[PDF] - Learnings from Fukushima Dai-ichi Accident: - Defense-in-Depth, Human PDF Document

SLIDE 1

2016/3/30 1

Learnings from Fukushima Dai-ichi Accident:

Defense-in-Depth, Human and Organizational aspects, Safety approaches-

Akira OMOTO, Professor, Tokyo Institute of Technology (omoto@nr.titech.ac.jp)

Ou Outline ü Weakness in the application of Defense in Depth concept Human and organizational aspect Implications to approaches/methodologies for safety

2

A. Omoto, Titech

SLIDE 2

2016/3/30 2 3

A. Omoto, Titech

Ø Fukushima Dai-ichi accident: failure of risk governance in a country prone to natural disasters Ø This failure was: not because (as often mentioned) “Japan did not apply level 4 & 5 of Defense-in-Depth” “Nuclear safety principle failed” but because of “Weakness in the application of concept of Defense in Depth” Ø Weakness may be linked with underlying assumptions and traits of the organizations Ø What were the weakness and strength?

4

A. Omoto, Titech

SLIDE 3

2016/3/30 3

De Defense-in in-de dept pth: h: Hierarchical deployment of different levels of equipment and procedures to maintain the effectiveness of physical barriers between radioactive materials and environment

A. Omoto, Titech

5 Level 1: What is the appropriate setting of design basis External Events? Level 4: How to stop progress of accident beyond design basis and limit its consequences? Level 5: How to limit offsite consequences by Emergency Plan? Relevant to Fukushima Accident

What is it for? To compensate for uncertainty and incompleteness in our knowledge of accident initiation and progression” (Sorensen et al. 1999) 6 3.11 Earthquake: Ø A combination of “Plate boundary earthquake” & “Tsunami earthquake”, initiated from B, extended to A and South Ø Multi-segment failures in 200 x 500km zone, Magnitude 9.0 Ø Superimposed Tsunami waves hit Fukushima site

A. Omoto, Titech

SLIDE 4

2016/3/30 4 7

Earthquake & Tsunami by plate techtonics

A. Omoto, Titech

Fukushima- Daiichi NPP Fukushima- Daiini NPP

３．２再現計算結果：広域再現モデル [SOURCE] Reconstruction of Tsunami height map (TEPCo)

8

Run-up height Inundation height

Deeply indented coastline magnifies Tsunami height [SOURCE] Attachment to the report http://www.bousai.go.jp/jishin/chubou/higashinihon/R eport.pdf

High Tsunami along the “rias coastline” (originated from Spanish “ria”) Local differences of Tsunami height due to depth of sea bed

A. Omoto, Titech

Onagawa NPS Fukushima NPS

SLIDE 5

2016/3/30 5

History of re-evaluation of Tsunami height by TEPCO

Design basis (1966)

3m

5.7m Re-evaluation of Design basis Tsunami using JSCE guide(2002) with limited assessment of impact to NPP in case of 10m

Probabilistic T sunami hazard study (2006): 10(-5)/year for 10m

Hypothetical analysis: 10m by assuming Tsunami Earthquake* off Fukushima coast, max. 15.7m by further parametric study (2008) 15.7m (inundation) TEPCO studies: Tsunami deposit, Tall Tsunami wall TEPCO organized experts panel for review

Level 1 Defense in Depth Prevention of abnormal operation and failures

9

*shallow epicenter with large slip causing high tsunami even though magnitude is low

A. Omoto, Titech

10 üIAEA SSG-9 (Seismic hazard evaluation) “Comparisons with similar structures for which historical data are available should be used in this determination. “

M9.5 [Chile, 1960] or M9.2 [Alaska, 1964] or M9.1 [Aleutian,

1957] üComparative subductology: “Magnitude depends on local characteristics of lower plate” (convergence rate and age)

Sumatra earthquake [2004] was a challenge to this “theory”
Discussion on why failed among seismologists can be found

in such documents as

http://www.jsnds.org/contents/shizen_saigai_back_number/ssk_31_1_3.pdf

ü Documents related to Headquarter of Earthquake Research (HER)

Report from long-term projection WG, 2002
NISA projection of earthquake at NPP greater than scale 6

based on HER

A. Omoto, Titech

SLIDE 6

2016/3/30 6

Map of world’s major subduction zones [SOURCE] R. McCaffrey, Geological Society of America, 2009

11

A. Omoto, Titech

Relationship of seismicity to the two variables (convergence rate and age) [SOURCE] L. Ruff and H. Kanamori, “Seismicity and the subduction process” , Physics of the Earth and Planetary Interiors, v23, p240-252, 1980

Comparative subductology 12

A. Omoto, Titech

SLIDE 7

2016/3/30 7

Assessment of external hazards and their Design Basis Ø An important part of Owner’s engineering Ø Needs periodic reassessment ü it is not a one-time work outsourced from Owner to a consulting company ü Epistemic uncertainties needing a group of experts to discuss

13

A. Omoto, Titech

Storegga slide

ØAmongst the largest known landslide ØStudy of deposited sediment Ø8,000 years ago ØAround 10% of Tsunami by landslide?

