SSG-2 (Rev. 1) Deterministic Safety Analysis for Nuclear Power Plants

Hledej:

Sekce	Odstavec	Text
Main	1.1.	This Safety Guide provides recommendations and guidance on the use of deterministic safety analysis and its application to nuclear power plants in compliance with the requirements established in IAEA Safety Standards Series Nos SSR-2/1 (Rev. 1), Safety of Nuclear Power Plants: Design [1], and GSR Part 4 (Rev. 1), Safety Assessment for Facilities and Activities [2].
Main	1.2.	Current developments for ensuring the stable and safe operation of nuclear reactors are closely related to the advances being made in safety analysis. Deterministic safety analyses for normal operation, anticipated operational occurrences, design basis accidents and design extension conditions, including severe accidents, as defined in SSR-2/1 (Rev. 1) [1] and in the IAEA Safety Glossary [3], are essential instruments for confirming the adequacy of safety provisions.
Main	1.3.	This Safety Guide supersedes the 2009 version of SSG-2¹. The modifications incorporated into this Safety Guide reflect recent experience of deterministic safety analysis included in safety analysis reports for designs for new nuclear power plants and in the application of deterministic safety analysis to existing nuclear power plants. The Safety Guide has also been updated to maintain consistency with current IAEA safety standards, including those Safety Requirements publications updated to reflect lessons learned from the Fukushima Daiichi nuclear power plant accident.
Main	1.4.	The objective of this Safety Guide is to provide recommendations and guidance for designers, operating organizations, regulatory bodies and technical support organizations on performing deterministic safety analysis and on its application to nuclear power plants. It also provides recommendations on the use of deterministic safety analysis in: Demonstrating or assessing compliance with regulatory requirements; Identifying possible enhancements of safety and reliability.
Main	1.5.	This Safety Guide applies to nuclear power plants. It addresses ways of performing deterministic safety analyses to achieve their purpose in meeting safety requirements. Such analyses are primarily required to demonstrate adequate fulfilment of safety functions by the design, to ensure that barriers to the release of radioactive material will prevent an uncontrolled release to the environment for all plant states, and to demonstrate the validity of the operational limits and conditions. Deterministic safety analyses are also required to determine the characteristics of potential releases (source terms) depending on the status of the barriers for different plant states.
Main	1.6.	This Safety Guide focuses primarily on deterministic safety analysis for the safety of designs for new nuclear power plants and, as far as reasonably practicable or achievable, is also applicable to the safety re-evaluation or reassessment of existing nuclear power plants when operating organizations review their safety assessment. The recommendations provided are intended to be consistent with the scope of applicability indicated in paras 1.3 and 1.6 of SSR-2/1 (Rev. 1) [1], and are particularly based on experience with deterministic safety analysis for water cooled reactors.
Main	1.7.	The recommendations provided in this Safety Guide focus on best practices in the analysis of all plant states considered in the design, from normal operation, through anticipated operational occurrences and design basis accidents, to design extension conditions including severe accidents.
Main	1.8.	This Safety Guide deals with human errors and failures of plant systems (e.g. systems in the reactor core, reactor coolant system, containment, fuel storage or other systems containing radioactive material) having the potential to affect the performance of safety functions and thus lead to loss of physical barriers against releases of radioactive material. An analysis of the hazards themselves, either internal or external (natural or human induced), is not covered by this Safety Guide, although the effects and loads resulting from the hazards and potentially inducing failures in plant systems are taken into account in determining initiating events to be analysed.
Main	1.9.	This Safety Guide addresses the use of deterministic safety analysis for design or licensing purposes, aimed at demonstrating, with adequate margins, compliance with established acceptance criteria.
Main	1.10.	This Safety Guide addresses the different options available for performing deterministic safety analysis, namely the conservative approach, the best estimate approach with and without quantification of uncertainty, and a combined approach.
Main	1.11.	This Safety Guide focuses on neutronic, thermohydraulic, fuel (or fuel channel for pressurized heavy water reactors) and radiological analysis. Other types of analysis, in particular structural analysis of structures and components, are also important means of demonstrating the safety of a plant. However, detailed guidance on performing such analysis is not included in this Safety Guide, since such information can be found in specific engineering guides. Neutronic and thermohydraulic analysis provides the necessary boundary conditions for structural analysis.
Main	1.12.	This Safety Guide covers aspects of the analysis of releases of radioactive material up to and including the determination of the source term for releases to the environment for anticipated operational occurrences and accident conditions (paras 2.16–2.18). Radioactive gaseous and liquid effluents and discharges during normal operation are primarily controlled by operational measures and are not covered by this Safety Guide. Similarly, dispersion of radioactive material in the environment and prediction of the radiological effects on people and non-human biota is outside the scope of this Safety Guide (see IAEA Safety Standards Series No. GSR Part 3, Radiation Protection and Safety of Radiation Sources: International Basic Safety Standards [4]). While general rules for deterministic safety analysis also apply to the analysis of radiological consequences of anticipated operational occurrences and accident conditions, this Safety Guide does not provide specific guidance for such analysis. Such specific guidance can be found in other IAEA Safety Guides, for example IAEA Safety Standards Series No. GSG-10, Prospective Radiological Environmental Impact Assessment for Facilities and Activities [5].
Main	1.13.	This Safety Guide describes general rules and processes to be followed in performing deterministic safety analysis. The Safety Guide does not describe specific phenomena, nor does it systematically identify the key factors essential for neutronic, thermohydraulic, fuel (or fuel channel) and radiological analysis. When such information is provided in this Safety Guide, it is intended as an illustration or example and should not be understood to be a comprehensive description.
Main	1.14.	Recommendations on nuclear security are outside the scope of this Safety Guide. In general, documentation and electronic records relating to deterministic safety analysis processes and outputs provide limited information regarding equipment location and vulnerability, and practically no information on cable routes and other aspects of plant layout. However, such information needs to be reviewed to identify any sensitive information that could be used to support malicious acts, and such information needs to be protected appropriately. Guidance on sensitive information and information security is provided in Ref. [6].
Main	1.15.	This Safety Guide comprises nine sections and two annexes. Section 2 introduces some basic concepts and terminology used in the area of deterministic safety analysis, as a basis for the specific recommendations provided in the other sections. The sequence of subsequent sections corresponds to the general process of performing deterministic safety analysis. Section 3 describes methods of systematic identification, categorization and grouping of postulated initiating events and accident scenarios to be addressed by deterministic safety analysis, and includes practical advice on the selection of events to be analysed for the different plant states. Section 4 provides a general overview of acceptance criteria to be used in deterministic safety analysis for design and authorization of nuclear power plants, and describes the rules for determination and use of acceptance criteria. Section 5 provides guidance on verification and validation, selection and use of computer codes and plant models, together with input data used in the computer codes. Section 6 describes general approaches for ensuring adequate safety margins in demonstrating compliance with acceptance criteria for all plant states, with a focus on anticipated operational occurrences and design basis accidents. Section 7 provides specific guidance on performing deterministic safety analysis for each individual plant state. Section 8 includes guidance on the documentation, review and updating of deterministic safety analysis. Section 9 provides guidance on independent verification of safety assessments, including verification of deterministic safety analysis.
Main	1.16.	Annex I indicates additional applications of the computer codes used for deterministic safety analysis, besides nuclear power plant design and authorization. Annex II indicates the frequency ranges of anticipated operational occurrences and design basis accident categories used in some States for new reactors.
Main	2.1.	The objective of deterministic safety analysis for nuclear power plants is to confirm that safety functions can be performed with the necessary reliability and that the necessary structures, systems and components, in combination where relevant with operator actions, are capable and sufficiently effective, with adequate safety margins, to keep the releases of radioactive material from the plant below acceptable limits. Deterministic safety analysis is aimed at demonstrating that barriers to the release of radioactive material from the plant will maintain their integrity to the extent required. Deterministic safety analysis, supplemented by further specific information and analysis (such as information and analysis relating to fabrication, testing, inspection and evaluation of the operating experience) and by probabilistic safety analysis, is also intended to contribute to demonstrating that the source term and the potential radiological consequences of different plant states are acceptable, and that the possibility of certain conditions arising that could lead to an early radioactive release or a large radioactive release can be considered as ‘practically eliminated’ (see para. 3.55).
Main	2.2.	The aim of deterministic safety analyses performed for different plant states is to demonstrate the adequacy of the engineering design, in combination with the envisaged operator actions, by demonstrating compliance with established acceptance criteria.
Main	2.3.	Deterministic safety analyses predict the response of the plant to postulated initiating events, alone or in combination with additional postulated failures. A set of rules and acceptance criteria specific to each plant state is applied. Typically, these analyses focus on neutronic, thermohydraulic, thermomechanical, structural and radiological aspects, which are analysed with appropriate computational tools. Computational simulations are carried out specifically for predetermined operating modes and plant states.
Main	2.4.	The results of computations are space and time dependent values of selected physical variables (e.g. neutron flux; thermal power of the reactor; pressures, temperatures, flow rates and velocities of the primary coolant; loads to physical barriers; concentrations of combustible gases; physical and chemical compositions of radionuclides; status of core degradation or containment pressure; and source term for a release to the environment).
Main	2.5.	Acceptance criteria are used in deterministic safety analysis to assist in judging the acceptability of the results of the analysis as a demonstration of the safety of the nuclear power plant. The acceptance criteria can be expressed in general, qualitative terms or as quantitative limits. Three categories of criteria are recognized: Safety criteria: Criteria that relate either directly to the radiological consequences of operational states or accident conditions, or to the integrity of barriers against releases of radioactive material, with due consideration given to maintaining the safety functions. Design criteria: Design limits for individual structures, systems and components, which are part of the design basis as important preconditions for meeting safety criteria (see Requirement 28 of SSR-2/1 (Rev. 1) [1]). Operational criteria: Rules to be followed by the operator during normal operation and anticipated operational occurrences, which provide preconditions for meeting the design criteria and ultimately the safety criteria.
Main	2.6.	In this Safety Guide, only safety acceptance criteria are addressed. These acceptance criteria, as approved by the regulatory body, may include margins with respect to safety criteria.
Main	2.7.	The use of uncertainty analysis in deterministic safety analysis is addressed in paras 6.21–6.29. Several methods for performing uncertainty analysis have been published (e.g. Ref. [7]). They include: Use of a combination of expert judgement, statistical techniques and sensitivity calculations; Use of data from scaled experiments; Use of bounding scenario calculations.
Main	2.8.	Table 1 lists different options currently available for performing deterministic safety analyses with different levels of conservatism associated with the computer code used (see Section 5), the assumptions made about the availability of systems, and the initial and boundary conditions applied for the analysis.
Main		^* For simplicity, the terms ‘realistic approach’ or ‘realistic analysis’ are used in this Safety Guide to mean best estimate analysis without quantification of uncertainties.
Main	2.9.	Option 1 is a conservative approach in which both the assumed plant conditions and the physical models are set conservatively. In a conservative approach, parameters need to be allocated values that will have an unfavourable effect in relation to specific acceptance criteria. The conservative approach was commonly adopted in the early days of safety analysis to simplify the analysis and to compensate for limitations in modelling and knowledge of physical phenomena with large conservatisms. It was assumed that such an approach would bound many similar transients in a way that the acceptance criteria would be met for all bounded transients.
Main	2.10.	Experimental research has resulted in a significant increase in knowledge of physical phenomena, and the development of computer codes has improved the ability to achieve calculated results that correspond more accurately to experimental results and recorded event sequences in nuclear power plants. Owing to the improved capabilities of computer codes and the possible drawbacks of the conservative approach (e.g. potential masking of important phenomena, and conservatisms in different parameters potentially cancelling each other out), Option 1 is rarely used now and is not suggested for current safety analysis, except in situations in which scientific knowledge and experimental support is limited. Option 1 remains relevant, however, as it may have been used in legacy analyses.
Main	2.11.	Option 2 is a combined approach based on the use of best estimate models and computer codes instead of conservative models and codes (para. 6.12). Best estimate codes are used in combination with conservative initial and boundary conditions and with conservative assumptions made about the availability of systems, assuming that all uncertainties associated with the code models are well established and that the plant parameters used are conservative, based on plant operating experience. The complete analysis requires use of sensitivity studies to justify the selection of conservative input data. Option 2 is commonly used for design basis accidents and for conservative analysis of anticipated operational occurrences.
Main	2.12.	Option 3 is a ‘best estimate plus uncertainty’ approach. This allows the use of best estimate computer codes together with more realistic assumptions. A mixture of best estimate and partially unfavourable (i.e. somewhat conservative) initial and boundary conditions may be used, taking into account the very low probability that all parameters would be at their most pessimistic value at the same time. Conservative assumptions are usually made about the availability of systems. In order to ensure the overall conservatism required in analysis of design basis accidents, the uncertainties need to be identified, quantified and statistically combined. Option 3 contains a certain level of conservatism and is currently accepted for some design basis accidents and for conservative analyses of anticipated operational occurrences.
Main	2.13.	In principle, Options 2 and 3 are distinctly different types of analysis. In practice, however, a mixture of Options 2 and 3 is often employed. This is because the tendency is to use best estimate input data whenever extensive data are available and to use conservative input data whenever data are scarce. The difference between these options is the statistical combination of uncertainties.
Main	2.14.	Deterministic safety analysis performed in accordance with Options 1–3 is considered to be conservative, with the level of conservatism decreasing from Option 1 to Option 3 (see paras 2.9–2.13).
Main	2.15.	Option 4 allows the use of best estimate models and computer codes, and best estimates of system availability and initial and boundary conditions. Option 4 is appropriate for realistic analysis of anticipated operational occurrences aimed at the assessment of control system capability (see paras 7.17–7.44) and in general for best estimate analysis of design extension conditions (see paras 7.45–7.67), as well as for the purpose of justifying prescribed operator actions in realistic analysis. Deterministic analysis for operating events that may necessitate a short term relaxation of regulatory requirements may also rely on best estimate modelling. More detailed information with regard to modelling assumptions applicable for different options is provided in Section 7.
Main	2.16.	An essential component of deterministic safety analysis is the determination of source terms for releases of radioactive material as a key factor for prediction of dispersion of such material in the environment and ultimately of radiation doses to plant staff and to the public as well as the radiological impact on the environment. The source term is the “amount and isotopic composition of radioactive material released (or postulated to be released) from a facility” [3]; and it is used “in modelling releases of radionuclides to the environment, in particular in the context of accidents at nuclear installations or releases from radioactive waste in repositories” [3].
Main	2.17.	To evaluate the source term from a nuclear installation, it is necessary to identify the sources of radiation, to determine the inventories of radionuclides that are produced and to know the mechanisms by which radioactive material can travel from the source through the installation and be released to the environment. Under accident conditions, source term evaluation requires simulation codes capable of predicting fission product release from fuel elements, transport through the primary system and containment or spent fuel pool building, the related chemistry affecting this transport and the form in which the radioactive material would be released.
Main	2.18.	The source term is evaluated for operational states and accident conditions for the following reasons: To confirm that the design is optimized so that the source term is reduced to a level that is as low as reasonably achievable in all plant states; To support the demonstration that the possibility of certain conditions arising that could lead to an early radioactive release or a large radioactive release can be considered to have been ‘practically eliminated’; To demonstrate that the design ensures that requirements for radiation protection, including restrictions on doses, are met; To provide a basis for the emergency arrangements² that are required to protect human life, health, property and the environment in case of an emergency at the nuclear power plant; To support specification of the conditions for the qualification of the equipment required to withstand accident conditions; To provide data for training activities with regard to emergency arrangements; To support the design of safety features for the mitigation of the consequences of severe accidents (e.g. filtered containment venting and recombiners of combustible gases; see IAEA Safety Standards Series No. SSG-54, Accident Management Programmes for Nuclear Power Plants [11]).
Main	2.19.	General rules presented in this Safety Guide for deterministic safety analysis also apply to determination of the source term. Aspects associated with the determination of the source term are introduced in several paragraphs in this Safety Guide to remind readers of the applicability of the general rules to this specific application.
Main	3.1.	In accordance with the definition of “plant states (considered in design)” from SSR-2/1 (Rev. 1) [1], the plant states considered in the deterministic safety analysis should cover: Normal operation; Anticipated operational occurrences; Design basis accidents; Design extension conditions, including sequences without significant fuel degradation and sequences with core melting.
Main	3.2.	The deterministic safety analysis should address all postulated initiating events originating in any part of the plant and having the potential to lead to a radioactive release to the environment, both on their own and in combination with possible additional failures, for example in the control and limitation systems³ and the associated safety functions. This includes events that can lead to a release of radioactive material not only from the reactor core but also from other relevant sources, such as fuel elements stored at the plant and systems dealing with radioactive material.
Main	3.3.	Where applicable, the possibility should be considered that a single cause could simultaneously prompt initiating events in several or even all of the reactors in the case of a multiple unit nuclear power plant, or spent fuel storage units, or any other sources of potential radioactive releases on the given site (para. 5.15B of SSR-2/1 (Rev. 1) [1]).
Main	3.4.	The deterministic safety analysis should address postulated initiating events that can occur in all modes of normal operation. The initial conditions should assume a steady state with normal operation equipment operating prior to the initiating event.
Main	3.5.	Each configuration of shutdown modes, including refuelling and maintenance, should be considered. For these modes, possible failures or other factors that could occur during shutdown and lead to increased risk should be considered, such as: Inability to start some safety systems automatically or manually; Disabled automation systems; Equipment undergoing maintenance or repair; Reduced amounts of coolant in the primary circuit and, for some modes, in the secondary circuit; Instrumentation switched off or non-functional so that measurements are not made; Open primary circuit; Open containment.
Main	3.6.	For postulated initiating events relating to the spent fuel pool, specific operating modes relating to fuel handling and storage should be considered.
Main	3.7.	Postulated initiating events taking place during plant operating modes of negligibly short duration may be excluded from deterministic safety analysis if careful analysis and quantitative assessment confirm that their potential contribution to the overall risk, including the risk of conditions arising that could lead to an early radioactive release or a large radioactive release, is also negligible. Nevertheless, the need to prevent or mitigate these events with appropriate procedures or means should be addressed on a case by case basis.
Main	3.8.	The performance of deterministic safety analysis and the use of the results should take into account the recommendations of IAEA Safety Standards Series Nos GS-G-3.1, Application of the Management System for Facilities and Activities [12], and GS-G-3.5, The Management System for Nuclear Installations [13], for meeting Requirements 1–3 of SSR-2/1 (Rev. 1) [1] and the requirements established in IAEA Safety Standards Series No. GSR Part 2, Leadership and Management for Safety [14].
Main	3.9.	Deterministic safety analysis should include an analysis of normal operation, defined as operation within specified operational limits and conditions. Normal operation should typically include operating conditions such as: Normal reactor startup from shutdown, approach to criticality and approach to full power; Power operation, including full power and low power operation; Changes in reactor power, including load follow modes and return to full power after an extended period at low power, if applicable; Reactor shutdown from power operation; Hot shutdown; Cooling down process; Cold shutdown; Refuelling during shutdown or during normal operation at power, where applicable; Shutdown in a refuelling mode or maintenance conditions that open the reactor coolant or containment boundary; Normal operation modes of the spent fuel pool; Storage and handling of fresh fuel.
Main	3.10.	It should be taken into account that, in some cases during normal operation, the main plant parameters change owing to transfer to different plant modes or changes in the plant power output. A major aim of the analysis for transients occurring during normal operation should be to demonstrate that the plant parameters can be kept within the specified operational limits and conditions.
Main	3.11.	The prediction of plant behaviour in plant states other than normal operation (anticipated operational occurrences, design basis accidents and design extension conditions) should be based on a plant specific list of postulated initiating events, possibly combined with additional equipment failures or human errors for specific event sequences.
Main	3.12.	A list of postulated initiating events should be prepared. The list should be comprehensive to ensure that the analysis of the behaviour of the plant is as complete as possible, so that “all foreseeable events with the potential for serious consequences and all foreseeable events with a significant frequency of occurrence are anticipated and are considered in the design” (Requirement 16 of SSR-2/1 (Rev. 1) [1]).
Main	3.13.	The list of postulated initiating events should take due account of operating experience feedback, including, depending on the availability of relevant data, operating experience from the actual nuclear power plant or from similar plants.
Main	3.14.	The set of postulated initiating events should be defined in such a way that it covers all credible failures, including: Failures of structures, systems and components of the plant (partial failure if relevant), including possible spurious actuation; Failures initiated by operator errors, which could range from faulty or incomplete maintenance operations to incorrect settings of control equipment limits or wrong operator actions; Failures of structures, systems and components of the plant arising from internal and external hazards.
Main	3.15.	All consequential failures that a given postulated initiating event could prompt in the plant should be considered in the analysis of the plant response as a part of the postulated initiating event. These should include: If the initiating event is a failure of part of an electrical distribution system, the analysis for anticipated operational occurrences, design basis accidents or design extension conditions should assume the unavailability of all the equipment powered from that part of the distribution system. If the initiating event is an energetic event, such as the failure of a pressurized system that leads to the release of hot water or pipe whip, the analysis for anticipated operational occurrences, design basis accidents or design extension conditions should include consideration of potential failure of the equipment that could be affected by such an event. For internal hazards, such as fire or flooding, or for failures caused by external hazards, such as earthquakes, the definition of the induced postulated initiating event should include failure of all the equipment that is neither designed to withstand the effects of the event nor protected from it.
Main	3.16.	In addition to the set of initiating failures and consequential failures, other failures are assumed in deterministic safety analysis for conservatism (e.g. single failure criterion in design basis accidents) or for the purpose of defence in depth (e.g. common cause failure). A distinction should be made between these failures and the failures that are part of, or directly caused by, the postulated initiating event. Finally, some failures may be added to bound a set of similar events so as to limit the number of analyses.
Main	3.17.	The postulated initiating events should include only those failures (either initial or consequential) that directly lead to the challenging of safety functions and ultimately to threatening the integrity of barriers to releases of radioactive material. Therefore hazards, either internal or external (natural or human induced), should not be considered as postulated initiating events by themselves. However, the loads associated with these hazards should be considered a potential cause of postulated initiating events, including multiple failures resulting from these hazards.
Main	3.18.	Paragraph 5.32 of SSR-2/1 (Rev. 1) [1] states:
Main	3.19.	The set of postulated initiating events should be identified in a systematic way. This should include a structured approach to the identification of the postulated initiating events, such as: Use of analytical methods such as hazard and operability analysis, failure modes and effects analysis, engineering judgement and master logic diagrams; Comparison with the list of postulated initiating events developed for safety analysis of similar plants (ensuring that previously identified deficiencies are not propagated); Analysis of operating experience data for similar plants; Use of insights and results from probabilistic safety analysis.
Main	3.20.	Certain limiting faults (e.g. large break loss of coolant accidents, main steam or feedwater pipe breaks, and control rod ejection in pressurized water reactors or rod drop in boiling water reactors) have traditionally been considered in deterministic safety analysis as design basis accidents. These accidents should be considered because they are representative of a type of accident against which the reactor has to be protected. They should not be excluded from the category of design basis accidents unless careful analysis and quantitative assessment of their potential contribution to the overall risk, including to conditions arising that could lead to an early radioactive release or a large radioactive release, indicate that they can be excluded.
Main	3.21.	Failures occurring in the supporting systems that impede the operation of systems necessary for normal operation should also be considered as postulated initiating events if such failures ultimately require the actuation of the reactor protection systems or safety systems.
Main	3.22.	The set of postulated initiating events should be reviewed as the design and safety assessment proceed, as part of an iterative process between these two activities. The postulated initiating events should also be periodically reviewed throughout the lifetime of the plant, for example as part of a periodic safety review, to ensure that they remain valid.
Main	3.23.	Postulated initiating events should be subdivided into representative groups of event sequences taking into account the physical evolution of the postulated initiating events. Each group should include event sequences that lead to a similar challenge to the safety functions and barriers, and need similar mitigating systems to drive the plant to a safe state. Therefore, they can be bounded by a single representative event sequence, which is usually referred to when dealing with the group (and is often identified by the associated postulated initiating event itself). These groups are also categorized in accordance with their frequency of occurrence (see para. 3.27). This approach allows the selection of the same acceptance criteria and initial conditions, and the application of the same assumptions and methodologies to all postulated initiating events grouped under the same representative event sequence. As an example, the postulated initiating events ‘stop of a main feedwater pump’, ‘stop of all main feedwater pumps’ and ‘isolable break on the main feedwater system’ are all typically grouped under a single representative event sequence such as ‘loss of main feedwater’.
Main	3.24.	Representative event sequences can also be grouped by type of sequence, with a focus on aspects such as reduced core cooling and reactor coolant system pressurization, containment pressurization, radiological consequences or pressurized thermal shocks. In the example in para. 3.23, the representative event sequence ‘loss of main feedwater’ would belong to the type of event sequence ‘decrease in reactor heat removal’.
Main	3.25.	The postulated initiating events associated with anticipated operational occurrences and design basis accidents should reflect the specific characteristics of the design. Some typical postulated initiating events and resulting event sequences are suggested in para. 3.28 for anticipated operational occurrences and in para. 3.30 for design basis accidents, in accordance with the typical types of sequence listed in the following: Increase or decrease in the heat removal through the reactor coolant system; Increase or decrease in the flow rate of the reactor coolant system; Anomalies in reactivity and power distribution in the reactor core, or anomalies in reactivity in fresh or spent fuel in storage; Increase or decrease in the reactor coolant inventory; Leaks in the reactor coolant system with potential bypass of the containment; Leaks outside the containment; Reduction in, or loss of, cooling of the fuel in the spent fuel storage pool; Loss of cooling of fuel during on-power refuelling (pressurized heavy water reactor); Release of radioactive material from a subsystem or component (typically from treatment or storage systems for radioactive waste).
Main	3.26.	For analysis of the source term, specific groupings of postulated initiating events may be appropriate to adequately address different pathways that could lead to the release of radioactive material to the environment. Special attention should be paid to accidents in which the release of radioactive material could bypass the containment, because of the potentially severe consequences even in the case of relatively small releases.
Main	3.27.	Within each group of postulated initiating events, the representative event sequences should also be subdivided into categories based on the frequency of the most frequent postulated initiating event in the group. The assignment of each postulated initiating event to a frequency range should be checked by an appropriate methodology. Possible anticipated operational occurrences and design basis accident categories with their indicative frequency ranges, as used in some States for new reactors, are indicated in Table II–1 of Annex II.
