
8. URANIUM OXIDE AND MOX FUEL FABRICATION

8.5. Adaptation of the INPRO methodology to a uranium and MOX fuel

8.5.6. User requirement UR5: Independence of DID levels and inherent

The rationale for UR5 is provided in Section 5.7. The criteria selected for user requirement UR5 are presented in Table 24.

TABLE 24. CRITERIA FOR USER REQUIREMENT UR5

Column headings: User requirement; Criteria; Indicator (IN) and Acceptance Limit (AL)

UR5: Independence of DID levels and inherent safety characteristics: An assessment is performed for the uranium or MOX fuel fabrication facility to demonstrate that the DID levels are more independent from each other than in the reference design. To excel in safety and reliability, the assessed facility strives for better elimination or minimization of hazards relative to the reference design by incorporating into its design an

IN5.1: Independence of different levels of DID in the assessed fuel fabrication facility.

AL5.1: More independence of the DID levels is demonstrated compared to that in the reference design, e.g. through

IN5.2: Examples of hazards: fire, flooding, release of radioactive material, radiation exposure, etc.

AL5.2: Hazards are reduced in relation to those in the reference facility.

8.5.6.1. Criterion CR5.1: Independence of DID levels

Indicator IN5.1: Independence of different levels of DID in the assessed fuel fabrication facility.

Acceptance limit AL5.1: More independence of the DID levels is demonstrated compared to that in the reference design, e.g. through deterministic and probabilistic means, hazards analysis, etc.

Systems that provide for different levels of defence in depth may be either dependent or independent. Independent systems can provide protection from potential hazards with higher reliability. Using the same system, or several dependent systems, in different levels of defence in depth can make these levels vulnerable to common cause failure. Ref [18] states:

“To qualify as independent, the failure of one item relied on for safety (IROFS) should neither cause the failure nor increase the likelihood of failure of another IROFS. No single credible event should be able to defeat the system of IROFS such that an accident is possible. A systematic method of hazard identification should thus be used to provide a high degree of assurance that all credible failure mechanisms that could contribute to (i.e. by initiating or failing to prevent or mitigate) an accident have been identified.”

Ref [18] further provides an illustrative list of factors that undermine the independence of systems, structures and components and therefore have a significant effect on the likelihood of an accident sequence:

“A partial list of conditions that will almost always lead to two or more IROFS not being independent follows:

The same individual performs administrative actions.

Two different individuals perform administrative actions but use the same equipment and/or procedures.

Two engineered controls share a common hardware component or common software.

Two engineered controls measure the same physical variable using the same model or type of hardware.

Two engineered controls rely on the same source of essential utilities (e.g. electricity, instrument air, compressed nitrogen, water).

Two engineered controls are collocated such that credible internal or external events (e.g. structural failure, forklift impacts, fires, explosions, chemical releases) can cause both to fail.

Administrative or engineered controls are susceptible to failure because of the presence of credible environmental conditions (e.g. two operator actions defeated by corrosive atmosphere, sensors rendered inoperable because of high temperature).”
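The first six conditions in the list above can be screened mechanically over a control inventory. The following is an added example, not part of the source text or of Ref [18]; the `Control` fields, reason strings and inventory entries are assumptions constructed for illustration, and the last condition (environmental susceptibility) is not modelled.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Control:
    """One IROFS; every field name here is an assumption made for the example."""
    name: str
    kind: str                 # "administrative" or "engineered"
    operator: str = ""        # who performs an administrative action
    procedure: str = ""       # equipment/procedure used for it
    components: tuple = ()    # hardware parts and software
    measures: tuple = ()      # (physical variable, hardware model)
    utilities: tuple = ()     # electricity, instrument air, ...
    location: str = ""        # area exposed to the same events

def shared_causes(a, b):
    """Return the listed conditions under which a and b are not independent."""
    found = []
    if a.kind == b.kind == "administrative":
        if a.operator and a.operator == b.operator:
            found.append("same individual")
        elif a.procedure and a.procedure == b.procedure:
            found.append("same equipment/procedure")
    if a.kind == b.kind == "engineered":
        if set(a.components) & set(b.components):
            found.append("common component")
        if a.measures and a.measures == b.measures:
            found.append("same variable and hardware type")
        if set(a.utilities) & set(b.utilities):
            found.append("same utility")
        if a.location and a.location == b.location:
            found.append("collocated")
    return found

def dependent_pairs(controls):
    # Map each pair of controls that shares a cause to the reasons found.
    return {(a.name, b.name): why for a, b in combinations(controls, 2)
            if (why := shared_causes(a, b))}

# Constructed inventory, not taken from any facility.
INVENTORY = [
    Control("mass check A", "administrative", operator="op1", procedure="P-12"),
    Control("mass check B", "administrative", operator="op2", procedure="P-12"),
    Control("level interlock", "engineered", components=("PLC-1",),
            measures=("level", "LT-X"), utilities=("instrument air",), location="room 101"),
    Control("level alarm", "engineered", components=("PLC-1",),
            measures=("level", "LT-X"), utilities=("electricity",), location="room 102"),
    Control("neutron trip", "engineered", components=("relay-7",),
            measures=("neutron flux", "NM-Y"), utilities=("battery",), location="room 103"),
]
```

A pair that this screen does not flag is not thereby shown to be independent; the screen only catches the shared attributes recorded in the inventory.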

The analysis of independence of systems, structures and components in NFCF is normally part of the application of the ‘double contingency principle’ defined in Ref [115]. This principle states that “process designs should, in general, incorporate sufficient factors of safety to require at least two unlikely, independent, and concurrent changes in process conditions before a criticality accident is possible.”

It is expected that the deterministic method for assessing the DID capabilities of a nuclear reactor design described in Ref [116] will be adapted to fuel fabrication facilities. This method is based on objective trees for each level of DID, defining the following elements from top to bottom: the objective of the DID level, the relevant safety functions to be met, the identified general challenges to the safety functions based on specific root mechanisms for each of these challenges, and a list of provisions in design and operation for preventing the mechanism from occurring.

Special attention is expected to be demonstrated in the design to such hazards as fire, flooding or earthquakes which could potentially impair several levels of DID; for example, they could bring about accident situations and, at the same time, inhibit the means of coping with such situations [39].

The safety analysis report of a fuel fabrication facility needs to demonstrate clearly the independence of the levels of defence. A probabilistic safety analysis [117], if done carefully, would highlight systems and elements which are not sufficiently independent, and identify cross-links which compromise the independence of the levels of DID. The fuel fabrication facility assessed is expected to demonstrate calculated frequency ranges of reaching the different levels of DID after an initiating event below (superior to) those of a reference facility.

The acceptance limit AL5.1 (independence of DID levels) is met for the fuel fabrication facility assessed if evidence available to the INPRO assessor demonstrates improved independence of the different levels of DID in comparison to a reference plant, based on deterministic and probabilistic analyses. Alternatively, if a reference facility cannot be found, it could be demonstrated that the design of the facility assessed took available information on best international practice into account and is therefore state of the art.

8.5.6.2. Criterion CR5.2: Minimization of hazards

The assessment of CR5.1 (minimisation of hazards) presented for a uranium conversion and enrichment facility in Section 7.4.6.1 is deemed to be sufficiently similar to that for a fuel fabrication facility. Thus, the assessor can also use this approach for the fuel fabrication facility.

8.5.7. User requirement UR6 and UR7

The rationale for UR6 and UR7 is provided in Sections 5.8 and 5.9. Assessment of user requirement UR6 (human factors related to safety) and UR7 (RD&D for advanced designs) for fuel fabrication facilities (U, Pu, MOX) is deemed to be sufficiently similar to the assessment method of UR6 and UR7 described in Sections 6.3.7 and 6.3.8 for mining and milling facilities (including criteria, indicators and acceptance limits).