When making safety assessments, we need to make a basic distinction between the risk potential, as the maximum possible damage a risk source can cause, and the risk, which involves considering both the potential extent of the damage and how likely that damage is to occur. Nuclear power plants and nuclear installations generally have a high risk potential, so safety is absolutely vital when designing, building, operating and shutting down such plants to minimise the risks involved (damage prevention).

In nuclear power plants, these requirements mean protective goals such as controlling reactivity, cooling fuel assemblies, confining radioactive substances and limiting radiation exposure must be adhered to. The components and building structures required to meet these requirements are safety-related and are therefore referred to as safety-related components and building structures.

To meet these safety goals, we basically use the safety barriers as shown in Figure 2.14 and the safety systems, which may be designed as either active or passive safety systems.

2. Fuel rod cladding

Reinforced concrete cylinder as radiation shield

Fig. 2.14 Passive safety barriers

These safety systems are highly reliable, thanks to the following:

— Redundancy

Main safety system components are multiplicated so that, should one of these modules fail, another identical module can take over.

— Diversity

Major components are made to different designs, so that not all the modules of the same type needed for these safety systems are likely to fail at the same time. This also reduces the risks of failing for the same reasons (common cause failure).

— Spatial separation

Major components of redundant safety systems are located away from one another, so that if an incident occurs that has limited local events that cause one module to fail, an identical module somewhere else which is not affected by that incident can take over the safety function (Figure 2.15).

Safety systems are needed to manage incidents, and must therefore be designed for both rare internal incidents (internal actions) and rare external ones (external actions). Internal design basis accidents include loss of coolant accident and internal flooding. A loss of coolant accident, and how it is handled, is shown in Figure 2.16. Significant external actions include earthquakes and floods. So plants must be designed to withstand an earthquake with the greatest seismic effects foreseeable where they are located.

These rare design basis accidents can be distinguished from the system status conditions in nominal use (normal operations as regular condition and anomalous operations as frequent condition) and the extremely rare events resulting from an accident (Table 2.2). Under the banded safety concept used in Germany, these system

Fig. 2.16 Controlling loss of coolant accidents

status conditions and events are assigned to four safety levels, as shown in Table 2.2, plus the extremely rare events which as accidents count as so-called ‘residual risks’ and which call for disaster prevention and environmental protection measures accordingly.

In the scenarios in Table 2.2, which must be considered as part of a safety philosophy, the focus is on preventing damage. One major contribution to this damage prevention is made by the International Atomic Energy Agency (IAEA), the international atomic energy organisation which sets the standards for erecting and operating nuclear plants. Another contribution comes from reviewing preventive measures and how effective the safety systems of each nuclear power plants are in the light of past events at nuclear plants which have occurred worldwide.

Following the reactor accident at Chernobyl in 1986, the IAEA launched the INES scale in 1991 (Table 2.3 ) for recording incidents and events at nuclear facilities.

This ranges from anomalies (levels 0-1), incident (levels 2-3) and accidents (levels 4-7). Depending on how they are rated, events must be assessed at the nuclear power plant concerned and rated with the controlling government organ­isations to show that the safety procedures in place are effective and to improve them if required.

On the INES scale, the Chernobyl incident must be classified as a major accident at the highest level 7. By way of comparison: the equally notorious event (partial meltdown) at Harrisburg (‘Three Mile Island’ in 1979, where the effects of the meltdown were limited to the plant itself, without damaging the health of the population, were classified as a level 5 event. In Germany, there have been 74 events since 1991 which were rated as level 1 on the INES scale and just three that were rated at level 2.

In assessing the risks that nuclear power plants present, we also include extremely rare events as ‘hypothetical’ accidents classified as residual risks. These include a melt­down due to serious core problems. Compared with the units now operating (up to Generation III), in which the effects of a meltdown are studied as part of a safety analysis, the new Generation III+ plans are designed such that they have structural

Fig. 2.17 EPR, core catcher (heat removal system)

safeguards and/or passive safety features to protect against a meltdown. For the EPR, for example, a meltdown prevention system was designed with a ‘core catcher’. As Figure 2.17 shows, should the reactor’s pressure vessel burn through, the molten core can be collected in a space below the reactor pressure vessel and cooled to avoid it burning through the foundations and to prevent pressure in the reactor pressure vessel increasing any further. This covers not only short-term but also long-term safety functions, without any further serious disaster prevention measures being required in the area around the plant.