Main	3.28.	Typical examples of postulated initiating events leading to event sequences categorized as anticipated operational occurrences should include the following, sorted by types of sequence. This list is broadly indicative, and the actual list will depend on the type of reactor and the actual design: Increase in heat removal from the reactor: inadvertent opening of steam relief valves; pressure control malfunctions leading to an increase in steam flow rate; feedwater system malfunctions leading to an increase in the heat removal rate. Decrease in heat removal from the reactor: feedwater pump trips; reduction in the steam flow rate for various reasons (control malfunctions, main steam valve closure, turbine trip, loss of external load and other external grid disturbances, loss of power, loss of condenser vacuum). Increase in flow rate of the reactor coolant system: start of a main coolant pump. Decrease in flow rate of the reactor coolant system: trip of one or more coolant pumps; inadvertent isolation of one main coolant system loop (if applicable). Anomalies in reactivity and power distribution in the reactor core: inadvertent withdrawal of the control rod (or control rod bank); boron dilution due to a malfunction in the chemical and volume control system (pressurized water reactor); wrong positioning of a fuel assembly. Anomalies in reactivity in fresh or spent fuel in storage: boron dilution in the spent fuel pool. Loss of moderator circulation or a decrease in, or loss of, moderator heat sink (pressurized heavy water reactor). Increase in the reactor coolant inventory: malfunctions of the chemical and volume control system; excessive feedwater flow (boiling water reactor); inadvertent operation of emergency core cooling. Decrease in the reactor coolant inventory: very small loss of coolant due to the failure of an instrument line. Reduction in, or loss of, cooling of the fuel in the spent fuel storage pools: loss of off-site power; malfunctions in the decay heat removal system; leaking of pool coolant. Release of radioactive material due to a leak in the reactor coolant system, with potential containment bypass. Release of radioactive material due to a leak from a subsystem or component: minor leakage from a radioactive waste system or effluents system.
Main	3.29.	The subset of postulated initiating events potentially leading to design basis accidents should be identified. All postulated initiating events identified as initiators of anticipated operational occurrences should also be analysed using design basis accident rules; that is, demonstrating that it is possible to manage them “by safety actions for the automatic actuation of safety systems in combination with prescribed actions by the operator” (para. 5.75(e) of SSR-2/1 (Rev. 1) [1]). Although it is not usual to include postulated initiating events with a very low frequency of occurrence, the establishment of any lower limit of frequency should take account of the safety targets established for the specific reactor.
Main	3.30.	Typical examples of postulated initiating events leading to event sequences categorized as design basis accidents should include the following, sorted by type of sequence. This list is broadly indicative, and the actual list will depend on the type of reactor and the actual design: Increase in heat removal from the reactor: steam line breaks. Decrease in heat removal from the reactor: loss of feedwater. Decrease in flow rate of the reactor coolant system: seizure or shaft break of main coolant pump; trip of all coolant pumps. Anomalies in reactivity and power distribution: uncontrolled withdrawal of the control rod (or control rod bank); ejection of the control rod (pressurized water reactor); rod drop accident (boiling water reactor); boron dilution due to the startup of an inactive loop (pressurized water reactor). Decrease in the reactor coolant inventory: a spectrum of possible loss of coolant accidents; inadvertent opening of the primary system relief valves; leaks of primary coolant into the secondary system. Reduction in, or loss of, cooling of the fuel in the spent fuel storage pools: break of piping connected to the water of the pool. Loss of cooling of fuel during on-power refuelling (pressurized heavy water reactor). Loss of moderator circulation or a decrease in, or loss of, moderator heat sink (pressurized heavy water reactor). Release of radioactive material due to a leak in the reactor coolant system, with potential containment bypass, or from a subsystem or component: overheating of, or damage to, used fuel in transit or storage; break in a gaseous or liquid waste treatment system. End shield cooling failure (pressurized heavy water reactor).
Main	3.31.	Probabilistic analysis should be used in support of deterministic analysis in justifying the categorization of postulated initiating events in accordance with their frequency of occurrence. The calculation of the frequency should take account of the relative frequencies of the plant operational state(s) in which the postulated initiating event could occur, such as full power or hot shutdown. Particular care should be taken to ensure that a transient with the potential to degrade the integrity of barriers is assigned to a category consistent with its possible effect on the barriers.
Main	3.32.	A number of limiting cases, referred to as bounding or enveloping scenarios, should be selected from each category of events (see para. 3.27). These bounding or enveloping scenarios should be chosen so that collectively they include cases presenting the greatest possible challenges to each of the relevant acceptance criteria and involving limiting values for the performance parameters of safety related equipment. Several postulated initiating events may be combined, and/or their consequences amplified, within a bounding scenario in order to encompass all of the possible postulated initiating events in the group. The safety analysis should confirm that the grouping and bounding of initiating events is acceptable.
Main	3.33.	A single event should in some cases be analysed from different points of view with different acceptance criteria. A typical example is a loss of coolant accident, which should be analysed for many aspects — including degradation of core cooling, buildup of containment pressure, and transport and environmental release of radioactive material — and, specifically for pressurized water reactors, also for leakage of primary coolant to the steam generator bypassing the containment, pressurized thermal shock and boron dilution (reactivity accident) due, for example, to a boiling condensing regime.
Main	3.34.	Accidents during the handling of both fresh and irradiated fuel should also be evaluated. Such accidents can occur both inside and outside the containment.
Main	3.35.	There are a number of other types of postulated initiating event that would result in a release of radioactive material outside the containment and whose source term should be evaluated. Such events include: A reduction in, or loss of, cooling of the fuel in the spent fuel pool when the pool is located outside the containment; An increase of reactivity in the fresh or spent fuel; An accidental discharge from any of the auxiliary systems that carry solid, liquid or gaseous radioactive material; A failure in systems or components such as filters or delay tanks that are intended to reduce the discharges of radioactive material during normal operation; An accident during reload or maintenance when the reactor or containment might be open.
Main	3.36.	The frequency assigned to a bounding event sequence belonging to an anticipated operational occurrence or a design basis accident should be the bounding frequency established for the postulated initiating events that have been grouped together.
Main	3.37.	Requirement 20 of SSR-2/1 (Rev. 1) [1] states:
Main	3.38.	Two separate categories of design extension conditions should be identified: design extension conditions without significant fuel degradation; and design extension conditions progressing to core melting (i.e. severe accidents).⁴ Different acceptance criteria and different rules for deterministic safety analysis may be used for these two categories.
Main	3.39.	The initial selection of sequences for design extension conditions without significant fuel degradation should be based on the consideration of single initiating events of very low frequency or multiple failures to meet the acceptance criteria with regard to the prevention of core damage.
Main	3.40.	A deterministically derived list of design extension conditions without significant fuel degradation should be developed. The relevant design extension conditions should include: Initiating events that could lead to situations beyond the capability of safety systems that are designed for design basis accidents. A typical example is multiple tube rupture beyond the design basis assumptions in a steam generator of a pressurized water reactor. Anticipated operational occurrences or frequent design basis accidents combined with multiple failures (e.g. common cause failures in redundant trains) that prevent the safety systems from performing their intended function to control the postulated initiating event. A typical example is a loss of coolant accident without actuation of the safety injection. The failures of supporting systems are implicitly included among the causes of failure of safety systems. The identification of these sequences should result from a systematic analysis of the effects on the plant of a total failure of any safety system credited in the safety analysis, for each anticipated operational occurrence or design basis accident (and in particular for the most frequent, anticipated operational occurrences and design basis accidents). Credible postulated initiating events involving multiple failures causing the loss of a safety system while this system is used to fulfil its function as part of normal operation. This applies to those designs that use, for example, the same system for heat removal both in accident conditions and during shutdown. The identification of these sequences should result from a systematic analysis of the effects on the plant of a total failure of any safety system used in normal operation.
Main	3.41.	Design extension conditions are, to a large extent, technology and design dependent, but the following list should be used as a preliminary reference of design extension conditions without significant fuel degradation, which should be specifically adapted to the type and design of the plant: Very low frequency initiating events typically not considered as design basis accidents: Multiple steam generator tube ruptures (pressurized water reactor, pressurized heavy water reactor); Main steam line break and induced steam generator tube ruptures (pressurized water reactor, pressurized heavy water reactor). Anticipated operational occurrences or design basis accidents combined with multiple failures in safety systems: Anticipated transient without scram: anticipated operational occurrences combined with the failure of rods to insert; Station blackout: loss of off-site power combined with the failure of the emergency diesel generators or alternative emergency power supply; Total loss of feedwater: loss of main feedwater combined with total loss of emergency feedwater; Loss of coolant accident together with complete loss of one type of emergency core cooling feature (either the high pressure or the low pressure part of the emergency core cooling system); Loss of required safety systems in the long term after a postulated initiating event. Postulated initiating events involving multiple failures: Total loss of the component cooling water system or of the essential service water system; Loss of the residual heat removal system during cold shutdown or refuelling; Loss of the cooling systems designed for normal cooling and for design basis accidents in the spent fuel pool; Loss of normal access to the ultimate heat sink. Multiple steam generator tube ruptures (pressurized water reactor, pressurized heavy water reactor); Main steam line break and induced steam generator tube ruptures (pressurized water reactor, pressurized heavy water reactor). Anticipated transient without scram: anticipated operational occurrences combined with the failure of rods to insert; Station blackout: loss of off-site power combined with the failure of the emergency diesel generators or alternative emergency power supply; Total loss of feedwater: loss of main feedwater combined with total loss of emergency feedwater; Loss of coolant accident together with complete loss of one type of emergency core cooling feature (either the high pressure or the low pressure part of the emergency core cooling system); Loss of required safety systems in the long term after a postulated initiating event. Total loss of the component cooling water system or of the essential service water system; Loss of the residual heat removal system during cold shutdown or refuelling; Loss of the cooling systems designed for normal cooling and for design basis accidents in the spent fuel pool; Loss of normal access to the ultimate heat sink.
Main		3.42. For the identification of design extension conditions without significant fuel degradation, specific attention should be paid to auxiliary and support systems (e.g. ventilation, cooling and electrical supply) as some of these systems may have the potential to cause immediate or delayed consequential multiple failures in both operational and safety systems.
Main	3.43.	Sequences for different design extension conditions without significant fuel degradation that are associated with similar safety challenges should be grouped together. Each group should be analysed through a bounding scenario that presents the greatest challenge to the relevant acceptance criteria.
Main	3.44.	Multiple failures considered in each sequence of design extension conditions without significant fuel degradation should be specifically listed.
Main	3.45.	A number of specific sequences with core melting (severe accidents) should be selected for analysis in order to establish the design basis for the safety features for mitigating the consequences of such accidents, in accordance with the plant safety objectives. These sequences should be selected in order to represent all of the main physical phenomena (e.g. primary circuit pressure, reactor decay heat or containment status) involved in core melt sequences.
Main	3.46.	It should be assumed that the features to prevent core melting fail or are insufficient, and that the accident sequence will further evolve into a severe accident. Representative event sequences should be selected by considering additional failures or incorrect operator responses to design basis accident or design extension condition sequences and to the dominant accident sequences identified in the probabilistic safety analysis.
Main	3.47.	The representative event sequences for design extension conditions with core melting, in accordance with each acceptance criterion, should be analysed to determine limiting conditions, particularly those sequences that could challenge the integrity of the containment. The representative event sequences should be used to provide input to the design of the containment and of those safety features necessary to mitigate the consequences of such design extension conditions.
Main	3.48.	Design extension conditions are, to a large extent, technology and design dependent, but the following accidents are provided as a preliminary reference of design extension conditions with core melting (severe accidents): Loss of core cooling capability, such as an extended loss of off-site power with partial or total loss of on-site AC power sources and/or the loss of normal access to the ultimate heat sink (exact sequence is design dependent); Loss of reactor coolant system integrity, such as loss of coolant accidents without the availability of emergency core cooling systems or exceeding their capabilities.
Main	3.49.	A low estimated frequency of occurrence for an accident with core melting is not a sufficient reason for failing to protect the containment against the conditions generated by such an accident. Core melt conditions should be postulated regardless of the provisions implemented in the design. To exclude containment failure, the analysis should demonstrate that very energetic phenomena that may result from an accident with core melting are prevented (i.e. the possibility of the conditions arising may be considered to have been ‘practically eliminated’).
Main	3.50.	Representative event sequences of design extension conditions with core melting should be selected to identify the most severe plant parameters resulting from the phenomena associated with a severe accident. These parameters should be used in the deterministic analyses of the plant structures, systems and components to demonstrate the limitation of the radiological consequences of such severe accident sequences. The analysis of these sequences should provide the environmental conditions to be taken into account when assessing whether the equipment⁵ used in severe accidents is capable of performing its intended functions when necessary (see Requirement 30 of SSR-2/1 (Rev. 1) [1]).
Main	3.51.	Determination of postulated initiating events should take account of effects and loads from events caused by relevant site specific internal and external hazards, individually and in combination (Requirement 17 and paras 5.15A–5.21A of SSR-2/1 (Rev. 1) [1]). A list of external hazards can be found in IAEA Safety Standards Series No. SSR-1, Site Evaluation for Nuclear Installations [15]. Analysis of internal and external hazards differs from analysis of postulated initiating events and scenarios caused by a single failure or multiple failures in the nuclear power plant technological systems or by erroneous human actions having a direct impact on performance of fundamental safety functions⁶. The hazards themselves do not represent initiating events but they are associated with loads, which can initiate such events.
Main	3.52.	In accordance with paras 5.15B, 5.19 and 5.63 of SSR-2/1 (Rev. 1) [1], in determining postulated initiating events caused by site specific hazards for multiple unit plant sites, the possibility of affecting several or even all units on the site simultaneously should be taken into account. Specifically, the effects from losing the electrical grid, those from losing the ultimate heat sink and the failure of shared equipment should be taken into account.
Main	3.53.	The analysis of hazards⁷, which is performed by using probabilistic methods or appropriate engineering methods, should aim to demonstrate for each hazard that either: The hazard can be screened out owing to its negligible contribution to risk; The nuclear power plant design is robust enough to prevent any transition from the load caused by the hazard into an initiating event; The hazard causes an initiating event considered in the design.
Main	3.54.	In cases where an initiating event is caused by a hazard, the analysis should credit only the functions of those structures, systems and components that are qualified for, or protected from, the hazard.
Main	3.55.	Paragraph 2.13(4) of SSR-2/1 (Rev. 1) [1] states:
Main	3.56.	The event sequences for which specific demonstration of their ‘practical elimination’ is required should be classified as follows: Events that could lead to prompt reactor core damage and consequent early containment failure, such as: Failure of a large pressure-retaining component in the reactor coolant system; Uncontrolled reactivity accidents. Severe accident sequences that could lead to early containment failure, such as: Highly energetic direct containment heating; Large steam explosion; Explosion of combustible gases, including hydrogen and carbon monoxide. Severe accident sequences that could lead to late containment failure⁸: Basemat penetration or containment bypass during molten core concrete interaction; Long term loss of containment heat removal; Explosion of combustible gases, including hydrogen and carbon monoxide. Severe accident with containment bypass. Significant fuel degradation in a storage fuel pool and uncontrolled releases. Failure of a large pressure-retaining component in the reactor coolant system; Uncontrolled reactivity accidents. Highly energetic direct containment heating; Large steam explosion; Explosion of combustible gases, including hydrogen and carbon monoxide. Basemat penetration or containment bypass during molten core concrete interaction; Long term loss of containment heat removal; Explosion of combustible gases, including hydrogen and carbon monoxide.
Main	3.57.	The consequences of event sequences that may be considered to have been ‘practically eliminated’ are not part of the deterministic safety analysis. However, deterministic safety analysis contributes to the demonstration that design and operation provisions are effective in the ‘practical elimination’ of these sequences (see paras 7.68–7.72).
Main	4.1.	Paragraph 4.57 of GSR Part 4 (Rev. 1) [2] states that “Criteria for judging safety, sufficient...to meet the requirements of the designer, the operating organization and the regulatory body, shall be defined for the safety analysis.”
Main	4.2.	Paragraph 5.75 of SSR-2/1 (Rev. 1) [1] states that “The deterministic safety analysis shall mainly provide:…(d) Comparison of the results of the analysis with acceptance criteria, design limits, dose limits and acceptable limits for purposes of radiation protection”. Compliance with the acceptance criteria should be demonstrated by deterministic safety analysis.
Main	4.3.	Acceptance criteria should be established for the entire range of operational states and accident conditions. These criteria should aim at preventing damage to relevant barriers to the release of radioactive material in order to prevent releases (and hence consequences) above acceptable limits. The selection of the criteria should ensure a sufficient margin between the criterion and the physical limit for loss of integrity of a barrier.
Main	4.4.	Acceptance criteria should relate to the frequency of the relevant conditions. Conditions that occur more frequently, such as normal operation or anticipated operational occurrences, should have acceptance criteria that are more restrictive than those for less frequent events, such as design basis accidents or design extension conditions.
Main	4.5.	Acceptance criteria should be established at two levels, as follows: High level (radiological) criteria, which relate to radiological consequences of plant operational states or accident conditions. These are usually expressed in terms of activity levels or doses, and are typically defined by law or by regulatory requirements. Detailed (derived) technical criteria, which relate to the integrity of barriers to releases of radioactive material (e.g. the fuel matrix, fuel cladding, reactor coolant system pressure boundary and containment). These are defined in regulatory requirements, or proposed by the designer subject to regulatory acceptance, for use in the safety demonstration.
Main	4.6.	The radiological acceptance criteria should be expressed in terms of effective dose, equivalent dose or dose rate to workers at the nuclear power plant, members of the public or the environment, including non-human biota, as appropriate. Radiological acceptance criteria with regard to doses should be defined in accordance with the applicable safety requirements (see Requirements 5 and 81 of SSR-2/1 (Rev. 1) [1]).
Main	4.7.	Radiological acceptance criteria expressed in terms of doses may be converted into acceptable activity levels for different radionuclides in order to decouple nuclear power plant design features from the characteristics of the environment.
Main	4.8.	Radiological acceptance criteria for normal operation should typically be expressed as effective dose limits for the workers at the plant and for members of the public in the vicinity of the plant, or as authorized limits on the activity in planned discharges from the plant (see Requirement 5 of SSR-2/1 (Rev. 1) [1]).
Main	4.9.	The radiological acceptance criteria for anticipated operational occurrences should be more restrictive than for design basis accidents, since the frequencies of anticipated operational occurrences are higher.
Main	4.10.	The radiological acceptance criteria for design basis accidents should ensure that Requirement 19 and the requirements in para. 5.25 of SSR-2/1 (Rev. 1) [1] are met.
Main	4.11.	The radiological acceptance criteria for design extension conditions should ensure that Requirement 20 and the requirements in para. 5.31A of SSR-2/1 (Rev. 1) [1] are met.
Main	4.12.	Technical acceptance criteria should be set in terms of the variables that govern the physical processes that challenge the integrity of a barrier. It is common engineering practice to use surrogate variables⁹ relating to the integrity of the barriers to establish an acceptance criterion or a combination of criteria for ensuring the integrity of the barrier. When defining these acceptance criteria, sufficient conservatism should be included to ensure that there are adequate safety margins to the loss of integrity of the barrier.
Main	4.13.	The following groups and examples of criteria should be considered, as appropriate depending on specific design solutions, in the specification of a set of technical acceptance criteria: Criteria relating to the integrity of the nuclear fuel matrix: maximum fuel temperature and maximum radially averaged fuel enthalpy (taking into account burnup, fuel composition and additives, such as burnable absorbers, in both values). Criteria relating to the integrity of fuel cladding: minimum departure from nucleate boiling ratio; maximum cladding temperature; and maximum local cladding oxidation. Criteria relating to the integrity of the whole reactor core: adequate subcriticality; maximum production of hydrogen from oxidation of cladding; maximum damage of fuel elements in the core; maximum deformation of fuel assemblies (as required for cooling, insertion of control rods and removal of control rods); and calandria vessel integrity (for pressurized heavy water reactors). Criteria relating to the integrity of the nuclear fuel located outside the reactor: adequate subcriticality; adequate water level above the fuel assemblies; and adequate heat removal. Criteria relating to the integrity of the reactor coolant system: maximum coolant pressure; maximum temperature, pressure and temperature changes and resulting stresses and strains in the coolant system pressure boundary; and no initiation of a brittle fracture or ductile failure from a postulated defect of the reactor pressure vessel. Criteria relating to the integrity of the secondary circuit (if relevant): maximum coolant pressure; and maximum temperature, pressure and temperature changes in the secondary circuit equipment. Criteria relating to the integrity of the containment and limitation of releases to the environment: value and duration of maximum and minimum pressure; maximum pressure differences acting on containment walls; maximum leakages; maximum concentration of flammable or explosive gases; acceptable working environment for operation of systems; and maximum temperature in the containment. Criteria relating to the integrity of any other component necessary to limit radiation exposure, such as the end shield in pressurized heavy water reactors: maximum pressure, temperature and heat-up rate.
Main	4.14.	For postulated initiating events occurring during shutdown modes or other cases with disabled or degraded integrity of any of the barriers, more restrictive criteria should be used if possible, for example avoiding boiling of coolant in an open reactor vessel or in the spent fuel pool, or avoiding uncovering of fuel assemblies.
Main	4.15.	In general, technical acceptance criteria relating to the integrity of barriers should be more restrictive for conditions with a higher frequency of occurrence. For anticipated operational occurrences, there should be no consequential failure of any of the physical barriers (fuel matrix, fuel cladding, and reactor coolant pressure boundary or containment) and no fuel damage (or no additional fuel damage if minor fuel leakage, within operational limits, is authorized in normal operation). For design basis accidents and for design extension conditions without significant fuel degradation, barriers to the release of radioactive material from the plant should maintain their integrity to the extent required (see paras 4.10 and 4.11). For design extension conditions with core melting, the integrity of the containment should be maintained and containment bypass should be prevented to ensure prevention of an early radioactive release or a large radioactive release.
Main	4.16.	The range and conditions of applicability of each individual criterion should be clearly specified. For example, specification of fuel melting temperature or fuel enthalpy rise should be associated with specification of fuel burnup and content of burnable absorbers. Similarly, for a limitation of radioactive releases, the duration of the releases should be specified. Acceptance criteria can vary significantly depending on the conditions. Therefore, acceptance criteria should be associated with sufficiently detailed conditions and assumptions to be used for safety analysis.
Main	4.17.	Although the assessment of engineering aspects important to safety might not be explicitly addressed in the safety analysis, it constitutes a relevant part of the safety assessment. Safety margins applied to the design of structures, systems and components should be commensurate with the uncertainty in the loads they may have to bear and with the consequences of their failure.
Main	4.18.	In addition to all relevant physical quantities, the evaluation of stresses and strains should take account of the environmental conditions resulting from each loading and each loading combination and of appropriate boundary conditions. The acceptance criteria should adequately reflect the prevention of consequential failure of structures or components that are necessary to mitigate the consequences of the events, which are correlated with the assumed loading.
Main	5.1.	Requirement 18 of GSR Part 4 (Rev. 1) [2] states that “Any calculational methods and computer codes used in the safety analysis shall undergo verification and validation.” The models and methods used in the computer codes for deterministic safety analysis should be appropriate and adequate for the purpose. The extent of the validation and verification necessary and the means for achieving it should depend on the type of application and the purpose of the analysis.
Main	5.2.	With regard to the selection of computer codes, it should be confirmed that: The physical models used to describe the processes are justified. The simplifying assumptions made in the models are justified. The correlations used to represent physical processes are justified and their limits of applicability are identified. The limits of application of the code are identified. This is important when the model or calculational method is only designed to model physical processes in a particular range of conditions, and the code should not be applied outside this range. The numerical methods used in the code are accurate and robust. A systematic approach has been used for the design, coding, testing and documentation of the code. Compliance of the source coding with its description in the system code documentation has been assessed.
Main	5.3.	The assessment of the accuracy of individual computer codes should include a series of steps: Identifying the important phenomena in the supporting experimental data and expected plant behaviour; Estimating uncertainties associated with the numerical approaches used in the code; Estimating uncertainties in the main models used in the code; Establishing sensitivities of important processes to values of the main variables.
Main	5.4.	With regard to the outputs of the computer codes, it should be confirmed that the predictions of the code have been compared with: Experimental data for the significant phenomena modelled. This would typically include comparison with ‘separate effect tests’ and ‘integral effect tests’, as described in para. 5.25. Available plant data, including tests carried out during commissioning or startup and data from operational occurrences or accidents. Outputs from other codes that have been developed independently and use different methods. Results from standard problems and/or numerical benchmarks, when these are available and reliable.
Main	5.5.	Although there has been substantial progress in the development of more accurate and reliable computer codes for accident analysis, the user still has a significant influence on the quality of the analysis. It should be ensured that: All users of the code have received adequate training and have a sufficient understanding of the models and the methods used in the code; The users or their supervisors are sufficiently experienced in the use of the code and have a sufficient understanding of such use and corresponding limitations for the specific application case (e.g. loss of coolant accident); The users have adequate guidance on the use of the code; The users follow the recommendations for use of the code, especially those relevant to the specific application for which the analysis is being carried out.
Main	5.6.	With regard to the use of the computer code, it should be confirmed that: The nodalization (see para. 5.39) and the plant models provide a good representation of the behaviour of the plant; The input data are correct; The nodalization, selected models and assumptions are consistent, to the extent practicable, with those chosen for separate effect tests and integral effect tests used for the qualification of the application; The output of the code is evaluated and understood adequately and used correctly.
Main	5.7.	All activities that affect the quality of computer codes should be managed using procedures that are specific to ensuring the quality of software. Established software engineering practices that are applicable to the development and maintenance of software critical to safety should be applied. Formalized procedures and instructions should be put in place for the entire lifetime of the code, including code development, verification and validation, and a continued maintenance process with special attention to the reporting and correction of errors.
Main	5.8.	Code developers should ensure that the planned and systematic actions required to provide confidence that the code meets the functional requirements have been taken. The procedures should address, as a minimum, development control, document control, configuration of the code, and testing and corrective actions.
Main	5.9.	To minimize human error in code development, only suitably qualified or supervised personnel should be involved in the development, verification and validation of the code. Similarly, in user organizations, only suitably qualified or supervised personnel should use the code.
Main	5.10.	The activities in development and maintenance of the computer code should include: Preparation and upgrading of code manuals for developers and users; Verification and validation activities and their documentation; Error reporting and corrective actions and their documentation; Acceptance testing including non-regression tests, installation of the code and upgrading of code manuals; Configuration management; Control of interfaces; Version control of the code.
Main	5.11.	If tasks of code development, verification or validation are delegated to an external organization, those tasks should be managed within the external organization to ensure quality. The user’s organization should review arrangements within the external organization and should audit their implementation.
Main	5.12.	When new versions of computer codes are developed, an established set of test cases should be simulated and run with the new version and any significant differences in the results compared to previous versions should be identified and understood. Such simulations should be performed by the code developers and users, as appropriate.
Interface between safety and security with regard to the use of the computer codes	5.13.	Computer security measures should be in place to protect the code and development environment from malicious acts and the introduction of new vulnerabilities. Guidance on computer security for nuclear facilities is provided in Ref. [19].
Interface between safety and security with regard to the use of the computer codes	5.14.	Paragraph 4.60 of GSR Part 4 (Rev. 1) [2] indicates that verification of the computer code is required to include both model verification and system code verification.
