Module III
Basic principles of nuclear safety
International Atomic Energy Agency, May 2015
v1.0
Background
In 1991, the General Conference (GC) in its resolution RES/552 requested the Director General to prepare 'a
comprehensive proposal for education and training in both radiation protection and in nuclear safety' for
consideration by the following GC in 1992. In 1992, the proposal was made by the Secretariat and after
considering this proposal the General Conference requested the Director General to prepare a report on a
possible programme of activities on education and training in radiological protection and nuclear safety in its
resolution RES1584.
In response to this request and as a first step, the Secretariat prepared a Standard Syllabus for the Post-graduate
Educational Course in Radiation Protection. Subsequently, specialised training courses
and workshops in different areas of the Standard Syllabus were also planned. A similar approach was taken to develop
basic professional training in nuclear safety. In January 1997, the Programme Performance Assessment System
(PPAS) recommended the preparation of a standard syllabus for nuclear safety based on Agency Safety
Standard Series Documents and any other internationally accepted practices. A draft Standard Syllabus for
Basic Professional Training Course in Nuclear Safety (BPTC) was prepared by a group of consultants in
November 1997 and the syllabus was finalised in July 1998 in the second consultants meeting.
The Basic Professional Training Course on Nuclear Safety was offered for the first time at the end of 1999, in
English, in Saclay, France, in cooperation with Institut National des Sciences et Techniques
Nucleaires/Commissariat a l'Energie Atomique (INSTN/CEA). In 2000, the course was offered in Spanish, in
Brazil to Latin American countries and, in English, as a national training course in Romania, with six and four
weeks duration, respectively. In 2001, the course was offered at Argonne National Laboratory in the USA for
participants from Asian countries. In 2001 and 2002, the course was offered in Saclay, France for participants
from Europe. Since then the BPTC has been used all over the world and part of it has been translated into
various languages. In particular, it is held on a regular basis in Korea for the Asian region and in Argentina for
the Latin American region.
In 2015 the Basic Professional Training Course was updated to the current IAEA nuclear safety standards. The
update includes a BPTC text book, BPTC e-book and 2 “train the trainers” packages, one package for a three
month course and one package for a one month course. The “train the trainers” packages include
transparencies, questions and case studies to complement the BPTC.
This material was prepared by the IAEA and co-funded by the European Union.
Editorial Note
The update and the review of the BPTC were completed with the collaboration of the ICJT Nuclear Training
Centre, Jožef Stefan Institute, Slovenia and IAEA technical experts.
Module III: Basic principles of nuclear safety
CONTENTS
1 WHAT IS NUCLEAR SAFETY?
2 SAFETY FUNDAMENTALS
2.1 Fundamental safety objective
2.2 IAEA Fundamental Safety Principles
    Principle One: Responsibility for Safety
    Principle Two: Role of Government
    Principle Three: Leadership and Management for Safety
    Principle Four: Justification of Facilities and Activities
    Principle Five: Optimization of Protection
    Principle Six: Limitation of Risks to Individuals
    Principle Seven: Protection of Present and Future Generations
    Principle Eight: Prevention of Accidents
    Principle Nine: Emergency Preparedness and Response
    Principle Ten: Protective Actions to Reduce Existing or Unregulated Radiation Risks
2.3 Legislative and regulatory framework
2.4 Management of safety
2.5 Safety considerations during the various phases of the installation
2.6 Verification of safety
2.7 Questions
3 FUNDAMENTAL SAFETY FUNCTIONS
3.1 Three fundamental safety functions
3.2 Reactivity Control
3.3 Removal of Heat
3.4 Confinement of Radioactive Material
3.5 Questions
4 DEFENCE-IN-DEPTH
4.1 The Defence-in-depth Concept
    First level: prevention of abnormal operation and failures
    Second level: control of abnormal operation and detection of failures
    Third level: control of accidents within the design basis
    Fourth level: control of severe plant conditions including prevention of accident progression and mitigation of severe accident consequences
    Fifth level: mitigation of radiological consequences of significant off-site releases of radioactive materials
    Elements common to the different levels
    Defence in depth implementation in operation
4.2 The Role of Successive Barriers in Preventing Spread of Radioactive Materials
    Introduction
    Barriers to the spread of radionuclides
4.3 Mitigation of radiological consequences of significant release
4.4 Emergency response
    On-site emergency response
    Off-site emergency response
4.5 Questions
5 THE INTERNATIONAL NUCLEAR SAFETY REGIME
5.1 Conventions and Codes of Conduct
    The Convention on Nuclear Safety
    Implementing measures
    The Code of Conduct on the Safety of Research Reactors
5.2 IAEA Safety Standards
    Historical development and the nature of IAEA safety standards
    Safety fundamentals, requirements and guides
    Topical coverage of safety standards
    Bodies for the endorsement of safety standards
5.3 National and international institutions for standardization
5.4 Questions
6 NUCLEAR SAFETY AND SECURITY INTERFACE
6.1 Introduction
6.2 Responsibilities for safety and security
    State responsibility
    Responsibility of the regulatory body
    Responsibility of the operating organization
6.3 Safety and security at nuclear installations
    Safety and security culture
    Emergency preparedness and response
    Safety and security considerations during siting, design, construction and operation of a NPP
6.4 Questions
7 HISTORY OF ACCIDENTS IN NUCLEAR INDUSTRY
7.1 Three Mile Island accident
    Health Effects
    INES (International Nuclear Event Scale) rating
7.2 Chernobyl accident
    Health effects
    INES (International Nuclear Event Scale) rating
7.3 Fukushima accident
    Unit 1
    Unit 2
    Unit 3
    Unit 4
    Spent fuel ponds
    Radioactive releases to air
    Radiation exposure of workers on site
    Radiation exposure beyond the plant site
    INES (International Nuclear Event Scale) rating
7.4 Questions
8 REFERENCES
1 WHAT IS NUCLEAR SAFETY?
Learning objectives:
After completing this chapter, the trainee will be able to:
1. Describe the basic goal of nuclear safety.
2. Define the fundamental safety objective according to IAEA Safety
Fundamentals SF-1.
3. Describe the relation between nuclear safety and safety culture.
Practically every human activity, especially those connected with
energy production, may have harmful effects regarding the health of
people and the quality of the environment. The cumulative, long-term
effects of the classical energy production technologies that have
existed for hundreds of years only started to cause concern in recent
decades.
There are many beneficial applications of nuclear phenomena,
radiation and radioactive substances, ranging from generation of
power in nuclear power plants, to uses in medicine, industry and
agriculture.
One specific risk of these technologies is the release of radioactive
substances and exposure to ionizing radiation. This risk has been
known for a long time. Nuclear safety in plain language is simply
everything we do to avoid harmful exposure to ionizing radiation or
contamination with radioactive materials.
The operation of nuclear installations, medical uses of radiation, the
production, transport and use of radioactive materials, and
management of radioactive waste must therefore be subject to the
highest standards of safety, in order to be socially acceptable.
Therefore the concept of nuclear safety has been formally introduced
and developed in parallel with the development of nuclear
technologies. This concept has been expressed by different institutions
and different standards, sometimes in complicated wording.
In 2006, the International Atomic Energy Agency published Safety
Standards Series Safety Fundamentals SF-1, Fundamental Safety
Principles that very clearly outlines nuclear safety through a safety
objective and safety principles.
NUCLEAR SAFETY
The fundamental safety objective is to protect people and the
environment from harmful effects of ionizing radiation.
Nuclear safety is not just a technical concept but is deeply connected
with the culture of people in the nuclear industry. The concept of
safety culture is a very important part of nuclear safety, and will be
elaborated further in greater detail in this document.
One must always be aware that, among all industrial facilities, it is
nuclear power plants that contain the greatest potential for the release
of radioactive materials, though the actual probability of release is
very small. Any complacency in managing a nuclear power plant
would be dangerous.
Several severe accidents have shown that radiation risks can transcend
national borders. It is by now clear that nuclear safety must be
understood as a global concept and that international cooperation is
necessary to enhance safety worldwide.
2 SAFETY FUNDAMENTALS
Learning objectives:
After completing this chapter, the trainee will be able to:
1. List the main safety objectives and principles as defined in the
IAEA SF-1 Safety Fundamentals document.
2. Describe the legislative and regulatory framework related to
safety in a country.
3. Describe the basic principles of safety management.
4. List the important engineering aspects to be taken into
consideration throughout the lifetime of a nuclear installation.
5. Describe the basic principles of safety verification.
2.1 Fundamental safety objective
The fundamental safety objective is to protect people and the
environment from harmful effects of ionizing radiation.
This safety objective has to be fulfilled without unduly limiting the
operation of facilities or the conduct of activities. To ensure that the
highest standards of safety are achieved, the following measures have
to be taken [1]:
• To control the radiation exposure of people and the release of
  radioactive material to the environment;
• To restrict the likelihood of events that might lead to a loss of
  control over a nuclear reactor core, nuclear chain reaction,
  radioactive source or any other source of radiation;
• To mitigate the consequences of such events if they were to
  occur.
The fundamental safety objective applies to all facilities and activities
and throughout their entire lifetime from planning to
decommissioning, including the associated transport of radioactive
material and management of radioactive waste.
From the fundamental safety objective the fundamental safety
principles are derived. They are elaborated in the next section and they
apply to the measures necessary to minimize the risks to site
personnel, the public and the environment from the effects of ionizing
radiation. These risks must be strictly controlled.
2.2 IAEA Fundamental Safety Principles
The Statute of the IAEA in its Article III states that “the Agency is
authorized to establish or adopt standards of safety for protection of
health and minimization of danger to life and property…” The IAEA
has developed standards in collaboration with its Member States, as
well as other international organizations, where appropriate.
As part of this mandate, the IAEA published in 2006 the document
Safety Fundamentals No. SF-1, Fundamental Safety Principles [1].
Fig. 2.1: Fundamental Safety Principles SF-1.
The following paragraphs present the Fundamental Safety Objective
and the 10 Safety Principles as stated in SF-1.
For the purposes of the safety principles, ‘safety’ means protection of
people and the environment against radiation risks, and the safety of
facilities and activities that give rise to radiation risks. ‘Safety’ as used
here and in the Safety Standards includes the safety of nuclear
installations, radiation safety, safety of radioactive waste management
and safety in transport of radioactive material; it does not include non-
radiation-related aspects of safety, such as industrial or occupational
safety [1].
Principle One: Responsibility for Safety
The prime responsibility for safety must rest with the person
or organization responsible for the facilities and activities that
give rise to radiation risks.
This prime responsibility is retained throughout the lifetime of the
facilities and activities and cannot be delegated. Other groups such as
designers, manufacturers, constructors, employers, contractors,
consignors and carriers may also have legal, professional or functional
responsibilities with respect to safety, but the prime responsibility
always remains with the person or organization responsible for the
facilities or activities.
Authorization to operate a facility or conduct an activity may be
granted to an operating organization or to an individual, known as the
licensee.
The licensee is responsible for:
• Establishing and maintaining the necessary competencies;
• Providing adequate training and information;
• Establishing procedures and arrangements to maintain safety
  under all conditions;
• Verifying appropriate design and adequate quality of facilities
  and activities and their associated equipment;
• Ensuring safe control of all radioactive material that is used,
  produced, stored or transported;
• Ensuring safe control of all radioactive waste that is generated.
Since radioactive waste management can extend over many human
generations, consideration must be given to fulfilment of these
responsibilities for present and future operations, including continuity
of responsibilities and funding in the long term.
Principle Two: Role of Government
An effective legal and governmental framework for safety,
including an independent regulatory body, must be
established and sustained.
A properly established framework provides for regulation of facilities
and activities that give rise to radiation risks and for clear assignment
of responsibilities. The government is responsible for adopting within
its national legal system such laws, regulations and other standards
and measures necessary to fulfil its national and international
obligations effectively, including establishing an independent
regulatory body.
Governmental authorities must ensure that arrangements are made for
preparing programmes of action to reduce radiation risks, including
actions in emergencies, for monitoring radioactive releases and for
disposing of radioactive waste. They must provide for control over
sources of radiation for which no one else has responsibility, such as
some naturally-occurring radioactive material, so-called ‘orphan’
sources, and residues from past facilities and activities.
