Safety standards. And this important concept... it does not hurt, so it can be fixed in your mind a little better. I will talk about the engineering aspects in the IAEA safety standards. So I will try to limit my discussion to what is in the Agency safety standards, so what is the Agency position. In technological fields you can really have different approaches, different solutions, so I try to follow as much as possible what is in the standards of the Agency, the requirements and the safety guides. So I will try to explain what is, in our view, the difference between safety assessment and safety analysis: what we call safety analysis and what we call safety assessment. Then some very short considerations on how, or rather where, the engineering aspects are addressed in the safety analysis report, and then something on the evaluation.

So the term "engineering aspects", or "engineering aspects important to safety", was used for the first time, at least in the Agency standards (because it is a general term, so you don't really need a standard of the Agency to address this), in NS-G-1.2, Safety Assessment and Verification for NPPs. This was the first standard where there was a distinction, at least an attempt to put some order in the safety assessment and in the safety analysis. Now these things are codified in the requirements, so there is no confusion anymore. This term is never used in SSR-2/1, you never find this term, but you find a lot of requirements that address these aspects.
The term "engineering aspects" (they don't use the words "engineering aspects important to safety", but since it is in a safety requirement it is something related to safety, so it's obvious) is used explicitly in the safety assessment for facilities and activities; it is one of the requirements that Tony showed this morning. Don't get upset with me if I keep showing this, but in this figure there are a lot of messages. Going back to requirement number eight, it is evident, violet here, that it is prevention of accidents, you see. So the strong effort for achieving the main objective is prevention of accidents. How do you prevent the accident? Can someone tell me just how you prevent an accident? How is the microphone? I think maybe let's collect a few positions, then I can articulate a little more. Do you need accident analysis to prevent the accident? I want to have a problem, to start to study the problem and improve the engineering problem or solution, to try to avoid the problem you could imagine in the past. What are the problems first? What kind of problems do you want to avoid? Release of material to the environment. We have a name for these problems. One is called failure: you don't want your equipment to fail. And the other one is malfunctioning: you don't want the parameters that you have in normal operation to go outside of the range. These are. If you keep the parameters in the range and nothing breaks in your plant, you don't have any accident. So most of your effort should be to prevent failure and prevent malfunctioning. That means you want to produce what we call a robust design. Robust, strong design. The problem is how you do this. You do this through a strong implementation of all these engineering aspects that affect the quality, the strength of materials, the margins, the proper implementation of the defense in depth. So this is what you have to do.
So, dealing with nuclear safety, most people think... there is one strong message, that is a very simple message; I think it's the only message in this presentation. People very often focus on, they confuse, the terms safety assessment and safety analysis with transient and accident analysis, thermal-hydraulic calculations. This, of course, is a relevant part; it is recognizing the defense in depth. If something goes wrong, you have to know what you are doing. But first of all, you have to avoid that things go wrong. So that is what we are talking about in this presentation this afternoon. And that is how Principle 8 is spelled out: all practical efforts must be made to prevent, and also to mitigate, accidents. But first the effort should be in prevention. So we should not forget this. And then how do you prevent? You see: a strong implementation of the defense in depth, an effective management system. These are quite general concepts that you are very familiar with, I'm sure. But you see: adequate site selection; incorporation of good design and engineering features providing safety margins, diversity, redundancy, all engineering rules that are aimed at preventing, mostly preventing, accidents; design, technology and materials of high quality and reliability; control, limiting and protection systems; surveillance features; and so on. So there are a lot of engineering rules that you have to apply, an engineering approach that you have to apply in the design, really mainly to prevent. Of course the engineering aspects are cross-cutting, because you design with good engineering rules also the protection system, also the containment, everything. So they affect also the mitigation of accidents, but mostly they are important for prevention, because this is where the big effort should be made. This is the slide.
I just want to show how this term, engineering aspects, enters in our standards, because very often our standards are not fully consistent, so in some cases the family of engineering aspects is quite small, in others it is quite larger, but I don't think it's very important. You see here, this is the flow for the safety assessment, and you see the safety assessment includes the safety analysis: the safety analysis is a part of the safety assessment, and then there are other aspects that we have to take care of. And one of these is the engineering aspects. So, for example, human factors are not considered as an engineering aspect in this standard, but they are something that is important to safety. So really this distinction, for our purpose, is not very important. But what this slide shows is: we have engineering aspects, another aspect, and we have safety analysis, that is another point. I will come back to this, because this, I think, is important. And you can see here that this distinction between safety analysis and safety assessment was also introduced many years ago in this safety guide, NS-G-1.2. So the safety assessment is general. You have to have this in mind, at least in the language of the Agency, because in other places they can have different definitions. But when we talk about safety assessment, it is a general assessment. It's an assessment of the safety of the plant, of everything. When we talk about safety analysis, we talk about deterministic and probabilistic analysis, and this analysis normally is limited to transients and accidents. So we have a fault, we have an evolution of this fault, consequences and probability, and we are able to calculate, with a deterministic method, the consequences of this fault to determine what is the status of the plant at the end, or at some point, of this sequence. And with the probabilistic method we can associate a number, the probability, to reach that situation.
So with safety analysis we are talking about accident analysis and we talk about transient analysis. With the other part, the assessment of engineering aspects, we talk about many other aspects, some of which have been mentioned this morning: the proven engineering practices, how the defense in depth is implemented, radiation protection, the safety classification, the protection against internal and external hazards, the loads and load combinations that we use for the design of the systems, how we select the materials, the single failure criterion, redundancy, equipment qualification, ageing and human-machine interfaces. So all these aspects should be considered to rate the safety of a plant, to make a complete safety assessment. The analysis of the accidents, the analysis of the transients, is very important, but it is a part. It's not the full picture. Because if I have a very good system but I have an accident every day, every day I have a failure, this is not a safe plant, of course. So first of all, all effort on prevention, good design; then the assumption that something can go wrong anyway.

So we have seen this morning that this is a standard that is for the design and for the assessment, and this can be used also to assess the engineering aspects, because there are requirements for each of the engineering aspects that I mentioned to you. Designing structures, systems and components according to the requirements that are established for the engineering aspects provides a robust design; that means a strong prevention of failures and effective protection of people. The assessment of the engineering aspects ensures, together with the safety analysis, that all the acceptance criteria are met and the plant performs as intended from a safety point of view. So there are two very important aspects in the assessment, and one is the assessment of the engineering aspects. Keep this in mind. So this is how the problem is addressed in requirement ten of GSR Part 4.
It shall be determined in the safety assessment whether a facility or activity uses, to the extent practicable, structures, systems and components of robust and proven design. And then you see there is a list of all these aspects that we have already seen, so we don't have to go through this again. And in this standard, in addition to the engineering aspects, there are other aspects, but we can treat these two families together, because really the subdivision is artificial. So this again is the equipment that we have to design observing and following all the rules for the engineering aspects. But don't forget that when we are talking about safety we are dealing only with items important to safety: items that, if they fail, have radiological consequences, direct or indirect. There is one consideration to make. You see in this figure: this figure here reflected the situation in NS-R-1, the old requirements for the design. This was the equipment. Now in SSR-2/1 we introduced the design extension conditions. So also this figure needs to be amended. But it still has not been done in the glossary of the Agency, because also the safety features for design extension conditions are items important to safety. Also in general they can have an I&C part, actuation systems and support systems. Why do we have to consider them separately and not together? Because the design rules that we are going to follow are different. We don't design with the same approach and the same rules. We mentioned this morning that we have a conservative approach in designing these. We have a best estimate approach in designing these. We require the single failure criterion here. We don't require the single failure criterion there. And then also when we classify (we will discuss this a little more tomorrow), when we classify these systems they fall in a different safety class.
So it is important to keep these two things separated, but unfortunately in the glossary of the Agency you still find this old figure; it has not been changed. But this should be done.

Then, where do we have to provide the demonstration that all these engineering aspects are addressed correctly? It has to be done in the safety analysis report. I think most of you have experience with the safety analysis report, and according to what I said before it should be called safety assessment report rather than safety analysis report, at least in the language of the Agency, because this is a general document that covers everything, not only the accident analysis. But it is tradition to call it safety analysis report, so we refer to the safety analysis report. So here we have a standard of the Agency, GS-G-4.1, and it is the format and content of the safety analysis report for nuclear power plants. So it is a safety guide, a standard at the level of safety guide, that gives you the information on what has to be included in the safety analysis report. And then I will ask you: in this list of contents, where do you see the engineering aspects important to safety that we mentioned before, in which chapter? Can we start? Chapter one is the introduction, that we can skip. General plant description, yes or no? There are three possibilities. Of course they are not addressed in all. You see there is one chapter... so let's say that we have here the structure of the Agency (then I will show other structures), but in the structure of the Agency we have 15 chapters, and we have chapter six, for example, that is a single chapter but addresses all the major systems of the nuclear power plant.
They are all together: containment, emergency core cooling, emergency systems, the reactor core, the primary cooling system are all addressed in the same chapter. So that is the reason there are only 15 chapters. But you see the safety analysis is one chapter, that is chapter seven in the safety guide, and I would say that the engineering aspects are addressed in the general design aspects, because there are the general aspects that are applicable to all systems; here, in the description and conformance of the design of the plant systems, where there are typical aspects for each; then there is radiation protection, if we include radiation protection, if we consider radiation protection also as an engineering aspect, so we have to do this; and probably radioactive waste management. So these are the main chapters. So they are distributed in the safety analysis report, but they occupy a large fraction of the safety analysis report.

Here on the left side is the old regulatory guide structure, the old NRC Regulatory Guide 1.70. Now this regulatory guide is not updated anymore by the NRC, but I think it really deeply affected the structure of the majority of safety analysis reports in the world; all of them took inspiration from this guide, and the reason is that the guide is very detailed: its chapters, sub-chapters and sub-sub-chapters are described in very much detail, and so people were much helped, and they had also the reference of the safety analysis reports prepared in the United States to prepare their own. So this was one of the most followed. And here in this you see, from 3 to 10, these in blue are all the chapters that address the engineering aspects important to safety, and if you compare this with the structure of the Agency we have them mostly in 5 and 6 (unfortunately, I don't know why, it doesn't appear at the bottom). And then in the guide of the NRC we have the accident analysis, where all the accidents are analyzed, in chapter 15, and the equivalent in the Agency is chapter 7. So I say these things because most of the safety analysis reports that you can experience are very much closer to RG 1.70 than to the structure of the Agency, so it's important to know this.

Then the NRC stopped updating this guide. Regulatory Guide 1.70 was published in 1978, so it's a very old document, but it has been used as a reference by many countries. Now, of course, over the years the NRC changed the approach to licensing, and now there is the combined licence application, and another regulatory guide has been prepared that is a sort of replacement of RG 1.70; it is RG 1.206. And in this guide two additional chapters were included: one on human factors, nothing was in RG 1.70 at the time, and one on probabilistic risk assessment and severe accidents; also this was not addressed in RG 1.70. There, accident analysis is deterministic safety analysis only; in the Agency the accident analysis, the safety analysis, is probabilistic and deterministic, in one chapter we have both.

Another very important document that I think can be useful, and is also universally recognized, is what is known as NUREG-0800, the Standard Review Plan. These are practically the rules on how to review a safety analysis report. If you follow this you make a complete review of all chapters of the safety analysis report; of course you do this following the rules of the United States, because this is an American product. If you have different regulations you have to be a little flexible, but this is a very complete document. And another, I would say positive, aspect: this document is constantly updated. So it's available on the web; if you go there you find the latest version; if something is produced in a week it will be updated. So it's a good reference. So I think, whatever your regulations are, if you are involved in the review of any chapter of the safety analysis report, to have this on your desk can be useful. That is the reason I mentioned the documents of the Agency.

Now I am going through some of the main, important engineering aspects and recall basically the requirements. It will be a little boring presentation, so be ready. What are the major aspects? And then in the following days we will consider these again, not all of them, the relevant ones, and in dedicated lectures we go much deeper, for example in safety classification, in equipment qualification, internal and external hazards, human factors. So we have a lot of lectures on the different aspects, so we have the possibility to go a little deeper and ask very detailed questions to the lecturers.

Regarding the proven engineering practices: all items important to safety shall be designed in accordance with the relevant national and international codes and standards, because the national and international codes reflect the good practice, they reflect the experience, and they contain very detailed design rules. So it is the easiest: we don't have to reinvent the wheel every time. If you have to design a pipe, the primary pipe, or you have to design a vessel, you don't have to invent a rule; these things are already codified, you find a very recognized standard, very high level, and you can follow this. You are confident that your design is correct, and also the safety authority can check if you follow some recognized standard and doesn't need to criticize the standard. So it's a good way. Unfortunately this is general, and for the majority of the equipment you have in the plant you have codes available, but when you start modifying, producing new concepts, new designs, and you really introduce new technologies, then maybe you don't find the codes, because the codes are prepared after, they follow the evolution of technology, they do not anticipate it. And so maybe you are forced to make new assumptions, to design new equipment. So in this case of course you need research, you need testing, you need a specific qualification procedure in order to prove that also this newly designed equipment meets the requirements you want, that you set at the beginning. Of course, following and using all the existing experience, using the existing codes, is the easiest way, but it's not always possible. And there is also this: the application of the codes should be done with intelligence, because it should be understood what the code is for, and whether the code that you are using is actually the code that you need for your design, for your piece of equipment. So you have to know what is in the code and you should know the applicability of the code. It's not just take a code and follow; maybe then you use the wrong one. So, but that of course is a responsibility of the designer, and the responsibility also of the safety authority that makes the review of your safety analysis report, to see that if you make reference to some codes, these are the right codes for that structure, system and component.

For defense in depth we already said several things, but this morning we presented defense in depth as a concept from which the safety requirements originate. But in SSR-2/1 there is a requirement that says your design shall follow the defense in depth; this is not something you are free to do or not. You have to do it, and you have to follow the defense in depth in the concept that is illustrated in the document. So you have to design very well for normal operation; you have to design for anticipated operational occurrences and you have to have systems to deal with this situation; you have to design for design basis accidents, you have systems to deal with this situation; you have to design for design extension conditions and you have to have systems for this. So that is the meaning of the application of the defense in depth. But I don't want to bother you too much. We already mentioned this morning the independence of levels, but I would like just very quickly to mention again here the independence of the levels of defense in depth, because this has a very strong impact on the design. It implies the addition of other systems, it implies a new design to make completely independent the auxiliary systems, the supporting systems, like the power supply, compressed air supply, some cooling. It is a big impact. This requirement is not in the current, sorry, SSR-2/1, but is in the revised version; this is in addition to the current requirement, it is in the revised version that will be printed very soon. So the levels of the defense in depth shall be independent, as far as practicable, to avoid the failure of one level reducing the effectiveness of other levels. Because you know, if the failure of one level causes the failure also of other levels, the defense in depth that is organized in different levels is completely ineffective. You have more levels because the subsequent level has to deal with the failure of the previous one; if they fail together, goodbye. And that is practically what happened in Fukushima. So in particular the safety features for the design extension conditions (this is required especially for the features for mitigating the consequences of accidents involving core melt, so a severe accident) shall be, as far as practicable, independent of the safety systems. So the factors that affect the independence we already mentioned: the sharing of systems. We will never have complete independence, because there are always some common parts; at least there are common structures, different safety systems are supported by the same concrete structure, and in many cases also they are not completely independent. So, as far as practicable, this should be achieved. And typical examples are the common power supply, the common cooling system, the common structure and the exposure to common cause failure. To be really independent they should be also independent with respect to external and internal hazards, as much as possible.

So this is something... Radiation protection. Of course all the measures should be implemented in the plant to protect the workers and the people, but there are two aspects of radiation protection, because when we talk about accident analysis, for each accident we calculate the release: practically you start from a fault and you end with the release to the environment following this accident. So the radiation aspects for the public, the people outside of the plant, are in the safety analysis part, in the accident analysis. So the radiation protection of the people is addressed in the accident analysis part of the safety assessment report. And of course there are different situations that also are considered. One is normal operation: the plant working normally during the year and releasing, and the releases and doses should comply with the prescribed limits and should be as low as reasonably achievable, that is ALARA. So there are prescribed limit values that the safety authority tells you is the maximum release that you can have, per day, per year, per month, it depends. So during normal operation, because also in normal operation the plant produces some radioactivity, and this radioactivity should be in a way or another eliminated, but the quantity that we can release to the environment is established, the maximum value, by the safety authority, and this also should be proved and demonstrated in the safety analysis, and should be in the safety analysis report, because this is the dose that the members of the public experience more frequently, because the plant operates every day; the accident may never happen in the life of the plant, hopefully. So these are the doses that the members of the public are subject to. Then for the accident conditions, here the approaches are not always the same. The releases and the doses evaluated in the accident analysis should comply with the acceptable limits; you see we switch the term from prescribed limits to acceptable, because for the accident conditions, of course, the public should be always protected, so the public should never have doses that exceed the limits established by the international bodies like ICRP, like the Agency. But during accident conditions this is quite difficult to demonstrate, so the safety authority can in some cases accept some values, but they cannot impose, they don't normally impose this value, but they give this indication, a target: you should not exceed this value. So in this case, while the prescribed limits are normally the same almost everywhere in the world, one or two millisieverts per year, the release in the accident is not, so the approach is not so uniform. But what I want to say is that we are dealing with the protection of the public and the environment in the accident analysis.

Regarding the protection of the workers, the situation is a little different, because normally in the safety analysis report there is a dedicated chapter to this aspect. So all the aspects related to the protection of the workers in the plant are in this chapter, and I will go through very quickly what is the content of this chapter. All actual and potential sources have to be identified. The materials have to be selected to minimize activation. The generation and transport of corrosion products and activation products shall be controlled. Provision shall be made for preventing the release or dispersion of radioactive substances inside the plant. The plant layout should ensure that areas with radiation hazards and possible contamination are adequately controlled. So all of you that have the experience of entering a nuclear power plant: there are some areas that are blocked by a door, you need a specific pass to go in, you need some instrumentation for the measurement of radiation when you enter this area. But this is for people in the plant. The plant shall be divided into zones related to aspects of frequency and radiation level. So there are normally in the plant different zones with different colours, and they are separated from each other. So I think if you have the experience of entering a nuclear power plant, this is a quite general rule; I'm sure that you have seen this. Shielding shall be provided to reduce radiation levels. Equipment subject to frequent maintenance or manual operation shall be located in areas of low dose rate; of course we cannot roast the operator that has to go to maintain a very radioactive component. And facilities shall be provided for the decontamination of personnel, and equipment shall be provided for radiation monitoring in operational states and accidents. These are all the aspects that you will find in the chapter dedicated to radiation protection. As I said before, this chapter deals with the protection of the workers in the plant.

Then another important aspect is the safety classification. I just mention the basic concept here; tomorrow we are going into a little more detail on this. So all items important to safety shall be identified and shall be classified on the basis of their function and their safety significance. That means you have to imagine that each piece of equipment in the nuclear power plant has a label attached that tells you if this is important to safety or not; if it is important to safety, it has a number, a letter, whatever, that indicates the importance to safety of this component. So that should be done thoroughly through the plant. So we have to measure, we have to rank the importance to safety. How to do this? This is not an easy task. In the requirements we give some criteria, at least in general terms; then in the safety guide we try to be a little more specific. But you see what are the considerations to rank the importance to safety. First, what is the safety function to be performed by that item. Second is the consequences of the failure to perform the function: if this component or structure fails, what is the radiological impact? Because we have to realize that not all the failures are the same for the consequences: some can cause limited consequences, some large consequences; some can happen very rarely, some can happen more frequently, and this is another criterion. And then we have also something related to the time: some components, some systems have to react very quickly in case of an accident, and so they should be automatically initiated, should be very reliable, and they should provide their performance in a very short time, so they should be designed for this; other systems maybe are equally important but maybe are needed much later, so there is more time, the system can be operated manually by the operator, because the operator has time to understand the situation and has the procedure to start this equipment. So these are the four criteria that we are giving in our safety standards.

So the safety classification: why is it important? Because it affects the design rules. An item in safety class one is designed normally with more stringent rules than an item in safety class two. (Probably the equipment... I don't know, there is a telephone interfering.) And so the equipment in different safety classes has different safety margins; they are subjected to different testing and maintenance rules. So there is a big impact on this. So classifying one component in one class rather than in another has a very strong impact on the cost: immediate cost in the design and manufacturing, but also cost during the life of the plant, because it could require more interventions. So you realize how this is something very important. And also because of this we had a lot of problems in the Agency to prepare the safety guide on safety classification, because there are different approaches in different Member States, and they are not really keen to change their approaches just because we write a rule in a standard of the Agency. A very sensitive subject.

Then we have the protection against internal and external hazards. Of course the requirement says that all foreseeable internal hazards and external hazards, including the potential for human induced events affecting the safety of the plant, shall be identified and their effects shall be evaluated. So hazards shall be considered for the determination of postulated initiating events and for generating loadings for use in the design of relevant items important to safety for the plant. But you realize that the hazards are not the same for all plants, because the internal hazards, those that are generated inside the plant, like a fire, like an internal explosion, like forces due to pipe breaks, pipe whips, falling of objects, all these that are in the family of the internal hazards, depend on the specific nuclear power plant, the specific design. But the external hazards are extremely related to where the plant is located, to the site. So for each site we need a careful evaluation to determine what is really the hazard, what are the different hazards for that specific site, and from this hazard analysis then the designer, according to the rules established by the safety authority, will determine what is the specific value of the external events that he has to consider to design the structures. For example, if you have the seismic hazard analysis, you have a curve that is the result of the analysis, where you have for example a magnitude of the earthquake against the frequency: so you have very low frequency, very high magnitude, then the frequency increases and the hazard... you are familiar with this, the hazard curve. Now which value are you going to use for your design? Of course there are different approaches, but normally you use a value that is in the range, for example, of a return period of ten to the minus four; that is the rule that people are following now, at least for some equipment: the magnitude of this earthquake. And then of course you make the conservative considerations, the margin and whatever, and at the end you say this is my design basis earthquake, I have to design my system, or this family of systems, with this earthquake. That means I have to consider the loads of this earthquake and design for these. But the plant is not subjected only to the loads of the earthquake; at the same time there are other loads. Think about pressurized components: there are loads generated by the pressure, loads generated by the temperature or gradients of temperature, and we have to combine these loads with the seismic load, because the component has to continue to function, or should not break, with all these loads combined. So these aspects are very important, but there is a very wide literature on this and there are codes, so these are addressed in detail; you can find a lot of information.

So for our purpose in this introductory lecture we just mention what the internal hazards of interest normally are. First is fire, explosions, flooding; we are talking here about internal flooding, so floods that are caused by faults: we have a tank full of water, the tank breaks somewhere and you flood something. So these are the internal hazards. Then we have missile generation: we have rotating equipment, so you can have missiles, or it can break, pressurized components can break and then generate missiles, and so on. Then you have collapse of structures, so things that are falling down; if there is this risk, you have to avoid that items important to safety are below things that can fall. A particular case is the spent fuel, the pool where you store the spent fuel: you always avoid moving heavy objects on top of this fuel; there are many, many regulations that really oblige you to follow this requirement: heavy loads should not be moved on top of this equipment when there is fuel in the pool. Then the pipe whip: when a pipe breaks it can hit some other components and cause the failure of other components, especially if there are cabinets, instrumentation, that can really be destroyed by being hit by the broken pipe, or jet impact, when you have a release of high pressure fluid. So all these things should be considered. So for each area of this you have to make an analysis of what are the potential hazards that you have, and then put measures for each one; these are rather well codified measures to implement. This should be described in the safety analysis report. If you review the safety analysis report you have
to check if the identification of the hazard is complete and you have to check if the measure implemented for each hazard are effective so the external hazard we have a category of natural and human induced also this I think you know very well the meteorological events in the natural so heavy rain snow ice heavy wind hydrological events geological events seismic events and human induced and we have I would say that all these external hazard there is one chapter normally in the safety analysis report for example chapter 2 in 170 is dedicated to the site evaluation so all these consideration on external event you will find in detail and should be in detail described in that chapter for human induced we have the aircraft crashes also this depends where the plant is located and what you consider depends on the specific regulation of the country fire, explosion missiles outside of the plant of course and the releases of toxic maybe you can have railroad passing by your plant and on this railroad maybe it can be some dangerous fluid or material can be transported and so can cause can have an impact on the nuclear power plant I think we have a dedicated lecture also on the external events and one on the internal hazard so you will go to this in much more detail so here how what we do to protect against internal hazard just is very simplified list of topics so we say items important to safety shall be designed and located to withstand the effect so this is very easy to say this is a requirement because we know that these hazard exist so our equipment should be protected hazard for example fire, flooding or earthquakes this is something very specific of the eyes very important could potentially impair several level of the defense and what is serious that another think about an earthquake is shaking it breaks a pipe so it's causing an accident but at the same time if the earthquake is strong enough can cause also the failure of your safety system to deal with that break so 
you know you lose different level of the defense at the same time so the analysis of these hazards and implementation on the design are very very important and the hazard normally are really origin of the common cause failure so effective protection against fire requires for example prevention of fire so it should not accumulate material combustible material to have detection system and the limitation of the consequences creating separation and protected area so these are also rules implemented in the conventional industry I mean it's not something civil buildings that is specific for nuclear power plant but the attention nuclear power plant because of the potential consequences of course should be much more the design shall provide for adequate margin against level of external hazard derived from the site evaluation why this? because the determination of the hazard in the site especially when we are talking about event that are frequency of tennis minus four or minus five are very rare so the uncertainties in determining these values even with most advanced technology and knowledge is as always large uncertainties so we should be aware when even the best institute for whether the best seismologist of the world give you a value take it a little more just in case so this is the approach that is recommended here the determination of rare event is by nature affected by very large uncertainties always this is in the nature of the human world the reliability of items important to safety and also the reliability shall be commensurate with the safety significance so that means if you assign a structural system or component to a safety class implicitly you are imposing a reliability on the system and reliability on components because they go together so so that means that the structure important SSSC is important to safety shall be designed qualified, procured commissioned, operated and maintained to withstand with sufficient reliability the conditions specified in the 
design the potential for commo this is always the most tricky part the potential for common cause failure shall be considered in the application of redundancy diversity and independence so these three factors redundancy, diversity and independence are the means to achieve reliability for your desk to improve the reliability of your system in different conditions then the single failure criteria shall be applied for safety group this is the way written in our requirement and the principle of failed, safe design shall be considered and incorporated into the design of system and component do you know what the failed, safe design is what is the concept of this is I think nuclear engineer should know this at least can you someone explain to everybody can you try what we mean if we say fail safe fail safe is when system failure it fails in a condition that is favorable to the safety I mean the situation that you reach after the failure is a safe situation there are many examples one example is if you have an isolation system so you want to isolate if in case you have an accident or an event you have to isolate a line or a containment or whatever you make this isolation devices in such a way that something goes wrong they lose the power or they lose the compressed air they shut the line so you go in the isolation status that is what you wanted to achieve but also this can be very tricky because what can be you want in some situation could be avoided in the other so it's not so straight the application of this criteria in general we can say that but you know can also counter effect so should be consider very carefully because there are some lines you don't want to isolate in some situation so it's better that in this case it doesn't work but of course there are considerations to do but this is as a general approach is something to consider so something goes wrong for any reason and you achieve a status that is safe so also this in general should be for this is all these 
are topics that are related to the reliability then we have another requirement on calibration testing maintenance and repair probably also this will be addressed maybe tomorrow after the coming days so the calibration testing maintenance repair replacement inspection and monitoring items important to safety items important to safety shall be designed to be calibrated tested, maintained, repaired replaced, inspected and monitored as required to ensure their capability and performing the function along the life of the plant so it should be something important for safety you have to ensure the functionality of this equipment so this equipment should be periodically tested maintained and checked that is that are providing even after many years of life of the plant still providing the function if required provide the function as intended the design shall be such that these activities can be performed according to relevant codes and over the lifetime of the plant and without undue radiation exposure to the workers these are some general things to have in mind for calibration, testing and maintenance during power operation the plant design shall be such that these activities are facilitated and performed with no significant reduction of the system reliability also this requirement has a strong impact on the design I think something was mentioned by Tony this morning if you want to test for example a redundant system that means simple redundancy 2 2 trains that can perform each 100% of the performance that is necessary and you want to test one of this during the operation you are forced to disconnect this system during the maintenance so that means that is in the period of time you have only one so in this period of time your single failure criteria is not valid you are operating the plant without adding a safety system responding to the safety to the single failure criteria so what do you do in these cases there are different solutions you can prove that the maintenance 
time is very short and it doesn't affect globally the risk of the plant or another solution more practical and now adopted at least for many systems do put another one so you put three systems so even if you have one in maintenance you have the single failure so there are different ways to deal with this problem but you see when you I'm telling you these things but if you have in your profession you have to write a safety analysis report or to review according to your role safety analysis report these are all the aspects that you have to consider you cannot forget any of these equipment qualification all these are very very important I think also on this if I'm not wrong we have you are going to give a lecture on equipment qualification so you will have all the details tomorrow so qualification program and if you are familiar what is the qualification qualification is really the demonstration the practical proof just to say in in a few words that the equipment is going to perform under all the possible condition that you can postulate is going to perform as wanted if you want a pump make an example to work even under an earthquake or after an earthquake you have to prove that this you have to really to have confidence that this pump can can really work as wanted under the earthquake how can you do this of course now there is a lot of experience you can refer to similar equipment similar design rules but there is a very practical way is just to test it in a real situation for some structure for some situation is possible to do this I am sure that you have seen several times these big components that are on shaking table that is reproducing earthquake and then you can check if really keep the component whatever keep working and functional as desired under this condition of course you can do the same with radiation temperature humidity for all the conditions that can occur during the life of the plant during an accident and when the component or whatever the system is 
expected to work so this is very so the qualification is a science because there are different methods so I think you will hear tomorrow more than this but the qualification precise qualification is one of the most common other things you can qualify for high temperature for fire and so on this is also very important aspect that should be addressed in the safety and hazard report first of all you should know what are the most severe conditions and combination of conditions to which your equipment is subjected and then prove that it works as intended aging and wear out of course during the life of the plant the characteristic of the plant many of the characteristic of the plant are degrading are changing because the material is getting older some material that are very much subjected to the variation of the properties and there are the material of course is exposed to cycle mechanical cycle thermal cycle neutron irradiation this is maybe tomorrow talking about the coolant system the vessel we will say something more on this so really the mechanical properties the electrical properties the insulation properties of the materials are changing with time so you have to predict this and include also in this case and also to have the possibility to replace and to maintain this during the life of the plant but this is something that you have to consider this is becoming more and more important because now there is the trend to extend the life of the plant before talking about 30 years when I was a student was 30 years now it's 60 years so it's growing expect the life of the plant in 60 years what can happen some components some materials is a very long time so you have to have the possibility to deal with all these aspects then human factor so this is another very important aspects then the systematic consideration of human factors including human machine interface shall be included at the early stage in the design process and shall be continued through the entire process 
also this there are a lot of experience the modern plants of course are much better than the old plants and so there are a lot of rules and there is really wide literature dealing with aspects but some as a general rules the need of intervention and the operator on a short time shall be kept to a minimum may ask you why why you think the operator should act as less as possible yes of course to but why is not reliable the operator very well trained he studied a lot he was trained in the the simulator yeah he had a fight with the wife maybe then he came to the nuclear power plant because the human is the less reliable in the scale of reliability the first are inherent features in the plant because these are intrinsic to the physics these are very reliable gravity cannot be cancelled and heat transport is the same or some neutronic phenomenon so these are intrinsic but you can rely most on this and your design should rely first on these intrinsic characteristics on physics second are the passive systems in the scale of reliability then there are the active systems the last one is the operator so is the weak point of the chain the operator so you should really of course the operator is very important but should be used and should have the time to think time to to recall what the procedures are for that specific situation should have the possibility to understand exactly what is going on because this in some cases is not so simple and and so this is and normally the trend is now the approach is to delegate to the operator most of the action in the long term in the long term the very quick action normally they can special during accident condition by automatic system this is valid at least for the reactor that we are considering what the reactor like pressurized water reactor boiling reactor there are other type of reactors maybe this not applies 100% what they said but for this reactor this is the trend so the operator is requested to act for long term when the 
situation is already clear and less critical and the intervention can be correct so the design shall be operator friendly the working environment shall be designed according to ergonomic principles so should not put something that cannot be reached the human machine interface shall be designed to provide the operator with comprehensive but easily manageable information compatible with the necessary decision so these are very general requirement that I just recalled in this introduction then there are still other other engineering aspects that I did not include because this is every presentation with all these rules I don't have any figure here any nice picture so let's try to limit but I think in the coming days you will reconsider most of this in much more detail if I'm not wrong this is the last one yes before concluding I think that you register the message I want to give you as I said at the opening is that there are several factors that affect the safety of your plant and you should not forget any of this analyzing very well accident making this beautiful transient and put the frequencies is something very important but it's not the only thing first you have to do very good engineering in your plant to avoid accident to prevent accident so this is the point prevention first ok, thank you
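The following is a small worked example added after the lecture; it is not part of the lecturer's material and comes from no real site or plant. It puts two of the points above into code: reading a design-basis value off a hazard curve at the 10^-4 annual frequency the lecturer mentions and then applying a margin for the uncertainty of rare events, and checking the single failure criterion for two 100% trains versus three 100% trains while one train is disconnected for maintenance. The hazard curve points, the margin factor of 1.4 and the train counts are constructed for illustration.

```python
"""Constructed worked example (not part of the lecture): a hazard-curve
design-basis pick with margin, and a single-failure check during maintenance."""
import math

# Constructed seismic hazard curve: (peak ground acceleration in g,
# annual frequency of exceedance). Higher magnitude, lower frequency.
# Illustrative numbers only; a real curve comes from the site evaluation.
HAZARD_CURVE = [
    (0.05, 1e-1),
    (0.10, 1e-2),
    (0.20, 1e-3),
    (0.35, 1e-4),
    (0.55, 1e-5),
]


def magnitude_at_frequency(curve, target_freq):
    """Read the hazard level whose annual exceedance frequency is target_freq,
    interpolating log-log between the two bracketing points of the curve."""
    pts = sorted(curve, key=lambda p: p[0])
    for (m0, f0), (m1, f1) in zip(pts, pts[1:]):
        if f1 <= target_freq <= f0:
            t = (math.log(target_freq) - math.log(f0)) / (math.log(f1) - math.log(f0))
            return math.exp(math.log(m0) + t * (math.log(m1) - math.log(m0)))
    raise ValueError("target frequency lies outside the hazard curve")


def design_basis(curve, target_freq=1e-4, margin=1.4):
    """Design-basis value: hazard level at the chosen return period, scaled by
    an assumed margin factor (1.4 here, illustrative) to cover the large
    uncertainty that affects the estimate of such rare events."""
    return magnitude_at_frequency(curve, target_freq) * margin


def single_failure_criterion_met(n_trains, capacity_per_train,
                                 n_in_maintenance=0, required=1.0):
    """True if, with n_in_maintenance trains disconnected AND one further
    postulated single failure, the remaining trains still deliver the
    required fraction of the safety function (1.0 means 100%)."""
    remaining = n_trains - n_in_maintenance - 1  # subtract the single failure
    if remaining < 0:
        return False
    return remaining * capacity_per_train >= required


if __name__ == "__main__":
    print(f"design basis PGA: {design_basis(HAZARD_CURVE):.2f} g")
    for n in (2, 3):
        ok = single_failure_criterion_met(n, 1.0, n_in_maintenance=1)
        print(f"{n} x 100% trains, one in maintenance: single failure criterion "
              f"{'met' if ok else 'NOT met'}")
```

With the constructed curve the 10^-4 point is read directly (0.35 g) and the margin lifts the design basis to 0.49 g; the train check reproduces the lecturer's point that two 100% trains no longer satisfy the single failure criterion once one is in maintenance, while three do. The same function also covers partial-capacity trains (for example four trains at 50% each), which the lecture does not discuss.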