P1-5, Plenary Session I
Water Reactor Fuel Performance Meeting
Sendai International Center
Sendai, Miyagi, Japan
September 15, 2014
Toyoshi Fuketa
Nuclear Regulation Authority
Lessons Learned from the Fukushima Dai-ichi Accident
and Responses in NRA Regulatory Requirements
Introduction
TEPCO’s Fukushima Dai-ichi accident revealed the
weakness of the foregone regulatory requirements, e.g.
• Insufficient design provisions against tsunami,
• Unpractical management measures under severe
accident conditions, and
• Insufficient provision for accidents far-exceeding the
postulated design conditions.
We re-realized the importance of the Defense in Depth (DiD)
approach in design and preparations of countermeasures
against beyond design basis accidents (b-DBAs).
We learned from the accident that we must evaluate in
advance the potential and consequences of a wide spectrum
of internal and external initiators.
This presentation covers:
1. Prevention of Structures, Systems and Components
(SSCs) failures
2. Measures to Prevent Common Cause Failures (CCFs)
3. Prevention of Core Damage
4. Mitigation of Severe Accident
5. Emergency Preparedness
6. Continuous Improvement of Safety
7. Use of Probabilistic Risk Assessment (PRA)
8. Post-accident Regulation on Fukushima Dai-ichi
1. Prevention of SSCs failures
Lessons (1/2)
The Fukushima Dai-ichi accident revealed vulnerability
of SSCs against extreme loads and conditions caused
by some specific internal/external initiators.
The past nuclear regulation in Japan, of course, defined
design requirements but it focused on provision for
random failures of SSCs and aseismatic design.
Although all the initiators were conceptually required to
be considered in plant design, most of external hazards,
except earthquakes, had not been coped with enough to
address their respective risks.
1. Prevention of SSCs failures
Lessons (2/2)
In particular for tsunami, its design-basis heights had
been postulated based on the historical records, which
covered only 400 years. There was no countermeasure
against tsunami with a recurrence period of 1,000 years
or more.
These facts underscore the need to revisit the regulatory
requirements for a wide spectrum of external hazards.
1. Prevention of SSCs failures
Responses (1/4)
The Nuclear Regulation Authority (NRA), accordingly,
enhanced design requirements significantly.
Due considerations are required for all the significant
internal and external initiators.
The new requirements include: (i) identification of potential
hazards, (ii) design against hazards exceeding their
respective thresholds for screening, (iii) definition of design
basis hazard (DBH), (iv) design to cope with the DBH with
safety margin, and (v) evaluation of adequacy of safety
design.
1. Prevention of SSCs failures
Responses (2/4)
Re-evaluation of external hazards is also requested,
particularly for natural phenomena, based not only on
historical records but also on expert judgment to cover
very rare events.
As for earthquakes, more stringent criteria are prepared
for active faults, more precise methods are provided for
design-basis ground motions, etc.
As for tsunami, design-basis tsunami which exceeds the
highest historical record is postulated, and
countermeasures such as coastal levee and watertight
doors are required.
1. Prevention of SSCs failures
Responses (3/4)
The NRA develops specific requirements regarding fire
and flooding, and includes requirements of
countermeasures for extremely aggravated situations,
e.g., intentional airplane crash.
While many new requirements were developed against
both internal and external initiators, the graded approach
was applied to determine the necessity of such specific
design provision based on their respective risks.
1. Prevention of SSCs failures
Responses (4/4)
The new requirements aim at "function-based" approach
to allow flexibility in choosing acceptable measures.
However, based on recognition that adequate
requirements had not been made for fire protection,
specific requirements for physical separation of safety-
related systems, fire hazard analysis, etc. are introduced
considering current international practices. The NRA, of
course, continues the development and application of fire
PRA including data accumulation towards risk-informed
regulations.
2. Measures to Prevent CCFs
Lessons (1/2)
In the accident, emergency diesel generators (EDGs) and
station batteries lost their functions simultaneously due to the
tsunami since they were located on the floors at similar
elevations. This fact highlights the necessity of enhanced
physical separation for safety-related SSCs.
Although all the water-cooled EDGs were lost by tsunami
directly or indirectly, one air-cooled EDG survived and
supplied power to both Units 5 and 6 because it was located
at a higher elevation. The turbine-driven RCIC (reactor core
isolation cooling) system worked under the station blackout
(SBO) conditions at Units 2 and 3, and delayed accident
progressions. These imply the importance of "Diversity" of
systems.
2. Measures to Prevent CCFs
Lessons (2/2)
Loss of station batteries resulted in loss of control room
functions including instrumentation and communication,
closure of isolation valves in isolation condenser at Unit 1,
unavailability of reactor depressurization, loss of control of
RCIC and HPCI (high pressure coolant injection) systems,
inoperability of containment venting, etc. These underline the
need to prepare alternative DC power sources.
