MAIN FUKUSHIMA LESSONS LEARNT IN TERMS OF DEFENCE IN DEPTH 1. Fukushima stresses the need to ensure sufficient robustness of the critical safety

systems against external hazards significantly higher than the design basis hazards.

The Great East Japan Earthquake and the subsequent tsunami were, at the time of the accident, not covered by the design basis, although studies were on going in this field. The Fukushima accident reminds us that the site design basis hazard definition must be as complete as achievable, include adequate margins and be updated according to new knowledge.

In addition, as a defence in depth provision, in case that nature would reveal to be more imaginative than us or in case of some mistake in the hazard evaluation, extra margins and robustness should be ensured for the vital safety functions, in case of natural hazard significantly exceeding the design basis. The objective of these provisions and margins is, as far as reasonably practicable, to avoid cliff edge effects in order to prevent a severe accident and, should a severe accident occur, to avoid large and long term off site contamination. In other words, a minimal set of essential safety functions needed to prevent a severe accident or to mitigate its consequences should show sufficient robustness and safety margins to cope with natural hazards significantly more severe than the design basis hazards.

Assessing and ensuring robustness beyond the site hazard referential, in order to avoid cliff edge effects and catastrophic consequences, does not mean defining a new referential;

the design basis hazards are to remain the referential. Beyond design natural hazards situations are dealt with best estimate analysis methodologies and safety criteria less conservative than those traditionally used for the design basis accidents.

Without delaying any of the above, international cooperation remains necessary to define guidelines as regards beyond design hazards. Those should in particular address the methodologies to assess the actual margins of the structures, systems and components in place at the existing facilities and the level of margin to be sought beyond the design basis.

2.1.1. Some insights on earthquakes

Several beyond design earthquakes struck nuclear power plants in the last years (Kashiwasaki Kariwa, Great East Japan and North Anna earthquakes). They showed an overall good resistance of the affected plants to the earthquakes.

This confirms that credit is not only due to the care put in the evaluation of the design basis events, but also as importantly to the quality of the design against seismic hazards and the associated margins taken in the various stages of the design, construction and operation.

Priority is therefore to be maintained on the quality of the seismic design and construction, in order to ensure important margins above the safe shutdown earthquake (SSE).

159 2.1.2. Some considerations on flooding

As shown by the events in Le Blayais (1999) and Fort Calhoun (2012), flooding can be caused by a variety of phenomena which can occur in many places of the world. These are not all as outstanding as the major cataclysmic tsunamis which stroke Fukushima. The lessons learnt in the field of flooding are to receive a particular focus as flooding is the main cause of the Fukushima Daiichi accident and as it is among the main common cause failure potentialities.

Flooding ignores the concepts of independence between the levels of defence in depth, redundancy, diversity or safety classification: it aggresses without distinction every non protected systems, whatever their nature or their ranking in the defence in depth.

The dry site concept remains the overarching requirement: it must be demonstrated with high confidence and sufficient margins that the platform will endure no flooding should the highest water levels defined in the design basis requirement occur. In addition, as a defence in depth provision, unless it can be clearly excluded given the site location, it is our view that a potential flooding of the platform should be deterministically considered and that adequate water-tightness should be provided to the buildings protecting the vital safety functions.

2.2. The Fukushima Daiichi accident highlights the need for an effective implementation of severe accident mitigation in the defence in depth.

The matter that a severe accident can occur was not revealed by Fukushima; severe accident management is an important issue since the WASH 1400 report, TMI and Chernobyl, encompassing design, hardware, procedures, crisis organization and training. It is included in the international standards as the level 4 of defence in depth, as set by INSAG 10.

Containment has for long been recognized as the critical item in severe accidents, being the last barrier to prevent radioactive releases and to protect the people and the environment.

Comprehensive R&D was performed and is continuing on the physics involved in severe accidents and means have been developed to mitigate radiological consequences, including hardware, procedures and training.

