
1 Short Reflection of Basic Safety Issues

In contrast to other technologies, basic safety rules for nuclear facilities were introduced from the very beginning. In addition, the safety requirements and designs, especially of LWRs, have been improved using the lessons of accidents and incidents that occurred during the history of this technology.

In order to assure the function of the four classical safety barriers—fuel matrix, fuel rod, primary circuit and containment—the defense-in-depth safety concept is applied. The strategy for defense-in-depth is twofold:

  • to prevent accidents, and

  • if prevention fails, to limit their potential consequences and prevent any evolution to more serious conditions.

The fundamental safety goals that shall be achieved with the support of the provisions taken within the framework of the defense-in-depth concept are: control of reactivity, cooling of fuel elements, and activity retention.

The safety goal “reactivity control” means, among other things, that a nuclear reactor should have inherent safety characteristics. The reactor should be designed to have negative reactivity feedback characteristics. The power coefficient of the reactor should be negative so that power decreases automatically without operator action. The reactivity coefficients of fuel temperature and coolant voiding should be kept negative for this purpose. After a reactor trip, the reactor should be kept in a sub-critical state in the long term, and sub-criticality should be ensured during handling, storage and transport of fuel elements.

The safety goal, “cooling of fuel elements,” means to ensure heat removal from the core and the fuel storage pool under all operating and accident conditions and replenishing of coolant for the core and the fuel storage pool. In addition the integrity of coolant retaining systems should be ensured by pressure and temperature limitation in the relevant safety components and systems.

The safety function, “activity retention,” should be provided by means of isolation provisions with the function of confinement of activity within the pressure-retaining boundary and connecting systems. An important activity confinement function is dedicated to the containment and other relevant buildings such as the reactor and the auxiliary building.

According to the IAEA document INSAG 10 [1], five levels of defense should be considered. The levels 1–3 define the design basis. Levels 4 and 5 define the beyond design basis area. An overview on the levels and the main means of action is depicted in Table 12.1.

Table 12.1 The levels and the main means of action for the defense-in-depth safety concept in INSAG 10 [1]

Level 1

The safety provisions at Level 1 are taken through the choice of site, design, manufacturing, construction, commissioning, operating and maintenance requirements such as:

  • The clear definition of normal and abnormal operating conditions;

  • Adequate margins in the design of systems and plant components, including robustness and resistance to accident conditions, in particular aimed at minimizing the need to take measures at Level 2 and Level 3;

  • Adequate time for operators to respond to events and appropriate human-machine interfaces, including operator aids, to reduce burden on the operators;

  • Careful selection of materials and use of qualified fabrication processes and proven technology together with extensive testing;

  • Comprehensive training of appropriately selected operating personnel whose behavior is consistent with a sound safety culture;

  • Adequate operating instructions and reliable monitoring of plant status and operating conditions;

  • Recording, evaluation and utilization of operating experience;

  • Comprehensive preventive maintenance prioritized in accordance with the safety significance and reliability requirements of systems.

Furthermore, Level 1 provides the initial basis for protection against external and internal hazards (e.g. earthquakes, aircraft crashes, blast waves, fire, flooding), even though some additional protection may be required at higher levels of defense.

Level 2

Level 2 incorporates inherent plant features, such as core stability and thermal inertia, and systems to control abnormal operation (anticipated operational occurrences), taking into account phenomena capable of causing further deterioration in the plant status. The systems to mitigate the consequences of such operating occurrences are designed according to specific criteria (such as redundancy, layout and qualification). The objective is to bring the plant back to normal operating conditions as soon as possible.

Diagnostic tools and equipment such as automatic control systems can be provided to actuate corrective actions before reactor protection limits are reached; examples are power operated relief valves, automatic limitation systems on reactor power and on coolant pressure, temperature or level, and process control function systems which record and announce faults in the control room. On-going surveillance of quality and compliance with the design assumptions by means of in-service inspection and periodic testing of systems and plant components is also necessary to detect any degradation of equipment and systems before it can affect the safety of the plant.

Level 3

Engineered safety features and protection systems are provided to prevent evolution towards severe accidents and also to confine radioactive materials within the containment system. Active and passive engineered safety systems are used. In the short term, safety systems are actuated by the reactor protection system when needed.

To ensure a high reliability of the engineered safety systems, the following design principles are adhered to:

  • Redundancy;

  • Prevention of common mode failure due to internal or external hazards, by physical or spatial separation and structural protection;

  • Prevention of common mode failure due to design, manufacturing, construction, commissioning, maintenance or other human intervention, by diversity or functional redundancy;

  • Automation to reduce vulnerability to human failure, at least in the initial phase of an incident or an accident;

  • Testability to provide clear evidence of system availability and performance;

  • Qualification of systems, components and structures for specific environmental conditions that may result from an accident or an external hazard.

Level 4

The broad aim of the fourth level of defense is to ensure that the likelihood of an accident entailing severe core damage, and the magnitude of radioactive releases in the unlikely event that a severe plant condition occurs, are both kept as low as reasonably achievable (ALARA).

Such plant conditions may be caused by multiple failures, such as the complete loss of all trains of a safety system, or by an extremely unlikely event such as a severe flood.

Measures for accident management are also aimed at controlling the course of severe accidents and mitigating their consequences.

Essential objectives of accident management are:

  • to monitor the main characteristics of plant status;

  • to control core sub-criticality;

  • to restore heat removal from the core and maintain long term core cooling;

  • to protect the integrity of the containment by ensuring heat removal and preventing dangerous loads on the containment in the event of severe core damage or further accident progression;

  • to regain control of the plant if possible and, if degradation cannot be stopped, to delay further plant deterioration and implement on-site and off-site emergency response.

The most important objective for mitigation of the consequences of an accident in Level 4 is the protection of the confinement.

Specific measures for accident management are established on the basis of safety studies and research results. These measures fully utilize existing plant capabilities, including available non-safety-related equipment.

Measures for accident management can also include hardware changes. Examples are the installation of filtered containment venting systems and the inerting of the containment in boiling water reactors in order to prevent hydrogen burning in severe accident conditions.

Adequate staff preparation and training for such conditions is a prerequisite for effective accident management.

Level 5

Off-site emergency procedures are prepared in consultation with the operating organization and the authorities in charge and must comply with international agreements.

Both on-site and off-site emergency plans are exercised periodically to the extent necessary to ensure the readiness of the organizations involved.