Electrical power system is essential to actuate and control the
safety-related systems including the control room and its loss
might lead to common cause failures (CCFs) of safety-related
systems. Accordingly, the diversity of electric power systems
should be improved to secure the plant safety.
2. Measures to Prevent CCFs
Responses (1/2)
The new requirements extend design-basis events and
strengthen protective measures against natural
phenomena and other initiators which may lead to CCFs.
They put a particular importance in due consideration to
ensure diversity and independence (shift of emphasis
from "redundancy centered").
Diversity of operating mechanisms, e.g., diesel and gas
turbine generators, motor-driven and diesel-driven pumps,
is important as well as physical separation.
2. Measures to Prevent CCFs
Responses (2/2)
Safety-related system trains shall be
• located at different elevations and/or different areas,
• compartmentalized by installing bulkhead, or
• distanced enough from each other.
Mobile equipment shall be
• stored in different locations, which are not easily
affected by external initiators including intentional
aircraft crash, and
• easily and surely connectable to the target system by
preparing spatially-dispersed multiple connecting ports.
3. Prevention of Core Damage
Lessons (1/2)
Before the accident there was no provision against prolonged
SBO and prolonged loss of ultimate heat sink (LUHS).
The duration of loss of offsite power, 30 minutes, was
assumed based on the operating experience in Japan, which
showed high reliability and short-term restoration of offsite
power and high reliability of EDGs. As well, the
interconnection of safety busbars between units was
incorporated into accident management (AM) procedures on
an industry’s voluntary basis.
For the ultimate heat sink, the hardened venting system
together with alternative water injection was prepared as one
of the voluntary based AM measures.
3. Prevention of Core Damage
Lessons (2/2)
As a result, SBO and LUHS were regarded as highly unlikely
scenarios, leading to lack of further studies on these
scenarios.
Although the regulation had applied the single failure criterion
to the safety analysis of design-basis accidents over years,
the Fukushima Dai-ichi accident suggested that multiple
failures due to specific initiators should be considered more
seriously in the licensing bases and/or safety cases.
The regulation should specify the requirements on AM
measures as a licensing basis, and licensees should prepare
the sophisticated AM measures and procedures in
consideration of multiple failures.
3. Prevention of Core Damage
Responses
In the new requirements by the NRA, the definitions of
some DBAs are changed. Design provision is now
required against prolonged SBO and LUHS.
Also required is provision against some b-DBAs
involving multiple failures, including anticipated transient
without scram (ATWS), loss of core cooling, and loss of
reactor depressurization.
The new regulation requires licensees to validate the
effectiveness of countermeasures against b-DBAs.
4. Mitigation of Severe Accident
Lessons (1/2)
In the 1990s, a series of AM measures were prepared at
nuclear power plants (NPPs) in Japan on an industry’s
voluntary basis to improve the plant safety, referring to the
results of individual plant examinations (IPEs).
However, these AM measures mainly focused on the
prevention of core damage, and a few mitigation measures,
such as molten core cooling, had been implemented.
In the Fukushima Dai-ichi accident, many attempts to
activate the AM measures were unsuccessful due to the
aggravated plant conditions, such as loss of power, loss of
control air, aftershocks, and high radiation.
4. Mitigation of Severe Accident
Lessons (2/2)
The Fukushima Dai-ichi accident brought to light the
necessity of implementing AM measures for mitigating
severe accident and radiological consequences as well as
those for preventing core damage.
Considering the extremely severe natural phenomena and
terrorism, flexibility should be incorporated into the
design and implementation of AM measures. In addition,
plant personnel should be well trained so that they could
execute the AM procedures under the aggravated
conditions in a timely manner.
4. Mitigation of Severe Accident
Responses
The new regulation requires licensees to design and
implement AM measures for mitigating severe accident
conditions.
The feasibility and effectiveness of AM measures are
strictly examined in licensing processes.
Containment cooling/depressurization system, e.g.,
filtered venting system, shall be installed to prevent the
containment failure due to over-pressurization and to
minimize the radioactive consequences.
5. Emergency Preparedness
Lessons
The guidelines for emergency preparedness that existed before
the Fukushima Dai-ichi accident primarily and excessively
relied on code predictions on source terms and radionuclide
diffusion. This was far different from international practices,
and SBO in the Fukushima Dai-ichi accident paralyzed the
computational tools for estimating the source terms.
Accordingly, diffusion simulations were made only based on
hypothetical source terms and regarded as unpractical.
It is naturally recognized that source term prediction during
severe accident is unrealistic and non-enforceable.
It is risky and improper to prepare protection relying heavily
on simulations and/or multiple judgments.
5. Emergency Preparedness
Responses
Projected dose and dose that has been received are not
measurable quantities and cannot be used as a basis for
quick actions in an emergency. The new guidelines by
the NRA accordingly introduce operational criteria
(values of measurable default quantities or observables,
such as the emergency action level, EAL, and the
operational intervention level, OIL) as a surrogate for the
generic criteria for undertaking different protective
actions and other response actions.
