Stuklex » Regulation » YVL 2.0

Systems design for nuclear power plants, 1 July 2002

YVL 2.0

This Guide remains in force as of 1 December 2002 until further notice. It replaces Guide YVL 2.3, issued on 14 August 1975.

ISBN 951-712-615-8 (print)
ISBN 951-712-616-6 (pdf)
ISBN 951-712-617-4 (html)
ISSN 0783-2346

Authorisation

By virtue of the below acts and regulations, the Radiation and Nuclear Safety Authority (STUK) issues detailed regulations that apply to the safe use of nuclear energy and to physical protection, emergency preparedness and safeguards:

Rules for application

The publication of a YVL guide does not, as such, alter any previous decisions made by STUK. After having heard those concerned, STUK makes a separate decision on how a new or revised YVL guide applies to operating nuclear power plants, or to those under construction, and to licensees’ operational activities. The guides apply as such to new nuclear facilities.

When considering how new safety requirements presented in YVL guides apply to operating nuclear power plants, or to those under construction, STUK takes into account section 27 of the Council of State Resolution (395/1991), which prescribes that for further safety enhancement, measures shall be taken which can be regarded as justified considering operating experience and the results of safety research as well as the advancement of science and technology.

If deviations are made from the requirements of a YVL guide, STUK shall be presented with some other acceptable procedure or solution by which the safety level set forth in the guide is achieved.

1 General

This guide gives guidelines on the design and control of a nuclear power plant’s systems, with emphasis on safety-classified systems. The general design criteria given in Guide YVL 1.0 are explained in more detail in this guide. More detailed descriptions can be found in other YVL guides as well. A system denotes a specific functional or structural entity. A system can be further subdivided into structures and components.

In assuring the safety of a nuclear power plant, the prevention of operational transients and accidents is essential (Section 13 of Government Resolution No. 395/1991, preventive measures). This means that the plant’s systems, structures and components are designed such that any disturbances caused by their failure or malfunctioning remain as mild as possible and do not lead to accidents. In addition, the nuclear power plant shall be equipped with systems to quickly detect and bring under control transients and accidents before they develop into more serious situations (Section 13 of Government Resolution No. 395/1991, control of transients and accidents). The plant shall also be provided with systems to mitigate and limit the consequences of accidents (Section 13 of Government Resolution No. 395/1991, mitigation of consequences).

The control of operational transients and accidents as well as the mitigation of their consequences is based on safety functions and their maintenance. According to Guide YVL 1.0, a safety system is a system that carries out a safety function. A safety function is a function important to safety whose task is to prevent transients and accidents, or their propagation, and to mitigate the consequences of accidents. Nuclear power plant systems other than safety systems may also have safety significance. On the other hand, a safety system may, in addition to its safety function, have functions other than the safety function.

The safety significance of a function carried out by a system is essential when the Radiation and Nuclear Safety Authority decides about the focusing of its regulatory activities. The safety classification of a nuclear power plant’s systems, structures and components affects their regulatory control. A nuclear power plant’s safety classification is dealt with in Guide YVL 2.1.

2 Requirements on systems design

2.1 Design methods

Systems design shall employ both deterministic and PSA-based methods.

Deterministic design methods are methods by which, based on natural scientific theory and empirical data, a component or system is designed to operate such that it carries out a physical function as planned and as technically appropriate. The interdependence between cause and effect is known sufficiently well to design the operation of systems and components and to predict their behaviour with sufficient precision even as regards exceptional events.

Design basis operational conditions of systems are the starting point in the deterministic method. According to Guide YVL 1.0, the deterministic design of safety systems in particular considers even unlikely initiating events during which system operation is needed. The functional requirements of a safety system are defined according to the consequences of the initiating events and the need to mitigate them. The likelihood of initiating events and the severity of their consequences are considered when defining deterministic acceptance criteria according to Guide YVL 2.2.

With probabilistic safety assessment (PSA) the reliability of various safety functions and the balance of design between them is evaluated. A plant shall be so designed that calculated risks are distributed such that no individual component, system, phenomenon or other factor is risk-dominant and that the share of hard-to-manage risks is as low as possible. A plant designed in such a way has a well balanced design.