Interface between safety and security with regard to the use of the computer codes	5.15.	Verification of the computer code should include a demonstration that the code (source code and algorithm) accurately represents the mathematical model of the real system (model verification) and conforms to the code documentation (system code verification). In general, the verification should ensure that the numerical methods, the transformation of the equations into a numerical scheme to provide solutions, and the user options and restrictions are appropriately implemented in accordance with the specifications.
Interface between safety and security with regard to the use of the computer codes	5.16.	Verification of the computer code should be performed by means of review, inspection and audit. Checklists may be provided for review and inspection. Audits may be performed on selected items to ensure quality.
Interface between safety and security with regard to the use of the computer codes	5.17.	Verification of the computer code should be performed to review the source coding in relation to its description in the code documentation. The verification should include a review of the design concept, basic logic, flow diagrams, algorithms and computational environment.
Interface between safety and security with regard to the use of the computer codes	5.18.	If the computer code is run on a hardware or software platform (e.g. operating system) other than the one on which the verification process was carried out, the validity of the code verification for the intended platform should be assessed.
Interface between safety and security with regard to the use of the computer codes	5.19.	Verification of the source coding should be performed to demonstrate that it conforms to accepted programming practices and that its logic is consistent with the code documentation.
Interface between safety and security with regard to the use of the computer codes	5.20.	A complex computer code may include the integration or coupling of simpler codes. In such cases, verification of the complex code should ensure that the links and/or interfaces between the codes are correctly designed and implemented to meet the code documentation.
Interface between safety and security with regard to the use of the computer codes	5.21.	Validation of the computer code should be performed to determine whether the mathematical models used in the code are an adequate representation of the real system being modelled. Outputs of the code should be compared, as far as possible, with observations of the real system or experimental data.
Interface between safety and security with regard to the use of the computer codes	5.22.	Validation of the computer code should provide confidence in the ability of a code to predict, realistically or conservatively as required, the values of the safety parameter or parameters of interest. The level of confidence provided by the validation should be appropriate to the type of analysis. For example, the scope of validation may be relaxed for codes used in severe accident analysis, in view of the limited experimental data available, in which case additional reliance should be placed on verification (see paras 5.14–5.20).
Interface between safety and security with regard to the use of the computer codes	5.23.	Validation of the computer code should be performed to assess the uncertainty in the parameter values predicted by the code. Outputs of the code should be compared with relevant experimental data and, if possible, with data from operational transients representing the important phenomena expected to occur.
Interface between safety and security with regard to the use of the computer codes	5.24.	Validation of the computer codes used in complex analysis should be performed in two phases: the development phase, in which the validation assessment is performed by the code developer; and the independent assessment phase, in which the validation assessment is performed by the code user.
Interface between safety and security with regard to the use of the computer codes	5.25.	The validation should ideally include comparisons of code outputs with results from four different types of test: Basic tests: These are simple test cases, which might not be directly related to a nuclear power plant. These tests may have analytical solutions or may use correlations or data derived from experiments. Separate effect tests: These are designed to highlight specific phenomena that may occur at a nuclear power plant, but do not address other phenomena that may occur at the same time. Separate effect tests should ideally be performed at full scale. If not, appropriate attention should be paid to possible scaling effects (see paras 5.30–5.32). Integral effect tests: These are test cases that are directly related to a nuclear power plant. All or most of the relevant physical processes are represented simultaneously. However, these tests may be carried out on a reduced scale, may use substitute materials or may be performed with different boundary conditions, compared to a nuclear power plant. Nuclear power plant level tests and validation through operational transients: Nuclear power plant level tests are performed on an actual nuclear power plant, for example during the commissioning phase. Validations through operational transients, together with nuclear power plant tests, are important means of qualifying the plant model.
Interface between safety and security with regard to the use of the computer codes	5.26.	Validation against test data is the primary means of validation. However, in cases where no means to achieve appropriate data for validation are available for test cases of the types in para. 5.25(b)–(d), it is possible to enhance confidence in the results by means of code to code comparisons or using bounding engineering judgement to compensate for limitations in the full validation. The approach taken to validation and the use of the code should be justified.
Interface between safety and security with regard to the use of the computer codes	5.27.	The validation should ideally cover the full range of values of parameters, conditions and physical processes that the computer code is intended to model, in the specific applications for which it is to be used.
Interface between safety and security with regard to the use of the computer codes	5.28.	The scope of the validation performed by the code user should be consistent with the intended use of the computer code. The scope of validation should also be in accordance with the complexity of the code and the complexity of the physical processes that it represents.
Interface between safety and security with regard to the use of the computer codes	5.29.	For complex applications, a computer code might predict one set of test data with a high degree of accuracy but be inaccurate for other datasets. For such cases, a validation matrix should be developed for code validation, tailored to the application(s) for which the code is to be validated.
Interface between safety and security with regard to the use of the computer codes	5.30.	The validation matrix should include test data from different experimental facilities and from different sets of conditions in the same facility, and should ideally include basic tests, separate effect tests, integral effect tests and nuclear power plant level tests. The models and associated assumptions chosen at each level of validation should be consistent with one another and should not be different for different types of test. If sufficient data from full scale experiments are not available, data from reduced scale experiments should be used, with appropriate consideration of scaling effects. The number and the selection of tests in the validation matrix should be justified as being sufficient for the intended application(s) of the computer code.
Interface between safety and security with regard to the use of the computer codes	5.31.	To ensure that the computer code is validated for conditions that are as close as possible to those in a nuclear power plant, it should be ensured that the boundary conditions and initial conditions for each test are appropriate. If data relating to other conditions are used, consideration should be given to scaling effects. A scaled experimental facility cannot be used to represent all of the phenomena that are relevant for a full size facility. Thus, for each scaled facility that is used in the validation process, the phenomena that are correctly represented and those that are not correctly represented should be identified. The effects of phenomena that are not properly represented should be addressed in other ways, taking into account the applicable level of conservatism.
Interface between safety and security with regard to the use of the computer codes	5.32.	When performing validation against experimental data, allowance for uncertainties in the measured data should be included in the determination of the uncertainty in the computer code’s predictions. In addition, the evaluation of uncertainties based on scaled experimental results should be transposed to the real power plant application, and this transposition should be evaluated and justified in assessing the overall uncertainty in the results.
Interface between safety and security with regard to the use of the computer codes	5.33.	The range of validity and the limitations of a computer code, established from its validation, should be documented in a validation report.
Interface between safety and security with regard to the use of the computer codes	5.34.	The results of validation should be used to determine the uncertainty in the results provided by computer code calculations. Different methods are available for assessing the uncertainty in the results.
Interface between safety and security with regard to the use of the computer codes	5.35.	For point data, the difference between values calculated using the computer code and experimental results may be determined directly or, in the case of a set of experimental results, by using descriptive statistics. For time dependent data, as a minimum a qualitative evaluation of the uncertainty should be performed.
Interface between safety and security with regard to the use of the computer codes	5.36.	As a result of the validation process, the uncertainty in the computer code calculations and the code’s range of validation should be known and should be considered in interpreting any results of safety analysis calculations.
Interface between safety and security with regard to the use of the computer codes	5.37.	For a computer code intended to be conservative with regard to a particular acceptance criterion, it should be demonstrated that the code prediction for that criterion is conservative when compared with the experimental data (i.e. that predictions of negative consequences are worse than the likely actual consequences).
Interface between safety and security with regard to the use of the computer codes	5.38.	Results produced by computer codes are sensitive to decisions that are made by the user, such as the models chosen and the number and structure of nodes that are used. Such user effects could be particularly large in cases where results cannot be compared with plant data or experimental data. The procedures, code documentation and user guidelines should be carefully elaborated and followed to minimize such user effects. For example, users’ procedures should include guidance on issues such as how to compile input datasets, selecting the appropriate models in the code, and general rules for preparing the nodalization.
Interface between safety and security with regard to the use of the computer codes	5.39.	The nodalization should be sufficiently detailed that all important phenomena of the scenario and all important design characteristics of the nuclear power plant are represented. A qualified nodalization that has successfully provided code outputs in agreement with experimental results for a given scenario should be used, as far as possible, for the same scenario when performing an analysis for a nuclear power plant. When scaled tests are used to assess a computer code, a consistent nodalization philosophy should be used for the test and for the full scale analysis of the plant. Sufficient sensitivity analyses should be performed on the nodalization to ensure that the calculated results are free from erratic variations.
Interface between safety and security with regard to the use of the computer codes	5.40.	The input data for a computer code include some form of model that represents all or part of the nuclear power plant. There is usually a degree of flexibility in how the plant is modelled and nodalized. The input data that are used to perform deterministic calculations should conform to the best practice guidelines for using the computer code (as in the user manual) and should be independently checked. The input data should be a compilation of information found in valid technical drawings, operating manuals, procedures, set point lists, pump performance charts, process diagrams, instrumentation diagrams, control diagrams and other plant documentation.
Interface between safety and security with regard to the use of the computer codes	5.41.	Each computer code should be adequately documented to facilitate review of the models and correlations employed, and to ensure that the models for important phenomena are appropriate and are not applied outside their range of validity. The documentation should also provide a description of the uncertainties in important models and in the overall code for typical applications. The code documentation should also include user guidelines and input descriptions to ensure that the user can use the code properly. A description of the experimental data or other key data used, a description of the computer options considered in the validation and a description of the validation results should also be included. The documentation should be available to all users.
Interface between safety and security with regard to the use of the computer codes	5.42.	Although the guidance may vary depending on the complexity of the computer codes and the modelling parameters available to the user, the user guidelines or validation documentation should give the user some guidance on the influence of important modelling parameters, recommendations for typical applications of the code, the type of nodalization to be used and the important trends to be expected. Typically, a complete set of documentation would include an abstract of the programme, a theory manual, a user’s manual and a description of the inputs, a programmer’s manual and a validation report.
Interface between safety and security with regard to the use of the computer codes	5.43.	The tracking of errors and reporting of their correction status should be a continuous process and should be a part of code maintenance. The impacts of such errors on the results of analyses that have been completed and used as part of the safety assessment for a plant should be assessed.
Interface between safety and security with regard to the use of the computer codes	6.1.	The deterministic safety analysis should demonstrate that the associated safety requirements are met and that adequate margins (depending on the plant state) exist between the real values of important parameters that could actually be reached and the threshold values at which the barriers against release of radioactive material would fail. Conservatisms might be introduced in many ways, such as in acceptance criteria or through conservative assumptions in physical models or in initial and boundary conditions.
Interface between safety and security with regard to the use of the computer codes	6.2.	Uncertainties in the predictions of computer codes should be taken into account either implicitly by applicable approaches or explicitly using a best estimate approach with quantification of uncertainties (see Table 1, Section 2). This is particularly important for the most limiting conditions (those with the smallest margins to acceptance criteria).
Interface between safety and security with regard to the use of the computer codes	6.3.	To demonstrate compliance with acceptance criteria for anticipated operational occurrences, two complementary approaches should be considered: the realistic approach, using plant control and limitation systems (paras 7.17–7.26); and a more conservative approach, using only safety systems (paras 7.27–7.44).
Interface between safety and security with regard to the use of the computer codes	6.4.	Paragraph 5.26 of SSR-2/1 (Rev. 1) [1] states (see para. 2.14 of this Safety Guide):
Interface between safety and security with regard to the use of the computer codes	6.5.	Paragraph 5.27 of SSR-2/1 (Rev. 1) [1] states, in relation to the deterministic safety analysis of design extension conditions, that “The effectiveness of provisions to ensure the functionality of the containment could be analysed on the basis of the best estimate approach” (although more stringent approaches may be used in accordance with specific regulatory requirements).
Interface between safety and security with regard to the use of the computer codes	6.6.	When best estimate analysis is used, adequate margins to the loss of integrity of barriers should still be ensured. It should be demonstrated by sensitivity analysis that cliff edge effects¹⁰ potentially leading to an early radioactive release or a large radioactive release can be reliably avoided. This demonstration is particularly important in the case of best estimate analysis used for design extension conditions and particularly for severe accidents, which have a higher potential for degradation of the barriers leading to an early radioactive release or a large radioactive release.
Interface between safety and security with regard to the use of the computer codes	6.7.	Parameters to which the analysis results are most sensitive should be identified. A sensitivity analysis should be performed with systematic variation of the key input variables to determine their influence on the results. These analyses should be used for the determination of the values of parameters that represent the greatest challenges to safety, and for demonstrating that realistically foreseeable changes in parameters do not lead to cliff edge effects. It should be taken into account that when sensitivity analyses are carried out by changing one parameter at a time, misleading results might be obtained because the possible compensatory or cumulative effects when several parameters change simultaneously are not necessarily reflected.
Interface between safety and security with regard to the use of the computer codes	6.8.	For practical reasons, only a limited number of parameters — those identified as having the more significant effect on results — can be considered in sensitivity analysis. Variation in the values of these parameters within a given range aims to identify the values that lead to the smallest margins to a selected acceptance criterion, and such values are criterion dependent. Moreover, the importance of any parameter may change during transients. Care should be taken to avoid situations in which arbitrary variations in selected parameters that are not independent may cause problems owing to inconsistency of the data (e.g. violation of mass balance).
Interface between safety and security with regard to the use of the computer codes	6.9.	Deterministic safety analysis should incorporate a degree of conservatism commensurate with the objectives of the safety analysis and dependent on the plant state. For conservative analysis of anticipated operational occurrences and design basis accidents (see para. 2.14), one of the two following options, or a combination thereof, should be considered instead of the fully conservative approach: Use of the best estimate computer code in combination with conservative input data; Use of a best estimate computer code in combination with best estimate input data, irrespective of how it is associated with the quantification of uncertainties both in the code models and in input data.
Interface between safety and security with regard to the use of the computer codes	6.10.	The procedures, code documentation and user guidelines should be followed carefully to limit the influence of the user in performing deterministic safety analysis.
Interface between safety and security with regard to the use of the computer codes	6.11.	The selection of initial and boundary conditions should take account of geometric changes, fuel burnup and age related changes to the nuclear power plant, such as fouling of boilers or steam generators.
Interface between safety and security with regard to the use of the computer codes	6.12.	In the conservative approach or combined approach, conservative initial and boundary conditions should be selected from the ranges of parameters specified in the plant’s operational limits and conditions (see Table 1, Section 2). Examples of initial conditions are reactor power level, power distribution, pressure, temperature and flow in the primary circuit. Examples of boundary conditions are actuation set points and performance characteristics of plant systems such as pumps and power supplies, external sources and sinks for mass and energy, and other parameters that change during the course of the transient. Selection of conservative assumptions with regard to the availability of systems and operator actions is discussed separately for individual plant states in Section 7.
Interface between safety and security with regard to the use of the computer codes	6.13.	Input data and modelling assumptions should be selected not only for neutronic and thermohydraulic aspects of anticipated operational occurrences and design basis accidents, but also for radiological aspects. In particular, for analysis of the source term for releases to the environment, the following factors should be addressed: Inventory of fission products and other radionuclides in the fuel (in the core or in the spent fuel pool); Activity in the reactor coolant system, including release of volatile fission products prior to, or during, the event (spiking); Time progression and scope of fuel damage (clad leakage); Fractions of radionuclides released from the fuel; Retention of radionuclides in the primary cooling system and in containment leakage pathways; Partitioning of fission products between the steam and liquid phases of the coolant; Performance of containment systems (sprays, ventilation, filtering, deposition and resuspension); Leak rate and position of leaks from the containment; Timing and duration of releases; Chemical and physical forms of radioactive material released, in particular iodine; Effective height of release to the environment taking into account the energy of the releases.
Interface between safety and security with regard to the use of the computer codes	6.14.	When a best estimate code is used in combination with conservative inputs and assumptions, it should be ensured that the uncertainties associated with the best estimate code are sufficiently compensated for by conservative inputs. The analysis should include a combination of validation of the code, use of conservatisms and use of sensitivity studies to evaluate and take into account the uncertainties relating to code models. These studies may be different depending on the type of transient and therefore should be carried out for each deterministic safety analysis.
Interface between safety and security with regard to the use of the computer codes	6.15.	For the conservative or combined approaches, the initial and boundary conditions should be set to values that will lead to conservative results for the safety related parameters that are to be compared with the acceptance criteria. A single set of conservative values for initial and boundary conditions does not necessarily lead to conservative results for each safety related parameter or acceptance criterion. Therefore, the appropriate conservative initial and boundary conditions should be selected individually, depending on the specific transient and acceptance criteria.
Interface between safety and security with regard to the use of the computer codes	6.16.	In selecting conservative input parameters for the analysis, the following should be taken into account: Intentional conservatisms might not always lead to the intended conservatism in the results, for example if different assumptions lead to compensatory effects and ‘cancel out’ conservatisms. The degree of conservatism can change during the course of the event and an assumption might not remain conservative throughout the whole transient. The use of some conservative assumptions might lead to misleading or unrealistic predicted sequences of events and timescales. If conservative values are selected based on engineering judgement, there is a high risk that such selection is not properly implemented by the user and that it does not lead to conservative results.
Interface between safety and security with regard to the use of the computer codes	6.17.	Since the use of conservative computer codes can conceal the effects of certain phenomena or significantly change their chronological order, the analysis of such phenomena should be supported by adequate sensitivity analysis to demonstrate that important safety issues are not being concealed by the conservative code.
Interface between safety and security with regard to the use of the computer codes	6.18.	In conservative safety analysis, the most limiting initial conditions expected over the lifetime of the plant should be used, based on sensitivity analyses. The initiating event should be considered to occur at an unfavourable time with respect to initial reactor conditions such as plant mode (power or shutdown), power level, residual heat level, fission product inventory, reactivity conditions, and reactor coolant system temperature, pressure and inventory.
Interface between safety and security with regard to the use of the computer codes	6.19.	Initial conditions that cannot occur at the same time in combination do not need to be considered. For example, the limiting decay heat and the limiting peaking factors cannot physically occur at the same time of the fuel campaign. However, the initial conditions considered should include the most unfavourable combinations that are possible.
Interface between safety and security with regard to the use of the computer codes	6.20.	Operating conditions occurring with negligibly low frequency and having a very limited duration might not need to be considered in the selection of conservative initial conditions.
Interface between safety and security with regard to the use of the computer codes	6.21.	Uncertainties, in particular for anticipated operational occurrences and design basis accidents, may be addressed in deterministic safety analysis by the use of a best estimate computer code taking into account uncertainties in models, initial and boundary conditions, and other input parameters. To obtain conservative results of safety analysis, the effects of such uncertainties on the results should be identified and assessed to confirm that the actual plant parameters will be bounded by the upper and lower limits of the results of calculation with an adequate level of confidence.
Interface between safety and security with regard to the use of the computer codes	6.22.	Before quantification of uncertainties, it should be ensured that: the best estimate computer code used for the analysis is adequately validated; user effects (e.g. possible improper selection of values) are properly accounted for; the influence of the computational platform (hardware and software) on the results is minimized; and the methodology to assess the uncertainties is qualified.
Interface between safety and security with regard to the use of the computer codes	6.23.	A reliable assessment of the uncertainties is necessary to carry out robust ‘best estimate with quantification of uncertainties’ analyses, especially for the identification and separation of aleatory and epistemic sources of uncertainties¹¹. These different sources of uncertainty should be treated differently when performing the uncertainty analysis. Code to data comparisons are the preferred means to quantify the epistemic uncertainties. However, a combination of sensitivity studies, code to code comparisons and expert judgements may also be used as an input for the assessment (para. 4.59 of GSR Part 4 (Rev. 1) [2]). The preferred means for assessing aleatory uncertainties is the collection of data from nuclear power plants on initial and boundary conditions that are relevant to the events being considered.
Interface between safety and security with regard to the use of the computer codes	6.24.	The quantification of uncertainties should be based on a statistical combination of uncertainties in plant conditions and in computer code models (see para. 2.7) to ensure that, with a specified probability, a sufficiently large number of calculated results meet the acceptance criteria. For analysis of anticipated operational occurrences and design basis accidents, it is typically required that assurance be provided at a 95% confidence level, or greater, such that at least 95% of the results comply with applicable acceptance criteria for a plant. However, national regulations may require different levels of probability.
Interface between safety and security with regard to the use of the computer codes	6.25.	Within the uncertainty methods considered, uncertainties should be evaluated using either propagation of input uncertainties or extrapolation of output uncertainties. In the former approach, overall uncertainty in outputs is evaluated by performing a sufficient number of calculations, varying uncertain input parameters. In the latter approach, overall uncertainty in outputs is evaluated based on a comparison between the outputs (calculation results) and experimental data.
Interface between safety and security with regard to the use of the computer codes	6.26.	For the ‘propagation of input uncertainties’ approach, the uncertain input parameters that are varied should include at least the most significant ones. Ranges should be assigned to the values of selected input parameters and the probability distributions within those ranges specified based on data from relevant experiments, measurements of parameters, records of plant operational parameters or other appropriate sources. If this is not feasible, conservative values from the range should be used. Either the selected input parameters should be independent of each other or dependencies between uncertain input parameters should be identified and quantified; specific processing of these results should be applied.
Interface between safety and security with regard to the use of the computer codes	6.27.	The selection of uncertain input parameters to be varied, and the ranges and probability distributions used are crucial for the reliability of results, since they strongly affect the width of the uncertainty bands of the results that is essential for engineering applications.
Interface between safety and security with regard to the use of the computer codes	6.28.	Uncertainty methods with ‘propagation of input uncertainties’ by using regression or correlation techniques from the sets of input parameters and from the corresponding output values also allow ranking of the uncertain input parameters in accordance with their contribution to output uncertainty. Such ranking indicates which of the parameters should be given the greatest attention. However, it should be taken into account that regression or correlation techniques might also give unclear or misleading results, especially when the response is not linear or when the cross-correlation effects are important.
Interface between safety and security with regard to the use of the computer codes	6.29.	The uncertainty in parameters associated with the results of a computer code may also be estimated based on expert judgement with the assistance of ‘phenomena identification and ranking tables’ for each event that is analysed. Each table should identify the most important phenomena for which the suitability of the code has to be assured, based to the extent possible on available data. The important parameters should be varied randomly in accordance with their respective probability distributions to estimate the overall uncertainty. The same process can be applied to evaluate the applicability of a computer code or a computational tool to simulate a selected event.
Interface between safety and security with regard to the use of the computer codes	7.1.	Deterministic safety analysis should address postulated initiating events and accident sequences corresponding to different plant states, and should follow general rules for the selection of acceptance criteria, use of computer codes, and suggested approaches for treatment of uncertainties and ensuring safety margins, as described in Sections 4–6.
Interface between safety and security with regard to the use of the computer codes	7.2.	Deterministic safety analysis should also be conducted following more specific guidance with regard to the objectives of the analysis, selection of acceptance criteria, consideration of availability of various plant systems, operator actions, treatment of uncertainties and other assumptions of the analysis for individual plant states, as described in this section. In deterministic safety analysis, credit should only be given to those structures, systems and components that meet the requirements associated with relevant plant states, with due consideration of their safety classification (see IAEA Safety Standards Series No. SSG-30, Safety Classification of Structures, Systems and Components in Nuclear Power Plants [20]).
Interface between safety and security with regard to the use of the computer codes	7.3.	Decisions on the level of conservatism in performing deterministic safety analysis should include consideration of the input data or assumptions on the following: Computer code models; Plant operating parameters; Control and limitation systems; Active safety systems; Passive safety systems; Safety features for design extension conditions; Operator actions.
Interface between safety and security with regard to the use of the computer codes	7.4.	Separate analyses of the source term should be carried out for each type of failure for which the phenomena that would affect the source term would be different. Typical types of accident include: Loss of coolant accidents with release of reactor coolant and fission products from the core to the containment; Accidents bypassing the containment or accidents taking place outside the containment, such as in the spent fuel pool; Accidents during manipulation of irradiated fuel; Accidental releases from the systems for treatment and storage of gaseous and liquid radioactive waste.
Interface between safety and security with regard to the use of the computer codes	7.5.	For many types of postulated accident, the important release of radionuclides would be from the reactor core into the reactor coolant system and subsequently into the containment. Evaluation of the source term should therefore include predicting the behaviour of the radionuclides through this route, until their release to the environment.
Specific objectives of the analysis	7.6.	Deterministic safety analyses of normal operation should use an iterative process to support the development of operational limits and conditions, and confirm their adequacy. These represent the limiting conditions of operation, expressed in terms of values of process variables, system requirements, or surveillance or testing requirements.
Specific objectives of the analysis	7.7.	The limits and conditions used in deterministic safety analyses of normal operation, such as those of the reactor power and coolant inventory, should include all important initial and boundary conditions that will subsequently be used in the analysis of anticipated operational occurrences, design basis accidents and design extension conditions.