Storegga tsunami deposits, Scotland

14

A. Omoto, Titech

SLIDE 8

2016/3/30 8

1. Continuous reassessment of design basis (Vigilance)
2. Study on what if design basis is exceeded (in 2002)
3. (In Tohoku) Margin in keeping dry site policy
1. Insufficient questioning attitude [To assumptions in the

use of professional society’s guide, To “comparative subductology” theory] Weakness Strength

15

2. Insufficient attention to alternative views (Tsunami,

earthquake)

3. Insufficient margin assessment
What if design basis is exceeded?
Where is cliff edge to degraded core condition?
What is possible to increase distance to cliff edge?
4. Regulation
A. Omoto, Titech

3.11 PM Earthquake and Tsunami left the plant under Complete SBO (AC/DC) + Isolation from Heat Sink Long term ØDepressurize reactor system ØActivate Low Pressure water injection systems Accident Management Short term Ø Core cooling by AC-independent systems: use of decay heat as driving force automatic response 16

Simplified response of unit 2 & 3

Level 4 Defense in Depth Control of accident beyond Design Basis

Failure of AC-independent systems àCore melt, hydrogen generation and explosion outside of CV

A. Omoto, Titech

SLIDE 9

2016/3/30 9

17

50 100 150 200 5 10 15 20 10 20 30 40 50 60 70 80 Flow Rate (kg/s) RPV Water Level (m) Time (h)

TAF BAF

SBO Ø comply with US 1988 SBO rule Ø“30 minutes rule” in Japan: Not a decisive factor

Depressurization

2 4 6 8 10 10 20 30 40 50 60 70 80 RPV Pressure (MPa[gage]) Time (h)

Depressurization Rx Pressure RCIC Flow

50 100 150 200 250 300 200 400 600 800 1000 10 20 30 40 50 60 70 80 Containment Temperature (℃) Containment Pressure (kPa[gage]) Time (h)

853kPa[gage] 427kPa[gage]

Depressurization Venting Drywell Pressure Wetwell Temperature Wetwell Pressure Drywell Temperature

2Pd Pd

FP Flow Loss of water inventory equivalent to Decay Heat RPV water level Fuel uncovered time period is short. (less than 1 hour)

17

A. Omoto, Titech

ü0-24hrs into the accident: Core water makeup by use of stored energy (RCIC/HPCI)) ü24 hrs: Depressurize RCS (Reactor Coolant System) and Low-Pressure injection ü32 hrs: Heat dissipation to the alternative heat sink (atmosphere) by containment venting

BWR operation in SBO+LUHS

Ø Limited available on-site resources on devastated Fukushima site Fire Engines Batteries taken from cars Mobile small Generators Mobile Engine-driven Air Compressors Mobile pumps/motors

18 Ø Recovery actions hampered by Tsunami debris and hydrogen explosions Ø Accident Management (AM) was prepared after Chernobyl, but

not assuming extended SBO + loss of UHS
not assuming extensive damages by external events
A. Omoto, Titech

SLIDE 10

2016/3/30 10

Decision-making, command and implementation in a complex environment

Onsite Command system

Plant condition

Headquarter

PM

Multi-unit accident Multi-hazard (Damage by Earthquake and Tusnami Crippled monitoring and communication system

Also, it just happened;

HE in Unit 3 damaged water injection to Unit 2 when it was ready
Large release from Unit 2 (March 15) happened to cause significant

deposit in NW by occasional wind and precipitation. 19

A. Omoto, Titech
1. Diversity by Air-cooled EDG against LUHS
2. Resilience (case of adaptationto loss of DC)
3. Self-sacrifice
4. Team work under the leadership of sinorities

with professional experiences (oldest site)

1. Not prepared to very long-term SBO + Loss of UHS
2. Lack of robustness of AM provisions against external event
3. Insufficient External Event PRA and what-if study:

v What if debris cooling outside of RPV failed v What if H2 leaked from CV was accumulated on top of R/B

