Protection of Power Plants from Severe Accidents And External Events

December 16, 2012
Fukushima Ministerial Conference
Protection of Power Plants from Severe Accidents
And External Events

Richard A. Meserve
Chairman, International Nuclear Safety Group
President, Carnegie Institution for Science

I am very pleased to have the opportunity to join you this morning for this important conference. Just as the Three Mile Island and Chernobyl accidents brought about an overall reconsideration and strengthening of the safety system, it is already apparent that the Fukushima Daiichi accident is having a similar effect.

My aim this morning is to provide an overview of developments prompted by the Fukushima accident to ensure the protection of nuclear power plants from severe accidents and extreme natural hazards. Although much progress has been made, continuing investigations will allow a deeper analysis of the accident and will prompt further actions. Nonetheless, there is much that has already been learned and aggressive efforts to apply those lessons are underway. Dr. Tanaka has discussed some of the activities underway in Japan and I will try today to summarize some of the lessons that are being applied across the globe.

At the outset, however, I want to acknowledge that the effort by the nuclear community to extract lessons from the Fukushima accident reflects an impressive commitment to “go the extra mile” to enhance safety. It would have been possible to view the Fukushima accident as the product of serious flaws in the Japanese safety system with limited implications for others. It might also have been possible to limit the response to the need to assess the adequacy of the design basis for external events, such as the tsunami that initiated the challenge to the Fukushima Daiichi power plants, and to verify that the safety systems were adequate to cope with such events. It might have been possible, in taking the next step, to limit the focus to assurance of adequate power to operate safety systems and not to expand the scope to all the other systems that were compromised as a result of the loss of power at the Fukushima Daiichi plant. Similarly, it might have been possible to limit the scrutiny of the many “softer” elements of safety – the importance of safety culture, of accident management and response, of communications, and of regulatory structure.  

It is a credit to the nuclear community that the Fukushima Daiichi accident has instead caused a wide-ranging examination of safety matters that could have been deemed to be “out of scope.” The actions of the IAEA to pursue the Action Plan and, in fact, this very conference attest to the seriousness of purpose that has surrounded the review of the Fukushima accident. The willingness of those involved in the nuclear enterprise to address the widest range of implications of the accident both forthrightly and aggressively is no doubt a major factor in the maintenance of trust in nuclear safety by political decision makers and the general public in those countries that have retained their commitment to nuclear power in the aftermath of the accident. That effort should continue.

In this connection, it is also worth noting that the nuclear community (regulators, industry, and the various international and support organizations) responded immediately by undertaking a variety of largely independent efforts to examine the accident and to take actions in response. It is reassuring to observe that, despite somewhat different terminology and emphases, the efforts have largely converged on the same conclusions. The similarities in actions provide confidence that significant issues have not been overlooked. Moreover, the overall effort has been comprehensive, thoughtful, and impressive.

Let me turn to the substance of the response to Fukushima as it relates to severe accidents and the response to extreme external events. I think there have been three important fundamental changes.

First, the accident has reinforced the importance of careful attention to external events, such as floods, earthquakes, and tsunamis. The previous major accidents – TMI and Chernobyl -- involved internal events initiated or exacerbated by operator error. Much was learned and now, probabilistic safety assessments show that the vulnerability of plants to severe accidents initiated by internal events is very small. This is true as a general rule for older plants in many countries as a result of safety upgrades and is more the case with the new plant designs. As Fukushima has demonstrated, the occurrence of extraordinary external events is not subject to accurate prediction or control. The recent experience with the tropical storm Sandy in the US – which caused billions of dollars in damages and extensive and continuing disruption -- serves to reinforce this basic lesson. The Fukushima accident has shown the importance of designing, constructing, and operating plants so as to make them capable of surviving external events without the release of radioactivity to the environment. It is noteworthy that, in so far as I am aware, every regulator and operator included an evaluation of vulnerability to extreme events as an early response to the Fukushima accident.

In this connection, I think it is important for all to realize that, as a result of climate change, the probability of flooding and other extreme weather events will grow over time, challenging engineered structures of all kinds. This means that efforts to prepare for extreme events have to be a continuing obligation – and not just for power plants.

Second, the Fukushima accident has served as the stimulus for the reexamination of the intellectual foundations of the nuclear safety system. In the early days, and in the absence of experience with nuclear power, regulatory systems were established with a focus on certain “design-basis accidents.” These were postulated events that an NPP was to accommodate on the basis of engineering features, such as the capability through supplemental systems to continue to cool the core in the event of a large pipe break in the reactor coolant system. This approach was accompanied by a variety of safety-enhancing features, including a philosophy of defense in depth, reflected in layers of independent prevention and mitigation capability; redundant and diverse means to respond to events; the avoidance of vulnerability to a single equipment failure; stringent quality-assurance standards; and conservative engineering design and strict compliance with conservative engineering codes. As time went on, these elements were accompanied by increased attention to configuration management, training, maintenance, and operational requirements. This approach provided a solid foundation for safety. But as knowledge has grown, particularly through the use of probabilistic safety assessment, and experience has been gained, there has been increasing attention to challenges that extend beyond the design-basis approach. This resulted over the years in the US to supplemental requirements dealing with such things as “station blackout” and anticipated transients without scram. These supplemental requirements were not typically fully integrated into the regulations in the same fashion as design-basis events.

