
• The fundamental safety objective applies to all stages in
the lifetime of an NPP, including planning, siting, design,
manufacture, construction, commissioning and operation,
as well as decommissioning.
Concept of nuclear safety
• Safety Principles
– Principle 1: Responsibility for safety;
– Principle 2: Role of government;
– Principle 3: Effective leadership and management;
– Principle 4: Justification of facilities and activities;
– Principle 5: Optimisation of protection;
– Principle 6: Limitation of risks to individuals;
– Principle 7: People and the environment, present and
future, must be protected against radiation;
– Principle 8: Prevention of accidents;
– Principle 9: Emergency preparedness and response;
– Principle 10: Protective action to reduce existing and
unregulated radiation risks.
Concept of nuclear safety
• The safety principles are as agreed by the international
community and prescribed in the IAEA document on safety
• To achieve the fundamental safety objective:
– Safety requirements are derived from the safety principles, and
– Safety measures are implemented in line with the safety
requirements.
• In India, the safety requirements with respect to radiation
protection stipulate that, for all operational states of an
NPP and for any associated activities, doses from exposure
to radiation within the installation or exposure due to any
planned radioactive release from the installation are kept
below the limits prescribed by AERB.
Concept of nuclear safety
[Figure: safety criteria which the design has to meet]

Concept of nuclear safety
Plant states
[Figure: accident progression of an NPP]
– Normal operation
– Abnormal operation and non-detection of failures
– Design basis accident (DBA): single failure criterion
– DEC-A: Accident progression of core melt down
– DEC-B: Severe plant condition with core melt
– Severe accident with containment impairment
Concept of nuclear safety
Plant states
• Operational states
– Normal operation
– Anticipated operational occurrences (AOO)
• Accident conditions
– Design basis accident (DBA)
– Design extension conditions:
• Accident without core melt (DEC-A)
• Accident with core melt (DEC-B)
• Practically: Large release of radioactivity from containment
– Accident with core melt and containment impairment

Concept of nuclear safety
Plant states
• The main purposes of nuclear safety are:
– Adequate design for normal operation;
– Maintaining the reactor in a safe state during the plant states
of AOO, DBA, DEC-A and DEC-B; and
– Mitigation measures to respond to a large release of
radioactive material.
• Maintenance of the reactor safe state during AOO, DBA,
DEC-A and DEC-B is ensured by performing the basic safety
functions during these plant states:
– Control of reactivity,
– Heat removal from the reactor and the spent fuel pool, and
– Confinement of radioactive material, shielding against
radiation and control of planned radioactive releases, as well
as limitation of accidental radioactive releases.
Concept of nuclear safety
Reactor safe state
• The controlled state ensures the safety of the reactor by
performing the fundamental safety functions following an
anticipated operational occurrence or accident condition
until the reactor is brought to the safe state / safe shutdown
state.
– Characteristics of this state are:
• Core is subcritical,
• Core heat is adequately removed,
• Activity discharges are within acceptable limits.
– In case of a DBA, it is mandatory to reach the safe shutdown
state following a controlled state.
– During an accident (DBA and DEC without core melt), the
controlled state shall not be continued for more than 24 hours.
Concept of nuclear safety
Reactor safe state
• Safe shutdown state is the state of the plant, following an
anticipated operational occurrence or accident conditions,
in which the fundamental safety functions can be ensured
and maintained.
– This state is characterized by:
a) Reactor under shutdown with the desired margin below sub-
b) Continuous decay heat removal up to the ultimate heat sink
through the designed cooling chain.
c) Availability of containment functions.
– During a design basis accident, it is mandatory to reach the
safe shutdown state following a controlled state.
Concept of nuclear safety
Reactor safe state
• Safe state is the one in which, following DEC-A, the reactor
is subcritical and the fundamental safety functions can be
ensured and maintained stable for a long time.
– This state is characterised by:
• Core is in a long-term subcritical state.
• Long-term decay heat removal is established.
• Containment functions are available and activity discharges are in
accordance with the acceptable limits.
– Design provisions shall be made to achieve and maintain the
safe state for 72 hours from the initiation of DEC-A.
– Subsequently it is desirable to reach the safe shutdown state.