The regulatory body must:
• Have adequate legal authority, competencies and resources to
  fulfil its responsibilities;
• Be effectively independent so that it is free from any undue
  pressure from interested parties;
• Set up appropriate means of providing information about the
  safety, health and environmental aspects of facilities and
  activities, and about regulatory processes;
• Consult parties in the vicinity, the public and other interested
  parties, as appropriate, in an open and inclusive process.
Governments and regulatory bodies thus have an important
responsibility for establishing standards and establishing the
regulatory framework. However the prime responsibility for safety
remains with the licensee.
In the case that the licensee is a branch of government, this branch
must be distinct from and effectively independent of the branches of
government responsible for regulatory functions.
Principle Three: Leadership and Management for Safety
Effective leadership and management for safety must be
established and sustained in organizations concerned with,
and facilities and activities that give rise to, radiation risks.
Leadership in safety matters must be demonstrated at the highest
levels in an organization. Safety must be achieved and maintained by
an effective management system that integrates all requirements so
that safety is not compromised by other demands. The management
system must promote a strong safety culture, including:
• Individual and collective commitment to safety by the
  leadership, management and personnel at all levels;
• Accountability of organizations and individuals at all levels for
  safety;
• Measures to encourage a questioning and learning attitude and
  discourage complacency with regard to safety.
An important factor is recognition of the entire range of interactions of
individuals with technology and organizations. Human factors must be
taken into account and good performance and good practices
supported.
The management system must ensure regular assessment of safety
performance, including a systematic analysis of normal operation and
its effects, of the ways in which failures might occur, the
consequences of such failures and the safety measures needed to
control the hazard. The design, engineered safety features and
operator actions are assessed to ensure that the arrangements are
robust and can be relied upon and that they fulfil the safety functions
required of them. A facility may only be constructed and
commissioned or an activity commenced after the adequacy of the
proposed safety measure has been demonstrated to the satisfaction of
the regulatory body. The safety assessment may be repeated in whole
or in part during operations as circumstances require or periodically as
required by regulations.
Processes must be put in place to ensure analysis and feedback of
operating experience, including initiating events, accident precursors,
near misses, accidents and unauthorized acts, so that lessons learned
may be shared and acted upon.
Principle Four: Justification of Facilities and Activities
Facilities and activities that give rise to radiation risks must
yield an overall benefit.
For facilities and activities to be considered justified, the benefits that
they yield must outweigh the risks to which they give rise. All
significant consequences of operating facilities or conducting
activities must be taken into account.
Principle Five: Optimization of Protection
Protection must be optimized to provide the highest level of
safety that can reasonably be achieved.
Safety measures are considered optimized if they provide the highest
level of safety that can reasonably be achieved throughout the lifetime
of the facility or activity without unduly limiting its utilization. To
determine whether radiation risks are as low as reasonably achievable,
all such risks, whether arising from normal operation or from
abnormal or accident conditions, must be assessed (using a graded
approach) and periodically reassessed taking into account the
inevitable uncertainties in knowledge. Some factors to be considered
in the optimization process include:
• The number of people who may be exposed to radiation;
• The likelihood of their incurring exposure;
• The magnitude and distribution of the radiation doses received;
• Radiation risks arising from foreseeable events;
• Economic, social and environmental factors.
Optimization also means using good practices and common sense to
avoid radiation risks as far as practical in day to day activities.
The resources devoted to safety by the licensee and the scope and
stringency of regulations and their application must be commensurate
with the magnitude of the risk and the possibility of control.
Principle Six: Limitation of Risks to Individuals
Measures for controlling radiation risks must ensure that no
individual bears an unacceptable risk of harm.
Justification and optimization (Principles 4 and 5) do not guarantee
that no individual bears an unacceptable risk of harm. Therefore limits
to doses and risk must be established. Both optimization of protection
and limitation of individual doses and risks are necessary to achieve
the desired level of safety.
Principle Seven: Protection of Present and Future Generations
People and the environment, present and future, must be
protected against radiation risks.
Radiation risks may transcend national borders and may persist for
long periods of time. The possible consequences, now and in the
future, of current actions must be taken into account in judging the
adequacy of measures to control radiation risks. In particular:
• Safety standards apply not only to local populations but also to
  populations remote from facilities and activities;
• Where effects could span generations, subsequent generations
  must be adequately protected without any need for them to take
  significant protective actions.
Radioactive waste must be managed in such a way as to avoid
imposing an undue burden on future generations. The generations that
produce the waste have to seek and apply safe, practicable and
environmentally acceptable solutions for its long term management.
Principle Eight: Prevention of Accidents
All practical efforts must be made to prevent and mitigate
nuclear or radiation accidents.
To ensure that the likelihood of an accident having harmful
consequences is extremely low, measures must be taken to:
• Prevent the occurrence of failures or abnormal conditions
  (including breaches of security) that could lead to a loss of
  control;
• Prevent escalation of any such failures or abnormal conditions
  that do occur;
• Prevent loss of, or loss of control over, a radioactive source or
  other source of radiation.
The primary means of preventing and mitigating the consequences of
accidents is “defence in depth”. It is implemented by providing
consecutive and independent levels of protection that must prevent
harmful effects to people and the environment. Defence in depth is
provided by an appropriate combination of an effective management
system with a strong commitment to safety and a strong safety culture;
by adequate site selection and good design and engineering features
providing safety margins, diversity and redundancy; and by
comprehensive operational procedures and practices including
accident management procedures. Accident management procedures
must be developed in advance to provide for regaining control in the
event of a loss of control and for mitigating any harmful
consequences.
Principle Nine: Emergency Preparedness and Response
Arrangements must be made for emergency preparedness
and response in the case of nuclear or radiation incidents.
The primary goals of emergency preparedness and response are to:
• Ensure that arrangements are in place for an effective response
  at the scene and, as appropriate, at the local, regional, national
  and international levels;
• Ensure that, for reasonably foreseeable incidents, radiation risks
  would be minor;
• Take practical measures to mitigate any consequences for
  human life and health and the environment for any incidents that
  do occur.
The licensee, employer, regulatory body and appropriate branches of
government have to establish, in advance, arrangements for
preparedness and response, including criteria for determining when to
take various protective actions and the capability to protect and inform
personnel at the site and, if necessary, the public during an emergency.
Emergency plans must be exercised periodically.
Principle Ten: Protective Actions to Reduce Existing or Unregulated Radiation Risks
Protective actions to reduce existing or unregulated radiation
risks must be justified and optimized.
Radiation risks may arise in situations other than in facilities and
activities in compliance with regulatory control. If the risks are
relatively high, consideration must be given to whether protective
action can reasonably be taken. Such situations would include:
• Mitigation of exposure from natural sources of radiation;
• Exposure arising from human activities conducted in the past
  that were never subject to regulatory control (or an earlier, less
  rigorous control), such as residues from mining operations;
• Remediation measures following an uncontrolled release of
  radionuclides to the environment.
In all of these cases, protective actions are considered justified only if
they yield sufficient benefit to outweigh the radiation risks and other
detriments associated with taking them. Protective actions must be
optimized to produce the greatest benefit that is reasonably achievable
in relation to the costs.
2.3 Legislative and regulatory framework
The Government of a Member State is responsible for providing
legislation which clearly defines that the responsibility for safety rests
with the operating organization (license holder) and which establishes
the regulatory body responsible for a system of licensing, for the
regulatory control of nuclear activities and for the enforcement of
regulations.
The regulatory body must be independent of the organizations or
bodies charged with the promotion or utilization of nuclear energy. An
important condition for the proper functioning of the regulatory body
is that it must have adequate authority, competence and resources to
fulfil its assigned responsibilities. Resources include both financial as
well as human aspects. An additional function of the regulatory body
is to communicate its regulatory decisions with all the necessary
explanations to the public.
The operating organization may delegate certain functions to others
under certain conditions (e.g. strict quality assurance programme) but
it can never delegate its prime responsibility for safety.
2.4 Management of safety
Safety management is the set of measures which ensure that
an adequate level of safety is maintained throughout the
lifetime of an installation.
Managers should establish policies that clearly specify that safety has
an overriding priority and should ensure that these policies are
implemented at all levels of the organizational structure.
Managers should further ensure that there is a clear division of
responsibilities with corresponding lines of authority and
communication.
Managers should ensure that staff are adequately educated, trained and
retrained (as necessary), and that adequate procedures are developed and
strictly adhered to. Safety related matters should be regularly
reviewed, monitored and audited.
Organizations engaged in safety activities should establish and
implement a sound quality management programme which should
extend over the entire lifetime of the installation or activity.
An important factor in safety management is the recognition of the
influence of human factors. The capabilities and limitations of human
behaviour should be taken into account whenever safety decisions
have to be made.
Even though accident prevention is the first priority of designers and
the operating organization, incidents and accidents may occur.
Therefore the operating organization and the regulatory body need to
make preparations to cope with such situations. Emergency plans for
accident situations must be prepared and exercised by all the
organizations involved.
The main goal of the management system is to achieve and enhance
safety by:
• Bringing together in a coherent manner all the requirements for
  managing the organization;
• Formulating the planned and systematic actions necessary to
  provide adequate confidence that all these requirements are
  satisfied;
• Ensuring that health, environmental, security, quality and
  economic requirements are not considered separately from
  safety requirements, to help preclude their possible negative
  impact on safety [2].
2.5 Safety considerations during the various phases of the installation
Various engineering aspects need to be taken into account in all stages
of the lifetime of an installation. During site selection all man-made or
natural hazards that might influence the safety of the installation must
be evaluated, as well as the potential influence of the installation on
the environment. Such an evaluation must be performed by the utility
and reviewed by the regulatory body. An important aspect at this stage
is to assure the feasibility of carrying out emergency plans.
During the design and construction of the installation it must be
assured that potential radioactive exposures during operation and
decommissioning are limited as far as reasonably achievable and that
prevention and mitigation of accidents is assured through the
appropriate application of defence in depth. Technologies used in the
design must be proven or qualified by experience.
In the commissioning stage the specific approval of the regulatory
body is necessary before the start of commercial operation. This
approval must be based on an appropriate safety analysis and a
commissioning plan. During this stage consistency with the design
and safety requirements must be verified and operating procedures
validated, ideally with the participation of the operators who will
operate the installation in the future.
For the operation phase, a set of operational limits and conditions needs
to be derived from the safety analyses establishing boundaries for
operation. Each time a modification is performed on the installation,
the safety analyses and derived operational limits and conditions need
to be revised. The installation must be regularly inspected, tested and
maintained in accordance with the established procedures to ensure
that structures, systems and components are available and operate as
intended. Further, engineering and technical support must be assured
throughout the lifetime of the installation. Procedures for normal
operation, Emergency Operating Procedures (EOPs) as well as
Severe Accident Management Guidelines (SAMGs) need to be
developed, maintained and regularly updated. A feedback of
Operating Experience (FOE) programme must be established for
learning from the installation’s own experience, as well as from the
experience from other installations, and for disseminating lessons
learned nationally and internationally.
During operation radioactive waste is generated which should be kept
to a minimum in terms of both activity and volume by appropriate
design measures and operating practices. Waste treatment and interim
storage must be strictly controlled.
The decommissioning programme must assure that exposures during
decommissioning are as low as reasonably achievable and the
programme itself must be approved by the regulatory body prior to the
initiation of decommissioning activities.
2.6 Verification of safety
Verification of the safety of a nuclear installation should be performed
regularly throughout the lifetime of the installation and includes many
activities such as:
• Review of site-related factors;
• Independent assessment of the design;
• Review of tests during construction and commissioning;
• Continued monitoring and inspection of the installation during
  operation;
• Continuous monitoring of the environment;
• Assessment and control of modifications.
Safety verification also encompasses the need for thorough investigation
of incidents, determining root causes, lessons learned and applying
appropriate corrective measures. When needed, equipment should be
modified, procedures revised and operators retrained in order to
prevent their recurrence.
An overview of the safety assessment process is presented in Fig. 2.2,
taken from Ref. [3].
In addition a periodic reassessment of safety should be carried out at
least once in 10 years.
Fig. 2.2: Overview of the safety assessment process (from GSR Part 4
Ref [3]).
2.7 Questions
1. Define in simple language “nuclear safety”!
2. What is the fundamental safety objective as defined in the IAEA
Safety Fundamentals document SF-1?
3. How many safety principles are defined in SF-1?
4. What are the basic principles of safety management?
5. List some important engineering aspects to be taken into account
throughout the lifetime of a nuclear installation.