Weakness

20

Strength

A. Omoto, Titech

SLIDE 11

2016/3/30 11

Level 5 Defense in Depth Emergency Preparedness and Response (EPR) Ø Overall EPR (evacuation and food control) helped reduce health risks Ø Identified problems are; ü Offsite center’s function was lost ü Confusion in implementation of EPR ü Fatalities of hospital patients during evacuation ü Delineation of responsibility including PM, communication among decision-makers ü Dependence on computer-based prediction system and more………

Identified problems and recommendations by Japan Health Physics Society http://www.jhps.or.jp/jhp/wp-content/uploads/2015/10/Fukushima- recommendation2.pdf

21

A. Omoto, Titech

ü Planning lacked serious consideration of what can happen ü No “Realistic drill” ü Inappropriatedesign of offsite center ü Inappropriate zoning ü Coordination scheme

ü Delineation of responsibility, command line….

Weakness

22

Resident’s decision by collecting available information
Food control (learning from Chernobyl)

Strength

A. Omoto, Titech

SLIDE 12

2016/3/30 12

Weakness in the application of Defense in Depth concept ü Human and organizational aspect Implications to approaches/methodologies for safety

23

A. Omoto, Titech

Ø Risk governance needs considerations of; ü Technology ü Human and organizational aspects ü Institutional aspect Whereas, the focus has always been on Technology

A. Omoto, Titech

Technology Human & Organizational Institutional

SLIDE 13

2016/3/30 13

Ø Impact of "culture for safety" on decisions (prior to and during the accident) relevant to safety Ø Teamwork at the time of crisis Ø Professionalism (dedication, ethics, social responsibility) Ø Leadership & communication in crisis management (case of Daini site) Ø “Decision-making approach did not provide for independent challenge or second checks by other groups within the

rganization.” [INPO Fuku LL report]

Ø In-house independent oversight on safety etc.

25

A. Omoto, Titech

Human and organizational aspect includes;

Ø Water makeup: Depressurization and reactor core water makeup by RCIC (powered by decay heat steam) and later by MUWC Ø Heat removal: Increase of suppression/pool temperature à Ready to vent air space of suppression pool (heat dissipation to atmosphere) àStart (53 hrs into the accident) of Residual Heat Removal by replaced damaged AC motor* Ø *Power to RHRC: Enabled by cable spreading for 9km by 200 persons within one day to use

nly one available offsite power to Radwaste/B (usually 20 persons x 1 month)

4 units in rated power operation when hit by Earthquake/T sunami All units could avoid any damage to core fuel

Case of Fukushima-Daini

A. Omoto, Titech

[SOURCEs] N. Masuda, IAEA-IEM7, 17March 2014 & TEPCO’s accident report

26

SLIDE 14

2016/3/30 14

Cable spreading

Ø Team effort under the leadership of Mr. Masuda (Plant Manager or Site Superintendent)

Working as a team ü Sharing knowledge of plant status ü Ensuring critical decisions are shared ü T eam efforts for Cable spreading, Procurement

f replacement, Innovative idea of pool cooling

etc.

Ø “Sense-making”

ü Mr. Masuda offered data, giving the workers an

pportunity to confront and process the uncertainty

for themselves ü One of the case studies at Harvard Business School For “Adaptive behavior [When past experience doesn’t explain the current condition, revise our interpretation of events and response to them, w/o being trapped by a flawed interpretation of events]

Case of Fukushima-Daini

A. Omoto, Titech

[SOURCEs] N. Masuda, IAEA-IEM7, 17March2014 Harvard Business Review , July-August 2014 27

1. Questioning attitude

ü What if design basis is significantly exceeded? ü Is the underlying assumption appropriate?

2. Group think
3. Learning from global good practices to improve safety
4. “Accident will not happen here”

28

A. Omoto, Titech

Underlying behind “weakness” could be issues of “culture for safety”

SLIDE 15

2016/3/30 15 ØTMI: Kemeny report

“No amount of technical "fixes” will cure this underlying

(attitude) problem”

ØChernobyl: INSAG report

“safety culture in organizations through proper attitudes

and practices of management”

ØFukushima: Diet report and UT-UCB report

Diet report “ingrained conventions of Japanese culture”
Prof. Kastenberg “In the aftermath of the accident, the

focus has been mostly on the machine and how to support the machine with other machines.....but what about the people involved?”

