1.34. The results of the analysis of design basis accidents should be used in the determination of the critical design parameters.

1.35. The design basis accidents for the containment systems are the set of possible sequences of events selected for assessing the integrity of the containment and for verifying that the radiological consequences for operators, the public and the environment would remain below the acceptable limits. The design basis accidents relevant for the design of the containment systems should be those accidents having the potential to cause excessive mechanical loads on the containment structure and/or containment systems, or to jeopardize the capability of the containment structure and/or containment systems to limit the dispersion of radioactive substances to the environment.

1.36. All evaluations performed for design basis accidents should be made using an adequately conservative approach. In a conservative approach, the combination of assumptions, computer codes and methods chosen for evaluating the consequences of a postulated initiating event should provide reasonable confidence that there is sufficient margin to bound all possible

results. The assumption of a single failure[2] in a safety system should be part of the conservative approach, as indicated in Ref. [1], paras 5.34-5.39. Care should be taken when introducing adequate conservatism, since:

— For the same event, an approach considered conservative for designing one specific system could be non-conservative for another;

— Making assumptions that are too conservative could lead to the imposition of constraints on components that could make them unreliable.

1.37. Changes resulting from the ageing of structures, systems and components should be taken into account in the conservative approach.

1.38. All evaluations for design basis accidents should be adequately documented, indicating the parameters that have been evaluated, the assumptions that are relevant for the evaluations of parameters, and the computer codes and acceptance criteria that were used.

1.39. These evaluations should cover, but are not necessarily limited to, the following:

— The mass and energy of releases inside the containment as a function of time;

— The heat transfer to the containment structures and those to and from components;

— The mechanical loading, both static and dynamic, on the containment structure and its subcompartments;

— The releases of radionuclides inside the containment;

— The transfer of radionuclides to the environment;

— The rate of generation of combustible gases.

1.40. The time periods used in these evaluations should be sufficient to demonstrate that the safety limits have been analysed and that the subsequent evolutions of the physical parameters are known and are controllable.

1.41. Design parameters for the containment structures (e. g. design pressure and free volume) that have to be determined early in the design process, before detailed safety assessments can be made, should incorporate significant margins.[3]

1.42. The mechanical resistance of the containment structure should be assessed in relation to the expected range of events and their anticipated probability over the plant lifetime, including the effects of periodic tests.

1.43. Three types of margin should be considered:

— Safety margins, which should accommodate physical uncertainties and unknown effects;

— Design margins, which should account for uncertainties in the design process (e. g. tolerances) and for ageing, including the effects of long term exposure to radiation;

— Operating margins, which are introduced in order to allow the operator to operate the plant flexibly and also to account for operator error.

1.44. Computer codes that are used to carry out evaluations of design basis accidents should be documented, validated and, in the case of new codes, developed according to recognized standards for quality assurance. Users of the codes should be qualified and trained with respect to the operation and limits of the code and with respect to the assumptions made in the design and the safety analysis.

1.45. Computer codes should not be used beyond their identified and documented domain of validation.

1.46. In considering containment systems with double walls, the potential for high energy pipe breaks in the space between the walls should be evaluated. In the event that the possibility of such breaks cannot be eliminated by design features, the internal and external shells, as well as all systems fulfilling safety functions in the annulus between the walls, should be capable of withstanding the related pressures and thermal loads, or else qualified protective features (such as guard pipes) should be installed.

1.47. Multiple failures in redundant safety systems could lead to their complete loss, potentially resulting in beyond design basis accident conditions and significant core degradation (severe accidents) and even threatening the integrity of the containment. Although accident sequences exhibiting such characteristics have a very low probability, they should be evaluated to assess whether they need to be considered in the design of the containment. The selection process for such sequences should be based on probabilistic evalua­tions, engineering judgement or deterministic considerations, as explained in Ref. [1], para. 5.31. The selection process should be well documented and should provide convincing evidence that those sequences that were screened out do not pose undue risks to operators or the public. (See Section 6 for design considerations for severe accidents.)