Concept of nuclear safety
Reactor safe state
• The severe accident safe state shall be reached at the
earliest after accident initiation (following DEC-A). It should
be possible to maintain this state.
– During this state there is:
• No possibility of re-criticality.
• Fuel or debris are continuously cooled.
• Uncontrolled release of radioactivity to the environment is arrested.
• Means to maintain the above conditions are available for the long
term, including critical parameter monitoring.
• Monitoring of radiological releases and containment conditions.
– The severe accident safe state should be reached from DEC-B
within about one week from accident initiation.
Development of nuclear safety
• The nuclear industry started with small experimental
nuclear facilities and progressively constructed big units
for generating larger amounts of energy and handling
larger quantities of radioactive materials. This led to an
increased potential for risk, prompting the need for
safety enhancement.
• Concurrently,
– the continuous growth in knowledge,
– the development of safety concepts, and
– the increasing expertise and experience gained from
operating NPPs under normal and abnormal conditions
and from accidents
have resulted in more comprehensive and systematic
approaches to safety.
Development of nuclear safety
• The concept of placing multiple barriers between
radioactive materials and the environment was
gradually developed.
• Several successive physical barriers for the
confinement of radioactive material are put in place.
• For water reactors at power operation, the barriers
confining the fission products are typically:
– the fuel matrix;
– the fuel cladding;
– the boundary of the reactor coolant system;
– the containment system.
Development of nuclear safety
• This concept alone does not provide the necessary
assurance of safety, since it does not include the means
to provide the barriers themselves with successive layers
or levels of protection.
• The multi-barrier approach was intended to provide
redundant means to ensure the fulfilment of the basic
safety functions at each plant state.

Development of nuclear safety
• The concept of DEFENCE IN DEPTH (DiD) was therefore
gradually developed and refined to constitute an
increasingly effective approach for safety, combining both
– prevention of a wide range of postulated incidents and
accidents, and
– mitigation of their consequences.
• Incidents and accidents were postulated on the basis of
single initiating events selected according to the order of
magnitude of their frequency, estimated from general
industrial experience.
• Defence in depth consists of a hierarchical deployment of
different levels of
– equipment, and
– procedures
in order to maintain the effectiveness of the physical
barriers placed between radioactive materials and workers,
the public or the environment, in
– normal operation,
– anticipated operational occurrences, and,
– for some barriers, in accidents at the plant.

• Defence in depth is implemented through design and
operating procedures in order to provide graded
protection against a wide variety of
– transients,
– incidents, and
– accidents,
– equipment failures and human errors within the plant
(internal events – IE), and
– events initiated outside the plant (external events – EE).

• For a given type of reactor, the required number and
strength of levels of defence depends on the risk
represented by
– the amount and type of radioactive material present in
the installation;
– the potential for its dispersion due to the physical and
chemical nature of these products; and
– the possibility of nuclear, chemical or thermal reactions
that could occur under normal or abnormal conditions
and the kinetics of such events.