2.2 General design criteria

The solutions and methods chosen for design shall be based on technology proven in practice and on reliable test results. When deciding upon the solutions, the advances of technology shall be made use of (Section 27 of Government Resolution No. 395/1991). The feasibility of new, innovative solutions shall be justified by careful, extensive research and they shall undergo testing before implementation. During design, when choosing basic technologies, the life cycles of technologies and components shall be considered and any restrictions resulting thereof anticipated. As great an independence as possible from any single technology shall be aimed at in the design solutions. Also component replacements and potential technological turning points shall be considered in advance so that any modifications required at the plant can be designed controllably and in good time.

A safety level as high as reasonably achievable (the SAHARA principle) shall be aimed at in design, see subsection 3 of Guide YVL 1.0.

In the design of an individual system, special attention shall be paid to the appropriateness of the system’s operation, possible adverse side effects, requirements set by other systems as well as interdependencies and interactions between systems. Interdependencies and interactions impairing the reliability of systems and components shall be avoided.

A system’s erroneous starting, or its starting in an emergency, must not endanger safety functions or cause new initiating events. Any starting-initiated side effects and consequences adverse to safety shall be extremely minor.

A nuclear power plant’s systems shall be so designed that the loss of a safety function for any internal or external reason will be extremely unlikely. A subsystem’s failure must not cause the failure of the same system’s other subsystems or the loss of any other system contributing to the same safety function.

Ageing during normal operation caused by ambient conditions and other ageing phenomena shall be considered in design. Safety systems shall remain operable under the ambient conditions they are exposed to following an initiating event.

When design bases are defined initiating events plus their consequences, plant internal events (e.g. flooding and fires), plant external phenomena (e.g. unusual weather and earthquakes) and external man-made events (e.g. impact of aircraft, industrial accidents) shall be considered. In addition, the combined effects of accident conditions induced by internal causes and simultaneous natural phenomena shall be taken into account to the extent estimated possible (Section 20 of Government Resolution No. 395/1991) .

Random component failures, common-cause failures and man-made malfunctions as well as the consequences of anticipated operational transients and accidents shall be considered in design. System control measures and the components needed to carry them out shall be designed such that the possibility of human error during system operation is very unlikely.

In a system’s design, tested and proven design methods as well as appropriate regulations, guidelines and standards shall be followed. The safety class of every system shall be determined in accordance with Guide YVL 2.1. In the design of the system the quality requirements of the safety class shall be followed.

To assure operability, systems shall be so designed that their functional testing can be conducted under operating conditions and parameters that are as close as possible to those for which they were designed. System elements important to operability shall be accessible to inspection.

In the design of the structures, materials, location and installations of a system, the ALARA principle as well as maintenance and inspection shall be considered.

Sections of the plant important to nuclear safety shall be placed separately from those serving plant normal operation. In addition, safety-important subsystems shall be placed in their own rooms and shall be physically separated from one another.

A system’s operation, and how it affects the plant’s behaviour, may depend on the plant’s operational state. It is therefore necessary to consider in systems design all the plant’s normal operational conditions, e.g. power operation, start-ups and shutdowns as well as outages and related operational transients and accidents.

2.3 Requirements on the design organisation

According to Section 4 of Government Resolution No. 395/1991, when designing, constructing and operating a nuclear power plant, an advanced safety culture shall be maintained which is based on the safety oriented attitude of the topmost management of the organisations in question and on motivation of the personnel for responsible work. This requires well-organised working conditions and an open working atmosphere even of the organisation responsible for design. Alertness and initiative are to be promoted within the organisation to observe and eliminate factors endangering safety.

Section 5 of Government Resolution No. 395/1991 prescribes that advanced quality assurance programmes shall be employed in all activities which affect safety and relate to the design, construction and operation of a nuclear power plant. Guide YVL 1.14 sets requirements on the quality management of design and the quality system of the design organisation.

A nuclear power plant’s design organisation shall have sufficient experience of corresponding tasks and the necessary know-how to be able to consider as a whole the plant’s operation, configuration and characteristics.

