Fusion Engineering and Design 56–57 (2001) 83–93
Improving the safety of future nuclear fission power plants
W. Frisch a,*, G. Gros b,1
a Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Forschungsgelände, 85748 Garching, Germany
b Institut de Protection et de Sûreté Nucléaire IPSN, BP 6, 92265 Fontenay-aux-Roses, Cedex, France
The main objectives and principles in nuclear fission reactor safety are presented, e.g. the defence in depth strategy and technical principles such as redundancy, diversity and physical separation. After a brief historical review of the continuous development of safety improvement, the most recent international discussion is presented. This includes mainly the international activities within IAEA and its International Nuclear Safety Advisory Group (INSAG). The safety improvement, presented in recommendations of IAEA and INSAG, is expressed as an improvement of all elements and all levels of the defence in depth concept. Special emphasis is put on improvement of the highest level, which requires the implementation of means to mitigate consequences of accidents with severe core damage. The different future concepts are briefly characterised. Some examples from the French–German safety approach are taken to demonstrate how requirements for safety improvement by means of an enhancement of the defence in depth principle are developed. © 2001 Elsevier Science B.V. All rights reserved.
Keywords: Safety improvement; Nuclear fission reactors; French–German
The safety of nuclear fission reactors has always been a very important issue, and improving safety was and is a continuous process. However, it can be observed that within the last decade special emphasis was put on both the development of reactor designs with improved safety and the development of new and more stringent safety objectives and requirements.

There are several reasons for this enhancement of safety despite the good operational and safety records of nuclear power plants within this last decade:

- In some countries no new nuclear power plants have been ordered for capacity and economic reasons. In the USA the latest of the plants in operation was ordered in 1973. This long intermission was used for an evaluation of the existing concepts and a development of future ones, with the involvement of industry, research institutes and safety authorities.
- Some countries are faced with acceptance problems of nuclear technologies. It is believed by some that the acceptance can be improved when safety requirements become more stringent and design concepts with improved safety are offered.
- Other countries (especially in Asia) are expanding their nuclear power program. With an increasing number of power plants the safety level has to be increased in order to avoid a considerable increase of risk solely by the growing number of power plants.
- A further improvement of nuclear safety is feasible. Operating experience, safety studies and results of safety research programs have indicated the way to do it, both for existing plants (backfitting) and for new concepts. This gain in knowledge and experience has to be turned into proper safety requirements.
- The international discussion of safety aspects (considerably intensified after the Chernobyl accident) has led to a synchronisation of safety development. Can a country neglect the international discussion on safety improvements and afford to install considerably lower standards than internationally accepted or recommended?

* Corresponding author. Tel.: +49-89-32004-432; fax: +49-89-32599-432.
E-mail addresses: email@example.com (W. Frisch), firstname.lastname@example.org (G. Gros).
1 Tel.: +33-1-4654-8386.
0920-3796/01/$ - see front matter © 2001 Elsevier Science B.V. All rights reserved.
PII: S0920-3796(01)00238-1
2. Basic safety functions
Because of the large amount of radioactive material present in a nuclear fission reactor, safety was always an important issue, focused on the protection of plant personnel and the public against hazards of radioactive substances released from a nuclear power plant during normal operation and during accidents. Safety of nuclear fission reactors, especially water cooled reactors, is characterised by the three basic safety functions:

- control of the nuclear fission process (nuclear power)
- cooling of the fuel (includes removal of the fission product decay heat)
- confinement of radioactive material.
Closely related to these basic safety functions are successive barriers to confine radioactive material (fuel cladding, coolant system pressure boundary, containment building).
For nuclear fission plants all basic safety functions are of equal importance. The first basic safety function has to be fulfilled in two different ways. Firstly, control means avoidance of an uncontrolled power excursion. This is avoided by an inherently stable core configuration with negative feedback upon increasing power. These negative feedback functions are typical for all LWR of western design. In some countries this negative feedback is required in regulation. In Germany, stable core behaviour with negative feedback coefficients was already required in high level regulation, the BMI criteria of 1977. Secondly, control also means to reduce the fission power to lower levels and even to zero (subcriticality) if it is needed, e.g. after a loss of the normal heat sink (turbine and turbine bypass). In principle this process is a self regulating one for PWRs due to the negative moderator feedback effect (reduced heat removal causes coolant temperatures to rise, which reduces nuclear power). However, for closer power control the process is supported by absorber rods (control rods) and a liquid absorber (boric acid) provided by the volume control system. If a fast power reduction is needed, the fast shutdown system (scram system) acts automatically, triggered by numerous initiation criteria, depending on the type of event. Modern PWRs are designed to survive anticipated transients without damage despite the complete failure of all absorber rods. Long term subcriticality is then achieved by liquid absorbers, in some plants provided by an extra automatic system.
The heat generation of fission products even after a reactor shutdown is an inherent feature of fission reactors which cannot be influenced much by core design. Therefore considerable technical effort is necessary to guarantee reliable fission product decay heat removal from the core and also from the spent fuel pool. Due to the high power density (6% of fission power right after a plant shutdown and still about 1% after a few hours) heat removal from the core is only possible by convection and not by radiation. Several redundant and diverse active systems are provided for decay heat removal. For a PWR these are emergency feedwater systems on the secondary side of the steam generators and decay heat removal systems connected directly to the primary coolant system. They are all designed to safely remove the decay heat from the core without endangering the first two barriers against radioactive material (fuel cladding and primary coolant boundary).
The third basic safety function, the confinement of radioactive material, is expressed by a set of staggered requirements for normal operation and for accidents (for future plants in some countries also for beyond design basis accidents). Special emphasis is put on the minimisation of radioactive releases to values far below the prescribed intervention levels for the public by using the ALARA (as low as reasonably achievable) principle. For accidents higher releases are allowed than for normal operation; however, the radioactive material present in the containment building can be considerably higher because of the assumption on the first barriers. For example, during loss of coolant accidents the second barrier is not intact by definition and the first barrier (fuel rod cladding) is assumed to have a certain amount of leakages (e.g. 10% of the rods are no longer leak tight).
For beyond design basis accidents some future designs, e.g. the EPR or the AP600, provide additional cooling systems to mitigate consequences of core melt accidents (beyond design basis accidents, e.g. assuming multiple failures of safety systems). These systems are designed to provide cooling of the molten core either within the reactor vessel by outer surface cooling or within the containment building by cooling core material on the containment floor. The aim of these systems is to limit radioactive releases by keeping the last barrier, the containment building, intact.
If the release limits for beyond design basis accidents (core melt accidents) are very stringent, as, e.g. in the French–German safety approach for future reactors, a double wall containment with subatmospheric pressure in the annulus may be necessary.
The second and third basic safety functions are also relevant for spent fuel transport and storage and for waste treatment and disposal.
These three basic safety functions can also be applied to fusion power plants. However, the first two are of lower significance because of the limited potential of a fusion power increase and the lower power density of activated material. The most important basic safety function is the third one, asking for a very reliable confinement system which has to stay intact during accidents, including those originating from magnetic systems, and after internal (e.g. fire) and external hazards.
3. Continuous safety improvement
Being aware of the potential of releasing large amounts of radioactive material during unforeseen events in nuclear fission reactors, many safety principles have been applied from the beginning of nuclear power plant design and operation, such as redundancy, diversity, multibarrier confinement of radioactive material and quality assurance during design, construction and operation.
The principle of redundancy and diversity was already fully developed in the minds of Enrico Fermi and his fellow researchers when demonstrating for the first time a self sustaining nuclear fission chain reaction in Chicago in December 1942.
To prevent the chain reaction from getting out of control, four different devices were foreseen in the pile:
1. The manual control rod to start and control the chain reaction
2. A set of automatic control rods
3. A heavily weighted emergency control rod held by a rope, which was supposed to be quickly cut with an axe (SCRAM = safety control rod axe man)
4. A liquid control squad, to flood the pile with a cadmium salt solution as absorber in case of a common cause failure of all rods.
Without the intention to present a complete history of nuclear fission reactor safety, some examples will be given to demonstrate that safety improvement has always been practised. It is a continuous process especially due to the two principles to always take into account the most recent state-of-the-art in science and technology and to utilise continuously the feedback from operating experience. The feedback from plant operation was always very intense after an accident had occurred. Therefore it is not surprising that the Three-Mile-Island (TMI) accident in 1979 had a considerable impact on technical safety improvements and more demanding regulation. Some of the consequences were:

- more emphasis on human errors
- more emphasis on complex transients
- design improvements in the feedwater systems
- design improvement with respect to reduction of the frequency of events with stuck open relief valves.

One consequence in Germany was the extension of the Guidelines of the Reactor Safety Commission (RSK) in 1981, which now require that for frequent events the primary coolant system pressure has to stay below the response pressure of any pressurizer valve and that each pressurizer relief valve (which has a lower response pressure than the safety valves) has to have a block valve which closes automatically when the relief valve fails after opening.
In France the TMI accident initiated the extension of safety analyses and operating procedures (introduction of Complementary Operating Conditions and additional ultimate emergency procedures). Complementary Operating Conditions are selected on the basis of a probabilistic approach. In general these are frequent events plus the complete failure of a safety function such as fast shutdown or emergency feedwater supply. During that time in France the permanent presence of a nuclear safety and radiation protection engineer on each reactor site was introduced.
While the feedback from the TMI accident was only in the area of technical safety improvement, the Chernobyl accident also had an impact in the political field and in the general area of safety philosophy, which can be characterised as safety culture. This different type of feedback originated from the fact that the technology of the RBMK is so different from that of Western light water reactors that there was no basis for direct adjustments. However, there was also a technical impact in the area of reactivity initiated accidents and measures to limit consequences of core degradation accidents. This also influenced the safety strategy in new design concepts.
4. The defence in depth principle
The basic elements of defence in depth were fully developed in the early 80s and they were laid down by the International Nuclear Safety Advisory Group (INSAG) of IAEA in the report INSAG-3 in 1988. IAEA and INSAG have spent considerable effort in a further refinement and interpretation of the principle with respect to safety improvements of operating plants (e.g. accident management) and the application of the principle to future nuclear power plants (INSAG-10 in 1996 and IAEA-TECDOC 986 in 1997).
Only the most important objectives, principles and elements of defence in depth are presented here. The main objective is defined in INSAG-3:

"To compensate for potential human and mechanical failures, a defence in depth concept is implemented, centred on several levels of protection including successive barriers preventing the release of radioactive material to the environment. The concept includes protection of the barriers by averting damage to the plant and to the barriers themselves. It includes further measures to protect the public and the environment from harm in case these barriers are not fully effective."

The proper application of this principle ensures that no single human or equipment failure would lead to harm to the public and even combinations of failures that are only remotely possible would lead to little or no injury.
Defence in depth helps to ensure that the three basic safety functions (controlling the power and reactivity, cooling the fuel and confining the radioactive material) are preserved. Table 1 gives the five levels of defence, based on INSAG 10. Level 4 has been divided into 4a (prevention of core damage) and 4b (mitigation of consequences) in this presentation because the measures provided for 4a and 4b are completely different in future reactors. Level 5 is not related to plant design. It characterises additional offsite measures, if radiological limits related to the protection of the public are exceeded.
An important principle is the independence of the means provided at one level of protection from those at other levels in order to ensure that the failure of one system cannot jeopardise more than one level of protection. Special attention has to be given to events (hazards) which by themselves could potentially impair several levels of protection (e.g. fire or flooding inside the plant).
Concerning the barrier concept, the principle is the provision of successive barriers for the confinement of radioactive material. The three most important ones are the fuel cladding, the boundary of the reactor coolant system and the containment building. The reliability of the barriers depends on both design features of the barriers themselves (e.g. quality) and on systems designed to protect a barrier. Situations in which one or more barriers are not fully effective (e.g. during shutdown) need special attention. The same is true for events which have the potential of bypassing one or more barriers (e.g. steam generator tube rupture).
5. Enhancement of defence in depth for future reactors
For future reactors an enhancement of the well proven defence in depth principle is considered to be the proper strategy to further improve safety. This demand is expressed in several places, e.g. by IAEA in TECDOC 986, by INSAG in the report INSAG 10 and in several new national requirement documents for future reactors.
There are many specific recommendations concerning the implementation. It is important that all elements of the defence in depth principle are considered and that improvements are aimed at on each of the four levels. The main principle is that preventive measures have the highest priority, but mitigation measures also have to be foreseen, e.g. in INSAG 10 a further reduction of the probability of severe core damage is required as well as the strengthening of the confinement function to mitigate the consequences of severe core damage accidents. One rationale for the higher requirements on the containment function to cope with severe core degradation consequences is that improvements in the preventive area are difficult to prove for very low probabilities of occurrence (e.g. 10^-6 per plant and year) due to uncertainties in the methods and data. This strategy is a special reinforcement of level 4.
Important elements to be considered in safety improvement are:

- provision of the highest possible degree of independence of levels
- avoidance of accidents jeopardising more than one level of protection
- avoidance of accidents with bypasses of barriers
- provision of sufficient conservatism in the design with a higher degree of conservatism for events with higher frequency of occurrence
- hypothetical severe accident sequences, which could lead to large radioactive releases due to early containment failure, have to be eliminated with a high degree of confidence.
- design improvements on a higher level of protection should not be used to justify cutbacks on lower levels.

Table 1
Defence in depth

Level of defence in depth | Objective | Essential means
Level 1 | Prevention of abnormal operation and failures | Conservative design and high quality in construction and operation
Level 2 | Control of abnormal operation and detection of failures | Control, limitation and protection systems and other surveillance features
Level 3 | Control of accidents within the design basis | Engineered safety features and accident procedures
Level 4a | Control of severe plant conditions, including prevention of accident progression | Complementary measures and accident management
Level 4b | Mitigation of the consequences of severe accidents | Complementary measures and accident management
Level 5 | Mitigation of radiological consequences of significant releases of radioactive materials | Off-site emergency response
6. The defence in depth concept in the French–German safety approach for future PWRs
The safety approach for future PWRs jointly developed in France and Germany in 1993 is supposed to give guidance to the designer during the development of the European pressurised water reactor (EPR). This safety approach of 1993 has been refined continuously and extended over several years.
The three main safety objectives of the approach of 1993 are:
1. A further reduction of the core melt frequency.
2. The practical elimination of accident situations which could lead to large early releases of radioactive material. If those situations cannot be considered as physically impossible, provisions have to be taken to design them out.
3. For low pressure core melt situations the design has to be such that the associated maximum conceivable releases would necessitate only very limited protective measures in area and time (no permanent relocation, no need for emergency evacuation outside the immediate vicinity of the plant, limited sheltering, no long-term restrictions in the consumption of food).
In the third safety objective the limitation of radiological consequences is required for core melt situations with low primary system pressure (depressurised system). Potential core melt situations with high primary system pressure could endanger the containment function. Therefore they have to be practically eliminated (see objective 2).
Concerning safety principles to be applied, the defence in depth principle is considered the most important one. This is expressed in chapter 2 of the safety approach of 1993 as follows:

"The defence in depth principle remains the fundamental principle of safety for the nuclear power plants of the next generation, with the implementation of several levels of protection including successive barriers against the release of radioactive substances to the environment. This principle has to be used to demonstrate that the three basic safety functions (reactivity control, cooling the fuel and confining radioactive substances) are correctly ensured. The aim is to ensure protection of the public and of the workers. This includes accident prevention as well as accident mitigation.

For the next generation of nuclear power plants, a general objective is to reinforce the defence in depth of the plants. To achieve this, the design should be made on deterministic bases, supplemented by the use of probabilistic methods. The objective should be reached considering the results of operating experience and of in-depth studies like probabilistic safety assessments conducted for pressurised water reactors (PWR). The progress in knowledge of the physical phenomena which may occur during the development of accidental situations, particularly core melt situations, has to be taken into account.

An important objective is to achieve a significant reduction of radioactive releases due to all conceivable accidents, including core melt accidents. The containment has to be designed in order to follow this objective."
Since 1993, mainly between 1994 and 1998, many safety relevant subjects have been treated and recommendations of the two advisory groups Groupe Permanent chargé des Réacteurs Nucléaires (GPR) and Reaktorsicherheitskommission (RSK) have been developed jointly. In support of this development of recommendations more than 50 IPSN/GRS reports have been produced on numerous subjects. The general approach and later recommendations have been adopted by the German–French Directorate (DFD) of the safety authorities of both countries. In 1999 the German Federal Ministry for Environment, Nature Conservation and Nuclear Safety stopped its support of the development of requirements for future reactors, because the German government has decided to put a regulated end to the generation of electricity from nuclear fission energy.

Table 2
Event categories in the French–German safety approach

Event categories | Systems and measures to cope with the events | Defence in depth levels
Plant condition categories
PCC1 Normal operation | Inherently stable plant behaviour, operational systems | 1
PCC2 Anticipated operational occurrences | Operational systems, limitation systems | 2
PCC3 Incidents | Safety systems (F1) | 3
PCC4 Limiting accidents | Safety systems (F1) | 3
Risk reduction categories
RRC-A Prevention of core melt | Diverse safety systems (F2) to prevent core melt | 4a
RRC-B Prevention of large release after core melt | Systems to mitigate consequences of core melt | 4b
During the development of these recommendations the main elements of defence in depth have always been considered and some examples are given to demonstrate this.
6.1. Balance among levels of protection
In the French–German safety approach safety improvement is required on all levels of protection. During the refinement of the approach attention has been given to making it well-balanced. One important prerequisite to the implementation of defence in depth is the establishment of a proper classification concept for events, safety functions and systems and the specification of rules and assumptions for analyses of these events. This has been done by means of a classification concept for events and for systems to cope with these events. The concept of event classification is presented in Table 2 and linked with the different levels of protection of the defence in depth. The events are grouped into two categories. The Plant Condition Categories (PCC) represent the conventional design basis as in previous plant designs. The Risk Reduction Categories (RRC) represent the extension of the defence in depth concept, especially the reinforcement of level 4, requiring measures and systems to prevent severe core damage events and to mitigate their consequences.
A quantitative proof of proper and balanced implementation of defence in depth can only be obtained on the basis of a Probabilistic Safety Assessment (PSA). For this reason, the French–German safety approach asks for a PSA already in the early phase of the design.
6.2. Independence of the levels of protection
Several levels of protection are only useful and effective when the measures and systems provided on each level are independent of each other. From Table 2 it can be seen that different systems are provided for each level of protection. One important requirement is that a system of class F2 (level 4a) is different from the F1 system which has, due to its assumed complete failure, caused the transition of an event from level 3 or 4 to RRC-A. The most important example is the manual actuation of the primary bleed and feed system (F2) which allows decay heat removal via the primary circuit after its depressurisation, if the emergency feedwater system has completely failed. This primary bleed and feed system is different from and has no common parts with the emergency feedwater system (large degree of independence).
Systems to mitigate consequences of core melt accidents (level 4b) are by their nature (due to the different functions to be fulfilled) diverse from those of lower levels. Typical systems of level 4b are a system to reduce hydrogen concentration, a system for cooling the molten core on the containment floor and a containment heat removal system.
The diversity of these systems alone is not sufficient as a design means against common cause failures affecting more than one level of protection. Failures in support systems (e.g. electrical power supply or component cooling) that affect several levels of protection must also be prevented. This can be achieved by independent support systems for each level and/or highly reliable support functions with system diversity.
On the electrical power supply, the French–German approach of 1993 had already asked for diversity. After the designer of the project had made a proposal (four main diesel generators + two smaller diesels, backing up two of the main ones) more refined requirements were set up, especially with respect to the proof of sufficient independence and diversity among the two types of diesel generators.
Another potential degradation of different levels of protection can arise from effects of internal hazards (e.g. fire, flooding). GPR/RSK recommend the minimisation of common cause failures by installing components of different trains of safety systems in segregated areas designed such that an internal hazard affects only one train of a multi-train safety system (and thus does not affect the safety function to be performed by this system).
6.3. Prevention and mitigation
Another important element of defence in depth is the prevention of events and the limitation (or mitigation) of consequences, should they occur. This principle should be applied to each level of defence. Both aspects have been considered up to the fourth level, where measures are foreseen to prevent core melt (e.g. primary side feed and bleed) and measures to cope with low pressure core melt accidents (e.g. containment heat removal) in such a way that radiological consequences are limited to such values that the above mentioned objective 3 is met.
For those event sequences for which radiological limits according to objective 3 cannot be met (or where this cannot be proven with sufficient confidence), more effort is put into prevention. In those cases the requirement on prevention is much stronger, expressed by practical elimination (objective 2). In the safety approach of 1993 the strategy is explained as follows:
"Single initiating events have to be excluded or dealt with (that is to say their consequences are examined in a deterministic way). Single initiating events can only be excluded if sufficient design and operation provisions are taken so that it can be clearly demonstrated that it is possible to practically eliminate this type of accident situations; for example, vessel rupture can be examined in that way."
Two examples of event sequences to be practically eliminated are: core melt situations under high primary system pressure and global hydrogen detonations.
It is stressed here that the practical elimination of such accident sequences is a matter of judgement and each type of accident sequence has to be assessed separately. Due to limited knowledge of some physical phenomena and due to the large variety of these types of accident sequences, their practical elimination cannot be demonstrated by compliance with a general cut-off probabilistic value. This means that case by case evaluations are necessary and the judgement on a successful practical elimination may contain deterministic and probabilistic elements.
The practical elimination of high pressure core melt situations with a primary system pressure above 20 bar at the time of vessel rupture was an important issue from the beginning. GPR/RSK had asked to investigate specific valves to be actuated only in case of core melt sequences (in addition to the pressurizer safety valves, which also have a depressurisation function within the primary feed and bleed).
In response to this demand the designer has provided such a system (dedicated bleed valve with an isolation valve) with a high degree of diversity to the pressurizer safety valves in order to avoid common cause failures among the two depressurisation systems.
In order to achieve the practical elimination of core melt under high primary system pressure, diversity for one safety function (depressurisation) is not sufficient. In addition more diverse systems are necessary on lower levels of protection. This is demonstrated with the event loss of a main feedwater pump. Within the present design several systems are provided to cope with this event. On the operational level a standby pump would start to replace the capacity of the lost pump. If all main feedwater pumps including the standby pump failed, a scram would occur and the decay heat can be removed by the start-up and shutdown system (also an operational system). Upon a failure of this system the emergency feedwater system, a class F1 system, would start (level 3). Should this system fail, the primary bleed and feed via pressurizer safety valves (level 4a) would reduce the primary system pressure in such a way that decay heat removal can be taken over by primary feed systems (emergency core cooling, residual heat removal systems). Should the depressurisation by the pressurizer valves fail, the diverse depressurisation by dedicated valves as described above is initiated (level 4b). The probability of occurrence of such a rare event will be estimated by a PSA during the design phase of the plant.
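As an added illustration (not from the paper) of the loss-of-main-feedwater cascade above and of the independence requirement of Section 6.2, the following Python event-tree sketch walks the lines of defence in the order the text gives them and compares fully independent levels with levels coupled through one shared support system. The initiator frequency, every failure probability, the 10^-6 screening value and the assignment of systems to a shared "electrical power" support are constructed assumptions, not data from the paper or from any PSA.

```python
"""Event-tree sketch of the loss-of-main-feedwater sequence of Section 6.3.

Every probability and frequency in this file is a constructed illustration
value; the paper gives no failure data and no PSA results.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Line:
    """One line of defence that is called upon in turn (levels as in Table 2)."""
    name: str
    level: str
    p_fail: float                  # probability of failure on demand (constructed)
    support: Optional[str] = None  # support system needed; None = self-sufficient


# Systems in the order the paper says they are called upon after the
# initiating event "loss of a main feedwater pump".  Which systems depend on
# the shared "electrical power" support is an assumption made for this sketch.
SEQUENCE: List[Line] = [
    Line("standby main feedwater pump", "1/2", 0.1, "electrical power"),
    Line("start-up and shutdown system", "1/2", 0.1, "electrical power"),
    Line("emergency feedwater system (F1)", "3", 0.01, "electrical power"),
    Line("primary bleed and feed via pressurizer safety valves", "4a", 0.01, "electrical power"),
    Line("dedicated depressurisation valves (diverse)", "4b", 0.01, None),
]

END_STATES = ("no core melt", "low-pressure core melt", "high-pressure core melt")


def end_state_frequencies(lines: List[Line], f_initiator: float,
                          p_support_fail: float = 0.0) -> Dict[str, float]:
    """Return the frequency per year of each end state of the event tree.

    Success of any line up to level 4a keeps the core cooled (no core melt);
    success of the level 4b depressurisation turns the sequence into a
    low-pressure core melt that the level 4b mitigation systems are designed
    for; failure of every line is the high-pressure core melt the approach
    wants practically eliminated.  Lines sharing a support system all fail
    when that support fails (the common-cause coupling of Section 6.2).
    """
    freq = {state: 0.0 for state in END_STATES}

    def walk(i: int, f: float, support_lost: bool) -> None:
        if i == len(lines):
            freq["high-pressure core melt"] += f
            return
        line = lines[i]
        p_fail = 1.0 if (support_lost and line.support is not None) else line.p_fail
        stopped_at = "low-pressure core melt" if line.level == "4b" else "no core melt"
        freq[stopped_at] += f * (1.0 - p_fail)
        walk(i + 1, f * p_fail, support_lost)

    walk(0, f_initiator * (1.0 - p_support_fail), support_lost=False)
    if p_support_fail > 0.0:
        walk(0, f_initiator * p_support_fail, support_lost=True)
    return freq


def below_cutoff(freq: Dict[str, float], cutoff: float = 1e-6) -> bool:
    """Compare the high-pressure core melt frequency with a cut-off value.

    10^-6 per plant and year appears in Section 5 only as an example of a
    probability too low to prove; Section 6.3 stresses that practical
    elimination is a case-by-case judgement, so this is a screening aid only.
    """
    return freq["high-pressure core melt"] < cutoff


if __name__ == "__main__":
    f_init = 0.5  # constructed initiator frequency, per plant and year
    for label, p_sup in (("independent levels", 0.0),
                         ("levels 1-4a sharing one power supply", 1e-3)):
        freq = end_state_frequencies(SEQUENCE, f_init, p_sup)
        print(f"{label} (support failure probability {p_sup}):")
        for state, f in freq.items():
            print(f"  {state:24s} {f:.3e} per year")
        print(f"  below 1e-6 cut-off: {below_cutoff(freq)}")
```

With the constructed numbers the shared support system raises the high-pressure core melt frequency by three orders of magnitude, which is why the approach asks for diverse support systems and not only for diverse front-line systems.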
6.4. Experience feedback from plant operation and safety studies
Considerable resources have been devoted by utilities, constructors and regulatory bodies to collect information on operating experience and to derive improvements from this experience, particularly from incidents and precursors of incidents. Within the French–German safety approach this technical principle is refined in the sense that reference is made to particular issues which had been investigated for existing plants, such as unexpected degradation modes of structures and components (e.g. corrosion, vibration, temperature). Measures are asked for to reduce the number of significant incidents, which involves seeking improvements of the equipment and systems used in normal operation, aiming at a reduction of the frequency of transients and incidents and potential accident situations. It is considered that PSAs are essential tools to gain an in-depth understanding of relative weaknesses in the plants and investigate complex situations involving several equipment failures and/or human errors. In a more detailed refinement GPR/RSK have given numerous recommendations concerning system design and the use of PSA.
6.5. Mitigation of consequences of low pressure core melt sequences
According to safety objective 3, low pressure core melt situations have to be coped with and the corresponding radioactive releases have to be limited. This is an important safety objective within the enhancement of level 4 of the defence in depth and has considerable impact on the design. It includes the investigation of various phenomena and the development of a strategy from which the relevant design criteria can be derived. The most relevant phenomena are hydrogen burning processes, ex-vessel molten core cooling and tightness of the containment. A description of these phenomena and the related requirements and design measures is presented in a conference paper.
7. Other future concepts with improved safety features
The French–German safety approach for future PWRs has been chosen as an example in order to show different means of safety improvement within the enhancement of the defence in depth principle. The parallel industrial development is that of the EPR. There are several other future reactor designs with improved safety, but the approaches are different. A comprehensive survey of these concepts is given in the IAEA-TECDOC 968 "Status of advanced light water cooled reactor designs". The advanced concepts can be grouped according to their safety characteristics and degree of innovation.
Evolutionary Concepts are those with no or only minor conceptual changes, but with improvements based on previous operating experience. The operating experience is not only taken from the predecessor of a particular type, but also from international experience of different reactors. One example is the control rod drive concept of the advanced boiling water reactor, ABWR (USA, Japan), which already had good operating experience in some European BWRs. Typical examples of these evolutionary concepts are APWR (USA), ABWR (USA/Japan), BWR 90 (Sweden), System 80+ (USA) and WWER 1000/V 293 (Russia).
Another group, slightly different from the first one, is the group of Evolutionary Concepts with improved containment function. The nuclear steam supply system is rather conventional as for the evolutionary concepts; however, more effort is put on core melt mitigation features, which means that during core melt scenarios the radioactive releases are limited to specified values. The most typical representative in this group is the EPR (France/Germany). The Korean KNGR also has mitigative features.
The next group can be called Evolutionary Concepts with passive features. Some reactor concepts make use of physical processes which function without supporting energy, e.g. gravity driven cooling systems. The advantage of these concepts is the non-reliance on emergency electrical power systems. In addition there is a large degree of diversity, because in general these concepts also have an active system for the same function. Examples of these concepts are SBWR (USA), AP600 (USA), HSBWR (Japan), MS600 (Japan), WWER 640 (Russia) and SWR 1000 (Germany). The nuclear steam supply systems of these reactor types are still similar to PWRs and BWRs; therefore credit can be taken from operating experience with those reactors.
Completely different concepts are called Innovative Concepts, with completely different arrangements of core and cooling systems. Most of these concepts are aiming at the elimination of core melt by design (e.g. core submerged in a huge water reservoir, automatic reactor shutdown by self-regulating thermal-hydraulic processes) and thus giving relief on the containment design. These concepts are in an early development phase, and further experimental verification up to a prototype demonstration plant is required before they can be used for electricity production. Examples are JPSR (Japan), PIUS (Sweden) and VPBER 600 (Russia).
The large amount of fission products produced in nuclear fission power plants has to be kept within given boundaries (fuel rod, coolant pressure boundary, containment building). Violation of this principle has to be extremely unlikely for the last barrier, the containment building (e.g. 10⁻⁶ per year and plant).
This extremely high reliability cannot be achieved by one technical system or component alone. This has been recognised very early in nuclear reactor safety philosophy. Consequently, the defence in depth principle was developed, ensuring that the failure of one system or even of several redundant systems (= common mode failure) would not lead to unacceptable radioactive releases. This multi-level principle, comprising among others the elements of multiple barriers, independence of barriers, physical segregation, redundancy and diversity, has proven to be very effective (e.g. by results of probabilistic analyses). With increasing demands concerning the low probability of events with unacceptable radioactive releases, the defence in depth principle has been further strengthened and extended, especially with respect to level 4 (control and mitigation of consequences of severe accidents). In consequence, future light water reactor concepts contain additional safety devices (e.g. cooling of a damaged core inside or outside the pressure vessel) and improved containment tightness functions.
Sicherheitskriterien für Kernkraftwerke (Nuclear Power Plant Safety Criteria). Promulgation as of October 21, 1977. Published by the German Federal Minister of the Interior (Bundesminister des Innern) in: Bundesanzeiger Nr. 206, dated November 3, 1977, pp. 1, 3.
G. Azarian et al., The EPR overall approach to severe accident mitigation, Proceedings of KTG/SFEN Conference, Cologne, Germany, 12–21 October 1997, pp. 193–197.
H. Weisshäupl, P. Lauret, Prevention and mitigation of severe accidents for the EPR, Proceedings of the International Meeting on Advanced Reactor Safety (ARS'97), Orlando, FL, 1–15 June 1997.
W. Gengloff, Westinghouse AP600: advanced nuclear plant design, Proceedings of the Symposium on Evolutionary Water Cooled Reactors, Seoul, 30 November–4 December 1998. Published as IAEA-TECDOC-1117, Vienna, December 1999, p. 313 ff.
W. Frisch et al., Common safety approach for future pressurized water reactors in France and Germany, Proceedings of the International Topical Meeting on Advanced Reactors Safety (ARS'94), Pittsburgh, PA, 17–21 April 1994, pp. 893–898.
RSK-Leitlinien für Druckwasserreaktoren (RSK Guidelines for Pressurized Water Reactors), 3rd ed., 14 October 1981. Available through: Bundesamt für Strahlenschutz, RSK-Geschäftsstelle, Postfach 120629, 53048 Bonn.
J. Libman, Elements of Nuclear Safety, Les Éditions de Physique, 1996, pp. 213–214.
Basic Safety Principles of Nuclear Power Plants, a report by the International Nuclear Safety Advisory Group, IAEA Safety Series No. 75-INSAG-3, Vienna, 1988.
Defence in Depth in Nuclear Safety: INSAG-10, a report by the International Nuclear Safety Advisory Group, INSAG Series No. 10, Vienna, 1996.
Implementation of Defence in Depth for Next Generation Light Water Reactors, IAEA-TECDOC-986, Vienna, December 1997.
W. Frisch, G. Gros, The French–German Safety Approach: Important Steps in Harmonising Safety Requirements for Future PWRs, TOP SAFE 98, Valencia, Spain, 15–17 April 1998, session TSB-4b.
D. Quéniart, W. Frisch, Assessment of basic safety issues, SFEN/KTG Conference on the EPR Projekt, Strasbourg, France, 13–14 November 1995, pp. 108–122.
W. Frisch, G. Gros, D. Quéniart, J. Rohde, Key issues of the common French–German safety approach for future PWRs, ASME–JSME International Conference on Nuclear Engineering (ICONE-4), New Orleans, USA, 10–14 March 1996.
IAEA-TECDOC-968, Status of advanced light water cooled reactor designs, Vienna, September 1997.