The new guidelines also define requirements on roles
and functions of off-site emergency response centers,
execution of nuclear emergency drills, etc.
6. Continuous Improvement of Safety
Lessons
Before the Fukushima Dai-ichi accident, licensees had
re-evaluated tsunami height and some of them reinforced
the protection against tsunami. As a result, some NPPs
could be brought into a safe shutdown although they
were hit by very high tsunami. This shows the
importance of "Continuous Improvement".
On the other hand, the regulatory requirements on
tsunami were not reviewed over years before the
Fukushima Dai-ichi accident. This implies lack of
continuous improvement in regulation.
6. Continuous Improvement of Safety
Responses (1/2)
The amended "Reactor Regulation Act" stipulates
licensees’ responsibility for "safety improvement" and
requires licensees to conduct "self-assessment for safety
improvement" periodically.
This framework strongly encourages licensees’ initiatives
towards continuous improvement of safety by requesting
licensees to prepare the final safety analysis report which
provides "as-built" or "as-is" plant description and to update
it when major design modifications or procedural changes
take place.
6. Continuous Improvement of Safety
Responses (2/2)
Licensees are also requested to carry out the periodic
safety review (PSR) to incorporate the state-of-the-art
knowledge into the plant design, operation and
maintenance activities.
In addition, it is required to conduct level 1 and 2 PRAs
periodically for both internal and external initiators
including hazard re-evaluation to demonstrate the
effectiveness of the plant modifications.
7. Use of PRA
Lessons
The importance of PRA is dependent on initiators.
The priority should be determined according to risk profile
(a relative importance of the initiator).
Since natural hazards were thought to be dominant
initiators even before the accident, the IPEEE (individual
plant examination for external events) should have had a
relatively higher priority in Japan. However, PRA
technologies for external initiators had not been developed
or improved in Japan where they were most needed.
Although PRAs for external initiators have relatively large
uncertainties, implementing those PRAs can provide
important technical insights regarding, e.g., relative
importance of SSCs.
7. Use of PRA
Responses (1/2)
The NRA recognizes that the PRA methodology is very
useful and applicable to develop and propose effective
and efficient protection against the specific initiators.
The NRA promotes utilization of PRA recognizing its
usefulness and limitations.
In the new regulatory framework, licensees are
requested to conduct the plant-specific level 1 and 2
PRAs for both internal and external initiators.
7. Use of PRA
Responses (2/2)
Using the plant-specific PRA, licensees shall identify the
severe accident scenarios and classify them into several
groups. Also, licensees shall check the adequacy and
sufficiency of AM measures by conducting accident
analysis for the severest scenario in each group.
Licensees shall analyze all the "generic severe accident
sequence groups" and "generic containment failure
modes" that were defined by the NRA regardless of the
results from the plant-specific PRAs.
8. Post-accident Regulation
on Fukushima Dai-ichi
The NRA designated the Fukushima Dai-ichi as "Disaster-
experienced Nuclear Power Plant" on November 7, 2012.
In order to keep reducing the existing risk in the Fukushima
Dai-ichi, the NRA should regulate and promote the
decommissioning processes at the same time.
The important challenge is to maintain harmonization
between the implementation and acceleration of the
decommissioning and the protection of people and the
environment during the processes.
The NRA considers that a risk of water leakage from
underground trenches connected to the reactor turbine
buildings on the seaward side is significant.
Closing Remarks (1/2)
In the light of the Fukushima Dai-ichi accident, the NRA
developed the new design requirements and established
the new regulatory framework to ensure the NPP safety.
The new requirements aim at primarily:
• extending the definition of DBAs by including multiple
failures such as prolonged SBO and LUHS,
• enhancing preventions against CCFs, in particular those
due to external hazards, by strengthening the
diversity/independence,
• enhancing protection against core damage by preparing
alternative measures with use of mobile equipment, and
• enhancing mitigation of severe accidents to eliminate a
large radioactive release from the containment and to
minimize the radioactive consequences by mobile and
immobile equipment.
Closing Remarks (2/2)
The new regulatory framework encourages licensees’
initiatives towards continuous improvement of safety and
requests licensees to:
• conduct "self-assessment for safety improvement"
periodically,
• prepare and update the final safety analysis report which
provides "as-built" or "as-is" plant description, and
• carry out PSR and plant-specific level 1 and 2 PRAs for
both internal and external initiators to demonstrate the
effectiveness of the plant modifications.
The NRA continues to address the lessons learned from the
Fukushima Dai-ichi accident, keeps updating regulatory
requirements where appropriate, and never becomes
complacent.
With thanks to
Kiyoharu Abe
Tomoho Yamada
Hiroshi Yamagata
NRA
Norio Watanabe
NSRC, JAEA
