the european stress test for nuclear power plants

Defence-in-Depth-Concept not under Review

Most of the safety features of the plant that are needed to prevent an accident to occur are not under review. These safety features are those that belong to the so-called design basis of the plant that follows a defence in depth concept. 

Defence-in-depth means that safety should be guaranteed by independent levels of provisions which shall preclude any accident that may damage human health.12 The first level of defence shall provide a steady and safe operation within the defined operational data specifications. This is achieved by requirements for reliable function of the instruments, of the components like valves and tubes and electric and electronic devices. It affords a good quality of materials and a lot of defined periodical inspections. The second level of defence serves for those cases when the operational specification data is exceeded. In those cases systems are needed to lead the reactor back into the allowed range of operational limits, such as the limits for pressure, temperature, reactivity. If this second independent level of defence fails because there is, for example, a leak or a valve out of function and the reactor could get out of control, there is the most important third level of defence. This third level of defence consists of independent safety systems that must be able to shut down the reactor to cool the fuel rods and to prevent the reactor from releasing radioactivity out of the limits that are allowed for those cases. How safely a reactor works is mainly dependent on the quality of the installed defence in depth system in total. 

This is also the view of ENSREG: 

“It is recognized that all measures taken to protect reactor core or spent fuel integrity or to protect the reactor containment integrity constitute an essential part of the defence-in- depth, as it is always better to prevent accidents from happening than to deal with the consequences of an occurred accident.” 13

The safety systems of the defence in depth design are only partly reviewed by the “Stress test“. Defence-in-depth is reassessed in a limited approach on “assumptions of their performance”14 for it is assumed that adequate performance of those systems has been assessed in connection with plant licensing. 

ENSREG takes for granted that the structures, systems and components to prevent accidents are in place and without deficiencies:

“By their nature, the „Stress test“ will tend to focus on measures that could be taken after a postulated loss of the safety systems that are installed to provide protection against accidents considered in the design. Adequate performance of those systems has been assessed in connection with plant licensing.”15

By this assumption the “Stress test” excludes the by far most important basis of the safety of nuclear power plants from the safety assessment. The comprehensive basic set of requirements and scenarios the plants has to face and master in order to prevent accidents from happening, and which are central part of any codification of nuclear safety requirements, are not included in the “test”:16

  • The quality of the material of pipes, of safety relevant components as the reactor vessel, of control and instrumentation equipment is not investigated. The quality varies widely and it makes the difference in the safety of a plant
  • Degradation effects caused in particular by the aging of plants / material fatigue are not considered
  • The safety management of the plants, which is crucial for safety, is out of the scope. Even not foreseen is a report on whether a safety management corresponding to the state of the art is established and functioning
  • Furthermore ENSREG relies on the safety case of the license.17 This safety case of the plants is in most cases more than two or three, sometimes four, decades old. In the meanwhile a lot of parameters of the plants have been changed, former assumptions have been revised, former calculations methods may be out of date, knowledge about materials, about nuclear systems has developed, and a lot of experience with formerly unforeseen scenarios has been made during operation.18

The safety designs of plants are aged and show deficiencies. Especially the independence of the levels of the defence-in-depth-concept as one of the crucial questions of safety is not realised in all plants. Nevertheless all those plants are in a licensed state.19 Therefore it is imperative that a risk assessment of a nuclear power plant must include the assessment of the complete design base, an assessment which relies on the state of the art and considers the operational experience of the plant under review and of all other comparable plants. Without such an assessment the question of whether a plant is safe or not will remain in the dark.

The importance of defence-in-depth is also addressed in the June 2011 “Report of the Japanese Government to the IAEA Ministerial Conference on Nuclear Safety - The Accident at TEPCO's Fukushima Nuclear Power Stations”. As one the main lessons learned it states: “Establish safety culture, by going back to the basics that pursuing defence-in-depth is essential for ensuring nuclear safety, constantly learning professional knowledge on safety, and maintaining an attitude for trying to identify weaknesses as well as rooms for improvement for safety.”20

12 WENRA (Western European Regulators Association), WENRA Reactor Safety Reference Levels Appendix C, January 2008
13 See fn. 4, page 2 (Downloadable document)
14 See id.
15 See id
16 For example see: Module 4 "Safety Criteria for Nuclear Power Plants: Criteria for the Design of the Reactor Coolant Pressure Boundary, the Pressure Retaining Walls of the External Systems and the Containment System", Principles of basic safety in connection with design and manufacturing, particularly paragraphs about Material selection No. 2.3.2 (Reactor coolant pressure boundary), No. 3.3.2, (Pressure-retaining walls of components of external systems) No. 5.3 (Small-diameter pipes) and No. 7.4 (Containment system), BMU 2009
17 See fn. 4
18 Regular periodic safety assessments do not improve the situation, at least not in every member state. The former safety case that was made for the license is explicitly not under review e.g. within the frame of mandatory periodic safety assessment in Germany but is still the basis of operation. In September 2010 the German nuclear authorities agreed to renew the safety case in a long-term process without a definite time schedule.
19 see in detail: W. Renneberg, Risks of old nuclear power plants, study on behalf of the Parliamentary Group of the Greens in the German Parliament, July 2010 (Text in German);
20 Japanese Government, Report of Japanese Government to the IAEA Ministerial Conference on Nuclear Safety - The Accident at TEPCO's Fukushima Nuclear Power Stations, June 2011