Specific objectives of the analysis	7.8.	All modes of normal operation and relevant plant configurations covered by operational limits and conditions should be analysed, with particular attention paid to associated transients such as changes in reactor power, reactor shutdown from power operation, reactor startup, reactor cooling down, mid-loop operation and handling of fresh and irradiated fuel, including offloading of irradiated fuel from the reactor to the spent fuel pool and loading of fuel into the core.
Specific objectives of the analysis	7.9.	The deterministic safety analysis for normal operation should include an analysis of the radiological situation in the plant and an estimate of the releases of radioactive material to the environment. These are necessary inputs for determining radiation doses to workers at the plant, and to members of the public and non-human biota around the nuclear power plant. Owing to the complexity of radiological analysis, and in particular its strong dependence on the overall organization of the plant operation, the corresponding guidance is not provided in this Safety Guide (e.g. see GSG-10 [5] ).
Acceptance criteria	7.10.	The deterministic safety analysis should provide an assessment of whether normal operation of the plant can be carried out in such a way that plant parameter values do not exceed operational limits and conditions. The assessment of design in normal operation should verify that a reactor trip or initiation of the limiting and safety systems would be avoided in all transients, as defined by the operational limits and conditions, and taking account of all operating modes. Transitions from one operational state to another, as anticipated in operational guidelines, should also be taken into account.
Acceptance criteria	7.11.	The safety analysis for normal operation should include an analysis of the overall design and operation of the plant: to predict the radiation doses likely to be received by workers and members of the public; to assess that these doses are below dose limits (see Requirement 5 of SSR-2/1 (Rev. 1) [1] ); and to ensure that the principle that these doses should be as low as reasonably achievable has been satisfied. However, compliance with radiological acceptance criteria (see GSR Part 3 [4] and GSG-10 [5] ) is not covered in this Safety Guide.
Availability of systems	7.12.	Systems credited in deterministic analysis of normal operation should be limited to normal operation systems, including plant control systems. No other plant systems should be actuated during transients associated with normal operational modes.
Operator actions	7.13.	Planned operator actions performed in accordance with normal operating procedures should be credited in the analysis.
Analysis assumptions and treatment of uncertainties	7.14.	Analysis of normal operation should provide a realistic representation of plant behaviour. However, uncertainties with regard to system performance, including that of instrumentation and control and mechanical systems, should be considered in order to assess the adequacy of the available provisions.
Analysis assumptions and treatment of uncertainties	7.15.	The initial conditions considered should be representative of all expected and authorized plant modes, in accordance with the operational limits and conditions. Bounding values of parameters used should take into account the whole acceptable range of the parameters.
Analysis assumptions and treatment of uncertainties	7.16.	When there are uncertainties in making predictions of doses, conservative assumptions should be made. Detailed guidance in this area is beyond the scope of this Safety Guide.
Specific objectives of the analysis	7.17.	The main objective of the realistic analysis of anticipated operational occurrences is to verify that the plant’s operational systems (in particular control and limitation systems) can prevent a wide range of anticipated operational occurrences from evolving into accident conditions and that the plant can return to normal operation following an anticipated operational occurrence. The realistic analyses should aim at providing a response of the plant to the initiating event that is realistic.
Specific objectives of the analysis	7.18.	The anticipated operational occurrences category of postulated initiating events considered in the analysis should include all those that might be expected to occur during the lifetime of the plant. For many postulated initiating events, the control and limitation systems, in combination with inherent plant characteristics and operator actions, will compensate for the effects of the event without a reactor trip or other demands being placed on the safety systems. In such cases, operation can resume after rectification of the fault.
Specific objectives of the analysis	7.19.	Typically, anticipated operational occurrences should not lead to any unnecessary challenge to safety equipment primarily designed for protection in the event of design basis accidents. It is therefore advisable to demonstrate in the analysis that if the plant control and limitation systems operate as intended, they will be capable of preventing the need for actuation of the safety systems. However, it is recognized that some anticipated operational occurrences themselves require the actuation of safety systems.
Acceptance criteria	7.20.	The realistic analyses of anticipated operational occurrences should aim to demonstrate that no induced damage is caused to any of the physical barriers (fuel matrix, fuel cladding, and reactor coolant pressure boundary or containment) or the systems important to safety. In addition, they should aim to verify, as far as possible, that reactor trip and safety systems are not actuated.
Acceptance criteria	7.21.	The realistic analyses of anticipated operational occurrences may also aim to demonstrate that specific design criteria, more stringent than acceptance criteria for conservative analysis of anticipated operational occurrences, are fulfilled when control and limitation systems are available (e.g. no actuation of safety valves).
Acceptance criteria	7.22.	Failures of physical barriers are typically prevented by providing assurance (for light water reactors) that, with 95% probability at a 95% confidence level, there will be no boiling crisis or dry-out anywhere in the core, no fuel melting anywhere in the core and that the pressure in the reactor coolant system and main steam system will not significantly (i.e. by more than 10–15%) exceed the design value.
Acceptance criteria	7.23.	There should be negligible radiological impact beyond the immediate vicinity of the plant from any anticipated operational occurrence. The radiological acceptance criteria for doses and correspondingly for releases for each anticipated operational occurrence should be comparable with annual limits for normal operation and more restrictive than for design basis accidents. Acceptable effective dose limits are similar to those for normal operation.
Availability of systems	7.24.	For realistic analysis of anticipated operational occurrences, any system not affected by the postulated initiating event should be assumed to be available. The analysis should mostly rely on control and limitation systems in addition to inherent plant characteristics.
Operator actions	7.25.	Planned operator actions performed in accordance with operating procedures for normal and abnormal operation should be credited in the analysis. Typically, when correct operation of the control and limitation systems is assumed, there is no need for any operator action during the associated transient; otherwise, realistic estimates for operator action times should be used.
Analysis assumptions and treatment of uncertainties	7.26.	Realistic analysis of anticipated operational occurrences should be performed with a best estimate methodology covering the anticipated initial conditions of the plant that are considered in the determination of postulated initiating events. Normally, uncertainties are not considered in realistic analysis of anticipated operational occurrences. For operational considerations (such as analysis of plant reliability), treatment of uncertainties may be applied to the control and limitation systems.
Specific objectives of the analysis	7.27.	Paragraph 5.26 of SSR-2/1 (Rev. 1) [1] requires that “design basis accidents shall be analysed in a conservative manner.” One of the conservative methods¹² (Options 1–3 from Table 1, Section 2) should therefore be used; realistic analysis should not be applied for design basis accidents. The conservative analysis of anticipated operational occurrences and design basis accidents should demonstrate that the safety systems alone in the short term, along with operator actions in the long term, are capable of achieving a safe state by fulfilling the following safety conditions: Shut down the reactor and achieve subcritical condition during and after anticipated operational occurrences or design basis accident conditions; Remove residual heat from the core after reactor shutdown from all anticipated operational occurrences or design basis accident conditions; Reduce the potential for the release of radioactive material and ensure that any releases are below acceptable limits during anticipated operational occurrences and design basis accident conditions.
Specific objectives of the analysis	7.28.	The safety analysis should demonstrate that the acceptance criteria relevant to the applicable events are met. In particular, it should be demonstrated that some or all of the barriers to the release of radioactive material from the plant will maintain their integrity to the extent required.
Specific objectives of the analysis	7.29.	The safety analysis should establish the performance characteristics and set points of the safety systems and operating procedures to ensure that the fundamental safety functions are always maintained. The analysis provides the basis for the design of the reactivity control systems, the reactor coolant system and the engineered safety features (e.g. the emergency core cooling systems and the containment heat removal systems).
Acceptance criteria	7.30.	For conservative analysis of anticipated operational occurrences, the technical acceptance criteria relating to fuel integrity and radiological acceptance criteria should, in principle, be the same as for realistic analysis of anticipated operational occurrences.
Acceptance criteria	7.31.	There should be no, or only minor, radiological impact beyond the immediate vicinity of the plant as a result of anticipated operational occurrences or design basis accidents, without the need for any off-site protective actions. The definition of minor radiological impact should be set by the regulatory body, but acceptable limits of effective dose for members of the public beyond the immediate vicinity of the plant are typically in the order of a few millisieverts per event.
Acceptance criteria	7.32.	Specific technical acceptance criteria should be defined such that their fulfilment allows demonstration that the three fundamental safety functions can be ensured in any condition and that, in anticipated operational occurrences or design basis accidents, some or all of the barriers are able to limit the releases of radioactive material to the environment.
Acceptance criteria	7.33.	The technical acceptance criteria should typically include the following: An event should not generate a more serious plant condition without the occurrence of a further independent failure (in addition to any single failure assumed to meet the single failure criterion). Thus, an anticipated operational occurrence by itself should not generate a design basis accident, and a design basis accident should not generate a design extension condition. There should be no consequential loss of the overall function of the safety systems necessary to mitigate the consequences of an accident, although a safety system may be partially affected by the postulated initiating event. Systems used for accident mitigation should withstand the maximum loads, stresses and environmental conditions for the accidents analysed. This should be demonstrated by separate analyses covering environmental conditions and ageing (e.g. temperature, humidity, radiation or chemical environment), and thermal and mechanical loads on plant structures and components. The margins considered in the design for given loads should be commensurate with the probability of the loads. The pressure in the reactor and main steam systems should not exceed the relevant design limits for the existing plant conditions, in accordance with the overpressure protection rules. Additional overpressure analysis may be necessary to study the influence of the plant conditions on safety and relief valves. The number of fuel cladding failures should be limited for each type of postulated initiating event to allow the global radiological criteria to be met and to limit the level of radiation to below that used for equipment qualification. In design basis accidents with fuel uncovering and heating up, a coolable geometry and the structural integrity of the fuel assemblies (light water reactors) should be maintained. No event should cause the temperature, pressure or pressure differences between containment compartments to exceed values which have been used as the design basis for the containment. Subcriticality of nuclear fuel in the reactor after shutdown, in fresh fuel storage and in the spent fuel pool should be maintained. Temporary returns to criticality (e.g. steam line break in pressurized water reactors) may be acceptable for certain events and plant operating modes, provided that criteria for sufficient cooling of the fuel continue to be met. There should be no initiation of a brittle fracture or ductile failure from a postulated defect of the reactor pressure vessel during the plant design life for any postulated design basis accident. Internal reactor components should withstand dynamic loads during design basis accidents so that safe shutdown of the reactor, reactor subcriticality and sufficient reactor core cooling are maintained.
Acceptance criteria	7.34.	For postulated initiating events occurring when the integrity of any of the barriers is missing or degraded (such as situations with an open reactor, open containment or an event initiated in the spent fuel pool), more restrictive acceptance criteria (e.g. avoiding coolant boiling or fuel uncovering) should be used.
Availability of systems	7.35.	The conservative assumptions to be made in the analysis about the availability of plant systems should typically include the following: Normal operation systems that are in operation at the beginning of the postulated initiating event, and that are not affected by the initiating event itself and by its consequences, continue to operate. Any control or limitation systems start operating only if their functioning would aggravate the effects of the initiating event. No credit should be taken for the operation of the control systems in mitigating the effects of the initiating event. Safety systems designed and maintained as safety grade (in accordance with the rules for quality assurance, periodic testing, use of accepted design codes and equipment qualification) operate with conservative performance (see para. 7.42). In accordance with the single failure criterion, a single component failure should be assumed to occur in the operation of the safety groups required for the initiating event, in addition to the initiating failure and any consequential failures. Depending on the selected acceptance criterion, the single failure should be postulated in a system or component that leads to the greatest challenge to the safety systems. Safety features specifically designed for design extension conditions should not be credited in the analysis.
Availability of systems	7.36.	If maintenance is allowed, the unavailability of the concerned train of the safety system should be taken into account.
Operator actions	7.37.	For conservative safety analysis, credit should not be taken for operator diagnosis of the event and for initiating the necessary actions until after a conservatively specified time. The timing assumed in an analysis should be justified and validated for the specific reactor design; for example, the minimum specified time may be 30 minutes for control room actions or 60 minutes for field actions.
Operator actions	7.38.	Correct actions of plant staff to prevent an accident or mitigate its consequences should only be taken into account in the analysis if it can be shown that the event sequence and the plant specific boundary conditions allow for carrying out the assumed actions. The conditions to be considered include the overall context in which the event sequence takes place, the working environment in the control places, written procedures, and the relevant staff’s training status and access to necessary information.
Operator actions	7.39.	In accordance with the practice in some States, an additional operator error during performance of recovery actions may be considered as a single failure.
Analysis assumptions and treatment of uncertainties	7.40.	The conservative assumptions used for the analysis of anticipated operational occurrences and design basis accidents should take account of uncertainties in the initial conditions and boundary conditions, in the availability of the plant systems and in operator actions. The general rules specified in Section 6 should be applied in full for these categories of plant state. The aim is to demonstrate with a high level of confidence that there are significant margins to the safety limits.
Analysis assumptions and treatment of uncertainties	7.41.	Conservative analysis of anticipated operational occurrences should include the same conservative assumptions as used for the deterministic analysis of design basis accidents, especially those assumptions about the systems for maintaining safety functions during these postulated initiating events.
Analysis assumptions and treatment of uncertainties	7.42.	If a conservative or combined methodology is applied, the safety systems should be assumed to operate at their minimum or maximum performance levels, whichever is conservative for a given acceptance criterion. For reactor trip and safety system actuation systems, it should be assumed that the initiating action occurs at the worst end of the possible range of conditions. If a best estimate plus uncertainty methodology is applied, uncertainties on safety systems performances are included in the overall uncertainty analysis.
Analysis assumptions and treatment of uncertainties	7.43.	In addition to the postulated initiating event itself, a loss of off-site power may be considered as an additional conservative assumption. If such a loss is considered as an additional failure, it may be assumed to occur at a time that has the most negative effect for the barrier integrity; in this case, some acceptance criteria should be adapted, taking into account the probability of this combination.
Analysis assumptions and treatment of uncertainties	7.44.	In line with the general rules for deterministic safety analysis, the source term evaluation for anticipated operational occurrences and design basis accidents should take into account all significant physical processes occurring during an accident and use conservative values of initial data and coefficients on a plant specific basis.
Specific objectives of the analysis	7.45.	The objective of the safety analysis of design extension conditions without significant fuel degradation is to demonstrate that core melt can be prevented with an adequate level of confidence and that there is an adequate margin to avoid any cliff edge effects.
Acceptance criteria	7.46.	Acceptance criteria for design extension conditions should meet the requirement established in para. 5.31A of SSR-2/1 (Rev. 1) [1], namely:
Availability of systems	7.47.	In general, only systems shown to be operable for this category of design extension conditions should be credited in the analysis.
Availability of systems	7.48.	Safety systems that are not affected by the failures assumed in the design extension conditions without significant fuel degradation sequence may be credited in the analysis. Special attention should be paid to other factors affecting safety systems (e.g. sump screen blockage) and support systems (e.g. electrical, ventilation and cooling) when assessing the independence of safety systems with regard to the postulated failures (e.g. internal flooding).
Availability of systems	7.49.	For design extension conditions without significant fuel degradation, the single failure criterion does not need to be applied. Furthermore, the unavailability of safety features for this category of design extension conditions due to maintenance may not need to be considered.
Availability of systems	7.50.	To ensure independence between the levels of defence in depth, the normal operation systems, including control and limitation systems, should not be credited in analysis of design extension conditions without significant fuel degradation. This is because: One given sequence is potentially intended to cover several kinds of postulated initiating event, and it may be difficult to demonstrate that the operational system is always available considering both the origin of the postulated initiating event and the multiple failures. The sequences often create degraded ambient conditions and the systems credited in the analysis should be adequately qualified for such conditions.
Availability of systems	7.51.	Non-permanent equipment should not be considered in demonstrating the adequacy of the nuclear power plant design. Such equipment is typically considered to operate for long term sequences and is assumed to be available in accordance with the emergency operating procedures or accident management guidelines. The time claimed for the availability of non-permanent equipment should be justified.¹³
Operator actions	7.52.	Best estimate assumptions may be used regarding operator actions for the analysis of design extension conditions. However, some conservative assumptions, as described for design basis accidents, may be used to the extent practicable.
Analysis assumptions and treatment of uncertainties	7.53.	The requirements on the selection, validation and use of computer codes specified for design basis accidents should apply in principle for analysis of design extension conditions without significant fuel degradation.
Analysis assumptions and treatment of uncertainties	7.54.	For design extension conditions without significant fuel degradation, in principle the combined approach or the best estimate approach with quantification of uncertainties (best estimate plus uncertainty), as applicable for design basis accidents, may be used. However, in line with the general rules for analysis of design extension conditions, best estimate analysis without a quantification of uncertainties may also be used, subject to consideration of the caveats and conditions indicated in paras 7.55 and 7.67.
Analysis assumptions and treatment of uncertainties	7.55.	When best estimate analysis is performed, the margins to avoid cliff edge effects should be demonstrated to be adequate. This may be done, for example, by means of sensitivity analysis demonstrating, to the extent practicable that when more conservative assumptions are made about dominant parameters, there are still margins to the loss of integrity of physical barriers.
Specific objectives of the analysis	7.56.	The analysis of severe accidents should identify the bounding plant parameters resulting from the postulated core melting sequences, and demonstrate that: The plant can be brought into a state in which the containment functions can be maintained in the long term; The plant structures, systems and components (e.g. the containment) and procedures are capable of preventing a large radioactive release or an early radioactive release, including containment bypass; Control locations remain habitable to allow performance of required staff actions; Planned severe accident management measures are effective.
Specific objectives of the analysis	7.57.	The safety analysis of severe accidents should demonstrate that compliance with the acceptance criteria is achieved by features implemented in the design, combined with implementation of procedures or guidelines for accident management.
Acceptance criteria	7.58.	Radiological acceptance criteria in terms of doses to members of the public (or releases to the environment) used for analysis of severe accidents should represent levels such that only off-site protective actions that are limited in terms of lengths of time and areas of application are necessary, and that there is sufficient time for their implementation early enough for them to be effective.
Acceptance criteria	7.59.	Technical acceptance criteria should represent conditions such that the integrity of the containment is maintained. Examples of acceptance criteria for analysis of design extension conditions include limitation of the containment pressure, containment water level, temperature and flammable gas concentrations, and stabilization of molten corium.
Acceptance criteria	7.60.	On-site radiological acceptance criteria should ensure the habitability of the control locations (i.e. the control room, supplementary control room, and other emergency response facilities and locations) and the areas used to move between them. In particular, the radiation levels (e.g. ambient dose rates and activity concentrations in the air) in the control locations of the site should allow for adequate protection of their occupants, such as emergency workers, consistent with Requirements 11 and 24 of GSR Part 7 [8].
Availability of systems	7.61.	Safety systems should not be credited in the analysis of severe accidents unless it is shown with reasonable confidence that: Their failure is not part of any scenario that the severe accident sequence is meant to cover; The equipment will survive realistic severe accident conditions for the period that is necessary to perform its intended function.
Availability of systems	7.62.	Consideration of the availability of equipment assumed to operate under severe accident conditions should include: The circumstances of the applicable initiating event, including those resulting from external hazards (e.g. station blackout and earthquakes); The environment (e.g. pressure, temperature and radiation) and time period for which the equipment is needed.
Availability of systems	7.63.	For design extension conditions with core melting, the single failure criterion does not need to be applied. Furthermore, the unavailability of a system or component due to maintenance does not need to be considered in the deterministic safety analysis. Appropriate rules should be defined for testing and maintenance of systems or components necessary for design extension conditions to ensure their availability.
Availability of systems	7.64.	Non-permanent equipment should not be considered in demonstrating the adequacy of the nuclear power plant design. For some design extension conditions, such equipment is typically considered to operate for long term sequences and is assumed to be available in accordance with the emergency operating procedures or accident management guidelines. The time claimed for the availability of non-permanent equipment should be justified.¹⁴
Operator actions	7.65.	The same assumptions made about operator actions should be considered as for design extension conditions with core melting as for those without significant fuel degradation (see para. 7.52).
Analysis assumptions and treatment of uncertainties	7.66.	The severe accident analysis should model (in addition to neutronic and thermohydraulic phenomena occurring in conditions without core melting) the wide range of physical processes that could occur following core damage and that could lead to a release of radioactive material to the environment. These should include, where appropriate: Core degradation processes and fuel melting; Fuel–coolant interactions (including steam explosions); In-vessel melt retention; Vessel melt-through; Direct containment heating; Distribution of heat within the primary circuit; Generation, control and combustion of hydrogen; Failure or bypass of the containment; Corium–concrete interaction; Release and transport of fission products, including venting to prevent overpressure in the containment; Ability to cool in-vessel core melt and ex-vessel core melt.
Analysis assumptions and treatment of uncertainties	7.67.	Analysis of severe accidents should be performed using a realistic approach (Option 4 in Table 1, Section 2) to the extent practicable. Since explicit quantification of uncertainties may be impractical due to the complexity of the phenomena and insufficient experimental data, sensitivity analyses should be performed to demonstrate the robustness of the results and the conclusions of the severe accident analyses.
Analysis assumptions and treatment of uncertainties	7.68.	Paragraph 5.31 of SSR-2/1 (Rev. 1) [1] states that “The design shall be such that the possibility of conditions arising that could lead to an early radioactive release or a large radioactive release is ‘practically eliminated’”. The regulatory body may establish more specific rules describing acceptable ways to demonstrate ‘practical elimination’.
Analysis assumptions and treatment of uncertainties	7.69.	The demonstration of ‘practical elimination’ of the possibility of conditions arising that could lead to an early radioactive release or a large radioactive release include deterministic considerations and engineering aspects, such as design, fabrication, testing and inspection of structures, systems and components, and evaluation of operating experience, supplemented by probabilistic considerations, taking into account the uncertainties due to the limited knowledge of some physical phenomena.
Analysis assumptions and treatment of uncertainties	7.70.	Demonstration of ‘practical elimination’ of the possibility of conditions arising that could lead to an early radioactive release or a large radioactive release should include, where appropriate, the following steps: Identification of conditions that potentially endanger the integrity of the containment or allow bypassing of the containment, resulting in an early radioactive release or a large radioactive release. Implementation of design and operational provisions in order to ‘practically eliminate’ the possibility of those conditions arising. The design of these provisions should include sufficient margins to cope with uncertainties. Final confirmation of the adequacy of the provisions by deterministic safety analysis, complemented by probabilistic safety assessment and engineering judgement.
Analysis assumptions and treatment of uncertainties	7.71.	Although probabilistic targets can be set, demonstration of the ‘practical elimination’ of conditions arising that could lead to an early radioactive release or a large radioactive release should not be based solely on low probability values. Such event sequences should be deterministically defined and their ‘practical elimination’ should be demonstrated based on the performance of safety features making the event sequences extremely unlikely to arise.
Analysis assumptions and treatment of uncertainties	7.72.	Where a claim is made that the conditions potentially resulting in an early radioactive release or a large radioactive release are physically impossible, it is necessary to examine the inherent safety characteristics of the system to demonstrate that the conditions cannot, by the laws of nature, occur and that the fundamental safety functions — control of reactivity, removal of heat and confinement of radioactive material, including limitation of accidental radioactive releases (see Requirement 4 of SSR-2/1 (Rev. 1) [1]) — will be achieved. In practice this approach is limited to very specific cases. An example of its use may be for uncontrolled reactivity accidents for which the main protection is provided by ensuring a negative reactivity coefficient with all possible combinations of the reactor power and coolant pressure and temperature.
Analysis assumptions and treatment of uncertainties	8.1.	Paragraph 4.62 of GSR Part 4 (Rev. 1) [2] states that “The results and findings of the safety assessment shall be documented, as appropriate, in the form of a safety report that reflects the complexity of the facility or activity and the radiation risks associated with it.” Paragraph 4.64 of GSR Part 4 (Rev. 1) [2] states that “The safety report shall document the safety assessment in sufficient scope and detail to support the conclusions reached and to provide an adequate input into independent verification and regulatory review.”
Analysis assumptions and treatment of uncertainties	8.2.	While the safety report itself should be sufficiently comprehensive for these purposes, there are typically other documents, which may include a description and the results of the deterministic safety analysis, that are used as supporting information to independent verification or regulatory review. Similar rules to those for the safety report should apply to all documentation of deterministic safety analysis intended for submission to the regulatory body.
Analysis assumptions and treatment of uncertainties	8.3.	The safety report should provide a list of all plant states considered in the deterministic safety analysis, appropriately grouped in accordance with their frequencies and the specific challenges to the integrity of physical barriers against releases of radioactive material that are addressed. The selection of the bounding scenarios in each group should be justified. ‘Practical elimination’ of the possibility of conditions arising that could lead to an early radioactive release or a large radioactive release should be demonstrated.
Analysis assumptions and treatment of uncertainties	8.4.	A set of the most important plant data used for the development of plant models (effectively the ‘database for deterministic safety analysis’), and considered necessary for independent verification or evaluation of the deterministic safety analysis performed, should be provided in a separate part of the safety report or in a separate document. Such data should include information on geometry, thermal and hydraulic parameters, material properties, characteristics of the control system and set points, and the range of uncertainties in plant instrumentation devices, and should include relevant drawings and other graphical documentation. If these data are not sufficiently documented and justified in the safety report itself, other reliable data sources used for the preparation of the plant models should be clearly identified and referenced in the safety report.
Analysis assumptions and treatment of uncertainties	8.5.	A brief description of the computer codes used in the deterministic safety analysis should be provided. In addition to a reference to the specific code documentation, the description should include a justification that the code is adequate for the given purpose, and has been verified and validated by the user (see paras 5.14–5.39).
Analysis assumptions and treatment of uncertainties	8.6.	Depending on the phenomena modelled and other characteristics of each analysed scenario, a relevant acceptance criterion or set of criteria should be selected for each scenario and presented together with the safety analysis of that scenario, with a clear specification of the conditions for applicability of the criteria (see Section 4).
Analysis assumptions and treatment of uncertainties	8.7.	The simulation models and the main assumptions used in the analysis for demonstrating compliance with each specific acceptance criterion should be described in detail, including the scope of validation of the model. Different approaches that may have been used for each plant state should be described (see Section 6).
Analysis assumptions and treatment of uncertainties	8.8.	If the deterministic analysis involves using different computer codes in sequence, the transfer of data between the different stages of accident analysis and/or computer codes used in the sequence should be clearly described in order to provide for traceability of calculations as a necessary condition for independent verification, understanding and acceptance of the results.
