DS 367 Safety Classification of Structures, Systems and Components in NPPs - Comparison of versions 5.1 and 5.10

Version 5.1 was sent to MSs.
Version 5.10: with resolution of MSs’ comments.

Columns of the comparison: DS 367 version 5.1 | DS 367 version 5.10 | Comments
1. INTRODUCTION
BACKGROUND

Version 5.1:
1.1 The need to classify equipment in a nuclear plant according to its importance to safety has been recognised since the early days of reactor design and operation. The existing safety classification methods for structures, systems and components (SSCs) have evolved taking into account the lessons learnt during tens of thousands of hours of, mainly light water reactor (LWR), operation. Although the concept of safety functions as being what should be accomplished for safety has been understood for many years and examples based on experience have been provided, the process by which these could be derived from the general safety objectives has not been described in earlier IAEA publications. The classification systems accordingly identified the SSCs, mainly from experience and analysis of specific designs, that were deemed to be of the highest importance in maintaining safe operation, such as the continuing integrity of the primary pressure boundary, and classified this at the highest level.

Version 5.10:
1.1. The need to classify equipment in a nuclear power plant according to its importance to safety has been recognized since the early days of reactor design and operation. The existing methods for safety classification of structures, systems and components (SSCs) have evolved in the light of lessons learnt during the design and operation of existing plants, mainly with light water reactors. Although the concept of a safety function as being what must be accomplished for safety has been understood for many years, and examples based on experience have been provided, the process by which safety functions can be derived from the general safety objectives has not been described in earlier IAEA publications. Therefore, it was mainly from experience and analysis of specific designs that classification systems identified those SSCs that were deemed to be of the highest importance in maintaining safe operation, such as the continuing integrity of the primary pressure boundary, and classified them at the highest level.

Comments: (1SAF)

Version 5.1:
1.2 This Safety Guide was prepared under the IAEA programme for safety standards for nuclear power plants. An IAEA Safety Guide on Safety Functions and Component Classification for Boiling Water Reactor (BWR), Pressurized Water Reactor (PWR), and Pressure Tube Reactor (PTR) Plants was issued in 1979 as Safety Series No. 50-SG-D1 and was withdrawn in the year 2000 because the recommendations contained therein were considered not to comply with the IAEA Safety Requirements publication, Safety of Nuclear Power Plants: Design, NS-R-1 [1], published in 2000.

Version 5.10:
1.2. This Safety Guide was prepared under the IAEA programme for safety standards for nuclear power plants. An IAEA Safety Guide on Safety Functions and Component Classification for Boiling Water Reactor (BWR), Pressurized Water Reactor (PWR), and Pressure Tube Reactor (PTR) Plants was issued in 1979 as Safety Series No. 50-SG-D1 and was withdrawn in the year 2000 because the recommendations contained therein were considered not to comply with the IAEA Safety Requirements publication, Safety of Nuclear Power Plants: Design, published in 2000. This Safety Guide represents an update of that earlier Safety Series publication.

Comments: none

Version 5.1:
1.3 In developing this Safety Guide, a review of other relevant IAEA publications has been undertaken. This has included the IAEA Safety Requirements publication, Safety of Nuclear Power Plants: Design, NS-R-1 [1], the IAEA Safety Fundamentals, Fundamental Safety Principles, SF-1 [2], and current and ongoing revisions of Safety Guides and INSAG reports, including Safety Assessment and Verification for Nuclear Power Plants, NS-G-1.2 [3], and Defence in Depth in Nuclear Safety, INSAG-10 [4]. These publications have addressed the issues of safety functions and the safety classification of structures, systems and components (SSCs) for nuclear power plants. Information from a significant number of other international and national publications has been considered in developing this Safety Guide.

Version 5.10:
1.3. In developing this Safety Guide, relevant IAEA publications have been considered. This included the Safety Requirements publications, Safety of Nuclear Power Plants: Design [1] and Safety Assessment for Facilities and Activities [2], the Fundamental Safety Principles [3], and current versions and ongoing revisions of Safety Guides and INSAG reports, including Safety Assessment and Verification for Nuclear Power Plants [4] and Defence in Depth in Nuclear Safety [5]. These publications have addressed the issues of safety functions and the safety classification of SSCs for nuclear power plants. Information from a significant number of other international and national publications such as Refs [6], [7] and [8] has been considered in developing this Safety Guide.

Comments: (3FRA)

Version 5.1:
1.4 The purpose of the safety classification in a nuclear power plant is to identify and classify SSCs on the basis of their safety function and safety significance. Reference [1] requires designers to undertake a number of steps to perform safety classification and to justify the assignment of SSCs to safety classes.

Version 5.10:
1.4. The purpose of safety classification in a nuclear power plant is to identify and categorize the safety functions and to identify and classify the related SSC items on the basis of their safety significance. This will ensure that the appropriate engineering design rules are determined for each safety class, so that SSCs are designed, manufactured, constructed, installed, commissioned, quality assured, maintained, tested and inspected to standards appropriate to their safety significance. Reference [1] requires designers to undertake a number of steps to perform safety classification and to justify the assignment of SSCs to safety classes.

Comments: (1ROM, 1USA, 3FRA)

Version 5.1:
(no corresponding paragraph)

Version 5.10:
1.5. To adopt the best practices in Member States, the IAEA reviewed widely the existing safety classification methodologies applied in operating nuclear power plants and for new designs. This Safety Guide is based on this review. The principles and method of classification provided in this Safety Guide aim at harmonizing national practices. Furthermore, this Safety Guide explicitly describes the steps of safety classification, which are often not systematically expressed and documented in national classification methods. The classification principles and method provided in this Safety Guide do not invalidate classifications of SSCs achieved using other methods.

Comments: New (3USA)

OBJECTIVE

Version 5.1:
1.5 The objective of this Safety Guide is to provide guidance on how to meet the requirements for identification of safety functions and classification of SSCs established in the Ref. [1] and to ensure appropriate quality and reliability of SSCs. This Safety Guide proposes a technology neutral approach and issues relating to particular types of reactor are discussed in general terms.

Version 5.10:
1.6. The objective of this Safety Guide is to provide recommendations and guidance on how to meet the requirements established in Refs [1] and [2] for identification and categorization of safety functions and for classification of related SSCs to ensure quality and reliability accordingly. This Safety Guide presents a technology neutral approach and, therefore, issues relating to particular types of reactor are discussed in general terms.

Comments: none

Version 5.1:
(no corresponding paragraph; the equivalent text is part of paragraph 1.6 under SCOPE)

Version 5.10:
1.7. This publication is intended for use by organizations designing, manufacturing, constructing and operating nuclear power plants, as well as by regulatory bodies and their technical support organizations for the conduct of regulatory reviews and assessments.

Comments: new

SCOPE

Version 5.1:
1.6 The recommendations on safety classification as presented in this Safety Guide are intended to be applicable to any plant type, irrespective of the amount of available operating experience. The approach to safety classification presented here is intended to be suitable both for new designs of nuclear power plant and during the periodic safety review of, or upgrades to, existing plants. It is intended to cover all aspects of a nuclear power plant, including the storage and handling of new and spent fuel at the site of the plant, that are included in the plant's safety analysis report. This publication is intended for use by organizations designing, manufacturing, constructing and operating nuclear power plants, as well as by regulatory bodies and their technical support organizations for the conduct of regulatory review and assessment.

Version 5.10:
1.8. This Safety Guide covers all safety aspects of a nuclear power plant that are included in the plant's safety analysis report, including the storage and handling of new and spent fuel at the site of the plant. The recommendations on safety classification as presented in this Safety Guide are intended to be applicable to any plant type. The approach is intended to be suitable for new designs of nuclear power plants; however, it may also be applied to existing plants or designs that have already been licenced. For the purpose of this Safety Guide, existing nuclear power plants are those nuclear power plants that are: (a) at the operational stage (including long term operation and extended temporary shutdown periods); (b) at a pre-operational stage for which the construction of structures, the manufacturing, installation and/or assembly of components and systems, and commissioning activities are significantly advanced or fully completed; or (c) at a temporary or permanent shutdown stage while nuclear fuel is still within the facility (in the core or the pool). For upgrading of existing plants, the use of this Safety Guide will help to classify new SSCs, and reclassify existing SSCs interfacing with new SSCs if necessary.

Comments: (2SPA, ENISS1,3, 4FRA, 1SPA, 7SPA0)

Version 5.1:
1.7 This Safety Guide is written in technology neutral terms. This assumes that there are features of all nuclear power plants that are common to all reactor types. It has been assumed that all plants have a series of physical or other barriers for the retention of an inventory of radioactive material and that all must meet a set of requirements that govern the safe operation of the plant. Further, all plants are assumed to require physical processes to operate, including cooling of the fuel, limitation of chemical attack and mechanical processes to prevent degradation of the barriers retaining radioactive material, although in different designs, each of these aspects may be of different relative importance. This Safety Guide was written for nuclear power plants but could be extended to any type of nuclear facility, if the appropriate amendments are made.

Version 5.10:
1.9. This Safety Guide is written in technology neutral terms. This assumes that there are features of all nuclear power plants that are common to all reactor types. For example, it is assumed that all plants have a series of physical barriers or other barriers for the retention of the inventory of radioactive material and that all such barriers have to meet a set of requirements that govern the safe operation of the plant. Furthermore, all plants are assumed to require certain physical processes to operate, including cooling of the fuel, limitation of chemical attack and mechanical processes to prevent degradation of the barriers retaining radioactive material, although in different designs, each of these aspects may be of different relative importance. This Safety Guide is applicable for SSCs at nuclear power plants, but the recommendations it provides could be extended to cover any type of nuclear facility, if the appropriate amendments are made.

Comments: (4FIN & 4USA)

STRUCTURE

Version 5.1:
1.8 Section 2 provides general recommendations on the approach to be adopted in meeting the IAEA requirements on safety classification, and the defence in depth (DiD) concept for plant safety. Section 2 also introduces the concept of safety functional groups to perform safety functions to prevent and/or mitigate postulated initiating events (PIE). Section 3 describes the steps in the safety classification process. Section 4 provides recommendations on requirements for SSCs based on their safety classification. The tables and the appendices cover a number of issues including flow charts of the process and examples of design requirements. Annex I gives a list of safety functions for light water type reactors, and Annex II provides an example of the possible combination approach for deterministic safety analysis and probabilistic safety analysis results for assessment of adequacy of safety classification during system level design.

Version 5.10:
1.10. Section 2 provides the basis and general approach to be adopted in meeting the safety requirements on safety classification. Section 3 describes the steps in the safety classification process. Section 4 provides recommendations on determining the design rules for plant specific safety functions and SSCs on the basis of their safety categories and safety classes respectively. Appendix I provides a chart indicating how safety functions relate to the various levels of defence in depth. Appendix II provides a table indicating the different steps to be performed in classification of SSCs in line with other design processes. Annex I lists reactor type safety functions for light water reactors. Annex II gives examples of design rules for SSCs.

Comments: (3SPA) (33, 34 & 35 USA)




Version 5.1:
2 REQUIREMENTS AND GENERAL APPROACH FOR SAFETY CLASSIFICATION
REQUIREMENTS FOR A SAFETY CLASSIFICATION PROCESS
2.1 The requirements for a safety classification system are established in Ref. [1]. These are repeated in the following paragraphs.

Version 5.10:
2 BASIS AND GENERAL APPROACH TO SAFETY CLASSIFICATION
REQUIREMENTS FOR A SAFETY CLASSIFICATION PROCESS
2.1. The basic requirements for a safety classification system are established in Ref. [1] and are repeated in the following paragraphs. Additional related requirements are established in Ref. [2]. The recommendations on how to meet these requirements are developed in this Safety Guide.

Comments: none

Version 5.1:
2.2 Ref. [1] in paragraph 4.7 states “A systematic approach shall be followed to identify the structures, systems and components that are necessary to fulfil the safety functions at the various times following a PIE.”

Version 5.10:
2.2. Paragraph 4.1 of Ref. [1] states that “A systematic approach shall be followed to identify the items important to safety that are necessary to fulfil the fundamental safety functions, and to identify the inherent features that are contributing to or affecting the fundamental safety functions, for all the levels of defence in depth.”

Comments: (14UK) Editing update + (DS 414)

Version 5.1:
2.3 Ref. [1] in paragraph 5.1 states “All structures, systems and components, including software for instrumentation and control (I&C), that are items important to safety shall be first identified and then classified on the basis of their function and significance with regard to safety. They shall be designed, constructed and maintained such that their quality and reliability is commensurate with this classification.”

Version 5.10:
2.3. Requirement 23 of Ref. [1] states that “All items important to safety shall be identified and the items identified shall be classified on the basis of their function and their safety significance.”

Comments: (14UK) Editing update + (DS 414)

Version 5.1:
2.4 Ref. [1] in paragraph 5.2 states “The method for classifying the safety significance of a structure, system or component shall primarily be based on deterministic methods, complemented where appropriate, by probabilistic methods and engineering judgement, with account taken of factors such as:
(1) the safety function(s) to be performed by the item;
(2) the consequences of failure to perform its function;
(3) the probability that the item will be called upon to perform a safety function;
(4) the time following a postulated initiating event at which, or the period throughout which, it will be called upon to operate.”

Version 5.10:
2.4. Paragraph 5.35 of Ref. [1] states that “The method for classifying the safety significance of items important to safety shall primarily be based on deterministic methods complemented where appropriate by probabilistic methods, with account taken of factors such as:
(1) the safety function(s) to be performed by the item;
(2) the consequences of failure to perform the safety function;
(3) the frequency at which the item will be called upon to perform a safety function;
(4) the time following a postulated initiating event at which, or the period for which, it will be called upon to operate.”

Comments: (14UK) Editing update + (DS 414)

Version 5.1:
2.5 Ref. [1] in paragraph 5.3 states “Appropriately designed interfaces shall be provided between structures, systems and components of different classes to ensure that any failure in a system classified in a lower class will not propagate to a system classified in a higher class.”

Version 5.10:
2.5. Requirement 22 of Ref. [1] states that “Interference between safety systems and systems of lower classification or between redundant elements of systems of the same class shall be prevented by means such as physical separation of safety systems, electrical isolation, functional independence and independence of communication (data transfer), as appropriate.”

Comments: (14UK) Editing update + (DS 414)

Version 5.1:
FUNDAMENTAL SAFETY FUNCTIONS
2.6 Fundamental safety functions are derived from the need to achieve the general nuclear safety objective Ref. [2]: “To protect individuals, society and the environment from harm by establishing and maintaining in nuclear installations effective defences against radiological hazards.”

Version 5.10:
deleted

Comments: Deleted (heading and paragraph)

Version 5.1:
2.7 Ref. [1] in paragraph 4.6 states “To ensure safety, the following fundamental safety functions shall be performed in operational states, in and following a design basis accident and, to the extent practicable, on the occurrence of those selected accident conditions that are beyond the design basis accidents:
(1) control of reactivity;
(2) removal of heat from the core; and
(3) confinement of radioactive material and control of operational discharges, as well as limitation of accidental releases.”
[The intent on the core in (2) is for fuel in the core and spent fuel in the storage.]

Version 5.10:
2.6. Requirement 4 of Ref. [1] states that “Fulfilment of the following fundamental safety functions shall be ensured for all plant states:
(1) control of reactivity;
(2) removal of heat from the core;
(3) confinement of radioactive material, provision of shielding against radiation and control of operational discharges, as well as limitation of accidental radioactive releases.” (footnote 1)

Footnote 1: The three fundamental safety functions also have to be performed for spent fuel storage systems. In particular, fundamental safety function (2) refers to fuel in the core and spent fuel in storage at the site.

Comments: Editing update (DS 414); (3JPN) Footnote

Version 5.1:
PLANT SPECIFIC SAFETY FUNCTIONS
2.8 For each type of nuclear power plant, based on the fundamental safety functions, the plant specific safety functions should be defined to prevent or mitigate PIEs. Plant specific safety functions should be defined at an adequate level of detail that will allow the identification of SSCs that are required for performing these safety functions. In line with Refs. [2] and [4], preventive safety functions prevent abnormal operation or system failures. Mitigative safety functions control the consequences of abnormal operation or failures that have occurred. A practical example is shown in Annex I.

Version 5.10:
deleted (see 2.10)

Comments: Deleted; used for 2.10 and in Section 3 (7FRA, 3ROM comments were used later)

Version 5.1:
DEFENCE IN DEPTH AND BARRIERS
2.9 Ref. [1] in paragraph 4.5 states “The objective of the safety approach shall be: to provide adequate means to maintain the plant in a normal operational state; to ensure the proper short term response immediately following a postulated initiating event; and to facilitate the management of the plant in and following any design basis accident, and in those selected accident conditions beyond the design basis accidents.”

Version 5.10:
deleted

Comments: Title deleted; paragraph deleted
DS 367 version. 5.1                                        DS 367 version 5..10                                             Comments


2.10     The concept of successive barriers to release of deleted                                                           Deleted
radioactivity is part of the defence in depth strategy.
Furthermore, according to paragraph 2.10 of Ref. [1],
“Application of the concept of defence in depth in the design of a
plant provides a series of levels of defence (inherent features,
equipment and procedures) aimed at preventing accidents and
ensuring appropriate protection in the event that prevention
fails.”

IDENTIFICATION AND CATEGORISATION OF SAFETY                                                                                 Deleted
FUNCTIONAL GROUPS
                                                           GENERAL     APPROACH                 TO       THE       SAFETY new
                                                           CLASSIFICATION PROCESS

     (see 2.18 below)                                                     FIG 1. Main steps in classifying SSCs.            Similar steps - , terms are
                                                                                                                            changed
                                                              Definition and review of postulated initiating events        First step is new (13JPN)
                                                              Identification of safety functions:
                                                                  preventive safety functions, aimed at preventing
                                                                   failures and abnormal operation
                                                                   mitigatory safety functions, aimed at controlling
                                                                   postulated initiating events and mitigating their
                                                                   consequences
                                                              Categorization of safety functions
                                                              Identification of SSCs or groups of SSCs to perform safety
                                                               functions
                                                              Assignment of SSCs to one of three safety classes
                                                              Identification of design rules for classified SSCs

                                                           2.7. The approach to safety classification recommended in this New



                                       9/50
DS 367 version. 5.1                                                                  DS 367 version 5..10                                                               Comments
                                                                                     Safety Guide involves, broadly, categorization of safety Text is giving an overview
                                                                                     functions, followed by classification of the SSCs. The main steps of the general process
                                                                                     involved are shown in Fig. 1. The details of the safety
                                                                                     classification process, together with explanations of key concepts
                                                                                     and terms, are set out in Section 3 and the last step shown in Fig.
                                                                                     1 is set out in Section 4.

Version 5.10: 2.8. For a specific plant, prerequisites for classifying all SSCs according to their safety significance are the following:
    - A list of all postulated initiating events (footnote 2) considered in the plant design basis;
    - The identification of the safety functions implemented to achieve the fundamental safety functions for the different plant states.
Comments: New. On the basis of 2.8 of ver. 5.1.

Version 5.10: 2.9. Initially during the design, the postulated initiating events should be arranged in groups in which properties of the initiating events are the same (or very similar) (see Ref. [1], para 5.9 and Ref. [10], para. 5.34). At least one significant bounding postulated initiating event should be identified in each group.
Comments: New, to summarize the first box of Fig. 1. On the basis of MSs' comments.

Version 5.1: (see 2.8 before)
Version 5.10: 2.10. The safety functions that prevent and mitigate these events should be derived at an adequate level of detail in order later to identify the SSCs that perform these safety functions. These safety functions will be specific to each plant.
Comments: Editing (7FRA).

Version 5.1: 2.11 The use of the defence in depth concept is required in the design process and it should be applied in the safety classification process. The preventive plant specific safety functions should be allocated to the defence in depth level 1 and the mitigatory plant specific safety functions to the defence in depth levels 2 – 5 described in Table 1 of Ref. [4] and shown in Appendix I.
Version 5.10: (see 2.18 below)
Comments: Modified and moved down (2.18).

Footnote 2 (to para. 2.8 of version 5.10): As indicated in the IAEA Safety Glossary [9], the primary causes of postulated initiating events may be credible equipment failures and operator errors or human induced or natural events.
Version 5.1: 2.12 Safety functional groups, defined as all the SSCs, including supporting items that work together to perform a plant specific safety function, derived from fundamental safety functions, to prevent or mitigate a postulated initiating event and allocated to one defence in depth level, should be identified.
Version 5.10: (see 2.12 below)
Comments: Modified and moved down, and used in Section 3 as well.
Version 5.1: 2.13 The safety functional groups should be categorized according to their safety significance. Safety categorization should be based on the consequences of the failure of the SSCs to perform their assigned safety functions.
Version 5.10: 2.11. These plant specific safety functions (see Section 3) should then be categorized into a limited number of categories, on the basis of their safety significance (i.e. the frequency of occurrence of the postulated initiating events they prevent or mitigate, the consequences of the failure of the safety function, and the time during which or after which they are required to perform).
Comments: (4JPN, 5JPN, 6JPN) Plant specific safety functions should then be categorized. Similar to ver 5.1 para 2.13. Box 3; see Section 3.

Version 5.1: (see 2.12 before)
Version 5.10: 2.12. The SSCs or groups of SSCs that work together to perform the plant specific safety functions should then be identified.
Comments: (15UK). Para 2.12 of ver 5.1 was modified (SFG in 3.24).
Version 5.1: 2.14 Safety classes of the SSCs should be derived from the relevant safety categories as described by Fig. 1 in Section 3.
Version 5.10: 2.13. The SSCs are subsequently classified, mainly on the basis of the category of the safety function they perform. Preliminary safety classifications of SSCs are then subject to verification. In this Safety Guide three classes of SSCs are recommended, based on experience in Member States.
Comments: Similar to 2.14 of ver 5.1. Box 4 (UK16).

Version 5.1: 2.15 Because not all SSCs within a safety functional group may have an equal contribution towards achieving the desired safety function, appropriate safety classes for the SSCs which belong to that safety functional group should be derived.
Version 5.10: (see 3.25 below)
Comments: Moved to Section 3.

Version 5.1: 3.1 (see below)
Version 5.10: 2.14. The safety classification process described in this Safety Guide highlights the significant linkage that exists between design, analysis of postulated initiating events and the consequences of failure of safety functions, and classification of SSCs. The aim of safety classification is to determine the appropriate engineering design rules for all SSCs, to ensure that SSCs are designed, manufactured, constructed, installed, commissioned, quality assured, maintained, tested and inspected to standards appropriate to their safety significance (see Section 4).
Comments: Very similar to 3.1 and 2.16 of ver 5.1. Editing update including MS comment.

Version 5.1: 2.16 The safety classification process should ultimately assign design requirements for all SSCs that will achieve the appropriate performance of each safety functional group.
Version 5.10: deleted
Comments: Deleted; used for a similar para in Section 3 (3.33).

Version 5.10: 2.15. The basis for the classification and the results of the classification should be documented in an auditable record.
Comments: Separated MS comment (12USA) to 3.1 of ver 5.1.

Version 5.1: (old 2.19, see below)
Version 5.10: 2.16. Safety classification is an iterative process that should be carried out throughout the design process. Any preliminary assignments of SSCs to particular safety classes should be justified using deterministic safety analysis and, where possible, probabilistic safety analysis.
Comments: (9SPA, ENISS 9, 6CAN). Box 4.

Version 5.1: APPLICATION OF THE SAFETY CLASSIFICATION PROCESS
Comments: Deleted.

Version 5.1: 2.17 The safety classification should be performed during plant design, system design and equipment design phases and should be reconsidered for any relevant changes during construction, commissioning and commercial operation and subsequent stages in the plant's lifetime including periodic safety reviews.
Version 5.10: 2.17. The safety classification should be performed during plant design, system design and equipment design phases and should be reconsidered for any relevant changes during construction, commissioning and commercial operation and subsequent stages in the plant's lifetime.
Comments: Edited (PSR deleted) (12FRA).

Version 5.1: 2.18 The safety classification process should take the following steps:
    (1) identification of plant specific safety functions to prevent or mitigate postulated initiating events based on the three fundamental safety functions;
    (2) allocation of the plant specific safety functions to defence in depth levels;
    (3) identification of the safety functional groups to perform plant specific safety functions at different defence in depth levels and allocation of SSCs to perform the required functions within these safety functional groups;
    (4) assignment of safety functional groups to safety categories based on the consequence of the groups' failure;
    (5) assignment of the individual SSCs within safety functional groups to safety classes based on their importance in achieving the plant specific safety functions;
    (6) assignment of design requirements to the SSCs based upon their classification.
Version 5.10: (see Fig. 1 before)
Comments: Modified in Fig. 1 and moved up (13JPN).

Version 5.1: VERIFICATION AND REVISION OF SAFETY CLASSES
Comments: Deleted.
Version 5.1: 2.11 (see before)
Version 5.10: 2.18. The safety classification process recommended in this Safety Guide is consistent with the concept of defence in depth that is required in the design process [1]. The preventive safety functions (for use in normal operation) may be associated with defence in depth level 1 and the mitigatory safety functions (for mitigation of the consequences of anticipated operational occurrences and design basis accidents and consequences in excess of acceptance criteria for design basis accidents) with defence in depth levels 2 to 4, as described in Refs [1] and [5]. See the chart in Appendix I for further detail.
Comments: Editing updates. Box 5.

Version 5.1: 2.19 Safety classification may be an iterative process during the design process. Any preliminary safety class assignments should be finalized using deterministic safety analysis and, where available, probabilistic safety analysis.
Version 5.10: (see 2.16 before)

Version 5.1: 2.20 During the plant periodic safety reviews and before modifications, this safety classification method should be applied to determine if there are any changes to the safety functions to be performed.
Version 5.10: (see 3.3 below)
Comments: PSR was deleted; the other part was moved to Section 3.

Version 5.10: 2.19. Although the precise nature of the steps taken at each stage could vary according to regulatory requirements and the plant design, the safety classification process should include the steps outlined in Section 3. Different methods for the safety classification of SSCs have been used for different types of reactors and in different States for operating nuclear power plants and for new designs. The differences between the various methods are, for instance, the number of classes and the grouping of safety functions.
Comments: New paragraph introduced (harmonization of the MS practices).





Version 5.1: 3. SAFETY CLASSIFICATION PROCESS
Version 5.10: 3. SAFETY CLASSIFICATION PROCESS

Version 5.1: 3.1 The safety classification process described within this section highlights the significant linkage that exists between safety design, functional analysis and classification. Although the precise nature of the steps taken at each stage could vary according to the regulatory requirements and the plant design, the safety classification process should include the steps outlined in the sub-sections below. The safety classification process should ultimately establish design requirements for all SSCs to achieve appropriate performance of safety functional groups.
Version 5.10: 3.1. [This sentence is now in 2.18; replace instead with this brief intro:] 3.1. This section describes in detail the step-by-step approach to safety classification of SSCs, as shown in Fig. 1.
Comments: (12USA).
Version 5.10: ESTABLISHING THE INPUT TO THE CLASSIFICATION PROCESS: REVIEW OF POSTULATED INITIATING EVENTS
Comments: New title.

Version 5.10: 3.2 In order to establish the inputs required to start the classification process, the safety objective for the design safety should be analysed and the specific safety challenges associated with the specific reactor type (or technology) and with a specific plant should be identified, as well as the philosophy for prevention of these challenges and mitigation of their effects. The list of postulated initiating events (or bounding postulated initiating events; see Ref. [2] and para 7.3 of Ref. [11] (footnote 3)) applicable to the reactor type (or technology) should be reviewed and adapted to the particular plant taking into consideration the relevant internal and external hazards (footnote 4) in accordance with the requirement established in Ref. [1], para. 5.8. Grouping or bounding of postulated initiating events should be performed and assessed during the design prior to the safety classification process using deterministic safety analysis and probabilistic safety assessments. The methods are described in Refs [10, 11, 12].
Comments: New; paragraph 3.5 added as footnote.

Footnote 3: A list of bounding postulated initiating events for each reactor type is available in accident studies and is typically provided by the designer.
Footnote 4: Postulated initiating events that originate in internal and external hazards (e.g. fire in one electricity supply bus).

Version 5.1: 3.2. A complete set of plant specific safety functions based on the fundamental safety functions should also be defined during the initial design phase for a new nuclear power plant. For a specific nuclear power plant, a list of plant specific safety functions may already exist. If such a list does not exist, the fundamental safety functions should be broken down into plant specific safety functions and associated supporting functions for each defence in depth level.
Version 5.10: (see 3.7 below)
Comments: Moved down.

Version 5.1: 3.3. The plant specific safety functions applied to safety functional groups will prevent or mitigate the postulated initiating events that have been identified and should be broken down as required into SSC level safety functions associated with each defence in depth level. For each defence in depth level, the fundamental safety functions should be broken down into a consistent group of plant specific safety functions (e.g. reactivity control may be broken down into a) preventing unacceptable reactivity transients, as a defence in depth level 1 function, and b) shutting down the reactor, c) maintaining the reactor in safe shutdown condition, both as defence in depth levels 2 and 3 functions). Acceptance criteria for the performance of plant level safety functions should be defined at each defence in depth level. These are refined during the design process to establish a complete set of safety functions.
Version 5.10: (see 2.5 below)
Comments: Moved down.
Version 5.1: 3.4 For an existing plant the design should be reviewed periodically to ensure that the postulated initiating events and a sufficient list of plant specific safety functions to deal with them are appropriately defined.
Version 5.10: (see next para 3.3)
Comments: Paras 3.4 and 3.5 of ver 5.1 were combined into 3.3.

Version 5.1: 3.5 For plant modifications, the sub-set of newly identified or modified plant specific safety functions should be assessed, taking into consideration the affected interfaces with existing safety functional groups.
Version 5.10: 3.3. For plant modifications, the newly identified or modified postulated initiating events should be assessed, with account taken of interfaces with existing safety functions and safety classes of SSCs that may be affected.
Comments: Paras 3.4 and 3.5 of ver 5.1 were combined and modified (ENISS 17).


Version 5.1: SAFETY FUNCTIONS TO PREVENT OR MITIGATE POSTULATED INITIATING EVENTS
Version 5.10: IDENTIFICATION OF PLANT SPECIFIC SAFETY FUNCTIONS

Version 5.10: 3.4. At the early stage of design, 'reactor type safety functions', which are necessary to fulfil the fundamental safety functions in all plant states, should be identified in accordance with the safety objective for the design safety. These comprise preventive safety functions and mitigatory safety functions. An example of reactor type safety functions for existing designs of light water reactors is provided in Annex I.
Comments: Similar to para 2.8 of ver. 5.1.

Version 5.1: (see 3.3 before)
Version 5.10: 3.5. Safety functions should be defined to an adequate level of detail in order to allow the identification of the SSCs that are required for performing these safety functions. Therefore the reactor type safety functions should be broken down to 'plant specific safety functions', which prevent or mitigate the bounding postulated initiating events.
Comments: (23 UK, 25 UK).

Version 5.1: 3.6 Plant specific safety functions to prevent deviation from normal operation as well as to mitigate the consequences of anticipated operational occurrences (AOO) and accidents should be allocated to each of the five defence in depth levels, if appropriate, so that the relevant success criteria can be achieved (see Appendix 1).
Version 5.10: 3.6. The plant specific safety functions are specific to the plant design, and each should be linked to particular bounding postulated initiating events. The plant specific safety functions should be refined in the design process to establish a complete set of safety functions to fulfil the fundamental safety functions. Some plant specific safety functions can be defined to cover more than one postulated initiating event.
Comments: 3.6 of ver 5.1 was modified and used for 3.18 as well (editing; allocation to DID levels removed, but covered by the introduction of plant specific safety functions / bounding PIEs) (17FRA, Belg2, CORDEL, CAN Genera, 17FRA).
Version 5.1: (see 3.2 before)
Version 5.10: 3.7. For existing nuclear power plant designs, lists of plant specific safety functions are usually available. In some safety classification schemes, reactor type safety functions are detailed enough such that they can be used as plant specific safety functions and be allocated to bounding postulated initiating events.
Comments: (23 UK, 24UK) (12SPA, 21UK, ENISS12, 13).

Version 5.1: 3.7 Defence in depth level 1 safety functions should be provided to keep the plant within the normal operational envelope, by preventing failures.
Version 5.10: 3.8. The preventive plant specific safety functions keep the plant parameters within their expected normal range, maintain the integrity of the main confinement barriers (footnote 5) (see para. 2.12 of Ref. [1]) and prevent system failures that may cause initiating events. Failures of SSCs can originate from malfunctions, the effect of external and internal hazards or human induced events. Specific events can be ruled out of the plant design basis (for example: rupture of the reactor pressure vessel for pressurized water reactors) (footnote 6).
Comments: (3INS, 26UK, 24USA, 18FRA, Belg2,4, FIN5).

Version 5.10: 3.9. Preventive plant specific safety functions should ensure that the fundamental safety functions are fulfilled in normal operation. Some plant specific safety functions support the three fundamental safety functions only indirectly (e.g. safety function (19) in Annex I). Preventive plant specific safety functions identified during the early stage of the design should be reviewed.
Comments: New, on the basis of 2.8 of ver 5.1.

Footnote 5: The confinement barriers are different for different plant designs and include the fuel with its cladding (whereby the ceramic material of the fuel itself has an important barrier function, including for the pebble bed modular reactor), the reactor coolant system boundary and the containment.
Footnote 6: Failure of the reactor pressure vessel is nowhere considered as a bounding postulated initiating event, but has to be prevented, because it cannot be mitigated in the plant design basis.



Version 5.10: 3.10. Mitigatory plant specific safety functions should mitigate the consequences of initiating events such that the acceptance criteria are met for all anticipated operational occurrences and design basis accidents and the consequences of other accidents are reduced.
Comments: New.

Version 5.1: 3.8 Defence in depth level 2 safety functions are mitigatory safety functions and should detect, control and recover from failures that occur during anticipated operational occurrences. The assignment of these defence in depth level 2 safety functions should be to return the plant to normal operational conditions as promptly as possible, following an anticipated operational occurrence, before the occurrence can progress to a design basis accident (DBA) or a beyond design basis accident (BDBA).
Version 5.10: 3.11. Safety functions for the mitigation of anticipated operational occurrences should detect and intercept deviations from normal operation in order to prevent anticipated operational occurrences from escalating to an accident condition.
Comments: Modified on MSs' comments (15, 17USA, 19FRA).

Version 5.1: 3.9 Defence in depth level 3 safety functions are mitigatory safety functions and should control accidents within the design basis. Defence in depth level 3 safety functions could be subdivided into defence in depth level 3A and 3B safety functions, as described below.
Version 5.10: 3.12. Safety functions for the mitigation of design basis accidents should control accidents within the acceptance criteria of the plant's design basis. Mitigatory safety functions for design basis accidents can be subdivided into levels A and B, depending on the potential consequences of the accident and the timing of achieving a controlled state or safe shutdown state, as described in the following paragraphs. This subdivision is based on the definition of plant states in Ref. [1].
Comments: (21FRA), (27UK).

Version 5.1: 3.10 Defence in depth level 3A safety functions should establish a controlled state following a design basis accident. A controlled state should be reached as soon as possible, preferably using automatic means, and is reached once the fundamental safety functions are restored.
Version 5.10: 3.13. Level A mitigatory safety functions for design basis accidents should establish a controlled state following a design basis accident. A controlled state should be reached as soon as possible. A controlled state should be ensured by means of operator actions or by the active or passive safety systems that control reactivity, heat removal and releases to the environment within prescribed limits. However, automatic means should be preferred to reach the controlled state.
Comments: (21FRA, 14USA).



v5.1, para 3.11: Defence in depth level 3B safety functions should:
a) after a controlled state is reached, achieve a safe shutdown state and maintain it as long as necessary following a design basis accident, or
b) minimize the consequences on the remaining barriers from the occurrence of the design basis accident.
In a safe shutdown state, the reactor should remain sub-critical, decay heat should be removed indefinitely and all remaining barriers should remain intact.

v5.10, para 3.14: Level B mitigatory safety functions for design basis accidents should:
a) After a controlled state is reached, achieve and maintain a safe shutdown state following a design basis accident;
b) Minimize the challenge to the remaining barriers (see para. 2.12 of Ref. [1]) from the design basis accident.
A safe shutdown state should be ensured by means of operator actions or by the active or passive safety features that control reactivity, heat removal and releases to the environment within prescribed limits. In a safe shutdown state, plant parameters are well below the design limits for components and structures, the reactor remains sub-critical, and decay heat is removed for as long as necessary.

Comments: (28UK) (21FRA, FIN5, CORDEL6)

v5.1, para 3.12: Defence in depth level 4 safety functions are mitigatory safety functions and should control severe plant conditions, including prevention of accident progression and mitigation of the consequences of severe accidents. Defence in depth level 4 safety functions could be subdivided into defence in depth level 4A and 4B safety functions, as described below.

v5.10, para 3.15: Safety functions for the mitigation of consequences in excess of acceptance criteria for design basis accidents should limit accident progression (e.g. in-vessel mitigation before significant core degradation occurs) and should mitigate the consequences of a severe accident⁷ (e.g. ex-vessel mitigation to control the remains of a significantly degraded core).

Comments: (8SAF & 29UK) (27UK)



v5.1, para 3.13: Defence in depth level 4A safety functions should be those mitigatory safety functions required to arrest the progress of beyond design basis accidents, such as in-vessel mitigation before significant core degradation occurs.

v5.10: (see 3.15 before)

Comments: Version 5.1 para 3.13 was deleted (Belg. 2 and other related)

⁷ Mitigation of the consequences of severe accidents includes limitation of radiological consequences, control of reactivity excursions, removal of decay heat for as long as necessary, confinement of radioactive material by means of the remaining barriers, and monitoring of the state of the plant and radiation levels.



v5.1, para 3.14: Defence in depth level 4A safety functions should also be used to ensure that fundamental safety functions are maintained as far as possible and should include monitoring of the state of the plant and radiation levels.

v5.10: (see 3.15 before)

Comments: Version 5.1 para 3.14 was deleted (Belg. 2 and other related)

v5.1, para 3.15: Defence in depth level 4B safety functions should be those mitigatory safety functions required to control the remains of a significantly degraded core, such as ex-vessel mitigation, limiting radiological consequences, controlling further reactivity excursion, removing decay heat as long as required and confining radioactive material.

v5.10: (see 3.15 before)

Comments: Version 5.1 para 3.15 was deleted (Belg. 2 and other related)

v5.1, para 3.16: Defence in depth level 5 safety functions should include radiation monitoring and meteorological measurements for plume concentration prediction, emergency planning, and mitigation of releases following failures of the confinement safety function. The safety classification of equipment for any recovery or clean-up measures needed should be defined on a case-by-case basis and requirements identified.

v5.10: (see 3.15 before)

Comments: Version 5.1 para 3.16 was deleted (Belg. 2 and other related)

v5.1, para 3.17: Functions not included within the defence in depth levels described above should be classified as non-safety.

v5.10: deleted

Comments: Version 5.1 para 3.17 was deleted (Belg. 2 and other related)

v5.1 heading: IDENTIFICATION AND CATEGORIZATION OF SAFETY FUNCTIONAL GROUPS

v5.10 heading: CATEGORIZATION OF SAFETY FUNCTIONS
v5.1, para 3.18: Safety functional groups should be categorized primarily according to their safety significance based on the consequences of their failure. The relation of the safety function to defence in depth level reflects the likelihood of the safety functional group being called upon to operate. This should result in "highest" categorization on the safety functional groups where there are potentially the most severe consequences if they fail and which are most likely to be called upon to operate.

v5.10, para 3.16: The plant specific safety functions, preventive or mitigatory, which are required to be performed in operational states and in the event of a fault or accident, should be categorized on the basis of their safety significance. The safety significance of each safety function is determined by taking account of the factors (2), (3) and (4) indicated in para. 2.4.

Comments: Original 3.18 of ver 5.1 was combined with new paragraph to define the safety significance of a safety function. (32UK, CORDEL 2)

v5.1: (See 3.23 through 3.26 below)

v5.10, para 3.17: Factor (2) of para. 2.4 reflects the potential severity of the consequences of failure of a plant specific safety function. The severity should be divided into three levels, high, medium and low, as follows:
The severity should be considered 'high' if:
- The failure of the safety function could lead to a release of radioactive material that exceeds the specified limits for design basis accidents set by the regulatory body; or
- The values of key physical parameters could challenge or exceed specified design limits⁸ for design basis accidents⁹.
The severity should be considered 'medium' if:
- The failure of the safety function could lead to a release of radioactive material below the specified limits for design basis accidents set by the regulatory body; or
- The values of key physical parameters could exceed the specified design limits for anticipated operational occurrences, but remain within the specified design limits for design basis accidents⁹.
The severity should be considered 'low' if:
- The failure of the safety function could lead to a release of radioactive material below the limits for the plant conditions for anticipated operational occurrences; or
- The values of key physical parameters could exceed the specified design limits for normal operation¹⁰, but would remain within the specified design limits for anticipated operational occurrences⁹.

Comments: Modified and combined paras 3.23 through 3.26 of ver 5.1

⁸ Also called safety acceptance criteria.
⁹ See Requirements 15, 19, 20 and 21 of Ref. [1].

v5.1: (See 3.6 before)

v5.10, para 3.18: Factor (3) of para. 2.4 reflects the probability that a plant specific safety function will be called upon. This should be taken into account in the categorization of mitigatory safety functions. It should be expressed primarily through the probability of occurrence of postulated initiating events leading to anticipated operational occurrences, design basis accidents and design extension conditions. For preventive safety functions, no differentiation is necessary regarding probability.

Comments: Updated in order to be consistent with the new version of NS-R-1 factors and to reduce the re-emphasis made on DID levels (CORDEL2)

v5.10, para 3.19: Factor (4) of para. 2.4 reflects the time at which or the period for which a plant specific safety function will be called upon. The time factor should be considered for the mitigation of design basis accidents. For example, a controlled state should be reached as soon as possible, preferably using automatic means. After a controlled state is reached, a safe shutdown state should be achieved and maintained as long as is necessary. The safety functions that need to be performed to reach and maintain the safe shutdown state may be categorized lower than the safety functions needed to reach the controlled state¹¹.

Comments: New in order to be consistent with the new version of NS-R-1 factors and to introduce how factor 4 should be considered

v5.10, para 3.20: Because of the importance of the objective to limit radiological consequences for workers, the public and the environment, and for the purposes of safety classification, particular emphasis should be placed on the barriers aimed at limiting releases of radioactive material (see para. 2.12 of Ref. [1]). Depending on the reactor type (or technology), the emphasis placed on the different barriers (e.g. fuel cladding, pressure boundary and confinement system) might be different. For many reactor types, the integrity function of the reactor coolant boundary plays a very important role¹², not only for retaining radionuclides, but also to ensure sufficient core cooling¹³.

Comments: New, added for clarification of the method with regard to the classification of the confinement barriers

v5.10, para 3.21: The safety significance of all plant specific safety functions should be established and each plant specific safety function should be categorized in one of the following safety categories according to the risk¹⁴.
Safety category 1:
- Any preventive plant specific safety function whose failure would result in consequences with a 'high' severity should be assigned to safety category 1.
- Any mitigatory plant specific safety function required to reach a controlled state following a design basis accident or anticipated operational occurrence, or any other mitigatory plant specific safety function whose failure would result in consequences with a 'high' severity, should be assigned to safety category 1.
Safety category 2:
- Any preventive plant specific safety function whose failure would result in consequences with a 'medium' severity should be assigned to safety category 2.
- Any mitigatory plant specific safety function required to reach a safe shutdown state following a design basis accident, or any other mitigatory plant specific safety function whose failure would result in consequences with a 'medium' severity, should be assigned to safety category 2.
Safety category 3:
- Any preventive plant specific safety function designed to keep the main reactor process variables (i.e. the main plant parameters) within their specified ranges for normal operation, or any other preventive plant specific safety function whose failure would result in consequences with a 'low' severity (e.g. an anticipated operational occurrence), should be assigned to safety category 3.
- Any mitigatory plant specific safety function designed for early interception of departure from normal operation before a reactor trip is initiated or the safety systems are challenged, or any other mitigatory plant specific safety function whose failure would result in consequences with a 'low' severity, should be assigned to safety category 3.
- Any mitigatory plant specific safety function designed to limit the consequences of hazards should be assigned at least to safety category 3.
- Even if they are not directly needed to ensure the performance of the fundamental safety functions, monitoring of releases of radioactive material at the site should be assigned at least to safety category 3.
Safety category 4:
- Any mitigatory plant specific safety function required to control consequences in excess of acceptance criteria for design basis accidents, in order to prevent core melt or to mitigate other consequences in a design extension condition, should be assigned to safety category 4.

Comments: New paragraph to introduce the Safety Categories definitions

¹⁰ The limits specified in the technical specifications.
¹¹ For example, safety functions F1A, F1B and F2 of the European Utility Requirements for LWR Nuclear Power Plants [7] need to be performed to reach a controlled state or for a safe shutdown state.
¹² Reference [5] identifies pressure integrity criteria for five different categories of safety functions.
¹³ Consequently, maintaining the integrity of the reactor coolant boundary is considered in Table 1 a preventive safety function and is assigned to the highest category. The highest category should apply to those components of the reactor coolant boundary where loss of integrity is not covered by mitigatory safety functions, e.g. failure of the reactor pressure vessel. At the other extreme, for those components of the reactor coolant boundary where loss of integrity is already mitigated by operational systems (e.g. failure of a transducer line), safety category 3 would be appropriate.
¹⁴ Risk is understood as a combination of the probability of occurrence of an event and the severity of its consequences [9].

v5.1, para 3.19: Each plant specific safety function allocated to a defence in depth level, whether preventive or mitigatory, should be achieved by a single safety functional group. However, one safety functional group may perform more than one plant specific safety function, depending on the design.

v5.10: (Last sentence of para. 3.22 below)

Comments: Modified (34UK)

v5.1, para 3.20: Each safety functional group should contain all the necessary design features to achieve the desired capability, dependability and robustness.

v5.10: (See 3.23 below)

Comments: (15SPA)

v5.1, para 3.21: The objective of preventive plant specific safety functions is to decrease the probability of failures to where the radiological consequences associated with this failure provide an acceptable risk. Safety functional groups that only prevent the occurrence of an abnormal event should be assigned to defence in depth level 1.

v5.10: Deleted

Comments: Deleted (see para 3.8) (8CAN) (35UK)

v5.1, para 3.22: Where a postulated initiating event occurs which could cause unacceptable consequences, mitigatory actions should be included to decrease the consequences of this event to remain within an acceptable consequence range. Safety functional groups which perform at least one plant specific safety function to mitigate the consequence of a postulated initiating event should be assigned to defence in depth levels 2 to 4. The safety requirements related to each level of defence in depth should be defined. An enveloping safety functional group can be defined to cover several levels of defence in depth, if appropriate.

v5.10: deleted

Comments: (see para 3.10)

v5.1, para 3.23: The severity level of consequence of failure of the safety functional group to perform its plant specific safety functions should be divided into consequence levels such as high, medium and low.

v5.10: (see 3.17 below)

Comments: Modified 3.23 of ver 5.1 moved up to 3.17

v5.1, para 3.24: The level of consequence should be considered "high" if the potential consequences of failure to maintain the safety function of either a preventive or mitigatory safety functional group are radiological releases that challenge or exceed the applicable operational limits or safety acceptance criteria, which have to be consistent with regulatory limits established for design basis accidents or similar events.

v5.10: (see 3.17 below)

Comments: Modified 3.23 of ver 5.1 moved up to 3.17

v5.1, para 3.25: The level of consequence should be considered "medium" if the potential consequences are radiological releases in excess of normal operational limits, but certainly less than the design basis accident design limits or related safety acceptance criteria.

v5.10: (see 3.17 below)

Comments: Modified 3.23 of ver 5.1 moved up to 3.17 (34FRA)

v5.1, para 3.26: The level of consequence should be considered "low" if the consequences are radiological releases close to but below the normal operational limits. This reflects the uncertainty that may exist in the safety analysis or other parameters associated with plant operation.

v5.10: (see 3.17 below)

Comments: Modified 3.23 of ver 5.1 moved up to 3.17 (6INS) (38FRA) (34FRA)

v5.1, para 3.27: Safety functional groups should be categorized according to Table 1. Safety category 1 is defined to be the most stringent severity level of consequence of failure of the safety functional group to perform its plant specific safety functions.

v5.10, para 3.22: The plant specific safety functions categorized according to the concepts set out in para. 3.21 are summarized in Table 1. Plant specific safety functions whose failure would lead to the most severe consequences should be assigned to safety category 1, as described in para. 3.21. Where a safety function could be considered to be in more than one category, depending on the events considered, it should be categorized in the highest category.

v5.1, para 3.28: The limiting values that are assigned to each of the levels of radiological release will depend on the applicable operational limits or safety acceptance criteria, which have to be consistent with regulatory limits for the plant.

v5.10: deleted

Comments: Deleted (37UK)

v5.1: Table 1. Relationship between Safety Function Type and Safety Categories of Safety Functional Groups

v5.10: TABLE 1. RELATIONSHIP BETWEEN TYPE OF SAFETY FUNCTION AND SAFETY CATEGORIES FOR PLANT SPECIFIC SAFETY FUNCTIONS

Comments: Modified table (no DiD levels) (CORDEL 8)

v5.1, para 3.29: By assigning safety categories to safety functional groups, a set of common design requirements can be identified that will ensure that the appropriate quality and reliability is achieved. Design measures should be applied consistently within a safety category or using a graded approach for the different safety categories or safety classes. This is considered further in Section 4.

v5.10, para 3.23: By categorizing the plant specific safety functions in accordance with Table 1, engineering design rules (functional requirements such as the single failure criterion, diversity, etc.), linked to the applicable safety categories, can be assigned to the plant specific safety functions or to groups of SSCs performing plant specific safety functions. This is further considered in Section 4.

v5.1, para 3.30: A deterministic safety analysis should be performed that will cover all postulated initiating events defined during the plant level and system level design. This analysis should confirm that the safety functional groups have the appropriate design requirements, are assigned to the appropriate defence in depth level and that the acceptance criteria for each postulated initiating event are met. This analysis should also provide a preliminary estimation of the plant behaviour and of the required systems performances.

v5.10: deleted

Comments: Deleted, see Appendix II

v5.1, para 3.31: When appropriate design information and performance and reliability data for generic equipment is available, an initial probabilistic safety assessment (PSA) should be performed, as appropriate, at this stage of the design. The purpose of this preliminary PSA is to identify potential additional initiating events (multiple failures, losses of support functions, etc.) and the required safety functions.

v5.10: deleted

Comments: (16SPA) Deleted, see Appendix II




v5.10 heading: GROUPING OF STRUCTURES, SYSTEMS AND COMPONENTS

v5.10, para 3.24: All the SSCs required to perform each plant specific safety function should be identified and grouped into 'safety functional groups'¹⁵. Depending on the design, a particular SSC can be allocated to more than one plant specific safety function, and thus could be assigned to several safety functional groups.

Comments: new

v5.1 heading: ASSIGN STRUCTURES, SYSTEMS AND COMPONENTS TO SAFETY CLASSES

v5.10 heading: CLASSIFICATION OF STRUCTURES, SYSTEMS AND COMPONENTS
v5.1, para 3.32: As indicated in paragraph 3.27, this guide recommends that Safety Class 1 should be assigned to the SSCs which have the most severe consequences if they fail. This is the "highest" safety class for a safety classification scheme with four safety classes (1 - 4), as shown below in Fig. 1.

v5.10: (see below 3.25)

Comments: Moved to 3.25

v5.1, para 3.33: SSCs should initially be assigned to the safety class corresponding to the safety category of the safety functional group they belong to; however, some SSCs in a safety functional group may change class.

v5.10, para 3.25: Initially, SSCs (including supporting SSCs) should be assigned to the safety class corresponding to the safety category of the plant specific safety function that they fulfil (see Fig. 2). However, because not all SSCs within a safety functional group may have an equal contribution towards achieving the desired safety function, some SSCs may then be assigned to a different safety class, as described in paras 3.26 and 3.27.

Comments: [2.15 of ver 5.1 is also included in the para 3.25]
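The categorization rules of paras 3.17, 3.21 and 3.22 and the grouping and initial class assignment of paras 3.24 and 3.25 together form a small decision procedure: rate the severity of failure, derive a category per credited event, take the highest category across events, then give every SSC in the safety functional group the class matching that category. The Python below is an added worked example and is not text or code from DS 367 or the IAEA. The enum and function names, the sample safety functions and the SSC lists are constructed for illustration, and the rule that an SSC belonging to several safety functional groups keeps the highest of the classes it would receive is an assumption (para. 3.22 states the highest-category rule for functions only).

```python
"""Added worked example, not DS 367 text: paras 3.17, 3.21, 3.22, 3.24, 3.25.
All names, the sample functions and the SSC lists are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Band(Enum):
    """Which set of limits the consequence of failure challenges (para. 3.17)."""
    DBA = 1      # challenges or exceeds design basis accident limits
    AOO = 2      # exceeds AOO limits but stays within DBA limits
    NORMAL = 3   # exceeds normal-operation limits but stays within AOO limits


class Severity(Enum):
    HIGH = 1
    MEDIUM = 2
    LOW = 3


def severity(release: Band, parameters: Band) -> Severity:
    """Para. 3.17: each level is an 'or' of the release criterion and the
    key-parameter criterion, so the worse of the two bands decides."""
    return Severity(min(release.value, parameters.value))


class Kind(Enum):
    PREVENTIVE = "preventive"
    MITIGATORY = "mitigatory"


@dataclass(frozen=True)
class Demand:
    """One event against which a plant specific safety function is credited.
    The flags mirror the bullets of para. 3.21 (assumed field names)."""
    kind: Kind
    severity: Optional[Severity] = None
    controlled_state: bool = False   # mitigatory, reaches controlled state after DBA/AOO
    safe_shutdown: bool = False      # mitigatory, reaches safe shutdown state after DBA
    dec: bool = False                # mitigatory, beyond DBA acceptance criteria
    hazard: bool = False             # mitigatory, limits consequences of hazards
    monitoring: bool = False         # monitoring of releases at the site


def category_for_demand(d: Demand) -> int:
    """Para. 3.21 applied to one credited event (1 = highest category)."""
    if d.kind is Kind.MITIGATORY and d.dec:
        # Category 4 covers consequences beyond the DBA acceptance criteria; the
        # para. 3.17 scale is defined against DBA/AOO limits and is not applied.
        return 4
    candidates: List[int] = []
    if d.kind is Kind.MITIGATORY:
        if d.controlled_state:
            candidates.append(1)
        if d.safe_shutdown:
            candidates.append(2)
        if d.hazard or d.monitoring:
            candidates.append(3)   # "at least" category 3: a floor, not a cap
    if d.severity is not None:
        candidates.append({Severity.HIGH: 1, Severity.MEDIUM: 2, Severity.LOW: 3}[d.severity])
    if not candidates:
        raise ValueError(f"no para. 3.21 criterion applies to {d}")
    return min(candidates)


@dataclass
class SafetyFunction:
    name: str
    demands: List[Demand]
    group: Set[str] = field(default_factory=set)   # safety functional group, para. 3.24


def categorize(fn: SafetyFunction) -> int:
    """Para. 3.22: a function credited for several events takes the highest category."""
    return min(category_for_demand(d) for d in fn.demands)


def initial_safety_classes(functions: List[SafetyFunction]) -> Dict[str, int]:
    """Para. 3.25: preliminary class = category of the function the SSC fulfils.
    An SSC in several groups (para. 3.24) keeps the highest class; this
    tie-break is an assumption, chosen for consistency with para. 3.22."""
    classes: Dict[str, int] = {}
    for fn in functions:
        cat = categorize(fn)
        for ssc in fn.group:
            classes[ssc] = min(classes.get(ssc, cat), cat)
    return classes


# Constructed sample (names, credited events and SSC lists are illustrative only).
SAMPLE = [
    SafetyFunction("reactor trip (reactivity control)",
                   [Demand(Kind.MITIGATORY, controlled_state=True)],
                   {"reactor protection system", "control rod drives"}),
    SafetyFunction("residual heat removal to safe shutdown",
                   [Demand(Kind.MITIGATORY, safe_shutdown=True)],
                   {"RHR pump", "RHR heat exchanger", "emergency diesel generator"}),
    SafetyFunction("ex-vessel corium cooling",
                   [Demand(Kind.MITIGATORY, dec=True)],
                   {"core catcher", "emergency diesel generator"}),
    SafetyFunction("reactor pressure vessel integrity",
                   [Demand(Kind.PREVENTIVE, severity=severity(Band.DBA, Band.DBA))],
                   {"reactor pressure vessel"}),
    SafetyFunction("site release monitoring",
                   [Demand(Kind.MITIGATORY, monitoring=True)],
                   {"stack radiation monitor"}),
]

if __name__ == "__main__":
    for fn in SAMPLE:
        print(f"category {categorize(fn)}: {fn.name}")
    for ssc, cls in sorted(initial_safety_classes(SAMPLE).items()):
        print(f"safety class {cls}: {ssc}")
```

The constructed "emergency diesel generator" sits in both the safe shutdown group (category 2) and the design extension condition group (category 4) and therefore receives preliminary class 2; the later downgrade steps of paras 3.26 and 3.27, which need a plant-specific safety analysis, are deliberately not modelled.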

Fig. 1. Assignment of SSCs to Safety Classes                              Fig 2. Assignment of SSCs to Safety Classes                                Modified
                                                                          See below after the table




15 All SSCs working together to perform one plant specific safety function are in one safety functional group. All safety functional groups (all SSCs) that work together to mitigate the consequences of anticipated operational occurrences and design basis accidents form a 'safety group' (see the IAEA Safety Glossary [9]).



[Figure: Assignment of SSCs to Safety Classes. Left to right: Safety Category 1 Safety Functional Group (Highest Safety Category) -> SSCs assigned to Preliminary Safety Class 1 (Highest Safety Class) -> SSCs assigned to the Safety Class 1 (Highest Safety Class); the same chain is drawn for Safety Categories 2, 3 and 4 and Safety Classes 2, 3 and 4; a final box holds the Not Safety Classified SSCs.]

3.34 (ver 5.1). The safety class may be downgraded if justified by an appropriate safety analysis (see Figure II-1 in Annex II). A downgrade, generally of one level, is possible in the following cases:
(1) SSCs the failure of which would not affect the capability of the safety functional group to perform its plant specific safety function. This may be, for example, a small instrumentation line or sensors monitoring the operation or the status of SSCs performing the safety function but not involved in its control.
(2) SSCs performing auxiliary functions, already in operation at the moment of the postulated initiating event, and not affected by it.
(3) Plant specific safety function performed by more than one diverse SSC, provided the SSC is less likely to be used, it is possible to deploy it and there is sufficient time for it to be deployed.
3.26 (ver 5.10). If justified by an appropriate safety analysis, a safety class lower than the safety class initially assigned can be proposed for an SSC. For example, an SSC can be assigned to a lower safety class, generally one level lower, in the following cases:
• The SSC does not directly support the accomplishment of the plant specific safety function in the corresponding safety category;
• The SSC would already be in operation at the moment the postulated initiating event occurs, and would not be affected by it;
• The corresponding plant specific safety function is fulfilled by more than one SSC, provided the following conditions apply:
  - The SSC to be assigned to a lower safety class is less likely to be used;
  - It will be possible to deploy it in time for it to be effective.
Comments: (44, 7UK, 14JPN, 46FRA) (46UK, CAN1, ENISS 5)
3.35 (ver 5.1). If there are SSCs within certain safety functional groups that cannot be accepted to fail (e.g. reactor pressure vessel for pressurized light water reactors), then these SSCs should be allocated to the highest safety class (Class 1), and additional requirements specified on a case by case basis.
3.27 (ver 5.10). If there are main SSCs (also known as lead SSCs or frontline SSCs; see footnote 16) within certain safety functional groups whose failure cannot be accepted because the conditional probability for unacceptable consequences is 1 or close to 1 (e.g. the reactor pressure vessel for light water reactors), then these SSCs should be allocated to the highest safety class, and additional requirements should be specified on a case by case basis.
Comments: (15JPN, Belg.2)

16 Main SSCs are those SSCs in a safety functional group that, with the support of supporting SSCs, perform the preventive and mitigatory plant specific safety functions.

3.28 (ver 5.10). Supporting SSCs should be assigned to the same class as that of the frontline SSCs to be supported. The class of a supporting SSC can then be lowered according to the rules set out in para. 3.26.
Comments: New - SC meeting

3.36 (ver 5.1). An SSC may be allocated to more than one safety functional group. However, an SSC should be allocated to only one safety class, which should be the higher one, with more conservative requirements for the SSCs that have been identified.
3.29 (ver 5.10). If an SSC contributes to the performance of several plant specific safety functions of different categories, it should be assigned to the class corresponding to the highest safety category requiring the most conservative design rules.

3.37 (ver 5.1). No account should be taken of whether a safety functional group contains active or passive SSCs, or a mixture of them, as this has no effect either on the safety category of the group or on the safety class of the SSCs.
3.30 (ver 5.10). In the classification of SSCs, no account should be taken of whether the operation of the SSC is active or passive, or a mixture.
Comments: (23USA, CORDEL 10).

3.38 (ver 5.1). Any SSC or a part of that SSC whose failure could adversely affect a safety functional group in accomplishing its plant specific safety function, even though it is not part of it, should be classified in accordance with the safety category of that safety functional group. No lowering of classification should occur in this case.
3.31 (ver 5.10). Any SSC that is not part of a safety functional group but whose failure could adversely affect this safety functional group in accomplishing its plant specific safety function (if this cannot be precluded by design) should be classified in accordance with the safety category of that safety functional group. The SSC may later be assigned to a lower safety class depending on the conditional probability of the consequential failure of the safety functional group.
Comments: (CAN 1, CORDEL 10)

3.39 (ver 5.1). Where the safety class of connecting or interacting SSCs is not the same (including safety classes to non safety SSCs), the SSCs should be isolated by a safety classified device of the higher classification (e.g., optical isolators or automatic valves) from the effects of failures in the lower safety classification SSC. An exception is where the failure of the SSC with the lower safety class (including a potential common-cause failure of identical or redundant items) cannot prevent accomplishment of the safety functions of the SSC with the higher safety class.
3.32 (ver 5.10). Where the safety class of connecting or interacting SSCs is not the same (including cases where an SSC in a safety class is connected to an SSC not important to safety), interference between the SSCs should be prohibited by means of a device (e.g. an optical isolator or automatic valve) classified in the higher safety class, to ensure that there will be no effects of a failure of the SSC in the lower safety class. An exception may be made where there is no mechanism to propagate a failure from the lower safety class SSC to the higher safety class SSC (e.g. because of physical separation). See Requirement 60 of Ref. [1].
Comments: (48UK)

3.40 (ver 5.1). The safety classification process, which follows the steps listed in paragraph 2.18, is presented in flowchart form in Appendix II.
Ver 5.10: deleted
Comments: Deleted text

3.33 (ver 5.10). By assigning each SSC to a safety class, a set of common engineering design rules can be identified that will ensure that the appropriate quality and reliability is achieved. Recommendations on assigning engineering design rules are provided in Section 4.

VERIFICATION OF THE SAFETY CLASSIFICATION USING DETERMINISTIC AND PROBABILISTIC SAFETY ANALYSIS (ver 5.1)
VERIFICATION OF THE SAFETY CLASSIFICATION (ver 5.10)
3.41 (ver 5.1). The adequacy of the safety classification should be verified using deterministic safety analysis complemented, as appropriate, by insights from the PSA and supported by engineering judgement. The particular methods involved should depend on the design information available and regulations from the Member State.
3.34 (ver 5.10). The adequacy of the safety classification should be verified using deterministic safety analysis, which should cover all postulated initiating events and all aspects of the prevention of events that are credited in the concept for the design safety of the plant. This should be complemented, as appropriate, by insights from probabilistic safety assessment and should be supported by engineering judgement (see footnote 17). Consistency between safety classifications verified using deterministic analyses and probabilistic analyses will provide confidence that the classification is correct. If there are deviations between the safety classifications resulting from probabilistic safety assessment and those from the deterministic calculations, then the more conservative safety classification (i.e. the higher safety class) should be used; however, the methods used will depend on the design information available and national regulations.
Comments: (12JPN & 7, 24, 25, 33, 34, & 35USA) (48, 49, & 50 FRA, 51, 7UK, ENISS gen5)

17 Experts providing engineering judgement, including knowledgeable personnel of the operating organization of the plant, should have expertise in probabilistic safety assessment, safety analysis, plant operation, design engineering and systems engineering.

3.35 (ver 5.10). The safety classification process should be verified in order to confirm that:
a. A complete set of bounding postulated initiating events has been defined;
b. A sufficient set of preventive plant specific safety functions has been provided to prevent system failures which could cause initiating events;
c. An adequate set of mitigatory plant specific safety functions, including consideration of common cause interactions, is available to maintain the consequences of an event within acceptable limits.
Comments: new
3.42 (ver 5.1). Probabilistic methods should only be used when the PSA has a level of detail adequate to support the classification process.
Ver 5.10: deleted
Comments: Deleted

3.43 (ver 5.1). The process should confirm that a complete set of postulated initiating events has been defined for the plant and a sufficient set of preventive plant specific safety functions has been provided to prevent the postulated initiating events from happening and, if they do occur, adequate mitigatory plant specific safety functions are available to maintain the fundamental safety functions as far as possible and keep any consequences below acceptable limits. It should, in addition, establish that the requirements for the safety functional groups are properly defined and that the SSCs that comprise them have adequate performance to provide the plant specific safety functions.
Ver 5.10: (see 3.36 below)
Comments: (26 USA)



3.44 (ver 5.1). If there are deviations between the PSA results and the deterministic based safety classification of an item then the most conservative safety classification (higher safety class) should be used.
Comments: Deleted

3.45 (ver 5.1). Safety analysis should confirm, using appropriately conservative assumptions regarding SSC performance characteristics, that the safety functional groups performing all the plant specific safety functions and the SSCs allocated to the group have the adequate design requirements and are assigned to the correct safety category/class and that the operational limits or other safety acceptance criteria which have to be consistent with regulatory limits for each postulated initiating event have been met.
3.36 (ver 5.10). Safety analysis should confirm that:
a) all the plant specific safety functions are performed by SSCs within safety functional groups;
b) the SSCs in each safety functional group are assigned to the correct safety class and the appropriate engineering design rules are applied;
c) the operational limits or other safety acceptance criteria for each postulated initiating event will be met.
3.46 (ver 5.1). If the analysis shows that the operational limits and safety acceptance criteria which have to be consistent with regulatory limits are not exceeded and that the reliability targets are met for all the postulated initiating events, the design is acceptable and the set of defined safety functions is complete.
Comments: Deleted

3.47 (ver 5.1). Ideally, the final goal should be to obtain balance between deterministic and probabilistic based safety classification as this will provide confidence that the classification is correct. In Annex II, Fig. II-1 depicts how a balance between deterministic and probabilistic methods could be obtained.
Comments: Deleted
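The assignment rules of paras 3.25 to 3.34 (ver 5.10) and the category lookup of Table 3 can be checked mechanically; the following is an added example written for this comparison (it is not part of DS 367 and not an IAEA tool) that encodes them in Python. The SSC names, severities and flags are constructed, and how a one-level downgrade from class 4 is treated is an assumption marked in the code.

```python
"""Added worked example (not part of DS 367): the SSC classification rules of
version 5.10, paras 3.25-3.34 and Table 3, encoded as a small decision model.
All SSC names, categories and flags below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Table 3 (ver 5.10): type of plant specific safety function x severity of the
# consequences of its failure -> safety category (None = no safety category).
TABLE_3: dict[str, dict[str, Optional[int]]] = {
    "preventive":     {"high": 1, "medium": 2, "low": 3},
    "aoo_mitigation": {"high": 1, "medium": 2, "low": 3},
    "dba_level_a":    {"high": 1, "medium": 2, "low": 3},
    "dba_level_b":    {"high": 2, "medium": 3, "low": None},
    "dec_mitigation": {"high": 4, "medium": None, "low": None},  # footnotes 20, 21
    "other":          {"high": None, "medium": None, "low": None},
}

NOT_CLASSIFIED = None  # the "Not Safety Classified SSCs" box of Fig. 2


def categorize(function_type: str, severity: str) -> Optional[int]:
    """Safety category of one plant specific safety function (Table 3)."""
    return TABLE_3[function_type][severity.lower()]


@dataclass
class SSC:
    name: str
    # categories of the plant specific safety functions the SSC fulfils (3.25)
    function_categories: list[Optional[int]] = field(default_factory=list)
    supports: Optional[str] = None      # frontline SSC it supports (3.28)
    failure_unacceptable: bool = False  # conditional probability ~1 (3.27)
    downgrade_justified: bool = False   # a 3.26 case, backed by safety analysis


def preliminary_class(ssc: SSC, plant: dict[str, SSC]) -> Optional[int]:
    """Paras 3.25, 3.28, 3.29: class number equals the category number (Fig. 2);
    a supporting SSC inherits the class of the frontline SSC it supports; an SSC
    serving several functions takes the highest category, i.e. the lowest number."""
    if ssc.supports is not None:
        return preliminary_class(plant[ssc.supports], plant)
    categories = [c for c in ssc.function_categories if c is not None]
    return min(categories) if categories else NOT_CLASSIFIED


def final_class(ssc: SSC, plant: dict[str, SSC]) -> Optional[int]:
    """Paras 3.26 and 3.27 applied on top of the preliminary class."""
    cls = preliminary_class(ssc, plant)
    if cls is NOT_CLASSIFIED:
        return NOT_CLASSIFIED
    if ssc.failure_unacceptable:
        return 1  # 3.27: highest class, no lowering (e.g. the reactor pressure vessel)
    if ssc.downgrade_justified:
        # 3.26: "generally one level lower". Assumption of this example: one
        # level below class 4 is "not safety classified" (cf. footnote 20).
        return cls + 1 if cls < 4 else NOT_CLASSIFIED
    return cls


def classify_plant(plant: dict[str, SSC]) -> dict[str, Optional[int]]:
    """Final safety class of every SSC in the plant model."""
    return {name: final_class(ssc, plant) for name, ssc in plant.items()}


def verified_class(deterministic: Optional[int], probabilistic: Optional[int]) -> Optional[int]:
    """Para 3.34: where deterministic and PSA-based classifications deviate,
    keep the more conservative one (the higher class, i.e. the lower number)."""
    candidates = [c for c in (deterministic, probabilistic) if c is not None]
    return min(candidates) if candidates else NOT_CLASSIFIED


def isolation_device_class(class_a: Optional[int], class_b: Optional[int]) -> Optional[int]:
    """Para 3.32: a device isolating two connected SSCs of different classes is
    classified in the higher class; None means no isolation device is required."""
    if class_a == class_b:
        return NOT_CLASSIFIED
    return min(c for c in (class_a, class_b) if c is not None)


# Constructed sample plant: names and attributes are illustrative only.
SAMPLE_PLANT: dict[str, SSC] = {
    "reactor pressure vessel": SSC("reactor pressure vessel", [1], failure_unacceptable=True),
    # frontline SSC fulfilling a category 1 DBA function and a category 4 DEC function
    "ECCS pump": SSC("ECCS pump", [categorize("dba_level_a", "high"),
                                   categorize("dec_mitigation", "high")]),
    # supporting SSC of the pump; analysis justifies one level lower (3.28 + 3.26)
    "pump seal cooling": SSC("pump seal cooling", supports="ECCS pump", downgrade_justified=True),
    # status sensor not involved in control of the function (3.26, first bullet)
    "status sensor": SSC("status sensor", [2], downgrade_justified=True),
    # fulfils only a DBA level B function of low severity -> no safety category
    "sampling line": SSC("sampling line", [categorize("dba_level_b", "low")]),
}

if __name__ == "__main__":
    for name, cls in classify_plant(SAMPLE_PLANT).items():
        label = "not safety classified" if cls is None else f"Safety Class {cls}"
        print(f"{name:24s} -> {label}")
```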




4 SELECTION OF APPLICABLE REQUIREMENTS FOR STRUCTURES, SYSTEMS AND COMPONENTS (ver 5.1)
4. SELECTION OF APPLICABLE DESIGN RULES FOR STRUCTURES, SYSTEMS AND COMPONENTS (ver 5.10)

4.1 (ver 5.10). A complete set of engineering design rules should be specified for each plant specific safety function. The SSCs in each safety functional group should possess all the design features necessary to achieve the appropriate capability, dependability and robustness.
Comments: new

4.1 (ver 5.1). Selection of applicable design requirements is intended to reflect the required quality commensurate with the safety function of the SSC. Nationally adopted codes and standards should be applied for design requirements.
4.2 (ver 5.10). The engineering design rules selected should reflect the required quality and should be assigned in accordance with the category of the safety function and the safety class of the SSC. The appropriate codes and standards, including nationally adopted international codes and standards, should be used for determining the engineering design rules for all types of SSCs.
Comments: (54UK & 54FRA) Nationally

4.2 (ver 5.1). Once SSCs are assigned to Safety Classes, design requirements can be assigned to them, placing the "highest" safety class and the most stringent requirements on SSCs where their failure causes the most severe consequences with the greatest likelihood of being called upon to operate.
Ver 5.10: Included in 4.2
Comments: Included in 4.2 (52FRA, 21SPA, 53UK)

4.3 (ver 5.1). The requirements for individual SSCs may be consistent with the entire safety functional group(s) to which they belong.
Ver 5.10: deleted
Comments: Deleted

4.4 (ver 5.1). These requirements are related to the three characteristics of capability, dependability and robustness. SSCs should be designed, constructed, qualified, operated, tested and maintained to:
(1) Perform its designated safety function as required, taking uncertainties into account (capability),
(2) Ensure that failures within the safety functional group cannot degrade the ability of the group to perform its designated safety function (dependability), and
(3) Ensure that no operational loads or loads caused by any associated postulated initiating events should be able to adversely affect the ability of the safety functional group to perform its designated safety function (robustness).
4.3 (ver 5.10). Engineering design rules are related to the three characteristics of capability, dependability and robustness:
a) Capability is the ability of an SSC to perform its designated safety function as required, with account taken of uncertainties;
b) Dependability is the ability of an SSC within a safety functional group to perform the required safety function with a sufficiently low failure rate;
c) Robustness is the ability to ensure that no operational loads or loads caused by any associated postulated initiating events on an SSC in a safety functional group will adversely affect the ability of the safety functional group to perform its designated safety function.
SSCs should be designed, constructed, qualified, operated, tested and maintained to ensure the proper capability, dependability and robustness.
Comments: (3SPA) to perform its designated safety function. (14SAF & 28USA & 22SPA)

4.5 (ver 5.1). The dependability and robustness of an SSC should be achieved within an acceptable range of probability of failure and its related consequences.
4.4 (ver 5.10). The engineering design rules relating to dependability and robustness of an SSC may be adjusted in accordance with the probability of failure of the SSC and the associated consequences.
Comments: (UK53)

4.6 (ver 5.1). In Appendix III, Tables 2 and 3 provide examples of design requirements in terms of capability, dependability and robustness.
Comments: Covered by 4.5

4.7 (ver 5.1). When defining the design requirements (e.g. redundancy, diversity, etc.) for safety functional groups, including interactions between information technology, instrumentation & control and other types of system, requirements from the appropriate codes and standards should be included.
Comments: Deleted

4.8 (ver 5.1). In Appendix III, Table 4 provides examples of design requirements for SSCs of different safety classes, depending on their preventive or mitigatory safety functions.
4.5 (ver 5.10). Annex II provides examples of engineering design rules for SSCs of different safety classes, depending on their preventive or mitigatory safety functions.
Comments: (5SAF)

4.9 (ver 5.1). The appropriate codes and standards should be used for defining design requirements for all types of SSCs.
Comments: Deleted

4.10 (ver 5.1). Fire protection and fire suppression requirements should be applied as outlined in Ref. [8] for the design of SSCs and, as appropriate, for the maintenance of safety functions.
4.6 (ver 5.10). Design rules relating to fire protection and fire suppression should be applied as outlined in Ref. [13] for the design of SSCs and, as appropriate, for the performance of safety functions.
Comments: edited

4.11 (ver 5.1). The requirements for instrumentation & control and information technology equipment and software should be applied in accordance with the recommendations provided in Refs. [9] and [10].
4.7 (ver 5.10). The design rules for instrumentation and control and information technology equipment and software should be applied in accordance with the recommendations provided in Refs [14] and [15].
Comments: edited

4.12 (ver 5.1). Quality assurance or management requirements for procurement, construction, inspection, installation, testing, surveillance, and modification of SSCs should be assigned based on their safety class as outlined in Ref. [11].
4.8 (ver 5.10). Quality assurance or management system requirements for the design, qualification, procurement, construction, inspection, installation, testing, surveillance and modification of SSCs should be assigned on the basis of their safety class, in accordance with the requirements established in Ref. [16].
Comments: (30USA) (55UK)

4.13 (ver 5.1). The seismic classification of safety and non-safety class SSCs should be in accordance with the recommendations provided in Ref. [7].
4.9 (ver 5.10). The seismic categorization of safety related SSCs and SSCs not important to safety should be determined in accordance with the recommendations provided in Ref. [17].
Comments: edited

4.14 (ver 5.1). Environmental qualification of SSCs should be determined by the conditions associated with normal operation and for postulated initiating events where the SSCs may be called on to operate. As a minimum, environmental qualification should include consideration of humidity, temperature, pressure, vibration, chemical effects, radiation, operating time, aging, submergence, synergistic effects, and electromagnetic interference, radio frequency interference and voltage surges, as applicable.
4.10 (ver 5.10). The environmental qualification of SSCs should be determined in accordance with the conditions associated with normal operation and for postulated initiating events where the SSCs may be called on to operate. At a minimum, environmental qualification should include consideration of humidity, temperature, pressure, vibration, chemical effects, radiation, operating time, ageing, submergence, electromagnetic interference, radio frequency interference and voltage surges, as applicable.
Comments: edited




FIG 1. Main steps in classifying SSCs (new, ver 5.10). Flowchart steps, top to bottom:
(1) Definition and review of postulated initiating events
(2) Identification of safety functions: preventive safety functions, aimed at preventing failures and abnormal operation; mitigatory safety functions, aimed at controlling postulated initiating events and mitigating their consequences
(3) Categorization of safety functions
(4) Identification of SSCs or groups of SSCs to perform safety functions
(5) Assignment of SSCs to one of three safety classes
(6) Identification of design rules for classified SSCs




Table 2. Relationship between Safety Function Type and Safety Categories of Safety Functional Groups (ver 5.1)

Columns: safety function type; safety functional group defence in depth (DiD) level; severity level of consequence of failure of the safety functional group to perform its plant specific safety functions (High / Medium / Low).

Safety Function Type            | DiD Level    | High                                  | Medium            | Low
Preventive                      | DiD level 1  | Safety Category 1                     | Safety Category 2 | Safety Category 3
AOO Mitigation                  | DiD level 2  | Safety Category 1                     | Safety Category 2 | Safety Category 3
                                | DiD level 3A | Safety Category 1                     | Safety Category 2 | Safety Category 3
Accident Mitigation             | DiD level 3B | Safety Category 2                     | Safety Category 3 | Safety Category 3
                                | DiD level 4A | Safety Category 4 (footnotes 18, 19)  | Safety Category 4 | Safety Category 4
                                | DiD level 4B | Safety Category 4                     | Safety Category 4 | Safety Category 4
Radiological Release Mitigation | DiD level 5  | Not safety categorized (all severities)
Functions not included above    |              | Not safety categorized (all severities)

TABLE 3. RELATIONSHIP BETWEEN TYPE OF SAFETY FUNCTION AND SAFETY CATEGORIES FOR PLANT SPECIFIC SAFETY FUNCTIONS (ver 5.10)

Columns: type of safety function; severity of the consequences of the failure of plant specific safety functions (High / Medium / Low).

Type of safety function                                                          | High                            | Medium             | Low
Preventive safety functions                                                      | Safety category 1               | Safety category 2  | Safety category 3
Safety functions for mitigation of anticipated operational occurrences           | Safety category 1               | Safety category 2  | Safety category 3
Safety functions for mitigation of design basis accidents (level A)              | Safety category 1               | Safety category 2  | Safety category 3
Safety functions for mitigation of design basis accidents (level B)              | Safety category 2               | Safety category 3  | No safety category
Safety functions for mitigation of consequences in design extension conditions   | Safety category 4 (footnote 20) | N/A (footnote 21)  | N/A
Other safety functions                                                           | No safety category (all severities)

18 SSCs in safety functional groups assigned to safety category 4 could have a non-nuclear-safety safety class or specific requirements.
19 If sufficient analysis and understanding exists regarding the phenomena and consequences of an event, safety category 3 can be assigned.
20 SSCs performing safety functions in safety category 4 could be assigned to safety class 3 or classified as not important to safety, with additional specific requirements to be applied.
21 These categories are not applicable because the consequences in a design extension condition have already exceeded the consequence levels of medium (for design basis accidents) and low (for anticipated operational occurrences).



Fig. 1. Assignment of SSCs to Safety Classes (ver 5.1). [Figure: Safety Category 1 Safety Functional Group (Highest Safety Category) -> SSCs assigned to Preliminary Safety Class 1 (Highest Safety Class) -> SSCs assigned to the Safety Class 1 (Highest Safety Class); the same chain is drawn for Safety Categories 2, 3 and 4 and Safety Classes 2, 3 and 4; a final box holds the Not Safety Classified SSCs.]




                        Preliminary assignment of SSCs                                Final assignment of SSCs
                               to Safety Classes                                          to Safety Classes


                                              SSCs (SFG - main & supporting
     Plant Specific Safety                                                                                         SSCs assigned to the
                                                    SSCs) assigned to
     Function Category 1                                                                                               Safety Class 1
                                                Preliminary Safety Class 1
  (Highest Safety Category)                                                                                        (Highest Safety Class)
                                                  (Highest Safety Class)



                                              SSCs (SFG - main & supporting
    Plant Specific Safety                                                                                          SSCs assigned to the
                                                    SSCs) assigned to
    Function Category 2                                                                                              Safety Class 2
                                                Preliminary Safety Class 2



                                              SSCs (SFG - main & supporting
    Plant Specific Safety                                                                                          SSCs assigned to the
                                                    SSCs) assigned to
    Function Category 3                                                                                              Safety Class 3
                                                Preliminary Safety Class 3




    Plant Specific Safety
                                                Not safety classified SSCs                                       Not Safety Classified SSCs
    Function Category 4




                            FIG. 2. Assignment of SSCs to safety classes (Modified 5.10)




                                                                40/50
APPENDIX I
SAFETY FUNCTIONS IN RELATION TO THE CONCEPT OF DEFENCE IN DEPTH

Challenges/mechanisms affecting the performance of the safety functions

 LEVEL 1: Provisions for Level 1 of Defence in Depth. Objective: Prevention of abnormal operation and failure.
   Success (YES): Normal operation.
   Failure (NO): Initiating event.
 LEVEL 2: Provisions for Level 2 of Defence in Depth. Objective: Detection of failures and control of abnormal operation.
   Success (YES): Observance of the acceptance criteria established for anticipated operational occurrences (return to normal operation).
   Failure (NO): Design basis accidents.
 LEVEL 3: Provisions for Level 3 of Defence in Depth. Objective: Control of design basis accidents.
   Success (YES): Observance of the acceptance criteria established for design basis accidents.
   Failure (NO): Design extension conditions.
 LEVEL 4: Provisions for Level 4 of Defence in Depth. Objective: Control of consequences in design extension conditions.
   Success (YES): Limiting core damage and confinement preservation.
   Failure (NO): Significant off-site radioactive release.
 LEVEL 5: Provisions for Level 5 of Defence in Depth. Objective: Mitigation of radiological consequences of significant releases of radioactive material.

Fig. 3 Logic flow diagram for the allocation of safety functions to levels of defence in depth, showing safety functions and success criteria. (modified)

APPENDIX II
Relationship between Design and Safety Analysis processes and the safety Classification Process (new)

Row 1
 Design and safety analysis processes: Development of the basic objective for the design safety of the nuclear power plant; specification of parameters for normal operating conditions; review of failures of SSCs which could be caused by malfunctions, the effect of external and internal hazards or human induced events; grouping of postulated initiating events.
 Safety classification process: Review of the applicable postulated initiating events and identification of bounding postulated initiating events.
Row 2
 Design and safety analysis processes: Development/review of reactor type safety functions based on the fundamental safety functions for preventing or mitigating bounding postulated initiating events; decomposition of reactor type safety functions into plant specific safety functions (for preventing or mitigating each bounding postulated initiating event) at an adequate level of detail in order to allow the identification of the SSCs that are required for performing these safety functions.
 Safety classification process: Assignment of safety functions to bounding postulated initiating events:
   • Review of reactor type safety functions (for preventing initiating events or mitigating each bounding postulated initiating event)
   • Decomposition of reactor type safety functions into plant specific safety functions (for preventing initiating events or mitigating each bounding postulated initiating event)
Row 3
 Design and safety analysis processes: Specification of acceptance criteria for plant specific safety functions; conduct of preliminary safety analysis.
 Safety classification process: Categorization of the plant specific safety functions (with consideration given to frequency, consequences of failure and time before the safety function is called upon, for the bounding postulated initiating events).
Row 4
 Design and safety analysis processes: Definition of safety functional groups (and the list of main and supporting SSCs) to fulfil plant specific safety functions.
 Safety classification process: Review of the safety functional groups (and the list of main and supporting SSCs); assignment of main and supporting SSCs to safety classes (on the basis of the category of their associated plant specific safety function(s)):
   • Assignment of functional requirements to the plant specific safety functions
   • Assignment of design rules to SSCs within each safety functional group
Row 5
 Design and safety analysis processes: Conduct of final safety analysis.
 Safety classification process: Verification of safety classification.

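The categorization table (type of safety function versus severity of the consequences of failure) and the category-to-class assignment of Fig. 2 and Appendix II, carried through in code as an added example; this is not part of DS 367 or any IAEA material. It encodes the table including the N/A cells of footnote 21, the footnote 20 choice for category 4 (safety class 3 or not safety classified), and applies the Fig. 2 (version 5.10) mapping to a few constructed safety functional groups whose names, SSCs and severities are invented for illustration. One rule is an assumption not stated on this page: an SSC that appears as a main or supporting SSC in several groups keeps the most demanding class.

```python
"""Added worked example (not from DS 367): safety categorization of plant
specific safety functions and assignment of SSCs to safety classes."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class FunctionType(Enum):
    PREVENTIVE = "preventive safety function"
    AOO_MITIGATION = "mitigation of anticipated operational occurrences"
    DBA_LEVEL_A = "mitigation of design basis accidents (level A)"
    DBA_LEVEL_B = "mitigation of design basis accidents (level B)"
    DEC_MITIGATION = "mitigation of consequences in design extension conditions"
    OTHER = "other safety function"


class Severity(Enum):
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


# Categorization table from the page: type -> severity of the consequences of
# failure -> safety category. None means "no safety category"; a missing
# severity means "not applicable" (footnote 21 for design extension conditions).
CATEGORY_TABLE: Dict[FunctionType, Dict[Severity, Optional[int]]] = {
    FunctionType.PREVENTIVE:     {Severity.HIGH: 1, Severity.MEDIUM: 2, Severity.LOW: 3},
    FunctionType.AOO_MITIGATION: {Severity.HIGH: 1, Severity.MEDIUM: 2, Severity.LOW: 3},
    FunctionType.DBA_LEVEL_A:    {Severity.HIGH: 1, Severity.MEDIUM: 2, Severity.LOW: 3},
    FunctionType.DBA_LEVEL_B:    {Severity.HIGH: 2, Severity.MEDIUM: 3, Severity.LOW: None},
    FunctionType.DEC_MITIGATION: {Severity.HIGH: 4},
    FunctionType.OTHER:          {Severity.HIGH: None, Severity.MEDIUM: None, Severity.LOW: None},
}


def is_applicable(ftype: FunctionType, severity: Severity) -> bool:
    """False for the N/A cells of the table (footnote 21)."""
    return severity in CATEGORY_TABLE[ftype]


def categorize(ftype: FunctionType, severity: Severity) -> Optional[int]:
    """Safety category of a plant specific safety function, or None for no category."""
    if not is_applicable(ftype, severity):
        raise ValueError(f"{severity.value} consequences are not applicable for {ftype.value}")
    return CATEGORY_TABLE[ftype][severity]


def preliminary_class(category: Optional[int], category4_to_class3: bool = False) -> Optional[int]:
    """Fig. 2 (version 5.10): categories 1-3 map to safety classes 1-3 and category 4
    is not safety classified; footnote 20 allows category 4 to take safety class 3 instead."""
    if category is None:
        return None
    if category == 4:
        return 3 if category4_to_class3 else None
    return category


@dataclass
class SafetyFunctionalGroup:
    name: str
    ftype: FunctionType
    severity: Severity
    main_sscs: List[str]
    supporting_sscs: List[str] = field(default_factory=list)

    @property
    def category(self) -> Optional[int]:
        return categorize(self.ftype, self.severity)


def _rank(cls: Optional[int]) -> int:
    # Lower class number is more demanding; "not safety classified" ranks last.
    return 99 if cls is None else cls


def assign_classes(groups: List[SafetyFunctionalGroup],
                   category4_to_class3: bool = False) -> Dict[str, Optional[int]]:
    """Assign every main and supporting SSC the class derived from its group's category.
    Assumption (not stated on this page): an SSC shared by several groups keeps the
    most demanding class."""
    classes: Dict[str, Optional[int]] = {}
    for group in groups:
        cls = preliminary_class(group.category, category4_to_class3)
        for ssc in group.main_sscs + group.supporting_sscs:
            if ssc not in classes or _rank(cls) < _rank(classes[ssc]):
                classes[ssc] = cls
    return classes


def example_groups() -> List[SafetyFunctionalGroup]:
    """Constructed sample groups; names, SSCs and severities are illustrative only."""
    return [
        SafetyFunctionalGroup("reactor trip", FunctionType.AOO_MITIGATION, Severity.HIGH,
                              ["reactor protection system"], ["emergency diesel generators"]),
        SafetyFunctionalGroup("residual heat removal", FunctionType.DBA_LEVEL_A, Severity.MEDIUM,
                              ["RHR pumps"], ["component cooling water", "emergency diesel generators"]),
        SafetyFunctionalGroup("hydrogen control in DEC", FunctionType.DEC_MITIGATION, Severity.HIGH,
                              ["passive autocatalytic recombiners"]),
        SafetyFunctionalGroup("plant drain treatment", FunctionType.OTHER, Severity.LOW, ["drain tank"]),
    ]


if __name__ == "__main__":
    for ssc, cls in sorted(assign_classes(example_groups()).items()):
        label = "not safety classified" if cls is None else f"safety class {cls}"
        print(f"{ssc}: {label}")
```

In the sample, the emergency diesel generators support both a category 1 and a category 2 group and therefore end up in safety class 1, while the recombiners (category 4) are not safety classified unless `category4_to_class3=True` is passed, which models the footnote 20 option.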
REFERENCES (NEW REFERENCES ARE YELLOW)

[1]    INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. SSR-2/1, IAEA, Vienna (20xx) (in preparation).
[2]    INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment for Facilities and Activities, IAEA Safety Standards Series No. GSR Part 4, IAEA, Vienna (2008).
[3]    EUROPEAN ATOMIC ENERGY COMMUNITY, FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL LABOUR ORGANIZATION, INTERNATIONAL MARITIME ORGANIZATION, OECD NUCLEAR ENERGY AGENCY, PAN AMERICAN HEALTH ORGANIZATION, UNITED NATIONS ENVIRONMENT PROGRAMME, WORLD HEALTH ORGANIZATION, Fundamental Safety Principles, Main Safety Principles, Safety Fundamentals No. SF-1, Vienna (2006).
[4]    INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment and Verification for Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.2, IAEA, Vienna (2001).
[5]    INTERNATIONAL NUCLEAR SAFETY ADVISORY GROUP, Defence in Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996).
[6]    AMERICAN NUCLEAR SOCIETY, Safety and Pressure Integrity Classification Criteria for Light Water Reactors, ANSI/ANS-58.14, ANS, La Grange Park, Il (1993).
[7]    UNITED STATES REGULATORY COMMISSION, Guidelines for Categorizing Structures, Systems, and Components in Nuclear Power Plants According to their Safety Significance, USNRC, Washington DC (2006).
[8]    BRITISH ENERGY PLC, ELECTRICITÉ DE FRANCE, FORTUM, IBERDROLA, NRG, ROSENERGOATOM, SOGIN, SWISSNUCLEAR, TRACTEBEL, TVO, VATTENFALL, VGB POWERTECH, European Utility Requirements for LWR Nuclear Power Plants, Volumes 2.1 and 2.8, http://www.europeanutilityrequirements.org/
[9]    INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Safety Glossary, Terminology Used in Nuclear Safety and Radiation Protection, IAEA, Vienna (2007).
[10]   INTERNATIONAL ATOMIC ENERGY AGENCY, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-3, IAEA, Vienna (2010).
[11]   INTERNATIONAL ATOMIC ENERGY AGENCY, Deterministic Safety Analysis for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-2, IAEA, Vienna (2010).
[12]   INTERNATIONAL ATOMIC ENERGY AGENCY, Development and Application of Level 2 Probabilistic Safety Assessment for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-4, IAEA, Vienna (2010).
[13]   INTERNATIONAL ATOMIC ENERGY AGENCY, Protection against Internal Fires and Explosions in the Design of Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.7, IAEA, Vienna (2004).
[14]   INTERNATIONAL ATOMIC ENERGY AGENCY, Software for Computer Based Systems Important to Safety in Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.1, IAEA, Vienna (2000).
[15]   INTERNATIONAL ATOMIC ENERGY AGENCY, Instrumentation and Control Systems Important to Safety in Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.3, IAEA, Vienna (2003).
[16]   INTERNATIONAL ATOMIC ENERGY AGENCY, The Management System for Facilities and Activities, IAEA Safety Standards Series No. GS-R-3, IAEA, Vienna (2006).
[17]   INTERNATIONAL ATOMIC ENERGY AGENCY, Seismic Design and Qualification for Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.6, IAEA, Vienna (2003).

ANNEX I
REACTOR TYPE SAFETY FUNCTIONS FOR LIGHT WATER REACTORS

TABLE I-1. EXAMPLE OF REACTOR TYPE SAFETY FUNCTIONS (footnote 22) FOR BOILING WATER REACTORS AND PRESSURIZED WATER REACTORS (no DiD levels)

Safety functions (footnote 23)                                                                        Preventive              Mitigatory
(1) to prevent unacceptable reactivity transients;                                                    F1                      -
(2) to maintain the reactor in a safe shutdown condition after all shutdown actions;                  F1                      F1
(3) to shut down the reactor as necessary to prevent anticipated operational occurrences              F1                      F1
    from leading to design basis accidents and to shut down the reactor to mitigate the
    consequences of design basis accidents;
(4) to maintain sufficient reactor coolant inventory for core cooling in and after accident           -                       F2
    conditions not involving the failure of the reactor coolant pressure boundary;
(5) to maintain sufficient reactor coolant inventory for core cooling in and after all                -                       F2
    postulated initiating events considered in the design basis;
(6) to remove heat from the core after a failure of the reactor coolant pressure boundary             -                       F2
    in order to limit fuel damage;
(7) to remove residual heat in appropriate operational states and accident conditions                 F2                      F2
    with the reactor coolant pressure boundary intact;
(8) to transfer heat from other safety systems to the ultimate heat sink;                             -                       F2
(9) to ensure necessary services (such as electrical, pneumatic, hydraulic power supplies,            F1, F2, F3 supporting   F1, F2, F3 supporting
    lubrication) as a support function for a safety system;
(10) to maintain acceptable integrity of the cladding of the fuel in the reactor core;                F3                      F3
(11) to maintain the integrity of the reactor coolant pressure boundary;                              F2, F3                  F2, F3
(12) to limit the release of radioactive material from the reactor containment in accident            -                       F3
    conditions and conditions following an accident;
(13) to limit the radiation exposure of the public and site personnel in and following                -                       F3
    design basis accidents and selected severe accidents that release radioactive material
    from sources outside the reactor containment;
(14) to limit the discharge or release of radioactive waste and airborne radioactive material         F3                      -
    to below prescribed limits in all operational states;
(15) to maintain control of environmental conditions within the plant for the operation of            -                       F1, F2, F3 supporting
    safety systems and for habitability for personnel necessary to allow performance of
    operations important to safety;
(16) to maintain control of radioactive releases from irradiated fuel transported or stored           F3                      -
    outside the reactor coolant system, but within the site, in all operational states;
(17) to remove decay heat from irradiated fuel stored outside the reactor coolant system,             F2                      -
    but within the site;
(18) to maintain sufficient subcriticality of fuel stored outside the reactor coolant system          F1                      -
    but within the site;
(19) to prevent the failure or limit the consequences of failure of a structure, system or            F1, F2, F3 supporting   F1, F2, F3 supporting
    component whose failure would cause the impairment of a safety function.

Footnote 22: This list of safety functions is taken from the annex of the IAEA Safety Requirements publication, Safety of Nuclear Power Plants: Design, published in 2000. The numbering (in brackets) of the safety functions listed in that annex has been retained for ease of identification.
Footnote 23: The three fundamental safety functions are as follows: F1: control of reactivity; F2: removal of heat from the core; F3: confinement of radioactive material.

ANNEX II: EXAMPLES OF DESIGN RULES FOR SSCS

TABLE II-1 EXAMPLE OF DESIGN RULES FOR CATEGORIES OF SAFETY FUNCTIONS (modified no DiD levels)

Columns: CAPABILITY / DEPENDABILITY / ROBUSTNESS

Safety Category 1, Preventive
 Capability: Prevent deviation from design basis accident regulatory limits
 Dependability: Meet regulatory requirements for design basis accidents
 Robustness: Withstand normal operation, anticipated operational occurrence and design basis accident conditions
Safety Category 1, Mitigatory
 Capability: Achieve anticipated operational occurrence and design basis accident regulatory limits as appropriate
 Dependability: Meet regulatory requirements for anticipated operational occurrences and design basis accidents (footnote 24) as required
 Robustness: Withstand conditions due to normal operation and postulated initiating events to be mitigated
Safety Category 2, Preventive
 Capability: Prevent deviation from normal operation regulatory limits
 Dependability: Meet regulatory requirements for anticipated operational occurrences
 Robustness: Withstand normal operation and anticipated operational occurrence conditions
Safety Category 2, Mitigatory
 Capability: Achieve anticipated operational occurrence and design basis accident limits as appropriate
 Dependability: Meet regulatory requirements for anticipated operational occurrences and design basis accidents (footnote 24) as required
 Robustness: Withstand conditions due to normal operation and postulated initiating events to be mitigated
Safety Category 3, Preventive
 Capability: Prevent deviation from normal operating limits
 Dependability: Meet requirements for normal operation
 Robustness: Withstand normal operation conditions
Safety Category 3, Mitigatory
 Capability: Achieve anticipated operational occurrence and design basis accident limits as appropriate
 Dependability: Achieve regulatory requirements for normal operation, anticipated operational occurrences and design basis accidents (footnote 24) as required
 Robustness: Withstand conditions due to normal operation and postulated initiating events to be mitigated
Safety Category 4, Mitigatory
 Capability: Achieve requirements for design extension conditions
 Dependability: Achieve appropriate regulatory requirements
 Robustness: Withstand conditions due to normal operation and postulated initiating events to be mitigated

Footnote 24: Regulatory requirements may be deterministically developed or probabilistically developed, and may include requirements such as a target dependability for a mitigation system determined by the national regulatory cut-off probability for a specific event category divided by the probability of occurrence of that specific initiating event.

TABLE II-II EXAMPLES OF DESIGN RULES FOR SSCS

CAPABILITY
 Challenges (examples): Failure to perform safety function adequately
 Design solutions (examples): Appropriate code selection; Conservative margins; Material selection; Design qualification
DEPENDABILITY
 Challenges (examples): Effect of: single failure; common cause failure; errors in design, construction, maintenance and operation; failure of supporting systems
 Design solutions (examples): Appropriate code selection; Fail-safe design; Reliability/availability; Diversity; Redundancy; Independence; Maintainability; Testability; Material selection; Design qualification
ROBUSTNESS
 Challenges (examples): Effect of: internal hazards; external hazards; harsh and moderate environmental conditions; induced loads
 Design solutions (examples): Appropriate code selection; Fail-safe design; Material selection; Seismic and environmental qualification; Diversity; Separation; Independence; Maintainability; Testability

TABLE II-III. EXAMPLES OF DESIGN RULES AND CODES FOR SSCS BASED ON SAFETY CLASSES (MODIFIED)

Columns: preventive safety functions, safety class 1 / 2 / 3; mitigatory safety functions, safety class 1 / 2 / 3

Quality assurance
 Preventive: class 1 Nuclear grade; class 2 Nuclear grade; class 3 Commercial grade or specific requirements
 Mitigatory: class 1 Nuclear grade; class 2 Nuclear grade; class 3 Commercial grade or specific requirements
Environmental qualification (footnote 25)
 Preventive: class 1 Harsh or mild; class 2 Harsh or mild; class 3 Harsh or mild
 Mitigatory: class 1 Harsh or mild; class 2 Harsh or mild; class 3 Harsh or mild
Pressure retaining components (example codes) (footnote 26)
 Preventive: class 1 High pressure: C1, Low pressure: C2; class 2 High pressure: C2, Low pressure: C3; class 3 High pressure: C3, Low pressure: C4
 Mitigatory: class 1 High pressure: C2, Low pressure: C3; class 2 C3; class 3 C4
Electrical components (IEEE)
 Preventive: class 1 1E [II-3]; class 2 1E; class 3 Non 1E
 Mitigatory: class 1 1E; class 2 1E; class 3 Non 1E
Instrumentation and control (IEC 61226 category [II-4]) (footnote 27)
 Preventive: class 1 B or C; class 2 B or C; class 3 B or C
 Mitigatory: class 1 A; class 2 B; class 3 C
Seismic qualification
 Preventive: class 1 Seismic category 1; class 2 Seismic category 1; class 3 Specific requirements
 Mitigatory: class 1 Seismic category 1; class 2 Seismic category 1; class 3 Specific requirements

Footnote 25: Harsh or mild environmental conditions; SSCs need to be qualified for normal operation and for postulated initiating events, depending on the environmental conditions at their location in the plant.
Footnote 26: C1 indicates quality level 1, for example level 1 of ASME III [II-1] or RCC-M [II-2] (e.g. reactor pressure boundary); C2 indicates quality level 2, for example level 2 of ASME III [II-1] or RCC-M [II-2] (e.g. emergency core cooling system); C3 indicates quality level 3, for example level 3 of ASME III [II-1] or RCC-M [II-2] (e.g. component cooling water system, essential service water system); C4 is a quality class comprising non nuclear grade pressure retaining components with special requirements (for example seismic design, quality requirements): components in class C4 can be designed in accordance with any pressure retaining component design code, with account taken of special requirements (e.g. for the fire system).
Footnote 27: Category A denotes functions that play a principal role in the achievement or maintenance of plant safety to prevent design basis accidents from leading to unacceptable consequences. Category B denotes functions that play a complementary role to the category A functions in the achievement or maintenance of plant safety, particularly functions required to operate after the controlled state has been achieved, to prevent design basis accidents from leading to unacceptable consequences, or to mitigate the consequences of a design basis accident. Category C denotes functions that play an auxiliary or indirect role in the achievement or maintenance of plant safety.

REFERENCES TO ANNEX II (NEW)

[II-1] AMERICAN SOCIETY OF MECHANICAL ENGINEERS, Boiler and Pressure Vessel Code, Section III: Rules of the Construction of Nuclear Facility Components, ASME, Fairfield NJ (2010).
[II-2] FRENCH SOCIETY FOR DESIGN AND CONSTRUCTION RULES FOR NUCLEAR ISLAND COMPONENTS, Design and Conception Rules for Mechanical Components of PWR Nuclear Islands, RCC-M, AFCEN, Paris (2008).
[II-3] INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS, IEEE Standard for Qualifying Class 1E Electric Cables and Field Splices for Nuclear Power Generating Stations, IEEE (2004).
[II-4] INTERNATIONAL ELECTROTECHNICAL COMMISSION, Nuclear Power Plants – Instrumentation and Control Important to Safety – Classification of Instrumentation and Control Functions, IEC 61226, IEC, Geneva (2009).



