The European Stress Test for Nuclear Power Plants

Safety Objective O2: Accidents without core melt


“WENRA expects new nuclear power plants to be designed, sited, constructed, commissioned and operated with the objectives of: 

  • ensuring that accidents without core melt induce no off-site radiological impact or only minor radiological impact (in particular, no necessity of iodine prophylaxis, sheltering nor evacuation). 
  • reducing, as far as reasonably achievable,
      - the core damage frequency taking into account all types of credible hazards and failures and credible combinations of events;
      - the releases of radioactive material from all sources.
  • providing due consideration to siting and design to reduce the impact of external hazards and malevolent acts.”66 

This safety objective is – considering the first two paragraphs – fully applicable to operating nuclear power plants. In the defence-in-depth concept these tools belong to defence-level-3 67 which has to provide protection against the design basis accidents. 

Design basis accidents 

To meet this objective, WENRA calls for consideration of a more systematic analysis of critical events and situations in all operating states (operation and shutdown) and not only for the reactor, but also for the spent fuel pool and other facilities of the plant. 68 The fulfilment of these requirements would reduce the frequency of accidents that could lead to uncontrolled scenarios and core melt situations (Fukushima), lower the release rates for radioactive material, and give more provision against core melt accidents. 

In line with that goal, it must be checked whether all events (internal and external), and particularly credible combinations of events, are considered for the plant design according to current state-of-the-art technology. The “Safety Criteria for Nuclear Power Plants”, for example, contain a comprehensive list of events the plant has to cope with.69 Some very important requirements in this context are the assumption of “long lasting external events” and of the combination of several natural or other external impacts, as well as the combination of external impacts with internal events.70 

The implementation of the different levels of the defence-in-depth concept was initially limited to postulated incidents and accidents occurring under full power conditions. Probabilistic Safety Assessments (PSA) show that the contribution of the shutdown state to core damage frequency is of the same order of magnitude as that of operation.71 Therefore, a systematic consideration of the shutdown state should be a key topic for safety in a second phase of the “Stress test”.72 

For existing reactors, the control of accidents is mainly focused on the reactor core. However, the scope of defence-in-depth has to cover all risks induced by the nuclear fuel, even when the fuel is stored in the spent fuel pool. The accident in Fukushima highlights this deficit of older reactor types. According to the “Safety Criteria for Nuclear Power Plants”, the equitable consideration of the spent fuel pool in safety and accident management had already been required a considerable time before the Fukushima accident.73 

Human failures and 30 minutes rule 

Another area for improvement highlighted by WENRA is the reduction of human-induced failures, particularly through more automatic or passive safety systems and a longer “grace period” for operators.74 Human errors can jeopardize defence-in-depth. They have a considerable potential to trigger common cause failures (meaning they affect all redundancies of a specific safety system), as has been seen in many safety-significant events, including the Chernobyl accident in 1986.75 According to the “Safety Criteria for Nuclear Power Plants”, there shall be no need for manual activation of safety systems during the first 30 minutes of an accident scenario.76 

Multiple failure situations that exceed the former design basis 

Accident conditions which are considered in the WENRA safety objectives for defence-level 3 now include multiple failure situations which were previously considered as “beyond design”.77 Examples of multiple failure situations are station blackout or the total loss of the spent fuel pool cooling system. These scenarios are topics of the current “Stress test”. 

Common cause failures - Redundancy and diversity 

For events which are not controlled by the operational systems and/or limitation functions at defence-in-depth levels 1 and 2, safety systems are required to bring the plant into, and maintain it in, a safe state with respect to subcriticality, core cooling and confinement of radioactive materials78 (defence-in-depth level 3). The reliability of the safety systems has to be achieved through an adequate combination of redundancy and diversity 79. This means that the same safety functions are available several times (redundancy) and that each safety function is ensured by provisions with different physical or chemical mechanisms (diversity). Particular attention has to be paid to minimising the possibilities of common cause failures80. These events also require physical and spatial separation as far as possible81. For example, the safety assessment of fire effects has to clearly identify common mode failure possibilities (including internal flooding risks linked to the use of fire fighting systems) which could result from incomplete separation of equipment that should be redundant.82 Special emphasis has to be placed on the redundancy and diversity of electrical power supplies.83 

Actuality of the safety case 

The methods that were used for the safety case of old plants may be out of date because a renewal process has not been performed until now. The confidence in the safety case may therefore be lost. In order to make sure that the plants are operated safely, evidence must be given that the safety case is up to date, corresponding to the current state-of-the-art safety requirements and taking into account all changes or corrections of formerly applied data.84