6. What are the basic principles of safety verification?
3 FUNDAMENTAL SAFETY FUNCTIONS
Learning objectives:
After completing this chapter, the trainee will be able to:
1. Define the three fundamental safety functions.
2. Describe the role of reactivity control.
3. Describe the role of accumulation of fission products.
4. Describe the role of decay heat.
3.1 Three fundamental safety functions
IAEA Safety Requirement SSR-2/1 Safety of Nuclear Power Plants:
Design [4] identifies the following three fundamental safety functions
in its Requirement 4:
Fulfilment of the following fundamental safety functions for a
nuclear power plant shall be ensured for all plant states:
• Control of reactivity;
• Removal of heat from the reactor and from the fuel
  store; and
• Confinement of radioactive material, shielding against
  radiation and control of planned radioactive releases,
  as well as limitation of accidental radioactive releases.
A systematic approach must be utilized to identify those structures,
systems and components that are necessary to fulfil these functions at
all times. Any other items important to safety that are necessary to
fulfil these functions or that might affect them must also be identified.
At the same time it is necessary to establish means for monitoring the
plant status in order to ensure that the required fundamental safety
functions are fulfilled.
Nuclear reactors have three specific characteristics which differentiate
them from other energy production installations (Fig. 3.1):
• Under normal operating conditions, a nuclear reactor has no
  ‘natural’ or ‘intrinsic’ power level, so power excursions are
  possible unless reactivity is closely controlled.
• Significant energy release continues for a long time, even after
  reactor shutdown, because of the radioactive decay of the fission
  products contained in the reactor core.
• Reactors accumulate a large quantity of radioactive products
  from which staff must be protected and the large scale dispersal
  of which to the environment would constitute a major accident.
Fig. 3.1: Specific characteristics of nuclear reactors.
The main purpose of the fundamental safety functions is to reduce the
likelihood of releases of fission products and radionuclides into the
environment.
3.2 Reactivity Control
In order to be able to operate for at least a year without refuelling and
counterbalance various power-related effects, the core has to contain a
quantity of fissile material far exceeding the critical mass at cold
shutdown. The excess reactivity of the core at the beginning of the
fuel cycle must be compensated by a burnable poison in the fuel
elements and addition of a neutron absorber in the form of boric acid
in the primary coolant water. During operation the boric acid
concentration is then gradually lowered towards the end of the fuel
cycle. Under particular operating conditions, the energy released in a
nuclear reactor can increase extremely quickly in an uncontrolled
manner and can then only be limited by neutron feedback effects
related to temperature increase or fuel dispersal.
A reactor must have a reactivity control system that fulfils the
following functions:
• Controls the reactor power level in operation and provides for
  shutdown under normal and off-normal conditions;
• Provides for rapid shutdown if necessary, and maintains the
  reactor subcritical, including in accident conditions (control
  rods, boric acid injection into the coolant);
• Possesses negative reactivity feedback characteristics which are
  very important to safety because they limit the reactor power:
  o Negative moderator temperature effect;
  o Negative fuel temperature effect;
  o Negative coolant void effect;
  o Negative power effect.
3.3 Removal of Heat
Decay heat is the heat produced by the decay of radioactive fission
products after a nuclear reactor has been shut down. Decay heat is the
principal source of safety concern in Light Water Reactors (LWR) and
the main contributor to the risk of radioactive release.
Fig. 3.2: Decay heat.
The fission of uranium and plutonium in a reactor results in formation
of highly radioactive fission products which decay at a rate
determined by the type of radioactive nuclides present. All radioactive
materials that remain in the reactor after it is shut down will continue
to decay and release a significant amount of thermal energy.
The amount of radioactive materials present in the reactor at the time
of shutdown is dependent on the power levels at which the reactor
operated and the amount of time spent at those power levels. The
amount of decay heat for a typical light water reactor that has been
operating for a long time is shown in Fig. 3.2 as a percentage of its
full power.
Adequate cooling must be maintained at all times to remove decay
heat and prevent cladding failure in the reactor itself or in spent fuel
storage.
Failure to cool the reactor after shutdown may result in core meltdown
(e.g. Three Mile Island 2). Likewise, failure of the spent fuel pond
cooling system may result in spent fuel damage.
3.4 Confinement of Radioactive Material
The unique hazard associated with a nuclear reactor is the inventory of
radioactive material that accumulates in the core after any significant
period of power operation.
Sources of radionuclides include the fission event, which produces
about two fission fragments per fission, neutron absorption in
structural materials which produces various radioactive products such
as cobalt-60, and neutron absorption in fertile material (primarily
U-238) to produce transuranic elements, which are important to the
long-term radiation hazard from spent fuel.
Roughly speaking, the total fission product activity in a reactor core after a
long period of operation is about 0.2 TBq (5 Ci) per watt of power. Thus, the
core of a 1000 MW(e) power reactor, say 3500 MW(t), would contain 7·10^8
TBq (1.75·10^10 Ci), a very large quantity.
From the point of view of safety, the characteristics of the
radionuclides that are of most concern are:
• Chemical volatility, because volatility promotes release in
  accidents;
• A strong chemical affinity for the human body, because such
  nuclides are easily taken up and remain in the body;
• A high energy gamma decay, because of the need to shield
  against such radiation; and/or
• A relatively long half-life, because of the persistence of
  contamination from such a nuclide.
Thus, some of the radionuclides of particular interest include the noble
gases, strontium-90, iodine-131, and caesium-137.
Uncontrolled release of radioactive materials must be prevented or
mitigated by confinement as close as possible to their point of origin
or their intended location. This is achieved by physical barriers that
enclose radioactive materials. Confinement as a term applies to those
barriers that are in direct contact or very close to the radioactive
material. In principle, these barriers must be passive.
In a typical pressurized or boiling water reactor confinement is
provided by:
• The fuel matrix (sintered uranium dioxide) which can retain
  solid fission products;
• The zirconium cladding of the fuel rods which retains fission
  gases and volatile fission products as long as its integrity is
  preserved;
• The reactor coolant pressure boundary (reactor pressure vessel,
  primary piping, steam generator tubes, pressurizer, reactor
  coolant pumps) which retains fission products that may have
  leaked through the cladding and dissolved activation products.
In the spent fuel pit confinement is provided by:
• The fuel matrix;
• The zirconium cladding of the fuel rods;
• The spent fuel pit stainless steel cladding and the filtered
  cooling system.
In the radioactive waste storage and repository confinement is
provided by the:
• Waste form (usually it is solidified in some way);
• Container.
3.5 Questions
1. What are the three fundamental safety functions?
2. What are the primary functions of the reactivity control system?
3. What are the main characteristics of the radionuclides in
irradiated nuclear reactor fuel?
4. Draw a typical decay heat curve at different time intervals (after
shutdown, after 1 hour, 1 day, 1 month).
4 DEFENCE-IN-DEPTH
Learning objectives:
After completing this chapter, the trainee will be able to:
1. Define 5 levels of defence in depth.
2. Define 4 barriers to preventing the spread of radioactive
materials.
4.1 The Defence in depth Concept
The defence in depth concept is not an installation
examination technique eliciting a particular technical solution,
but a method of reasoning and a general framework enabling
more complete examination of an entire installation.
The development of nuclear safety goes back to the earliest use of
nuclear energy, including the concept of placing multiple barriers
between radioactive materials and the environment. The concept of
defence in depth has been gradually developed and refined to
constitute an increasingly effective approach, combining both
prevention of a wide range of incidents and accidents and mitigation
of their consequences [5]. This approach, linking successively
prevention, monitoring and mitigating action, is intended to cover all
safety-related components and structures. We shall see that this
approach, initially developed for plant design analysis, is also well
adapted to operating organizations.
Before describing the different stages involved, the principle can be
simply summarised as follows: Although measures are taken to reduce
errors, incidents and accidents, it is nevertheless assumed that
accidents do occur and provisions must be made to deal with them so
that their consequences can be minimized to levels deemed
acceptable.
The approach combines the prevention of abnormal
situations and their degradation with the mitigation of their
consequences.
The defence in depth concept consists of a set of procedures as well as
components, classified in levels, to maintain the effectiveness of
physical boundaries placed between radioactive materials and
workers, the public and the environment. Each level should prevent
degradation of the next level and mitigate the consequences of failure
of the previous level. The efficiency of mitigation must not lead to
cutbacks in prevention, which takes precedence.
The approach itself has been gradually developed and its various
stages will be referred to throughout this chapter. In July 1995, the
International Nuclear Safety Advisory Group adopted a document on
this subject called INSAG-10, Defence in Depth in Nuclear Power
Plant Safety [5]. This document presents the history of the concept
since its inception, how it is currently applied and indicates advisable
modifications for its application to the next generation of reactors.
The defence in depth concept comprises five levels. The way in which
these levels are structured may vary from one country to another or be
influenced by plant design, but the main principles are common. The
presentation below is consistent with the INSAG document. The main
goal of each level is to protect the barriers and mitigate any releases.
For a description of the barriers, see Section 4.2.
First level: prevention of abnormal operation and failures
The installation must be designed utilizing conservative provisions to
reduce the risk of failure. This implies that following the preliminary
detailed design of the installation, as exhaustive a study as possible of
its normal and foreseeable operating conditions be conducted to
determine for each major system, structure or component (SSCs), the
worst mechanical, thermal and pressure stresses or those due to
environment, layout, etc. for which safety margins must be provided.
Normal operating transients and the various shutdown situations are
included in normal operating conditions. The SSCs are then
constructed, installed, checked, tested and operated by following
clearly defined and qualified rules, while allowing variations within
specified limits to guarantee the correct behaviour of the installation.
These SSCs should be designed such that the systems intended to deal
with abnormal situations are dedicated and do not need to be actuated
on an everyday basis.
In the same way, the various abnormal conditions, initiating events or
hazards deriving from a source external to the plant and which the
installation must be able to withstand without operating disturbances
or, in other cases, without causing significant radioactive releases,
must be specified. Site selection with a view to limiting such
constraints can play a decisive role. In this way, it is possible to
determine a reference seismic level, extreme meteorological
conditions expressed as wind speed, weight of snow, maximum over-
pressure wave, temperature range, etc.
Moderate-paced processes with a computer-based control system
contribute to reduction of hazards caused by operating staff stress.
Human-System interface provisions and time allowances for manual
intervention can make a significant contribution.
Sets of rules and codes are used to define in a precise and prescriptive
manner the conditions for design, supply, manufacture, construction,
checking, initial and periodic testing, operation and preventive
maintenance of all safety-related equipment and structures in the plant
in order to guarantee their quality and reliability. The selection of
appropriate staff for each stage, from design to operation, their
appropriate training, the overall organization, the sharing of
responsibilities or the operating procedures contribute to the
prevention of failures throughout plant life. This also applies to the
systematic use of operating experience feedback. The authorized
operating range for the plant and its general operating rules may be
defined on this basis.
Second level: control of abnormal operation and detection
of failures
The installation must be prevented from exceeding the authorized
operating conditions. Sufficiently reliable regulation, control and
protection* systems must be designed with the capacity to inhibit any
abnormal development.
Temperature, pressure and nuclear and thermal power control systems
should be installed to prevent incident development without
interfering with power plant operation. With a plant design ensuring a
stable core and high thermal inertia, it is easier to maintain the
installation within the authorized limits.
Instrumentation for measuring the radioactivity levels of certain fluids
and of the atmosphere in various systems must have specified
characteristics to check the effectiveness of the various barriers and
purification systems. Malfunctions clearly signalled in the control
room can be better dealt with by the operators without undue delay.
Finally, the protection systems, the most important of which is the
emergency shutdown system but also including, for example, safety
valves, must be capable of rapidly arresting any undesirable
phenomenon inadequately controlled by the relevant systems, even if
this entails shutting down the reactor.
Furthermore, a periodic equipment surveillance programme enables
any abnormal developments in major equipment to be spotted. Such
developments would otherwise be likely to lead to failures over a
period of time. Periodic weld inspections, crack and leak detection and
routine system testing are examples of these preventive surveillance
activities.
Third level: control of accidents within the design basis
The first two levels of defence in depth, prevention and keeping the
reactor within the authorized limits, are designed to eliminate the risk
of plant failure with a high degree of reliability. However, despite the
care devoted to these two levels with the obvious aim of safety, a
complete series of incidents and accidents is postulated by assuming
that failures could occur as serious as a total instantaneous main pipe
break in a primary coolant loop or steam line which could affect
reactivity control. This is confirmed by deterministic analysis, which
is one of the essential elements of the safety approach.