Safety Culture

The idea of safety culture should be an inherent understanding of any organization in the international nuclear industry, which is focused on safety. For better understanding two definitions may serve.

INSAG-4 definition: Safety culture is that assembly of characteristics and attitudes in organizations and individuals which establishes that as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance.

NRC definition: A good safety culture in a nuclear installation is a reflection of the values, which are shared throughout all levels of the organization and which are based on the belief that safety is important and that it is everyone’s responsibility.

2 Lessons Learned and Recommendations Derived

An overview of TEPCO’s Fukushima Daiichi nuclear power station (NPS) accident is depicted in Fig. 12.1 [also see Chap. 2 in this volume—eds.]. The essential lessons from the accident are described in [2]. The lessons learned from the points of view of reactor design and operation, and the recommendations derived from them, are described in this section.

Fig. 12.1 Lessons learned from the Fukushima Daiichi nuclear power station accident [3]

2.1 Natural Hazards

Lessons

The accident was caused by the big tsunami. It flooded the reactor and turbine buildings. The emergency diesel generators (DGs) lost their function and all AC power supply was lost. The loss of function of the emergency diesel generators was caused by flooding of the power supply panels and of the diesel generators themselves, as well as by loss of the heat sink for DG cooling when the sea water pumps were flooded.

The anti-seismic design of the plant worked well thanks to the improvements made after the big earthquakes in Kobe and Chūetsu-oki. The movements of multiple regions in the seabed caused the big earthquake of March 11, 2011. The acceleration on the base mat of the reactor building was, however, predicted well by the standard acceleration for safety grade systems.

The safety systems did not lose function as a result of the earthquake. The height of the tsunami was, however, underestimated. This is the most important direct reason for the initiation and progression of the accident. The tsunami was caused by the slides along the boundary of continental plates. The interaction of tsunami waves from multiple origins appears to have made the waves high.

Recommendation

It is necessary to develop the ability to imagine natural hazards, and combinations of them, that may potentially cause severe accidents. For example, big hurricanes and typhoons cause extremely high tides that flood large areas. The combination of external fires, tsunami and earthquakes may cause difficulty in the availability of the emergency power supply and cooling water and in the accessibility of the plants.

2.2 Emergency Power Supply

Lessons

The external power of the TEPCO Fukushima Daiichi plants was lost when the earthquake caused the transmission lines to fail. The emergency DGs and some batteries were flooded. Both AC and DC power were lost. The capacity of the remaining batteries was exhausted. The safety systems and instrumentation systems lost their functions. Units 5 and 6 of the site survived with the electricity from an air-cooled emergency DG. The loss of DC power made it difficult for the operators to know the condition of the plants and to take timely action.

Recommendation

It is necessary to enhance the reliability of both AC and DC power supply against external events and to provide sufficient power in case of severe accidents. In case they are lost, alternative power supplies need to be provided for the plant.

2.3 Loss of Heat Sink

Lessons

Loss of the ultimate heat sink is an important lesson of the accident, as is loss of emergency power. Damage to the seawater pumps by the tsunami caused multiple failures of the pumps and heat exchangers needed for cooling and for dumping heat into the sea.

Recommendation

Provision of protective measures such as bunkering of important components and/or alternative cooling devices as well as the water source is necessary.

2.4 Hydrogen Detonation

Lessons

The reactor buildings of Units 1, 3 and 4 were destroyed by hydrogen detonation. The building of Unit 2 was not destroyed, because the blow-out panel of the reactor building dropped down due to the detonation of Unit 1. The hydrogen detonation of the Unit 1 building scattered debris on the site and made preparation of securing activities for Units 2 and 3 difficult.

The primary containment vessels (PCVs) were inerted by nitrogen. Hydrogen recombiners were installed. The temperature and pressure of the PCVs rose above the design conditions. Leakage of hydrogen from the PCVs occurred at the penetrations and the gasket seals of the flange. The hydrogen accumulated within the reactor buildings. Venting of the PCVs caused hydrogen leakage to the piping connected to the stack.

The detonation of the reactor building of Unit 4 was thought to be caused by leakage through the piping of the stand-by gas treatment system (SGTS) connected to the common stack. The air-operated valve of the SGTS piping failed open due to the loss of power as well as the loss of the air that drives the valve as the backup. This caused the leakage of hydrogen from Unit 3 to Unit 4, which was not in operation at the time of the accident [2].

Recommendation

Provisions against hydrogen leakage in severe accidents should be worked out in detail and the corresponding measures should be implemented.

2.5 Measurement at Severe Accidents

Lessons

Important reactor parameters such as water level, pressure and temperature could not be measured due to the loss of DC power after the tsunami. The water level, the most important safety parameter of LWRs, was measured erroneously after core meltdown because the reference water level changed by evaporation due to the high containment temperature. The instrument erroneously showed that the water level was in the middle of the core. The wrong information confused the actions and harmed the reliability of the TEPCO information given to the public. Mental bias of the specialists, who were hoping for the survival of the plants, also decreased the reliability. It should be noted that the water level monitor did not work well at TMI-2.

Habitability of the main control room (MCR) deteriorated during the accident. The air ventilation system of the MCR with charcoal filters lost its function.

Recommendation

Important reactor parameters as well as radiation level, radioactivity and hydrogen concentration in PCV need to be measured for management of severe accidents.

2.6 Management of Severe Accident

Lessons

The employees and workers on site had to conduct accident management under extreme circumstances such as darkness, high radiation, loss of reactor monitoring and communication ability, and debris scattered by the earthquake, tsunami, and hydrogen explosions. No preparation at all had been made for working under such conditions. The command of TEPCO headquarters also suffered from difficulty in understanding the situation and making decisions.

According to the manual, the containment venting procedure is ordered by the director of the plant. But it was negotiated with the central government and took time to be conducted. The seawater injection was halted by the order of the TEPCO headquarters, but it was continued by the decision of the plant director. There was confusion of command.

Recommendation

There should be a clear definition of information, decision responsibility and actions dedicated to the organizations involved during the management process in case of extreme situations or a severe accident.

3 Recommendations and Requirements Derived from Lessons Learned

All important organizations which are engaged in nuclear safety regulation have analyzed the Fukushima accident and have identified lessons learned and proposed recommendations which evolved from these lessons. These bodies were, for example, IAEA, NRC, ENSREG, ANS and Japanese organizations such as AESJ.