Analysis assumptions and treatment of uncertainties	8.9.	The time span covered by any scenario analysed and presented should extend up to the moment when the plant reaches a safe and stable end state (although not all sensitivity calculations need necessarily be presented over the full timescale). What is meant by a safe and stable end state should be defined. Typically, it is assumed that a safe and stable end state is achieved when the core is covered and long term heat removal from both the core and the containment is achieved, and the core is, and will remain, subcritical by a given margin.
Analysis assumptions and treatment of uncertainties	8.10.	The documentation of the results of the deterministic safety analysis should be structured and presented in an appropriate format in such a way as to provide a clear description and interpretation of the course of the accident. A standardized format may be adopted for similar analyses to facilitate interpretation and intercomparison of the results.
Analysis assumptions and treatment of uncertainties	8.11.	The documentation of the results of the deterministic safety analysis should typically include the following information: A chronological description of the main events as they have been calculated; A description and evaluation of the accident on the basis of the parameters selected; Figures showing plots of the main parameters calculated; Conclusions on the acceptability of the level of safety achieved and a statement on compliance with all relevant acceptance criteria, including the adequacy of margins; Results of sensitivity analyses, as appropriate.
Analysis assumptions and treatment of uncertainties	8.12.	Documentation of deterministic safety analysis should be subject to relevant quality assurance procedures and quality control [12–14].
Analysis assumptions and treatment of uncertainties	8.13.	More detailed information about documentation of deterministic safety analysis to be included in different parts of the safety analysis report can be found in IAEA Safety Standards Series No. SSG-61, Format and Content of the Safety Analysis Report for Nuclear Power Plants [21].
Sensitive information in documentation	8.14.	Sensitive information included in reports describing deterministic safety analysis the unauthorized disclosure of which could compromise nuclear security should be identified and appropriately protected. This may include, but is not limited to, information about identification and categorization of postulated initiating events and results from deterministic safety analysis conducted. Such information should be protected in accordance with guidance on information security [6].
Sensitive information in documentation	8.15.	In accordance with the requirement established in para. 5.10 of GSR Part 4 (Rev. 1) [2], deterministic safety analysis used in the licensing process should be periodically updated to take into account changes in nuclear power plant configuration, characteristics of plant systems and components, operating parameters, plant procedures, research findings, and advances in knowledge and understanding of physical phenomena, including changes in computer codes, with potentially significant effects on the results of the analysis.
Sensitive information in documentation	8.16.	In addition to periodic updates, the safety analysis should be updated following any discovery of information that may reveal a hazard that is different in nature, greater in probability or greater in magnitude than was previously assumed.
Sensitive information in documentation	8.17.	In such cases, the safety analysis should be reassessed to ensure that it remains valid and meets the objectives set for the analysis. The results should be assessed against the current requirements relevant for deterministic safety analysis, applicable experimental data, expert judgement and comparison with similar analyses.
Sensitive information in documentation	8.18.	The outcomes of the reassessment, including new deterministic safety analyses, if necessary, should be reflected in the updated safety analysis report with a level of documentation commensurate with the extent of the changes and the associated impacts.
Sensitive information in documentation	9.1.	Requirement 21 of GSR Part 4 (Rev. 1) [2] states that “The operating organization shall carry out an independent verification of the safety assessment before it is used by the operating organization or submitted to the regulatory body.” The objective and scope of such independent verification are further described in paras 4.66–4.71 of GSR Part 4 (Rev. 1) [2].
Sensitive information in documentation	9.2.	The main purpose of the independent verification of safety analysis by the licensee (the operating organization) is to confirm that the safety analysis, and particularly parts developed by other groups or organizations, such as designers, manufacturers and constructors, has been carried out in an acceptable way and satisfies the applicable safety requirements. As a minimum, it should be verified by the licensee that the design will comply with the relevant regulatory requirements and that acceptance criteria are met, in accordance with the licensee’s prime responsibility for safety.
Sensitive information in documentation	9.3.	Among the responsibilities set out in para. 3.6 of IAEA Safety Standards Series No. SF-1, Fundamental Safety Principles [22], the licensee is responsible for “Verifying appropriate design and the adequate quality of facilities and activities and of their associated equipment”. The adequacy of the design should be demonstrated by means of safety assessment.
Sensitive information in documentation	9.4.	Paragraph 4.13 of GSR Part 4 (Rev. 1) [2] makes clear that safety analysis is an essential component of safety assessment. The relevant requirements of GSR Part 4 (Rev. 1) [2] therefore apply fully to deterministic safety analysis performed as an essential part of the safety assessment.
Sensitive information in documentation	9.5.	Throughout the design process, the safety analysis and independent verification are carried out by different groups or organizations. They are integral parts of an iterative design process with the objective of ensuring that the plant meets the safety requirements. However, the independent verification should be carried out by, or on behalf of, the operating organization and should only relate to the design as submitted to the regulatory body for approval.
Sensitive information in documentation	9.6.	In accordance with para. 4.67 of GSR Part 4 (Rev. 1) [2], the operating organization should ensure that independent verification of the deterministic safety analysis is performed by suitably qualified and experienced individuals or a group different from those who carried out the original safety analysis, before it is submitted to the regulatory body. The operating organization is fully responsible for the independent verification even if parts of the work are delegated to separate organizations.
Sensitive information in documentation	9.7.	Personnel performing independent verification are considered independent if they have not participated in the original safety analysis. Special attention should be paid to the independence of the verification team if it is established in the same design organization or another closely associated organization. Use of a fully independent organization should be the preferred solution.
Sensitive information in documentation	9.8.	The group performing the independent verification may take into account any quality assurance reviews which have previously been conducted in determining the extent and scope of its verification.
Sensitive information in documentation	9.9.	Special attention should be paid to independent verification of the safety analysis for nuclear power plants of older designs constructed to less rigorous standards, and of evolutionary or innovative designs using novel design solutions.
Sensitive information in documentation	9.10.	The conduct of the independent verification may follow the methods of the original safety analysis. However, the scope of the independent verification could be narrower, focusing on the most significant safety issues and requirements rather than on all of them. Paragraph 4.68 of GSR Part 4 (Rev. 1) [2] requires that “The decisions made on the scope and level of detail of the independent verification shall be reviewed in the independent verification itself”.
Sensitive information in documentation	9.11.	While the verification may be conveniently subdivided into phases that are performed at different significant stages of the design, a final independent verification of the safety assessment should always be performed by the operating organization when the design has been finalized.
Sensitive information in documentation	9.12.	Independent verification usually addresses the stages before the beginning of plant construction and focuses on the safety analysis originally performed by the design organization. The same approach should, however, be applied to other subsequent verification activities.
Sensitive information in documentation	9.13.	Any findings, recommendations and general conclusions from the independent verification should be justified using one of the following methods, as appropriate: Comparison with requirements of the law, regulations or other legal requirements; Comparison with guidance from the regulatory body; Comparison with IAEA safety standards or guidance; Comparison with similar projects; Use of general experience from previous projects; Independent verification calculations.
Sensitive information in documentation	9.14.	The reliability of all numerical models used in safety analysis should be shown through comparisons, independent analyses and qualification, with the aim of demonstrating that their intrinsic uncertainty level complies with the reliability required for the whole design project.
Sensitive information in documentation	9.15.	In accordance with para. 4.69 of GSR Part 4 (Rev. 1) [2], the independent verification should consist of two main parts: an overall (qualitative) review focused on the quality and comprehensiveness of the safety analysis; and specific detailed reviews of important aspects of the analysis, which may include a comparison of the results of submitted analyses with the results of new, independent calculations. The components of verification should include, as appropriate, the following: Compliance with the requirements of reference documents (see para. 9.13); Completeness of the documentation; Correctness of input data; Selection of initiating events or accident scenarios; Selection of acceptance criteria; Selection of the safety analysis method; Selection of safety analysis computer codes and adequacy of code validation; Selection of assumptions for ensuring safety margins; Adequacy of the description and evaluation of the analysis results.
Sensitive information in documentation	9.16.	An independent check of selected computer calculations should be conducted to verify that they are correct. If sufficient verification and validation of the original computer code have not been performed, then a different code should be used to verify the accuracy of the computer calculations. Use of different computer codes for independent verification is preferred, but use of the same codes may meet the objectives of the review if the plant models (including nodalization, initial and boundary conditions) are developed independently.
Sensitive information in documentation	9.17.	If independent calculations are performed, it may be appropriate to select at least one case from each group of initiating events, typically the case with the smallest margin with regard to the acceptance criterion. However, it should be taken into account that independent calculation is a time and resource demanding task.
Sensitive information in documentation	9.18.	Typically, the independent safety verification of deterministic safety analysis should confirm that: The safety analysis was performed in accordance with relevant regulations, safety standards and other relevant guidance. The selected postulated initiating events or accident scenarios reflect specific features of the given design and bound the other cases. The combination of individual events and identification of consequential failures was performed adequately. The computer codes used in safety analysis have been adequately verified and validated for the given application. The computational models reflect experience and applicable guidance for their development, and are appropriate for reliable prediction of operational states and accident conditions. The assumptions and data used in each analysis have been specified in an adequate way to demonstrate that the relevant acceptance criteria have been met and there are sufficient margins to prevent cliff edge effects. Adequate sensitivity calculations or uncertainty evaluations are available in order to ensure that the demonstration of safety by safety analysis is sufficiently robust. Consideration of the operability of plant systems in different plant states was in accordance with established rules for deterministic safety analysis and consistent with industrial standards. Compliance with the relevant acceptance criteria was achieved either by means of automatic systems, or personnel actions were assumed only in cases where contextual boundary conditions for diagnosis, decision and performing the required action were available. Independent calculations are in reasonable qualitative and quantitative agreement with the original analysis, and both demonstrate that the relevant acceptance criteria are met. Any discrepancies found in the safety analysis are clearly understood and explained, and do not call into question conclusions with regard to the acceptability of the design.
Sensitive information in documentation	9.19.	The independent verification and its results should preferably be documented in a separate verification report which describes the scope, level of detail and methodology of the verification, and the findings and conclusions from the qualitative and quantitative evaluation, including detailed comments on individual parts of the safety assessment and the results of independent calculations.
Sensitive information in documentation	9.20.	The plant design models and data essential for the safety analysis should be kept up to date during the design phase and throughout the lifetime of the plant. This should be the responsibility of the designer during the design phase and of the operating organization over the lifetime of the plant. It is advisable to maintain relevant documents or databases centrally to ensure that the same information is used by all assessors, authors and reviewers.
Sensitive information in documentation	9.21.	In relation to the sharing of plant data, information on models and other know-how between assessors, authors and reviewers, and proprietary rights should be addressed through appropriate confidentiality undertakings. INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. SSR-2/1 (Rev. 1), IAEA, Vienna (2016). INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment for Facilities and Activities, IAEA Safety Standards Series No. GSR Part 4 (Rev. 1), IAEA, Vienna (2016). INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Safety Glossary: Terminology Used in Nuclear Safety and Radiation Protection, 2018 Edition, IAEA, Vienna (2019). EUROPEAN COMMISSION, FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL LABOUR ORGANIZATION, OECD NUCLEAR ENERGY AGENCY, PAN AMERICAN HEALTH ORGANIZATION, UNITED NATIONS ENVIRONMENT PROGRAMME, WORLD HEALTH ORGANIZATION, Radiation Protection and Safety of Radiation Sources: International Basic Safety Standards, IAEA Safety Standards Series No. GSR Part 3, IAEA, Vienna (2014). INTERNATIONAL ATOMIC ENERGY AGENCY, UNITED NATIONS ENVIRONMENT PROGRAMME, Prospective Radiological Environmental Impact Assessment for Facilities and Activities, IAEA Safety Standards Series No. GSG-10, IAEA, Vienna (2018). INTERNATIONAL ATOMIC ENERGY AGENCY, Security of Nuclear Information, IAEA Nuclear Security Series No. 23-G, IAEA, Vienna (2015). INTERNATIONAL ATOMIC ENERGY AGENCY, Best Estimate Safety Analysis for Nuclear Power Plants: Uncertainty Evaluation, Safety Reports Series No. 52, IAEA, Vienna (2008). FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL CIVIL AVIATION ORGANIZATION, INTERNATIONAL LABOUR ORGANIZATION, INTERNATIONAL MARITIME ORGANIZATION, INTERPOL, OECD NUCLEAR ENERGY AGENCY, PAN AMERICAN HEALTH ORGANIZATION, PREPARATORY COMMISSION FOR THE COMPREHENSIVE NUCLEAR-TEST-BAN TREATY ORGANIZATION, UNITED NATIONS ENVIRONMENT PROGRAMME, UNITED NATIONS OFFICE FOR THE COORDINATION OF HUMANITARIAN AFFAIRS, WORLD HEALTH ORGANIZATION, WORLD METEOROLOGICAL ORGANIZATION, Preparedness and Response for a Nuclear or Radiological Emergency, IAEA Safety Standards Series No. GSR Part 7, IAEA, Vienna (2015). FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL LABOUR OFFICE, PAN AMERICAN HEALTH ORGANIZATION, UNITED NATIONS OFFICE FOR THE COORDINATION OF HUMANITARIAN AFFAIRS, WORLD HEALTH ORGANIZATION, Arrangements for Preparedness for a Nuclear or Radiological Emergency, IAEA Safety Standards Series No. GS-G-2.1, IAEA, Vienna (2007). FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL LABOUR OFFICE, PAN AMERICAN HEALTH ORGANIZATION, WORLD HEALTH ORGANIZATION, Criteria for Use in Preparedness and Response for a Nuclear or Radiological Emergency, IAEA Safety Standards Series No. GSG-2, IAEA, Vienna (2011). INTERNATIONAL ATOMIC ENERGY AGENCY, Accident Management Programmes for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-54, IAEA, Vienna (2019). INTERNATIONAL ATOMIC ENERGY AGENCY, Application of the Management System for Facilities and Activities, IAEA Safety Standards Series No. GS-G-3.1, IAEA, Vienna (2006). INTERNATIONAL ATOMIC ENERGY AGENCY, The Management System for Nuclear Installations, IAEA Safety Standards Series No. GS-G-3.5, IAEA, Vienna (2009). INTERNATIONAL ATOMIC ENERGY AGENCY, Leadership and Management for Safety, IAEA Safety Standards Series No. GSR Part 2, IAEA, Vienna (2016). INTERNATIONAL ATOMIC ENERGY AGENCY, Site Evaluation for Nuclear Installations, IAEA Safety Standards Series No. SSR-1, IAEA, Vienna (2019). INTERNATIONAL ATOMIC ENERGY AGENCY, External Events Excluding Earthquakes in the Design of Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.5, IAEA, Vienna (2003). INTERNATIONAL ATOMIC ENERGY AGENCY, Protection against Internal Fires and Explosions in the Design of Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.7, IAEA, Vienna (2004). (A revision of this publication is in preparation.) INTERNATIONAL ATOMIC ENERGY AGENCY, Protection against Internal Hazards other than Fires and Explosions in the Design of Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.11, IAEA, Vienna (2004). (A revision of this publication is in preparation.) INTERNATIONAL ATOMIC ENERGY AGENCY, Computer Security at Nuclear Facilities, IAEA Nuclear Security Series No. 17, IAEA, Vienna (2011). INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Classification of Structures, Systems and Components in Nuclear Power Plants, IAEA Safety Standards Series No. SSG-30, IAEA, Vienna (2014). INTERNATIONAL ATOMIC ENERGY AGENCY, Format and Content of the Safety Analysis Report for Nuclear Power Plants, IAEA Safety Standards Series No. SSG-61, IAEA, Vienna (in preparation). EUROPEAN ATOMIC ENERGY COMMUNITY, FOOD AND AGRICULTURE ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL LABOUR ORGANIZATION, INTERNATIONAL MARITIME ORGANIZATION, OECD NUCLEAR ENERGY AGENCY, PAN AMERICAN HEALTH ORGANIZATION, UNITED NATIONS ENVIRONMENT PROGRAMME, WORLD HEALTH ORGANIZATION, Fundamental Safety Principles, IAEA Safety Standards Series No. SF-1, IAEA, Vienna (2006).
Sensitive information in documentation	I–1.	Deterministic safety analysis may be carried out for a number of applications, including: Design of nuclear power plants by the designer, or verification of the design by the operating organization; Safety analysis for licensing purposes (for authorizations), including authorizations for different stages for a new plant; Independent verification of the safety analysis by the regulatory body; Updating of safety analyses in the context of a periodic safety review to provide assurance that the original assessments and conclusions are still valid; Safety analysis of plant modifications; Analysis of actual operational events, or of combinations of such events with other hypothetical faults exceeding the limits of normal operation (analysis of near misses); Development and validation of emergency operating procedures; Development of severe accident management guidelines; Demonstration of success criteria and development of accident sequences in Level 1 and Level 2 probabilistic safety assessments.
Sensitive information in documentation	I–2.	Deterministic safety analysis associated with the design and authorization (licensing) of a nuclear power plant (para. I–1(a)–(e)) may be performed to demonstrate compliance with established acceptance criteria with adequate safety margins (ensured in different ways for design basis accidents and design extension conditions). Deterministic safety analysis associated with analysis of operational events, development of procedures or guidelines and support of the probabilistic safety analysis (para. I–1(f)–(i)) are typically not aimed at demonstration of compliance with acceptance criteria and are performed in a realistic way to the extent practicable.
Sensitive information in documentation	I–3.	Safety requirements for safety analysis of the plant design are established in Requirement 42 and paras 5.71–5.74 of IAEA Safety Standards Series No. SSR-2/1 (Rev. 1), Safety of Nuclear Power Plants: Design [I–1]. More specific requirements on the scope and objectives of deterministic safety analysis are specified in para. 5.75 of SSR-2/1 (Rev. 1) [I–1].
Sensitive information in documentation	I–4.	The main components of the design requirements determined by deterministic safety analysis typically include: equipment sizing; capacity; set point values for parameters regarding initiation, termination and control of systems; and working (environmental) conditions. These ensure effective operation of the systems in all relevant plant states and provide for adequate operating margins. The analysis also includes assessment of radiological effects for all plant states to ensure that there is confidence in the future authorization of the plant.
Sensitive information in documentation	I–5.	The designer typically uses the safety analysis as an integral part of the design process, which usually consists of several iterations that may continue through the manufacture and construction of the plant. The safety analysis used in the design is performed in accordance with a quality assurance programme.
Sensitive information in documentation	I–6.	The operating organization usually performs or verifies the safety analysis to the extent necessary to ensure that the as-built design will perform as expected in operation, and to demonstrate that the design meets the safety requirements at any point in the plant’s design life. This independent verification is considered as a separate additional check to ensure a safe and proper design.
Sensitive information in documentation	I–7.	Although the deterministic safety analysis for design does not represent a direct input for authorization of the nuclear power plant, its results are expected to provide for sufficient margins to facilitate future authorization. It is therefore performed with the same scope and following the same or even more stringent rules as applicable for the authorization itself, which are described in the main text.
Sensitive information in documentation	I–8.	Compliance with all applicable regulations and standards, and other relevant safety requirements is essential for the safe and reliable operation of a nuclear power plant. This may be demonstrated by means of an initial or an updated safety analysis, typically included in safety analysis reports for different stages of the plant lifetime and other supporting safety analysis associated with various submissions to the regulatory body.
Sensitive information in documentation	I–9.	On the basis of this analysis for licensing, the robustness of the design in performing safety functions during all operational modes and all plant states may be demonstrated. In particular, the effectiveness of the safety systems in combination with prescribed operator actions for anticipated operational occurrences and design basis accident conditions, and of safety features in combination with expected operator actions for design extension conditions, may be demonstrated.
Sensitive information in documentation	I–10.	The analysis for licensing is typically performed in accordance with established conservative or realistic rules, and includes a comparison of the results of the analysis with relevant acceptance criteria. Demonstration of compliance with the acceptance criteria is performed to take into consideration uncertainties in the analysis. The rules for performing deterministic safety analysis are described in detail in the main text.
Sensitive information in documentation	I–11.	A separate independent review is typically carried out by the regulatory body to check the completeness and the consistency of the deterministic safety analyses submitted for licensing purposes and to verify that the design meets their requirements. As stated in para. 4.71 of IAEA Safety Standards Series No. GSR Part 4 (Rev. 1), Safety Assessment for Facilities and Activities [I–2], “The verification by the regulatory body is not part of the operating organization’s process and it is not to be used or claimed by the operating organization as part of its independent verification.”
Sensitive information in documentation	I–12.	New deterministic safety analyses may be necessary to refine or update the previous safety analyses in the context of a periodic safety review, to provide assurance that the original assessments and conclusions are still valid. In such analyses, account is typically taken of any margins that may be reduced due to ageing over the period under consideration.
Sensitive information in documentation	I–13.	A nuclear power plant is typically upgraded on the basis of feedback from operating experience, findings of periodic safety reviews (when performed), changes in regulatory requirements, advances in knowledge or developments in technology. Plant modifications include changes in structures, systems or components, changes in plant parameters, changes in plant configuration or changes in operating procedures.
Sensitive information in documentation	I–14.	Plant modifications are often aimed at more economical utilization of the reactor and the nuclear fuel. Such modifications encompass uprating of the reactor power, the use of improved types of fuel and the use of innovative methods for core reloads. Such modifications often mean that the safety margins to operating limits are reduced and special care is taken to ensure that the limits are not exceeded.
Sensitive information in documentation	I–15.	Deterministic safety analyses are typically performed to support plant modifications. The scope of such deterministic safety analysis typically corresponds to the safety significance of the modification. The safety analysis is usually performed in accordance with the rules established for deterministic analysis for design and for licensing.
Sensitive information in documentation	I–16.	Changes that require significant plant modifications, such as power uprating and achieving higher burnup, longer fuel cycles and life extensions, are typically addressed by comprehensive deterministic safety analysis to demonstrate compliance with acceptance criteria. Special care is taken when several changes are implemented at the same time.
Sensitive information in documentation	I–17.	Deterministic safety analyses are used as a tool for obtaining a comprehensive understanding of events that occur during the operation of nuclear power plants and form an integral part of the feedback from operating experience. The events are analysed with the following objectives: To check the comprehensiveness of the earlier selection of postulated initiating events; To determine whether the transients analysed in the safety analysis report bound the event; To provide additional information on the time dependence of the values of parameters that are not directly observable using the plant instrumentation; To check whether the operators and plant systems performed as intended; To check and review emergency operating procedures; To identify any new safety issues and questions arising from the analyses; To support the resolution of potential safety issues identified in the analysis of an event; To analyse the severity of possible consequences in the event of additional failures (such as severe accident precursors); To validate and adjust the models in the computer codes used for analyses and in training simulators.
Sensitive information in documentation	I–18.	The analysis of events is typically performed using a realistic (best estimate) approach. Actual plant data are used where possible. If there is a lack of detailed information on the plant operating parameters, sensitivity studies, with the variation of selected parameters, may be performed.
Sensitive information in documentation	I–19.	The evaluation of safety significant events is an important aspect of the feedback from operating experience. Modern best estimate computer codes make it possible to investigate and to gain a detailed understanding of plant behaviour. Conclusions from such analyses are incorporated into the plant modifications or plant procedures that address the feedback from operating experience.
Sensitive information in documentation	I–20.	Best estimate deterministic safety analyses are typically performed to confirm the recovery strategies that have been developed to restore normal operational conditions at the plant following transients due to anticipated operational occurrences, and design basis accidents and design extension conditions without significant fuel degradation. These strategies are reflected in the emergency operating procedures that define the actions to be taken to recover from such events. Deterministic safety analyses provide the input that is necessary to specify the operator actions to be taken, and play an important role in the review of accident management strategies. In the development of the recovery strategies for determining the available time period for the operator to take effective action, sensitivity calculations are carried out on the timing of the necessary operator actions, and these calculations may be used to optimize the procedures.
Sensitive information in documentation	I–21.	After the emergency operating procedures have been developed, a verification analysis is performed to confirm that the final emergency operating procedure is consistent with the simulated plant behaviour. Validation of emergency operating procedures is also performed. This validation is usually performed using plant simulators. The validation is made to confirm that a trained operator can perform the specified actions within the time period available and that the plant will reach a safe end state. Possible failures of plant systems and possible errors by the operator are considered in the sensitivity analyses.
Sensitive information in documentation	I–22.	Deterministic safety analyses are also typically performed to assist the development of the strategy that an operator should follow if the emergency operating procedures fail to prevent progression of a design basis accident into design extension conditions with core melting. The analyses are carried out using one or more of the specialized computer codes that are available to model relevant physical phenomena.
Sensitive information in documentation	I–23.	The analyses are used to identify the challenges to the integrity of the barriers or alternative pathways for their bypass that can be expected during the progression of accidents and the phenomena that will occur. They are used to provide the basis for developing a set of guidelines for managing accidents and mitigating their consequences.
Sensitive information in documentation	I–24.	The analysis typically starts with the selection of the accident sequences that, without intervention by the operator, would lead to core damage. A grouping of accident sequences with similar characteristics is used to limit the number of sequences that need to be analysed. Such a categorization may be based on several indicators of the state of the plant: the postulated initiating event; the shutdown status; or the status of the emergency core cooling systems, the coolant pressure boundary, the secondary heat sink, the system for the removal of containment heat and the containment boundary.
Sensitive information in documentation	I–25.	The accident management measures can be broadly divided into preventive and mitigatory measures. The analyses supporting the development of severe accident management guidelines typically focus on mitigatory measures, which are strategies for managing severe accidents to mitigate the consequences of core melting. For water cooled reactors, such strategies may include: coolant injection into the degraded core; depressurization of the primary circuit; activation of the containment spray system; ex-vessel cooling of molten corium; recombination of combustible gases; and filtered containment venting [I–3]. Possible adverse effects that may occur as a consequence of taking mitigatory measures are taken into account, such as pressure spikes, hydrogen generation, return to criticality, steam explosions, thermal shock, or hydrogen deflagration or detonation. For reactors of other designs, consideration is given to the mitigatory measures applicable to the design.
Sensitive information in documentation	I–26.	The transition from the emergency operating procedures to the severe accident management guidelines, if they are separate, needs to be carefully defined and analysed, so that the operator always has guidance on the necessary actions and the monitoring of accident progression, regardless of the sequence of faults.
Sensitive information in documentation	I–27.	Deterministic analysis and probabilistic assessment are complementary means to provide a comprehensive view of the overall safety of the plant for the entire frequency–consequence spectrum. However, it is acknowledged that some residual risks will remain.
Sensitive information in documentation	I–28.	Deterministic safety analysis has an important role in support of the probabilistic safety assessment by determining ‘success criteria’. Deterministic safety analysis is typically used to identify challenges to the integrity of the physical barriers, to determine the failure mode of a barrier when challenged and to determine whether an accident scenario may challenge several barriers. The aim of such studies supporting probabilistic safety assessment is to identify, for various combinations of equipment failures and human errors, a minimum set of safety features that can prevent nuclear fuel degradation. The deterministic analysis is performed in a realistic way although uncertainties are quantified where it is necessary.
Sensitive information in documentation	I–29.	More specifically, the deterministic analysis is performed to specify the order of actions for both automatic systems as well as operator actions. This determines the time available for operator actions in specific scenarios, and supports the specification of success criteria for the required systems for prevention and mitigation measures.
Sensitive information in documentation		REFERENCES TO ANNEX I
Sensitive information in documentation		[I–1] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. SSR-2/1 (Rev. 1), IAEA, Vienna (2016).
Sensitive information in documentation	II–1.	Possible anticipated operational occurrences and design basis accident categories used in some States for new reactors are indicated in Table II–1.
Sensitive information in documentation		Note: DBC — design basis condition; PC — plant condition. The designations DBC-1 and PC-1 are used for normal operation. Some other accidents for which the frequency is <10⁻⁶ need to be considered because they are representative of a type of risk from which the reactor has to be protected.