Issue of culture for safety repeatedly mentioned….

29

Culture for safety

Since “culture” is the characteristics of a certain group, better expression is “culture for safety” (Edgar Schein)

A. Omoto, Titech

Ø In a culture where it is impolite to say “no” and where ritual must be observed before all else, I think that Western style “safety culture” will be very hard for the Japanese to accept.

Prof. D. Klein, The Ripon Forum, Summer 2011

Some citations on influence of a national culture

Ø “This was a disaster “Made in Japan.”: Its fundamental causes are to be found in the ingrained conventions of Japanese culture (our reluctance to question authority;

ur groupism…)
Prof. K. Kurokawa in chairman’

s message to the Diet’ s Investigation Committee’ s Report, 2012 July

30

A. Omoto, Titech

SLIDE 16

2016/3/30 16

[SOURCE] http://geert-hofstede.com/japan.html Power Distance (hierarchical society) Individualism Masculinity (driven by competition, Achievement) Uncertainty avoidance Long-term

rientation

31

A. Omoto, Titech

Systemic Approach

Advancing nuclear safety further will need; ü To look at nuclear safety in their entirety and with systemic perspective of interaction among HTO and with outside üSystemic (holistic) perspective by considering interactions that possibly influenced shaping organizational culture ?

32

A. Omoto, Titech

SLIDE 17

2016/3/30 17

HTO and their interface with outside

[SOURCE] M. Haage, IAEA

33 34

A. Omoto, Titech

Ø Systemic interactions with surroundings that may have influenced shaping culture in Japanese Utilities

Historically evolved system for the use of NE by interaction between Government, Industry and Operator ü Institutional aspect

Utility as a local giant monopoly
NE programme endorsed by the Gov. and implemented by Utilities

ü Technology management aspect

Component focus, limited systems thinking
History of heavy outsourcing, insufficient knowledge management
Declined humble attitude to learn from others
Lack of confidence in risk assessment

ü Interface with regulation Relationship with the Society on matters involving risks

SLIDE 18

2016/3/30 18 Group think, critical thinking and not raising concern ü Largelyby a national culture (& education)

The first constitution (604) Article 1: “Harmony is our core

value”

Compassion, self-sacrifice
Strong royalty to the belonging group or to highs in the

hierarchy, rather than as an individual professional üHowever, “Cultures are not good or bad in themselves, but they are good or bad at achieving certain outcomes.” [SOURCE] Charles Packer by referring to Edgar Schein Ø (TEPCO) Encouraging proposals to enhance DinD 35

A. Omoto, Titech

TEPCO 2014 May 1st Overview of actions taken to create culture of safety

(from a meeting with external advisory committee) http://www.tepco.co.jp/cc/press/betu14_j/images/140501j0103.pdf

Ø Safety oversight office installed Ø Encourage proposals to enhance Defense-in-Depth Ø Enhance risk analysis and communication with outside of the company Ø Dialogue between top management and middle management Ø Enhance owner’s engineering capacity

A. Omoto, Titech

60

SLIDE 19

2016/3/30 19 Ri Risk an and So Society Why risk information was not extensively utilized in Japan?

“Risk” : historically unfamiliar word in Japan
Limited dialogue on risks and risk management with the

Society by voiding communication of “residual risk” and consequence of SA at NPP …..”official statement”

Insufficient confidence in data and method for PRA
Failed to develop methodology for risk-informed decision-

making on issues with large uncertainty such as on epistemic uncertain associated with earthquake

Focus on probability rather how things go wrong

Ut Utilities cr createdNR NRRC(Nu Nucle lear ar Ri RiskRe ResearchCe Center) for RA/RM/RC C inor

rder

to to su support Ut Utilities 37

A. Omoto, Titech

Weakness in the application of Defense in Depth concept Human and organizational aspect ü Implications to approaches/methodologies for safety

38

A. Omoto, Titech

SLIDE 20

2016/3/30 20

Where to improve in light of Fukushima in approaches and methods for safety ?

1. Resilience (bouncing capability, robustness)
2. Risk assessment (Multi-hazard, Multi-unit…)
3. Defense in Depth (thickness, independence)
4. Deterministic approach (DEC, S/T)
5. Safety Goals (Social disruption)
6. Balanced EPR
7. Effective regulation
8. Nexus between safety and security

39

A. Omoto, Titech

Ø What is it ? Bouncing capability, robustness : A concept developed in ü Psychology (individual's tendency to cope with stress and adversity) ü Disaster control (capacity to prevent, Mitigate, prepare for, respond to and recover from the impacts of Disasters) 40

A. Omoto, Titech
1. Resilience

Ø Where to improve in light of Fukushima? ü Built-in resilience in Accident Management to cope with unexpected ü Look at “what went right” and “why”

SLIDE 21

2016/3/30 21

[Example] Why 11 out of 14 NPPs along the coastal line affected by Tsunami had escaped from core melt?

