1.86. When the containment system is challenged, there should be no need for any action to be taken by the operator within a certain ‘period of grace’[5]. For any necessary manual intervention, the operator should have sufficient time to assess the conditions in the plant before taking any action. The plant design should not prevent the operator from initiating appropriate actions in response to clear and unequivocal information.

Performance of the secondary containment

1.87. The secondary containment should be able to withstand the possible pressurization of the volume between the primary and secondary containments in the event of an accident or a malfunction of the ventilation system, and should be able to withstand external loads either alone or in combination with the primary containment.

1.88. To ensure that the pressure between the primary and secondary contain­ments is maintained below atmospheric pressure, the secondary containment and its air extraction system should be operable in the event of a loss of off-site power.

1.89. Safety of Nuclear Power Plants: Design (Ref. [1], para. 5.57) limits the sharing of structures, systems and components in multiunit plants to exceptional cases. For such exceptional cases of the sharing of structures, systems and components between units, all the safety requirements for all the reactors will apply and must be met under all operational and accident conditions.

1.90. External events such as earthquakes that could simultaneously challenge systems serving all units, or events such as the loss of off-site power that could cause the failure of systems common to the units, should be identified and considered in the design.

1.91. Compliance with safety criteria for redundancy, independence and the separation of safety systems should always be considered and any exceptions should be justified.

1.92. In the design of a multiunit plant with a shared or partly shared containment system, appropriate emergency response procedures should be followed for all units in the event that an accident in one unit necessitates the use of the containment function.