Fusion Engineering and Design 56–57 (2001) 83–93
Improving the safety of future nuclear fission power plants
W. Frisch a,*, G. Gros b,1
a Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Forschungsgelände, 85748 Garching, Germany
b Institut de Protection et de Sûreté Nucléaire IPSN, BP 6, 92265 Fontenay-aux-Roses Cedex, France
The main objectives and principles in nuclear fission reactor safety are presented, e.g. the defence in depth strategy and technical principles such as redundancy, diversity and physical separation. After a brief historical review of the continuous development of safety improvement, the most recent international discussion is presented. This includes mainly the international activities within IAEA and its International Nuclear Safety Advisory Group (INSAG). The safety improvement, presented in recommendations of IAEA and INSAG, is expressed as an improvement of all elements and all levels of the defence in depth concept. Special emphasis is put on improvement of the highest level, which requires the implementation of means to mitigate consequences of accidents with severe core damage. The different future concepts are briefly characterised. Some examples from the French–German safety approach are taken to demonstrate how requirements for safety improvement by means of an enhancement of the defence in depth principle are developed. © 2001 Elsevier Science B.V. All rights reserved.
Keywords: Safety improvement; Nuclear fission reactors; French–German
The safety of nuclear fission reactors has always been a very important issue, and improving safety was and is a continuous process. However, it can be observed that within the last decade special emphasis was put on both the development of reactor designs with improved safety and the development of new and more stringent safety objectives and requirements.
There are several reasons for this enhancement of safety despite the good operational and safety records of nuclear power plants within this last decade:
- In some countries no new nuclear power plants have been ordered for capacity and economic reasons. In the USA the latest of the plants in operation was ordered in 1973. This long intermission was used for an evaluation of the existing concepts and a development of future ones, with the involvement of industry, research institutes and safety authorities.
- Some countries are faced with acceptance problems of nuclear technologies. It is believed by some that the acceptance can be improved when safety requirements become more stringent and design concepts with improved safety are offered.
- Other countries (especially in Asia) are expanding their nuclear power program. With an increasing number of power plants the safety level has to be increased in order to avoid a considerable increase of risk solely by the growing number of power plants.
- A further improvement of nuclear safety is feasible. Operating experience, safety studies and results of safety research programs have indicated the way to do it, both for existing plants (backfitting) and for new concepts. This gain in knowledge and experience has to be turned into proper safety requirements.
- The international discussion of safety aspects (considerably intensified after the Chernobyl accident) has led to a synchronisation of safety development. Can a country neglect the international discussion on safety improvements and afford to install considerably lower standards than internationally accepted or recommended?

* Corresponding author. Tel.: +49-89-32004-432; fax: +49-89-32599-432.
E-mail addresses: email@example.com (W. Frisch), firstname.lastname@example.org (G. Gros).
1 Tel.: +33-1-4654-8386.
0920-3796/01/$ - see front matter © 2001 Elsevier Science B.V. All rights reserved.
PII: S0920-3796(01)00238-1
2. Basic safety functions
Because of the large amount of radioactive material present in a nuclear fission reactor, safety was always an important issue, focused on the protection of plant personnel and the public against hazards of radioactive substances released from a nuclear power plant during normal operation and during accidents. Safety of nuclear fission reactors, especially water cooled reactors, is characterised by the three basic safety functions:
- control of the nuclear fission process (nuclear power)
- cooling of the fuel (includes removal of the fission product decay heat)
- confinement of radioactive material.
Closely related to these basic safety functions are successive barriers to confine radioactive material (fuel cladding, coolant system pressure boundary, containment building).
For nuclear fission plants all basic safety functions are of equal importance. The first basic safety function has to be fulfilled in two different ways. Firstly, control means avoidance of an uncontrolled power excursion. This is avoided by an inherently stable core configuration with negative feedback upon increasing power. These negative feedback functions are typical for all LWR of western design. In some countries this negative feedback is required in regulation. In Germany, stable core behaviour with negative feedback coefficients was already required in high level regulation, the BMI criteria of 1977. Secondly, control also means to reduce the fission power to lower levels and even to zero (subcriticality) if it is needed, e.g. after a loss of the normal heat sink (turbine and turbine bypass). In principle this process is a self-regulating one for PWRs due to the negative moderator feedback effect (reduced heat removal causes coolant temperatures to rise, which reduces nuclear power). However, for closer power control the process is supported by absorber rods (control rods) and a liquid absorber (boric acid) provided by the volume control system. If a fast power reduction is needed, the fast shutdown system (scram system) acts automatically, triggered by numerous initiation criteria, depending on the type of event. Modern PWRs are designed to survive anticipated transients without damage despite the complete failure of all absorber rods. Long term subcriticality is then achieved by liquid absorbers, in some plants provided by an extra automatic system.
The heat generation of fission products even after a reactor shutdown is an inherent feature of fission reactors which cannot be influenced much by core design. Therefore considerable technical effort is necessary to guarantee reliable fission product decay heat removal from the core and also from the spent fuel pool. Due to the high power density (6% of fission power right after a plant shutdown and still about 1% after a few hours) heat removal from the core is only possible by convection and not by radiation. Several redundant and diverse active systems are provided for decay heat removal. For a PWR these are emergency feedwater systems on the secondary side of the steam generators and decay heat removal systems connected directly to the primary coolant system. They are all designed to safely remove the decay heat from the core without endangering the first two barriers against radioactive material (fuel cladding and primary coolant boundary).
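The magnitudes quoted above (about 6% of fission power immediately after shutdown, about 1% after a few hours) can be reproduced with a simple decay-heat estimate. The following is an added example, not code or a formula from the paper: it uses the Way–Wigner approximation, a standard textbook estimate of fission-product decay power, and the 3000 MW thermal rating and one-year operating time are constructed assumptions chosen only to give realistic numbers.

```python
"""Fission-product decay heat after shutdown (added example, not from the paper).

Way-Wigner approximation for a reactor that ran at constant fission power P0
for T seconds and has been shut down for t seconds:

    P(t) / P0 = 0.0622 * (t**-0.2 - (t + T)**-0.2)

The thermal rating and operating time used below are constructed assumptions.
"""

SECONDS_PER_YEAR = 365.0 * 24 * 3600
ONE_YEAR = SECONDS_PER_YEAR  # assumed operating time before shutdown


def decay_heat_fraction(t_s, T_s=ONE_YEAR):
    """Decay power as a fraction of pre-shutdown fission power, t_s seconds
    after shutdown following T_s seconds of operation.
    The approximation diverges at t = 0, so t_s must be positive."""
    if t_s <= 0 or T_s <= 0:
        raise ValueError("shutdown and operating times must be positive")
    return 0.0622 * (t_s ** -0.2 - (t_s + T_s) ** -0.2)


def decay_power_mw(thermal_power_mw, t_s, T_s=ONE_YEAR):
    """Absolute decay power (MW) the decay heat removal systems must carry
    away t_s seconds after shutdown."""
    return thermal_power_mw * decay_heat_fraction(t_s, T_s)


def time_to_reach_fraction(target, T_s=ONE_YEAR, t_max=10 * SECONDS_PER_YEAR):
    """Seconds after shutdown at which the decay heat fraction first drops to
    `target`. The fraction decreases monotonically in t (its derivative is
    0.2 * ((t + T)**-1.2 - t**-1.2) < 0), so bisection between 1 s and t_max
    is sufficient."""
    lo, hi = 1.0, float(t_max)
    if decay_heat_fraction(lo, T_s) < target:
        return lo
    if decay_heat_fraction(hi, T_s) > target:
        raise ValueError("target fraction not reached within t_max")
    for _ in range(200):  # far more than needed for double precision
        mid = 0.5 * (lo + hi)
        if decay_heat_fraction(mid, T_s) > target:
            lo = mid
        else:
            hi = mid
    return hi


def decay_heat_table(thermal_power_mw=3000.0, T_s=ONE_YEAR):
    """(label, fraction, MW) for a few times after shutdown of an assumed
    3000 MW(th) plant."""
    points = [("1 s", 1.0), ("1 min", 60.0), ("1 h", 3600.0),
              ("3 h", 3 * 3600.0), ("1 day", 86400.0), ("30 days", 30 * 86400.0)]
    return [(label, decay_heat_fraction(t, T_s),
             decay_power_mw(thermal_power_mw, t, T_s)) for label, t in points]


if __name__ == "__main__":
    for label, frac, mw in decay_heat_table():
        print(f"{label:>8s}: {100 * frac:5.2f}% of fission power = {mw:7.1f} MW")
    hours = time_to_reach_fraction(0.01) / 3600
    print(f"decay heat falls to 1% after about {hours:.1f} h")
```

Running it shows roughly 6% one second after shutdown, about 1% after one hour and under 1% after three hours, i.e. tens of megawatts that still have to be removed by convection for a plant of this size, which is why the paper stresses redundant and diverse decay heat removal systems.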
The third basic safety function, the confinement of radioactive material, is expressed by a set of staggered requirements for normal operation and for accidents (for future plants in some countries also for beyond design basis accidents). Special emphasis is put on the minimisation of radioactive releases to values far below the prescribed intervention levels for the public by using the ALARA (as low as reasonably achievable) principle. For accidents higher releases are allowed than for normal operation; however, the radioactive material present in the containment building can be considerably higher because of the assumptions on the first barriers. For example, during loss of coolant accidents the second barrier is not intact by definition and the first barrier (fuel rod cladding) is assumed to have a certain amount of leakages (e.g. 10% of the rods are no longer leak-tight).
For beyond design basis accidents some future designs, e.g. the EPR or the AP600, provide additional cooling systems to mitigate consequences of core melt accidents (beyond design basis accidents, e.g. assuming multiple failures of safety systems). These systems are designed to provide cooling of the molten core either within the reactor vessel by outer surface cooling or within the containment building by cooling core material on the containment floor. The aim of these systems is to limit radioactive releases by keeping the last barrier, the containment building, intact.
If the release limits for beyond design basis accidents (core melt accidents) are very stringent, as, e.g., in the French–German safety approach for future reactors, a double wall containment with subatmospheric pressure in the annulus may be necessary.
The second and third basic safety functions are also relevant for spent fuel transport and storage and for waste treatment and disposal.
These three basic safety functions can also be applied to fusion power plants. However, the first two are of lower significance because of the limited potential of a fusion power increase and the lower power density of activated material. The most important basic safety function is the third one, asking for a very reliable confinement system which has to stay intact during accidents, including those originating from magnetic systems, and after internal (e.g. fire) and external hazards.
3. Continuous safety improvement
Being aware of the potential of releasing large amounts of radioactive material during unforeseen events in nuclear fission reactors, many safety principles have been applied from the beginning of nuclear power plant design and operation, such as redundancy, diversity, multibarrier confinement of radioactive material and quality assurance during design, construction and operation.
The principle of redundancy and diversity was already fully developed in the minds of Enrico Fermi and his fellow researchers when demonstrating for the first time a self sustaining nuclear fission chain reaction in Chicago in December 1942.
To prevent the chain reaction from getting out of control, four different devices were foreseen in the pile:
1. The manual control rod to start and control the chain reaction
2. A set of automatic control rods
3. A heavily weighted emergency control rod held by a rope, which was supposed to be quickly cut with an axe (SCRAM = safety control rod axe man)
4. A liquid control squad, to flood the pile with a cadmium salt solution as absorber in case of a common cause failure of all rods.
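The fourth device in Fermi's list shows why diversity is needed on top of redundancy: adding more identical rods does nothing against a cause that disables all rods at once. The following added example (not from the paper) puts numbers on that with the beta-factor common-cause model, a standard reliability technique: of each channel's demand failure probability q, a fraction beta is assumed to strike all identical channels together and the remainder to strike them independently. All probabilities in it are constructed illustration values, not data from the paper.

```python
"""Redundancy versus diversity under common-cause failure (added example).

Beta-factor model (standard reliability technique, not from the paper):
a fraction beta of a channel's demand failure probability q is a
common-cause part shared by all identical channels; the rest,
(1 - beta) * q, is an independent part. All numbers are constructed.
"""


def redundant_failure_prob(q, n, beta):
    """Probability that all n identical redundant channels fail on demand,
    in the usual additive beta-factor form: the common-cause event, plus the
    independent failure of every channel.

    q    - demand failure probability of one channel
    n    - number of redundant channels (n >= 1)
    beta - common-cause fraction, 0 (fully independent) .. 1
    """
    if n < 1 or not 0.0 <= beta <= 1.0 or not 0.0 <= q <= 1.0:
        raise ValueError("invalid model parameters")
    q_cc = beta * q            # shared (common-cause) part
    q_ind = (1.0 - beta) * q   # independent part per channel
    return q_cc + q_ind ** n


def redundancy_floor(q, beta):
    """Failure probability that no amount of identical redundancy can beat:
    the common-cause part beta * q (limit n -> infinity)."""
    return beta * q


def diverse_failure_prob(*means):
    """Probability that every one of several *diverse* means fails.
    Each argument is the failure probability of one means (e.g. the rod
    system as a whole, then a liquid absorber). Diversity is modelled as
    independence between the means, so the probabilities multiply."""
    p = 1.0
    for m in means:
        p *= m
    return p


def compare(q=0.01, beta=0.1, q_backup=0.01):
    """Compare one channel, four and eight identical channels, and four
    channels plus one diverse back-up. Returns a dict of results."""
    four = redundant_failure_prob(q, 4, beta)
    eight = redundant_failure_prob(q, 8, beta)
    return {
        "single_channel": redundant_failure_prob(q, 1, beta),
        "four_redundant": four,
        "eight_redundant": eight,
        "floor_from_common_cause": redundancy_floor(q, beta),
        "four_plus_diverse_backup": diverse_failure_prob(four, q_backup),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:26s} {value:.3e}")
```

With beta = 0 four channels reach 1e-8, but with a modest beta = 0.1 both four and eight identical channels sit at about 1e-3, the common-cause floor; only the diverse, independent back-up brings the figure down again (to about 1e-5 here). The model is deliberately simple (no partial common-cause groups, no repair), but it is enough to show why the page lists redundancy and diversity as separate principles.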
Without the intention to present a complete history of nuclear fission reactor safety some examples will be given to demonstrate that safety improvement has always been practised. It is a continuous process especially due to the two principles to always take into account the most recent state-of-the-art in science and technology and to utilise continuously the feedback from operating experience. The feedback from plant operation was always very intense after an accident had occurred. Therefore it is not surprising that the Three-Mile-Island (TMI) accident in 1979 had a considerable impact on technical safety improvements and more demanding regulation. Some of the consequences were:
- more emphasis on human errors
- more emphasis on complex transients
- design improvements in the feedwater systems
- design improvement with respect to reduction of the frequency of events with stuck open relief valves.

One consequence in Germany was the extension of the Guidelines of the Reactor Safety Commission (RSK) in 1981, which now require that for frequent events the primary coolant system pressure has to stay below the response pressure of any pressurizer valve and that each pressurizer relief valve (which has a lower response pressure than the safety valves) has to have a block valve which closes automatically when the relief valve fails after opening.
In France the TMI accident initiated the extension of safety analyses and operating procedures (introduction of Complementary Operating Conditions and additional ultimate emergency procedures). Complementary Operating Conditions are selected on the basis of a probabilistic approach. In general these are frequent events plus the complete failure of a safety function such as fast shutdown or emergency feedwater supply. During that time in France the permanent presence of a nuclear safety and radiation protection engineer on each reactor site was introduced.
While the feedback from the TMI accident was only in the area of technical safety improvement, the Chernobyl accident had also an impact in the political field and in the general area of safety philosophy, which can be characterised as safety culture. This different type of feedback originated from the fact that the technology of the RBMK is so different from that of Western light water reactors that there was no basis for direct adjustments. However, there was also a technical impact in the area of reactivity initiated accidents and measures to limit consequences of core degradation accidents. This also influenced the safety strategy in new design concepts.
4. The defence in depth principle
The basic elements of defence in depth were fully developed in the early 80s and they were laid down by the International Nuclear Safety Advisory Group (INSAG) of IAEA in the report INSAG-3 in 1988. IAEA and INSAG have spent considerable effort in a further refinement and interpretation of the principle with respect to safety improvements of operating plants (e.g. accident management) and the application of the principle to future nuclear power plants (INSAG-10 in 1996 and IAEA-TECDOC 986 in 1997).
Only the most important objectives, principles and elements of defence in depth are presented here. The main objective is defined in INSAG-3:
To compensate for potential human and mechanical failures, a defence in depth concept is implemented, centred on several levels of protections including successive barriers preventing the release of radioactive material to the environment. The concept includes protection of the barriers by averting damage to the plant and to the barriers themselves. It includes further measures to protect the public and the environment from harm in case these barriers are not fully effective.
The proper application of this principle ensures that no single human or equipment failure would lead to harm to the public and even combinations of failures that are only remotely possible would lead to little or no injury.
Defence in depth helps to ensure that the three basic safety functions (controlling the power and reactivity, cooling the fuel and confining the radioactive material) are preserved. Table 1 gives the five levels of defence, based on INSAG-10. Level 4 has...