New regulatory requirements for commercial light water nuclear power plants were developed in Japan in July 2013, taking into account the lessons learned from the accident at Fukushima Daiichi Nuclear Power Station [3]. Major improvements include:

  • Reinforcement of resistance against earthquake and tsunami,

  • Reliability of power supply,

  • Measures to prevent core damage by postulating multiple failures,

  • Measures to prevent failure of containment vessel,

  • Measures to suppress radioactive material dispersion,

  • Strengthen command communication and instrumentation,

  • Consideration of natural phenomena in addition to earthquakes and tsunamis, for example volcanic eruptions, tornadoes and forest fires,

  • Response to intentional aircraft crashes,

  • Consideration of internal flooding, and

  • Fire protection

These improvements are specifically required to be installed within the current Japanese reactor fleet as a basic requirement for permission to continue operation.

4 Examples for Potential Countermeasures and/or Technologies to be Applied

On the basis of the identified lessons and countermeasures, some examples are described in more detail in the following sections of this chapter. Three main areas are selected, as follows:

  • External events,

  • Design of buildings, systems and components, and

  • Severe accident issues

4.1 External Events

There are some common countermeasures proposed for all external events which are considered to be generally applied for all extreme external events as follows:

  • Develop an approach to regulate hazards from extreme natural phenomena;

  • Periodically redefine and re-analyze the natural event design basis.

Since external events in most cases lead to a combination of initiating events such as earthquake and tsunami or earthquake and fire, such combined effects have to be systematically considered in the design. One proposal which could be considered as a good approach is recommended by Sustainable Nuclear Energy Technology Platform (SNETP) [4] as follows:

  • Extending even further the in-depth safety approach to any type of hazards, in particular external ones, and accounting for any mode of combination of them;

  • Systematically include the design extension conditions (beyond design basis accidents) in the defense-in-depth approach at the design stage.

According to SNETP, there is also the need for future studies and development in the following area:

  • Development of approaches to natural hazard definition, techniques and data, and development of guidance on natural hazards assessments, including earthquake, flooding and extreme weather conditions;

  • Development of guidance on the assessment of margins beyond the design basis and cliff-edge effects for extreme natural hazards;

  • Development of a systematic approach to extreme weather challenges and a more consistent understanding of the possible design mitigation measures;

  • Development of the approach for assessment of the secondary effects of natural hazards, such as flood or fires arising as a result of seismic events;

  • Enhancement of probabilistic safety analysis (PSA) for natural hazards other than seismic (in particular extreme weather) and development of methods to determine margins and identify potential plant improvements;

  • Overall enhancement of PSA analysis, covering all plant states, external events and prolonged processes, for PSA levels 1 and 2.

4.1.1 Earthquake

Several organizations have proposed increasing the seismic design criteria for the evaluation and assessment of beyond design external events. There are some proposals available, such as those from Ref. [5], to increase the seismic design criteria to 1 degree of magnitude, e.g. 0.2–0.3 g. Yet, there is no final decision that can be commonly agreed upon within the nuclear community. This is one of the tasks that have to be worked on by the respective organizations in the future.

It is now common understanding that a periodic redefinition and re-analysis of the earthquake design basis should be performed in the future. The regulatory basis has to be provided by the respective organizations.

In Japan, the Nuclear Regulatory Authority (NRA) strengthened the examination of active faults. Seismic design needs to take into account faults that have been active since 126,000 years ago (Late Pleistocene). If necessary, activity of the faults is examined up to 400,000 years ago. The ground acceleration should be determined taking into account the three-dimensional underground structures, which may amplify the acceleration. Safety-class structures and buildings should not be built on active faults. The ground acceleration increases with the length of active faults. The length of faults needs to be determined including the examination of the nearby seabed. Big earthquakes such as the movement between continental plates also need to be considered separately. The basic earthquake ground motion is determined from these points. It varies with the site of the nuclear power plant. Strengthening of the seismic design of the plants is conducted after the approval of the NRA.

4.1.2 Tsunami

The common countermeasures described above are also proposed for tsunami events.

As an example, the standards set by the Japanese NRA define a “Design Basis Tsunami” as one that exceeds the largest ever recorded. They require protective measures such as seawalls. The standards also require “structure, systems and components (SSCs)” for tsunami protective measures to be classified as class S, the highest seismic safety classification, to ensure that they continue to prevent inundations even during earthquakes.

Examples of multi-layered protection measures against tsunami are the installation of a seawall to prevent site inundation and the installation of water-tight doors to prevent the flooding of buildings. An example of a seawall is shown in Fig. 12.2.

Fig. 12.2 Installation of a seawall to prevent site inundation [3]

4.2 Design of Buildings, Systems and Components

4.2.1 Sites with More Than One Reactor

In case of multiple-unit sites, the following measures have to be considered:

  • Strict separation of safety related systems and components, and

  • Provision of a plant arrangement which prevents common cause failures for safety related systems and components.

There is no specific technology required; the design is related to well-known technologies that have to fulfill the specific design requirements.

The PSA should be the tool that enables identification of the areas that must be considered to strengthen the safety of multi-unit sites.

4.2.2 Off-Site and On-Site Electricity Supply

In case of an external event like an earthquake, the off-site electricity supply is very difficult or even impossible to maintain. This results not only from the direct effect on grid structures like masts and cables, but also from the fact that other plants which feed into the grid may also be affected and consequently have to be shut down. Nevertheless, it should be evaluated whether it is possible to reinforce the grid design, which may result in a higher chance of survival for parts of the off-site grid connection.

Since large uncertainty exists about whether the off-site grid can be maintained in case of an earthquake, the way to substitute off-site electricity supply is mainly to provide mobile power supply systems or to add diesel generators or other power sources such as gas turbines. These components must be protected against external events by bunkering or by locating them at positions which cannot be affected by, e.g., tsunami waves.

NRA requirements for existing Japanese plants

In order to prevent common cause failures due to events other than natural phenomena, the measures against power failures are strengthened. For off-site power, independence of two circuits was not required before, but is now required. For the on-site AC power source, two permanently installed units, two more mobile units and storage of fuel for seven days are required. For the on-site DC power source, one permanently installed system with a capacity for 30 min was required before; now an increase of that capacity to 24 h duration and the addition of one mobile system and one permanently installed system, both with 24 h duration, are required. Additionally, it is required that switchboards and other equipment should not lose their operational capabilities.