* Control systems are sometimes included in first level provisions. The INSAG
document places automatic shutdown at the third level. But these variations make no
difference to the general principle.
For these reasons, it is required to install systems for limiting the
effects of such accidents to acceptable levels, even if this involves the
design and installation of safety systems having no function under
normal plant operating conditions. These are the engineered safety
features.* The start-up of these systems must be automatic and human
intervention should only be required after a time lapse allowing a
carefully considered diagnosis to be reached. In the postulated
situations, the correct operation of these systems ensures that core
structure integrity will be unaffected, which means that it can
subsequently be cooled. Radioactive release to the environment will
consequently be limited.
The choice of potential/postulated incidents and accidents must be
made from the beginning of the design phase of a project so that those
systems required for limiting the consequences of such incidents or
accidents integrate properly with the overall installation design. This
choice must be made with the greatest care as it is very difficult to
insert major systems in a completed construction at a later date.
Fourth level: control of severe plant conditions including
prevention of accident progression and mitigation of
severe accident consequences
In the context of on-going analysis of risks of plant failure, such as
the accident which occurred at Three Mile Island in 1979, it was
decided to consider cases of multiple failure and, more generally, the
means required to contend with plant situations which had bypassed
the first three levels of the defence in depth strategy, or which were
considered as part of the residual risk. Such situations can lead to core
meltdown and consequently to even higher radioactive release levels.
The concern here is consequently to reduce the probability of such
situations by preparing appropriate procedures and equipment to
withstand additional scenarios corresponding to multiple failures.
These are the complementary measures aimed to prevent core
meltdown.
If nevertheless a very serious occurrence initiating core meltdown did
take place, all efforts must be made to limit radioactive release and to
gain time to arrange for protective measures for the populations in the
vicinity of the site. It is then essential that the containment function is
maintained under the best possible conditions. The latter accident
management actions are defined in emergency procedures and are
outlined in the internal emergency plan.
* Examples of these systems include:
• The emergency core cooling system;
• The steam generator auxiliary feedwater supply system; and
• Containment capable of withstanding an over pressure of about 4 bar (gauge)
  and the associated systems for internal spray, automatic isolation of
  penetrations, containment atmosphere monitoring and, in the case of
  double-wall containment, depressurization of the annulus.
Fifth level: mitigation of radiological consequences of
significant off-site releases of radioactive materials
Population protection measures in the event of high radioactive
release levels (evacuation, confinement indoors with doors and
windows closed, distribution of stable iodine tablets, restrictions on
certain foodstuffs, etc.) would only be necessary in the event of the
failure or inefficiency of the measures described above. So this is still
part of the defence in depth concept. The conditions of this evacuation
or confinement are within the scope of the public authorities. They are
supplemented by the preparation of long or short term measures for
checking the consumption or marketing of foodstuffs which could be
contaminated. Such measures are included in the external emergency
plans. The decision to implement such measures will be based on
analysis of the situation by the operator and the safety organizations
and then on environmental radioactivity measurements.
Periodic training drills are also necessary in this area to ensure that the
efficiency of the resources and linkups provided is adequate.
Elements common to the different levels
Defence in depth can only be satisfactorily implemented if care is
taken at each level to ensure an appropriate degree of conservatism,
quality control and positive attitudes stemming from safety culture.
The notions of conservatism and safety margins, very closely linked
with the deterministic approach, apply more especially to the first
three levels of defence in depth. Severe accidents, on the other hand,
generally require a less conservative approach and realistic
assessments are preferable when populations have to be protected
against substantial radioactive release.
Level 1. Purpose: Prevention of abnormal operation and failures.
  Means: Conservative design and high quality in construction and operation.
Level 2. Purpose: Control of abnormal operation and detection of failures.
  Means: Control, limiting and protective systems and other surveillance features.
Level 3. Purpose: Control of accident within the design basis.
  Means: Engineered safety features and accident procedures.
Level 4. Purpose: Control of severe plant conditions including prevention of
  accident progression and mitigation of severe accident consequences.
  Means: Complementary measures and accident management.
Level 5. Purpose: Mitigation of radiological consequences of significant
  off-site releases of radioactive materials.
  Means: Off-site emergency response.
Fig. 4.1: The defence in depth concept: purposes, methods and means
(INSAG-10).
Finally, all those actively involved in plant safety, whether they are
operators, constructors, contractors or members of safety
organizations, must have a strong safety culture.
General comments: The notion of successive defence levels implies
that these levels should be as independent as possible. It is
consequently very important to ensure that the same event or failure,
whether single or multiple, could not affect several levels
simultaneously, thereby calling the entire approach into question. This
would be the case, for example, if a specific failure inhibited the
systems provided to limit the consequences of the event considered.
Safety system reliability must be adequate. Special design, layout and
maintenance rules are applied to them.
Quality control: The efficiency of these principles and methods
would be limited if the quality control of all activities involved in the
design, supply, manufacture, construction, tests and inspections,
operating preparations and the actual operation itself were not fully
ensured. This depends on the motivation of all concerned and implies
appropriate organizational procedures.
Obviously, the quality assurance process is more difficult to apply in
the very disturbed situations covered by severe accident management,
but this emphasises the need for the prior preparation of a well-
structured decision making process and methods to be applied in such
situations.
Defence in depth implementation in operation
As mentioned, the defence in depth concept is fully applicable to
operation activities, and the operating documents such as the General
Operating Rules should reflect it in their different chapters:
Level 1: Prevention
• Plant organization, staff selection and training.
• Normal operation procedures.
• Implementation of technical specifications.
Level 2: Surveillance
• Periodic testing programme.
• Preventive maintenance programme.
• Incident detection and analysis.
Level 3: Mitigation
• Incident and accident procedures – Emergency Operating
  Procedures (EOPs).
Level 4: Accident management
• Accident procedure/guidelines for design extension conditions –
  Severe Accident Management Guidelines (SAMGs).
• Internal emergency plan (links with external emergency plan).
Level 5: Emergency response
• External emergency plan.
4.2 The Role of Successive Barriers in Preventing the
Spread of Radioactive Materials
Introduction
The principle of defence-in-depth is at the heart of nuclear safety. One
way in which this principle is implemented in design is through
provision of the four classical engineered physical barriers to the
spread of radioactive materials. These barriers include the fuel matrix,
fuel cladding, the pressure boundary of the primary coolant system,
and the low-leakage containment building. Each of these barriers is
subject to different challenges and to different surveillance
requirements and leakage specifications. In a safety analysis, the
performance of each barrier under normal operating conditions,
normal operating transients and abnormal operating transients is
examined in detail. The ability of the barriers to prevent release in
severe accidents is also assessed and accident management measures
are devised to ensure containment integrity. The physical barriers are
shown in Fig. 4.2 below.
Fig. 4.2: Main PWR barriers.
Barriers to the spread of radionuclides
The fuel matrix: Most present day power reactors are fuelled with a
low U-235 enrichment uranium dioxide (UO2) fuel originally
fabricated as a ceramic pellet. Fission product radionuclides and
transuranic elements resulting from neutron absorption in the fertile
isotope U-238 accumulate in the fuel material. Most of these nuclides
remain contained in the fuel matrix under steady state conditions.
However, since some of the fission products and their decay daughters
are gases, and others are volatile at normal fuel operating
temperatures, the fuel matrix provides only a partial barrier to their
spread. In particular, the noble gases, krypton and xenon, along with
tritium (from ternary fission), will migrate out of the fuel matrix to the
fission gas plenum within the cladding.
Also, the volatile fission products, primarily iodine and caesium,
which are vapours at normal operating temperature, will migrate out
of the fuel matrix and tend to collect in the fuel-cladding gap as
elements and compounds. Changes in fuel temperature, such as those
associated with power changes, lead to release of fission gases trapped
within the microstructure of the fuel, probably because of thermal
diffusion and fuel cracking.
This fission gas release is postulated to result in high mechanical
loading of the cladding and possible cladding failure. Apart from the
fission gases and volatile fission products, the other fission products
and transuranic elements remain contained in the matrix unless near-
melting temperatures are encountered. The extent and kinetics of
fission product release from fuel melting during an accident is an
active research area in several countries.
The cladding: The UO2 fuel pellets are contained within a metal
cladding tube which serves to maintain the fuel geometry and to
prevent release of fission products and actinides into the coolant. In
current water-cooled reactors, the cladding is an alloy of zirconium
called Zircaloy (or a proprietary variation of this alloy), chosen
because of its good structural and corrosion properties, and low
neutron absorption. A cladding tube is typically of the order of five
metres long and 0.95 cm (PWR) to 1.30 cm (BWR) in diameter; while
the fuel column is about 3.5 to 3.7 metres long. Space is provided
within the cladding to accommodate fission gas release from the fuel
without excessive internal pressure build-up. The cladding tube is
closed by welded end caps to create a hermetic seal.
Failure of the cladding barrier can occur due to defects in end cap
welds or in the cladding tube itself. Such failures are rare
relative to the number of fuel rods in a reactor. Other potential failure
mechanisms include pellet-cladding mechanical interactions or high
pressure due to fission gas release in transients, flow-induced or
mechanical vibrations, or excessive cladding corrosion. Cladding
failures can be detected promptly by monitoring fission product
radioactivity or delayed neutrons in the coolant. While plant technical
specifications may allow operation with up to a specified fraction of
defective fuel, prudent operating practice and ALARA principles
dictate that failed fuel be removed at the earliest practical time to
minimize contamination of the primary coolant system with
accompanying radiation exposure to the plant operating and
maintenance staff.
The primary coolant system: The boundary of the primary coolant
system (the ‘reactor-coolant pressure boundary’) is clearly defined
within the reactor building. However, it branches out in a fairly
complex manner in the auxiliary buildings. In a PWR, the primary
coolant system pressure boundary consists of the reactor pressure
vessel, the coolant piping, the steam generators, and main coolant
pumps, along with some auxiliary systems including the pressurizer,
chemical and volume control systems (CVCS), and parts of the
emergency core cooling and residual heat removal systems, depending
on the design and operating details.
The primary coolant system is intended to be leak-tight, except for
controlled outflow, for example, through the main coolant pump seals,
or the CVCS. Under normal conditions, the radioactive inventory of
the primary coolant system consists of radionuclides that have leaked
from defective fuel, plus activated corrosion products. An important
class of design basis accidents involves loss of integrity of the
pressure boundary. This class includes a large-break loss-of-coolant
accident (LBLOCA), and a small-break loss of coolant accident
(SBLOCA). So long as these accidents do not lead to core damage,
which they should not, radionuclide release will be easily limited by
the containment. If, however, a core melt accident should occur, it has
been found that the debris can be retained within the reactor vessel
under certain conditions. The TMI-2 accident, which began as a small-
break LOCA and escalated into a large-scale core melt, showed that
the debris could be cooled in-vessel by water addition.
Failure modes of the primary coolant pressure boundary include
piping leaks, piping breaks, pump seal failures, steam generator tube
failures, valve failures or misalignment, and pressure vessel failure.
Piping leaks - Leaks in the primary system piping could occur from
various causes, including through-wall cracks. Such leakage can be
detected by abnormal radiation readings, loss of coolant inventory, or
direct observation of leakage. Detection and investigation of any
leakage is extremely important, because leaks can provide a warning
of an impending pipe break. The so-called “leak-before-break” theory
argues that leakage will always precede a pipe break and that the
leakage can be detected and action taken before the break occurs, so
that instantaneous double-ended “guillotine” pipe breaks need not be
considered as a design basis accident. While this argument has
technical merit in many cases, the LBLOCA is still analysed as a
design-basis accident in many regulatory regimes. Release of
radioactivity due to piping leaks is in general easily confined within
the containment.
Piping breaks - Breaks in the primary system piping give rise to one
of the major classes of design basis accidents (DBA). The LBLOCA is
the classical DBA for the design of the emergency core cooling
systems and the containment. SBLOCAs have also been studied
extensively, especially since the TMI-2 accident, which was
essentially a SBLOCA, led to large-scale core melting and
radionuclide release to the containment. The design requirement is to
show that cladding temperature, cladding oxidation, and containment
pressure remain within acceptable bounds, so that fuel integrity and
containment function are maintained. Assuming that the engineered
safety features perform as designed, piping breaks do not result in
large release of fission product activity from the fuel, and any release
is contained by the containment building.