Hardware solutions to maintain containment integrity, as primary circuit depressurization, hydrogen risk mitigation and prevention of containment over-pressurization, were known to be available prior to Fukushima. The range of the practicable solutions obviously varies between what can be done on new reactors and what can be back-fitted on operating plants.

Fukushima reminds and strengthens the need to share and implement globally the objective of incorporating severe accident mitigation in the safety approach, in particular by implementing the recognized means to protect the containment integrity in the course of a severe accident.

The general objective to avoid, should a severe accident occur, large and long term offsite contaminations, as stated by the CNS, can be derived along the following lines, as in the IAEA SSR 2-1 and the WENRA safety objectives:

• Scenarios which would lead to early and large releases should be practically eliminated.

• For core melt accident not corresponding to the above, provisions are to be taken so that only limited protective measures, in area and time, may be needed for the public (no permanent relocation, no need for evacuation outside the immediate vicinity of the plant, no long term restrictions in food consumption) and sufficient time is available to implement these measures.

160

Without delaying any of the above, international cooperation remains necessary to further model some of the key physical phenomenon, to harmonize their safety appreciation, to formalize a common understanding of the “practical elimination” concept, to update and harmonize the industry best practices and to further standardize the regulatory approach.

2.3. Some complementary insights on safety systems 2.3.1. Vital functions

At Fukushima, the tsunami primarily impaired the electrical systems - generation and distribution, AC and DC - and deprived the operators of all means of control over the plant.

Any non AC powered, non-water proof systems (e.g. turbine driven pumps, diesel driven systems, powered valves…) located in floodable areas would have endured the same fate;

flooding can put out of use all equipment which is not water resistant.

Indeed, any power plant ultimately needs a minimal set of vital functions to prevent or mitigate severe accidents. They may vary according to the design: active, passive, AC powered, steam driven, DC controlled etc. Minimal Instrumentation and Control, residual heat removal means and containment integrity mastering equipment are among those, including their support systems.

A key lesson from Fukushima is to define adequately those functions, for each facility, and to protect them in such a way that their availability is ensured in extreme situations.

2.3.2. I&C

The most crucial point of the Fukushima Daiichi accident probably relates to the progressive loss of all instrumentation and control over the plant. The instrumentation and control means were ultimately powered by DC, the loss of which proved to be at the heart of the catastrophic evolution of the accident.

The extent and features of the vital Instrumentation and Control is to be defined with care, according to the exact characteristics of each design. It must be protected, hardened and supported in such a way to be available under all circumstances.

The nuclear industry appears in this field in the same situation as many of the other industries dealing with safety, the aviation industry being one of the other major examples.

In modern technologies, electricity (fiber optic data transmission being included in this category) represents the undisputed media to circulate information and orders. The wisest safety approach seems to recognize the ultimate need for some electrical generation and distribution in this field, and to implement the adequate provisions to prove its availability in all circumstances.

2.3.3. Heat sink

The ultimate heat sink generally includes a water intake and can be challenged in two ways by natural hazards, both having occurred in Fukushima: (1) the systems attached to the heat sink (e.g. pumping stations) can be impaired or (2) the water source can become unusable (e.g. the water can turn into mud, can be drawn apart, can be loaded with unmanageable amount of debris, ice, spilled oil, etc).

Indeed, the heat sink is both a system and a part of the environment. The protection of the system may not suffice in all cases of extreme natural situation, because it cannot prevent

161 a major change of the environment itself. Due consideration of an alternate heat sink hence seems an important feature in the defence in depth, as a lesson learnt from Fukushima

2.3.4. Spent fuel pool

The Fukushima Daiichi accident also highlighted the need for increased attention to spent fuel pools. As a severe degradation of the fuel stored in the pool would generally have unbearable consequences, one has to show practical elimination of such a scenario; the pool structural integrity, sufficient water-tightness and residual heat removal must be ensured in all cases.

3. GEN III REACTOR GENESIS AND SAFETY OBJECTIVES