41

A. Omoto, Titech
A. Omoto, Titech

1) Tsunami height and Elevation of facilities 2) Availability of power a) Offsite power b) Location of Power Distribution Equipment & Battery room c) Air-cooled EDG 3) Accident Management using then-available resources including availability of resources

Onagawa 1F1-3 1F5-6 2F1-4 Tokai

42

SLIDE 22

2016/3/30 22 43

2. Probabilistic risk assessment
What can go wrong?（S：scenario）
How frequent? （L：likelihood）
What is the consequence? （Ｘ：consequence）

Ø Where to improve in light of Fukushima?

Assessment of external hazards (especially treatment of

epistemic uncertainty) and of fragility

Treatment of multi-hazards, multi-units, multi-sources

situation, human reliability in harsh environment

Seismic hazard: SSHAC method on epistemic

uncertainties for each NPP

A. Omoto, Titech

Ø What is it?

44

Ø Where to improve in light of Fukushima? ü Independence of each layer of Defense in Depth ü No accident leading to relocation (Vienna declaration in CNS 2015 and EU directive 2014) ü Use of IAEA-SRS-46 Annex II (Objective tree to consider

ptions to enhance Defense-in-Depth)
A. Omoto, Titech
3. Defense in Depth

SLIDE 23

2016/3/30 23 45

Ø Where to improve in light of Fukushima? ü Stress test in design stage and periodically as new findings:

“where is cliff edge”
“how to increase distance to cliff edge”

ü Intensive “what if” studies ü Enhance Design Extension Condition*

Extended SBO (Station Blackout) + Loss of Heat Sink
Containment integrity after core melt (EU Directive)
A. Omoto, Titech
4. Deterministic analysis (approach)

ØWhat is it? Analysis focusing on accident types, releases and consequences, without considering the probabilities

5. Safety goals

ØHistoricallythe goals focused on health risk by radiation (acute fatality, latent cancer fatality) by nuclear reactor accident ØHowever, Fukushima accident (with a exception, Chernobyl as well) made it clearthis was a narrow view üNo acute fatality, no discernible increase of latent cancer (UNSCEAR) üFatalityandsickness triggered by evacuation/relocation (hospital patient, degraded QOL and mental sickness) üAccident led to social disruption

land contamination and relocation
significant socio-economic impact (including environmental

remediation, image cost, power replacement cost, decommissioning cost)

ØPost Fukushima safety goals need to address the whole risk in its totality 46

A. Omoto, Titech

SLIDE 24

2016/3/30 24

Safety goals in the future …….

üIs expected to be a societal safety goal to address the whole risk in its totalityincluding social disruption üIndustry safety goal responding to expectation from the Society in a way“social contract to operate” üTop goal(in the context of hierarchy of goals) “No largeearly release leading to long-term relocation”

EC Directive (Aug2014)
CNS Vienna declaration (Feb2015)

üAlso, address multi-hazard, multi-unit, multi-source

47

A. Omoto, Titech

ü Fukushima accident cost will amount to M.T. 100B US ü Further indirect cost;

Power replacement cost by

import oil/gas (27B$/year)

Image cost
Civil liability: (projected) M.T. 60B US$
Onsite management of crippled facilities and

decommissioning: M.T. 10B US$

Offsite decontamination: 25B US$
Interim storage of Decontamination Waste: 11B US$

For your information

48

A. Omoto, Titech

SLIDE 25

2016/3/30 25 49

Ø Where to improve in light of Fukushima? ü Delineation of responsibility in law ü “Realistic” drill….many others in a report from Health Physics Society of Japan ü “What is a balanced EPR including long-term evacuation (relocation)? “

given [death of hospital patients during evacuation,

no acute radiation fatality, indiscernible increased incidence of radiation-related health (UNSCEAR), sickness by degraded quality of life among evacuees, mental health]

A. Omoto, Titech
6. EPR (Emergency Preparedness and Response)

Drill on a devastated field by Earthquake Tsunami Tornado Terrorist attack….