The division of responsibilities within the design organisation shall be unambiguous. The design process during a project shall evolve such that information exchange and interactivity of design between different design teams leads to the best possible safety outcome. This particularly applies to any large system entity under design.

The design process shall include audits that are to be defined in the quality plan of the design organisation.

The technical appropriateness of the design of a new plant shall be demonstrated in the plant’s safety analysis report, which is to contain a description of how the design organisation meets the aforementioned requirements. The licensee shall satisfy himself of the acceptability of the design by making safety assessments based on sufficiently profound own know-how.

A conceptual design plan shall be drawn up of modifications to large system entities or systems in an operating nuclear power plant. The plan is to contain facts included in the preliminary safety analysis report and it shall also demonstrate that the design process was carried out by a competent organisation and that all information exchange needed during the design process was realised. The licensee shall assess the acceptability of the conceptual design plan by audits conducted prior to starting detailed systems design. Inspections shall be conducted throughout the design process. As regards extensive plans with a significant bearing on nuclear safety, or plans requiring special know-how, the licensee shall consider whether to commission their independent safety assessment to an assessor entirely independent of the licensee’s organisation. The minimum competence required of individuals and organisations conducting design audits and independent safety assessments is that which is required in the design task, and it shall have been proven in practice. After the assessments have been carried out the licensee shall satisfy himself of the acceptability of the design by safety assessments based on sufficient own know-how.

2.4 Design requirements for safety systems

For the implementation of safety functions, systems and components shall primarily be used that require no external power supply to carry out and control their function (Section 18 of Government Resolution No. 395/1991). Examples of such systems are pressurised water tanks of the emergency coolant system, which discharge by pressure of stored up gas, and the containment external air-cooling system, which operates by natural circulation.

Secondarily, systems may be used whose actual function, the function’s control, or both, require external power supply. Examples of systems whose actual function operates by natural force, and whose control requires external power supply, are decay heat removal from the primary circuit by natural circulation and reactor scram systems operating by force of gravity. An example of systems in which both the function proper and its control function require external power supply are cooling systems utilising pumps. When power supply to systems requiring external power for their control or operation is lost the systems must settle in a state preferable from the safety point of view, whenever such can be defined.

The objective of deterministic design is to assure that safety functions are accomplished in all design basis situations. Such situations may relate to normal operation or they may be anticipated operational transients, postulated accidents or severe accidents. Safety systems may have one or several tasks in the prevention of initiating events, or in the limitation of their propagation and the mitigation of their consequences.

A system’s ability to carry out its safety function shall be demonstrated based on the results on conservative analyses. A system’s operation and the sufficient accuracy of analyses pertaining to it shall be experimentally demonstrated, where necessary. These analyses are dealt with in Guide YVL 2.2.

2.5 Consideration of failures in design

2.5.1 Reliability-based technical design principles

High reliability of operation is required of all systems and of safety systems in particular. This is why system operation in various failure situations shall be assured. This is accomplished by applying the redundancy, diversity and separation principles (Section 18 of Government Resolution No. 395/1991). Incorporation of failures in the plant design is dealt with in Guide YVL 2.7. Consideration of failures in a nuclear power plant’s primary and secondary circuit pressure control is covered in Guide YVL 2.4.

2.5.2 Fulfilment of failure criteria

The terms single failure and common cause failure are applied in systems design. A single failure means a failure due to which a single component is unable to accomplish its function, and also the failure’s consequences. A failure occurring in consequence of an initiating event is not considered a single failure. A common cause failure means the failure of several similar components or structures in consequence of the same single event or cause.

Guide YVL 2.7 lists safety functions that must be accomplished even if a single failure occurred in a system, or in its subsystem, carrying out the safety function. Guide YVL 2.7 prescribes that the design of systems carrying out the most important safety functions shall, in addition to a single failure, also consider the simultaneous unavailability of any other component due to repair or maintenance.

In accordance with the redundancy principle, provision for failures is made by having the same function carried out by more than one subsystem. The subsystems may be mutually similar or dissimilar. It may be necessary to employ more than one subsystem to assure a safety function. The requirements of Guide YVL 2.7 are taken into account when considering the failure of subsystems.