• The implementation of the DiD concept is centred on
– several levels of protection, and
– successive barriers preventing the release of radioactive
material to the environment.
[Basic Safety Principles for Nuclear Power Plants]
• The objectives are as follows:
– to compensate for potential human and component failures;
– to maintain the effectiveness of the barriers by averting
damage to the plant and to the barriers themselves; and
– to protect the public and the environment from harm in
the event that these barriers are not fully effective.
• The strategy for DiD is twofold:
– first, to prevent accidents, and
– second, if prevention fails, to
• limit their potential consequences, and
• prevent any evolution to more serious conditions.
• Accident prevention is the first priority because the
provisions to prevent deviations of the plant state from
normal operating conditions are generally more effective
and more predictable than measures aimed at mitigating
the consequences of such deviations.
• Should preventive measures fail, mitigation measures,
e.g. the use of a well-designed confinement function, can
provide the necessary additional protection of the public
and the environment.
• DiD is generally structured in five levels. Should one level
fail, the subsequent level comes into play.
• The objectives of the levels are:
– The first level of protection is the prevention of abnormal
operation and system failures.
– The second level of protection is the control of abnormal
operation and the detection of SSC failures.
– The third level of protection ensures that safety functions are
performed by engineered safety systems and features.
– The fourth level of protection limits the accident progression
through accident management, so as to prevent or mitigate
severe accident conditions with external radiological releases.
– The fifth level of protection is the mitigation of the
consequences of radiological releases through the off-site
emergency response.
DiD levels, plant states, objectives and essential means:
• Level I – Normal operation
– Objective: Prevention of abnormal operation and failures
– Essential means: Conservative design, high quality construction
• Level II – Transient states
– Objective: Control of abnormal operation and detection of failures
– Essential means: Control, limiting and protection systems and other
surveillance
• Level III – DBA
– Objective: Control of accidents within the design basis
– Essential means: Safety systems / engineered safety features and
accident procedures
• A design basis accident (DBA) is a set of accident
conditions that are to be considered in the design; it
– is derived from postulated initiating events,
– establishes the bounding conditions for the NPP design, and
– must be withstood by the NPP without exceeding the
acceptable limits of radiation protection.

• Level IV – DEC-A
– Objective: Control of plant accident conditions (DEC-A);
prevention of accident progression to core melt
– Essential means: Additional safety systems / features and
accident procedures
• Level IV – DEC-B
– Objective: Control of severe plant conditions with core melt, to
limit off-site releases and mitigate the consequences of severe
accidents
– Essential means: Complementary safety features to mitigate core
melt, management of accidents with core melt (severe accidents)

• Design extension conditions (DEC)
– are a set of additional accident scenarios to be addressed in
the design;
– a DEC is either more severe than DBAs or involves additional
failures;
– are derived on the basis of engineering judgement,
deterministic assessments and probabilistic assessments;
– require practicable provisions for the prevention of such
accidents or the mitigation of their consequences; and
– their impact should be withstood by the NPP without
unacceptable radiological consequences.

• Level V – Severe accident with containment impairment
– Objective: Mitigation of the radiological consequences of
significant releases of radioactive materials
– Essential means: Off-site emergency response and intervention
levels

• Pre-requisites for effective implementation of measures
at Levels 1 to 5 of DiD:
– appropriate conservatism,
– quality assurance and
– safety culture.
• These pre-requisites are
– interrelated and
– fulfilled as part of policy for safe design and operation.
• The independence of the different levels of defence is key
to meeting the general objective of DiD, which is to ensure
that a single failure (equipment failure or human failure) at
one level of defence, and even combinations of failures at
more than one level of defence, would not propagate to
jeopardize DiD at subsequent levels.
• All the elements of DiD shall normally be available when
a plant is at power.
• At the design stage, due consideration shall be given
to in-service surveillance such as non-destructive
testing or functional periodic testing that contribute
to the prevention of incidents and accidents.
• These measures are necessary to contribute to the
control of accidents.
• Hazards such as fire, flooding or earthquakes
(external events) could potentially impair several
levels of defence simultaneously (common cause
failure). Special attention is paid to such hazards.
• Irrespective of these efforts, there can be no
guarantee that conditions that exceed design basis
accident conditions will not occur. Such conditions
are anticipated by both preventive measures and
mitigation measures (for accident management).
• Owing to the relatively slow development from most
initiating events to severe accident conditions, it is in
principle possible for plant personnel to diagnose the
status of the plant and to restore failed safety related

Measures of defence-in-depth
• The public and the environment are protected
primarily by means of the barriers, which may serve
– operational and safety purposes, or
– safety purposes only.
• The defence in depth concept applies to the
protection of barriers’ integrity against internal and
external events that may jeopardize it.
• Situations in which one or more barriers are
breached (such as during shutdown) necessitate
special attention.