A. Omoto, Titech

50

SLIDE 26

2016/3/30 26 IAEA report on Fukushima, 2015 Sept.;

The regulation of nuclear safety in Japan at the time of the accident

was performed by a number of organizations with different roles and responsibilities and complex inter-relationships. It was not fully clear which organizations had the responsibility and authority to issue binding instructions on how to respond to safety issues without delay.

The regulations, guidelines and procedures in place at the time of the

accident were not fully in line with international practice in some key areas, most notably in relation to periodic safety reviews, re-evaluation

f hazards, severe accident management and safety culture.

51

7. Effective regulation
A. Omoto, Titech

Effective regulation would require

1. Independence and dialogue with stakeholders

ü Independence is a condition to enable “safety-first” decision ü CLI (local information committee) with local community

2. Professional competence
3. Organizational and managerial

üRole of Commissioner üACRS

4. Clear regulatory position in writing
5. Oversight by the Parliament

(J) Special committee created in both houses (J) Discussions (role of Commissioner, EPR as pre-requisite of licensing…) not leading to law nor use of “power of purse” (J) Number and quality of staffers

6. Risk-informed decision-making

üUse of insights from PRA üComplementary with deterministic approach (where is cliff edge and increase distance by S/T, Design extension Condition) 52

Institutional

SLIDE 27

2016/3/30 27

Ø The Fukushima-Daiichi accident revealed vulnerability of the plant safety, which could become a target by terrorist, i.e., loss of safety function due to damages by extreme external hazards could also be caused by security attacks Ø Damages to SSC (System/Structure/Component), Offsite power, Ultimate Heat Sink, Communication system, Team Ø Accident Management measures had to be executable under damaged conditions, which was not the case Ø No safety without security, since security violation may be intended to cause harmful impact by radiation

53

A. Omoto, Titech
8. Nexus between Safety & Security

Ø Differences; ü Safety deals with random and unintentional events, whereas Security deals with intended action ü Security: Ever changing threats (weapon, IT, probability) ü Information sharing ü Access to components ü State’s/Operator’s responsibility Ø However, some of the principles to ensure safety could apply to security as well ü Risk-informed approach ü Application of Defense-in-Depth concept ü Strategy for coping capability to threat and sharing of Global Best Practices

54

A. Omoto, Titech

Differences and Commonalities between safety and security

SLIDE 28

2016/3/30 28

Other details for future design considerations a) Containment isolation : Conflict between isolation and use

f equipment outside of containment

b) BWR reactor water level measurement c) Reduced system inter-dependency d) Accessibility under SA condition

55

A. Omoto, Titech

Ø GSR Part-1, Rev.1 Generic Safety Requirement) ü Independence of regulatory bodies ü evaluate progress in science and technology ü shall ensure that adequate training, drills and exercises Ø NS-R-3, Rev.1 (Site evaluation) ü Assessment of the feasibility of implementation of emergency plans ü Periodic review of site specific hazards (typically 10 years) Ø SSR-2/1, Rev.1 (Specific Safety Requirement) ü Defense-in-depth: a) independence of levels, b) avoid offsite contamination, c) ‘practically eliminate’ early or large release ü Design Extension Condition including core melt 56

A. Omoto, Titech

Revisions to IAEA SS (29Feb2016)

SLIDE 29

2016/3/30 29 Ø SSR-2/1, Rev.1 (Specific Safety Requirement) ü External hazards: prevent early/large release in the event of levels of natural hazards exceeding those considered for design ü Ultimate heat sink: The heat transfer function shall be fulfilled for levels of natural hazards more severe than those considered for design ü Each unit of a multiple unit nuclear power plant shall have its own safety and shall have its own safety features for design extension conditions. Ø SSR-2/2, Rev.1 (Safety of NPP, Commissioning and Operation) ü For a multi-unit nuclear power plant site, concurrent accidents affecting all units shall be considered in the accident Ø GSR Part-4 (Safety assessment for Facilities/Activities) ü effects of external events on all facilities and activities ü adequate margins to avoid cliff edge effects 57

A. Omoto, Titech

Revisions to IAEA SS (29Feb2016)

Take-away messages

1. Thickness of layers of Defense-in-Depth decides

effectiveness of defense and varies depending on decisions made by involved parties and individuals

2. Integrated safety management by technology, human and
rganizational aspect, institutional aspect
3. The accident suggests areas for improvement in the

approach/method for safety. IAEA SS has been revised.

