DEFENCE IN DEPTH
Defence in depth: reactors

SAFETY FUNCTION OPERABILITY CONTINUED...

 
  • Inadequate
  • Adequate
  • Minimum required by operational limits and conditions
  • Full

Inadequate

The operability of the safety systems is such that the safety function cannot be fulfilled for the initiator being considered

Inadequate is probably the simplest to define!
What you have left will not provide the safety function you need. For post-trip cooling, if the safety function is inadequate, the fuel melts.

Adequate

The operability of at least one safety system is sufficient to achieve the safety function challenged by the initiator being considered

The next level up is 'Adequate'. Put simply, this means there was enough working plant to avoid an accident. The definition here talks of the operability of a 'safety system'. Sometimes there may be systems that are not claimed as 'safety systems' but that may work and prevent an accident. Where the function and availability of these systems has been demonstrated, they may also be considered. Read the full definition here or on pages 73 and 74 of the Manual for a good explanation of this issue.

Minimum required by OL&C

The operability of each safety system provided for the initiator being considered meets the requirements of OL&C for continued operation at power even for a limited time

This is the next level above 'Adequate'. It is a long sentence, but let's break it down. First of all, what do we mean by 'Operational Limits and Conditions'? Have a look here, or on page 188 of the Manual. The definition is clear: generally it is the plant limits and operability requirements defined in Technical Specifications.

So to determine if the operability is at least at this level we need to:

  • Identify all the safety systems relevant to the initiator we are thinking about
  • Check their operability requirements against the Technical Specification requirements
  • Make sure that we at least meet the operability requirements that allow continued operation, even if only for a limited time, such as 12 hours. Technical Specifications often allow a time to restore operability.

Technical Specifications may also say that for some plant situations you have 4 hours to carry out a controlled shutdown. This is not allowing continued operation at power for a limited time; it is telling you to shut down in a controlled manner.

Full

All safety systems and components provided by the design for the initiator being considered are fully operable, i.e. all installed redundancy/diversity is available

Finally, we have here the definition of 'Full'. It is, quite simply, everything that the designer provided as a safety system. The availability of all such plant safety systems should be controlled by Technical Specifications.

Again you might now like to read section 5.1.2 of the Manual to reinforce what we have learned about safety function operability.
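As an added illustration (not code from the Manual or from this e-learning page), the following Python walks the checks described above in order: Full, then Minimum required by OL&C, then Adequate (including a non-safety system only where its operability has been demonstrated), and otherwise Inadequate. The systems, train counts and Technical Specification actions are constructed for the example and are not taken from any real plant.

```python
from dataclasses import dataclass
from enum import Enum


class TechSpecAction(Enum):
    CONTINUE = "continued operation at power"
    RESTORE = "continue at power while restoring within an allowed time"
    SHUTDOWN = "controlled shutdown required"      # does NOT count as continued operation


@dataclass
class SafetySystem:
    name: str
    trains_installed: int              # redundancy provided by the design
    trains_operable: int
    trains_to_fulfil_function: int     # trains this system alone needs to achieve the function
    tech_spec: dict                    # operable-train count -> TechSpecAction


@dataclass
class NonSafetySystem:
    name: str
    operable: bool
    demonstrated: bool                 # operability demonstrated or known during the event


def classify(safety, nonsafety=()):
    """Return the highest operability level the plant state meets (A, B, C or D)."""
    if not safety:
        raise ValueError("at least one safety system must be claimed for the initiator")
    # A: every installed train of every claimed safety system is operable.
    if all(s.trains_operable == s.trains_installed for s in safety):
        return "A. Full"
    # B: each system is in a Tech Spec state that still allows operation at power,
    # even if only for a limited restoration time; a required shutdown does not qualify.
    if all(s.tech_spec.get(s.trains_operable, TechSpecAction.SHUTDOWN) is not TechSpecAction.SHUTDOWN
           for s in safety):
        return "B. Minimum required by OL&C"
    # C: at least one safety system can still achieve the function on its own ...
    if any(s.trains_operable >= s.trains_to_fulfil_function for s in safety):
        return "C. Adequate"
    # ... or a non-safety system can, but only where its operability has been demonstrated.
    if any(n.operable and n.demonstrated for n in nonsafety):
        return "C. Adequate"
    return "D. Inadequate"


def afw(operable):
    """Constructed post-trip cooling example: a 3-train auxiliary feedwater system,
    one train sufficient for the function, Tech Specs allowing 2-of-3 for a limited time."""
    return SafetySystem("auxiliary feedwater", 3, operable, 1,
                        {3: TechSpecAction.CONTINUE, 2: TechSpecAction.RESTORE, 1: TechSpecAction.SHUTDOWN})
```

With the constructed system, 3 operable trains rates A, 2 rates B, 1 rates C, and 0 rates D unless a non-safety feed system has been demonstrated operable, in which case it rates C.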

Operational limits and conditions.
A set of rules setting forth parameter limits, the functional capability and the performance levels of equipment and personnel approved by the regulatory body for safe operation of an authorized facility. (In most countries, for nuclear power plants, these are included within Technical Specifications).

5.1.2. Safety function operability

The three basic safety functions for reactor operation are:
(1) controlling the reactivity;
(2) cooling the fuel; and
(3) confining the radioactive material.

These functions are provided by passive systems (such as physical barriers) and by active systems (such as the reactor protection system). Several safety systems may contribute to a particular safety function, and the function may still be achieved even with one system unavailable. Following an initiator, non-safety systems may also contribute to a particular safety function (see explanation under definition of Adequate (C)). Equally, support systems such as electrical supplies, cooling and instrument supplies will be required to ensure that a safety function is achieved. It is important to evaluate the operability of the safety function when events are rated, not the operability of an individual system. A system or component is considered operable when it is capable of performing its required function in the required manner.
The operational limits and conditions (OL&C) of a plant govern the operability of each safety system. In most countries, they are included within a plant’s Technical Specifications.
The operability of a safety function for a particular initiator can range from a state where all the components of the safety systems provided to fulfil that function are fully operable to a state where the operability is insufficient for the safety function to be achieved. To provide a framework for rating events, four categories of operability are considered.

A. Full
This is when all the safety systems and components that are provided by the design to cope with the particular initiator in order to limit its consequences are fully operable (i.e. redundancy/diversity is available).

B. Minimum required by operational limits and conditions
This is when the operability of each of the safety systems required to provide the safety function meets the minimum level for which operation at power can be continued (possibly for a limited time), as specified in the Operational Limits and Conditions. This level of operability will generally correspond to the minimum operability of the different safety systems for which the safety function can be achieved for all the initiators considered in the design of the plant. However, for certain particular initiators, redundancy and diversity may still exist.

C. Adequate
This is when the operability of at least one of the safety systems required to provide the safety function is sufficient to achieve the safety function challenged by the initiator being considered. In some cases, categories B and C may be the same (i.e. the operability is inadequate unless all the safety systems meet the OL&C requirements). In other cases, Category C will correspond to a level of operability lower than that required by OL&C. One example would be where diverse safety systems are each required to be operable by OL&C, but only one is operable. Another would be where all safety systems that are designed to assure a safety function are inoperable for such a short time that the safety function can still be assured, even though the safety systems do not meet the OL&C requirements. (For example, the safety function ‘cooling of the fuel’ may be assured if a total station blackout occurs for only a short time). In identifying the effectiveness of such provisions, it is important to take account of the time available and the time required for identifying and implementing appropriate corrective action.
It is also possible that the safety function may be adequate due to the operability of non-safety systems (see Example 40). Non-safety systems can be taken into account if they have been demonstrated (or are known) to be operable during the event. However, care must be taken in including non-safety systems, as their operability is not generally controlled and tested in the same way as it is for safety systems.

D. Inadequate
This is when the operability of the safety systems is such that none of them is capable of achieving the safety function challenged by the initiator being considered.

It should be noted that although operability categories C and D represent a range of plant states, categories A and B represent specific operabilities. Thus, the actual operability may be between that defined by operability categories A and B (i.e. the operability may be less than full but more than the minimum allowed for continued operation at power). This is considered in Section 5.1.3.