Operating Under Fire the French Way

Fire protection in nuclear plants usually has three aspects: prevention. detection and fire fighting. Prevention mainly consists in avoiding that a single fire may render two redundant safety systems unavailable. Detection aims at rapidly locating a starting fire, giving the alarm, and sometimes initiating automatic actions. Fire fighting is organised to extinguish any fire fast. On French plants, an operator is sent to confirm the fire and to extinguish it. In case of difficulty, he isolates the area, informs the control room who will call for outside support. In addition to this organization which aims at both the fire and its direct consequences, Electricite de France has developed an approach that allows the safe operation of the unit. This approach makes the assumption that the fire remains confined in a fire compartment, but all the electric equipment within this compartment is liable to be damaged and is subject to spurious faults. In order to mitigate these faults, all actuators are de-energised, and these de-energisations are programmed in such a way that untimely actions are avoided. The analysis determines which operational functions are unavailable due to this de-energisation. The list of unavailabilities allows the selection of the correct operating procedure. Each procedure is structured according to the function to be ensured (core cooling, water level or anti-reactivity margin) and for each function, according to the systems necessary or their possible substitutes. This approach implies that one can prove that whatever compartment is on fire, at least one substitute system for each safety function is available. The electrical distribution gives great importance to the A-train as only the redundant protection and safeguard systems are supplied by the B-train. For the control room operator to have sufficient means to bring the plant to a safe shut-down state in case of a total loss of the A-train, it is preferable to ensure the availability of some minimal operating systems in addition to the B-train ones. In practice, this imposes the protection of a few control and power cables from non-redundant systems necessary for operator information or for long term operation.