10.1 Design Basis Initiating Events

PDS-XADS SAFETY PRINCIPLES
Title: PDS-XADS - Integrated Safety Approach - Goals - Principles. Rules for Assessment, Safety Design and Criteria
Abbreviated title: PDS-XADS Safety Principles
Client reference: D6. Internal reference: EVES DC 02 150 (unit / type / year / chrono). Supplier reference: 12T.DTADSWP21
Affair code: AD (PDS-XADS). Nature: DD, Safety Principles. Theme: SUR, Sûreté (safety). Equipment designation: Chaudière
Revision A, 28/05/2002 - First issue. Number of pages: 49. Number of annexes: 0
Names and visas (author, verifier, approver): D. Rochwerger, B. Carluec, T. Varet
FRAMATOME ANP, 10, rue Juliette Récamier 69456 LYON CEDEX 06 - Telephone: 04.72.74.82.21 - Fax: 04.72.74.84.90
This document is the property of FRAMATOME ANP. It must not be reproduced, transmitted or disclosed without the prior written authorization of FRAMATOME ANP.

D6 - PDS-XADS Safety Principles - Rev : A

Modifications
Revision A - 28/05/2002 - First issue
Summary
A safety approach for the XADS has been developed, based on the EUR and EFR approaches.
The general safety objectives have been determined:
- protection of individuals, society and the environment from harm, especially radiological harm,
- prevention of accidents and mitigation of their consequences,
- minimisation, as far as possible, of radiation exposure.
To ensure these objectives, the Defence-in-Depth strategy will be applied.
The fundamental safety functions to be maintained in order to fulfil the safety objectives are:
- control of reactivity and power,
- removal of the decay heat,
- containment of the dangerous materials and fission products,
- protection of the workers against radiation exposure.
The types of situations to be considered have been defined:
- design basis conditions and their classification in four categories,
- internal and external hazards,
- design extension conditions,
- residual risk situations.
The criteria to be fulfilled for the analysed situations have been established: dose limits, fuel and clad limits, plant criteria and mechanical limits.
The rules to be applied for the safety analysis have also been defined: combination with plant initial states, uncertainties, operator action, aggravating failures.
The Lines of Defence method has been described so that it can be used for the safety analysis.
The general principles of safety classification of components have also been determined.
The general safety principles have been applied to the large scale XADS, LBE- and gas-cooled concepts, and a preliminary list of situations to analyse has been established.
Contents
1. Introduction .... 8
2. General safety approach .... 9
2.1 Safety objectives .... 9
2.2 Current safety approaches .... 9
2.3 Defence-in-Depth principle .... 10
2.4 Probabilistic design targets .... 11
3. Safety issues .... 12
3.1 Generic safety issues .... 12
3.2 Specific safety issues .... 12
4. Definition of situations .... 16
4.1 Design basis conditions - Internal and external hazards .... 16
4.2 Design extension conditions .... 18
4.3 Residual risk situations .... 19
5. Rules and methods for safety analysis .... 19
5.1 Rules for the safety analysis of the operating conditions .... 19
5.1.1 Combination of initiating faults and plant operating initial conditions .... 19
5.1.2 Uncertainties .... 20
5.1.3 Operator action .... 21
5.1.4 Single failure criterion .... 21
5.1.5 Combination with additional failures .... 21
5.2 Lines of defence method and application .... 23
6. Safety and design criteria .... 24
6.1 Release criteria .... 24
6.2 Design criteria .... 25
7. Principles of safety classification of components .... 25
7.1 Principles of classification of safety functions .... 25
7.2 Principles of classification of components .... 26
7.3 Additional requirements .... 27
8. Application of the general safety principles to the LBE-cooled XADS small scale concept .... 27
8.1 Design basis conditions .... 28
8.2 Design extension conditions .... 28
8.3 Residual risk situations .... 28
9. Application of the general safety principles to the LBE-cooled XADS large scale concept .... 28
9.1 Design basis initiating events .... 28
9.2 Design extension conditions .... 28
9.2.1 Complex Sequences and Limiting Events .... 29
9.2.2 Severe Accidents .... 29
9.3 Residual risk .... 29
10. Application of the general safety principles to the gas-cooled XADS concept .... 30
10.1 Design Basis Initiating Events .... 31
10.2 Design Extension Conditions .... 31
10.2.1 Complex Sequences and Limiting Events .... 32
10.2.2 Severe Accidents .... 32
10.3 Residual Risk Situations .... 33
11. Conclusion .... 33
List of tables
Table 1: Levels of defence-in-depth (from INSAG-10)
Table 2: Doses from direct radiation during design basis conditions and design extension conditions
Table 3: Fuel limits for design basis operating conditions and design extension conditions
Table 4: Plant criteria for design basis operating conditions
Table 5: Mechanical limits for design basis operating conditions
Table 6: Classification of safety functions
Table 7: Classification of the mechanical components
Table 8: Classification of the electrical components
Table 9: LBE-cooled design - Preliminary list of Design Basis Conditions
Table 10: Gas-cooled design - Preliminary list of Design Basis Conditions

List of figures
Figure 1: Scheme of the small core LBE-cooled XADS (Myrrha concept)
Figure 2: Scheme of the larger core LBE-cooled XADS
Figure 3: Scheme of the gas-cooled XADS
List of references
(1) Preliminary Design Study of an Experimental Accelerator Driven System, Rev. 3, 29th June 2001.
(2) European Fast Reactor - Non Site Specific Safety Report, B2 00 5 2362, revision B.
(3) European Utilities Requirements for LWR nuclear power plants, revision B, November 1995.
(4) IAEA Safety Series No. 75-INSAG-3.

1. Introduction
This document has been prepared as part of the Preliminary Design Studies of an Experimental Accelerator Driven System (PDS-XADS) (Contract n° FIKW-CT-2001-00179). The general objective of this programme, reference (1), is to study in parallel three concepts of Accelerator Driven Systems (XADS):
- The first one with a small core (about 20-40 MWth) cooled by lead bismuth eutectic (LBE), called the Myrrha concept.
- The second one with a larger core (around 80 MWth), also cooled by LBE.
- The third one with a core of around 80-100 MWth cooled by gas.
The PDS-XADS work programme is split into five work-packages (WPs). WP2 is devoted to safety, and is split into three sub work-packages:
- WP 2.1, whose objective is to develop an integrated safety approach and identify the goals, the basis and the acceptance criteria for the safety of both the LBE- and gas-cooled XADS concepts.
- WP 2.2, whose objective is to identify and examine, for both the LBE- and gas-cooled concepts, the main safety issues, to perform research on their phenomenology, and to develop an evaluation methodology for their safety analysis.
- WP 2.3, whose objective is to perform the preliminary safety analysis for each XADS concept.
This document is related to WP2.1 and is identified as deliverable D6 in reference (1).
In order to draw up a suitable safety approach for future XADS, the following fields should be considered:
- international safety references (INSAG...),
- current safety approaches and rules applied to future fast neutron reactors or light water reactors (EFR, EUR...),
- existing preliminary safety elements for the long term development of nuclear systems (Generation IV, IAEA),
- integration of safety features specific to Accelerator Driven Systems.
This document covers all the fields mentioned above, so as to set a suitable basic safety approach for the XADS system, whatever the design options (nature of coolant, nature of fuel, nature of accelerator...).
2. General safety approach
2.1 Safety objectives
The safety objectives common to all the approaches for future nuclear plants are:
- To protect individuals, society and the environment from harm by establishing and maintaining in nuclear installations effective defences against radiological hazards.
- To ensure that in all operational states radiation exposure within the installation is kept below prescribed limits and as low as reasonably achievable (ALARA principle).
- To take all reasonably practicable measures to prevent accidents in nuclear installations and to mitigate their consequences should they occur.
These safety objectives are achieved through the application of the Defence-in-Depth strategy, which will continue to be the overriding approach for ensuring the safety of the public and for protecting the environment.
2.2 Current safety approaches
In Europe, enhanced safety approaches have been developed for the conceptual design phases of future plants:
- Light water reactors (LWR). The European safety approach is defined in the European Utilities Requirements (EUR), reference (3), and has been applied during the design phase of the European Pressurised Reactor (EPR), whose project has been presented to the French and German safety authorities.
- Liquid metal fast reactors (LMFR). The safety approach has been defined for the European Fast Reactor (EFR), reference (2). It has been examined by a European group of national licensing experts (the Ad Hoc Safety Club). The EFR safety approach has also been analysed and judged consistent with the basic safety requirements defined in the EUR.
In these projects, the new European reactor concept had to be licensable in any country involved in the project, which means that it needs only minor adaptation to meet national licensing requirements (e.g. the type of aeroplane crash to be considered).
The documents produced by European utilities and licensing expert groups in the frame of the EPR and EFR projects are an important step towards harmonisation of safety principles and requirements in Europe.
The respective safety approaches are not completely identical, but for these two reactor system types (LWR, LMFR) the basic safety principles and objectives are consistent with the existing IAEA recommendations, reference (4).
For example, the European safety philosophy for fast neutron reactors (applied to the EFR) can be summarised as follows:
- The basic safety approach is deterministic: Defence-in-Depth principle, "Analysis by Barriers" method, event categorisation, safety classification of components, rules for safety analysis (combination with aggravating faults: loss of station service power, single failure; seismic analysis...).
- Nevertheless, local probabilistic assessments may be applied for: safety system reliability (weak point identification), categorisation of faults, sequences or external events (event frequency).
- Radiological release targets are reduced in comparison with present plants.
- The reactor behaviour must be stable against any disturbance, thanks to inherent reactor properties in addition to the safety systems implemented.
- Because of LMFR specificities, one more decade is required on the probabilistic criterion for the core melting frequency in comparison with LWR (below 10^-6 per reactor-year instead of below 10^-5 per reactor-year for LWR core damage), but for both of them the frequency of events with unacceptable radiological release must be below 10^-6 per reactor-year.
- Prevention of severe accidents involves safety systems with high reliability and efficiency. Loss of each safety function (decay heat removal and neutronic power control) must be extremely unlikely (below 10^-7 per reactor-year), and this is demonstrated by application of the "Lines of Defence" method instead of probabilistic safety assessment.
- Whatever the degree of prevention of core melting, it is required to consider hypothetical severe accident cases for assessing the capabilities of the containment and safeguard systems (core catcher...).
2.3 Defence-in-Depth principle
The overriding "Defence-in-Depth" concept is based on several levels of protection, including successive barriers that prevent the release of radioactive material to the environment. These levels are indicated in Table 1.
The Defence-in-Depth strategy has proved to be effective in compensating for human and equipment failures.
Especially important aspects regarding the application of the Defence-in-Depth strategy to the XADS are:
- The progressiveness of the levels of defence, which means that the events with the higher potential consequences correspond to multiple failures. In particular, hazards capable of failing several levels of defence at once have to be excluded. The need for preventive surveillance and in-service inspection (ISI) of the safety equipment is a consequence of this philosophy.
- Despite the high degree of prevention of severe situations achieved by the first three levels, mitigation of these hypothetical situations is required.
- For the XADS concept, a general objective is to ensure by the first four levels of Defence-in-Depth a safety level sufficiently high to offer the Authorities the possibility of simplifying, or declaring unnecessary, the off-site emergency plan.
Prevention of accidents and mitigation of their consequences are both pillars of nuclear safety. The application of the enhanced safety approaches to the EPR and EFR projects has led to improvements in both the prevention and the mitigation of severe accidents.
Prevention is improved by increasing the level of redundancy and the diversity of the safety systems, and by using inherent and passive means where this is more efficient.
Mitigation of severe accidents has been considered at the conceptual phase, by adapting the concept in order to eliminate severe accidents or by implementing specific mitigation measures. In order to avoid any cliff edge effect, the mitigation measures are designed to have low sensitivity to uncertainties in the plant behaviour during severe accidents.
Prevention of accidents (loss of coolant circulation, depressurisation, beam overpower, reactivity insertion, loss of decay heat removal...) has to be complemented by consideration of severe accidents (whole core accidents), whose consequences have to be demonstrated to be limited.
2.4 Probabilistic design targets
In accordance with the safety philosophy described above, quantitative probabilistic design targets can be defined. In the EUR approach, consistently with the IAEA recommendations, the probabilistic targets are:
- The core damage cumulative mean frequency shall be lower than 10^-5 per reactor-year.
- The cumulative mean frequency of exceeding the limiting release targets (see section 6.1) shall be lower than 10^-6 per reactor-year.
- The sequences involving very large releases shall have a cumulative mean frequency well below the previous target of 10^-6 per reactor-year.
The last requirement refers to the avoidance of the so-called "cliff edge effect": the cumulative mean frequency for these sequences should be at least one order of magnitude below that for the limiting release target.
The definition of core damage might depend on the concept; generally it refers to core melt.
For the EFR, advantage is taken of the high level of protection against core damage that can be achieved with an LMFR, and the quantitative probabilistic targets are:
- The mean value of the cumulative frequency of core damage shall be lower than 10^-6 per reactor-year.
- The sequences involving very large releases (larger than the limiting release targets) shall have a mean value of the cumulative frequency well below 10^-6 per reactor-year.
To be consistent with the cumulative frequency target of 10^-6 per reactor-year (mean value), a target of 10^-7 per reactor-year (mean value) is assigned to each individual sequence leading to core damage.
In the XADS, in case of core damage, the potential for criticality is much higher than in a LWR core concept, because of the nature of the fuel. Therefore, for the XADS concept, the quantitative probabilistic targets of the EFR should be used.
At the current stage of the XADS design, the above probabilistic targets are used only as general references.
For future, more advanced phases of the design, probabilistic methods could be used to confirm that the design fulfils the probabilistic criteria.
For the conceptual design stage, a simplified probabilistically oriented method, the lines of defence method, may be used, see section 5.2.
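The frequency bookkeeping behind these targets, as an added example that is not part of the original document or of the PDS-XADS project: a short Python script that sums constructed per-sequence mean frequencies by consequence class and checks them against the EUR and EFR/XADS targets quoted in this section, including the one-decade cliff-edge margin and the 10^-7 per-sequence target of the EFR approach. The sequence names, their frequencies and the function names are assumptions made for the illustration, not PSA results.

```python
"""Check a set of accident sequences against the probabilistic design targets
of section 2.4 (EUR targets for LWR; EFR targets, recommended for the XADS).

Added example: the sequence names and frequencies below are constructed for
illustration and are not PSA results from the PDS-XADS project.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Sequence:
    name: str
    frequency: float               # mean frequency, per reactor-year
    core_damage: bool              # sequence ends in core damage (core melt)
    exceeds_release_target: bool   # release above the limiting release target
    very_large_release: bool       # release far above that target (cliff edge)

    def __post_init__(self):
        if self.frequency < 0:
            raise ValueError(f"{self.name}: negative frequency")
        if self.very_large_release and not self.exceeds_release_target:
            raise ValueError(f"{self.name}: a very large release also exceeds the limiting target")


# Targets per reactor-year (mean values), as quoted in section 2.4.
# "per_sequence" is the 10^-7 target assigned to each individual core-damage
# sequence in the EFR approach; the EUR approach states no such target.
TARGETS: Dict[str, Dict[str, Optional[float]]] = {
    "EUR":      {"core_damage": 1e-5, "limiting_release": 1e-6, "per_sequence": None},
    "EFR/XADS": {"core_damage": 1e-6, "limiting_release": 1e-6, "per_sequence": 1e-7},
}
# Very-large-release sequences must sit at least one decade below the
# limiting-release target (cliff-edge avoidance).
CLIFF_EDGE_DECADES = 1


def cumulative(seqs: Iterable[Sequence], attr: str) -> float:
    """Sum the mean frequencies of the sequences for which `attr` is true."""
    return sum(s.frequency for s in seqs if getattr(s, attr))


def check_targets(seqs: List[Sequence], approach: str) -> dict:
    """Return the aggregated frequencies and a pass/fail verdict per target."""
    t = TARGETS[approach]
    freqs = {
        "core_damage": cumulative(seqs, "core_damage"),
        "limiting_release": cumulative(seqs, "exceeds_release_target"),
        "very_large_release": cumulative(seqs, "very_large_release"),
    }
    # Worst single core-damage sequence, for the per-sequence target.
    worst_cd = max((s.frequency for s in seqs if s.core_damage), default=0.0)
    checks = {
        "core_damage": freqs["core_damage"] < t["core_damage"],
        "limiting_release": freqs["limiting_release"] < t["limiting_release"],
        "very_large_release": freqs["very_large_release"]
                              <= t["limiting_release"] / 10 ** CLIFF_EDGE_DECADES,
        # None means "no such target in this approach"; it does not fail the check.
        "per_sequence": None if t["per_sequence"] is None else worst_cd < t["per_sequence"],
    }
    return {
        "approach": approach,
        "frequencies": freqs,
        "worst_core_damage_sequence": worst_cd,
        "checks": checks,
        "passed": all(v is not False for v in checks.values()),
    }


# Constructed sequence list (hypothetical, not project data).
CONSTRUCTED_SEQUENCES = [
    Sequence("Design basis transient, no core damage", 1e-2, False, False, False),
    Sequence("Target window failure, confinement intact", 2e-5, False, False, False),
    Sequence("Loss of decay heat removal, all trains fail", 3e-8, True, False, False),
    Sequence("Beam overpower with failed accelerator trip", 5e-8, True, True, False),
    Sequence("Core compaction beyond design earthquake", 2e-8, True, True, True),
]


def report(seqs: List[Sequence]) -> None:
    """Print the verdict against both sets of targets."""
    for approach in TARGETS:
        r = check_targets(seqs, approach)
        print(f"{approach}: {'PASS' if r['passed'] else 'FAIL'}")
        for name, value in r["frequencies"].items():
            print(f"  {name:<20} {value:.2e} /ry  {r['checks'][name]}")
        print(f"  {'per_sequence':<20} worst {r['worst_core_damage_sequence']:.2e} /ry  {r['checks']['per_sequence']}")


if __name__ == "__main__":
    report(CONSTRUCTED_SEQUENCES)
    # One extra core-damage sequence at 4e-7 /ry stays within the cumulative
    # EFR target of 1e-6 /ry but breaks the 1e-7 /ry per-sequence target.
    report(CONSTRUCTED_SEQUENCES + [
        Sequence("Loss of forced circulation, DHR failed", 4e-7, True, False, False)])
```

The second run shows why the EFR approach adds the per-sequence target: a single 4e-7 per reactor-year sequence passes every cumulative target of both approaches, yet under EFR/XADS it fails on its own, because the cumulative 10^-6 target is only credible when no individual contributor is within a decade of it.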
3. Safety issues
3.1 Generic safety issues
For a critical reactor the fundamental safety functions are:
- control of the reactivity,
- removal of the decay heat,
- containment of the dangerous materials and fission products,
- protection of the workers against radiation exposure.
For an accelerator driven system, control of the power must be added to control of the reactivity. In a critical reactor these two functions are the same, whereas in a subcritical reactor the power is controlled through the accelerator.
Besides, other safety related generic issues have to be taken into account:
- Minimise by design possible chemical reactions; this leads to an adequate choice of materials (fuel, cladding, structures), in accordance with the primary coolant and with possible reactions with air or with a secondary coolant.
- Minimise the production of wastes and effluents and consider their future.
- Prevent by design possible types of human malevolence and minimise their potential consequences.
Through these generic issues some connection can be seen between safety concerns and public acceptance.
3.2 Specific safety issues
The ADS concepts studied in the project have the following characteristics: fast neutron spectrum, liquid metal cooling for the LBE concepts, gas cooling, presence of an accelerator and a spallation target, and subcriticality. These induce specific issues, whose identification is the objective of work-package 2.2, deliverables 41 and 42.
Based on a preliminary identification, the following specific issues should be taken into account:
- Specific fast spectrum issues
The normal core configuration does not correspond to the maximum reactivity configuration. This leads to potential reactivity insertion by possible global loss of geometry (core compaction, e.g. due to earthquake, core relocation) or local loss of geometry (fuel bundle compaction, e.g. due to melting). The central hole in the XADS core increases this compaction risk, because of the large gap between the fuel assemblies and the target.
For a gas-cooled concept, the volumetric fraction of gas in the core being greater than that of coolant in a liquid metal-cooled core, the core compaction risk is potentially increased. On the other hand, the consequences on the structures of the energy release due to a large reactivity insertion should be lower in a gas-cooled concept than in a liquid metal-cooled concept.
For an LBE-cooled concept, there is a risk of reactivity increase in case of core voiding, which is certainly of low probability because of the high LBE boiling point, higher than the melting point of the core structures.
For a gas-cooled concept, there is a risk of reactivity increase in case of neutron moderator ingress, e.g. a large water ingress into the core.
- Specific liquid metal-cooled issues
The main difficulties of the liquid metal are related to corrosion issues, in-service inspection issues and also decommissioning issues (elimination of a potentially contaminated and chemically toxic fluid). Another disadvantage is the activation of bismuth into polonium-210 under irradiation.
Related to the corrosion issue, monitoring of the in-vessel structures is a major issue. In addition, a leak-before-break methodology must be defined for the primary vessel. The objective is twofold:
- First, to demonstrate by an adequate analysis that the credible flaws of the main vessel do not propagate significantly. This necessitates:
  - establishing the propagation mechanism and quantifying it,
  - defining the credible flaws.
- Second, to show that if a through-wall crack occurs it can be detected before unacceptable damage occurs. This necessitates a system able to detect small lead bismuth leaks.
Another risk with liquid metal is freezing or oxide formation, which can create flow blockages.
- Specific gas-cooled issues
Compared with a liquid metal concept, gas as coolant facilitates in-service inspection of the primary circuit and its internal components.
In comparison with liquid metal, an inert gas as primary coolant removes the risk of significant interaction or coolant phase change. Nevertheless:
- the residual impurity content of the primary gas (other gases, steam...) could lead to interaction with the structures (corrosion...),
- loss of pressure can have a reactivity effect, but much less significant than a liquid metal void effect,
- the passage through the core of a gas other than the primary coolant need not be considered for the gas-cooled concept, whereas it is potentially a severe reactivity insertion initiator for the liquid metal-cooled concept; on the other hand, for the gas-cooled concept, water/steam ingress into the primary circuit from a heat exchanger tube failure could potentially have significant reactivity consequences in addition to the water attack effect,
- with helium as coolant, the lack of oxygen leads to a tribology related phenomenon, the removal of the natural oxide layer of the structural materials. In connection with this, seizure of moving parts without their oxide layer (lubricant) might occur,
- fast neutron effects on the primary gas could intervene in the core: helium scattering into the cladding surface.
The poor properties of gas as a coolant are not a major issue at nominal operating conditions, thanks to suitably elevated pressure and temperature parameters.
The main issue of gas cooling is the lack of thermal inertia in comparison with liquid metal (coolant inertia). This weak feature makes the gas-cooled core sensitive to any fast loss of gas mass flow: either loss of forced circulation or loss of gas inventory (depressurisation). Because of this lack of thermal inertia, the accelerator has to be shut down quickly after accident initiation. Moreover, the gas density being low, natural circulation of gas is not efficient at low pressure, especially with helium. It is necessary to maintain core coolability and decay heat removal by natural circulation if the gas pressure is maintained, or by forced convection in case of loss of gas pressure.
- Specific accelerator and target issues
As already said, for an accelerator driven system the power level is mainly controlled by the accelerator. Reduction of the power to the decay heat level is only possible by tripping the accelerator.
In case of an abnormal increase of fuel, structure or coolant temperatures, it is thus necessary to trip the accelerator rapidly, and thus to have reliable, redundant and diversified core instrumentation. A passive system able to trip the accelerator in case of an abnormal and dangerous evolution of the relevant core parameters should be studied, as it could increase the reliability of the accelerator shutdown function.
This is of special importance for accelerator driven systems using dedicated fuel with a high minor actinide content and a lack of fertile materials, resulting in degraded safety coefficients and notably a reduced Doppler effect.
Inadvertent beam power increases lead to overpower conditions.
The accelerator is a source of activation of the structures, which has to be taken into account in the radiological protection of the workers.
The radioactive elements generated by the spallation reactions in the target must be kept confined. For example, the two following points must be analysed in detail:
- In the window concept, the window between the accelerator and the target, which is a weak point of the reactor containment.
- In the windowless concept, the containment of the spallation products.
In any case, the implementation of an additional containment barrier in the accelerator line has to be investigated.
- Specific issues related to the subcriticality level
As already said, a core with a high content of minor actinides has reduced safety coefficients. For a critical core, the reduction of the effective delayed neutron fraction, βeff, has the disadvantage that a small reactivity increase can lead to prompt criticality.
For an accelerator driven system whose core is heavily loaded with minor actinides, it is thus a major safety issue that no plausible reactivity increase leads to a critical state.
To fix the nominal subcriticality level, all the design basis operating conditions and design extension conditions leading to a reactivity increase (except severe accidents, which have to be analysed independently) must be determined. Slow and quick increases of reactivity must be distinguished, and adequate means and procedures for intervention must be assessed.
The following situations have to be taken into account:
- reactivity change due to fuel burnup,
- reactivity change between the nominal power operating state and the cold shutdown state for refuelling,
- reactivity effects related to the target (changes in source importance, modification of the source geometry and location),
- voiding effect for the liquid metal concept,
- moderator ingress for the gas-cooled concept,
- handling errors: introduction of too many fuel assemblies or of a too reactive fuel assembly. This requirement can lead to the insertion of absorber rods in the core during the fuel handling state, depending on the nominal subcriticality level. The design of these absorber rods is unlikely to be similar to those used in critical reactors.
- absorber rod withdrawal, if any,
- replacement of a shutdown rod by a fuel subassembly,
- core geometry modification, for example core compaction due to earthquake,
- partial core melting.
Once the nominal subcriticality level has been fixed, an important safety challenge is the reliable measurement of this level. The subcriticality level has to be monitored during power operation and during shutdown states.
@
D6
PDS-XADS Safety Principles
Rev : A
16/49
Error! AutoText entry not defined.
4. Definition of situations
A comprehensive list of situations, accurately classified according to their frequency of
occurrence, is an essential basic element for the safety analyses and for the subsequent validation of the
plant project.
For future innovative reactor/cycle systems, including future ADS, the lack of experience feedback
is a weak starting point for setting up a comprehensive classified list. This lack of knowledge is
compensated in the safety analysis by taking into account enveloping situations and by allowing for
uncertainties in their classification.
The demonstration that the design meets the safety objectives is made through the
analysis of three kinds of events:
- The design basis operating conditions. The design of the plant results essentially from the
analysis of these events. It must be shown that their consequences are very limited and in any
case that the risk of a whole core accident initiated by these events is very low.
Internal and external hazards are grouped with the design basis conditions.
- Design extension conditions (limiting events, complex sequences and severe accidents),
evaluated for licensing purposes independently of their occurrence frequency. The
consequences of these accidents are analysed and their consequences in the environment
have to be demonstrated to be lower than the limiting release targets.
- Residual risk situations. The consequences of these situations are not analysed; they are
postulated to be unacceptable. The prevention measures against their occurrence have to
be demonstrated to be sufficient.
4.1 Design basis conditions - Internal and external hazards
Postulated faults are assumed to occur within the design basis and are called design basis
initiating faults. They may arise due to component failure, operator errors, internal or external
hazards. Their consequences affect the plant behaviour.
Initiating faults to be considered within the design basis cover the whole range of faults from
those which are likely to occur several times within the life of the plant, to those whose
occurrence is highly unlikely but for which the consequences must be evaluated, and, if
necessary, design measures taken to restrict them. The design basis initiating faults studied are
selected as the worst conditions representative of families of faults.
The initiating faults to be considered in the design basis are assigned to three categories in
addition to the normal operating conditions. The expected frequency of the initiating faults is used
as a guideline for their classification.
Starting from a plant operating initial condition, a design basis condition is the changing plant
condition which arises as a result of a design basis initiating fault combined with the conventional
aggravating situations and the mitigating actions that are taken.
The plant operating initial conditions define the initial state of the plant when the initiating fault
occurs. The analysis of a design basis initiating fault includes the most severe plant initial
conditions that can occur in normal operating conditions.
The parameters representative of the initial conditions are within the range allowed by a
monitoring system which generates an automatic protection or an alarm, or an in-service
inspection procedure.
The design basis conditions are grouped in four categories on the basis of the expected
occurrence frequency of the corresponding initiating faults.
The first category of the design basis conditions consists of the plant normal operating conditions.
In the EFR safety approach, the internal and external hazards are considered as initiating events
associated with an occurrence frequency and therefore are analysed with the same general rules.
The same principle is proposed to be used for XADS.
- Design basis category 1 - Normal operations
The normal operations are plant conditions that are planned and required. They include special conditions
such as tests during commissioning and start-up, part load, shutdown states, handling states,
and partial unavailability for inspection, test, maintenance and repair. The decommissioning conditions
are not included in the safety analysis of the operating plant; they will be specifically analysed in
due time. Nevertheless, decommissioning has to be taken into consideration.
The goal of the safety analysis of normal operating conditions is to verify that their consequences
for the staff and the public are ALARA and in any case lower than the corresponding release
criteria.
- Design basis category 2 - Incidents
These are conditions not planned but expected to occur one or more times during the life of the
plant (mean occurrence frequency of the initiating event estimated greater than 10^-2 per year).
The plant shall be able to return to normal operating conditions in a reasonable time after fault
rectification.
The goal of the safety analysis of category 2 operating conditions is to verify that their
consequences for the staff and the public are ALARA and in any case lower than the
corresponding release criteria.
- Design basis category 3 - Accidents (low frequency)
These are conditions not expected to occur during the life of the plant but after which plant
restart is required (mean occurrence frequency of the initiating event estimated between 10^-4
per year and 10^-2 per year).
The goal of the safety analysis of category 3 operating conditions is to verify that their
consequences for the public are lower than the corresponding release targets.
- Design basis category 4 - Accidents (very low frequency)
These are conditions after which plant restart is not required (mean occurrence frequency of the
initiating event lower than 10^-4 per year).
The goal of the safety analysis of category 4 operating conditions is to verify that their
consequences for the public are lower than the corresponding release targets.
The following internal and external hazards have to be taken into account:
- Category 2 operating conditions: internal flooding, extreme weather conditions, external loss
of power of short duration…
- Category 3 operating conditions: fire, earthquake, external loss of power of long duration…
The level of the earthquake corresponds to the Operating Basis Earthquake (OBE),
depending on the site characteristics. The methods used to define the OBE are presented in the
EUR.
- Category 4 operating conditions: aircraft crash, external explosion, earthquake… The level
of the earthquake corresponds to the Safe Shutdown Earthquake (SSE), depending on the
site characteristics. The methods used to take the external hazards into account are presented in
the EUR.
4.2 Design extension conditions
The design extension conditions are not defined on the basis of their occurrence frequency, but
are postulated to be bounding cases resulting from risks specific to the design or the process.
Two kinds of design extension conditions are considered: complex sequences and limiting
events, and severe accidents.
The goal of the safety analysis of design extension conditions is to verify that their consequences
on the public are lower than the limiting release targets (see paragraph 6.1).
- Complex sequences and limiting events
In the safety approach developed in the EUR, complex sequences are unlikely sequences which
go beyond those in the deterministic design basis in terms of failure of equipment or operator
errors and have the potential to lead to significant releases but do not involve core melt. An
example is the simultaneous failure of redundant functions.
In the EFR safety approach, the complex sequences are complemented by limiting events
defined for licensing purposes. They are bounding cases, not associated with an occurrence
frequency, resulting from risks specific to the design or the process (common mode failures,
sodium use for EFR…). The consequences of limiting events are investigated in order to show
that extended core melting is prevented.
The consequences of complex sequences and limiting events are investigated. This can lead to
enhancing the design in order to show that core damage is prevented, and therefore that the
limiting release targets are not exceeded.
- Severe accidents
In the EUR approach, severe accidents are certain unlikely event sequences beyond category 4
operating conditions involving significant core damage which have the potential to lead to
significant releases.
Given the enhanced preventive safety, core damage accidents have a very low occurrence
frequency (the mean value of the cumulative core damage frequency is lower than the
probabilistic target of 10^-6 per year) and it is not realistic to establish a meaningful ranking of severe
accidents.
Therefore, the severe accidents to consider are not defined on a probabilistic basis, but are
determined by engineering judgement, for example by assuming the failure of equipment
performing a safety function.
The goal of the analysis of severe accidents is to prove the efficiency of the containment
measures for limiting the consequences of core damage accidents. The radiological
consequences shall be lower than the limiting release targets. This can lead to enhancing the
design in order to show that the limiting release targets are not exceeded.
In the EFR safety approach, despite the very low occurrence frequency of a whole core accident, a
number of beyond design plant states form the basis for judging what mitigating measures
should be provided by the containment design. The objective of this analysis is to provide a
robust and homogeneous containment without weak points, in order to exclude as far as reasonably
possible any cliff edge effects.
4.3 Residual risk situations
Residual risk situations are accident conditions for which the prevention is such that the analysis
of their consequences is not required by the safety demonstration. The adequacy of the
prevention of these accident conditions has to be demonstrated.
Such a demonstration may be performed using probabilistic assessment. In this case, the goal is
to show that accident conditions whose consequences may exceed the limiting release targets
have a mean frequency well below 10^-7 per year.
Probabilistic safety assessment cannot realistically be used for innovative concepts with
limited operating experience, such as the current designs of the different XADS concepts. It is also not
easily usable during the conceptual design phase because of the lack of detailed design of
systems and equipment. The demonstration of adequate prevention can instead be performed using the
lines-of-defence method.
In future, more advanced phases of the design, probabilistic methods could be used to
confirm that the design fulfils the probabilistic criteria.
5. Rules and methods for safety analysis
5.1 Rules for the safety analysis of the operating conditions
The rules are derived from both the EFR safety approach and the EUR.
5.1.1 Combination of initiating faults and plant operating initial conditions
Initiating faults are combined with particular plant states, including unavailabilities due to in-service
maintenance and tests which are planned but whose estimated duration is limited, according to the
following rules:
- Category 2 operating conditions
Category 2 initiating fault combined with initial states which have a duration higher than about
1000 hours per year.
- Category 3 operating conditions
Category 3 initiating fault combined with initial states which have a duration higher than about
1000 hours per year.
Category 2 initiating fault combined with initial states which have a duration higher than about
10 hours per year, but less than about 1000 hours per year.
- Category 4 operating conditions
Category 4 initiating fault combined with initial states which have a duration higher than about
1000 hours per year.
Category 3 initiating fault combined with initial states which have a duration higher than about
10 hours per year, but less than about 1000 hours per year.
Because of the low probability of an initiating fault occurring during an initial state which lasts
less than 10 hours per year, such combinations are not taken into account in the design basis.
The design extension conditions have a very low mean occurrence frequency. Therefore, they are
combined only with initial states lasting more than 1000 hours per year, assuming that the
parameters representative of the initial state are at their nominal values.
Particular rules for the combination of initial states and earthquakes are proposed in the EFR safety
approach. They can be used for the XADS and are the following:
- Category 3 operating conditions
OBE combined with initial states which have a duration higher than about 1000 hours per year.
- Category 4 operating conditions
OBE combined with initial states which have a duration higher than about 10 hours per year,
but less than about 1000 hours per year.
SSE combined with initial states which have a duration higher than about 10 hours per year.
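The category thresholds of section 4.1 and the combination rules above, as an added worked example that is not part of the PDS-XADS document: a small Python module that assigns a category to an initiating fault from its mean frequency, combines it with an initial state of a given yearly duration, and applies the OBE/SSE rules by treating them as category 3 and category 4 hazards. Function names, the sample faults and states (invented for the illustration), and the capping of a category 4 fault at category 4 when it is combined with a 10 to 1000 h/y state (an extrapolation of the SSE rule that the document does not state for other faults) are assumptions of the example.

```python
"""Worked example (added here; it is not part of the PDS-XADS document) of the
design basis classification rules of sections 4.1 and 5.1.1:

  * an initiating fault gets its category from its expected mean frequency
    (category 2 above 1e-2 /y, category 3 between 1e-4 and 1e-2 /y, category 4
    below 1e-4 /y);
  * combining the fault with a plant initial state keeps the category when the
    state lasts more than about 1000 h/y, raises it by one between about 10 and
    1000 h/y, and drops the combination from the design basis below about 10 h/y;
  * OBE is treated as a category 3 hazard and SSE as a category 4 hazard, which
    reproduces the earthquake rules of section 5.1.1.

Function names, and the capping of a category 4 fault at category 4 when it is
combined with a 10 to 1000 h/y state (extrapolated from the SSE rule), are this
example's own choices.
"""

from typing import Dict, List, Optional, Tuple

CAT2_MIN_FREQ = 1e-2     # /year: above this, category 2 (incident)
CAT3_MIN_FREQ = 1e-4     # /year: between this and CAT2_MIN_FREQ, category 3
LONG_STATE_H = 1000.0    # h/year: states lasting longer keep the fault category
SHORT_STATE_H = 10.0     # h/year: shorter states are not combined at all
HAZARD_CATEGORY = {"OBE": 3, "SSE": 4}


def fault_category(frequency_per_year: float) -> int:
    """Design basis category (2, 3 or 4) of an initiating fault."""
    if frequency_per_year <= 0:
        raise ValueError("the mean frequency must be positive")
    if frequency_per_year > CAT2_MIN_FREQ:
        return 2
    if frequency_per_year >= CAT3_MIN_FREQ:
        return 3
    return 4


def combined_category(fault_cat: int, state_hours_per_year: float) -> Optional[int]:
    """Category of the operating condition 'initiating fault + initial state'.

    None means the combination is not retained in the design basis because the
    initial state lasts less than about 10 h/y."""
    if fault_cat not in (2, 3, 4):
        raise ValueError("design basis initiating faults are category 2, 3 or 4")
    if state_hours_per_year >= LONG_STATE_H:
        return fault_cat
    if state_hours_per_year >= SHORT_STATE_H:
        return min(fault_cat + 1, 4)   # one category higher, capped at 4 (assumption)
    return None


def earthquake_category(level: str, state_hours_per_year: float) -> Optional[int]:
    """Section 5.1.1 earthquake rules: OBE as a category 3 hazard, SSE as category 4."""
    return combined_category(HAZARD_CATEGORY[level], state_hours_per_year)


def dec_initial_states(states: Dict[str, float]) -> List[str]:
    """Initial states retained for design extension conditions (> 1000 h/y)."""
    return sorted(name for name, hours in states.items() if hours >= LONG_STATE_H)


def classify_all(faults: Dict[str, float],
                 states: Dict[str, float]) -> List[Tuple[str, str, Optional[int]]]:
    """Cross every fault with every initial state; returns (fault, state, category)."""
    rows = []
    for fault, freq in faults.items():
        for state, hours in states.items():
            rows.append((fault, state, combined_category(fault_category(freq), hours)))
    return rows


if __name__ == "__main__":
    # Constructed illustration only: the faults, frequencies and durations are
    # invented for the example and are not taken from the PDS-XADS analysis.
    faults = {"loss of one secondary pump": 5e-2, "single IHX tube rupture": 1e-3,
              "large primary leak": 1e-5}
    states = {"full power": 7000.0, "refuelling": 500.0, "DHR train in test": 40.0,
              "short test line-up": 4.0}
    for fault, state, cat in classify_all(faults, states):
        label = "category %d" % cat if cat else "not in design basis"
        print("%-28s + %-20s -> %s" % (fault, state, label))
    print("DEC initial states:", dec_initial_states(states))
    for level in ("OBE", "SSE"):
        for hours in (7000.0, 500.0, 4.0):
            print(level, hours, "h/y ->", earthquake_category(level, hours))
```

Because the thresholds are "about" 10 and 1000 hours, the boundary comparisons are deliberately inclusive; what the module makes visible is that the same fault lands in a different category, or drops out of the design basis altogether, purely as a function of how long the plant spends in the initial state each year.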
5.1.2 Uncertainties
For conventional reactors, the analysis of design basis operating conditions includes the effect of random
and systematic uncertainties. Because the uncertainty level is not well known for an innovative
reactor such as the XADS, the values used for the analysis of design basis conditions will be
best-estimate values with suitable margins based on engineering judgement and on sensitivity
calculations.
For calculations of the releases resulting from each category 3 and 4 operating condition, best-estimate
evaluations, with suitable margins to take uncertainties into account, may be
performed.
The design extension conditions have a very low mean occurrence frequency. Therefore, they can
be analysed without uncertainties, using physically-based assumptions and best-estimate data.
Some analyses including uncertainties can be performed in order to identify possible cliff edge
effects and in order to verify that the plant design is homogeneous and consistent, without weak
points.
5.1.3 Operator action
Operator actions can be credited only if they are requested by unambiguous alarms. No
beneficial operator intervention shall be assumed during the first 0.5 hour following the request
by alarm.
5.1.4 Single failure criterion
The adequacy of the redundancy level of the systems performing safety functions is analysed
using:
- the single failure criterion for the design of safety equipment,
- the aggravating failure assumption for the safety analysis of the design basis operating
conditions, see paragraph 5.1.5.
The single failure criterion is a rule used for the design of systems performing safety functions,
while the aggravating failure assumption is a rule used for the analysis of the design basis
operating conditions.
A system is considered to be designed against an assumed single failure if neither a single failure
of any active component (assuming passive equipment functions properly) nor a single failure of a
passive component (assuming active equipment functions properly) results in a loss of capability
of the system to perform its safety functions.
The systems providing the main safety functions (accelerator shutdown, decay heat removal) are
designed according to the single failure criterion. Systems that support the performance of such
major safety systems are similarly designed according to the single failure criterion.
5.1.5 Combination with additional failures
- Combination with loss of power:
The loss of power can be of external origin or, in the case where the XADS
produces electrical power, of internal origin.
Each design basis initiating fault must be analysed in combination with a loss of power of long or
short duration, if this has an adverse effect. The combination with loss of power is made at the most
unfavourable time of the event.
The combination of the initiating fault with loss of power is considered to be a design basis
operating condition (category 3 or 4 according to the category of the initiating event and the duration
of the loss of power).
Combination of loss of power with design extension conditions has to be examined on a case-by-case basis.
- Combination with aggravating failure:
Aggravating failures are combined with the initiating event in the analysis of design basis operating conditions in order to
check that a minimum level of redundancy is provided in the systems needed for the mitigation of
the consequences of the initiating event being considered.
The application of the aggravating failure is restricted to those components activated during the
transient resulting from the initiating event. Although the activated components can be designed
to withstand the consequences of the initiating event, the aggravating failure is arbitrarily applied
to one of them. A component is classified as activated by the transient if a change of its state has
to occur during the transient, which could reveal a potential undetected latent failure.
If the failure can be detected during the normal operation preceding the initiating fault, either
because it leads to an abnormal plant behaviour or during in-service inspection, such a failure is
not considered as an aggravating failure and is not combined with the initiating fault being
considered. On the contrary, if the failure cannot be identified during normal operation, it is
considered as an aggravating failure to be combined with the initiating fault.
A latent failure of an active component is applied as an aggravating failure if it results in
non-operation of the function activated by the consequences of the operating condition. The
aggravating failure of an active component is the failure to change its state. Adverse behaviour of
an active component for which no change of state occurs as a result of the initiating fault is not
combined as an aggravating failure.
The behaviour of passive components the function of which is activated by the consequences of
the initiating fault is considered for all the duration in which the component is needed. The risk of
failure of passive components is assessed on a case-by-case basis taking into account factors
such as significance of the change of state, component quality, in-service inspection and
permanent monitoring of the component.
Combination of an operator error as an aggravating failure has to be assessed on a case-by-case
basis.
Each initiating event is analysed in combination with loss of power. The aggravating failure
associated with such an operating condition may be the unavailability of the stand-by power of one
electrical division (assuming independence of the electrical divisions).
Design extension conditions have a very low occurrence frequency and generally combine several
independent failures. Therefore, their analysis need not combine an additional aggravating failure.
Regarding the safety analysis of earthquakes, the failure of an element of the seismically qualified
components has to be assessed as a possible aggravating failure.
- Combination with loss of stand-by power supply:
In order to assess the passive capability of the plant, the design basis operating conditions with
loss of power (as initiating event or due to the combination with any initiating event) are
additionally combined with the complete failure of the stand-by power system (as a working basis,
the duration of the complete unavailability may be assumed to be 32 hours). No additional failure
is assumed.
Such a combination is classified in an operating condition category higher than the category of
the initiating fault and, at least, it is considered as a complex sequence. In the gas-cooled XADS, a
sensitive point concerns the combination with the loss of primary pressure, which leads to
implementing design measures in order to reduce the occurrence frequency of the resulting
core damage accident to a very low value.
5.2 Lines of defence method and application
The usual safety analysis methods stemming from the basic Defence-in-Depth principle, like the “Analysis
by Barrier” method (analysis of the means of prevention, surveillance and protection associated with
each barrier), are not recalled in this document, but their application remains recommended for the
future analyses in order to improve and complement the safety demonstration.
On the other hand, the “Lines-of-Defence” method (already applied, e.g. to the EFR) is presented here,
because it is considered to include the other methods and principles, except for the ultimate
levels of Defence-in-Depth related to mitigation measures.
The Lines-of-Defence (LOD) method should be applied at the first conceptual design stage as a
preliminary probabilistic assessment for each main safety function, in order to demonstrate that
the loss of each safety function has a probability lower than 10^-7 per year. Consequences beyond the loss
of one safety function are not considered in this LOD application.
The LOD method can also help with the classification of initiating faults and events.
The verification of the adequacy of the protective measures, to demonstrate that core disruptive
accidents are residual risk situations by showing that the mean value of their cumulative occurrence
frequency is lower than 10^-6 per reactor-year (10^-7 per reactor-year considering the
initiating faults individually), will be performed for the XADS concept by the lines-of-defence method. In
future, more advanced phases of the design, probabilistic methods could be used to
confirm that the design fulfils the probabilistic criteria.
There are three main types of lines of defence:
- Preventive measures against the occurrence of an initiating fault.
- Active protection actions.
- Inherent behaviour and natural resistance to event progression.
Taking into account their expected reliability, the lines of defence are classified in two kinds:
- The strong lines of defence (a LOD), with an expected failure rate of about 10^-3 to 10^-4 per
demand.
- The medium lines of defence (b LOD), with an expected failure rate of about 10^-1 to 10^-2 per
demand.
Conventionally, one can classify as lines of defence:
- Strong lines:
  - High quality active systems with internal redundancy.
  - High quality passive components.
  - Inherent behaviour that allows long delays for fault rectification.
- Medium lines:
  - Classical active systems without internal redundancy.
  - Operator actions (accident management measures).
Two medium lines are considered as equivalent to one strong line.
Regarding situations that need to be rejected in the residual risk, the objective of the lines-of-defence
analysis is to verify that:
- A situation initiated by any category 2 initiating fault is protected by two strong plus one medium
line of defence.
- A situation initiated by any category 3 initiating fault is protected by two strong lines of defence.
- A situation initiated by any category 4 initiating fault is protected by one strong plus one medium
line of defence.
- A situation initiated by any design extension condition (except a severe core accident) is protected
by one medium line of defence.
Extrapolation of the rules presented above allows the lines-of-defence method to be used for
classifying sequences:
- Sequences initiated by any category 2 initiating fault combined with the failure of a medium line
of defence may be assimilated to a category 3 operating condition.
- Sequences initiated by any category 2 initiating fault combined with the failure of a strong line
of defence may be assimilated to a category 4 operating condition.
- Sequences initiated by any category 2 initiating fault combined with the failure of two strong
lines of defence may be assimilated to a design extension condition.
- Sequences initiated by any category 3 initiating fault combined with the failure of a medium line
of defence may be assimilated to a category 4 operating condition.
- Sequences initiated by any category 3 initiating fault combined with the failure of a strong plus
a medium line of defence may be assimilated to a design extension condition.
- Sequences initiated by any category 4 initiating fault combined with the failure of a strong line
of defence may be assimilated to a design extension condition.
The LOD method has to be applied to the main safety functions in order to define the number and
the reliability of the systems achieving the accelerator shutdown and decay heat removal
functions.
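The lines-of-defence bookkeeping of this section, as an added worked example that is not part of the PDS-XADS document: with a strong line worth two medium lines, counting protection in medium-equivalent units (strong = 2, medium = 1) reproduces both the protection required to reject a situation in the residual risk (5, 4, 3 and 1 units for category 2, 3, 4 and DEC) and every sequence reclassification listed above, and a screening product of the initiating frequency with the per-demand failure rates shows how the rule relates to the 10^-7 per year target. Function names, the "severe accident" label for a sequence that has lost all of its required protection, the conservative mapping of the one combination the document does not list (category 3 plus one strong line), the weak-end failure rates used for the estimate and the 1 per year bound assumed for a category 2 fault are assumptions of the example.

```python
"""Worked example (added here; it is not part of the PDS-XADS document) of the
lines-of-defence (LOD) bookkeeping of section 5.2.

A strong line (a LOD, about 1e-3 to 1e-4 failures per demand) is worth two
medium lines (b LOD, about 1e-1 to 1e-2 per demand).  Counting protection in
"medium-equivalent" units (strong = 2, medium = 1) reproduces both the
protection required for a situation to be rejected in the residual risk and
the reclassification of a sequence in which some lines are assumed to fail.
Function names, the "severe accident" label, the conservative treatment of the
one combination the document does not list, and the failure rates used for the
screening estimate are this example's own choices.
"""

from typing import Sequence, Union

STRONG, MEDIUM = "strong", "medium"
LOD_UNITS = {STRONG: 2, MEDIUM: 1}            # two medium lines = one strong line

# Protection required (medium-equivalent units) to reject a situation in the
# residual risk: cat 2: two strong + one medium, cat 3: two strong,
# cat 4: one strong + one medium, DEC (except severe core accident): one medium.
REQUIRED_UNITS = {2: 5, 3: 4, 4: 3, "DEC": 1}

# Weak end of the ranges quoted in section 5.2, for a conservative screening
# estimate (assumption of this example, not a figure from the document).
FAILURE_PER_DEMAND = {STRONG: 1e-3, MEDIUM: 1e-1}
RESIDUAL_TARGET = 1e-7                        # /year, per initiating fault

Category = Union[int, str]


def units(lines: Sequence[str]) -> int:
    """Protection offered by a set of lines, in medium-equivalent units."""
    return sum(LOD_UNITS[kind] for kind in lines)


def is_residual_risk(initiating: Category, lines: Sequence[str]) -> bool:
    """True if `lines` meet the section 5.2 requirement for the initiating category."""
    return units(lines) >= REQUIRED_UNITS[initiating]


def assimilated_category(initiating: int, failed_lines: Sequence[str]) -> Category:
    """Category to which 'initiating fault + failure of `failed_lines`' is assimilated.

    The protection still demanded after the failures selects the category with
    the same requirement (2 -> 3 after a medium line, 2 -> 4 after a strong
    line, and so on).  A remaining demand of 2 units (category 3 fault plus one
    strong line) is not listed in the document; it is mapped here to the more
    severe neighbour, DEC, as a conservative choice of this example."""
    remaining = REQUIRED_UNITS[initiating] - units(failed_lines)
    if remaining < 1:
        return "severe accident"     # all required lines lost; outside the LOD rules
    candidates = [cat for cat, need in REQUIRED_UNITS.items() if need <= remaining]
    return max(candidates, key=lambda cat: REQUIRED_UNITS[cat])


def residual_frequency(initiating_per_year: float, lines: Sequence[str]) -> float:
    """Screening estimate: initiating frequency times the per-demand failure
    probability of every line that must fail for the situation to occur."""
    freq = initiating_per_year
    for kind in lines:
        freq *= FAILURE_PER_DEMAND[kind]
    return freq


def meets_target(initiating_per_year: float, lines: Sequence[str]) -> bool:
    """True if the screening estimate stays at or below 1e-7 per year
    (a relative tolerance absorbs floating-point rounding at the boundary)."""
    return residual_frequency(initiating_per_year, lines) <= RESIDUAL_TARGET * (1 + 1e-9)


if __name__ == "__main__":
    # Constructed illustration only; the frequencies are the category bounds of
    # section 4.1, with 1 /year assumed as a bounding value for category 2.
    cases = [(2, 1.0, [STRONG, STRONG, MEDIUM]), (3, 1e-2, [STRONG, STRONG]),
             (4, 1e-4, [STRONG, MEDIUM])]
    for cat, freq, lines in cases:
        print("category %d fault, lines %s: rule met %s, estimate %.1e /y, target met %s"
              % (cat, lines, is_residual_risk(cat, lines),
                 residual_frequency(freq, lines), meets_target(freq, lines)))
    for cat, failed in [(2, [MEDIUM]), (2, [STRONG]), (2, [STRONG, STRONG]),
                        (3, [MEDIUM]), (3, [STRONG, MEDIUM]), (4, [STRONG])]:
        print("category %d fault + failure of %s -> %s"
              % (cat, failed, assimilated_category(cat, failed)))
```

The unit count is what makes the six reclassification rules consistent with the four protection requirements: each failed line subtracts its worth from the protection the initiating category demands, and the remainder is exactly the demand of the category the document assimilates the sequence to. The screening product is only a sanity check on the weak end of the quoted ranges; it is not a substitute for the probabilistic confirmation the document defers to later design phases.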
6. Safety and design criteria
6.1 Release criteria
The goal of the safety analysis is to show that any release from the plant is limited to below the
values that would be unacceptable for the environment, for the health of the public living near the plant site, and
for the health of the operating staff. Among the different hazardous materials that can be released,
radioactive materials deserve special attention.
Concerning the radiological releases, the limits proposed in the EUR and in the EFR approach can be
used as a starting point.
For simplicity, at the present stage of the XADS design, the radiological limits are defined
in terms of doses. At more advanced stages of the design, when the core and target inventory will
be more precisely defined, the radiological limits can be defined in terms of releases, as in the
EUR approach.
For each design basis operating condition category, radiological limits are specified in Table 2.
The dose limits for categories 1 and 2 are in compliance with ICRP 60. More stringent targets are
proposed in the EUR in accordance with the ALARA principle.
The consequences in the environment of design extension conditions (limiting events, complex
sequences and severe accidents) have to be demonstrated to be lower than the limiting release
targets, which are specified in Table 2.
6.2 Design criteria
Although the definitive criteria for the operating conditions within the design basis are related to
the releases (particularly the radiological releases), the safety analysis has to demonstrate
compliance with physical limits, which can be more easily applied in the design process. Thus, some
intermediate design criteria that ensure that the radiological limits are not exceeded are defined.
On the basis of the EFR safety approach, the criteria related to the design basis operating
conditions for the fuel, the plant availability and the mechanical components are proposed in
Table 3, Table 4 and Table 5.
The acceptability of the behaviour of equipment during the design extension conditions is
examined on a case-by-case basis, taking into account the objective to be verified.
7. Principles of safety classification of components
7.1 Principles of classification of safety functions
The purpose of ranking safety functions in safety classes is to provide a basis upon which it is
possible to establish adequate design and construction requirements for components performing
the safety functions, reference (4).
The classification of the safety functions is based on:
- The consequences of the safety function failure; the consequences are ranked by comparing them
with the release targets.
- The probability that the safety function would be required; the probabilities are ranked by
comparing the frequencies of the events requiring the safety function with the event
classification used in the safety analysis.
Using these basic criteria, the method for classification of the safety function should be in
accordance with the rules defined in the selected design code.
The methodology developed for the EFR project is not plant specific and could be used with
simple adaptation for any nuclear installation, especially the XADS, provided it is designed using
the standard European design code.
On this basis, the consequences of the failure of the function are compared with:
- The dose limits for the normal and category 2 operating conditions (see Table 2): if the
releases are lower, the function is not safety classified.
- The dose limits for category 4 operating conditions (see Table 2):
  - If the consequences are higher, the function is fundamental for the protection of the public
and the environment.
  - If the consequences are lower, the function allows the consequences to be minimised.
The probability that the safety function would be required is compared with the expected
occurrence frequency of:
- The frequent events (normal and category 2 initiating faults).
- The infrequent events (category 3 and 4 initiating faults).
- The incredible events (design extension conditions).
Thus, combining these comparison criteria, three safety classes can be defined as indicated in
Table 6.
The failure of the three main safety functions (control of reactivity and power, decay heat removal,
containment of the dangerous materials and fission products) certainly leads to unacceptable
radiological consequences; they are permanently demanded or particularly demanded after
category 2 events; therefore they will probably be classified in safety class 1.
These three main functions are decomposed into sub-functions which can be classified in safety
classes:
- control of reactivity and power: core support, accelerator shutdown…
- decay heat removal: primary coolant boundary, cooling of irradiated spent fuel, primary coolant
circulation
- containment: fuel boundary, containment of irradiated spent fuel…
7.2 Principles of classification of components
Components and parts of components are classified in design and construction classes in
accordance with the safety function they perform.
The correspondence between the safety functions and the design and construction classes for
components are based on:
- The class of the safety function performed by the component.
- The reliability of the component in performing the safety function when required. The reliability is
assessed taking into account:
  - The redundancy and the diversity with respect to other components performing the same safety function
in the same conditions.
  - The degree of passivity of the component.
  - The delay before reaching unacceptable consequences after the failure of the component
when required, and the possibilities for corrective measures (operator actions, repair) during
this delay.
Assuming the use of the European code RCC-MR, used for the design and construction of
future LMFRs (e.g. EFR), the correspondence between the safety functions and the design and
construction classes of the mechanical components is indicated in Table 7.
For electrical components, the classical European codes generally consider two safety classes.
Electrical components are considered as active components. Therefore, using the same
principles, the classification indicated in Table 8 is proposed.
7.3 Additional requirements
In order to place the double-ended pipe rupture beyond category 4 and the vessel rupture in the
residual risk, a leak-before-break approach can be used. The leak-before-break approach is applied to
equipment classified at least as safety class 2.
Specific requirements apply to components which have to ensure their safety function
during or after an earthquake. Generally, components performing safety class 1 and 2 functions are
seismically qualified. Components performing safety class 3 functions or non-safety functions
may be seismically qualified if their failure during the earthquake leads to the failure of safety
class 1 or 2 components.
8. Application of the general safety principles to the LBE-cooled XADS small scale concept
Tractebel contribution to come later
8.1 Design basis conditions
8.2 Design extension conditions
8.3 Residual risk situations
9. Application of the general safety principles to the LBE-cooled XADS large scale concept
The general safety principles described in this document are applied to the LBE-cooled XADS
concepts and incorporated in the plant design. This work has been done in deliverable 19 and is
summarised hereafter.
All the foreseeable internal initiating events are systematically identified and grouped in Design
Basis Conditions (DBC) according to their expected frequency of occurrence.
Internal and external hazards are also identified and are considered as design basis events for
the XADS.
Events, combinations of events or scenarios with a lower expected frequency of occurrence are also
addressed and labelled as Design Extension Conditions (DEC). The precise determination of the
DEC will be done in deliverable 32.
Finally, events pertaining to the residual risk evaluation are addressed.
9.1 Design basis initiating events
A top-level logic model (called Master Logic Diagram, MLD), systematically describing all the
abnormal and accident conditions resulting in potential challenges to the plant physical barriers,
has been developed and reported in deliverable 19. From the MLD an appropriate set of initiating
internal events for the LBE-cooled XADS has been deduced. A preliminary list of initiating events
is proposed in Table 9.
9.2 Design extension conditions
In addition to the Design Basis Conditions, a specific set of accident sequences is identified as
the Design Extension Conditions (DEC). They shall be selected with the basic aim of meeting
both probabilistic safety objectives: for core damage and for release of radioactive products to the
external atmosphere.
DECs comprise:
 Complex sequences and limiting events, which involve failures beyond those considered in the
deterministic design basis but do not involve core melt.
 Severe accidents, which involve unlikely sequences of events causing significant core
damage.
9.2.1 Complex Sequences and Limiting Events
These conditions include:
 Anticipated Transients Without Proton Beam Trip (ATWPBT), namely:
   Primary Gas Compressors Trip
   Secondary Coolant System Pump Failure
   Air Cooler Control System Malfunction
   Loss of AC Power to One Secondary Coolant System Loop
   Uncontrolled Proton Beam Current Increase
   Total or partial loss of lead-bismuth circulation in the target system
 Accident sequences with multiple independent failures, namely:
   Multiple Intermediate Heat Exchanger pipe rupture
   Simultaneous main and safety vessel failure
   Excessive cooling leading to Pb-Bi solidification
   Reactivity insertion due to maximum allowable core compaction (elimination of clearance
  between all fuel assemblies)
   Large flow blockage in one fuel assembly or a cluster of fuel assemblies
9.2.2 Severe Accidents
These conditions include:
 Specific scenarios leading to fuel melting. The list of these events, if any, will be provided in
deliverable 32.
9.3 Residual risk
Residual risk situations are accident conditions for which the prevention is such that the analysis
of their consequences is not required by the safety demonstration.
The redundancy and the general design of the LBE-cooled XADS should be a basis for the
demonstration. Various situations should be included:
 Large reactivity insertion due to:
   core compaction (e.g. due to an earthquake larger than the Safe Shutdown Earthquake)
   large fuel loading errors (or neutron absorbing element positioning error)
 Primary circuit damage due to:
   dropped large load (e.g. during Target extraction)
   structural failure (e.g. diverting magnet above the vessel head)
   structural failure of an internal component due to erosion/corrosion phenomena induced by
  LBE
   complete diagrid welding failure (causing the entire core to float)
10. Application of the general safety principles to the gas-cooled XADS concept
The general safety principles described in this document are comprehensive but also flexible and
will cover the various XADS designs. Applying these principles to the gas-cooled concept will be
acceptable, as long as certain gas-cooled specific issues are considered.
The issues specific to the gas-cooled concept that need to be considered in the safety analysis
are detailed below:
 The main concern for the gas-cooled concept is the lack of thermal inertia compared to LBE
designs. Elevated pressure and temperature are necessary to maintain adequate coolant
properties for the gas, in addition to any possible effect on reactivity. This means that events
involving loss of gas mass flow are of great significance and need extra consideration. A loss
of forced circulation will mean that core cooling must be maintained by natural circulation.
However, natural circulation of gas is not efficient at low pressure. Therefore, in the case of
depressurisation of the primary circuit, it is essential that forced circulation is maintained.
A monitoring system to detect leakage from the primary circuit and identify its location will be
of great importance.
Core coolability is a main issue for the gas-cooled concept and this must be taken into account
both in the design process and in the safety analysis.
 As detailed in deliverable 4, there is the need to consider two options for target unit/beam tube
penetration into the vessel. The reference design is target unit/beam tube penetration from
above, but there is also the option to have beam penetration from below.
 As detailed in deliverable 4, for the gas-cooled concept there is no need to consider the
windowless target and the associated safety issues.
 The effect of a large water or steam ingress into the primary circuit, for example from failure of
a heat exchanger tube, needs to be considered. There is the potential for significant reactivity
increase from any water ingress.
 Unlike the LBE designs, ingress of another gas need not be considered as a significant
safety threat. Similarly, the threat of a rapid reactivity insertion due to a coolant phase change
does not need consideration.
 In-service inspection of the primary circuit and internal components will be possible in the gas-cooled concept, which represents an additional operating state. The systems required during
in-service inspection, and those which will be unavailable, must be considered.
 There is the possibility of structural problems due to the gas coolant. For example, the possible
effects of contamination in the gas must be considered. If contamination levels are kept low
there should be no significant chemical attack on fuel and structures. If helium is used as the
coolant, the lack of oxygen can remove the natural oxide layer of structural materials, which could
lead to seizure of parts.
 Fast-neutron effects on the helium coolant could also act in the core, scattering helium into the
cladding surface.
These issues have been taken into account when compiling the following lists of design basis and
design extension conditions. They should also be of prime concern during the classification,
analysis and design processes.
For XADS and other future reactor systems, there is little or no feedback from operating
experience on which to base analysis. This makes the production of a comprehensive list of
events and their classification more difficult.
A preliminary list has therefore been compiled based on existing data from the EFR project and
the EUR document, with adaptation based on the specific issues related to the gas-cooled XADS
concept. Details on the basic design of the gas-cooled XADS have been taken from
deliverables 1 and 4 of this project.
10.1 Design Basis Initiating Events
Design basis initiating events are faults which may occur and which would affect the behaviour of
the plant. Faults may occur due to failure of a component or components, operator error or due to
external hazards.
The design basis initiating events should include all faults which could occur during the lifetime of
the plant. Some faults may be expected to occur several times within the life of the plant, whilst
other faults are highly unlikely but may have severe consequences. Design Basis Conditions
(DBC) are the plant conditions resulting from these initiating events and also include normal
operating conditions.
A preliminary list of design basis initiating events is included in Table 10. This list is not
exhaustive and will need to be modified as the gas-cooled design evolves. Similarly, the DBC
analysis will lead to changes and additions to the design. The areas of initiating events most likely
to be expanded include plant systems and the accelerator, as these are the areas where fewer
details are currently available.
A final list of DBC for the gas-cooled XADS and their classification will be included in
deliverable 20.
10.2 Design Extension Conditions
The Design Extension Conditions (DEC) are postulated to be bounding cases resulting from the
risks which are specific to the gas-cooled design or the process. Two kinds of DEC are
considered, the situations for which the consequences have to be demonstrated to be limited and
the severe accidents.
The discussion below is based on the basic design of the gas-cooled XADS and on data from
EUR, EFR, and others.
A final list of DEC for the gas-cooled XADS will be included in deliverable 33.
10.2.1 Complex Sequences and Limiting Events
Using the description of complex sequences and limiting events in section 4.2, there are a
number of sequences that will need to be investigated. These are sequences for which there is
the potential for significant releases but which do not involve widespread core melt.
 Any DBC combined with failure of the safety systems required for removal of decay heat needs
to be considered.
Special consideration should be given to LOSSP combined with any other initiating event. This
is of particular concern in the case of depressurisation, when natural circulation in the primary
circuit is not sufficient to remove heat. Forced circulation has to be maintained if the primary
circuit depressurises, to prevent core damage.
If it cannot be demonstrated that these sequences have a very low occurrence frequency,
preventive measures may have to be included in the design. For example, it may be
necessary to provide additional passive means of core cooling or to provide more diverse
forms of electrical supply.
 Local fuel melt must be analysed to demonstrate that it cannot lead to a whole-core accident. It
has been stated as a general aim for XADS that preventing core damage is preferable
to designing safety systems to deal with its consequences.
 A very large helium leak from the primary circuit, including main vessel failure, may need to be
analysed if it is not included as a category 4 operating condition.
The possible levels of containment leakage following a core damage accident need to be
considered.
10.2.2 Severe Accidents
There are a number of unlikely sequences which will involve significant core damage and could
lead to significant releases. The analysis of these severe accidents will influence the design of the
containment.
For a gas-cooled reactor, in-service inspection of the core and support structures will be possible.
Taking this and the sub-critical design of XADS into account, events initiating reactivity accidents
should be demonstrated to have a very low occurrence frequency. Nevertheless, there are a
number of possible sequences that should be considered.
Inability to shut down the accelerator would affect the main safety function of criticality control. The
possibility of diverse means of initiating accelerator shutdown should be considered.
The possibility of maintaining a subcritical configuration following core melt must be considered.
The behaviour of the core melt could lead to criticality either elsewhere in the vessel or in the
containment. The potential for controlling the reactivity and providing adequate cooling needs to
be considered.
10.3 Residual Risk Situations
Residual risk situations are accident conditions for which the prevention is such that the analysis
of their consequences is not required by the safety demonstration.
The in-service inspection capabilities, redundancy and the general design of the XADS should be
a basis for the demonstration. Various situations should be included:
 Large reactivity insertion due to:
   core support failure
   core compaction (e.g. due to earthquake or fuel melting)
   large loading errors
 Catastrophic failure of the primary circuit due to:
   large overpressure
   dropped large load
   failure of rotating machinery
 Ingress of a large amount of water into the primary circuit
11. Conclusion
A safety approach for the XADS has been developed based on the EUR and EFR approaches.
The general safety objectives have been established. To ensure these objectives, the Defence-in-Depth strategy will be applied.
The fundamental safety functions to maintain to fulfil the safety objectives have been determined.
The types of situations to consider have been defined: Design Basis Conditions, Design
Extension Conditions and Residual Risk.
The criteria to fulfil for the different situations have been defined: dose limits, fuel and clad limits,
plant criteria and mechanical limits.
The rules to analyse the different situations have been defined: combination of initial states,
uncertainties, operator action, single failure criterion, aggravating failure.
The method of the Lines of Defence has been described and will be used for the safety analysis.
The general principles of safety classification of components have been defined.
The general safety principles have been applied to the LBE-cooled XADS large scale concept
and to the gas-cooled concept, and a preliminary list of situations to analyse has been
established.
Table 1 Levels of Defence-in-Depth (from INSAG-10)

Level of defence | Objective | Essential means
Level 1 | Prevention of abnormal operation and failures | Conservative design and high quality in construction and operation
Level 2 | Control of abnormal operation and detection of failures | Control, limiting and protection systems and other surveillance features
Level 3 | Control of accidents within the design basis | Engineered safety features and accident procedures
Level 4 | Control of severe plant conditions, including prevention of accident progression and mitigation of the consequences of severe accidents | Complementary measures and accident management
Level 5 | Mitigation of radiological consequences of significant releases of radioactive materials | Off-site emergency response (1)

(1) For the XADS concept, a general objective is to ensure by the first four levels of Defence-in-Depth a safety level sufficiently high that no off-site emergency response is necessary.
Table 2 Doses from direct radiation during design basis conditions and design extension conditions

Category | Public (1) | Operational staff
Normal operations | ICRP 60 recommends 1 mSv/year. The XADS target will be 10 µSv/year, as in EUR. | ICRP 60 recommends for the individual dose a mean value of 20 mSv/year over 5 years, with a maximum value of 50 mSv in any one year. The XADS targets will be the same as EUR: 5 mSv/year for the individual dose, and 0.7 man.Sv/GWe for the annual collective dose averaged over the plant life.
Category 2 | Releases from category 2 operating conditions shall not cause the annual release criteria to be exceeded; therefore, each category 2 operating condition shall individually meet the annual release criteria.
Category 3 | 1 mSv/event
Category 4 | 50 mSv/event
Design extension conditions | 150 mSv/event during at least the first 24 hours following the accident (1)

(1) This shall be assessed for the most exposed individual:
 at 100 m from the most significant sources with an occupancy factor of 1/30, or
 at 300 m with an occupancy factor of 1.
Table 3 Fuel limits for design basis operating conditions and design extension conditions

Category of operating conditions | Safety target | Fuel limits | Clad limit
Normal operating conditions | Radiological release ALARA | No melting | No open clad failure
2 | Radiological release lower than the limit | No melting | No open clad failure except due to random effects or experimental pins
3 | Radiological release lower than the limit | No melting except locally for experimental pins | No systematic (i.e. large number of) pin failures
4 | Maintaining of the core coolability and limitation of core geometrical modifications | Any predicted localised melting to be shown to be acceptable | No systematic clad melting. No simultaneous and coincident clad failure and fuel melting
Complex sequences and limiting events | Maintaining of the core coolability and limitation of core geometrical modifications | No extended core melting | No systematic clad melting
Severe accident | Releases lower than the limiting release targets | Coolability of the damaged core. No recriticality of the damaged core | -
Table 4 Plant criteria for design basis operating conditions

Category of operating conditions | Plant criteria
2 | Plant shall be able to return to normal conditions in a reasonable time after fault rectification
3 | Plant shall be able to return to normal conditions after inspection, rectification and requalification
4 | Plant restart is not required
Table 5 Mechanical limits for design basis operating conditions

Criteria level of RCC-MR (2)

Category of operating conditions | Safety classified components | Components which are difficult to requalify | Components whose leaktightness is required | Active components whose functional operability is required
Normal operating conditions | A | A | A | A
2 | A | A | A | A
3 | C | A | C | A
4 | D | D | C | A

(2) Concerning the mechanical design, the criteria are associated with a design code adapted to the selected
concept. As a working basis, the European RCC-MR code used for the EFR project is proposed for the
XADS design.
Table 6 Classification of safety functions

Safety function | Classification
Function indispensable to meet the radiological limits of category 4 during a category 1 or 2 operating condition | 1
Function indispensable to meet the radiological limits of category 4 during a category 3 or 4 operating condition | 2
Function allowing the radiological limits of normal and category 2 operating conditions to be met (3) during a category 1, 2, 3 or 4 operating condition (minimisation) | 3
Function not necessary to meet the dose limits for normal and category 2 operating conditions | Not safety classified

(3) The safety class 3 functions include in particular the functions needed to minimise the doses to the
operational staff during normal and category 2 operating conditions.
Table 7 Classification of the mechanical components

Classification of the function performed by the mechanical component | Characteristics of the mechanical component | Mechanical RCC-MR design and construction class (4)
1 or 2 | Active component needed before corrective measures can be implemented | 1
1 or 2 | Active component only needed after a delay which allows corrective measures to be implemented | 2
1 | Passive mechanical component with no redundancy provided | 1
1 | Passive mechanical component with redundancy provided | 2
2 | Passive component | 2
3 | Mechanical component | 3

(4) This mechanical classification is the minimum required to meet the safety requirements.
Table 8 Classification of the electrical components

Classification of the function performed by the electrical component | Characteristics of the electrical component | Electrical design and construction class (5)
1 or 2 | Electrical component needed before corrective measures can be implemented | E1
1 or 2 | Electrical component only needed after a delay which allows corrective measures to be implemented | E2
3 | Electrical component | E2

(5) This classification is the minimum required to meet the safety requirements.
Table 9 LBE-cooled design – Preliminary list of Design Basis Conditions

Normal Operating Conditions
Operation at power
Hot shutdown condition
Cold shutdown condition
Refuelling

Fuel Cladding Challenges
Uncontrolled Proton Beam Current Increase
Fuel Assembly Partial Flow Blockage
Proton Beam Startup With Cold Reactor
Fuel Assembly Mechanical Lock Failure
Core Compaction (following a Safe Shutdown Earthquake and to the extent resulting from mechanical calculations)

Reactor Coolant System and Target Unit Coolant System Challenges

RCS Challenge
Inadvertent Proton Beam Trip
Air Cooler Control System Malfunction (increasing Air Coolers heat removal)
Air Cooler Control System Malfunction (decreasing Air Coolers heat removal)
Air Cooler Malfunction (1 out of 3; increasing Air Coolers heat removal)
Air Cooler Malfunction (1 out of 3; decreasing Air Coolers heat removal)
Secondary Coolant System Pump Failure
Loss of AC Power to One Secondary Coolant System Loop
Total Loss of AC Power
Partial Loss of Enhanced Primary Coolant Flow
Primary Gas Compressors Trip
Standby Gas Compressor Spurious Startup
Cover Gas Pressure Control System Malfunction (increasing Primary Coolant flowrate)
Cover Gas Pressure Control System Malfunction (decreasing Primary Coolant flowrate)
Total Loss of AC Power with Concomitant Diesel Generator Unavailability
Inadvertent Opening of a Secondary Coolant System Safety Valve
Small Secondary Coolant System Pipe Break
Small Primary Gas System Pipe Break
Large Secondary Coolant System Pipe Break
Inadvertent Opening of Secondary Coolant System Drain Valves
Large Primary Gas System Pipe Break
Lead-Bismuth Leakage From The Primary Vessel
IHX Pipe Rupture (one Pipe)

TUCS Challenge
The events listed below refer to accidents originating inside the TUCS. Other events exist which can challenge the TUCS; they
originate in the RCS. Examples are events causing the RCS enhanced primary coolant flow system to malfunction or fail
(e.g. gas compressor trip, failure or malfunction, cover gas pressure control system malfunction, etc.).
Small Primary Gas System Pipe Break (affecting the U-shaped risers)
Small Target Gas System Pipe Break
Target Unit Gas Compressors Trip
Partial Loss of Enhanced Target Unit Coolant Flow
Pressure Control System Malfunction of the Target Enhanced Circulation System (increasing Target Unit pressure)
Target Unit Lead-Bismuth Inleakage from Primary Coolant
Target Unit Coolant System Break
Proton Beam Pipe Vacuum Control System Malfunction
Proton Beam Pipe Break

Containment Challenges
A symbol "I" or "R" is associated with each incident or accident condition. The symbol "I" is assigned to the events resulting primarily in
a potential challenge to the integrity or leaktightness of the reactor containment. The symbol "R" is assigned to the events resulting
primarily in a potential release of radioactivity inside the reactor containment.
Reactor Containment Pressure Test | I
Loss of Reactor Building HVAC System | R
Leakage from Vessel Top Closure | I
Total Loss of AC Power | -
Radioactive Drain Network System Line Break | R
Waste Gas System Line Break | R
Waste Liquid System Line Break | R
Primary Cover Gas System Line Break | R
Leakage from Primary Cover Gas System Components | R
Target Enhanced Circulation System Line Break | R
Leakage from Target Enhanced Circulation System Components | R
Accelerator Beam Transport System Failure | R
Total Loss of Secondary Coolant System | I
Reactor Coolant Filling System Failure | R
Simultaneous Reactor and Guard Vessel Rupture | I&R
Total Loss of AC Power with Concomitant Diesel Generator Unavailability | I

Hazards
Internal hazards
Fire and Explosion
Release of gases
Dropped or impacting loads (e.g. from fuel handling operation)
Electromagnetic interference from equipment on-site
External hazards - Natural
External flooding
Extreme weather condition
Earthquake
Drought
Lightning
External hazards - Man made
Aircraft crash
Hazards from adjacent installations, transport activity (missiles, gas cloud, explosion)
Electromagnetic interference
Sabotage
Table 10 Gas-cooled Design – Preliminary list of Design Basis Conditions

Event | Comments

Normal Operating Conditions
Nominal power operation (Pn)
Partial load | Power operation between 20% Pn and 100% Pn
Low power operation (< 3% Pn) | During commissioning; after refuelling shutdown
Shutdown states
 Hot shutdown
 Cold shutdown
Shutdown transients
 To hot shutdown
 To cold shutdown
Start-up transients
 From hot shutdown
 From cold shutdown
In-service inspection and maintenance
Handling

Reactivity and Sub-assembly Faults
Spurious reactor trip | All trips initiated by a fault other than those specified
Shutdown system faults | e.g. unable to insert shutdown rod(s)
Accidental withdrawal of control rod(s)
Pin failure
Local sub-assembly cooling faults | e.g. blockage, wrapper split
Water ingress into primary circuit from HX | May be classified as residual risk
In-vessel fuel handling error
 Wrong sub-assembly loaded in core
 Too many sub-assemblies loaded
 Incorrect positioning of sub-assembly
Dropped load
Single faults in fuel handling and storage
Multiple faults in fuel handling and storage

Circuit Faults
Primary circuit
Loss of flow | Other than due to LOSSP
 Failure of primary compressor
 Inadvertent reduction in primary compressor flowrate
 Inadvertent increase in primary compressor flowrate
 Spurious operation of primary circuit valves
Depressurisation
 Vessel leak
 Vessel penetration failure
 Cold gas duct leak
 Hot gas duct leak
 Leak between cold/hot gas duct | Dependent on design chosen
 Cold gas duct break
 Hot gas duct break
Spurious turbine trip
Turbine malfunction
Electric motor malfunction | Used for start-up/low power
Ingress of foreign substances into primary circuit | Corrosion
Intermediate water circuit
Loss of flow | Other than due to LOSSP
 Failure of circulator
 Inadvertent reduction of circulator flowrate
 Inadvertent increase in circulator flowrate
Depressurisation
 Cooling water pipework leak
 Cooling water pipework rupture
 Spurious operation of secondary circuit valves | e.g. containment isolation, relief valves
Loss or reduced effectiveness of ultimate heat sink
 Loss or reduction of flow
 Leakage
 Temperature increase

System Faults
Electrical system faults
Loss of station service power (LOSSP) of short duration (< 1 hour)
Loss of station service power (LOSSP) of medium duration (1 to 12 hours)
Loss of station service power (LOSSP) of longer duration (> 12 hours)
Decay Heat Removal (DHR) system faults | Note: the DHR system is only required to operate a) in the event of loss of forced helium circulation, b) in the event of loss of pressure, c) during handling
Failure of one circulator
Failure of both circulators
Inadvertent reduction in flowrate of circulator
Inadvertent increase in flowrate of circulator
Spurious operation of check valve
Increase in coolant water temperature
Water ingress into primary circuit from HX tube failure | Due to reactivity consequences and effect of water attack
HX secondary side leak
HX secondary side break
Other system faults
Failure of pressure parts | May result in pipe whip, blast effects etc.
Loss of redundant systems
Failure of auxiliary or cooling systems
 Reactor vault cooling system
 Gas control/purification system
Instrumentation failure
Spurious start-up of systems not required in normal operation

Accelerator Faults
Unable to shut down beam
High proton beam current | Other than due to LOSSP
Low proton beam current
Pulsed/continuous beam fault | Dependent on design
Incorrect beam direction | Due to problem with magnet
Beam/target catcher failure | Only relevant following magnet failure
Shielding failure
(This section will be elaborated by CEA)

Target Faults
Beam tube break
Target unit shell break
Window break | Consequences depend on possible mitigation measures
Target LBE chemistry/purity fault
Target LBE forced cooling fault | Effectiveness of natural convection dependent on beam configuration

Hazards
Seismic | Level will depend on site characteristics
Missiles
 Internal | e.g. turbine, compressor
 External | e.g. aircraft crash, explosion
Biological hazards
Extreme weather conditions | e.g. temperature, lightning, pressure
External flooding
Internal flooding
Ground subsidence
Electromagnetic interference
Release of hazardous gases or materials held on-site
Conventional fire
Figure 1 Scheme of the small core LBE-cooled XADS (Myrrha concept)

Figure 2 Scheme of the larger core LBE-cooled XADS

Figure 3 Scheme of the gas-cooled XADS