Loss of power supply and 3rd grid connection

To ensure that operational and safety-related components maintain their AC supply, in Germany nuclear power plants are forced to use a tiered back-up system: the main grid connection, the stand-by grid connection, the emergency power supply (ordinary back-up AC power source), and the emergency feed power supply (diverse AC power source). The different stages of the AC power supply allow it to cover different failures of the AC grid. An additional third grid connection is also available [6].

Robustness of emergency power supply

The measures to reinforce the on-site power supply are in general to protect the existing components against external events, to extend the capacity and timely availability, and to provide diverse components.

In case of the Olkiluoto 3 Nuclear Power Plant (NPP) [7] the reactor plant electrical power system is divided into four parallel and physically separated sub-divisions designed against external events. The power supply to equipment critical for safety of each division is backed up with a 7.8 MVA diesel generator. The Olkiluoto gas turbine plant can also supply the bus bars of the diesel generators. In case of the loss of all external power supplies and the malfunction of all four diesel generators at once, i.e. the complete loss of all AC power, the plant unit has two smaller diesel generators with an output of approximately 3 MVA each. These units are bunkered and can ensure power supply to safety-critical systems even in such a highly exceptional situation.

Another example is the “SUSAN” system of the Muehleberg NPP in Switzerland [8]. “SUSAN” is an acronym for “Spezielles Unabhängiges System zur Abführung der Nachzerfallswärme,” which means a special independent residual heat removal system. The main tasks are (1) to remove residual heat from the reactor pressure vessel (RPV) in the long term, (2) fast shutdown and isolation of the reactor and (3) to limit and reduce the primary circuit pressure. The system is designed to withstand the design earthquake and is protected against sabotage, flooding and airplane crash. The main system parts and equipment of SUSAN are located in a dedicated building, which is protected against impact from outside. Two 100 % emergency diesel generators are used to supply the necessary pumps and systems with power in case of station blackout.

4.2.3 Bunkering of Buildings with Safety Related Systems

4.2.3.1 Emergency Feed Building

Recent German PWRs are equipped with a second four-fold emergency power supply (emergency diesel sets) [9]. These second emergency cooling systems can cool the reactor core (via steam generators) as well as the spent fuel pool (via auxiliary emergency cooling chain or emergency systems). Emergency diesel sets are equipped with diesel and water reserves conservatively lasting for at least 10 h and more. Emergency buildings (similar to regular emergency diesel housings) are also designed according to design basis regulations including flooding. A building arrangement of a typical emergency feed building is shown in Fig. 12.3. Air ventilation shafts and air suction holes are located in the upper part of the building, indicated by the circles in Fig. 12.3.

Fig. 12.3 Bunkered emergency feed building for recent German PWRs. The circles indicate air ventilation shafts and air suction holes located in the upper part of the building

The emergency feed building is designed for airplane crash, explosion pressure wave, flooding, explosive gases, and earthquake, and is located separately from other buildings of the plant. It encloses the following:

  1. Four additional EDGs (so called D2 Diesels): They serve for power supply in case of loss of offsite power (LOOP) and unavailability of the four main EDGs (D1 Diesels).

  2. Four trains of emergency feed water pumps: Directly driven by the D2 Diesels (but can also be power supplied by the D1 Diesels, if available): An emergency control room (RSS), including wash room, toilet, plant documentation.

  3. Safety related instrumentation and control (I&C).

  4. Safety related switchgears.

  5. Dedicated heating, ventilation, air conditioning (HVAC) system (also powered by D2 Diesel).

  6. Mobile equipment for secondary side bleed and feed.

4.2.3.2 Robustness of Cooling Chain in BWRs and PWRs

An example for the implementation of an additional cooling system and therefore for the robustness of the cooling chain of a BWR is described in the Stress test Report for German nuclear power plants [6].

An additional independent residual heat removal (RHR) system was installed in a separate new building for Philippsburg 1 NPP and Brunsbuettel NPP, both in Germany, Oskarshamn 1&2 NPP in Sweden, and Muehleberg NPP in Switzerland.

It serves as an independent heat sink for residual heat removal and power supply by diesels including cooling of the independent diesels in a separated new building. It is also possible to diversify, for example, by air-cooled cell cooling towers, wells etc. As another example, the ZUNA system of Gundremmingen 1&2 NPP may serve. This is a retrofitted, independent, additional residual heat removal and feed water system with a diverse heat sink by means of wet well cooling towers and diverse emergency power diesels (station blackout diesels). The ZUNA system is protected against external and internal events.

An example of the robustness of a fuel pool cooling system is the wet storage spent fuel pool of Goesgen NPP in Switzerland [10]. The cooling during normal operation is provided by natural circulation. The temperature of the pool is 45 °C maximum, with support of fans in case of high outside temperature and a fully loaded fuel pool. The cooling in case of accidents is provided by natural circulation without need of electrical supply. The temperature of the spent fuel pool depends on the type of accident, but reaches at most 80 °C.

4.2.4 Passive Components and Systems Using Natural Forces

Passive components do not need external power since they rely on laws of physics such as gravity, heat transfer by temperature difference or pressure increase through heating of enclosed fluids.

4.2.4.1 Isolation Condenser

The isolation condenser (IC) is a passive system of BWRs for emergency cooling, located above the containment in a pool of water open to the atmosphere. The scheme is shown in Fig. 12.4 [11, 12]. Under normal conditions the IC system is not activated, but the top of the IC is connected to the reactor’s steam lines through an open valve. Steam enters the IC until it is filled with water. When the IC system is activated, a valve at the bottom of the IC is opened which connects to a lower area on the reactor. The water flows to the reactor via gravity, allowing the condenser to fill with steam, which then condenses. This cycle runs continuously until the bottom valve is closed. In case of electricity failure, the valve closes automatically and operators have to open it manually. Fail-open valves and lines need to be installed for severe accidents.

Fig. 12.4
figure 4

Isolation condenser [11, 12]

4.2.4.2 Gravity Driven Cooling System

The gravity-driven cooling system (GDCS) injects water into the RPV by gravity. The GDCS pool is located at a higher elevation than the RPV. Squib valves supplied with safety-related DC power from batteries activate the system. The schematic diagram of the ESBWR GDCS is provided in [11, 12].

4.2.4.3 Passive Containment Cooling System

The passive containment cooling system (PCCS) of the ESBWR consists of a set of heat exchangers located in the upper portion of the reactor building. The steam from the reactor flows through the containment to the PCCS heat exchangers, where the steam is condensed. The condensate drains back from the PCCS heat exchangers to the GDCS pools. For more detail, refer to [11, 12].