Pump seal failures - The main coolant pumps used in many light-
water reactors have shaft seals through which there is a small
controlled leakage flow. The failure of a pump seal would allow a
larger leakage. For the present discussion, such an event can be
considered to be equivalent to a SBLOCA. Probabilistic safety
assessments for some reactors have shown that pump seal failures can
be significant contributors to core melt frequency.
Steam generator tube failures - Failures of steam generator tubes in a
pressurized water reactor (PWR) are of particular concern because
leakage from the primary side to the steam side results in a
containment bypass. That is, any radioactive material that is released
from the primary system can find its way to the environment through
the steam system and is not retained within the containment. Thus,
strict limits on the amount of leakage, and the number of leaking tubes
are maintained. Steam generator tubes are frequently inspected for
flaws, and plugged or repaired as necessary.
Valve failures or misalignment - Valve failures by themselves do not
introduce a new class of accident. Most valve failures would be
characterised as a SBLOCA. However, certain valves are used to
separate the high pressure primary system from auxiliary systems
which are designed for lower pressure. Examples of such systems may
include residual heat removal systems or chemical clean-up systems.
Failure of such valves would result in a so-called ‘interfacing system
LOCA’, in which the full primary system pressure causes failure in
the lower pressure interfacing system. Such events have also been
found to be important contributors to core melt frequency in some
PSAs.
Pressure vessel failure - Pressure vessel failure is considered too
remote an event to be included in the design basis. However, the
material of the vessel is subject to neutron irradiation and potential
embrittlement or elevated null-ductility temperature. The principal
concern is with the ‘pressurized thermal shock’ phenomenon, in which
the vessel is subjected to rapid cooling due to introduction of cold
water while still at operating pressure. If vessel temperatures during
the cooling transient approach the null-ductility temperature,
mitigatory measures are called for. In extreme cases, it may be
necessary to anneal the vessel to restore its ductility. Annealing has
been done in some older Soviet-designed PWRs.
In spite of its complexity of design and numerous failure modes, the
primary coolant system has proven to be a very effective barrier
against radionuclide release. Even in the TMI-2 accident, a severe
accident with large-scale fuel melting, the molten core material and
fission products were largely contained within the reactor vessel
because water was introduced to cool the debris and the vessel wall.
Most of the radioactive materials released into the containment were
noble gases, which were retained for over a year in the containment
building, before being vented to the atmosphere in a controlled
manner.
The containment building: A low-leakage containment building
provides the final physical barrier against spread of radionuclides. The
containment building is required to have a very low leak rate, typically
of the order of 0.1 % per day, and to demonstrate its leak tightness in
periodic tests. Many different types of containment are used, including
large dry buildings, various pressure suppression types (such as the ice
condensers in the BWR containments), and sub-atmospheric
buildings. The design basis for the containment of most present-day
plants was the large-break LOCA accident, which had to be contained
without exceeding the design pressure of the building. However, the
containments have been shown to be very robust against short-term
failure in severe accidents. The principal threat to containment
integrity appears to be long-term pressurization due to heating and
non-combustible gas generation from interaction between core debris
and concrete. Accident management measures to counter these threats
have to be developed.
4.3 Mitigation of the radiological consequences of significant release
As discussed above, application of the concept of defence-in-depth in
the design of a nuclear power plant can be viewed as involving five
levels of defence against excessive radiological consequences from an
accident. The fifth level of defence, mitigation of the radiological
consequences, can be viewed as not being part of the design, because
the measures taken are generic in their essential nature. However, one
goal of modern designs is to eliminate the need for off-site emergency
planning by considering severe accidents in the design and thereby
practically eliminating the possibility of radiological consequences
beyond the site boundary. Mitigation measures include on-site
emergency plans, aimed at providing protection to plant workers and
assuring that vital control functions can be maintained, and off-site
emergency plans, aimed at protection of the public and the
environment. On-site and remote emergency control centres should be
provided for coordination of the emergency response and decision-
making.
4.4 Emergency response
On-site emergency response
A well-organized and tested on-site emergency response plan must be
in place. Elements of this plan may include such items as:
- Definition of the decision-making process and the people
  responsible for making emergency decisions;
- Criteria for declaring various levels of alert or emergency
  situation;
- Notification of the appropriate company, local, state, and
  national authorities of the occurrence, depending on the severity
  of the situation;
- Activation of an on-site or near-site emergency control centre,
  with appropriate staff, communications, and support, including
  public communications personnel;
- Activation of emergency response teams as required by the
  nature of the situation;
- If necessary, activation of control room habitability features or a
  remote reactor control room;
- Evacuation of non-essential personnel from the site.
The on-site emergency response organization must have access to
sufficient information about the event to assess the need for activation
of the off-site emergency plans. Local, state, and national regulatory
and emergency organizations will also require information, and
appropriate communications arrangements must be included in the
emergency plan.
Off-site emergency response
As with the on-site emergency response, there must be a clearly
defined organization and decision-making process to decide on the
appropriate response, and to organize the implementation measures.
Generally, the off-site emergency response includes three possible
actions: sheltering; chemical protection (iodine tablets); and
evacuation.
In case of a small off-site release, sheltering of the nearby population
may provide sufficient mitigation. In this context, sheltering means
requiring the population to remain indoors, with doors and windows
closed, until the release has ended and the plume of radionuclides has
dispersed. Sheltering can provide significant protection through
shielding against weakly penetrating radiation and the effect of the
slow interchange between interior and ambient air. Sheltering is the
minimum level of protective action for the public, and involves little
risk but some inconvenience.
A significant contribution to risk from a radioactive release is the
uptake of radioactive iodine into the thyroid. Children are especially at
risk of developing thyroid cancer from this source. A possible
emergency preparedness measure is to supply iodine pills to persons
within the emergency planning zone to be taken if a release containing
iodine is expected. In this way, radioiodine will be prevented from
concentrating in the thyroid, affording a measure of protection.
The most extreme measure that can be taken to mitigate off-site
radiological consequences is evacuation of the population. Evacuation
involves significant risk due to transportation accidents, as well as
significant disruption to the lives of the population. Evacuation was
considered at the time of the TMI-2 accident, but rejected except for
voluntary evacuation of particularly vulnerable people. Large-scale,
permanent evacuation followed the Chernobyl accident. Planning for
evacuation involves consideration of means of transportation,
mapping routes, traffic control, and establishment of reception
facilities for evacuees.
Mitigation of radiological consequences through on-site and off-site
emergency planning is the fifth level of defence-in-depth. On-site
emergency plans emphasize recovery from the emergency,
communications with authorities and the public, and assuring
continued control of the plant while minimizing personnel exposure.
Off-site emergency planning focuses on public protection, involving
such actions as sheltering, use of chemical protection, and, in the
extreme, evacuation.
4.5 Questions
1. Define the five levels of defence in depth.
2. Name the barriers for prevention of the spread of radioactive
materials used in the defence in depth concept.
5 THE INTERNATIONAL NUCLEAR SAFETY REGIME
Learning objectives:
After completing this chapter, the trainee will be able to:
1. Describe the underlying principles governing the review process
under the Nuclear Safety Convention.
2. Describe the main purpose of the Code of Conduct for research
reactors.
3. Describe the main elements of the IAEA Safety Standards Series
publications.
4. Describe the main elements of the EC Nuclear Safety Directive.
The international nuclear safety regime starts with recognition of the
mutual dependence between organizations and persons involved in the
utilization of nuclear energy and radiation sources worldwide.
Therefore international arrangements and cooperation are vital
for enhancing safety globally. The IAEA serves as the
secretariat for the legally binding conventions and develops non-
binding codes of conduct and safety standards.
5.1 Conventions and Codes of Conduct
Since 1986, five conventions have been ratified by a sufficient number
of countries in order to come into force in the areas of nuclear,
radiation, transport and waste safety. These are:
- The Convention on Nuclear Safety [6], which legally commits
  contracting parties to maintain a high level of safety by setting
  international benchmarks to which the contracting parties
  subscribe. The Convention applies only to land-based nuclear
  power plants, and all states operating such nuclear power plants
  are now contracting parties.
- The Convention on Physical Protection of Nuclear Material [7]
  obliges states (parties) to ensure protection of nuclear material
  during international transport within their territory or on board
  their ships or aircraft. (The Convention was amended in 2005 to
  make it binding on parties to protect nuclear facilities and
  material in peaceful domestic use and storage, as well as
  transport. The amendment also provides for rapid measures to
  locate and recover stolen or smuggled nuclear material and to
  mitigate the radiological consequences of sabotage. The
  amendments will come into force when ratified by 2/3 of the
  parties.)
- The Convention on Early Notification of a Nuclear Accident [8]
  establishes a notification system for nuclear accidents that have
  the potential for international trans-boundary release and that
  could be of radiological safety significance for another state.
- The Convention on Assistance in the Case of a Nuclear
  Accident or Radiological Emergency [9] sets out an
  international framework for cooperation among Parties and with
  the IAEA to facilitate prompt assistance and support in such an
  event.
- The Joint Convention on the Safety of Spent Fuel Management
  and on the Safety of Radioactive Waste Management [10]
  (usually known as the ‘Joint Convention’) is the first treaty on
  safety in these areas. It represents a commitment by
  participating states to achieve and maintain a high level of safety
  in the management of spent fuel and radioactive waste as part of
  the global safety regime.
In addition to the Conventions, two non-legally binding Codes of
Conduct have been adopted in these areas:
- The Code of Conduct on the Safety of Research Reactors [11]
  provides guidance to states on the development and
  harmonization of laws, regulations and policies on the safety of
  research reactors, and provides ‘best practice’ guidance to the
  state, the regulatory body and the operating organization for
  management of research reactor safety.
- The Code of Conduct on the Safety and Security of Radioactive
  Sources [12], and supplementary Guidance on the Import and
  Export of Radioactive Sources [13] are intended to achieve and
  maintain a high level of safety and security of radioactive
  sources, reduce the likelihood of accidental harmful exposure or
  malicious use of such sources to cause harm, and to mitigate
  the consequences of an accident or malicious act involving a
  radioactive source.
The Convention on Nuclear Safety
The Convention on Nuclear Safety is a binding international
instrument having the following objectives:
- To achieve and maintain a high level of nuclear safety
  worldwide through the enhancement of national measures and
  international co-operation including, where appropriate, safety-
  related technical co-operation;
- To establish and maintain effective defences in nuclear
  installations against potential radiological hazards in order to
  protect individuals, society and the environment from the
  harmful effects of ionizing radiation from such installations;
- To prevent accidents with radiological consequences and to
  mitigate such consequences if they occur.
The Convention applies to the safety of land-based civil nuclear power
plants (NPPs) including such storage, handling and treatment facilities
for radioactive materials as are on the same site and are directly
related to the operation of the NPP. The obligations of the parties are
based to a large extent on the principles contained in the IAEA Safety
Series 110, The Safety of Nuclear Installations, now superseded by
Safety Fundamentals SF-1. These obligations are summarized in
Table 5.1.
Table 5.1: Obligations contained in Convention on Nuclear Safety.
| Legislation and regulation | General safety considerations | Safety of installations |
|---|---|---|
| Legislation and regulatory framework | Priority of safety | Siting: effect of environment on the NPP |
| Safety requirements and regulations | Financing for safety | Siting: effect of NPP on the environment |
| System of licensing | Competence of staff | Siting: re-evaluation/consulting |
| Regulatory inspection and assessment | Human performance | Design: defence in depth |
| Enforcement | Quality assurance | Design: proven technology |
| Regulator with authority | Safety assessment | Easily manageable operation |
| Independent regulator | Verification: analysis and survey | Initial authorization and commissioning |
| Operator’s responsibility | Radiation protection | Operational limits and conditions |
| | Emergency preparedness | Emergency operating procedures |
| | | Engineering and technical support |
| | | Incident reporting |
| | | Operating experience feedback |
| | | Waste management |
Implementing measures
Each Contracting Party must take, within the framework of its
national law, the legislative, regulatory and administrative measures
and other steps necessary for implementing its obligations under this
Convention.
Each Contracting Party must submit for review prior to each review
meeting, a National Report on the measures it has taken to implement
each of the obligations of the Convention.
