
Comparison of Canadian NPP Design Requirements with those of Foreign Regulators

Contract No. 87055-10-1059 Final Report ENCO-FR-(11)-26 September 2011

RSP-0273

Canadian Nuclear Safety Commission

87055-10-1059 R403.1

Nuclear Power Plant Design Requirement References

Final Report

ENCO-FR-(11)-26 September 2011

Prepared by: ENCO

Prepared for: Canadian Nuclear Safety Commission

DISCLAIMER The Canadian Nuclear Safety Commission is not responsible for the accuracy of the statements made or opinions expressed in this publication and does not assume liability with respect to any damage or loss incurred as a result of the use made of the information contained in this publication.

DOCUMENT REVIEW AND APPROVAL COVER SHEET

CONTRACT No.: 87055-10-1059

PROJECT TITLE: R403.1 Nuclear Power Plant Design Requirement References

PERFORMED BY: ENCO

DELIVERABLE: Final Report

PREPARED FOR: Canadian Nuclear Safety Commission

Revision 0, released 29.08.2011
Prepared by: M. Tronea, I. Popa (22.08.2011)
Reviewed by: J. Pachner (26.08.2011)
Approved by: B. Tomic (29.08.2011)

Revision 1, released 30.09.2011 (implementation of CNSC comments)
Prepared/revised by: M. Tronea, I. Popa (28.09.2011)
Reviewed by: J. Pachner (29.09.2011)
Approved by: B. Tomic (30.09.2011)

R403.1 Nuclear Power Plant Design Requirement References © ENCO Final Report, ENCO FR-(11)-26, Rev.1 Page i

EXECUTIVE SUMMARY

The aim of this project was to provide support to the CNSC in the formulation of a regulatory position on the Canadian design requirements for new nuclear power plants as compared to those applied in other regulatory jurisdictions, specifically in the US, Finland, UK, France and in the European Union.

The regulatory requirements currently applied in various countries that have nuclear power programmes reflect the technology of choice for the respective reactors, the operating experience accumulated as well as the developments due to research and improvement in assessment tools and techniques. While the basic safety principles governing the design of nuclear power reactors are the same regardless of the reactor technology employed, differences arise when the regulatory requirements become prescriptive as regards the design of particular safety systems provided to prevent and / or mitigate accident scenarios which are specific for each reactor type.

During the last decade, a number of new reactor systems have been developed which include significant changes in technology when compared to the reactors currently in operation. These new reactors have been developed in observance of the regulatory requirements and industry standards of the country of origin, and more often than not difficulties arise when such a design is submitted for regulatory approval as part of the licensing process for construction in other countries, which usually have established their own national safety requirements and standards.

Although the harmonisation of nuclear safety standards at the international level and the standardisation of nuclear power plants are advocated by several industry organisations, and the regulatory authorities are also cooperating on this matter, the process is progressing slowly, and differences exist in the interpretation of the requirements as well as in the expectations regarding their implementation. The expectations with regard to the implementation of safety requirements on the design of power reactors are usually expressed as quantitative safety criteria, the harmonisation of which has not been pursued to the same extent as that of the qualitative requirements. Moreover, the regulatory practices for independent review of the safety assessments that underpin the design of reactor safety systems are not harmonised.

The project included benchmarking of the Canadian Regulatory Documents RD-337 and RD-310 (1) against the requirements established by selected foreign regulators: the United States Nuclear Regulatory Commission (US NRC), the Finnish Radiation and Nuclear Safety Authority (STUK), the United Kingdom Nuclear Installations Inspectorate (NII), the French Nuclear Safety Authority (ASN), and also against the Reference Levels (RL) and Nuclear Safety Objectives (SO) for new reactors established by the Western European Nuclear Regulators' Association (WENRA) for the purpose of harmonising the regulatory requirements in the European Union. The lessons learned from the application of different requirements were also reviewed as part of the project. The regulatory documents addressed in the scope of the project are on different levels in the regulatory frameworks of the respective countries, varying from legally binding requirements to principles and guidelines used in the regulatory review.

(1) RD-310, even though not included in the project scope as defined by CNSC, was considered in the benchmark to the extent needed to minimize the number of differences that would otherwise have been identified because the foreign regulations benchmarked contain, to various extents and levels of detail, provisions for safety analyses.

The main differences identified in the benchmarking are related to the design measures for the protection against severe accidents, the design of the containment system, the treatment of aircraft crash, the dose acceptance criteria and safety goals, the application of the single failure criterion, the time available to the operators before their action would be required in response to accidents, the scope of the requirements on electrical systems and the inherent reactivity feedback characteristics of the reactor.

All the differences in requirements have the potential to lead to design changes for a reactor licensed in the above mentioned jurisdictions. Further design changes may arise due to the differences in regulatory review practices and criteria. Since the comparison of regulatory review practices and criteria was outside the scope of the present study, safety criteria were compared only for the cases where these were provided in the regulatory documents subjected to benchmarking. A qualitative discussion on the impact of differing requirements on the conservatism, safety benefits and costs was also provided as part of the project.

The detailed benchmarking and the findings of this study constitute a good basis for the CNSC to identify areas where further development or clarification of the Canadian regulatory requirements and review guidelines may be useful, as well as areas where particular attention should be paid if applications for licensing are submitted for reactor designs developed in accordance with the regulations and standards in force in other countries.


TABLE OF CONTENTS

EXECUTIVE SUMMARY.................................................................................................................... i

ABBREVIATIONS ............................................................................................................................... 1

1. INTRODUCTION ........................................................................................................................ 4

1.1 Background............................................................................................................................ 4

1.2 Objective ................................................................................................................................ 5

1.3 Scope...................................................................................................................................... 5

1.4 Work Plan .............................................................................................................................. 6

1.5 Basic Approach...................................................................................................................... 6

1.6 Structure of the Report........................................................................................................... 8

2. DESIGN REQUIREMENTS BENCHMARKED...................................................................... 9

2.1 RD-337, Design of New Nuclear Power Plants ..................................................................... 9

2.2 US NRC 10 CFR Part 50 ..................................................................................................... 10

2.3 Finnish Regulatory Guides .................................................................................................. 10

2.4 UK Safety Assessment Principles........................................................................................ 11

2.5 French-German Technical Guidelines for New Reactors .................................................... 11

2.6 WENRA RL......................................................................................................................... 12

3. US NRC 10 CFR PART 50 BENCHMARK............................................................................. 13

3.1 Differences in Objective and Scope..................................................................................... 13

3.2 Detailed Comparison of Design Requirements.................................................................... 15

3.2.1 Review of dose criteria and safety goals ..................................................................... 16

3.2.2 Review of requirements on Operational Limits and Conditions ................................. 18

3.2.3 Review of requirements on Management of the Design Process ................................ 18

3.2.4 Review of General Requirements on Design .............................................................. 19

3.2.5 Review of requirements on combustible gas control .................................................. 25

3.3 Summary of findings............................................................................................................ 26

3.3.1 Differences in dose criteria and safety goals............................................................... 26

3.3.2 Common findings related to system-specific requirements ........................................ 26

3.3.3 Differences in requirements on electrical systems ...................................................... 26

3.3.4 Protection against severe accidents ............................................................................. 27

3.3.5 Design of control rooms.............................................................................................. 27

3.3.6 Fire protection ............................................................................................................. 28

3.3.7 Design against malevolent acts ................................................................................... 28

3.3.8 Design against accidental aircraft crash ...................................................................... 28

3.4 Lessons learnt in the U.S. Generic Design Certification process ........................................ 29

4. FINNISH REGULATORY GUIDES BENCHMARK............................................................ 32


4.1 Differences in Objectives and Scope ................................................................................... 32

4.2 Detailed Comparison of Design Requirements.................................................................... 35

4.2.1 Review of Government Decree (733/2008) on the Safety of Nuclear Power Plants .. 35

4.2.2 Review of YVL 1.0, Safety criteria for design of nuclear power plants ..................... 37

4.3 Summary of findings............................................................................................................ 42

4.3.1 Differences in dose criteria and safety goals............................................................... 42

4.3.2 Common findings related to system-specific requirements ........................................ 42

4.3.3 Differences in requirements on electrical systems ...................................................... 43

4.3.4 Protection against severe accidents ............................................................................. 43

4.3.5 Fire protection ............................................................................................................. 43

4.3.6 Design against accidental aircraft crash ...................................................................... 44

4.3.7 Other requirements...................................................................................................... 44

4.4 Lessons Learnt from the Finnish Regulatory Review of OL3 EPR..................................... 44

5. UK SAFETY ASSESSMENT PRINCIPLES BENCHMARK ............................................ 46

5.1 Differences in Objective and Scope..................................................................................... 46

5.2 Detailed Comparison of Design Requirements.................................................................... 47

5.2.1 Review of the Engineering Principles ......................................................................... 47

5.2.2 Review of the Radiation Protection Principles............................................................ 56

5.2.3 Review of the Fault Analysis Principles ..................................................................... 56

5.2.4 Review of the Numerical Targets and Legal Limits ................................................... 59

5.2.5 Review of the Accident Management and Emergency Preparedness Principles ........ 61

5.3 Summary of findings............................................................................................................ 61

5.3.1 Differences in dose criteria and safety goals and in the expectations for safety assessment ..................................................................................................................................... 61

5.3.2 Differences in design expectations.............................................................................. 64

5.4 Lessons Learnt in the UK Generic Design Assessment Process.......................................... 66

6. FRENCH-GERMAN TECHNICAL GUIDELINES BENCHMARK................................... 72

6.1 Differences in Objective and Scope..................................................................................... 72

6.2 Detailed Comparison of Design Requirements.................................................................... 73

6.3 Summary of findings............................................................................................................ 86

6.3.1 Differences in Safety Goals......................................................................................... 86

6.3.2 Differences in design requirements for protection against severe accidents............... 87

6.3.3 Differences in requirements on safety classification of SSCs..................................... 87

6.3.4 Differences in the application of the Single Failure Criterion .................................... 87

6.3.5 Differences regarding the treatment of aircraft crash.................................................. 88

6.3.6 Differences in the requirements for safety assessment................................................ 88

6.3.7 Other notable differences ............................................................................................ 89


6.4 Application of the TG to Flamanville EPR.......................................................................... 89

7. WENRA SAFETY OBJECTIVES AND REFERENCE LEVELS BENCHMARK ............ 93

7.1 Differences in Objective and Scope..................................................................................... 93

7.2 Comparison of Safety Objectives ........................................................................................ 93

7.3 Detailed Comparison of Design Requirements.................................................................... 98

7.3.1 Reference Levels in Appendix E - Design Basis Envelope for Existing Reactors...... 98

7.3.2 Reference Levels in Appendix F - Design Extension of Existing Reactors .............. 101

7.3.3 Reference Levels in Appendix G - Safety Classification of Structures, Systems and Components ................................................................................................................................. 102

7.3.4 Reference Levels in Appendix H - Operational Limits and Conditions.................... 102

7.3.5 Reference Levels in Appendix S - Protection against internal fires.......................... 104

7.4 Summary of findings.......................................................................................................... 104

7.4.1 Differences in safety goals ........................................................................................ 104

7.4.2 Coverage of WENRA Reference Levels................................................................... 105

8. CONSERVATISM, SAFETY BENEFITS AND COSTS ..................................................... 111

8.1 Scope and limitations of the assessment of conservatism, safety benefits and costs......... 111

8.2 Differences in regulatory requirements most important to conservatism, safety benefits and costs of design provisions ............................................................................................................... 113

8.2.1 Protection against severe accidents ........................................................................... 113

8.2.2 Containment Design.................................................................................................. 114

8.2.3 Treatment of aircraft crash ........................................................................................ 116

8.2.4 Other significant differences ..................................................................................... 117

9. CONCLUDING REMARKS ................................................................................................... 121

10. REFERENCES ......................................................................................................................... 124

APPENDIX 1A, General Comparison of the Scope of US NRC 10 CFR Part 50 and the CNSC RD-337

APPENDIX 1B, Detailed Comparison of Design Requirements in US NRC 10 CFR Part 50 and RD-337

1.B.1 Review of dose criteria and safety goals
1.B.2 Review of requirements on Operational Limits and Conditions
1.B.3 Review of requirements on Management of the Design Process
1.B.4 Review of General Requirements on Design
1.B.5 Review of requirements for Combustible Gas Control

APPENDIX 2A, General Comparison of the Scope of Finnish YVLs and the CNSC RD-337

APPENDIX 2B, Detailed Comparison of Design Requirements in Finnish Regulations and RD-337

2.B.1 Review of Government Decree (733/2008) on the Safety of Nuclear Power Plants
2.B.2 Review of YVL 1.0, Safety criteria for design of nuclear power plants

APPENDIX 3A, General Comparison of the Scope of UK SAPs and the RD-337

APPENDIX 3B, Detailed Comparison of Design Requirements in UK SAPs and RD-337

3.B.1 Review of Engineering Principles
3.B.2 Review of Radiation Protection Principles
3.B.3 Review of Fault Analysis Principles
3.B.4 Review of Numerical Targets and Legal Limits
3.B.5 Review of Accident Management and Emergency Preparedness Principles

APPENDIX 4, Detailed Comparison of Design Requirements in French-German TG and RD-337

APPENDIX 5A, Comparison of WENRA SO and the RD-337

APPENDIX 5B, Comparison of WENRA RL and the RD-337

5.B.1 Review of RL in Appendix E - Design Basis Envelope for Existing Reactors
5.B.2 Review of RL in Appendix F - Design Extension of Existing Reactors
5.B.3 Review of RL in Appendix G - Safety Classification of Structures, Systems and Components
5.B.4 Review of RL in Appendix H - Operational Limits and Conditions
5.B.5 Review of RL in Appendix S - Protection against Internal Fires


ABBREVIATIONS

ABWR Advanced Boiling Water Reactor
ACR Advanced CANDU Reactor
ACRS Advisory Committee on Reactor Safeguards
AFI Alternate Feedwater Injection
AIA Aircraft Impact Assessment
ALARA As Low As Reasonably Achievable
ALARP As Low As Reasonably Practicable
ALWR Advanced Light Water Reactor
AOO Anticipated Operational Occurrence
ASCE American Society of Civil Engineers
ASN Autorité de Sûreté Nucléaire
ATWS Anticipated Transients Without Scram
BDBA Beyond Design Basis Accident
BSL Basic Safety Level
BSL(LL) Basic Safety Level (Legal Limit)
BSO Basic Safety Objective
BWR Boiling Water Reactor
CANDU CANada Deuterium Uranium reactor
CBA Cost Benefit Analysis
CCF Common Cause Failure
CCFP Conditional Containment Failure Probability
CDF Core Damage Frequency
CFR Code of Federal Regulations
CNSC Canadian Nuclear Safety Commission
COLA Combined License Application
CSA Canadian Standards Association
DAC Design Acceptance Criteria
DBA Design Basis Accident
DBE Design Basis Earthquake
DBT Design Basis Threat
DEC Design Extension Conditions
ECCS Emergency Core Cooling System
EPR European Pressurized Reactor or Evolutionary Power Reactor
EPRI Electric Power Research Institute
EPS Emergency Power Supply
EU European Union
EUR European Utility Requirements
FHA Fire Hazard Analysis
GDA Generic Design Assessment
GDC General Design Criteria
GE General Electric
GPR Groupe Permanent chargé des Réacteurs nucléaires
GRS Gesellschaft für Anlagen- und Reaktorsicherheit (German Plant and Reactor Safety company)
HSE Health and Safety Executive
I&C Instrumentation and Control
IAEA International Atomic Energy Agency
ICRP International Commission on Radiological Protection
IPSN Institut de Protection et de Sûreté Nucléaire
KTA Kerntechnischer Ausschuss (German Nuclear Safety Standards Commission)
LERF Large Early Release Frequency
LOCA Loss of Coolant Accident
LRF Large Release Frequency
LWR Light Water Reactor
MCCI Molten Core Concrete Interaction
MCR Main Control Room
NFPA National Fire Protection Association
NII Nuclear Installations Inspectorate
NPP Nuclear Power Plant
OBE Operating Basis Earthquake
OL3 Olkiluoto Nuclear Power Plant, Unit 3
OLC Operational Limits and Conditions
ONR Office for Nuclear Regulation
PGA Peak Ground Acceleration
PHWR Pressurized Heavy Water Reactor
PS Protection System
PSA Probabilistic Safety Analysis
PSR Periodic Safety Review
PWR Pressurized Water Reactor
R2P2 Reducing Risks, Protecting People: HSE's decision making process
RC Reinforced Concrete
RCP Reactor Coolant Pump
RCS Reactor Coolant System
RD Regulatory Document
RHWG Reactor Harmonization Working Group
RI Regulatory Issues
RIA Reactivity Initiated Accident
RL (WENRA) Reference Levels
RPV Reactor Pressure Vessel
RSK Reaktor-Sicherheitskommission (German Reactor Safety Commission)
SA Severe Accident
SAP Safety Assessment Principle
SC Steel-Concrete composite
SCR Secondary Control Room
SFC Single Failure Criterion
SISC Safety Information and Control System
SO (WENRA) Safety Objectives
SRP Standard Review Plan
SSC Systems, Structures and Components
SSE Safe Shutdown Earthquake
STUK Finnish Radiation and Nuclear Safety Authority
SWR Siedewasserreaktor (German boiling water reactor, as in the SWR-1000)
TAG Technical Assessment Guide
TG Technical Guidelines
TMI Three Mile Island
TOR The Tolerability of Risk from Nuclear Power Stations
URD Utility Requirements Document
US NRC United States Nuclear Regulatory Commission
WENRA Western European Nuclear Regulators' Association
YVL Ydinvoimalaitosohjeet, Finnish regulatory guides on nuclear safety


1. INTRODUCTION

1.1 Background

Canada is one of the few countries possessing a complete functional infrastructure for the entire process of nuclear fuel production and power generation. The 22 MWe Nuclear Power Demonstration (NPD) started operation in 1962 and successfully demonstrated the unique concepts of on-power refuelling using natural uranium fuel, and heavy water moderator and coolant. These defining features together with passive safety features, pioneer computerized control, and the application of diversity and separation concepts in the design formed the basis of a successful fleet of CANDU power reactors built and operated in Canada and elsewhere.

The 1990s saw a dramatic decrease in the growth of electricity demand, resulting in a veritable halt in the construction of any additional Canadian nuclear generating facilities. The arrival of the new millennium however, has brought with it a renewed enthusiasm, a renaissance for nuclear energy as an economically viable and environmentally sound piece of the puzzle to solving the world’s current energy challenges. With rising oil costs, growing concerns for the negative effects of greenhouse gas emissions on worldwide climate change, and a predicted doubling in world electricity consumption by 2030, nuclear power is again factoring into the energy equation. At this time (2011) there are more than 50 new nuclear power plants under construction and almost 500 planned or proposed throughout the world.

In Canada, six different reactor types were under consideration for the Bruce site in 2006. Two EPR units or four AP1000 units (together with two ACR-1000 twin units) were considered by Bruce Power for construction in Alberta; that application was withdrawn by Bruce Power in 2008. Areva has recently (2010) expressed its intention to finance and build a new plant in New Brunswick using Atmea (an 1100 MWe pressurized water reactor) or Kerena (formerly the SWR-1000, a 1250 MWe boiling water reactor) technology.

The Canadian Nuclear Safety Commission (CNSC, formerly the Atomic Energy Control Board) has been successfully regulating this industry for more than 60 years. Continuing its proactive efforts to ensure a stable and predictable regulatory regime for the industry's renaissance, the CNSC is reviewing the regulatory framework for licensing new nuclear generating stations. Moving towards improved consistency with modern international regulatory requirements, the International Atomic Energy Agency (IAEA) Safety Requirements NS-R-1, "Safety of Nuclear Power Plants: Design" [1], were used as the basis for Regulatory Document RD-337, "Design of New Nuclear Power Plants", published by the CNSC in September 2008.

However, since the IAEA safety requirements constitute a set of minimum general requirements that must be met by all its member states, national regulators may choose different approaches for the detailed regulations and guidance, in accordance with their more or less prescriptive orientation. As such, it is recognized that differences might still exist between the Canadian approach and those of foreign nuclear regulatory bodies.

Another aspect which might be a source of differences in design requirements (but also in licensing process and practices) is the focus of the older Canadian regulatory documents on national (CANDU) reactor technology. While the IAEA NS-R-1 is intended as a set of requirements applicable to water-cooled reactors in general, these requirements have been used only to complement the well established Canadian good practices. The resulting document, RD-337, which takes into account decades of experience in the development and safe operation of heavy water reactors, could therefore differ to some extent from the design requirements of countries with a long history of operating light water or gas cooled reactors.

With applications for construction of light water reactors possibly coming up, the CNSC intends to develop review plans for light water reactors, and for this purpose is looking for identification of the above mentioned design requirements differences and of their potential effects.

1.2 Objective

The general objective of this project is to support the CNSC in the formulation of a regulatory position on the Canadian design requirements for new nuclear power plants as compared to those imposed by selected foreign regulators: the United States Nuclear Regulatory Commission (US NRC), the Finnish Radiation and Nuclear Safety Authority (STUK), the United Kingdom Nuclear Installations Inspectorate (NII), but also with the commonly agreed minimum set of regulatory requirements in Europe – the Reference Levels (RL) used in the regulatory framework harmonization by the Western European Nuclear Regulators’ Association (WENRA). In addition, at the request of CNSC, French-German “Technical Guidelines for the Design and Construction of the Next Generation of Nuclear Power Plants with Pressurized Water Reactors” were included in the benchmark after the Progress meeting of July 5, 2011.

The specific objectives of the project are to:

• Benchmark the design expectations of the RD-337 against those of the selected foreign regulatory bodies and WENRA RL and identify differences;

• Discuss the impact of the identified differences on the specific (individual design feature) and overall (plant safety) level of conservatism;

• Discuss inferred relative changes in safety benefits versus cost of implementation of major differences identified;

• Discuss, where available, lessons learned from the application of different requirements.

1.3 Scope

The scope of the benchmark includes the following corresponding regulations, standards, guidelines and practices of the above mentioned foreign regulators:

• The US NRC Code of Federal Regulations, 10 CFR Part 50 - “Domestic Licensing of Production and Utilization Facilities”

• Relevant Finnish Regulatory Guides on nuclear safety (YVL)


• “Safety Assessment Principles”, 2006 Edition, Revision 1, published by the UK Health and Safety Executive (HSE)

• “Technical Guidelines for the Design and Construction of the Next Generation of Nuclear Power Plants with Pressurized Water Reactors”, adopted during the GPR/German experts plenary meetings held on October 19th and 26th 2000

• “WENRA Reactor Safety Reference Levels”, Reactor Harmonization Working Group, Western European Nuclear Regulators’ Association, January 2008; in addition, for completeness WENRA Safety Objectives for new NPPs (2010) were included by ENCO.

The regulatory documents that are addressed in the scope of the project are on different levels in the regulatory frameworks of the respective countries, varying from the legally binding to principles and guidelines (all are referred to as “regulations” in this report). However, from the perspective of the aims of the project, the specific requirements and criteria established were of interest, rather than the legal status.

1.4 Work Plan

The following work plan and schedule were agreed:

Task No.  Activity                                                                        Start date    End date
          Start-up meeting                                                                June 7
1         Benchmark of RD-337 against the US NRC 10 CFR Part 50                           June 8        June 26
2         Benchmark of RD-337 against the relevant Finnish Regulatory Guides (YVL)        June 8        June 26
          Progress meeting                                                                July 5
3         Benchmark of RD-337 against the UK Safety Assessment Principles                 June 27       August 19
4         Benchmark of RD-337 against the WENRA RL                                        June 27       August 19
5         Benchmark of RD-337 against the French Technical Guidelines (additional scope)  June 27       August 19
          Draft Report                                                                    August 29
          Seminar                                                                         September 2
          Final Report                                                                    September 30

1.5 Basic Approach

To assure the compatibility of the results, the differences in the objectives and scope of the benchmarked regulations were first established. For this purpose, each of the regulations was assessed from the standpoint of areas covered (e.g. safety concepts in design, system specific design requirements, etc.). This allowed for the comparison with RD-337. This first step provided a view of the type and level of detail of the design requirements found in each of the documents analyzed and helped streamline the benchmark of the detailed design expectations of RD-337.

The second step encompassed a systematic comparison of individual design requirements in each of the areas of RD-337 with the corresponding requirements (where they exist) in the foreign regulations. In this step, the requirements that are established in other regulations but not found in RD-337 were also identified. For each requirement, the intent and the wording were analyzed from the point of view of their effect on safety. This resulted in the selection of those requirements that are comparable and those that have no appropriate corresponding requirement in the other regulations. This process generated the “deltas”. The project team undertook a comprehensive analysis to assure that requirements structured in a different way (or established implicitly, etc.) would still be identified. Moreover, care was taken in areas where a specific safety objective may be fulfilled by different means: in such cases, requirements that differ at face value may be similar or comparable when viewed in a functional frame. By doing so, the project team assured that the resulting “deltas” identify only fundamentally different requirements set by the different regulatory regimes.

In some cases the regulations establish the quantitative limits, goals or targets. Where available, those were compared as well, and the discussion in this respect documented in the report.

A qualitative evaluation of the level of conservatism in the resulting design was undertaken. This evaluation had to overcome the differences in approach and philosophy that are unique to each of the regulations. The specific requirements identified in each regulation were first grouped into areas of safety relevance, and the level of conservatism established by each requirement, or by the category as a whole where it could not be established for individual requirements, was associated with them where possible.

A discussion of the costs of implementing specific safety measures was attempted. This assessment is notoriously difficult because costs vary with the supplier and with the country in which a plant is designed or built.

The lessons learned from the application of the various requirements were identified. In the case of Finnish requirements these mainly rely on the experience from Olkiluoto. For the US, the lessons learned present the experience in several of the reactor types that have been certified (like AP1000 or ABWR). For UK, the discussion is based on the Generic Design Acceptance process, and for the French jurisdiction on the application of the technical guidelines to Flamanville.

This approach was followed for the benchmark of the RD-337 against each of the similar regulations in the selected countries.


1.6 Structure of the Report

Section 2 presents a short description of the Regulatory Document 337, “Design of New Nuclear Power Plants”, and of the regulatory requirements reviewed and compared to it in the benchmark.

Sections 3 to 6 are dedicated to each of the four jurisdictions, USA, Finland, UK and France, with corresponding subsections describing the findings of both the general (scope) and detailed (requirements) comparison and presenting the summary of the most important findings, as well as the lessons learned from the application of those different requirements where those exist.

Section 7 presents the comparison with the WENRA Safety Objectives and Reference Levels.

Section 8 concludes the report with a discussion on the conservatism employed in the different jurisdictions, the safety benefits and the costs of implementing different requirements, where they are known.

The five Appendices include the comparison tables corresponding to the five parts of the benchmark: American (1), Finnish (2), British (3), French (4) and WENRA (5) requirements. Four of them are structured in two parts: comparison of the scope (part A) and comparison of the requirements (part B). For the French-German Technical Guidelines there were no exclusions from the scope; all requirements were found relevant for the benchmark and compared in detail with RD-337. For this reason Appendix 4 is not split into parts A and B.

The Appendices were the working documents for the comparison. They provided the detailed view of the corresponding requirements in the documents compared and formed the basis for documenting the comparison findings.


2. DESIGN REQUIREMENTS BENCHMARKED

2.1 RD-337, Design of New Nuclear Power Plants

The Regulatory Document RD-337 entitled “Design of New Nuclear Power Plants” sets out the expectations of the Canadian Nuclear Safety Commission concerning the design of new water-cooled nuclear power plants (NPPs or plants). It establishes a set of comprehensive design expectations that are risk-informed and align with accepted international codes and practices.

This document provides criteria pertaining to the safe design of new water-cooled NPPs, and offers examples of optimal design characteristics where applicable. All aspects of the design are taken into account, and multiple levels of defence are promoted in design considerations.

To a large degree RD-337 represents the CNSC staff’s adoption of the principles set forth by the IAEA in NS-R-1, “Safety of Nuclear Power Plants: Design” [1], and the adaptation of those principles to align with Canadian expectations. The scope of RD-337 goes beyond IAEA’s NS-R-1 to address the interfaces between NPP design and other topics, such as environmental protection, radiation protection, ageing, human factors, security, safeguards, transportation, and accident and emergency response planning.

Similar to NS-R-1, RD-337 considers all licensing phases, because information from the design process feeds into the processes for reviewing an application for a licence to construct an NPP, and other licence applications.

The guidance provided is technology-neutral with respect to water-cooled reactors to such extent as CNSC considers practicable. If a design other than a water-cooled reactor is to be considered for licensing in Canada, the design will be subject to the safety objectives, high level safety concepts and safety management expectations associated with this regulatory document. However, CNSC review of such a design will be undertaken on a case by case basis.

RD-337 includes direction concerning:

1. Establishing the safety goals and objectives for the design;

2. Utilizing safety principles in the design;

3. Applying safety management principles;

4. Designing systems, structures, and components;

5. Interfacing engineering aspects, plant features, facility layout; and

6. Integrating safety assessments into the design process.

The Document is structured into 11 sections, of which the first two describe the purpose and the scope of the guidance it provides.

Section 3 references the provisions of Canadian acts and regulations that empower CNSC to carry out the licensing of activities related to the peaceful use of nuclear energy, the prerequisites for CNSC licensing and the obligations of the licensees.

Section 4 defines the safety objectives and concepts that are to be applied in the design of new NPPs.


Section 5 discusses the safety management of the design process in terms of design authority, management, quality assurance, use of operational experience and research, safety assessment, and design documentation.

Section 6 provides safety considerations on the application of defence-in-depth, safety functions, accident prevention, radiation protection, etc.

Section 7 states the requirements for general design considerations such as classification of plant structures, systems and components, plant states and postulated initiating events to be considered in the design, reliability, environmental and seismic qualification, fire safety, in-service testing, maintenance, repair, inspection, and monitoring, commissioning, aging and wear, transport and packaging for fuel and radioactive waste, human factors, safeguards, decommissioning and more.

Section 8 provides system-specific expectations for the reactor core, reactor coolant system, steam supply system, means of shutdown, emergency core cooling system, containment, ultimate heat sink, emergency heat removal and power supply, control facilities, waste treatment and control, fuel handling and storage and radiation protection.

Section 9 provides requirements for the objectives and contents of safety analyses, including hazard, deterministic and probabilistic safety analyses.

Section 10 discusses environmental protection.

Section 11 presents the conditions under which CNSC will consider alternative approaches to the ones described in the previous 10 sections of the document.

2.2 US NRC 10 CFR Part 50

The Title 10 Code of Federal Regulations Part 50, “Domestic Licensing of Production and Utilization Facilities”, includes design requirements applicable to both existing and new NPPs, but also administrative requirements related to the licensing process, as well as requirements for construction, operation, etc. and methodologies to be employed for various tasks by the licensee (e.g. performance of the primary containment leakage testing). Of particular interest are also the Appendices to Part 50, of which the most relevant are:

Appendix A - General Design Criteria for Nuclear Power Plants,

Appendix B - Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants,

Appendix I - Numerical Guides for Design Objectives and Limiting Conditions for Operation to Meet the Criterion "As Low as is Reasonably Achievable" for Radioactive Material in Light-Water-Cooled Nuclear Power Reactor Effluents.

2.3 Finnish Regulatory Guides

A number of Finnish Regulatory Guides on Nuclear Safety (YVL) are relevant from the point of view of design requirements. As it is recognized that some of the YVLs contain very detailed requirements that are not to be found in RD-337 (e.g. requirements for documentation of the design basis for the electric motors of the nuclear facility pumps), the main document for the benchmark was YVL 1.0, “Safety criteria for design of nuclear power plants”. The other YVLs were considered to a level of detail similar to that of the RD-337 requirements. In addition, the Decision of the Council of State (395/91) on the general regulations for the safety of nuclear power plants contains general principles and design requirements for nuclear power plants equipped with a light water reactor. These requirements are partially reproduced in the YVLs and were considered in the scope of the benchmark to the extent necessary for a correct understanding of their intent. Decision 395/91 was superseded by the Government Decree on Safety of NPPs 27.11.2008/733 and the requirements therein were also considered in the scope of the benchmark.

2.4 UK Safety Assessment Principles

The SAPs provide inspectors with a framework for making consistent regulatory judgements on nuclear safety cases. The principles are supported by Technical Assessment Guides (TAGs), and other guidance, to further assist decision making by the nuclear safety regulatory process. The SAPs also provide nuclear site duty holders with information on the regulatory principles against which their safety provisions will be judged. However, they are not intended or sufficient to be used as design or operational standards, reflecting the non-prescriptive nature of the UK’s nuclear regulatory system. In most cases the SAPs are guidance to inspectors, but where guidance refers to legal requirements they can be mandatory depending on the circumstances. A number of numerical targets are included in the SAPs and some of these embody specific statutory limits that must be met.

The SAPs are for regulatory assessment throughout the life-cycle of an activity on a nuclear licensed site. Specific sections of the SAPs are devoted to siting and decommissioning. However, not every principle in the other sections will apply to all the other life-cycle stages and as always the principles are a reference set from which the inspector chooses those to be used for the particular stage in the life-cycle.

One of the aims of the SAPs is the safety assessment of new (proposed) nuclear facilities. They represent NII’s view of good practice and NII would expect modern facilities to have no difficulty in satisfying their overall intent.

The 2006 edition of the SAPs is the result of a review with the aim of ensuring the internationally endorsed standards and recommendations are taken into account, and has included benchmarking against the IAEA standards, as they existed in 2004. The UK’s goal-setting legal framework for health and safety does not apply IAEA requirements in a prescriptive manner, but they are reflected within the principles.

2.5 French-German Technical Guidelines for New Reactors

These technical guidelines, adopted during the GPR/German experts plenary meetings held in October 2000, present the opinion of the French Groupe Permanent chargé des Réacteurs nucléaires (GPR) concerning the safety philosophy and approach as well as the general safety requirements to be applied for the design and construction of the next generation of nuclear power plants of the PWR (pressurized water reactor) type, assuming the construction of the first units of this generation would start at the beginning of the 21st century. These technical guidelines are based on common work of the French Institut de Protection et de Sûreté Nucléaire (IPSN, now L'Institut de Radioprotection et de Sûreté Nucléaire, IRSN) and of the German Gesellschaft für Anlagen- und Reaktorsicherheit (GRS). Moreover, these technical guidelines were extensively discussed with members of the German Reaktor Sicherheitskommission (RSK) until the end of 1998 and further with German experts.

The guidelines are based on the concept of deriving the design of the new plants in an "evolutionary" way from the design of existing plants, taking into account the operating experience and the in-depth studies conducted for such plants, but introduction of innovative features is also considered, especially in preventing and mitigating severe accidents.

2.6 WENRA RL

WENRA’s Reactor Harmonization Working Group has developed Reactor Safety Reference Levels in five main areas that correspond closely to the Convention on Nuclear Safety and the structure used by IAEA, as well as to the structure of many national regulations, namely: safety management, design, operation, safety verification, and emergency preparedness.

The main issues under these areas that include requirements for NPP design are:

Area                     Issue
Design                   E: Design Basis Envelope for Existing Reactors
Design                   F: Design Extension of Existing Reactors
Design                   G: Safety Classification of Structures, Systems and Components
Operation                H: Operational limits and conditions
Emergency preparedness   S: Protection against internal fires

The RL in Issues E, F and G, and the relevant ones in Issues H and S, were used in benchmarking RD-337.

In addition, in 2010 WENRA adopted and published a statement on the safety objectives for new nuclear power plants. The statement is based on a study that was published by WENRA in January 2010 for public consultation and on consideration of comments received from stakeholders. Seven high level qualitative safety objectives have been endorsed. WENRA considers that the design of new nuclear power plants shall take into account operating experience feedback, lessons learnt from accidents, developments in nuclear technology and improvements in safety assessment. Hence, these objectives have been established so that new nuclear power plants licensed across Europe in the coming years are expected to be even safer than existing ones, especially through design improvements. WENRA is continuing its harmonization work on the basis of these objectives.


3. US NRC 10 CFR PART 50 BENCHMARK

3.1 Differences in Objective and Scope

As described in Section 2.2, The Title 10 Code of Federal Regulations Part 50, “Domestic Licensing of Production and Utilization Facilities”, includes design requirements applicable to both existing and new NPPs, but also administrative requirements related to the licensing process, as well as requirements for construction, operation, etc. and methodologies to be employed for various tasks by the licensee (e.g. performance of the primary containment leakage testing). A detailed table of comparison of the scope of 10 CFR Part 50 with that of RD-337 is provided in Appendix 1A. The main findings are presented and summarised in the following.

The General Provisions (parts 50.1 to 50.9) and the Requirement of License, and Exceptions (parts 50.10 to 50.12) are administrative requirements of the US licensing process and are not of interest within the scope of the benchmark.

Part 50.13 refers to attacks and destructive acts by enemies of the United States and defence activities, and states that “An applicant for a license to construct and operate a production or utilization facility, or for an amendment to such license, is not required to provide for design features or other measures for the specific purpose of protection against the effects of (a) attacks and destructive acts, including sabotage, directed against the facility by an enemy of the United States, whether a foreign government or other person, or (b) use or deployment of weapons incident to U.S. defence activities.”

RD-337, in Section 7.22 Robustness against Malevolent Acts, requires design features specifically provided for protection against design basis threats (DBTs), in accordance with the requirements of the Nuclear Security Regulations in force in Canada.

The sections on Classification and Description of Licenses (parts 50.20 to 50.23) and on Applications for Licenses, Certifications, and Regulatory Approvals (parts 50.30 to 50.39) contain administrative licensing requirements and are not of interest for the benchmark, with the exception of part 50.34, which includes requirements for the dose limits to be used in safety assessment. These requirements are subject to more detailed review in Section 3.2 and Appendix 1B.

From the section on Standards for Licenses, Certifications and Regulatory Approvals, of interest are the requirements in Part 50.44 on combustible gas control for nuclear power reactors. These are addressed in more details in Section 3.2.

Part 50.46 on acceptance criteria for emergency core cooling system is specific to light water reactors (LWR) and has no equivalent in RD-337.

Similarly, part 50.46a on acceptance criteria for reactor coolant system venting systems has no equivalent in RD-337.

Part 50.48 on Fire Protection requires a fire protection plan that satisfies Criterion 3 of Appendix A to Part 50. A more detailed comparison of Appendix A with RD-337 is presented in Section 3.2 and Appendix 1B of this report. Part 50.48 references a national US Standard: National Fire Protection Association (NFPA) Standard 805, "Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants, 2001 Edition" (NFPA 805). Comparison of the NFPA standard with the relevant CSA (Canadian Standards Association) standard is not under the scope of this benchmark.


Part 50.49 includes comprehensive requirements on the environmental qualification of electric equipment important to safety. There are no equivalent requirements in RD-337, since only general requirements are provided in Section 7.8 Equipment Environmental Qualification. However, 10 CFR 50.49 does not address environmental qualification for severe accident conditions.

Several parts in the section on Issuance, Limitations, and Conditions of Licenses and Construction Permits contain design requirements of interest for the benchmark.

Parts 50.61, 50.61a and 50.62 include fracture toughness requirements for protection against pressurized thermal shock events and requirements for reduction of risk from anticipated transients without scram (ATWS, see footnote 2) events for light-water-cooled nuclear power plants, for which there are no equivalents in RD-337.

Part 50.63 provides requirements for the loss of all alternating current power. RD-337 does not include any specific requirements / expectations for capability to withstand a station black-out. Section 8.9 Emergency Power Supply (EPS) includes a very general requirement: “The EPS system has sufficient capacity and capability, within a specified mission time, to support severe accident management actions”.

Part 50.68 provides requirements on prevention of criticality accidents that are more prescriptive than those in RD-337 Section 8.12 Fuel Handling and Storage.

The last part of interest from the design requirements point of view is Part 50.150 on aircraft impact assessment. RD-337 does not explicitly require an aircraft impact assessment.

In RD-337 Section 7.4.2 External Hazards, potential aircraft crashes are mentioned as human-induced external events identified in the site evaluation. It is required that “The design considers all natural and human-induced external events that may be linked with significant radiological risk. The subset of external events that the plant is designed to withstand is selected, and design basis events are determined from this subset.”

10 CFR 50.150 requires that “The assessment must be based on the beyond-design-basis impact of a large, commercial aircraft used for long distance flights in the United States, with aviation fuel loading typically used in such flights, and an impact speed and angle of impact considering the ability of both experienced and inexperienced pilots to control large, commercial aircraft at the low altitude representative of a nuclear power plant’s low profile”. “Using realistic analyses, the applicant shall identify and incorporate into the design those design features and functional capabilities to show that, with reduced use of operator actions: (i) The reactor core remains cooled, or the containment remains intact; and (ii) Spent fuel cooling or spent fuel pool integrity is maintained.”

Of the 10 CFR Part 50 appendices, Appendix A contains the general design criteria (GDC) that are referenced by 10 CFR Part 52 for new reactors. These GDCs are compared in detail with RD-337 requirements and the findings presented in Section 3.2 and Appendix 1B.

Appendix B to Part 50 includes Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants. These requirements are less comprehensive than those of RD-337 Section 5.0 on Design Control. A more detailed comparison is provided in Section 3.2 and Appendix 1B.

2 Traditionally, ATWS analysis was not required for CANDU reactors because of the two special shutdown systems provided in addition to the normal regulating system, so that failure to shut down the reactor constitutes a “triple failure” (with a frequency of less than 1E-7 per reactor year). ATWS was therefore excluded from the licensing basis accident analysis because of its estimated low frequency of occurrence.

Appendix G to Part 50 specifies fracture toughness requirements for ferritic materials of pressure-retaining components of the reactor coolant pressure boundary of light water nuclear power reactors. There are no equivalent requirements in RD-337.

Appendix I to Part 50, Numerical Guides for Design Objectives and Limiting Conditions for Operation to Meet the Criterion "As Low as is Reasonably Achievable" for Radioactive Material in Light-Water-Cooled Nuclear Power Reactor Effluents, specifies design objectives that refer to doses from normal operation. There are no equivalent requirements specified in RD-337, but Section 6.4 “Radiation Protection and Acceptance Criteria” makes reference to the limits prescribed for normal operation in the Radiation Protection Regulations. More details are provided in Section 3.2 and Appendix 1B.

Appendix K to Part 50 presents requirements on the evaluation models for the Emergency Core Cooling System that are LWR specific and have no equivalent in RD-337.

Appendix R to Part 50 applies to licensed nuclear power electric generating stations that were operating prior to January 1, 1979. It outlines criteria (fire damage limits) for systems, structures and components (SSCs) important to safety (for hot shutdown, cold shutdown and design basis accidents) and requires a fire hazard analysis. Section 9.3 of RD-337 treats hazard analysis in general, but does not specifically address the fire hazard analysis required to demonstrate that the general provisions in Section 7.12.1 are met. Appendix R also includes prescriptive requirements (“Specific Requirements”) on automatic fire protection features and manual fire fighting capabilities, emergency lighting, fire barriers, etc. While RD-337 does not include such detailed and prescriptive requirements, it is likely that they are covered in the industrial standards (e.g. CSA) accepted by CNSC for use in the design of fire protection for NPPs.

Appendix S to Part 50 refers to earthquake engineering criteria for NPPs. RD-337 specifies in Section 7.13 Seismic Qualification that “The seismic qualification of all SSCs aligns with the requirements of Canadian national—or equivalent—standards.” It also gives the categories of SSCs that have to be qualified to the Design Basis Earthquake (DBE). Appendix S to Part 50 does not specify the SSCs that have to be qualified.

The DBE corresponds to the Safe Shutdown Earthquake (SSE). 10 CFR Part 50 Appendix S prescribes a minimum horizontal peak ground acceleration (PGA) of 0.1g. RD-337 does not specify PGA values; whether the Canadian standards impose a more stringent requirement should therefore be checked against CSA N289.1-08 [2], which specifies a probability of exceedance for the DBE of 1E-4/year.

Appendix S and RD-337 Section 7.13 differ in scope and level of detail. An assessment of the differences between US and Canadian requirements on seismic qualification would require a comparison of standards and review criteria. More details are provided in Appendix 1A to this report.

3.2 Detailed Comparison of Design Requirements

The findings of the detailed comparison of 10 CFR Part 50 design requirements with those of RD-337 are discussed in the following. The majority of these requirements are contained in Appendix A to Part 50, with a smaller number of relevant aspects covered in the sections and sub-sections of Part 50 itself and in the other appendices.


The findings of the review are grouped into 5 sections which, to the extent practical, follow the structure of the RD-337 and cover all the relevant sections of the 10 CFR Part 50 for which a detailed comparison was identified as necessary following the comparison of scope:

1. Review of dose criteria and safety goals

• Appendix I to Part 50 — Numerical Guides for Design Objectives and Limiting Conditions for Operation to Meet the Criterion "As Low as is Reasonably Achievable" for Radioactive Material in Light-Water-Cooled Nuclear Power Reactor Effluents

• § 50.34 Contents of applications; technical information

• § 50.67 Accident source term

• Safety Goals in the Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition — Severe Accidents (NUREG-0800, Chapter 19) [3]

2. Review of requirements on Operational Limits and Conditions

• § 50.36 Technical specifications

3. Review of requirements on Management of the Design Process

• Appendix B to Part 50 — Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants

4. Review of General Requirements on Design

• Appendix A to Part 50 — General Design Criteria for Nuclear Power Plants

5. Review of requirements on combustible gas control

• § 50.44 Combustible gas control for nuclear power reactors

3.2.1 Review of dose criteria and safety goals

The design objectives in Appendix I to 10 CFR Part 50 imply an As Low As Reasonably Achievable (ALARA) annual dose (as design objective) of less than 0.05 mSv during normal conditions, including expected occurrences.

RD-337 specifies a dose acceptance criterion of 0.5 mSv (calculated for 30 days) for any anticipated operational occurrence (AOO). In accordance with the CNSC Regulatory Document RD-310, “Safety Analysis for Nuclear Power Plants” [4], AOOs include all events with frequencies of occurrence equal to or greater than 1E-2 per reactor year.

It appears that the design objectives in 10 CFR Part 50 Appendix I may be stricter as regards AOOs. Further investigation is necessary to determine how these criteria are applied in practice in the review of AOO analyses.


Although at a first glance it appears that the dose criteria for design basis accidents (DBA) in RD-337 are more restrictive than those imposed by the NRC regulations, the comparison has no practical value since the assumptions for the analysis differ.

The 25 rem (250 mSv) criterion in 10 CFR 100.11, 50.34 & 50.67 is often used as a de facto acceptance criterion for DBA by the NRC staff. This can be observed in the licensees’ submittals for design certifications (comparison of DBA doses with acceptance criteria) and corresponding NRC Safety Evaluation Reports.

However, this use is not in line with NRC Policy Statements and with the explanations provided in the footnotes in 10 CFR 100.11, 50.34 & 50.67. NRC Policy statement on severe reactor accidents regarding future designs and existing plants [5] states that “Severe nuclear accidents are those in which substantial damage is done to the reactor core, whether or not there are serious offsite consequences.” Based on this definition, the type of accident described in 10 CFR 100.11, 50.34 & 50.67, involving a substantial amount of core melt discharged into an intact containment is a Severe Accident, not a DBA.

Also, the accident referred to in 10 CFR 100.11, 50.34 & 50.67 is not an actual accident scenario, as the assumption of substantial core melt outside of the reactor vessel and inside the containment is the initial condition for the analysis, irrespective of the requisite sequence of events (i.e., the specifics of the other aspects of the plant design) that may or could have led to such condition. The magnitude of the calculated dose itself should not be viewed in terms of acceptability or a lack thereof. It is a dose value that is used in the evaluation of containment design (and size of the Exclusion and Low Population Zones) to assure low risk of public exposure to radiation in the event of accidents involving core melt (10 CFR 50.34, Note 7) in an intact containment.

The Core Damage Frequency (CDF) value in RD-337 (1 E-5/year) is lower than the value in NUREG-0800 (1 E-4/year), by one order of magnitude.

The goals for the large release frequency cannot be compared, since, although the values for the frequency are the same (1 E-6/year), the NRC documents do not define the large release in a quantitative manner (the magnitude of the release is not defined, only a qualitative definition of large release is provided).

In practice, the Advanced Light Water Reactors (ALWRs) offered by U.S. vendors have been designed taking account of the guidelines provided in the Electric Power Research Institute (EPRI) ALWR Utility Requirements Document (URD) [6]. The safety goals in EPRI ALWR URD are:

− CDF < 1 E-5/year

− Cumulative frequency of sequences resulting in more than 250 mSv whole body dose over 24 hours at 0.5 miles from any individual reactor < 1 E-6/year [the scope of the PRA shall include internal and external events (excluding seismic events and sabotage) and shall include assessment of low power and shutdown operating conditions]

− the safety goals for the containment are the same as those in NUREG-0800 (i.e. containment integrity be maintained for approximately 24 hours following the onset of core damage for the more likely severe accident challenges).

RD-337 safety goals include a requirement for the Small Release Frequency, defined as the sum of frequencies of all event sequences that can lead to a release to the environment of more than 1 E15 becquerel of iodine-131, to be less than 1 E-5 per reactor year. This safety goal does not have an equivalent in the US requirements.

The RD-337 para. on containment integrity following onset of core damage (Section 7.3.4, “Containment maintains its role as leak tight barrier for a period that allows sufficient time for implementation of off-site emergency procedures following the onset of core damage. Containment also prevents uncontrolled releases of radioactivity after this period”) meets the intent of the safety goals for the containment, as set in NUREG-0800.

However, the time for implementation of evacuation cannot be an input to the design unless it is quantified / estimated. A designer needs a clear requirement for the performance of the containment. If such specifications are not provided, this can be interpreted as crediting accident management measures for maintaining containment integrity (it should be clarified if the containment performance is to be achieved through design features alone or accident management measures are credited).

3.2.2 Review of requirements on Operational Limits and Conditions

The requirements on the content of the Operational Limits and Conditions (OLCs) in 10 CFR 50.36 are more detailed (and prescriptive) than the corresponding requirements in Section 4.3.3 of RD-337. 10 CFR 50.36 sets requirements for “technical specifications”, five categories being defined:

(1) Safety limits, limiting safety system settings, and limiting control settings

(2) Limiting conditions for operation

(3) Surveillance requirements

(4) Design features

(5) Administrative controls.

Although all these categories of technical specifications are in principle equivalent to the OLCs listed in RD-337, 10 CFR 50.36 provides more details for each category and also a number of criteria for establishing the technical specifications. However, the CNSC uses CSA standards to supplement the requirements in RD-337. CSA standard N290.15, “Requirements for the safe operating envelope of nuclear power plants”, issued in 2010, contains detailed provisions for OLCs. CSA Standard N286-05, “Management system requirements for nuclear power plants”, issued in 2005 and reaffirmed in 2010, details the administrative controls for plant operation.

3.2.3 Review of requirements on Management of the Design Process

The requirements in RD-337 Section 5.0 are more comprehensive than the requirements on Design Control in 10 CFR Part 50 Appendix B. Appendix B requires provisions to assure that appropriate quality standards are specified and included in design documents and that deviations from such standards are controlled, and it requires measures for the selection and review for suitability of application of materials, parts, equipment, and processes that are essential to the safety-related functions of the structures, systems and components. It does not define a design authority and it does not include a requirement for technically qualified and appropriately trained staff to be employed in the design activities. As further examples, Appendix B does not require the assessment of the impact on safety of design changes that may have significant interdependencies, nor the preservation of safety design information necessary for safe operation and maintenance of the plant and any subsequent plant modifications.

3.2.4 Review of General Requirements on Design

The NRC general requirements on design are specified by the 55 General Design Criteria included in the Appendix A to Part 50. The findings of the comparison of the GDC with RD-337 are discussed in the following. The detailed comparison table is presented in Appendix 1B, Section 1.B.4.

Criterion 1, Quality standards and records, explicitly specifies that “records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit”.

While the intent seems to be generally covered by the requirements in Sections 5.1 and 5.2, with regard to “design information” and “configuration management during construction and operation”, it may be worth specifically addressing the requirements for record keeping in a future revision of RD-337.

Other sections of RD-337 where requirements equivalent to those of Criterion 1 are covered are 5.3 Quality Assurance Program, 5.4 Proven Engineering Practices and 7.1 Classification of SSCs.

Criterion 2, Design bases for protection against natural phenomena; The design requirements relevant for comparison with Criterion 2 are covered in RD-337 Sections 7.4.2 External Hazards and 7.4.3 Combinations of Events. RD-337 does not explicitly require the design bases for the SSCs important to safety to reflect “consideration of the most severe of the natural phenomena that have been historically reported for the site and surrounding area, with sufficient margin for the limited accuracy, quantity, and period of time in which the historical data have been accumulated”.

Criterion 3, Fire protection; The provisions of Section 7.12 Fire Safety of RD-337 with regard to fire protection are more comprehensive (in particular because they include specific provisions for the protection of workers) than the corresponding requirements in Criterion 3 of NRC 10 CFR Part 50 Appendix A.

However, Appendix R to Part 50 - Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979, includes detailed/prescriptive requirements which are not covered by RD-337 but which are likely to be covered by industrial standards (e.g. CSA) accepted by CNSC for use in the design of the fire protection for nuclear power plants.

Appendix R specifically requires a fire hazard analysis. Section 9.3 of RD-337 treats hazard analysis in general, but does not address in particular the fire hazard analysis required to demonstrate that the general provisions in section 7.12.1 are met. In the future revisions of the RD-337 it may be worth explicitly requiring a fire hazard analysis to demonstrate the achievement of the fire protection objectives for design.

Criterion 4, Environmental and dynamic effects design bases; Requirements on the consideration of environmental conditions in the design of SSCs stated in Criterion 4 are equivalent to those in Section 7.8 Equipment Environmental Qualification of RD-337.

Criterion 5, Sharing of structures, systems, and components; Section 7.6.5 Shared Systems - Sharing of SSCs between Reactors of RD-337 includes requirements equivalent to those of Criterion 5.

Criterion 10, Reactor design; The requirements of RD-337 Section 8.1 Reactor Core are more comprehensive than those in Criterion 10, addressing details such as loads that the reactor core must withstand or accounting for degradation mechanisms.

Criterion 11, Reactor inherent protection includes requirements equivalent to those on design of reactor core in Section 8.1 of RD-337, although Criterion 11 refers to the inherent protection through the design of the core and associated coolant systems, while the requirement in RD-337 does not necessarily ask for inherent features.

Criterion 12, Suppression of reactor power oscillations includes requirements equivalent to those in Section 8.1.2 Control System of RD-337.

Criterion 13, Instrumentation and control; The requirements in Section 7.9 Instrumentation and Control of RD-337 are more comprehensive than those of Criterion 13, addressing the capability to trend and automatically record measurement of parameters important to safety, minimization of the likelihood of operator action defeating the effectiveness of safety and control systems, minimization of the likelihood of inadvertent manual or automatic override, automation of safety actions to eliminate the need for operator action within a justified period of time from the onset of AOOs or DBAs.

Criterion 14, Reactor coolant pressure boundary; Although Section 8.2 Reactor Coolant System of RD-337 includes comprehensive requirements on the design of the reactor coolant system and on the reactor coolant pressure boundary, there is no explicit requirement for “an extremely low probability of abnormal leakage, of rapidly propagating failure, and of gross rupture”, as in Criterion 14. However, if such a wording is used in a regulatory requirement, it implies the existence of numerical criteria for judging compliance.

Criterion 15, Reactor coolant system design; The requirement for a sufficient margin to ensure that the appropriate design limits of the reactor coolant pressure boundary are not exceeded in Section 8.2 Reactor Coolant System of RD-337 refers also to DBAs, while these are not addressed in the corresponding requirement in Criterion 15.

Criterion 16, Containment design; Requirements equivalent to those of Criterion 16 are provided in Section 8.6, Containment, of RD-337.

Criterion 17, Electric power systems; RD-337 includes requirements only for the emergency power supply (Section 8.9). The requirements on electrical systems in Criterion 17 are more comprehensive and prescriptive, addressing the on-site and off-site power systems and their redundancy, independence and availability in accident situations.

Criterion 18, Inspection and testing of electric power systems; The requirements on inspection and testing of electric power systems in Criterion 18 are in principle equivalent but more detailed than the requirements in Section 8.9 on control, monitoring and testing of the Emergency Power Supply (EPS) and those in Section 7.14, In-service Testing, Maintenance, Repair, Inspection, and Monitoring (applicable to all SSCs important for safety) of RD-337.

Criterion 19, Control room; Although the requirements in Section 8.10.1, Main Control Room (MCR), and 8.10.2, Secondary Control Room (SCR), of RD-337 are more extensive than those in Criterion 19, and more demanding due to the specific provisions regarding the secondary control room, the radiation protection aspects are not explicitly addressed. RD-337 requires the identification of events posing a direct threat to the operation of the MCR and SCR but does not specifically address radiation levels, nor does it impose a limit such as the one in Criterion 19.

Criterion 20, Protection system functions; The requirements in Criterion 20 address the means of arresting AOO progression into a DBA. Although both Criterion 20 and the RD-337 requirements (Sections 7.9.1, Instrumentation and Control General Considerations, 8.4, Means of Shutdown, and 8.1.4, Reactor Trip Parameters) are expressed using technology-specific terminology, they are equivalent.

Criterion 21, Protection system reliability and testability; The requirements on reliability and testability in Criterion 21 can be considered equivalent with the more general RD-337 provisions in Sections 7.6.2, Single Failure Criterion, and 7.6.4, Allowance for Equipment Outages, and those in Section 8.4.2, Reliability.

Criterion 22, Protection system independence requirements are covered by the provisions in Sections 7.6, Design for Reliability, and 8.4, Means of Shutdown, of RD-337.

Criterion 23, Protection system failure modes; There is no specific requirement in RD-337 addressing in particular the application of fail-safe design to the protection system. The protection system includes the reactor protection system and the engineered safety features actuation system. However, equivalence in the requirements was considered, based on the provisions in Section 7.6, Design for Reliability, of RD-337.

Criterion 24, Separation of protection and control systems; Although there is no specific requirement in RD-337 addressing in particular the application of the separation principle in the design to the protection system, the general provisions set out in Section 7.6.1, Common-cause Failures, and those in Section 7.6.5, regarding Shared Instrumentation for Safety Systems are considered equivalent to those of Criterion 24.

Criterion 25, Protection system requirements for reactivity control malfunctions sets out requirements equivalent to those on Means of Shutdown in Section 8.4 of RD-337.

Criterion 26, Reactivity control system redundancy and capability; RD-337 Section 8.1.2 requirements on Control System are formulated in a technology-neutral manner and do not prescribe the design of the reactivity control systems.

Criterion 27, Combined reactivity control systems capability sets out a LWR specific requirement on the “combined capability, in conjunction with poison addition by the emergency core cooling system, of reliably controlling reactivity changes to assure that under postulated accident conditions and with appropriate margin for stuck rods the capability to cool the core is maintained”.

Criterion 28, Reactivity limits; RD-337 includes equivalent requirements to those of Criterion 28 in Sections 8.1 Reactor Core, and 8.4 Means of Shutdown, with the exception that RD-337 does not specify the postulated reactivity accidents to be considered.

Criterion 29, Protection against anticipated operational occurrences; Criterion 29 requirement on protection and reactivity control systems to be designed to assure an extremely high probability of accomplishing their safety functions in the event of AOOs is equivalent to RD-337 requirements in Sections 8.1.2 Control System, 8.4 Means of Shutdown and 7.6 Design for Reliability.

Criterion 30, Quality of reactor coolant pressure boundary; Equivalent requirements are set out in RD-337 Sections 7.7, Pressure Retaining SSCs, and 8.2, Reactor Coolant System.

RD-337 does not specifically require “the highest quality standards practical” for the reactor coolant pressure boundary. However, it is not clear how it is determined in practice, as part of the NRC regulatory review, what the highest standards are.

RD-337 does not require the identification (to the extent practical) of the location of reactor coolant leakage.

Criterion 31, Fracture prevention of reactor coolant pressure boundary; The requirements in Criterion 31 are in principle equivalent to those in Sections 7.7, Pressure Retaining SSCs, and 8.2, Reactor Coolant System.

RD-337 does not explicitly require the probability of rapidly propagating fracture to be minimized. It does, however, include requirements on leak-before-break detection capability.

RD-337 does not explicitly address uncertainties in determining material properties, effects of irradiation, stresses and size of flaws. In a future revision of RD-337, it could be explicitly required that such uncertainties are catered for in the design (a similar requirement on uncertainties is provided in Section 8.1.1 on Fuel Elements and Assemblies).

Criterion 32, Inspection of reactor coolant pressure boundary; The requirements set out in Criterion 32 are equivalent to those of RD-337 Sections 8.2.1, In-service Pressure Boundary Inspection, and 7.7, Pressure-retaining SSCs.

Criterion 33, Reactor coolant makeup; RD-337 includes in Section 8.2, Reactor Coolant System, sub-section 8.2.2, Inventory, requirements equivalent in principle to those of Criterion 33. However, the requirements in RD-337 are oriented towards the safety function to be accomplished, while the requirements in Criterion 33 refer to a specific system.

RD-337 does not include requirements on the power supply to the systems involved in maintaining coolant inventory.

Criterion 34, Residual heat removal requires a system to remove residual heat the safety function of which shall be to transfer fission product decay heat and other residual heat from the reactor core at a rate such that specified acceptable fuel design limits and the design conditions of the reactor coolant pressure boundary are not exceeded. Equivalent requirements are set out in RD-337 Section 8.2.4, Removal of Residual Heat from Reactor Core. However, the requirements in RD-337 may be more stringent due to the provision for the residual heat removal system to be designed to nominal conditions of Reactor Coolant System (RCS) in case its operation is required when the RCS is hot and pressurized.

Criterion 35, Emergency core cooling; Although the requirements in RD-337 Section 8.5, Emergency Core Cooling System (ECCS), are more detailed than those in Criterion 35, RD-337 does not include explicit requirements for the ECCS to limit the clad metal-water reaction (see also IAEA NS-R-1 para. 6.35 (1) & (2)).

Criterion 36, Inspection of emergency core cooling system; There is no specific requirement in RD-337 addressing the periodic inspection of the ECCS components. However, this requirement can be considered as generally covered by the requirements in Section 7.14, In-service Testing, Maintenance, Repair, Inspection, and Monitoring: “In order to maintain the NPP within the boundaries of the design, the SSCs important to safety are calibrated, tested, maintained and repaired (or replaced), inspected, and monitored over the lifetime of the plant. These activities are performed to standards commensurate with the importance of the respective safety functions of the SSCs, with no significant reduction in system availability or undue exposure of the site personnel to radiation. […]”.

Criterion 37, Testing of emergency core cooling system sets out requirements equivalent in principle to those of Section 8.5 Emergency Core Cooling System of RD-337, but with less detail on the objectives of the testing.

Criterion 38, Containment heat removal; The general requirements on containment in Section 8.6.1 and those on Containment Pressure and Energy Management in Section 8.6.9 of RD-337 are equivalent to those of Criterion 38 with the difference that RD-337 does not explicitly cover the requirement for the containment heat removal function to be accomplished on the assumption of single failure and the loss of off-site power.

Criterion 39, Inspection of containment heat removal system; There is no specific requirement in RD-337 addressing the periodic inspection of the containment heat removal system. However, this requirement can be considered as generally covered by the requirements in Section 7.14, In-service Testing, Maintenance, Repair, Inspection, and Monitoring: “In order to maintain the NPP within the boundaries of the design, the SSCs important to safety are calibrated, tested, maintained and repaired (or replaced), inspected, and monitored over the lifetime of the plant. These activities are performed to standards commensurate with the importance of the respective safety functions of the SSCs, with no significant reduction in system availability or undue exposure of the site personnel to radiation. […]”.

Criterion 40, Testing of containment heat removal system; There is no specific requirement in RD-337 addressing the testing of the containment heat removal system. However, this requirement can be considered as generally covered by the requirements in RD-337 Section 7.14 In-service Testing, Maintenance, Repair, Inspection, and Monitoring.

Criterion 41, Containment atmosphere cleanup; RD-337 does not explicitly cover the requirement for the containment atmosphere cleanup function to be accomplished on the assumption of single failure and the loss of off-site power.

Criterion 42, Inspection of containment atmosphere cleanup systems; There is no specific requirement in RD-337 addressing the periodic inspection of the containment atmosphere cleanup systems. However, this requirement can be considered as generally covered by the requirements in Section 7.14, In-service Testing, Maintenance, Repair, Inspection, and Monitoring.

Criterion 43, Testing of containment atmosphere cleanup systems; There is no specific requirement in RD-337 addressing the testing of the containment atmosphere cleanup systems. However, this requirement can be considered as generally covered by the requirements in section 7.14 In-service Testing, Maintenance, Repair, Inspection, and Monitoring.

Criterion 44, Cooling water; Requirements equivalent to those of Criterion 44 are covered in RD-337 Section 8.7, Heat Transfer to an Ultimate Heat Sink. RD-337 does not explicitly cover the requirement for the function of heat transfer to an ultimate heat sink to be accomplished on the assumption of single failure and the loss of off-site power.

However, RD-337 requires the heat transfer to an ultimate heat sink to be available in case of severe accidents.

Criterion 45, Inspection of cooling water system; There is no specific requirement in RD-337 addressing the inspection of the systems contributing to heat transfer to an ultimate heat sink. However, this requirement can be considered as generally covered by the requirements in section 7.14 In-service Testing, Maintenance, Repair, Inspection, and Monitoring.

Criterion 46, Testing of cooling water system; There is no specific requirement in RD-337 addressing the testing of the systems contributing to heat transfer to an ultimate heat sink. However, this requirement can be considered as generally covered by the requirements in section 7.14 In-service Testing, Maintenance, Repair, Inspection, and Monitoring.

Criterion 50, Containment design basis; The requirements in Section 8.6, Containment, of RD-337 appear to be more restrictive, since they explicitly ask for severe accident conditions to be considered in the design of the containment system. However, Criterion 50 references § 50.44, which requires 100 % fuel clad-coolant reaction to be assumed in the safety analyses, a requirement not covered in RD-337.

Criterion 51, Fracture prevention of containment pressure boundary; There is no equivalent requirement in RD-337.

The reactor containment pressure boundary, as addressed in the NRC licensing review process, consists of those ferritic steel parts of the reactor containment system which sustain loading and provide a pressure boundary in the performance of the containment function under the operating, maintenance, testing and postulated accident conditions cited by General Design Criterion (GDC) 51. Within this context, typically reviewed are the ferritic materials of components such as freestanding containment vessels, equipment hatches, personnel airlocks, heads of primary containment drywells, tori, containment penetration sleeves, process pipes, end closure caps and flued heads, and penetrating-piping systems connecting to penetration process pipes and extending to and including the system isolation valves.

RD-337 does not include provisions on fracture prevention of the containment pressure boundary.

Criterion 52, Capability for containment leakage rate testing includes requirements equivalent with those in Section 8.6.4, Leakage, Leak Rate Testing, of RD-337.

Criterion 53, Provisions for containment testing and inspection includes requirements equivalent in principle with those of RD-337 Sections 8.6.5, Containment Penetrations, 8.6.4 Leakage and 7.14 In-service Testing, Maintenance, Repair, Inspection, and Monitoring.

Criterion 54, Piping systems penetrating containment; includes requirements equivalent in principle with those of RD-337 Sections 8.6.1 General Requirements, 8.6.4 Leakage and 8.6.6 Containment Isolation.

Criterion 55, Reactor coolant pressure boundary penetrating containment; RD-337 Section 8.6.6, Containment Isolation, contains requirements similar to those of Criterion 55. For lines that are part of the reactor coolant pressure boundary that penetrate the containment, the requirement for the isolation valves to be as close as practical to the containment is not covered in RD-337. Also, the use of check valves as automatic isolation valves outside containment is not prohibited.

Criterion 56, Primary containment isolation includes requirements equivalent in principle with those of RD-337 Section 8.6.6 Containment Isolation. The use of check valves as automatic isolation valves outside containment is not prohibited in RD-337.

Criterion 57, Closed system isolation valves; includes requirements equivalent in principle with those of RD-337 Section 8.6.6 Containment Isolation.

RD-337 does not explicitly prohibit the use of a check valve. It does not specify that the isolation valve shall be either automatic, or locked closed, or capable of remote manual operation (except for cases where failure of the closed system is a postulated initiating event (PIE) or occurs as the result of a PIE).

Criterion 60, Control of releases of radioactive materials to the environment; The requirements on control of radioactive releases to environment set out in RD-337 Section 8.11, Waste Treatment and Control, are more comprehensive than those in Criterion 60. However, RD-337 does not explicitly require that the capacity of the waste management systems takes account of unfavourable site environmental conditions that could impose unusual operational limitations upon the release of effluents to the environment.

Criterion 61, Fuel storage and handling and radioactivity control; The requirements on fuel handling and storage set out in Section 8.12 of RD-337 are more comprehensive than those in Criterion 61. However, the need for containment, confinement and filtering systems is not explicitly addressed.

Criterion 62, Prevention of criticality in fuel storage and handling; The requirement is equivalent to those on irradiated and non-irradiated fuel handling and storage in Section 8.12 of RD-337.

Criterion 63, Monitoring fuel and waste storage; The requirements in RD-337 Section 8.12 address only the monitoring of water pools used for fuel storage. Criterion 63 also requires monitoring of radioactive waste systems and associated handling areas.

Criterion 64, Monitoring radioactivity releases; The requirements on monitoring of radioactivity releases set out in RD-337 Section 8.13, Radiation Protection, are more comprehensive (and more prescriptive) than the requirements in Criterion 64.

Single Failure Criterion (SFC)

In the NRC regulations, the single failure criterion is required to be applied at system level. Explicit requirements in 10 CFR Part 50 Appendix A include:

Criterion 17 - Electric power systems

Criterion 21 - Protection system reliability and testability

Criterion 34 - Residual heat removal

Criterion 35 - Emergency core cooling

Criterion 38 - Containment heat removal

Criterion 41 - Containment atmosphere cleanup

Criterion 44 - Cooling water

In RD-337, the single failure criterion is required to be applied at “safety group” level. RD-337 explicitly requires application of SFC at system level in sections:

8.2.4 Removal of Residual Heat from Reactor Core

8.4 Means of Shutdown

8.9 Emergency Power Supply.

3.2.5 Review of requirements on combustible gas control

The requirements on combustible gas control set out in 10 CFR 50.44 are more comprehensive and more prescriptive than those in RD-337. A 100 % fuel clad-coolant reaction is required to be assumed in the safety analyses.

3.3 Summary of findings

3.3.1 Differences in dose criteria and safety goals

There are significant differences in the dose criteria and safety goals and in the assumptions and criteria for safety analysis, which make the comparison of little value. Moreover, the current Canadian guidance for review of the safety analysis is not detailed enough to allow a comparison with acceptance criteria in the Standard Review Plan (SRP) for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition (NUREG-0800) [3]. Without such a comparison, it is difficult to assess the implications for the acceptance of the designs.

3.3.2 Common findings related to system-specific requirements

For each of the safety related systems covered by the GDCs in 10 CFR Part 50 Appendix A, it is required that the system safety function can be accomplished assuming a single failure; e.g. there is an explicit requirement “for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available)”.

RD-337 includes general requirements in Sections 7.10 Safety Support Systems and 7.6.2 Single Failure Criterion, which may be considered as meeting the intent of the requirement for a safety function to be fulfilled regardless of failures in support systems and single failures.

In specific cases, RD-337 includes requirements similar to the above mentioned requirement from 10 CFR Part 50 Appendix A for particular systems (e.g. 8.2.4 Removal of Residual Heat from Reactor Core – […] The means of removing residual heat meets reliability requirements on the assumptions of a single failure and the loss of off-site power, by incorporating suitable redundancy, diversity, and independence.). However, this approach is not consistent, i.e. the requirement for the safety function to be fulfilled also on the assumption of a single failure and the loss of off-site power is not included in the system-specific expectations for all the systems in Section 8 of RD-337. In the NRC regulations, the SFC (single failure criterion) is required to be applied at system level, while in RD-337 the SFC is applied at “safety group” level. It is likely that this difference in approaches has led to differences in the design of the reactor systems in the US and Canadian jurisdictions.

Also, the requirements for in-service periodic inspection and testing of systems important to safety are specified for each system in 10 CFR Part 50 Appendix A (including mention of particular components), while in RD-337 they are stated in a generic manner in Section 7.14 In-service Testing, Maintenance, Repair, Inspection, and Monitoring.

3.3.3 Differences in requirements on electrical systems

RD-337 includes requirements only for the emergency power supply. The requirements on electrical systems in 10 CFR Part 50 Appendix A Criterion 17 are more comprehensive.

10 CFR 50.49 includes comprehensive requirements on the environmental qualification of electric equipment important to safety. There are no equivalent requirements in RD-337, since only general requirements are provided in Section 7.8 Equipment Environmental Qualification. Full details for all the equipment included in the EQ program are provided in CSA N290.13, “Environmental qualification of equipment for CANDU nuclear power plants”. However, 10 CFR 50.49 does not address environmental qualification for severe accident conditions.

RD-337 does not include any specific requirements / expectations for capability to withstand a station black-out. Section 8.9 Emergency Power Supply includes a very general requirement: “The EPS system has sufficient capacity and capability, within a specified mission time, to support severe accident management actions”.

3.3.4 Protection against severe accidents

RD-337 includes some general provisions for design features to assist in the management of severe accidents. These requirements are specified in a technology-neutral manner. 10 CFR Part 50 does not explicitly address design against severe accidents (except for requiring consideration of a source term based on the assumption of a severe accident, in 50.67 or for addressing specific features for LWRs backfitted as a result of actions taken post Three Mile Island (TMI), in section 50.34), but the SRP includes criteria for the review of the plant behaviour in severe accidents. The SRP is not a substitute for the NRC’s regulations, and compliance with it is not required. However, an applicant is required to identify differences between the design features, analytical techniques, and procedural measures proposed for its facility and the SRP acceptance criteria and evaluate how the proposed alternatives to the SRP acceptance criteria provide acceptable methods of compliance with the NRC regulations (the evaluation of the conformance with the SRP is part of the application for a license). The acceptance criteria in the SRP (Chapter 19) are derived from a series of NRC Policy Statements and Commission Papers (SECY documents). The SRP, Policy Statements, SECY Papers and Regulatory Guides used by the NRC provide for a significantly more detailed framework than that of RD-337.

The requirements on combustible gas control set out in 10 CFR 50.44 are more comprehensive and more prescriptive than those in RD-337. In the NRC regulations, a 100% fuel clad-coolant reaction is required to be assumed in the safety analyses.

3.3.5 Design of control rooms

The requirements in RD-337 are more extensive than those in US NRC 10 CFR Part 50 Appendix A and more demanding, due to the specific provisions regarding the “secondary control room”. However, the radiation protection aspects are not explicitly addressed. RD-337 requires the identification of events posing a direct threat to the operation of the MCR and SCR, but it does not specifically address radiation levels, nor does it impose a limit such as the one in Criterion 19 of 10 CFR Part 50 Appendix A.

3.3.6 Fire protection

The provisions of RD-337 with regard to fire protection are more comprehensive (notably because they include specific provisions for the protection of workers) than the corresponding requirements in Criterion 3 of US NRC 10 CFR Part 50 Appendix A. However, Appendix R to Part 50, Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979, includes detailed / prescriptive requirements which are not covered by RD-337 but which are likely to be covered by industrial standards (e.g. CSA) accepted by the CNSC for use in the design of fire protection for nuclear power plants. Appendix R specifically requires a fire hazard analysis. Section 9.3 of RD-337 treats hazard analysis in general, but does not specifically address the fire hazard analysis required to demonstrate that the general provisions in Section 7.12.1 are met.

3.3.7 Design against malevolent acts

10 CFR 50.13 states that “An applicant for a license to construct and operate a production or utilization facility, or for an amendment to such license, is not required to provide for design features or other measures for the specific purpose of protection against the effects of (a) attacks and destructive acts, including sabotage, directed against the facility by an enemy of the United States, whether a foreign government or other person, or (b) use or deployment of weapons incident to U.S. defense activities.” Nevertheless, in 10 CFR 50.150 the NRC required an Aircraft Impact Assessment. RD-337, in Section 7.22 Robustness against Malevolent Acts, requires design features specifically provided for protection against design basis threats, in accordance with the requirements of the Nuclear Security Regulations in force in Canada. However, RD-337 does not include further details on the assessment of malevolent events.

3.3.8 Design against accidental aircraft crash

RD-337 does not explicitly require an aircraft impact assessment. In RD-337 Section 7.4.2 External Hazards, potential aircraft crashes are mentioned as human-induced external events identified in the site evaluation. It is required that “The design considers all natural and human-induced external events that may be linked with significant radiological risk. The subset of external events that the plant is designed to withstand is selected, and design basis events are determined from this subset.” 10 CFR 50.150 requires that “The assessment must be based on the beyond-design-basis impact of a large, commercial aircraft used for long distance flights in the United States, with aviation fuel loading typically used in such flights, and an impact speed and angle of impact considering the ability of both experienced and inexperienced pilots to control large, commercial aircraft at the low altitude representative of a nuclear power plant’s low profile”. “Using realistic analyses, the applicant shall identify and incorporate into the design those design features and functional capabilities to show that, with reduced use of operator actions: (i) The reactor core remains cooled, or the containment remains intact; and (ii) Spent fuel cooling or spent fuel pool integrity is maintained.”

3.4 Lessons learnt in the U.S. Generic Design Certification process

One of the most important design changes of new reactors followed the issuance of the US NRC requirement (10 CFR Part 50.150) for an Aircraft Impact Assessment (AIA) “based on the beyond-design-basis impact of a large, commercial aircraft used for long distance flights in the United States, with aviation fuel loading typically used in such flights, and an impact speed and angle of impact considering the ability of both experienced and inexperienced pilots to control large, commercial aircraft at the low altitude representative of a nuclear power plant’s low profile”.

AP1000

The AP1000 received design certification in 2005, before the NRC brought in the rule on aircraft impact. Westinghouse therefore redesigned the AP1000 shield building to use a modular steel-concrete composite (SC) structure, replacing the existing reinforced concrete (RC) design, and submitted its justification of the design. One effect of the strengthened building was to reduce the passive heat removal airflow, the NRC noted, but this effect was acceptable while affording greater protection from external impact.

Further safety justifications of the new design were requested by NRC:

• Design of the SC structure must demonstrate the ability to function as a unit during Design Basis Event (DBE)

• The design of the SC/RC connection must function following a DBE

• Design of the tension girder (air-inlets) must be supported by a confirmation test or a validated benchmarked analysis method.

A new set of design changes were made to address the NRC concerns:

• Added Shear Reinforcing Tie Bars that tie the entire SC structure together so that the Shield Building acts as a single unit

• Increased SC plate thickness and changed to a more ductile material to improve its strength, ductility and resistance to buckling

• Simplified air-inlet design to increase its structural integrity

• Redesigned SC-RC connections to improve strength and ductility.

Westinghouse has completed a comprehensive test program to confirm the behaviour of SC structures.

The eventual conclusion of the NRC's Advisory Committee on Reactor Safeguards (ACRS) was: "Analyses show that the containment remains intact following the impact of a large commercial aircraft. The reactor core remains cooled, and spent fuel integrity is maintained." The AP1000 presents "a small target with a reduced set of safety-related structures, systems and components." The ACRS noted that passive systems provide core cooling, no active equipment is required for fuel pond cooling and at least one backup water source is always available.

Separately from penetration and fire, the 'shock loadings' on the power plant buildings from aircraft impact were shown to be less than potential earthquakes already accounted for during normal design analysis.

One feature of the AP1000 containment is an opening in the roof for passive heat removal, surrounded by a water storage tank. A concern had been the potential for “significant aircraft impact debris” to pass through the gap and hit the steel containment vessel. The ACRS concluded that “no significant debris would impact the containment vessel”, and a conservative analysis by Westinghouse showed that the vessel could be dented but not penetrated.

The NRC review of the application from Westinghouse to amend the AP1000 design is expected to be completed, with revised design certification, in September 2011. Other design changes to be incorporated in this revision include:

• Redesign of the Reactor Vessel Support System to increase stiffness.

• Increase in the range of foundation soil conditions considered.

• Closure of four digital instrumentation and control design acceptance criteria (DAC), with only one remaining open. (Closing DACs as part of the Design Certification Amendment relieves a substantial burden in the review of future combined license applications (COLAs).) Numerous I&C changes were made to reflect design evolution, such as addition of a reactor trip function, implementation of a rod withdrawal prohibit, and modification of the containment isolation logic for the Component Cooling System.

• Closure of four human factors engineering DAC, with none remaining open.

• Modification of the reactor coolant pump (RCP) design, including an increase in its rotational inertia.

• Addition of a flow skirt at the inlet to the reactor vessel lower plenum.

• Redesign of the Steam and Power Conversion Systems.

More details on these changes are available on the AP1000 website: http://www.ap1000.westinghousenuclear.com/ap1000_nui_reg.html and in the US NRC electronic library.

ABWR

An assessment of the effect of the Aircraft Impact Assessment rule on the ABWR reactor design was performed by General Electric (GE) Nuclear Energy in accordance with 10 CFR 50.150(a), to identify and incorporate into the design those design features and functional capabilities which show that, with reduced use of operator actions, (i) the reactor core remains cooled or the containment remains intact, and (ii) spent fuel cooling or spent fuel pool integrity is maintained. An Alternate Feedwater Injection (AFI) System located in a remote facility was identified as necessary for conformance with the rule.

The AFI system is designed to mitigate the consequences of an aircraft impact. It is capable of injecting water into the reactor pressure vessel (RPV) at operating pressure and is located outside of the reactor building. The system is designed to provide sufficient core cooling in the unlikely event that all normal and emergency core cooling systems are unavailable. The system has a dedicated water source (minimum of 1,136,000 litres) located at least 300 feet (about 90 m) from the reactor building, control building and turbine building, and injection is provided through the non-safety-related portion of the reactor water cleanup system tie-in lines to the feedwater system. The AFI system capacity and discharge pressure (at rated pressure) are comparable to the same parameters of the high-pressure core flooder system. There are no automatic controls or functions associated with the AFI system; its I&C is hard-wired and manually initiated. The system’s I&C is used only for indication purposes, and the water level and pressure instrumentation in the AFI pump room use a separate set of transmitters and a separate power supply independent of the existing I&C. The power supply for the AFI system is non-safety-related and is independent of and physically separated from the emergency power supplies, such that a simultaneous loss due to a beyond-design-basis event is unlikely. Injection can be initiated within 30 minutes after the loss of the normal makeup systems.

EPR

A US version of the European Pressurized Reactor, the US-EPR, quoted as 1710 MWe gross and about 1580 MWe net, was submitted for US design certification in December 2007, and certification is expected to be granted in early 2013. Design changes for compliance with the Aircraft Impact Assessment rule will most likely not be necessary, since the initial design intent is to withstand the impact of large commercial aircraft. No other major design changes related to the specifics of the US design requirements have been made public to date. However, much of the one million man-hours of work involved in developing the US-EPR is going into the changes necessary to output electricity at 60 Hz instead of the original design’s 50 Hz.

4. FINNISH REGULATORY GUIDES BENCHMARK

4.1 Differences in Objectives and Scope

The Government Decree on the Safety of Nuclear Power Plants (733/2008) lays down general provisions and safety requirements of which many are relevant for NPP design. A detailed review of the decree was performed and the results of its comparison with RD-337 are presented in Section 4.2 and Appendix 2B.

YVL 1.0, Safety Criteria for Design of Nuclear Power Plants, is the most relevant Finnish regulatory guide for the benchmark. A detailed review has been conducted and the main findings are presented in Section 4.2 and Appendix 2B.

The whole set of YVLs was reviewed for relevance to the benchmark and for differences in scope as compared to RD-337. The results of this review are discussed in the following for the YVLs that were found relevant, and are presented in Appendix 2A. A number of YVLs include requirements for other stages in the plant life cycle (e.g. construction, operation, etc.). Those are listed in Appendix 2A as not within the scope of RD-337.

YVL 1.4, Management Systems for Nuclear Facilities, which is very similar in scope and content to IAEA GS-R-3, does not include specific management system requirements for the design process.

It is worth mentioning that it requires that “the licensee’s quality manuals on the construction phase, which describe management system procedures relating to quality and safety management, are to be submitted to STUK for approval. The quality manuals of the vendor, of the suppliers of fuel and the most important components and equipment as well as of the design organisations shall be submitted to STUK for information. STUK may also require at its discretion that the quality manuals of other organisations participating in the facility project be submitted for information.”

YVL 1.11, Nuclear Power Plant Operating Experience Feedback, does not include specific requirements relevant to the use of operational experience feedback in design, such as those of RD-337 Section 5.5, Operational Experience and Safety Research.

YVL 2.0, System Design for Nuclear Power Plants, contains general provisions on the design of SSCs important to safety and on the information to be included in the safety analysis reports. The general provisions on the design of SSCs are covered by RD-337. There are no findings arising from the review of YVL2.0 in addition to the issues identified in the review of the 2008 Government Decree on Safety of NPPs and of YVL1.0.

YVL 2.1, Nuclear Power Plant Systems, Structures and Components and their Safety Classification, contains, in comparison with RD-337, more detailed requirements on the safety classification of SSCs, including the definition of 4 safety classes plus the EYT class (classified non-nuclear, includes all systems, structures and components not assigned to Safety Classes 1, 2, 3 or 4) and criteria for assigning SSCs to each of the safety classes (supplemented by an illustration of SSC safety classification for a LWR).

The fact that YVL 2.1 prescribes the safety classification of SSCs has complicated the regulatory review of the Olkiluoto 3 (OL3) EPR. The safety classification for the EPR SSCs was different than that prescribed by the YVL 2.1 and a direct correspondence could not be established. Further investigations are necessary to understand how this issue was solved in the licensing of the EPR in Finland.

YVL 2.2, Transient and Accident Analyses for Justification of Technical Solutions at Nuclear Power Plants, includes requirements more detailed than the equivalent requirements in RD-337 and RD-310, and includes examples of events to be analysed, together with specific assumptions for the analysis. Due to the difference in the level of detail of the Finnish and Canadian requirements, an evaluation of the potential impact on the implementation of design requirements is not possible.

YVL 2.4, Primary and Secondary Circuit Pressure Control at a Nuclear Power Plant, contains, in addition to requirements equivalent in scope and substance to those in RD-337 Section 7.7 Pressure-retaining SSCs, more comprehensive / detailed requirements on pressure control for LWRs, including on the analysis of events resulting in pressure increase.

The requirements of YVL 2.6, Seismic Events and Nuclear Power Plants, are more detailed / prescriptive than those of RD-337 Section 7.13 Seismic Qualification.

Examples of prescriptive requirements are: “A design basis earthquake means the probabilistic estimate of a site-specific earthquake with the severest impact. It shall be so defined that, in the current geological circumstances, stronger earthquakes are anticipated not more often than once in a hundred thousand years (1E-5/year) on median level. The definition of design basis earthquake shall be presented and justified, and, in addition to the area’s seismic history, also regional and local geology as well as tectonics shall be considered.”, or “The vertical and horizontal PGA values used shall be justified. The minimum value of the horizontal component shall be 0.1g. The vertical component’s value shall then be at least two thirds of the horizontal component’s value.”

References used for YVL 2.6 include Finnish national standards and American Society of Civil Engineers (ASCE) standard 4-98, “Seismic Analysis of Safety-Related Nuclear Structures” [7].

YVL 2.7, Ensuring a Nuclear Power Plant's Safety Functions in Provision for Failures, specifies the systems which have to meet the single failure criterion (some of them under the assumption of a single failure plus any other component inoperable due to repair or maintenance).

Regarding the systems contributing to containment protection in severe accidents, YVL 2.7 requires that: “Systems ensuring containment integrity in connection with a severe accident shall be capable of accomplishing their safety functions even in the event of a single failure.”

YVL 2.8, Probabilistic Safety Analysis in Safety Management of Nuclear Power Plants, includes general requirements equivalent to those in RD-337 and in CNSC Regulatory Standard S-294 [8] and expectations for the Probabilistic Safety Analysis (PSA) at design stage, in the construction phase and in the operational phase.

In addition, YVL 2.8 specifies numerical design objectives:

• The mean value of the probability of core damage is less than 1E-5/year.

• The mean value of the probability of a release exceeding the target value defined in section 12 of the Government Resolution (395/1991) must be smaller than 5E-7/year. (the target value = 100 TBq of Cs-137).

YVL 3.0, Pressure Equipment of Nuclear Facilities, does not include specific design requirements. It focuses on manufacturing, installation, etc. and regulatory control.

YVL 3.1, Nuclear Facility Pressure Vessels (in Finnish), contains general requirements for pressure vessel design criteria similar to those of RD-337 Section 7.7, Pressure-retaining SSCs, but also more detailed requirements for documenting the pressure vessels’ design criteria and solutions, supporting analyses, manufacturing, factory tests, and installation. There are no requirements at this level of detail in RD-337.

YVL 3.5, Ensuring the Firmness of Pressure Vessels of an NPP (in Finnish), sets out detailed requirements for the strength analysis of the primary circuit, steel containment and other safety-critical nuclear pressure equipment (stress analysis, fracture analysis and the application of the leak-before-break principle in analysis) and for the analysis assumptions (loads under normal operation, anticipated operational transients, DBAs and SAs, including external events such as earthquake and airplane crash). There are no requirements at this level of detail in RD-337.

YVL 4.3, Fire Protection at Nuclear Facilities; The provisions in Section 7.12 Fire Safety of RD-337 are rather general, focusing on safety objectives for fire protection. YVL 4.3 contains more detailed / prescriptive provisions, referencing specific national standards and specifying fire resistance values for fire compartments. YVL 4.3 explicitly requires a fire hazard analysis (“Fire hazards analyses shall always be performed for the containment and the control room.”) and gives some guidance on the FHA.

Given the difference in the level of detail between the provisions on fire protection in RD-337 and YVL 4.3, an analysis of the potentially significant differences was not possible. Such an analysis would require a review of the Canadian national standards (CSA) on fire protection for NPPs, because most of the requirements in YVL 4.3 are at that level of detail (the review should include a comparison of the specification for the fire resistance rating of the fire barriers).

YVL 5.1, Nuclear Power Plant Diesel Generators and their Auxiliary Systems (in Finnish), includes detailed requirements which do not have an equivalent in RD-337. It references the 1980 German standard KTA Safety Standard No. 3702 [9] for detailed criteria for the design, factory tests and on-site commissioning tests of diesel generators. KTA 3702 was revised in 2000 (http://www.kta-gs.de/e/standards/3700/3702_e.pdf).

YVL 5.2, Electrical Power Systems and Components at Nuclear Facilities, includes a section on provisions for station black-out which does not have an equivalent in RD-337. More details are presented in Appendix 2B of this report.

YVL 5.5, Instrumentation Systems and Components at Nuclear Facilities, contains requirements generally equivalent to those of RD-337 Section 7.9, Instrumentation and Control, and Section 8.10, Control Facilities. The YVL requirements are more detailed than those in RD-337. Further details are presented in Appendix 2B of this report.

YVL 5.6, Air-Conditioning and Ventilation Systems and Components of Nuclear Facilities; The requirements of RD-337 Section 8.11.2 Control of Airborne Material within the Plant are less detailed than the requirements in YVL 5.6.

YVL 6.2, Design Bases and General Design Criteria for Nuclear Fuel, includes, in addition to general requirements equivalent to those in RD-337 Section 8.1.1, Fuel Elements and Assemblies, fuel safety criteria for AOOs and DBAs (among which some reflecting common fuel safety criteria for LWRs).

YVL 7.1, Limitation of Public Exposure in the Environment of and Limitation of Radioactive Releases from a Nuclear Power Plant (in Finnish and in Swedish), reiterates the dose limits for normal operation, anticipated operational occurrences and accidents included in Sections 8, 9 and 10 of GD 733/2008.

YVL 7.2, Assessment of radiation doses to the population in the environment of a nuclear power plant, contains requirements which do not have an equivalent in RD-337 or RD-310. It should be noted that there are also significant differences between the dose limits for AOOs and DBAs in the Finnish regulations and the corresponding dose acceptance criteria in RD-337.

YVL 7.11, Radiation Monitoring Systems and Equipment of a Nuclear Power Plant, contains significantly more detailed requirements than those of RD-337 Section 8.13.

In Section 4.3 Measuring equipment used in a severe accident, YVL 7.11 specifies requirements for radiation monitoring in the containment, available in severe accident conditions, including measuring ranges.

YVL 7.18, Radiation Safety Aspects in the Design of a Nuclear Power Plant, contains requirements significantly more detailed than those of RD-337 Section 8.13.

4.2 Detailed Comparison of Design Requirements

4.2.1 Review of Government Decree (733/2008) on the Safety of Nuclear Power Plants

Section 2, Definitions

RD-337 does not include specific provisions for the category of beyond Design Basis Accidents (BDBA) without severe fuel damage, termed Design Extension Conditions (DEC) in the Finnish regulations (DBAs are termed “postulated accidents” in the Finnish regulations).

The fact that the Finnish regulations impose a dose limit for DEC results in these being treated as DBAs. While for postulated accidents the Finnish regulations specify estimated frequency values, there is no guideline on the frequency of DEC.

It can be inferred from the Finnish regulations that DEC have an estimated frequency of occurrence of less than 1E-3/year, which implies that some of the DEC should be treated as DBAs in accordance with the RD-310 classification of events.

Section 3, Assessment and verification of safety

Requirements in this section are equivalent to those in RD-337 Section 5.6, Safety Assessment. RD-337 explicitly requires an independent peer review of the safety assessment before the design is submitted to the regulator for approval.

YVL 2.0 includes similar provisions (e.g. “The licensee shall assess the acceptability of the conceptual design plan by audits conducted prior to starting detailed systems design. Inspections shall be conducted throughout the design process. As regards extensive plans with a significant bearing on nuclear safety, or plans requiring special know-how, the licensee shall consider whether to commission their independent safety assessment to an assessor entirely independent of the licensee’s organisation. The minimum competence required of individuals and organisations conducting design audits and independent safety assessments is that which is required in the design task, and it shall have been proven in practice. After the assessments have been carried out the licensee shall satisfy himself of the acceptability of the design by safety assessments based on sufficient own know-how.”).

Section 4, Safety classification, contains requirements equivalent to those in Section 7.1, Classification of SSCs, of RD-337.

Section 5, Ageing management, contains requirements equivalent to those in Section 7.17, Ageing and Wear, of RD-337.

Section 6, Management of human factors, contains requirements equivalent to those in Section 7.21 Human Factors, of RD-337.

Section 7, Radiation safety of nuclear power plant workers, contains requirements equivalent to those in RD-337 Sections 4.1.1, Radiation Protection Objective, and 8.13, Radiation Protection.

Section 8, Limit for normal operation, imposes an annual dose limit of 0.1 mSv for exposure from normal operation of a nuclear power plant, while RD-337 does not mention a dose limit for exposure from normal operation.

Section 9, Limit for an anticipated operational occurrence, contains more restrictive requirements in terms of the dose limit for AOOs than RD-337.

The limit for AOOs in RD-337 is 0.5 mSv (calculated for a period of 30 days after the analysed event), while the limit for AOOs in the Finnish regulations is 0.1 mSv (annual dose).

YVL 2.2 imposes supplementary requirements: “In addition, it shall be shown that, as a result of any anticipated operational transient, the global collective 500 years effective dose commitment of the population does not exceed the limit value of 5 manSv/GWe (of installed electrical power)”.

Section 10, Limits for accident

There are significant differences regarding the dose limits / acceptance criteria for DBAs between the Finnish regulations and RD-337.

For DBAs with frequencies (f) in the range 1E-3/year ≤ f < 1E-2/year, and for some of the DBAs with f < 1E-3/year, the dose limits in the Finnish regulations are more restrictive than the dose limits in RD-337.

Section 12, Prevention of accidents and mitigation of consequences, contains requirements equivalent to those in RD-337 Section 4.3.1, Defence-in-depth.

Section 13, Engineered barriers for preventing the dispersion of radioactive materials, contains requirements equivalent to those in RD-337 Sections 4.3.1, Defence-in-depth, 4.3.2 Consideration of Physical Barriers, and 6.1, Application of Defence-in-depth. It should be noted that the Finnish requirement on prevention of containment melt-through may be interpreted as referring to a “core catcher”. (“The nuclear power plant shall be equipped with systems that ensure the stabilisation and cooling of molten core material generated during a severe accident. Direct interaction of molten core material with the load bearing containment structure shall be reliably prevented”.)

Section 14, Safety functions and provisions for ensuring them

Inherent safety features, passive systems, fail-safe design are addressed in RD-337 Section 4.3.1, Defence-in-depth, and Section 6.3, Accident Prevention and Plant Safety Characteristics. In addition, the Finnish regulations specify that “the combined effect of a nuclear reactor's physical feedbacks shall be such that it mitigates the increase in reactor power.”


The Finnish regulations also require the provision of specific I&C systems dedicated to severe accident management, independent of the I&C systems for operational conditions and postulated accidents. They also require that the redundancy of systems protecting the containment integrity in severe accidents meets the single failure criterion.

Section 15, Fuel handling and storage, contains requirements equivalent to but less comprehensive than those in RD-337 Section 8.12, Fuel Handling and Storage.

Section 16, Management and storage of radioactive waste, contains requirements equivalent to but less comprehensive than those in RD-337 Section 8.11, Waste Treatment and Control.

Section 17, Protection against external events, contains requirements equivalent to those in RD-337 Section 7.4.2, External Hazards. However, the treatment of aircraft crash seems different: RD-337 requires consideration of aircraft crashes according to site specific conditions, while the Finnish regulations prescribe the consideration of a large aircraft crash.

Section 18, Protection against internal events, contains requirements equivalent to those in RD-337 Section 7.4.1 Internal Hazards.

Section 19, Monitoring and control of a nuclear power plant, contains requirements equivalent to those in RD-337 Section 7.9, Instrumentation and Control, and Section 8.10, Control Facilities.

Section 20, Decommissioning, contains requirements equivalent to those in RD-337 Section 7.24, Decommissioning.

Section 21, Construction, includes requirements equivalent to those in RD-337 Section 5.2, Design Management.

Section 22, Commissioning, includes requirements equivalent to those in RD-337 Section 7.16 Commissioning.

Section 25, Technical Specifications, contains requirements equivalent to those in RD-337 Section 4.3.3 Operational Limits and Conditions.

Sections 28, Safety culture, 29, Safety and quality management and 30, Lines of management, responsibilities and expertise contain requirements equivalent to those in RD-337 Section 5.0 Safety Management During Design.

Section 32, Transitional provision, exempts the units in operation before December 2008 from the requirements on dose limits for accidents, the requirements for a “core catcher”, requirements on inherent safety features, passive systems, fail-safe design, instrumentation and control for severe accidents, safe shutdown state following severe accidents, design against large aircraft crash, provision of emergency control post independent of the main control room.

4.2.2 Review of YVL 1.0, Safety criteria for design of nuclear power plants

Section 1, General, quotes the Council of State Decision (395/91) general objective of the nuclear power plant safety, that is “plant operation does not cause radiation hazards which could endanger safety of workers or population in the vicinity or could otherwise harm the environment or property”.


The introductory part of Section 2, Radiation Safety, quotes the Council of State Decision (395/91) radiation protection objective, formulated as “radiation exposure arising from the operation of a nuclear power plant shall be kept as low as reasonably achievable. A nuclear power plant and its operation shall also be designed so that the limits presented in this decision are not exceeded.”

These objectives are equivalent to those stated in RD-337 Section 4.0, Safety Objectives and Concepts. Detailed instructions as to how to take radiation safety into account in nuclear power plant design can be found in Guide YVL 7.18. YVL 7.18 includes requirements on radiation shields design, choice of materials and precautions against corrosion in the primary circuit, layout design, radiation safety aspects in system design, etc.

Section 2.1, Limitation of worker radiation exposure, contains plant design and radiation monitoring requirements equivalent to those of RD-337 Section 8.13, Radiation Protection.

Detailed requirements for the radiation protection of nuclear power plant workers are presented in Guide YVL 7.9. In Guide YVL 7.10, requirements for worker radiation dose monitoring and dose reporting are presented. Guide YVL 7.11 deals with radiation monitoring systems and equipment. YVL 7.11 requirements are significantly more detailed than those of RD-337 Section 8.13. In Section 4.3 Measuring equipment used in a severe accident, YVL 7.11 specifies requirements for radiation monitoring in the containment, available in severe accident conditions, including measuring ranges.

Section 2.2, Limitation and monitoring of radioactive discharges, contains general requirements for monitoring releases of radioactive substances and the radiation exposure of the population living in the vicinity of the plant, more detailed / prescriptive than equivalent requirements in Section 8.13.5, Monitoring Environmental Impact, of RD-337.

In addition, detailed requirements for the limitation of a nuclear power plant's radioactive discharges into the environment are presented in Guide YVL 7.1. Requirements for the measurement of releases are presented in Guide YVL 7.6. Radiation monitoring in the plant's environment is dealt with in Guide YVL 7.7 and meteorological measurements in Guide YVL 7.5.

Section 2.3, Ventilation, contains requirements on ventilation and filtering systems equivalent to those of RD-337 Sections 8.11.2, Control of Airborne Material within the Plant and 8.11.3, Control of Gaseous Releases to the Environment. Detailed requirements for the nuclear power plant's ventilation systems are presented in Guide YVL 5.6, which includes requirements on area and zone classification, supply and exhaust air, fire safety, as well as regulatory control during construction, commissioning and operation.

Section 2.4, Nuclear waste handling and treatment systems, includes a general requirement for the nuclear power plant to have “adequate rooms for the handling, treatment and storage of low and medium level radioactive waste. Systems shall be designed for these rooms to safely handle, treat and transfer waste and to measure the amount and quality of radioactive substances in the waste”. An equivalent requirement is provided in Section 8.11 Waste Treatment and Control of RD-337.

Detailed requirements for radioactive waste handling and storage at the nuclear power plant are presented in Guide YVL 8.3. This Guide gives the general principles that shall be followed when planning and implementing the treatment, storage, transfer, activity monitoring and record-keeping of low and intermediate level waste. The guide does not include any detailed design criteria for treatment and storage facilities.


Section 2.5, Decommissioning, contains requirements equivalent to those of RD-337 Section 7.24, Decommissioning.

The introductory part of Section 3, Nuclear Safety, provides basic safety requirements equivalent to those in Sections 4.0, Safety Objectives and Concepts, and 6.0, Safety Considerations, of RD-337. Detailed requirements for the application of failure criteria and the diversity principle can be found in Guide YVL 2.7. YVL 2.7 specifies the systems which have to meet the single failure criterion (some of them under the assumption of a single failure plus any other component inoperable due to repair or maintenance).

Regarding the systems contributing to containment protection in severe accidents, YVL 2.7 requires that: “Systems ensuring containment integrity in connection with a severe accident shall be capable of accomplishing their safety functions even in the event of a single failure.”

Section 3.1, Reactor, includes requirements on fuel and reactor design and on reactivity control and reactor shutdown equivalent to those in Sections 8.1, Reactor Core and 8.4, Means of Shutdown, of RD-337.

Detailed requirements for fuel design and design limits are presented in Guide YVL 6.2. In addition to general requirements equivalent to those in RD-337 Section 8.1.1, Fuel Elements and Assemblies, YVL 6.2 includes fuel safety criteria for AOOs and DBAs (among which some reflecting common fuel safety criteria for LWRs).

Section 3.2, Reactor primary circuit and cooling systems, includes requirements for ensuring the integrity of the reactor primary circuit, the reactor coolant system and primary circuit cooling and decay heat removal. Equivalent requirements are set out in Sections 8.2, Reactor Coolant System, 8.5, Emergency Core Cooling System, 8.7, Heat Transfer to an Ultimate Heat Sink, and 7.7 Pressure-retaining SSCs.

In addition, YVL 1.0 includes some LWR specific requirements for the reactor coolant system. This includes the prevention of high pressure core melt ejection scenarios.

In addition to requirements equivalent in scope and substance to those in RD-337 Section 7.7 Pressure-retaining SSCs, YVL 2.4 contains more comprehensive /detailed requirements on pressure control for LWRs, including on the analysis of events resulting in pressure increase.

Section 3.3, Containment function, includes requirements on:

• Containment design,

• Penetrations, access openings and isolation,

• Pressure and temperature management,

• Treatment of combustible gases,

• Containment bypass prevention and control,

• Management of the reactor debris,

• Cleaning of the gas space (between the primary and secondary containment)

Equivalent requirements are provided in RD-337 Sections 8.6, Containment, 7.3.4, Beyond Design Basis Accidents, 7.7, Pressure-retaining SSCs.

In addition, the YVL requires:

• a double wall containment building (“The containment shall be encased in a secondary containment building so that any radioactive substances which leak from the primary containment can be collected and treated as appropriate.”)


• hydrogen control in severe accidents assuming 100% fuel clad–water reaction.

• consideration of the potential for high-pressure core melt ejection scenarios to be taken into account in the design of the containment.

• provision of a filtered containment venting system.

Section 3.4, Protection systems, and Section 3.6, Monitoring and control, contain requirements equivalent to those of RD-337 Sections 7.9, Instrumentation and Control, 8.4, Means of Shutdown, and 8.10, Control Facilities. More detailed design requirements for the protection system are presented in Guide YVL 5.5. A significant difference is that both YVL 1.0 and YVL 5.5 Section 2.5.4, Severe accident, specifically require instrumentation dedicated to severe accident management, independent of any other I&C systems:

“Monitoring equipment shall be designed for the nuclear power plant to manage and monitor the progress of severe accidents and to give data about:

• the possible re-criticality of the reactor or its debris

• the threat of a reactor pressure vessel melt-through

• the location of the reactor debris

• other factors possibly endangering containment integrity.

The measurement systems designed for accident monitoring and management shall maintain operability even in the event of a single failure.”

“The design of the monitoring instrumentation for severe accidents shall fulfil the following requirements:

• The measuring methods chosen shall be suitable for monitoring severe accidents.

• The instrumentation shall be independent from all the other instrumentation at the plant.

• The power supply of the instrumentation (electricity, compressed air, etc.) shall be independent from all other power supplies of the plant.

The requirements apply also to control actions possibly needed during a severe reactor accident”.

Section 3.5, Electrical systems, contains requirements for a specific configuration of the on-site electrical power supply system serving the safety functions, as well as for a power supply unit which is independent of the electrical power supply units designed for operational conditions and postulated accidents, and for the capacity of batteries backing up the operation of electrical systems important to safety. RD-337 includes requirements only for the emergency power supply (Section 8.9).

Section 3.7, Fire protection, and YVL 4.3 contain more detailed / prescriptive requirements than the corresponding requirements in RD-337 Section 7.12, Fire Safety. The provisions in Section 7.12 of RD-337 are rather general, focusing on safety objectives for fire protection.

YVL 4.3 contains more detailed / prescriptive provisions, referencing specific national standards and specifying fire resistance values for fire compartments. YVL 4.3 explicitly requires a fire hazard analysis (“Fire hazards analyses shall always be performed for the containment and the control room.”) and gives some guidance on the fire hazard analysis (FHA).


Section 3.8, Fuel handling and treatment systems, and YVL 6.8 provide requirements equivalent to but more detailed than those of RD-337 Section 8.12, Fuel Handling and Storage.

YVL 1.0 includes provisions for the capacity of the spent fuel storage to accommodate one full core load.

Section 3.9, Safety classification, quotes the Council of State Decision (395/91) requirement for classifying SSCs according to their safety significance and refers to Guide YVL 2.1 for detailed requirements. In comparison with RD-337, the YVL 2.1 guide contains more detailed requirements on the safety classification of SSCs, including the definition of 4 safety classes plus the EYT class (classified non-nuclear, includes all systems, structures and components not assigned to Safety Classes 1, 2, 3 or 4) and criteria for assigning SSCs to each of the safety classes (supplemented by an illustration of SSC safety classification for a LWR).

Section 3.10, Provision made for inspections, testing and maintenance, contains requirements equivalent to but less detailed than those of RD-337 Section 7.14 In-service Testing, Maintenance, Repair, Inspection, and Monitoring.

Section 3.11 Shared systems, structures and components, contains provisions more demanding than those of RD-337 Section 7.6.5, Shared Systems - Sharing of SSCs between Reactors, requiring that, in case SSCs performing the same safety function are shared between reactor units, it is demonstrated that the reliability of the safety function is greater than in the absence of sharing.

Section 3.12, Environmental conditions, contains requirements equivalent to those of RD-337 Section 7.8 Equipment Environmental Qualification. Requirements for the environmental qualification of electrical and instrumentation components are presented in Guide YVL 5.5 and the environmental qualification of other structures and components is prescribed in YVL Guides which apply to these structures and components. YVL 5.5 requests that “Prior to qualification tests, the test samples undergo artificial ageing equivalent to planned service lifetime.” Ageing, i.e. taking into account the cumulative ageing effects during equipment’s installed life, is not addressed in RD-337 in the context of environmental qualification.

Section 3.13, Human errors, contains general requirements on prevention, detection and mitigation of human errors equivalent to those in Section 7.21, Human Factors, of RD-337.

The requirements regarding control rooms design to minimize human error are more comprehensive in RD-337.

YVL 1.0 explicitly mentions component accessibility and labelling considerations for prevention of maintenance errors.

YVL 1.0 (with reference to YVL 2.7) explicitly mentions human error considerations for safety analyses (including the possibility of multiple human errors assessed in PSA).

Section 3.14, External events, contains requirements equivalent to those of RD-337 Section 7.4.2, External Hazards. In addition, Guide YVL 2.6 deals with how earthquakes are taken into account in nuclear power plant design.

YVL 2.6 requirements are more detailed / prescriptive than those of RD-337 Section 7.13 Seismic Qualification. Examples of prescriptive requirements:

“A design basis earthquake means the probabilistic estimate of a site-specific earthquake with the severest impact. It shall be so defined that, in the current geological circumstances, stronger earthquakes are anticipated not more often than once in a hundred thousand years (1×10–5/y) on median level. The definition of design basis earthquake shall be presented and justified, and, in addition to the area’s seismic history, also regional and local geology as well as tectonics shall be considered.”

“The vertical and horizontal PGA values used shall be justified. The minimum value of the horizontal component shall be 0.1g. The vertical component’s value shall then be at least two thirds of the horizontal component’s value.”

References used for YVL 2.6 include Finnish national standards and American Society of Civil Engineers (ASCE) standard 4-98, “Seismic Analysis of Safety-Related Nuclear Structures”.

Section 3.15, Ageing of components and materials, contains requirements equivalent to those of RD-337 Section 7.17 Ageing and Wear.

4.3 Summary of findings

In general, the requirements on plant systems in the YVL guides are more detailed / prescriptive than the equivalent requirements in RD-337.

4.3.1 Differences in dose criteria and safety goals

There are significant differences regarding the dose limits / acceptance criteria for AOOs and DBAs.

Finnish regulations are more restrictive in terms of the dose limit for AOOs. RD-337 does not mention the dose limit for exposure from normal operation of a nuclear power plant, while the Finnish regulations impose an annual limit of 0.1 mSv. The limit for AOOs in RD-337 is 0.5 mSv (calculated for a period of 30 days after the analyzed event), while the limit for AOOs in the Finnish regulations is 0.1 mSv (annual dose). YVL 2.2 imposes supplementary requirements: “In addition, it shall be shown that, as a result of any anticipated operational transient, the global collective 500 years effective dose commitment of the population does not exceed the limit value of 5 manSv/GWe (per installed electrical power)”.

For DBAs with frequencies (f) in the range 1E-3/year ≤ f < 1E-2/year and for some of the DBAs with f < 1E-3/year, the dose limits in the Finnish regulations are more restrictive than the dose limits in RD-337.

The probabilistic safety goals for CDF and Large Release Frequency (LRF) are the same. RD-337 specifies also a Small Release Frequency for which there is no equivalent in the Finnish regulations.

4.3.2 Common findings related to system-specific requirements

The Finnish regulations specify requirements for individual SSCs important to safety to meet the single failure criterion. RD-337 includes general requirements in Sections 7.10 Safety Support Systems and 7.6.2 Single Failure Criterion, which may be considered as meeting the intent of the requirement for a safety function to be fulfilled regardless of failures in support systems and single failures.


4.3.3 Differences in requirements on electrical systems

RD-337 includes requirements only for the emergency power supply. The requirements in the Finnish YVLs are much more comprehensive and detailed. YVL 5.2 also includes a section on provisions for station black-out, Section 2.5, Total loss of alternating current power. (“In accordance with Guide YVL 1.0, in nuclear power plant design, the possibility of the on-site and off-site power supply units being simultaneously lost shall be considered. As provision against such a situation, the plant shall have available a power supply unit which is independent of the electrical power supply units designed for operational conditions and postulated accidents. It must be possible to introduce this power supply unit into operation quickly enough and its capability shall be sufficient to remove reactor decay heat, to ensure primary circuit integrity and to maintain reactor sub-criticality. [...]”)

4.3.4 Protection against severe accidents

The Finnish regulations and guides specifically require I&C systems dedicated to severe accident management, independent of any other I&C systems and designed against single failure.

Regarding the systems contributing to containment protection in severe accidents, YVL 2.7 requires that: “Systems ensuring containment integrity in connection with a severe accident shall be capable of accomplishing their safety functions even in the event of a single failure.”

The Finnish requirement on prevention of containment melt-through may be interpreted as referring to a “core catcher”. (“The nuclear power plant shall be equipped with systems that ensure the stabilisation and cooling of molten core material generated during a severe accident. Direct interaction of molten core material with the load bearing containment structure shall be reliably prevented”. “The containment lower space shall be so designed that a core melt possibly formed in a severe accident with high certainty does not cause a containment melt-through”.)

The Finnish regulations explicitly require the prevention of and protection against high-pressure core melt ejection scenarios.

The YVL requirements on hydrogen control in severe accidents assume 100% fuel clad–water reaction. YVL 1.0 explicitly requires the systems provided for the control of combustible gases to be designed against single failure and to rely preferably on passive features (not needing external power supply).

The Finnish regulations also require the provision of a filtered containment venting system.

4.3.5 Fire protection

The provisions in Section 7.12, Fire Safety, of RD-337 are rather general, focusing on safety objectives for fire protection.

YVL 4.3 contains more detailed / prescriptive provisions, referencing specific national standards and specifying fire resistance values for fire compartments. YVL 4.3 explicitly requires a fire hazard analysis (FHA), (“Fire hazards analyses shall always be performed for the containment and the control room.”) and gives some guidance on the FHA.


Given the difference in the level of detail between the provisions on fire protection in RD-337 and YVL 4.3, an analysis of the potentially significant differences was not possible. Such an analysis would require a review of the Canadian national standards (CSA) on fire protection for NPPs, because most of the requirements in YVL 4.3 are at that level of detail (the review should include a comparison of the specification for the fire resistance rating of the fire barriers).

4.3.6 Design against accidental aircraft crash

RD-337 requires consideration of aircraft crashes according to site specific conditions, while the Finnish regulations prescribe the consideration of a large aircraft crash. However, no guidance is provided on the analysis of aircraft crash.

4.3.7 Other requirements

The Finnish regulations specify that “the combined effect of a nuclear reactor's physical feedbacks shall be such that it mitigates the increase in reactor power.”

The YVL requires a double-wall containment building (“The containment shall be encased in a secondary containment building so that any radioactive substances which leak from the primary containment can be collected and treated as appropriate.”)

YVL 1.0 includes provisions for the capacity of the spent fuel storage to accommodate one full core load. (“There shall be so much storage space for spent fuel at the plant site that all fuel assemblies in the reactor can be transferred to the storage pools and that fuel in any storage pool can be transferred to other storage pools.”)

Regarding the sharing of systems, the provisions in YVL 1.0 are more demanding than the equivalent provisions in RD-337, requiring that, in case SSCs performing the same safety function are shared between reactor units, it is demonstrated that the reliability of the safety function is greater than in the absence of sharing.

4.4 Lessons Learnt from the Finnish Regulatory Review of OL3 EPR

STUK’s experience in using the YVLs in the review and assessment for the licensing of the Olkiluoto 3 (OL3) EPR reactor is summarised in a series of presentations available on STUK’s website5. In addition, a joint statement6 was issued by STUK, UK HSE and French ASN regarding the need for independence between the control systems and safety systems in the EPR reactor. It should be noted that this issue has been raised not only due to non-compliance with STUK requirements, but it has been identified also by the other two European regulators having reviewed the EPR.

5 http://www.stuk.fi/sateilytietoa/koulutus/en_GB/workshop_1_4_sept_npp_licensing/

6 http://www.hse.gov.uk/newreactors/joint-regulatory-statement.pdf


The main changes to the EPR design arising from the regulatory review undertaken by STUK based on the Finnish regulations and YVL guides are summarised below (it should be noted that the detailed design changes for all the systems mentioned have not been made public):

- Major changes to the reactor containment and safety system buildings to provide protection against large plane crash;

- Addition of a steel liner to the containment for improving leak-tightness and provision of a filtered containment venting system;

- Modifications to the Emergency Core Cooling to ensure reliability of circulation with very large flow area through sump strainers and strainer back-flushing system;

- Redundancy and diversity was improved in some safety systems (extra boration system, increase in the capacity of the safety injection system, etc.), including in systems dedicated to severe accident management, to meet the single failure criterion requirements in YVL guides;

- Improvements to the design features for severe accident management (molten core management, hydrogen management, high pressure melt prevention – i.e. provision of primary coolant system dedicated depressurisation valves) to increase their reliability;

- Security was improved by measures protecting from chemical, biological and microwave weapons;

- Separation of Severe Accident Management systems from other systems (process, electric supply, I&C);

- Improved physical separation to provide protection against fires and floods (e.g. layout changes in essential service water pump stations, additional walls to provide divisional separation inside annulus, cable separation in annulus, safeguard buildings, entrance to control room, additional fire dampers in Heating, Ventilation and Air Conditioning systems);

- Increased diversity to provide reliability against common cause failures (diversified protection relays in electrical systems, hard wired back-up for digital I&C);

- Increased reliability of the plant/system/equipment performance (pipe whip restraints in primary and secondary systems, mechanical cleaning for containment cooling and condensate systems, two spent fuel pools, classification of systems to higher safety and seismic classes, room specific leakage detection);

- Improvements related to control room habitability (detection and filtering of radioactivity and poisonous gases), etc.

All the changes required for the EPR in Finland can be linked to the requirements in the Finnish regulations and YVL guides identified as presenting significant differences from the requirements in RD-337, i.e. protection against large aircraft crash, compliance with the single failure criterion at system level (for some systems under the assumption of a single failure plus any other component inoperable due to repair or maintenance), dedicated electrical and I&C systems for severe accident management, requirements on the protection of containment integrity in severe accidents, etc.


5. UK SAFETY ASSESSMENT PRINCIPLES BENCHMARK

5.1 Differences in Objective and Scope

The SAPs document contains principles and guidance aimed at assisting in the regulatory judgements made by inspectors. The SAPs do not represent requirements on the licensees and applicants.

The SAPs provide inspectors with a framework for making consistent regulatory judgments on nuclear safety cases. The principles are supported by Technical Assessment Guides (TAGs), and other guidance, to further assist decision making by the nuclear safety regulatory process. The SAPs also provide nuclear site duty holders with information on the regulatory principles against which their safety provisions will be judged.

The SAPs apply to the assessment of all nuclear facilities, not only to nuclear power reactors. Not all the principles in the SAPs document apply to all assessments or to every facility. The principles are a reference set from which an inspector needs to choose those to be used for the particular nuclear safety situation. Therefore, only requirements relevant to design were considered in this benchmark.

The Fundamental Safety Principles (FP1 ÷ FP8) in the SAPs are very general and do not have a direct correspondence in RD-337, so this section is not relevant for the comparison of requirements on design.

The next section, Leadership and Management for Safety (MS1 ÷ MS4) includes extensive provisions on leadership and management for safety, applicable to all activities and installations, regardless of the phase in their lifetime. They are not specific to safety management during design. Since RD-337 is focused on design and this section of the SAPs has a wider scope and no specific provisions on design, a comparison cannot be made.

The section on Regulatory Assessment of Safety Cases (SC1 ÷ SC8) from the SAPs is too general / not specific for design and therefore not relevant for the comparison of requirements on design.

The section on Regulatory Assessment of Siting (ST1 ÷ ST7) falls outside of the scope of RD-337.

The section on Engineering Principles contains safety assessment principles relevant for the design of NPPs. A detailed comparison is provided in Section 5.2 and Appendix 3B. Detailed comparisons are also provided in Section 5.2 and Appendix 3B for the Radiation Protection Principles, Fault Analysis Principles, Numerical Targets and Legal Limits and Accident Management and Emergency Preparedness Principles.

Principles RW1 ÷ RW7 and paragraphs 646 ÷ 683 deal with strategies for waste management that go beyond provisions made at the design stage for minimising the generation of radioactive waste. This section from the SAPs is not relevant for the comparison of requirements on design of NPPs.

The section on Decommissioning (DC.1 ÷ DC.8) is also not relevant for the comparison of requirements on design of NPPs, with the exception of principle DC.1 and paragraph 687, referring to design (but also construction and operation) provisions for decommissioning (e.g. design measures to minimise activation and contamination and design features to facilitate decommissioning and to reduce dose uptake by decommissioning workers). These expectations are equivalent to those in Section 7.24, Decommissioning, of RD-337.

Principles RL.1 ÷ RL.8 and paragraphs 740 ÷ 775 are concerned with the safe management of radioactively contaminated land on nuclear licensed sites. HSE treats radioactively contaminated land and emplaced radioactive substances on nuclear licensed sites as accumulations of nuclear matter, unless they are, or arise from, authorised disposals. This section from the SAPs is not relevant for the comparison of requirements on design of NPPs.

5.2 Detailed Comparison of Design Requirements

5.2.1 Review of the Engineering Principles

Design requirements similar to the expectations provided in the key principle EKP.1, Inherent Safety, and related guidance (para. 136 ÷ 138) are covered in RD-337 Sections 4.3.1, Defence-in-depth, 6.1, Application of Defence-in-depth, and 6.3, Accident Prevention and Plant Safety Characteristics.

RD-337 does not explicitly state inherent safety as one of the objectives of the design, but mentions the use of inherent safety features in the context of requirements for particular safety systems and in the general context of defence-in-depth and accident mitigation and management (Section 4.2.4).

The SAPs explain the concept of inherent safety and the general means for fulfilling it. RD-337 does not elaborate on the concept and its implementation.

Requirements equivalent to the key principle EKP.2, Fault tolerance, are provided in RD-337 Section 7.6.3 Fail-safe Design.

Design requirements similar to the expectations provided in the key principle EKP.3, Defence in depth, and related guidance (para. 140 ÷ 144) are covered in RD-337 Sections 4.3.1, Defence-in-depth, 4.3.2, Consideration of Physical Barriers, 6.1, Application of Defence-in-depth, and 6.1.1, Consideration of Physical Barriers.

The expectations of the key principle EKP.4, Safety Function, and related guidance (para. 145) are equivalent in principle with the RD-337 design requirements in Section 6.2 Safety Functions. RD-337 specifies the fundamental safety functions and requires identification of SSCs contributing to the safety functions while the SAPs require first the identification of the safety functions through a structured analysis of normal operation and fault analysis and then the identification of the safety measures.

The expectations of the key principle EKP.5, Safety Measures, and related guidance (para. 146 ÷ 147) are equivalent in principle with the RD-337 design requirements in Sections 6.2 Safety Functions, and 6.3, Accident Prevention and Plant Safety Characteristics. The SAPs explicitly present the safety characteristics in a hierarchical order of preference (in RD-337 this is implicit).

Principles ECS.1, Safety categorisation, and ECS.2, Safety classification of structures, systems and components, and the related guidance (para. 148 ÷ 156) provide expectations equivalent in principle with those in RD-337 Section 7.1, Classification of SSCs. The SAPs present a methodology for the safety classification of SSCs which involves a prior categorization of the safety functions to be delivered.


Principles ECS.3, Standards, ECS.4, Codes and standards, and ECS.5, Use of experience, tests or analysis, and the related guidance (para. 157 ÷ 161) provide expectations equivalent in principle with those in RD-337 Sections 7.1, Classification of SSCs, 5.4, Proven Engineering Practices, and 7.6.5, Shared Systems.

Despite some differences in wording, the provisions of RD-337 and the SAPs concerning standards and codes can be considered equivalent. However, the SAPs include provisions on the selection of codes and standards (e.g. preferably nuclear specific, leading to a conservative design, etc.) and on the combination of different codes and standards for the same SSC. The selection of codes and standards and their compatibility are not addressed in the same detail in RD-337.

Principle EQU.1, Qualification procedures, and related guidance (para. 162 ÷ 165) provide expectations equivalent in principle with requirements in Section 7.8, Equipment Environmental Qualification, of RD-337. Specific consideration of dynamic loads is addressed in Section 7.7, Pressure-retaining SSCs, Section 8.1, Reactor Core, and 8.6.2, Strength of the Containment Structure. Relevant requirements are included also in Section 7.15, Civil Structures (7.15.1 Design). Seismic qualification is addressed in Section 7.13.

However, the SAPs provisions on the procedures for equipment qualification explicitly ask for a physical demonstration that the SSCs can deliver their functions under the required conditions and within the required time, while the provisions in RD-337 only address performance under the expected conditions (i.e. the “time” element is not explicitly mentioned, although it can be considered implicit to the fulfilment of the safety functions).

Engineering principles in the SAPs section on design for reliability, EDR.1, Failure to safety, EDR.2, Redundancy, diversity and segregation, EDR.3, Common cause failure (CCF), and EDR.4, Single failure criterion, together with related guidance provided in para. 166 ÷ 175, are equivalent to the requirements on reliability in Section 7.6, Design for Reliability. The equivalence of requirements is based on the wording of the principles in the SAPs; it should be noted that the paragraphs associated with the principles often include detailed information not covered by RD-337; for example, paragraphs 172 ÷ 174 of the SAPs include a discussion on the figures/claims for CCF considered credible by the assessors.

Requirements similar to the expectations on reliability claims presented in principles ERL.1, Form of claims, ERL.2, Measures to achieve reliability, ERL.3, Engineered safety features, and ERL.4, Margins of conservatism, and related guidance (para. 176 ÷ 181) are provided in RD-337 Sections 7.6, Design for Reliability, and 7.3.3, Design Basis Accidents. The SAPs include more detailed expectations on the reliability analysis (and on the quality of the input data and on the assumptions made) than RD-337.
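The two reliability provisions compared above, the single failure criterion and the treatment of common cause failure, are easiest to see on a small model. The following is an added example written for this comparison; it is not code or data from the ENCO report, from RD-337 or from the SAPs. The three-train layout, the DC bus shared by two trains, the single-train failure probability of 1E-2 and the beta factor of 0.1 are constructed assumptions. The first check enumerates component-level single failures, which is what exposes a shared support system of the kind addressed in RD-337 Section 7.6.5, Shared Systems; the second applies a beta-factor CCF model to show why a reliability claim for a redundant system is bounded below by the CCF contribution, the kind of limit that the credible-claim discussion in SAPs paragraphs 172 ÷ 174 concerns.

```python
"""Two checks a reviewer applies to a redundant safety system design.

Added example; not part of the ENCO report, RD-337 or the SAPs. The system
layout, the failure probabilities and the beta value are constructed for
illustration and are not figures taken from either document.
"""
from math import comb
from typing import Dict, Set, FrozenSet, Iterable

# Constructed sample: three trains of one safety function. Each train needs its
# own pump and valve, but trains A and B share a single DC bus (a shared support
# system), so one bus failure disables two trains at once.
SAMPLE_SYSTEM: Dict[str, Set[str]] = {
    "A": {"pump_A", "valve_A", "dc_bus_1"},
    "B": {"pump_B", "valve_B", "dc_bus_1"},
    "C": {"pump_C", "valve_C", "dc_bus_2"},
}


def trains_available(system: Dict[str, Set[str]],
                     failed_components: Set[str],
                     trains_out: Iterable[str]) -> Set[str]:
    """Trains that are not out for maintenance and have every component intact."""
    out = set(trains_out)
    return {t for t, comps in system.items()
            if t not in out and not (comps & failed_components)}


def single_failure_violations(system: Dict[str, Set[str]], m_of_n: int,
                              trains_out: Iterable[str] = frozenset()) -> Set[str]:
    """Components whose single failure, on top of planned outages, leaves fewer
    than m trains able to deliver the function.

    Enumerating component-level failures rather than train-level ones is what
    reveals shared support systems: a train-level count would say "three trains,
    any one may fail" and miss that dc_bus_1 takes out A and B together.
    """
    components: Set[str] = set().union(*system.values())
    violations: Set[str] = set()
    for c in sorted(components):
        if len(trains_available(system, {c}, trains_out)) < m_of_n:
            violations.add(c)
    return violations


def system_pfd(single_train_pfd: float, n_trains: int, m_of_n: int, beta: float) -> float:
    """Probability of failure on demand of an m-of-n system under the beta-factor
    common cause failure model.

    Each train's unavailability q is split into an independent part (1-beta)*q
    and a common cause part beta*q that fails all trains together. The CCF term
    is a floor that adding more identical trains cannot push below.
    """
    q_ind = (1.0 - beta) * single_train_pfd
    q_ccf = beta * single_train_pfd
    max_failed = n_trains - m_of_n  # more failed trains than this and the function is lost
    p_ind = sum(comb(n_trains, k) * q_ind ** k * (1.0 - q_ind) ** (n_trains - k)
                for k in range(max_failed + 1, n_trains + 1))
    # Independent-failure event and CCF event treated as independent of each other.
    return 1.0 - (1.0 - p_ind) * (1.0 - q_ccf)


if __name__ == "__main__":
    print("2-of-3 SFC violations:", single_failure_violations(SAMPLE_SYSTEM, 2))
    print("1-of-3 SFC violations, train C out:", single_failure_violations(SAMPLE_SYSTEM, 1, {"C"}))
    for n in (2, 4, 8):
        print(f"1-of-{n}, q=1e-2, beta=0.1: pfd = {system_pfd(1e-2, n, 1, 0.1):.3e}")
```

With the constructed layout, a 2-of-3 requirement fails the single failure criterion only through dc_bus_1, and a 1-of-3 requirement fails it as soon as train C is taken out for maintenance, which is the interaction between RD-337 Sections 7.6.2 and 7.6.4 that the SAPs make explicit in ESS.23 and ESS.24. In the CCF model, doubling the number of trains from two to four moves the unavailability from about 1.08E-3 to barely above the 1E-3 floor set by beta*q; the claim is then only as good as the CCF argument behind beta.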

Principle ECM.1, Commissioning, and paragraphs 182 ÷ 186 address the commissioning process and not the requirements on design for commissioning. Section 7.16 of RD-337 addresses design for commissioning. No comparison can be made due to the difference in scope of these sections.

Principles on Maintenance, inspection and testing (EMT.1 ÷ EMT.8) and related guidance (para. 187 ÷ 193) describe expectations equivalent in principle with the requirements in RD-337 Section 7.14, In-service Testing, Maintenance, Repair, Inspection, and Monitoring. Other relevant requirements are those in RD-337 Sections 7.8, Equipment Environmental Qualification and Section 7.15, Civil Structures (7.15.1 Design).


The SAPs explicitly require that the intervals for testing, maintenance, etc. are commensurate with the reliability claims for the SSCs. This may be considered implicit to the general requirement in RD-337 on standards commensurate with the safety functions.

The SAPs also include an expectation for the provision of locations for temporary storage of materials related to the maintenance activities (in paragraph 187).

Principles EAD.1 ÷ EAD.5 on Ageing and Degradation and related guidance (para. 194 ÷ 202) provide expectations equivalent in principle to the RD-337 requirements in Section 7.17, Ageing and Wear.

Principles ELO.1 ÷ ELO.4 on Layout and related guidance (para. 203 ÷ 207) include more detailed expectations with regard to the role of layout in minimising adverse interactions during operational, maintenance, inspection and testing activities on SSCs and also in minimising the effects of incidents. The SAPs also require the provision of alternative access to rescue equipment in all normally manned areas. These requirements are not covered explicitly or to the same degree of detail in RD-337 Sections 6.6, Facility Layout, 8.13, Radiation Protection, 7.3.2, Anticipated Operational Occurrences, 8.13.2, Access and Movement Control, and in the relevant requirements on physical separation in Section 7.6.1, Common-cause Failures.

Principles EHA.1 ÷ EHA.6 on External and internal hazards and related guidance (para. 208 ÷ 217) have a different focus than requirements in RD-337 Sections 9.0, Safety Analysis, and 7.4, Postulated Initiating Events Considered in the Design.

RD-337 does not provide information on the criteria for screening of the hazards. Paragraph 212 of the SAPs includes such criteria, including one related to the frequency of a hazard: “Any generic type of hazard with a total frequency that is demonstrably below once in ten million years (1E-7/year) may be excluded.”

The RD-337 requirements on hazard analysis focus on the objectives and documentation of the hazard analysis, while the SAPs focus on the input data and assumptions for hazard analysis (e.g. EHA.2 ÷ EHA.6).

Cliff-edge effects, addressed in principle EHA.7 of the SAPs, are not addressed in RD-337.

RD-337 does not include requirements on the estimation of the frequency of accidental aircraft crashes (principle EHA.8, Aircraft impact and related guidance in para 218 and 219).

RD-337 does not address the selection of the design basis earthquake (DBE). Principle EHA.9, Earthquakes, and paragraph 220 in the UK SAPs address this. In addition, the SAPs address the operating basis earthquake, not covered in the RD-337 requirements.

Principle EHA.10, Electromagnetic interference provides the expectation for the design to include protective measures against the effects of this hazard. Electromagnetic interference is not addressed in RD-337.

Principles EHA.11, Extreme weather and EHA.12, Flooding, and related guidance (224 ÷ 228) include expectations equivalent to those in RD-337 Sections 7.4.2, External Hazards, and 7.4.3, Combinations of Events.

Principles EHA.13 ÷ EHA.17 on Fire, explosion, missiles, toxic gases, etc., and related guidance (para. 229 ÷ 233) include provisions equivalent to the requirements of Section 7.12, Fire Safety, of RD-337. RD-337 does not explicitly address fire hazard analysis; hazard analysis is addressed only in general terms in Section 9.3.


Principles EPS.1 ÷ EPS.5 on Pressure systems and related guidance (para. 234 ÷ 237) include detailed requirements on removable closures to pressurised components or systems, flow limiting devices and pressure relief systems, which are not explicitly addressed by RD-337. RD-337 addresses general requirements for the design of pressure-retaining SSCs, in Section 7.7, Pressure-retaining SSCs, without going into details about specific systems and components.

The section on Integrity of metal components and structures (paragraphs 238 ÷ 279 and principles EMC.1 ÷ EMC.34) is concerned with the engineering assessment of the integrity of metallic components and structures such as pressure vessels, boilers, pressure parts, coolant circuits, pipework, core support, pumps, valves, storage tanks and the freestanding metal shell of pressure retaining containment structures. It includes metal pressure boundary penetrations, metal linings of concrete containments and pressure vessels but not the concrete structures as a whole. RD-337 does not include specific requirements for the integrity of metal components and structures. Only high level integrity related expectations are given in para. 2 (safety margins) and 3 (detection of flaws) of Section 7.7, Pressure-retaining SSCs.

Principles ECE.1 ÷ ECE.24 and related guidance (para. 280 ÷ 302) include expectations for Civil Engineering, such as engineering assessment of the integrity of structural components such as steel-framed buildings, crane supports, concrete structures, masonry, foundations, embankments, slopes, river and coastal defences. Of those, principles ECE.4 and ECE.5 address expectations relevant for the site investigation phase, and not for design. ECE.16 ÷ ECE.24 cover requirements for construction and in-service inspection.

Requirements for civil structures are included in RD-337 Section 7.15. RD-337 does not address in detail the arguments required to substantiate the reliability claim for civil structures important to safety (in the SAPs these are addressed in principle ECE.2 and paragraphs 282 ÷ 285).

RD-337 does not address aspects related to naturally occurring gases (see principle ECE.11 from the SAPs: The design should take account of the possible presence of naturally occurring explosive gases or vapours in underground structures such as tunnels, trenches and basements.)

Structural analysis and model testing is addressed in the SAPs (principles ECE.12 ÷ ECE.15, paragraphs 292 ÷ 296) in detail, while RD-337 only requires structural analyses for all civil structures important to safety.

The section on Graphite Components and Structures (principles EGR.1 ÷ EGR.15 and para. 303 ÷ 332) includes expectations specific to graphite moderated reactors and is therefore not relevant for the comparison with RD-337.

Principle ESS.1, Requirement for safety systems, is equivalent with RD-337 requirements in Sections 6.1, Application of Defence-in-depth, 8.1, Reactor Core, and 8.4 Means of Shutdown.

Principle ESS.2, Determination of safety system requirements, includes expectations equivalent with the requirements in RD-337 Section 7.6, Design for Reliability.

Principle ESS.3, Monitoring of plant safety, includes expectations equivalent with the requirements in RD-337 Sections 7.9, Instrumentation and Control, and 8.10, Control Facilities.

Principles ESS.4 ÷ ESS.6 (and para. 339 ÷ 341) address expectations for the adequacy of the variables used to initiate a safety system action. The adequacy of safety system initiating variables is not covered in RD-337, except for the reactor trip parameters addressed in Section 8.4.1, Reactor Trip Parameters.

Principle ESS.7, Diversity in the detection of fault sequences, provides expectations equivalent with the RD-337 requirements in Section 8.4.1, Reactor Trip Parameters.

Principle ESS.8, Automatic initiation, includes expectations equivalent with the requirements in RD-337 Section 7.9.1 (Instrumentation and Control) General Considerations.

Principle ESS.9 provides the expectations for the Time for human intervention. The minimum time specified by RD-337 before operator action from the main control room (MCR) is required is 15 minutes, while the SAPs specify a time period of 30 minutes. This difference in requirements has an impact on design provisions. This impact can only be assessed on a case-by-case basis, for each design submitted for regulatory review.

RD-337 does not include general requirements on the definition of capability and demonstration of adequacy of the safety systems (principles ESS.10 and ESS.11 of the SAPs), but equivalent requirements are provided in the sections dealing with safety analyses and in the system specific sections.

RD-337 does not include general requirements on the prevention of infringement of service requirements as in principle ESS.12, but includes requirements on the monitoring of safety systems’ status (e.g. in Section 8.10.1, Main Control Room).

The provisions of the principle ESS.13, Confirmation to operating personnel, can be considered covered by the requirements of RD-337 Sections 7.9.1 (Instrumentation and Control) General Considerations, and 8.10.1, Main Control Room, although the wording differs. However, RD-337 does not include a provision on the prohibition of self-resetting actions and alarms (principle ESS.14 in the SAPs).

Principle ESS.15, Alteration of configuration, operational logic or associated data, provides expectations equivalent with the RD-337 requirements in Section 7.9.1 (Instrumentation and Control) General Considerations.

RD-337 does not include a general requirement for the safe state following a safety system action not to depend on an external source of energy, where practicable (a requirement equivalent to principle ESS.16, No dependency on external sources of energy).

Principle ESS.17, Fault identification and assurance of safe state, provides expectations for failure modes and effects analysis as a basis for the avoidance measures or protective features provided within the design. The requirement for attention to be given to spurious operation and unsafe failure modes in RD-337 can be interpreted to have the same meaning.

RD-337 does not include a provision requiring that no fault, internal or external hazard should disable a safety system, as in principle ESS.18, Failure independence, but does require, in Section 6.2, that safety functions are fulfilled in all operational states, AOOs, DBAs and, to the extent practicable, in BDBAs. Provisions equivalent to those in para. 352 of the SAPs are given in Section 7.6, Design for Reliability, of RD-337.

Principle ESS.19, Dedication to a single task, provides that a safety system should be dedicated to the single task of performing its safety function. RD-337 does not prohibit safety systems from having other functions but imposes requirements for such situations in Section 7.6.5, Shared Systems.

RD-337 does not include requirements on safety system design to avoid complexity and to incorporate means of revealing internal faults from the time of their occurrence, such as the expectations in principle ESS.21, Reliability. Only the fail-safe approach is addressed in RD-337 requirements.

RD-337 does not include requirements on prevention of spurious operation of safety systems at a frequency that might directly or indirectly degrade safety, such as the expectations in principle ESS.22, Avoidance of spurious operation, except in the context of Section 7.6.5 Shared Systems: “The design includes provisions to ensure that the sharing of instruments does not result in an increased frequency in demand on the safety system during operation.”

The expectations provided in principles ESS.23, Allowance for unavailability of equipment and ESS.24, Minimum operational equipment requirements, are covered by RD-337 requirements in Sections 7.3.1, Normal Operation, 4.3.3, Operational Limits and Conditions, 7.6.2, Single Failure Criterion, 7.6.4, Allowance for Equipment Outages, and 9.2, Analysis Objectives. RD-337 does not explicitly address the “minimum amount of operational safety system equipment”.

Expectations equivalent to principle ESS.25, Safety system vetoes, are provided in RD-337 Section 7.9.1 (Instrumentation and Control) General Requirements.

RD-337 requires that the design allows for online maintenance and online testing of systems important to safety, requirements equivalent in principle with the expectations in ESS.26, Maintenance and testing, even though RD-337 does not explicitly state that maintenance and testing of a safety system should not initiate a fault sequence.

The RD-337 requirements on computer based systems are more comprehensive than those of the principle ESS.27, Computer-based safety systems, and related guidance (para. 360 ÷ 362), but the latter are supplemented by more detailed guidance, Technical Assessment Guide T/AST/046, Computer based safety systems (footnote 7).

Principle ESR.1, Provision in control rooms and other locations, and related guidance paragraphs (363 ÷ 366) contain expectations equivalent to those in RD-337 Sections 7.9.1 (Instrumentation and Control) General Requirements, and 8.10, Control Facilities.

RD-337 requirements for adequacy of the instrumentation do not address all the factors enumerated in principle ESR.2, Performance requirements, of the UK SAPs (i.e. reliability, accuracy, stability, response time, range and readability).

Principle ESR.3, Provision of controls, provides expectations equivalent to the requirements in RD-337 Section 7.9.1 (Instrumentation and Control) General Requirements.

RD-337 does not explicitly address the “minimum control and instrumentation for which facility operation may be permitted”, as in ESR.4, Minimum operational equipment.

Principle ESR.5, Standards for computer based equipment, provides expectations equivalent to the requirements in RD-337 Section 7.9.2 Use of Computer-based Systems or Equipment.

RD-337 does not explicitly address power supplies for safety-related control and instrumentation systems, as in ESR.6, Power supplies.

Principle ESR.7, Communications systems, is equivalent in principle with the requirements in Section 7.20, Escape Routes and Means of Communication, with the exception that RD-337 does not include a requirement for the communication systems not to have adverse effects on safety systems or safety-related systems.

7 http://www.hse.gov.uk/foi/internalops/nsd/tech_asst_guides/tast046.htm

Requirements equivalent to principle ESR.8, Monitoring of radioactive substances, are addressed in RD-337 Sections 8.13.3, Monitoring, 8.2, Reactor Coolant System, and 8.12.3, Detection of Failed Fuel.

Requirements equivalent to principle ESR.9, Response of control systems to normal plant disturbances, are provided in RD-337 Section 8.1.2, Control System, with the difference that RD-337 requirements address control systems for the control of reactivity, while principle ESR.9 of the SAPs is wider / more general in scope.

RD-337 does not include a general requirement on the prevention of excessive frequency of actuation of the safety systems, such as that in principle ESR.10, Demands on safety systems in the event of control system faults.

Expectations in principles EES.1 ÷ EES.9 and related guidance paragraphs (370 ÷ 374) on the provision of essential services are equivalent to requirements in Sections 7.10, Safety Support Systems, 7.6, Design for Reliability, and 7.6.5, Shared Systems, of RD-337, with a few exceptions:

• RD-337 does not include a general requirement for the capacity of essential services to meet safety requirements not to be undermined by cross-connections to services provided for non-safety functions. However, this requirement may be considered implicit to the provisions of Section 7.6.5, Shared Systems.

• RD-337 does not address protection requirements for essential service components or systems.

• RD-337 does not address the situation in which a source external to the nuclear site is employed as the only source of the essential services.

• RD-337 requires the provision of emergency support systems for situations of concurrent loss of normal and backup services.

Principles EHF.1 ÷ EHF.10 on Human factors and the related guidance paragraphs (375 ÷ 391) contain expectations equivalent in principle with the requirements in RD-337 Section 7.21, Human Factors. A few differences are noted:

• RD-337 does not explicitly require that dependence on human action to maintain a safe state should be minimised.

• RD-337 does not explicitly require the identification of all human actions that can impact on safety.

• RD-337 does not require the systematic identification of administrative controls used to remain within the safe operating envelope. However, these can be considered covered by the operational limits and conditions (e.g. in RD-337 Section 4.3.3: “The OLCs are documented in a manner that is readily accessible for control room personnel, with the roles and responsibilities clearly identified”).

• RD-337 does not explicitly address task analysis and all the elements required in the SAPs in principle EHF.5 and paragraphs 379 ÷ 382.

• RD-337 does not explicitly address human reliability analysis.


RD-337 does not include detailed provisions on the control of nuclear matter (ENM.1 ÷ ENM.8); it only references, in Section 7.23, Safeguards, the obligations arising from the safeguards agreement between Canada and the IAEA.

Paragraphs 418 ÷ 422 of the SAPs include both explanatory text and requirements on containment and ventilation. There is no direct correspondence with RD-337 requirements. RD-337 does not address the use of pressure gradients and flows within ventilation systems between contamination zones, nor fire dampers.

The expectations of principle ECV.1, Prevention of leakage, are covered by the provisions of RD-337 Sections 8.11, Waste Treatment and Control, 8.13.4, Sources, and 10.2, Release of Nuclear and Hazardous Substances.

Expectations provided in principle ECV.2, Minimisation of releases, are equivalent with the general requirements on containment in RD-337 Section 8.6.1.

Principle ECV.3, Means of containment, and paragraphs 424 ÷ 425 of the UK SAPs are written in such a way as to be applicable to containment design for all types of nuclear facilities, not only nuclear power reactors. Requirements for the containment are provided in Section 8.6 of RD-337. RD-337 does not:

• explicitly address provisions for making the facility safe following any incident involving the release of radioactive substances within or from a containment, including equipment to allow decontamination and post-incident re-entry to be safely carried out.

• include a requirement for the containment design to minimise the size of service penetrations.

• include a requirement on the containment design to provide discharge routes, including pressure relief systems, with treatment system(s) to minimise radioactive releases to acceptable levels.

• include requirements on the containment design to:

− allow the removal and reinstatement of shielding;

− define the performance requirements of containment systems to support maintenance activities;

− demonstrate that the loss of electrical supplies, air supplies and other services does not lead to a loss of containment, nor of the delivery of its safety function;

− demonstrate the control methods and timescales for re-establishing the containment conditions where access to the containment is temporarily open (e.g. during maintenance work).

RD-337 does not include provisions equivalent to those in principle ECV.4, Provision of containment barriers, and paragraph 426 of the SAPs.

RD-337 does not require that the need for personnel access to the containment be minimised, nor does it stipulate that access to the containment should not be necessary to ensure the safety of the facility in either the short or long term following an accident, as in principle ECV.5, Minimisation of personnel access, and guidance paragraphs 427 ÷ 429.

The expectations on radiation monitoring devices in principle ECV.6, Monitoring devices, are equivalent to the RD-337 requirements in Section 8.13.3, Monitoring.


Expectations provided in principle ECV.7, Leakage monitoring, are equivalent with the requirements in RD-337 Section 8.6.6, Containment Isolation.

Principles ECV.8, Minimisation of provisions, and ECV.9, Standards, are concerned with the transport of nuclear matter from a containment. For a power reactor this would, for instance, be the movement of used fuel to the cooling ponds. The means for carrying out this activity and the measures to be taken during the operation are covered by the items enumerated in para. 433. Relevant equivalent requirements are provided in Sections 8.12, Fuel Handling and Storage, and 7.19, Transport and Packaging for Fuel and Radioactive Waste.

Principle ECV.10, Safety functions, and related guidance (para. 434 ÷ 438) deal with the safety functions of the ventilation systems and are more comprehensive / detailed than the equivalent requirements in RD-337 Section 8.11.2, Control of Airborne Material within the Plant.

Principle ERC.1, Design and operation of reactors, and related guidance paragraphs (439 ÷ 443) contain expectations equivalent in principle with those in RD-337 Section 8.1 Reactor Core. RD-337 does not explicitly require for the uncontrolled movement of reactivity control devices to be prevented.

Principle ERC.2, Shutdown systems, and related guidance paragraphs (444, 445) are equivalent in principle with the requirements in RD-337 Sections 8.4, Means of Shutdown, and 8.1, Reactor Core. RD-337 does not include a general requirement that reactor shutdown and subsequent hold-down should not be inhibited by mechanical failure, distortion, erosion, corrosion, etc. of plant components, or by the physical behaviour of the reactor coolant, under normal operation or design basis fault conditions. However, RD-337 requires that fuel assembly and its component parts remain in position with no distortion that would prevent effective post-accident core cooling or interfere with the actions of reactivity control devices or mechanisms.

RD-337 does not include an explicit requirement for the core not to undergo sudden changes of condition when operating parameters go outside their specified range (see the requirements in principle ERC.3, Stability in normal operation, and paragraph 446 of the SAPs). RD-337 does not explicitly require that limits be set for the maximum degree of positive reactivity (see paragraph 451 of the SAPs). Other provisions in the SAPs not covered by the requirements in RD-337 include those of paragraphs 449, 453, 454 and 455.

Principle ERC.4, Monitoring of safety-related parameters, is equivalent in principle with the RD-337 requirements in Sections 7.9.1 (Instrumentation and Control) General Considerations, 8.1.1, Fuel Elements and Assemblies and 8.12.3, Detection of Failed Fuel. RD-337 does not include an explicit requirement for the design to allow fuel to be removed from the reactor, despite any environmentally induced damage such as bowing, swelling or from other damage occurring in normal operation and in design basis fault conditions (SAPs paragraph 457).

The principles for heat transport systems relate to the systems required to transport heat within the facility, both in normal operation and fault conditions, and cover the full range of heat transfer applications in reactors, chemical facilities, fuel storage ponds, etc.

Principle EHT.1 on Design is equivalent to the requirement for removal of heat from the core in RD-337 Section 6.2, Safety Functions. More detailed requirements for the reactor coolant system, the emergency core cooling system, and the emergency heat removal system are provided in RD-337 Sections 8.2, 8.5 and 8.8.


Principle EHT.2 addresses the coolant inventory and flow. These expectations are equivalent in principle with the requirements in RD-337 Section 8.2.2, Inventory. RD-337 does not address inherent cooling processes (SAPs para. 461) and does not explicitly require estimation of uncertainties and safety margins in the safety assessments for heat transport systems (SAPs para. 460 and 462).

Principle EHT.3, Heat sinks, is equivalent with the RD-337 requirements in Section 8.7 Heat Transfer to an Ultimate Heat Sink.

Requirements equivalent to principle EHT.4, Failure of heat transport system, and related guidance (para. 464 ÷ 466) are provided in RD-337 Sections 8.2, Reactor Coolant System, 8.2.1, In-service Pressure Boundary Inspection, 8.2.3, Cleanup, and 7.7, Pressure-retaining SSCs.

RD-337 does not address the specification of the properties of the heat transport fluid and the situations where mutually incompatible heat transport fluids are used within a facility (SAPs para. 465-466), but this is due to the fact that RD-337 is concerned with the design of new water-cooled nuclear power plants, while the SAPs are intended to be completely technology-neutral and applicable to a large variety of nuclear installations.

Principle EHT.5 addresses the Minimisation of radiological doses. Equivalent requirements are provided in RD-337 Sections 4.1.1, Radiation Protection Objective, Sections 8.2, Reactor Coolant System, and 8.2.3, Cleanup. RD-337 does not explicitly address provisions for removing and storing the radioactive coolant to allow inspection and repair work (para. 468 of the SAPs).

The requirements in principles ECR.1 and ECR.2 on criticality safety and paragraphs 470 ÷ 475 address all situations that may pose a risk of criticality, for all types of facilities, while RD-337 requirements in Sections 8.12.1 and 8.12.2 address criticality safety only for handling and storage of fresh and irradiated fuel for nuclear power reactors.

5.2.2 Review of the Radiation Protection Principles

The Radiation Protection principles, ERP.1 ÷ ERP.6 and paragraphs 476 ÷ 495, contain mostly expectations equivalent to those in RD-337 Sections 4.1.1, Radiation Protection Objective, 8.13, Radiation Protection, 8.13.1, Design for Radiation Protection, 8.13.2 Access and Movement Control, 8.13.3, Monitoring, 8.13.4, Sources, and 6.6, Facility Layout.

The provisions of para. 486 and 487 are not fully (explicitly) covered by RD-337 provisions. Also, RD-337 does not address detailed provisions such as the use of change barriers (para. 490 of the SAPs). The requirements in the SAPs regarding decontamination are more detailed (para. 491, 492 address particular aspects not explicitly addressed by RD-337). The SAPs regarding shielding are more detailed than the equivalent requirements in RD-337, outlining particular considerations for the provision of shielding (paragraphs 493 and 494).

5.2.3 Review of the Fault Analysis Principles

Principle FA.1, Design basis analysis, PSA and severe accident analysis, contains expectations equivalent with requirements on safety analyses in RD-337 Sections 4.2.3, 5.6 and 9.0, and RD-310 requirements in Section 4.0, Safety Analysis Objectives.


Requirements equivalent in principle to the expectations in principle FA.2, Identification of initiating faults, are provided in RD-337 Sections 9.1 (Safety Analysis) General, 7.4, Postulated Initiating Events Considered in the Design, and RD-310 Section 5.2, Events to be Analyzed.

The SAPs include quantitative criteria for screening out some initiating events based on their potential for having only minor radiological consequences: “Faults lacking the potential to lead to doses of 0.1 mSv to workers, or 0.01 mSv to a hypothetical person outside the site, are regarded as part of normal operation and may be excluded from the fault analysis.”

This means that all events having the potential to lead to doses in excess of 0.1 mSv to workers, or 0.01 mSv to a hypothetical person outside the site have to be included in the fault analysis.

The PIEs to be analysed according to RD-337 and RD-310 are selected based on their frequency of occurrence (events leading to AOOs, DBAs, etc.), and dose acceptance criteria are then established for each class. It is not clear what criterion CNSC uses for screening out events that can have only minor radiological consequences, i.e. events that do not pose "significant radiological risk". The term "significant radiological risk" is used in various CNSC documents, and it may be inferred that only events or sequences of events that present "significant radiological risk" need to be analysed. However, the reviewers could not find a reference to a quantitative definition of "significant radiological risk".

Requirements equivalent in principle to the expectations in principle FA.3, Fault sequences, are provided in RD-310 Sections 5.4.2, Analysis Method, 5.3, Acceptance Criteria, and 5.4.4 Analysis Assumptions, and RD-337 Sections 4.2, Application of the Technical Safety Objectives, and 4.2.3, Safety Analyses.

RD-337 and RD-310 do not explicitly require a clear relation between the fault sequences used in DBA and severe accident analysis and the fault sequence development of the PSA (see para. 506 of the SAPs).

RD-337 requires that all sources of exposure are identified (Section 4.2.3) but does not go into details about the calculation of the doses (see para. 508, 509 of the SAPs).

Principle FA.4, Fault tolerance, contains expectations equivalent with requirements on safety analyses in RD-337 Section 9.4, Deterministic Safety Analysis, and RD-310 requirements in Section 5.3.4, Acceptance Criteria for AOOs and DBAs.

The expectations in principle FA.5, Initiating faults and para. 514 and 515 are equivalent to the requirements in RD-310 Section 5.2, Events to be Analyzed. Note that the SAPs allow for the exclusion from the analysis of natural hazards with a predicted frequency of being exceeded of less than 1E-4/year (while the cut-off frequency for internal initiating events is 1E-5/year). RD-310 and RD-337 do not specify a particular cut-off frequency for external hazards.

The expectations in principle FA.6, Fault sequences, and para. 516 ÷ 520 are equivalent to the requirements in RD-310 Sections 5.4.4, Analysis Assumptions, and 5.5, Safety Analysis Documentation. The requirements on event grouping provided in para. 520 of the SAPs are not explicitly addressed in RD-337 and RD-310.

The expectations in principle FA.7, Consequences, and para. 521 ÷ 524 are equivalent to the requirements in RD-310 Section 5.4.1, (Safety Analysis Methods and Assumptions) General. Relevant requirements are provided also in Sections 5.4.2, Analysis Method, 5.4.3, Analysis Data, 5.4.5, Computer Codes, 5.4.6, Conservatism in Analysis, and 5.7, Quality of Safety Analysis.

The expectations in principle FA.8, Linking of initiating faults, fault sequences and safety measures, and paragraph 525 are equivalent to the RD-310 provisions in Sections 4.0, Safety Analysis Objectives, and 5.4.4, Analysis Assumptions, and those of RD-337 in Section 9.2, Analysis Objectives.

Principle FA.9, Further use of DBA, is equivalent in principle with the provisions in RD-337 Sections 9.2, Analysis Objectives, 9.3 Hazards Analysis, 9.4, Deterministic Safety Analysis, and 7.2, Plant Design Envelope. RD-337 does not explicitly require that the DBA provides input to the safety classification.

The expectations in principle FA.10, Need for PSA, and paragraphs 527 ÷ 529 are equivalent to the RD-337 provisions in Section 9.5, Probabilistic Safety Assessment. Para. 529 of the SAPs clarifies what can be considered as a disproportionate contribution to the overall risk: e.g. of the order of one tenth or greater. The term used in RD-337 is “dominant contribution” but no quantitative guidance is given on what could be considered as dominant contribution to the frequency of severe accidents.

Principles FA.11 ÷ FA.13 and related guidance (para.530 ÷ 540) provide the expectations for the PSA. Relevant requirements are in the CNSC regulatory standard S-294, Probabilistic Safety Assessment (PSA) for Nuclear Power Plants, Section 5.0, PSA Requirements.

S-294 does not explicitly require that all significant sources of radioactivity and all relevant initiating faults identified at the facility or site be covered in the PSA (see FA.12). "Adequate representation of the site" in the PSA is not explicitly addressed in S-294. Also, the detailed requirements in para. 532 ÷ 538 are not covered by the provisions of RD-337 and S-294.

The expectations in principle FA.14, Use of PSA, and paragraphs 541 and 542 are equivalent to the RD-337 provisions in Sections 5.2, Design Management, and 9.5, Probabilistic Safety Assessment.

Principles FA.15 and FA.16 include expectations for severe accident analysis and its use. Equivalent requirements are provided in RD-337 Sections 4.2.3, Safety Analyses, and 7.3.4, Beyond Design Basis Accidents, and RD-310 Sections 5.3.3, Beyond Design Basis Accidents, and 5.4.4, Analysis Assumptions.

RD-337 and RD-310 do not explicitly require a “demonstration that there is no sudden escalation of consequences just beyond the design basis” (“cliff-edge” effect). Situations where severe accident uncertainties are judged to have a significant effect on the assessed risk are also not explicitly addressed in RD-337 and RD-310.

Principles FA.17 and FA.18 and para. 551 ÷ 557 refer to the methods for the transient, radiological and other analyses that may be used throughout the fault analysis. Relevant requirements are provided in RD-310 Sections 5.4.2, Analysis Method, 5.4.3, Analysis Data, 5.4.5, Computer Codes, 5.4.6, Conservatism in Analysis, and 5.7, Quality of Safety Analysis.

The aspects in para. 552 ÷ 556 of the SAPs with regard to computer codes validation and the performance of independent checks and in para. 557 with regard to radiological consequence analysis are not fully and explicitly covered by the provisions of RD-337 and RD-310.

Requirements equivalent to the expectations in principle FA.19, Use of data, are provided in RD-310 Section 5.4.3, Analysis Data.


Requirements equivalent to the expectations in principle FA.20, Computer models, are provided in RD-310 Sections 5.4.5, Computer Codes, and 5.7, Quality of Safety Analysis.

Principle FA.22 refers to sensitivity studies. Sensitivity studies are required by both RD-310 and S-294 but no detailed expectations are provided. RD-337 does not address sensitivity studies.

Requirements equivalent to the expectations in principles FA.23 and FA.24 on analysis update and review and data collection for this purpose, are provided in RD-310 Section 5.6, Safety Analysis Review and Update.

5.2.4 Review of the Numerical Targets and Legal Limits

Paragraphs 568 ÷ 578 of the SAPs explain the framework and philosophy behind the numerical targets and legal limits used in the UK. It should be noted that the SAPs use banded criteria: in addition to Basic Safety Levels (BSLs, which correspond to the "limits" used in other jurisdictions), the SAPs provide for Basic Safety Objectives (BSOs).

RD-337 does not go into details about the basis for the choice of dose acceptance criteria and safety goals. In the case of the UK SAPs, a detailed explanation is provided in a separate note8.

Principle NT.1, Assessment against targets, requires safety assessment against numerical targets not only for the members of the public but also for the people on site. The dose acceptance criteria in RD-337 are set “for average members of the critical groups who are most at risk, at or beyond the site boundary” – i.e. for members of the public. RD-337 does not include dose acceptance criteria for workers on-site.

The maximum dose limit for nuclear energy workers in Canada is 50 mSv in any single year, but not more than 100 mSv in 5 years, i.e. the average annual dose limit is 20 mSv, consistent with the ICRP recommendations, while in all the countries of the European Union, including the UK, the annual limit is 20 mSv (SAPs Target 1).

No evidence could be found in the Canadian documents reviewed (RD-337, RD-310, SOR/2000-203) of average effective dose limits for defined groups of employees (SAPs Target 2).

The limit for effective dose in a calendar year for any person off the site from sources of ionising radiation originating on the site is the same in UK and Canada (SAPs Target 3).

Paragraph 590 of the SAPs mentions the dose constraints that should be applied in the case of multiple sites in close proximity. No such provision could be found in the Canadian documents reviewed (RD-337, RD-310, SOR/2000-203).

RD-337 specifies a dose acceptance criterion of 0.5 mSv (calculated for 30 days) for any anticipated operational occurrence (AOO). In accordance with RD-310, AOOs include all events with frequencies of occurrence equal to or greater than 10⁻² per reactor year. For initiating events with frequencies greater than 10⁻² per reactor year, the BSL in the SAPs is 1 mSv.

8 http://www.hse.gov.uk/nuclear/saps/explanation.pdf


For events with estimated frequencies greater than 10⁻³ per reactor year but lower than 10⁻² per reactor year, the dose acceptance criterion in RD-337 is 20 mSv, while the BSL in the UK SAPs is 1 mSv. For this frequency interval, the dose criteria in the SAPs are more demanding than those in RD-337.

For events with estimated frequencies greater than 10⁻⁴ per reactor year but lower than 10⁻³ per reactor year, the dose acceptance criterion in RD-337 is 20 mSv, while the BSL in the UK SAPs is 10 mSv. For this frequency interval, the dose criteria in the SAPs are more demanding than those in RD-337.

For events with estimated frequencies greater than 10⁻⁵ per reactor year but lower than 10⁻⁴ per reactor year, the dose acceptance criterion in RD-337 is 20 mSv, while the BSL in the UK SAPs is 100 mSv. For this frequency interval, the dose criteria in RD-337 are more demanding than those in the SAPs.

Events with a frequency lower than 10⁻⁵ per reactor year are considered BDBAs according to RD-310.

Paragraph 514 of the SAPs allows for the exclusion from the design basis analysis of initiating events with a frequency lower than 10⁻⁵ per reactor year.

It should be noted that the classification of events in RD-310 Section 5.2.3 is based on event frequency (unless explicitly stated otherwise, this should imply that it covers sequences of events and combinations of events, not only initiating events), while SAPs Target 4 refers to the frequencies of the initiating events. The latter appears to be a more conservative approach, i.e. setting the dose acceptance criterion as a function of the frequency of the initiating event, regardless of the (lower) frequency of the event sequence once potential additional failures are taken into account.

The conservative assumptions for analysis outlined in paragraph 601 of the SAPs are not covered by RD-337.

CNSC documents do not include safety goals explicitly related to the risk of death (SAPs Targets 5 and 7). Only surrogate risk metrics are provided in RD-337 Section 4.2.2 Safety Goals, while the requirements on risk to individuals and to society are expressed as qualitative goals.

The dose-frequency targets in SAPs Targets 6 and 8 are expressed in terms of maximum allowed cumulative annual frequency for all events that could lead to a dose in a certain interval. The dose acceptance criteria in Section 4.2.1 of RD-337 are set for individual events (not for groups of events). In addition, the SAPs include targets for persons on site, while the dose acceptance criteria in RD-337 are set for members of the public.

CNSC documents do not include quantitative safety goals for the societal risk (Target 9). These are expressed only in a qualitative manner (RD-337 Section 4.2.2).

Principle NT.2 and paragraphs 629 ÷ 638 of the SAPs deal with “time at risk” situations (a higher risk will exist for shorter periods of time that make the use of annualised frequency targets unrealistic) which are particularly relevant for the operational phase, but may be relevant also at the design stage, in the establishment of OLCs. RD-337 does not include provisions for dealing with “time at risk” situations.


5.2.5 Review of the Accident Management and Emergency Preparedness Principles

Principle AM.1 and related guidance (para.639 ÷ 645) provide expectations equivalent to those in RD-337 Sections 4.2.4, Accident Mitigation and Management, 7.3.4, Beyond Design Basis Accidents, 7.9.3, Post-accident Instrumentation, 9.2, Analysis Objectives, 9.5 Probabilistic Safety Assessment.

5.3 Summary of findings

5.3.1 Differences in dose criteria and safety goals and in the expectations for safety assessment

Safety goals and risk criteria

The UK SAPs include numerical targets related to the risk of death to an individual. CNSC documents do not include safety goals explicitly related to the risk of death. Only surrogate risk metrics (Core Damage Frequency, Small Release Frequency, Large Release Frequency) are provided in RD-337 Section 4.2.2 Safety Goals, while the requirements on risk to individuals and to society are expressed as qualitative goals. The UK SAPs also include quantitative criteria for the societal risk (Target 9). CNSC documents do not include quantitative safety goals for the societal risk, these being expressed only in a qualitative manner (RD-337 Section 4.2.2).

Criteria for normal operation

The maximum dose limit for nuclear energy workers in Canada is 50 mSv in any single year, but not more than 100 mSv in 5 years, i.e. the average annual dose limit is 20 mSv, consistent with the ICRP recommendations, while in all the countries of the European Union, including the UK, the annual limit is 20 mSv (SAPs Target 1). No evidence could be found in the Canadian documents reviewed (RD-337, RD-310, SOR/2000-203 [10]) of average effective dose limits for defined groups of employees (see Target 2 of the SAPs).

Paragraph 590 of the SAPs mentions the dose constraints that should be applied in the case of multiple sites in close proximity. No such provision could be found in the Canadian documents reviewed (RD-337, RD-310, SOR/2000-203).

Criteria for accident analysis

The SAPs require assessment against numerical targets not only for the members of the public but also for the people on site. The dose acceptance criteria in RD-337 are set “for average members of the critical groups who are most at risk, at or beyond the site boundary” – i.e. for members of the public. RD-337 does not include dose acceptance criteria for workers on-site.

RD-337 specifies a dose acceptance criterion of 0.5 mSv (calculated for 30 days) for any anticipated operational occurrence (AOO). In accordance with RD-310, AOOs include all events with frequencies of occurrence equal to or greater than 10⁻² per reactor year. For initiating events with frequencies greater than 10⁻² per reactor year, the BSL in the SAPs is 1 mSv.


For events with estimated frequencies greater than 10⁻³ per reactor year but lower than 10⁻² per reactor year, the dose acceptance criterion in RD-337 is 20 mSv, while the BSL in the UK SAPs is 1 mSv. For this frequency interval, the dose criteria in the SAPs are more demanding than those in RD-337.

For events with estimated frequencies greater than 10⁻⁴ per reactor year but lower than 10⁻³ per reactor year, the dose acceptance criterion in RD-337 is 20 mSv, while the BSL in the UK SAPs is 10 mSv. For this frequency interval, the dose criteria in the SAPs are more demanding than those in RD-337.

For events with estimated frequencies greater than 10⁻⁵ per reactor year but lower than 10⁻⁴ per reactor year, the dose acceptance criterion in RD-337 is 20 mSv, while the BSL in the UK SAPs is 100 mSv. For this frequency interval, the dose criteria in RD-337 are more demanding than those in the SAPs.

Events with a frequency lower than 10⁻⁵ per reactor year are considered BDBAs according to RD-310. Paragraph 514 of the SAPs allows for the exclusion from the design basis analysis of initiating events with a frequency lower than 10⁻⁵ per reactor year.

It should be noted that the classification of events in RD-310 Section 5.2.3 is based on event frequency (unless explicitly stated otherwise, this should imply that it covers sequences of events and combinations of events, not only initiating events), while the SAPs (Target 4) refer to the frequencies of the initiating events. The latter appears to be a more conservative approach, i.e. setting the dose acceptance criterion as a function of the frequency of the initiating event, regardless of the (lower) frequency of the event sequence once potential additional failures are taken into account.
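As an added illustration of the classification difference discussed above and in Section 5.2.4 (this is example code written for this comparison; it is not taken from the ENCO report, RD-310, RD-337 or the SAPs), the functions below class a single fault sequence in the way RD-310 is read in the text (by the frequency of the event sequence) and in the way SAPs Target 4 is read (by the frequency of the initiating event), and return the dose criterion each approach would apply. The dose values are the ones quoted in this report. The handling of frequencies that fall exactly on a band edge, the treatment of BDBAs and of SAPs-excluded initiating events as carrying no dose criterion in this comparison, and the sample sequence (an initiating event at 5E-3 per reactor year combined with an additional failure of conditional probability 1E-2 or 1E-4) are assumptions made for the illustration only.

```python
"""Illustration (not from the report): one fault sequence, two classification bases.

RD-310, as read in the report text, classes an event by the frequency of the
event sequence; SAPs Target 4 bands the BSL by the frequency of the initiating
event.  Dose values are those quoted in the report.  Treating a frequency that
falls exactly on a band edge as belonging to the band above it is an assumption
made here.
"""

AOO, DBA, BDBA = "AOO", "DBA", "BDBA"


def rd310_class(sequence_frequency):
    """Event class per RD-310 Section 5.2.3 as summarised in the report:
    >= 1E-2 per reactor year -> AOO, < 1E-5 -> BDBA, otherwise DBA."""
    if sequence_frequency >= 1e-2:
        return AOO
    if sequence_frequency < 1e-5:
        return BDBA
    return DBA


def rd337_criterion_msv(sequence_frequency):
    """RD-337 public dose acceptance criterion in mSv for the class the
    sequence falls into (0.5 mSv for AOOs, 20 mSv for DBAs, as quoted in the
    report).  BDBAs are given no dose criterion in this comparison (assumption),
    so None is returned for them."""
    return {AOO: 0.5, DBA: 20.0, BDBA: None}[rd310_class(sequence_frequency)]


def saps_bsl_msv(initiating_event_frequency):
    """SAPs Target 4 BSL in mSv, banded by INITIATING event frequency, using the
    values quoted in the report: 1 mSv above 1E-3 (the report quotes 1 mSv both
    above 1E-2 and between 1E-3 and 1E-2), 10 mSv between 1E-4 and 1E-3, 100 mSv
    between 1E-5 and 1E-4.  Initiating events below 1E-5 per year may be excluded
    from design basis analysis (SAPs para. 514), so None is returned."""
    f = initiating_event_frequency
    if f >= 1e-3:
        return 1.0
    if f >= 1e-4:
        return 10.0
    if f >= 1e-5:
        return 100.0
    return None


def compare(initiating_event_frequency, conditional_failure_probability):
    """Class a sequence consisting of an initiating event AND one additional
    failure (e.g. a safety system failing on demand).

    The sequence frequency is the initiating event frequency multiplied by the
    conditional probability of the additional failure (single-branch event-tree
    arithmetic).  Returns the class and the criterion each regime applies."""
    seq = initiating_event_frequency * conditional_failure_probability
    return {
        "sequence_frequency": seq,
        "rd310_class": rd310_class(seq),
        "rd337_criterion_msv": rd337_criterion_msv(seq),
        "saps_bsl_msv": saps_bsl_msv(initiating_event_frequency),
    }


if __name__ == "__main__":
    # Constructed sample values (assumed): an initiating event at 5E-3 per
    # reactor year, with an additional failure at conditional probability
    # 1E-2 and then 1E-4.
    for p_fail in (1e-2, 1e-4):
        r = compare(5e-3, p_fail)
        print(f"IE 5E-3/yr, additional failure p={p_fail:g}: "
              f"sequence {r['sequence_frequency']:.1e}/yr, "
              f"RD-310 class {r['rd310_class']} -> RD-337 criterion "
              f"{r['rd337_criterion_msv']} mSv; "
              f"SAPs Target 4 BSL {r['saps_bsl_msv']} mSv")
```

With the additional failure at 1E-2 the sequence frequency is 5E-5 per reactor year, which RD-310 classes as a DBA (20 mSv under RD-337) while the SAPs band by the initiating event gives a BSL of 1 mSv. With the additional failure at 1E-4 the sequence frequency falls to 5E-7, so by sequence frequency it drops out of the DBA envelope altogether, whereas the SAPs BSL of 1 mSv still applies because the band is set by the initiating event; that is the sense in which the report describes the SAPs approach as more conservative.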

The conservative assumptions for analysis outlined in paragraph 601 of the SAPs are not covered by RD-337 or RD-310.

The dose-frequency targets in SAPs Targets 6 and 8 are expressed in terms of maximum allowed cumulative annual frequency for all events that could lead to a dose in a certain interval. The dose acceptance criteria in Section 4.2.1 of RD-337 are set for individual events (not for groups of events).

RD-337 does not provide details about the basis for the choice of dose acceptance criteria and safety goals. In the case of the UK SAPs, a detailed explanation is provided in a separate note: http://www.hse.gov.uk/nuclear/saps/explanation.pdf.

Safety Assessment

Differences between the expectations and requirements on safety assessment in the UK SAPs and RD-337 have the potential of leading to design differences (however, the design differences cannot be directly inferred from the safety assessment expectations). A summary of the most notable differences in the area of safety assessment is provided below:

- The UK SAPs include more detailed expectations on the reliability analysis (and on the quality of the data input and on the assumptions made) than RD-337.

- RD-337 does not provide information on the criteria for screening of the hazards. Paragraph 212 of the SAPs includes such criteria, including one related to the frequency of a hazard: "Any generic type of hazard with a total frequency that is demonstrably below once in ten million years (1E-7/year) may be excluded." The RD-337 requirements on hazard analysis focus on the objectives and documentation of the hazard analysis, while the SAPs focus on the input data and assumptions for hazard analysis (e.g. EHA.2 – EHA.6).

- RD-337 does not include requirements on the estimation of the frequency of accidental aircraft crashes.

- Electromagnetic interference is not addressed in the requirements for hazard analysis in RD-337.

- RD-337 does not explicitly require a fire hazard analysis.

- The adequacy of safety systems initiating variables (addressed in the SAPs by principles ESS.4 – ESS.6, paragraphs 339 – 341) is not explicitly addressed in RD-337, except for the reactor trip parameters.

- The SAPs include quantitative criteria for screening out some initiating events based on their potential for having only minor radiological consequences: “Faults lacking the potential to lead to doses of 0.1 mSv to workers, or 0.01 mSv to a hypothetical person outside the site, are regarded as part of normal operation and may be excluded from the fault analysis.” This means that all events having the potential to lead to doses in excess of 0.1 mSv to workers, or 0.01 mSv to a hypothetical person outside the site have to be included in the fault analysis. The PIEs to be analysed according to RD-337 and RD-310 are selected based on their frequency of occurrence (events leading to AOOs, DBAs, etc.) and then dose acceptance criteria are established. It is not clear what is the criterion used by CNSC for screening out events that can have minor radiological consequences / that do not pose “significant radiological risk”.

- The SAPs allow for the exclusion from the analysis of natural hazards with a predicted frequency of being exceeded of less than 1E-4/year (while the cut-off frequency for internal initiating events is 1E-5/year). RD-310 and RD-337 do not specify a particular cut-off frequency for external hazards.

- RD-337 and RD-310 do not explicitly require for a clear relation between the fault sequences used in DBA and severe accident analysis, and the fault sequence development of the PSA (see para. 506 of the SAPs).

- RD-337 and RD-310 do not cover the grouping of events for the purpose of safety assessment (e.g. the requirements on event grouping provided in para. 520 of the SAPs are not explicitly addressed in RD-337 and RD-310).

- Para. 529 of the SAPs clarifies what can be considered as a disproportionate contribution to the overall risk: e.g. of the order of one tenth or greater. The term used in RD-337 is “dominant contribution” but no quantitative guidance is given on what could be considered as dominant contribution to the frequency of severe accidents.

- RD-337 requires that all sources of exposure are identified (Section 4.2.3) but does not provide details on the expectations for the calculation of the doses (see para. 508-509 of the SAPs).

- Neither RD-337 nor S-294 explicitly requires that all significant sources of radioactivity and all relevant initiating faults identified at the facility or site be covered in the PSA (see principle FA.12 of the SAPs).

- Cliff-edge effects addressed in principle EHA.7 of the SAPs, are not addressed in RD-337. RD-337 and RD-310 do not explicitly require a “demonstration that there is no sudden escalation of consequences just beyond the design basis” (“cliff-edge” effect).


- Situations where severe accident uncertainties are judged to have a significant effect on the assessed risk are not explicitly addressed in RD-337 and RD-310 (see para. 548 of the SAPs).

- Sensitivity studies (see principle FA.22) are required by both RD-310 and S-294 but no detailed expectations are provided. (RD-337 does not address sensitivity studies).

5.3.2 Differences in design expectations

Safety classification of SSCs

Principles ECS.1, Safety categorisation, and ECS.2, Safety classification of structures, systems and components, and the related guidance (para. 148 ÷ 156) provide expectations equivalent in principle with those in RD-337 Section 7.1, Classification of SSCs. However, the SAPs present a methodology for the safety classification of SSCs (the key principle EKP.4, Safety Function, and the related guidance in para. 145) which involves a prior categorisation of the safety functions to be delivered. In Section 6.2, Safety Functions, RD-337 specifies the fundamental safety functions and requires identification of the SSCs contributing to the safety functions, while the SAPs require first the identification of the safety functions through a structured analysis of normal operation and fault analysis, and then the identification of the safety measures. The above differences in the methodology applied for the safety classification of SSCs (i.e. the categorisation of the safety functions required by the UK SAPs) may lead to differences in the design requirements applied to the safety-related SSCs, but such differences can only be assessed on a case-by-case basis, for any given design.

Design of SSCs important to safety

- Regarding pressure-retaining SSCs, the SAPs include detailed requirements on removable closures to pressurised components or systems, flow limiting devices and pressure relief systems, which are not explicitly addressed by RD-337. RD-337 addresses only general requirements for the design of pressure-retaining SSCs, without going into details about specific systems and components.

- RD-337 does not include specific requirements for the integrity of metal components and structures, while the SAPs have a comprehensive section on this topic. RD-337 includes only high level integrity related expectations, e.g. in para. 2 (safety margins) and 3 (detection of flaws) of Section. 7.7.

- RD-337 does not address in detail the arguments required to substantiate the reliability claims for civil structures important to safety (in the SAPs these are addressed in principle ECE.2 and paragraphs 282 – 285). Structural analysis and model testing is addressed in the SAPs (principles ECE.12 – ECE.15, paragraphs 292 – 296) in detail, while RD-337 only requires structural analyses for all civil structures important to safety.

- RD-337 does not explicitly require the identification of all human actions that can impact on safety or the systematic identification of administrative controls used to remain within the safe operating envelope. Also, RD-337 does not explicitly require that dependence on human action to maintain a safe state should be minimised. RD-337 does not explicitly address task analysis and all the elements required in the SAPs in principle EHF.5 and paragraphs 379 – 382. Human reliability analysis is not explicitly required in RD-337.


- The minimum time specified by RD-337 before operator action from the MCR is required is 15 minutes, while the SAPs specify a time period of 30 minutes. This difference in requirements has an impact on design provisions. This impact can only be assessed on a case-by-case basis, for each design submitted for regulatory review.

- RD-337 does not include provisions on the prohibition of self-resetting actions and alarms (principle ESS.14 in the SAPs).

- RD-337 does not include a general requirement for the safe state following a safety system action not to depend on an external source of energy, where practicable (a requirement equivalent to principle ESS.16 from the SAPs).

- RD-337 does not include requirements on safety system design to avoid complexity and to incorporate means of revealing internal faults from the time of their occurrence, such as the expectations in principle ESS.21, Reliability. Only the fail-safe approach is addressed in RD-337 requirements.

- RD-337 does not include requirements on prevention of spurious operation of safety systems at a frequency that might directly or indirectly degrade safety, such as the expectations in principles ESS.22 and ESR.10, except in the context of Section 7.6.5 Shared Systems.

- RD-337 does not explicitly address the “minimum control and instrumentation for which facility operation may be permitted”. Also, RD-337 requirements for adequacy of the instrumentation do not address all the factors enumerated in principle ESR.2 of the UK SAPs (i.e. reliability, accuracy, stability, response time, range and readability). RD-337 does not explicitly address power supplies for safety-related control and instrumentation systems.

- RD-337 does not include a requirement for the communication systems not to have adverse effects on safety systems or safety-related systems. (Also, as already mentioned above, electromagnetic interference is not addressed in the requirements for hazard analysis in RD-337).

- RD-337 does not address protection requirements for essential service components or systems (as in EES.7). Also RD-337 does not address the situation in which a source external to the nuclear site is employed as the only source of the essential services (as in EES.8).

- RD-337 does not include a requirement for the containment design to minimise the size of service penetrations. Also, RD-337 does not include a requirement on the containment design to provide discharge routes, including pressure relief systems, with treatment system(s) to minimise radioactive releases to acceptable levels.

- RD-337 does not require that the need for access by personnel to the containment be minimised, and does not stipulate that access to the containment should not be necessary to ensure the safety of the facility in either the short or long term following an accident.

- The provisions in the UK SAPs with regard to ventilation systems are more comprehensive / detailed than the equivalent requirements in RD-337.

- RD-337 does not include an explicit requirement for the core not to undergo sudden changes of condition when operating parameters go outside their specified range (see the requirements in principle ERC.3 and paragraph 446 of the SAPs). RD-337 does not explicitly require that limits be set for the maximum degree of positive reactivity (see paragraph 451 of the SAPs). Other provisions in the SAPs not covered by the requirements in RD-337 include those of paragraphs 449, 453, 454 and 455. RD-337 does not include an explicit requirement for the design to allow fuel to be removed from the reactor, despite any environmentally induced damage such as bowing, swelling or other damage occurring in normal operation and in design basis fault conditions.

For some of the above topics, e.g. civil structures, CNSC adopted a different philosophy in regard to engineering requirements. Where engineering codes and standards exist, the adopted approach was not to expand on these requirements in RD-337, so as to avoid duplication and possible contradictions.

5.4 Lessons Learnt in the UK Generic Design Assessment Process

In their contributions to the Government’s Energy Review, the HSE Nuclear Directorate (now the Office for Nuclear Regulation, ONR; see footnote 9) and Environment Agency set out proposals to assess new nuclear reactor designs, in advance of any site-specific proposals to build a nuclear power station. The process became known as Generic Design Assessment (GDA).

GDA has a number of key benefits:

• It allows the regulators to get involved with designers at the earliest stage, where they have most influence.

• It is a step-wise process, with the assessments getting increasingly detailed. This allows the regulators to identify issues early in the process and reduce the financial and regulatory risks for potential operators.

• It separates design issues from specific site related issues, improving the overall efficiency of the regulatory process.

• It is open and transparent. The public can view detailed design information on the web and comment on it. The regulators also give regular feedback on how the assessments are progressing and publish reports at the end of key stages.

At the end of the GDA process, the Regulators will decide if the proposed designs are acceptable for build in the UK.

When concerns exist that a particular feature of the design might not meet UK regulatory standards, and those concerns are sufficiently important that they may, if not addressed, prevent the successful completion of GDA, Regulatory Issues (RIs) are raised.

So far, four Regulatory Issues have been raised, two for the EPR design and two for the AP1000. Of these, one for each design was raised in 2008 (footnote 10) and concerned the lack of sufficient information in the applications to allow the assessment. Up to the present, three RIs have been addressed (closed).

9 The Office for Nuclear Regulation (ONR) was established on 1 April 2011. ONR has been set up as an agency of the Health and Safety Executive (HSE), pending planned legislation to establish it as a statutory body. It will bring together the relevant nuclear regulatory functions of HSE (through its former Nuclear Directorate (ND)) and the Department for Transport.

10 Regulatory Issues were also raised against GE-Hitachi and AECL in February 2008, both relating to a lack of information, and both of which were subsequently closed. AECL withdrew from the GDA process in April 2008 and GE-Hitachi temporarily suspended its participation in the process in September 2008.

EPR RI

The NII raised a Regulatory Issue on the UK EPR control and instrumentation architecture.

The NII judged that the C&I architecture appeared overly complex. This judgement was based on a number of concerns:

• The reliance on two computer-based systems (originally developed by the same company) and a high degree of connectivity between these two systems,

• Independence between the safety (Class 1) and the larger number of safety related systems (Class 2/3) appeared to be significantly compromised due to the high level of interconnectivity between systems of different safety classification,

• EDF/Areva’s proposal which allowed lower safety class systems to have write access (permissives, etc.) to higher safety class systems (i.e. the usual UK practice of only allowing one way online communication from a safety system to systems of a lower safety class was not applied in the UK EPR design).

Other concerns included the absence of a safety Class 1 display system (which is included in the Olkiluoto 3 (OL3) and US EPR designs), the absence of Class 1 manual controls or indications in either the Main Control Room or the Remote Shutdown Station, and EPR function category/equipment class assignments that did not appear to align with UK expectations as defined in BS IEC 61226.

In addition, EDF/Areva has submitted its C&I PSA sensitivity study. HSE ND believed the baseline values used for C&I systems (i.e. 10^-5 pfd (probability of failure on demand) for the Teleperm XS Protection System (PS) and 10^-4 pfd for the Siemens SPPA-T2000 platform, which provides backup reactor protection) would prove very difficult if not impossible to substantiate. The claim on the PS was beyond the normal limit for reliability claims (i.e. 10^-4 pfd) as stated in nuclear sector standards and guidance (IAEA NS-G-1.1, IEC 61226:2005, HSE T/TAST/046 and paragraph 172 of the SAPs), including that of ASN’s safety advisory group (“Technical guidelines for the design and construction of the next generation of nuclear pressurized water plant units", see Section 6 of this report). The claim for the Siemens SPPA-T2000, a Class 2/3 platform, was at the 10^-4 pfd limit for Class 1 systems. The sensitivity study had shown that there is unlikely to be any margin for reducing the claimed C&I system reliabilities to more credible values without significantly increasing EDF/Areva’s risk estimates to levels close to or in excess of the Basic Safety Levels.

By way of comparison, the claim on the Sizewell B computerised Primary Protection System (PPS) when standing alone was 10^-4 pfd, and for the most frequent faults the claim for the combination of the PPS and the hardware (laddic) based Class 1 Secondary Protection System was 10^-7 pfd.

EDF/Areva attempted to claim two orders of magnitude better reliability for the combination of two computer-based systems (i.e. 10^-9 pfd), one of which (the Siemens SPPA-T2000 platform) was not developed to nuclear sector protection system standards such as IEC 60880 or IEC 60987.
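The reliability argument above, worked through as an added example (it is not taken from the ENCO report or from the GDA documentation): the script uses the pfd values the report quotes and shows that the 10^-9 combined claim holds only if the two platforms are assumed to fail fully independently. The beta-factor common-cause failure model and the beta values tried are assumptions introduced here for illustration; the report itself only states the claimed values, the normal 10^-4 pfd limit for a single system, and that CCF considerations call for diversity and segregation.

```python
import math

# Values quoted in the report for the UK EPR C&I PSA sensitivity study
PFD_TELEPERM_XS = 1e-5      # claimed for the Class 1 Protection System (PS)
PFD_SPPA_T2000 = 1e-4       # claimed for the Class 2/3 backup platform
SINGLE_SYSTEM_LIMIT = 1e-4  # normal limit for a reliability claim on one system
CLAIMED_COMBINED = 1e-9     # EDF/Areva's claim for the two systems together


def claim_within_normal_limit(pfd, limit=SINGLE_SYSTEM_LIMIT):
    """True if a single-system claim does not exceed the normal limit.
    A smaller pfd is a stronger claim, so 'within' means pfd >= limit."""
    return pfd >= limit


def combined_pfd_independent(pfd_a, pfd_b):
    """Both systems must fail on the same demand; assumes full independence."""
    return pfd_a * pfd_b


def combined_pfd_with_ccf(pfd_a, pfd_b, beta):
    """Beta-factor model (an assumption for this example, not from the report).

    A fraction `beta` of each system's failures is attributed to a common
    cause that defeats both systems at once; only the remaining (1 - beta)
    fraction of each is treated as independent. The common-cause term is
    taken as beta times the pfd of the weaker system.
    """
    independent = (1 - beta) * pfd_a * (1 - beta) * pfd_b
    common_cause = beta * max(pfd_a, pfd_b)
    return independent + common_cause


def orders_of_magnitude_shortfall(claimed, credible):
    """Decades by which the claimed combined pfd is more optimistic than the
    credible figure (positive means the claim is too strong)."""
    return math.log10(credible / claimed)


def assess_epr_claim(beta_values=(0.1, 0.01, 0.001)):
    """Tabulate combined pfd and shortfall for a range of assumed CCF fractions.
    Returns {beta: (combined_pfd, decades_of_shortfall)}."""
    rows = {}
    for beta in beta_values:
        pfd = combined_pfd_with_ccf(PFD_TELEPERM_XS, PFD_SPPA_T2000, beta)
        rows[beta] = (pfd, orders_of_magnitude_shortfall(CLAIMED_COMBINED, pfd))
    return rows


if __name__ == "__main__":
    print(f"PS claim {PFD_TELEPERM_XS:.0e} within normal limit: "
          f"{claim_within_normal_limit(PFD_TELEPERM_XS)}")
    print(f"Independent combination: "
          f"{combined_pfd_independent(PFD_TELEPERM_XS, PFD_SPPA_T2000):.1e}")
    for beta, (pfd, decades) in assess_epr_claim().items():
        print(f"beta={beta:<6} combined pfd={pfd:.2e}  "
              f"claim optimistic by {decades:.1f} decades")
```

Even a CCF fraction of one in a thousand leaves the combination two decades short of the claimed value, which is why the regulator's position rested on diversity and segregation (a hardware backup and a non-computer-based safety system) rather than on tighter numbers for the same two software platforms.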

The HSE had previously advised EDF/Areva that the provision of a hardware backup protection system (as employed in OL3) might be a possible way forward on some of the topics identified in this RI. The provision of a hardware backup system on OL3 and of a Class 1 display system (OL3 and US EPR) suggested that the implementation of such systems is reasonably practicable and necessary for a plant designed to meet modern international safety standards.

A number of the SAPs on which this RI was based include expectations that are different from or not fully addressed in RD-337 requirements:

ECS.1 – Safety categorisation

ECS.2 – Safety classification of systems, structures and components

ECS.3 – Standards

Paragraphs 172 to 174, discussing CCF claims and values that are considered reasonable by NII, and stating that where required reliabilities cannot be achieved due to CCF considerations, the required safety function should be achieved taking account of the concepts of diversity and segregation, and by providing at least two independent safety measures.

ESS.21 – Reliability, stating that the design of a safety system should avoid complexity.

EDF and AREVA have addressed satisfactorily the above mentioned concerns by proposing design changes to the C&I for the UK EPR:

1. All networked communications will be one-way, from the Class 1 systems to lower Class 2 and 3 systems. The implementation will be through the isolation provided by one-way diodes. The permissive signals that were to be implemented through the lower Class systems will now be implemented using Class 1 Safety Information and Control System (SICS) equipment including a Qualified Display System.

2. There will be a Class 1 SICS operational in the Main Control Room and a similar panel in the Remote Shutdown Station. The SICS will include simple hard-wired technology and will be fully operational for alarms and displays at all times. Actuation signals from the SICS will be switched on if the Class 3 Plant Information and Control System fails.

3. Class 2 systems, rather than Class 3, will now provide the important station control systems. This will be achieved by reallocating functions to fully comply with IEC 61226:2009 and upgrading the Reactor Control and Surveillance Limitation system to Class 2.

4. Probabilistic claims on each of the main C&I platforms will have lower limits than in the original design for the UK. The shortfall in overall reliability of the safety systems will be made up by the introduction of a Non-Computer-Based Safety System (NCSS). The functions of the NCSS have been designed although details on the platform selection are still being evaluated by EDF and AREVA. However, they have given a commitment that the platform technology will be diverse to all hardware and software on the main Safety Systems.

AP1000 RI

The AP1000 uses a steel-concrete-steel sandwich technique for reactor building walls that should give it the strength required of a nuclear facility. However, building codes for the technique have never been established internationally, making it difficult for Westinghouse to define and justify the design of modules made in this way to UK and US safety authorities.

The HSE Nuclear Directorate (ND) found that the concrete filled steel structural modules (CA modules) are outside the scope of applicability of the substantive provisions of Westinghouse’s chosen design standard - American Concrete Institute (ACI) standard ACI 349-01. Westinghouse has neither fully defined nor adequately justified the design methodology or methodologies used for CA modules.

HSE’s Safety Assessment Principle ECS.5 addresses the eventuality that there is no applicable or relevant design code or standard for a nuclear safety related component:

“In the absence of applicable or relevant codes and standards, the results of experience, tests, analysis, or a combination thereof, should be applied to demonstrate that the item will perform its safety function(s) to a level commensurate with its classification.”

At the same time HSE ND was aware that Westinghouse was actively considering major changes to the design methodology for the Shield Building, including the addition of through-going shear reinforcement, a change in plate material, and a change in plate thickness.

The HSE ND required:

• updating and resubmission of the design methodology document. The items highlighted in this action were the lack of conceptual connections, the absence of any revision in light of the subsequent evolution of the design, and the major design changes to the enhanced shield building,

• justification of the adequacy of the specified design methodology, following its formal resubmission. The item highlighted in this action was the lack of any established code or standard for this type of structure. Westinghouse therefore needed to demonstrate, by whatever combination of appropriate reference to relevant design guidance, analysis and structural testing appears necessary, that its design methodology, fabrication specification, installation and construction process provide equivalent reliability to that which would be achieved by an appropriate design standard,

• review of the implications of design changes to the steel-concrete composite (SC) part of the enhanced shield building, resulting from the US NRC assessment, and whether similar design changes were required for all the nuclear safety related SC structures within the AP1000.

Westinghouse has carried out a substantive amount of confirmatory analyses and calculations, additional substantiation reports and laboratory testing to demonstrate that the capacity of the composite structures will have sufficient margin above the design loads placed upon them.

The design methodology document for CA Modules was updated and resubmitted. It was also clarified that the enhanced shield building had a separate, although similar, design methodology which was detailed in the Enhanced Shield Building Design Report.

The actual structural elements have been sized using ACI 349-01, which is not fully applicable to this type of structure. However, Westinghouse has provided further justification by comparing the structure with other design codes which, although again not fully applicable, nevertheless give a spread of methodologies. These comparisons have shown that there is considerable margin in the structure’s capacity. Laboratory testing has also been carried out by Westinghouse in 2010 to increase confidence that the structure will perform as designed.

Westinghouse has confirmed that the Shield Building and the CA Modules are different structural types, albeit both are novel steel/concrete composites outside of the established design codes. Design changes made to the shield building, specifically the provision of transverse reinforcement (tie-bars), have brought this design into closer alignment with the claimed code ACI 349-01. Westinghouse has satisfied ONR concerns by committing to specifying reduced code limits to account for any shortfall in the applicability of the original code limits, and by demonstrating that there is still margin in the structure.

Principles ECS.3, Standards, ECS.4, Codes and standards, and ECS.5, Use of experience, tests or analysis, and the related guidance (para. 157 to 161) provide expectations equivalent in principle with those in RD-337 Sections 7.1, Classification of SSCs, 5.4, Proven Engineering Practices, and 7.6.5, Shared Systems.

Regardless of some differences in the wording, the provisions of RD-337 and the SAPs concerning standards and codes can be considered equivalent. However, the SAPs include provisions on the selection of the codes and standards (e.g. preferably nuclear specific, leading to a conservative design, etc.) and on the combination of different codes and standards for the same SSC. The selection of codes and standards and their compatibility are not addressed in the same detail in RD-337.

GDA Issues

A large number of other issues have been raised during the GDA process, some of them already closed, which resulted in design changes. Several examples of design changes resulting from GDA issues already closed are given in the following. For the outstanding ones, resolution plans have to be submitted by the applicants by autumn 2011. These issues are required to be addressed before the regulatory assessment can be closed and a decision made on whether to provide a Design Acceptance Confirmation (footnote 11). There is also a new GDA issue on both EDF/Areva and Westinghouse to address the lessons learnt from the Fukushima nuclear accident.

11 Westinghouse has recently signalled that its Resolution Plans will not have start dates assigned to them, and that it will not proceed to address any of the GDA Issues until it is able to secure funding for this work (in practice, the GDA for AP1000 is paused).

Both EDF/Areva and Westinghouse have proposed a number of important design changes to the reactor protection system on the UK EPR and AP1000 that will significantly improve the safety of the design. The design changes include:

EPR

• An increase in the automatic partial cooldown rate following a loss of coolant accident which has considerably increased the margin of safety for these faults,

• An improvement to the activity detectors for steam generator tube rupture faults,

• Addition, on one of the diverse reactor protection systems, of a high neutron flux trip signal, a high axial offset trip signal, a hot leg high pressure trip signal and a low Reactor Coolant Pump speed trip signal,

• Addition, on the diverse reactor protection system, of an automatic actuation signal for the emergency feedwater system based on low steam generator pressure.

AP1000

• An upgrading of a number of active systems to Class 2 safety standards, including the start-up feedwater system, the component cooling water system, the service water system and the diesel generators. For example, the two-train separation of the normal residual heat removal system has been increased, while the diverse actuation system has been upgraded from a 1-out-of-2 system to a dual 1-out-of-2 system with elements of a 2-out-of-3 architecture.

• Modification to improve protection against a steam generator tube rupture (SGTR) fault.

• Implementation of additional reactor trip signals.

• Modification to reduce the risk of spurious operation of valves leading to depressurisation of the primary circuit.

• Improvements in the design of the spent fuel pool.

Westinghouse has also agreed to make some important changes to the nuclear ventilation system as a result of interactions within GDA. This includes raising the height of the nuclear ventilation discharge stack to a level above the adjacent containment building, in line with UK expectations, and also the provision of passive high efficiency particulate air (HEPA) filtration to additional areas of the plant.

6. FRENCH-GERMAN TECHNICAL GUIDELINES BENCHMARK

6.1 Differences in Objective and Scope

The technical guidelines (TG) present the opinion of the French Groupe Permanent chargé des Réacteurs nucléaires (GPR) concerning the safety philosophy and approach as well as the general safety requirements to be applied for the design and construction of the next generation of nuclear power plants of the PWR (pressurized water reactor) type, assuming the construction of the first units of this generation would start at the beginning of the 21st century.

The TG are based on common work of the French Institut de Protection et de Sûreté Nucléaire (IPSN) and of the German Gesellschaft für Anlagen- und Reaktorsicherheit (GRS).

The final version of TG was validated by ASN’s advisory committee for reactors in October 2000, in consultation with German safety experts. In 2004, ASN approved the TG and made them official by sending a letter to the Chairman of EDF. Their status remains that of “guidelines” rather than of “regulation”, although some of the requirements in the TG have been included in legally binding documents such as the decree and the decision mentioned below.

The design requirements in Decree No. 2007-534 of 10 April 2007 Authorising the Creation of the “Flamanville 3” Basic Nuclear Installation (footnote 12) are based on the TG requirements; therefore no additional review against RD-337 is performed as part of the benchmarking project (also because the requirements in the Decree are even more specific and prescriptive than those of the TG).

The design requirements in Decision No. 2008-DC-0114 of 26 September 2008 by the French Nuclear Safety Authority Setting Forth Specific Requirements to Be Met by Électricité de France – Société anonyme (EDF-SA) at the Flamanville Nuclear Site Regarding the Design and Construction of the Flamanville-3 (INB No. 167) NPP and the Operation of Flamanville-1 (INB No. 108) and Flamanville-2 (INB No. 109) NPPs (footnote 13) are also based on the TG requirements. However, there are some differences between the requirements in the Decision and the corresponding requirements of the TG (e.g. regarding the design of the fuel pool cooling system: the TG require two identical independent trains, while the Decision requires, in addition, a third independent train characterised, in comparison to the main trains, by a diversification requirement for its cooling system and its cooling water). No additional review against RD-337 is performed as part of the benchmarking project, because the requirements in the Decision are largely based on the TG and are themselves very specific and prescriptive.

The requirements in the TG are significantly more detailed and prescriptive than the requirements in RD-337. Moreover, the requirements in the TG have been developed in parallel with the basic design of the EPR and incorporate lessons learned from the early regulatory reviews of the EPR, while the requirements in RD-337 are intended to be technology-neutral as regards water-cooled reactors.

12 http://www.french-nuclear-safety.fr/index.php/content/download/15570/100925/Decree-007-534.pdf

13 http://www.french-nuclear-safety.fr/index.php/content/download/15568/100919/Decision-2008-DC-0114UK.pdf

The findings of the detailed comparison of TG requirements with those of RD-337 are presented in the following and in Appendix 4.

6.2 Detailed Comparison of Design Requirements

The French-German Technical Guidelines express in Section A.1.1 the General Safety Objectives for new reactors in comparison to the reactors already in operation, rather than expressing them in a stand-alone manner as in RD-337 Sections 4.1.1 Radiation Protection Objective, 4.1.2 Technical Safety Objectives and 4.2.2 Safety Goals.

They require the “practical elimination” of certain severe accident sequences that represented or represent a concern for the reactors currently in operation (e.g. high pressure core melt ejection scenarios and direct containment heating in LWRs). This means that if such scenarios cannot be considered as physically impossible, design provisions should be made to prevent them from occurring. There are no similar provisions in RD-337.

The core damage frequency in the French-German Technical Guidelines is the same as in RD-337: less than 10^-5 per reactor year. This is the only safety goal expressed in a quantitative manner.

For accident situations without core melt, the French-German Technical Guidelines require that there shall be no necessity of protective measures for people living in the vicinity of the damaged plant (no evacuation, no sheltering).

The Canadian Guidelines for Intervention during a Nuclear Emergency [11] provide the following indications:

Regarding sheltering:

“The projected dose is the radiation dose which would be expected to occur if no protective actions were taken. The averted dose is the difference between the projected dose and the residual dose which would occur even if protective actions were taken. International agencies (International Commission on Radiological Protection (ICRP) 1993; International Atomic Energy Agency 1994, 1996) generally recommend basing criteria for protective actions on the averted dose as the best way to maximize the benefit of the protective actions. The use of averted dose gives decision makers latitude in balancing the benefits and risks of intervention. The estimation of averted dose, however, may be more complex and subject to greater uncertainties (e.g., due to uncertainties in the effectiveness of sheltering or stable iodine administration). The averted dose is most useful in emergency planning, but may not be practical in a response situation. There are a number of cases where the simple projected dose may be the more useful quantity:

• If the projected dose is approaching the Intervention Level for a certain protective action, this can serve as a trigger for the responsible authority to begin consideration of the action.

• If the contemplated action can avoid the entire projected dose (e.g. evacuation before release of radioactivity), then the averted dose is simply equal to the projected dose.

• In cases where uncertainties in averted dose might delay appropriate interventions, actions based simply on the projected dose will generally ensure that authorities act cautiously and that the public is adequately protected.”

“In the judgement of the IAEA (1994), sheltering is broadly justified and optimized if the dose averted is about 1.5 to 6 mSv/day, or 3 to 12 mSv over a maximum of two days. A value of 10 mSv in 2 days has been chosen by the IAEA to allow for the costs, risks and detriment associated with sheltering, irrespective of duration. However, if sheltering was expected to have a duration of only several hours, then it could be undertaken to avert a lower dose, provided that it could be justified.”

“Sheltering is recommended if the action will avert a dose of at least 5 mSv over a period of 1 day. This value is consistent with IAEA recommendations of 10 mSv in two days, but recognizes that the effectiveness of sheltering is significantly decreased after about 1 day. Furthermore, scenarios for which sheltering of more than 1 day would be effective would likely involve ground contamination with short-lived radionuclides, for which evacuation may be more appropriate. At a dose of 5 mSv, the lifetime fatal cancer risk for a member of the public is 1 in 4000 (based on the linear no-threshold hypothesis), or 1 in 2750 if non-fatal cancers and hereditary effects are included. A sheltering order to avert a dose significantly below 5 mSv is not clearly justified, since annual exposure to normal background radiation amounts to 2 to 3 mSv/year (NCRP 1987). However, consideration should be given to situations that may require a higher intervention level to targeted segments of the population, for example, to critical personnel in industry whose absence could result in security or safety issues.”

Regarding evacuation:

“The IAEA (1994) has judged that evacuation would be broadly justified and optimized if the dose averted by the evacuation exceeds 3-12 mSv/day. The length of time over which this is expressed must be long enough that any initial costs and risks are warranted. It must be long compared with the implementation time, but not so long that conversion to temporary relocation will have become more appropriate. An assumed period of one week results in a range of intervention levels from 20 to 80 mSv/week. A generic level of 50 mSv was selected by the IAEA. If evacuation was expected to last only a day or so, then a lower dose could be justified.”

“Based on the above considerations, evacuation is recommended if the action will avert a dose of at least 50 mSv over a period of up to 7 days. At a dose of 50 mSv, the lifetime fatal cancer risk for a member of the general public is about 1 in 400. If non-fatal cancers and hereditary injury are included, this risk increases to about 1 in 275 (ICRP 1991). During an emergency, decision makers may choose to evacuate at lower levels if it can be carried out quickly and easily, if only a small population is affected, or if it will be for a shorter length of time. Conversely, complications could arise if the weather conditions are adverse at the time when the evacuation is being considered. In such a case the dose criterion for evacuation can be raised significantly without reaching deterministic threshold, although the increased risk of stochastic effects needs to be balanced against the physical risk of the evacuation.”

Interpretation: For design basis accidents (traditionally considered as accidents without core melt) RD-337 specifies a dose acceptance criterion of 20 mSv, which refers to a projected dose calculated for 30 days. The doses in the Canadian Guidelines for Intervention during a Nuclear Emergency are averted doses. In accordance with these guidelines, sheltering would be justified if the averted dose is greater than 5 mSv over a period of 1 day, and evacuation is recommended if the action will avert a dose of at least 50 mSv over a period of up to 7 days. This implies that evacuation is not needed for design basis accidents but that, for those design basis accidents for which the projected dose is greater than 5 mSv over a period of 1 day, sheltering may be needed. Further investigation of this interpretation should be considered by the CNSC.

For accidents with core melt, the French-German Technical Guidelines do not provide any quantitative safety goal related to the limitation of large releases, they only require that:

- “Accident situations with core melt which would lead to large early releases have to be "practically eliminated"; if they cannot be considered as physically impossible, design provisions have to be taken to design them out”, and that

- “Low pressure core melt sequences have to be dealt with so that the associated maximum conceivable releases would necessitate only very limited protective measures in area and in time for the public. This would be expressed by no permanent relocation, no need for emergency evacuation outside the immediate vicinity of the plant, limited sheltering, no long term restrictions in consumption of food.”

Regarding relocation:

“The IAEA (1994) has recommended two separate intervention levels for relocation: one for introduction of the countermeasure for avertable doses of 10 to several tens of mSv in the first month, and one for cessation when the avertable dose drops below a few to a few tens of mSv per month. Generic values of 30 and 10 mSv/month have been selected for initiating and terminating temporary relocation, respectively. Two levels are specified because of the relatively higher detriment of initiating relocation compared to maintaining it. Values for the first month include transportation costs for leaving and returning, whereas values for subsequent months exclude these costs. If doses are not expected to fall below 10 mSv/month within a year or two, permanent resettlement should be considered (IAEA 1996). In selecting generic ILs for relocation, the IAEA has excluded factors of social disruption and reassurance, stating however that both could be important in the decision making process.”

“Relocation should be considered if the action will avert a dose of at least 50 mSv for a period of up to one year following the time of the assessment. The difference between the initiating criteria of 50 mSv/year recommended here and the 30 mSv/month recommended by the IAEA is more apparent than real. Because of rapid decay of short-lived radionuclides, a large fraction of an annual dose of 50 mSv would be delivered during the first month.”

Regarding long term restrictions in food consumption:

“The Intervention Level for food controls has been set at 1 mSv per year for each of three food groups (fresh milk, other commercial foods and beverages, and public drinking water). This is based on an intervention level of about 3 mSv per year for the total diet, apportioned equally amongst the three groups. The intervention level has been used to derive concentrations of specific radionuclides in foods that would lead to the 1 mSv dose per food group (Action Levels). These action levels form the basic food screening criteria following a nuclear emergency, and are consistent with the guidelines of the Codex Alimentarius Commission (Food and Agriculture Organization of the United Nations / World Health Organization 1995).

The hypothetical lifetime risk of fatal cancer and non-fatal effects associated with a dose of 1 mSv is about 7 in 100 000, based on the ICRP (1991) population-averaged risk coefficient. If the three food groups in the reference diet were each continuously contaminated at the action levels, the effective dose received from the commercial food and public water supply would be on the order of 3 mSv in the first year following the emergency, giving a lifetime risk of about 22 in 100 000. The annual effective dose from ingestion due to contamination in the years following an emergency is likely to be considerably less than that received in the first year, and would approach background levels within a few years following a major accident.”

Interpretation: In accordance with the French-German Technical Guidelines, for accidents involving core melt there should be no need for permanent relocation, no need for emergency evacuation outside the immediate vicinity of the plant, limited sheltering, no long term restrictions in food consumption. In the context of the Canadian Guidelines for Intervention during a Nuclear Emergency this would be translated into:

- effective doses estimated for 7 days for the vicinity of the plant (interpreted as outside the site boundary) less than 50 mSv (no need for emergency evacuation);

- effective doses estimated for 1 year less than 50 mSv (no need for permanent relocation).

Because the French-German Technical Guidelines do not clarify what “limited sheltering” and “long term restrictions in food consumption” signify in terms of time periods, a comparison with the intervention levels in the Canadian Guidelines is not possible.

RD-337 specifies two safety goals related to temporary evacuation and long term relocation, expressed in quantities of releases of certain isotopes vs. frequency:

- Small Release Frequency: The sum of frequencies of all event sequences that can lead to a release to the environment of more than 10^15 Becquerel of iodine-131 is less than 10^-5 per reactor year. A greater release may require temporary evacuation of the local population.

- Large Release Frequency: The sum of frequencies of all event sequences that can lead to a release to the environment of more than 10^14 Becquerel of cesium-137 is less than 10^-6 per reactor year. A greater release may require long term relocation of the local population.

The safety goals in Section 4.2.2 cannot be directly linked to dose acceptance criteria and no insights were available to the reviewers during the elaboration of the present study on the basis for linking the above mentioned releases with emergency measures.
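As an added illustration of how the two RD-337 release-frequency goals quoted above are evaluated against a Level 2 PSA event-sequence list (example code written for this discussion, not taken from RD-337, the TG or the ENCO report; the thresholds are those quoted in the text, while the event sequences, their frequencies and their source terms are constructed sample data):

```python
"""Evaluate the RD-337 Section 4.2.2 Small/Large Release Frequency goals over
a PSA event-sequence table.  Added example: thresholds as quoted in the text,
the event sequences below are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Iterable, List

# RD-337 safety goal parameters, as quoted in the text above
I131_THRESHOLD_BQ = 1e15    # Small Release: more than 1e15 Bq of I-131
CS137_THRESHOLD_BQ = 1e14   # Large Release: more than 1e14 Bq of Cs-137
SRF_GOAL_PER_RY = 1e-5      # Small Release Frequency goal, per reactor-year
LRF_GOAL_PER_RY = 1e-6      # Large Release Frequency goal, per reactor-year


@dataclass(frozen=True)
class EventSequence:
    """One PSA end state: its frequency and its release to the environment."""
    name: str
    frequency_per_ry: float
    i131_release_bq: float
    cs137_release_bq: float


def _exceeding(seqs: List[EventSequence], release_of: Callable[[EventSequence], float],
               threshold_bq: float) -> List[EventSequence]:
    """Sequences whose release is strictly above the threshold, highest
    frequency first.  RD-337 says 'more than', so a release exactly at the
    threshold does not count towards the goal."""
    above = [s for s in seqs if release_of(s) > threshold_bq]
    return sorted(above, key=lambda s: s.frequency_per_ry, reverse=True)


def small_release_frequency(seqs: Iterable[EventSequence]) -> float:
    """Sum of frequencies of sequences releasing more than 1e15 Bq of I-131."""
    return sum(s.frequency_per_ry
               for s in _exceeding(list(seqs), lambda s: s.i131_release_bq, I131_THRESHOLD_BQ))


def large_release_frequency(seqs: Iterable[EventSequence]) -> float:
    """Sum of frequencies of sequences releasing more than 1e14 Bq of Cs-137."""
    return sum(s.frequency_per_ry
               for s in _exceeding(list(seqs), lambda s: s.cs137_release_bq, CS137_THRESHOLD_BQ))


def check_safety_goals(seqs: Iterable[EventSequence]) -> dict:
    """Compare SRF and LRF with the RD-337 goals ('is less than' = strict) and
    list the contributing sequences so a reviewer can see what drives each."""
    seqs = list(seqs)
    srf = small_release_frequency(seqs)
    lrf = large_release_frequency(seqs)
    return {
        "srf_per_ry": srf,
        "srf_goal_met": srf < SRF_GOAL_PER_RY,
        "srf_contributors": [s.name for s in _exceeding(seqs, lambda s: s.i131_release_bq,
                                                        I131_THRESHOLD_BQ)],
        "lrf_per_ry": lrf,
        "lrf_goal_met": lrf < LRF_GOAL_PER_RY,
        "lrf_contributors": [s.name for s in _exceeding(seqs, lambda s: s.cs137_release_bq,
                                                        CS137_THRESHOLD_BQ)],
    }


# Constructed sample sequences (names, frequencies and releases are invented
# for illustration only; they do not describe any real plant).
SAMPLE_SEQUENCES = [
    EventSequence("LOCA-ECC-fail-CHR-ok", 2e-6, 5e14, 2e13),   # contained: counts to neither
    EventSequence("SBO-late-CF", 3e-6, 2e15, 3e14),            # counts to both SRF and LRF
    EventSequence("SGTR-unisolated", 4e-7, 8e15, 5e13),        # SRF only (iodine-driven)
    EventSequence("ISLOCA", 1e-7, 1e16, 1e15),                 # counts to both
    EventSequence("ATWS-contained", 1e-6, 1e14, 1e12),         # neither
    EventSequence("boundary-case", 5e-6, 1e15, 1e14),          # exactly at threshold: neither
]

if __name__ == "__main__":
    result = check_safety_goals(SAMPLE_SEQUENCES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the sample data the SRF goal is met (3.5e-6 < 1e-5) while the LRF goal is not (3.1e-6 > 1e-6), driven by the station blackout sequence; the boundary sequence shows the effect of the strict "more than" wording.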

The interpretation of the French-German Technical Guidelines objectives in relation to the intervention values in the Canadian Guidelines for Intervention during a Nuclear Emergency and the relation with the dose acceptance criteria and safety goals in RD-337 should be subject to a more in-depth consideration by CNSC. The details of the safety analysis practices have not been within the scope of this study and, unless they are specified, no conclusions can be drawn. For example, the calculation of the doses as part of the radiological consequence analyses is usually done for 30 days, without taking into account emergency response measures. If estimation of doses for 1 year were required, the calculations may credit the emergency response actions (e.g. sheltering, food bans, temporary evacuation). In any case, uncertainties in the estimation of doses are generally considered to be significant and this was one of the reasons for which the French-German Technical Guidelines do not provide any quantitative safety objectives in terms of doses resulting from accidents.

The requirements in Section A.1.2 - The "defence-in-depth" principle of the TG are equivalent in principle with those in RD-337 Sections 4.3.1, Defence-in-depth, and 4.3.2 Consideration of Physical Barriers.

The main objectives for the protection against severe accidents are provided in the TG in Section A.1.3 - General strategy related to severe accidents:

“The general objectives set in section A.1.1 have the following general implications concerning severe accidents:

a) "Practical elimination" of accident situations which would lead to large early releases

• Accident sequences involving containment bypassing (via the steam generators or via circuits connected to the primary system which exit the containment) have to be "practically eliminated" by design provisions (such as adequate piping design pressure) and operating provisions, aimed at ensuring reliable isolation and also preventing failures.

• Special attention shall be given to shutdown states and open containment building.

• Reactivity accidents resulting from fast introduction of cold or deborated water must be prevented by design provisions so that they can be "excluded".

• Overpressurization of the primary circuit must also be prevented as far as necessary by design provisions and operating procedures so as to contribute in particular to the "exclusion" of the reactor pressure vessel rupture.

• High pressure core melt situations must be prevented by design provisions (such as diversity and automatic actuation) for the secondary side safety systems and if necessary for the reactivity control and primary feed and bleed systems. It must be a design objective to transfer high pressure core melt to low pressure core melt sequences with a high reliability (as an orientation, the equipment used to depressurize the primary circuit has to be as reliable as the relief valve system used to prevent an overpressurization) so that high pressure core melt situations can be "excluded". The depressurization must be such that loads from ejected melt into the containment atmosphere ("direct containment heating") and loads on the reactor pressure vessel support and cavity structures can be coped with.

• Global hydrogen detonations and in-vessel and ex-vessel steam explosions threatening the containment integrity must be "practically eliminated".

b) Mitigation of low pressure core melt accident situations

• As regards containment leaks, there shall be no path of direct leakage from the containment building to the outside. Pipes liable to carry radioactive substances outside the containment building shall lead to peripheral buildings providing adequate confining capabilities. Improvements must be sought for the permanent surveillance of the containment building leaktightness. Penetrations through the pressure boundary of the containment have to cope with loads from core melt sequences.

• Due consideration must be paid to the different aspects of a spray system inside the containment building for severe accident situations. This system allows lowering both the pressure and the radioactive aerosols concentrations in the containment building; however a spray system reduces the inerting influence of steam and increases the flame velocity of hydrogen combustion.

• The residual heat must be removed from the containment building without venting device; for this function, a last-resort heat removal system must be installed.

• Concerning the possible formation of combustible gas mixtures, the containment building must be designed to withstand the global deflagration of the maximum amount of hydrogen which could be contained in this building in the course of core melt accidents and also to withstand a representative fast local deflagration. Besides, provisions must be taken with respect to local detonations and to possibilities of deflagration to detonation transition (DDT) sequences which might jeopardize this building and its internal structures. Limitation of the concentrations of combustible gases by design of internal structures and the use of catalytic devices have notably to be considered.

• The penetration of the basemat of the containment building by a "corium" must be avoided, as this phenomenon could imply significant releases and durable contamination of underground waters and of the sub-soil. Moreover, adequate provisions have to be implemented to prevent leakage of contaminated water and gases to the sub-soil via cracks in the basemat.”

Additional requirements in the TG are provided in:

- Section B.1.4.1 - Design requirements for the containment building and the peripheral buildings: (examples provided below)

• […] “The design pressure and design temperature of the containment inner wall must be such to allow a grace period of at least 12 hours without containment heat removal after a severe accident and to ensure its integrity and leaktightness even after the global deflagration of the maximum amount of hydrogen which could be contained in the containment building in the course of low pressure core melt accidents (see section A.1.3).”;

• “Concerning the basemat, the objectives set in section A.1.3 related to low pressure core melt situations can be achieved by the implementation of a large "corium" spreading compartment adequately cooled.”, etc.

- Section B.1.4.2 - Prevention of containment bypass which includes detailed requirements (some PWR specific);

- Section E - Control of Multiple Failures Conditions and Core Melt Accidents (including specific scenarios to be analysed, phenomena to be considered in the analysis, equipment qualification considerations, etc.).

The requirements in Sections A.1.3, B.1.4.1-2 and Section E of the TG are significantly more detailed and prescriptive (including some requirements specific to PWRs) than the requirements in Sections 8.6.12 and 7.3.4 of RD-337.

With respect to Safety demonstration, addressed in section A.1.4 of the TG, relevant requirements are provided in RD-337 Section 9.0, Safety Analysis, and in RD-310.

RD-337 does not address the grouping of events to be analysed. There is no equivalent in RD-337 of the “practical elimination” concept extensively used in the TG. “Practical elimination” of certain accident scenarios is similar, in principle, with the concept of “incredibility of failure” applied to exclude gross failure of reactor pressure vessels from the design basis, but no quantitative target is provided in the TG.

The aspects related to the radiological consequence analysis mentioned in TG Section A.1.4 are not fully and explicitly covered by the provisions of RD-337 and RD-310.

Section A.2.1 of the TG addresses Plant Transient Behaviour. Some of the requirements in this section, e.g. provision of inherent safety features, fail safe design, engineered design features, and procedures that minimize the consequences of DBAs are covered in RD-337 Sections 6.1, Application of Defence-in-depth, and 6.3, Accident Prevention and Plant Safety Characteristics. Also, Sections 7.3.2, 7.3.3, 7.9.1 and 7.21 contain relevant requirements on human factors.

RD-337 does not specifically require a negative moderator feedback. There is also no equivalent requirement in RD-337 for preventing unnecessary safety system actuation.

The requirements on Redundancy and diversity in the safety systems in Section A.2.2 are equivalent with those in RD-337 Section 7.6, Design for Reliability. Note the provision in the TG regarding the CCF claim for a redundant safety system consisting of identical trains, which is considered as impossible to demonstrate at a value < 10^-4 per demand. There is no equivalent numerical target in RD-337 – however, this value is stated in the TG in the context of an observation rather than a requirement and is relevant mainly in the implementation of the safety assessment.

The requirements in Section A.2.3 - Man-machine interface, are equivalent with those in RD-337 Sections 7.21, Human Factors, 7.9.1, (Instrumentation and Control) General Considerations, 7.3.2, Anticipated Operational Occurrences, 7.3.3, Design Basis Accidents, and 8.10, Control Facilities.

Section A.2.4 of the TG deals with Protection against internal hazards. Requirements equivalent in principle are provided in RD-337 Sections 7.4.1, Internal Hazards, and 9.3, Hazards Analysis. RD-337 does not explicitly address load drops and electromagnetic interference (only a few examples of internal hazards are provided). Also, RD-337 does not address the particular situation of internal hazards during shutdown states.

Section A.2.5 of the TG deals with Protection against external hazards. Requirements equivalent in principle are provided in RD-337 Section 7.4.2, External Hazards. RD-337 does not specifically require that external hazards must not have a large contribution to the risk associated with new reactors.

Section A.2.6 - Use of probabilistic safety assessment includes requirements equivalent in principle with those in RD-337 Section 9.5, Probabilistic Safety Assessment, and in regulatory standard S-294, Probabilistic Safety Assessment (PSA) for Nuclear Power Plants.

Section A.2.6 of the TG is rather descriptive. However, it mentions some aspects not explicitly addressed by RD-337 and S-294, such as the expectations regarding a PSA for the design stage and the treatment of human factors related to diagnosis and maintenance.

Section A.2.7.1 - Occupational exposures of the TG includes requirements equivalent in principle with those of RD-337 Section 8.13, Radiation Protection. In addition, it sets objectives for the optimisation of occupational exposures with reference to the operating experience of the existing plants and gives specific examples of possible design improvements.

Section A.2.7.2 - Radioactive releases and wastes of the TG includes requirements equivalent in principle with those of RD-337 Sections 4.1.1, Radiation Protection Objective, 8.13.4, Sources, and 8.11, Waste Treatment and Control. Section A.2.7.2 also requires that the radiation exposure is calculated taking into account discharges from other installations. This consideration is particularly relevant for setting dose constraints and release limits in cases where several facilities are in close vicinity.

The provisions in Section B.1.1 - Fuel cladding and core design include detailed and prescriptive requirements and also some PWR specific requirements. Some notable requirements include those related to the evolution of the fuel designs (such requirements can be useful in a technology-neutral regulatory framework) and those related to the reactivity coefficients (negative moderator feedback and negative void coefficient). There are no equivalent requirements in RD-337.

Section B.1.2.1 - General requirements (for the primary circuit) includes requirements equivalent to those in RD-337 Sections 8.2, Reactor Coolant System, 8.2.1, In-service Pressure Boundary Inspection, and 8.2.3, Cleanup.

Section B.1.2.2 – Break postulates of the TG allows for the exclusion from the design basis of the complete guillotine break of a main coolant line. This issue is not explicitly addressed in RD-337, but, traditionally, such an event has been considered a design basis accident.

Section B.1.2.3 deals with the Consequences on the safety demonstration of the exclusion from the design basis of the complete guillotine break of a main coolant line allowed in Section B.1.2.2. RD-337 does not include specific provisions on the analysis of LOCA events.

Section B.1.3 includes Requirements related to the main secondary lines. RD-337 does not include specific provisions on the analysis of breaks in secondary circuit pipes.

The requirements in the TG Section B.1.4.1 - Confinement function, regarding the protection of the containment against severe accidents are significantly more detailed and prescriptive than the relevant requirements in RD-337 Section 8.6.12, Severe Accidents. Also, the TG require the use of a double wall containment.

The requirements in the TG Section B.1.4.2 regarding the Prevention of containment bypass are more detailed and prescriptive than the provisions on containment bypass in RD-337 Section 7.3.4, Beyond Design Basis Accidents. Section B.1.4.2 includes provisions on the treatment of specific severe accident scenarios.

Classification of SSCs is addressed in the TG in Section B.2.1 - Classification of the safety functions, barriers, structures and systems. The requirements in this section prescribe a classification scheme, being more detailed than the requirements in RD-337 Section 7.1, Classification of SSCs. The differences in the requirements for the safety classification of SSCs may lead to differences in design requirements applied to the safety related SSCs, but such differences can only be assessed on a case-by-case basis, for any given design.

Requirements in Section B.2.2.1 - Qualification of safety equipment are equivalent in principle with those in RD-337 Section 7.8, Equipment Environmental Qualification. Specific consideration of dynamic loads is addressed in Section 7.7, Pressure-retaining SSCs, Section 8.1, Reactor Core and 8.6.2, Strength of the Containment Structure. Relevant requirements are included also in Section 7.15, Civil Structures (7.15.1, Design). Seismic qualification is addressed in Section 7.13.

Section B.2.2.1 of the TG includes details on specific qualification procedures, for specific conditions.

In addition, Section B.2.2.1 of the TG mentions the generic issue of sump filter clogging and requires this to be addressed. In RD-337, this is addressed in Section 8.5 (“The ECCS recovery flow path is such that impediment to the recovery of coolant following a loss of coolant accident by debris or other material is avoided.”).

RD-337 requirements on computer based systems (Section 7.9.2) are more comprehensive than the requirements in Section B.2.2.2 - Computerized safety systems of the TG.

Requirements in Section B.2.2.3 - Reactivity control function are equivalent in principle with those in RD-337 Section 8.1.2, Control System. Section B.2.3.1 of the TG provides PWR specific requirements.

The provisions of Section B.2.3.2 - Residual heat removal function of the TG are more detailed and prescriptive than those of RD-337 Section 8.2.4, Removal of Residual Heat from Reactor Core, and include PWR specific requirements. It should be noted that the TG also defines an acceptable solution for the design of the residual heat removal system.

Section B.2.3.3 - Emergency core cooling function of the TG includes prescriptive and detailed requirements and addresses PWR specific design solutions.

Section B.2.3.4 - Secondary side heat removal function of the TG includes some detailed requirements not covered by RD-337, some of them being PWR specific. PWR specific requirements include the design solutions proposed for the "practical elimination" of high pressure core melt scenarios. Requirements applicable to water cooled pressurised reactors (including PHWR) refer to the design provisions for coping with specific event sequences, such as small LOCA + SGTF (steam generator tube failure).

Section B.2.3.5 - Containment heat removal function of the TG includes prescriptive requirements for heat removal in case of low pressure core melt scenarios which are not addressed in RD-337.

Section B.2.3.6 - Primary circuit overpressurization protection and depressurization functions of the TG includes requirements on specific design provisions aimed at preventing high pressure core melt ejection scenarios for PWRs.

Section B.2.3.7 - Secondary side overpressure protection function of the TG includes prescriptive requirements for the protection against secondary side overpressure which are more detailed than the requirements in RD-337 Section 8.3, Steam Supply System (which only require that the design limits of the pressure boundary are not exceeded).

Section B.2.4.1 - Electrical power supplies prescribes the type and configuration of electrical power supply to the assumed four trains of safety systems of a plant. RD-337 includes in Section 8.9 requirements only for the emergency power supply.

While RD-337 requirements on heat transfer to an ultimate heat sink (Section 8.7) focus on the safety function and are technology-neutral, the requirements in Section B.2.4.2 - Component cooling water system and essential service water system of the TG are focused on specific systems contributing to this function.

Requirements in Section C.1 of the TG on the reduction of the frequencies of initiating events for new reactors (in relation to the existing plants) do not have a direct equivalent in RD-337. However, they can be linked with the requirements on Levels 1 and 2 of the defence-in-depth implementation (Section 4.3.1) in RD-337. Section C.1 of the TG addresses specific conditions (e.g. thermal fatigue phenomena linked to mixing between cold and hot fluids) which are not covered in RD-337.

The application of the single failure criterion is required in RD-337 for each safety group (i.e. at function level rather than at system level), while the TG (Section C.2.1 - Single failure criterion and preventive maintenance) requires the application of the SFC at system level for F1A systems and at function level for F1B systems (see the provisions of Section B.2.1 - Classification of the safety functions, barriers, structures and systems). Where the SFC is required in the TG to be applied at system level, preventive maintenance is taken into consideration resulting in one safety train being considered unavailable, in addition to one considered rendered unavailable as a single failure. In addition, the TG provides more details than RD-337 on the expectations for the application of the SFC to passive components.

Neither Section 9.5 of RD-337 nor S-294, Probabilistic Safety Assessment (PSA) for Nuclear Power Plants, include explicit requirements on the systems’ mission times to be considered and on the prevention of cliff-edge effects.

Section C.2.2 - Probabilistic safety assessment and diversity of the TG provides an orientation value for CDF (< 10^-6 per reactor year) from internal events (power states and shutdown states). There is no equivalent value in RD-337 (the CDF safety goal in RD-337 is based on a full-scope PSA).

RD-337 does not explicitly address human reliability analysis, while Section C.2.2 of the TG includes some general requirements, acknowledging the limitation of a HRA performed at design stage but highlighting the importance of HRA in the analysis of sequences leading to core melt with containment heat removal system unavailability.

Section C.3 of the TG deals with Human factors. RD-337 provisions on human factors in Section 7.21 do not explicitly address task analysis, staffing and verification and validation as part of the human factors engineering program. Alarm prioritisation is also not explicitly addressed in RD-337.

Section C.4.1 of the TG provides more detailed and prescriptive requirements on radiation protection in normal operation (based on the operating experience) than Section 8.13 of RD-337.

Requirements in Section C.4.2.1 - Waste reduction and dismantling of the TG are equivalent in principle with those of RD-337 Sections 8.11, Waste Treatment and Control, 8.13, Radiation Protection, and 7.24, Decommissioning. Section C.4.2.1 of the TG includes some specific provisions based on operating experience (e.g. choice of materials).

Section 8.11 of RD-337 is focused on the design requirements for waste treatment and control, while Section C.4.2.2 - Effluent treatment system of the TG focuses on the safety demonstration by the designer to support the objective of limitation of exposures.

Section D.1 of the TG deals with reference transients, incidents and accidents to be considered to demonstrate the safety of the plant. Grouping of initiating events in accordance with their consequences for the selection of bounding (reference) cases and with their estimated frequency of occurrence for the application of acceptance criteria is not explicitly addressed in RD-337. RD-337 does not list specific transients and accidents. The TG includes lists of such events which are PWR specific.

Section D.2.1 - Safety analysis rules and acceptance criteria of the TG includes some design specific requirements (PWR) which do not have a direct equivalent in the more general requirements in Section 5.4.4, Analysis Assumptions, of RD-310 (although the intent is the same).

Section D.2.1 of the TG requires that 30 minutes be available before operator action in the control room is necessary to respond to an initiating event, and 1 hour for actions outside the control room. The minimum time specified by RD-337 before operator action from the MCR is required is 15 minutes, and the minimum time for action outside the MCR is 30 minutes. These differences in requirements have an impact on design provisions. This impact can only be assessed on a case-by-case basis, for each design submitted for regulatory review.

In addition, D.2.1 requires that reference transients, incidents and accidents (except those initiated by human action), have to be studied with a loss of off site power at the most penalizing time. There is no such explicit requirement in RD-337 or RD-310. The current expectations regarding safety analyses need to be considered in order to assess whether such a requirement could lead to any new analyses and to design changes.

Section D.2.2 - Acceptance criteria of the TG includes detailed and prescriptive requirements (including PWR specific) on acceptance criteria for accident analysis which are not covered by RD-337 and RD-310.

Section D.2.3 of the TG provides a general discussion in the use of computer codes and their verification and validation and some design specific requirements, while Section 5.4.5, Computer Codes, of RD-310 references an industry standard considered acceptable. A comparison cannot be made.

Section D.2.4 provides requirements for the radiological consequences analysis. Neither RD-337 nor RD-310 provides details regarding the performance of the radiological consequence analyses.

Sections E.1.1, E.1.2.1 and E.1.2.2 of the TG provide requirements for and list of multiple failures conditions (called Risk Reduction Category A) to be considered in the safety demonstration. Some of those are PWR specific. Sections E.1.2.3 and E.1.3 provide guidance on accident analysis rules and acceptance criteria and on probabilistic assessment of the multiple failures conditions. RD-337, RD-310 and S-294 do not address specific transients and accidents nor do they provide details regarding the analysis rules and acceptance criteria or the probabilistic safety assessment of specific accident scenarios.

In Section E.2 - Protection measures against core melt accidents, subsection E.2.1 - Safety objectives, the French-German Technical Guidelines require the “practical elimination” of certain severe accident sequences that represented or represent a concern for the reactors currently in operation because they could lead to large early releases (e.g. high pressure core melt ejection scenarios and direct containment heating in PWRs). This means that if such scenarios cannot be considered as physically impossible, design provisions should be made to prevent them from occurring.

Section E.2.2.1 of the TG deals with a design specific (PWR) issue: prevention of core melt under high pressure and direct containment heating.

Section E.2.2.2 - Prevention of fast reactivity accidents of the TG provides design specific (PWR) requirements for the "practical elimination" of heterogeneous boron dilution scenarios. RD-337 requirements in Section 8.1, Reactor Core, are technology-neutral.

Section E.2.2.3 of the TG addresses the Prevention of steam explosions. RD-337 requirements on severe accidents do not explicitly address the potential for steam explosions.

The requirements in RD-337 Sections 8.6, Containment, regarding the control of hydrogen are less detailed than the requirements in section E.2.2.4 - Prevention of hydrogen detonation of the TG, which address specific design solutions and safety analysis considerations.

The requirements in the TG Sections E.2.2.5 - Prevention of containment bypass and B.1.4.2 regarding the prevention of containment by-pass are more detailed and prescriptive than the provisions on containment bypass in RD-337 and address specific accident scenarios and design solutions.

The requirements in Section E.2.2.6 - Prevention of fuel melt in fuel pool of the TG are equivalent in principle with those in RD-337 Section 8.12.2, Handling and Storage of Irradiated Fuel. RD-337 does not explicitly address “practical elimination” of fuel melt in the spent fuel pool and the assessment of spent fuel pool safety in case of earthquake.

While the provisions in Section 8.6.12, Severe Accidents, of RD-337 only require consideration of complementary design features for preventing containment melt-through and for facilitating cooling of the core debris, Section E.2.3.1 - Ex-vessel molten core coolability of the TG includes detailed and prescriptive design requirements for a “core catcher” and expectations for the assessment of its effectiveness.

RD-337 only includes general requirements for containment heat removal. Section E.2.3.2 of the TG addresses specific design solutions for achieving this function in severe accidents without venting of the containment.

RD-337 requirements on instrumentation in Sections 7.9.1 (Instrumentation and Control) General Considerations, 7.9.3, Post-accident Instrumentation, and 8.10.3, Emergency Support Centre, are more comprehensive than those in Section E.2.3.3 – Instrumentation of the TG.

Requirements in Section E.2.3.4 - Qualification under severe accident conditions of the TG are equivalent with those in RD-337 Section 7.8, Equipment Environmental Qualification.

Section E.2.4 – Safety Demonstration of the TG explicitly requires severe accident analysis and gives examples of severe accident sequences to be analysed. In RD-337, this requirement is implicit and no examples of accident sequences are provided. RD-310 requires explicitly that BDBAs are analyzed. Section E.2.4 of the TG also discusses various aspects relevant to severe accident analysis, e.g. assumptions, uncertainties, validation of computer codes, etc.

The general requirements for protection against internal hazards in Section F.1.1 of the TG are equivalent in principle with those in RD-337 Sections 7.4.1, Internal Hazards, and 9.3, Hazards Analysis. RD-337 does not explicitly address load drops (only a few examples of internal hazards are provided).

Section F.1.2.1 of the TG includes more detailed and prescriptive requirements on the protection against failures of pressure-retaining SSCs than RD-337. The requirements in F.1.2.1 of the TG include specific design requirements and requirements on the analysis of the internal hazards arising from failures of pipes, vessels, tanks, pumps and valves.

RD-337 does not include detailed / specific provisions for the protection against internal flooding (TG Section F.1.2.2).

Requirements in Section F.1.2.3 - Fires of the TG are equivalent in principle to those in RD-337 Section 7.12, Fire Safety. The requirements in Section F.1.2.3 of the TG are more detailed as regards the fire protection specifications required from the designer and the safety assessment of fire effects.

RD-337 requires in Section 7.4.1, Internal events, minimization of the probability and effects of fires and explosions caused by external or internal events, but does not explicitly require the limitation of the explosive gases and fluids, as does Section F.1.2.4 - Internal explosions of the TG.

The requirements in Section F.1.2.5 - Internal missiles of the TG are equivalent with those in Sections 7.4.1, Internal events, and 8.3.3, Turbine Generators of RD-337.

Section F.2 of the TG deals with protection against external hazards. RD-337 does not explicitly address lightning and electromagnetic interference, groundwater, or toxic, corrosive or burnable gases. The list provided in RD-337 Section 7.4.2 includes fewer examples of external hazards than Section F.2.1 - Events to be considered of the TG.

The expectations on seismic design in Section F.2.2.1 - Earthquake of the TG are more detailed than the requirements in RD-337 Section 7.13, Seismic Qualification.

In RD-337 Section 7.4.2 External Hazards, potential aircraft crashes are mentioned as human-induced external events identified in the site evaluation. RD-337 does not explicitly require the analysis of an aircraft crash. Section F.2.2.2 - Aircraft crashes of the TG provides prescriptive design requirements for the protection against aircraft crashes, as well as expectations for the associated safety analyses.

RD-337 does not provide specific requirements on the protection against external explosions, such as those in Section F.2.2.3 - Explosions.

RD-337 does not provide detailed requirements on the design of the spent fuel pool cooling system. Section G.1 of the TG contains such detailed / prescriptive requirements.

Section G.2 of the TG provides detailed requirements on the design features and measures implemented to ensure leak-tightness of the containment which are not covered in RD-337.

The requirements in Section G.3 - Design of Instrumentation and Control of the TG are equivalent in principle to those in RD-337 Section 7.9, Instrumentation and Control. Relevant requirements are also provided in RD-337 Section 8.10, Control Facilities. The discussion on I&C and the expectations provided in Section G.3 include some aspects not fully addressed by RD-337 (e.g. the consideration of consequences of internal and external hazards on the I&C systems and of the hazards originating in I&C systems).

The requirements in Section G.4 - Use of technical codes are equivalent to those in RD-337 Section 5.4, Proven Engineering Practices. The use of codes and standards is also addressed in the context of system-specific requirements in RD-337. In addition to the general requirements on the use of codes and standards, Section G.4 of the TG includes detailed requirements on I&C, civil works, heating, ventilation and air conditioning systems, which are not fully covered by RD-337.

6.3 Summary of findings

6.3.1 Differences in Safety Goals

The French-German Technical Guidelines express the general safety objectives for new reactors in comparison to the reactors already in operation rather than expressing them in a stand-alone manner, as in RD-337.

They require the “practical elimination” of certain severe accident sequences that represented or represent a concern for the reactors currently in operation (e.g. high pressure core melt ejection scenarios and direct containment heating in LWRs). This means that if such scenarios cannot be considered as physically impossible, design provisions should be made to prevent them from occurring. There are no similar provisions in RD-337.

The core damage frequency in the French-German Technical Guidelines is the same as in RD-337: less than 10^-5 per reactor year. In addition, Section C.2.2 of the TG provides an orientation value for the CDF from internal events (< 10^-6 per reactor year, covering power states and shutdown states). There is no equivalent value in RD-337 for the contribution of internal events to the CDF (the CDF safety goal in RD-337 is based on a full-scope PSA).

The CDF values (for all events and for internal events contribution) are the only safety goals expressed in a quantitative manner. Other safety goals for protection against severe accidents are expressed qualitatively, in relation to the avoidance of disruption to life, environment and economy that would result from the implementation of emergency measures.

For accident situations without core melt, the French-German Technical Guidelines require that there shall be no necessity of protective measures for people living in the vicinity of the damaged plant (no evacuation, no sheltering). For accidents with core melt, the French-German Technical Guidelines do not provide any quantitative safety goal related to the limitation of large releases; they only require that, for accident sequences that are not practically eliminated, i.e. for low pressure core melt sequences, the associated maximum conceivable releases would necessitate only very limited protective measures in area and in time for the public (no permanent relocation, no need for emergency evacuation outside the immediate vicinity of the plant, limited sheltering, no long term restrictions in consumption of food).

The French-German Technical Guidelines practically link the safety objectives for protection against severe accidents with the intervention levels in a nuclear emergency.

The interpretation (provided in Section 6.2 of this report) of the French-German Technical Guidelines objectives in relation to the intervention values in the Canadian Guidelines for Intervention during a Nuclear Emergency, and the relation with the dose acceptance criteria and safety goals in RD-337, should be subject to more in-depth consideration by the CNSC. The details of the safety analysis practices have not been within the scope of this study and, unless they are specified, no conclusions can be drawn.

6.3.2 Differences in design requirements for protection against severe accidents

The requirements on protection against severe accidents in Sections A.1.3, B.1.4.1-2 and Section E of the TG are significantly more detailed and prescriptive (including some requirements specific to PWRs) than the requirements in Sections 8.6.12 and 7.3.4 of RD-337.

Section B.2.3.5 (Containment heat removal function) of the TG includes prescriptive requirements for heat removal in case of low pressure core melt scenarios which are not addressed in RD-337.

Section E.2.2.3 of the TG includes requirements for the assessment of the potential for steam explosions linked to core melt. RD-337 requirements on severe accidents do not explicitly address the potential for steam explosions. Also, the requirements in RD-337 regarding the control of hydrogen are less detailed than the requirements in section E.2.2.4 of the TG, which address specific design solutions and safety analysis considerations.

While the provisions in Section 8.6.12 of RD-337 only require consideration of complementary design features for preventing containment melt-through and for facilitating cooling of the core debris, Section E.2.3.1 of the TG includes detailed and prescriptive design requirements for a “core catcher” and expectations for the assessment of its effectiveness.

RD-337 only includes general requirements for containment heat removal. Section E.2.3.2 of the TG addresses specific design solutions for achieving this function in severe accidents without venting of the containment.

6.3.3 Differences in requirements on safety classification of SSCs

Classification of SSCs is addressed in the TG in Section B.2.1 - Classification of the safety functions, barriers, structures and systems. The requirements in this section prescribe a classification scheme and are more detailed than the requirements in RD-337 Section 7.1, Classification of SSCs. The differences in the requirements for the safety classification of SSCs may lead to differences in design requirements applied to the safety related SSCs, but such differences can only be assessed on a case-by-case basis, for any given design.

6.3.4 Differences in the application of the Single Failure Criterion

The application of the single failure criterion is required in RD-337 for each safety group (i.e. at function level rather than at system level), while the TG requires the application of the SFC at system level for F1A systems and at function level for F1B systems (see the provisions of Section B.2.1 - Classification of the safety functions, barriers, structures and systems). Where the SFC is required in the TG to be applied at system level, preventive maintenance is taken into consideration resulting in one safety train being considered unavailable, in addition to one considered rendered unavailable as a single failure.

In addition, the TG provides more details than RD-337 on the expectations for the application of the SFC to passive components.

The above-mentioned differences in requirements on the application of the SFC have the potential to result in design differences (however, the resulting design differences can only be assessed on a case-by-case basis for a given design).

6.3.5 Differences regarding the treatment of aircraft crash

In RD-337 Section 7.4.2 External Hazards, potential aircraft crashes are mentioned as human-induced external events identified in the site evaluation. RD-337 does not explicitly require the analysis of an aircraft crash. Section F.2.2.2 of the TG provides prescriptive design requirements for the protection against aircraft crashes, as well as expectations for the associated safety analyses.

6.3.6 Differences in the requirements for safety assessment

Grouping of initiating events in accordance with their consequences (for the selection of bounding cases) and with their estimated frequency of occurrence (for the application of acceptance criteria) is not explicitly addressed in RD-337 (see, for example, Section 6.1).

RD-337 does not address specific transients and accidents. The TG includes lists of such events, which are PWR specific (see Section D of the TG).

RD-337 does not explicitly address task analysis, staffing and verification and validation as part of the human factors engineering program.

Section 9.5 of RD-337 and S-294, Probabilistic Safety Assessment (PSA) for Nuclear Power Plants, require systems’ mission times to be considered but do not specify them (e.g. 24 h in the initial analyses, longer mission times required by external events for some systems, in Section C.2.2 of the TG). Also, they do not include explicit requirements on the prevention of cliff-edge effects.

Section D.2.1 of the TG requires that 30 minutes be available before operator action in the control room is necessary to respond to an initiating event, and 1 hour for actions outside the control room. The minimum time specified by RD-337 before operator action from the MCR is required is 15 minutes, and the minimum time for action outside the MCR is 30 minutes. These differences in requirements have an impact on design provisions. This impact can only be assessed on a case-by-case basis, for each design submitted for regulatory review.

Section D.2.1 of the TG requires that reference transients, incidents and accidents (except those initiated by human action), have to be studied with a loss of off-site power at the most penalizing time. There is no such explicit requirement in RD-337 or RD-310. The current expectations regarding safety analyses need to be considered in order to assess whether such a requirement could lead to any new analyses and to design changes.

Section D.2.4 of the TG provides requirements on the calculation of radiological consequences. Neither RD-337 nor RD-310 provides details regarding the performance of the radiological consequence analyses.

Section E.2.4 of the TG explicitly requires severe accident analysis and gives examples of severe accident sequences to be analysed. In RD-337, this requirement is implicit and no examples of accident sequences are provided. Section E.2.4 of the TG also discusses various aspects relevant to severe accident analysis, e.g. assumptions, uncertainties, validation of computer codes, etc.

Electromagnetic interference and load drops are not addressed in the requirements for hazard analysis in RD-337. Although the lists of internal and external hazards provided in RD-337 are not intended to be exhaustive, it may be worth mentioning additional examples of hazards, such as electromagnetic interference and load drops.

6.3.7 Other notable differences

The provisions in Section B.1.1 of the TG (Fuel cladding and core design) include detailed and prescriptive requirements and also some PWR specific requirements. Some notable requirements include those related to the evolution of the fuel designs (such requirements can be useful in a technology-neutral regulatory framework) and those related to the reactivity coefficients (negative moderator feedback and negative void coefficient).

Section B.1.2.2 of the TG allows for the exclusion from the design basis of the complete guillotine break of a main coolant line. This issue is not explicitly addressed in RD-337, but, traditionally, such an event has been considered a design basis accident.

The TG requires, in Section B.1.4.1 (Design requirements for the containment building and the peripheral buildings), the use of a double wall containment.

The provisions of Section B.2.3.2 (Residual heat removal function) of the TG are more detailed and prescriptive than those of RD-337 Section 8.2.4 and include PWR specific requirements. It should be noted that the TG also defines an acceptable solution for the design of the residual heat removal system.

The requirements on electrical systems in Section B.2.4.1 of the TG (Electrical power supplies) are more prescriptive and detailed than the requirements in RD-337, which includes requirements only for the emergency power supply.

Section G.2 of the TG provides detailed requirements on the design features and measures implemented to ensure leak-tightness of the containment which are not covered in RD-337.

The discussion on I&C and the expectations provided in Section G.3 of the TG include some aspects not fully addressed by RD-337 (e.g. the consideration of consequences of internal and external hazards on the I&C systems and of the hazards originating in I&C systems).

In addition to the general requirements on the use of codes and standards, Section G.4 of the TG includes detailed requirements on I&C, civil works, heating, ventilation and air conditioning systems, which are not fully covered by RD-337.

6.4 Application of the TG to Flamanville EPR

The construction of an EPR reactor was started at the Flamanville site in 2007 and the construction of a second EPR reactor is envisaged at the Penly site.

The EPR is an evolutionary PWR, initially developed by a group of French and German industrialists and power utilities (Framatome, Siemens, followed by AREVA NP, with EDF and a group of German power utilities).

The review of the safety options of the project began in 1993 through a Franco-German technical co-operation project. The successive recommendations formulated by the French and German expert groups were approved jointly by the regulatory bodies of both countries, and since the end of 1998, by ASN alone.

The review process continued and went through the following steps:

• in 1997, the transmission to the French and German regulatory bodies of the “Basic Design Report”, consisting of a detailed preliminary project, followed by an update in February 1999, and

• the drafting of “Technical Guidelines”, consisting of a set of recommendations concerning the main safety options of the EPR Project.

The final version of that compendium describing the main safety options of the French-German EPR project was validated by the advisory committee for reactors in October 2000, in consultation with German safety experts. The TG incorporate all the technical recommendations put forward by the French and German experts and approved by ASN throughout the review of the safety options in a structured and organised form. As such, they constituted the principal technical reference system for the EPR project review over the period 2001-2006.

The technical guidelines were given official sanction in 2004 in a letter sent to the Chairman of EDF, in which the public authorities judged that the reviewed safety options satisfied the objective of overall safety improvement compared with the reactors currently in service.

It can be inferred that the development of the TG was largely undertaken in parallel with the regulatory review of the preliminary design of the EPR. From this, and from the fact that a construction licence has been granted for Flamanville-3 based on the review of the design against the TG, it can be concluded that there should have been no major differences between the requirements in the TG and the design requirements for the EPR.

In September 2006 ASN completed its review of the preliminary safety analysis report (footnote 14); this review had begun in 2002, in parallel with the production of this report. With regard to nuclear risks, it reviewed in particular:

• compliance with the overall safety objectives;

• the taking into account of recent experience feedback from reactors in operation;

• the innovations introduced with respect to operating reactors in response to industrial concerns;

• the design of nuclear pressure vessels.

An executive summary of the technical review [12] was presented to the ASN Board, in February 2007, to support the decision for granting a construction licence for Flamanville-3.

However, one of the main issues arising from the most recent regulatory reviews conducted by ASN and IRSN (ASN’s technical support organisation) concerns the instrumentation and control system of the Flamanville-3 EPR.

In order to prepare its decisions, ASN relies on the opinions and recommendations of its advisory committees. The advisory committee for reactors reportedly met several times over the last few years in order to address various topics concerning the EPR, such as the reference system for equipment qualification under accident conditions; ruptures of the shutdown cooling system; pool accidents in the fuel building; effluents and waste; reference system for external floods; clogging risk in the filtration chain of safety injection systems and emergency containment cooling systems; the protection approach against aggressions and reference systems for aggressions (fire, internal explosion, lightning, cold spell); architecture and platforms of control and instrumentation systems; calculations of the radiological impact of accidents without core melt, etc.

Footnote 14: The preliminary safety report for the EPR is available (in French only) at this link: http://france.edf.com/html/epr/rps/somgen.pdf

In June 2009, the advisory committee for reactors reviewed the EPR’s computerised control and instrumentation systems. In order to ensure safety, the EPR’s system includes two independent and complementary systems designed to run the reactor under all circumstances, as follows:

• the first system (Téléperm XS platform) is dedicated to the reactor’s automated protective and shutdown functions in the event of an incident and to its return to safe operating conditions, in support of the highest safety-classification functions, and

• the second system (SPPA T2000 platform), which acts as a complement, is designed to run the reactor directly from the control room under safe conditions during normal operation and for management purposes over the long term in the event of an accident.

In a letter addressed to EDF on 15 October 2009, ASN noted that EDF had presented the necessary elements in order to demonstrate the capability of the first system to bear the highest safety classification functions. In addition, ASN also felt that the technological diversity of both systems, which represents a significant component for the robustness of the architecture and the reliability of the control and instrumentation systems, was satisfactory. However, ASN also noted that conformity with the safety classification level of the second system had not been demonstrated so far, not only for automated controls, but also for operating controls (man-machine interface). Furthermore, ASN felt that the strong interconnection of control and instrumentation systems (via the communication network) calls for the reinforcement of the existing robustness specifications for their architecture (backup measures in the event of a failure in part of the functions of control and instrumentation systems). Besides the continuation of the qualification programme for that system, ASN also requested EDF in the same letter to study various design options, if that qualification were refused.

In November 2009, a joint letter by ASN and the UK and Finnish nuclear safety regulators was made publicly available, stating that, in carrying out individual assessments, the regulatory authorities have raised issues regarding the EPR Control and Instrumentation (C&I) systems, primarily related to “ensuring the adequacy of the safety systems (those used to maintain control of the plant if it goes outside normal conditions), and their independence from the control systems (those used to operate the plant under normal conditions)”.

Following the review conducted by ASN and IRSN, of the first elements provided by EDF in response to ASN’s request, ASN concluded, in a letter addressed to EDF on 9 July 2010 that the ability of the SPPA T2000 platform to assume some protective functions for the reactor was yet to be demonstrated. Hence, it requested EDF to implement a change in the T2000 platform in order to improve robustness and to authorise its use for EPR-type reactors. That change consisted in duplicating on the Téléperm XS platform a certain number of protective functions of the reactor, which are borne by the SPPA T2000 platform.

EDF was required to present the detailed elements of that evolution in the design and the impact on the demonstration of the reactor’s safety by the end of 2010. No updates on this issue are available yet.

7. WENRA SAFETY OBJECTIVES AND REFERENCE LEVELS BENCHMARK

7.1 Differences in Objective and Scope

The reference levels issued by WENRA in 2008 address existing plants. They should also be met by new reactors. In addition, for new reactors, WENRA published in 2010 a set of safety objectives.

The reference levels were based on IAEA safety requirements and guides. For the purpose of harmonisation of the regulatory requirements in European countries operating nuclear power plants, the reference levels were selected to cover issues where significant differences were expected between the WENRA member countries. The reference levels do not therefore cover all the aspects important to safety, but only the aspects that were considered at the time as having the most potential for harmonisation of regulatory requirements.

The safety objectives for new reactors were initially based on the IAEA SF-1 publication (Fundamental Safety Principles), but have incorporated elements from the French-German Technical Guidelines for EPR, Finnish regulatory requirements for new reactors and the UK Safety Assessment Principles. The safety objectives for new reactors are formulated in a relative manner, in comparison with the existing reactors, and represent high-level, general requirements. Of particular interest is the concept of “practical elimination” of certain severe accident sequences that represented or represent a concern for the reactors currently in operation (e.g. high pressure core melt ejection scenarios and direct containment heating in LWRs). An explanation for this concept is provided – “the possibility of certain conditions occurring is considered to have been practically eliminated if it is physically impossible for the conditions to occur or if the conditions can be considered with a high degree of confidence to be extremely unlikely to arise” (reference is made to NS-G-1.10 [13], but in fact this concept has been used earlier, in the French-German Technical Guidelines for EPR). “Practical elimination” of certain accident scenarios is similar, in principle, to the concept of “incredibility of failure” applied to exclude gross failure of reactor pressure vessels from the design basis.

The reference levels and the safety objectives do not include quantitative safety objectives (except for the specification of at least 30 minutes available before operator action is required in design basis accidents). Although some quantitative criteria could have been attached to the qualitative safety objectives for new reactors, agreement was not reached on such criteria, the concerns expressed being linked with the differences in safety analysis methods and assumptions.

7.2 Comparison of Safety Objectives

The WENRA Safety Objectives for the design, siting, construction, commissioning and operation of new nuclear power plants are formulated in comparison to currently operating nuclear power plants.

Objective O1. Normal operation, abnormal events and prevention of accidents, refers to reducing the frequencies of abnormal events by enhancing plant capability to stay within normal operation and to reducing the potential for escalation to accident situations by enhancing plant capability to control abnormal events. RD-337 design requirements for new reactors are not formulated in comparison to currently operating nuclear power plants.

Objective O2. Accidents without core melt, refers to ensuring that accidents without core melt induce no off-site radiological impact or only minor radiological impact, and to reducing, as far as reasonably achievable, CDF and releases.

To achieve the objective O2, it is expected that the off-site radiological impact of accidents without fuel melt is less than the intervention levels for iodine prophylaxis, sheltering and evacuation. These intervention levels, which are used in the 5th level of defence in depth, have already been enforced by EU members in their national regulation to comply with Directive 96/29/Euratom of 13 May 1996, Article 50.2, and are consistent with the International Commission on Radiological Protection (ICRP) recommendations. For instance, in ICRP-63 [14], the intervention level for sheltering is 50 mSv in 2 days. Design targets should be set below these intervention levels.

RD-337 includes quantitative safety goals for new reactors, but these are formulated as stand-alone goals, not in comparison to the expectations for the reactors currently in operation.

The dose acceptance criterion of 20 mSv for DBAs (calculated for 30 days) has to be compared with the emergency response levels established in Canada to check what measures are expected (e.g. iodine prophylaxis, sheltering) in case of DBA. (Note: 20 mSv represents a projected dose, while emergency response levels are usually based on averted dose).

The small release frequency quantitative safety goal is established such that the sum of frequencies of all events that would require temporary evacuation is less than 1E-5/year. This implies that for accidents without core melt no evacuation is required (taking into account also the classification of events in RD-310 and the CDF safety goal in RD-337).

The Canadian Guidelines for Intervention during a Nuclear Emergency provide the following indications:

Regarding sheltering:

“Sheltering is recommended if the action will avert a dose of at least 5 mSv over a period of 1 day. This value is consistent with IAEA recommendations of 10 mSv in two days, but recognizes that the effectiveness of sheltering is significantly decreased after about 1 day.”

Regarding iodine prophylaxis:

“Administration of potassium iodide to the whole population in the affected area is recommended at the dosage levels specified by the World Health Organisation (WHO 1989, 1999) if the action will avert a thyroid dose of at least 100 mSv. Dosage levels recommended by the U.S. Food and Drug Administration (FDA 2001) differ slightly from the WHO dosage levels, but are also acceptable. Recommended age-specific administration quantities are given in Table 1. A brief rationale for administering stable iodine to avert a 100 mSv thyroid dose is given below:

• A dose saving of 90 % or more can be achieved if there is sufficient advance warning to administer stable iodine several hours before exposure. This can lead to a substantial reduction in thyroid cancer risk.

• The side effects of stable iodine prophylaxis are minimal.

• The likelihood of restoring public confidence and relieving anxiety is increased if authorities take specific and concrete countermeasures. Since the timely administration of stable iodine can avert practically all of the dose from inhaled radio-iodine, the reassurance provided should more than offset the anxiety associated with the measure.

• The benefits and risks of stable iodine prophylaxis are expected to be similar to those for sheltering, with minimal disruption or side effects. Based on the tissue weighting factor of 0.05 for the thyroid (ICRP 1990), the cancer risk associated with a 100 mSv thyroid dose is equivalent to an effective whole body dose of 5 mSv, which is the intervention level for sheltering.

• For practical reasons, a single intervention level of 100 mSv is recommended for all ages, which is consistent with the recommendations of the IAEA.”

In accordance with WENRA Objective O2, for design basis accidents (traditionally considered as accidents without core melt), there should be no necessity for iodine prophylaxis, sheltering or evacuation. The dose acceptance criterion of 20 mSv for DBAs provided in RD-337 refers to a projected dose calculated for 30 days.

RD-337 does not specify dose acceptance criteria for the thyroid dose but the Guidelines for Intervention during a Nuclear Emergency mention that “the cancer risk associated with a 100 mSv thyroid dose is equivalent to an effective whole body dose of 5 mSv, which is the intervention level for sheltering.”

The doses in the Canadian Guidelines for Intervention during a Nuclear Emergency are averted doses. In accordance with these guidelines, sheltering would be justified if the averted dose is greater than 5 mSv over a period of 1 day, and evacuation is recommended if the action will avert a dose of at least 50 mSv over a period of up to 7 days. This implies that evacuation is not needed for design basis accidents but, for those design basis accidents for which the projected dose is greater than 5 mSv over a period of 1 day, sheltering and iodine prophylaxis may be needed. Further investigation of this interpretation should be considered by the CNSC.

Objective O3. Accidents with core melt, refers to reducing potential radioactive releases to the environment from accidents with core melt, also in the long term, for which qualitative criteria are provided: practical elimination of accidents with core melt which would lead to early or large releases, and design provisions such that only limited protective measures in area and time are needed for the public for those accidents with core melt which have not been practically eliminated.

To achieve the objective O3, it is expected that the off-site radiological impact of accidents with core melt only leads to limited protective measures in area and time (no permanent relocation, no long term restrictions in food consumption, no need for emergency evacuation outside the immediate vicinity of the plant, limited sheltering).

These protective measures are associated with intervention levels, which are used in the 5th level of defence in depth. Such intervention levels have already been enforced by EU members in their national regulation to comply with Directive 96/29/Euratom of 13 May 1996, article 50.2, and are consistent with the ICRP recommendations. For instance, in ICRP-63, the intervention level for sheltering is 5-50 mSv in 2 days.

Considering these intervention levels, design targets should be set so that only limited protective measures in area and time are needed. These design targets should take due account of the uncertainties associated with the use of best estimate methodologies for core melt accidents.

RD-337 does not explicitly address “early” releases (it only includes requirements for containment capability in severe accidents: “Containment maintains its role as a leak-tight barrier for a period that allows sufficient time for the implementation of off-site emergency procedures following the onset of core damage. Containment also prevents uncontrolled releases of radioactivity after this period.”).

The RD-337 quantitative safety goal for Large Release Frequency implies that long term relocation would not be required with a frequency greater than 1E-6 per reactor year.

As regards measures such as “limited” sheltering, emergency evacuation outside the “immediate vicinity” of the plant and long term restrictions on food consumption, it has to be checked how the emergency response levels in Canada correlate with the quantitative safety goals in RD-337.

WENRA objectives for accidents with core melt do not provide quantitative safety goals; therefore it is not possible to compare this objective with the provisions of RD-337. The Canadian Guidelines for Intervention during a Nuclear Emergency provide the following indications:

Regarding evacuation:

“[…] evacuation is recommended if the action will avert a dose of at least 50 mSv over a period of up to 7 days.”

Regarding relocation:

“Relocation should be considered if the action will avert a dose of at least 50 mSv for a period of up to one year following the time of the assessment. The difference between the initiating criteria of 50 mSv/year recommended here and the 30 mSv/month recommended by the IAEA is more apparent than real. Because of rapid decay of short-lived radionuclides, a large fraction of an annual dose of 50 mSv would be delivered during the first month.”

Regarding long term restrictions in food consumption:

“The Intervention Level for food controls has been set at 1 mSv per year for each of three food groups (fresh milk, other commercial foods and beverages, and public drinking water). This is based on an intervention level of about 3 mSv per year for the total diet, apportioned equally amongst the three groups.”

In accordance with WENRA Objective O3, for accidents involving core melt there should be no need for permanent relocation, no need for emergency evacuation outside the immediate vicinity of the plant, only limited sheltering, and no long term restrictions in food consumption. In the context of the Canadian Guidelines for Intervention during a Nuclear Emergency this would be translated into:

- effective doses estimated for 7 days for the vicinity of the plant (interpreted as outside the site boundary) less than 50 mSv (no need for emergency evacuation);

- effective doses estimated for 1 year less than 50 mSv (no need for permanent relocation).

Due to the fact that WENRA Objective O3 does not clarify what “limited sheltering” and “long term restrictions in food consumptions” signify in terms of time periods, a comparison with the intervention levels in the Canadian Guidelines is not possible.

RD-337 specifies two safety goals related to temporary evacuation and long term relocation, expressed in quantities of releases of certain isotopes vs. frequency:

- Small Release Frequency: The sum of frequencies of all event sequences that can lead to a release to the environment of more than 1E15 Becquerel of iodine-131 is less than 1E-5 per reactor year. A greater release may require temporary evacuation of the local population.

- Large Release Frequency: The sum of frequencies of all event sequences that can lead to a release to the environment of more than 1E14 Becquerel of cesium-137 is less than 1E-6 per reactor year. A greater release may require long term relocation of the local population.

The safety goals in Section 4.2.2 cannot be directly linked to dose acceptance criteria and no insights were available to the reviewers during the elaboration of the present study on the basis for linking the above mentioned releases with emergency measures.

The whole interpretation of the WENRA objectives in relation to the intervention values in the Canadian Guidelines for Intervention during a Nuclear Emergency, and the relation with the dose acceptance criteria and safety goals in RD-337, should be subject to more in-depth consideration by the CNSC. The details of the safety analysis practices have not been within the scope of this study and, unless they are specified, no conclusions can be drawn. For example, the calculation of the doses as part of the radiological consequence analyses is usually done for 30 days, without taking into account emergency response measures. If estimation of doses for 1 year were required, the calculations might credit the emergency response actions (e.g. sheltering, food bans, temporary evacuation). In any case, uncertainties in the estimation of doses are generally considered to be significant, and this was one of the reasons for which WENRA has not established any quantitative safety objectives in terms of doses resulting from accidents.

Objective O4, Independence between all levels of defence-in-depth, refers to enhancing, in comparison with currently operating NPPs, the effectiveness of the independence between all levels of defence-in-depth, in particular through diversity provisions. RD-337 requirements on defence-in-depth and on design for reliability are not formulated in relation to currently operating reactors.

Objective O5, Safety and security interfaces, refers to ensuring that safety measures and security measures are designed and implemented in an integrated manner. Equivalent requirements are provided in RD-337 Section 6.6, Facility Layout.

Objective O6, Radiation protection and waste management, refers to reducing as far as reasonably achievable, by design provisions and for all operating states, decommissioning and dismantling activities, the individual and collective doses for workers, the radioactive discharges to the environment and the quantity and activity of radioactive waste. Equivalent requirements are provided in RD-337 Section 8.13, Radiation Protection.

Objective O7, Leadership and management for safety, refers to ensuring effective management for safety from the design stage, e.g. licensee leadership and management for safety, in-house technical and financial resources, awareness among the staff of the nuclear safety issues associated with their work, etc. Equivalent requirements are provided in RD-337 Section 5.0, Safety Management During Design.

7.3 Detailed Comparison of Design Requirements

7.3.1 Reference Levels in Appendix E - Design Basis Envelope for Existing Reactors

RL E 1.1 is equivalent with the radiation protection and technical safety objectives stated in Sections 4.1.1 and 4.1.2 of RD-337, complemented by the requirements on radiation protection acceptance criteria in Section 6.4.

RL E 2.1 requirements are equivalent with those of RD-337 Sections 4.3.1 Defence-in-depth and 4.3.2 Consideration of Physical Barriers.

RL E 2.2 requirements are equivalent with those of RD-337 Section 6.1.1 Consideration of Physical Barriers.

RL E 3.1 requirements are equivalent with those of RD-337 Section 6.2, Safety Functions. It has to be noted that the basis for this RL was IAEA NS-R-1 para. 4.6: “To ensure safety, the following fundamental safety functions shall be performed in operational states, in and following a design basis accident and, to the extent practicable, on the occurrence of those selected accident conditions that are beyond the design basis accidents:

(1) control of the reactivity;

(2) removal of heat from the core; and

(3) confinement of radioactive materials and control of operational discharges, as well as limitation of accidental releases.”

The formulation of the 3rd fundamental safety function is different in the RL than in the IAEA requirement. In RD-337, this function is split into 2 functions.

In the Canadian regulatory documents, “control of operational discharges and hazardous substances, as well as limitation of accidental releases” is mentioned as a fundamental safety function, while in the IAEA safety standards, WENRA RLs and regulatory documents from other jurisdictions, this function is considered included in “confinement of radioactive material”; the Canadian formulation is more precise (it could, in fact, include the first 3 functions mentioned).

Also, “monitoring of safety critical parameters…” is considered a fundamental safety function in Canadian regulatory documents, while in other jurisdictions and in documents issued by international organisations (e.g. IAEA, WENRA, etc.), this is considered as a support function.

Since these differences appear in high-level / general requirements, it cannot be inferred that they could lead to design differences.

Removal of heat is mentioned only in relation to cooling of the core (the same as in the RL and in the IAEA reference). It may be worth considering mentioning removal of heat from irradiated fuel outside the reactor.

RL E 4.1 requirements are covered mainly by RD-337 Sections 7.2, Plant Design Envelope and 7.3, Plant States. Classification of SSCs, specifications for the various plant states, postulated initiating events, are all covered in Section 7.0 General Design Considerations. Analysis assumptions and methods as part of the design basis are covered in Section 9.0 Safety Analysis. Requirements in section 5.7, Design Documentation, are also relevant.

RL E 4.2 requirements are covered by Sections 9.1, (Safety Analysis) General, 7.4, Postulated Initiating Events Considered in the Design, 7.3.3, Design Basis Accidents, and 7.8, Equipment Environmental Qualification, of RD-337 and by the requirements of RD-310 Section 5.2, Events to be Analyzed / 5.2.1, Identifying Events.

RL E 4.3 requirements are equivalent with those of RD-337 Section 5.0, Safety Management During Design. Relevant requirements are also found in RD-337 Section 5.6, Safety Assessment.

RL E 5.1 requirements are covered by those of RD-337 Sections 7.4 Postulated Initiating Events Considered in the Design and 7.4.1 Internal Hazards.

RL E 5.2 requirements are equivalent with those in Section 7.4.2, External Hazards, of RD-337.

RL E 6.1 requirements are equivalent with those in Section 7.4.3, Combinations of Events, of RD-337.

RL E 7.1 requirements are equivalent with those in Section 7.3, Plant States, of RD-337.

RL E 7.2, 7.3 and 7.4 requirements are partially covered by those in RD-337 Section 5.7, Design Documentation. Requirements in this Section refer to “acceptance criteria and derived acceptance criteria” (8) in a generic manner and do not include explicit requirements for the design documentation to specify all the criteria mentioned in RLs E 7.2, 7.3 and 7.4.

RL E 7.5 requires criteria to be specified for protection of containment, including temperatures, pressures and leak rates. These criteria are implicitly addressed in the requirements in RD-337 Sections 8.6.2, Strength of the Containment Structure, and 8.6.4, Leakage.

RL E 8.1 requirements are covered by those in RD-337 Section 7.2, Plant Design Envelope, and RD-310 Section 5.4.6 Conservatism in Analysis.

RL E 8.2 requirements are equivalent with those in RD-337 Section 7.6.2 Single Failure Criterion.

RL E 8.3 requirements are equivalent with those in RD-310 Section 5.4.4 Analysis Assumptions.

RL E 8.4 requirements are equivalent in principle with those in RD-337 Section 8.4, Means of Shutdown.

RL E 8.5 requirements are equivalent in principle with those in RD-310 Sections 5.4.4, Analysis Assumptions, and 5.4.6, Conservatism in Analysis, although the requirements in RD-310 are more general than the straightforward requirement in E 8.5. It should be checked whether a requirement such as the one in E 8.5 needs to be included in a regulatory document providing guidance on safety analysis.

RL E 8.6 requirements are equivalent with those in RD-310 Section 5.4.4, Analysis Assumptions.

RL E 8.7 requirements are equivalent with those in RD-310 Sections 5.3.4, Acceptance Criteria for AOOs and DBAs, and 5.4.3, Analysis Data.

RL E 9.1 requirements are equivalent with those of RD-337 Section 7.6.3, Fail-safe Design.

RL E 9.2 requirements are covered by those of RD-337 Section 7.1, Classification of SSCs. Relevant provisions are included also in Sections 7.6.1, Common-cause Failures, and 7.6.5, Shared Systems.

RL E 9.3 requires 30 minutes to be available before operator action is necessary to respond to an initiating event (exceptions have to be justified). The minimum time specified by RD-337 before operator action from the MCR is required is 15 minutes. This difference in requirements has an impact on design provisions. This impact can only be assessed on a case-by-case basis, for each design submitted for regulatory review.

RL E 9.4 requirements are mainly covered by those in RD-337 Section 7.6, Design for Reliability. Provisions on the use of proven components, redundancy, diversity, physical and functional separation and isolation are covered by the following sections:

- 5.4 Proven Engineering Practices
- 7.6.1 Common-cause Failures
- 7.6.2 Single Failure Criterion
- 7.6.3 Fail-safe Design
- 7.6.4 Allowance for Equipment Outages
- 7.6.5 Shared Systems
- 7.8 Equipment Environmental Qualification.

RL E 9.5 and 9.6 requirements are equivalent with those in RD-337 Section 8.4, Means of Shutdown.

RL E 9.7 requirements are covered by those of RD-337 Sections 8.7, Heat Transfer to an Ultimate Heat Sink, and 8.8, Emergency Heat Removal System.

RL E 9.8 requirements are equivalent with those in RD-337 Section 8.6.1, (Containment) General Requirements.

RL E 9.9 requirements are equivalent in principle with those of RD-337 Section 8.6.6, Containment Isolation. For lines that are part of the reactor coolant pressure boundary and that penetrate the containment, the requirement for the isolation valves to be as close as practical to the containment is not covered in RD-337. Note that for “closed systems”, RD-337 includes a provision requiring the isolation valve to be located as close as practicable to the containment structure.

RL E 9.10 requirements are covered by those of RD-337 Section 8.6.6, Containment Isolation (Closed Systems).

RL E 10.1 requirements are equivalent with those of RD-337 Sections 7.9.1 (Instrumentation and Control) General Considerations and 7.9.3 Post-accident Instrumentation.

RL E 10.2 requirements are covered by those of RD-337 Section 7.9.1 (Instrumentation and Control) General Considerations. Also, the provisions in Sections 7.8, Equipment Environmental Qualification, and 7.13, Seismic Qualification, apply to all SSCs, including I&C.

RL E 10.3, 10.4 and 10.5 requirements are equivalent with those of RD-337 Section 8.10.1, Main Control Room.

RL E 10.6 requirements are equivalent with those of RD-337 Section 8.10.2, Secondary Control Room.

The requirements relevant for RL E 10.7 are covered in several sections of RD-337, e.g.:

- 7.6.2 Single Failure Criterion
- 7.6.4 Allowance for Equipment Outages
- 7.9 Instrumentation and Control
- 7.9.1 General Considerations
- 8.4.1 Reactor Trip Parameters
- 7.6.5 Shared Systems - Sharing of SSCs between Reactors.

RL E 10.8 requirements are addressed by the general requirements in RD-337 Section 7.14, In-service Testing, Maintenance, Repair, Inspection, and Monitoring. Explicit provisions on testing from the sensor to the actuator are provided in Section 7.6.5, Shared Systems.

RL E 10.9 requirements are equivalent with those of RD-337 Section 7.9.1 (Instrumentation and Control) General Considerations.

RL E 10.10 requirements are equivalent with those of RD-337 Section 7.9.2, Use of Computer-based Systems or Equipment.

RL E 10.11 requirements are equivalent with those of RD-337 Section 8.9, Emergency Power Supply.

RL E 11.1 is a requirement for reviewing and maintaining a valid design basis during the operational phase. The CNSC may consider the opportunity of including provisions for the review of the design basis in pre-operational phases, to take account of significant new safety information, if available and relevant (e.g. from applicable operating experience, from research, etc.). Section 5.5, Operational Experience and Safety Research, includes only a general principle, without details.

The list of events provided in the Appendix to the reference levels on the design basis envelope includes both generic and technology-specific events. RD-337 is technology-neutral and does not include detailed lists of events. However, a regulatory document specifying requirements or providing guidance on safety analysis may include more examples of postulated events.

7.3.2 Reference Levels in Appendix F - Design Extension of Existing Reactors

RL F 1.1 requirements are equivalent in principle with those of RD-337 Sections 7.2, Plant Design Envelope, and 6.4, Radiation Protection and Acceptance Criteria. However, RD-337 addresses new reactors, while WENRA Appendix F addresses reactors already in operation, for which a “design extension” may be necessary to cope with severe accidents and other conditions not considered in the original design.

RL F 2.1 requirements are equivalent in principle with those of RD-337 Section 7.3.4 Beyond Design Basis Accidents, with the same mention as above, that RD-337 addresses new reactors (and RD-337 requirements are more detailed / prescriptive), while WENRA Appendix F addresses reactors already in operation.

RL F 2.2 requirements are covered by those in RD-337 Section 7.3.4 Beyond Design Basis Accidents.

RL F 3.1 requirements are covered by those in RD-337 Sections 7.9.3, Post-accident Instrumentation, 8.10.1.1, Safety Parameter Display System, and 7.3.4, Beyond Design Basis Accidents/Severe Accidents.

RL F 3.2 requirements are covered by those in RD-337 Sections 8.10.1.1, Safety Parameter Display System, and 8.10.2, Secondary Control Room.

RL F 4.1 requirements are covered by those in RD-337 Sections 7.3.4, Beyond Design Basis Accidents, 8.6.1, (Containment) General Requirements, and 8.6.12, Severe Accidents.


RL F 4.2 requirements are covered by those in RD-337 Sections 7.3.4, Beyond Design Basis Accidents, and 8.6.12, Severe Accidents.

RL F 4.3 requirements are covered by those in RD-337 Sections 8.6.9, Containment Pressure and Energy Management, and 8.6.12, Severe Accidents.

RL F 4.4 requirements are covered by those in RD-337 Section 8.6.12, Severe Accidents.

RL F 4.5 requirements are equivalent in principle with those of RD-337 Sections 8.6.9, Containment Pressure and Energy Management, and 8.6.12, Severe Accidents. RD-337 includes requirements for management of pressure inside the containment in case of severe accidents but does not explicitly address “fast as well as slow containment overpressurization”. WENRA RLs F 4.3 and F 4.5 are not very explicit either. Consideration could be given as to where these aspects need to be clarified in a regulatory guidance document.

RL F 4.6 requirements have no equivalent in RD-337. High pressure core melt scenarios are specific to LWRs.

RL F 4.7 requirements are covered by those in RD-337 Section 8.6.12, Severe Accidents.

The list of events provided in the Appendix in relation to the interpretation of RL F 2.1 includes both generic and technology-specific events. RD-337 is technology-neutral and does not include detailed lists of events. However, a regulatory document specifying requirements or providing guidance on safety analysis may include examples of severe accident scenarios.

7.3.3 Reference Levels in Appendix G - Safety Classification of Structures, Systems and Components

RL G 1.1 requirements are covered by those of RD-337 Section 7.1, Classification of SSCs.

RL G 2.1 requirements have no equivalent in RD-337. RD-337 does not include an explicit requirement for the safety classification to be based primarily on deterministic methods, complemented where appropriate by probabilistic methods and engineering judgment.

RL G 2.2 requirements have no equivalent in RD-337. RD-337 does not include a provision for the safety classification to identify specific requirements for each safety class.

RL G 3.1 and 3.2 requirements are covered by those of RD-337 Section 7.1, Classification of SSCs.

RL G 4.1 and 4.2 requirements are addressed by the requirements in Section 7.8, Equipment Environmental Qualification.

7.3.4 Reference Levels in Appendix H - Operational Limits and Conditions

RL H 1.1 requirements are covered by those of RD-337 Section 4.3.3, Operational Limits and Conditions.

RL H 1.2 requirements are covered by those of RD-337 Section 4.3.3, Operational Limits and Conditions. Although the wording differs, the requirements are equivalent in principle. The intent of the reference level, which is based on the IAEA NS-G-2.2, para. 3.1, is covered in RD-337.


RL H 2.1 requirements are equivalent in principle with those of RD-337 Sections 4.3.3, Operational Limits and Conditions, 5.7, Design Documentation and 9.2, Analysis Objectives. RD-337 does not explicitly mention validation of OLCs based on commissioning tests.

RL H 2.2 and 2.3 requirements are more relevant for the operational phase. There are no explicit requirements in RD-337 addressing the review, update or modification of OLCs. These may be addressed in another regulatory document.

RL H 3.1 requirements are equivalent in principle with those of RD-337 Section 4.3.3, Operational Limits and Conditions. RL H 3.1 is more relevant for the operational phase.

RL H 3.2 contains requirements for the operational phase, which are not under the scope of RD-337.

RL H 4.1 requirements are equivalent in principle with those of RD-337 Section 4.3.3, Operational Limits and Conditions. RD-337 does not explicitly require that OLCs cover “all operational plant states including power operation, shutdown and refuelling, any intermediate conditions between these states and temporary situations arising due to maintenance & testing” (only the shutdown states are mentioned explicitly). This difference comes from the different technology: for CANDU plants, refuelling is performed during operation at power and is implicitly included in normal operation, so no differentiation is needed. To improve clarity when applying this requirement to reactors of a design different from CANDU, the CNSC might consider explicitly mentioning power operation, refuelling and intermediate states, as well as “temporary situations arising due to maintenance & testing”.

RL H 5.1 does not have an equivalent requirement in RD-337 (i.e. for ensuring margins between the normal operating values and safety systems settings such that undesirably frequent actuation of safety systems is avoided).

RL H 5.2 is not explicitly covered in RD-337. Conservatism is addressed in several requirements of RD-337, but not explicitly in relation to the choice of the safety limits.

RL H 6.1 is not explicitly covered in RD-337. RD-337 does not explicitly address the time allowed for actions taken by operating personnel in response to deviations from OLCs. The “minimum amount of operable equipment” is not explicitly addressed either (it may be considered as implicit to the requirement in Section 9.2, on OLCs including allowable “operating configurations”).

RL H 6.2 is not explicitly covered in RD-337. There is no explicit provision in RD-337 for the OLCs to specify the time allowed to complete the actions necessary to bring the plant to a safer state in case of operability requirements not being met.

RL H 6.3 does not have an equivalent requirement in RD-337 (i.e. for operability requirements to state, for the various modes of normal operation, the number of systems or components important to safety that should be in operating condition or standby condition). It may be considered as implicit to the requirement in Section 9.2, on OLCs including allowable “operating configurations”.

RL H 7.1 and 7.2 represent requirements for operation (not for design).

RL H 8.1 does not have an equivalent requirement in RD-337. RD-337 does not include a requirement on OLCs to include minimum staffing levels for shift staff. The minimum shift complement depends on the design; therefore consideration could be given to including such a provision in future revisions of RD-337.

The CNSC Regulatory Guide G-323, “Ensuring the Presence of Sufficient Qualified Staff at Class I Nuclear Facilities – Minimum Staff Complement” [15], addresses this in Section 5.1.1, Use of a Systematic Analysis.

RL H 9.1, 10.1 and 10.2 represent requirements for operation (not for design).

7.3.5 Reference Levels in Appendix S - Protection against internal fires

RL S 1.1 requirements are covered by those of RD-337 Sections 7.12.1, (Fire Safety) General Provisions and 7.12.3, Environmental Protection and Nuclear Safety.

RL S 2.1 requirements are covered by those of RD-337 Sections 7.4.1, Internal Hazards, and 7.12.1, (Fire Safety) General Provisions.

RL S 2.2 and 2.3 do not have equivalent requirements in RD-337. RD-337 does not explicitly require that fire protection measures are based on the fire hazard analysis. Also, RD-337 does not include explicit requirements on the use of fire compartments and fire cells, based on the fire hazard analysis.

RL S 2.4 requirements are equivalent with those of RD-337 Section 7.12.3, Environmental Protection and Nuclear Safety.

RL S 2.5 requirements are covered by those of RD-337 Section 7.12.2, Safety to Life.

RL S 3.1 requirements are equivalent in principle with those of RD-337 Section 9.3, Hazards Analysis, where general requirements for all hazard analyses are provided. RD-337 does not address fire hazard analysis in particular.

RL S 3.2 to 3.4 include requirements for fire hazard analysis and fire PSA. RD-337 does not address fire hazard analysis and fire PSA in particular.

RL S 4.1 includes requirements on fire compartments and fire cells (i.e. to be equipped with fire detection and alarm features, provided with non-interruptible emergency power supplies and appropriate fire resistant supply cables, etc.). RD-337 does not include explicit requirements on fire compartments and fire cells.

RL S 4.2 includes requirements for the fire extinguishing systems. RD-337 does not detail the types of extinguishing systems to be installed.

RL S 4.3 to 4.5 include detailed requirements for fire water distribution and ventilation systems. RD-337 does not include such detailed requirements.

RL S 5.1 and 6.1 to 6.4 address operational provisions, which are not within the scope of RD-337.

7.4 Summary of findings

7.4.1 Differences in safety goals

The WENRA safety objectives for new reactors do not include quantitative safety goals and are formulated in relation to the expectations for the reactors currently in operation (i.e. the level of safety expected for new reactors is not specified in an absolute manner, but in comparison to the operating reactors). RD-337 requirements for new reactors are not formulated in comparison to currently operating nuclear power plants. RD-337 includes quantitative safety goals for new reactors, but these are formulated as stand-alone goals, not in comparison to the expectations for the reactors currently in operation. Therefore, a comparison between the safety goals in RD-337 and the WENRA safety objectives is of little value, being highly speculative.

Although no agreement was reached within WENRA on quantitative safety goals, the Reactor Harmonization Working Group (RHWG) report on safety objectives for new power reactors [16], in chapter 7 on quantitative targets, makes several references to ICRP Publication 63 [14]. ICRP 63 recommendations are intended to be used for intervention in emergencies and not for design (the ICRP publication relevant to safety goals for the design of nuclear installations is ICRP 64 [17]). In the same manner, the approach in the European Utility Requirements (EUR), a document produced by the European industry, not endorsed by any regulatory body in Europe but used by the utilities in bid specifications for new reactors [18], is to set criteria for severe accidents linked with the generic intervention levels for emergency situations based on ICRP 63, which gives values based on averted doses, i.e. doses that could be avoided if the respective emergency measures are implemented; in an ideal situation, the averted dose would equal the projected / estimated dose (note that ICRP 103 [19] was issued in 2007 and includes reference levels referring to residual doses after emergencies rather than to averted doses). Since, unlike ICRP 64, ICRP 63 does not give any indication about the probabilities that would be acceptable, the EUR document uses the value recommended for Large Early Release Frequency (LERF), 1E-6 /year (the “frequency of exceeding the criteria for limited impact”, meaning, basically, that the frequency of having an accident that requires certain emergency actions is < 1E-6/year). The logic behind establishing LERF values linked with the ICRP 63 levels is based on the qualitative criterion of no need for evacuation in a severe accident.

Since the safety goals in the WENRA safety objectives for new reactors are similar to those in the French-German Technical Guidelines, no additional discussion is provided in this section. Instead, the reader should refer to Sections 6.3 and 7.2 (Objectives O2 and O3).

7.4.2 Coverage of WENRA Reference Levels

The most important difference from the point of view of the potential impact on the design provisions is that WENRA RL E 9.3 requires 30 minutes to be available before operator action is necessary to respond to an initiating event (exceptions have to be justified), while the minimum time specified by RD-337 before operator action from the MCR is required is 15 minutes. This impact can only be assessed on a case-by-case basis, for each design submitted for regulatory review.

With regard to provisions for the contents of the design documentation, RD-337 refers to “acceptance criteria and derived acceptance criteria” in a generic manner but does not include explicit requirements for the design documentation to specify all the criteria mentioned in RL E 7.2 to 7.4, such as criteria for protection of the fuel rod integrity (fuel temperature, DNB, cladding temperature, and maximum allowable fuel damage during any design basis event), for the protection of the (primary) coolant pressure boundary and of the secondary coolant system (maximum pressure, maximum temperature, thermal and pressure transients and stresses).


With regard to containment isolation, for lines that are part of the reactor coolant pressure boundary that penetrate the containment, the requirement for the isolation valves to be as close as practical to the containment is not covered in RD-337.

The list of events provided in the Appendix to the reference levels on the design basis envelope includes both generic and technology-specific events. RD-337 is technology-neutral and does not include detailed lists of events. However, a regulatory document specifying requirements or providing guidance on safety analysis may include more examples of postulated events.

RD-337 includes requirements for management of pressure inside the containment in case of severe accidents but does not explicitly address “fast as well as slow containment overpressurization”. WENRA RLs 4.3 and 4.5 are not very explicit either. Consideration could be given as to where these aspects need to be clarified in a regulatory guidance document.

RD-337 does not include an explicit requirement for the safety classification to be based primarily on deterministic methods, complemented where appropriate by probabilistic methods and engineering judgment, nor a provision for the safety classification to identify specific requirements for each safety class (e.g. on codes and standards in design, manufacturing, construction and inspection, need for emergency power supply, environmental qualification, quality requirements, etc.).

There is a requirement in RD-337 for ensuring margins between the normal operating values and safety system settings such that undesirably frequent actuation of safety systems is avoided.

Conservatism is addressed in several requirements of RD-337, but not explicitly in relation to the choice of the safety limits.

RD-337 does not explicitly address the time allowed for actions taken by operating personnel in response to deviations from OLCs. The “minimum amount of operable equipment” is not explicitly addressed either (it may be considered as implicit to the requirements in Section 4.3.3 and Section 9.2, on OLCs including allowable “operating configurations”).

RD-337 does not include a requirement for OLCs to include minimum staffing levels for shift staff. The minimum shift complement depends on the design; therefore, consideration could be given to including such a provision in future revisions of RD-337.

With regard to fire safety, RD-337 does not explicitly require that fire protection measures be based on the fire hazard analysis, and it does not address fire hazard analysis and fire PSA in particular. Also, RD-337 does not include explicit requirements on the use of fire compartments and fire cells, based on the fire hazard analysis, nor requirements on fire compartments and fire cells (i.e. to be equipped with fire detection and alarm features, provided with non-interruptible emergency power supplies and appropriate fire-resistant supply cables, etc.), fire water distribution and ventilation systems. It also does not detail the types of extinguishing systems to be installed.

Table 1 below provides a summary of the coverage of the WENRA RL in RD-337.


Table 1 – Coverage of the WENRA RL in RD-337 (and RD-310 where applicable)

WENRA APPENDIX E - DESIGN BASIS ENVELOPE FOR EXISTING REACTORS

RL      Covered / Partially Covered / Equivalent in principle / Not Covered      RD-337 Section      RD-310 Section

E 1.1     √     4.1.1, 4.1.2
E 2.1     √     4.3.1, 4.3.2
E 2.2     √     6.1.1
E 3.1     √     6.2
E 4.1     √     7.2, 7.3, 7.0, 9.0, 5.7
E 4.2     √     9.0, 9.1, 7.4, 7.33, 7.8     5.2.1
E 4.3     √     5.0, 5.6
E 5.1     √     7.4, 7.4.1
E 5.2     √     7.4.2
E 6.1     √     7.4.3
E 7.1     √     7.3
E 7.2     √     5.7
E 7.3     √     5.7
E 7.4     √     5.7
E 7.5     √     8.6.2, 8.6.4
E 8.1     √     7.2     5.4.6
E 8.2     √     7.6.2
E 8.3     √     5.4.4
E 8.4     √     8.4
E 8.5     √     5.4.4, 5.4.6
E 8.6     √     5.4.4
E 8.7     √     5.3.4, 5.4.3
E 9.1     √     7.6.3
E 9.2     √     7.1, 7.6.1, 7.6.5
E 9.3     √     7.9.1, 8.10.4, 7.21
E 9.4     √     7.6, 5.4, 7.6.1, 7.6.2, 7.6.3, 7.6.4, 7.6.5, 7.8
E 9.5     √     8.4
E 9.6     √     8.4
E 9.7     √     8.7, 8.8
E 9.8     √     8.6.1
E 9.9     √     8.6.6
E 9.10    √     8.6.6
E 10.1    √     7.9.1, 7.9.3
E 10.2    √     7.9.1, 7.8, 7.13
E 10.3    √     8.10.1
E 10.4    √     8.10.1
E 10.5    √     8.10.1
E 10.6    √     8.10.2
E 10.7    √     7.6.2, 7.6.4, 7.9.1, 8.4.1, 7.6.5
E 10.8    √     7.14, 7.6.5
E 10.9    √     7.9.1
E 10.10   √     7.9.2
E 10.11   √     8.9
E 11.1    √     5.0, 5.5
App       √     7.4.1

WENRA APPENDIX F - DESIGN EXTENSION OF EXISTING REACTORS

RL      Covered / Partially Covered / Equivalent in principle / Not Covered      RD-337 Section      RD-310 Section

F 1.1     √     7.2, 6.4,
F 2.1     √     7.3.4
F 2.2     √     7.3.4
F 3.1     √     7.9.3, 8.10.1.1, 7.3.4
F 3.2     √     8.10.1.1, 8.10.2
F 4.1     √     7.3.4, 8.6.1, 8.6.12
F 4.2     √     7.3.4, 8.6.12
F 4.3     √     8.6.9, 8.6.12
F 4.4     √     8.6.12
F 4.5     √     8.6.9, 8.6.12
F 4.6     √
F 4.7     √     8.6.12
App       √

WENRA APPENDIX G - SAFETY CLASSIFICATION OF STRUCTURES, SYSTEMS AND COMPONENTS

RL      Covered / Partially Covered / Equivalent in principle / Not Covered      RD-337 Section

G 1.1     √     7.1
G 2.1     √
G 2.2     √
G 3.1     √     7.1
G 3.2     √     7.1
G 4.1     √     7.8
G 4.2     √     7.8

WENRA APPENDIX H - OPERATIONAL LIMITS AND CONDITIONS

RL      Covered / Partially Covered / Equivalent in principle / Not Covered      RD-337 Section      RD-310 Section

H 1.1     √     4.3.3
H 1.2     √     4.3.3
H 2.1     √     4.3.3, 5.7, 9.2
H 2.2     √ *
H 2.3     √ *
H 3.1     √ *   4.3.3
H 3.2     √ *
H 4.1     √     4.3.3
H 5.1     √
H 5.2     √
H 6.1     √     4.3.3, 9.2
H 6.2     √     4.3.3
H 6.3     √
H 7.1     √ *
H 7.2     √ *
H 8.1     √ **  4.3.3
H 9.1     √ *
H 10.1    √ *
H 10.2    √ *

WENRA APPENDIX S - PROTECTION AGAINST INTERNAL FIRES

RL      Covered / Partially Covered / Equivalent in principle / Not Covered      RD-337 Section

S 1.1     √     7.12.1, 7.12.3
S 2.1     √     7.4.1, 7.12.1
S 2.2     √     7.12.1
S 2.3     √
S 2.4     √     7.12.3
S 2.5     √     7.12.2
S 3.1     √     9.3
S 3.2     √
S 3.3     √
S 3.4     √
S 4.1     √
S 4.2     √     7.12.1
S 4.3     √
S 4.4     √
S 4.5     √
S 5.1     √ *
S 6.1     √ *
S 6.2     √ *
S 6.3     √ *
S 6.4     √ *

* Requirement for the operational phase
** Addressed in G-323 Section 5.1.1


8. CONSERVATISM, SAFETY BENEFITS AND COSTS

8.1 Scope and limitations of the assessment of conservatism, safety benefits and costs

The assessment of the differences in the level of conservatism is limited to a comparison of regulatory requirements.

A more in-depth analysis would have necessitated the benchmarking of regulatory review practices and criteria. Since the comparison of regulatory review practices and criteria was outside the scope of the present study, safety criteria were compared only for the cases where these were provided in the regulatory documents subjected to benchmarking. A detailed comparison of all the criteria used in the regulatory review to assess compliance with the requirements was not performed.

Therefore, in the review of the conclusions of this study, as well as in any use of its conclusions, there are at least two factors to be considered:

1) the differences in scope (design specific vs. technology-neutral, existing plants vs. new reactors, etc.), style (prescriptive vs. goal-setting) and degree of detail between the regulatory requirements in various jurisdictions;

2) the availability and transparency of regulatory review practices and criteria.

The situation regarding the documentation and transparency of the regulatory review criteria is summarised below:

In the case of US NRC regulations, the criteria for assessing compliance are generally provided in the Standard Review Plan and in the regulatory guides.

In the case of STUK, only some of the criteria are provided in publicly available documents such as the YVLs.

The publicly available criteria for assessing the fulfilment of the Safety Assessment Principles issued by the UK nuclear regulator are provided in Technical Assessment Guides (which were not within the scope of the present study and which are not all up to date with the current SAPs), but these do not represent all the criteria used in the review, as the UK regulatory practice relies significantly on the experience of the assessors.

The French Technical Guidelines for new reactors, although eventually endorsed by ASN and used in the safety assessment and licensing of the EPR, represent design guidelines elaborated by technical support organisations (IRSN and GRS) rather than regulatory requirements, and are very detailed, prescriptive and focused on the EPR design. The TG include some criteria for the safety review of the EPR design, but it may be the case that additional, more detailed acceptance criteria, not provided in publicly available regulatory requirements and guidelines, have been used in the actual regulatory review (this remark refers to detailed assumptions on safety systems' performance, assumptions used in the calculation of radiological consequences, etc., which have not been prescribed by the regulator but which have been accepted when reviewing the safety analyses submitted in the licensing process, based on the applicant's justification).


The WENRA Reference Levels for existing reactors were intended to be incorporated into national regulatory requirements, and no supplementary information was provided by WENRA on the regulatory review criteria for assessing compliance with the reference levels: it is expected that the regulatory review criteria are those already used in the national practices, and there has been no WENRA initiative for harmonising safety assessment practices and criteria. This implies that, although the national regulatory requirements will be harmonised as regards the RLs, there will still be differences in the practical implementation of the RLs, due to differences in regulatory review and acceptance criteria.

Since the prescriptive / detailed regulatory guides used in the US, Finland and France have no counterpart in the Canadian nuclear regulatory documents, which are goal-setting and technology-neutral, it was not possible to fully assess the implications of certain regulatory requirements on the design of a nuclear power reactor proposed for licensing in these various jurisdictions. The same is true for the UK regulatory assessment principles and guides, which, although technology-neutral, rely on a different philosophy regarding safety goals: the SAPs include “band criteria”, i.e. in addition to Basic Safety Levels (BSLs, which correspond to the “limits” and “dose acceptance criteria” used in other jurisdictions), the SAPs provide for Basic Safety Objectives (BSOs). WENRA RLs, intended to be complied with even by the existing fleet of reactors in the European Union, are not likely to raise any issues in the licensing of new reactor designs. The WENRA safety objectives for new reactors were inspired by the French Technical Guidelines for new reactors and are more general / less prescriptive.

Another source of design differences which could not be fully addressed as part of this study is the compliance with national industrial codes and standards required by the regulations in force in various jurisdictions. The differences in the industrial codes and standards prescribed and / or considered acceptable by the national regulators lead to differences in design requirements and, implicitly, to design changes. For example, the French EPR had to be completely redesigned using American codes and standards in view of licensing in the US. Since the regulatory documents benchmarked make reference to national codes and standards in several instances, there is some uncertainty in the comparison of regulatory requirements due to the lack of the details provided in these codes and standards, which are important for judging compliance with the regulatory requirements.

The safety benefits and costs of potential design changes arising from the above mentioned sources cannot be quantified without taking account of the national philosophy and implementation of the ALARA / ALARP principle and of the national practices and criteria for justification of practices, limitation of risk and optimisation of protection.

Therefore, only a qualitative assessment is provided in the following section, based on the apparent conservatism of the regulatory requirements benchmarked. The term “apparent conservatism” is used to cater for situations where a requirement intended to be conservative can be considered satisfied based on realistic and best-estimate analyses rather than based on conservative analyses, as well as for situations where very demanding requirements are imposed, although the safety demonstration needed to show compliance implies significant uncertainties related to the phenomena analysed (this being the case, for example, for severe accident analyses).


8.2 Differences in regulatory requirements most important to conservatism, safety benefits and costs of design provisions

The most important differences in terms of apparent conservatism, perceived safety benefits and costs of implementation arising from the benchmark are related to:

- protection against severe accidents,

- containment design,

- the treatment of aircraft crash.

8.2.1 Protection against severe accidents

The US, Finnish and French requirements are more prescriptive / detailed as regards the safety requirements and criteria for design features used in severe accident management. Examples include:

- assumptions for hydrogen generation in a severe accident based on 100% fuel clad – coolant reaction (US and FI);

- containment integrity maintained for 24 hours following the onset of core damage (US and FI);

- design pressure and design temperature of the containment inner wall such as to allow a grace period of at least 12 hours without containment heat removal after a severe accident and to ensure its integrity and leak tightness even after the global deflagration of the maximum amount of hydrogen which could be contained in the containment building in the course of low pressure core melt accidents (FR);

- global hydrogen detonations and in-vessel and ex-vessel steam explosions threatening the containment integrity to be "practically eliminated" (FR);

- dedicated electrical and I&C systems to assist in the management of severe accidents and sufficient redundancy in the systems credited in severe accident management to meet the single failure criterion (FI).

It can be concluded that US, Finnish and French requirements impose a more prescriptive approach in the area of systems’ design for severe accident management. This does not necessarily imply that the US, Finnish and French requirements are more conservative, for the following reasons:

- The need for the containment to maintain its role as a leak-tight barrier during severe accidents is clearly stated in RD-337 (Section 7.3.4).

We note here that, as per Health Canada guidance and Provincial criteria, public evacuation at the onset of core damage is not mandatory in Canada, because early containment failure is not a concern for existing CANDU reactors, where the consequential challenges to containment integrity are likely to occur one or several days after the onset of core damage. However, RD-337 requires that the containment maintain its integrity and leak tightness, without needing to be vented, until off-site emergency measures are completed, regardless of when a decision on the implementation of these measures is taken. For comparison, the time limits for similar requirements are 24 hours in the US and Finland, and 12 hours in France.


- In addition, this requirement precludes containment failure (i.e. uncontrolled releases of radioactivity) at any time and due to any failure mode including DCH, hydrogen explosions, steam explosions, and basemat penetration due to MCCI.

- Although RD-337 is not prescriptive in how to define the hydrogen source term, the concern of hydrogen burns in severe accidents is not ignored: “The design identifies a radiological and combustible gas source term for use in the specification of the complementary design features for BDBAs” (RD-337, Section 7.3.4). Further (RD-337, Section 8.6.12), “Control of combustible gases” is an explicit item to show “the ability of the containment systems to withstand loads associated with severe accidents”.

- The Canadian regulatory framework includes specific requirements (see the CNSC regulatory document G-306) for severe accident management (SAM). Meeting G-306 requires adequately reliable instrumentation. In this area, RD-337 requires that “The design authority establishes initial severe accident management guidelines, taking into account the plant design features and the understanding of accident progression and associated phenomena” (RD-337, Severe Accidents part of Section 7.3.4). RD-337 also requires that “The design also identifies equipment to be used in management of severe accidents. A reasonable level of confidence that this equipment will perform as intended in the case of a severe accident is demonstrated by environmental, fire and seismic assessments” (RD-337, Severe Accidents part of Section 7.3.4). This provision also applies to instrumentation needed during severe accidents.

- The core damage frequency (CDF) limit in RD-337 is one order of magnitude lower (i.e. more demanding) than the US NRC regulatory limit for CDF for new plants.

The UK Safety Assessment Principles relevant for protection against severe accidents are not prescriptive, therefore no implications for the design could be inferred. WENRA RLs and Safety Objectives relevant for protection against severe accidents are less prescriptive than the requirements in the French TG, therefore it can be inferred that any design implications are bounded by the measures required in the French TG.

8.2.2 Containment Design

In addition to the implications for the containment design arising from the requirements on severe accident analysis and design provisions for severe accident management, some of the regulatory requirements reviewed include specifications for the type of containment to be employed (e.g. double-wall containment structure). Such requirements cannot be considered technology-neutral, since instead of focusing on the safety objective of maintaining the confinement function and setting containment performance objectives and criteria directly linked with safety goals and dose acceptance criteria, they actually prescribe the design solution perceived as more conservative and as offering an enhanced degree of protection regardless of the costs.

Some of the requirements in the Finnish YVLs either prescribe or can be interpreted as requiring a specific containment design, i.e. a double-wall containment building (a pressure-retaining primary containment structure and a secondary containment building designed against external events, implied by requirements such as “The containment shall be encased in a secondary containment building so that any radioactive substances which leak from the primary containment can be collected and treated as appropriate”), with specific features for accommodating severe accidents, such as the requirements for a filtered containment venting system (“A containment filtered venting system shall be designed which can be used to remove any overpressure caused by non-condensable gases possibly released in a later phase of an accident.”), or the requirement on prevention of containment melt-through, which may be interpreted as referring to a “core catcher” (“The nuclear power plant shall be equipped with systems that ensure the stabilisation and cooling of molten core material generated during a severe accident. Direct interaction of molten core material with the load bearing containment structure shall be reliably prevented”. “The containment lower space shall be so designed that a core melt possibly formed in a severe accident with high certainty does not cause a containment melt-through”). For the last requirement, it should be noted that RD-337, in Section 8.6.12, requires consideration of “incorporation of complementary design features that will: 1. Prevent a containment melt-through or failure due to the thermal impact of the core debris; 2. Facilitate cooling of the core debris; and 3. Minimize generation of non-condensable gases and radioactive products.”

The French Technical Guidelines for new reactors explicitly require the provision of a specific containment design. In section B.1.4.1 (Design requirements for the containment building and the peripheral buildings), the TG require the use of a double wall containment “including an inner wall in prestressed concrete, an outer wall in reinforced concrete, with the annulus between the inner and the outer walls being maintained at a subatmospheric pressure in order to collect all possible leaks through the inner wall and to filter them before release to the environment via the stack”. The French TG are more prescriptive than the Finnish guides, requiring heat removal without venting for 12 hours (see Section E.2.3.2 and section B.1.4.1 of the TG) and the provision of a core catcher (Section E.2.3.1 - Ex-vessel molten core coolability: “Regarding the basemat of the containment building, the objectives stated in section A.1.3 for low pressure core melt situations can be achieved as mentioned in paragraph B.1.4.1 by the implementation of a large "dead-end" spreading compartment and the cooling of the corium when it is spread on this large area. This large spreading compartment would be spatially separated from the reactor pit and protected from the thermo-mechanical loads consecutive to the reactor pressure vessel failure. Design provisions would prevent the flow of condensate from any part of the containment into this compartment. Moreover, a steel gate would physically separate the reactor pit from the spreading compartment.[…]”).

It is not possible at this stage to assess the benefit of installing such features without having a specific reactor in mind and without looking at alternative design solutions (e.g. in-vessel retention vs. core catcher) for achieving the same goals (i.e. reduction of releases to the environment, prevention of containment overpressure in severe accidents, prevention of containment basemat melt-through, etc.). However, all these features pertaining to the design of the containment are significant in terms of cost.

For illustration, an example of a cost-benefit analysis for the choice of a single containment instead of a double containment for a Korean reactor design (APR-1400, formerly known as KNGR - Korean Next Generation Reactor) can be found in Annex 7 of the IAEA TECDOC-1209, Risk Management: A Tool for Improving Nuclear Power Plant Performance [20].


8.2.3 Treatment of aircraft crash

Regarding the treatment of the aircraft crash, in RD-337 (Section 7.4.2 External Hazards), potential aircraft crashes are mentioned as human-induced external events identified in the site evaluation.

US regulations require an assessment of a large aircraft crash, specifying (realistic) assumptions and criteria for analysis and the provision of “design features and functional capabilities to show that, with reduced use of operator actions: (i) The reactor core remains cooled, or the containment remains intact; and (ii) Spent fuel cooling or spent fuel pool integrity is maintained.”

The Finnish regulations require that the design take account of a large aircraft crash, but without any guidance on the assumptions and criteria for analysis.

The UK SAPs require (in principle EHA.8 and paragraphs 218-219) that the total predicted frequency of aircraft crash is determined and, if found “lower than that typically defined as a design basis event, and greater than that which can be automatically excluded, efforts should be made to understand and minimise the potential impact consequences on structures, systems and components important to safety. The external hazard associated with the impacts should include the possibility of fires and/or explosions from aircraft fuel.”

The French Technical Guidelines, in Section F.2.2.2, provide prescriptive design requirements for the protection against aircraft crashes, as well as expectations for the associated safety analyses (“As regards aircraft crashes, provisions must be taken to ensure an adequate protection of safety related buildings with due consideration to the general and military aircraft traffics near the site and anticipating as far as possible their evolution during the lifetime of the plant. Protection of the safety systems has to be considered with regard to the direct impact (penetration) as well as to the indirect impact by induced vibrations. […]”)

WENRA RLs only mention aircraft crash as an example of external hazard that should be analyzed based on site specific conditions, without providing any details.

It is obvious that the treatment of aircraft crash differs across all the jurisdictions, but it is not clear what the basic assumptions behind these approaches are, i.e. whether the design basis threat for the specific country has been taken into account in establishing a requirement for protection against aircraft crash (although in US 10 CFR 50.13 it is specified that licensees and applicants are not required to provide specific design features for protection against malevolent acts; in the Finnish regulations and in the French Technical Guidelines there is no explicit mention of the aircraft crash being considered as a malevolent act; in the UK SAPs the relevant requirements on aircraft crash do not address malevolent acts), or whether aircraft crash can be excluded based on site-specific considerations.

Strengthening of the containment building, internal structures and other safety-related buildings to withstand the impact of a large aircraft crash and its consequential effects (i.e. vibrations, fire, explosions, etc.) adds significantly to the costs of a nuclear power project. Unless the consideration of a large aircraft crash is prescribed in national regulations and review criteria have been established by the regulatory authority, any cost-benefit analysis is likely to also take account of the probability of an event such as a large aircraft crash for a specific country and a specific site. A comparison of the detailed regulatory review criteria for analysis of aircraft crashes is likely to be hindered by the fact that such information is usually classified.


8.2.4 Other significant differences

Other significant differences (from the point of view of importance to safety, apparent conservatism and perceived safety benefit, rather than from the point of view of cost of implementation) are related to:

- dose acceptance criteria and safety goals;

- the application of the single failure criterion;

- time available for operator actions;

- electrical systems;

- inherent reactivity feedback characteristics of the reactor.

Dose acceptance criteria and safety goals

Significant differences between the dose acceptance criteria and safety goals have been identified, but without a comparison of the assumptions and methodologies for analysis, a conclusion on the different levels of conservatism cannot be drawn. As an example, in both the US and Finnish requirements, the dose limits or targets for AOOs (anticipated operational occurrences) appear to be lower than the dose acceptance criterion in RD-337. Since a comparison of the assumptions and methodologies for calculating these doses was not performed, it is not possible at this point to conclude with certainty that the US and Finnish requirements on AOOs are more conservative than the Canadian requirements, but this issue is worthy of further investigation.

Differences in dose criteria and safety goals and in the expectations for safety assessment between the UK SAPs and RD-337 and RD-310 are discussed extensively in Section 5.3.1 of the report and in Appendix 3B (Section 3.B.4). The Basic Safety Objectives (BSOs) in the SAPs are very demanding, even for advanced reactor designs, and are more conservative than the dose acceptance criteria in RD-337. For the cases where the Basic Safety Levels (BSLs) could be compared with the dose acceptance criteria in RD-337, the BSLs were found to be more demanding (see the comments on Target 4 in Appendix 3B, Section 3.B.4).

The French-German Technical Guidelines (and, similarly, the WENRA Safety Objectives for new reactors) link the safety objectives for protection against severe accidents with the intervention levels in a nuclear emergency. The interpretation of the French-German Technical Guidelines objectives in relation to the intervention values in the Canadian Guidelines for Intervention during a Nuclear Emergency and the relation with the dose acceptance criteria and safety goals in RD-337 was provided in Section 6.2 of the report. No clear conclusion could be reached, in the absence of an in-depth review of the assumptions and criteria used in the estimation of radiological consequences of accidents.

The WENRA Reference Levels do not include any dose acceptance criteria or other quantitative safety goals.

The application of the single failure criterion

Regarding the application of the single failure criterion, RD-310 defines the single-failure criterion (SFC) as “the criterion used to determine whether a system is capable of performing its function in the presence of a single failure”. However, it requires that “the analysis of AOO and DBA shall apply the single-failure criterion to all safety systems and their support systems”. In RD-337, Section 7.6.2, the SFC is required to be applied at safety group level, i.e. the SFC is defined as a criterion to be used in the design of safety-related systems, but compliance is verified in the safety analyses at function level (the aim being to demonstrate that the safety function can be accomplished in spite of a single failure, rather than demonstrating that each individual system complies with the SFC).

US and Finnish regulations require the application of the SFC at system level, with the requirements in the YVL guides in some instances requiring that the SFC is also met when an additional component is unavailable due to repair or maintenance.

The French Technical Guidelines require the application of the SFC at system level for F1A systems and at function level for F1B systems (see the provisions of Section B.2.1 - Classification of the safety functions, barriers, structures and systems). Where the TG require the SFC to be applied at system level, preventive maintenance is taken into consideration, so that one safety train is considered unavailable for maintenance in addition to the one considered unavailable as a result of the single failure. In addition, the TG provide more details than RD-337 on the expectations for the application of the SFC to passive components.

RD-337 allows for exemption of passive components from the application of the SFC, for those components that are “designed and manufactured to high standards of quality, that are adequately inspected and maintained in service, and that remain unaffected by the PIE”. In US NRC regulations, single failures of passive components in electric systems are not exempted (i.e. they should be assumed in designing against a single failure). Also according to Guide YVL 2.7 (quoted extensively below), no distinction is made between active and passive failures in electrical systems, while passive failures in mechanical components are exempted subject to conditions similar to those in RD-337:

“In the application of the failure criteria, two failure types shall be analysed, certain exceptions excluded. Both component functional failures i.e. active failures and passive failures which may occur when a system or a component is in the process of carrying out its safety function shall be considered. There are passive failure types relating to electrical engineering components and systems. When applying the failure criteria to electrical and automation systems or to the instrumentation systems of safety systems, however, no difference is made between functional and passive failures. Both functional and passive failure types shall be examined in the failure analyses performed for these systems. A design basis passive failure shall be defined by analysing the possible failure and leak modes in such a way that a system’s operational conditions are appropriately taken into account. For example, the failure of a pump or a valve sealing, or the rupture of a small-diameter pipe can be defined as the worst design basis passive failure if, based on a system’s operational conditions plus the design, manufacture and inspection of components and structures, it can be demonstrated that failures worse than these are highly unlikely. A passive failure can be completely ignored if its probability can be demonstrated as being sufficiently low. In assessing the application of passive failures, even the post-initiating event period during which a component or structure must operate shall be taken into account, and also the impact of the failure on the accomplishment of a safety function and on the plant total risk shall be considered. A prerequisite for ignoring a passive failure is that a component is designed, manufactured and inspected according to high quality requirements and that an equal quality level is preserved by maintenance during operation. Possible items fulfilling these prerequisites are e.g. buildings, water tanks and support structures of components. The potential non-application of a passive failure as regards the above factors and prerequisites shall be justified in a failure analysis.”

It is not clear how single failures of passive components in electric systems are treated in accordance with RD-337, and whether the exemption of passive components refers only to mechanical components, so a conclusion on what the differences actually are and on their impact cannot be drawn.
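As an added illustration of the difference between checking the SFC at function level (RD-337/RD-310) and checking it at system level with one train also assumed out for preventive maintenance (French TG, F1A systems), the following Python model is constructed here and is not part of the report. The three-train cooling function, its components, the shared buses and tank, and the policy names "rd337", "nrc" and "none" for the passive-component exemption are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    passive: bool = False     # passive (tank, structure) vs active (pump, breaker)
    electrical: bool = False  # electrical vs mechanical, used by the exemption rules

@dataclass(frozen=True)
class Train:
    name: str
    components: tuple  # every component must work for the train to deliver
    supports: tuple    # names of shared support items the train depends on

@dataclass
class SafetyFunction:
    trains: tuple
    supports: dict     # shared items (buses, tank): name -> Component
    required: int      # number of trains that must work to accomplish the function

def exempt(c, policy):
    """Passive components that may be left out of single-failure postulation."""
    if policy == "rd337":  # passive components meeting the quality conditions
        return c.passive
    if policy == "nrc":    # passive failures in electrical systems are postulated
        return c.passive and not c.electrical
    return False           # "none": every component is a candidate single failure

def train_ok(train, failed, maintenance):
    if train.name in maintenance:
        return False
    if any(c.name in failed for c in train.components):
        return False
    return not any(s in failed for s in train.supports)

def function_ok(sf, failed, maintenance=()):
    return sum(train_ok(t, failed, maintenance) for t in sf.trains) >= sf.required

def postulated_failures(sf, policy):
    comps = [c for t in sf.trains for c in t.components] + list(sf.supports.values())
    return sorted({c.name for c in comps if not exempt(c, policy)})

def sfc_violations(sf, policy="rd337", with_maintenance=False):
    """Function-level check: list (single failure, train in maintenance) pairs
    that leave fewer than the required number of trains. with_maintenance=True
    additionally takes one train out for preventive maintenance, as the French
    TG do for F1A systems; False is the plain function-level check of RD-337."""
    outages = [t.name for t in sf.trains] if with_maintenance else [None]
    return [(f, m) for f in postulated_failures(sf, policy) for m in outages
            if not function_ok(sf, {f}, () if m is None else (m,))]

# Constructed 3 x 100 % cooling function (hypothetical, not from the report):
# trains A and B are powered from bus1, train C from bus2; all draw on one tank.
SHARED = {"tank": Component("tank", passive=True),
          "bus1": Component("bus1", electrical=True),
          "bus2": Component("bus2", electrical=True)}

def make_train(name, bus):
    return Train(name, (Component("pump_" + name), Component("valve_" + name)),
                 (bus, "tank"))

ECC = SafetyFunction((make_train("A", "bus1"), make_train("B", "bus1"),
                      make_train("C", "bus2")), SHARED, required=1)

if __name__ == "__main__":
    print(sfc_violations(ECC))                         # [] : function-level SFC met
    print(sfc_violations(ECC, with_maintenance=True))  # [('bus1', 'C')]
    print(sfc_violations(ECC, policy="none"))          # [('tank', None)]
```

The same configuration passes the plain function-level check but fails once a train is also in maintenance, because the shared bus1 is a single failure that removes two trains at once.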

Time available for operator actions

As mentioned in the UK SAPs (para 344), the practice on UK civil nuclear power reactor facilities is that no human intervention should be necessary for approximately 30 minutes following the start of a requirement for protective action.

The French Technical Guidelines, in Section D.2.1, require 30 minutes to be available before operator action in the control room is necessary to respond to an initiating event, and 1 hour for actions outside the control room.

WENRA RL E 9.3 requires 30 minutes to be available before operator action is necessary to respond to an initiating event (exceptions have to be justified).

The minimum time specified by RD-337 (Section 8.10.4) before operator action from the MCR is required is 15 minutes, and the minimum time before action outside the MCR is required is 30 minutes.

These differences in requirements have an impact on design provisions. This impact can only be assessed on a case-by-case basis, for each design submitted for regulatory review.

Electrical Systems

It was not possible to compare the regulatory expectations for electrical systems since the requirements in RD-337 are limited to the EPS and there are no specific provisions on measures for coping with station black-out scenarios.

Inherent reactivity feedback characteristics of the reactor

Both US and Finnish regulations include requirements on the inherent reactivity feedback characteristics of the reactor (Criterion 11 in US NRC 10 CFR Part 50 Appendix A: “The reactor core and associated coolant systems shall be designed so that in the power operating range the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity”; and Section 14 of the Finnish Government Decree on Safety of NPPs 27.11.2008/733: “the combined effect of a nuclear reactor's physical feedbacks shall be such that it mitigates the increase in reactor power.”). On the other hand, RD-337 requires “two separate, independent, and diverse means of shutting down the reactor” and “redundancy to be provided in the fast-acting means of shutdown if, in the event that the credited means of reactivity control fails during any AOO or DBA, inherent core characteristics are unable to maintain the reactor within specified limits”.

Since the aim / intention of the requirements on reactivity control mechanisms and systems is that the reactor can be rendered and maintained subcritical and that fuel safety criteria are met in all design basis accidents, including LOCA (loss of coolant accidents) and RIA (reactivity initiated accidents), it is of less importance how the safety function is achieved.

The French Technical Guidelines are more prescriptive with regard to reactivity coefficients:

- B.1.1 (Fuel cladding and core design) “[…]In principle, the moderator temperature coefficient must be kept negative from hot zero power to nominal conditions with all the control rods out of the core; the coolant void coefficient has to be negative for all conditions.[…]”.

- A.2.1 (Plant transient behaviour) “Generally speaking, the plant design shall be such that the inherent reactor behaviour is stable (e.g. negative moderator feedback)”.

The UK SAPs, in paragraphs 449 – 451, require that “Changes in temperature, coolant voiding, core geometry or the nuclear characteristics of components that could occur in normal operation or fault conditions should not cause uncontrollably large or rapid increases in reactivity. Effects of changes in coolant condition or composition on the reactivity of the reactor core should be identified. The consequences of any adverse changes should be limited by the provision of protective systems or by reactor core design parameters. There should be suitable and sufficient design margins to ensure that any reactivity changes do not lead to unacceptable consequences. Limits should be set for the maximum degree of positive reactivity by inherent safety characteristics or by engineered safety features.”

The Canadian, US, Finnish and UK regulatory requirements on reactivity control can be considered as providing an equivalent level of safety. However, to confirm that the measures for their implementation are also equivalent in practice, a detailed review of the assumptions, methodologies and acceptance criteria for LOCA and RIA events would be necessary, taking into account also the particularities of different reactor cores and fuel designs (PHWRs, LWRs, etc.).

As regards the prescriptive requirements in the French Technical Guidelines, these cannot be considered as technology-neutral. The French Technical Guidelines do not explicitly address reactivity feedback from steam line breaks (PWR), cold or light water injection (PWR & BWR), or sudden turbine stop valve closure (BWR), which are negative for HWRs and positive for the LWRs (although the issues associated with the above mentioned transients can be inferred from the requirements in Section D.2.1 - Safety analysis rules).

9. CONCLUDING REMARKS

The aim of this project was to provide support to the CNSC in the formulation of a regulatory position on the Canadian design requirements for new nuclear power plants as compared to those applied in other regulatory jurisdictions, specifically in the US, Finland, UK, France and in the European Union.

The regulatory requirements currently applied in various countries that have nuclear power programmes reflect the technology of choice for the respective reactors, the operating experience accumulated as well as the developments due to research and improvement in assessment tools and techniques. While the basic safety principles governing the design of nuclear power reactors are the same regardless of the reactor technology employed, differences arise when the regulatory requirements become prescriptive as regards the design of particular safety systems provided to prevent and / or mitigate accident scenarios which are specific for each reactor type.

During the last decade, a number of new reactor systems have been developed which include significant changes in technology when compared to the reactors currently in operation. These new reactors have been developed in observance of the regulatory requirements and industry standards of the country of origin, and more often than not difficulties arise when such a design is submitted for regulatory approval as part of the licensing process for construction in other countries, which usually have established their own national safety requirements and standards.

This project made a comparison of the newest Canadian regulatory requirements on nuclear power plant design, reflecting the Canadian legal and licensing strategies, but also the CANDU technology developed and licensed in Canada, with the requirements of other regulators, reflecting in turn different licensing strategies and different reactor technologies developed/imported in those jurisdictions. The RD-337 requirements, although intended to be technology neutral with regard to water-cooled reactors, do include some technology specific requirements, but to a lesser degree than corresponding requirements in the other jurisdictions. The existence of LWR specific requirements and their functionality is a natural development for other jurisdictions where importing different reactor technologies was not consistently considered (e.g. US and France). The same consideration was valid in Canada for many decades.

As such, the comparison identified as differences a number of technology specific requirements. Not having LWR design specific requirements is not a weakness of the Canadian regulation, but rather a reality the CNSC has to cope with due to Canada’s long history in developing the heavy water reactor technology, accompanied by parallel development and evolution of industry standards as well as regulatory practices.

The fact that some requirements imposed in other jurisdictions do not have a direct equivalent in RD-337 does not mean that there are “gaps” in RD-337 - they only represent differences which need to be acknowledged and analysed for any relevance regardless of the design for which they were originally developed.

The degree of equivalence from the safety point of view cannot always be assessed in a generic manner, without looking at particular cases of application of the requirements and at the safety analyses deemed acceptable for supporting fulfillment of these requirements. Each of the foreign regulations, as well as RD-337, has stronger and weaker areas. For example, it is true that targets expressed in releases are more relevant/useful to a designer (RD-337), as input to the design, than are the targets expressed in doses to population (or fatality risk in the UK); at the same time, a quantitative expectation for the performance of the containment (24 h in USA) may be more useful for a designer than a requirement referencing the time necessary for implementing off-site measures (RD-337) without actually providing an estimation.

Also, the potential safety benefits associated with particular regulatory requirements cannot be directly inferred from the requirements alone, especially in the case of prescriptive requirements specifying design solutions, since alternative solutions could always be found to achieve the same safety objective and the same safety function.

As regards the minimum safety benefits/improvements shared by the new reactor designs available on the market, regardless of the regulatory requirements in their countries of origin, these can be summarised as follows:

- Consideration of severe accidents from the design stage and the provision of (qualified) systems specifically dedicated to the prevention and mitigation of severe accident scenarios;

- Less reliance on operator actions in response to accidents / increased operator “grace time”;

- Preference given to “passive” safety systems and inherent safety characteristics;

- Increased reliability of all safety related systems, including protection against common-cause failures;

- More systematic definition of the design basis, including more systematic consideration of external hazards in the design basis;

- Design features facilitating optimisation of the radiological protection of workers, the minimisation of waste and the eventual decommissioning.

These improvements have resulted from the development of safety assessment tools and techniques, research and accumulation of operational experience with the existing fleet of plants, more than from requirements imposed by regulators.

RD-337 already covers the above mentioned safety improvements, but in a generic manner, without prescribing specific design solutions. Although prescriptive approaches are implemented in other jurisdictions, it is not advisable to prescribe design solutions in regulatory documents, mainly because the responsibility for safety should rest with the operators and the designers/vendors. In addition, there should be fair treatment of all the applicants in a licensing process and regulatory requirements prescribing design solutions are generally seen as favouring particular designs without providing a justification of the added value for safety.

To decide on a course of action, such as whether or not the existing requirements are sufficient and adequate for the licensing activities envisaged in the foreseeable future, whether or not to introduce new requirements and what their formulation should be, or whether to eliminate existing ones, identification of differences alone is not sufficient. Once identified, a more in-depth analysis of these differences is needed to establish their significance. One useful task, which was not a part of this project, would be to compare the regulatory frameworks of the different regulators, as well as benchmarking of regulatory review and assessment practices and criteria (including scope, methodology and assumptions of the safety analyses). Thus a complete picture could be obtained of not only the different requirements in themselves, but also of the context in which they are applied and of the way in which they are implemented. This includes specific concepts and their understanding and application in different regulatory frameworks, such as the ALARA principle, the Single Failure Criterion, the treatment of early containment failure, etc., which, in the present study, due to time and effort limitations, have been discussed only to the extent to which they are treated in the regulatory documents compared. It can also include industrial codes and standards prescribed and / or considered acceptable by the national regulators, which are important for judging compliance with the regulatory requirements.

10. REFERENCES

[1] Safety of Nuclear Power Plants: Design. Requirements, IAEA Safety Standards Series, Safety Requirements, No. NS-R-1, International Atomic Energy Agency, Vienna, 2000

[2] General requirements for seismic qualification of CANDU nuclear power plants, CSA N289.1-08, Canadian Standards Association, 2008

[3] Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, NUREG-0800 (Formerly issued as NUREG-75/087), U.S. Nuclear Regulatory Commission, Office of Nuclear Reactor Regulation

[4] Safety Analysis for Nuclear Power Plants, Regulatory Document RD-310, Canadian Nuclear Safety Commission, 2008

[5] Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants, US NRC Policy Statement, 52 FR 32138, published 8/8/85

[6] Advanced Light Water Reactor Utility Requirements Document, Electric Power Research Institute

[7] Seismic Analysis of Safety-Related Nuclear Structures, ASCE 4-98, American Society of Civil Engineers, 2000

[8] Probabilistic Safety Assessment (PSA) for Nuclear Power Plants, Regulatory Standard S-294, Canadian Nuclear Safety Commission, 2005

[9] Emergency Power Generating Facilities with Diesel-Generator Units in Nuclear Power Plants, KTA 3702 (06/2000), Safety Standards of the Nuclear Safety Standards Commission (KTA), KTA-Geschaeftsstelle c/o Bundesamt fuer Strahlenschutz (BfS), Germany

[10] Radiation Protection Regulations, SOR/2000-203, Canadian Nuclear Safety Commission, current to 2011-08-08 and last amended on 2007-09-18

[11] Canadian Guidelines for Intervention during a Nuclear Emergency, Health Canada, ISBN 0-662-35147-9 (Revised November 2003)

[12] Authorisation Decree Application for the creation of the FLAMANVILLE-3 Basic Nuclear Installation, Executive Summary of the Technical Review, ASN/DCN/ Report No. 0080-2007, Nuclear Power Plant Division, Nuclear Pressure Equipment Division, Autorité de sûreté nucléaire

[13] Design of Reactor Containment Systems for Nuclear Power Plants, IAEA Safety Standards Series, Safety Guide, No. NS-G-1.10, International Atomic Energy Agency, Vienna, 2004

[14] Principles for Intervention for Protection of the Public in a Radiological Emergency, ICRP Publication 63, Annals of the ICRP Volume 22/4, ICRP, 1992

[15] Ensuring the Presence of Sufficient Qualified Staff at Class I Nuclear Facilities – Minimum Staff Complement, Regulatory Guide G-323, Canadian Nuclear Safety Commission, 2007

[16] Safety Objectives for New Power Reactors, Study by WENRA Reactor Harmonization Working Group, Western European Nuclear Regulator’s Association, December 2009

[17] Protection from Potential Exposure: A Conceptual Framework, ICRP Publication 64, Annals of the ICRP Volume 23/1, ICRP, 1993

[18] European Utility Requirements for LWR Nuclear Power Plants, Volume 1, Revision C, British Energy plc, Electricité de France (EDF), Fortum, Iberdrola, NRG (Nuclear Research & consultancy Group), Rosenergoatom (REA), SOGIN (Società Gestione Impianti Nucleari), swissnuclear, Teollisuuden Voima Oy (TVO), Tractebel, Vattenfall, VGB Powertech, April 2001

[19] The 2007 Recommendations of the International Commission on Radiological Protection, ICRP Publication 103, Annals of the ICRP Volume 37/2-4, ICRP, 2007

[20] Risk management: A tool for improving nuclear power plant performance, IAEA-TECDOC-1209, International Atomic Energy Agency, Vienna, 2001