Sekce

Odstavec

Text

Main

1.1.

This Safety Guide provides recommendations and guidance on the use of deterministic safety analysis and its application to nuclear power plants in compliance with the requirements established in IAEA Safety Standards Series Nos SSR-2/1 (Rev. 1), Safety of Nuclear Power Plants: Design [1], and GSR Part 4 (Rev. 1), Safety Assessment for Facilities and Activities [2].

Main

1.2.

Current developments for ensuring the stable and safe operation of nuclear reactors are closely related to the advances being made in safety analysis. Deterministic safety analyses for normal operation, anticipated operational occurrences, design basis accidents and design extension conditions, including severe accidents, as defined in SSR-2/1 (Rev. 1) [1] and in the IAEA Safety Glossary [3], are essential instruments for confirming the adequacy of safety provisions.

Main

1.3.

This Safety Guide supersedes the 2009 version of SSG-2¹. The modifications incorporated into this Safety Guide reflect recent experience of deterministic safety analysis included in safety analysis reports for designs for new nuclear power plants and in the application of deterministic safety analysis to existing nuclear power plants. The Safety Guide has also been updated to maintain consistency with current IAEA safety standards, including those Safety Requirements publications updated to reflect lessons learned from the Fukushima Daiichi nuclear power plant accident.

Main

1.4.

The objective of this Safety Guide is to provide recommendations and guidance for designers, operating organizations, regulatory bodies and technical support organizations on performing deterministic safety analysis and on its application to nuclear power plants. It also provides recommendations on the use of deterministic safety analysis in:

Demonstrating or assessing compliance with regulatory requirements;
Identifying possible enhancements of safety and reliability.

Main

1.5.

This Safety Guide applies to nuclear power plants. It addresses ways of performing deterministic safety analyses to achieve their purpose in meeting safety requirements. Such analyses are primarily required to demonstrate adequate fulfilment of safety functions by the design, to ensure that barriers to the release of radioactive material will prevent an uncontrolled release to the environment for all plant states, and to demonstrate the validity of the operational limits and conditions. Deterministic safety analyses are also required to determine the characteristics of potential releases (source terms) depending on the status of the barriers for different plant states.

Main

1.6.

This Safety Guide focuses primarily on deterministic safety analysis for the safety of designs for new nuclear power plants and, as far as reasonably practicable or achievable, is also applicable to the safety re-evaluation or reassessment of existing nuclear power plants when operating organizations review their safety assessment. The recommendations provided are intended to be consistent with the scope of applicability indicated in paras 1.3 and 1.6 of SSR-2/1 (Rev. 1) [1], and are particularly based on experience with deterministic safety analysis for water cooled reactors.

Main

1.7.

The recommendations provided in this Safety Guide focus on best practices in the analysis of all plant states considered in the design, from normal operation, through anticipated operational occurrences and design basis accidents, to design extension conditions including severe accidents.

Main

1.8.

This Safety Guide deals with human errors and failures of plant systems (e.g. systems in the reactor core, reactor coolant system, containment, fuel storage or other systems containing radioactive material) having the potential to affect the performance of safety functions and thus lead to loss of physical barriers against releases of radioactive material. An analysis of the hazards themselves, either internal or external (natural or human induced), is not covered by this Safety Guide, although the effects and loads resulting from the hazards and potentially inducing failures in plant systems are taken into account in determining initiating events to be analysed.

Main

1.9.

This Safety Guide addresses the use of deterministic safety analysis for design or licensing purposes, aimed at demonstrating, with adequate margins, compliance with established acceptance criteria.

Main

1.10.

This Safety Guide addresses the different options available for performing deterministic safety analysis, namely the conservative approach, the best estimate approach with and without quantification of uncertainty, and a combined approach.

Main

1.11.

This Safety Guide focuses on neutronic, thermohydraulic, fuel (or fuel channel for pressurized heavy water reactors) and radiological analysis. Other types of analysis, in particular structural analysis of structures and components, are also important means of demonstrating the safety of a plant. However, detailed guidance on performing such analysis is not included in this Safety Guide, since such information can be found in specific engineering guides. Neutronic and thermohydraulic analysis provides the necessary boundary conditions for structural analysis.

Main

1.12.

This Safety Guide covers aspects of the analysis of releases of radioactive material up to and including the determination of the source term for releases to the environment for anticipated operational occurrences and accident conditions (paras 2.16–2.18). Radioactive gaseous and liquid effluents and discharges during normal operation are primarily controlled by operational measures and are not covered by this Safety Guide. Similarly, dispersion of radioactive material in the environment and prediction of the radiological effects on people and non-human biota is outside the scope of this Safety Guide (see IAEA Safety Standards Series No. GSR Part 3, Radiation Protection and Safety of Radiation Sources: International Basic Safety Standards [4]). While general rules for deterministic safety analysis also apply to the analysis of radiological consequences of anticipated operational occurrences and accident conditions, this Safety Guide does not provide specific guidance for such analysis. Such specific guidance can be found in other IAEA Safety Guides, for example IAEA Safety Standards Series No. GSG-10, Prospective Radiological Environmental Impact Assessment for Facilities and Activities [5].

Main

1.13.

This Safety Guide describes general rules and processes to be followed in performing deterministic safety analysis. The Safety Guide does not describe specific phenomena, nor does it systematically identify the key factors essential for neutronic, thermohydraulic, fuel (or fuel channel) and radiological analysis. When such information is provided in this Safety Guide, it is intended as an illustration or example and should not be understood to be a comprehensive description.

Main

1.14.

Recommendations on nuclear security are outside the scope of this Safety Guide. In general, documentation and electronic records relating to deterministic safety analysis processes and outputs provide limited information regarding equipment location and vulnerability, and practically no information on cable routes and other aspects of plant layout. However, such information needs to be reviewed to identify any sensitive information that could be used to support malicious acts, and such information needs to be protected appropriately. Guidance on sensitive information and information security is provided in Ref. [6].

Main

1.15.

This Safety Guide comprises nine sections and two annexes. Section 2 introduces some basic concepts and terminology used in the area of deterministic safety analysis, as a basis for the specific recommendations provided in the other sections. The sequence of subsequent sections corresponds to the general process of performing deterministic safety analysis. Section 3 describes methods of systematic identification, categorization and grouping of postulated initiating events and accident scenarios to be addressed by deterministic safety analysis, and includes practical advice on the selection of events to be analysed for the different plant states. Section 4 provides a general overview of acceptance criteria to be used in deterministic safety analysis for design and authorization of nuclear power plants, and describes the rules for determination and use of acceptance criteria. Section 5 provides guidance on verification and validation, selection and use of computer codes and plant models, together with input data used in the computer codes. Section 6 describes general approaches for ensuring adequate safety margins in demonstrating compliance with acceptance criteria for all plant states, with a focus on anticipated operational occurrences and design basis accidents. Section 7 provides specific guidance on performing deterministic safety analysis for each individual plant state. Section 8 includes guidance on the documentation, review and updating of deterministic safety analysis. Section 9 provides guidance on independent verification of safety assessments, including verification of deterministic safety analysis.

Main

1.16.

Annex I indicates additional applications of the computer codes used for deterministic safety analysis, besides nuclear power plant design and authorization. Annex II indicates the frequency ranges of anticipated operational occurrences and design basis accident categories used in some States for new reactors.

