ASN Report 2018

• Level 3: Control of accidents without core meltdown
The aim here is to postulate that certain accidents, chosen for their “envelope” characteristics (the most penalising in a given family), can happen and to design and size backup systems to withstand those conditions. Such accidents are generally studied with pessimistic hypotheses, that is to say the various parameters governing this accident are assumed to be as unfavourable as possible. In addition, the single failure criterion is applied, in other words we postulate that in the accident situation and in addition to the accident, there will be the most prejudicial failure of one of the components used to manage this situation. As a result of this, the systems brought into play in the event of an accident (safeguard systems ensuring emergency shutdown, injection of cooling water into the reactor, etc.) comprise at least two redundant and independent channels.

• Level 4: Control of accidents with core meltdown
These accidents have been considered since the Three Mile Island accident (1979) and are now taken into account in the design of new reactors such as the EPR. The aim is to preclude such accidents or to design systems that can withstand them.

• Level 5: Mitigation of the radiological consequences of significant releases
This requires implementation of the measures provided for in the emergency plans, including measures to protect the general public: shelter, taking of stable iodine tablets to saturate the thyroid and avoid fixation of released radioactive iodine, evacuation, restrictions on consumption of water and of agricultural products, etc.

1.2.3 – Positioning of barriers

To limit the risk of releases, several barriers are placed between the radioactive substances and the environment. Barriers must be designed to have a high degree of reliability and must be monitored to detect any weaknesses or failures.
There are three such barriers for pressurised water reactors: the fuel cladding, the boundary of the reactor primary system, and the containment (see chapter 10).

1.2.4 – Deterministic and probabilistic approaches

Postulating the occurrence of certain accidents and verifying that, thanks to the planned functioning of the equipment, the consequences of these accidents will remain limited, is known as a deterministic approach. This approach is simple to apply in principle and allows an installation to be designed (and its systems to be sized) with good safety margins, by using so-called “envelope” cases.

The deterministic approach is however unable to identify the most probable scenarios because it focuses attention on accidents studied with pessimistic hypotheses. The deterministic approach therefore needs to be supplemented by an approach that better reflects possible accident scenarios in terms of their probability, that is to say the probabilistic approach used in the “Probabilistic Safety Assessments” (PSA).

Thus for nuclear power plants, the level 1 Probabilistic Safety Assessments (PSA) consist in establishing event trees for each “initiating event” leading to the activation of a safeguard system (level 3 of defence in depth), defined by the failure (or the success) of the actions provided for in the reactor management procedures and the failure (or correct operation) of the reactor. The probability of each sequence is then calculated based on statistics on the reliability of systems and on the rate of success of actions (including data on “human reliability”). Similar sequences of events that correspond to the same initiating event are grouped into families, making it possible to determine the contribution of each family to the probability of reactor core meltdown.
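The level 1 PSA quantification described above, as an added example that is not part of the ASN report: it enumerates the sequences of two small event trees, keeps those ending in core meltdown, and computes the contribution of each family. All frequencies, failure probabilities, branch names and meltdown rules are constructed for illustration, and branch failures are assumed independent.

```python
from itertools import product
from math import prod

# Constructed values for illustration only (not data from the ASN report).
# frequency: initiating events per reactor-year; branches: (name, failure
# probability per demand), assumed independent of each other.
EVENT_TREES = {
    "loss_of_power": {
        "frequency": 1e-2,
        "branches": [("emergency_shutdown", 1e-5),
                     ("backup_power", 1e-3),
                     ("operator_recovery", 1e-1)],
        # Assumed rule: meltdown if shutdown fails, or if backup power
        # fails and the operators do not recover in time.
        "meltdown": lambda f: f["emergency_shutdown"]
        or (f["backup_power"] and f["operator_recovery"]),
    },
    "pipe_rupture": {
        "frequency": 1e-4,
        "branches": [("emergency_shutdown", 1e-5),
                     ("injection_channel_a", 1e-2),
                     ("injection_channel_b", 1e-2)],
        # Two redundant injection channels: both must fail.
        "meltdown": lambda f: f["emergency_shutdown"]
        or (f["injection_channel_a"] and f["injection_channel_b"]),
    },
}

def meltdown_sequences(tree):
    """Return (failed-branch map, yearly frequency) for each sequence ending in meltdown."""
    names = [name for name, _ in tree["branches"]]
    sequences = []
    for outcome in product([False, True], repeat=len(names)):
        failed = dict(zip(names, outcome))
        if tree["meltdown"](failed):
            p = prod(q if failed[n] else 1 - q for n, q in tree["branches"])
            sequences.append((failed, tree["frequency"] * p))
    return sequences

def family_contributions(trees):
    """Group sequences by initiating event; return {family: (frequency, share)}."""
    totals = {ie: sum(f for _, f in meltdown_sequences(t)) for ie, t in trees.items()}
    overall = sum(totals.values())
    return {ie: (freq, freq / overall) for ie, freq in totals.items()}

if __name__ == "__main__":
    for family, (freq, share) in family_contributions(EVENT_TREES).items():
        print(f"{family}: {freq:.3e} per year, {share:.1%} of core meltdown frequency")
```

With these constructed inputs the redundant injection channels bring the second family's contribution well below the first, which is the kind of ranking a deterministic “envelope” study does not provide.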
Although the PSAs are limited by uncertainties concerning the reliability data and approximations in the modelling of the facility, they consider a broader set of accidents than the deterministic assessments and enable the design resulting from the deterministic approach to be verified and supplemented if necessary. They are therefore to be used as a complement to deterministic studies and not as a substitute for them.

The deterministic studies and probabilistic assessments constitute an essential element in the demonstration of nuclear safety that addresses equipment internal faults, internal and external hazards, and plausible combinations of these events.

To be more precise, the internal faults correspond to malfunctions, failures or damage to facility equipment, including as a result of inappropriate human action. Internal or external hazards correspond to events originating inside or outside the facility respectively and which can call into question the safety of the facility.

Internal faults for example include:
∙ loss of the electrical power supplies or the cooling systems;
∙ ejection of a rod cluster control assembly;
∙ rupture of a pipe in the primary or secondary system of a nuclear reactor;
∙ reactor emergency shutdown failure.

With regard to internal hazards, the following in particular must be considered:
∙ flying projectiles, notably those resulting from the failure of rotating equipment;
∙ pressure equipment failures;
∙ collisions and falling loads;
∙ explosions;
∙ fires;
∙ hazardous substance emissions;
∙ floods originating within the perimeter of the facility;
∙ electromagnetic interference;
∙ malicious acts.
[Figure: The 5 levels of “Defence in Depth”. Labels: Limiting the consequences of discharges; On-site emergency plan; Limiting the consequences of a severe accident; Serious accident management; Control of accidents; Maintaining within the authorised range; Design; Operation; Prevention of anomalies; Regulation systems, periodic checks; Backup systems, accident procedures]

ASN report on the state of nuclear safety and radiation protection in France in 2018
02 – THE PRINCIPLES OF NUCLEAR SAFETY AND RADIATION PROTECTION AND THE REGULATION AND OVERSIGHT STAKEHOLDERS