National Reports should, among other requirements, demonstrate that:
- A Regulatory Body entrusted with the implementation of the
  legislative and regulatory framework is established;
- The appropriate steps are taken to ensure that the safety of
  nuclear installations is reviewed and to ensure that all
  reasonably practicable improvements are made as a matter of
  urgency to upgrade the safety of the nuclear installation;
- The legislative and regulatory framework is established and
  maintained;
- The appropriate steps are taken to ensure an effective separation
  between the Regulatory Body and any other body or
  organization concerned with the promotion or utilization of
  nuclear energy;
- Prime responsibility for the safety of a nuclear installation rests
  with the holder of the relevant licence and the appropriate steps
  must be taken to ensure that each such licence holder meets its
  responsibility.
The Convention is a motivating instrument. It is not designed to
ensure fulfilment of obligations by the parties through control and
sanctions, but is based on their common interest in achieving higher
levels of safety which will be developed and promoted through regular
meetings of the parties. The Convention obliges parties to submit
reports on the implementation of their obligations for ‘peer review’ at
meetings of the parties to be held at the IAEA. This mechanism is the
main innovative and dynamic element of the Convention.
The Convention entered into force on 24 October 1996. All countries
with operating nuclear power plants are parties to the Convention, as
are several countries that do not have nuclear power plants. Review
meetings should be convened at intervals no greater than three years.
Review meetings have been held in the month of April of the
years 1999, 2002, 2005, 2008 and 2011. The sixth meeting was held in
2014. In August of 2012 an extraordinary meeting of contracting
parties was held to address the impact of the Fukushima accident.
The Code of Conduct on the Safety of Research Reactors
The objective of the Code of Conduct on the Safety of Research
Reactors is to achieve and maintain a high level of safety in research
reactors worldwide through the enhancement of national measures and
international co-operation including, where appropriate, safety-related
technical co-operation. The Code includes technical provisions based
upon consensus documents, principally the Safety Fundamentals
Safety Series 110, The Safety of Nuclear Installations (now
superseded, as noted previously); Safety Requirements GS-R-1, Legal
and Governmental Infrastructure for Nuclear, Radiation, Radioactive
Waste and Transport Safety [14]; NS-R-4, Safety of Research
Reactors [15]; and WS-R-2, Predisposal Management of Radioactive
Waste, including Decommissioning [16]. The Code is a non-binding
international legal instrument.
The Code provides that states should apply its recommendations and
guidance through national safety regulations, and make appropriate
use of IAEA Safety Standards. Because there are many different
research reactor designs and power ratings resulting in a wide range of
potential hazards, states should adopt a graded approach to application
of the guidance commensurate with the hazard potential, while
maintaining a strong safety culture. States should also communicate
any difficulties encountered in application of the guidance in the Code
and any assistance required to the IAEA. The IAEA is charged with
providing advice and assistance on all aspects of safe management of
research reactors.
The Code provides guidance for the state, the regulatory body and the
operating organization on many topics important to research reactor
safety. The areas covered in the Code are summarized in Table 5.2.
Generally, the state is responsible for establishing a legislative and
regulatory framework for research reactor safety that places the prime
responsibility for safety on the operating organization. The state
should establish an effectively independent regulatory body and
provide it with the authority and resources to carry out its
responsibilities to establish safety criteria, regulations and guides, and
to conduct authorization, safety reviews and assessments, inspections
and enforcement. The state should ensure that the operating
organization has a financing system for safe operation of the reactor,
for extended shutdown, if necessary, and decommissioning. If a
research reactor is in extended shutdown and there is no longer an
effective operating organization, the state should make arrangements
for safe management of the reactor. Finally, the state should ensure
adequate legal and infrastructure arrangements for decommissioning.
The regulatory body is the executive organ of the state for
establishing a process of issuing authorizations (licences), undertaking
inspections and assessments of compliance, enforcing regulations and
authorizations, reviewing and assessing regulatory submissions, and
making available information on its regulatory requirements and
decisions. As seen in Table 5.2, the Code of Conduct offers guidance
for the regulatory body in most areas. The regulatory body establishes
the minimum requirements in most areas; the operating organization
must respond to the regulatory requirements.
The operating organization should establish its own policies that
give safety the highest priority and promote a strong safety culture. It
should carry out a safety assessment and prepare a safety analysis
report before construction and commissioning, carry out safety
reviews at appropriate intervals, including after modifications and
changes in utilization, for experiments having safety significance, and
for management of ageing. The operating organization should ensure
that there is an effective financing system for safe operation, extended
shutdown and decommissioning.
Table 5.2: Guidance topics covered in the Code of Conduct on the
safety of research reactors.
Guidance topic | State | Regulatory body | Operating organization
Legal and governmental infrastructure √
Regulatory process √ √
Management of safety √ √
Assessment and verification of safety √ √ √
Financial and human resources √ √ √
Quality assurance √ √
Human factors √ √
Radiation protection √ √
Emergency preparedness √ √ √
Siting √ √
Design, construction, commissioning √ √
Operation, maintenance, modification, utilization √ √
Extended shutdown √
Decommissioning √
5.2 IAEA Safety Standards
Historical development and the nature of IAEA safety standards
The development of nuclear and radiation safety standards is a
statutory function of the IAEA. The IAEA Statute expressly
authorizes the Agency “to establish standards of safety” and “to
provide for the application of these standards”.
The major development of Safety Standards started with the Nuclear
Safety Standards - NUSS Programme in the 1970s. Within this
programme, 5 Codes of Practice and about 60 Guides were produced.
Fig. 5.1: Examples of NUSS publications.
In 1996, a new uniform preparation and review process was
introduced, covering all the areas in which the IAEA establishes
safety standards. The Safety Series was replaced by two new series of
safety-related publications, the Safety Standards Series and the
Safety Reports Series. In addition, safety-related information is
published in IAEA TECDOCs.
The purpose is to separate the IAEA Safety Standards, which spell out
safety objectives, concepts, principles, requirements and guidance as a
basis for national regulations, or as an indication of how various safety
requirements may be met, from the Safety Reports and TECDOCs
which are issued for the purpose of providing information on ways of
ensuring safety. The Safety Standards reflect a consensus view among
Member States of ‘best practices’, while the Safety Reports and
TECDOCs do not necessarily express a consensus view and therefore
do not have to undergo the rigorous approval procedure required for
the Safety Standards Series.
Safety fundamentals, requirements and guides
The Safety Standards Series includes three levels of documents:
- Safety Fundamentals;
- Safety Requirements; and
- Safety Guides.
Fig. 5.2: Examples of Safety Standards Series publications.
The Safety Fundamentals document is the “policy document” of the
IAEA Safety Standards Series. It states the basic objectives, concepts
and principles involved in ensuring protection and safety in the
development and application of atomic energy for peaceful purposes.
It states - without providing technical details and without going into
the application of principles - the rationale for actions necessary in
meeting Safety Requirements. There is now one Safety Fundamentals
document that covers all areas.
The Safety Requirements series set forth the basic requirements which
must be met in order to ensure the safety of particular activities. These
requirements are governed by the basic objectives, concepts and
principles presented in the Safety Fundamentals document. The
written style (with “shall” statements) is that of regulatory documents
so that the Safety Requirements are adopted by States, at their own
discretion, as national regulations.
The Safety Guides documents contain recommendations (with
“should” statements) based on international experience and best
practices regarding measures to ensure that the Safety Requirements
are met. But unless alternative equivalent measures are implemented,
the ‘should’ statements in practice become ‘shall’ requirements,
because they are indicative of the level of safety to be achieved
through the recommended measures. Again, the style of the Safety
Guides is such that they may be adopted by States, at their own
discretion, as national regulatory guidance material.
IAEA safety standards have been developed on the basis of
international consensus and as such they reflect very widely accepted
safety levels. They do not necessarily reflect current requirements in a
specific member state. Each state should define its own acceptable
safety level on the basis of local conditions and governmental
practices. Although the IAEA safety standards are not binding on
member states, they are very useful because they discuss key issues
and present possible acceptable solutions. If there are large national
deviations compared to the internationally accepted safety levels,
special consideration should be given to these issues.
Topical coverage of safety standards
The IAEA safety standards include a single safety fundamentals
document, thematic safety standards and facility- and activity-specific
safety standards. Generally, each topical area includes a safety
requirements document and one or more safety guides.
Thematic Safety Standards
Legal and governmental infrastructure;
Emergency preparedness and response;
Management systems;
Assessment and verification;
Site evaluation;
Radiation protection;
Radioactive waste management;
Decommissioning;
Remediation of contaminated areas;
Transport safety.
Facility- and activity-specific safety standards
Nuclear power plant: design;
Nuclear power plant: operation;
Research reactors;
Fuel cycle facilities;
Radiation-related facilities;
Waste treatment and disposal facilities.
Safety standards should typically be reviewed every 5 years (for
Transport Safety Regulations, the review period is 2 years) and, if
necessary, revised [17]. In addition, new standards are being
developed as the need arises and resources permit. A document giving
the status of published and draft safety standards is updated
approximately quarterly and is available on the IAEA Nuclear Safety
Web-site.
Bodies for the endorsement of safety standards
To assist in the development, review and endorsement of safety
standards and to underline their importance, the IAEA has established
the Commission on Safety Standards (CSS) as a standing body of
senior government officials holding national responsibilities for
establishing standards. It has a special overview role with regard to the
IAEA’s safety standards and other documents relevant to nuclear,
radiation, waste and transport safety, and provides advice to the
Director General on the overall safety standards programme. In
addition, a special safety standards committee has been established for
each of the major areas comprising nuclear safety, radiation safety,
waste safety and transport safety. Figure 5.3 shows the review and
endorsement bodies for the IAEA safety standards.
Fig. 5.3: The Commission on Safety Standards and the Standards
Committees.
In the future development of safety standards, requirements and
guides will be divided into two categories: general safety requirements
and guides, and specific safety requirements and guides, as indicated in
Fig. 5.4.
Fig. 5.4: The long term structure of the IAEA Safety Standards Series.
5.3 National and international institutions for
standardization
Although they are not legally binding on member states, the IAEA
Safety Standards are written in such a way that they could be adopted
by member states for use in national regulations and guidance
material. The standards are consensus documents between the member
states’ governments. In addition to these internationally agreed safety
standards there are also industrial standards. A number of national as
well as international institutions develop these technical standards.
Well known examples of international institutions are the International
Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC).
To avoid duplication and to ensure a consistent approach, the co-
operation between the IAEA and these international institutions is
controlled through well established liaison channels. This co-operation
has been established through a Memorandum of Understanding
(IAEA/ISO) or a written agreement (IAEA/IEC).
The IAEA/ISO co-operation reads:
“The ISO recognises the responsibilities of the IAEA ... in particular
with regard to the establishment ... of standards of safety for the
protection of health ... which are primarily addressed to national
regulatory bodies” and “The IAEA recognises the responsibilities of
the ISO as a specialised international institution for matters of
standardization, having as its objectives the facilitation of
international exchange of goods and services ...”.
In practice this co-operation is managed by the nominated responsible
liaison officers in particular subject areas. Examples of national
institutions are the American Society of Mechanical Engineers
(ASME), the German Nuclear Safety Standards Commission
(“Kerntechnischer Ausschuß, KTA”), the “Deutsches Institut für
Normung e.V., DIN” and the “Association Française de
Normalization, AFNOR” in France.
In this way a complete global framework of safety standards and
technical specifications is created by the IAEA and the institutions
concerned with standardization.
5.4 Questions
1. What process is used to verify the safety status in Member
States under the Nuclear Safety Convention?
2. How often are review meetings held under the Nuclear Safety
Convention?
3. Describe the main elements of the Code of Conduct for research
reactors.
4. How many levels of documents are present in the IAEA Safety
Standards Series? Name them.
5. Name the bodies involved in the endorsement of the IAEA safety
standards.
6 NUCLEAR SAFETY AND THE SECURITY
INTERFACE
Learning objectives:
After completing this chapter, the trainee will be able to:
1. Describe the synergy between safety and security.
2. Describe responsibilities for safety and security at different
levels.
3. Explain the concepts of safety and security culture.
6.1 Introduction
In the operation of a nuclear power plant, the integration of safety,
security and safeguards (the three S’s) is important. Safety aims at
preventing accidents, security at preventing intentional acts that might
harm the installation, and safeguards at preventing the diversion of
nuclear material for nuclear weapons, terrorist, illegal or unauthorised
use.