The overall reliability of a system can be improved by increasing the number of similar, redundant subsystems. System reliability is limited by potential common cause failures, however. A common cause failure may be attributable to an error made in a component’s design, manufacture, operation or maintenance, an external event or other cause simultaneously affecting several subsystems.

In order to ward off the impact of common cause failures, and to thus improve a system’s reliability, systems, subsystems or components based on diverse operating principles shall be employed, where possible, to assure safety functions (the diversity principle, Section 18 of Government Resolution No. 395/1991). Examples of diverse operating principles are an electrically or pneumatically operated control valve, a passive emergency cooling system and an emergency cooling system equipped with pumps. In applying the diversity principle care shall be taken to assure that increased system sophistication does not nullify the increase in reliability achieved by the diversity principle. Guide YVL 2.7 lists those most important safety functions for whose assurance at least the diversity principle shall be employed. The guide also prescribes how single failure is to be considered in applying the diversity principle.

2.5.3 Separation of safety-significant systems

Systems that carry out safety functions only shall be structurally separated from plant sections serving the purpose of normal operation. Systems and subsystems carrying out the same safety function, whether or not they be similar or dissimilar, shall be separated from one another as well. These separations ensure that the possibility of common cause failures arising from external effects is very small (the separation principle). Such external effects include, among other things, floods, fires, missiles, aircraft impact and exceptional natural phenomena.

Individual subsystems can be designed such, however, that their cross-connection by operator actions is possible in exceptional situations. This requires that the cross-connection improves, and does not reduce, the reliability of the system entity and that unintentional cross-connection is reliably prevented.

Guide YVL 4.3 presents detailed design criteria for room layout plans and for separation in provision against fires.

Design criteria for separation of electrical and I&C systems are presented in Guides YVL 5.2 and YVL 5.5.

2.6 PSA based design

It shall be demonstrated by PSA methods that a plant’s design is well-balanced in terms of reliability, as per subsection 2.1. It shall specifically be demonstrated that a well-balanced design has been reached between

In addition, it shall be ensured that risks (in terms of both core melt and/or environmental release frequency and severity) are distributed between various initiating events in such a way that no individual event sequence, system, subsystem, structure or component causes a major contribution to overall risk.

Guide YVL 2.8 presents PSA-based design objectives and numerical safety goals.

PSA methods can also be used to make comparisons between various design alternatives. Examples are optimisation of the number of redundant subsystems and of subsystem-specific performance as regards safety and availability. Optimisation also includes the design of cross-connection options between subsystems to enhance the reliable operation of the system entity.

2.7 Other aspects for consideration in design

When a system connects to another system the interfaces of both shall be defined and designed such that the connection between the systems does not endanger the operation of any system carrying out a safety function. In addition, the interfaces of a safety system and its support systems shall be designed such, if possible, that the failure of the interfaces does not endanger the system’s own, or any other system’s, safety function, and so as to prevent failure propagation across interfaces.

The reliability of a safety function depends not only on systems carrying out the function proper but also on the reliability of the necessary support systems. The reliability of the main systems contributing to a safety function and the support systems serving them shall be mutually well balanced. In case provision for repairs has been made in design (ambient conditions, e.g. temperature, humidity, radiation) the making of system repairs during a safety function’s operation may be considered when analysing the reliability level of auxiliary and support systems.

3 Submission of documents to STUK

3.1 Design stages and related documents

During the design of a new nuclear power plant data on its systems shall be submitted as follows:

3.2 Preliminary Safety Analysis Report

The below descriptions shall be contained in the preliminary safety analysis reports of Safety Class 1, 2 and 3 systems and, where necessary, of Safety Class 4 systems:

The description of Class EYT (non-nuclear) systems shall be of a scope facilitating assessment of the operation of the plant as a whole.

The system’s design bases shall state what guides and standards are to be utilised in the system’s design. In addition, the preliminary safety classification of the system and its components shall be presented as well as the system ambient conditions and consequent design requirements.