58

A. Omoto, Titech

SLIDE 30

2016/3/30 30

….thank you for your attention

A. Omoto, Titech

Supplementary slides

Changes made for level 1,4,5 DinD in Japan to enhance

safety -

SLIDE 31

2016/3/30 31

Changes to improve safety in Level 1 defense-in depth

[SOURCE] AIST , T sunami sediments from boring Sample at the Sendai plain, 2011 August AD869 Jogan T sunami sediments Pre- Jogan T sunami sediments

Hamaoka NPS Tsuruga NPS

61

A. Omoto, Titech

17 Mmax~9.6 Mmax~9.2 Mmax~9.6 NRA’ s Tsunami review guide (2013June)

*Allowa nce t o r educe M max in ca se larg e slip occurr ed recently

62

A. Omoto, Titech

SLIDE 32

2016/3/30 32

A. Breakwater wall
B. Water-tight doors
C. Independent power supply, cooling capability and mobile

equipment, backup control room (terrorist attack, CV venting, cooling…)

D. Water cannon
E. Filtered venting system
F. Others (instrumentation…)

B A C C D E Seismic upgrading

For enhanced safety (mostly for level 4 Defense-in-depth)

illustration by media interpreting NRA new requirements-

63

A. Omoto, Titech

Ø Law amended to clarify delineation of responsibility Ø Emergency Response Network Ø Emergency Plan Zoning has been changed [Japan]

Changes in level 5 Defense-in-depth

64

Ø Basis of precautionary action [was] measured/predicted dose à [new] plant condition Ø Offsite center: Enhanced communication, seismic resistance, distanced from NPS

[was] EPZ : 8-10km [new] PAZ (Precautionary Action Zone) : 5km UPZ (Urgent Protective Action Planning Zone):~30km PPA (Plume Protection Planning Zone): ~50km (IAEA GS-G-2.1 suggests PAZ 3-5km, UPZ 5-30km)

A. Omoto, Titech

SLIDE 33

2016/3/30 33 65

[SOURCE] Law of Nuclear Emergency Countermeasure and others

Nuclear Accident

Cabinet decision to establish Nuclear Emergency Response HQ.

Nuclear Emergency Response HQ Head: PM, Location: PM office Functions: Info. collection, Coordination of emergency operation by each ministry, Provide directions/advices* to the licensee/local gov., Can order support by SDF etc.

NRA (Info. & technical advice

n nuclear &

radiological safety) MoE (Info. & technical advice

n public health

and environment) Other ministries

Graded response depending

n level of emergency

* Direction by the head excludes T echnical/professional area covered by NRA

Licensee and local Gov to take Emergency Response (prevention, mitigation, sheltering, Evacuation, food Control etc.) as required by law

Supplementary slides

Changes made in IAEA safety standards -

SLIDE 34

2016/3/30 34

Ø Generic Safety Requirement（GSR） Part-1, Rev.1

ADD ü (Independence) (f) Shall be able to liaise directly with regulatory bodies of

ther States and with international organizations to promote cooperation

and the exchange of regulatory related information and experience. ü (evaluate progress in science and technology )2.15A. The person or

rganization responsible for a facility or an activity, having prime

responsibility for safety, shall actively evaluate progress in science and technology as well as relevant information from the feedback of experience, in order to identify and to make8 those safety improvements that are considered practicable. ü (Training & education) 2.24A. The government shall ensure that adequate training, drills and exercises 2.24B ….. inform the general public and members of the public who are affected, or are potentially affected, about measures for emergency preparedness and response. ….. 67

A. Omoto, Titech

A series of revisions to IAEA SS released (29Feb2016)

Ø NS-R-3, Rev.1 (Site evaluation)

ADD ü (Frequency & severity evaluation)2.5A. Information on frequency and severity derived from the characterization of the hazards resulting from external events shall be used in establishing the design basis hazard level for the nuclear installation. Account shall be taken of uncertainties in the design basis hazard level. ü (Feasibility of EP)2.13A. An assessment shall be made of the feasibility of implementation of emergency plans. All on-site and collocated installations shall be considered in the assessment, with special emphasis

n nuclear installations that could concurrently experience accidents.