The passive safety systems of the ESBWR are discussed in [11, 12]. In events where the reactor pressure boundary remains intact, the isolation condenser system (IC) is used to remove decay heat from the reactor and transfer it outside containment. In events where the reactor pressure boundary does not remain intact and water inventory in the core is lost, the PCCS and GDCS work in concert to maintain the water level in the core, remove decay heat from the reactor and transfer it outside containment. When the water level of the RPV drops to a predetermined level, the reactor is depressurized and the GDCS is initiated. Both IC and PCCS heat exchangers are submerged in a pool of water large enough to provide 72 h of reactor decay heat removal capability. The pool is vented to the atmosphere and is located outside of the containment. It can be refilled easily with low-pressure water sources via pre-installed piping.

4.2.4.4 Emergency Condenser

Emergency condensers (ECs) are used for residual heat removal from the RPV. The residual heat is released into the core flooding pool inside the containment, not outside of it as with the isolation condenser. The schematic drawing of the ECs is shown in Fig. 12.5 [13]. Each of the four ECs consists of a steam line (top connection) leading from an RPV nozzle, and a condensate return line (lower connection) back to the RPV. Each return line is equipped with an anti-circulation loop. The ECs are connected to the RPV without any isolating element and are actuated by a drop of the RPV water level. In the event of a water level drop in the RPV, steam from the RPV enters the heat exchanger tubes of the ECs, which are located in the core flooding pools, and condenses inside the tubes. The condensate returns to the RPV. This system assures core cooling even at high RPV pressure.

Fig. 12.5 Emergency condenser [13]

The ECs are used for the KERENA™ (formerly SWR-1000) reactor, an advanced BWR in Germany. The cross section of the KERENA™ reactor containment is shown in Fig. 12.6 [13]. The shielding/storage pool is on top of the containment. It is used as a heat sink to remove the heat from the containment. The water inventory is sufficient to ensure passive heat removal for at least 3 days.

Fig. 12.6 Section through the KERENA reactor containment [13]

4.2.4.5 Containment Cooling Condenser

In case the ECs are in operation or when the safety relief valves are opened in case of LOCA, the water of the core flooding pool starts to evaporate and the pressure in the containment will increase. Containment cooling condensers (CCC) are installed above the core flooding pools as seen in Fig. 12.7.

Fig. 12.7 Containment cooling condenser [13]

The heat exchanger tubes are slightly inclined. Both inlet and discharge lines are connected to the shielding/storage pool and are open during normal operation. When the temperature increases inside the containment, the water in the CCC starts to heat up so that a natural circulation flow establishes in the system.

4.2.4.6 Passive Pressure Pulse Transmitter

The passive pressure pulse transmitters (PPPT) function without electric power supply, external media, or actuation via I&C signals. The PPPTs serve to initiate scram, containment isolation of main steam lines, and automatic depressurization of the RPV. The PPPT consists of a small heat exchanger connected to the RPV via a non-isolatable pipe, as shown in Fig. 12.8.

Fig. 12.8 Passive pressure pulse transmitter [13]

The secondary side of the heat exchanger is connected to a diaphragm pilot valve via a pipe. During normal operation the PPPTs are filled with water. In case of a water level drop inside the RPV, the water level in the tube of the PPPTs drops as well. When the primary side of the heat exchanger is filled with steam, the steam condenses and drains back into the RPV, while on the secondary side of the heat exchanger the temperature rises until the water starts to evaporate. The heat exchanger is designed such that the systems are activated within the required time. By means of the increased pressure, a function is triggered via the diaphragm pilot valve.

4.2.4.7 Passive Residual Heat Removal System

The passive residual heat removal system (PRHR) of the advanced PWR AP1000™ provides reactor cooling by natural circulation through the core, as shown in Fig. 12.9 [14].

Fig. 12.9 Passive residual heat removal system (PRHR) [14]

The heat exchanger of the PRHR is located in the in-containment refueling water storage tank (IRWST). The decay heat is transferred to the cooler water in the IRWST. The reactor coolant water in the PRHR becomes cooler and denser and cools the core. The cycle continues until the water of the IRWST is depleted. A large amount of water is, however, stored in the IRWST. The decay heat is transferred by the PRHR to the water of the IRWST in the containment vessel (CV), and steam is generated. The IRWST is vented to the containment vessel and increases its pressure.

4.2.4.8 Passive Containment Cooling System

The passive containment cooling system (PCS) of the AP1000™ is shown in Fig. 12.10 [14].

Fig. 12.10 Passive containment cooling system [14]. 1 Core, 2 PRHR, 3 IRWST, 4 Gutters, 5 CV, 6 Louvers, 7 PCCWST, 8 Atmosphere

The passive containment cooling water storage tank (PCCWST) is located in the roof structure of the containment building. The water is dispersed via gravity from the PCCWST to the top of the CV. The water film covers the steel surface of the CV. The airflow through the annulus removes the heat from the CV by evaporation of the water.

The outside air flows into the outer annulus from the inlet louvers. It flows down and then up in the inner annulus between the CV wall and the air baffle. Evaporating water is applied to the top of the CV from the PCCWST. The steam is exhausted through the chimney area to the atmosphere. The PRHR heat exchanger transfers decay heat to the in-containment refueling water storage tank and from there to the containment atmosphere. The steam is condensed by PCS operation and returned via gravity-drain gutters to the IRWST again.

4.2.4.9 Advanced Accumulator

An advanced accumulator (ACC) is a passive device that uses a vortex flow damper to provide a discharge characteristic of high and then low flow rate, in order to cope with a large break loss of coolant accident (LOCA) of a PWR [15–17]. A high flow rate is required for the refill of the RPV after a large break LOCA, but low flow injection is necessary for reflooding of the core. In the current system this function is provided first by an accumulator and second by a low head injection pump. Switching of the systems is necessary. The new ACC system operates first at high flow rate and second at low flow rate by means of the vortex flow damper. It can eliminate the low head injection pumps and storage tank for safety injection of the present system.