Measures of defence-in-depth
• Measures at Level 1 include a broad range of
conservative provisions
– in design, from siting through to the end of plant life,
– aimed at confining radioactive material, and
– minimizing deviations from normal operating conditions
(including transient conditions and plant shutdown states).
• The safety provisions at Level 1 are taken through
– the site selection and evaluation,
– design,
– manufacturing, construction,
– commissioning,
– operating and maintenance requirements
Measures of defence-in-depth
• Furthermore, Level 1 provides the initial basis for
protection against
– Internal hazards (e.g., pressure and temperature due to
LOCA, internal flooding, etc.), and
– External and internal hazards (e.g. earthquakes, aircraft
crashes, blast waves, fire, flooding).
• Even though some additional protection may be
required at higher levels of defence.

Measures of defence-in-depth
• The objective of Level 2 of DiD is to bring the plant back to
normal operating conditions as soon as possible.
• Level 2 incorporates inherent plant features, such as
– core stability and thermal inertia, and
– systems to control abnormal operation (anticipated
operational occurrences), with account taken of
phenomena capable of causing further deterioration in the
plant status.
• The systems to mitigate the consequences of such
operating occurrences are designed according to
specific criteria (such as redundancy, layout and
Measures of defence-in-depth
• Diagnostic tools and equipment such as automatic control
systems can be provided to actuate corrective actions
before reactor protection limits are reached; examples are
– power operated relief valves,
– automatic limitation systems on reactor power and on
coolant pressure, temperature or level, and process
control functions,
– systems which record and announce faults in the control
• Ongoing surveillance of quality and compliance with the
design assumptions by means of in-service inspection and
periodic testing of SSCs is also necessary to detect any
degradation of equipment and systems before it can
affect the safety of the plant.
Measures of defence-in-depth
• In spite of provisions for prevention, accident conditions
may occur.
• The measures taken at this level are aimed at preventing
core damage in particular.
• Engineered safety features and protection systems are
provided to
– prevent evolution towards severe accidents, and
– confine radioactive materials within the containment system.
• Engineered safety features are designed on the basis of
postulated accidents representing the limiting loads of
sets of similar events (e.g., LOCA, MSLB, or loss of control
of criticality, such as in a slow uncontrolled boron
dilution or a control rod withdrawal).
Measures of defence-in-depth
• The broad aim of the fourth level of defence is to ensure
that the likelihood of an accident entailing severe core
damage, and the magnitude of radioactive releases in the
unlikely event that a severe plant condition occurs, are
both kept ALARA, economic and social factors being taken
into account.
• Accident management may not be used to excuse design
deficiencies at prior levels.
• Consideration is given to severe plant conditions that were
not explicitly addressed in the original design (Levels 1 to 3)
of currently operating plants (Gen-2) owing to their very
low probabilities.
Measures of defence-in-depth
• The most important objective for mitigation of the
consequences of an accident in Level 4 is the protection
of the confinement. For most reactor designs there
exists a containment structure which withstands
pressure, with strict design limits on permissible
leakage under a specified pressure.
• The role of the operators is vital in actuating hardware
features for accident management and in taking actions
beyond the originally intended functions of systems or
using temporary or ad hoc systems.
• Adequate staff preparation and training for such
conditions is a prerequisite for effective accident
management.
• Managerial provisions such as an on-site emergency plan
are also necessary.
Measures of defence-in-depth
• Both on-site and off-site emergency management plans
are safety measures at this level.
• The operating organization is responsible for the on-site
emergency plan.
• Off-site emergency procedures are prepared in
consultation with the operating organization and the
authorities in charge, and must comply with international
agreements.
• Both on-site and off-site emergency plans are exercised
periodically to the extent necessary to ensure the
readiness of the organizations involved.
Summary
• The main purposes of nuclear safety are:
– Adequate design for normal operation;
– Maintaining the reactor in a safe state during the plant
states of AOO, DBA, DEC-A and DEC-B; and
– Mitigation measures to respond to a large release of
radioactive material.
• Each level of DiD is a defence against the corresponding
plant state.
• Defence at a level is implemented by incorporating the
measures (engineering of SSCs and procedures) for
performing the basic safety functions relevant to the
corresponding plant states of that level.