66 WENRA: Statement on Safety Objectives for New Nuclear Power Plants, November 2010; Note: The complete text of the safety objectives (including footnotes) is given in the Annex. 
67 See chapter I.3.1 
68 WENRA: Safety Objectives for New Power Reactors – Study by WENRA Reactor Harmonization Working Group (RHWG), December 2009, Appendix 3 
69 Module 3 „Safety Criteria for Nuclear Power Plants: Events to be Considered for Pressurised and Boiling Water Reactors”, Event lists, No. 5 
70 Module 1 „Safety Criteria for Nuclear Power Plants: Fundamental Safety Criteria“ Postulated operating conditions and events, No. 4.1 (5) 
71 IAEA: Defence in depth in Nuclear Safety, INSAG 10, A report by the International Nuclear Safety Advisory Group, Vienna, 1996 
72 Module 3 „Safety Criteria for Nuclear Power Plants: Events to be Considered for Pressurised and Boiling Water Reactors”, Definitions and classification of the operating phases for PWRs and BWRs, No. 4 
73 Module 1 „Safety Criteria for Nuclear Power Plants: Fundamental Safety Criteria“, Concept of fundamental safety functions (safety goals), No. 2.3 (2); Module 7 “Safety Criteria for Nuclear Power Plants: Criteria for Accident Management” Plant conditions, event sequences and phenomena considered in accident management planning, No. 2 (6), Preventive accident management measures, No. 4.1 (4+5) 
74 WENRA: Safety Objectives for New Power Reactors – Study by WENRA Reactor Harmonization Working Group (RHWG), December 2009, Appendix 3 
75 IAEA: Defence in depth in Nuclear Safety, INSAG 10, A report by the International Nuclear Safety Advisory Group, Vienna, 1996 
76 Module 1 “Safety Criteria for Nuclear Power Plants: Fundamental Safety Criteria”, Technical criteria, No 3.1 (3); Module 5 “Safety Criteria for Nuclear Power Plants: Criteria for Instrumentation and Control and Accident Instrumentation”, Design, No. 3.2 (6); Module 12 “Safety Criteria for Nuclear Power Plants: Criteria for Electric Power Supply”, Design, No. 2 (15): The startup and connection of the emergency power generators runs automatically on demand, so that no manual actions are required within 30 min. Manual startup and connection of the emergency power generators to the bus bars is possible at any time. 
77 WENRA: Safety Objectives for New Power Reactors – Study by WENRA Reactor Harmonization Working Group (RHWG), December 2009, Appendix 2; see Fn. 68, 69, 71 
78 ASN - Technical Guidelines for the Design and Construction of the Next Generation of Nuclear Power Plants with Pressurized Water Reactors - adopted during the GPR/German experts plenary meetings held on October 19th and 26th, 2000, p. 7; Module 1 “Safety Criteria for Nuclear Power Plants: Fundamental Safety Criteria”, Concept of the fundamental safety functions (protection goals), No 2.3 (1) 
79 ASN - Technical Guidelines for the Design and Construction of the Next Generation of Nuclear Power Plants with Pressurized Water Reactors - adopted during the GPR/German experts plenary meetings held on October 19th and 26th, 2000, p. 7; IAEA: Defence in depth in Nuclear Safety, INSAG 10, A report by the International Nuclear Safety Advisory Group, Vienna, 1996; These requirements are since long commonly accepted as fundamental principles of reactor designs and can be found in any codification of reactor safety requirements 
80 ASN - Technical Guidelines for the Design and Construction of the Next Generation of Nuclear Power Plants with Pressurized Water Reactors, GPR/German experts plenary meetings held on October 19th and 26th, 2000, p. 7; Module 10 “Safety Criteria for Nuclear Power Plants: Criteria for the Design and Safe Operation of Plant Structures, Systems and Components”. Prevention of multiple failures, No. 1.3 (1-2) Example: No 1.3 (2) Safety installations for which potentials for common-cause failures were identified are designed according to the principle of diversity as far as feasible and technically reasonable. 
81 Module 1 “Safety Criteria for Nuclear Power Plants: Fundamental Safety Criteria”, Technical criteria, No 3.1 (3), No. 3.7 (3); Module 5: “Criteria for Nuclear Power Plants: Criteria for Instrumentation and Control and Accident Instrumentation” No. 6 Redundancy and independence, Example No. 6 (3) To prevent failure-initiating events affecting multiple redundancies within the instrumentation and control installations and within the plant, redundancies are on principle accommodated physically separated from each other. Module 10 “Safety Criteria for Nuclear Power Plants: Criteria for the Design and Safe Operation of Plant Structures, Systems and Components”. Prevention of multiple failure No. 1.3 (1-7), Example: No. 1.3 (7) Deficiencies and damages in safety-relevant installations are analysed with regard to their cause. Here, it is clarified, in particular, whether the damage mechanism identified is of systematic nature. If there is suspicion of a systematic failure, it is clarified immediately and corrective measures are taken, if necessary. The necessary safety-related measures when determining redundancy-wide failures are included in the plant operating procedures. 
82 ASN - Technical Guidelines for the Design and Construction of the Next Generation of Nuclear Power Plants with Pressurized Water Reactors - adopted during the GPR/German experts plenary meetings held on October 19th and 26th, 2000, p. 57; Module 10 “Safety Criteria for Nuclear Power Plants: Criteria for the Design and Safe Operation of Plant Structures, Systems and Components”. Plant internal fire No. 2.2.1 (10-12); Example No. 2.2.1 (10): The layout design of the redundancies of the safety system is generally such in a manner that in case of fire a loss of more than one redundant due to fire-induced heat, fumes or fire extinguishing agents does not have to be postulated 
83 ASN - Technical Guidelines for the Design and Construction of the Next Generation of Nuclear Power Plants with Pressurized Water Reactors - adopted during the GPR/German experts plenary meetings held on October 19th and 26th, 2000, p. 11; Module 12 “Safety Criteria for Nuclear Power Plants: Criteria for Electric Power Supply” Design, No. 2 (10-13); Example: No. 2 (13) The redundants of emergency power supply facilities are physically separated or protected from each other such that any failure-initiating events in the emergency power supply facility will not lead to a loss of several redundants of an emergency power supply facility. 
84 Module 1 “Safety Criteria for Nuclear Power Plants: Fundamental Safety Criteria”, Criteria for documentation, operating rules and safety demonstration No. 5 (7-9), Example No. 5 (9): For the analysis of events and conditions, a) validated calculation methods are used for the respective scope of application, b) any uncertainties associated with the calculation are quantified or considered by suitable methods. Module 6 “Safety Criteria for Nuclear Power Plants: Criteria for Safety Demonstration and Documentation”, Validation of analysis methods, No. 3.1