In simple terms, safety and security can be described as follows: safety
protects people from the harm that might come from the installation,
and security protects the installation from the harm that might come
from people. Since the 9/11 attacks the nuclear community has
realized that there is a possibility for such terrorist attacks on nuclear
installations. This has led to an increased focus on defences against
such possibilities and guidance has been developed at national and
international levels.
Both safety and security have the common overall objective to protect
people and the environment and therefore many of the principles used
are common, and many of the actions taken enhance both safety and
security simultaneously. For example, a nuclear power plant’s
containment serves both safety and security purposes by containing
fission products in case of an accident and protecting the reactor core
from possible attacks from outside. On the other hand, some specific
measures which are put in place to enhance security might have a
negative impact on safety. An example of such measures is strict
control of access to vital structures, systems or components put in
place for security reasons but which might delay urgent actions which
could be necessary in case of a nuclear safety event.
The above examples only emphasize the importance of having a
coordinated approach to nuclear safety and security.
The IAEA Safety Glossary [18] gives the following definitions of
nuclear safety and nuclear security:
Nuclear safety:
“The achievement of proper operating conditions, prevention
of accidents or mitigation of accident sequences, resulting in
protection of workers, the public and the environment from
undue radiation hazards”.
Nuclear security:
“The prevention and detection of, and response to, theft,
sabotage, unauthorized access, illegal transfer or other
malicious acts involving nuclear material, other radioactive
substances or their associated facilities”.
Another aspect which both safety and security have in common is the
fact that both rely on the concept of defence-in-depth. In both cases,
the first priority is prevention. If this fails and an undesired event
nevertheless happens, the second stage is its early detection and
prompt action to minimize the potential consequences. The third layer
is mitigation and if it also fails, the fourth layer is emergency
planning. Defence in depth for safety is discussed in INSAG-10 [3]
and INSAG-12 [19] and defence in depth for security in the
Amendment to the Physical Protection of Nuclear Material [20].
6.2 Responsibilities for safety and security
Responsibilities for safety and security are defined in national
legislation. Several organizations at different levels have a role to
play [21].
State responsibility
At the state level, appropriate legislation and a regulatory framework
need to be put in place to assure the safety and security of nuclear
installations as well as the safe transport of radioactive material.
Regulatory authorities must be established in the safety and security
fields; in some countries both responsibilities are mandated to one
regulatory agency. In situations where that is not the case, proper
coordination between the authorities overseeing safety and the
authorities in charge of security must be assured.
The main responsibility for safety and security rests with the operator.
However, especially in the area of security, state support for the
operating organization is essential as the operator would not have all
the necessary intelligence information about possible terrorist attacks
that the specialized state agencies might have.
Responsibility of the regulatory body
The main task of the regulatory authorities for safety and security is to
define the requirements the operating organization must fulfil. As also
explained in much more detail in the Module on the Regulatory
Authorities, their prime responsibility is also to put in place an
effective inspection and enforcement system. In addition, they must
ensure that an adequate emergency response system is in place at all
levels.
Responsibility of the operating organization
The prime responsibility for safety and security rests with the licence
holder, i.e. with the operating organization. As already stated above,
the national police and armed forces might be asked for help in
security issues, as well as the national intelligence agencies. The
operating organization is however the best qualified to identify
potential plant vulnerabilities that might be targets of terrorist attacks.
6.3 Safety and security at nuclear installations
Safety and security culture
The INSAG-4 [22] document has defined safety culture as “that
assembly of characteristics and attitudes in organizations and
individuals which establishes that, as an overriding priority, nuclear
safety issues receive the attention warranted by their significance”. A
similar definition of security culture is given in the IAEA Nuclear
Security Series No 7, Nuclear Security Culture [23] where the focus is
on security issues.
However, there are differences between the two cultures. For example, safety
culture calls for transparency and cooperation in exchanging
information on safety issues. The same does not hold in the security
field, where sharing of information is normally limited to a
small group of people.
Emergency preparedness and response
Emergency plans are developed at different levels: state level,
municipal level, and plant level as a minimum. It is essential to assure
that the security plans are compatible with and complementary to the
safety plans. It is therefore necessary to have joint exercises in order
to verify this and implement any possible corrections that might be
needed.
Safety and security considerations during siting, design,
construction and operation of an NPP
Safety considerations at the siting stage are described in sufficient
detail in the Module devoted to siting. However, security
considerations are already important at the very beginning of a nuclear
project. At the siting stage, possible vulnerability should be assessed.
The plant should not be situated in or close to regions which are
prone to terrorist attacks or unrest. It should also not be sited near
borders with countries where terrorist activities are frequent.
At the design stage, defence in depth principles are applied for safety
and security as already mentioned. Synergy between safety and
security is also achieved by the use of passive systems to minimize
human errors, by introduction of doors and barriers that serve both
safety and security, or by introduction of robustness against human
errors. Efforts should be made, however, not to overdo security
barriers to the extent that they might hinder access for maintenance or
surveillance, or delay access to the vital systems in the case of
emergencies.
In the construction phase a large number of subcontractors are present
at the site. The same applies in the operation phase during planned
outages or large modifications. In such cases the security provisions
should prevent deliberate introduction of weaknesses that could result
in unwanted events later on during normal operation.
6.4 Questions
1. Describe the synergy between nuclear safety and security.
2. Give an example when nuclear safety and security measures can
be in conflict.
3. What is the difference between safety culture and security
culture?
7 HISTORY OF ACCIDENTS IN THE
NUCLEAR INDUSTRY
Learning objectives:
After completing this chapter, the trainee will be able to:
1. List three major accidents in the nuclear industry.
2. Describe the root causes of these three accidents.
3. Describe the courses of these three accidents.
4. Describe the consequences of these three accidents.
Since the introduction of nuclear power (Obninsk, Soviet Union, 1954,
Calder Hall, U.K., 1956 and Shippingport, USA, 1957), more than
15,000 reactor operating years have been accumulated. During this
time three serious nuclear power plant accidents (Three Mile Island 2
accident in 1979, the Chernobyl disaster in 1986 and the Fukushima
Daiichi disaster in 2011) have occurred. Each one of these accidents is
a major source of lessons learned and profoundly influenced the
understanding of nuclear safety.
7.1 Three Mile Island accident
The Three Mile Island Unit 2 (TMI-2) reactor, near Middletown, Pa.,
experienced a severe accident on March 28, 1979 [24]. This was the
most serious accident in U.S. commercial nuclear power plant
operating history, although its small radioactive releases had no
detectable health effects on plant workers or the public.
A combination of equipment malfunctions, design-related problems
and worker errors led to TMI-2's partial core meltdown and very small
off-site releases of radioactivity.
TMI-2 is a pressurized water reactor (PWR), the most common type
of nuclear power reactor in the world.
On March 28, 1979 the plant experienced a failure in the secondary,
non-nuclear section of the plant (see Fig. 7.1). Either a mechanical or
electrical failure prevented the main feedwater pumps from sending
water to the steam generators that remove heat from the reactor core.
This caused the plant's turbine-generator and then the reactor itself to
automatically shut down. The pressure in the primary system
increased immediately and the power-operated relief valve at the top
of the pressurizer opened. The valve should have closed when the
pressure fell to proper levels, but it became stuck open. Instruments in
the control room, however, indicated to the plant staff that the valve
was closed. The plant staff was unaware that the primary system was
losing coolant because other instruments available to the reactor
operators provided inadequate information. There was no instrument
that showed the water level in the core. Plant staff assumed that as
long as the pressurizer water level was high, the core was properly
covered with water. As alarms rang and warning lights flashed, the
operators did not realize that the plant was experiencing a loss-of-
coolant accident. They took a series of actions that made conditions
worse. The coolant escaping through the stuck valve reduced the
primary system pressure so much that the reactor coolant pumps had
to be turned off to prevent dangerous vibrations. To prevent the
pressurizer from filling up completely, the staff reduced the flow of
emergency cooling water to the primary system. These actions starved
the reactor core of coolant, causing it to overheat.
Without the proper water flow, the nuclear fuel overheated to the point
at which the zirconium cladding ruptured and the fuel pellets began to
melt. It was later found that about half of the core melted during the
early stages of the accident due to loss of coolant (Fig. 7.2). Chemical
reactions between steam and the zirconium fuel cladding created a
large hydrogen bubble in the dome of the pressure vessel. This was of
great concern as the hydrogen bubble might burn or even explode and
rupture the pressure vessel. The crisis ended when experts determined
on Sunday, April 1, that the hydrogen could not burn or explode due
to the absence of oxygen in the pressure vessel.
Fig. 7.1: Schematic diagram of TMI-2 reactor (© Nuclear Training
Centre).
Although TMI-2 suffered a severe core meltdown, the most dangerous
kind of nuclear power accident, the consequences outside the plant
were minimal. The TMI-2 containment building remained intact and
retained almost all of the accident's radioactive material.
Health Effects
The approximately 2 million people around TMI-2 during the accident
are estimated to have received an average radiation dose of only about
0.01 mSv above the usual background dose. The maximum dose to a
person at the site boundary from the accident would have been less
than 1 mSv above background.
INES (International Nuclear Event Scale) rating
The INES scale did not exist at the time of the TMI-2 accident.
Presently it is rated as a level 5 accident. (The INES scale runs from 0,
indicating an abnormal situation with no safety consequences, to 7,
indicating an accident causing widespread contamination with serious
health and environmental effects).
Fig. 7.2: TMI-2 Core End-State Configuration (www.nrc.org).
7.2 Chernobyl accident
The 1986 disaster at the Chernobyl nuclear power plant in Ukraine (at
that time part of the Soviet Union) was the product of a flawed reactor
design coupled with a lack of safety culture [25].
The Chernobyl reactor was a Soviet-designed and built graphite
moderated pressure tube type reactor (RBMK-1000), using slightly
enriched (2% U-235) uranium dioxide fuel. The vertical pressure
tubes contained the zirconium alloy clad uranium dioxide fuel around
which the cooling water flowed. Light water that boiled in the
pressure tubes was used as reactor coolant and also provided the steam
to drive the turbines.
One of the most important characteristics of the RBMK reactor was
that it possessed a 'positive void coefficient', where an increase in
steam bubbles ('voids') was accompanied by an increase in core
reactivity. There were other components that contributed to the overall
power coefficient of reactivity, but the void coefficient was the
dominant one in the Chernobyl reactor.
The accident occurred on 26 April 1986 after a test to determine how
long the turbines would operate and supply power to the main
circulating pumps following loss of the main electrical power supply.
It had been preceded by a series of operator actions, including
disabling of the automatic shutdown mechanisms. By the time that the
operator decided to shut down the reactor, the reactor was in an
extremely unstable condition. A peculiarity of the design of the
control rods caused a dramatic power surge as they were inserted into
the reactor.
Fig. 7.3: Aerial view of the Chernobyl reactor after the accident
(Wikipedia.org).
The interaction of the very hot fuel with the cooling water led to fuel
fragmentation along with rapid steam production and an increase in
pressure. The overpressure caused the 1000 t cover plate of the reactor
to become partially detached, rupturing the fuel channels and jamming
all the control rods, which at that time were only halfway down.
Intense steam generation then spread throughout the core (fed by
water dumped into the core due to the rupture of the emergency
cooling circuit) causing a steam explosion and releasing fission
products to the atmosphere. About two to three seconds later, a second
explosion threw out fragments from the fuel channels and hot
graphite. This second explosion is likely to have been caused by the
production of hydrogen from zirconium-steam reactions.
The graphite and fuel became incandescent and started a number of
fires. The resulting steam explosion and fires released at least 5 % of
the radioactive reactor core into the atmosphere.
The plume of smoke, radioactive fission products and debris from the
core and the building rose about 1 km into the air. The heavier debris
in the plume was deposited close to the site, but lighter components,
including fission products and virtually all of the noble gas inventory,
were blown by the prevailing wind to the northwest of the plant.
Health effects
The Chernobyl accident caused many severe radiation effects almost
immediately. Of 600 workers present on the site during the early
morning of 26 April 1986, 134 received high doses (0.8-16 Gy) and
suffered from radiation sickness. Of these, 28 died in the first three
months and another 19 died in 1987-2004 of various causes not
necessarily associated with radiation exposure. In addition, according
to the UNSCEAR 2008 Report, the majority of the 530,000 registered
recovery operation workers received doses of between 0.02 Gy and
0.5 Gy between 1986 and 1990. That cohort is still at potential risk of
late consequences such as cancer and other diseases and their health is
being followed closely.