A vortex chamber is provided at the bottom of the accumulator tank as shown in Fig. 12.11. A standpipe is connected to the vortex chamber, which is connected to the injection pipe. At high water level, water comes into both the large and small flow pipes. Since the mass flow through the standpipe is large and is radially directed to the vortex chamber, it dominates the injection mass flow at the outflow without forming a vortex in the vortex chamber. Consequently the coolant is injected at high flow rate. At low water level, water stops flowing into the standpipe. The flow from the small flow pipe connected circumferentially to the vortex chamber forms a strong vortex in the vortex chamber. The coolant is injected with small flow rate due to the vortex.

Fig. 12.11 Principle of advanced accumulator [17]. a Large flow rate (RV refilling). b Water levels in accumulator tank. c Small flow rate (core reflooding)

4.2.5 Actual Japanese NRA Requirements Related to Buildings, Systems and Components

Installation of permanent backup facilities designed as a “specialized safety facility” is required as a measure against intentional aircraft crashes, etc.

Measures for protection against fire and internal flooding, which trigger simultaneous loss of all safety functions due to common cause, are strengthened.

Measures are required to prevent core damage even in the event of loss of safety functions due to the common cause. For example, a safety-relief valve (SRV) is opened by using mobile power sources to reduce the RPV pressure, and water is injected using a mobile water injection system.

Measures are required to prevent CV failures in the event of core damage. For example, a filtered venting system is installed to reduce the pressure and temperature of the CV and to remove radioactive materials. Equipment such as mobile pumps and hoses is to be prepared to inject water into the lower part of the CV to prevent its failure. This is shown in Fig. 12.12.

Fig. 12.12 Measures to prevent containment vessel failure [3]

In order to suppress radioactive materials dispersion in the event of CV failure, deployment of outdoor water spray equipment is required to douse the reactor building and prevent a plume of radioactive materials contaminating the atmosphere.

4.3 Mitigation Measures Against Severe Accidents

4.3.1 Hydrogen Mitigation

Hydrogen and other flammable gases represent a key contributor to potential containment failure risk and therefore must be effectively eliminated. Reactor type as well as containment type, size and internal configuration and the selected melt mitigation strategy (in-vessel or ex-vessel molten corium cooling) are determining factors. Several provisions are generally available for mitigation of hydrogen risks, including containment venting, inerting, mixing, use of hydrogen igniters and passive autocatalytic recombiners (PAR).

After TMI-2 in 1979 attention was focused on the hydrogen produced by metal-water reactions in a degraded core accident. As a consequence, certain types of non-inerted operating plants installed electrically powered igniter systems to control hydrogen build-up under severe accidents and to prevent potential detonations at average uniform concentrations greater than 10 %. Later on, a new, simpler device called the passive autocatalytic recombiner (PAR) was developed, which is now considered an appropriate system for the future.

The principle and concept of a passive autocatalytic recombiner are shown in Fig. 12.13 [20]. The PAR has a metal housing with a gas inlet at the bottom and a lateral gas outlet at the top. Catalysts are arranged in the bottom part of the housing. The housing protects the catalyst from direct spraying of water and aerosol deposition. H2 molecules coming into contact with the catalytic surface react with ambient O2. The reaction between H2 and O2 is an exothermic process with high activation energy (600–650 °C). By the use of catalysts the energy can be reduced to ambient conditions. The reaction heat reduces the density of the gas, which induces buoyancy-driven flow through the PAR. Natural convection is increased by the chimney effect of the PAR housing. The hot gas/steam mixture leaves the PAR at the top.

Fig. 12.13 Passive autocatalytic recombiner (PAR)

The hydrogen issue in a PWR dry containment can be solved by 20–40 PARs distributed inside the containment. With this measure, the global hydrogen concentration can be limited to 10 vol. % and in case of deflagration the containment pressure can be kept below the design pressure. Global detonation is prevented [19].

BWR containments generally are inerted by nitrogen. Therefore only a few PARs in the drywell and wetwell are required which are able to limit the oxygen (from radiolysis) concentration below the flammability limit of 5 vol. %.

Acting in combination with igniters or pre-inerting, PARs deplete hydrogen in non-inerted containment atmospheres and oxygen in inerted atmospheres, such that no detonations or uncontrolled burning takes place that could cause failure of safety-related structures or components.

4.3.2 Containment Venting Systems

Motivation and objectives for filtered containment venting systems are to decrease the containment pressure in severe accident sequences when energy and fission products are released into the containment, if the pressure exceeds a specified limit (prevention of late containment failure) and to limit the level of releases into the environment via the atmosphere. Different principles for containment venting systems are available such as dry filter systems and scrubber systems.

4.3.2.1 Dry Filter Method

The dry filter method (DFM) is a venting system that consists of the combination of two types of filters: a metal fiber filter that retains airborne radioactive aerosols (aerosol filter) and a molecular sieve with doped zeolite for chemisorption of gaseous radioactive elemental iodine and its organic compounds (iodine filter).

A droplet separator prevents water droplets from entering the filtered containment venting system (FCVS). The venting system can be actuated either remotely by opening containment isolation valves or by a rupture disc, depending on regulatory and/or customer requirements.

4.3.2.2 Scrubber System

This system is double-staged and uses the advantages of a high-speed venturi scrubber technology combined with highly efficient filter features. The system operates by passing the vented vapors from the containment atmosphere through a scrubber/filter vessel to remove high activity isotopes and aerosols and so contain the radioactive releases. The filter unit is a wet scrubber system with chemical control. In the second cleaning stage, the micro-aerosol filter combination equipped with metal fibers helps to avoid significant long-term re-entrainment. The second part of the filter unit retains the aerosol particles that are usually too small for retention by any scrubber and droplet separation devices. A venturi scrubber is shown in Fig. 12.14 [20]. For both PWRs and BWRs, dry filter or scrubber systems are installed in many nuclear power plants all over the world.

Fig. 12.14 Venturi scrubber

4.3.3 Melt Stabilization Measures

If a core in LWRs starts to melt and cannot be cooled within its original configuration, fuel, cladding and core structures will form a core melt within the RPV. In order to prevent the failure of the RPV or the containment, cooling mechanisms have to be implemented which will keep the core melt either within the RPV or within the containment. Successful stabilization and termination of the accident by cooling the core melt in the bottom head is called in-vessel melt retention (IVR); successful stabilization by cooling the melt on the concrete basemat or within a special coolable configuration (core catcher) is termed ex-vessel melt retention.

4.3.3.1 In-Vessel Melt Retention

In-vessel melt retention (IVR) is the retention of core melt by thermal stabilization in the reactor vessel through cooling of the RPV from outside. The principle of this concept of IVR is depicted in Fig. 12.15.