Main

2.1.

The objective of deterministic safety analysis for nuclear power plants is to confirm that safety functions can be performed with the necessary reliability and that the necessary structures, systems and components, in combination where relevant with operator actions, are capable and sufficiently effective, with adequate safety margins, to keep the releases of radioactive material from the plant below acceptable limits. Deterministic safety analysis is aimed at demonstrating that barriers to the release of radioactive material from the plant will maintain their integrity to the extent required. Deterministic safety analysis, supplemented by further specific information and analysis (such as information and analysis relating to fabrication, testing, inspection and evaluation of the operating experience) and by probabilistic safety analysis, is also intended to contribute to demonstrating that the source term and the potential radiological consequences of different plant states are acceptable, and that the possibility of certain conditions arising that could lead to an early radioactive release or a large radioactive release can be considered as ‘practically eliminated’ (see para. 3.55).

Main

2.2.

The aim of deterministic safety analyses performed for different plant states is to demonstrate the adequacy of the engineering design, in combination with the envisaged operator actions, by demonstrating compliance with established acceptance criteria.

Main

2.3.

Deterministic safety analyses predict the response of the plant to postulated initiating events, alone or in combination with additional postulated failures. A set of rules and acceptance criteria specific to each plant state is applied. Typically, these analyses focus on neutronic, thermohydraulic, thermomechanical, structural and radiological aspects, which are analysed with appropriate computational tools. Computational simulations are carried out specifically for predetermined operating modes and plant states.

Main

2.4.

The results of computations are space and time dependent values of selected physical variables (e.g. neutron flux; thermal power of the reactor; pressures, temperatures, flow rates and velocities of the primary coolant; loads to physical barriers; concentrations of combustible gases; physical and chemical compositions of radionuclides; status of core degradation or containment pressure; and source term for a release to the environment).

Main

2.5.

Acceptance criteria are used in deterministic safety analysis to assist in judging the acceptability of the results of the analysis as a demonstration of the safety of the nuclear power plant. The acceptance criteria can be expressed in general, qualitative terms or as quantitative limits. Three categories of criteria are recognized:

Safety criteria: Criteria that relate either directly to the radiological consequences of operational states or accident conditions, or to the integrity of barriers against releases of radioactive material, with due consideration given to maintaining the safety functions.
Design criteria: Design limits for individual structures, systems and components, which are part of the design basis as important preconditions for meeting safety criteria (see Requirement 28 of SSR-2/1 (Rev. 1) [1]).
Operational criteria: Rules to be followed by the operator during normal operation and anticipated operational occurrences, which provide preconditions for meeting the design criteria and ultimately the safety criteria.

Main

2.6.

In this Safety Guide, only safety acceptance criteria are addressed. These acceptance criteria, as approved by the regulatory body, may include margins with respect to safety criteria.

Main

2.7.

The use of uncertainty analysis in deterministic safety analysis is addressed in paras 6.21–6.29. Several methods for performing uncertainty analysis have been published (e.g. Ref. [7]). They include:

Use of a combination of expert judgement, statistical techniques and sensitivity calculations;
Use of data from scaled experiments;
Use of bounding scenario calculations.

Main

2.8.

Table 1 lists different options currently available for performing deterministic safety analyses with different levels of conservatism associated with the computer code used (see Section 5), the assumptions made about the availability of systems, and the initial and boundary conditions applied for the analysis.

Main

^* For simplicity, the terms ‘realistic approach’ or ‘realistic analysis’ are used in this Safety Guide to mean best estimate analysis without quantification of uncertainties.

Main

2.9.

Option 1 is a conservative approach in which both the assumed plant conditions and the physical models are set conservatively. In a conservative approach, parameters need to be allocated values that will have an unfavourable effect in relation to specific acceptance criteria. The conservative approach was commonly adopted in the early days of safety analysis to simplify the analysis and to compensate for limitations in modelling and knowledge of physical phenomena with large conservatisms. It was assumed that such an approach would bound many similar transients in a way that the acceptance criteria would be met for all bounded transients.

Main

2.10.

Experimental research has resulted in a significant increase in knowledge of physical phenomena, and the development of computer codes has improved the ability to achieve calculated results that correspond more accurately to experimental results and recorded event sequences in nuclear power plants. Owing to the improved capabilities of computer codes and the possible drawbacks of the conservative approach (e.g. potential masking of important phenomena, and conservatisms in different parameters potentially cancelling each other out), Option 1 is rarely used now and is not suggested for current safety analysis, except in situations in which scientific knowledge and experimental support is limited. Option 1 remains relevant, however, as it may have been used in legacy analyses.

Main

2.11.

Option 2 is a combined approach based on the use of best estimate models and computer codes instead of conservative models and codes (para. 6.12). Best estimate codes are used in combination with conservative initial and boundary conditions and with conservative assumptions made about the availability of systems, assuming that all uncertainties associated with the code models are well established and that the plant parameters used are conservative, based on plant operating experience. The complete analysis requires use of sensitivity studies to justify the selection of conservative input data. Option 2 is commonly used for design basis accidents and for conservative analysis of anticipated operational occurrences.

Main

2.12.

Option 3 is a ‘best estimate plus uncertainty’ approach. This allows the use of best estimate computer codes together with more realistic assumptions. A mixture of best estimate and partially unfavourable (i.e. somewhat conservative) initial and boundary conditions may be used, taking into account the very low probability that all parameters would be at their most pessimistic value at the same time. Conservative assumptions are usually made about the availability of systems. In order to ensure the overall conservatism required in analysis of design basis accidents, the uncertainties need to be identified, quantified and statistically combined. Option 3 contains a certain level of conservatism and is currently accepted for some design basis accidents and for conservative analyses of anticipated operational occurrences.

Main

2.13.

In principle, Options 2 and 3 are distinctly different types of analysis. In practice, however, a mixture of Options 2 and 3 is often employed. This is because the tendency is to use best estimate input data whenever extensive data are available and to use conservative input data whenever data are scarce. The difference between these options is the statistical combination of uncertainties.

Main

2.14.

Deterministic safety analysis performed in accordance with Options 1–3 is considered to be conservative, with the level of conservatism decreasing from Option 1 to Option 3 (see paras 2.9–2.13).

Main

2.15.

Option 4 allows the use of best estimate models and computer codes, and best estimates of system availability and initial and boundary conditions. Option 4 is appropriate for realistic analysis of anticipated operational occurrences aimed at the assessment of control system capability (see paras 7.17–7.44) and in general for best estimate analysis of design extension conditions (see paras 7.45–7.67), as well as for the purpose of justifying prescribed operator actions in realistic analysis. Deterministic analysis for operating events that may necessitate a short term relaxation of regulatory requirements may also rely on best estimate modelling. More detailed information with regard to modelling assumptions applicable for different options is provided in Section 7.

Main

2.16.

An essential component of deterministic safety analysis is the determination of source terms for releases of radioactive material as a key factor for prediction of dispersion of such material in the environment and ultimately of radiation doses to plant staff and to the public as well as the radiological impact on the environment. The source term is the “amount and isotopic composition of radioactive material released (or postulated to be released) from a facility” [3]; and it is used “in modelling releases of radionuclides to the environment, in particular in the context of accidents at nuclear installations or releases from radioactive waste in repositories” [3].

Main

2.17.

To evaluate the source term from a nuclear installation, it is necessary to identify the sources of radiation, to determine the inventories of radionuclides that are produced and to know the mechanisms by which radioactive material can travel from the source through the installation and be released to the environment. Under accident conditions, source term evaluation requires simulation codes capable of predicting fission product release from fuel elements, transport through the primary system and containment or spent fuel pool building, the related chemistry affecting this transport and the form in which the radioactive material would be released.

Main

2.18.

The source term is evaluated for operational states and accident conditions for the following reasons:

To confirm that the design is optimized so that the source term is reduced to a level that is as low as reasonably achievable in all plant states;
To support the demonstration that the possibility of certain conditions arising that could lead to an early radioactive release or a large radioactive release can be considered to have been ‘practically eliminated’;
To demonstrate that the design ensures that requirements for radiation protection, including restrictions on doses, are met;
To provide a basis for the emergency arrangements² that are required to protect human life, health, property and the environment in case of an emergency at the nuclear power plant;
To support specification of the conditions for the qualification of the equipment required to withstand accident conditions;
To provide data for training activities with regard to emergency arrangements;
To support the design of safety features for the mitigation of the consequences of severe accidents (e.g. filtered containment venting and recombiners of combustible gases; see IAEA Safety Standards Series No. SSG-54, Accident Management Programmes for Nuclear Power Plants [11]).

Main

2.19.

General rules presented in this Safety Guide for deterministic safety analysis also apply to determination of the source term. Aspects associated with the determination of the source term are introduced in several paragraphs in this Safety Guide to remind readers of the applicability of the general rules to this specific application.

Main

3.1.

In accordance with the definition of “plant states (considered in design)” from SSR-2/1 (Rev. 1) [1], the plant states considered in the deterministic safety analysis should cover:

Normal operation;
Anticipated operational occurrences;
Design basis accidents;
Design extension conditions, including sequences without significant fuel degradation and sequences with core melting.

Main

3.2.

The deterministic safety analysis should address all postulated initiating events originating in any part of the plant and having the potential to lead to a radioactive release to the environment, both on their own and in combination with possible additional failures, for example in the control and limitation systems³ and the associated safety functions. This includes events that can lead to a release of radioactive material not only from the reactor core but also from other relevant sources, such as fuel elements stored at the plant and systems dealing with radioactive material.

Main

3.3.

Where applicable, the possibility should be considered that a single cause could simultaneously prompt initiating events in several or even all of the reactors in the case of a multiple unit nuclear power plant, or spent fuel storage units, or any other sources of potential radioactive releases on the given site (para. 5.15B of SSR-2/1 (Rev. 1) [1]).

Main

3.4.

The deterministic safety analysis should address postulated initiating events that can occur in all modes of normal operation. The initial conditions should assume a steady state with normal operation equipment operating prior to the initiating event.

Main

3.5.

Each configuration of shutdown modes, including refuelling and maintenance, should be considered. For these modes, possible failures or other factors that could occur during shutdown and lead to increased risk should be considered, such as:

Inability to start some safety systems automatically or manually;
Disabled automation systems;
Equipment undergoing maintenance or repair;
Reduced amounts of coolant in the primary circuit and, for some modes, in the secondary circuit;
Instrumentation switched off or non-functional so that measurements are not made;
Open primary circuit;
Open containment.

Main

3.6.

For postulated initiating events relating to the spent fuel pool, specific operating modes relating to fuel handling and storage should be considered.

Main

3.7.

Postulated initiating events taking place during plant operating modes of negligibly short duration may be excluded from deterministic safety analysis if careful analysis and quantitative assessment confirm that their potential contribution to the overall risk, including the risk of conditions arising that could lead to an early radioactive release or a large radioactive release, is also negligible. Nevertheless, the need to prevent or mitigate these events with appropriate procedures or means should be addressed on a case by case basis.

Main

3.8.

The performance of deterministic safety analysis and the use of the results should take into account the recommendations of IAEA Safety Standards Series Nos GS-G-3.1, Application of the Management System for Facilities and Activities [12], and GS-G-3.5, The Management System for Nuclear Installations [13], for meeting Requirements 1–3 of SSR-2/1 (Rev. 1) [1] and the requirements established in IAEA Safety Standards Series No. GSR Part 2, Leadership and Management for Safety [14].

Main

3.9.

Deterministic safety analysis should include an analysis of normal operation, defined as operation within specified operational limits and conditions. Normal operation should typically include operating conditions such as:

Normal reactor startup from shutdown, approach to criticality and approach to full power;
Power operation, including full power and low power operation;
Changes in reactor power, including load follow modes and return to full power after an extended period at low power, if applicable;
Reactor shutdown from power operation;
Hot shutdown;
Cooling down process;
Cold shutdown;
Refuelling during shutdown or during normal operation at power, where applicable;
Shutdown in a refuelling mode or maintenance conditions that open the reactor coolant or containment boundary;
Normal operation modes of the spent fuel pool;
Storage and handling of fresh fuel.

Main

3.10.

It should be taken into account that, in some cases during normal operation, the main plant parameters change owing to transfer to different plant modes or changes in the plant power output. A major aim of the analysis for transients occurring during normal operation should be to demonstrate that the plant parameters can be kept within the specified operational limits and conditions.

Main

3.11.

The prediction of plant behaviour in plant states other than normal operation (anticipated operational occurrences, design basis accidents and design extension conditions) should be based on a plant specific list of postulated initiating events, possibly combined with additional equipment failures or human errors for specific event sequences.

Main

3.12.

A list of postulated initiating events should be prepared. The list should be comprehensive to ensure that the analysis of the behaviour of the plant is as complete as possible, so that “all foreseeable events with the potential for serious consequences and all foreseeable events with a significant frequency of occurrence are anticipated and are considered in the design” (Requirement 16 of SSR-2/1 (Rev. 1) [1]).

Main

3.13.

The list of postulated initiating events should take due account of operating experience feedback, including, depending on the availability of relevant data, operating experience from the actual nuclear power plant or from similar plants.

Main

3.14.

The set of postulated initiating events should be defined in such a way that it covers all credible failures, including:

Failures of structures, systems and components of the plant (partial failure if relevant), including possible spurious actuation;
Failures initiated by operator errors, which could range from faulty or incomplete maintenance operations to incorrect settings of control equipment limits or wrong operator actions;
Failures of structures, systems and components of the plant arising from internal and external hazards.

Main

3.15.

All consequential failures that a given postulated initiating event could prompt in the plant should be considered in the analysis of the plant response as a part of the postulated initiating event. These should include:

If the initiating event is a failure of part of an electrical distribution system, the analysis for anticipated operational occurrences, design basis accidents or design extension conditions should assume the unavailability of all the equipment powered from that part of the distribution system.
If the initiating event is an energetic event, such as the failure of a pressurized system that leads to the release of hot water or pipe whip, the analysis for anticipated operational occurrences, design basis accidents or design extension conditions should include consideration of potential failure of the equipment that could be affected by such an event.
For internal hazards, such as fire or flooding, or for failures caused by external hazards, such as earthquakes, the definition of the induced postulated initiating event should include failure of all the equipment that is neither designed to withstand the effects of the event nor protected from it.

Main

3.16.

In addition to the set of initiating failures and consequential failures, other failures are assumed in deterministic safety analysis for conservatism (e.g. single failure criterion in design basis accidents) or for the purpose of defence in depth (e.g. common cause failure). A distinction should be made between these failures and the failures that are part of, or directly caused by, the postulated initiating event. Finally, some failures may be added to bound a set of similar events so as to limit the number of analyses.

Main

3.17.

The postulated initiating events should include only those failures (either initial or consequential) that directly lead to the challenging of safety functions and ultimately to threatening the integrity of barriers to releases of radioactive material. Therefore hazards, either internal or external (natural or human induced), should not be considered as postulated initiating events by themselves. However, the loads associated with these hazards should be considered a potential cause of postulated initiating events, including multiple failures resulting from these hazards.

Main

3.18.

Paragraph 5.32 of SSR-2/1 (Rev. 1) [1] states:

Main

3.19.

The set of postulated initiating events should be identified in a systematic way. This should include a structured approach to the identification of the postulated initiating events, such as:

Use of analytical methods such as hazard and operability analysis, failure modes and effects analysis, engineering judgement and master logic diagrams;
Comparison with the list of postulated initiating events developed for safety analysis of similar plants (ensuring that previously identified deficiencies are not propagated);
Analysis of operating experience data for similar plants;
Use of insights and results from probabilistic safety analysis.

Main

3.20.

Certain limiting faults (e.g. large break loss of coolant accidents, main steam or feedwater pipe breaks, and control rod ejection in pressurized water reactors or rod drop in boiling water reactors) have traditionally been considered in deterministic safety analysis as design basis accidents. These accidents should be considered because they are representative of a type of accident against which the reactor has to be protected. They should not be excluded from the category of design basis accidents unless careful analysis and quantitative assessment of their potential contribution to the overall risk, including to conditions arising that could lead to an early radioactive release or a large radioactive release, indicate that they can be excluded.

Main

3.21.

Failures occurring in the supporting systems that impede the operation of systems necessary for normal operation should also be considered as postulated initiating events if such failures ultimately require the actuation of the reactor protection systems or safety systems.

Main

3.22.

The set of postulated initiating events should be reviewed as the design and safety assessment proceed, as part of an iterative process between these two activities. The postulated initiating events should also be periodically reviewed throughout the lifetime of the plant, for example as part of a periodic safety review, to ensure that they remain valid.

Main

3.23.

Postulated initiating events should be subdivided into representative groups of event sequences taking into account the physical evolution of the postulated initiating events. Each group should include event sequences that lead to a similar challenge to the safety functions and barriers, and need similar mitigating systems to drive the plant to a safe state. Therefore, they can be bounded by a single representative event sequence, which is usually referred to when dealing with the group (and is often identified by the associated postulated initiating event itself). These groups are also categorized in accordance with their frequency of occurrence (see para. 3.27). This approach allows the selection of the same acceptance criteria and initial conditions, and the application of the same assumptions and methodologies to all postulated initiating events grouped under the same representative event sequence. As an example, the postulated initiating events ‘stop of a main feedwater pump’, ‘stop of all main feedwater pumps’ and ‘isolable break on the main feedwater system’ are all typically grouped under a single representative event sequence such as ‘loss of main feedwater’.

Main

3.24.

Representative event sequences can also be grouped by type of sequence, with a focus on aspects such as reduced core cooling and reactor coolant system pressurization, containment pressurization, radiological consequences or pressurized thermal shocks. In the example in para. 3.23, the representative event sequence ‘loss of main feedwater’ would belong to the type of event sequence ‘decrease in reactor heat removal’.

Main

3.25.

The postulated initiating events associated with anticipated operational occurrences and design basis accidents should reflect the specific characteristics of the design. Some typical postulated initiating events and resulting event sequences are suggested in para. 3.28 for anticipated operational occurrences and in para. 3.30 for design basis accidents, in accordance with the typical types of sequence listed in the following:

Increase or decrease in the heat removal through the reactor coolant system;
Increase or decrease in the flow rate of the reactor coolant system;
Anomalies in reactivity and power distribution in the reactor core, or anomalies in reactivity in fresh or spent fuel in storage;
Increase or decrease in the reactor coolant inventory;
Leaks in the reactor coolant system with potential bypass of the containment;
Leaks outside the containment;
Reduction in, or loss of, cooling of the fuel in the spent fuel storage pool;
Loss of cooling of fuel during on-power refuelling (pressurized heavy water reactor);
Release of radioactive material from a subsystem or component (typically from treatment or storage systems for radioactive waste).

Main

3.26.

For analysis of the source term, specific groupings of postulated initiating events may be appropriate to adequately address different pathways that could lead to the release of radioactive material to the environment. Special attention should be paid to accidents in which the release of radioactive material could bypass the containment, because of the potentially severe consequences even in the case of relatively small releases.

Main

3.27.

Within each group of postulated initiating events, the representative event sequences should also be subdivided into categories based on the frequency of the most frequent postulated initiating event in the group. The assignment of each postulated initiating event to a frequency range should be checked by an appropriate methodology. Possible anticipated operational occurrences and design basis accident categories with their indicative frequency ranges, as used in some States for new reactors, are indicated in Table II–1 of Annex II.

Main

3.28.

Typical examples of postulated initiating events leading to event sequences categorized as anticipated operational occurrences should include the following, sorted by types of sequence. This list is broadly indicative, and the actual list will depend on the type of reactor and the actual design:

Increase in heat removal from the reactor: inadvertent opening of steam relief valves; pressure control malfunctions leading to an increase in steam flow rate; feedwater system malfunctions leading to an increase in the heat removal rate.
Decrease in heat removal from the reactor: feedwater pump trips; reduction in the steam flow rate for various reasons (control malfunctions, main steam valve closure, turbine trip, loss of external load and other external grid disturbances, loss of power, loss of condenser vacuum).
Increase in flow rate of the reactor coolant system: start of a main coolant pump.
Decrease in flow rate of the reactor coolant system: trip of one or more coolant pumps; inadvertent isolation of one main coolant system loop (if applicable).
Anomalies in reactivity and power distribution in the reactor core: inadvertent withdrawal of the control rod (or control rod bank); boron dilution due to a malfunction in the chemical and volume control system (pressurized water reactor); wrong positioning of a fuel assembly.
Anomalies in reactivity in fresh or spent fuel in storage: boron dilution in the spent fuel pool.
Loss of moderator circulation or a decrease in, or loss of, moderator heat sink (pressurized heavy water reactor).
Increase in the reactor coolant inventory: malfunctions of the chemical and volume control system; excessive feedwater flow (boiling water reactor); inadvertent operation of emergency core cooling.
Decrease in the reactor coolant inventory: very small loss of coolant due to the failure of an instrument line.
Reduction in, or loss of, cooling of the fuel in the spent fuel storage pools: loss of off-site power; malfunctions in the decay heat removal system; leaking of pool coolant.
Release of radioactive material due to a leak in the reactor coolant system, with potential containment bypass.
Release of radioactive material due to a leak from a subsystem or component: minor leakage from a radioactive waste system or effluents system.

Main

3.29.

The subset of postulated initiating events potentially leading to design basis accidents should be identified. All postulated initiating events identified as initiators of anticipated operational occurrences should also be analysed using design basis accident rules; that is, demonstrating that it is possible to manage them “by safety actions for the automatic actuation of safety systems in combination with prescribed actions by the operator” (para. 5.75(e) of SSR-2/1 (Rev. 1) [1]). Although it is not usual to include postulated initiating events with a very low frequency of occurrence, the establishment of any lower limit of frequency should take account of the safety targets established for the specific reactor.

Main

3.30.

Typical examples of postulated initiating events leading to event sequences categorized as design basis accidents should include the following, sorted by type of sequence. This list is broadly indicative, and the actual list will depend on the type of reactor and the actual design:

Increase in heat removal from the reactor: steam line breaks.
Decrease in heat removal from the reactor: loss of feedwater.
Decrease in flow rate of the reactor coolant system: seizure or shaft break of main coolant pump; trip of all coolant pumps.
Anomalies in reactivity and power distribution: uncontrolled withdrawal of the control rod (or control rod bank); ejection of the control rod (pressurized water reactor); rod drop accident (boiling water reactor); boron dilution due to the startup of an inactive loop (pressurized water reactor).
Decrease in the reactor coolant inventory: a spectrum of possible loss of coolant accidents; inadvertent opening of the primary system relief valves; leaks of primary coolant into the secondary system.
Reduction in, or loss of, cooling of the fuel in the spent fuel storage pools: break of piping connected to the water of the pool.
Loss of cooling of fuel during on-power refuelling (pressurized heavy water reactor).
Loss of moderator circulation or a decrease in, or loss of, moderator heat sink (pressurized heavy water reactor).
Release of radioactive material due to a leak in the reactor coolant system, with potential containment bypass, or from a subsystem or component: overheating of, or damage to, used fuel in transit or storage; break in a gaseous or liquid waste treatment system.
End shield cooling failure (pressurized heavy water reactor).

Main

3.31.

Probabilistic analysis should be used in support of deterministic analysis in justifying the categorization of postulated initiating events in accordance with their frequency of occurrence. The calculation of the frequency should take account of the relative frequencies of the plant operational state(s) in which the postulated initiating event could occur, such as full power or hot shutdown. Particular care should be taken to ensure that a transient with the potential to degrade the integrity of barriers is assigned to a category consistent with its possible effect on the barriers.

