CHAPTER F SECTION : -

PAGE : 1 / 55 UK-EPR

FUNDAMENTAL SAFETY OVERVIEW VOLUME 1: HEAD DOCUMENT

CHAPTER F: BROAD SAFETY DEMONSTRATION

CHAPTER F: BROAD SAFETY DEMONSTRATION

1. INTRODUCTION

The current status of the EPR safety case is presented in Volume 2 of this Fundamental Safety Overview. The objective of this Chapter of Volume 1 is to give a synthetic view of this safety case.

It is not intended here to address all aspects of the safety case but rather to focus on a few topics illustrative of the implementation of the main safety principles defined in Volume 1 Chapter E. References are made to the relevant parts of Volume 2 where more detailed information can be found.

The present safety case is based on that originally developed for the French Flamanville 3 project. It is clear that in a number of instances the broad safety demonstration for the EPR design has been developed with differences in detail with respect to UK licensing requirements. For this Step 2 submission, a systematic review of all of the existing evidence to demonstrate full compliance with UK licensing requirements has not been performed. However, a limited review has been undertaken to identify the most significant deviations from UK requirements, and to give confidence that the proposed design can be shown to meet UK requirements. This review will be extended as part of the Step 3 submission to demonstrate that the EPR design proposed for licensing in the UK meets all of the relevant criteria for UK licensing with a significant margin of safety.

2. GENERAL SAFETY DESIGN

The EPR design approach is based on the recommendations of the French and German safety authorities issued in July 1993 regarding the safety approach for a new generation of nuclear plants.

The targets were to improve safety, taking into account experience feedback from existing plants, and to consider protection against severe accidents in the design. A further requirement was for the design to take into account operating constraints and human factors, with the objective of improving radioprotection and limiting the production of radioactive waste.

The EPR design is developed primarily on a deterministic basis, complemented by use of probabilistic assessment.

Two main focuses of the EPR safety approach have been:

• to improve the preventive measures against accidents,

• to mitigate the consequences of severe accidents, even though their probability is reduced.

The main accident prevention approach involves:


• reducing the number of significant incidents by improving the design and manufacturing of the primary loops and the main steam and feedwater lines

• improving the reliability of safety systems by simplifying the design.

• preventing common mode failures by physical separation and diverse back-up of safety functions.

• increasing the grace periods for operator actions by designing components (e.g. the pressuriser and steam generators) with larger water inventories.

• reducing sensitivity to human errors by an optimized man-machine interface using digital instrumentation and control systems and information supplied by modern operator information systems.

The design provisions for reducing risks due to severe accidents are:

• Provision of an additional primary pressure relief device, to ‘practically eliminate’ the risk of reactor vessel failure at high pressure in the case of core melt.

• Prevention of hydrogen combustion by reducing the hydrogen concentration in the containment at an early stage by catalytic H2 recombiners.

• Limitation of molten core concrete interaction by design measures to spread and then cool the corium in a dedicated spreading compartment, to mitigate the consequences of the considered accident scenarios.

• Control of the containment pressure increase by use of a dedicated containment heat removal system (CHRS), which consists of a spray system and which in addition allows recirculation through the cooling structure of the molten core retention device to mitigate the consequences of the considered accident scenarios.

By these measures, the external source terms are limited such that the need for stringent countermeasures such as relocation or evacuation of the population, should be restricted to the immediate vicinity of the plant and restrictions on the use of foodstuffs limited to the first year harvest.

3. STRUCTURES, SYSTEMS AND COMPONENTS DESIGN

3.1. PRINCIPLES OF SAFETY CLASSIFICATION

The development of EPR is intentionally an evolutionary approach, which is based on the experience gained from the construction and operation of existing plants in France and Germany. The design features of most systems are close to those of existing designs and can therefore be considered as well proven.

The structures, systems and components (SSCs) important to safety are designed according to the general design requirements indicated in Chapter E – Section 5.3. Safety classification of the SSCs is carried out using two complementary approaches:

Mechanical approach: mechanical safety classification.


Mechanical safety classification results in the specification of certain requirements for the design, manufacture and control of equipment. It is based on the "barrier" approach defined in the EPR Technical Guidelines which has the objective of prevention, control and limitation of the off-site radioactivity releases.

The main principle of mechanical safety classification is to classify equipment according to the risk it presents of releasing contamination inside the nuclear installation. The process of equipment classification involves several stages:

1. The list of equipment performing a role of a "barrier" is established. Such equipment is that whose failure, in PCC and RRC reference conditions, could lead to ‘significant contamination’ (activity per volume more than 3 decades above the surrounding environment and above 1 MBq/l);

2. The equipment is assigned into one of three levels of mechanical safety classification (M1, M2, M3), each associated with defined standards covering design code compliance, manufacture, control, and in-service inspection. The highest classification level (M1) is associated with the Main Primary System. The classification of the other equipment is based on the level of potential contamination inside the equipment:

• M2: equipment not isolated from primary circuit in PCC/RRC events in which fuel cladding integrity is not assured; all containment penetrations

• M3: other classified equipment

Functional approach: the functional classification.

This approach aims at identifying systems that are important to safety, i.e. carrying out the functions necessary to protect the core and limiting radiological release to the environment in PCC/RRC reference conditions.

Systems are classified according to the situations in which they are required. The result is a deterministic process for specifying stringent requirements for systems needed in PCC situations in terms of design and operability.

In practice:

• F1 classification is associated with PCC conditions and their analysis rules. It leads to specific requirements on system architecture and operability;

• F2 classification is applied to systems which perform essential safety functions in RRC conditions, internal hazard and external hazard conditions, and which perform functions important to monitoring and control of radioactivity in normal operation. F2 classification leads to requirements defined on a case-by-case basis, rather than specific requirements. For example, design requirements for systems protecting against RRC-A or RRC-B conditions may also be determined partly by results of probabilistic studies.

Links between mechanical and functional approaches

Certain links are made between functional and mechanical classification:


• a functional classification of F2 or above is applied to systems (e.g. valves) forming an interface between equipment of different mechanical classifications;

• all systems performing the role of a barrier are classified as F2.

Additionally,

• mechanical equipment performing an F1 function is classified at least as M3;

• equipment to which the break preclusion assumption is applied (see Volume 2 Chapter C.4.2) is subjected to additional requirements, independent of its level of mechanical safety classification. This is the case for the Main Secondary System. The additional requirements are generally defined in terms of specific design codes, additional stress limits, extended process controls and additional in-service inspections.
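The classification rules above (barrier role implies F2, an F1 function implies at least M3, an interface between different mechanical classes implies F2 or above) can be applied mechanically to an equipment list. The following Python script is an added illustration, not part of the safety case or of any EDF/AREVA tool; the equipment names, the two-level F ranking and the sample inconsistencies are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rank order of the classes so that "at least M3" and "F2 or above" are simple comparisons.
# None stands for unclassified equipment.
M_RANK = {None: 0, "M3": 1, "M2": 2, "M1": 3}
F_RANK = {None: 0, "F2": 1, "F1": 2}


@dataclass(frozen=True)
class Equipment:
    name: str
    mech: Optional[str]              # mechanical class M1/M2/M3, or None
    func: Optional[str]              # functional class F1/F2, or None
    barrier: bool = False            # performs a "barrier" role (contains activity)
    connects: Tuple[str, ...] = ()   # items this equipment forms an interface between (e.g. a valve)


def check_links(items: List[Equipment]) -> List[str]:
    """Return one finding per violated link rule; an empty list means the list is consistent."""
    by_name = {e.name: e for e in items}
    findings: List[str] = []
    for e in items:
        # Rule: all systems performing the role of a barrier are classified F2 (or above).
        if e.barrier and F_RANK[e.func] < F_RANK["F2"]:
            findings.append(f"{e.name}: barrier role requires F2 or above, has {e.func}")
        # Rule: mechanical equipment performing an F1 function is classified at least M3.
        if e.func == "F1" and M_RANK[e.mech] < M_RANK["M3"]:
            findings.append(f"{e.name}: F1 function requires at least M3, has {e.mech}")
        # Rule: an interface between different mechanical classes requires F2 or above.
        classes = {by_name[n].mech for n in e.connects if n in by_name}
        if len(classes) > 1 and F_RANK[e.func] < F_RANK["F2"]:
            findings.append(
                f"{e.name}: interface between {sorted(classes, key=str)} requires F2 or above, has {e.func}"
            )
    return findings


# Constructed sample list (hypothetical names; three deliberate inconsistencies).
SAMPLE = [
    Equipment("main_coolant_loop", "M1", "F1", barrier=True),
    Equipment("rhr_heat_exchanger", "M3", "F2"),
    Equipment("rhr_isolation_valve", "M1", None, connects=("main_coolant_loop", "rhr_heat_exchanger")),
    Equipment("ebs_pump", None, "F1"),
    Equipment("containment_penetration_x", "M2", None, barrier=True),
]

# Same list with the inconsistencies corrected.
SAMPLE_FIXED = [
    Equipment("main_coolant_loop", "M1", "F1", barrier=True),
    Equipment("rhr_heat_exchanger", "M3", "F2"),
    Equipment("rhr_isolation_valve", "M1", "F2", connects=("main_coolant_loop", "rhr_heat_exchanger")),
    Equipment("ebs_pump", "M3", "F1"),
    Equipment("containment_penetration_x", "M2", "F2", barrier=True),
]

if __name__ == "__main__":
    for line in check_links(SAMPLE):
        print(line)
    print("fixed list findings:", check_links(SAMPLE_FIXED))
```

The checker only encodes the links stated in this section; the assignment of M2/M3 itself (based on isolation from the primary circuit and potential contamination) is a separate engineering judgement and is taken as input here.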

The SSCs are designed for an expected plant lifetime of 60 years. Achieving a 60 year design life involves:

- designing to accommodate the number and duration of loading conditions consistent with that lifetime,

- adopting, when necessary, design margins to cover the potential degradation in mechanical and geometrical properties that can result from phenomena such as fatigue, corrosion or irradiation,

- implementing a surveillance program to monitor the state of the SSCs over the plant life, including the recording of the actual SSC operating conditions for comparison with the design basis.

The design requirements applicable to a specific SSC, and in particular those resulting from the safety functions it is designed to ensure, are detailed in the Chapters of Volume 2 dedicated to the SSCs (Volume 2 - Chapters D to L).

3.2. CORE SYSTEM

The design of the core system is presented in Volume 2 – Chapter D.

3.2.1. Overall features

The EPR core consists of 241 fuel assemblies, each composed of 265 fuel rods arranged in a 17x17 lattice and having an active height of 420 cm.

This large core size results in a reduced average core power density, which has a beneficial effect on the margins to the core safety limits. This allows the implementation of fuel management schemes, like low-leakage in-out loading patterns, that enhance the utilisation of fissile material and reduce the amount of high level radioactive waste per unit of electricity generated. It also provides margins to allow Plutonium recycling, up to a limit of 50% MOX fuel assemblies.

The core is surrounded by a heavy stainless steel reflector, which further improves the neutron economy and contributes to limiting the high energy neutron fluence on the reactor vessel.


3.2.2. Core safety design principles

The core safety design relates to the three main plant safety functions:

• control of core power and reactivity,

• removal of decay heat,

• containment of radioactivity inside the first containment barrier.

This results in specific design criteria for the fuel itself and for the associated control, surveillance and protection systems.

a) For normal operation and anticipated operational occurrences, a loss of fuel cladding integrity shall be precluded.

This involves ensuring that:

- Departure from Nucleate Boiling (DNB) is unlikely to occur on the most limiting fuel rod,

- fuel melting temperature will not be reached in any part of the core, which translates into a limit of 590 W/cm on the maximum local Linear Heat Generation Rate (LHGR).

In normal conditions, the Reactor Control, Surveillance and Limitation system (RCSL, Volume 2 – Chapter G.4) acts to automatically maintain core parameters to well below fuel integrity limits.

For perturbed conditions, if the intervention of the RCSL system is insufficient to control the deviation and return the core to safe conditions, a reactor trip is initiated by the Protection System (Volume 2 – Chapter G.3). It is noted that, as the RCSL is not classified F1, credit for its actions cannot be taken in the analysis of design basis events (see Section 5.2.2.5).

b) For design basis incidents or accidents (PCC-3 and 4, see 5.2), Departure from Nucleate Boiling is tolerated provided it affects only a limited number of fuel rods (< 10%) and the second containment barrier is not breached (i.e. excluding LOCAs). For those rods experiencing DNB, the cladding temperature must remain below 1482°C to avoid embrittlement of the cladding material.

Fuel melting temperature is also tolerated at the hottest spot in the core provided it does not exceed 10% of the fuel pellet cross section.

For fast reactivity transients like those resulting from a control rod ejection, an additional criterion is imposed on the maximum fuel enthalpy (220 cal/g and 200 cal/g for non-irradiated and irradiated fuel, respectively).

In all cases, the core geometry must be maintained so that decay heat can be removed.

Compliance with these criteria is ensured by the intervention of the Protection System, which initiates a reactor trip and, if necessary, actuates the safeguard systems.

c) Specific acceptance criteria are applied for loss of coolant accidents (see 5.2.2.1).


d) For all design basis events, core subcriticality must be achieved and maintained, relying only on safety-classified systems.

3.2.3. Reactivity control

Reactivity control is performed through the use of two functionally diverse means: control rods and soluble boron.

89 identical Rod Cluster Control Assemblies (RCCA) are thus implemented, 36 of them being used in power operation and the other 53 being reserved for reactor shutdown only.

Rapid shutdown of the reactor from any power operation state is obtained by the dropping of the control rods by gravity. The RCCA pattern is designed to provide a sufficient shutdown margin in a postulated adverse initial condition with one RCCA remaining stuck out of the core.

For longer term subcriticality control, an increase in the boron concentration is necessary to compensate for Xenon depletion and allow, if needed, a transition to a cold shutdown state.

In normal conditions, the required boron concentration during shutdown states is ensured by the Chemical and Volume Control System (CVCS, Volume 2 Chapter I.3.2), manually actuated by the operator. In shutdown conditions the subcriticality margin is defined so that the potential consequences of postulated abnormal events, like an uncontrolled RCCA withdrawal or boron dilution, causing an increase of reactivity, remain acceptable.

Since the CVCS is not classified F1, its action may not be credited in Design Basis Fault analyses. Boration is then ensured by a dedicated F1 system, the Extra Boration System (EBS), separate from CVCS (Volume 2 – Chapter F.7). The EBS is also designed to bring the reactor from a power state to a subcritical state when a complete failure of the reactor trip by the rods is postulated (Anticipated Transient Without Scram).

In the specific case of a loss of coolant accident (LOCA), long term subcriticality is ensured through boration by the Safety Injection System (Volume 2 – Chapter F.3).

It is to be noted that due to the high values of natural boron concentration needed at the beginning of the fuel cycle, which makes the control of the primary coolant pH more delicate, it has been decided to use boron enriched in 10B (Volume 2 – Chapter E.2).

3.2.4. Core control at power

During power operation, rod movements are used to compensate the reactivity effects accompanying power level changes; variations in boron concentrations are implemented to cover slow reactivity changes like those due to fuel depletion or Xenon transients.

The rod movements are automatically controlled so that the perturbation of the axial power distribution is minimised. This is achieved by varying the overlaps between the different rod banks. Such control precludes the generation of high power peaking factors and contributes to maintaining sufficient margins to the fuel design limits.


3.2.5. Core surveillance and protection systems

The core state is continuously monitored, with the primary goal of ensuring that the core parameters remain within the most adverse initial conditions postulated in accident analyses (LCO: Limiting Conditions of Operation). The monitoring is performed by the Reactor Control, Surveillance and Limitation System.

In addition to monitoring individual parameters like the neutron flux level or the control rod insertion, core surveillance involves an online calculation of the minimum Departure from Nucleate Boiling Ratio (DNBR). This calculation makes use of fixed in-core flux measurements from which a reconstruction of the 3D core power distribution is elaborated. The fixed in-core instrumentation is also used to estimate the maximum linear heat generation rate (LHGR).

Thresholds for the DNBR and LHGR surveillance channels are derived from the accident analyses. They are defined so as to provide sufficient initial margins to the safety limits to cover penalties in DNBR and LHGR that could result from abnormal events.

In the case where an LCO-related threshold of the RCSL system is reached, an alarm is generated which requires the operator to return the reactor to within the authorised operating envelope. If the deviation from the normal operating conditions is not terminated by the operator and worsens, further RCSL set-points will be reached that will initiate automatic actions ("limitations") such as blockage of rod withdrawal or partial dropping of the control rods ("partial trip") to rapidly reduce the power level and then restore margins with respect to the risk of DNB or fuel overheating.

The algorithms to calculate online the DNBR and the LHGR are also implemented in the Protection System to actuate a reactor trip. The trip set-points are determined to avoid Departure from Nucleate Boiling and Fuel Centerline Melting for the abnormal events during which the fuel integrity must be guaranteed.

The design of the DNBR and LHGR I&C channels, and their use in the design basis events analysis, is detailed in Volume 2 – Chapters D.4.4 and P.1.1.
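The graded response described in Section 3.2.5 (LCO alarm, then RCSL limitations such as rod withdrawal blocking and partial trip, then a Protection System trip) can be written out as independent threshold layers acting on the same reconstructed DNBR and LHGR values. The Python model below is an added illustration, not part of the safety case or of the RCSL/Protection System I&C design; every set-point value is constructed for the example (only the 590 W/cm LHGR limit comes from Section 3.2.2), and the point it demonstrates is that the Protection System trip is evaluated without relying on the RCSL being available, matching the statement that no credit is taken for the RCSL in design basis analyses.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Sample:
    dnbr: float   # minimum DNBR reconstructed from in-core flux (higher is safer)
    lhgr: float   # maximum local linear heat generation rate in W/cm (lower is safer)


# Constructed set-points (NOT values from the safety case). Each layer sits closer to the
# safety limit than the previous one, so the RCSL acts first and the Protection System last.
ALARM: Dict[str, float] = {"dnbr": 1.60, "lhgr": 500.0}        # LCO alarm: operator action
BLOCK: Dict[str, float] = {"dnbr": 1.50, "lhgr": 520.0}        # limitation: block rod withdrawal
PARTIAL_TRIP: Dict[str, float] = {"dnbr": 1.40, "lhgr": 540.0}  # limitation: drop some rods
TRIP: Dict[str, float] = {"dnbr": 1.30, "lhgr": 560.0}         # Protection System reactor trip
LHGR_LIMIT = 590.0   # fuel centreline melt limit quoted in Section 3.2.2


def exceeded(s: Sample, sp: Dict[str, float]) -> bool:
    """A set-point is exceeded when DNBR falls below it or LHGR rises above it."""
    return s.dnbr < sp["dnbr"] or s.lhgr > sp["lhgr"]


def setpoints_ordered() -> bool:
    """Sanity check: alarm before block before partial trip before trip, and trip below the limit."""
    dnbr_ok = ALARM["dnbr"] > BLOCK["dnbr"] > PARTIAL_TRIP["dnbr"] > TRIP["dnbr"]
    lhgr_ok = ALARM["lhgr"] < BLOCK["lhgr"] < PARTIAL_TRIP["lhgr"] < TRIP["lhgr"] < LHGR_LIMIT
    return dnbr_ok and lhgr_ok


def rcsl(s: Sample) -> Optional[str]:
    """Control, surveillance and limitation layer: returns the strongest limitation reached."""
    if exceeded(s, PARTIAL_TRIP):
        return "PARTIAL_TRIP"
    if exceeded(s, BLOCK):
        return "BLOCK_ROD_WITHDRAWAL"
    if exceeded(s, ALARM):
        return "ALARM"
    return None


def protection_system(s: Sample) -> Optional[str]:
    """Protection layer: a reactor trip, computed from the same inputs but independently of the RCSL."""
    return "TRIP" if exceeded(s, TRIP) else None


def respond(s: Sample, rcsl_available: bool = True) -> List[str]:
    """Actions raised for one sample. The trip decision never depends on rcsl_available."""
    actions: List[str] = []
    if rcsl_available:
        limitation = rcsl(s)
        if limitation:
            actions.append(limitation)
    trip = protection_system(s)
    if trip:
        actions.append(trip)
    return actions


def run(samples: List[Sample], rcsl_available: bool = True) -> List[List[str]]:
    return [respond(s, rcsl_available) for s in samples]


def first_index(results: List[List[str]], action: str) -> Optional[int]:
    """Index of the first sample at which a given action was raised, or None."""
    for i, actions in enumerate(results):
        if action in actions:
            return i
    return None


# Constructed LHGR ramp with DNBR held at a comfortable value (hypothetical transient).
RAMP = [Sample(1.8, x) for x in (480.0, 505.0, 525.0, 545.0, 565.0)]

if __name__ == "__main__":
    assert setpoints_ordered()
    print("with RCSL:   ", run(RAMP, rcsl_available=True))
    print("without RCSL:", run(RAMP, rcsl_available=False))
```

With the RCSL available the ramp produces alarm, rod withdrawal block and partial trip before the trip set-point is reached; with the RCSL unavailable the trip still occurs at the same sample, which is the behaviour the design basis analysis relies on.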

3.2.6. In-Core Neutron Flux Instrumentation

The core monitoring and protection relies on the capacity to predict and measure the three-dimensional power distribution.

This is achieved by the use of fixed Self-Powered Neutron Detectors (SPNDs) distributed over the core (Volume 2 – Chapter G.5.2.2). The information on the local power density provided by every SPND is processed by the Reactor Control, Surveillance and Limitation System and by the Protection System to elaborate a reconstruction of the core 3D power distribution. This power distribution, combined with measurements of other core parameters like pressure, inlet and outlet coolant temperature, coolant flow and control rod positions, is then utilised to calculate safety-relevant state parameters such as the minimum Departure from Nucleate Boiling Ratio or the maximum Linear Heat Generation Rate. The calculated values are compared to thresholds that initiate alarms requiring operator actions or actuate automatic protective actions.


The SPNDs are periodically calibrated to follow the evolution of the core burnup. The calibration is performed by comparing the SPND response with information delivered by a reference, movable, in-core measurement system that consists of stacks of vanadium alloy steel balls pneumatically transported into the reactor core inside the guide thimbles of the fuel assemblies (Aeroball system). The reference power distribution is elaborated from the measurement of the activation of the vanadium balls following their exposure to the core neutron flux (Volume 2 – Chapter G.5.2.1).

Both fixed and movable in-core instrumentation systems penetrate the reactor vessel from the top, thus avoiding multiple penetrations of the vessel bottom head and the associated risk of a loss of coolant accident due to a breach below the core elevation.

3.3. REACTOR COOLANT SYSTEM PRESSURE BOUNDARY

The design of the main primary system & components is described in Volume 2 - Chapters E.1 to E.4.

According to the logic of defence-in-depth, the RCS pressure boundary, as second barrier for radioactivity containment, must meet two requirements:

• a reduced initiating event frequency (increased operating margins, increased system inertia),

• a reduced impact if initiating events do occur.

The main features of the EPR reactor coolant system developed to achieve these goals are:

a) Main RCS piping is designed and manufactured using methods and materials that preclude the occurrence of double-ended guillotine ruptures as initiators of design basis events.

The break preclusion approach for the primary piping is detailed in Volume 2 – Chapter E.2.3. It encompasses:

- stringent design and manufacturing requirements that provide significant margins with respect to the potential damage mechanisms,

- surveillance measures to verify that the actual operating conditions (pressure and temperature loadings, water chemistry) remain within the design limits,

- an in-service inspection program to verify the absence of defects (all welds to be inspectable),

- demonstration that the water leak caused by a hypothetical through-wall crack can be reliably detected well before the crack can reach a size jeopardizing the integrity of the component ("Leak Before Break" concept).

Break preclusion is part of the strategy for reducing initiating event frequency; it implies a re-definition of the bounding primary side design basis accident, which becomes a break in the largest connected pipe, i.e. the surge line between the main reactor coolant piping and the Pressuriser.


However, the 2A-break of a main RCS pipe is still used as a loading case for the reactor inner containment (Volume 2 – Chapter F.2) and for the qualification of in-containment equipment for post-accident environmental conditions (Volume 2 – Chapter C.7). It is also the subject of a specific study to verify the design of the emergency core cooling system (to address the requirement that there should be no cliff-edge effects affecting the reactor core as a consequence of pipe breaks (see Volume 2 – Chapter S.3)).

b) Reactor pressure vessel: stringent design, manufacturing and in-service inspection measures are adopted to prevent risks of loss of integrity of the reactor vessel. Among them (Volume 2 Chapter E.3):

- the vessel is composed mainly of large forgings, which minimizes the number of welds,

- the two core shells, assembled by a circumferential weld (belt line weld), are free from discontinuities,

- a heavy reflector mounted around the sides of the core reduces the fast neutron fluence on the core shells and especially the belt line weld,

- strict requirements on the chemical composition of the base material, in particular limitations on the phosphorus and copper contents, are applied so that the temperature of transition to nil ductility (RTNDT) will not exceed +30°C at the end of the plant life (< -20°C at plant startup),

- all welds are accessible for periodic in-service inspection,

- the evolution of the base material properties is monitored through the irradiation of specimen capsules located within the vessel close to the core periphery,

- fracture mechanics analyses are conducted to demonstrate the tolerance to postulated defects; these analyses mainly concern the nozzles region (due to local stress level) and the core region (due to irradiation).

c) Reactor coolant pumps: the shaft seals are provided with a leak tight device intended to reduce the risk of coolant leakage in postulated situations where there is damage to the main standstill seals (e.g. total loss of electrical power or heat sink).

d) Steam Generators: the EPR steam generator design involves an increased inner volume (compared with designs prevailing in older generation reactors) to attenuate the impact of transients.

e) Pressuriser: an increase in the Pressuriser internal volume attenuates the impact of transients, in the same way as the increased volume of the steam generators and by correspondingly increasing reactor coolant volume.

f) Primary side pressure relief function: the top of the Pressuriser is equipped with two systems:

- the first discharges reactor coolant to a relief tank via three automatically-operated safety valves devoted principally to the protection of the RCS against overpressure transients.


- the second is specifically dedicated for severe accident situations and is manually actuated to discharge reactor coolant to the Pressuriser Relief Tank, with the object of reducing the pressure to below 2 MPa at vessel failure in case of a postulated core melt.

The design of the RCS pressure boundary against overpressure transients is presented in Volume 2 – Chapters C.6.1 and E.2.4.

g) In terms of installation, adjustments to the relative heights of the different components (RPV, reactor coolant loops and SGs) alleviate the need for mid-loop operation during shutdown phases.

3.4. SECONDARY SYSTEM PRESSURE BOUNDARY

The design of the secondary system is described in Volume 2 – Chapter J.

The break preclusion concept is applied to the portions of steam piping located between the steam generator outlet and the main steam isolation valves (MSIV). This implies that a break of this piping inside the containment is no longer considered as a design basis event. The break preclusion methodology, similar to that adopted for the main primary piping (3.3), is based on the application of suitable design, manufacturing, installation and in-service inspection requirements and is described in Volume 2 – Chapter J.5.

Nevertheless, in order to provide safety margins, a 2A break of the Main Steam Line inside the containment is considered for:

• the design of the containment (pressure, temperature), as well as the verification of the core criteria.

• the qualification of equipment for accidental environmental conditions in the containment,

• the design of SG supports and tube bundle (dynamic effects of secondary depressurization).

The overpressure protection of the secondary pressure boundary is discussed in Volume 2 – Chapter C.6.1. It is provided, on each steam line, by a Main Steam Relief Train (consisting of 1 isolation valve and 1 relief valve in series) and 2 safety valves.

The Main Steam Relief Trains are also utilised in accident conditions to remove residual heat by steam release to the atmosphere until the conditions for connection of the LHSI/RHRS are reached (Volume 2 – Chapter F.8). In the case of LOCA, an automatic cooldown can be implemented to quickly cool the RCS so that the delivery pressure of the Safety Injection System is reached more rapidly. Primary system cooldown and depressurisation is achieved by progressively reducing the opening setpoint of the relief valves (automatic or manual action).

The design of the secondary system is described in Volume 2 - Sections J.3 to J.6.

3.5. PROTECTIVE SYSTEMS

The systems considered in this section are those called upon following abnormal initiating events in order to ensure the three fundamental safety functions:


• Control of reactivity,

• Decay heat removal,

• Containment of radioactive materials.

The design of the EPR SSCs incorporates margins to reduce the consequences of postulated initiating events (thermal core margins, increased capacities of primary coolant system and steam generator secondary side) and to provide more time before safety limits are reached. This increases the possibility that automatic actions of the control and limitation systems will be able to return the reactor operating parameters to within the normal range. This is particularly the case for the Reactor Control and Limitation System (Volume 2 – Chapter G.4), which, depending on the detected disturbances, can initiate countermeasures like blocking control rod withdrawal, reducing turbine power or rapidly decreasing core power by dropping control rods.

However, since the control and limitation functions are not safety class F1, credit cannot be taken for their beneficial effect when analysing design basis faults (see 5.2.2.5). The three above safety functions are then ensured by the intervention of a reactor trip, actuated by the Protection System (Volume 2 – Chapter G.3) and, if necessary, by engineered safety systems. These systems, classified F1, are designed, qualified and operated according to stringent requirements in order to ensure a high reliability (Chapter E – Section 5.3). The Design Basis Events analysis (PCC2 to 4 events - Section 5.2.2.5) provides the basis for the specification of the required characteristics and performance of these systems (e.g. flow rates, response times, tank capacities). The design of the safety systems is further discussed in section 3.5.1 below.

According to the defence-in-depth principles, additional safety measures are introduced that aim at:

• further reducing the risks of core melt, which could be caused typically by multiple failures like the total loss of a safeguard system,

• in case core melt nevertheless occurs, limiting the releases of radioactive materials to the environment.

To achieve the first goal, the approach adopted is to ensure that a diverse means can be used as a backup whenever the total failure of a safeguard system induces a significant risk of core melt. The event sequences that fall into this category are identified by Probabilistic Safety Assessment. Depending on the type of sequence, the diverse system may be another, already existing, system, or an additional system specifically introduced to prevent the risk of core melt. For the additional systems, due to the low probability of the event sequences considered, it is acceptable to apply less stringent design requirements than for the normal safeguard systems and a safety classification F2 is therefore adopted. The deterministic analysis of the Risk Reduction Category A (RRC-A) event sequences provides the basis for the specification of the required characteristics and performance of the diverse systems. The acceptance criteria for the RRC-A events are the same as those of the Design Basis category PCC4, but they may be demonstrated using less conservative analysis rules (see 5.3). The diversity of these protective measures is further discussed in section 3.5.2 below.

The second goal (limitation of radioactive releases in case of core melt) is achieved through the implementation of a further set of additional design features intended mainly to preserve the containment integrity:

• Containment Heat Removal System (Volume 2 – Chapter F.2.7),

• Molten core retention, spreading and cooling device (Volume 2 – Chapter F.2.6),


• Hydrogen Catalytic Recombiners (Volume 2 – Chapter F.2.4),

• Diverse primary pressure relief valves (Volume 2 – Chapter E.4.8).

The design requirements for these systems, for which a F2 classification is adopted, are defined on a case-by-case basis and supported by deterministic analysis of selected severe accident scenarios (Risk Reduction Category B event sequences, see 5.4).

3.5.1. Safeguard Systems

The main safeguard systems are arranged in a four-train configuration:

• Safety Injection System (SIS, Volume 2 – Chapter F.3),

• Emergency Feedwater System (EFWS, Volume 2 – Chapter F.6),

• Steam Dump to the atmosphere (Main Steam Relief Train MSRT, Volume 2 – Chapter F.8).

The 4 trains are physically separated. Physical separation reduces the risks of dependent failures between redundant trains, in particular those that could result from internal hazards.

The four-train configuration is also adopted for the associated control systems (Volume 2 – Chapter G) and support systems:

• Emergency Power Supply System, each train being powered by its own Diesel Generator (Volume 2 – Chapter H.3),

• Component Cooling Water System (CCWS, Volume 2 – Chapter I.2.2),

• Essential Service Water System (ESWS, Volume 2 – Chapter I.2.1).

This architecture makes it possible for a system to fulfil its safety function even if one train is affected by a single failure while another train is unavailable due to preventive maintenance. In practice, each system is sized so that the safety acceptance criteria are met with only two trains in operation.

A twofold configuration is adopted for the following systems:

• Extra Boration System (EBS, Volume 2 – Chapter G.5),

• Containment Annular Space Ventilation System (AVS, Volume 2, Chapter F.6.2.2).

• Fuel Pool Cooling System (FPCS, Volume 2, Chapter I.1.3).

To comply with the single failure criterion, these systems are designed so that their safety functions can be fulfilled by only one train. Due to the 2-fold redundancy, preventive maintenance on these systems is generally not performed during power operation.


Two fold redundancy is also adopted for the reactor building containment isolation function, for systems connected to the Reactor Coolant System or to the inner containment atmosphere. Two isolation valves are generally provided, one being installed inside the containment and the other outside. The two valves are operated independently, which ensures that the containment isolation will be completed in spite of a single failure. In some cases (e.g. recirculation lines of the Safety Injection System), specific design provisions are made that allow the use of a single isolating valve, implemented outside containment (see Volume 2 – Chapter F.2.3).

The design of each safeguard system is described in Volume 2 – Chapter F, which in particular presents:

- its safety role,

- the limiting events considered for its design and the resulting performance requirements,

- the application of the single failure criterion,

- the principles for preventive maintenance and periodic testing.

Some significant features of the EPR safeguard systems are briefly reviewed below:

a) The Safety Injection System takes suction from the In-containment Refueling Water Storage Tank (IRWST). Water is injected into the cold legs of the reactor coolant system in the short term and into both hot and cold legs in the long term. Together with the heat exchangers in the Low-Head Safety Injection (LHSI) flow path, this concept ensures effective emergency core cooling without the need for a Containment Spray System for design basis accidents (a spray system of reduced size, the Containment Heat Removal System, is provided for containment cooling in case of severe accidents).

The delivery head of the Medium Head Safety Injection System (MHSI) is below the secondary safety valves setpoint, thereby reducing the amount of primary coolant that can be transferred to the secondary system in case of steam generator tube rupture.

The IRWST provides the source of emergency core cooling water. It is located inside the containment in order to avoid the requirement for switchover from injection to recirculation mode. In case of core melt accidents it provides water for corium cooling.

b) The Residual Heat Removal System is combined with the Low Head Safety Injection System. It transfers the residual heat from the Reactor Coolant System via the Component Cooling Water System and the Essential Service Water System to the ultimate heat sink (for Flamanville 3: sea water, Volume 2 – Chapter I.2.4).

c) The Steam Dump to the atmosphere is the safety-classified system which is used to remove residual heat by the secondary side when the Main Steam Bypass (to the condenser) is not available.

Following abnormal events, its role is to bring the reactor to the temperature and pressure conditions (180°C, 30 bar) at which the RHRS/LHSI can be connected to take over the reactor cooldown function.

In case of small or intermediate primary breaks (including steam generator tube ruptures), Steam Dump to the atmosphere is automatically actuated to perform a rapid cooldown and depressurisation of the Reactor Coolant System (at a rate of 100°C/h), to allow injection of water by the MHSI.


d) Each of the four trains of the Emergency Feedwater System provides injection to one of the four Steam Generators and takes suction from an Emergency Feedwater Tank.

Common headers are implemented upstream and downstream of the feedwater pumps. In normal operation, isolation valves ensure a complete separation between the four trains. These valves can be opened by the operator:

- to take suction from the water tank of a train whose feedwater pump is unavailable (single failure or preventive maintenance),

- in case of feedwater or steam line rupture, to redirect the feedwater flow of the EFWS train of the affected steam generator towards the three intact SGs.

For start-up and shutdown conditions, a dedicated Start-up and Shutdown Feedwater System is provided (Volume 2 – Chapter J.4.4), which reduces the frequency of Emergency Feedwater System actuation and contributes to the overall reliability of the feedwater supply.

e) The Extra Boration System (EBS) is implemented with the primary goal of providing a reliable means of borating the reactor coolant system in case of unavailability of the normal (not F1) method of boration using the Chemical and Volume Control System. The EBS is also used to ensure core sub-criticality following an Anticipated Transient Without Scram (ATWS).

3.5.2. Engineering Defence in Depth

Systems diversity is introduced as far as necessary to limit the risks of core melt that may result from common cause failures. The needs for diversity are identified by Probabilistic Safety Assessment (Volume 2 – Chapter R.3) and the demonstration of the effectiveness of the diverse means is performed by deterministic analysis of the RRC-A event sequences (Volume 2 – Chapter S.1).

Diversity can be provided between the trains of a redundant system or by another system, diverse from the system it has to back up. Both solutions are adopted for EPR.

Table 5-1 presents an overview of the diversity implemented to cope with common mode failures of F1 systems.

When another F1 system does not already exist that may be used as backup, dedicated F2 systems are implemented, e.g.:

a) Two small Diesel Generators ("SBO Diesels"), diverse from the 4 main Diesel Generators, supply power to 2 safeguard trains (1 and 4) in case of Station Blackout (Volume 2 – Chapter H.3).

b) A diverse I&C channel actuates reactor and turbine trip in case of failure in the Protection System.

This channel is implemented outside of the Protection System (in the Process Automation System). Protection against common mode failures in I&C systems is further discussed in Section 3.6.2.

c) A diverse train is added to the two main trains of the Fuel Pool Cooling System (Volume 2 – Chapter I.1.3).


This third train is cooled by the Ultimate Cooling Water System (Volume 2 – Chapter I.2.6), diverse from the main cooling chain CCWS/ESWS, and can be energized by an SBO Diesel.

d) The Containment Heat Removal System (primarily designed to protect the containment integrity in case of severe accidents, Volume 2 – Chapter F.2.7) provides a diverse means of long term cooling of the MHSI flow in case of a primary system break with total loss of the LHSI.

Since the event sequences involving the total loss of an F1 system have a low probability of occurrence, neither the application of the single failure criterion nor the consideration of unavailability resulting from preventive maintenance is imposed in designing these F2 systems. The redundancy of each system is decided on a case-by-case basis so that the probabilistic target for the core melt frequency (see Section 5.6.1) is satisfied.

3.6. I&C SYSTEMS

3.6.1. General features

A description of the Instrumentation and Control (I&C) Systems is given in Volume 2 - Chapter G.

The equipment for I&C encompasses measurement, closed and open loop controls, protection and monitoring systems as well as the human machine interface.

The I&C concept is characterized by the following important features:

• Process-oriented structure in functional complexes, with a decentralised arrangement, a hierarchical structure and a one-to-one match with the process redundancies.

• Clear separation of protection, open/closed loop controls and monitoring supervision functions.

• High degree of automation with extended use of digital technology.

• Strict standardization of signal conditioning and control interface levels.

• Centralized supervision, observation and operation in the Main Control Room which incorporates human factors engineering design features.

• Clearly defined hierarchy in the actuation of the controlled structures and components.

To match the systems to the tasks required in the important plant areas, the I&C systems are subdivided into:

• a Protection System (PS) for reactor trip and actuation of Engineered Safety Features,

• a Safety Automation System (SAS) for post-accident management, support functions of safety systems and management of PCC events.


• a Process Automation System (PAS) and a Turbine Generator I&C (TGI) system for control and monitoring in all normal operating conditions,

• a Reactor Control, Surveillance and Limitation System (RCSL) for control and monitoring of the reactor.

• a Process Information and Control System (PICS) for plant supervision and control,

• a Safety Information and Control System (SICS) for backup of Process information and control system (PICS).

The I&C systems involved in the protection against the design basis events are structured like the main safeguard systems (3.5) into four independent divisions, so that they can fulfil their functions despite a single failure and an additional unavailability due to a periodic test.

The automation I&C functions are implemented in digital I&C systems. Specific measures are taken:

- to limit the risks of a total loss of a safety I&C function due to a common cause failure,

- to provide backup I&C functions in case a common cause failure could induce a significant risk of core melt.

Apart from applying stringent design standards and physical separation between redundant I&C divisions that minimise the probability of occurrence of common mode failures, these measures encompass the implementation of an adequate functional, equipment or software diversity between the digital I&C functions.

For the human machine interface level, technological diversity is provided between the computerized Process Information and Control System and the conventional Safety Information and Control System.

3.6.2. Diversity and mitigation of common cause failures of digital I&C

The digital I&C systems of EPR are implemented in two diverse system platforms: TELEPERM XS and SPPA T2000 (formerly TELEPERM XP).

TELEPERM XS supports the Protection System and the Reactor Control, Surveillance (of LCOs) and Limitation Functions, while the Process Automation System (PAS) and the Safety Automation System (SAS) are implemented on the SPPA T2000 platform.

The credit taken for the use of two system platforms is justified by a diversity analysis. The analysis covers the online software of the automation systems, and the hardware modules used for digital processing such as processor boards, I/O modules and communication modules.

• All key electronic modules of TELEPERM XS and SPPA T2000 are either diverse in terms of components, manufacturing and software design, or do not use components identical in design and properties for functions taking credit from the diversity between the two systems.


• All programmable electronic modules of TELEPERM XS and SPPA T2000 are diverse in software. The design features of the system software, the libraries used for application software development and the hardware modules of TELEPERM XS and SPPA T2000 (TELEPERM XP) are different. Credit is therefore taken for this hardware and software diversity in designing an I&C architecture with different independent lines of defence, implemented respectively with TELEPERM XS and SPPA T2000.

• Hardwired electronic modules and electromagnetic devices with a low level of function integration such as passive isolation devices, resistors, capacitors, relays, transformers, cables, connectors and mechanical structures are not prone to simultaneous failures in various equipment packages and therefore not considered as potential causes of common mode failures.

This diversity makes it possible to implement on one platform a function that acts as a backup to a function of the other platform.

Common cause failures affecting the Protection System are then mitigated by implementing diverse backup functions in SPPA T2000 to trip the reactor and actuate safeguard systems as needed. The accident sequences for which diverse I&C functions have to be provided are identified on a case-by-case basis as part of the Probabilistic Safety Assessment, the objective being to meet the probabilistic targets in terms of core melt or large radioactive releases frequency (5.6). The adequacy of the diverse I&C functions is confirmed through the deterministic analysis of the Risk Reduction Category A event sequences (5.3.2).

Apart from being implemented between the two hardware platforms, some diversity is also introduced within the Protection System and the Reactor Trip System in order to prevent the occurrence of common mode failures:

• Two trip channels are generally available for the most frequent design basis events. These channels use different input signals and are processed in functionally isolated processing units of the PS.

• Two diverse means are used to switch off the control rod power supply in case of a reactor trip demand: trip breakers (general interruption of power to all rods) and trip contactors (dedicated to groups of four rods). The concurrent intervention of these two different devices makes it very unlikely that the control rod power supply is not interrupted following receipt of a trip signal from the Protection System.

The measures taken to cope with common mode failures in I&C systems will be addressed in more detail in a future step of the pre-licensing process (Volume 1 Chapter I).
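Sections 3.5.1, 3.5.2 and 3.6.2 make one quantitative argument in words: a four-train system sized for two trains tolerates a single failure plus a maintenance outage, but no amount of identical redundancy protects against a common cause failure, which is why a diverse (F2 system or second I&C platform) backup is added and why the diversity analysis must justify treating that backup as independent. The following Python block is an added illustration of that argument, not code from the safety case; it uses the standard single-parameter beta-factor common cause model, and every probability in it (per-train failure probability p, beta fraction, backup failure probability) is a constructed placeholder, not an EPR figure.

```python
"""k-out-of-n availability with a beta-factor common cause term.

Added illustration for the redundancy/diversity argument of sections 3.5
and 3.6. All numeric inputs are constructed placeholders, not values from
the EPR safety case.
"""
from math import comb


def credited_trains(n_trains: int, maintenance_outage: bool = True) -> int:
    """Trains that a design basis analysis may credit: one train is lost to
    the postulated single failure and, where maintenance at power is allowed,
    one more to preventive maintenance (the rule stated for the 4-train
    safeguard systems, which are sized so that 2 trains suffice)."""
    return n_trains - 1 - (1 if maintenance_outage else 0)


def k_of_n_failure(n: int, k: int, p: float) -> float:
    """Probability that fewer than k of n trains are available when each
    train fails independently with probability p (binomial tail)."""
    return sum(comb(n, a) * (1 - p) ** a * p ** (n - a) for a in range(k))


def system_failure(n: int, k: int, p: float, beta: float) -> float:
    """Beta-factor model (assumed here, a standard PSA simplification): a
    fraction beta of each train's failure probability is attributed to a
    common cause that disables all n trains at once; the rest is independent.
    The common cause share is a floor that redundancy cannot lower."""
    q_cc = beta * p            # shared cause, takes out every train together
    q_ind = (1 - beta) * p     # independent share per train
    return q_cc + (1 - q_cc) * k_of_n_failure(n, k, q_ind)


def with_diverse_backup(primary_failure: float, p_backup: float) -> float:
    """A diverse backup is modelled as independent of the primary system.
    That independence is exactly the property the diversity analysis
    (different components, manufacturing and software) has to justify;
    if the backup shared the cause, this product would not apply."""
    return primary_failure * p_backup


def compare(p: float = 1e-2, beta: float = 0.1, p_backup: float = 1e-1) -> dict:
    """Four identical trains, two needed (n=4, k=2), under three models,
    plus the alternative of adding a fifth identical train instead of a
    diverse backup. Inputs are placeholders."""
    n, k = 4, 2
    independent_only = system_failure(n, k, p, beta=0.0)
    with_ccf = system_failure(n, k, p, beta)
    five_identical = system_failure(n + 1, k, p, beta)
    backed_up = with_diverse_backup(with_ccf, p_backup)
    return {
        "credited_trains_at_power": credited_trains(n),
        "independent_only": independent_only,
        "with_ccf": with_ccf,
        "five_identical_trains": five_identical,
        "ccf_with_diverse_backup": backed_up,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:26s} {value:.3e}" if isinstance(value, float) else f"{name:26s} {value}")
```

With the placeholder inputs, the independent-failure estimate for 2-of-4 is a few times 10^-6, but once a 10% common cause share is assumed the system failure probability sits just above beta times p (about 10^-3), a fifth identical train moves it by less than 0.3%, and only the independent diverse backup brings it down by the backup's own failure probability. That is the shape of the argument behind the F2 diverse systems of 3.5.2 and the two I&C platforms of 3.6.2; the real case rests on the plant-specific PSA, not on these numbers.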

3.7. PLANT LAYOUT

The Reactor Building is located in the centre of the plot plan, surrounded by the 4 Safeguard Buildings and the Fuel Building which contain the safety systems. The different trains of the safety systems are located in physically separate divisions (Volume 2 – Chapter B.2).

In particular, each division contains one train each of the Low Head Safety Injection/Residual Heat Removal System, the Medium Head Injection System and the Emergency Feedwater System. The related electrical systems as well as the instrumentation and control systems are also located in these divisions.


The Reactor Building, the Fuel Building and the four Safeguard Buildings are all protected against external hazards, such as earthquake and explosion pressure wave. All these buildings are situated on a common raft.

Protection against Airplane Crash is achieved by full hardening of Safeguard Buildings 2 and 3, the Reactor Building and the Fuel Building. The Main Control Room and the Remote Shutdown Station are located in the fully hardened Safeguard Buildings.

Safeguard Buildings 1 and 4 are not fully hardened, but are geographically separated, so that only one division would be affected, the other remaining operable.

3.8. CONTAINMENT FUNCTION

The third containment barrier is the ultimate means for protecting the environment from the radiological impact of an accident in case of failure of the first two barriers, particularly one involving core meltdown. In such cases, protection of the population in the vicinity of the plant and compliance with the relevant radiological objectives rely on a set of constructional requirements applied to buildings, equipment and systems under the heading "containment function".

These requirements are intended to ensure that radioactive products will be confined within the buildings concerned, whether in the reactor building itself, or in any of the peripheral buildings which may be contaminated via their connections with the reactor building.

Leaktightness requirements are thus defined for all buildings potentially affected by different accident conditions.

3.8.1. REACTOR CONTAINMENT

The design of the reactor containment and the associated systems is detailed in Volume 2 – Chapters C.5.1 and F.2.

The containment is a double-wall structure founded on a basemat (foundation raft).

The inner containment shell is a pre-stressed concrete structure with a steel liner installed on the inner surface including the basemat, thus forming a continuous surface.

The outer containment shell is a reinforced concrete structure. It guarantees protection against external hazards such as airplane crash and explosion pressure wave, and withstands the loads of a Design Basis Earthquake.

The two shells are separated by an annular space which is kept under sub-atmospheric pressure in order to collect the leaks through the inner containment and to filter them before they are released to the environment, in case of accidents.

The volume of the inner containment is approximately 80,000 m³. The inner shell and basemat are designed to remain leaktight within the specified leakage criterion of 0.3% per day of the volume of gas inside the containment at a maximum pressure of 5.5 bar abs, which is the design pressure under accident conditions, at a temperature of 170°C.


The containment is accessible during normal power operation. The possibility of access is used for optimising refueling outage operations and minimising operator dose. For this purpose, the reactor building is subdivided into a non restricted area (operating floor, annular space outside secondary shield) and a restricted area. Adequate ventilation paths are provided to enable accessibility.

As part of the defence-in-depth approach, the following features have been introduced mainly to allow for phenomena associated with low pressure core melt scenarios. Their aim is to preserve containment leaktightness and minimise radioactivity releases in case of severe accidents:

• elimination of all leakage paths with the potential to provide a direct path to the environment. To this end, the reactor is designed so that all the containment penetrations emerge in peripheral buildings, thus enabling recovery of any leakage,

• incorporation into the containment of a water storage tank used, in particular, to control design basis and severe accidents. This in-containment refueling water storage tank (IRWST) is located so as to permit direct suction from the tank by the dedicated systems in the safeguard buildings, reducing the likelihood of failures associated with changeover to recirculation operation.

• provision of a catching and spreading system for the corium produced by a core meltdown following low pressure discharge of the molten core material from the reactor pressure vessel. In terms of civil structures, this includes a channel placed vertically below the reactor pressure vessel, which catches the corium, then conveys it by gravity to a large spreading compartment. This area has a layer of protective sacrificial material that protects the basemat, which is itself thicker than in previous reactors, thus avoiding corium-to-basemat concrete interaction and precluding melt-through. Supply of water from the IRWST after spreading of the corium into the spreading area is actuated passively by the heat produced by the corium,

• the inner containment (and its pre-stressing system) is designed to allow for the effects of pressure (and temperature) associated with the different core melt scenarios considered, including the effects of a deflagration involving the maximum amount of hydrogen that could be generated by such scenarios,

• addition of an active ultimate containment heat removal system, based on containment spray and removal of residual heat from the corium. This system which is made up of two identical cooling trains is designed to remove residual heat from the containment without venting being necessary. The operation of both trains, supplied by the IRWST, is required for the first 15 days of the accident. After this period, one train is sufficient to remove residual heat,

• increase of containment design margins by providing extended "grace periods" for operator action. The first of these relates to the inner containment and aims at ensuring that the containment design pressure will not be exceeded within the first twelve hours after the start of a core melt scenario without forced circulation in the ultimate containment heat removal system. The second applies to the outer containment and requires that sub-atmospheric pressure is maintained in the space between the inner and outer containments for a period of several hours after the start of core melt, without venting.


3.8.2. PRESSURE DESIGN OF THE INNER CONTAINMENT

The addition of a steel liner serves to separate the leaktightness aspect from the pressure withstand capability within the overall containment function. Thus containment leaktightness is ensured by the steel liner and pressure resistance is provided by the concrete inner containment wall and its pre-stressing system. This approach is similar to that applied in French 900 MW PWRs.

In light of the experience gained in designing such containments, the EPR design has been based on the concept of absolute design pressure, which is the basis for design of the entire civil structure, and specifically the pre-stressed concrete. The absolute design pressure is an envelope of the pressure levels reached under accident conditions postulated in the reactor design, including design basis transients and accidents (Plant Condition Categories 2 to 4) and multiple failure sequences and core melt accidents (Risk Reduction Categories A and B). On the basis of these transient analyses, the design pressure of the EPR inner containment has been set at 5.5 bar abs associated with a design temperature of 170°C (Volume 2 – Chapter F.2.1.3).

It is to be noted that, according to the defence-in-depth principle, double-ended ruptures of the main primary pipes and main steam lines are considered to determine the pressure and temperature loadings of the inner containment, although they are not part of the list of design basis events due to application of the Break Preclusion concept.

To demonstrate that the inner containment design is achieved in terms of both Ieaktightness and pressure resistance, an initial test is performed in air, at ambient temperature. A pressure of 6 bar abs is imposed to account for the effects of temperature on the steel liner and for the thrust that would be exerted by the liner on the concrete structure at the design temperature (170°C). The stress measured at this pressure serves as verification of inner containment pressure resistance.

As part of the defence-in-depth approach, a study is also conducted to verify that the inner containment will remain leak tight at even higher pressure levels. An absolute pressure of 6.5 bar abs has been defined for this verification (Volume 2 – Chapter C.5.0).

3.8.3. BUILDINGS INVOLVED IN THE CONTAINMENT FUNCTION AND CONTAINMENT BYPASSES

The EPR layout is designed so that all containment penetrations emerge in peripheral buildings: the latter therefore play an important role in containing radioactive products. The buildings of interest are the four divisions of the safeguard building, the fuel building and, to a lesser extent, the nuclear auxiliary building. In this context, the buildings are subject to leaktightness criteria for situations in which they may be used for leakage recovery (Volume 2 – Chapter F.2.1.2).

Containment bypass identification and prevention has relied on experience gained from analyses of existing reactors, with allowance for the specific features of the EPR. Three groups of potential bypasses have been identified and analyzed, which are:

• bypasses induced by initiating events via circuits connected to the reactor coolant system due to failure of reactor coolant pressure boundary isolation. The main systems involved are the Safety Injection/Residual Heat Removal system (SIS/RHR), the Chemical and Volume Control System and the Nuclear Sampling System,

• bypasses induced by accident sequences such as a steam generator tube rupture with stuck open relief or safety valves,


• bypasses induced by severe accidents or core melt sequences such as single or multiple steam generator tube ruptures due to core melt.

Some of these bypasses are precluded by specific design measures (e.g. rupture of the check valves in the SIS/RHR injection lines in the reactor coolant system cold legs in power operation). Others are mitigated so that they do not lead to core melt (e.g. break in the SIS/RHR system during RHR operation).

The containment function also involves situations where the RCS is open and the core has been offloaded and stored in the fuel pool. For these "open" scenarios, deadlines are imposed for the re-closure of the equipment hatch cover.

This aspect of design is described in Volume 2 - Chapter B.9.2.


4. PLANT COMMISSIONING

Plant commissioning tests cover all operations performed on equipment, systems and structures to ensure their successful operation in compliance with design requirements, specifically those that are safety-classified.

A preliminary test program is described in Volume 2 – Chapter N. The tests are carried out in three main phases:

Pre-operational tests:

• Phase I: includes preliminary tests and initial start-up of equipment, functions or groups of functions without any interaction between the reactor coolant system or its auxiliary systems and the secondary systems;

• Phase II: includes cold and hot functional tests of the reactor coolant and secondary systems prior to fuel loading.

Initial start-up tests:

• Phase III: includes core loading, cold and hot pre-critical tests and actual start-up including “Demonstration Run” up to “Commercial Operation Date”.

The start-up tests include:

• Standard start-up tests, which are designed to verify the proper operation of installed equipment and compliance with the relevant performance objectives;

• Tests which are repeated at different power levels during power escalation (core physics and control systems tests) for the purpose of confirming the validity of hypotheses used in operating and safety analyses and in protection system design at all power levels;

• Operating procedure validation tests: normal operating procedures are widely used in start-up testing and can thus be duly validated. Incident and accident procedures are validated, whenever possible, during plant unit commissioning. The latter are in any case tested by simulators or using computer codes.

• “First-of-a-kind” tests performed when needed in order to verify a concept not yet validated. Such tests may require specific instrumentation capable of confirming theoretical data.


5. FAULTS AND HAZARDS ANALYSIS

5.1. SCOPE OF FAULT ANALYSIS

The fault analysis is based primarily on deterministic analyses, complemented by a Probabilistic Safety Assessment.

Four Plant Condition Categories (PCC) and two Risk Reduction Categories (RRC) are considered in the safety analysis.

The Plant Condition Categories contain events caused typically by failure of one component, failure of a single I&C function, a single operator error, or a loss of offsite power. The safety analysis of the PCC events supports the deterministic design of the safety systems (Design Basis Events) (see Volume 2 – Chapter P).

Risk Reduction Category events are analysed in order to provide a framework for the design of additional equipment needed to meet probabilistic objectives for core melt/large radioactivity releases and to reduce the radiological consequences in case of a postulated low pressure core melt event. The corresponding scenarios are defined with the aid of Probabilistic Safety Assessment.

RRC-A events are principally related to the prevention of core melt. They are event combinations involving multiple failures, such as an initiating event combined with a common cause failure of a required safety system. The RRC-A events are analysed in Volume 2 – Chapter S.1.

RRC-B events, or Severe Accidents, are analysed to assist in the design of features for preventing large releases in case of a postulated core melt. They are addressed in Volume 2 – Chapter S.2.

In addition to the PCC and RRC categories, the fault analysis also covers events that have been excluded from the design basis for probabilistic or deterministic reasons but are nevertheless analysed in order to verify the absence of any cliff-edge effect in the plant safety demonstration (Volume 2 – Chapter S.3).

The deterministic analyses are complemented by a Probabilistic Safety Assessment, whose current state of progress is presented in Volume 2 – Chapter R.

Internal and external hazards are the subject of a separate treatment, which consists essentially in ensuring that the safety functions needed to bring the plant to a safe shutdown state are not unacceptably affected by hazards. The deterministic design against internal and external hazards is discussed in Volume 2 – Chapters C.3 and C.4. Hazards are also covered by the Probabilistic Safety Assessment to verify that they do not contribute predominantly to the risk of core melt or large radioactivity releases (Volume 2 – Chapter R.4).

The fault analysis is aimed at covering the whole plant life and all operating modes. In particular:

a) The shutdown states are explicitly addressed in the deterministic and probabilistic fault analyses:


- The list of Design Basis Events incorporates events occurring at shutdown (see 5.2.1 and Table 5-2), including refuelling outages; they are selected if they result from particular plant conditions specific to shutdown states or if their consequences are expected to be of a different nature and/or more severe than at power,

- The Probabilistic Safety Assessment separately addresses the shutdown states, with the objective of demonstrating that they do not contribute predominantly to the core melt frequency (5.6.1).

b) Maintenance is covered by postulating that equipment on which a maintenance operation is being performed when a design basis fault occurs is and remains unavailable for fault control and mitigation.

c) The commissioning period will be covered mainly by requiring that the plant be maintained within the bounding initial conditions (plant parameters, availability of protective systems) postulated in the fault analysis for the commercial plant life.

Given its unique characteristics, the plant decommissioning phase will be the subject of specific fault analysis.

5.2. DESIGN BASIS EVENTS

The design basis events are grouped into categories of transient initiators, based on their estimated frequency of occurrence and their environmental impact. Four categories are defined, referred to as Plant Condition Categories (PCCs):

• Plant Condition Category 1 (PCC1): normal operating conditions,

• PCC2: design basis transients (f > 10^-2/yr),

• PCC3: design basis incidents (10^-4/yr < f < 10^-2/yr),

• PCC4: design basis accidents (10^-6/yr < f < 10^-4/yr).

The identification of these events and their classification by category subsequently serves for the design of the systems intended to control them and to prevent unacceptable impact on the plant or its environment.

5.2.1. LIST OF DESIGN BASIS EVENTS

Due to the evolutionary nature of the EPR, the list of postulated events in the Plant Condition Categories has been developed starting from the lists established for previous PWR designs. It has been adapted and extended to account for:

- the central EPR objective of reducing the frequency of the initiating events,

- specific EPR design features,

- requirements of the French Safety Authority.

The extension of design basis events for EPR includes, in particular, consideration of the various reactor states in which the initiating events may occur and consideration of events occurring in peripheral buildings.


The list of PCC2 to PCC4 events is presented in Table 5-2.

As noted previously, due to application of the break preclusion concept, the double-ended guillotine break of a main coolant line (2A-LOCA) is not analysed as a PCC event. However, it is the subject of a specific study to verify the design of the emergency core cooling system (to address the requirement that there should be no cliff-edge effects affecting the reactor core as a consequence of pipe breaks, see Volume 2 – Chapter S.3). It is also considered as a load case for the containment design (Volume 2 Chapter C.5) and for the determination of the post-accident environmental conditions considered for the qualification of in-containment equipment (Volume 2 – Chapter C.7).

Although breaks in the main steam lines are excluded from consideration as a result of the break preclusion concept, a steam system pipework break is considered as a PCC4 event, to bound all cases of failure which could occur to any pipe connected to the main steam lines. It is also considered as a loading case for the containment design.

5.2.2. ANALYSIS RULES FOR DESIGN BASIS EVENTS

Basically, a conservative approach is adopted for analysing the PCC events, to demonstrate that the radiological consequences of the postulated faults will remain low.

This conservative approach is defined by a set of analysis rules and acceptance criteria which are detailed in Volume 2 Chapter P.1.0. The most relevant points are summarized below:

5.2.2.1. Acceptance criteria

The acceptance criteria have been defined taking into account the following objectives in terms of radiological consequences (Chapter E Section 3.2):

• PCC2: radiological consequences not to be higher than those resulting from normal operation. In the UK, a legal limit of 1 mSv/yr is applied to the effective dose to any member of the public from normal operation of a nuclear facility: effective doses due to EPR operation are expected to be only a small fraction of this level (see Volume 1 Chapter G.2)

• PCC3 and PCC4: no need for countermeasures for protection of the public (sheltering, evacuation, distribution of iodine tablets); to that end, the following limits are adopted, which have been agreed with the French regulator:

- effective dose < 10 mSv,

- thyroid equivalent dose < 100 mSv.

In practice, rather than determining the effective dose in each sequence analysed, decoupling criteria are used, which apply to thermal-hydraulic parameters representative of the plant states reached during the fault sequence. These are:

a) no fuel cladding failure in PCC2 events (no Departure from Nucleate Boiling, no fuel centerline melting).

b) no fuel cladding failure in PCC3 and PCC4 events involving a failure of the secondary side pressure boundary (e.g. main steam line break).


For other PCC3 and PCC4 events, the proportion of fuel rods experiencing DNB must remain lower than 10%.

c) Decoupling criteria for Loss of Coolant Accidents:

- peak cladding temperature must remain lower than 1200°C,

- maximum cladding oxidation must remain lower than 17% of the cladding thickness,

- maximum hydrogen generation must remain lower than 1% of the amount that would be generated if all the active part of the cladding had reacted,

- core geometry must remain coolable, i.e. calculated changes in core geometry shall be such that the core remains amenable to cooling,

- long term core cooling shall be ensured, i.e. the calculated core temperature shall be maintained at an acceptably low value and decay heat shall be removed.

Note: The radiological consequence calculations for LOCA are performed using the conservative (decoupling) assumption that clad failure occurs on 10% of fuel rods.

d) Peak cladding temperature must be lower than 1482°C for the fast transients which do not involve fuel cladding oxidation (e.g. rod ejection).

e) Maximum linear power density must remain lower than 590 W/cm in PCC2 events.

f) Fuel melting at the hot spot must not exceed 10% by volume in PCC3 and PCC4 events, i.e. considering a cross section of the hottest fuel rod at the elevation of the power peak, less than 10% of this area is allowed to reach the melting temperature.

5.2.2.2. Safe end state

The safety analysis is performed up to a “safe shutdown state”. This safe shutdown state is defined as:

- core subcritical (even after xenon depletion),

- stable decay heat removal by closed-loop line of cooling using LHSI/CCWS/ESWS,

- activity releases and barrier integrity within the prescribed limits for each PCC.

An intermediate step is introduced in the analysis, referred to as the “controlled state”, defined as the state in which the fast transient phase has ended and the plant is stabilised with:

- core subcritical,

- heat removal ensured (an open-loop line of cooling such as Steam Generators and the Emergency Feedwater System can be used),

- core coolant inventory stable.

5.2.2.3. Initial conditions

Events postulated in the safety analyses are assumed to occur during normal plant operation.


The initial conditions assumed in the safety analysis cover all possible standard reactor states from full power operation to cold shutdown including refuelling outage. Six standard reactor states are defined, from state A (power operation and hot and intermediate shutdown) to state F (core totally unloaded). They are described in Table 5-3.

Within the given standard reactor states, the most penalizing operating condition is considered with regard to the applicable PCC decoupling criteria. Physical parameters are assumed to be within the limits imposed by the plant controls or by the limiting conditions of operation (LCO functions). A conservative combination of parameters is considered, including uncertainties, deadbands and response times.

5.2.2.4. Operator actions

The benefit of operator actions may be credited after a period of grace starting from the moment when the first significant information is transmitted to the operator. This grace period is:

- 30 minutes for a manual action from the main control room,

- 1 hour for a manual action performed outside the main control room.

Operators are assumed to act according to Emergency Operating Procedures (EOP). Operator errors are addressed in the Probabilistic Safety Assessment.

5.2.2.5. Systems used in the PCC analysis

The way the operation of a system is accounted for in a PCC event analysis is dependent on its safety classification (F1/F2/NC) as defined in Volume 2 – Chapter C.2.

F1 systems

As a general rule, only the action of F1 systems is assumed when demonstrating compliance with the PCC acceptance criteria, with the following distinction between F1A and F1B systems:

- the controlled state must be reached relying only on F1A systems,

- the transfer from the controlled state to the safe shutdown state must be done relying only on F1A and/or F1B systems.

The performance of the F1 systems credited in the PCC event analyses is defined conservatively, in particular taking account of uncertainties in equipment characteristics and system actuation set-points, and assuming the most adverse environmental conditions.

A single failure is postulated. It is defined as any active or passive failure, independent of the initiating event, which affects all or part of any one item of equipment that has a beneficial effect on the transient.

It is to be noted that:

a) An active single failure must be considered to occur at any time after the beginning of the transient. A passive single failure needs only to be considered after 24 hours from the beginning of the transient.


b) A leak rate of 200 l/min is conventionally postulated for a passive single failure in a pipe; if the leak cannot be detected or isolated, it must be postulated that it might increase up to the flow rate corresponding to a complete pipe break.

c) A stuck control rod is considered as a single failure.

d) The non-closure of a safety valve after actuation is considered as a single failure.

e) The spurious opening of a safety valve is considered as an initiating event and not a single failure.

Finally, when preventive maintenance is scheduled on a train while a system is in demand or in standby mode, the PCC event analysis is conducted assuming this train is unavailable.

F2 and NC systems

In analysing PCC events, F2 or NC systems are assumed either to work properly or not to work at all. More specifically, the following principles are applied:

a) If a transient leads to the actuation of an F2 or NC system, and if the operation of this system has a beneficial effect, the PCC event analysis is performed ignoring the system.

b) If a transient leads to the actuation of an F2 or NC system, and if the operation of this system has an adverse effect, the PCC event analysis is performed considering that the system operates normally.

c) If a transient has no impact on F2 or NC system performance (no change of status, no change of operating and environmental conditions), and if the system was operating prior to the accident, the system is assumed to continue normal operation. No spurious actions due to mal-operation of the I&C system are assumed.

5.2.2.6. Superposition of loss of offsite power supply

In addition to being an initiating event by itself, loss of offsite electric power supply is also considered as a failure that can be superimposed on other PCC event sequences.

Both cases with and without coincidental loss of offsite power are considered for the PCC2 to PCC4 events, the following rules being applied in case of coincident offsite power loss:

- the acceptance criteria are those applied to Plant Condition Category 4,

- the loss of offsite power is postulated to occur at the most adverse time between the occurrence of the initiating event, the turbine trip and Safety Injection initiation,

- only benefits from seismically classified systems may be credited.
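As an added example (not code from the safety case or from the EPR project), the crediting rules of sections 5.2.2.5 and 5.2.2.6 written out as one decision procedure: which trains of which systems an analyst may rely on for the controlled state and for the safe shutdown state, with preventive maintenance, the active single failure and a coincident loss of offsite power applied. The system names, classes and train counts in `example_loss_of_feedwater` are constructed for illustration and are not taken from Table 5-5.

```python
"""Added example, not part of the UK-EPR safety case: a small model of how
sections 5.2.2.5 and 5.2.2.6 decide which systems may be credited in a PCC
event analysis.  All plant data below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class System:
    name: str
    safety_class: str             # "F1A", "F1B", "F2" or "NC" (Volume 2 Chapter C.2)
    trains: int = 1               # number of redundant trains
    effect: str = "beneficial"    # "beneficial" or "adverse" effect on the transient
    actuated: bool = True         # does the transient actuate it (F2/NC rules a, b)
    running_before: bool = False  # operating before the fault (F2/NC rule c)
    seismic: bool = False         # seismically classified (LOOP superposition rule)


@dataclass
class Assumptions:
    criteria_category: int                                   # PCC whose criteria apply
    credited: Dict[str, int] = field(default_factory=dict)   # F1 name -> trains credited
    assumed_operating: Set[str] = field(default_factory=set)  # F2/NC kept running
    ignored: Set[str] = field(default_factory=set)


def pcc_assumptions(pcc: int, systems: List[System], phase: str,
                    maintenance_on: Optional[str] = None,
                    single_failure_on: Optional[str] = None,
                    loop: bool = False) -> Assumptions:
    """Return the systems an analyst may rely on for one phase of a PCC event.

    phase: "controlled" (only F1A systems may be credited) or "safe_shutdown"
    (F1A and/or F1B).  One train is removed for preventive maintenance and one
    for the active single failure.  With a coincident loss of offsite power
    (LOOP) only seismically classified systems are credited and the PCC4
    acceptance criteria apply (5.2.2.6).
    """
    allowed = {"F1A"} if phase == "controlled" else {"F1A", "F1B"}
    out = Assumptions(criteria_category=4 if loop else pcc)
    for s in systems:
        if s.safety_class in ("F1A", "F1B"):
            if s.safety_class not in allowed or (loop and not s.seismic):
                out.ignored.add(s.name)
                continue
            lost = int(maintenance_on == s.name) + int(single_failure_on == s.name)
            remaining = s.trains - lost
            if remaining <= 0:
                # redundancy exhausted: the design basis cannot be met this way
                raise ValueError(f"{s.name}: no train left after postulated failures")
            out.credited[s.name] = remaining
        elif s.safety_class in ("F2", "NC"):
            if s.actuated and s.effect == "adverse":
                out.assumed_operating.add(s.name)       # rule b): assumed to operate
            elif not s.actuated and s.running_before:
                out.assumed_operating.add(s.name)       # rule c): continues operating
            else:
                out.ignored.add(s.name)                 # rule a): beneficial, ignored
        else:
            raise ValueError(f"unknown safety class {s.safety_class!r}")
    return out


def example_loss_of_feedwater():
    """Constructed illustration: a PCC3-type transient on a 4-train plant.

    Returns the assumptions for the controlled state (maintenance and single
    failure both on EFWS) and for the transfer to safe shutdown with a
    coincident loss of offsite power (single failure moved to LHSI).
    """
    plant = [
        System("EFWS", "F1A", trains=4, seismic=True),
        System("LHSI", "F1B", trains=4, seismic=True),
        System("MainFeedwater", "F2", trains=2, effect="beneficial", actuated=True),
        System("Spray_NC", "NC", effect="adverse", actuated=True),
        System("CVCS", "NC", effect="beneficial", actuated=False, running_before=True),
    ]
    controlled = pcc_assumptions(3, plant, "controlled",
                                 maintenance_on="EFWS", single_failure_on="EFWS")
    safe = pcc_assumptions(3, plant, "safe_shutdown",
                           maintenance_on="EFWS", single_failure_on="LHSI", loop=True)
    return controlled, safe


if __name__ == "__main__":
    for phase, a in zip(("controlled", "safe shutdown + LOOP"), example_loss_of_feedwater()):
        print(phase, "-> criteria PCC%d" % a.criteria_category,
              "credited:", a.credited, "assumed operating:", sorted(a.assumed_operating))
```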

5.2.3. RESULTS OF THE DESIGN BASIS EVENTS ANALYSES

The plant response to the various PCC events is described in Volume 2 Chapter P.2, which provides more detailed information on each transient. It is shown that the decoupling acceptance criteria for each Plant Condition Category are met.

The results of these accident simulations provide information:


• to verify that the radiological consequences of the PCC events are acceptably low,

• to establish the design and performance requirements for protective systems.

Results will further be used to define the boundaries of the normal operating domain within which the plant will have to be maintained so that the consequences of Design Basis Events are acceptable (Technical Specifications, Limiting Conditions of Operation LCOs).

5.2.3.1. Radiological consequences

Offsite radiological consequences have been calculated for a selection of transients. These calculations have been performed using the characteristics of the French Flamanville 3 site. They should therefore be viewed as preliminary assessments that will have to be adapted in a future step to the case of a UK site.

The methods and assumptions used for the assessment of radiological consequences are described in Volume 2 Chapter P.3. As a general principle:

• the calculation of the release of radioactivity is based on conservative assumptions (e.g. initial activity inventory in reactor coolant system and other systems, fraction of fuel cladding failure, retention rates etc),

• the calculation of the dose uses more realistic methods and assumptions, in order to provide a reasonable but still conservative estimate of the radiological consequences.

The following PCC events have been selected in order to cover the different plant initial states and scenarios for radioactivity release:

PCC2

- Loss of Condenser Vacuum

PCC3

- Loss of primary coolant outside containment

- Steam Generator tube rupture (1 tube)

PCC4

- Large break loss of coolant accident during power operation

- Loss of coolant accident in shutdown state

- Rupture of systems in the Nuclear Auxiliary Building after an earthquake

- Steam Generator tube rupture (2 tubes in 1 SG)

- Fuel handling accident (drop of a fuel assembly in the spent fuel pool)

The radiation exposure resulting from these events is presented in Table 5-4. The doses have been calculated over two timescales:


- 7 days, for a person present in the immediate vicinity of the site (500 m),

- 50 years, for a person living at a distance of 2 km.

For the PCC2 event (loss of condenser vacuum), the doses are very low and a small fraction of the UK legal limit for normal operation.

The effective dose resulting from PCC3 and PCC4 events is lower than 1 mSv, with the exception of the Fuel Handling accident (PCC4) for which it is 5.5 mSv. In all cases, the calculated effective doses are below the limits set out in Section 5.2.2.1.

Comparison of the radiological consequences with the UK numerical targets and limits for accident conditions will be provided later in the pre-licensing process.

It is noted that the radiological consequences of steam generator tube rupture events are well below the limits due largely to the following design provisions:

• The delivery head of the Medium Head Safety Injection System (MHSI) is below the secondary safety valves set point, thereby reducing the amount of water which can be transferred from the primary system to the affected steam generator secondary side.

• The detection of the affected steam generator credited in the safety analyses is based on a straightforward symptom (water level measurement in the affected steam generator). This initiates an automatic increase of the setpoint of the Main Steam Relief valves which eliminates the primary-to-secondary leak. Earlier manual actions based on the increased activity in the affected steam generator are possible, but they are not credited in the safety analyses.

• The steam generator secondary volume has been increased to provide a longer grace period with respect to the risk of water filling of the steam generator secondary side.

5.2.3.2. Protective systems design requirements

Table 5-5 indicates the main F1 systems which ensure the performance of the safety functions in design basis events. A more detailed account of all systems involved for a given PCC event is presented in the section of Volume 2 – Chapter P dedicated to that event. The general scheme of intervention of the F1 systems is the following:

a) Core subcriticality is ensured in the short term by dropping of the control rods, which is actuated by the Protection System; in the longer term, subcriticality is provided by injection of borated water by the Extra Boration System until operation of the LHSI/RHRS (non-LOCA events) or the Safety Injection System (LOCA events).

b) Decay heat removal is ensured in the short term by the secondary side systems (Emergency Feedwater System and Atmospheric Steam Dump System); these systems are further used to cool down and depressurise the reactor coolant system until the Low Head Safety Injection can be connected to provide decay heat removal in the long term (manual action).

In case of LOCA, a rapid cooldown by the secondary side is automatically actuated (-100°C/hr) to reach a primary pressure level that allows sufficient flow delivery by the Medium Head Safety Injection.


c) Containment is ensured by actuation of dedicated isolation devices. Any long-term in-containment heat-up is controlled by Low Head Safety Injection.

The transient studies are performed assuming the required minimum performance of these systems in terms of minimum flow rates, actuation thresholds or response times etc. The acceptability of the consequences of the PCC events confirms the adequacy of these minimum performance levels, which therefore serve as a basis for specifying the system design requirements. It is noted that the current PCC analysis is still not complete and that future studies may result in some quantitative changes in these requirements.

The PCC analysis also provides the verification that the F1 systems can fulfil their function despite a single failure or any unavailability that could arise from preventive maintenance. An active single failure and an additional unavailability due to preventive maintenance (if that maintenance is scheduled during plant operation) are systematically postulated for each design basis event analysis: thus it is demonstrated that the controlled state and the safe shutdown state (5.2.2.2) can be reached using only the remaining available trains.

The tolerance to a passive single failure is verified by dedicated analysis, as presented in Volume 2 – Chapter P.1.2. Since a passive single failure is postulated after 24 hours (5.2.2.5), it occurs when the plant has already been returned to a safe shutdown state. The analysis of its effects can thus be conducted generically for each F1 system involved in maintaining the safe state rather than on an event by event basis. The assessment shows that the consequences of passive single failures are limited, mainly due to:

- the possibility of detecting the failure and isolating the affected part of a system within 30 minutes from the main control room,

- the separation between the redundant trains, which limits the consequences of a failure to only one division.

The Emergency Feedwater System is a special case since it contains interconnections between its 4 trains. Although operation of this system is not required after 24 hours (long term decay heat removal by then is ensured by LHSI/RHRS), its tolerance to a passive single failure occurring at shorter times has been analysed to verify the absence of any cliff-edge effects. It is shown that the consequences of a leak affecting the headers connecting the 4 trains are acceptable, given the means of isolation and the capacity of the EFWS water tanks.

5.3. RISK REDUCTION CATEGORY A

Risk Reduction Category A (RRC-A) has been introduced in order to define a limited number of additional safety measures necessary to meet the overall probabilistic targets for core melt (Chapter E Section 5.4).

RRC-A covers event sequences (“complex sequences”) considered likely to lead to core melt due to multiple failures. Such sequences result either from a complete loss of an F1 function after occurrence of a PCC initiating fault, or from an adverse combination of independent events.

The list of RRC-A sequences to be addressed is derived from Probabilistic Safety Assessment (Volume 2 Chapter R.3). The current list is indicated in Table 5-6 (limited changes to that list are still possible to reflect the progress of the EPR detailed design and the safety case).


The deterministic analysis of the complex sequences is aimed at demonstrating the effectiveness of the safety measures implemented to reduce the risk of core melt to an acceptable level. In particular, it provides the design basis for the additional systems that must be introduced to meet that objective.

5.3.1. SAFETY MEASURES FOR MITIGATION OF COMPLEX SEQUENCES

These safety measures are essentially of two types, depending on the RRC-A sequence concerned:

a) provision of a dedicated system, diverse from the safety system whose complete failure is postulated as part of the RRC-A event definition.

These systems are classified F2, which means that they are designed with less stringent requirements than the F1 systems; in particular, application of the single failure criterion is not mandatory.

Examples are:

• provision of 2 SBO Diesel generators, diverse from the 4 main Diesel generators, to cope with a Station Blackout.

• provision of a diverse channel to trip the reactor and the turbine in case of ATWS caused by a failure in the Protection System; this channel is implemented outside of the Protection System (in the Process Automation System).

b) implementation of a dedicated operating procedure involving the use of systems originally designed to cope with PCC events. The most significant examples are:

• "Feed & Bleed" operation in the case of total loss of feedwater: manual opening of the Pressuriser safety valves to reduce the reactor coolant pressure to the delivery pressure of the Safety Injection System.

• Reactor Coolant System cooldown and depressurisation by the secondary side (in the case of total loss of cooling systems or loss of coolant accident with failure of MHSI): actuation of the Main Steam Relief Trains (or Main Steam Bypass if available).

5.3.2. ANALYSIS RULES FOR RRC-A EVENTS

As a general principle, since the RRC-A sequences are identified by PSA, the assessment of multiple failure (RRC-A) conditions is performed with more realistic assumptions than those applied to PCC events, in particular:

- the initial plant parameters are taken at their best estimate values,

- no single failure is postulated in addition to the multiple failures defined in the event sequence,

- the action of non F1 classified systems may be taken into account to mitigate the consequences of the accident, provided these systems do not operate outside their design range and cannot be made unavailable as a consequence of the event sequence.

The acceptance criteria are the decoupling criteria used for PCC4 events. The radiological consequences of RRC-A sequences are therefore implicitly limited to the radiological limits of PCC4 events, which removes the need for a specific radiological assessment of RRC-A sequences.

5.3.3. RESULTS OF THE RRC-A EVENTS ANALYSES

Volume 2 chapter S.1.2 presents the analysis of each RRC-A sequence of Table 5-6.

Due to the additional safety measures introduced in 5.3.1, the PCC4 decoupling criteria are met for all RRC-A events. It is also verified that, in cases where operator actions are required, a minimum grace period of 30 minutes is available.

5.4. INTERNAL & EXTERNAL HAZARDS

The protective measures against hazards consist essentially in ensuring that the safety functions needed to bring the plant in a safe shutdown state are not unacceptably affected:

- core subcriticality,

- decay heat removal,

- radioactivity containment.

This is mainly achieved through design provisions such as:

• the design of structures, systems and components so that they remain leaktight and/or operable under the loads induced by a hazard (typically applicable in case of earthquake),

• the redundant trains of safety systems are physically or geographically separated so that a hazard affecting one train cannot affect the others (typically applicable in case of internal hazards like a fire).

5.4.1. Internal hazards

The list of internal hazards taken into account in the EPR design is given in Chapter E – Section 5.5.1.

Protection against internal hazards is provided through:

• a geographical or physical separation between redundant trains of safety systems, so that a hazard affecting one train cannot impair the others,

• more generally, isolation means that limit the extension of an internal hazard (e.g. fire barriers, anti-missile walls),

• design of SSCs against specific loads induced by hazards (e.g. pipe whip, jet impingement, degraded ambient conditions).

The protective measures taken specifically against the different internal hazards and the analyses conducted to demonstrate their adequacy are defined in Volume 2 – Chapter C.4. The main objective is to ensure that a sufficient degree of redundancy remains available in the safety systems needed to bring the reactor to a safe shutdown state.

5.4.2. External hazards

The list of external hazards taken into account in the EPR design is given in Volume 1 Chapter E – Section 5.5.2.

The basic approach to external hazards is to consider them as load cases. Protection relies upon both the deterministic design of the structures and equipment with respect to reference load combinations and, for some hazards affecting only a part of the plant, on the geographical separation of the systems and components. The objective is:

• to ensure that the safety functions necessary for bringing the plant to a safe shutdown state will not be unacceptably affected,

• to limit the occurrence of induced internal or external hazards.

A preliminary analysis of the different external hazards, as developed for the Flamanville 3 site, is presented in Volume 2 – Chapter C.3. The analysis will be adapted to specific UK EPR site(s) later in the EPR licensing process.

A brief summary is given below regarding earthquake and airplane crash.

5.4.2.1. Protection against earthquake

Protection is provided by designing the systems, structures and components (SSCs) needed to fulfill the three fundamental safety functions (core subcriticality, decay heat removal, confinement of radioactivity) so that these SSCs can withstand the loads induced by earthquakes.

The SSCs concerned and their seismic classification rules (SC1 and SC2) are indicated in Volume 2 – Chapter C.2. Class SC1 typically contains the F1 systems necessary for the management of PCC events and the structures and components composing the containment barriers. The class SC2 consists of SSCs whose failure in case of earthquake could jeopardise SC1 SSCs. According to the type and function of a SSC, the requirements for its seismic design can be:

• Stability: capacity of a component to withstand loadings which tend to modify its position or orientation.

• Integrity: capacity of the pressure housing of a component to safely withstand the specified loadings.

• Functional capability: capacity of the pressure boundary of a component to withstand the specified loadings with limited deformation, so that the component function is not adversely affected by a possible flow reduction.

• Operability: the capacity of a system or system portion to accomplish its function during and/or after an earthquake.

The specific requirements applicable to each SSC are indicated in the corresponding chapter of Volume 2.

The design of the standard (not site-specific) part of the EPR plant uses a standard EUR (European Utility Requirements) spectrum with a horizontal acceleration of 0.25 g. Site-specific SSCs are designed with a spectrum enveloping the seismotectonic characteristics particular to the site (0.15 g in the case of Flamanville 3).

The choice of the seismic level and the conservative nature of the seismic design process ensure the existence of safety margins with respect to earthquakes. It will be verified for each EPR site that this seismic level is effectively conservative. If this analysis does not demonstrate a safety margin, a more detailed analysis of a selection of plant items will be performed, based on assumptions which remain conservative but are more realistic than those used for the design (e.g. modelling of the ground conditions, damping, seismic capacity).

As part of the defence-in-depth approach, the seismic design loads are combined with loadings resulting from certain PCC2 to 4 events, even if these events are independent of the occurrence of an earthquake:

• The combination of the loadings resulting from the Design Earthquake with those resulting from LOCA (guillotine break of the Pressuriser surge line) is taken into account for the design of the inner containment and reactor building internal structures.

• The combination of the loadings resulting from the Design Earthquake with those resulting from PCC2 to 4 events is taken into account in the dimensioning of SC1 equipment, even if the PCC event is not initiated by a failure of a non-seismic equipment item. The acceptance criteria associated with PCC4 are then adopted. These criteria ensure in particular the capacity of the equipment to withstand an earthquake in the long-term phase of an accident.

• The sequence of qualification of the seismic class 1 equipment (defined in Volume 2 – Chapter C.7) for accident conditions comprises a seismic test phase combined with irradiation and thermodynamic loadings.

The Design Earthquake is complemented by an Inspection Earthquake of 0.05 g. Dedicated instrumentation will be installed to detect seismic events exceeding this level. In the case of such events an inspection would be required to verify the plant integrity.

5.4.2.2. Airplane crash

Protection against aircraft crash is provided as follows:

• total protection is provided for buildings that could contain nuclear fuel. These buildings are protected by an "aircraft shell". This applies to the reactor building and the fuel building,

• protection is provided for buildings containing essential safety equipment, either by protecting them with an aircraft shell, or by ensuring sufficient geographical separation between redundant systems.

The design of the aircraft shell covers all aircraft types.

5.5. SEVERE ACCIDENTS (RRC-B EVENTS)

This is the second stage in the risk reduction approach adopted for the EPR design.

This second stage comprises two objectives:

a) Accident situations that could lead to an early containment failure and large early releases must be ‘practically eliminated’, through dedicated design and operating provisions.

b) Despite their expected low probability of occurrence, the low pressure core melt situations have to be mitigated so that their radiological consequences remain low and would necessitate only very limited protective measures (Volume 1 - Chapter E Section 3.2).

5.5.1. ‘PRACTICALLY ELIMINATED’ SITUATIONS

Accident situations involving core melt which could lead to large early releases have to be 'practically eliminated' by design measures or by analytical demonstration. To that end, the following events have been identified, for which specific preventive measures have to be implemented:

• core melt at high pressure resulting in direct containment heating (DCH).

• fast reactivity accidents.

• steam explosions which could threaten containment integrity.

• hydrogen detonations.

• containment bypass.

• fuel melting in the fuel pool.

The provisions introduced to avoid the occurrence of these events and the current state of the analyses supporting their design, mostly conducted with realistic methods and assumptions, are presented in Volume 2 Chapters S.2 and S.4. They are briefly reviewed below.

5.5.1.1. Prevention of core melt at high pressure

The objective is to transfer high pressure core melt sequences to the low pressure domain with a high reliability so that high pressure core melt sequences can be effectively discounted. This objective implies limiting the pressure in the reactor coolant system to the range of 15 to 20 bar at the moment of the reactor pressure vessel rupture in order that loads from ejected melt from the vessel (risk of Direct Containment Heating) and loads on the vessel supports and reactor pit structures can be withstood.

The objective is achieved by adding two redundant dedicated relief trains to the normal Pressuriser discharge system. The valves are manually activated by the operator on detection of a core outlet temperature exceeding a defined threshold (current value: 650°C). A grace period of at least 2 hours is available for this action (Volume 2 Chapter S.2.2.2).

5.5.1.2. Prevention of fast reactivity accidents

The accidents concerned correspond to heterogeneous boron dilution scenarios, in which:

- a water slug at low boron concentration is formed in the Reactor Coolant System or in a connected system,

- this water slug is subsequently transported to the reactor core, inducing an uncontrolled reactivity insertion.

Preliminary results presented in Volume 2 Chapter S.2.4 show that:

• the transport to the core of deborated water volumes larger than 4 m³ must be prevented to avoid a potential risk of core damage.

• automatic isolation of the CVCS suction line from the Volume Control Tank (Volume 2 Chapter I.2) brings a significant reduction in the probability of heterogeneous dilution scenarios arising from a malfunction of the CVCS makeup or operator error.

• with the proposed design, the probability of a water slug larger than 4 m³ being formed and transported to the core is then estimated as less than 10⁻⁸/r.y.

5.5.1.3. Prevention of steam explosions which could threaten the containment integrity

Fuel-coolant interaction is a process by which molten fuel transfers its thermal energy to the surrounding coolant, leading to break up of corium with possible formation of a coolable debris bed or potential evolution to an energetic steam explosion.

In-vessel steam explosion

A large in-vessel release of mechanical energy could threaten the reactor pressure vessel integrity. The assessment of the risk of such events is based on experimental studies of the thermal-hydraulic behaviour of prototypic corium and of the load-bearing capacity of the reactor vessel head.

It is concluded that the in-vessel steam explosion does not represent an unacceptable threat to the vessel integrity and that specific design measures to prevent it are not justified (Volume 2 - Chapter S.2.1.2).

Ex-vessel steam explosion

The reactor cavity is designed to avoid water accumulations in case of loss of coolant accidents (see Volume 2 - Chapter F.2). Therefore, at the time of the reactor vessel failure, corium which is discharged into the reactor cavity cannot come into contact with a large mass of water.

The compartment dedicated to melt spreading is also designed to be initially dry and only thin water films may develop because of steam condensation. The time delay associated with the flooding strategy outlined in Volume 2 - Chapter F.2.6 ensures the formation of crusts or viscous layers at the melt surface. Experimental data have shown that the flooding of the melt under these conditions, with low flow rate, does not lead to energetic interactions that could endanger the containment leak tightness.

5.5.1.4. Prevention of hydrogen detonation

The hydrogen control concept is based on the use of Passive Autocatalytic Recombiners installed in the Containment (Volume 2 – Chapter F.2.4).

The recombiners act so that the average hydrogen concentration in the whole containment does not exceed 10 vol%, which removes the risk of global detonation.

A range of representative and bounding scenarios has been simulated to verify that the pressure and temperature transient induced by a combustion of the non-recombined hydrogen would not jeopardise the containment integrity (Volume 2 – Chapter S.2.2.3).

5.5.1.5. Prevention of containment bypass

Core melt sequences involving containment bypass are all core melt events that result in the reactor coolant being connected directly with the atmosphere (whether the bypass is prior to or subsequent to the core melt) e.g.:

a) LOCA sequences involving breaks in systems connected to the Reactor Coolant System and partly located outside containment (e.g. SIS/RHR, CVCS, Vent and Drain System),

b) Bypass induced by steam generator tube rupture accident sequences,

c) Bypass induced by severe accident sequences,

d) Core melt situations occurring during shutdown states with an open containment building.

Protection against these sequences is mainly provided through (see Volume 2 – Chapter S.2.4.5):

• isolation features on the systems connected to the reactor coolant system and stringent requirements for the design of these systems to limit the risks of loss of integrity in case of core melt.

• the delivery head of MHSI being lower than the Main Steam Safety Valve opening pressure, which reduces the risk of radioactivity release via these valves in case of steam generator tube rupture(s); in addition, automatic shutdown of charging pumps on a “high steam generator water level” signal, limits the risk due to overfilling of the secondary side of a steam generator.

• the opening of the dedicated relief valves in core melt scenarios at high pressure which enables a rapid depressurization of the reactor coolant system, and thus reduces the loading on the systems connected to the reactor coolant system.

• ability to reliably isolate the containment before significant radioactivity releases could occur, in shutdown states with an open containment; in particular, the hatch can be closed manually within about 30 minutes from the first indication of an event which could escalate into a severe accident.

5.5.1.6. Prevention of fuel melt in fuel pool

A risk of fuel melt can arise in the case of total loss of the Fuel Pool Cooling System or in the case of complete water drainage. Provisions to avoid such risks include (see Volume 2 – Chapter I.1.3):

• the addition of a diverse train to the two main trains of the Fuel Pool Cooling System; the additional train uses a diversified heat sink and power supply so that the probability of pool steaming following a total loss of the Fuel Pool Cooling function is sharply reduced.

• specific design provisions against drainage, such as provision of automatic isolation of pipework connected to the bottom part of the fuel pool.

5.5.2. ANALYSIS OF LOW PRESSURE CORE MELT SEQUENCES

Deterministic analyses are conducted for low pressure core melt sequences in order to demonstrate that their radiological consequences meet the stringent objectives defined for EPR severe accidents (see Volume 1 Chapter E Section 3.2).

The mitigation of these radiological consequences requires that the integrity of the containment is preserved. The main challenges to the containment integrity to consider are:

- Hydrogen combustion,

- Containment overpressurisation,

- Corium-basemat (foundation raft) interaction.

Core melt scenarios are selected to be representative of the different in-vessel and in-containment physical phenomena. They are also chosen to provide boundary conditions for verifying the adequacy of the specific design provisions for mitigation of severe accidents i.e.:

- the dedicated depressurisation system (Volume 2 Chapter E.2.4),

- the hydrogen recombiners (Volume 2 Chapter F.2.4),

- the ex-vessel core melt spreading and cooling system (Volume 2 Chapter F.2.6),

- the containment heat removal system (Volume 2 Chapter F.2.7).

Selection and the analysis of these scenarios are presented in Volume 2 Chapter S.2.2. The results show that the envisaged design provisions are effective in preventing containment failure in cases of low pressure core melt, and that a sufficient time delay is available before operator action is needed.

Evaluation of the radiological consequences of severe accidents is described in Volume 2 Chapter S.3, using reasonably conservative data and assumptions, independent of the particular core melt scenario. Considering a leak rate of the containment of 0.3% vol/day (maximum specified leak rate under design pressure and temperature), it is shown that the radiological objectives are met, i.e.:

- evacuation or re-housing of the population is not necessary; only sheltering in the immediate vicinity of the plant might be necessary,

- the long term objectives are largely met.

5.6. PROBABILISTIC SAFETY ASSESSMENT

The Probabilistic Safety Assessment (PSA) is presented in Volume 2 – Chapter R.

In its current stage, the PSA is principally directed at a preliminary quantification of the core melt frequency (Level 1 PSA).

The analysis of the probability of large radioactivity releases (Level 2) is still only partially complete. An intermediate step has been to quantify the risk of loss of containment in case of core melt (Level "1+").

The commitment to further PSA work (Levels 2 and 3) in support of UK EPR pre-licensing is included in Volume 1 Chapter I.

It is to be noted that, apart from providing calculations of the integral frequencies of core melt and large releases, the EPR probabilistic safety assessment is also used:

• to confirm and supplement the list of initiating events considered in the design and to classify them into the different Plant Condition Categories,

• to ensure that the reactor safety features provide protection which is suitably balanced with respect to the initiating events, so as to eliminate scenarios with a dominant impact on the core melt frequency,

• to consolidate the list of RRC-A sequences (5.3),

• to provide a basis for judging whether certain core melt sequences, resulting in large early releases, can be practically eliminated, to supplement the deterministic measures taken to prevent them (5.5.1).

5.6.1. PROBABILISTIC TARGETS

A fundamental target for the EPR design is to keep the probability of core melt below 10⁻⁵/reactor.year, considering all types of fault and all initial reactor states (see Volume 1 Chapter E Section 5.4).

In practice, the following intermediate objectives are adopted:

• Internal initiating events (i.e. excluding hazards):

core melt frequency (CMF) < 10⁻⁶/r.y for power states

CMF < 10⁻⁷/r.y for any family of events; in addition, a family of events should not contribute more than 30% to the total CMF.

CMF in shutdown states lower than CMF for power states

preventive maintenance should induce only a minor part of the total CMF.

• Hazards:

CMF < 5×10⁻⁶/r.y for external hazards

CMF < 3×10⁻⁶/r.y for internal hazards

In addition, an objective of 10⁻⁷/r.y is set for the probability of large early releases, with a limit of 10⁻⁸/r.y for each type of event contributing to that risk.

5.6.2. LEVEL 1 PSA

The methods and data used for the Level 1 PSA for internal initiating events, and the results obtained are presented in Volume 2 – Chapter R.1.

The global probability of core melt resulting from internal initiating events is estimated at 6×10⁻⁷/r.y. In addition:

- the CMF for each family of events is lower than 10⁻⁷/r.y and does not contribute more than 30% to the global risk (see Table 5-7).

- shutdown states make only a minor contribution to the total CMF.

- preventive maintenance accounts for less than 15% of the global CMF.

These results cover scenarios involving fuel melt inside the reactor pressure vessel. A complementary analysis presented in Volume 2 – Chapter R.3 addresses the specific risk of fuel meltdown in the spent fuel pool that could be induced by a total loss of the fuel pool cooling system or by accidental drainage of the fuel pool. Preliminary results indicate that the probability of fuel melt for these scenarios is very low (< 10⁻⁸/r.y).

The probabilistic assessment for internal and external hazards is presented in Volume 2 – Chapter R.4. The hazards considered are those listed in Volume 1 Chapter E Section 5.5.

With regard to external hazards, this assessment has been conducted considering the specific characteristics of the Flamanville 3 site (e.g. seismic level, airplane crash probability, extreme weather conditions).

Preliminary results indicate Core Melt Frequencies of 8.4×10⁻⁸/r.y and 6.4×10⁻⁷/r.y respectively for internal and external hazards, showing compliance with the probabilistic objectives stated in 5.6.1.

5.6.3. LEVEL 2 PSA

As indicated above, a Level 2 PSA is in progress and the main results currently available concern the probability of containment failure in the case of core melt events (Level "1+" PSA).

The Level 1+ assessment is presented in Volume 2 – Chapter R.2. It consists in quantifying the risk of large radiological releases by identifying the risk of early or delayed containment failure in case of core melt. The analysis is carried out at a macroscopic level using simplified decoupling assumptions.

This assessment leads to the following results:

• probability of early containment failure = 3.9×10⁻⁸/r.y

• probability of delayed containment failure = 5.3×10⁻⁸/r.y

These results meet the 10⁻⁷/r.y objective for the frequency of large radioactivity releases.

It is noted that a failure of the containment will not necessarily result in a large release of radioactivity.

Source terms due to smaller more frequent releases will be quantified in the PSA Level 2 currently being developed.
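As an added worked example (not part of the safety case and not taken from Volume 2), the following Python encodes the probabilistic objectives of 5.6.1 and checks a set of PSA figures against them, including the per-family 30% rule and the early-plus-delayed containment failure sum. Only the targets and the headline results quoted in 5.6.2 and 5.6.3 are from the text; the per-family breakdown, the preventive-maintenance share, the 15% maintenance threshold and the per-event-type release contributions are constructed values chosen to be consistent with those headline figures.

```python
"""Checker for the EPR probabilistic targets of 5.6.1 against Level 1 / Level 1+ results.

Added example, not part of the UK-EPR safety case. Targets and headline totals are
from the text; FAMILIES, MAINTENANCE_FRACTION, MAINTENANCE_MAX_FRACTION and
RELEASE_CONTRIBUTORS are CONSTRUCTED for illustration (not Volume 2 values).
"""
from dataclasses import dataclass

# Objectives quoted in 5.6.1 (all frequencies per reactor-year, /r.y).
TARGETS = {
    "total_cmf": 1e-5,            # fundamental target, all faults and initial states
    "internal_power_cmf": 1e-6,   # internal initiating events, power states
    "family_cmf": 1e-7,           # any single family of events
    "family_max_fraction": 0.30,  # no family above 30% of the total internal CMF
    "external_hazards_cmf": 5e-6,
    "internal_hazards_cmf": 3e-6,
    "large_early_release": 1e-7,  # frequency of large early releases
    "release_contributor": 1e-8,  # per type of event contributing to that risk
}
# "Minor part" for preventive maintenance is not quantified in 5.6.1; the 15% reported
# as a result in 5.6.2 is used here as the acceptance threshold (assumption).
MAINTENANCE_MAX_FRACTION = 0.15


@dataclass(frozen=True)
class Family:
    name: str
    cmf: float              # core melt frequency attributed to this family, /r.y
    shutdown: bool = False  # True if the family belongs to shutdown states


def internal_total(families):
    """Total CMF from internal initiating events (power + shutdown states)."""
    return sum(f.cmf for f in families)


def check_internal_events(families, maintenance_fraction, t=TARGETS):
    """Violated 5.6.1 objectives for internal initiating events (empty = all met)."""
    findings = []
    total = internal_total(families)
    power = sum(f.cmf for f in families if not f.shutdown)
    shutdown = total - power
    if power >= t["internal_power_cmf"]:
        findings.append(f"power-state CMF {power:.2e} is not below {t['internal_power_cmf']:.0e}")
    if shutdown >= power:
        findings.append(f"shutdown-state CMF {shutdown:.2e} is not below power-state CMF {power:.2e}")
    for f in families:
        if f.cmf >= t["family_cmf"]:
            findings.append(f"family '{f.name}': CMF {f.cmf:.2e} is not below {t['family_cmf']:.0e}")
        share = f.cmf / total
        if share > t["family_max_fraction"]:
            findings.append(f"family '{f.name}': {share:.0%} of total CMF exceeds {t['family_max_fraction']:.0%}")
    if maintenance_fraction > MAINTENANCE_MAX_FRACTION:
        findings.append(f"preventive maintenance share {maintenance_fraction:.0%} exceeds {MAINTENANCE_MAX_FRACTION:.0%}")
    return findings


def check_hazards(internal_hazards_cmf, external_hazards_cmf, t=TARGETS):
    """Hazard CMFs against the separate internal / external objectives."""
    findings = []
    if internal_hazards_cmf >= t["internal_hazards_cmf"]:
        findings.append(f"internal hazards CMF {internal_hazards_cmf:.2e} is not below {t['internal_hazards_cmf']:.0e}")
    if external_hazards_cmf >= t["external_hazards_cmf"]:
        findings.append(f"external hazards CMF {external_hazards_cmf:.2e} is not below {t['external_hazards_cmf']:.0e}")
    return findings


def check_overall(internal_cmf, internal_hazards_cmf, external_hazards_cmf, t=TARGETS):
    """Sum of all contributions against the fundamental 1e-5/r.y target."""
    total = internal_cmf + internal_hazards_cmf + external_hazards_cmf
    return [] if total < t["total_cmf"] else [f"overall CMF {total:.2e} is not below {t['total_cmf']:.0e}"]


def check_large_release(early, delayed, contributors, t=TARGETS):
    """Level 1+ early + delayed containment failure against 1e-7/r.y, and each
    contributing event type against the 1e-8/r.y limit."""
    findings = []
    total = early + delayed
    if total >= t["large_early_release"]:
        findings.append(f"containment failure frequency {total:.2e} is not below {t['large_early_release']:.0e}")
    for name, value in contributors.items():
        if value >= t["release_contributor"]:
            findings.append(f"release contributor '{name}': {value:.2e} is not below {t['release_contributor']:.0e}")
    return findings


# Headline results quoted in 5.6.2 / 5.6.3 (hazard values use Flamanville 3 site data).
INTERNAL_HAZARDS_CMF = 8.4e-8
EXTERNAL_HAZARDS_CMF = 6.4e-7
EARLY_FAILURE = 3.9e-8
DELAYED_FAILURE = 5.3e-8

# CONSTRUCTED per-family breakdown, chosen to sum to the 6e-7/r.y total of 5.6.2.
FAMILIES = (
    Family("LOCA", 9.5e-8),
    Family("Loss of offsite power", 9.0e-8),
    Family("Loss of feedwater", 8.0e-8),
    Family("Steam generator tube rupture", 6.0e-8),
    Family("ATWS", 4.0e-8),
    Family("Secondary side breaks", 5.5e-8),
    Family("Other transients at power", 9.0e-8),
    Family("Shutdown-state events", 9.0e-8, shutdown=True),
)
MAINTENANCE_FRACTION = 0.12  # constructed, consistent with the "< 15%" statement

# CONSTRUCTED per-event-type contributions to large early release.
RELEASE_CONTRIBUTORS = {
    "high-pressure core melt (DCH)": 4e-9,
    "heterogeneous boron dilution": 5e-9,  # text: < 1e-8 for a slug larger than 4 m3
    "containment bypass": 6e-9,
    "fuel pool melt": 3e-9,
}


def all_findings(families=FAMILIES, maintenance_fraction=MAINTENANCE_FRACTION):
    """Run every check with the headline figures; returns the list of violations."""
    return (check_internal_events(families, maintenance_fraction)
            + check_hazards(INTERNAL_HAZARDS_CMF, EXTERNAL_HAZARDS_CMF)
            + check_overall(internal_total(families), INTERNAL_HAZARDS_CMF, EXTERNAL_HAZARDS_CMF)
            + check_large_release(EARLY_FAILURE, DELAYED_FAILURE, RELEASE_CONTRIBUTORS))


if __name__ == "__main__":
    print("document figures:", all_findings() or "all objectives met")
    # Variant: one family raised to 2.5e-7 breaks both the per-family limit and the 30% rule.
    worse = tuple(Family(f.name, 2.5e-7) if f.name == "Loss of offsite power" else f for f in FAMILIES)
    for line in all_findings(worse):
        print("variant:", line)
```

With the document's headline figures every check passes; raising a single family to 2.5×10⁻⁸ above the family limit, as the variant does, is reported twice, once against the absolute 10⁻⁷/r.y limit and once against the 30% share rule, which is the point of having both objectives: a family can satisfy one and still fail the other.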

6. RADIOLOGICAL & ENVIRONMENTAL IMPACT

The ALARA approach is applied to minimise the radiological impact of plant operation on site workers and members of the public (Volume 1 Chapter E Section 3).

6.1. OCCUPATIONAL EXPOSURE

The design provisions and measures introduced to minimise occupational collective dose are described in Volume 2 Chapter L. These measures make use of experience accumulated in the operation of existing PWRs in France and Germany and concern, in particular, the following aspects:

a) Minimization of sources of radiation:

Special attention is given to the choice of materials. Whenever possible, cobalt-based hard-facing alloys are avoided in systems containing primary coolant or in those which are directly linked to the reactor coolant system. As far as possible, the presence of nuclides like antimony and silver is limited (not used in alloys, cladding of control rods and secondary neutron sources).

Primary coolant chemistry is also an important contributor to source term reduction. A suitable chemical specification is implemented. Purification systems (demineralisers, degasifiers) are designed to reduce the fission and corrosion products in the primary coolant to as low as practicable.

b) Layout:

Layout contributes to reducing occupational exposure through features like proper zoning, separation of high radiation components, provision of ease of access to components, shielding, setdown areas, ventilation paths, etc. Details are given in Volume 2 Chapter L.3.

c) Maintenance and in-service inspection:

Components are designed to reduce the frequency of maintenance work and the necessary effort involved per operation.

Attention has been paid to potential reduction of doses during inspections; in particular, the number of welds to be inspected in areas with high local dose rates is kept at a minimum.

The most dose-inducing maintenance operations are the subject of specific provisions in order to:

- reduce the time or number of personnel required to perform them,

- allow the use of removal aids (rails, rings, lifting gear) and remote control equipment.

A first assessment of the collective dose to workers resulting from normal operation of the EPR, especially from outage operations, is presented in Volume 2 Chapter L.3. This total collective dose is assessed at 0.37 man.Sv/year.

This evaluation will be further refined in the future, in particular with the assessment of individual doses and the consideration of abnormal events.

6.2. OFF-SITE DOSES IN NORMAL OPERATION

The management of the radioactive wastes and the provisions made to limit their release into the environment are described in Volume 2 - Chapter K.

Volume 1 Chapter G and Volume 3 of this Fundamental Safety Overview present an assessment of the effective doses to the public resulting from expected gaseous and liquid radioactive waste releases.

Considering the specific conditions of the Flamanville 3 site in France, the effective annual dose to the persons of the public located in the vicinity of the plant is estimated as:

- 1 μSv due to liquid wastes (3 μSv for a specific group assumed to absorb more sea food),

- 3 μSv from gaseous wastes (6 μSv for the specific case of infants).

These values are well below the UK legal limit of 1 mSv/year described in Chapter E Section 3.2.

7. HUMAN FACTORS

A Human Factors Engineering Program is implemented with the general objectives to:

- provide operating personnel with the resources they need for their work, so that they can achieve the required performance in terms of safety, quality, reliability and availability,

- provide working conditions that minimise risks to health (conventional, non-radiological risks and radiological risks in particular).

This programme applies to the work situations that will arise during future operation (normal and abnormal operation, testing, planned shutdowns, equipment isolation, emergency situations, etc.) and maintenance. Its content and current results are presented in Volume 2 – Chapter Q.

The programme encompasses:

a) Systematic identification and analysis of the tasks to be performed to control, monitor and maintain the plant and their allocation between humans and automated systems.

Automation is adopted when it significantly improves safety, availability or cost, and applies more particularly to tasks that would otherwise be a likely source of human error (e.g. those requiring a short response time or the prior analysis of a large amount of information).


In accordance with the Design Basis Faults analysis rules (5.2.2.4), all actions required within 30 minutes of an accident to reach a controlled or safe shutdown state are automated.

b) Design of the Human-Machine Interface

This covers topics such as:

- layout of the control room floor and control room,

- design of the principles for information displays, controls, alarms and operator dialogs,

- coding and labeling conventions for control room and plant displays, controls and location aids,

- layout of hardwired control boards,

- design of the screen-based HMI, including HMI standard dialogues for access to information and controls, screen displays layout,

- control room physical environment (lighting, air conditioning requirements etc.),

- layout of operator work stations and work space.

These topics are developed in Volume 2 Chapters Q.3 and Q.4. The architecture of the related I&C systems is presented in Volume 2 Chapter G.

c) Control staff organization

The composition and role of the operating staff are defined according to the principle that process control and supervision be centralized in the Main Control Room.

It is assumed for the design of the control room that the plant is run by two operators (Reactor Operator and Turbine Operator) and one shift supervisor. The tasks they have to perform are indicated in Volume 2 Chapter Q.3.1.2.

d) Operator guidance development

The development and organization of the operating procedures is presented in Volume 2 Chapter M.

Besides constituting the means to perform overall process supervision and monitoring and allowing performance of elementary process control actions, procedures provide guidance for more complex tasks. This is ensured by:

- alarm sheets,

- procedures for normal operation (including startup and shutdown procedures),

- incident and accident procedures.


The operating instructions comprise the “operational method”, available on paper; and the operating procedures, shown on the screens of the computerised workstations (for the Process Information and Control System PICS) and on paper for the conventional workstations (Safety Information and Control System).

This aspect of the HMI is presented in Volume 2 Chapter Q.3.

e) Verification and validation

Verification and validation is embedded in the overall design process for the Human-Machine Interface, for the main control room and the remote shutdown station, and for the design of the individual I&C systems.

V&V includes verification of individual design specifications against the upstream requirements. Mockup and simulator tests are performed and the interaction with operating procedures, Human-Machine Interface and control room equipment will be tested.

In future design studies, the extent to which human error contributes to the general level of risk will be analysed and evaluated as part of the probabilistic safety assessment. This requires quantitative models for human behaviour, development of justifiable quantitative human error probabilities, and provision of suitable evidence that features included in the design are appropriate to the EPR general risk levels (Volume 2 Chapter R.2).

8. DECOMMISSIONING

The consideration of the future dismantling operations has been integrated in the EPR design process in order to:

• minimise the exposure of the decommissioning workers and the public to radioactivity, and more generally to hazardous materials,

• minimise the volume of radioactive wastes to be disposed of.

Measures to meet these objectives include:

• anticipation of the dismantling process by simulating activation of materials and postulating events potentially conducive to spread of contamination,

• use of feedback from large component maintenance worksites,

• choice of materials that help reduce system activation and the volume of active wastes, enhance fuel cladding strength and improve RCS corrosion and erosion resistance,

• construction measures aimed at facilitating dismantling operations and removal of contaminated structures and equipment, and permitting use of shields,

• measures applicable to systems to avoid radioactive build-up and spread of contamination, and to facilitate decontamination of rooms and equipment.

These measures are discussed in Volume 2 – Chapter T.


TABLE 5-1

EXAMPLES OF SYSTEMS DIVERSITY

Main Safety System (F1)                          | Systems usable as Backup (columns 2 to 4)
-------------------------------------------------|------------------------------------------------------------------------------
RCCA – Subcriticality by control rods            | Extra Boration System | Chemical & Volume Control System
PS – Reactor Protection System                   | Process Automation System (diversified trip signal)
MHSI – Medium Head Safety Injection System       | Accumulator Injection System + Depressurisation by Secondary Side | Low Head Safety Injection System + Depressurisation by Secondary Side | Fast Depressurisation via Secondary Side + Pressuriser Relief Valves
LHSI – Low Head Safety Injection System          | Medium Head Safety Injection System (for small breaks: Residual Heat Removal by Secondary Side) | Containment Heat Removal System (long term cooling of IRWST)
RHRS – Residual Heat Removal System              | RCS closed: Secondary Side Residual Heat Removal System | RCS open: Medium Head Safety Injection System + Steaming into the Containment
FPCS – Fuel Pool Cooling System                  | Third (diversified) FPCS train
Main Diesels                                     | SBO Diesels
CCWS/ESWS – Cooling Chain & Ultimate Heat Sink   | RCS closed: Secondary Side Residual Heat Removal System | RCS open: Low Head Safety Injection System + Steaming into the Containment (cooling of 2 LHSI pumps by the air-cooled trains of the Safety Chilled Water System) | Ultimate Cooling Water System (heat sink for 3rd FPCS train)

Note: columns 2 to 4 indicate systems that are available to act as backup in case of total loss of the F1 system of column 1.


TABLE 5-2 (1/3)

LIST OF DESIGN BASIS EVENTS

PCC2: DESIGN BASIS TRANSIENTS

2a - Spurious reactor trip

2b - Feedwater malfunction causing a reduction in feedwater temperature

2c - Feedwater malfunction causing an increase in feedwater flow

2d - Excessive increase in secondary steam flow

2e - Turbine trip

2g - Loss of condenser vacuum

2h - Short term loss of offsite power (≤ 2 hours)

2i - Loss of normal feedwater flow (loss of all MFW pumps and of the startup and shutdown pump)

2k - Partial loss of core coolant flow (Loss of one RCP)

2m - Uncontrolled rod cluster control assembly (RCCA) bank withdrawal (state A)

2p - RCCA misalignment up to rod drop, without limitation function

2q - Startup of an inactive reactor coolant loop at an improper temperature

2r - CVCS malfunction that results in a decrease in boron concentration in the reactor coolant

2s - CVCS malfunction causing increase or decrease in reactor coolant inventory

2t - Primary side pressure transients (spurious Pressuriser spraying, spurious Pressuriser heating)

2v - Uncontrolled RCS level drop

2w - Loss of one cooling train of the SIS/RHRS in RHR mode

2x - Loss of one train of the Fuel Pool Cooling System (state A)


TABLE 5-2 (2/3)

LIST OF DESIGN BASIS EVENTS

PCC3: DESIGN BASIS INCIDENTS

3a - Small steam or feedwater system piping failure including break of connecting lines (no greater than DN 50) to SG (states A and B)

3b - Long term loss of offsite power (> 2 hours) (state A)

3c - Inadvertent opening of a Pressuriser safety valve

3d - Inadvertent opening of a SG relief train or of a safety valve (state A)

3e - Small break (not greater than DN 50) including a break occurring on the Extra Boration System injection line (states A and B)

3f - Steam Generator tube rupture (1 tube)

3g - Inadvertent closure of one/all main steam isolation valves

3h - Inadvertent loading of a fuel assembly in an improper position

3i - Forced decrease of reactor coolant flow (4 pumps)

3k - Leak in the gaseous waste processing system

3m - Uncontrolled rod cluster control assembly (RCCA) bank withdrawal (states B,C and D)

3p - Uncontrolled single rod cluster control assembly withdrawal

3q - Loss of primary coolant outside the containment

3r - Long term loss of offsite power (> 2 hours), fuel pool cooling aspects (state A)

3s - Loss of one train of the Fuel Pool Cooling System (state F)

3t - Isolable piping failure on a system connected to the fuel pool


TABLE 5-2 (3/3)

LIST OF DESIGN BASIS EVENTS

PCC4: DESIGN BASIS ACCIDENTS

4a - Long term loss of offsite power in state C (> 2 hours)

4b - Steam system piping break (states A and B)

4c - Feedwater system piping break (states A and B)

4d - Inadvertent opening of a SG relief train or safety valve (state B)

4e - Spectrum of RCCA ejection accidents (states A and B)

4f - Intermediate and large break LOCA (up to the surge line break, in states A and B)

4g - Small break LOCA (not greater than DN 50) including a break in the EBS injection line (states C and D)

4h - Reactor Coolant Pump seizure (locked rotor)

4i - Reactor Coolant Pump shaft break

4k - Steam Generator tube rupture (2 tubes in 1 SG) (state A)

4m - Fuel handling accident

4p - Boron dilution due to a non-isolable rupture of a heat exchanger tube (states B, C, D)

4q - Isolable Safety Injection System break (≤ DN 250) in residual heat removal mode (states C, D)

4r - Safety Injection System break in residual heat removal mode, fuel pool drainage aspects (state E)

4s - Rupture of radioactivity-containing systems in the Nuclear Auxiliary Building


TABLE 5-3

STANDARD REACTOR STATES

Notes:

(1) This pressure limit depends on the I&C design (e.g. 120 bar with respect to overcooling and 60 bar for isolation of the accumulators).

(2) RCS can be rapidly re-closed when partly open (e.g. vent line).

(3) During 3/4 loop operation after core refuelling the containment can be open.

(4) State F is similar to state E; the only difference is that the core is totally unloaded.


TABLE 5-4

RADIOLOGICAL CONSEQUENCES OF DESIGN BASIS EVENTS

All doses in Sv. Short term: 500 m, 7 days (Adult and Child). Long term: 2 km, 50 years (Adult).

Event                                                   Dose            Short term    Short term    Long term
                                                                        Adult (Sv)    Child (Sv)    Adult (Sv)

DESIGN BASIS TRANSIENTS (PCC2)

Loss of condenser vacuum                                Effective dose  1.9 E-5       2.5 E-5       6.9 E-5
                                                        Thyroid         2.2 E-4       4.0 E-4       1.7 E-5

DESIGN BASIS INCIDENTS (PCC3)

Loss of primary coolant outside the containment         Effective dose  5.6 E-6       6.0 E-6       6.8 E-6
                                                        Thyroid         1.7 E-5       2.9 E-5       1.3 E-6

Steam generator tube rupture                            Effective dose  1.9 E-4       2.0 E-4       1.2 E-4
                                                        Thyroid         3.3 E-4       5.9 E-4       2.5 E-5

DESIGN BASIS ACCIDENTS (PCC4)

Large break LOCA (at power)                             Effective dose  2.9 E-4       2.3 E-4       1.4 E-4
                                                        Thyroid         2.4 E-4       3.9 E-4       1.9 E-5

LOCA in shutdown state                                  Effective dose  2.3 E-5       2.2 E-5       1.4 E-4
                                                        Thyroid         9.3 E-5       1.5 E-4       7.0 E-6

Multiple failure of components in Nuclear Auxiliary     Effective dose  3.8 E-4       3.8 E-4       7.3 E-5
Building                                                Thyroid         2.1 E-4       3.1 E-4       1.7 E-5

Steam generator tube rupture (2 tubes)                  Effective dose  4.6 E-4       4.8 E-4       5.0 E-4
                                                        Thyroid         1.1 E-3       1.9 E-3       8.6 E-5

Fuel handling accident                                  Effective dose  5.5 E-3       5.5 E-3       6.1 E-4
                                                        Thyroid         1.8 E-4       2.7 E-4       2.0 E-5


TABLE 5-5

SAFETY FUNCTIONS & ASSOCIATED F1 SYSTEMS USED IN DESIGN BASIS EVENTS ANALYSIS

Control of fuel integrity at power: Reactor Trip, RCCA

Control of core reactivity at shutdown:
- Short term: RCCA
- Long term: Extra Boration System, LHSI/RHRS

Control of Reactor Coolant Inventory:
- Small Break LOCA: MHSI + MSRT
- Intermediate & Large break LOCA: MHSI + Accumulators + LHSI

Control of Reactor Coolant temperature:
- Hot shutdown: EFWS + MSRT
- Cold shutdown: LHSI in RHR mode

Control of Reactor Coolant Pressure:
- Overpressure protection: Reactor Trip + PSV + MSSV
- Depressurisation to cold shutdown: PSV

Control of Containment Heat Removal: LHSI

SGTR bypass: dedicated design of MHSI, MSRT


Table 5-6

LIST OF RISK REDUCTION CATEGORY A EVENTS

N° Functional sequence

19.1.2 FSa ATWS by rod failure

19.1.2 FSb ATWS by PS failure

19.1.2 FSc Station blackout (at power)

19.1.2 FSd Total loss of feedwater (at power)

19.1.2 FSe Total loss of cooling chain inducing a break in RCP seals (at power)

19.1.2 FSf LOCA up to 20 cm2 with loss of partial cooldown signal (at power)

19.1.2 FSg LOCA up to 20 cm2 without MHSI (at power)

19.1.2 FSh LOCA up to 20 cm2 without LHSI (at power)

19.1.2 FSi Uncontrolled RCS level drop without SI signal from PS (in shutdown state)

19.1.2 FSj Non CVCS homogeneous dilution with failure of dilution source isolation by operator (in shutdown state)

19.1.2 FSk Total loss of cooling chain (in shutdown state)

19.1.2 FSl Total loss of cooling chain or loss of ultimate heat sink during 100 hours

19.1.2 FSm Loss of the two main trains of the Fuel Pool Cooling System during refuelling outage


TABLE 5-7

CORE MELT FREQUENCY PER FAMILY OF INTERNAL EVENTS

CMF = core melt frequency, per reactor-year (/r.a). Contribution = share of the total CMF, in %.

Family of events                                  CMF States A,B   CMF States C,D,E   CMF All states   Contribution
                                                  (/r.a)           (/r.a)             (/r.a)           (%)
LOCA                                              1.37 E-7         4.44 E-10          1.37 E-7         23
LOCA with containment bypass                      3.72 E-9         3.65 E-10          4.09 E-9         -
Secondary piping break                            2.51 E-8         -                  2.51 E-8         4
Steam generator tube rupture                      1.41 E-9         -                  1.41 E-9         -
Loss of feedwater                                 1.10 E-7         -                  1.10 E-7         18
Loss of offsite power                             6.63 E-8         1.52 E-8           8.15 E-8         14
Primary side transients                           1.26 E-9         1.29 E-8           2.55 E-8         4
Loss of cooling chain or ultimate heat sink       8.17 E-8         1.75 E-8           9.92 E-8         16
Anticipated Transient Without Scram               1.24 E-7         -                  1.24 E-7         20
Heterogeneous dilution                            5.20 E-9                            5.20 E-9         1
TOTAL                                                                                 6.1 E-7