Fig. 12.15 Concept of in-vessel retention

Specific requirements of IVR are:

  • It must be activated manually or coupled to severe accident signal.

  • Flooding must be completed before corium relocation into the lower vessel head.

  • At any melt-contacted location internal heat fluxes must be lower than local CHF limits on the outside.

  • Suitable two-phase flow conditions must be established.

  • Suitable water reservoir and flooding strategy; preferred water level in the pit near hot leg level.

  • Elevated water reservoir with sufficient volume to cover the grace period (period in which no operator action is necessary) for the unavailability of active measures.

Issues related to the thermal regime of IVR have been studied in detail with dedicated experimental devices. The heat transfer distribution from a convective, volumetrically heated pool has been studied with facilities of various scale and geometry. The Rasplav [27] and MASCA [28] projects have employed real corium materials and thus played a significant role in confirming the applicability of the results obtained with simulant materials. Even though the heat transfer distribution from a molten metallic layer is relatively well known, there is still some uncertainty attached to the thickness of the metallic layer, which ultimately determines the magnitude of the focusing effect. However, when attempting to apply IVR to reactors with higher power density, the focusing effect during intermediate states becomes a major issue. Efforts are still needed for better understanding of the corium relocation process into the lower plenum, the formation of a molten pool there and the height of the metallic vs. oxidic layers as a function of time.

4.3.3.2 Ex-Vessel Melt Retention

Two PWR designs for which projects are currently under way rely on ex-vessel corium retention for the management and stabilization of corium within the containment: the EPR™ and the VVER 1000. In these designs it is considered that in-vessel retention cannot be proven for large power reactors in all severe accident scenarios; therefore dedicated core catchers have been designed that can gather the corium and cool it safely without violating the containment basemat. The principle of ex-vessel melt retention (EVR) is shown in Fig. 12.16.

Fig. 12.16 Concept of ex-vessel retention

Specific requirements are:

  • Suitable water reservoir and flooding strategy (longer lead time than for IVR).

  • Sufficient cavity size/volume.

  • Openings for pit flooding must be protected against melt ingress.

Ex-vessel retention and coolability are also considered in a flooded pit for BWRs in Nordic countries (Sweden, Finland) [25]. In these reactors, it is expected that after a vessel melt-through the corium will be fragmented in the flooded cavity and form a coolable debris bed.

Another proposal is the application of the so-called “EPRI concept”, based on the provision of a certain spreading area for corium on the basemat and fragmentation of the melt through corium-concrete interaction with water infiltration from above. It is assumed that this process will lead to a stable fragmented bed, which can be cooled and stabilized without penetration of the containment liner.

A concept was studied and tested by FZK (Research Center Karlsruhe), Germany, which relies on penetration of water through the melt from below, which shall lead to a stable fragmented and coolable bed.

The operational principle of ex-vessel melt retention (crucible) is that the core melt is collected and thermally stabilized within the pit/cavity. It avoids most IVR-related concerns thanks to the addition of sacrificial material, which influences chemistry, stratification and heat fluxes.

4.3.3.3 Core Catcher Concepts

The EPR™ melt retention (core catcher) concept

The scheme of the principle of the EPR™ core catcher concept is shown in Fig. 12.17. For the stabilization and long-term cooling of the molten core, the EPR™ relies on an ex-vessel strategy, which implies the spreading of the molten core on a large area with subsequent flooding and quenching. The resulting high surface-to-volume ratio allows an effective cooling of the spread melt, even without crediting superficial fragmentation [21].

Fig. 12.17 Principle of the EPR™ core catcher concept

Melt relocation into the core catcher is promoted by a preceding temporary retention of the melt in the pit, with the admixture of sacrificial concrete. This results in an accumulation and pre-conditioning and enhances the ability of the melt to spread.

The principles of the main sequences are as follows:

  • Temporary melt retention to accumulate and condition the core debris in the pit by means of sacrificial material (step 1).

  • Spreading in one event into the core catcher after penetration of the melt plug (step 2).

  • Triggering of flooding valves which activate gravity-driven water overflow from the IRWST; quenching and passive cooling of the melt by the evaporation or heat-up of water.

A picture of the EPR™ [7] IRWST, spreading room and core catcher is shown in Fig. 12.18. ATMEA, a 1000 MWe class PWR of Mitsubishi-AREVA, also adopted this type of core catcher.

Fig. 12.18 EPR™ IRWST, spreading room and core catcher [7]

The VVER 1000 crucible concept

The core catcher of the VVER 1000, a crucible concept, is discussed in [22]. External heat fluxes to the side and bottom can be adjusted by the amount and type of added sacrificial material. Thermal-chemical interactions are not of concern; stabilization is based solely on cooling and crust formation. The concept is used in VVER-1000 plants in China and India.

The crucible-type catcher comprises a water-cooled steel vessel and a container with sacrificial material under the reactor bottom plate. The vessel performs the function of the main corium-retention barrier. The vessel comprises a vertical lateral part and a cone-shaped bottom with a 12–16° canting angle, which allows a higher critical heat flux than a semi-elliptical or hemispherical bottom. The inner space of the vessel is sealed by a steel sheet preventing water penetration into the vessel prior to the molten corium relocation. Such a measure considerably reduces the probability of steam explosion. In the low-probability case of a simultaneous water and corium relocation into the core catcher, the risk of steam explosion is reduced to a negligible level by the honeycomb structure inside the catcher.

Other core melt stabilization concepts

European safety requirements are satisfied with limited modifications of the current ABWR [23]. The ESBWR proposes a so-called BiMAC (Basemat-internal Melt Arrest Coolability) concept located below the reactor pressure vessel [24]. It is a core catcher combined with passive containment cooling.

EPRI requirement

The EPRI requirement is used for melt spreading, flooding and quenching on concrete in the USA. The “EPRI criterion” [26] requires that the spreading area should be larger than 0.02 m²/MWth. Its function is based on water ingression and continued thermal cracking/fragmentation at the top. It is deduced from observations of volcanic magma flows. Its efficiency was first investigated for molten corium in the MACE/CCI test program at Argonne National Laboratory. The concept was developed for existing generation two (Gen-II) plants, but is also applied in generation three (Gen-III) designs.