For the last two decades, attention has been focused on investigating
the association between radiation exposure caused by radionuclides
released in the Chernobyl accident and late effects, in particular
thyroid cancer in children. Doses to the thyroid received in the first
few months after the accident were particularly high in children and
adolescents living in Belarus, Ukraine and the most affected Russian
regions due to the consumption of milk with high levels of radioactive
iodine. By 2005, more than 6,000 thyroid cancer cases had been
diagnosed in this group. Of these cases, 9 children died, the others
were cured. It is expected that the increase in thyroid cancer incidence
due to the Chernobyl accident will continue for many more years,
although the long-term increase is difficult to quantify precisely.
There is no clearly demonstrated increase in the incidence of solid
cancers or leukemia due to radiation in the exposed populations.
Neither is there any proof of other non-malignant disorders that are
related to ionizing radiation. However, there were widespread
psychological reactions to the accident, which were due to fear of
radiation, not to the actual radiation doses. In addition, thousands of
individuals were forced to leave their homes due to contamination.
Although those exposed as children and the emergency and recovery
workers are at increased risk of radiation-induced effects, the vast
majority of the population need not live in fear of serious health
consequences due to radiation from the Chernobyl accident. For the
most part, they were exposed to radiation levels comparable to or a
few times higher than annual levels from the natural background, and
future exposures continue to diminish slowly as the radionuclides
decay.
INES (International Nuclear Event Scale) rating
The Chernobyl accident is the most severe nuclear accident on record and
is rated 7 on the INES scale.
7.3 Fukushima accident
The Fukushima Daiichi reactors are General Electric boiling water
reactors (BWR) of an early (1960s) design supplied by GE, Toshiba
and Hitachi, with what is known as a Mark I containment. Reactors
1-3 came into commercial operation in 1971-75.
The Great East Japan Earthquake of magnitude 9.0 occurred at 2:46
pm on Friday 11 March 2011 [26]. The earthquake caused an
automatic shutdown of the reactors without significant damage to the
plant. External power supply sources were lost due to earthquake
damage but the power from emergency diesel generators to run the
residual heat removal system (RHR) pumps and equipment was
available as designed.
Fig. 7.4: Tsunami flooding of the Fukushima Daiichi site
(chong.zxg.net).
41 minutes later a 15 m tsunami inundated the seawater pumps for
both the main condenser circuits and the Residual Heat Removal
(RHR) cooling system, the diesel generators, the electrical switchgear
and 125-volt DC batteries, all located in the basements of the turbine
buildings. A station blackout occurred, resulting in the loss of the
ultimate heat sink of the reactors. The tsunami also damaged and
obstructed roads.
At that time the reactor cores were producing decay heat (some 1.5 %
of nominal thermal power – about 22 MW in unit 1 and 33 MW in
units 2 and 3) which produced steam in the reactor pressure vessels.
Due to the loss of cooling, steam and later hydrogen (from the
reaction of steam with the zirconium cladding) were released into the
dry primary containment (PCV) through safety valves.
By early Saturday, water injection was provided to the reactor
pressure vessel (RPV) utilizing fire pumps.
Unit 1
Fig. 7.5: Simplified representation of the Fukushima Daiichi Unit 1
Accident (© Nuclear Training Centre).
The fuel was exposed some 8 hours after the trip, started to melt and
at 7 am Saturday, 16 hours after the scram, the corium (an alloy
comprised of melted fuel and control rods) had fallen into the water at
the bottom of the RPV. Thereafter RPV temperatures decreased
steadily.
Attempts to vent steam, noble gases and hydrogen from the
containment resulted in a hydrogen explosion on the service floor of
the building above the unit 1 reactor containment.
Unit 2
Water injection using the steam-driven back-up system failed on
Monday 14th, and there was a delay of about six hours before a fire
pump started injecting seawater into the RPV. Before the fire pump
could be used the RPV pressure had to be relieved via the wetwell,
which required power and nitrogen, hence the delay. Reactor water
level dropped rapidly after back-up cooling was lost, the fuel then
melted and most likely fell into the water at the bottom of the RPV
about 100 hours after the scram. Pressure was vented and the blowout
panel near the top of the building was opened to avoid a repetition of
the unit 1 hydrogen explosion. On Tuesday 15th, the pressure inside
the drywell containment dropped and the primary containment
developed a leak. Most of the radioactive releases from the site
appeared to come from unit 2.
Unit 3
The main back-up water injection system failed at 11:00 am on
Saturday 12th and early on Sunday 13th water injection using the high
pressure system failed and water levels dropped dramatically. RPV
pressure was reduced by venting steam into the wetwell, allowing
injection of seawater using a fire pump from just before noon. Early
on Sunday venting the suppression chamber and containment was
successfully undertaken. It is now understood that core damage started
about 9:00 am and much or all of the fuel melted on the morning of
Sunday 13th and possibly fell into the water at the bottom of the RPV,
or was retained on the core support plate within the shroud.
Early on Monday 14th PCV venting was repeated, and this evidently
backflowed to the service floor of the building, so that at 11:00 am a
very large hydrogen explosion occurred in the unit 3 reactor
containment. This explosion blew off much of the roof and walls and
demolished the top part of the building, creating radioactive debris on
the ground near unit 3.
Unit 4
The reactor was defuelled at the time of the accident. On Tuesday 15
March a hydrogen explosion destroyed the top of the building due to
backflow of hydrogen from unit 3 through shared ducts.
Spent fuel ponds
As is typical with this type of BWR, the spent fuel ponds are located
adjacent to the top of all reactor buildings. Spent fuel requires
shielding and cooling by pumping water through external heat
exchangers. Following the accident, the water level in the fuel ponds
was found to be low. The primary cause of the low water levels was
loss of circulation of cooling water through external heat exchangers,
leading to elevated temperatures and probably boiling. Replenishing
the water in the ponds was attempted unsuccessfully with fire pumps,
but utilizing a concrete pump with a high boom enabled more precise
targeting of water.
The spent fuel ponds survived the earthquake, tsunami and hydrogen
explosions without significant damage to the fuel or significant
radiological release, or threat to public safety.
Radioactive releases to air
Major air releases of radionuclides, including long-lived caesium,
occurred mainly in mid-March. The population within a 20 km radius
had been evacuated three days earlier. Considerable work was done to
reduce the amount of radioactive debris on site and to stabilise dust.
The main source of radioactive releases was the apparent hydrogen
explosion in the suppression chamber of unit 2 on 15 March.
Radioactive releases in mid-August 2011 were reduced to 5 GBq/hr,
and the dose rate from these at the plant boundary was 1.7 mSv/yr
(worldwide average annual effective dose from natural external
exposure is 0.9 mSv).
Radiation exposure of workers on site
No radiation casualties (acute radiation syndrome) occurred, but
higher than normal doses were accumulated by several hundred
workers on site. High radiation levels in the three reactor buildings
hindered access to the site into 2012.
Summary: Six workers received radiation doses over the 250 mSv
level set by NISA, but at levels below those which would cause
radiation sickness.
Radiation exposure beyond the plant site
As of now, there have been no harmful effects from radiation to local
people, nor any doses approaching harmful levels. However, some
160,000 people were evacuated from their homes and were allowed
limited return only in 2012. In October 2013, 81,000 evacuees
remained displaced due to government concern about radiological
effects from the accident.
INES (International Nuclear Event Scale) rating
The Fukushima nuclear accident is rated 7 on the International
Nuclear Event Scale. Prior to Fukushima, the Chernobyl disaster was
the only level 7 accident.
7.4 Questions
1. Which are the three major accidents to have occurred in the
nuclear industry?
2. What was the root cause of these three accidents?
3. What were the consequences of the three accidents?
8 REFERENCES
[1] INTERNATIONAL ATOMIC ENERGY AGENCY,
Fundamental Safety Principles, Safety Standards Series No. SF-
1, IAEA, Vienna (2006).
[2] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety
Requirements No. GS-R-3, The Management System for
Facilities and Activities, IAEA, Vienna (2006).
[3] INTERNATIONAL ATOMIC ENERGY AGENCY, General
Safety Requirements No. GSR Part 4, IAEA, Vienna (2009).
[4] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of
Nuclear power plants: Design, Specific Safety Requirement
SSR-2/1, IAEA, Vienna (2012).
[5] INTERNATIONAL ATOMIC ENERGY AGENCY, Defence in
Depth in Nuclear Safety, INSAG-10, IAEA, Vienna (1996).
[6] INTERNATIONAL ATOMIC ENERGY AGENCY, The
Convention on Nuclear Safety, INFCIRC/449, IAEA, Vienna
(1994).
[7] INTERNATIONAL ATOMIC ENERGY AGENCY, The
Convention on Physical Protection of Nuclear Material,
INFCIRC/274/Rev. 1, IAEA, Vienna (1980).
[8] INTERNATIONAL ATOMIC ENERGY AGENCY, The
Convention on Early Notification of a Nuclear Accident,
INFCIRC/335, IAEA, Vienna (1986).
[9] INTERNATIONAL ATOMIC ENERGY AGENCY, The
Convention on Assistance in the Case of a Nuclear Accident or
Radiological Emergency, INFCIRC/336, IAEA, Vienna (1986).
[10] INTERNATIONAL ATOMIC ENERGY AGENCY, The Joint
Convention on the Safety of Spent Fuel Management and on the
Safety of Radioactive Waste Management, INFCIRC/546,
IAEA, Vienna (1997).
[11] INTERNATIONAL ATOMIC ENERGY AGENCY, Code of
Conduct on the Safety of Research Reactors, IAEA, Vienna
(2006).
[12] INTERNATIONAL ATOMIC ENERGY AGENCY, The Code
of Conduct on the Safety and Security of Radioactive Sources,
IAEA/CODEOC/2004, IAEA, Vienna (2004).
[13] INTERNATIONAL ATOMIC ENERGY AGENCY, Guidance
on the Import and Export of Radioactive Sources,
IAEA/CODEOC/IMP-EXP/2005, IAEA, Vienna (2005).
[14] INTERNATIONAL ATOMIC ENERGY AGENCY, Legal and
Governmental Infrastructure for Nuclear, Radiation, Radioactive
Waste and Transport Safety, Safety Requirements GS-R-1,
IAEA, Vienna (2000).
[15] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of
Research Reactors, Safety Requirements NS-R-4, IAEA, Vienna
(2005).
[16] INTERNATIONAL ATOMIC ENERGY AGENCY,
Predisposal Management of Radioactive Waste, including
Page 63 of 64
Module III: Basic principles of nuclear safety
Decommissioning, Safety Requirements WS-R-2, IAEA,
Vienna (2000).
[17] INTERNATIONAL ATOMIC ENERGY AGENCY, Strategies
and processes for the establishment of IAEA safety standards
(SPESS), Version 2.1, IAEA, Vienna (2013)
[18] INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA
Safety Glossary, IAEA, Vienna (2007).
[19] INTERNATIONAL NUCLEAR SAFETY ADVISORY
GROUP, Basic Safety Principles for Nuclear Power Plants 75-
INSAG-3 Rev. 1, INSAG-12, IAEA, Vienna (1999).
[20] INTERNATIONAL ATOMIC ENERGY AGENCY,
Amendment to the Convention on the Physical Protection of
Nuclear Material, GOV/INF/2005/10-GC(49)/INF/6, IAEA,
Vienna (2005).
[21] INTERNATIONAL NUCLEAR SAFETY GROUP, The
Interface Between Safety and Security at Nuclear Power Plants
INSAG-24, IAEA, Vienna (2010).
[22] INTERNATIONAL NUCLEAR SAFETY ADVISORY
GROUP, Safety Culture INSAG-4, IAEA, Vienna (1991).
[23] INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear
Security Culture, IAEA Nuclear Security Series No. 7, IAEA,
Vienna (2008).
[24] www.nrc.gov/reading-rm/doc-collections/fact-sheets/3mile-
isle.html#tmiview
[25] http://www.world-nuclear.org/info/Safety-and-Security/Safety-
of-Plants/Chernobyl-Accident/
[26] http://www.world-nuclear.org/info/Safety-and-Security/Safety-
of-Plants/Fukushima-Accident/
The views expressed in this document do not necessarily reflect the
views of the European Commission.