Fukushima has resulted in efforts to establish an additional layer of protection to prevent or mitigate a beyond-design-basis accident regardless of the initiating event. This is to be accomplished initially by additional installed and/or mobile equipment that provides increased assurance of a capacity to meet essential safety functions, such as a need for electrical power or cooling water. And over the longer term, efforts are underway to integrate a broader set of challenges to safety into the regulatory system in a consistent and formal way so as to expand the scope of protection beyond that provided by the traditional approach. This effort to expand the regulatory system is in many respects the most interesting and the most profound outgrowth of the Fukushima accident. It should allow the achievement of increased levels of risk protection.

Third, the accident has prompted a reexamination of the focus of the safety system. As you all know, the Great East Japan Earthquake exacted a devastating toll on human life – 20,000 people were lost as a consequence of the earthquake and tsunami. It is noteworthy that the world’s focus on this event has largely been directed at Fukushima Daiichi reactors, despite the fact that the available information would suggest that significant detectable long-term radiation-related health effects have not arisen and are not expected. No workers have died or suffered permanent injury or acute illness as a result of radiation exposures, although the doses to some workers exceeded regulatory limits. Similarly, the radiation impacts on the health of the Japanese public, if any, were restricted as result of countermeasures that served to limit radiation exposures. It is the case, however, that other impacts on the Japanese public have been very severe as a result of the evacuations, the extensive land contamination, and the disruption of the economy. Although the focus of regulatory systems has been on radiation-related impacts on public health and safety, the Fukushima accident shows that even events that do not have extensive radiation-related health consequences can impose grievous damage and can cause great public concern. This reinforces the importance of preventing events even in the absence of significant direct radiation-related health impacts and argues for expanding the scope of regulatory assessments to include more emphasis on broader environmental and societal impacts.

In addition to these three sweeping changes in perspective, the accident has caused a variety of other more modifications of our approach to reactor safety. Some of those elements include the following:
• Require the response to the threat from external hazards to include combinations of hazards and to encompass consideration of complications that can arise on multiple-unit sites and from disruption of infrastructure;

• Upgrade the capacity to provide power from both off-site and on-site sources, coupled with the capability to cope with station blackout for an extended period;

• Ensure the capability to provide cooling water to the reactor and spent fuel pool in circumstances in which normal cooling is lost. The objective is to ensure an ultimate heat sink under accident conditions;
• Expand and harden the I&C systems necessary for monitoring of critical safety parameters of the reactor and spent fuel pool during accident conditions;
• Assure the adequacy of means to prevent or mitigate hydrogen deflagration and detonation;

• Provide on-site and off-site resources, including mobile equipment and facilities, at the regional, national or even international level;

• Establish a clear chain of command so that accident-management decisions can be taken promptly at the appropriate operational level;

• Provide support for new entrant countries so that they can accommodate enhanced safety requirements;

• Consider both safety and security and assure that actions reflect consideration of both;

• Recognize the value of IAEA peer reviews of design, operations, and the regulatory framework;

• Establish an effective nuclear safety regulatory framework, including an independent, competent, and adequately funded regulator.


Each of these elements reinforce each other as part of the comprehensive response to Fukushima that I mentioned earlier.


As you can see from this summary, I believe that the response to the Fukushima accident is already having a profound effect on nuclear safety. The IAEA has accepted its central role in assuring that the many lessons from the accident are learned and applied broadly. Let me close, however, with two points of caution.


First, as noted by this talk, there are many, many actions to respond to the Fukushima accident. Not everything can or should be accomplished at once. Indeed, the implementation of Fukushima-related improvements should not be allowed to distract operators and regulators from the hard day-to-day work of assuring that important existing safety requirements are met. This means that the implementation of Fukushima-related improvements has to be prioritized, guided by considerations of risk reduction and cost-benefit. Further work should proceed with this reality in mind.


Second, despite all the actions we undertake to improve safety, it must always be recognized that there is no way to eliminate all risk entirely. As history has shown, despite all the design improvements that we conceive, systems still fail; despite all the training and lessons-learned exercises that are conducted, human beings will still make mistakes, particularly when confronted with once-in-a-lifetime events. Improbable event sequences will occur. Although the various safety measures identified in response to the Fukushima accident will serve to improve safety, the key will always be constant vigilance. No matter how safe we make reactors, there is no room for complacency or anything less than a total commitment to safety. The establishment of an enduring safety culture remains the key.


Thank you.





Protection of Power Plants from Severe Accidents And External Events