NUCLEAR SAFETY - OBJECTIVES (INSAG)
12. Three safety objectives are defined for nuclear power plants. The first is very general in nature. The other two are complementary objectives that interpret the general objective, dealing with radiation protection and technical aspects of safety respectively. The safety objectives are not independent; their overlap ensures completeness and adds emphasis.
2.1. GENERAL NUCLEAR SAFETY OBJECTIVE
13. Objective: To protect individuals, society and the environment by establishing and maintaining in nuclear power plants an effective defence against radiological hazard.
14. Each viable method of production of electricity has unique advantages and possible detrimental effects. In the statement of the general nuclear safety objective, radiological hazard means adverse health effects of radiation on both plant workers and the public, and radioactive contamination of land, air, water or food products. It does not include any of the more conventional types of hazard that attend any industrial endeavour. The protection system is effective as stated in the objective if it prevents significant addition either to the risk to health or to the risk of other damage to which individuals, society and the environment are exposed as a consequence of industrial activity already accepted. In this application, the risk associated with an accident or an event is defined as the arithmetic product of the probability of that accident or event and the adverse effect it would produce. The overall risk would then be obtained by considering the entire set of potential events and summing the products of their respective probabilities and consequences. In practice, owing to the large uncertainties that can be associated with the different probabilities and consequences, it is generally more convenient and useful to disaggregate the probabilities and the consequences of potential events, as discussed in INSAG-9. These health risks are to be estimated without taking into account the countervailing and substantial benefits which the nuclear and industrial activities bestow, both in better health and in other ways important to modern civilization. When the objective is fulfilled, the level of risk due to nuclear power plants does not exceed that due to competing energy sources, and is generally lower. If another means of electricity generation is replaced by a nuclear plant, the total risk will generally be reduced. The comparison of risks due to nuclear plants with other industrial risks to which people and the environment are exposed makes it necessary to use calculational models in risk analysis. To make full use of these techniques and to support implementation of this general nuclear safety objective, it is important that quantitative targets, ‘safety goals’, be formulated.
15. It is recognized that although the interests of society require protection against the harmful effects of radiation, they are not solely concerned with the radiological safety of people and the avoidance of contamination of the environment. The protection of the resources invested in the plant is of high societal importance and demands attention to all the safety issues with which this report is concerned. However, the main focus of this report is the safety of people. What follows is therefore expressed in these terms solely, but this is not to imply that INSAG has no regard for other factors.
2.2. RADIATION PROTECTION OBJECTIVE
16. Objective: To ensure in normal operation that radiation exposure within the plant and due to any release of radioactive material from the plant is as low as reasonably achievable, economic and social factors being taken into account, and below prescribed limits, and to ensure mitigation of the extent of radiation exposure due to accidents.
17. Radiation protection is provided in nuclear power plants under normal conditions and separate measures would be available under accident circumstances. For planned plant operating conditions and anticipated operational occurrences, compliance with radiation protection standards based on recommendations by the International Commission on Radiological Protection (ICRP) ensures appropriate radiation protection.
18. The aforementioned radiation protection standards have been developed to prevent harmful effects of ionizing radiation by keeping doses sufficiently low that deterministic effects are precluded and the probability of stochastic effects is limited to levels deemed tolerable. This applies to controlled circumstances. In the event of any accident that could cause the source of exposure to be not entirely under control, safety provisions in the plant are planned and countermeasures outside the plant are prepared to mitigate harm to individuals, populations and the environment.
2.3. TECHNICAL SAFETY OBJECTIVE
19. Objective: To prevent with high confidence accidents in nuclear plants; to ensure that, for all accidents taken into account in the design of the plant, even those of very low probability, radiological consequences, if any, would be minor; and to ensure that the likelihood of severe accidents with serious radiological consequences is extremely small.
20. Accident prevention is the first safety priority of both designers and operators. It is achieved through the use of reliable structures, components, systems and procedures in a plant operated by personnel who are committed to a strong safety culture (see Sections 3.2.1 and 3.2.2, and subsequent sections).
21. However, in no human endeavour can one ever guarantee that the prevention of accidents will be totally successful. Designers of nuclear power plants therefore assume that component, system and human failures are possible, and can lead to abnormal occurrences, ranging from minor disturbances to highly unlikely accident sequences. The necessary additional protection is achieved by the incorporation of many engineered safety features into the plant. These are provided to halt the progress of an accident in the specific range of accidents considered during design and, when necessary, to mitigate its consequences. The design parameters of each engineered safety feature are defined by a deterministic analysis of its effectiveness against the accidents it is intended to control. The accidents in the spectrum requiring the most extreme design parameters for the safety feature are termed the design basis accidents for that feature. For existing plants, design basis accidents are generally associated with single initiating events; they are evaluated with conservative assumptions including aggravating failures and do not usually imply severe core damage.
22. Attention is also directed to accidents of very low likelihood which might be caused by multiple failures or which might lead to conditions more severe in existing plants than those considered explicitly in the design (accidents ‘beyond the design basis’). Some of these severe accidents could cause such deterioration in plant conditions that proper core cooling cannot be maintained, or that fuel damage occurs for other reasons. These accidents would have a potential for major radiological consequences if radioactive materials released from the fuel were not adequately confined. As a result of the accident prevention policy, they are of low probability of
23. Since these accidents could nonetheless occur, other procedural measures (accident management) are provided for managing their course and mitigating their consequences. These additional measures are defined on the basis of operating experience, safety analysis and the results of safety research. Attention is given in design, siting, procedures and training to controlling the progression and consequences of accidents. Limitation of accident consequences requires measures to ensure safe shutdown, continued core cooling, adequate confinement integrity and off-site emergency preparedness. High consequence severe accidents are therefore extremely unlikely because they are effectively prevented or mitigated by defence in depth.
24. Notwithstanding the high level of safety so achieved, increased understanding of severe accidents beyond design basis events has led to complementary design features being implemented in some operating nuclear power plants as well as expanded guidelines and/or procedures to cope with severe accidents of very low likelihood beyond design basis.
25. For future nuclear power plants, consideration of multiple failures and severe accidents will be achieved in a more systematic and complete way from the design stage. This will include improving accident prevention (for example, reduced common mode failures, reduced complexity, increased inspectability and maintainability, extended use of passive features, optimized human–machine interface, extended use of information technology) and further reducing the possibilities and consequences of off-site radioactive releases.
26. In the safety technology of nuclear power, overall risk is obtained (as discussed in Section 2.1) by considering the entire set of potential events and their respective probabilities and consequences. The technical safety objective for accidents is to apply accident prevention, management and mitigation measures in such a way that overall risk is very low and no accident sequence, whether it is of low probability or high probability, contributes to risk in a way that is excessive in comparison with other sequences.
27. The target for existing nuclear power plants consistent with the technical safety objective is a frequency of occurrence of severe core damage that is below about 10⁻⁴ events per plant operating year. Severe accident management and mitigation measures could reduce by a factor of at least ten the probability of large off-site releases requiring short term off-site response. Application of all safety principles and the objectives of para. 25 to future plants could lead to the achievement of an improved goal of not more than 10⁻⁵ severe core damage events per plant operating year. Another objective for these future plants is the practical elimination of accident sequences that could lead to large early radioactive releases, whereas severe accidents that could imply late containment failure would be considered in the design process with realistic assumptions and best estimate analyses so that their consequences would necessitate only protective measures limited in area and in time.
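The risk aggregation of para. 14, the balance criterion of para. 26 and the core damage frequency targets of para. 27 can be worked through together. The following is an added example, not part of the INSAG text: the sequence names, frequencies, consequence values and the 50% dominance cut-off are constructed assumptions chosen only to exercise the calculation.

```python
# Added illustration of paras 14, 26 and 27; not taken from the INSAG report.
# Sequence data and DOMINANCE_SHARE are constructed assumptions.
from dataclasses import dataclass

CDF_TARGET_EXISTING = 1e-4  # para 27: below about 1e-4 per plant operating year
CDF_TARGET_FUTURE = 1e-5    # para 27: not more than 1e-5 for future plants
DOMINANCE_SHARE = 0.5       # assumed cut-off for an "excessive" contributor (para 26)

@dataclass
class Sequence:
    name: str
    frequency: float    # events per plant operating year
    consequence: float  # adverse effect, arbitrary but consistent units
    core_damage: bool   # True if the sequence ends in severe core damage

def overall_risk(seqs):
    """Para 14: sum over all events of probability times consequence."""
    return sum(s.frequency * s.consequence for s in seqs)

def core_damage_frequency(seqs):
    """Summed frequency of the sequences that end in severe core damage."""
    return sum(s.frequency for s in seqs if s.core_damage)

def risk_shares(seqs):
    """Fraction of the overall risk contributed by each sequence."""
    total = overall_risk(seqs)
    return {s.name: s.frequency * s.consequence / total for s in seqs}

def assess(seqs):
    """Check the para 27 targets and flag sequences that dominate risk (para 26)."""
    cdf = core_damage_frequency(seqs)
    return {
        "overall_risk": overall_risk(seqs),
        "cdf": cdf,
        "meets_existing_target": cdf < CDF_TARGET_EXISTING,
        "meets_future_target": cdf <= CDF_TARGET_FUTURE,
        "dominant": sorted(n for n, share in risk_shares(seqs).items()
                           if share > DOMINANCE_SHARE),
    }

SAMPLE = [  # constructed data, for illustration only
    Sequence("transient, recovered", 1e-2, 1.0, False),
    Sequence("cooling failure, containment intact", 4e-5, 1e3, True),
    Sequence("cooling failure, late containment failure", 2e-5, 1e4, True),
    Sequence("failure to shut down", 5e-6, 5e3, True),
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

With the constructed data the plant meets the existing-plant target, yet one low frequency sequence carries most of the overall risk, which is the imbalance para. 26 asks designers to avoid.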