Guidelines on the analyses, testing and type tests of, as well as the drawing up of qualification plans for, I&C systems can be found in Guide YVL 5.5. Guide YVL 7.11 provides guidance on the designing and qualification of a nuclear power plant’s radiation measurement systems. Guide YVL 4.3 sets requirements pertaining to fire protection arrangements at nuclear power plants.

The Preliminary Safety Analysis Report shall state how a system meets its safety requirements.

3.3 Final Safety Analysis Report

The below descriptions shall be contained in the preliminaryfinal safety analysis reports of Safety Class 1, 2 and 3 systems and, where necessary, of Safety Class 4 systems:

As a main rule, the below data shall be given of the design bases:

Class EYT (non-nuclear) systems shall be described in the extent necessary for assessment of the plant’s overall operation.

A performance specification shall present a system’s operation in situations considered during the plant’s design, as per subsection 2.2. The performance specification shall demonstrate the appropriateness of the system’s operation and the insignificance of potential detrimental side effects.

The below data shall mainly be provided with the performance specification:

The system’s performance specification, or the related topical reports, shall be of a detail facilitating the system’s analysis on their basis.

The system’s analysis demonstrates the fulfilment of its design bases and requirements. Essential analyses to be included in a safety analysis report or topical reports include among others an analysis of the system’s physical operation, a single-failure analysis, a Failure Mode and Effect Analysis (FMEA), and importance measures. The mutual order of importance of the various analysis types varies according to the field of technology.

Requirements on quality management, analysis, tests and type tests to be applied in the design of I & C systems are given in Guide YVL 5.5.

System-specific safety assessments demonstrate the meeting of the requirements set in YVL guides and other design bases and also present the reliability analyses made during the system’s design.

Separate documentation shall be submitted on the system’s periodic inspections and testing conducted during plant operation.

3.4 Systems modifications in an operating nuclear power plant

3.4.1 General requirements on documents

The pre-inspection of a system modified or added during the operation of a nuclear power plant is to be carried out on the basis of the modification’s conceptual design plan and its pre-inspection documentation. The general principle is that the conceptual design plans and system-specific pre-inspection documents of Safety Class 1, 2 and 3 systems as well as of systems whose inspection STUK requires in YVL guides or by a separate decision are to be submitted to STUK for approval. The pre-inspection documents of Safety Class 4 systems shall be submitted to STUK for information.

The submission of a conceptual design plan is not required if a system modification is so minor that it does not essentially change the system’s design basis, operating principle or task. The scope and detail of the system modification’s pre-inspection documents depend on the modification’s safety significance.

In connection with a modification, the Final Safety Analysis Report shall be amended accordingly without delay. Requirements pertaining to document amendments are given in Guide YVL 1.1. Modifications are dealt with in Guide YVL 1.8 as well.

3.4.2 Conceptual design plan

The contents of a system’s conceptual design plan shall mainly be equivalent to that of the Preliminary Safety Analysis Report. In addition, the conceptual design plan shall contain the below descriptions:

In connection with systems modifications, the conceptual design plan shall also consider a modification’s impact on the entire facility’s risk assessment.

3.4.3 System pre-inspection documents

A system’s pre-inspection documents shall mainly contain descriptions equivalent to the contents of the Final Safety Analysis Report. In addition, the system’s pre-inspection documents shall contain

A pre-operational testing programme relating to the system’s test operation shall be submitted to STUK for approval, as per Guide YVL 2.5.

4 References

  1. IAEA, SS Nro 110, The Safety of Nuclear Installations, 1993.
  2. IAEA, 50-C-D, Safety of Nuclear Power Plants: Design, 2000.
  3. IAEA, 50-SG-Q10, Quality Assurance in Design, 1996.
  4. INSAG-10, Defence in Depth in Nuclear Safety, 1996.
  5. INSAG-12, Basic Safety Principles for Nuclear Power Plants, 75-INSAG-3 rev.1, 1999.
  6. IAEA, DS309, The Format and Content of Safety Analysis Reports for Nuclear Power Plants, DRAFT Safety Guide-Version 3.