III Basis for Moving Forward

Implications and Lessons for Advanced Reactor Design and Operation

Yoshiaki Oka and Dietmar Bittermann

Abstract This chapter describes the implications and lessons learned from the points of view of reactor design and operation. After an introduction to the safety principles and safety designs of LWRs, the lessons of the accident, the new regulatory requirements and improvements in Japan, and the essential technologies for preventing and mitigating severe accidents are described.

Keywords Severe accidents · Regulatory requirements · External events · Passive systems · Hydrogen mitigation · Containment venting systems · Melt stabilization measures · Severe accident instrumentation

Short Reflection of Basic Safety Issues

In contrast to other technologies, basic safety rules for nuclear facilities have been in place from the very beginning. In addition, the safety requirements and designs, especially of LWRs, have been improved through the lessons of accidents and incidents that occurred during the history of this technology.

In order to assure the function of the four classical safety barriers—fuel matrix, fuel rod, primary circuit and containment—the defense-in-depth safety concept is applied. The strategy for defense-in-depth is twofold:

• to prevent accidents, and

• if prevention fails, to limit their potential consequences and prevent any evolution to more serious conditions.

The fundamental safety goals that shall be achieved with the support of the provisions taken within the framework of the defense-in-depth concept are: control of reactivity, cooling of fuel elements, and activity retention.

The safety goal “reactivity control” means, among other things, that a nuclear reactor should have inherent safety characteristics. The reactor should be designed to have negative reactivity feedback characteristics. The power coefficient of the reactor should be negative so that power decreases automatically without operator action; for this purpose the reactivity coefficients of fuel temperature and coolant voiding should be kept negative. After a reactor trip the reactor should be kept in a sub-critical state in the long term, and sub-criticality should be ensured during handling, storage and transport of fuel elements.
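To illustrate the negative-feedback requirement stated above, the following one-group point-kinetics model with fuel-temperature reactivity feedback is an added example, not part of the chapter. It inserts a small step of external reactivity and shows that with a negative fuel-temperature coefficient the power settles at a new level without any control action, whereas the same insertion with a positive coefficient runs away; all parameter values (delayed-neutron fraction, generation time, thermal time constant, temperature rise) are constructed, illustrative numbers and not data for any specific reactor.

```python
# Added illustration (not from the chapter): one-group point kinetics with
# fuel-temperature reactivity feedback. All constants are constructed values.

BETA = 0.0065       # delayed-neutron fraction
LAMBDA_D = 0.08     # one-group precursor decay constant [1/s]
GEN_TIME = 1.0e-4   # prompt-neutron generation time [s]
DT_FULL = 500.0     # fuel-to-coolant temperature rise at full power [K]
TAU_FUEL = 5.0      # fuel thermal time constant [s]
T_FUEL_0 = 800.0    # fuel temperature at full power [K]
T_COOL = T_FUEL_0 - DT_FULL
RUNAWAY = 10.0      # relative power at which control is considered lost


def simulate(alpha, rho_ext, t_end=120.0, dt=1.0e-3):
    """Step-insert reactivity rho_ext at t=0 with fuel-temperature
    coefficient alpha [1/K]; power is normalised to 1.0 at the start."""
    n = 1.0                                   # relative power
    c = BETA / (LAMBDA_D * GEN_TIME) * n      # equilibrium precursor density
    temp = T_FUEL_0
    peak = n
    rho = rho_ext
    for _ in range(int(t_end / dt)):
        rho = rho_ext + alpha * (temp - T_FUEL_0)          # net reactivity
        dn = ((rho - BETA) / GEN_TIME * n + LAMBDA_D * c) * dt
        dc = (BETA / GEN_TIME * n - LAMBDA_D * c) * dt
        dtemp = (n * DT_FULL - (temp - T_COOL)) / TAU_FUEL * dt
        n, c, temp = n + dn, c + dc, temp + dtemp
        peak = max(peak, n)
        if n > RUNAWAY:           # positive feedback: power diverges
            break
    return {"final_power": n, "peak_power": peak,
            "final_reactivity": rho, "runaway": n > RUNAWAY}


def expected_power(alpha, rho_ext):
    """Analytic steady state: the power at which feedback cancels rho_ext."""
    return 1.0 - rho_ext / (alpha * DT_FULL)


if __name__ == "__main__":
    for alpha in (-3.0e-5, +3.0e-5):
        r = simulate(alpha, rho_ext=0.001)
        print(f"alpha={alpha:+.1e}/K runaway={r['runaway']} "
              f"final={r['final_power']:.3f} peak={r['peak_power']:.3f}")
```

With the negative coefficient the net reactivity returns to zero on its own and the power levels off near the analytic value from expected_power; with the positive coefficient the temperature rise adds reactivity until the model becomes prompt supercritical.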

The safety goal “cooling of fuel elements” means ensuring heat removal from the core and the fuel storage pool under all operating and accident conditions, and replenishing the coolant of the core and the fuel storage pool. In addition, the integrity of the coolant-retaining systems should be ensured by pressure and temperature limitation in the relevant safety components and systems.

The safety function “activity retention” should be provided by means of isolation provisions whose function is to confine activity within the pressure-retaining boundary and the connected systems. An important activity confinement function is assigned to the containment and to other relevant buildings such as the reactor building and the auxiliary building.

According to the IAEA document INSAG 10 [1], five levels of defense should be considered. Levels 1–3 define the design basis. Levels 4 and 5 define the beyond-design-basis area. An overview of the levels and the main means of action is given in Table 12.1.

Table 12.1 The levels and the main means of action for the defense-in-depth safety concept in INSAG 10 [1]

Level | Objective | Main means of action
Level 1 | Prevention of abnormal operation and failures | Conservative design and high quality in construction and operation
Level 2 | Control of abnormal operation and failures | Control, limiting and protection systems and other surveillance features
Level 3 | Control of accidents within the design basis | Engineered safety features and accident procedures
Level 4 | Control of severe conditions including prevention of accident progression and mitigation of the consequences of a severe accident | Complementary measures and accident management
Level 5 | Mitigation of the radiological consequences of significant external releases of radioactive material | Offsite emergency response

Level 1

The safety provisions at Level 1 are taken through the choice of site, design, manufacturing, construction, commissioning, operating and maintenance requirements such as:

• The clear definition of normal and abnormal operating conditions;

• Adequate margins in the design of systems and plant components, including robustness and resistance to accident conditions, in particular aimed at minimizing the need to take measures at Level 2 and Level 3;

• Adequate time for operators to respond to events and appropriate human-machine interfaces, including operator aids, to reduce burden on the operators;

• Careful selection of materials and use of qualified fabrication processes and proven technology together with extensive testing;

• Comprehensive training of appropriately selected operating personnel whose behavior is consistent with a sound safety culture;

• Adequate operating instructions and reliable monitoring of plant status and operating conditions;

• Recording, evaluation and utilization of operating experience;

• Comprehensive preventive maintenance prioritized in accordance with the safety significance and reliability requirements of systems.

Furthermore, Level 1 provides the initial basis for protection against external and internal hazards (e.g. earthquakes, aircraft crashes, blast waves, fire, flooding), even though some additional protection may be required at higher levels of defense.

Level 2

Level 2 incorporates inherent plant features, such as core stability and thermal inertia, and systems to control abnormal operation (anticipated operational occurrences), taking into account phenomena capable of causing further deterioration in the plant status. The systems to mitigate the consequences of such operating occurrences are designed according to specific criteria (such as redundancy, layout and qualification). The objective is to bring the plant back to normal operating conditions as soon as possible.

Diagnostic tools and equipment such as automatic control systems can be provided to actuate corrective actions before reactor protection limits are reached; examples are power operated relief valves, automatic limitation systems on reactor power and on coolant pressure, temperature or level, and process control function systems which record and announce faults in the control room. On-going surveillance of quality and compliance with the design assumptions by means of in-service inspection and periodic testing of systems and plant components is also necessary to detect any degradation of equipment and systems before it can affect the safety of the plant.

Level 3

Engineered safety features and protection systems are provided to prevent evolution towards severe accidents and also to confine radioactive materials within the containment system. Active and passive engineered safety systems are used. In the short term, safety systems are actuated by the reactor protection system when needed.

To ensure a high reliability of the engineered safety systems, the following design principles are adhered to:

• Redundancy;

• Prevention of common mode failure due to internal or external hazards, by physical or spatial separation and structural protection;

• Prevention of common mode failure due to design, manufacturing, construction, commissioning, maintenance or other human intervention, by diversity or functional redundancy;

• Automation to reduce vulnerability to human failure, at least in the initial phase of an incident or an accident;

• Testability to provide clear evidence of system availability and performance;

• Qualification of systems, components and structures for the specific environmental conditions that may result from an accident or an external hazard.

Level 4

The broad aim of the fourth level of defense is to ensure that the likelihood of an accident entailing severe core damage, and the magnitude of radioactive releases in the unlikely event that a severe plant condition occurs, are both kept as low as reasonably achievable (ALARA).

Such plant conditions may be caused by multiple failures, such as the complete loss of all trains of a safety system, or by an extremely unlikely event such as a severe flood.

Measures for accident management are also aimed at controlling the course of severe accidents and mitigating their consequences.

Essential objectives of accident management are:

• to monitor the main characteristics of plant status;

• to control core sub-criticality;

• to restore heat removal from the core and maintain long term core cooling;

• to protect the integrity of the containment by ensuring heat removal and preventing dangerous loads on the containment in the event of severe core damage or further accident progression;

• to regain control of the plant if possible and, if degradation cannot be stopped, to delay further plant deterioration and implement on-site and off-site emergency response.

The most important objective for mitigation of the consequences of an accident in Level 4 is the protection of the confinement.

Specific measures for accident management are established on the basis of safety studies and research results. These measures fully utilize existing plant capabilities, including available non-safety-related equipment.

Measures for accident management can also include hardware changes. Examples are the installation of filtered containment venting systems and the inerting of the containment in boiling water reactors in order to prevent hydrogen burning in severe accident conditions.

Adequate staff preparation and training for such conditions is a prerequisite for effective accident management.

Level 5

Off-site emergency procedures are prepared in consultation with the operating organization and the authorities in charge and must comply with international agreements.

Both on-site and off-site emergency plans are exercised periodically to the extent necessary to ensure the readiness of the organizations involved.

Safety Culture

Safety culture should be an inherent part of the understanding of any organization in the international nuclear industry that is focused on safety. Two definitions may serve for a better understanding.

INSAG-4 definition: Safety culture is that assembly of characteristics and attitudes in organizations and individuals which establishes that as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance.

NRC definition: A good safety culture in a nuclear installation is a reflection of the values, which are shared throughout all levels of the organization and which are based on the belief that safety is important and that it is everyone's responsibility.