ü (periodic review) 5.1A. Site specific hazards shall be periodically reviewed using updated knowledge, typically every ten years, and shall be re- evaluated when necessary. 68

A. Omoto, Titech

A series of revisions to IAEA SS released (29Feb2016)

SLIDE 35

2016/3/30 35

Ø Specific Safety Requirement（SSR） -2/1, Rev.1

ADD ü 2.13 (DinD level4) …offsite contamination would be avoided or minimized. Event sequences that would lead to an early release or large release are required to be ‘practically eliminated’. ü 4.13A. (DinD) The levels of DinD shall be independent as far as practicable to avoid the failure of one level reducing the effectiveness of other levels. In particular, safety features for design extension conditions (especially features for mitigating the consequences of accidents involving the melting of fuel) shall as far as is practicable be independent of safety

systems. Defense-in-depth

ü 5.1 (plant condition) DEC including core melt ü 5.15A/B (hazards) consideration against common cause failure, simultaneous failure in multiple units 69

A. Omoto, Titech

A series of revisions to IAEA SS released (29Feb2016)

Ø Specific Safety Requirement（SSR） -2/1, Rev.1

ADD ü 5.17 (external hazards) ….availability of off-site services such as electricity supply and firefighting services. The design shall take due account of site specific conditions to determine the maximum delay time by which off- site services need to be available. ü 5.18 (DEC) broader scope 70

A. Omoto, Titech

A series of revisions to IAEA SS released (29Feb2016)

SLIDE 36

2016/3/30 36

Ø Specific Safety Requirement（SSR） -2/1, Rev.1

ü 5.21A (External hazards) The design of the plant shall also provide for an adequate margin to protect items ultimately necessary to prevent an early radioactive release or a large radioactive release in the event of levels of natural hazards exceeding those considered for design, derived from the hazard evaluation for the site. ü (Requirement 33) Each unit of a multiple unit nuclear power plant shall have its own safety and shall have its own safety features for design extension conditions. ü 5.73 (safety analysis) safety analysis shall provide assurance that uncertainties have been given adequate consideration ….in particular that adequate margins are available to avoid cliff edge effects and early radioactive releases or large radioactive releases 71

A. Omoto, Titech

A series of revisions to IAEA SS released (29Feb2016)

Ø Specific Safety Requirement（SSR） -2/1, Rev.1

Requirement 53(UHS) ü 6.19A …This may require the use of a different ultimate heat sink or different access to the ultimate heat sink. ü 6.19B. The heat transfer function shall be fulfilled for levels of natural hazards more severe than those considered for design, derived from the hazard evaluation for the site Requirement 58 (containment ) ü 6.28A. Design provision shall be made to prevent the loss of the structural integrity of the containment in all plant states. The use of this provision shall not lead to an early radioactive release or a large radioactive release. ü 6.28B. The design shall also include features to enable the safe use of non- permanent 72

A. Omoto, Titech

A series of revisions to IAEA SS released (29Feb2016)

SLIDE 37

2016/3/30 37

Ø SSR-2/2, Rev.1 (Safety of NPP , Commissioning and Operation)

ADD ü 4.47 (modifications) On the basis of the results of the systematic safety assessment, the operating organization shall implement any necessary corrective actions and reasonably practicable modifications for compliance with applicable standards ü 5.7 (Safety parameter)The operating organization shall ensure that relevant information on safety parameters is available in the emergency response facilities 5.8 (accident management) ü 5.8A. (multi-unit ) For a multi-unit nuclear power plant site, concurrent accidents affecting all units shall be considered in the accident management programme. ü 5.8C. (contingency measures)The accident management programme shall include contingency measures, such as an alternative supply of cooling water and an alternative supply of electrical power 73

A. Omoto, Titech

A series of revisions to IAEA SS released (29Feb2016)

Ø SSR-2/2, Rev.1 (Safety of NPP , Commissioning and Operation)

5.8 (AM) ü 5.8F (adverse working conditions) In developing the accident management programme and its procedures, the possibility of regional infrastructure being degraded and of adverse working conditions (e.g. elevated radiation levels, elevated temperatures, lack of lighting, limited access to the plant from off the site) 74

A. Omoto, Titech

A series of revisions to IAEA SS released (29Feb2016)

SLIDE 38

2016/3/30 38

Ø GSR Part-4 (Safety assessment for Facilities/Activities)

ü 4.36A. (multiple facilities) For sites with multiple facilities or multiple activities, account shall be taken in the safety assessment of the effects of external events on all facilities and activities, including the possibility of… ü 4.36B. For facilities on a site that would share resources in accident conditions, the safety assessment shall demonstrate that … ü 4.48A. (Defense-in-Depth: cliff edge) Where practicable, the safety assessment shall confirm that there are adequate margins to avoid cliff edge effects that would have unacceptable consequences. 75

A. Omoto, Titech