The basis for the “EPRI requirement” is as follows:

  1. Decay heat considered to be 1 % of thermal power

  2. Removable “reference heat flux” from debris bed 1 MW/m²

  3. Assumption of a “conservative design factor” of 0.5

Using these figures the following specific number can be generated:

Area/thermal power = 0.01/(0.5 × 1 MW/m²) = 0.02 m²/MWth.

4.3.4 Severe Accident Instrumentation

A severe accident instrumentation concept consists of the availability of appropriate instrumentation in order to (1) perform operator actions, (2) inform about the progression of the accident and survey the effectiveness of the mitigation process, (3) survey the overall plant conditions including possible releases to the environment.

4.3.4.1 Instrumentation for Severe Accident Management

The essential parameters for severe accident (SA) management are shown in Table 12.2 for PWR and Table 12.3 for BWR.

Table 12.2 Essential PWR parameters for severe accident management

Table 12.3 Essential BWR parameters for severe accident management

4.3.4.2 Instrumentation for Containment Integrity

Important containment parameters relevant for severe accident management (SAM) strategy are combustible gas production (H2, CO) and information on the radioactivity content of aerosols, noble gases, iodine etc. The information is necessary for defining the venting strategy and for deriving the damage state of the core and the radioactivity level in the containment.

Measurement of combustible gas (H2, CO) concentrations is necessary in order to get information about core degradation and location, and to succeed in mitigation measures. Containment pressure and containment temperature need to be measured to know pressure buildup in containment due to decay heat. Positions of core melt within the containment need to be known.

For identification of containment leak-tightness, measurement of specific parameters in adjacent compartments, for example, H2-concentration, pressure build-up etc. is necessary.

4.3.4.3 Post Accident Sampling System

A post-accident sampling system (PRONAS) has been developed and is described in [18]. The technical features are:

  1. Analysis of containment gases: aerosol bound radionuclides; non-aerosol bound (gaseous) iodine isotopes; radioactive noble gases (Xenon & Krypton)

  2. In situ sampling technology

  3. No loss of accuracy in pipes

  4. High dilution technology enabling easy handling of the samples

  5. Gases are diluted in modules and discharged from a sampling box

  6. In situ micro sampling based on capillary pipe technology which requires no containment penetration valves

  7. Design basis and SA qualified hardware

  8. Entire measuring equipment outside containment

  9. Capability for oxygen monitoring (for BWR)

5 Summary

The lessons learned from the Fukushima Daiichi accident support safety enhancements to cope with events that go beyond the design basis. Nevertheless the fundamental concepts of defense-in-depth still remain valid for nuclear safety. In case of higher uncertainties of external hazards, the effective implementation of the defense-in-depth requires additional means.

Concerning the structures, systems and components, technology and concepts exist which can cope with this type of accident. With respect to severe accident mitigation, most of the technologies required to cope with Fukushima type accidents are considered to be already available, too.

External hazards

From the technological point of view it has to be stated that every measure that needs to be installed to cope with stricter requirements for both earthquake and tsunami hazards is available. This is explicitly demonstrated by the already started or even finished measures for the enforcement of the plants up to now.

The main issue for the enforcement of the plants is to find out the design requirements which have to be considered concerning the beyond design basis conditions.

Enforcement of structures, systems and components

The main issue of multi-unit sites is to identify weak points of individual units. They are considered to be as follows:

  • Common cause failures that lead to the failure of safety related systems and/or components, and

  • Connections among units that may affect intact structures, systems or components from hazardous conditions of other units which consequently may lead to their failure

The PSA is considered to be the tool that makes it possible to identify the areas which must be considered to strengthen the safety of multi-unit sites.

Since after an external event like an earthquake the offsite electricity supply is very difficult to guarantee, for such case the solution is mainly to use mobile equipment which is to be stored in the vicinity of the plant with the guarantee that it can be connected to the respective plugs at the plant under all circumstances. Only in cases where an offsite electricity source is very closely located to the plant site it can be considered to harden the source and the connection appropriately.

For the enforcement of onsite emergency energy supply many examples exist for bunkered systems, which were back-fitted and therefore are already provided for existing plants. So, the technology for such components is available; for example, diverse diesel generator systems with appropriate reliability for their function exist.

The main issue to strengthen the safety related structures, systems and components (SSC) in case of extreme external events is as follows:

  • enforce the design of existing SSCs

  • add alternative and/or additional SSCs

  • use bunkered solutions

  • provide passive components which need no electricity supply

For all these measures the technology is available and a number of executed solutions exist for existing reactors. It is a matter of individual plant design which measure could be appropriate to strengthen existing SSCs, considering also the impact on the economics of the plant.

Severe accident mitigation measures

The use of catalytic recombiners can be regarded as the most suitable hydrogen hazard mitigation strategy for nuclear power plants in the future because of their passive behavior, their well-known physical phenomenology, their efficiency under both beyond-design-basis and design-basis accident conditions, their start-up at low hydrogen concentration, and their simple use without supplementary constraints in normal operation.

All venting systems have passed a number of qualification tests and most of them were already installed in NPPs, meaning that they have successfully passed a licensing process. Decisive criteria for the selection of one of the systems have to be defined by the respective utilities under consideration of their regulatory requirements.

For existing reactors the back-fitting of RPV outside cooling is a very complex and expensive measure, and may be possible from the technical point of view only for very limited applications. It is expected that in most cases an active system must be provided for the cooling. In such cases it is proposed to use such an additional active system to inject water into the vessel instead of injecting it for outside cooling. For existing BWRs, the method proposed by the Nordic countries could be a solution if it is assured that the cavity around the RPV can be filled with water passively and the water tightness of the compartment can be maintained.

In other cases, the proposal considering melt concrete interaction could be a solution, which may lead to an extension of the time the melt can be contained within the containment boundaries or even will be stabilized within the containment. For both solutions further effort of research and development is required.

Core catchers are mainly proposed for Generation 3+ reactor systems. Up to now some concepts have already been successfully developed and licensed, such as those for the VVER and EPR™ reactors, and are implemented in ongoing projects.

Appropriate instrumentation qualified for severe accident conditions is one of the main prerequisites for efficient severe accident management. In order to improve existing measures, it is required to consider this issue and implement severe accident related instrumentation for hydrogen monitoring or radioactivity monitoring. In addition, the instrumentation that reliably indicates the state of the plant, such as temperature, pressure and water level measurement, has to be qualified for severe accident conditions at elevated temperatures and radioactivity doses.

It should be noted that management, command and control of severe accident for reducing the socio-psychological impact is important, although it is not addressed in this chapter.