Main

3.32.

A number of limiting cases, referred to as bounding or enveloping scenarios, should be selected from each category of events (see para. 3.27). These bounding or enveloping scenarios should be chosen so that collectively they include cases presenting the greatest possible challenges to each of the relevant acceptance criteria and involving limiting values for the performance parameters of safety related equipment. Several postulated initiating events may be combined, and/or their consequences amplified, within a bounding scenario in order to encompass all of the possible postulated initiating events in the group. The safety analysis should confirm that the grouping and bounding of initiating events is acceptable.

Main

3.33.

A single event should in some cases be analysed from different points of view with different acceptance criteria. A typical example is a loss of coolant accident, which should be analysed for many aspects — including degradation of core cooling, buildup of containment pressure, and transport and environmental release of radioactive material — and, specifically for pressurized water reactors, also for leakage of primary coolant to the steam generator bypassing the containment, pressurized thermal shock and boron dilution (reactivity accident) due, for example, to a boiling condensing regime.

Main

3.34.

Accidents during the handling of both fresh and irradiated fuel should also be evaluated. Such accidents can occur both inside and outside the containment.

Main

3.35.

There are a number of other types of postulated initiating event that would result in a release of radioactive material outside the containment and whose source term should be evaluated. Such events include:

A reduction in, or loss of, cooling of the fuel in the spent fuel pool when the pool is located outside the containment;
An increase of reactivity in the fresh or spent fuel;
An accidental discharge from any of the auxiliary systems that carry solid, liquid or gaseous radioactive material;
A failure in systems or components such as filters or delay tanks that are intended to reduce the discharges of radioactive material during normal operation;
An accident during reload or maintenance when the reactor or containment might be open.

Main

3.36.

The frequency assigned to a bounding event sequence belonging to an anticipated operational occurrence or a design basis accident should be the bounding frequency established for the postulated initiating events that have been grouped together.

Main

3.37.

Requirement 20 of SSR-2/1 (Rev. 1) [1] states:

Main

3.38.

Two separate categories of design extension conditions should be identified: design extension conditions without significant fuel degradation; and design extension conditions progressing to core melting (i.e. severe accidents).⁴ Different acceptance criteria and different rules for deterministic safety analysis may be used for these two categories.

Main

3.39.

The initial selection of sequences for design extension conditions without significant fuel degradation should be based on the consideration of single initiating events of very low frequency or multiple failures to meet the acceptance criteria with regard to the prevention of core damage.

Main

3.40.

A deterministically derived list of design extension conditions without significant fuel degradation should be developed. The relevant design extension conditions should include:

Initiating events that could lead to situations beyond the capability of safety systems that are designed for design basis accidents. A typical example is multiple tube rupture beyond the design basis assumptions in a steam generator of a pressurized water reactor.
Anticipated operational occurrences or frequent design basis accidents combined with multiple failures (e.g. common cause failures in redundant trains) that prevent the safety systems from performing their intended function to control the postulated initiating event. A typical example is a loss of coolant accident without actuation of the safety injection. The failures of supporting systems are implicitly included among the causes of failure of safety systems. The identification of these sequences should result from a systematic analysis of the effects on the plant of a total failure of any safety system credited in the safety analysis, for each anticipated operational occurrence or design basis accident (and in particular for the most frequent, anticipated operational occurrences and design basis accidents).
Credible postulated initiating events involving multiple failures causing the loss of a safety system while this system is used to fulfil its function as part of normal operation. This applies to those designs that use, for example, the same system for heat removal both in accident conditions and during shutdown. The identification of these sequences should result from a systematic analysis of the effects on the plant of a total failure of any safety system used in normal operation.

Main

3.41.

Design extension conditions are, to a large extent, technology and design dependent, but the following list should be used as a preliminary reference of design extension conditions without significant fuel degradation, which should be specifically adapted to the type and design of the plant:

Very low frequency initiating events typically not considered as design basis accidents:
1. Multiple steam generator tube ruptures (pressurized water reactor, pressurized heavy water reactor);
2. Main steam line break and induced steam generator tube ruptures (pressurized water reactor, pressurized heavy water reactor).
Anticipated operational occurrences or design basis accidents combined with multiple failures in safety systems:
1. Anticipated transient without scram: anticipated operational occurrences combined with the failure of rods to insert;
2. Station blackout: loss of off-site power combined with the failure of the emergency diesel generators or alternative emergency power supply;
3. Total loss of feedwater: loss of main feedwater combined with total loss of emergency feedwater;
4. Loss of coolant accident together with complete loss of one type of emergency core cooling feature (either the high pressure or the low pressure part of the emergency core cooling system);
5. Loss of required safety systems in the long term after a postulated initiating event.
Postulated initiating events involving multiple failures:
1. Total loss of the component cooling water system or of the essential service water system;
2. Loss of the residual heat removal system during cold shutdown or refuelling;
3. Loss of the cooling systems designed for normal cooling and for design basis accidents in the spent fuel pool;
4. Loss of normal access to the ultimate heat sink.
Multiple steam generator tube ruptures (pressurized water reactor, pressurized heavy water reactor);
Main steam line break and induced steam generator tube ruptures (pressurized water reactor, pressurized heavy water reactor).
Anticipated transient without scram: anticipated operational occurrences combined with the failure of rods to insert;
Station blackout: loss of off-site power combined with the failure of the emergency diesel generators or alternative emergency power supply;
Total loss of feedwater: loss of main feedwater combined with total loss of emergency feedwater;
Loss of coolant accident together with complete loss of one type of emergency core cooling feature (either the high pressure or the low pressure part of the emergency core cooling system);
Loss of required safety systems in the long term after a postulated initiating event.
Total loss of the component cooling water system or of the essential service water system;
Loss of the residual heat removal system during cold shutdown or refuelling;
Loss of the cooling systems designed for normal cooling and for design basis accidents in the spent fuel pool;
Loss of normal access to the ultimate heat sink.

Main

3.42. For the identification of design extension conditions without significant fuel degradation, specific attention should be paid to auxiliary and support systems (e.g. ventilation, cooling and electrical supply) as some of these systems may have the potential to cause immediate or delayed consequential multiple failures in both operational and safety systems.

Main

3.43.

Sequences for different design extension conditions without significant fuel degradation that are associated with similar safety challenges should be grouped together. Each group should be analysed through a bounding scenario that presents the greatest challenge to the relevant acceptance criteria.

Main

3.44.

Multiple failures considered in each sequence of design extension conditions without significant fuel degradation should be specifically listed.

Main

3.45.

A number of specific sequences with core melting (severe accidents) should be selected for analysis in order to establish the design basis for the safety features for mitigating the consequences of such accidents, in accordance with the plant safety objectives. These sequences should be selected in order to represent all of the main physical phenomena (e.g. primary circuit pressure, reactor decay heat or containment status) involved in core melt sequences.

Main

3.46.

It should be assumed that the features to prevent core melting fail or are insufficient, and that the accident sequence will further evolve into a severe accident. Representative event sequences should be selected by considering additional failures or incorrect operator responses to design basis accident or design extension condition sequences and to the dominant accident sequences identified in the probabilistic safety analysis.

Main

3.47.

The representative event sequences for design extension conditions with core melting, in accordance with each acceptance criterion, should be analysed to determine limiting conditions, particularly those sequences that could challenge the integrity of the containment. The representative event sequences should be used to provide input to the design of the containment and of those safety features necessary to mitigate the consequences of such design extension conditions.

Main

3.48.

Design extension conditions are, to a large extent, technology and design dependent, but the following accidents are provided as a preliminary reference of design extension conditions with core melting (severe accidents):

Loss of core cooling capability, such as an extended loss of off-site power with partial or total loss of on-site AC power sources and/or the loss of normal access to the ultimate heat sink (exact sequence is design dependent);
Loss of reactor coolant system integrity, such as loss of coolant accidents without the availability of emergency core cooling systems or exceeding their capabilities.

Main

3.49.

A low estimated frequency of occurrence for an accident with core melting is not a sufficient reason for failing to protect the containment against the conditions generated by such an accident. Core melt conditions should be postulated regardless of the provisions implemented in the design. To exclude containment failure, the analysis should demonstrate that very energetic phenomena that may result from an accident with core melting are prevented (i.e. the possibility of the conditions arising may be considered to have been ‘practically eliminated’).

Main

3.50.

Representative event sequences of design extension conditions with core melting should be selected to identify the most severe plant parameters resulting from the phenomena associated with a severe accident. These parameters should be used in the deterministic analyses of the plant structures, systems and components to demonstrate the limitation of the radiological consequences of such severe accident sequences. The analysis of these sequences should provide the environmental conditions to be taken into account when assessing whether the equipment⁵ used in severe accidents is capable of performing its intended functions when necessary (see Requirement 30 of SSR-2/1 (Rev. 1) [1]).

Main

3.51.

Determination of postulated initiating events should take account of effects and loads from events caused by relevant site specific internal and external hazards, individually and in combination (Requirement 17 and paras 5.15A–5.21A of SSR-2/1 (Rev. 1) [1]). A list of external hazards can be found in IAEA Safety Standards Series No. SSR-1, Site Evaluation for Nuclear Installations [15]. Analysis of internal and external hazards differs from analysis of postulated initiating events and scenarios caused by a single failure or multiple failures in the nuclear power plant technological systems or by erroneous human actions having a direct impact on performance of fundamental safety functions⁶. The hazards themselves do not represent initiating events but they are associated with loads, which can initiate such events.

Main

3.52.

In accordance with paras 5.15B, 5.19 and 5.63 of SSR-2/1 (Rev. 1) [1], in determining postulated initiating events caused by site specific hazards for multiple unit plant sites, the possibility of affecting several or even all units on the site simultaneously should be taken into account. Specifically, the effects from losing the electrical grid, those from losing the ultimate heat sink and the failure of shared equipment should be taken into account.

Main

3.53.

The analysis of hazards⁷, which is performed by using probabilistic methods or appropriate engineering methods, should aim to demonstrate for each hazard that either:

The hazard can be screened out owing to its negligible contribution to risk;
The nuclear power plant design is robust enough to prevent any transition from the load caused by the hazard into an initiating event;
The hazard causes an initiating event considered in the design.

Main

3.54.

In cases where an initiating event is caused by a hazard, the analysis should credit only the functions of those structures, systems and components that are qualified for, or protected from, the hazard.

Main

3.55.

Paragraph 2.13(4) of SSR-2/1 (Rev. 1) [1] states:

Main

3.56.

The event sequences for which specific demonstration of their ‘practical elimination’ is required should be classified as follows:

Events that could lead to prompt reactor core damage and consequent early containment failure, such as:
1. Failure of a large pressure-retaining component in the reactor coolant system;
2. Uncontrolled reactivity accidents.
Severe accident sequences that could lead to early containment failure, such as:
1. Highly energetic direct containment heating;
2. Large steam explosion;
3. Explosion of combustible gases, including hydrogen and carbon monoxide.
Severe accident sequences that could lead to late containment failure⁸:
1. Basemat penetration or containment bypass during molten core concrete interaction;
2. Long term loss of containment heat removal;
3. Explosion of combustible gases, including hydrogen and carbon monoxide.
Severe accident with containment bypass.
Significant fuel degradation in a storage fuel pool and uncontrolled releases.
Failure of a large pressure-retaining component in the reactor coolant system;
Uncontrolled reactivity accidents.
Highly energetic direct containment heating;
Large steam explosion;
Explosion of combustible gases, including hydrogen and carbon monoxide.
Basemat penetration or containment bypass during molten core concrete interaction;
Long term loss of containment heat removal;
Explosion of combustible gases, including hydrogen and carbon monoxide.

Main

3.57.

The consequences of event sequences that may be considered to have been ‘practically eliminated’ are not part of the deterministic safety analysis. However, deterministic safety analysis contributes to the demonstration that design and operation provisions are effective in the ‘practical elimination’ of these sequences (see paras 7.68–7.72).

Main

4.1.

Paragraph 4.57 of GSR Part 4 (Rev. 1) [2] states that “Criteria for judging safety, sufficient...to meet the requirements of the designer, the operating organization and the regulatory body, shall be defined for the safety analysis.”

Main

4.2.

Paragraph 5.75 of SSR-2/1 (Rev. 1) [1] states that “The deterministic safety analysis shall mainly provide:…(d) Comparison of the results of the analysis with acceptance criteria, design limits, dose limits and acceptable limits for purposes of radiation protection”. Compliance with the acceptance criteria should be demonstrated by deterministic safety analysis.

Main

4.3.

Acceptance criteria should be established for the entire range of operational states and accident conditions. These criteria should aim at preventing damage to relevant barriers to the release of radioactive material in order to prevent releases (and hence consequences) above acceptable limits. The selection of the criteria should ensure a sufficient margin between the criterion and the physical limit for loss of integrity of a barrier.

Main

4.4.

Acceptance criteria should relate to the frequency of the relevant conditions. Conditions that occur more frequently, such as normal operation or anticipated operational occurrences, should have acceptance criteria that are more restrictive than those for less frequent events, such as design basis accidents or design extension conditions.

Main

4.5.

Acceptance criteria should be established at two levels, as follows:

High level (radiological) criteria, which relate to radiological consequences of plant operational states or accident conditions. These are usually expressed in terms of activity levels or doses, and are typically defined by law or by regulatory requirements.
Detailed (derived) technical criteria, which relate to the integrity of barriers to releases of radioactive material (e.g. the fuel matrix, fuel cladding, reactor coolant system pressure boundary and containment). These are defined in regulatory requirements, or proposed by the designer subject to regulatory acceptance, for use in the safety demonstration.

Main

4.6.

The radiological acceptance criteria should be expressed in terms of effective dose, equivalent dose or dose rate to workers at the nuclear power plant, members of the public or the environment, including non-human biota, as appropriate. Radiological acceptance criteria with regard to doses should be defined in accordance with the applicable safety requirements (see Requirements 5 and 81 of SSR-2/1 (Rev. 1) [1]).

Main

4.7.

Radiological acceptance criteria expressed in terms of doses may be converted into acceptable activity levels for different radionuclides in order to decouple nuclear power plant design features from the characteristics of the environment.

Main

4.8.

Radiological acceptance criteria for normal operation should typically be expressed as effective dose limits for the workers at the plant and for members of the public in the vicinity of the plant, or as authorized limits on the activity in planned discharges from the plant (see Requirement 5 of SSR-2/1 (Rev. 1) [1]).

Main

4.9.

The radiological acceptance criteria for anticipated operational occurrences should be more restrictive than for design basis accidents, since the frequencies of anticipated operational occurrences are higher.

Main

4.10.

The radiological acceptance criteria for design basis accidents should ensure that Requirement 19 and the requirements in para. 5.25 of SSR-2/1 (Rev. 1) [1] are met.

Main

4.11.

The radiological acceptance criteria for design extension conditions should ensure that Requirement 20 and the requirements in para. 5.31A of SSR-2/1 (Rev. 1) [1] are met.

Main

4.12.

Technical acceptance criteria should be set in terms of the variables that govern the physical processes that challenge the integrity of a barrier. It is common engineering practice to use surrogate variables⁹ relating to the integrity of the barriers to establish an acceptance criterion or a combination of criteria for ensuring the integrity of the barrier. When defining these acceptance criteria, sufficient conservatism should be included to ensure that there are adequate safety margins to the loss of integrity of the barrier.

Main

4.13.

The following groups and examples of criteria should be considered, as appropriate depending on specific design solutions, in the specification of a set of technical acceptance criteria:

Criteria relating to the integrity of the nuclear fuel matrix: maximum fuel temperature and maximum radially averaged fuel enthalpy (taking into account burnup, fuel composition and additives, such as burnable absorbers, in both values).
Criteria relating to the integrity of fuel cladding: minimum departure from nucleate boiling ratio; maximum cladding temperature; and maximum local cladding oxidation.
Criteria relating to the integrity of the whole reactor core: adequate subcriticality; maximum production of hydrogen from oxidation of cladding; maximum damage of fuel elements in the core; maximum deformation of fuel assemblies (as required for cooling, insertion of control rods and removal of control rods); and calandria vessel integrity (for pressurized heavy water reactors).
Criteria relating to the integrity of the nuclear fuel located outside the reactor: adequate subcriticality; adequate water level above the fuel assemblies; and adequate heat removal.
Criteria relating to the integrity of the reactor coolant system: maximum coolant pressure; maximum temperature, pressure and temperature changes and resulting stresses and strains in the coolant system pressure boundary; and no initiation of a brittle fracture or ductile failure from a postulated defect of the reactor pressure vessel.
Criteria relating to the integrity of the secondary circuit (if relevant): maximum coolant pressure; and maximum temperature, pressure and temperature changes in the secondary circuit equipment.
Criteria relating to the integrity of the containment and limitation of releases to the environment: value and duration of maximum and minimum pressure; maximum pressure differences acting on containment walls; maximum leakages; maximum concentration of flammable or explosive gases; acceptable working environment for operation of systems; and maximum temperature in the containment.
Criteria relating to the integrity of any other component necessary to limit radiation exposure, such as the end shield in pressurized heavy water reactors: maximum pressure, temperature and heat-up rate.

Main

4.14.

For postulated initiating events occurring during shutdown modes or other cases with disabled or degraded integrity of any of the barriers, more restrictive criteria should be used if possible, for example avoiding boiling of coolant in an open reactor vessel or in the spent fuel pool, or avoiding uncovering of fuel assemblies.

Main

4.15.

In general, technical acceptance criteria relating to the integrity of barriers should be more restrictive for conditions with a higher frequency of occurrence. For anticipated operational occurrences, there should be no consequential failure of any of the physical barriers (fuel matrix, fuel cladding, and reactor coolant pressure boundary or containment) and no fuel damage (or no additional fuel damage if minor fuel leakage, within operational limits, is authorized in normal operation). For design basis accidents and for design extension conditions without significant fuel degradation, barriers to the release of radioactive material from the plant should maintain their integrity to the extent required (see paras 4.10 and 4.11). For design extension conditions with core melting, the integrity of the containment should be maintained and containment bypass should be prevented to ensure prevention of an early radioactive release or a large radioactive release.

Main

4.16.

The range and conditions of applicability of each individual criterion should be clearly specified. For example, specification of fuel melting temperature or fuel enthalpy rise should be associated with specification of fuel burnup and content of burnable absorbers. Similarly, for a limitation of radioactive releases, the duration of the releases should be specified. Acceptance criteria can vary significantly depending on the conditions. Therefore, acceptance criteria should be associated with sufficiently detailed conditions and assumptions to be used for safety analysis.

Main

4.17.

Although the assessment of engineering aspects important to safety might not be explicitly addressed in the safety analysis, it constitutes a relevant part of the safety assessment. Safety margins applied to the design of structures, systems and components should be commensurate with the uncertainty in the loads they may have to bear and with the consequences of their failure.

Main

4.18.

In addition to all relevant physical quantities, the evaluation of stresses and strains should take account of the environmental conditions resulting from each loading and each loading combination and of appropriate boundary conditions. The acceptance criteria should adequately reflect the prevention of consequential failure of structures or components that are necessary to mitigate the consequences of the events, which are correlated with the assumed loading.

Main

5.1.

Requirement 18 of GSR Part 4 (Rev. 1) [2] states that “Any calculational methods and computer codes used in the safety analysis shall undergo verification and validation.” The models and methods used in the computer codes for deterministic safety analysis should be appropriate and adequate for the purpose. The extent of the validation and verification necessary and the means for achieving it should depend on the type of application and the purpose of the analysis.

Main

5.2.

With regard to the selection of computer codes, it should be confirmed that:

The physical models used to describe the processes are justified.
The simplifying assumptions made in the models are justified.
The correlations used to represent physical processes are justified and their limits of applicability are identified.
The limits of application of the code are identified. This is important when the model or calculational method is only designed to model physical processes in a particular range of conditions, and the code should not be applied outside this range.
The numerical methods used in the code are accurate and robust.
A systematic approach has been used for the design, coding, testing and documentation of the code.
Compliance of the source coding with its description in the system code documentation has been assessed.

Main

5.3.

The assessment of the accuracy of individual computer codes should include a series of steps:

Identifying the important phenomena in the supporting experimental data and expected plant behaviour;
Estimating uncertainties associated with the numerical approaches used in the code;
Estimating uncertainties in the main models used in the code;
Establishing sensitivities of important processes to values of the main variables.

Main

5.4.

With regard to the outputs of the computer codes, it should be confirmed that the predictions of the code have been compared with:

Experimental data for the significant phenomena modelled. This would typically include comparison with ‘separate effect tests’ and ‘integral effect tests’, as described in para. 5.25.
Available plant data, including tests carried out during commissioning or startup and data from operational occurrences or accidents.
Outputs from other codes that have been developed independently and use different methods.
Results from standard problems and/or numerical benchmarks, when these are available and reliable.

Main

5.5.

Although there has been substantial progress in the development of more accurate and reliable computer codes for accident analysis, the user still has a significant influence on the quality of the analysis. It should be ensured that:

All users of the code have received adequate training and have a sufficient understanding of the models and the methods used in the code;
The users or their supervisors are sufficiently experienced in the use of the code and have a sufficient understanding of such use and corresponding limitations for the specific application case (e.g. loss of coolant accident);
The users have adequate guidance on the use of the code;
The users follow the recommendations for use of the code, especially those relevant to the specific application for which the analysis is being carried out.

Main

5.6.

With regard to the use of the computer code, it should be confirmed that:

The nodalization (see para. 5.39) and the plant models provide a good representation of the behaviour of the plant;
The input data are correct;
The nodalization, selected models and assumptions are consistent, to the extent practicable, with those chosen for separate effect tests and integral effect tests used for the qualification of the application;
The output of the code is evaluated and understood adequately and used correctly.

Main

5.7.

All activities that affect the quality of computer codes should be managed using procedures that are specific to ensuring the quality of software. Established software engineering practices that are applicable to the development and maintenance of software critical to safety should be applied. Formalized procedures and instructions should be put in place for the entire lifetime of the code, including code development, verification and validation, and a continued maintenance process with special attention to the reporting and correction of errors.

Main

5.8.

Code developers should ensure that the planned and systematic actions required to provide confidence that the code meets the functional requirements have been taken. The procedures should address, as a minimum, development control, document control, configuration of the code, and testing and corrective actions.

Main

5.9.

To minimize human error in code development, only suitably qualified or supervised personnel should be involved in the development, verification and validation of the code. Similarly, in user organizations, only suitably qualified or supervised personnel should use the code.

Main

5.10.

The activities in development and maintenance of the computer code should include:

Preparation and upgrading of code manuals for developers and users;
Verification and validation activities and their documentation;
Error reporting and corrective actions and their documentation;
Acceptance testing including non-regression tests, installation of the code and upgrading of code manuals;
Configuration management;
Control of interfaces;
Version control of the code.

Main

5.11.

If tasks of code development, verification or validation are delegated to an external organization, those tasks should be managed within the external organization to ensure quality. The user’s organization should review arrangements within the external organization and should audit their implementation.

Main

5.12.

When new versions of computer codes are developed, an established set of test cases should be simulated and run with the new version and any significant differences in the results compared to previous versions should be identified and understood. Such simulations should be performed by the code developers and users, as appropriate.